Update module github.com/labstack/echo/v4 to v4.13.4

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/labstack/echo/v4	v4.2.0 -> v4.13.4

---

Release Notes

labstack/echo (github.com/labstack/echo/v4)

v4.13.4

Compare Source

Enhancements

• chore: fix some typos in comment by @​zhuhaicity in #​2735
• CI: test with Go 1.24 by @​aldas in #​2748
• Add support for TLS WebSocket proxy by @​t-ibayashi-safie in #​2762

Security

• Update dependencies for GO-2025-3487, GO-2025-3503 and GO-2025-3595 in #​2780

v4.13.3

Compare Source

Security

• Update golang.org/x/net dependency GO-2024-3333 in #​2722

v4.13.2

Compare Source

Security

• Update dependencies (dependabot reports GO-2024-3321) in #​2721

v4.13.1

Compare Source

Fixes

• Fix BindBody ignoring Transfer-Encoding: chunked requests by @​178inaba in #​2717

v4.13.0

Compare Source

BREAKING CHANGE JWT Middleware Removed from Core use labstack/echo-jwt instead

The JWT middleware has been removed from Echo core due to another security vulnerability, CVE-2024-51744. For more details, refer to issue #​2699. A drop-in replacement is available in the labstack/echo-jwt repository.

Important: Direct assignments like token := c.Get("user").(*jwt.Token) will now cause a panic due to an invalid cast. Update your code accordingly. Replace the current imports from "github.com/golang-jwt/jwt" in your handlers to the new middleware version using "github.com/golang-jwt/jwt/v5".

Background:

The version of golang-jwt/jwt (v3.2.2) previously used in Echo core has been in an unmaintained state for some time. This is not the first vulnerability affecting this library; earlier issues were addressed in PR #​1946.
JWT middleware was marked as deprecated in Echo core as of v4.10.0 on 2022-12-27. If you did not notice that, consider leveraging tools like Staticcheck to catch such deprecations earlier in you dev/CI flow. For bonus points - check out gosec.

We sincerely apologize for any inconvenience caused by this change. While we strive to maintain backward compatibility within Echo core, recurring security issues with third-party dependencies have forced this decision.

Enhancements

• remove jwt middleware by @​stevenwhitehead in #​2701
• optimization: struct alignment by @​behnambm in #​2636
• bind: Maintain backwards compatibility for map[string]interface{} binding by @​thesaltree in #​2656
• Add Go 1.23 to CI by @​aldas in #​2675
• improve MultipartForm test by @​martinyonatann in #​2682
• bind : add support of multipart multi files by @​martinyonatann in #​2684
• Add TemplateRenderer struct to ease creating renderers for html/template and text/template packages. by @​aldas in #​2690
• Refactor TestBasicAuth to utilize table-driven test format by @​ErikOlson in #​2688
• Remove broken header by @​aldas in #​2705
• fix(bind body): content-length can be -1 by @​phamvinhdat in #​2710
• CORS middleware should compile allowOrigin regexp at creation by @​aldas in #​2709
• Shorten Github issue template and add test example by @​aldas in #​2711

v4.12.0

Compare Source

Security

• Update golang.org/x/net dep because of GO-2024-2687 by @​aldas in #​2625

Enhancements

• binder: make binding to Map work better with string destinations by @​aldas in #​2554
• README.md: add Encore as sponsor by @​marcuskohlberg in #​2579
• Reorder paragraphs in README.md by @​aldas in #​2581
• CI: upgrade actions/checkout to v4 by @​aldas in #​2584
• Remove default charset from 'application/json' Content-Type header by @​doortts in #​2568
• CI: Use Go 1.22 by @​aldas in #​2588
• binder: allow binding to a nil map by @​georgmu in #​2574
• Add Skipper Unit Test In BasicBasicAuthConfig and Add More Detail Explanation regarding BasicAuthValidator by @​RyoKusnadi in #​2461
• fix some typos by @​teslaedison in #​2603
• fix: some typos by @​pomadev in #​2596
• Allow ResponseWriters to unwrap writers when flushing/hijacking by @​aldas in #​2595
• Add SPDX licence comments to files. by @​aldas in #​2604
• Upgrade deps by @​aldas in #​2605
• Change type definition blocks to single declarations. This helps copy… by @​aldas in #​2606
• Fix Real IP logic by @​cl-bvl in #​2550
• Default binder can use UnmarshalParams(params []string) error inter… by @​aldas in #​2607
• Default binder can bind pointer to slice as struct field. For example *[]string by @​aldas in #​2608
• Remove maxparam dependence from Context by @​aldas in #​2611
• When route is registered with empty path it is normalized to /. by @​aldas in #​2616
• proxy middleware should use httputil.ReverseProxy for SSE requests by @​aldas in #​2624

