Skip to content

Releases: labstack/echo

v4.13.3

19 Dec 04:54
45524e3
Compare
Choose a tag to compare

Security

Full Changelog: v4.13.2...v4.13.3

v4.13.2 - update dependencies

12 Dec 07:18
692bc2a
Compare
Choose a tag to compare

Security

Full Changelog: v4.13.1...v4.13.2

v4.13.1

11 Dec 10:22
fd3f074
Compare
Choose a tag to compare

Fixes

  • Fix BindBody ignoring Transfer-Encoding: chunked requests (introduced in #2710) by @178inaba in #2717

Full Changelog: v4.13.0...v4.13.1

JWT Middleware Removed

04 Dec 20:29
3b01785
Compare
Choose a tag to compare

BREAKING CHANGE: JWT Middleware Removed from Core

The JWT middleware has been removed from Echo core due to another security vulnerability, CVE-2024-51744. For more details, refer to issue #2699. A drop-in replacement is available in the labstack/echo-jwt repository or see alternative implementation

Important: Direct assignments like token := c.Get("user").(*jwt.Token) will now cause a panic due to an invalid cast. Update your code accordingly. Replace the current imports from "github.com/golang-jwt/jwt" in your handlers to the new middleware version using "github.com/golang-jwt/jwt/v5".

Background:

The version of golang-jwt/jwt (v3.2.2) previously used in Echo core has been in an unmaintained state for some time. This is not the first vulnerability affecting this library; earlier issues were addressed in PR #1946.
JWT middleware was marked as deprecated in Echo core as of v4.10.0 on 2022-12-27. If you did not notice that, consider leveraging tools like Staticcheck to catch such deprecations earlier in you dev/CI flow. For bonus points - check out gosec.

We sincerely apologize for any inconvenience caused by this change. While we strive to maintain backward compatibility within Echo core, recurring security issues with third-party dependencies have forced this decision.

Enhancements

New Contributors

Full Changelog: v4.12.0...v4.13.0

v4.12.0

15 Apr 18:33
88c379f
Compare
Choose a tag to compare

v4.12.0 - 2024-04-15

Security

Enhancements

  • binder: make binding to Map work better with string destinations by @aldas in #2554
  • README.md: add Encore as sponsor by @marcuskohlberg in #2579
  • Reorder paragraphs in README.md by @aldas in #2581
  • CI: upgrade actions/checkout to v4 by @aldas in #2584
  • Remove default charset from 'application/json' Content-Type header by @doortts in #2568
  • CI: Use Go 1.22 by @aldas in #2588
  • binder: allow binding to a nil map by @georgmu in #2574
  • Add Skipper Unit Test In BasicBasicAuthConfig and Add More Detail Explanation regarding BasicAuthValidator by @RyoKusnadi in #2461
  • fix some typos by @teslaedison in #2603
  • fix: some typos by @pomadev in #2596
  • Allow ResponseWriters to unwrap writers when flushing/hijacking by @aldas in #2595
  • Add SPDX licence comments to files. by @aldas in #2604
  • Upgrade deps by @aldas in #2605
  • Change type definition blocks to single declarations. This helps copy… by @aldas in #2606
  • Fix Real IP logic by @cl-bvl in #2550
  • Default binder can use UnmarshalParams(params []string) error inter… by @aldas in #2607
  • Default binder can bind pointer to slice as struct field. For example *[]string by @aldas in #2608
  • Remove maxparam dependence from Context by @aldas in #2611
  • When route is registered with empty path it is normalized to /. by @aldas in #2616
  • proxy middleware should use httputil.ReverseProxy for SSE requests by @aldas in #2624

New Contributors

Full Changelog: v4.11.4...v4.12.0

v4.11.4 upgrade dependencies

20 Dec 13:28
226e4f0
Compare
Choose a tag to compare

Security

  • Upgrade golang.org/x/crypto to v0.17.0 to fix vulnerability issue #2562

Enhancements

v4.11.3

07 Nov 12:22
4b26cde
Compare
Choose a tag to compare

Security

  • 'c.Attachment' and 'c.Inline' should escape filename in 'Content-Disposition' header to avoid 'Reflect File Download' vulnerability. #2541

Enhancements

  • Tests: refactor context tests to be separate functions #2540
  • Proxy middleware: reuse echo request context #2537
  • Mark unmarshallable yaml struct tags as ignored #2536

v4.11.2

11 Oct 05:34
98a5237
Compare
Choose a tag to compare

Security

Enhancements

  • Delete unused context in body_limit.go #2483
  • Use Go 1.21 in CI #2505
  • Fix some typos #2511
  • Allow CORS middleware to send Access-Control-Max-Age: 0 #2518
  • Bump dependancies #2522

v4.11.1

16 Jul 17:46
Compare
Choose a tag to compare

Fixes

  • Fix Gzip middleware not sending response code for no content responses (404, 301/302 redirects etc) #2481

v4.11.0

14 Jul 20:33
Compare
Choose a tag to compare

Fixes

  • Fixes the proxy middleware concurrency issue of calling the Next() proxy target on Round Robin Balancer #2409
  • Fix group.RouteNotFound not working when group has attached middlewares #2411
  • Fix global error handler return error message when message is an error #2456
  • Do not use global timeNow variables #2477

Enhancements

  • Added a optional config variable to disable centralized error handler in recovery middleware #2410
  • refactor: use strings.ReplaceAll directly #2424
  • Add support for Go1.20 http.rwUnwrapper to Response struct #2425
  • Check whether is nil before invoking centralized error handling #2429
  • Proper colon support in echo.Reverse method #2416
  • Fix misuses of a vs an in documentation comments #2436
  • Add link to slog.Handler library for Echo logging into README.md #2444
  • In proxy middleware Support retries of failed proxy requests #2414
  • gofmt fixes to comments #2452
  • gzip response only if it exceeds a minimal length #2267
  • Upgrade packages #2475