@renovate renovate bot commented Dec 28, 2025

This PR contains the following updates:

Package                           Change
github.com/labstack/echo/v4       v4.14.0 → v4.15.0
k8s.io/api                        v0.34.3 → v0.35.0
k8s.io/apiextensions-apiserver    v0.34.3 → v0.35.0
k8s.io/apimachinery               v0.34.3 → v0.35.0
k8s.io/cli-runtime                v0.34.3 → v0.35.0
k8s.io/client-go                  v0.34.3 → v0.35.0

Release Notes

labstack/echo (github.com/labstack/echo/v4)

v4.15.0


Security

NB: If your application relies on cross-origin or same-site (same subdomain) requests, do not blindly push this version to production.

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF
protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship
between the request origin and the target. The middleware uses this to make security decisions:

  • same-origin or none: Requests are allowed (exact origin match or direct user navigation)
  • same-site: Falls back to token validation (e.g., subdomain to main domain)
  • cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to
traditional token-based CSRF protection.

New Configuration Options:

  • TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
  • AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},

    // Custom validation for same-site requests
    AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
        // Your custom authorization logic here
        return validateCustomAuth(c), nil
        // return true, err  // blocks request with error
        // return true, nil  // allows CSRF request through
        // return false, nil // falls back to legacy token logic
    },
}))

PR: #2858

Type-Safe Generic Parameter Binding

  • Added generic functions for type-safe parameter extraction and context access by @aldas in #2856

    Echo now provides generic functions for extracting path, query, and form parameters with automatic type conversion,
    eliminating manual string parsing and type assertions.

    New Functions:

    • Path parameters: PathParam[T], PathParamOr[T]
    • Query parameters: QueryParam[T], QueryParamOr[T], QueryParams[T], QueryParamsOr[T]
    • Form values: FormParam[T], FormParamOr[T], FormParams[T], FormParamsOr[T]
    • Context store: ContextGet[T], ContextGetOr[T]

    Supported Types:
    Primitives (bool, string, int/uint variants, float32/float64), time.Duration, time.Time
    (with custom layouts and Unix timestamp support), and custom types implementing BindUnmarshaler,
    TextUnmarshaler, or JSONUnmarshaler.

    Example:

    // Before: Manual parsing
    idStr := c.Param("id")
    id, err := strconv.Atoi(idStr)
    
    // After: Type-safe with automatic parsing
    id, err := echo.PathParam[int](c, "id")
    
    // With default values
    page, err := echo.QueryParamOr[int](c, "page", 1)
    limit, err := echo.QueryParamOr[int](c, "limit", 20)
    
    // Type-safe context access (no more panics from type assertions)
    user, err := echo.ContextGet[*User](c, "user")

PR: #2856

DEPRECATION NOTICE Timeout Middleware Deprecated - Use ContextTimeout Instead

The middleware.Timeout middleware has been deprecated due to fundamental architectural issues that cause
data races. Use middleware.ContextTimeout or middleware.ContextTimeoutWithConfig instead.

Why is this being deprecated?

The Timeout middleware manipulates response writers across goroutine boundaries, which causes data races that
cannot be reliably fixed without a complete architectural redesign. The middleware:

  • Swaps the response writer using http.TimeoutHandler
  • Must be the first middleware in the chain (fragile constraint)
  • Can cause races with other middleware (Logger, metrics, custom middleware)
  • Has been the source of multiple race condition fixes over the years

What should you use instead?

The ContextTimeout middleware (available since v4.12.0) provides timeout functionality using Go's standard
context mechanism. It is:

  • Race-free by design
  • Can be placed anywhere in the middleware chain
  • Simpler and more maintainable
  • Compatible with all other middleware

Migration Guide:

// Before (deprecated):
e.Use(middleware.Timeout())

// After (recommended):
e.Use(middleware.ContextTimeout(30 * time.Second))

Important Behavioral Differences:

  1. Handler cooperation required: With ContextTimeout, your handlers must check context.Done() for cooperative
    cancellation. The old Timeout middleware would send a 503 response regardless of handler cooperation, but had
    data race issues.

  2. Error handling: ContextTimeout returns errors through the standard error handling flow. Handlers that receive
    context.DeadlineExceeded should handle it appropriately:

e.GET("/long-task", func(c echo.Context) error {
    ctx := c.Request().Context()

    // Example: database query with context
    result, err := db.QueryContext(ctx, "SELECT * FROM large_table")
    if err != nil {
        if errors.Is(err, context.DeadlineExceeded) {
            // Handle timeout
            return echo.NewHTTPError(http.StatusServiceUnavailable, "Request timeout")
        }
        return err
    }

    return c.JSON(http.StatusOK, result)
})

  3. Background tasks: For long-running background tasks, use goroutines with context:

e.GET("/async-task", func(c echo.Context) error {
    ctx := c.Request().Context()

    resultCh := make(chan Result, 1)
    errCh := make(chan error, 1)

    go func() {
        result, err := performLongTask(ctx)
        if err != nil {
            errCh <- err
            return
        }
        resultCh <- result
    }()

    select {
    case result := <-resultCh:
        return c.JSON(http.StatusOK, result)
    case err := <-errCh:
        return err
    case <-ctx.Done():
        return echo.NewHTTPError(http.StatusServiceUnavailable, "Request timeout")
    }
})

Enhancements

kubernetes/api (k8s.io/api)

v0.35.0


kubernetes/apiextensions-apiserver (k8s.io/apiextensions-apiserver)

v0.35.0


kubernetes/apimachinery (k8s.io/apimachinery)

v0.35.0


kubernetes/cli-runtime (k8s.io/cli-runtime)

v0.35.0


kubernetes/client-go (k8s.io/client-go)

v0.35.0



Configuration

📅 Schedule: Branch creation - "before 3am on sunday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



This PR was generated by Mend Renovate. View the repository job log.
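
The Sec-Fetch-Site decision table from the v4.15.0 release notes quoted in the comment above, modelled as an added example on plain net/http. It is not part of this PR and not Echo's own code. `Guard`, `status`, the `/transfer` path, the token stand-in and the pass-through of safe methods are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Guard applies the Sec-Fetch-Site decision table before next runs. trusted stands
// in for TrustedOrigins and tokenOK for the legacy token check (both hypothetical).
func Guard(trusted map[string]bool, tokenOK func(*http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		allowed := true // assumption: only the unsafe methods named in the notes are checked
		switch r.Method {
		case http.MethodPost, http.MethodPut, http.MethodDelete, http.MethodPatch:
			switch r.Header.Get("Sec-Fetch-Site") {
			case "same-origin", "none": // exact origin match or direct navigation
			case "cross-site": // blocked unless the Origin is allowlisted
				allowed = trusted[r.Header.Get("Origin")]
			default: // same-site, header absent (older browsers) or unknown value
				allowed = tokenOK(r)
			}
		}
		if !allowed {
			http.Error(w, "csrf check failed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one constructed request through Guard and returns the response code.
func status(method, site, origin string, tokenValid bool) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	trusted := map[string]bool{"https://oauth-provider.com": true}
	h := Guard(trusted, func(*http.Request) bool { return tokenValid }, ok)
	r := httptest.NewRequest(method, "/transfer", nil)
	r.Header.Set("Sec-Fetch-Site", site) // an empty value reads the same as an absent header here
	r.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, r)
	return rec.Code
}

func main() {
	fmt.Println(status("POST", "cross-site", "https://other.example", true)) // cross-site, valid token
	fmt.Println(status("POST", "", "https://other.example", false))          // no header, bad token
}
```

In this model a cross-site POST is rejected even when it carries a valid token, which is why the release notes warn applications that depend on cross-origin requests to review the upgrade before deploying it.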


renovate bot commented Dec 28, 2025

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: example/complete/go.sum
Command failed: go get -t ./...
go: complete-example imports
	github.com/taking/kubemigrate/pkg/client/velero imports
	k8s.io/client-go/kubernetes/scheme imports
	k8s.io/api/storagemigration/v1alpha1: cannot find module providing package k8s.io/api/storagemigration/v1alpha1

File name: example/kubernetes/go.sum
Command failed: go get -t ./...
go: kubernetes-example imports
	github.com/taking/kubemigrate/pkg/client/kubernetes imports
	k8s.io/client-go/kubernetes imports
	k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1 imports
	k8s.io/api/storagemigration/v1alpha1: cannot find module providing package k8s.io/api/storagemigration/v1alpha1

@renovate renovate bot force-pushed the renovate/go-minorpatch-updates branch from 0f55432 to 7e03c68 Compare January 1, 2026 14:07
@renovate renovate bot changed the title fix(deps): update go minor/patch updates to v0.35.0 fix(deps): update go minor/patch updates Jan 1, 2026