
fix(deps): update module github.com/labstack/echo/v4 to v4.13.3

This MR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/labstack/echo/v4 | require | minor | v4.8.0 -> v4.13.3 |

Release Notes

labstack/echo

v4.13.3

Compare Source

Security

v4.13.2

Compare Source

Security

v4.13.1

Compare Source

Fixes

v4.13.0

Compare Source

BREAKING CHANGE JWT Middleware Removed from Core use labstack/echo-jwt instead

The JWT middleware has been removed from Echo core due to another security vulnerability, CVE-2024-51744. For more details, refer to issue #​2699. A drop-in replacement is available in the labstack/echo-jwt repository.

Important: Direct assignments like token := c.Get("user").(*jwt.Token) will now cause a panic due to an invalid cast. Update your code accordingly. Replace the current "github.com/golang-jwt/jwt" imports in your handlers with the version the new middleware uses, "github.com/golang-jwt/jwt/v5".

Background:

The version of golang-jwt/jwt (v3.2.2) previously used in Echo core has been in an unmaintained state for some time. This is not the first vulnerability affecting this library; earlier issues were addressed in MR #​1946. JWT middleware was marked as deprecated in Echo core as of v4.10.0 on 2022-12-27. If you did not notice that, consider leveraging tools like Staticcheck to catch such deprecations earlier in your dev/CI flow. For bonus points - check out gosec.

We sincerely apologize for any inconvenience caused by this change. While we strive to maintain backward compatibility within Echo core, recurring security issues with third-party dependencies have forced this decision.

Enhancements

v4.12.0

Compare Source

Security

Enhancements

v4.11.4

Compare Source

Security

  • Upgrade golang.org/x/crypto to v0.17.0 to fix vulnerability issue #​2562

Enhancements

v4.11.3

Compare Source

Security

  • 'c.Attachment' and 'c.Inline' should escape filename in 'Content-Disposition' header to avoid 'Reflected File Download' vulnerability. #​2541
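What the escaping in that fix protects against, as an added example for this MR (not Echo's code): an unescaped, user-controlled filename can rewrite the Content-Disposition header, while building it with the standard library's mime.FormatMediaType yields a quoted, backslash-escaped value (or the RFC 2231 filename* form for non-ASCII names). The handler, its header names and the "download" fallback are assumptions made for the example.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"strings"
)

// unsafeDisposition mimics the pre-fix pattern: the user-controlled name is
// interpolated unescaped, so a name like `evil.txt"; filename="payload.bat`
// changes the filename the browser actually uses.
func unsafeDisposition(kind, name string) string {
	return fmt.Sprintf("%s; filename=%s", kind, name)
}

// safeDisposition builds the header with mime.FormatMediaType: a bare token
// for plain names, a backslash-escaped quoted-string when the name contains
// quotes, semicolons or spaces, and filename*=utf-8''... for non-ASCII.
// kind is "attachment" or "inline".
func safeDisposition(kind, name string) string {
	// Control characters (CR/LF included) never belong in a filename; drop
	// them so the header can never carry a line break.
	name = strings.Map(func(r rune) rune {
		if r < 0x20 || r == 0x7f {
			return -1
		}
		return r
	}, name)
	if name == "" {
		name = "download" // fallback name (assumption for the example)
	}
	return mime.FormatMediaType(kind, map[string]string{"filename": name})
}

// attachmentHandler serves body as a download under an untrusted name.
func attachmentHandler(name string, body []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/octet-stream")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.Header().Set("Content-Disposition", safeDisposition("attachment", name))
		w.WriteHeader(http.StatusOK)
		w.Write(body)
	}
}
```

The nosniff header is not part of the fix in #​2541 but is the usual companion: it stops the browser from reinterpreting the served bytes as a different type regardless of the filename.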

Enhancements

  • Tests: refactor context tests to be separate functions #​2540
  • Proxy middleware: reuse echo request context #​2537
  • Mark unmarshallable yaml struct tags as ignored #​2536

v4.11.2

Compare Source

Security

  • Bump golang.org/x/net to prevent CVE-2023-39325 / CVE-2023-44487 HTTP/2 Rapid Reset Attack #​2527
  • fix(sec): randomString bias introduced by #​2490 #​2492
  • CSRF/RequestID mw: switch math/random usage to crypto/random #​2490
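The two items above are easy to get wrong together: moving to crypto/rand fixes the predictability, but mapping each random byte onto the alphabet with a modulo introduces a statistical bias whenever 256 is not a multiple of the alphabet size. The page does not describe the exact bias fixed in #​2492; the added example below (written for this MR, not Echo's code) shows the classic modulo bias on a 62-symbol alphabet and the rejection-sampling version that avoids it. The alphabet and function names are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"strings"
)

// alnum has 62 symbols. 256 = 4*62 + 8, so a plain byte%62 produces the first
// 8 symbols from 5 byte values each and the other 54 from 4 values each.
const alnum = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

// biasedRandomString uses a CSPRNG but maps bytes with a bare modulo: the
// output is unpredictable yet not uniform over the alphabet.
func biasedRandomString(n int, charset string) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	out := make([]byte, n)
	for i, b := range buf {
		out[i] = charset[int(b)%len(charset)]
	}
	return string(out), nil
}

// rejectionLimit is the largest multiple of the alphabet size that fits in a
// byte; byte values at or above it are discarded so each symbol is equally likely.
func rejectionLimit(charsetLen int) int {
	return 256 - 256%charsetLen
}

// randomString draws from crypto/rand with rejection sampling.
func randomString(n int, charset string) (string, error) {
	k := len(charset)
	if k == 0 || k > 256 {
		return "", errors.New("charset must have 1..256 symbols")
	}
	limit := rejectionLimit(k)
	out := make([]byte, 0, n)
	buf := make([]byte, n)
	for len(out) < n {
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		for _, b := range buf {
			if int(b) >= limit {
				continue // reject: these values would skew the modulo below
			}
			out = append(out, charset[int(b)%k])
			if len(out) == n {
				break
			}
		}
	}
	return string(out), nil
}

// modBiasRatio is how much more likely the most frequent symbol is than the
// least frequent one under byte%k; 1.0 means no bias.
func modBiasRatio(k int) float64 {
	high := (256 + k - 1) / k
	low := 256 / k
	return float64(high) / float64(low)
}

// inCharset reports whether every byte of s comes from charset.
func inCharset(s, charset string) bool {
	for i := 0; i < len(s); i++ {
		if strings.IndexByte(charset, s[i]) < 0 {
			return false
		}
	}
	return true
}
```

For a 62-symbol alphabet modBiasRatio reports 1.25, i.e. digits 0-7 are 25% more likely than every other symbol in the biased version; for a 64-symbol alphabet (a power of two) it is exactly 1.0 and the modulo is harmless.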

Enhancements

v4.11.1

Compare Source

Fixes

  • Fix Gzip middleware not sending response code for no content responses (404, 301/302 redirects etc) #​2481

v4.11.0

Compare Source

Fixes

  • Fixes the proxy middleware concurrency issue of calling the Next() proxy target on Round Robin Balancer #​2409
  • Fix group.RouteNotFound not working when group has attached middlewares #​2411
  • Fix global error handler return error message when message is an error #​2456
  • Do not use global timeNow variables #​2477

Enhancements

  • Added an optional config variable to disable centralized error handler in recovery middleware #​2410
  • refactor: use strings.ReplaceAll directly #​2424
  • Add support for Go1.20 http.rwUnwrapper to Response struct #​2425
  • Check whether is nil before invoking centralized error handling #​2429
  • Proper colon support in echo.Reverse method #​2416
  • Fix misuses of a vs an in documentation comments #​2436
  • Add link to slog.Handler library for Echo logging into README.md #​2444
  • In proxy middleware Support retries of failed proxy requests #​2414
  • gofmt fixes to comments #​2452
  • gzip response only if it exceeds a minimal length #​2267
  • Upgrade packages #​2475

v4.10.2

Compare Source

Security

  • filepath.Clean behaviour has changed in Go 1.20 - adapt to it #​2406
  • Add middleware.CORSConfig.UnsafeWildcardOriginWithAllowCredentials to make UNSAFE usages of wildcard origin + allow credentials less likely #​2405
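Why wildcard origin plus credentials needs an explicit unsafe flag, as an added example for this MR that mirrors the rule the note describes but is not Echo's middleware: browsers refuse to expose a credentialed response whose Access-Control-Allow-Origin is the literal `*`, so the safe default fails closed; reflecting the request's Origin instead lets any site make authenticated cross-origin requests, which is the behaviour the flag gates. The config type, the net/http middleware and the preflight handling are assumptions made for the example.

```go
package main

import "net/http"

// CORSConfig carries the three settings involved in the note; the field names
// follow it but this is not Echo's type.
type CORSConfig struct {
	AllowOrigins     []string
	AllowCredentials bool
	// UnsafeWildcardOriginWithAllowCredentials must be set explicitly to get
	// reflect-any-origin behaviour together with credentials.
	UnsafeWildcardOriginWithAllowCredentials bool
}

// allowOrigin resolves the Access-Control-Allow-Origin value for a request
// origin, or "" when the origin is not allowed.
func allowOrigin(cfg CORSConfig, origin string) string {
	if origin == "" {
		return ""
	}
	for _, o := range cfg.AllowOrigins {
		if o == "*" && cfg.AllowCredentials && cfg.UnsafeWildcardOriginWithAllowCredentials {
			// Reflecting the caller's origin plus Allow-Credentials: true lets
			// any site make authenticated cross-origin requests.
			return origin
		}
		if o == "*" || o == origin {
			// A literal "*" with Allow-Credentials: true is rejected by browsers
			// for credentialed requests, so the unsafe combination fails closed.
			return o
		}
	}
	return ""
}

// CORS wraps next with the headers derived from cfg.
func CORS(cfg CORSConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		w.Header().Add("Vary", "Origin")
		if ao := allowOrigin(cfg, origin); ao != "" {
			w.Header().Set("Access-Control-Allow-Origin", ao)
			if cfg.AllowCredentials {
				w.Header().Set("Access-Control-Allow-Credentials", "true")
			}
		}
		// Minimal preflight: answer OPTIONS with a CORS request method directly.
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

The correct fix for a credentialed API is the third configuration in the test: an explicit origin allowlist, so that an unknown origin gets no Allow-Origin header at all.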

Enhancements

v4.10.1

Compare Source

Security

  • Upgrade deps due to the latest golang.org/x/net vulnerability #​2402

Enhancements

  • Add new JWT repository to the README #​2377
  • Return an empty string for ctx.path if there is no registered path #​2385
  • Add context timeout middleware #​2380
  • Update link to jaegertracing #​2394

v4.10.0

Compare Source

Security

  • We are deprecating JWT middleware in this repository. Please use https://github.com/labstack/echo-jwt instead.

    JWT middleware is moved to separate repository to allow us to bump/upgrade version of JWT implementation (github.com/golang-jwt/jwt) we are using which we can not do in Echo core because this would break backwards compatibility guarantees we try to maintain.

  • This minor version bumps minimum Go version to 1.17 (from 1.16) due to the golang.org/x/ packages we depend on. There are several vulnerabilities fixed in these libraries.

    Echo still tries to support last 4 Go versions but there are occasions we can not guarantee this promise.

Enhancements

  • Bump x/text to 0.3.8 #​2305
  • Bump dependencies and add notes about Go releases we support #​2336
  • Add helper interface for ProxyBalancer interface #​2316
  • Expose middleware.CreateExtractors function so we can use it from echo-contrib repository #​2338
  • Refactor func(Context) error to HandlerFunc #​2315
  • Improve function comments #​2329
  • Add new method HTTPError.WithInternal #​2340
  • Replace io/ioutil package usages #​2342
  • Add staticcheck to CI flow #​2343
  • Replace relative path determination from proprietary to std #​2345
  • Remove square brackets from ipv6 addresses in XFF (X-Forwarded-For header) #​2182
  • Add testcases for some BodyLimit middleware configuration options #​2350
  • Additional configuration options for RequestLogger and Logger middleware #​2341
  • Add route to request log #​2162
  • GitHub Workflows security hardening #​2358
  • Add govulncheck to CI and bump dependencies #​2362
  • Fix rate limiter docs #​2366
  • Refactor how e.Routes() work and introduce e.OnAddRouteHandler callback #​2337

v4.9.1

Compare Source

Fixes

  • Fix logger panicking (when template is set to empty) by bumping dependency version #​2295

Enhancements

  • Improve CORS documentation #​2272
  • Update readme about supported Go versions #​2291
  • Tests: improve error handling on closing body #​2254
  • Tests: refactor some of the assertions in tests #​2275
  • Tests: refactor assertions #​2301

v4.9.0

Compare Source

Security

  • Fix open redirect vulnerability in handlers serving static directories (e.Static, e.StaticFs, echo.StaticDirectoryHandler) #​2260

Enhancements

  • Allow configuring ErrorHandler in CSRF middleware #​2257
  • Replace HTTP method constants in tests with stdlib constants #​2247

Configuration

📅 Schedule: "before 6am on Monday" in timezone Europe/Paris.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


  • If you want to rebase/retry this MR, click this checkbox.

This MR has been generated by Renovate Bot.

Edited by Renovate-Bot
