build(deps): bump the go-deps group with 10 updates

Bumps the go-deps group with 10 updates: | Package | From | To | | --- | --- | --- | | [cloud.google.com/go/compute](https://github.com/googleapis/google-cloud-go) | `1.23.1` | `1.23.3` | | [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go) | `1.33.0` | `1.35.1` | | [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) | `1.45.27` | `1.47.9` | | [github.com/hashicorp/go-retryablehttp](https://github.com/hashicorp/go-retryablehttp) | `0.7.4` | `0.7.5` | | [github.com/labstack/echo/v4](https://github.com/labstack/echo) | `4.11.2` | `4.11.3` | | [github.com/labstack/gommon](https://github.com/labstack/gommon) | `0.4.0` | `0.4.1` | | [github.com/openshift-online/ocm-sdk-go](https://github.com/openshift-online/ocm-sdk-go) | `0.1.374` | `0.1.385` | | [github.com/osbuild/images](https://github.com/osbuild/images) | `0.12.0` | `0.15.0` | | [github.com/spf13/cobra](https://github.com/spf13/cobra) | `1.7.0` | `1.8.0` | | [golang.org/x/oauth2](https://github.com/golang/oauth2) | `0.13.0` | `0.14.0` | Updates `cloud.google.com/go/compute` from 1.23.1 to 1.23.3 - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.23.1...compute/v1.23.3) Updates `cloud.google.com/go/storage` from 1.33.0 to 1.35.1 - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.33.0...storage/v1.35.1) Updates `github.com/aws/aws-sdk-go` from 1.45.27 to 1.47.9 - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](https://github.com/aws/aws-sdk-go/compare/v1.45.27...v1.47.9) Updates `github.com/hashicorp/go-retryablehttp` from 0.7.4 to 0.7.5 - [Changelog](https://github.com/hashicorp/go-retryablehttp/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/go-retryablehttp/compare/v0.7.4...v0.7.5) Updates `github.com/labstack/echo/v4` from 4.11.2 to 4.11.3 - [Release notes](https://github.com/labstack/echo/releases) - [Changelog](https://github.com/labstack/echo/blob/master/CHANGELOG.md) - [Commits](https://github.com/labstack/echo/compare/v4.11.2...v4.11.3) Updates `github.com/labstack/gommon` from 0.4.0 to 0.4.1 - [Release notes](https://github.com/labstack/gommon/releases) - [Commits](https://github.com/labstack/gommon/compare/v0.4.0...v0.4.1) Updates `github.com/openshift-online/ocm-sdk-go` from 0.1.374 to 0.1.385 - [Release notes](https://github.com/openshift-online/ocm-sdk-go/releases) - [Changelog](https://github.com/openshift-online/ocm-sdk-go/blob/main/CHANGES.md) - [Commits](https://github.com/openshift-online/ocm-sdk-go/compare/v0.1.374...v0.1.385) Updates `github.com/osbuild/images` from 0.12.0 to 0.15.0 - [Release notes](https://github.com/osbuild/images/releases) - [Commits](https://github.com/osbuild/images/compare/v0.12.0...v0.15.0) Updates `github.com/spf13/cobra` from 1.7.0 to 1.8.0 - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](https://github.com/spf13/cobra/compare/v1.7.0...v1.8.0) Updates `golang.org/x/oauth2` from 0.13.0 to 0.14.0 - [Commits](https://github.com/golang/oauth2/compare/v0.13.0...v0.14.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/compute dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-deps - dependency-name: cloud.google.com/go/storage dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: github.com/hashicorp/go-retryablehttp dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-deps - dependency-name: github.com/labstack/echo/v4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-deps - dependency-name: github.com/labstack/gommon dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-deps - dependency-name: github.com/openshift-online/ocm-sdk-go dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-deps - dependency-name: github.com/osbuild/images dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: github.com/spf13/cobra dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps ... Signed-off-by: dependabot[bot] <support@github.com>
2023-11-13 04:25:22 +00:00 · 2023-11-13 04:25:22 +00:00 · a1e428fc53
commit a1e428fc53
parent 13d642bb46
565 changed files with 10888 additions and 5729 deletions
--- a/vendor/github.com/labstack/echo/v4/CHANGELOG.md
+++ b/vendor/github.com/labstack/echo/v4/CHANGELOG.md
@ -1,5 +1,18 @@
 # Changelog

