Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(deps): update module github.com/labstack/echo/v4 to v4.13.0 (#6404)
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [github.com/labstack/echo/v4](https://redirect.github.com/labstack/echo) | `v4.12.0` -> `v4.13.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>labstack/echo (github.com/labstack/echo/v4)</summary> ### [`v4.13.0`](https://redirect.github.com/labstack/echo/blob/HEAD/CHANGELOG.md#v4130---2024-12-04) [Compare Source](https://redirect.github.com/labstack/echo/compare/v4.12.0...v4.13.0) **BREAKING CHANGE** JWT Middleware Removed from Core use [labstack/echo-jwt](https://redirect.github.com/labstack/echo-jwt) instead The JWT middleware has been **removed from Echo core** due to another security vulnerability, [CVE-2024-51744](https://nvd.nist.gov/vuln/detail/CVE-2024-51744). For more details, refer to issue [#​2699](https://redirect.github.com/labstack/echo/issues/2699). A drop-in replacement is available in the [labstack/echo-jwt](https://redirect.github.com/labstack/echo-jwt) repository. **Important**: Direct assignments like `token := c.Get("user").(*jwt.Token)` will now cause a panic due to an invalid cast. Update your code accordingly. Replace the current imports from `"github.com/golang-jwt/jwt"` in your handlers to the new middleware version using `"github.com/golang-jwt/jwt/v5"`. Background: The version of `golang-jwt/jwt` (v3.2.2) previously used in Echo core has been in an unmaintained state for some time. This is not the first vulnerability affecting this library; earlier issues were addressed in [PR #​1946](https://redirect.github.com/labstack/echo/pull/1946). JWT middleware was marked as deprecated in Echo core as of [v4.10.0](https://redirect.github.com/labstack/echo/releases/tag/v4.10.0) on 2022-12-27. If you did not notice that, consider leveraging tools like [Staticcheck](https://staticcheck.dev/) to catch such deprecations earlier in you dev/CI flow. For bonus points - check out [gosec](https://redirect.github.com/securego/gosec). We sincerely apologize for any inconvenience caused by this change. While we strive to maintain backward compatibility within Echo core, recurring security issues with third-party dependencies have forced this decision. **Enhancements** - remove jwt middleware by [@​stevenwhitehead](https://redirect.github.com/stevenwhitehead) in [https://github.com/labstack/echo/pull/2701](https://redirect.github.com/labstack/echo/pull/2701) - optimization: struct alignment by [@​behnambm](https://redirect.github.com/behnambm) in [https://github.com/labstack/echo/pull/2636](https://redirect.github.com/labstack/echo/pull/2636) - bind: Maintain backwards compatibility for map\[string]interface{} binding by [@​thesaltree](https://redirect.github.com/thesaltree) in [https://github.com/labstack/echo/pull/2656](https://redirect.github.com/labstack/echo/pull/2656) - Add Go 1.23 to CI by [@​aldas](https://redirect.github.com/aldas) in [https://github.com/labstack/echo/pull/2675](https://redirect.github.com/labstack/echo/pull/2675) - improve `MultipartForm` test by [@​martinyonatann](https://redirect.github.com/martinyonatann) in [https://github.com/labstack/echo/pull/2682](https://redirect.github.com/labstack/echo/pull/2682) - `bind` : add support of multipart multi files by [@​martinyonatann](https://redirect.github.com/martinyonatann) in [https://github.com/labstack/echo/pull/2684](https://redirect.github.com/labstack/echo/pull/2684) - Add TemplateRenderer struct to ease creating renderers for `html/template` and `text/template` packages. by [@​aldas](https://redirect.github.com/aldas) in [https://github.com/labstack/echo/pull/2690](https://redirect.github.com/labstack/echo/pull/2690) - Refactor TestBasicAuth to utilize table-driven test format by [@​ErikOlson](https://redirect.github.com/ErikOlson) in [https://github.com/labstack/echo/pull/2688](https://redirect.github.com/labstack/echo/pull/2688) - Remove broken header by [@​aldas](https://redirect.github.com/aldas) in [https://github.com/labstack/echo/pull/2705](https://redirect.github.com/labstack/echo/pull/2705) - fix(bind body): content-length can be -1 by [@​phamvinhdat](https://redirect.github.com/phamvinhdat) in [https://github.com/labstack/echo/pull/2710](https://redirect.github.com/labstack/echo/pull/2710) - CORS middleware should compile allowOrigin regexp at creation by [@​aldas](https://redirect.github.com/aldas) in [https://github.com/labstack/echo/pull/2709](https://redirect.github.com/labstack/echo/pull/2709) - Shorten Github issue template and add test example by [@​aldas](https://redirect.github.com/aldas) in [https://github.com/labstack/echo/pull/2711](https://redirect.github.com/labstack/echo/pull/2711) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/open-telemetry/opentelemetry-go-contrib). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS40Mi40IiwidXBkYXRlZEluVmVyIjoiMzkuNDIuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiU2tpcCBDaGFuZ2Vsb2ciLCJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
- Loading branch information
1 parent
3f2ac98
commit cbdb600