Echo Versions Save

v4.12.0 - 2024-04-15

Security

• Update golang.org/x/net dep because of GO-2024-2687 by @aldas in https://github.com/labstack/echo/pull/2625

Enhancements

• binder: make binding to Map work better with string destinations by @aldas in https://github.com/labstack/echo/pull/2554
• README.md: add Encore as sponsor by @marcuskohlberg in https://github.com/labstack/echo/pull/2579
• Reorder paragraphs in README.md by @aldas in https://github.com/labstack/echo/pull/2581
• CI: upgrade actions/checkout to v4 by @aldas in https://github.com/labstack/echo/pull/2584
• Remove default charset from 'application/json' Content-Type header by @doortts in https://github.com/labstack/echo/pull/2568
• CI: Use Go 1.22 by @aldas in https://github.com/labstack/echo/pull/2588
• binder: allow binding to a nil map by @georgmu in https://github.com/labstack/echo/pull/2574
• Add Skipper Unit Test In BasicBasicAuthConfig and Add More Detail Explanation regarding BasicAuthValidator by @RyoKusnadi in https://github.com/labstack/echo/pull/2461
• fix some typos by @teslaedison in https://github.com/labstack/echo/pull/2603
• fix: some typos by @pomadev in https://github.com/labstack/echo/pull/2596
• Allow ResponseWriters to unwrap writers when flushing/hijacking by @aldas in https://github.com/labstack/echo/pull/2595
• Add SPDX licence comments to files. by @aldas in https://github.com/labstack/echo/pull/2604
• Upgrade deps by @aldas in https://github.com/labstack/echo/pull/2605
• Change type definition blocks to single declarations. This helps copy… by @aldas in https://github.com/labstack/echo/pull/2606
• Fix Real IP logic by @cl-bvl in https://github.com/labstack/echo/pull/2550
• Default binder can use UnmarshalParams(params []string) error inter… by @aldas in https://github.com/labstack/echo/pull/2607
• Default binder can bind pointer to slice as struct field. For example *[]string by @aldas in https://github.com/labstack/echo/pull/2608
• Remove maxparam dependence from Context by @aldas in https://github.com/labstack/echo/pull/2611
• When route is registered with empty path it is normalized to /. by @aldas in https://github.com/labstack/echo/pull/2616
• proxy middleware should use httputil.ReverseProxy for SSE requests by @aldas in https://github.com/labstack/echo/pull/2624

New Contributors

• @marcuskohlberg made their first contribution in https://github.com/labstack/echo/pull/2579
• @doortts made their first contribution in https://github.com/labstack/echo/pull/2568
• @georgmu made their first contribution in https://github.com/labstack/echo/pull/2574
• @RyoKusnadi made their first contribution in https://github.com/labstack/echo/pull/2461
• @teslaedison made their first contribution in https://github.com/labstack/echo/pull/2603
• @pomadev made their first contribution in https://github.com/labstack/echo/pull/2596
• @cl-bvl made their first contribution in https://github.com/labstack/echo/pull/2550

Full Changelog: https://github.com/labstack/echo/compare/v4.11.4...v4.12.0

Security

• Upgrade golang.org/x/crypto to v0.17.0 to fix vulnerability issue #2562

Enhancements

• Update deps and mark Go version to 1.18 as this is what golang.org/x/* use #2563
• Request logger: add example for Slog https://pkg.go.dev/log/slog #2543

Security

• 'c.Attachment' and 'c.Inline' should escape filename in 'Content-Disposition' header to avoid 'Reflect File Download' vulnerability. #2541

Enhancements

• Tests: refactor context tests to be separate functions #2540
• Proxy middleware: reuse echo request context #2537
• Mark unmarshallable yaml struct tags as ignored #2536

Security

• Bump golang.org/x/net to prevent CVE-2023-39325 / CVE-2023-44487 HTTP/2 Rapid Reset Attack #2527
• fix(sec): randomString bias introduced by #2490 #2492
• CSRF/RequestID mw: switch math/random usage to crypto/random #2490

Enhancements

• Delete unused context in body_limit.go #2483
• Use Go 1.21 in CI #2505
• Fix some typos #2511
• Allow CORS middleware to send Access-Control-Max-Age: 0 #2518
• Bump dependancies #2522

Fixes

• Fix Gzip middleware not sending response code for no content responses (404, 301/302 redirects etc) #2481

Fixes

• Fixes the proxy middleware concurrency issue of calling the Next() proxy target on Round Robin Balancer #2409
• Fix group.RouteNotFound not working when group has attached middlewares #2411
• Fix global error handler return error message when message is an error #2456
• Do not use global timeNow variables #2477

Enhancements

• Added a optional config variable to disable centralized error handler in recovery middleware #2410
• refactor: use strings.ReplaceAll directly #2424
• Add support for Go1.20 http.rwUnwrapper to Response struct #2425
• Check whether is nil before invoking centralized error handling #2429
• Proper colon support in echo.Reverse method #2416
• Fix misuses of a vs an in documentation comments #2436
• Add link to slog.Handler library for Echo logging into README.md #2444
• In proxy middleware Support retries of failed proxy requests #2414
• gofmt fixes to comments #2452
• gzip response only if it exceeds a minimal length #2267
• Upgrade packages #2475

Security

• filepath.Clean behaviour has changed in Go 1.20 - adapt to it #2406
• Add middleware.CORSConfig.UnsafeWildcardOriginWithAllowCredentials to make UNSAFE usages of wildcard origin + allow cretentials less likely #2405

Enhancements

• Add more HTTP error values #2277

Security

• Upgrade deps due to the latest golang.org/x/net vulnerability #2402

Enhancements

• Add new JWT repository to the README #2377
• Return an empty string for ctx.path if there is no registered path #2385
• Add context timeout middleware #2380
• Update link to jaegertracing #2394

Security

• We are deprecating JWT middleware in this repository. Please use https://github.com/labstack/echo-jwt instead.

  JWT middleware is moved to separate repository to allow us to bump/upgrade version of JWT implementation (github.com/golang-jwt/jwt) we are using which we can not do in Echo core because this would break backwards compatibility guarantees we try to maintain.

• This minor version bumps minimum Go version to 1.17 (from 1.16) due golang.org/x/ packages we depend on. There are several vulnerabilities fixed in these libraries.

  Echo still tries to support last 4 Go versions but there are occasions we can not guarantee this promise.

Enhancements

• Bump x/text to 0.3.8 #2305
• Bump dependencies and add notes about Go releases we support #2336
• Add helper interface for ProxyBalancer interface #2316
• Expose middleware.CreateExtractors function so we can use it from echo-contrib repository #2338
• Refactor func(Context) error to HandlerFunc #2315
• Improve function comments #2329
• Add new method HTTPError.WithInternal #2340
• Replace io/ioutil package usages #2342
• Add staticcheck to CI flow #2343
• Replace relative path determination from proprietary to std #2345
• Remove square brackets from ipv6 addresses in XFF (X-Forwarded-For header) #2182
• Add testcases for some BodyLimit middleware configuration options #2350
• Additional configuration options for RequestLogger and Logger middleware #2341
• Add route to request log #2162
• GitHub Workflows security hardening #2358
• Add govulncheck to CI and bump dependencies #2362
• Fix rate limiter docs #2366
• Refactor how e.Routes() work and introduce e.OnAddRouteHandler callback #2337

Fixes

• Fix logger panicing (when template is set to empty) by bumping dependency version #2295

Enhancements

• Improve CORS documentation #2272
• Update readme about supported Go versions #2291
• Tests: improve error handling on closing body #2254
• Tests: refactor some of the assertions in tests #2275
• Tests: refactor assertions #2301