v4.11.4

Compare Source

Security

• Upgrade golang.org/x/crypto to v0.17.0 to fix vulnerability issue #​2562

Enhancements

• Update deps and mark Go version to 1.18 as this is what golang.org/x/* use #​2563
• Request logger: add example for Slog https://pkg.go.dev/log/slog #​2543

v4.11.3

Compare Source

Security

• 'c.Attachment' and 'c.Inline' should escape filename in 'Content-Disposition' header to avoid 'Reflect File Download' vulnerability. #​2541

Enhancements

• Tests: refactor context tests to be separate functions #​2540
• Proxy middleware: reuse echo request context #​2537
• Mark unmarshallable yaml struct tags as ignored #​2536

v4.11.2

Compare Source

Security

• Bump golang.org/x/net to prevent CVE-2023-39325 / CVE-2023-44487 HTTP/2 Rapid Reset Attack #​2527
• fix(sec): randomString bias introduced by #​2490 #​2492
• CSRF/RequestID mw: switch math/random usage to crypto/random #​2490

Enhancements

• Delete unused context in body_limit.go #​2483
• Use Go 1.21 in CI #​2505
• Fix some typos #​2511
• Allow CORS middleware to send Access-Control-Max-Age: 0 #​2518
• Bump dependancies #​2522

v4.11.1

Compare Source

Fixes

• Fix Gzip middleware not sending response code for no content responses (404, 301/302 redirects etc) #​2481

v4.11.0

Compare Source

Fixes

• Fixes the proxy middleware concurrency issue of calling the Next() proxy target on Round Robin Balancer #​2409
• Fix group.RouteNotFound not working when group has attached middlewares #​2411
• Fix global error handler return error message when message is an error #​2456
• Do not use global timeNow variables #​2477

Enhancements

• Added a optional config variable to disable centralized error handler in recovery middleware #​2410
• refactor: use strings.ReplaceAll directly #​2424
• Add support for Go1.20 http.rwUnwrapper to Response struct #​2425
• Check whether is nil before invoking centralized error handling #​2429
• Proper colon support in echo.Reverse method #​2416
• Fix misuses of a vs an in documentation comments #​2436
• Add link to slog.Handler library for Echo logging into README.md #​2444
• In proxy middleware Support retries of failed proxy requests #​2414
• gofmt fixes to comments #​2452
• gzip response only if it exceeds a minimal length #​2267
• Upgrade packages #​2475

v4.10.2

Compare Source

Security

• filepath.Clean behaviour has changed in Go 1.20 - adapt to it #​2406
• Add middleware.CORSConfig.UnsafeWildcardOriginWithAllowCredentials to make UNSAFE usages of wildcard origin + allow cretentials less likely #​2405

Enhancements

• Add more HTTP error values #​2277

v4.10.1

Compare Source

Security

• Upgrade deps due to the latest golang.org/x/net vulnerability #​2402

Enhancements

• Add new JWT repository to the README #​2377
• Return an empty string for ctx.path if there is no registered path #​2385
• Add context timeout middleware #​2380
• Update link to jaegertracing #​2394

v4.10.0

Compare Source

Security

• We are deprecating JWT middleware in this repository. Please use https://github.com/labstack/echo-jwt instead.

  JWT middleware is moved to separate repository to allow us to bump/upgrade version of JWT implementation (github.com/golang-jwt/jwt) we are using
  which we can not do in Echo core because this would break backwards compatibility guarantees we try to maintain.

• This minor version bumps minimum Go version to 1.17 (from 1.16) due golang.org/x/ packages we depend on. There are
  several vulnerabilities fixed in these libraries.

  Echo still tries to support last 4 Go versions but there are occasions we can not guarantee this promise.

