fix(deps): update module github.com/labstack/echo/v5 to v5.1.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/labstack/echo/v5	v5.0.4 → v5.1.0

---

Release Notes

labstack/echo (github.com/labstack/echo/v5)

v5.1.0

Compare Source

Security

This change does not break the API contract, but it does introduce breaking changes in logic/behavior.
If your application is using c.RealIP() beware and read https://echo.labstack.com/docs/ip-address

v4 behavior can be restored with:

e := echo.New()
e.IPExtractor = echo.LegacyIPExtractor()

• Remove legacy IP extraction logic from context.RealIP method by @​aldas in #​2933

Enhancements

• Add echo-opentelemetry to the README.md by @​aldas in #​2908
• fix: correct spelling mistakes in comments and field name by @​crawfordxx in #​2916
• Add https://github.com/labstack/echo-prometheus to the middleware list in README.md by @​aldas in #​2919
• Add StartConfig.Listener so server with custom Listener is easier to create by @​aldas in #​2920
• Fix rate limiter documentation for default burst value by @​karesansui-u in #​2925
• Add doc comments to clarify usage of File related methods and leading slash handling by @​aldas in #​2928
• Add NewDefaultFS function to help create filesystem that allows absolute paths by @​aldas in #​2931
• Do not set http.Server.WriteTimeout in StartConfig by @​aldas in #​2932

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Version Change: github.com/labstack/echo/v5 from v5.0.4 → v5.1.0

Security Changes:

• IP Extraction Logic Modification (PR #2933): The legacy IP extraction logic was removed from context.RealIP() method. This is a behavioral breaking change, but does NOT break the API contract. Applications using c.RealIP() will still compile and run without errors.
  • Legacy v4 behavior can be restored with: e.IPExtractor = echo.LegacyIPExtractor()
  • New behavior prioritizes security through explicit configuration over implicit defaults

Key Enhancements:

• Added StartConfig.Listener for easier custom listener creation (PR #2920)
• Removed automatic http.Server.WriteTimeout setting in StartConfig (PR #2932) - This was causing issues for SSE and static file serving
• Added NewDefaultFS function for filesystem support with absolute paths (PR #2931)
• Documentation improvements for file-related methods and rate limiter
• Added echo-opentelemetry and echo-prometheus to README
• Spelling and comment corrections (PR #2916)

No Breaking API Changes: All existing Echo v5.0.4 method signatures remain compatible.

🎯 Impact Scope Investigation

Codebase Usage Analysis:

✅ No RealIP() usage found - The codebase does not use c.RealIP() anywhere

• Searched entire codebase for RealIP|IPExtractor patterns
• No IP extraction functionality is currently implemented

✅ No IP extraction configuration - e.IPExtractor is never set in the application initialization (cmd/serve.go:102)

✅ WriteTimeout explicitly managed - The application already overrides WriteTimeout in BeforeServeFunc (cmd/serve.go:131)

• Current code: s.WriteTimeout = time.Duration(flagQueueTimeout+flagRunTimeout+flagCompileTimeout)*time.Second + 30*time.Second
• This explicit override is unaffected by Echo v5.1.0's removal of automatic WriteTimeout setting
• The removal actually aligns better with this codebase's approach of explicit timeout management

Echo v5 API Usage:
The codebase uses standard Echo v5 APIs that are fully compatible with v5.1.0:

• echo.New() - Echo instance creation
• echo.StartConfig with BeforeServeFunc - Custom server configuration
• Context methods: c.Bind(), c.JSON(), c.String(), c.Request(), c.Response()
• Middleware: middleware.Recover(), middleware.RequestLogger(), middleware.BodyLimit()
• Error handling: echo.UnwrapResponse()

Test Results:

• ✅ All unit tests pass (handler, middleware, sandbox packages)
• ✅ Build succeeds with Echo v5.1.0
• ✅ No compilation errors or warnings

Files Changed:

• go.mod: Version bump only
• go.sum: Checksum update only

Dependencies:

• No transitive dependency changes detected
• Echo v5.1.0 maintains the same module path and import compatibility

💡 Recommended Actions

✅ Safe to merge immediately - No code changes required.

Why this is safe:

1. No affected features: The codebase doesn't use RealIP() or IP extraction, so the behavioral change doesn't impact functionality
2. Explicit timeout management: The application already explicitly sets WriteTimeout in BeforeServeFunc, so the removal of Echo's default doesn't affect behavior
3. API compatibility: All Echo v5 APIs used in the codebase remain unchanged
4. Test validation: All unit tests pass with the new version
5. No migration needed: Zero code changes required

Optional future enhancements:

• If IP extraction becomes needed in the future (e.g., for rate limiting by IP, logging client IPs), explicitly configure e.IPExtractor using one of the recommended extractors based on your proxy setup:
  • ExtractIPDirect() - No proxy
  • ExtractIPFromXFFHeader() - For X-Forwarded-For headers
  • ExtractIPFromRealIPHeader() - For X-Real-IP headers

Merge recommendation: Merge without hesitation. This is a straightforward dependency update with enhancements and security improvements that don't affect the current codebase functionality.

🔗 Reference Links

• Echo v5.1.0 Release Notes
• PR #2933: Remove legacy IP extraction logic
• PR #2932: Remove WriteTimeout from StartConfig
• Echo IP Address Documentation
• Echo v5 GitHub Repository

Generated by koki-develop/claude-renovate-review