Skip to content

fix(deps): update module github.com/labstack/echo/v4 to v4.13.4 #23

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update module github.com/labstack/echo/v4 to v4.13.4 #23

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 4, 2024
edited
Loading

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

This PR contains the following updates:

Package Change Age Confidence
github.com/labstack/echo/v4 v4.12.0 -> v4.13.4 age confidence

Release Notes

labstack/echo (github.com/labstack/echo/v4)

v4.13.4

Compare Source

Enhancements

Security

v4.13.3

Compare Source

Security

v4.13.2

Compare Source

Security

v4.13.1

Compare Source

Fixes

v4.13.0

Compare Source

BREAKING CHANGE JWT Middleware Removed from Core use labstack/echo-jwt instead

The JWT middleware has been removed from Echo core due to another security vulnerability, CVE-2024-51744. For more details, refer to issue #​2699. A drop-in replacement is available in the labstack/echo-jwt repository.

Important: Direct assignments like token := c.Get("user").(*jwt.Token) will now cause a panic due to an invalid cast. Update your code accordingly. Replace the current imports from "github.com/golang-jwt/jwt" in your handlers to the new middleware version using "github.com/golang-jwt/jwt/v5".

Background:

The version of golang-jwt/jwt (v3.2.2) previously used in Echo core has been in an unmaintained state for some time. This is not the first vulnerability affecting this library; earlier issues were addressed in PR #​1946.
JWT middleware was marked as deprecated in Echo core as of v4.10.0 on 2022-12-27. If you did not notice that, consider leveraging tools like Staticcheck to catch such deprecations earlier in you dev/CI flow. For bonus points - check out gosec.

We sincerely apologize for any inconvenience caused by this change. While we strive to maintain backward compatibility within Echo core, recurring security issues with third-party dependencies have forced this decision.

Enhancements

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies label Dec 4, 2024
@renovate renovate bot requested a review from a team as a code owner December 4, 2024 21:20
@renovate renovate bot changed the title fix(deps): update module github.com/labstack/echo/v4 to v4.13.0 fix(deps): update module github.com/labstack/echo/v4 to v4.13.1 Dec 11, 2024
@renovate renovate bot force-pushed the renovate/github.com-labstack-echo-v4-4.x branch 2 times, most recently from 8612a36 to bfc03a2 Compare December 12, 2024 11:23
@renovate renovate bot changed the title fix(deps): update module github.com/labstack/echo/v4 to v4.13.1 fix(deps): update module github.com/labstack/echo/v4 to v4.13.2 Dec 12, 2024
@renovate Renovate
Copy link
Contributor Author

renovate bot commented Dec 12, 2024
edited
Loading

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 7 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.20 -> 1.23.0
github.com/stretchr/testify v1.9.0 -> v1.10.0
github.com/mattn/go-colorable v0.1.13 -> v0.1.14
golang.org/x/crypto v0.22.0 -> v0.38.0
golang.org/x/net v0.24.0 -> v0.40.0
golang.org/x/sys v0.19.0 -> v0.33.0
golang.org/x/text v0.14.0 -> v0.25.0
golang.org/x/time v0.5.0 -> v0.11.0

@renovate renovate bot changed the title fix(deps): update module github.com/labstack/echo/v4 to v4.13.2 fix(deps): update module github.com/labstack/echo/v4 to v4.13.3 Dec 19, 2024
@renovate renovate bot force-pushed the renovate/github.com-labstack-echo-v4-4.x branch from bfc03a2 to de9582a Compare December 19, 2024 08:01
@renovate renovate bot changed the title fix(deps): update module github.com/labstack/echo/v4 to v4.13.3 fix(deps): update module github.com/labstack/echo/v4 to v4.13.4 May 22, 2025
@renovate renovate bot force-pushed the renovate/github.com-labstack-echo-v4-4.x branch from de9582a to f47dd37 Compare May 22, 2025 13:26
@socket-security Socket Security
Copy link

socket-security bot commented May 22, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedgithub.com/​labstack/​echo/​v4@​v4.12.0 ⏵ v4.13.472100100100100
Updatedgithub.com/​stretchr/​testify@​v1.9.0 ⏵ v1.10.096 +1100100100100

View full report

@renovate renovate bot force-pushed the renovate/github.com-labstack-echo-v4-4.x branch from f47dd37 to 02d008f Compare August 10, 2025 12:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants