Releases: labstack/echo
v4.13.4
What's Changed
- chore: fix some typos in comment by @zhuhaicity in #2735
- CI: test with Go 1.24 by @aldas in #2748
- Add support for TLS WebSocket proxy by @t-ibayashi-safie in #2762
 
Security
- Update dependencies for GO-2025-3487, GO-2025-3503 and GO-2025-3595 in #2780
 
New Contributors
- @zhuhaicity made their first contribution in #2735
- @t-ibayashi-safie made their first contribution in #2762
 
Full Changelog: v4.13.3...v4.13.4
v4.13.3
v4.13.2 - update dependencies
Security
- Update dependencies (dependabot reports https://pkg.go.dev/vuln/GO-2024-3321) by @aldas in #2721
 
Full Changelog: v4.13.1...v4.13.2
v4.13.1
JWT Middleware Removed
BREAKING CHANGE: JWT Middleware Removed from Core
The JWT middleware has been removed from Echo core due to another security vulnerability, CVE-2024-51744. For more details, refer to issue #2699. A drop-in replacement is available in the labstack/echo-jwt repository, or see the alternative implementation.
Important: Direct assignments like `token := c.Get("user").(*jwt.Token)` will now cause a panic due to an invalid cast. Update your code accordingly: in your handlers, replace the current imports of "github.com/golang-jwt/jwt" with "github.com/golang-jwt/jwt/v5", the version used by the new middleware.
Background:
The version of golang-jwt/jwt (v3.2.2) previously used in Echo core has been in an unmaintained state for some time. This is not the first vulnerability affecting this library; earlier issues were addressed in PR #1946.
JWT middleware was marked as deprecated in Echo core as of v4.10.0 on 2022-12-27. If you did not notice that, consider leveraging tools like Staticcheck to catch such deprecations earlier in your dev/CI flow. For bonus points, check out gosec.
We sincerely apologize for any inconvenience caused by this change. While we strive to maintain backward compatibility within Echo core, recurring security issues with third-party dependencies have forced this decision.
Enhancements
- remove jwt middleware by @stevenwhitehead in #2701
- optimization: struct alignment by @behnambm in #2636
- bind: Maintain backwards compatibility for map[string]interface{} binding by @thesaltree in #2656
- Add Go 1.23 to CI by @aldas in #2675
- improve `MultipartForm` test by @martinyonatann in #2682
- bind: add support of multipart multi files by @martinyonatann in #2684
- Add TemplateRenderer struct to ease creating renderers for `html/template` and `text/template` packages. by @aldas in #2690
- Refactor TestBasicAuth to utilize table-driven test format by @ErikOlson in #2688
- Remove broken header by @aldas in #2705
- fix(bind body): content-length can be -1 by @phamvinhdat in #2710
- CORS middleware should compile allowOrigin regexp at creation by @aldas in #2709
- Shorten Github issue template and add test example by @aldas in #2711
 
New Contributors
- @behnambm made their first contribution in #2636
- @thesaltree made their first contribution in #2656
- @martinyonatann made their first contribution in #2682
- @ErikOlson made their first contribution in #2688
- @phamvinhdat made their first contribution in #2710
- @stevenwhitehead made their first contribution in #2701
 
Full Changelog: v4.12.0...v4.13.0
v4.12.0
v4.12.0 - 2024-04-15
Security
- Update golang.org/x/net dep because of GO-2024-2687 by @aldas in #2625
 
Enhancements
- binder: make binding to Map work better with string destinations by @aldas in #2554
- README.md: add Encore as sponsor by @marcuskohlberg in #2579
- Reorder paragraphs in README.md by @aldas in #2581
- CI: upgrade actions/checkout to v4 by @aldas in #2584
- Remove default charset from 'application/json' Content-Type header by @doortts in #2568
- CI: Use Go 1.22 by @aldas in #2588
- binder: allow binding to a nil map by @georgmu in #2574
- Add Skipper Unit Test In BasicBasicAuthConfig and Add More Detail Explanation regarding BasicAuthValidator by @RyoKusnadi in #2461
- fix some typos by @teslaedison in #2603
- fix: some typos by @pomadev in #2596
- Allow ResponseWriters to unwrap writers when flushing/hijacking by @aldas in #2595
- Add SPDX licence comments to files. by @aldas in #2604
- Upgrade deps by @aldas in #2605
- Change type definition blocks to single declarations. This helps copy… by @aldas in #2606
- Fix Real IP logic by @cl-bvl in #2550
- Default binder can use `UnmarshalParams(params []string) error` inter… by @aldas in #2607
- Default binder can bind pointer to slice as struct field. For example `*[]string` by @aldas in #2608
- Remove maxparam dependence from Context by @aldas in #2611
- When route is registered with empty path it is normalized to `/`. by @aldas in #2616
- proxy middleware should use httputil.ReverseProxy for SSE requests by @aldas in #2624
 
New Contributors
- @marcuskohlberg made their first contribution in #2579
- @doortts made their first contribution in #2568
- @georgmu made their first contribution in #2574
- @RyoKusnadi made their first contribution in #2461
- @teslaedison made their first contribution in #2603
- @pomadev made their first contribution in #2596
- @cl-bvl made their first contribution in #2550
 
Full Changelog: v4.11.4...v4.12.0
v4.11.4 upgrade dependencies
Security
Enhancements
- Update deps and mark Go version to 1.18 as this is what golang.org/x/* use #2563
- Request logger: add example for Slog https://pkg.go.dev/log/slog #2543
 
v4.11.3
Security
- 'c.Attachment' and 'c.Inline' should escape filename in 'Content-Disposition' header to avoid 'Reflect File Download' vulnerability. #2541
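
Why the filename has to be escaped, as an added example that is not Echo's own code: the function names and the sample filename are hypothetical and constructed for illustration. It builds the header value with and without escaping and parses both back with the standard library, showing what a client reads.

```go
package main

import (
	"fmt"
	"mime"
	"strings"
)

// quoteEscaper backslash-escapes the two characters that are special inside
// a quoted-string header parameter: the backslash and the double quote.
var quoteEscaper = strings.NewReplacer(`\`, `\\`, `"`, `\"`)

// rawDisposition interpolates the filename unchanged (the unescaped pattern).
func rawDisposition(kind, filename string) string {
	return fmt.Sprintf(`%s; filename="%s"`, kind, filename)
}

// escapedDisposition escapes the filename before quoting it.
func escapedDisposition(kind, filename string) string {
	return fmt.Sprintf(`%s; filename="%s"`, kind, quoteEscaper.Replace(filename))
}

// params returns the parameters a standards-following client would read from
// the header value, or nil if the value does not parse.
func params(header string) map[string]string {
	_, p, err := mime.ParseMediaType(header)
	if err != nil {
		return nil
	}
	return p
}

func main() {
	// Constructed, harmless input: a quote in the name closes the parameter early.
	name := `a.txt"; injected="1`
	for _, h := range []string{
		rawDisposition("attachment", name),
		escapedDisposition("attachment", name),
	} {
		fmt.Printf("%s\n  -> %q\n", h, params(h))
	}
}
```

Without escaping, the parsed header carries a shortened filename plus a parameter the server never intended to send; with escaping, the whole string stays inside the single filename value. `mime.FormatMediaType` from the standard library applies the same quoting and can replace the hand-written replacer.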
 
Enhancements
v4.11.2
Security
- Bump golang.org/x/net to prevent CVE-2023-39325 / CVE-2023-44487 HTTP/2 Rapid Reset Attack #2527
 - fix(sec): randomString bias introduced by #2490 #2492
 - CSRF/RequestID mw: switch math/random usage to crypto/random #2490
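
The two random-string items above, as an added example that is not Echo's code: it assumes the bias in question is the common modulo bias (the page does not detail it), and all names are hypothetical. It reads from an `io.Reader` so that `crypto/rand.Reader` is used in practice while a constructed byte sequence makes the skew measurable.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"strings"
)

const (
	alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" // 62 symbols
	noReject = 256                     // bare modulo: bytes 248..255 wrap onto the first 8 symbols
	rejectAt = 256 - 256%len(alphabet) // 248, the largest multiple of 62 that fits in a byte
)

// randomString reads bytes from src, drops those >= limit and maps the rest
// with modulo. With limit = rejectAt every symbol is backed by 4 byte values.
func randomString(src io.Reader, n, limit int) (string, error) {
	out, buf := make([]byte, 0, n), make([]byte, n)
	for len(out) < n {
		chunk := buf[:n-len(out)] // ask only for what is still missing
		if _, err := io.ReadFull(src, chunk); err != nil {
			return "", err // fail closed, never fall back to a weaker source
		}
		for _, b := range chunk {
			if int(b) < limit {
				out = append(out, alphabet[int(b)%len(alphabet)])
			}
		}
	}
	return string(out), nil
}

// firstLast feeds each byte value 255..0 once (constructed input) and counts
// how often the first and the last alphabet symbol appear in the result.
func firstLast(n, limit int) (first, last int) {
	all := make([]byte, 256)
	for i := range all {
		all[i] = byte(255 - i)
	}
	s, _ := randomString(strings.NewReader(string(all)), n, limit)
	return strings.Count(s, alphabet[:1]), strings.Count(s, alphabet[61:])
}

func main() {
	fmt.Println(firstLast(256, noReject)) // bare modulo
	fmt.Println(firstLast(248, rejectAt)) // rejection sampling
	fmt.Println(randomString(rand.Reader, 32, rejectAt))
}
```

With the bare modulo the first symbol is produced by five byte values and the last by four; with rejection sampling both are produced by four.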
 
Enhancements