cgalibern
commented
4 days ago Hi @inge4pres, Is there a reason why you don't propose github.com/golang-jwt/jwt/v5 ?
Sorry the response is into #2699
Closed inge4pres closed 2 days ago
cgalibern
commented
4 days ago Hi @inge4pres, Is there a reason why you don't propose github.com/golang-jwt/jwt/v5 ?
Sorry the response is into #2699
aldas
commented
3 days ago Because there will be v6 one day + some CVE and we again need to upgrade that library version. Echo core library tries very hard not to introduce backwards incompatible changes. So in long run removing this dependency is better strategy. We already have https://github.com/labstack/echo-jwt which from first day said is not trying to be stable and not introduce breaking changes.
being stable and not breaking things is one of the most important feature of Go. In comparison to Javascript ecosystem Go is a bliss to maintain older applications. I very much want Echo to honor this tradition as much as we can - but CVEs pop up every other year with JWT.
inge4pres
commented
2 days ago Superseded by https://github.com/labstack/echo/pull/2701
Fixes #2699
We want to avoid a known vulnerability in golang-jwt library is flagged as a security concern when using echo as a framework in our applications.
Tests are passing locally with the new version.