Enhancements

• Bump x/text to 0.3.8 #​2305
• Bump dependencies and add notes about Go releases we support #​2336
• Add helper interface for ProxyBalancer interface #​2316
• Expose middleware.CreateExtractors function so we can use it from echo-contrib repository #​2338
• Refactor func(Context) error to HandlerFunc #​2315
• Improve function comments #​2329
• Add new method HTTPError.WithInternal #​2340
• Replace io/ioutil package usages #​2342
• Add staticcheck to CI flow #​2343
• Replace relative path determination from proprietary to std #​2345
• Remove square brackets from ipv6 addresses in XFF (X-Forwarded-For header) #​2182
• Add testcases for some BodyLimit middleware configuration options #​2350
• Additional configuration options for RequestLogger and Logger middleware #​2341
• Add route to request log #​2162
• GitHub Workflows security hardening #​2358
• Add govulncheck to CI and bump dependencies #​2362
• Fix rate limiter docs #​2366
• Refactor how e.Routes() work and introduce e.OnAddRouteHandler callback #​2337

v4.9.1

Compare Source

Fixes

• Fix logger panicing (when template is set to empty) by bumping dependency version #​2295

Enhancements

• Improve CORS documentation #​2272
• Update readme about supported Go versions #​2291
• Tests: improve error handling on closing body #​2254
• Tests: refactor some of the assertions in tests #​2275
• Tests: refactor assertions #​2301

v4.9.0

Compare Source

Security

• Fix open redirect vulnerability in handlers serving static directories (e.Static, e.StaticFs, echo.StaticDirectoryHandler) #​2260

Enhancements

• Allow configuring ErrorHandler in CSRF middleware #​2257
• Replace HTTP method constants in tests with stdlib constants #​2247

v4.8.0

Compare Source

Most notable things

You can now add any arbitrary HTTP method type as a route #​2237

e.Add("COPY", "/*", func(c echo.Context) error 
  return c.String(http.StatusOK, "OK COPY")
})

You can add custom 404 handler for specific paths #​2217

e.RouteNotFound("/*", func(c echo.Context) error { return c.NoContent(http.StatusNotFound) })

g := e.Group("/images")
g.RouteNotFound("/*", func(c echo.Context) error { return c.NoContent(http.StatusNotFound) })

Enhancements

• Add new value binding methods (UnixTimeMilli,TextUnmarshaler,JSONUnmarshaler) to Valuebinder #​2127
• Refactor: body_limit middleware unit test #​2145
• Refactor: Timeout mw: rework how test waits for timeout. #​2187
• BasicAuth middleware returns 500 InternalServerError on invalid base64 strings but should return 400 #​2191
• Refactor: duplicated findStaticChild process at findChildWithLabel #​2176
• Allow different param names in different methods with same path scheme #​2209
• Add support for registering handlers for different 404 routes #​2217
• Middlewares should use errors.As() instead of type assertion on HTTPError #​2227
• Allow arbitrary HTTP method types to be added as routes #​2237

v4.7.2

Compare Source

Fixes

• Fix nil pointer exception when calling Start again after address binding error #​2131
• Fix CSRF middleware not being able to extract token from multipart/form-data form #​2136
• Fix Timeout middleware write race #​2126

Enhancements

• Recover middleware should not log panic for aborted handler #​2134

v4.7.1

Compare Source

Fixes

• Fix e.Static, .File(), c.Attachment() being picky with paths starting with ./, ../ and / after 4.7.0 introduced echo.Filesystem support (Go1.16+) #​2123

Enhancements

• Remove some unused code #​2116

v4.7.0

Compare Source

Enhancements

• Add JWT, KeyAuth, CSRF multivalue extractors #​2060
• Add LogErrorFunc to recover middleware #​2072
• Add support for HEAD method query params binding #​2027
• Improve filesystem support with echo.FileFS, echo.StaticFS, group.FileFS, group.StaticFS #​2064

Fixes

• Fix X-Real-IP bug, improve tests #​2007
• Minor syntax fixes #​1994, #​2102, #​2102

General

• Add cache-control and connection headers #​2103
• Add Retry-After header constant #​2078
• Upgrade go directive in go.mod to 1.17 #​2049
• Add Pagoda #​2077 and Souin #​2069 to 3rd-party middlewares in README

v4.6.3

Compare Source

Fixes

• Fixed Echo version number in greeting message which was not incremented to 4.6.2 #​2066

v4.6.2

Compare Source

Fixes

• Fixed route containing escaped colon should be matchable but is not matched to request path #​2047
• Fixed a problem that returned wrong content-encoding when the gzip compressed content was empty. #​1921
• Update (test) dependencies #​2021

Enhancements

• Add support for configurable target header for the request_id middleware #​2040
• Change decompress middleware to use stream decompression instead of buffering #​2018
• Documentation updates

v4.6.1

Compare Source

Enhancements

• Add start time to request logger middleware values #​1991

v4.6.0

Compare Source

Introduced a new request logger middleware
to help with cases when you want to use some other logging library in your application.

