Bump github.com/labstack/echo/v4 from 4.11.1 to 4.13.2

[dependabot]

Bumps github.com/labstack/echo/v4 from 4.11.1 to 4.13.2.

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.13.2 - update dependencies

Security

• Update dependencies (dependabot reports https://pkg.go.dev/vuln/GO-2024-3321 by @​aldas in labstack/echo#2721

Full Changelog: labstack/echo@v4.13.1...v4.13.2

v4.13.1

Fixes

• Fix BindBody ignoring Transfer-Encoding: chunked requests (introduced in #2710) by @​178inaba in labstack/echo#2717

Full Changelog: labstack/echo@v4.13.0...v4.13.1

JWT Middleware Removed

BREAKING CHANGE: JWT Middleware Removed from Core

The JWT middleware has been removed from Echo core due to another security vulnerability, CVE-2024-51744. For more details, refer to issue #2699. A drop-in replacement is available in the labstack/echo-jwt repository or see alternative implementation

Important: Direct assignments like token := c.Get("user").(*jwt.Token) will now cause a panic due to an invalid cast. Update your code accordingly. Replace the current imports from "github.com/golang-jwt/jwt" in your handlers to the new middleware version using "github.com/golang-jwt/jwt/v5".

Background:

The version of golang-jwt/jwt (v3.2.2) previously used in Echo core has been in an unmaintained state for some time. This is not the first vulnerability affecting this library; earlier issues were addressed in [PR #1946](labstack/echo#1946). JWT middleware was marked as deprecated in Echo core as of v4.10.0 on 2022-12-27. If you did not notice that, consider leveraging tools like Staticcheck to catch such deprecations earlier in you dev/CI flow. For bonus points - check out gosec.

We sincerely apologize for any inconvenience caused by this change. While we strive to maintain backward compatibility within Echo core, recurring security issues with third-party dependencies have forced this decision.

Enhancements

• remove jwt middleware by @​stevenwhitehead in labstack/echo#2701
• optimization: struct alignment by @​behnambm in labstack/echo#2636
• bind: Maintain backwards compatibility for map[string]interface{} binding by @​thesaltree in labstack/echo#2656
• Add Go 1.23 to CI by @​aldas in labstack/echo#2675
• improve MultipartForm test by @​martinyonatann in labstack/echo#2682
• bind : add support of multipart multi files by @​martinyonatann in labstack/echo#2684
• Add TemplateRenderer struct to ease creating renderers for html/template and text/template packages. by @​aldas in labstack/echo#2690
• Refactor TestBasicAuth to utilize table-driven test format by @​ErikOlson in labstack/echo#2688
• Remove broken header by @​aldas in labstack/echo#2705
• fix(bind body): content-length can be -1 by @​phamvinhdat in labstack/echo#2710
• CORS middleware should compile allowOrigin regexp at creation by @​aldas in labstack/echo#2709
• Shorten Github issue template and add test example by @​aldas in labstack/echo#2711

New Contributors

• @​behnambm made their first contribution in labstack/echo#2636
• @​thesaltree made their first contribution in labstack/echo#2656
• @​martinyonatann made their first contribution in labstack/echo#2682

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.13.2 - 2024-12-12

Security

• Update dependencies (dependabot reports GO-2024-3321) in labstack/echo#2721

v4.13.1 - 2024-12-11

Fixes

• Fix BindBody ignoring Transfer-Encoding: chunked requests by @​178inaba in labstack/echo#2717

v4.13.0 - 2024-12-04

BREAKING CHANGE JWT Middleware Removed from Core use labstack/echo-jwt instead

The JWT middleware has been removed from Echo core due to another security vulnerability, CVE-2024-51744. For more details, refer to issue #2699. A drop-in replacement is available in the labstack/echo-jwt repository.

Important: Direct assignments like token := c.Get("user").(*jwt.Token) will now cause a panic due to an invalid cast. Update your code accordingly. Replace the current imports from "github.com/golang-jwt/jwt" in your handlers to the new middleware version using "github.com/golang-jwt/jwt/v5".

Background:

The version of golang-jwt/jwt (v3.2.2) previously used in Echo core has been in an unmaintained state for some time. This is not the first vulnerability affecting this library; earlier issues were addressed in [PR #1946](labstack/echo#1946). JWT middleware was marked as deprecated in Echo core as of v4.10.0 on 2022-12-27. If you did not notice that, consider leveraging tools like Staticcheck to catch such deprecations earlier in you dev/CI flow. For bonus points - check out gosec.

We sincerely apologize for any inconvenience caused by this change. While we strive to maintain backward compatibility within Echo core, recurring security issues with third-party dependencies have forced this decision.

Enhancements

• remove jwt middleware by @​stevenwhitehead in labstack/echo#2701
• optimization: struct alignment by @​behnambm in labstack/echo#2636
• bind: Maintain backwards compatibility for map[string]interface{} binding by @​thesaltree in labstack/echo#2656
• Add Go 1.23 to CI by @​aldas in labstack/echo#2675
• improve MultipartForm test by @​martinyonatann in labstack/echo#2682
• bind : add support of multipart multi files by @​martinyonatann in labstack/echo#2684
• Add TemplateRenderer struct to ease creating renderers for html/template and text/template packages. by @​aldas in labstack/echo#2690
• Refactor TestBasicAuth to utilize table-driven test format by @​ErikOlson in labstack/echo#2688
• Remove broken header by @​aldas in labstack/echo#2705
• fix(bind body): content-length can be -1 by @​phamvinhdat in labstack/echo#2710
• CORS middleware should compile allowOrigin regexp at creation by @​aldas in labstack/echo#2709
• Shorten Github issue template and add test example by @​aldas in labstack/echo#2711

v4.12.0 - 2024-04-15

Security

... (truncated)

Commits

• 692bc2a Update dependencies (dependabot reports https://pkg.go.dev/vuln/GO-2024-3321)...
• fd3f074 Changelog for v4.13.1 (#2719)
• 0368ed8 Add Conditions to Ensure Bind Succeeds with Transfer-Encoding: chunked (#2717)
• 3b01785 Changelog for 4.13.0 (#2712)
• fe26277 remove jwt middleware
• 9e73691 Shorten Github issue template and add test example
• 118c163 CORS middleware should compile allowOrigin regexp at creation.
• a973e3b add unit-test
• c4410fe fix(bind body): content-length can be -1
• 5d98929 Remove broken header
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)