@renovate renovate bot commented Nov 16, 2025

This PR contains the following updates:

Package Change
github.com/labstack/echo/v4 v4.14.0 -> v5.0.0
helm.sh/helm/v3 v3.19.4 -> v4.0.5

Release Notes

labstack/echo (github.com/labstack/echo/v4)

v5.0.0

Compare Source

Echo v5 is a maintenance release with major breaking changes

  • Context is now a struct instead of an interface, and we can add methods to it in the future in minor versions.
  • Adds new Router interface for possible new routing implementations.
  • Drops old logging interface and uses modern log/slog instead.
  • Rearranges a lot of method/function signatures to make them more consistent.

Upgrade notes and v4 support:

  • Echo v4 is supported with security* updates and bug fixes until 2026-12-31
  • If you are using Echo in a production environment, it is recommended to wait until after 2026-03-31 before upgrading.
  • Until 2026-03-31, any critical issues requiring breaking v5 API changes will be addressed, even if this violates semantic versioning.

See API_CHANGES_V5.md for public API changes between v4 and v5, notes on upgrading.

Upgrading TLDR:

If you are using Linux, you can migrate the easier parts like this:

find . -type f -name "*.go" -exec sed -i 's/ echo.Context/ *echo.Context/g' {} +
find . -type f -name "*.go" -exec sed -i 's/echo\/v4/echo\/v5/g' {} +

macOS

find . -type f -name "*.go" -exec sed -i '' 's/ echo.Context/ *echo.Context/g' {} +
find . -type f -name "*.go" -exec sed -i '' 's/echo\/v4/echo\/v5/g' {} +

or in your favorite IDE

Replace all:

  1. echo.Context -> *echo.Context
  2. echo/v4 -> echo/v5

This should solve most of the issues. Probably the hardest part is updating all the tests.

v4.15.0

Compare Source

Security

NB: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF
protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship
between the request origin and the target. The middleware uses this to make security decisions:

  • same-origin or none: Requests are allowed (exact origin match or direct user navigation)
  • same-site: Falls back to token validation (e.g., subdomain to main domain)
  • cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to
traditional token-based CSRF protection.

New Configuration Options:

  • TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
  • AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},

    // Custom validation for same-site requests
    AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
        // Your custom authorization logic here
        return validateCustomAuth(c), nil
        // return true, err  // blocks request with error
        // return true, nil  // allows CSRF request through
        // return false, nil // falls back to legacy token logic
    },
}))

PR: #​2858

Type-Safe Generic Parameter Binding

  • Added generic functions for type-safe parameter extraction and context access by @​aldas in #​2856

    Echo now provides generic functions for extracting path, query, and form parameters with automatic type conversion,
    eliminating manual string parsing and type assertions.

    New Functions:

    • Path parameters: PathParam[T], PathParamOr[T]
    • Query parameters: QueryParam[T], QueryParamOr[T], QueryParams[T], QueryParamsOr[T]
    • Form values: FormParam[T], FormParamOr[T], FormParams[T], FormParamsOr[T]
    • Context store: ContextGet[T], ContextGetOr[T]

    Supported Types:
    Primitives (bool, string, int/uint variants, float32/float64), time.Duration, time.Time
    (with custom layouts and Unix timestamp support), and custom types implementing BindUnmarshaler,
    TextUnmarshaler, or JSONUnmarshaler.

    Example:

    // Before: Manual parsing
    idStr := c.Param("id")
    id, err := strconv.Atoi(idStr)
    
    // After: Type-safe with automatic parsing
    id, err := echo.PathParam[int](c, "id")
    
    // With default values
    page, err := echo.QueryParamOr[int](c, "page", 1)
    limit, err := echo.QueryParamOr[int](c, "limit", 20)
    
    // Type-safe context access (no more panics from type assertions)
    user, err := echo.ContextGet[*User](c, "user")

PR: #​2856

DEPRECATION NOTICE Timeout Middleware Deprecated - Use ContextTimeout Instead

The middleware.Timeout middleware has been deprecated due to fundamental architectural issues that cause
data races. Use middleware.ContextTimeout or middleware.ContextTimeoutWithConfig instead.

Why is this being deprecated?

The Timeout middleware manipulates response writers across goroutine boundaries, which causes data races that
cannot be reliably fixed without a complete architectural redesign. The middleware:

  • Swaps the response writer using http.TimeoutHandler
  • Must be the first middleware in the chain (fragile constraint)
  • Can cause races with other middleware (Logger, metrics, custom middleware)
  • Has been the source of multiple race condition fixes over the years

What should you use instead?

The ContextTimeout middleware (available since v4.12.0) provides timeout functionality using Go's standard
context mechanism. It is:

  • Race-free by design
  • Can be placed anywhere in the middleware chain
  • Simpler and more maintainable
  • Compatible with all other middleware

Migration Guide:

// Before (deprecated):
e.Use(middleware.Timeout())

// After (recommended):
e.Use(middleware.ContextTimeout(30 * time.Second))

Important Behavioral Differences:

  1. Handler cooperation required: With ContextTimeout, your handlers must check context.Done() for cooperative
    cancellation. The old Timeout middleware would send a 503 response regardless of handler cooperation, but had
    data race issues.

  2. Error handling: ContextTimeout returns errors through the standard error handling flow. Handlers that receive
    context.DeadlineExceeded should handle it appropriately:

e.GET("/long-task", func(c echo.Context) error {
    ctx := c.Request().Context()

    // Example: database query with context
    result, err := db.QueryContext(ctx, "SELECT * FROM large_table")
    if err != nil {
        if errors.Is(err, context.DeadlineExceeded) {
            // Handle timeout
            return echo.NewHTTPError(http.StatusServiceUnavailable, "Request timeout")
        }
        return err
    }

    return c.JSON(http.StatusOK, result)
})

  3. Background tasks: For long-running background tasks, use goroutines with context:

e.GET("/async-task", func(c echo.Context) error {
    ctx := c.Request().Context()

    resultCh := make(chan Result, 1)
    errCh := make(chan error, 1)

    go func() {
        result, err := performLongTask(ctx)
        if err != nil {
            errCh <- err
            return
        }
        resultCh <- result
    }()

    select {
    case result := <-resultCh:
        return c.JSON(http.StatusOK, result)
    case err := <-errCh:
        return err
    case <-ctx.Done():
        return echo.NewHTTPError(http.StatusServiceUnavailable, "Request timeout")
    }
})

Enhancements

helm/helm (helm.sh/helm/v3)

v4.0.5: Helm v4.0.5

Compare Source

Helm v4.0.5 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

  • Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #​12556
  • Fixed rollback error when a manifest is removed in a failed upgrade #​13437
  • Fixed check to ensure CLI plugin does not load with the same name as an existing Helm command
  • Fixed helm test --logs failure with hook-delete-policy "hook-failed" or "hook-succeed" #​9098
  • Fixed a bug where empty dependency lists were incorrectly treated as present
  • Fixed a bug where the watch library did not only watch namespaces associated with the objects
  • Fixed regression in downloader plugins environment variables #​31612
  • Fixed bug where --server-side flag is not respected with helm upgrade --install #​31627
  • For SDK users: exposed KUBECONFIG to env

Installation and Upgrading

Download Helm v4.0.5. The common platform binaries are here:

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @​scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.1.0 and 3.20.0 are the next minor releases and will be on January 21, 2026
  • 4.1.1 and 3.20.1 are the next patch releases and will be on March 11, 2026

Changelog

  • fix(upgrade): pass --server-side flag to install when using upgrade --install 1b6053d (Evans Mungai)
  • fix(cli): handle nil config in EnvSettings.Namespace() 1e3ee1d (Zadkiel AHARONIAN)
  • fix(getter): pass settings environment variables 31bd995 (Zadkiel AHARONIAN)
  • test(statuswait): fix Copilot code review suggestion for goroutine in tests 41a6b36 (Mohsen Mottaghi)
  • test(statuswait): add more tests suggested by Copilot code review 2a2e6f7 (Mohsen Mottaghi)
  • test(statuswait): add some tests for statuswait 3818c02 (Mohsen Mottaghi)
  • fix: use namespace-scoped watching to avoid cluster-wide LIST permissions 66cab24 (Mohsen Mottaghi)
  • Use length check for MetaDependencies instead of nil comparison abf2007 (Calvin Bui)
  • Deal with golint warning with private executeShutdownFunc 4b3de18 (Benoit Tigeot)
  • Code review 3212770 (Benoit Tigeot)
  • Fix linting issue 417aae9 (Benoit Tigeot)
  • Update pkg/action/hooks.go 6c838b4 (Michelle Fernandez Bieber)
  • added check for nil shutdown c5d87f2 (Michelle Fernandez Bieber)
  • cleaned up empty line 53175b7 (Michelle Fernandez Bieber)
  • updated comment and made defer of shutdown function return errors as before and not the possible shutdown error d2df1ab (Michelle Fernandez Bieber)
  • added shutdown hook that is executed after the logs have been retrieved 5b223de (Michelle Fernandez Bieber)
  • Fix TestCliPluginExitCode e845b68 (tison)
  • Check plugin name is not used 30bfd57 (tison)
  • Fix rollback for missing resources 0fd2c41 (Feruzjon Muyassarov)
  • fix: assign KUBECONFIG environment variable value to env.Kubeconfig b456e27 (LinPr)
  • fix(rollback): errors.Is instead of string comp e2021f8 (Hidde Beydals)
  • fix(uninstall): supersede deployed releases af7c153 (Hidde Beydals)

v4.0.4: Helm v4.0.4

Helm v4.0.4 is a security fix for a Go CVE in the previous tag. This patch release rebuilds the Helm v4.0.2 release with the latest Go toolchain, to fix the Go CVE. Users are encouraged to upgrade. Note that tag v4.0.3 was skipped due to a build failure.

Installation and Upgrading

Download Helm v4.0.4. The common platform binaries are here:

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @​scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.19.5 and 4.0.5 are the next patch releases and will be on January 14, 2026
  • 3.20.0 and 4.1.0 are the next minor releases and will be on January 21, 2026

Changelog

  • Bump v4.0.2 CVE deps cd700e0 (George Jenkins)
  • Use latest patch release of Go in releases 9db13ee (Matt Farina)

v4.0.2: Helm v4.0.2

Compare Source

Helm v4.0.2 is a patch release. Users are encouraged to upgrade for the best experience.

Installation and Upgrading

Download Helm v4.0.2. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.20.0 and 4.1.0 are the next minor releases and will be on January 21, 2026

Changelog

  • fix: prevent reporting fallback on version when none specified 94659f2 (Benoit Tigeot)
  • fix: prevent segmentation violation on empty yaml in multidoc 2dd1f66 (Benoit Tigeot)
  • Ignore duplicated URN in logs bbad438 (Benoit Tigeot)
  • jsonschema: warn and ignore unresolved URN $ref to match v3.18.4 bdcf920 (Benoit Tigeot)
  • Publish Helm v4 -> helm-latest-version 9ac7c2b (George Jenkins)
  • fix: Fix Helm v4 release distribution/get-helm-3 script 0bef6bd (George Jenkins)

v4.0.1: Helm v4.0.1

Compare Source

Helm v4.0.1 is a patch release. Users are encouraged to upgrade for the best experience.

Installation and Upgrading

Download Helm v4.0.1. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.19.3 and 4.0.2 are the next patch releases and will be on December 10, 2025
  • 3.20.0 and 4.1.0 are the next minor releases and will be on January 21, 2026

Changelog

  • Copy adopted resource info 12500dd (George Jenkins)
  • fixup test 1cf3841 (George Jenkins)
  • logs 32e2d08 (George Jenkins)
  • fix 4b6472f (George Jenkins)
  • fix: Use server-side apply for object create during update 9dfe3b3 (George Jenkins)
  • Fix kube client logging 861adc2 (Matt Farina)
  • update tests b2f7872 (yxxhero)
  • Refactor environment variable expansion in PrepareCommands and update tests 77f97a1 (yxxhero)
  • Fix syntax errors in the document a156195 (Fish-pro)
  • fix: correct LDFLAGS path for default Kubernetes version 2c0dcda (Benoit Tigeot)

v4.0.0: Helm v4.0.0

Compare Source

The Helm Team is proud to announce the first stable release of Helm 4.

New Features

Helm 4 has numerous new features, but a few deserve highlighting here:

  • Redesigned plugin system that supports Web Assembly based plugins
  • Post-renderers are now plugins
  • Server side apply is now supported
  • Improved resource watching, to support waiting, based on kstatus
  • Local Content-based caching (e.g. for charts)
  • Logging via slog enabling SDK logging to integrate with modern loggers
  • Reproducible builds of chart archives
  • Updated SDK API including support for multiple chart API versions (new experimental v3 chart API version coming soon)

For full release notes, please see: https://helm.sh/docs/overview/

Compatibility with Helm v3

Helm v4 is a major version with backward incompatible changes including to the flags and output of the Helm CLI and to the SDK.

Please evaluate the changes to your workflows. The changes are not as extensive as those from Helm v2 to v3, with the goal that the majority of workflows remain compatible between Helm v3 and v4.

Helm charts apiVersion v2 (majority of today's charts) will continue to be supported in Helm v4. Existing charts should continue to install, upgrade, and otherwise work. Please test the installation and upgrade of charts to ensure it works as expected. Changes (e.g., server side apply) may impact the experience.

Community

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Installation and Upgrading

Download Helm v4.0.0. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.19.3 and 4.0.1 are the next patch releases and will be on December 10, 2025
  • 3.20.0 and 4.1.0 are the next minor releases and will be on January 21, 2026

Thank You!

The Helm project has enjoyed code contributions from many community members. Many more community members have assisted by filing issues and working with us to identify and eliminate bugs while adding new features. The #helm-users slack channel has long been a friendly and open forum for getting help and learning more about Helm. We cannot thank you enough for making this a helpful, friendly, and welcoming community for all.

❤️ The Helm Team

v3.19.5: Helm v3.19.5

Compare Source

Helm v3.19.5 is a patch release. Users are encouraged to upgrade for the best experience.

Notable Changes

  • Fixed bug where removing subchart value via override resulted in warning #​31118
  • Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #​12556

Installation and Upgrading

Download Helm v3.19.5. The common platform binaries are here:

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @​scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.1.0 and 3.20.0 are the next minor releases and will be on January 21, 2026
  • 4.1.1 and 3.20.1 are the next patch releases and will be on March 11, 2026

Changelog

  • fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)
  • fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)
  • fix null merge 578564e (Ben Foster)

Configuration

📅 Schedule: Branch creation - "before 3am on sunday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR was generated by Mend Renovate. View the repository job log.
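
The Sec-Fetch-Site rules quoted in the echo v4.15.0 notes above, written out as a standalone decision function so a reviewer can see which of their own request flows would start returning 403 after this bump. This is an added example, not Echo's middleware code and not part of the Renovate comment; `Decide`, `sample`, the `Decision` values, the `app.example` and `other.example` hosts, and the choices marked "assumption" are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Decision is what the Fetch Metadata check tells the CSRF layer to do.
type Decision string

const (
	Allow      Decision = "allow"       // pass without a token check
	CheckToken Decision = "check-token" // fall back to token validation
	Block      Decision = "block-403"   // reject the request
)

// unsafeMethod covers the state-changing methods named in the release notes.
func unsafeMethod(m string) bool {
	switch m {
	case http.MethodPost, http.MethodPut, http.MethodDelete, http.MethodPatch:
		return true
	}
	return false
}

// Decide models the rules listed in the notes. It is not Echo's implementation.
func Decide(r *http.Request, trustedOrigins []string) Decision {
	switch r.Header.Get("Sec-Fetch-Site") {
	case "": // older browser: header absent
		return CheckToken
	case "same-origin", "none":
		return Allow
	case "same-site":
		return CheckToken
	case "cross-site":
		if !unsafeMethod(r.Method) {
			return CheckToken // assumption: safe methods are left to the token layer
		}
		origin := r.Header.Get("Origin")
		for _, t := range trustedOrigins {
			if origin == t { // assumption: exact string match on Origin
				return Allow
			}
		}
		return Block
	}
	return Block // assumption: unknown header values fail closed
}

// sample builds a constructed request; nothing is sent over the network.
func sample(method, site, origin string) *http.Request {
	r := httptest.NewRequest(method, "https://app.example/transfer", nil)
	if site != "" {
		r.Header.Set("Sec-Fetch-Site", site)
	}
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	trusted := []string{"https://oauth-provider.com"} // value from the notes' example
	for _, c := range [][3]string{ // constructed cases: method, Sec-Fetch-Site, Origin
		{"POST", "same-origin", "https://app.example"},
		{"POST", "same-site", "https://api.app.example"},
		{"POST", "cross-site", "https://other.example"},
		{"POST", "cross-site", "https://oauth-provider.com"},
		{"POST", "", ""},
	} {
		fmt.Printf("%-5s site=%-12q origin=%-30q -> %s\n", c[0], c[1], c[2], Decide(sample(c[0], c[1], c[2]), trusted))
	}
}
```
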

renovate bot commented Nov 16, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 5 additional dependencies were updated

Details:

Package Change
github.com/go-openapi/jsonpointer v0.21.0 -> v0.21.1
github.com/go-openapi/jsonreference v0.20.4 -> v0.21.0
github.com/go-openapi/swag v0.23.0 -> v0.23.1
github.com/mailru/easyjson v0.7.7 -> v0.9.0
k8s.io/kubectl v0.34.0 -> v0.34.1

@renovate renovate bot force-pushed the renovate/major-go-major-updates branch from d20dc74 to c66de85 Compare November 16, 2025 06:27
@renovate renovate bot force-pushed the renovate/major-go-major-updates branch from c66de85 to f639a5a Compare November 24, 2025 21:09
@renovate renovate bot force-pushed the renovate/major-go-major-updates branch from f639a5a to bf01324 Compare December 11, 2025 04:50
renovate bot commented Dec 11, 2025

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 11 additional dependencies were updated

Details:

Package Change
github.com/go-openapi/jsonpointer v0.21.0 -> v0.21.1
github.com/go-openapi/jsonreference v0.20.4 -> v0.21.0
github.com/go-openapi/swag v0.23.0 -> v0.23.1
github.com/mailru/easyjson v0.7.7 -> v0.9.0
golang.org/x/crypto v0.46.0 -> v0.47.0
golang.org/x/mod v0.30.0 -> v0.31.0
golang.org/x/net v0.48.0 -> v0.49.0
golang.org/x/sys v0.39.0 -> v0.40.0
golang.org/x/term v0.38.0 -> v0.39.0
golang.org/x/text v0.32.0 -> v0.33.0
golang.org/x/tools v0.39.0 -> v0.40.0

@renovate renovate bot force-pushed the renovate/major-go-major-updates branch 3 times, most recently from ccaf92d to 9ebec88 Compare December 14, 2025 05:04
@renovate renovate bot force-pushed the renovate/major-go-major-updates branch from 9ebec88 to 30419f5 Compare January 15, 2026 01:54
@renovate renovate bot force-pushed the renovate/major-go-major-updates branch from 30419f5 to 16b70f2 Compare January 18, 2026 17:34
@renovate renovate bot changed the title fix(deps): update module helm.sh/helm/v3 to v4 fix(deps): update go major updates (major) Jan 18, 2026