fix(deps): update module github.com/labstack/echo/v4 to v4.13.3
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
github.com/labstack/echo/v4 | require | minor |
v4.8.0 -> v4.13.3
|
Release Notes
labstack/echo
v4.13.3
Security
- Update golang.org/x/net dependency GO-2024-3333 in https://github.com/labstack/echo/pull/2722
v4.13.2
Security
- Update dependencies (dependabot reports GO-2024-3321) in https://github.com/labstack/echo/pull/2721
v4.13.1
Fixes
- Fix BindBody ignoring
Transfer-Encoding: chunked
requests by @178inaba in https://github.com/labstack/echo/pull/2717
v4.13.0
BREAKING CHANGE JWT Middleware Removed from Core use labstack/echo-jwt instead
The JWT middleware has been removed from Echo core due to another security vulnerability, CVE-2024-51744. For more details, refer to issue #2699. A drop-in replacement is available in the labstack/echo-jwt repository.
Important: Direct assignments like token := c.Get("user").(*jwt.Token)
will now cause a panic due to an invalid cast. Update your code accordingly. Replace the current imports from "github.com/golang-jwt/jwt"
in your handlers to the new middleware version using "github.com/golang-jwt/jwt/v5"
.
Background:
The version of golang-jwt/jwt
(v3.2.2) previously used in Echo core has been in an unmaintained state for some time. This is not the first vulnerability affecting this library; earlier issues were addressed in MR #1946.
JWT middleware was marked as deprecated in Echo core as of v4.10.0 on 2022-12-27. If you did not notice that, consider leveraging tools like Staticcheck to catch such deprecations earlier in you dev/CI flow. For bonus points - check out gosec.
We sincerely apologize for any inconvenience caused by this change. While we strive to maintain backward compatibility within Echo core, recurring security issues with third-party dependencies have forced this decision.
Enhancements
- remove jwt middleware by @stevenwhitehead in https://github.com/labstack/echo/pull/2701
- optimization: struct alignment by @behnambm in https://github.com/labstack/echo/pull/2636
- bind: Maintain backwards compatibility for map[string]interface{} binding by @thesaltree in https://github.com/labstack/echo/pull/2656
- Add Go 1.23 to CI by @aldas in https://github.com/labstack/echo/pull/2675
- improve
MultipartForm
test by @martinyonatann in https://github.com/labstack/echo/pull/2682 -
bind
: add support of multipart multi files by @martinyonatann in https://github.com/labstack/echo/pull/2684 - Add TemplateRenderer struct to ease creating renderers for
html/template
andtext/template
packages. by @aldas in https://github.com/labstack/echo/pull/2690 - Refactor TestBasicAuth to utilize table-driven test format by @ErikOlson in https://github.com/labstack/echo/pull/2688
- Remove broken header by @aldas in https://github.com/labstack/echo/pull/2705
- fix(bind body): content-length can be -1 by @phamvinhdat in https://github.com/labstack/echo/pull/2710
- CORS middleware should compile allowOrigin regexp at creation by @aldas in https://github.com/labstack/echo/pull/2709
- Shorten Github issue template and add test example by @aldas in https://github.com/labstack/echo/pull/2711
v4.12.0
Security
- Update golang.org/x/net dep because of GO-2024-2687 by @aldas in https://github.com/labstack/echo/pull/2625
Enhancements
- binder: make binding to Map work better with string destinations by @aldas in https://github.com/labstack/echo/pull/2554
- README.md: add Encore as sponsor by @marcuskohlberg in https://github.com/labstack/echo/pull/2579
- Reorder paragraphs in README.md by @aldas in https://github.com/labstack/echo/pull/2581
- CI: upgrade actions/checkout to v4 by @aldas in https://github.com/labstack/echo/pull/2584
- Remove default charset from 'application/json' Content-Type header by @doortts in https://github.com/labstack/echo/pull/2568
- CI: Use Go 1.22 by @aldas in https://github.com/labstack/echo/pull/2588
- binder: allow binding to a nil map by @georgmu in https://github.com/labstack/echo/pull/2574
- Add Skipper Unit Test In BasicBasicAuthConfig and Add More Detail Explanation regarding BasicAuthValidator by @RyoKusnadi in https://github.com/labstack/echo/pull/2461
- fix some typos by @teslaedison in https://github.com/labstack/echo/pull/2603
- fix: some typos by @pomadev in https://github.com/labstack/echo/pull/2596
- Allow ResponseWriters to unwrap writers when flushing/hijacking by @aldas in https://github.com/labstack/echo/pull/2595
- Add SPDX licence comments to files. by @aldas in https://github.com/labstack/echo/pull/2604
- Upgrade deps by @aldas in https://github.com/labstack/echo/pull/2605
- Change type definition blocks to single declarations. This helps copy… by @aldas in https://github.com/labstack/echo/pull/2606
- Fix Real IP logic by @cl-bvl in https://github.com/labstack/echo/pull/2550
- Default binder can use
UnmarshalParams(params []string) error
inter… by @aldas in https://github.com/labstack/echo/pull/2607 - Default binder can bind pointer to slice as struct field. For example
*[]string
by @aldas in https://github.com/labstack/echo/pull/2608 - Remove maxparam dependence from Context by @aldas in https://github.com/labstack/echo/pull/2611
- When route is registered with empty path it is normalized to
/
. by @aldas in https://github.com/labstack/echo/pull/2616 - proxy middleware should use httputil.ReverseProxy for SSE requests by @aldas in https://github.com/labstack/echo/pull/2624
v4.11.4
Security
Enhancements
- Update deps and mark Go version to 1.18 as this is what golang.org/x/* use #2563
- Request logger: add example for Slog https://pkg.go.dev/log/slog #2543
v4.11.3
Security
- 'c.Attachment' and 'c.Inline' should escape filename in 'Content-Disposition' header to avoid 'Reflect File Download' vulnerability. #2541
Enhancements
- Tests: refactor context tests to be separate functions #2540
- Proxy middleware: reuse echo request context #2537
- Mark unmarshallable yaml struct tags as ignored #2536
v4.11.2
Security
- Bump golang.org/x/net to prevent CVE-2023-39325 / CVE-2023-44487 HTTP/2 Rapid Reset Attack #2527
- fix(sec): randomString bias introduced by #2490 #2492
- CSRF/RequestID mw: switch math/random usage to crypto/random #2490
Enhancements
- Delete unused context in body_limit.go #2483
- Use Go 1.21 in CI #2505
- Fix some typos #2511
- Allow CORS middleware to send Access-Control-Max-Age: 0 #2518
- Bump dependancies #2522
v4.11.1
Fixes
- Fix
Gzip
middleware not sending response code for no content responses (404, 301/302 redirects etc) #2481
v4.11.0
Fixes
- Fixes the proxy middleware concurrency issue of calling the Next() proxy target on Round Robin Balancer #2409
- Fix
group.RouteNotFound
not working when group has attached middlewares #2411 - Fix global error handler return error message when message is an error #2456
- Do not use global timeNow variables #2477
Enhancements
- Added a optional config variable to disable centralized error handler in recovery middleware #2410
- refactor: use
strings.ReplaceAll
directly #2424 - Add support for Go1.20
http.rwUnwrapper
to Response struct #2425 - Check whether is nil before invoking centralized error handling #2429
- Proper colon support in
echo.Reverse
method #2416 - Fix misuses of a vs an in documentation comments #2436
- Add link to slog.Handler library for Echo logging into README.md #2444
- In proxy middleware Support retries of failed proxy requests #2414
- gofmt fixes to comments #2452
- gzip response only if it exceeds a minimal length #2267
- Upgrade packages #2475
v4.10.2
Security
-
filepath.Clean
behaviour has changed in Go 1.20 - adapt to it #2406 - Add
middleware.CORSConfig.UnsafeWildcardOriginWithAllowCredentials
to make UNSAFE usages of wildcard origin + allow cretentials less likely #2405
Enhancements
- Add more HTTP error values #2277
v4.10.1
Security
- Upgrade deps due to the latest golang.org/x/net vulnerability #2402
Enhancements
- Add new JWT repository to the README #2377
- Return an empty string for ctx.path if there is no registered path #2385
- Add context timeout middleware #2380
- Update link to jaegertracing #2394
v4.10.0
Security
-
We are deprecating JWT middleware in this repository. Please use https://github.com/labstack/echo-jwt instead.
JWT middleware is moved to separate repository to allow us to bump/upgrade version of JWT implementation (
github.com/golang-jwt/jwt
) we are using which we can not do in Echo core because this would break backwards compatibility guarantees we try to maintain. -
This minor version bumps minimum Go version to 1.17 (from 1.16) due
golang.org/x/
packages we depend on. There are several vulnerabilities fixed in these libraries.Echo still tries to support last 4 Go versions but there are occasions we can not guarantee this promise.
Enhancements
- Bump x/text to 0.3.8 #2305
- Bump dependencies and add notes about Go releases we support #2336
- Add helper interface for ProxyBalancer interface #2316
- Expose
middleware.CreateExtractors
function so we can use it from echo-contrib repository #2338 - Refactor func(Context) error to HandlerFunc #2315
- Improve function comments #2329
- Add new method HTTPError.WithInternal #2340
- Replace io/ioutil package usages #2342
- Add staticcheck to CI flow #2343
- Replace relative path determination from proprietary to std #2345
- Remove square brackets from ipv6 addresses in XFF (X-Forwarded-For header) #2182
- Add testcases for some BodyLimit middleware configuration options #2350
- Additional configuration options for RequestLogger and Logger middleware #2341
- Add route to request log #2162
- GitHub Workflows security hardening #2358
- Add govulncheck to CI and bump dependencies #2362
- Fix rate limiter docs #2366
- Refactor how
e.Routes()
work and introducee.OnAddRouteHandler
callback #2337
v4.9.1
Fixes
- Fix logger panicing (when template is set to empty) by bumping dependency version #2295
Enhancements
- Improve CORS documentation #2272
- Update readme about supported Go versions #2291
- Tests: improve error handling on closing body #2254
- Tests: refactor some of the assertions in tests #2275
- Tests: refactor assertions #2301
v4.9.0
Security
- Fix open redirect vulnerability in handlers serving static directories (e.Static, e.StaticFs, echo.StaticDirectoryHandler) #2260
Enhancements
Configuration
-
If you want to rebase/retry this MR, click this checkbox.
This MR has been generated by Renovate Bot.