fix(deps): update module github.com/labstack/echo/v4 to v4.13.4

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/labstack/echo/v4	v4.11.1 -> v4.13.4

---

Release Notes

labstack/echo (github.com/labstack/echo/v4)

v4.13.4

Compare Source

Enhancements

• chore: fix some typos in comment by @​zhuhaicity in #​2735
• CI: test with Go 1.24 by @​aldas in #​2748
• Add support for TLS WebSocket proxy by @​t-ibayashi-safie in #​2762

Security

• Update dependencies for GO-2025-3487, GO-2025-3503 and GO-2025-3595 in #​2780

v4.13.3

Compare Source

Security

• Update golang.org/x/net dependency GO-2024-3333 in #​2722

v4.13.2

Compare Source

Security

• Update dependencies (dependabot reports GO-2024-3321) in #​2721

v4.13.1

Compare Source

Fixes

• Fix BindBody ignoring Transfer-Encoding: chunked requests by @​178inaba in #​2717

v4.13.0

Compare Source

BREAKING CHANGE JWT Middleware Removed from Core use labstack/echo-jwt instead

The JWT middleware has been removed from Echo core due to another security vulnerability, CVE-2024-51744. For more details, refer to issue #​2699. A drop-in replacement is available in the labstack/echo-jwt repository.

Important: Direct assignments like token := c.Get("user").(*jwt.Token) will now cause a panic due to an invalid cast. Update your code accordingly. Replace the current imports from "github.com/golang-jwt/jwt" in your handlers to the new middleware version using "github.com/golang-jwt/jwt/v5".

Background:

The version of golang-jwt/jwt (v3.2.2) previously used in Echo core has been in an unmaintained state for some time. This is not the first vulnerability affecting this library; earlier issues were addressed in PR #​1946.
JWT middleware was marked as deprecated in Echo core as of v4.10.0 on 2022-12-27. If you did not notice that, consider leveraging tools like Staticcheck to catch such deprecations earlier in you dev/CI flow. For bonus points - check out gosec.

We sincerely apologize for any inconvenience caused by this change. While we strive to maintain backward compatibility within Echo core, recurring security issues with third-party dependencies have forced this decision.

Enhancements

• remove jwt middleware by @​stevenwhitehead in #​2701
• optimization: struct alignment by @​behnambm in #​2636
• bind: Maintain backwards compatibility for map[string]interface{} binding by @​thesaltree in #​2656
• Add Go 1.23 to CI by @​aldas in #​2675
• improve MultipartForm test by @​martinyonatann in #​2682
• bind : add support of multipart multi files by @​martinyonatann in #​2684
• Add TemplateRenderer struct to ease creating renderers for html/template and text/template packages. by @​aldas in #​2690
• Refactor TestBasicAuth to utilize table-driven test format by @​ErikOlson in #​2688
• Remove broken header by @​aldas in #​2705
• fix(bind body): content-length can be -1 by @​phamvinhdat in #​2710
• CORS middleware should compile allowOrigin regexp at creation by @​aldas in #​2709
• Shorten Github issue template and add test example by @​aldas in #​2711

v4.12.0

Compare Source

Security

• Update golang.org/x/net dep because of GO-2024-2687 by @​aldas in #​2625

Enhancements

• binder: make binding to Map work better with string destinations by @​aldas in #​2554
• README.md: add Encore as sponsor by @​marcuskohlberg in #​2579
• Reorder paragraphs in README.md by @​aldas in #​2581
• CI: upgrade actions/checkout to v4 by @​aldas in #​2584
• Remove default charset from 'application/json' Content-Type header by @​doortts in #​2568
• CI: Use Go 1.22 by @​aldas in #​2588
• binder: allow binding to a nil map by @​georgmu in #​2574
• Add Skipper Unit Test In BasicBasicAuthConfig and Add More Detail Explanation regarding BasicAuthValidator by @​RyoKusnadi in #​2461
• fix some typos by @​teslaedison in #​2603
• fix: some typos by @​pomadev in #​2596
• Allow ResponseWriters to unwrap writers when flushing/hijacking by @​aldas in #​2595
• Add SPDX licence comments to files. by @​aldas in #​2604
• Upgrade deps by @​aldas in #​2605
• Change type definition blocks to single declarations. This helps copy… by @​aldas in #​2606
• Fix Real IP logic by @​cl-bvl in #​2550
• Default binder can use UnmarshalParams(params []string) error inter… by @​aldas in #​2607
• Default binder can bind pointer to slice as struct field. For example *[]string by @​aldas in #​2608
• Remove maxparam dependence from Context by @​aldas in #​2611
• When route is registered with empty path it is normalized to /. by @​aldas in #​2616
• proxy middleware should use httputil.ReverseProxy for SSE requests by @​aldas in #​2624

v4.11.4

Compare Source

Security

• Upgrade golang.org/x/crypto to v0.17.0 to fix vulnerability issue #​2562

Enhancements

• Update deps and mark Go version to 1.18 as this is what golang.org/x/* use #​2563
• Request logger: add example for Slog https://pkg.go.dev/log/slog #​2543

v4.11.3

Compare Source

Security

• 'c.Attachment' and 'c.Inline' should escape filename in 'Content-Disposition' header to avoid 'Reflect File Download' vulnerability. #​2541

Enhancements

• Tests: refactor context tests to be separate functions #​2540
• Proxy middleware: reuse echo request context #​2537
• Mark unmarshallable yaml struct tags as ignored #​2536

v4.11.2

Compare Source

Security

• Bump golang.org/x/net to prevent CVE-2023-39325 / CVE-2023-44487 HTTP/2 Rapid Reset Attack #​2527
• fix(sec): randomString bias introduced by #​2490 #​2492
• CSRF/RequestID mw: switch math/random usage to crypto/random #​2490

Enhancements

• Delete unused context in body_limit.go #​2483
• Use Go 1.21 in CI #​2505
• Fix some typos #​2511
• Allow CORS middleware to send Access-Control-Max-Age: 0 #​2518
• Bump dependancies #​2522

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 7 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.20 -> 1.23.0
github.com/labstack/gommon	v0.4.0 -> v0.4.2
github.com/mattn/go-colorable	v0.1.13 -> v0.1.14
github.com/mattn/go-isatty	v0.0.19 -> v0.0.20
golang.org/x/crypto	v0.11.0 -> v0.38.0
golang.org/x/net	v0.12.0 -> v0.40.0
golang.org/x/sys	v0.10.0 -> v0.33.0
golang.org/x/time	v0.3.0 -> v0.11.0