+## v4.11.3 - 2023-11-07
+
+**Security**
+
+* 'c.Attachment' and 'c.Inline' should escape filename in 'Content-Disposition' header to avoid 'Reflect File Download' vulnerability. [#2541](https://github.com/labstack/echo/pull/2541)
+
+**Enhancements**
+
+* Tests: refactor context tests to be separate functions [#2540](https://github.com/labstack/echo/pull/2540)
+* Proxy middleware: reuse echo request context [#2537](https://github.com/labstack/echo/pull/2537)
+* Mark unmarshallable yaml struct tags as ignored [#2536](https://github.com/labstack/echo/pull/2536)
+
+
 ## v4.11.2 - 2023-10-11

 **Security**
--- a/vendor/github.com/labstack/echo/v4/binder.go
+++ b/vendor/github.com/labstack/echo/v4/binder.go
@ -1323,7 +1323,7 @@ func (b *ValueBinder) unixTime(sourceParam string, dest *time.Time, valueMustExi
 	case time.Second:
 		*dest = time.Unix(n, 0)
 	case time.Millisecond:
-		*dest = time.Unix(n/1e3, (n%1e3)*1e6) // TODO: time.UnixMilli(n) exists since Go1.17 switch to that when min version allows
+		*dest = time.UnixMilli(n)
 	case time.Nanosecond:
 		*dest = time.Unix(0, n)
 	}
--- a/vendor/github.com/labstack/echo/v4/context.go
+++ b/vendor/github.com/labstack/echo/v4/context.go
@ -584,8 +584,10 @@ func (c *context) Inline(file, name string) error {
 	return c.contentDisposition(file, name, "inline")
 }

+var quoteEscaper = strings.NewReplacer("\\", "\\\\", `"`, "\\\"")
+
 func (c *context) contentDisposition(file, name, dispositionType string) error {
-	c.response.Header().Set(HeaderContentDisposition, fmt.Sprintf("%s; filename=%q", dispositionType, name))
+	c.response.Header().Set(HeaderContentDisposition, fmt.Sprintf(`%s; filename="%s"`, dispositionType, quoteEscaper.Replace(name)))
 	return c.File(file)
 }

--- a/vendor/github.com/labstack/echo/v4/echo.go
+++ b/vendor/github.com/labstack/echo/v4/echo.go
@ -259,7 +259,7 @@ const (

 const (
 	// Version of Echo
-	Version = "4.11.2"
+	Version = "4.11.3"
 	website = "https://echo.labstack.com"
 	// http://patorjk.com/software/taag/#p=display&f=Small%20Slant&t=Echo
 	banner = `
--- a/vendor/github.com/labstack/echo/v4/middleware/cors.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/cors.go
@ -39,7 +39,7 @@ type (
 		// See https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
 		//
 		// Optional.
-		AllowOriginFunc func(origin string) (bool, error) `yaml:"allow_origin_func"`
+		AllowOriginFunc func(origin string) (bool, error) `yaml:"-"`

 		// AllowMethods determines the value of the Access-Control-Allow-Methods
 		// response header.  This header specified the list of methods allowed when
--- a/vendor/github.com/labstack/echo/v4/middleware/proxy.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/proxy.go
@ -359,6 +359,10 @@ func ProxyWithConfig(config ProxyConfig) echo.MiddlewareFunc {
 					c.Set("_error", nil)
 				}

+				// This is needed for ProxyConfig.ModifyResponse and/or ProxyConfig.Transport to be able to process the Request
+				// that Balancer may have replaced with c.SetRequest.
+				req = c.Request()
+
 				// Proxy
 				switch {
 				case c.IsWebSocket():
--- a/vendor/github.com/labstack/echo/v4/middleware/rewrite.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/rewrite.go
@ -27,7 +27,7 @@ type (
 		// Example:
 		// "^/old/[0.9]+/":     "/new",
 		// "^/api/.+?/(.*)":     "/v2/$1",
-		RegexRules map[*regexp.Regexp]string `yaml:"regex_rules"`
+		RegexRules map[*regexp.Regexp]string `yaml:"-"`
 	}
 )