DataDog / dd-trace-go

Datadog Go Library including APM tracing, profiling, and security monitoring.
https://docs.datadoghq.com/tracing/

labstack/echo v3.3.10 dependency vulnerability #2762

Open Lexdamian opened 1 week ago

Lexdamian commented 1 week ago

I suggest removing labstack/echo v3.3.10 entirely and updating the repo to use v4.11.1 instead.

darccio commented 1 week ago

Hi @Lexdamian, thanks for the suggestion. This removal is planned in our v2 release, still in the works.

Is this causing you any issue that would require us to tackle it before our v2 release?

Lexdamian commented 1 week ago

Hello! I am fixing critical vulnerability issues, and this one is blocking a bunch of repos on our side. What's the release schedule for v2? I have a PR ready for the above-mentioned remediation, just in case.

darccio commented 1 week ago

@Lexdamian Unless you import our contrib for labstack/echo, you aren't vulnerable. Please check our SECURITY.md:

If you are using a vulnerability checker other than golang.org/x/vuln/vulncheck you may detect vulnerabilities in our contrib dependencies. In general we like to specify non-vulnerable minimum versions of dependencies when we can do so in a non-breaking way. To avoid breaking users of this library there may be contrib libraries that are deprecated/vulnerable but still appear in our go.mod file. If you are not using these contrib packages you are not vulnerable (i.e. if they do not appear in your go.sum file). At the next major version we will drop support for these packages. (e.g. as of dd-trace-go@v1 labstack/echo v3 is considered deprecated and users should migrate to labstack/echo.v4)

Regarding v2, there isn't a release schedule yet.
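The SECURITY.md passage quoted above rests on one check: a deprecated contrib dependency listed in dd-trace-go's go.mod is only a problem if it is actually part of your build, which is what your own go.sum records. The following is an added example (not code from the dd-trace-go project or from either commenter) that performs that check against go.sum content. It makes two points a plain `grep labstack/echo go.sum` misses. First, matching must be on the exact module path, because `github.com/labstack/echo/v4` is a different module from `github.com/labstack/echo` (v3). Second, with Go 1.17+ module graph pruning a `<module> <version>/go.mod h1:…` line can appear for a module whose go.mod was only consulted for version selection; the line that shows the module's source is a build input is the one without the `/go.mod` suffix. The sample go.sum is constructed for the example, and its versions and `h1:` hashes are placeholders, not real checksums.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Presence describes how a module path shows up in a go.sum file.
type Presence int

const (
	Absent     Presence = iota // no line at all: not in the module graph
	GoModOnly                  // only ".../go.mod h1:" lines: consulted for version selection, source not fetched
	SourceUsed                 // a "<mod> <ver> h1:" line: the module zip is a build input
)

func (p Presence) String() string {
	return [...]string{"absent", "go.mod-only", "source-used"}[p]
}

// ModulePresence parses go.sum content and reports how modPath appears in it.
// go.sum lines have the form "<module> <version>[/go.mod] <hash>". Matching is on
// the exact module path, so "github.com/labstack/echo" (the v3 module) does not
// match "github.com/labstack/echo/v4", which a substring search would conflate.
func ModulePresence(goSum, modPath string) Presence {
	result := Absent
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 3 || fields[0] != modPath {
			continue // blank, malformed, or a different module (including another major version)
		}
		if strings.HasSuffix(fields[1], "/go.mod") {
			if result == Absent {
				result = GoModOnly
			}
			continue
		}
		return SourceUsed // zip hash present: the module's packages are built
	}
	return result
}

// NaiveGrep is the substring check many scanners and humans reach for first;
// it is here only to show why it over-reports.
func NaiveGrep(goSum, needle string) bool {
	return strings.Contains(goSum, needle)
}

// sampleGoSum is a constructed go.sum for a module that imports dd-trace-go and
// labstack/echo v4 but never imports the echo v3 contrib. Versions and hashes are
// placeholders. The v3 module shows up only through its /go.mod line because
// dd-trace-go's go.mod still requires it.
const sampleGoSum = `github.com/labstack/echo v3.3.10+incompatible/go.mod h1:placeholderA=
github.com/labstack/echo/v4 v4.11.1 h1:placeholderB=
github.com/labstack/echo/v4 v4.11.1/go.mod h1:placeholderC=
gopkg.in/DataDog/dd-trace-go.v1 v1.56.0 h1:placeholderD=
gopkg.in/DataDog/dd-trace-go.v1 v1.56.0/go.mod h1:placeholderE=
`

func main() {
	for _, mod := range []string{
		"github.com/labstack/echo",
		"github.com/labstack/echo/v4",
		"github.com/gin-gonic/gin",
	} {
		fmt.Printf("%-32s %s\n", mod, ModulePresence(sampleGoSum, mod))
	}
	fmt.Printf("naive grep for %q matches: %v\n", "labstack/echo", NaiveGrep(sampleGoSum, "labstack/echo"))
}
```

Run against a real go.sum by replacing `sampleGoSum` with the file's contents. A `go.mod-only` or `absent` result for `github.com/labstack/echo` means the v3 contrib is not in your build, which is the situation darccio describes; `govulncheck` (the CLI from golang.org/x/vuln) reaches the same conclusion by checking whether the vulnerable functions are reachable from your code rather than whether the module is merely listed.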

darccio commented 5 days ago

@Lexdamian Can you confirm you are still affected according to vulncheck? As I already stated, unless you explicitly import the labstack/echo contrib, you shouldn't be affected by any vulnerability related to it.