build(go): bump the go group with 2 updates #30

Merged
ethanjli merged 1 commit into main from dependabot/go_modules/go-20cd550cbd
Feb 2, 2026

@dependabot dependabot bot commented on behalf of github Feb 1, 2026

Bumps the go group with 2 updates: github.com/labstack/echo/v4 and tailscale.com.

Updates github.com/labstack/echo/v4 from 4.14.0 to 4.15.0

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.0

Security

WARNING: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship between the request origin and the target. The middleware uses this to make security decisions:

  • same-origin or none: Requests are allowed (exact origin match or direct user navigation)
  • same-site: Falls back to token validation (e.g., subdomain to main domain)
  • cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to traditional token-based CSRF protection.

New Configuration Options:

  • TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
  • AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},
    // Custom validation for same-site requests
    AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
        // Your custom authorization logic here
        return validateCustomAuth(c), nil
        // return true, err  // blocks request with error
        // return true, nil  // allows CSRF request through
        // return false, nil // falls back to legacy token logic
    },
}))

PR: labstack/echo#2858

Type-Safe Generic Parameter Binding

  • Added generic functions for type-safe parameter extraction and context access by @aldas in labstack/echo#2856

    Echo now provides generic functions for extracting path, query, and form parameters with automatic type conversion, eliminating manual string parsing and type assertions.

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.0 - 2026-01-01

Security

NB: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship between the request origin and the target. The middleware uses this to make security decisions:

  • same-origin or none: Requests are allowed (exact origin match or direct user navigation)
  • same-site: Falls back to token validation (e.g., subdomain to main domain)
  • cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to traditional token-based CSRF protection.

New Configuration Options:

  • TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
  • AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},
    // Custom validation for same-site requests
    AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
        // Your custom authorization logic here
        return validateCustomAuth(c), nil
        // return true, err  // blocks request with error
        // return true, nil  // allows CSRF request through
        // return false, nil // falls back to legacy token logic
    },
}))

PR: labstack/echo#2858

Type-Safe Generic Parameter Binding

  • Added generic functions for type-safe parameter extraction and context access by @aldas in labstack/echo#2856

    Echo now provides generic functions for extracting path, query, and form parameters with automatic type conversion,

... (truncated)

Commits
  • 482bb46 v4.15.0 changelog
  • d0f9d1e CRSF with Sec-Fetch-Site=same-site falls back to legacy token
  • f3fc618 CRSF with Sec-Fetch-Site checks
  • 4dcb9b4 licence headers
  • cbc0ac1 Add PathParam(Or)/QueryParam(Or)/FormParam(Or) generic functions
  • 6b14f4e Add Context.Get generic functions
  • 321530d disable test - returns different error under Windows
  • c8abd9f disable flaky test
  • 9fe43f7 fix Rate limiter disallows fractional rates
  • 1b5122a document things to reduce false positives
  • Additional commits viewable in compare view

Updates tailscale.com from 1.92.4 to 1.94.1

Release notes

Sourced from tailscale.com's releases.

v1.94.1

Please refer to the changelog available at https://tailscale.com/changelog

v1.92.5

Please refer to the changelog available at https://tailscale.com/changelog

Commits
  • d885b34 VERSION.txt: this is v1.94.1
  • 77af257 k8s-operator,kube: allow k8s api request events to be enabled via grants (#18...
  • ab802bb tsnet: add support for Services
  • 56442e2 ipn/ipnlocal: allow retrieval of serve config ETags from local API
  • 919b2ac net/netmon: move TailscaleInterfaceIndex out of netmon.State (#18428)
  • 8207707 VERSION.txt: this is v1.94.0
  • 5aeee1d .github/workflows: double the timeout for golangci-lint (#18404)
  • c3b7f24 ipn,ipn/local: always accept routes for Tailscale Services (cgnat range) (#18...
  • e9d8276 cmd/containerboot: allow for automatic ID token generation
  • 02af7c9 tsnet: allow for automatic ID token generation
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



Bumps the go group with 2 updates: [github.com/labstack/echo/v4](https://github.com/labstack/echo) and [tailscale.com](https://github.com/tailscale/tailscale).


Updates `github.com/labstack/echo/v4` from 4.14.0 to 4.15.0
- [Release notes](https://github.com/labstack/echo/releases)
- [Changelog](https://github.com/labstack/echo/blob/master/CHANGELOG.md)
- [Commits](labstack/echo@v4.14.0...v4.15.0)

Updates `tailscale.com` from 1.92.4 to 1.94.1
- [Release notes](https://github.com/tailscale/tailscale/releases)
- [Commits](tailscale/tailscale@v1.92.4...v1.94.1)

---
updated-dependencies:
- dependency-name: github.com/labstack/echo/v4
  dependency-version: 4.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: tailscale.com
  dependency-version: 1.94.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) labels Feb 1, 2026
@ethanjli ethanjli added this pull request to the merge queue Feb 2, 2026
Merged via the queue into main with commit 21a6071 Feb 2, 2026
2 checks passed
@ethanjli ethanjli deleted the dependabot/go_modules/go-20cd550cbd branch February 2, 2026 17:34
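
The Sec-Fetch-Site decision rules from the echo v4.15.0 release notes quoted in this PR, modelled as a stand-alone Go function so that an application's cross-origin and same-site requests can be classified before the bump is deployed. This is an added example, not echo's middleware code and not part of the PR; `Classify`, `Verdict` and `sample` are hypothetical names, and it assumes that safe methods are never blocked, that a cross-site request from a listed origin is allowed, and that unrecognised header values take the token path.

```go
package main

import (
	"fmt"
	"net/http"
)

type Verdict string // modelled outcome for one request

const (
	Allow      Verdict = "allow"
	CheckToken Verdict = "check-token" // hand over to the traditional token check
	Block      Verdict = "block-403"
)

// Classify models the Sec-Fetch-Site rules listed in the release notes. Assumed, not from echo's
// source: safe methods pass, trusted origins pass, unknown header values take the token path.
func Classify(r *http.Request, trusted []string) Verdict {
	unsafe := map[string]bool{"POST": true, "PUT": true, "DELETE": true, "PATCH": true}
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none":
		return Allow
	case "cross-site":
		for _, o := range trusted {
			if o == r.Header.Get("Origin") {
				return Allow
			}
		}
		if unsafe[r.Method] {
			return Block
		}
		return Allow
	}
	return CheckToken // same-site, header absent (older browser), or unknown value
}

// sample builds a constructed request; an empty site leaves the header unset.
func sample(method, site, origin string) *http.Request {
	r, _ := http.NewRequest(method, "https://app.example/settings", nil)
	if site != "" {
		r.Header.Set("Sec-Fetch-Site", site)
	}
	r.Header.Set("Origin", origin)
	return r
}

func main() {
	fmt.Println(Classify(sample("POST", "cross-site", "https://other.example"), []string{"https://oauth-provider.com"}))
}
```

Requests that classify as `block-403` here are the ones the release notes warn about: after the upgrade they need an entry in `TrustedOrigins` or an `AllowSecFetchSiteFunc` decision to keep working.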