fix(deps): update module github.com/labstack/echo/v4 to v4.9.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/labstack/echo/v4	v4.6.1 → v4.9.0

GitHub Vulnerability Alerts

CVE-2022-40083

Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF). Version 4.9.0 contains a patch for the issue.

---

Release Notes

labstack/echo (github.com/labstack/echo/v4)

v4.9.0

Compare Source

Security

• Fix open redirect vulnerability in handlers serving static directories (e.Static, e.StaticFs, echo.StaticDirectoryHandler) #​2260

Enhancements

• Allow configuring ErrorHandler in CSRF middleware #​2257
• Replace HTTP method constants in tests with stdlib constants #​2247

v4.8.0

Compare Source

Most notable things

You can now add any arbitrary HTTP method type as a route #​2237

e.Add("COPY", "/*", func(c echo.Context) error 
  return c.String(http.StatusOK, "OK COPY")
})

You can add custom 404 handler for specific paths #​2217

e.RouteNotFound("/*", func(c echo.Context) error { return c.NoContent(http.StatusNotFound) })

g := e.Group("/images")
g.RouteNotFound("/*", func(c echo.Context) error { return c.NoContent(http.StatusNotFound) })

Enhancements

• Add new value binding methods (UnixTimeMilli,TextUnmarshaler,JSONUnmarshaler) to Valuebinder #​2127
• Refactor: body_limit middleware unit test #​2145
• Refactor: Timeout mw: rework how test waits for timeout. #​2187
• BasicAuth middleware returns 500 InternalServerError on invalid base64 strings but should return 400 #​2191
• Refactor: duplicated findStaticChild process at findChildWithLabel #​2176
• Allow different param names in different methods with same path scheme #​2209
• Add support for registering handlers for different 404 routes #​2217
• Middlewares should use errors.As() instead of type assertion on HTTPError #​2227
• Allow arbitrary HTTP method types to be added as routes #​2237

v4.7.2

Compare Source

Fixes

• Fix nil pointer exception when calling Start again after address binding error #​2131
• Fix CSRF middleware not being able to extract token from multipart/form-data form #​2136
• Fix Timeout middleware write race #​2126

Enhancements

• Recover middleware should not log panic for aborted handler #​2134

v4.7.1

Compare Source

Fixes

• Fix e.Static, .File(), c.Attachment() being picky with paths starting with ./, ../ and / after 4.7.0 introduced echo.Filesystem support (Go1.16+) #​2123

Enhancements

• Remove some unused code #​2116

v4.7.0

Compare Source

Enhancements

• Add JWT, KeyAuth, CSRF multivalue extractors #​2060
• Add LogErrorFunc to recover middleware #​2072
• Add support for HEAD method query params binding #​2027
• Improve filesystem support with echo.FileFS, echo.StaticFS, group.FileFS, group.StaticFS #​2064

Fixes

• Fix X-Real-IP bug, improve tests #​2007
• Minor syntax fixes #​1994, #​2102, #​2102

General

• Add cache-control and connection headers #​2103
• Add Retry-After header constant #​2078
• Upgrade go directive in go.mod to 1.17 #​2049
• Add Pagoda #​2077 and Souin #​2069 to 3rd-party middlewares in README

v4.6.3

Compare Source

Fixes

• Fixed Echo version number in greeting message which was not incremented to 4.6.2 #​2066

v4.6.2

Compare Source

Fixes

• Fixed route containing escaped colon should be matchable but is not matched to request path #​2047
• Fixed a problem that returned wrong content-encoding when the gzip compressed content was empty. #​1921
• Update (test) dependencies #​2021

Enhancements

• Add support for configurable target header for the request_id middleware #​2040
• Change decompress middleware to use stream decompression instead of buffering #​2018
• Documentation updates

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/labstack/gommon	v0.3.0 -> v0.3.1