
Update module github.com/labstack/echo/v4 to v4.13.3 #47

Open · wants to merge 1 commit into base: master

Conversation

@renovate renovate bot commented Sep 20, 2024

This PR contains the following updates:

Package                     | Change
github.com/labstack/echo/v4 | v4.2.0 -> v4.13.3

Release Notes

labstack/echo (github.com/labstack/echo/v4)

v4.13.3

Security

v4.13.2

Security

v4.13.1

Fixes

v4.13.0

BREAKING CHANGE: JWT Middleware Removed from Core, use labstack/echo-jwt instead

The JWT middleware has been removed from Echo core due to another security vulnerability, CVE-2024-51744. For more details, refer to issue #​2699. A drop-in replacement is available in the labstack/echo-jwt repository.

Important: Direct assignments like token := c.Get("user").(*jwt.Token) will now cause a panic due to an invalid cast. Update your code accordingly. Replace the current imports of "github.com/golang-jwt/jwt" in your handlers with the new middleware version, "github.com/golang-jwt/jwt/v5".

Background:

The version of golang-jwt/jwt (v3.2.2) previously used in Echo core has been in an unmaintained state for some time. This is not the first vulnerability affecting this library; earlier issues were addressed in PR #​1946.
JWT middleware was marked as deprecated in Echo core as of v4.10.0 on 2022-12-27. If you did not notice that, consider leveraging tools like Staticcheck to catch such deprecations earlier in your dev/CI flow. For bonus points - check out gosec.

We sincerely apologize for any inconvenience caused by this change. While we strive to maintain backward compatibility within Echo core, recurring security issues with third-party dependencies have forced this decision.

Enhancements

v4.12.0

Security

Enhancements

v4.11.4

Security

  • Upgrade golang.org/x/crypto to v0.17.0 to fix vulnerability issue #​2562

Enhancements

v4.11.3

Security

  • 'c.Attachment' and 'c.Inline' should escape filename in 'Content-Disposition' header to avoid 'Reflect File Download' vulnerability. #​2541

Enhancements

  • Tests: refactor context tests to be separate functions #​2540
  • Proxy middleware: reuse echo request context #​2537
  • Mark unmarshallable yaml struct tags as ignored #​2536

v4.11.2

Security

Enhancements

v4.11.1

Fixes

  • Fix Gzip middleware not sending response code for no content responses (404, 301/302 redirects etc) #​2481

v4.11.0

Fixes

  • Fixes the proxy middleware concurrency issue of calling the Next() proxy target on Round Robin Balancer #​2409
  • Fix group.RouteNotFound not working when group has attached middlewares #​2411
  • Fix global error handler return error message when message is an error #​2456
  • Do not use global timeNow variables #​2477

Enhancements

  • Added an optional config variable to disable centralized error handler in recovery middleware #​2410
  • refactor: use strings.ReplaceAll directly #​2424
  • Add support for Go1.20 http.rwUnwrapper to Response struct #​2425
  • Check whether is nil before invoking centralized error handling #​2429
  • Proper colon support in echo.Reverse method #​2416
  • Fix misuses of a vs an in documentation comments #​2436
  • Add link to slog.Handler library for Echo logging into README.md #​2444
  • In proxy middleware Support retries of failed proxy requests #​2414
  • gofmt fixes to comments #​2452
  • gzip response only if it exceeds a minimal length #​2267
  • Upgrade packages #​2475

v4.10.2

Security

  • filepath.Clean behaviour has changed in Go 1.20 - adapt to it #​2406
  • Add middleware.CORSConfig.UnsafeWildcardOriginWithAllowCredentials to make UNSAFE usages of wildcard origin + allow credentials less likely #​2405

Enhancements

v4.10.1

Security

  • Upgrade deps due to the latest golang.org/x/net vulnerability #​2402

Enhancements

  • Add new JWT repository to the README #​2377
  • Return an empty string for ctx.path if there is no registered path #​2385
  • Add context timeout middleware #​2380
  • Update link to jaegertracing #​2394

v4.10.0

Security

  • We are deprecating JWT middleware in this repository. Please use https://github.com/labstack/echo-jwt instead.

    JWT middleware is moved to a separate repository to allow us to bump/upgrade the version of the JWT implementation (github.com/golang-jwt/jwt) we are using,
    which we cannot do in Echo core because this would break the backwards compatibility guarantees we try to maintain.

  • This minor version bumps the minimum Go version to 1.17 (from 1.16) due to the golang.org/x/ packages we depend on. There are
    several vulnerabilities fixed in these libraries.

    Echo still tries to support the last 4 Go versions but there are occasions where we cannot guarantee this promise.

Enhancements

  • Bump x/text to 0.3.8 #​2305
  • Bump dependencies and add notes about Go releases we support #​2336
  • Add helper interface for ProxyBalancer interface #​2316
  • Expose middleware.CreateExtractors function so we can use it from echo-contrib repository #​2338
  • Refactor func(Context) error to HandlerFunc #​2315
  • Improve function comments #​2329
  • Add new method HTTPError.WithInternal #​2340
  • Replace io/ioutil package usages #​2342
  • Add staticcheck to CI flow #​2343
  • Replace relative path determination from proprietary to std #​2345
  • Remove square brackets from ipv6 addresses in XFF (X-Forwarded-For header) #​2182
  • Add testcases for some BodyLimit middleware configuration options #​2350
  • Additional configuration options for RequestLogger and Logger middleware #​2341
  • Add route to request log #​2162
  • GitHub Workflows security hardening #​2358
  • Add govulncheck to CI and bump dependencies #​2362
  • Fix rate limiter docs #​2366
  • Refactor how e.Routes() work and introduce e.OnAddRouteHandler callback #​2337

v4.9.1

Fixes

  • Fix logger panicking (when template is set to empty) by bumping dependency version #​2295

Enhancements

  • Improve CORS documentation #​2272
  • Update readme about supported Go versions #​2291
  • Tests: improve error handling on closing body #​2254
  • Tests: refactor some of the assertions in tests #​2275
  • Tests: refactor assertions #​2301

v4.9.0

Security

  • Fix open redirect vulnerability in handlers serving static directories (e.Static, e.StaticFs, echo.StaticDirectoryHandler) #​2260

Enhancements

  • Allow configuring ErrorHandler in CSRF middleware #​2257
  • Replace HTTP method constants in tests with stdlib constants #​2247

v4.8.0

Most notable things

You can now add any arbitrary HTTP method type as a route #​2237

e.Add("COPY", "/*", func(c echo.Context) error {
  return c.String(http.StatusOK, "OK COPY")
})

You can add custom 404 handler for specific paths #​2217

e.RouteNotFound("/*", func(c echo.Context) error { return c.NoContent(http.StatusNotFound) })

g := e.Group("/images")
g.RouteNotFound("/*", func(c echo.Context) error { return c.NoContent(http.StatusNotFound) })

Enhancements

  • Add new value binding methods (UnixTimeMilli, TextUnmarshaler, JSONUnmarshaler) to Valuebinder #​2127
  • Refactor: body_limit middleware unit test #​2145
  • Refactor: Timeout mw: rework how test waits for timeout. #​2187
  • BasicAuth middleware returns 500 InternalServerError on invalid base64 strings but should return 400 #​2191
  • Refactor: duplicated findStaticChild process at findChildWithLabel #​2176
  • Allow different param names in different methods with same path scheme #​2209
  • Add support for registering handlers for different 404 routes #​2217
  • Middlewares should use errors.As() instead of type assertion on HTTPError #​2227
  • Allow arbitrary HTTP method types to be added as routes #​2237

v4.7.2

Fixes

  • Fix nil pointer exception when calling Start again after address binding error #​2131
  • Fix CSRF middleware not being able to extract token from multipart/form-data form #​2136
  • Fix Timeout middleware write race #​2126

Enhancements

  • Recover middleware should not log panic for aborted handler #​2134

v4.7.1

Fixes

  • Fix e.Static, .File(), c.Attachment() being picky with paths starting with ./, ../ and / after 4.7.0 introduced echo.Filesystem support (Go1.16+) #​2123

Enhancements

v4.7.0

Enhancements

  • Add JWT, KeyAuth, CSRF multivalue extractors #​2060
  • Add LogErrorFunc to recover middleware #​2072
  • Add support for HEAD method query params binding #​2027
  • Improve filesystem support with echo.FileFS, echo.StaticFS, group.FileFS, group.StaticFS #​2064

Fixes

General

  • Add cache-control and connection headers #​2103
  • Add Retry-After header constant #​2078
  • Upgrade go directive in go.mod to 1.17 #​2049
  • Add Pagoda #​2077 and Souin #​2069 to 3rd-party middlewares in README

v4.6.3

Fixes

  • Fixed Echo version number in greeting message which was not incremented to 4.6.2 #​2066

v4.6.2

Fixes

  • Fixed route containing escaped colon should be matchable but is not matched to request path #​2047
  • Fixed a problem that returned wrong content-encoding when the gzip compressed content was empty. #​1921
  • Update (test) dependencies #​2021

Enhancements

  • Add support for configurable target header for the request_id middleware #​2040
  • Change decompress middleware to use stream decompression instead of buffering #​2018
  • Documentation updates

v4.6.1

Enhancements

  • Add start time to request logger middleware values #​1991

v4.6.0

Introduced a new request logger middleware
to help with cases when you want to use some other logging library in your application.

Fixes

  • fix timeout middleware warning: superfluous response.WriteHeader #​1905

Enhancements

  • Add Cookie to KeyAuth middleware's KeyLookup #​1929
  • JWT middleware should ignore case of auth scheme in request header #​1951
  • Refactor default error handler to return first if response is already committed #​1956
  • Added request logger middleware which helps to use custom logger library for logging requests. #​1980
  • Allow escaping of colon in route path so Google Cloud API "custom methods" could be implemented #​1988

v4.5.0

Important notes

A BREAKING CHANGE is introduced for JWT middleware users.
The JWT library used for the JWT middleware had to be changed from github.com/dgrijalva/jwt-go to
github.com/golang-jwt/jwt due to the former library being unmaintained and affected by security
issues.
The github.com/golang-jwt/jwt project is a drop-in replacement, but supports only the latest 2 Go versions.
So for JWT middleware users Go 1.15+ is required. For detailed information please read #​1940

To change the library imports in all .go files in your project replace all occurrences of dgrijalva/jwt-go with golang-jwt/jwt.

For Linux CLI you can use:

find -type f -name "*.go" -exec sed -i "s/dgrijalva\/jwt-go/golang-jwt\/jwt/g" {} \;
go mod tidy

Fixes

  • Change JWT library to github.com/golang-jwt/jwt #​1946

v4.4.0

Fixes

  • Split HeaderXForwardedFor header only by comma #​1878
  • Fix Timeout middleware Context propagation #​1910

Enhancements

  • Bind data using headers as source #​1866
  • Adds JWTConfig.ParseTokenFunc to JWT middleware to allow different libraries implementing JWT parsing. #​1887
  • Adding tests for Echo#Host #​1895
  • Adds RequestIDHandler function to RequestID middleware #​1898
  • Allow for custom JSON encoding implementations #​1880

v4.3.0

Important notes

  • Route matching has improvements for the following cases:
    1. Correctly match routes with parameter part as last part of route (with trailing backslash)
    2. Considering handlers when resolving routes and search for matching http method handler
  • Echo minimal Go version is now 1.13.

Fixes

  • When url ends with slash first param route is the match #​1804
  • Router should check if node is suitable as matching route by path+method and if not then continue search in tree #​1808
  • Fix timeout middleware not writing response correctly when handler panics #​1864
  • Fix binder not working with embedded pointer structs #​1861
  • Add Go 1.16 to CI and drop 1.12 specific code #​1850

Enhancements

  • Make KeyFunc public in JWT middleware #​1756
  • Add support for optional filesystem to the static middleware #​1797
  • Add a custom error handler to key-auth middleware #​1847
  • Allow JWT token to be looked up from multiple sources #​1845

v4.2.2

Fixes

  • Allow proxy middleware to use query part in rewrite (#​1802)
  • Fix timeout middleware not sending status code when handler returns an error (#​1805)
  • Fix Bind() when target is array/slice and path/query params complains bind target not being struct (#​1835)
  • Fix panic in redirect middleware on short host name (#​1813)
  • Fix timeout middleware docs (#​1836)

v4.2.1

Important notes

Due to a data race the config parameters for the newly added timeout middleware required a change.
See the docs.
A performance regression has been fixed, even bringing better performance than before for some routing scenarios.

Fixes

  • Fix performance regression caused by path escaping (#​1777, #​1798, #​1799, aldas)
  • Avoid context canceled errors (#​1789, clwluvw)
  • Improve router to use on stack backtracking (#​1791, aldas, stffabi)
  • Fix panic in timeout middleware not being recovered and causing application crash (#​1794, aldas)
  • Fix Echo.Serve() not serving on HTTP port correctly when TLSListener is used (#​1785, #​1793, aldas)
  • Apply go fmt (#​1788, Le0tk0k)
  • Uses strings.Equalfold (#​1790, rkilingr)
  • Improve code quality (#​1792, withshubh)

This release was made possible by our contributors:
aldas, clwluvw, lammel, Le0tk0k, maciej-jezierski, rkilingr, stffabi, withshubh


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
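The v4.11.3 security item above concerns filenames reaching the 'Content-Disposition' header unescaped. As an added example that is not Echo's code and not part of this PR, the Go snippet below places the naive interpolation next to a hardened form built on the standard library's mime.FormatMediaType, plus a small sanity check; naiveContentDisposition, safeContentDisposition and headerIsSane are illustrative names, and the hostile filename is constructed.

```go
package main

import (
	"fmt"
	"mime"
	"strings"
)

// naiveContentDisposition is the pattern the v4.11.3 note fixes (illustrative,
// not Echo's code): the filename is interpolated verbatim, so a quote or a
// CR/LF in a user-supplied name ends the parameter early or adds a header line.
func naiveContentDisposition(name string) string {
	return fmt.Sprintf(`attachment; filename="%s"`, name)
}

// safeContentDisposition uses the standard library's mime.FormatMediaType, which
// backslash-escapes '"' and '\' inside a quoted string and switches to RFC 2231
// filename*=utf-8''... percent-encoding when the name holds control or
// non-ASCII bytes, so the name can never break out of its parameter.
func safeContentDisposition(dispositionType, name string) string {
	return mime.FormatMediaType(dispositionType, map[string]string{"filename": name})
}

// headerIsSane is a defensive check: the value must be a single line and
// contain either no quotes or exactly one unescaped opening/closing pair.
func headerIsSane(v string) bool {
	if strings.ContainsAny(v, "\r\n") {
		return false
	}
	n := 0
	for i := 0; i < len(v); i++ {
		if v[i] == '"' && (i == 0 || v[i-1] != '\\') {
			n++
		}
	}
	return n == 0 || n == 2
}

func main() {
	evil := "report\"\r\n.txt" // constructed filename with a quote and a CRLF
	fmt.Printf("naive: %q sane=%v\n", naiveContentDisposition(evil), headerIsSane(naiveContentDisposition(evil)))
	fmt.Printf("safe:  %q sane=%v\n", safeContentDisposition("attachment", evil), headerIsSane(safeContentDisposition("attachment", evil)))
}
```

Wire safeContentDisposition into the handler that sets the header; a plain token name stays unquoted, a name with quotes or semicolons is quoted and escaped, and any control or non-ASCII byte moves the name into the percent-encoded filename* form.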

@renovate renovate bot force-pushed the renovate/jackfan.us.kg-labstack-echo-v4-4.x branch 5 times, most recently from e693c9d to 3810fef on September 20, 2024 18:38
@renovate renovate bot force-pushed the renovate/jackfan.us.kg-labstack-echo-v4-4.x branch from 3810fef to 879a43d on December 4, 2024 23:10
@renovate renovate bot changed the title from "Update module github.com/labstack/echo/v4 to v4.12.0" to "Update module github.com/labstack/echo/v4 to v4.13.0" on Dec 4, 2024
@renovate renovate bot force-pushed the renovate/jackfan.us.kg-labstack-echo-v4-4.x branch from 879a43d to 0c23eb8 on December 11, 2024 10:58
@renovate renovate bot changed the title from "Update module github.com/labstack/echo/v4 to v4.13.0" to "Update module github.com/labstack/echo/v4 to v4.13.1" on Dec 11, 2024
@renovate renovate bot force-pushed the renovate/jackfan.us.kg-labstack-echo-v4-4.x branch from 0c23eb8 to b5d6bed on December 12, 2024 09:12
@renovate renovate bot changed the title from "Update module github.com/labstack/echo/v4 to v4.13.1" to "Update module github.com/labstack/echo/v4 to v4.13.2" on Dec 12, 2024
renovate bot commented Dec 12, 2024

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package                    | Change
github.com/stretchr/testify | v1.9.0 -> v1.10.0

@renovate renovate bot force-pushed the renovate/jackfan.us.kg-labstack-echo-v4-4.x branch from b5d6bed to aa7d932 on December 19, 2024 07:32
@renovate renovate bot changed the title from "Update module github.com/labstack/echo/v4 to v4.13.2" to "Update module github.com/labstack/echo/v4 to v4.13.3" on Dec 19, 2024