Fixes

• fix timeout middleware warning: superfluous response.WriteHeader #​1905

Enhancements

• Add Cookie to KeyAuth middleware's KeyLookup #​1929
• JWT middleware should ignore case of auth scheme in request header #​1951
• Refactor default error handler to return first if response is already committed #​1956
• Added request logger middleware which helps to use custom logger library for logging requests. #​1980
• Allow escaping of colon in route path so Google Cloud API "custom methods" could be implemented #​1988

v4.5.0

Compare Source

Important notes

A BREAKING CHANGE is introduced for JWT middleware users.
The JWT library used for the JWT middleware had to be changed from github.com/dgrijalva/jwt-go to
github.com/golang-jwt/jwt due former library being unmaintained and affected by security
issues.
The github.com/golang-jwt/jwt project is a drop-in replacement, but supports only the latest 2 Go versions.
So for JWT middleware users Go 1.15+ is required. For detailed information please read #​1940

To change the library imports in all .go files in your project replace all occurrences of dgrijalva/jwt-go with golang-jwt/jwt.

For Linux CLI you can use:

find -type f -name "*.go" -exec sed -i "s/dgrijalva\/jwt-go/golang-jwt\/jwt/g" {} \;
go mod tidy

Fixes

• Change JWT library to github.com/golang-jwt/jwt #​1946

v4.4.0

Compare Source

Fixes

• Split HeaderXForwardedFor header only by comma #​1878
• Fix Timeout middleware Context propagation #​1910

Enhancements

• Bind data using headers as source #​1866
• Adds JWTConfig.ParseTokenFunc to JWT middleware to allow different libraries implementing JWT parsing. #​1887
• Adding tests for Echo#Host #​1895
• Adds RequestIDHandler function to RequestID middleware #​1898
• Allow for custom JSON encoding implementations #​1880

v4.3.0

Compare Source

Important notes

• Route matching has improvements for following cases:
  1. Correctly match routes with parameter part as last part of route (with trailing backslash)
  2. Considering handlers when resolving routes and search for matching http method handler
• Echo minimal Go version is now 1.13.

Fixes

• When url ends with slash first param route is the match #​1804
• Router should check if node is suitable as matching route by path+method and if not then continue search in tree #​1808
• Fix timeout middleware not writing response correctly when handler panics #​1864
• Fix binder not working with embedded pointer structs #​1861
• Add Go 1.16 to CI and drop 1.12 specific code #​1850

Enhancements

• Make KeyFunc public in JWT middleware #​1756
• Add support for optional filesystem to the static middleware #​1797
• Add a custom error handler to key-auth middleware #​1847
• Allow JWT token to be looked up from multiple sources #​1845

v4.2.2

Compare Source

Fixes

• Allow proxy middleware to use query part in rewrite (#​1802)
• Fix timeout middleware not sending status code when handler returns an error (#​1805)
• Fix Bind() when target is array/slice and path/query params complains bind target not being struct (#​1835)
• Fix panic in redirect middleware on short host name (#​1813)
• Fix timeout middleware docs (#​1836)

v4.2.1

Compare Source

Important notes

Due to a datarace the config parameters for the newly added timeout middleware required a change.
See the docs.
A performance regression has been fixed, even bringing better performance than before for some routing scenarios.

Fixes

• Fix performance regression caused by path escaping (#​1777, #​1798, #​1799, aldas)
• Avoid context canceled errors (#​1789, clwluvw)
• Improve router to use on stack backtracking (#​1791, aldas, stffabi)
• Fix panic in timeout middleware not being not recovered and cause application crash (#​1794, aldas)
• Fix Echo.Serve() not serving on HTTP port correctly when TLSListener is used (#​1785, #​1793, aldas)
• Apply go fmt (#​1788, Le0tk0k)
• Uses strings.Equalfold (#​1790, rkilingr)
• Improve code quality (#​1792, withshubh)

This release was made possible by our contributors:
aldas, clwluvw, lammel, Le0tk0k, maciej-jezierski, rkilingr, stffabi, withshubh

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.13 -> 1.23.0