refactor: remove swag v1 dependency, use swag/v2 exclusively #146

Open
AndriyKalashnykov wants to merge 1 commit into swaggo:master from AndriyKalashnykov:remove-swag-v1-dependency

AndriyKalashnykov commented Apr 6, 2026

Summary

echo-swagger/v2 currently depends on both github.com/swaggo/swag (v1) and github.com/swaggo/swag/v2. This forces every consumer of echo-swagger/v2 to carry swag v1 as an indirect dependency in their go.mod, even when they only use EchoWrapHandlerV3 (which already uses swag v2 internally).

This PR removes the swag v1 dependency entirely by migrating EchoWrapHandler to use swag/v2 as well. It also bumps echo/v5 from v5.0.0 to v5.0.3 to fix a known path traversal vulnerability (GO-2026-4502).

Changes

  • swagger.go: Replace "github.com/swaggo/swag" import with "github.com/swaggo/swag/v2". Both ReadDoc() and Name have identical APIs in v2 — this is a drop-in replacement. Remove the swagV2 alias since only one swag import remains.
  • swagger_test.go: Remove swag v1 import. Since both handlers now share the v2 registry, remove the duplicate swag.Register() call in TestWrapHandlerV3 (the doc is already registered by TestWrapHandler).
  • go.mod: Remove github.com/swaggo/swag v1.16.2, bump swag/v2 to v2.0.0-rc5, bump echo/v5 to v5.0.3 (fixes GO-2026-4502).

Security fix

Echo v5.0.0 (previously pinned) has GO-2026-4502: a Windows path traversal vulnerability via backslash in middleware.Static default filesystem. Fixed in v5.0.3. This PR bumps to v5.0.3 to resolve the Snyk finding.

Before / After

Before (go.mod of a consumer):
```
require github.com/swaggo/echo-swagger/v2 v2.0.1

require (
	github.com/swaggo/swag v1.16.6 // indirect — unwanted
	github.com/swaggo/swag/v2 v2.0.0-rc5 // indirect
)
```

After:
```
require github.com/swaggo/echo-swagger/v2 v2.0.2 // hypothetical

require (
	github.com/swaggo/swag/v2 v2.0.0-rc5 // indirect — only v2
)
```

Test results

All 16 existing tests pass. govulncheck reports zero vulnerabilities.

Relates to #126, #147

Replace all imports of github.com/swaggo/swag (v1) with
github.com/swaggo/swag/v2 in both EchoWrapHandler and
EchoWrapHandlerV3. Both handlers now use the same v2 registry.

This eliminates the transitive swag v1 dependency that consumers
of echo-swagger/v2 were forced to carry in their go.mod.

Changes:
- swagger.go: remove swag v1 import, use swag/v2 for ReadDoc/Name
- swagger_test.go: remove swag v1 import, fix double-registration
  panic (both handlers now share the v2 registry)
- go.mod: remove github.com/swaggo/swag, bump swag/v2 to v2.0.0-rc5,
  bump echo/v5 to v5.0.3 (fixes GO-2026-4502 path traversal CVE)

Relates to swaggo#126, swaggo#147
AndriyKalashnykov force-pushed the remove-swag-v1-dependency branch from 1eb310f to 33574a7 on April 6, 2026 15:22
AndriyKalashnykov pushed a commit to AndriyKalashnykov/flight-path that referenced this pull request Apr 6, 2026
Add swaggo/echo-swagger#146 and #147 to session-checked upgrade
tracking items so we pick up the fix when merged upstream.
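
A check a consumer could run in CI to confirm the two go.mod outcomes this PR describes, as an added example that is not part of the PR or the echo-swagger project: it flags a remaining requirement on swag v1 and an echo/v5 version older than v5.0.3. The full module path github.com/labstack/echo/v5, the function names and the sample go.mod text are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// swag v1 path and the fixed Echo version are from the PR; the full Echo path is assumed.
const (
	swagV1    = "github.com/swaggo/swag"
	echoV5    = "github.com/labstack/echo/v5"
	echoFixed = "v5.0.3"
)

// rank turns "v5.0.3" into a comparable number; a pre-release suffix is ignored.
func rank(v string) (n int) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-")
	for _, s := range strings.SplitN(v+"..", ".", 4)[:3] {
		p, _ := strconv.Atoi(s)
		n = n*100000 + p
	}
	return n
}

// Audit scans go.mod text and returns one finding per offending requirement.
// The exact path match keeps github.com/swaggo/swag/v2 from being flagged as v1.
func Audit(gomod string) (out []string) {
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) == 2 && f[0] == swagV1 {
			out = append(out, "swag v1 still required: "+f[1])
		} else if len(f) == 2 && f[0] == echoV5 && rank(f[1]) < rank(echoFixed) {
			out = append(out, "echo/v5 "+f[1]+" predates "+echoFixed)
		}
	}
	return out
}

func main() {
	// Constructed go.mod fragment modelled on the PR's "Before" example.
	sample := "require (\n\tgithub.com/labstack/echo/v5 v5.0.0 // indirect\n" +
		"\tgithub.com/swaggo/swag v1.16.6 // indirect\n" +
		"\tgithub.com/swaggo/swag/v2 v2.0.0-rc5 // indirect\n)\n"
	fmt.Println(strings.Join(Audit(sample), "\n"))
}
```

Running `govulncheck ./...`, as the PR author did, remains the authoritative check; this only guards the two specific requirements named in the description.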