Bump the updates group with 3 updates

[dependabot]

Bumps the updates group with 3 updates: github.com/aarondl/sqlboiler/v4, github.com/jackc/pgx/v5 and github.com/labstack/echo/v4.

Updates github.com/aarondl/sqlboiler/v4 from 4.19.5 to 4.19.7

Changelog

Sourced from github.com/aarondl/sqlboiler/v4's changelog.

[4.19.7] - 2025-12-31

Fixed

• Version number in main.go

[4.19.6] - 2025-12-31

Fixed

• Do not treat columns with partial unique indexes as unique in psql driver.

Security

• Update golang.org/x/crypto from 0.38.0 -> 0.45.0

[4.19.2-4] - 2025-06-26

Changed

• Change import paths

[4.19.1] - 2025-05-20

Fixed

• Fix performance issue in v4.19.0 by reverting the cleanup of unused imports.
• Updated minimum required Go version to 1.23.
• Updated dependencies to fix CVEs.

[4.19.0] - 2025-05-09

Added

• Add relation getters on base model structs. (thanks @​parnic)
• Added --no-relation-getters option to prevent generation relation getters on the main structs. (thanks @​parnic)
• Add Query, Exec, and Bind helpers to the global executor. (thanks @​parnic)
  • BindGP
  • QueryRowG
  • QueryRowContextG
  • ExecG
  • ExecGP
  • QueryG
  • QueryGP
  • ExecContextG
  • ExecContextP
  • ExecContextGP
  • QueryContextG
  • QueryContextP
  • QueryContextGP

... (truncated)

Commits

• 3b1f527 Bump version
• 33a326a Update changelog
• c11dae0 Merge pull request #1467 from aarondl/dependabot/go_modules/golang.org/x/cryp...
• fba535b Bump golang.org/x/crypto from 0.38.0 to 0.45.0
• 544e18d Merge pull request #1463 from shantanuraj/shantanu/fix-json-buffer-reuse
• 7f8daf0 Drop unused sliceType argument from bind
• b5b94dd Fix buffer reuse when reading types.JSON
• 8b2fd83 add TestBindJsonSlice
• b385498 Merge pull request #1462 from beonode/psql-partial-unique-index-fix
• 5f0bad9 Revert accidental autoformatting
• Additional commits viewable in compare view

Updates github.com/jackc/pgx/v5 from 5.7.6 to 5.8.0

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.8.0 (December 26, 2025)

• Require Go 1.24+
• Remove golang.org/x/crypto dependency
• Add OptionShouldPing to control ResetSession ping behavior (ilyam8)
• Fix: Avoid overflow when MaxConns is set to MaxInt32
• Fix: Close batch pipeline after a query error (Anthonin Bonnefoy)
• Faster shutdown of pgxpool.Pool background goroutines (Blake Gentry)
• Add pgxpool ping timeout (Amirsalar Safaei)
• Fix: Rows.FieldDescriptions for empty query
• Scan unknown types into *any as string or []byte based on format code
• Optimize pgtype.Numeric (Philip Dubé)
• Add AfterNetConnect hook to pgconn.Config
• Fix: Handle for preparing statements that fail during the Describe phase
• Fix overflow in numeric scanning (Ilia Demianenko)
• Fix: json/jsonb sql.Scanner source type is []byte
• Migrate from math/rand to math/rand/v2 (Mathias Bogaert)
• Optimize internal iobufpool (Mathias Bogaert)
• Optimize stmtcache invalidation (Mathias Bogaert)
• Fix: missing error case in interval parsing (Maxime Soulé)
• Fix: invalidate statement/description cache in Exec (James Hartig)
• ColumnTypeLength method return the type length for varbit type (DengChan)
• Array and Composite codecs handle typed nils

Commits

• fe8740a Release v5.8.0
• e5dde5a Skip test on CockroachDB
• 06f2d82 Remove trailing space
• 2cf78dd Merge pull request #2448 from DengChan/column_type_lenth_varbit
• 2d1c4ef Skip tests on CockroachDB
• 1a5fa7f Array and Composite codecs handle typed nils
• 5736d09 ColumnTypeLength method return the type length for varbit type.
• 4c1308c Revert "stdlib matches native pgx scanning support"
• 14ce2b7 Skip test on CockroachDB
• 65b2724 Merge pull request #2443 from jameshartig/x-invalidate-cache-in-exec
• Additional commits viewable in compare view

Updates github.com/labstack/echo/v4 from 4.14.0 to 4.15.0

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.0

Security

WARNING: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship between the request origin and the target. The middleware uses this to make security decisions:

• same-origin or none: Requests are allowed (exact origin match or direct user navigation)
• same-site: Falls back to token validation (e.g., subdomain to main domain)
• cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to traditional token-based CSRF protection.

New Configuration Options:

• TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
• AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},
// Custom validation for same-site requests
AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
    // Your custom authorization logic here
    return validateCustomAuth(c), nil
    // return true, err  // blocks request with error
    // return true, nil  // allows CSRF request through
    // return false, nil // falls back to legacy token logic
},

}))

PR: labstack/echo#2858

Type-Safe Generic Parameter Binding

• Added generic functions for type-safe parameter extraction and context access by @​aldas in labstack/echo#2856

  Echo now provides generic functions for extracting path, query, and form parameters with automatic type conversion, eliminating manual string parsing and type assertions.

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.0 - 2026-01-01

Security

NB: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship between the request origin and the target. The middleware uses this to make security decisions:

• same-origin or none: Requests are allowed (exact origin match or direct user navigation)
• same-site: Falls back to token validation (e.g., subdomain to main domain)
• cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to traditional token-based CSRF protection.

New Configuration Options:

• TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
• AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},
// Custom validation for same-site requests
AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
    // Your custom authorization logic here
    return validateCustomAuth(c), nil
    // return true, err  // blocks request with error
    // return true, nil  // allows CSRF request through
    // return false, nil // falls back to legacy token logic
},

}))

PR: labstack/echo#2858

Type-Safe Generic Parameter Binding

• Added generic functions for type-safe parameter extraction and context access by @​aldas in labstack/echo#2856

  Echo now provides generic functions for extracting path, query, and form parameters with automatic type conversion,

... (truncated)

Commits

• 482bb46 v4.15.0 changelog
• d0f9d1e CRSF with Sec-Fetch-Site=same-site falls back to legacy token
• f3fc618 CRSF with Sec-Fetch-Site checks
• 4dcb9b4 licence headers
• cbc0ac1 Add PathParam(Or)/QueryParam(Or)/FormParam(Or) generic functions
• 6b14f4e Add Context.Get generic functions
• 321530d disable test - returns different error under Windows
• c8abd9f disable flaky test
• 9fe43f7 fix Rate limiter disallows fractional rates
• 1b5122a document things to reduce false positives
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions