
build(deps): bump github.com/labstack/echo/v5 from 5.0.0 to 5.0.3 in /crosstest#1272

Merged
giortzisg merged 1 commit into master from dependabot/go_modules/crosstest/github.com/labstack/echo/v5-5.0.3
Apr 20, 2026

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026


Bumps github.com/labstack/echo/v5 from 5.0.0 to 5.0.3.

Release notes

Sourced from github.com/labstack/echo/v5's releases.

v5.0.3 security (static middleware directory traversal under Windows)

Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by @​shblue21 (labstack/echo#2891).

This applies to cases when:

  • Windows is used as OS
  • middleware.StaticConfig.Filesystem is nil (default)
  • echo.Filesystem has not been set explicitly (default)

Full Changelog: labstack/echo@v5.0.2...v5.0.3

v5.0.2 security (static middleware folder browsing)

Security

  • Fix Static middleware when folder browsing is enabled (config.Browse=true, defaults to false) lists all files/subfolders from config.Filesystem root folder and not starting from config.Root and requested folder in labstack/echo#2887. Reported by @shblue21 in labstack/echo#2886

Full Changelog: labstack/echo@v5.0.1...v5.0.2

v5.0.1 small fixes

What's Changed

New Contributors

Full Changelog: labstack/echo@v5.0.0...v5.0.1

Changelog

Sourced from github.com/labstack/echo/v5's changelog.

v5.0.3 - 2026-02-06

Security

  • Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by @​shblue21.

This applies to cases when:

  • Windows is used as OS
  • middleware.StaticConfig.Filesystem is nil (default)
  • echo.Filesystem has not been set explicitly (default)

Exposure is restricted to the active process working directory and its subfolders.

v5.0.2 - 2026-02-02

Security

  • Fix Static middleware with config.Browse=true lists all files/subfolders from config.Filesystem root and not starting from config.Root in labstack/echo#2887

v5.0.1 - 2026-01-28

Commits
  • b1d4430 Merge pull request #2891 from aldas/fix_staticmw
  • 48f25a6 Fix test reporting different size due Windows / Linux line ending inconsisten...
  • 6c16259 Fix directory traversal vulnerability under Windows in Static middleware when...
  • 88d975a Fix directory traversal vulnerability under Windows in Static middleware when...
  • 09ccfba Fill c.Request().Pattern field with route path to help standard library based...
  • 68aaf3a Changelog for version 5.0.2
  • 26ec148 security (static middleware): fix bowser=true listing all file names from giv...
  • ba10490 Merge pull request #2880 from aldas/changelog_501
  • 0954d6e Changelog for v5.0.1 release
  • 8e4c91f Create SECURITY.md
  • Additional commits viewable in compare view


Bumps [github.com/labstack/echo/v5](https://github.com/labstack/echo) from 5.0.0 to 5.0.3.
- [Release notes](https://github.com/labstack/echo/releases)
- [Changelog](https://github.com/labstack/echo/blob/master/CHANGELOG.md)
- [Commits](labstack/echo@v5.0.0...v5.0.3)

---
updated-dependencies:
- dependency-name: github.com/labstack/echo/v5
  dependency-version: 5.0.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file Go SDK labels Apr 20, 2026
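
A check for the versions named in the release notes above, as an added example (not part of this PR or of Echo's code): it reads go.mod text, finds the required github.com/labstack/echo/v5 version, and reports which of the two Static middleware security fixes that version predates. The sample go.mod and its module name are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const echoModule = "github.com/labstack/echo/v5"

// echoVersion returns the echo/v5 version required by go.mod text, or "" if absent.
func echoVersion(goMod string) string {
	for _, line := range strings.Split(goMod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" {
			f = f[1:] // single-line form: require <module> <version>
		}
		if len(f) == 2 && f[0] == echoModule {
			return f[1]
		}
	}
	return ""
}

// missingFixes lists the fixes from the release notes that version v predates.
// Pre-release and pseudo-versions are rejected rather than guessed at.
func missingFixes(v string) ([]string, error) {
	var major, minor, patch int
	fmt.Sscanf(v, "v%d.%d.%d", &major, &minor, &patch)
	if fmt.Sprintf("v%d.%d.%d", major, minor, patch) != v {
		return nil, fmt.Errorf("unsupported version %q", v)
	}
	var out []string
	if major == 5 && minor == 0 && patch < 2 {
		out = append(out, "v5.0.2: Static middleware Browse=true lists files from Filesystem root")
	}
	if major == 5 && minor == 0 && patch < 3 {
		out = append(out, "v5.0.3: Static middleware directory traversal under Windows")
	}
	return out, nil
}

func main() {
	// Constructed go.mod for illustration; the module name is hypothetical.
	sample := "module example.com/crosstest\n\nrequire github.com/labstack/echo/v5 v5.0.0\n"
	missing, err := missingFixes(echoVersion(sample))
	fmt.Println(missing, err)
}
```
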
github-actions Bot commented Apr 20, 2026


Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


Breaking Changes 🛠

  • Update compatibility policy to align with Go, supporting only the last two major Go versions. by giortzisg in #1264
  • Drop support for Go 1.24 by giortzisg in #1264

Internal Changes 🔧

Deps

  • Bump github.com/labstack/echo/v5 from 5.0.0 to 5.0.3 in /crosstest by dependabot[bot] in #1272
  • Bump golangci-lint action from 2.1.1 to 2.11.4 by giortzisg in #1265
  • Bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 in /otel by dependabot in #1256
  • Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.40.0 to 1.43.0 in /otel/otlp by dependabot in #1255

Other

  • Add crosstest package by giortzisg in #1269
  • Add sentrytest package by giortzisg in #1267

🤖 This preview updates automatically when you update the PR.

@giortzisg giortzisg merged commit 00dcbf0 into master Apr 20, 2026
20 checks passed
@giortzisg giortzisg deleted the dependabot/go_modules/crosstest/github.com/labstack/echo/v5-5.0.3 branch April 20, 2026 08:13