Skip to content

chore(deps): bump the updates group with 3 updates#9

Merged
github-actions[bot] merged 1 commit intomainfrom
dependabot/go_modules/updates-9869cebbc0
Apr 1, 2026
Merged

chore(deps): bump the updates group with 3 updates#9
github-actions[bot] merged 1 commit intomainfrom
dependabot/go_modules/updates-9869cebbc0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 1, 2026

Bumps the updates group with 3 updates: github.com/fxamacker/cbor/v2, github.com/go-playground/validator/v10 and github.com/labstack/echo/v5.

Updates github.com/fxamacker/cbor/v2 from 2.9.0 to 2.9.1

Release notes

Sourced from github.com/fxamacker/cbor/v2's releases.

v2.9.1

This release includes important bugfixes, defensive checks, improved code quality, and more tests. Although not public, the fuzzer was also improved by adding more fuzz tests.

🐞 Bug fixes related to the keyasint feature

These changes only affect Go struct fields tagged with keyasint:

  • [Decoding] Reject integer keys that exceed math.MaxInt64 when decoding CBOR map to a struct with keyasint field (PR #757)
  • [Decoding] Prevent string representation of an integer key from matching the struct field tagged by keyasint (PR #757)
  • [Encoding & Decoding] Deduplicate struct fields with the same normalized keyasint tag values (PR #757)

🐞 Other bug fixes and defensive checks

Some of the bugs fixed are related to decoding extreme values that cannot be encoded with this library. For example, the decoder checks if epoch time encoded as CBOR float value representing hundreds of billions of years overflows int64(seconds).

NOTE: It is generally good practice to avoid using floating point to store epoch time (even when not using CBOR).

  • [Decoding] Reject decoding epoch time encoded as floats that overflow int64 (PR #753)
  • [Encoding] Return a cloned slice for an empty RawMessage from RawMessage.MarshalCBOR (PR #753)
  • [Encoding] Reject encoding nil inside indefinite-length strings (PR #750)
  • [Diagnostic] Accept valid U+FFFD replacement character (PR #753)

What's Changed

CI / GitHub Actions and Docs

... (truncated)

Commits
  • 63d1c66 Merge pull request #758 from fxamacker/fxamacker/update-readme-for-release
  • e8b10c3 Merge pull request #757 from fxamacker/fxamacker/fix-keyasint
  • 4dd026b Update README status
  • 3076938 Update golangci-lint to v2.10.1
  • 6920cbe Migrate .golangci.yml to version 2
  • 05358b1 Fix several issues related to keyasint
  • 3851e1b Merge pull request #754 from fxamacker/fxamacker/refactor-parseMapToStruct-etc
  • 48a18bf Refactor field
  • 59d62f5 Merge pull request #753 from fxamacker/fxamacker/small-bugfixes
  • 46bc977 Merge pull request #752 from fxamacker/fxamacker/refactor-and-add-tests
  • Additional commits viewable in compare view

Updates github.com/go-playground/validator/v10 from 10.30.1 to 10.30.2

Release notes

Sourced from github.com/go-playground/validator/v10's releases.

v10.30.2

What's Changed

New Contributors

Full Changelog: go-playground/validator@v10.30.1...v10.30.2

Commits
  • b9258bd fix(fqdn): allow hyphens in last domain label (#1548)
  • b9f1d79 feat: add postcode patterns for Colombia (CO) and British Virgin Islands (VG)...
  • 7fa9599 chore(deps): bump golang.org/x/crypto from 0.48.0 to 0.49.0 (#1546)
  • 8ca29ec chore(deps): bump golang.org/x/text from 0.34.0 to 0.35.0 (#1545)
  • 5e1bedf docs: add Valuer interface documentation and example (#1540)
  • 42927a0 feat: implement ValidatorValuer interface feature (#1416)
  • c254ece docs: fix typos (#1527)
  • 4325386 fix: prevent panic in unique validation with nil pointer elements (#1532)
  • d3f35da Go 1.26 support (#1535)
  • f5c74ce chore(deps): bump golang.org/x/crypto from 0.47.0 to 0.48.0 (#1533)
  • Additional commits viewable in compare view

Updates github.com/labstack/echo/v5 from 5.0.4 to 5.1.0

Release notes

Sourced from github.com/labstack/echo/v5's releases.

v5.1.0

Security

This change does not break the API contract, but it does introduce breaking changes in logic/behavior. If your application is using c.RealIP() beware and read https://echo.labstack.com/docs/ip-address

In v5 the c.RealIP() will now return request.RemoteAddr unless e.IPExtractor has been configured. No potentially spoofable headers are used by default anymore.

Configure IPExtractor with proper trust options when you want to read IP from headers. See:

v4 behavior can be restored with:

e := echo.New()
e.IPExtractor = echo.LegacyIPExtractor()

Related PR: Remove legacy IP extraction logic from context.RealIP method by @​aldas in labstack/echo#2933

What's Changed

New Contributors

Full Changelog: labstack/echo@v5.0.4...v5.1.0

Changelog

Sourced from github.com/labstack/echo/v5's changelog.

v5.1.0 - 2026-03-31

Security

This change does not break the API contract, but it does introduce breaking changes in logic/behavior. If your application is using c.RealIP() beware and read https://echo.labstack.com/docs/ip-address

v4 behavior can be restored with:

e := echo.New()
e.IPExtractor = echo.LegacyIPExtractor()

Enhancements

Commits
  • 597b4fa Changelog for v5.1.0
  • c192e50 Merge pull request #2933 from aldas/LegacyIPExtractor
  • 22e4b71 Remove legacy IP extraction logic from context.RealIP method and move it to L...
  • 83e04d2 Do not set http.Server.WriteTimeout in StartConfig this is bad for SSE and st...
  • a7005b2 Add NewDefaultFS function to help create filesystem that allows absolute path...
  • a0e5ff7 Add doc comments to clarify usage of File related methods and leading slash h...
  • 3f50cc6 Fix rate limiter documentation for default burst value
  • 675712d Add StartConfig.Listener so server with custom Listener is easier to create.
  • 7d228b2 Add https://github.com/labstack/echo-prometheus to the middleware list in REA...
  • ec05bc8 fix: correct spelling mistakes in comments and field name
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps): bump the updates group with 3 updates
e3c888d 
Bumps the updates group with 3 updates: [github.com/fxamacker/cbor/v2](https://github.com/fxamacker/cbor), [github.com/go-playground/validator/v10](https://github.com/go-playground/validator) and [github.com/labstack/echo/v5](https://github.com/labstack/echo).


Updates `github.com/fxamacker/cbor/v2` from 2.9.0 to 2.9.1
- [Release notes](https://github.com/fxamacker/cbor/releases)
- [Commits](fxamacker/cbor@v2.9.0...v2.9.1)

Updates `github.com/go-playground/validator/v10` from 10.30.1 to 10.30.2
- [Release notes](https://github.com/go-playground/validator/releases)
- [Commits](go-playground/validator@v10.30.1...v10.30.2)

Updates `github.com/labstack/echo/v5` from 5.0.4 to 5.1.0
- [Release notes](https://github.com/labstack/echo/releases)
- [Changelog](https://github.com/labstack/echo/blob/master/CHANGELOG.md)
- [Commits](labstack/echo@v5.0.4...v5.1.0)

---
updated-dependencies:
- dependency-name: github.com/fxamacker/cbor/v2
  dependency-version: 2.9.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: updates
- dependency-name: github.com/go-playground/validator/v10
  dependency-version: 10.30.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: updates
- dependency-name: github.com/labstack/echo/v5
  dependency-version: 5.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Apr 1, 2026
@github-actions github-actions bot added the automerge Automatically approved and merged Dependabot PRs for minor and patch updates. label Apr 1, 2026
@github-actions github-actions bot enabled auto-merge (squash) April 1, 2026 05:30
@github-actions github-actions bot merged commit f9f8625 into main Apr 1, 2026
5 checks passed
@dependabot dependabot bot deleted the dependabot/go_modules/updates-9869cebbc0 branch April 1, 2026 05:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

automerge Automatically approved and merged Dependabot PRs for minor and patch updates. dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants