JavaGolangJavaScriptSwiftAndroidRustMiddleware
12 hours ago
go-micro
micro

v5.30.0

What's Changed

Full Changelog: https://github.com/micro/go-micro/compare/v5.29.0...v5.30.0

2 days ago
echo
labstack

v4.15.4

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3016, released in v5.2.1). Thanks to @a-tt-om and @oran-gugu for reporting.

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt

// 1. share `public/` folder contents from the server root. This folder actually contains subfolder `admin` which
// contents we want to forbid from downloading
e.Static("/", "public")

// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
    return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txthello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

Full Changelog: https://github.com/labstack/echo/compare/v4.15.3...v4.15.4

2 days ago
echo
labstack

v5.2.1

Security

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt

// 1. share `public/` folder contents from the server root. This folder actually contains subfolder `admin` which
// contents we want to forbid from downloading
e.Static("/", "public")

// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
    return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Closes GHSA-vfp3-v2gw-7wfq more completely: the previous fix (#3009) rejected explicitly encoded separators at the handler level; this patch makes the no-unescape behavior the default so new configurations are safe without extra opt-out steps.

What changed: DisablePathUnescaping (on StaticConfig and StaticDirectoryHandlerConfig) is deprecated and replaced by EnablePathUnescaping (default false). Path unescaping is now opt-in.

What this protects: With EnablePathUnescaping: false (new default), encoded separators (%2F, %5C) are never decoded before routing or file lookup, so they cannot bypass route-level authentication or other middleware guards.

What this does NOT protect: Serving a directory with Static, StaticFS, or StaticDirectoryHandler exposes its entire subtree. Sibling routes are not a reliable ACL boundary — attach authorization middleware directly to the static mount, or serve sensitive sub-trees under separate guarded routes.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txthello world.txt), you must now opt in:

// Static middleware
e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
    EnablePathUnescaping: true, // only safe when NOT relying on route-based ACL guards
    ...
}))

// StaticDirectoryHandler
middleware.StaticDirectoryHandler(fs, &middleware.StaticDirectoryHandlerConfig{
    EnablePathUnescaping: true,
})

Full Changelog: https://github.com/labstack/echo/compare/v5.2.0...v5.2.1

2 days ago
wails
wailsapp

Wails v3.0.0-alpha2.103

Wails v3 Alpha Release - v3.0.0-alpha2.103

Changed

  • Move iOS and Android native features onto platform managers: call them via application.IOS.* and application.Android.* (e.g. application.IOS.Haptic("medium"), application.Android.Share(payload)) instead of the old application.IOS*/application.Android* free functions (#5602)
  • Rename mobile bridge events: cross-platform events now use the common:* prefix (e.g. common:haptic, common:location) and platform-exclusive events use ios:* / android:* (e.g. ios:backgroundTask, android:foregroundService); the native:* prefix is no longer used (#5602)

🤖 This is an automated nightly release generated from the latest changes on master.

Installation:

go install github.com/wailsapp/wails/v3/cmd/wails3@v3.0.0-alpha2.103

⚠️ Alpha Warning: This is pre-release software and may contain bugs or incomplete features.

2 days ago
go-micro
micro

v5.29.0

What's Changed

Full Changelog: https://github.com/micro/go-micro/compare/v5.28.0...v5.29.0

2 days ago
sarama
IBM

Version 1.50.3 (2026-06-15)

What's Changed

🎉 New Features / Improvements

🐛 Fixes

📦 Dependency updates

🔧 Maintenance

Full Changelog: https://github.com/IBM/sarama/compare/v1.50.2...v1.50.3

3 days ago
resty
go-resty

v3.0.0-rc.2

v3 Release Candidate 2

v3 Guide

Bug Fixes

New Contributors

Full Changelog: https://github.com/go-resty/resty/compare/v3.0.0-rc.1...v3.0.0-rc.2

3 days ago
echo
labstack

v4.15.3 - Static encoded-separator route bypass fix (GHSA-vfp3-v2gw-7wfq)

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3009, released in v5.2.0). Thanks to @a-tt-om and @oran-gugu for reporting.

Full Changelog: https://github.com/labstack/echo/compare/v4.15.2...v4.15.3

3 days ago
wails
wailsapp

Wails v3.0.0-alpha.102

Wails v3 Alpha Release - v3.0.0-alpha.102

Added

  • Add experimental wails3 setup wizard for interactive project setup and dependency checking
  • Add --json flag to wails3 doctor for machine-readable output
  • Add signing status section to wails3 doctor command

Fixed

  • Fix npm detection on Linux to check PATH in addition to package manager

🤖 This is an automated nightly release generated from the latest changes on master.

Installation:

go install github.com/wailsapp/wails/v3/cmd/wails3@v3.0.0-alpha.102

⚠️ Alpha Warning: This is pre-release software and may contain bugs or incomplete features.

3 days ago
echo
labstack

v5.2.0 - Static encoded-separator route bypass fix (GHSA-vfp3-v2gw-7wfq)

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler/StaticFS and the Static middleware are affected. Thanks to @a-tt-om and @oran-gugu for reporting.

Enhancements

New Contributors

Full Changelog: https://github.com/labstack/echo/compare/v5.1.1...v5.2.0