build(deps): Bump the minor-updates group across 1 directory with 3 updates

[dependabot]

Bumps the minor-updates group with 3 updates in the / directory: github.com/go-playground/validator/v10, github.com/labstack/echo/v4 and github.com/swaggest/swgui.

Updates github.com/go-playground/validator/v10 from 10.30.2 to 10.30.3

Release notes

Sourced from github.com/go-playground/validator/v10's releases.

v10.30.3

What's Changed

• Fix/issue 1550 UUID case insensitive by @​leo-jp-edwards in go-playground/validator#1551
• Feat: Add NoneOf Validation by @​Carmen-Shannon in go-playground/validator#1554
• Add bcp47_strict_language_tag validator by @​bfabio in go-playground/validator#1489
• chore(deps): bump golang.org/x/text from 0.35.0 to 0.36.0 by @​dependabot[bot] in go-playground/validator#1558
• chore(deps): bump golang.org/x/crypto from 0.49.0 to 0.50.0 by @​dependabot[bot] in go-playground/validator#1559
• Add CLAUDE.md with repo guidance for Claude Code by @​deankarn in go-playground/validator#1564
• Reduce build size with dead code elimination by @​zemzale in go-playground/validator#1542
• Refactored out detectFileMIMEType, matchesMIMEType logic for reuse. Added standalone isMIMEType validator for flexibility by @​dapzthelegend in go-playground/validator#1544
• feat(translations): add timezone support for en and ja locales by @​dedyf5 in go-playground/validator#1566
• docs: use errors.As in README and translations example by @​eyupcanakman in go-playground/validator#1563
• docs: fix typos by @​rymiyamoto in go-playground/validator#1568
• feat: add origin validator for web origin URLs by @​ahmedkamalio in go-playground/validator#1565
• fix: reject hostnames with trailing hyphen in RFC 952 validator by @​ahmedkamalio in go-playground/validator#1569
• fix(lint): correctly disable govet inline analyzer & deprecated gomodguard by @​nodivbyzero in go-playground/validator#1574
• chore(deps): bump golang.org/x/text from 0.36.0 to 0.37.0 by @​dependabot[bot] in go-playground/validator#1572
• chore(deps): bump golang.org/x/crypto from 0.50.0 to 0.51.0 by @​dependabot[bot] in go-playground/validator#1571
• fix(cron): anchor regex and accept full cron syntax by @​ahmedkamalio in go-playground/validator#1577
• chore(deps): bump golang.org/x/crypto from 0.51.0 to 0.52.0 by @​dependabot[bot] in go-playground/validator#1580
• feat: omit blank tag names from namespace by @​abemedia in go-playground/validator#1567
• fix(docs): correct ripemd160 tag name in README validation table by @​napoleonbot in go-playground/validator#1582

New Contributors

• @​leo-jp-edwards made their first contribution in go-playground/validator#1551
• @​Carmen-Shannon made their first contribution in go-playground/validator#1554
• @​dapzthelegend made their first contribution in go-playground/validator#1544
• @​dedyf5 made their first contribution in go-playground/validator#1566
• @​eyupcanakman made their first contribution in go-playground/validator#1563
• @​rymiyamoto made their first contribution in go-playground/validator#1568
• @​abemedia made their first contribution in go-playground/validator#1567
• @​napoleonbot made their first contribution in go-playground/validator#1582

Full Changelog: go-playground/validator@v10.30.2...v10.30.3

Commits

• ac4c1ba fix(docs): correct ripemd160 tag name in README validation table (#1582)
• feacb34 feat: omit blank tag names from namespace (#1567)
• 5ed0a7e chore(deps): bump golang.org/x/crypto from 0.51.0 to 0.52.0 (#1580)
• 0364541 fix(cron): anchor regex and accept full cron syntax (#1577)
• 8eb2659 chore(deps): bump golang.org/x/crypto from 0.50.0 to 0.51.0 (#1571)
• f7e1721 chore(deps): bump golang.org/x/text from 0.36.0 to 0.37.0 (#1572)
• cf37fce fix(lint): correctly disable govet inline analyzer & deprecated gomodguard (#...
• 7c334e5 fix: reject hostnames with trailing hyphen in RFC 952 validator (#1569)
• 6bcb7bc feat: add origin validator for web origin URLs (#1565)
• 6fd2fa8 docs: fix typos (#1568)
• Additional commits viewable in compare view

Updates github.com/labstack/echo/v4 from 4.15.2 to 4.15.4

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.4

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3016, released in v5.2.1). Thanks to @​a-tt-om and @​oran-gugu for reporting.

---

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt
// 1. share public/ folder contents from the server root. This folder actually contains subfolder admin which
// contents we want to forbid from downloading
e.Static("/", "public")
// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txt → hello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.4 - 2026-06-15

Security

Fixes GHSA-vfp3-v2gw-7wfq

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt
// 1. share public/ folder contents from the server root. This folder actually contains subfolder admin which
// contents we want to forbid from downloading
e.Static("/", "public")
// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txt → hello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

v4.15.3 - 2026-06-14

... (truncated)

Commits

• ec79b58 Merge pull request #3020 from aldas/v4_v4-15-4_changelog
• 2714c07 Changelog for v4.15.4 - security fix
• 13f0ed1 Merge pull request #3019 from aldas/v4_backport_3016
• d16a4ec backport PR 3016 from v4
• 8f167b9 Merge pull request #3018 from aldas/v4_remove_v5_dep
• 9afa4ba remove dependency on labstack/echo v5 introduced in go.mod and go.sum
• 1e05f63 Merge pull request #3017 from aldas/v4_ci_updates
• 11a3cc4 Update dependencies and add ignore for linting
• 26bd016 Update CI action versions
• aa52f6a ci: run workflows on the v4 branch, not just master (#3013)
• Additional commits viewable in compare view

Updates github.com/swaggest/swgui from 1.8.7 to 1.8.8

Release notes

Sourced from github.com/swaggest/swgui's releases.

v1.8.8

What's Changed

• Update to Swagger UI v5.32.6 by @​vearutop in swaggest/swgui#58

Full Changelog: swaggest/swgui@v1.8.7...v1.8.8

Commits

• 5c47097 Update to Swagger UI v5.32.6 (#58)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions