go-sentry-api Update module github.com/labstack/echo/v4 to v4.13.4

The JWT middleware has been removed from Echo core due to another security vulnerability, CVE-2024-51744. For more details, refer to issue #2699. A drop-in replacement is available in the labstack/echo-jwt repository.

Important: Direct assignments like token := c.Get("user").(*jwt.Token) will now cause a panic due to an invalid cast. Update your code accordingly. Replace the current imports from "github.com/golang-jwt/jwt" in your handlers to the new middleware version using "github.com/golang-jwt/jwt/v5".

Background:

The version of golang-jwt/jwt (v3.2.2) previously used in Echo core has been in an unmaintained state for some time. This is not the first vulnerability affecting this library; earlier issues were addressed in PR #1946. JWT middleware was marked as deprecated in Echo core as of v4.10.0 on 2022-12-27. If you did not notice that, consider leveraging tools like Staticcheck to catch such deprecations earlier in you dev/CI flow. For bonus points - check out gosec.

We sincerely apologize for any inconvenience caused by this change. While we strive to maintain backward compatibility within Echo core, recurring security issues with third-party dependencies have forced this decision.

Enhancements

remove jwt middleware by @stevenwhitehead in #2701
optimization: struct alignment by @behnambm in #2636
bind: Maintain backwards compatibility for map[string]interface{} binding by @thesaltree in #2656
Add Go 1.23 to CI by @aldas in #2675
improve MultipartForm test by @martinyonatann in #2682
bind : add support of multipart multi files by @martinyonatann in #2684
Add TemplateRenderer struct to ease creating renderers for html/template and text/template packages. by @aldas in #2690
Refactor TestBasicAuth to utilize table-driven test format by @ErikOlson in #2688
Remove broken header by @aldas in #2705
fix(bind body): content-length can be -1 by @phamvinhdat in #2710
CORS middleware should compile allowOrigin regexp at creation by @aldas in #2709
Shorten Github issue template and add test example by @aldas in #2711

`v4.12.0`

Compare Source

Security

Update golang.org/x/net dep because of GO-2024-2687 by @aldas in #2625

Enhancements

binder: make binding to Map work better with string destinations by @aldas in #2554
README.md: add Encore as sponsor by @marcuskohlberg in #2579
Reorder paragraphs in README.md by @aldas in #2581
CI: upgrade actions/checkout to v4 by @aldas in #2584
Remove default charset from 'application/json' Content-Type header by @doortts in #2568
CI: Use Go 1.22 by @aldas in #2588
binder: allow binding to a nil map by @georgmu in #2574
Add Skipper Unit Test In BasicBasicAuthConfig and Add More Detail Explanation regarding BasicAuthValidator by @RyoKusnadi in #2461
fix some typos by @teslaedison in #2603
fix: some typos by @pomadev in #2596
Allow ResponseWriters to unwrap writers when flushing/hijacking by @aldas in #2595
Add SPDX licence comments to files. by @aldas in #2604
Upgrade deps by @aldas in #2605
Change type definition blocks to single declarations. This helps copy… by @aldas in #2606
Fix Real IP logic by @cl-bvl in #2550
Default binder can use UnmarshalParams(params []string) error inter… by @aldas in #2607
Default binder can bind pointer to slice as struct field. For example *[]string by @aldas in #2608
Remove maxparam dependence from Context by @aldas in #2611
When route is registered with empty path it is normalized to /. by @aldas in #2616
proxy middleware should use httputil.ReverseProxy for SSE requests by @aldas in #2624

`v4.11.4`

Compare Source

Security

Upgrade golang.org/x/crypto to v0.17.0 to fix vulnerability issue #2562

Enhancements

Update deps and mark Go version to 1.18 as this is what golang.org/x/* use #2563
Request logger: add example for Slog https://pkg.go.dev/log/slog #2543

`v4.11.3`

Compare Source

Security

'c.Attachment' and 'c.Inline' should escape filename in 'Content-Disposition' header to avoid 'Reflect File Download' vulnerability. #2541

Enhancements

Tests: refactor context tests to be separate functions #2540
Proxy middleware: reuse echo request context #2537
Mark unmarshallable yaml struct tags as ignored #2536

`v4.11.2`

Compare Source

Security

Bump golang.org/x/net to prevent CVE-2023-39325 / CVE-2023-44487 HTTP/2 Rapid Reset Attack #2527
fix(sec): randomString bias introduced by #2490 #2492
CSRF/RequestID mw: switch math/random usage to crypto/random #2490

Enhancements

Delete unused context in body_limit.go #2483
Use Go 1.21 in CI #2505
Fix some typos #2511
Allow CORS middleware to send Access-Control-Max-Age: 0 #2518
Bump dependancies #2522

`v4.11.1`

Compare Source

Fixes

Fix Gzip middleware not sending response code for no content responses (404, 301/302 redirects etc) #2481

`v4.11.0`

Compare Source

Fixes

Fixes the proxy middleware concurrency issue of calling the Next() proxy target on Round Robin Balancer #2409
Fix group.RouteNotFound not working when group has attached middlewares #2411
Fix global error handler return error message when message is an error #2456
Do not use global timeNow variables #2477

Enhancements

Added a optional config variable to disable centralized error handler in recovery middleware #2410
refactor: use strings.ReplaceAll directly #2424
Add support for Go1.20 http.rwUnwrapper to Response struct #2425
Check whether is nil before invoking centralized error handling #2429
Proper colon support in echo.Reverse method #2416
Fix misuses of a vs an in documentation comments #2436
Add link to slog.Handler library for Echo logging into README.md #2444
In proxy middleware Support retries of failed proxy requests #2414
gofmt fixes to comments #2452
gzip response only if it exceeds a minimal length #2267
Upgrade packages #2475

`v4.10.2`

Compare Source

Security

filepath.Clean behaviour has changed in Go 1.20 - adapt to it #2406
Add middleware.CORSConfig.UnsafeWildcardOriginWithAllowCredentials to make UNSAFE usages of wildcard origin + allow cretentials less likely #2405

Enhancements

Add more HTTP error values #2277

`v4.10.1`

Compare Source

Security

Upgrade deps due to the latest golang.org/x/net vulnerability #2402

Enhancements

Add new JWT repository to the README #2377
Return an empty string for ctx.path if there is no registered path #2385
Add context timeout middleware #2380
Update link to jaegertracing #2394

`v4.10.0`

Compare Source

Security

We are deprecating JWT middleware in this repository. Please use https://github.com/labstack/echo-jwt instead.

JWT middleware is moved to separate repository to allow us to bump/upgrade version of JWT implementation (github.com/golang-jwt/jwt) we are using which we can not do in Echo core because this would break backwards compatibility guarantees we try to maintain.
This minor version bumps minimum Go version to 1.17 (from 1.16) due golang.org/x/ packages we depend on. There are several vulnerabilities fixed in these libraries.

Echo still tries to support last 4 Go versions but there are occasions we can not guarantee this promise.

Enhancements

Bump x/text to 0.3.8 #2305
Bump dependencies and add notes about Go releases we support #2336
Add helper interface for ProxyBalancer interface #2316
Expose middleware.CreateExtractors function so we can use it from echo-contrib repository #2338
Refactor func(Context) error to HandlerFunc #2315
Improve function comments #2329
Add new method HTTPError.WithInternal #2340
Replace io/ioutil package usages #2342
Add staticcheck to CI flow #2343
Replace relative path determination from proprietary to std #2345
Remove square brackets from ipv6 addresses in XFF (X-Forwarded-For header) #2182
Add testcases for some BodyLimit middleware configuration options #2350
Additional configuration options for RequestLogger and Logger middleware #2341
Add route to request log #2162
GitHub Workflows security hardening #2358
Add govulncheck to CI and bump dependencies #2362
Fix rate limiter docs #2366
Refactor how e.Routes() work and introduce e.OnAddRouteHandler callback #2337

