Update module github.com/labstack/echo/v4 to v4.14.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/labstack/echo/v4	v4.11.3 -> v4.14.0

---

Release Notes

labstack/echo (github.com/labstack/echo/v4)

v4.14.0

Compare Source

middleware.Logger has been deprecated. For request logging, use middleware.RequestLogger or
middleware.RequestLoggerWithConfig.

middleware.RequestLogger replaces middleware.Logger, offering comparable configuration while relying on the
Go standard library’s new slog logger.

The previous default output format was JSON. The new default follows the standard slog logger settings.
To continue emitting request logs in JSON, configure slog accordingly:

slog.SetDefault(slog.New(slog.NewJSONHandler(os.Stdout, nil)))
e.Use(middleware.RequestLogger())

Security

• Logger middleware json string escaping and deprecation by @​aldas in #​2849

Enhancements

• Update deps by @​aldas in #​2807
• refactor to use reflect.TypeFor by @​cuiweixie in #​2812
• Use Go 1.25 in CI by @​aldas in #​2810
• Modernize context.go by replacing interface{} with any by @​vishr in #​2822
• Fix typo in SetParamValues comment by @​vishr in #​2828
• Fix typo in ContextTimeout middleware comment by @​vishr in #​2827
• Improve BasicAuth middleware: use strings.Cut and RFC compliance by @​vishr in #​2825
• Fix duplicate plus operator in router backtracking logic by @​yuya-morimoto in #​2832
• Replace custom private IP range check with built-in net.IP.IsPrivate by @​kumapower17 in #​2835
• Ensure proxy connection is closed in proxyRaw function(#​2837) by @​kumapower17 in #​2838
• Update deps by @​aldas in #​2843
• Update golang.org/x/* deps by @​aldas in #​2850

v4.13.4

Compare Source

Enhancements

• chore: fix some typos in comment by @​zhuhaicity in #​2735
• CI: test with Go 1.24 by @​aldas in #​2748
• Add support for TLS WebSocket proxy by @​t-ibayashi-safie in #​2762

Security

• Update dependencies for GO-2025-3487, GO-2025-3503 and GO-2025-3595 in #​2780

v4.13.3

Compare Source

Security

• Update golang.org/x/net dependency GO-2024-3333 in #​2722

v4.13.2

Compare Source

Security

• Update dependencies (dependabot reports GO-2024-3321) in #​2721

v4.13.1

Compare Source

Fixes

• Fix BindBody ignoring Transfer-Encoding: chunked requests by @​178inaba in #​2717

v4.13.0

Compare Source

BREAKING CHANGE JWT Middleware Removed from Core use labstack/echo-jwt instead

The JWT middleware has been removed from Echo core due to another security vulnerability, CVE-2024-51744. For more details, refer to issue #​2699. A drop-in replacement is available in the labstack/echo-jwt repository.

Important: Direct assignments like token := c.Get("user").(*jwt.Token) will now cause a panic due to an invalid cast. Update your code accordingly. Replace the current imports from "github.com/golang-jwt/jwt" in your handlers to the new middleware version using "github.com/golang-jwt/jwt/v5".

Background:

The version of golang-jwt/jwt (v3.2.2) previously used in Echo core has been in an unmaintained state for some time. This is not the first vulnerability affecting this library; earlier issues were addressed in PR #​1946.
JWT middleware was marked as deprecated in Echo core as of v4.10.0 on 2022-12-27. If you did not notice that, consider leveraging tools like Staticcheck to catch such deprecations earlier in you dev/CI flow. For bonus points - check out gosec.

We sincerely apologize for any inconvenience caused by this change. While we strive to maintain backward compatibility within Echo core, recurring security issues with third-party dependencies have forced this decision.

Enhancements

• remove jwt middleware by @​stevenwhitehead in #​2701
• optimization: struct alignment by @​behnambm in #​2636
• bind: Maintain backwards compatibility for map[string]interface{} binding by @​thesaltree in #​2656
• Add Go 1.23 to CI by @​aldas in #​2675
• improve MultipartForm test by @​martinyonatann in #​2682
• bind : add support of multipart multi files by @​martinyonatann in #​2684
• Add TemplateRenderer struct to ease creating renderers for html/template and text/template packages. by @​aldas in #​2690
• Refactor TestBasicAuth to utilize table-driven test format by @​ErikOlson in #​2688
• Remove broken header by @​aldas in #​2705
• fix(bind body): content-length can be -1 by @​phamvinhdat in #​2710
• CORS middleware should compile allowOrigin regexp at creation by @​aldas in #​2709
• Shorten Github issue template and add test example by @​aldas in #​2711

v4.12.0

Compare Source

Security

• Update golang.org/x/net dep because of GO-2024-2687 by @​aldas in #​2625

Enhancements

• binder: make binding to Map work better with string destinations by @​aldas in #​2554
• README.md: add Encore as sponsor by @​marcuskohlberg in #​2579
• Reorder paragraphs in README.md by @​aldas in #​2581
• CI: upgrade actions/checkout to v4 by @​aldas in #​2584
• Remove default charset from 'application/json' Content-Type header by @​doortts in #​2568
• CI: Use Go 1.22 by @​aldas in #​2588
• binder: allow binding to a nil map by @​georgmu in #​2574
• Add Skipper Unit Test In BasicBasicAuthConfig and Add More Detail Explanation regarding BasicAuthValidator by @​RyoKusnadi in #​2461
• fix some typos by @​teslaedison in #​2603
• fix: some typos by @​pomadev in #​2596
• Allow ResponseWriters to unwrap writers when flushing/hijacking by @​aldas in #​2595
• Add SPDX licence comments to files. by @​aldas in #​2604
• Upgrade deps by @​aldas in #​2605
• Change type definition blocks to single declarations. This helps copy… by @​aldas in #​2606
• Fix Real IP logic by @​cl-bvl in #​2550
• Default binder can use UnmarshalParams(params []string) error inter… by @​aldas in #​2607
• Default binder can bind pointer to slice as struct field. For example *[]string by @​aldas in #​2608
• Remove maxparam dependence from Context by @​aldas in #​2611
• When route is registered with empty path it is normalized to /. by @​aldas in #​2616
• proxy middleware should use httputil.ReverseProxy for SSE requests by @​aldas in #​2624

v4.11.4

Compare Source

Security

• Upgrade golang.org/x/crypto to v0.17.0 to fix vulnerability issue #​2562

Enhancements

• Update deps and mark Go version to 1.18 as this is what golang.org/x/* use #​2563
• Request logger: add example for Slog https://pkg.go.dev/log/slog #​2543

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 13 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.21 -> 1.23.0
github.com/stretchr/testify	v1.8.4 -> v1.10.0
github.com/google/go-cmp	v0.5.9 -> v0.6.0
github.com/labstack/gommon	v0.4.0 -> v0.4.2
github.com/mattn/go-colorable	v0.1.13 -> v0.1.14
github.com/mattn/go-isatty	v0.0.19 -> v0.0.20
github.com/stretchr/objx	v0.5.0 -> v0.5.2
golang.org/x/crypto	v0.14.0 -> v0.38.0
golang.org/x/mod	v0.12.0 -> v0.17.0
golang.org/x/net	v0.17.0 -> v0.40.0
golang.org/x/sys	v0.13.0 -> v0.33.0
golang.org/x/text	v0.13.0 -> v0.25.0
golang.org/x/time	v0.3.0 -> v0.11.0
golang.org/x/tools	v0.13.0 -> v0.21.1-0.20240508182429-e35e4ccd0d2d

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 13 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.21 -> 1.24.0
github.com/stretchr/testify	v1.8.4 -> v1.11.1
github.com/google/go-cmp	v0.5.9 -> v0.6.0
github.com/labstack/gommon	v0.4.0 -> v0.4.2
github.com/mattn/go-colorable	v0.1.13 -> v0.1.14
github.com/mattn/go-isatty	v0.0.19 -> v0.0.20
github.com/stretchr/objx	v0.5.0 -> v0.5.2
golang.org/x/crypto	v0.14.0 -> v0.46.0
golang.org/x/mod	v0.12.0 -> v0.30.0
golang.org/x/net	v0.17.0 -> v0.48.0
golang.org/x/sys	v0.13.0 -> v0.39.0
golang.org/x/text	v0.13.0 -> v0.32.0
golang.org/x/time	v0.3.0 -> v0.14.0
golang.org/x/tools	v0.13.0 -> v0.39.0