ready release gin 1.9.1

[thinkerou]

as title, @appleboy please review, thanks!

[codecov]

Codecov Report

Merging #3620 (2b1fd65) into master (bb1fc2e) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #3620   +/-   ##
=======================================
  Coverage   99.01%   99.01%           
=======================================
  Files          42       42           
  Lines        3157     3157           
=======================================
  Hits         3126     3126           
  Misses         21       21           
  Partials       10       10           

Flag	Coverage Δ
	99.01% <ø> (ø)
go-1.18	98.92% <ø> (ø)
go-1.19	99.01% <ø> (ø)
go-1.20	99.01% <ø> (ø)
macos-latest	99.01% <ø> (ø)
ubuntu-latest	99.01% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

[herrberk]

Looks like these two got downgraded?

[thinkerou]

@herrberk thanks! fixed.

[adrianosela]

RE: CVE-2023-29401 | GO-2023-1737 | GHSA-2c4m-59x9-fr2g | Fix PR | Original Issue

---

Hey @thinkerou, for starters: thanks so much for moving this forward! Your effort is noticed.

Gin is one of the most, if not the most, popular http framework for Go. Many organizations use Gin as their framework of choice, including my workplace and myself for personal projects.

I understand its hard, and in most cases not possible, to hold a community-ran project to strict SLAs; however the sentiment of the comments thread in #3556 is shared by many of us security-oriented folks who use Gin.

It's been ~60 days since the issue was originally reported, with the reporter claiming to have tried to contact the maintainer numerous times via multiple different channels - and the fix is still not released.

It would be awesome to have a better security story around fixing issues quickly with Gin... The timeline of this change was a bit too lengthy. Organizations out there in the best case have compliance goals to meet, and in the worst case have things running in the wild with tangible risk related to this CVE.

Perhaps the Gin maintainers would consider widening the list of folks who can approve/merge and push releases, in particular for security related changes and releases. Perhaps Gin documenting a soft SLA to meet when it comes to security issues?

Once again, thank you and the rest of the Gin team <3

[herrberk]

Perhaps the Gin maintainers would consider widening the list of folks who can approve/merge and push releases, in particular for security related changes and releases. Perhaps Gin documenting a soft SLA to meet when it comes to security issues?

I second this, if a maintainer is away on vacation, etc. the project (especially the one that is used by 136k and has ~400 contributors) should be able to proceed without having to wait on them. Thoughts? @thinkerou @javierprovecho

[vitordm]

Lets go!

[Laotree]

fixme pls

[Laotree]

Convert -> convert start with lower case as context

[thinkerou]

done

[thinkerou]

thanks everyone!
@appleboy and I have only limited permission, now do more things need @javierprovecho and @manucorporat

[vitordm]

Please @appleboy, We need this fix!

[cpusoft]

We need this fix!

[amandalal]

❗ ❗ ❗ Who is authorized to merge this PR? We need this ASAP please @javierprovecho @manucorporat

[dayvsonsales]

Hello, please, some administrator could please merge this PR, we need this

[thinkerou]

hi, who can copy the pull request and commit it, I approve and merge. thanks!

[adrianosela]

@thinkerou #3630

[thinkerou]

@adrianosela thanks a lot! let's go!

[thinkerou]

v1.9.1 have released, please see https://github.com/gin-gonic/gin/releases/tag/v1.9.1, thanks!