`v4.9.1`

Compare Source

Fixes

Fix logger panicing (when template is set to empty) by bumping dependency version #2295

Enhancements

Improve CORS documentation #2272
Update readme about supported Go versions #2291
Tests: improve error handling on closing body #2254
Tests: refactor some of the assertions in tests #2275
Tests: refactor assertions #2301

`v4.9.0`

Compare Source

Security

Fix open redirect vulnerability in handlers serving static directories (e.Static, e.StaticFs, echo.StaticDirectoryHandler) #2260

Enhancements

Allow configuring ErrorHandler in CSRF middleware #2257
Replace HTTP method constants in tests with stdlib constants #2247

`v4.8.0`

Compare Source

Most notable things

You can now add any arbitrary HTTP method type as a route #2237

e.Add("COPY", "/*", func(c echo.Context) error 
  return c.String(http.StatusOK, "OK COPY")
})

You can add custom 404 handler for specific paths #2217

e.RouteNotFound("/*", func(c echo.Context) error { return c.NoContent(http.StatusNotFound) })

g := e.Group("/images")
g.RouteNotFound("/*", func(c echo.Context) error { return c.NoContent(http.StatusNotFound) })

Enhancements

Add new value binding methods (UnixTimeMilli,TextUnmarshaler,JSONUnmarshaler) to Valuebinder #2127
Refactor: body_limit middleware unit test #2145
Refactor: Timeout mw: rework how test waits for timeout. #2187
BasicAuth middleware returns 500 InternalServerError on invalid base64 strings but should return 400 #2191
Refactor: duplicated findStaticChild process at findChildWithLabel #2176
Allow different param names in different methods with same path scheme #2209
Add support for registering handlers for different 404 routes #2217
Middlewares should use errors.As() instead of type assertion on HTTPError #2227
Allow arbitrary HTTP method types to be added as routes #2237

`v4.7.2`

Compare Source

Fixes

Fix nil pointer exception when calling Start again after address binding error #2131
Fix CSRF middleware not being able to extract token from multipart/form-data form #2136
Fix Timeout middleware write race #2126

Enhancements

Recover middleware should not log panic for aborted handler #2134

`v4.7.1`

Compare Source

Fixes

Fix e.Static, .File(), c.Attachment() being picky with paths starting with ./, ../ and / after 4.7.0 introduced echo.Filesystem support (Go1.16+) #2123

Enhancements

Remove some unused code #2116

`v4.7.0`

Compare Source

Enhancements

Add JWT, KeyAuth, CSRF multivalue extractors #2060
Add LogErrorFunc to recover middleware #2072
Add support for HEAD method query params binding #2027
Improve filesystem support with echo.FileFS, echo.StaticFS, group.FileFS, group.StaticFS #2064

Fixes

Fix X-Real-IP bug, improve tests #2007
Minor syntax fixes #1994, #2102, #2102

General

Add cache-control and connection headers #2103
Add Retry-After header constant #2078
Upgrade go directive in go.mod to 1.17 #2049
Add Pagoda #2077 and Souin #2069 to 3rd-party middlewares in README

`v4.6.3`

Compare Source

Fixes

Fixed Echo version number in greeting message which was not incremented to 4.6.2 #2066

`v4.6.2`

Compare Source

Fixes

Fixed route containing escaped colon should be matchable but is not matched to request path #2047
Fixed a problem that returned wrong content-encoding when the gzip compressed content was empty. #1921
Update (test) dependencies #2021

Enhancements

Add support for configurable target header for the request_id middleware #2040
Change decompress middleware to use stream decompression instead of buffering #2018
Documentation updates

`v4.6.1`

Compare Source

Enhancements

Add start time to request logger middleware values #1991

`v4.6.0`

Compare Source

Introduced a new request logger middleware to help with cases when you want to use some other logging library in your application.

Fixes

fix timeout middleware warning: superfluous response.WriteHeader #1905

Enhancements

Add Cookie to KeyAuth middleware's KeyLookup #1929
JWT middleware should ignore case of auth scheme in request header #1951
Refactor default error handler to return first if response is already committed #1956
Added request logger middleware which helps to use custom logger library for logging requests. #1980
Allow escaping of colon in route path so Google Cloud API "custom methods" could be implemented #1988

`v4.5.0`

Compare Source

Important notes

A BREAKING CHANGE is introduced for JWT middleware users. The JWT library used for the JWT middleware had to be changed from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt due former library being unmaintained and affected by security issues. The github.com/golang-jwt/jwt project is a drop-in replacement, but supports only the latest 2 Go versions. So for JWT middleware users Go 1.15+ is required. For detailed information please read #1940

To change the library imports in all .go files in your project replace all occurrences of dgrijalva/jwt-go with golang-jwt/jwt.

For Linux CLI you can use:

find -type f -name "*.go" -exec sed -i "s/dgrijalva\/jwt-go/golang-jwt\/jwt/g" {} \;
go mod tidy

Fixes

Change JWT library to github.com/golang-jwt/jwt #1946

`v4.4.0`

Compare Source

Fixes

Split HeaderXForwardedFor header only by comma #1878
Fix Timeout middleware Context propagation #1910

Enhancements

Bind data using headers as source #1866
Adds JWTConfig.ParseTokenFunc to JWT middleware to allow different libraries implementing JWT parsing. #1887
Adding tests for Echo#Host #1895
Adds RequestIDHandler function to RequestID middleware #1898
Allow for custom JSON encoding implementations #1880

`v4.3.0`

Compare Source

Important notes

Route matching has improvements for following cases:
1. Correctly match routes with parameter part as last part of route (with trailing backslash)
2. Considering handlers when resolving routes and search for matching http method handler
Echo minimal Go version is now 1.13.

Fixes

When url ends with slash first param route is the match #1804
Router should check if node is suitable as matching route by path+method and if not then continue search in tree #1808
Fix timeout middleware not writing response correctly when handler panics #1864
Fix binder not working with embedded pointer structs #1861
Add Go 1.16 to CI and drop 1.12 specific code #1850

Enhancements

Make KeyFunc public in JWT middleware #1756
Add support for optional filesystem to the static middleware #1797
Add a custom error handler to key-auth middleware #1847
Allow JWT token to be looked up from multiple sources #1845

`v4.2.2`

Compare Source

Fixes

Allow proxy middleware to use query part in rewrite (#1802)
Fix timeout middleware not sending status code when handler returns an error (#1805)
Fix Bind() when target is array/slice and path/query params complains bind target not being struct (#1835)
Fix panic in redirect middleware on short host name (#1813)
Fix timeout middleware docs (#1836)

`v4.2.1`

Compare Source

Important notes

Due to a datarace the config parameters for the newly added timeout middleware required a change. See the docs. A performance regression has been fixed, even bringing better performance than before for some routing scenarios.

Fixes

Fix performance regression caused by path escaping (#1777, #1798, #1799, aldas)
Avoid context canceled errors (#1789, clwluvw)
Improve router to use on stack backtracking (#1791, aldas, stffabi)
Fix panic in timeout middleware not being not recovered and cause application crash (#1794, aldas)
Fix Echo.Serve() not serving on HTTP port correctly when TLSListener is used (#1785, #1793, aldas)
Apply go fmt (#1788, Le0tk0k)
Uses strings.Equalfold (#1790, rkilingr)
Improve code quality (#1792, withshubh)

This release was made possible by our contributors: aldas, clwluvw, lammel, Le0tk0k, maciej-jezierski, rkilingr, stffabi, withshubh

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sep 20 '24 17:09 renovate[bot]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.13` -> `1.23.0`

Dec 12 '24 09:12 renovate[bot]

go-sentry-api go-sentry-api copied to clipboard

Update module github.com/labstack/echo/v4 to v4.13.4

Release Notes

Configuration

ℹ Artifact update notice

File name: go.mod

go-sentry-api
go-sentry-api copied to clipboard