chore(deps): update module github.com/labstack/echo/v4 to v4.13.0 #17

Merged
finn merged 1 commit from renovate/github.com-labstack-echo-v4-4.x into main 2024-12-04 21:09:38 +00:00

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/labstack/echo/v4](https://github.com/labstack/echo) | require | minor | `v4.12.0` -> `v4.13.0` |

---

### Release Notes

<details>
<summary>labstack/echo (github.com/labstack/echo/v4)</summary>

### [`v4.13.0`](https://github.com/labstack/echo/blob/HEAD/CHANGELOG.md#v4130---2024-12-04)

[Compare Source](https://github.com/labstack/echo/compare/v4.12.0...v4.13.0)

**BREAKING CHANGE** JWT Middleware Removed from Core use [labstack/echo-jwt](https://github.com/labstack/echo-jwt) instead

The JWT middleware has been **removed from Echo core** due to another security vulnerability, [CVE-2024-51744](https://nvd.nist.gov/vuln/detail/CVE-2024-51744). For more details, refer to issue [#2699](https://github.com/labstack/echo/issues/2699). A drop-in replacement is available in the [labstack/echo-jwt](https://github.com/labstack/echo-jwt) repository.

**Important**: Direct assignments like `token := c.Get("user").(*jwt.Token)` will now cause a panic due to an invalid cast. Update your code accordingly. Replace the current imports from `"github.com/golang-jwt/jwt"` in your handlers to the new middleware version using `"github.com/golang-jwt/jwt/v5"`.

Background:

The version of `golang-jwt/jwt` (v3.2.2) previously used in Echo core has been in an unmaintained state for some time. This is not the first vulnerability affecting this library; earlier issues were addressed in [PR #1946](https://github.com/labstack/echo/pull/1946).

JWT middleware was marked as deprecated in Echo core as of [v4.10.0](https://github.com/labstack/echo/releases/tag/v4.10.0) on 2022-12-27. If you did not notice that, consider leveraging tools like [Staticcheck](https://staticcheck.dev/) to catch such deprecations earlier in your dev/CI flow. For bonus points - check out [gosec](https://github.com/securego/gosec).

We sincerely apologize for any inconvenience caused by this change. While we strive to maintain backward compatibility within Echo core, recurring security issues with third-party dependencies have forced this decision.

**Enhancements**

- remove jwt middleware by [@stevenwhitehead](https://github.com/stevenwhitehead) in https://github.com/labstack/echo/pull/2701
- optimization: struct alignment by [@behnambm](https://github.com/behnambm) in https://github.com/labstack/echo/pull/2636
- bind: Maintain backwards compatibility for `map[string]interface{}` binding by [@thesaltree](https://github.com/thesaltree) in https://github.com/labstack/echo/pull/2656
- Add Go 1.23 to CI by [@aldas](https://github.com/aldas) in https://github.com/labstack/echo/pull/2675
- improve `MultipartForm` test by [@martinyonatann](https://github.com/martinyonatann) in https://github.com/labstack/echo/pull/2682
- `bind` : add support of multipart multi files by [@martinyonatann](https://github.com/martinyonatann) in https://github.com/labstack/echo/pull/2684
- Add TemplateRenderer struct to ease creating renderers for `html/template` and `text/template` packages. by [@aldas](https://github.com/aldas) in https://github.com/labstack/echo/pull/2690
- Refactor TestBasicAuth to utilize table-driven test format by [@ErikOlson](https://github.com/ErikOlson) in https://github.com/labstack/echo/pull/2688
- Remove broken header by [@aldas](https://github.com/aldas) in https://github.com/labstack/echo/pull/2705
- fix(bind body): content-length can be -1 by [@phamvinhdat](https://github.com/phamvinhdat) in https://github.com/labstack/echo/pull/2710
- CORS middleware should compile allowOrigin regexp at creation by [@aldas](https://github.com/aldas) in https://github.com/labstack/echo/pull/2709
- Shorten Github issue template and add test example by [@aldas](https://github.com/aldas) in https://github.com/labstack/echo/pull/2711

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
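The "Important" note in the release notes describes the one handler-level break this update introduces: an unchecked `c.Get("user").(*jwt.Token)` now panics, either because no middleware stored a token at all (core middleware gone, echo-jwt not yet wired in) or because the stored value is the jwt/v5 type while the handler still asserts the v3 type. The Go program below is an added example, not code from Echo, echo-jwt or this PR. It uses only the standard library, so `OldToken`, `Token`, `contextGetter` and `mapContext` are constructed stand-ins for `*jwt.Token` (v3.2.2), `*jwt.Token` (v5) and `echo.Context`; `tokenFromContext`, `legacyHandler` and `migratedHandler` are hypothetical names. The point it shows is the checked comma-ok assertion that turns the panic into a 401 that fails closed.

```go
package main

import (
	"errors"
	"fmt"
)

// OldToken stands in for *jwt.Token from github.com/golang-jwt/jwt (v3.2.2),
// the type the removed core middleware stored. Constructed stand-in, not the
// real type.
type OldToken struct{ Subject string }

// Token stands in for *jwt.Token from github.com/golang-jwt/jwt/v5, the type
// the echo-jwt replacement stores. Only the fields this example needs exist.
type Token struct {
	Subject string
	Valid   bool
}

// contextGetter is the slice of echo.Context a handler needs to read what a
// middleware stored under a key; echo.Context.Get has this signature.
type contextGetter interface {
	Get(key string) interface{}
}

// mapContext is a constructed stand-in for echo.Context backed by a map.
type mapContext map[string]interface{}

func (m mapContext) Get(key string) interface{} { return m[key] }

var errNoToken = errors.New("no validated token in request context")

// tokenFromContext is the checked replacement for
// `token := c.Get("user").(*jwt.Token)`. The comma-ok assertion turns a
// missing value (no middleware ran) or a value of the old type (handler not
// yet migrated) into an error instead of a panic.
func tokenFromContext(c contextGetter, key string) (*Token, error) {
	tok, ok := c.Get(key).(*Token)
	if !ok || tok == nil {
		return nil, errNoToken
	}
	if !tok.Valid {
		return nil, errors.New("token present but not marked valid")
	}
	return tok, nil
}

// legacyHandler is the pre-v4.13.0 pattern: an unchecked assertion on the
// context value. recover() is only here so the example can report the panic
// as a return value; in a real server the request would crash instead.
func legacyHandler(c contextGetter) (status int, err error) {
	defer func() {
		if r := recover(); r != nil {
			status, err = 500, fmt.Errorf("handler panicked: %v", r)
		}
	}()
	token := c.Get("user").(*Token) // panics on nil or on *OldToken
	_ = token.Subject
	return 200, nil
}

// migratedHandler fails closed: any problem reading the token is a 401,
// never a crash.
func migratedHandler(c contextGetter) (int, error) {
	if _, err := tokenFromContext(c, "user"); err != nil {
		return 401, err
	}
	return 200, nil
}

func main() {
	// Constructed request contexts covering the three states a handler can
	// meet during the migration.
	cases := map[string]contextGetter{
		"no middleware ran": mapContext{},
		"old v3 token type": mapContext{"user": &OldToken{Subject: "alice"}},
		"echo-jwt v5 token": mapContext{"user": &Token{Subject: "alice", Valid: true}},
	}
	for name, c := range cases {
		ls, lerr := legacyHandler(c)
		ms, merr := migratedHandler(c)
		fmt.Printf("%-18s legacy=%d (%v)  migrated=%d (%v)\n", name, ls, lerr, ms, merr)
	}
}
```

In a real migration the middleware itself comes from echo-jwt and the token type from `"github.com/golang-jwt/jwt/v5"`, as the note says; the comma-ok form is worth keeping even after the imports are correct, because a handler mounted on a route group that lacks the middleware would otherwise still panic rather than return 401.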
renovatebot added 1 commit 2024-12-04 21:01:07 +00:00
renovatebot scheduled this pull request to auto merge when all checks succeed 2024-12-04 21:01:08 +00:00
finn merged commit 20647cc889 into main 2024-12-04 21:09:38 +00:00
finn deleted branch renovate/github.com-labstack-echo-v4-4.x 2024-12-04 21:09:39 +00:00

Reference: finn/go-project-template#17