From ca8a59a077bff1a53a6ada147637d46cb4057ead Mon Sep 17 00:00:00 2001
From: "pulumi-renovate[bot]" <189166143+pulumi-renovate[bot]@users.noreply.github.com>
Date: Tue, 10 Feb 2026 00:50:46 +0000
Subject: [PATCH] Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (#758)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/go-git/go-git/v5](https://redirect.github.com/go-git/go-git) | indirect | patch | `v5.16.0` -> `v5.16.5` |

### GitHub Vulnerability Alerts

#### [CVE-2026-25934](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3)

### Impact

A vulnerability was discovered in `go-git` whereby data integrity values for `.pack` and `.idx` files were not properly verified. This resulted in `go-git` potentially consuming corrupted files, which would likely result in unexpected errors such as `object not found`.

For context, clients fetch [`packfiles`](https://git-scm.com/docs/pack-protocol#_packfile_data) from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (`.idx`) are [generated](https://git-scm.com/docs/pack-format) locally by `go-git`, or the `git` cli, when new `.pack` files are received and processed. The integrity checks for both files were not being verified correctly.

Note that the lack of verification of the packfile checksum has no impact on the trust relationship between the client and server, which is enforced based on the protocol being used (e.g. TLS in the case of `https://` or known hosts for `ssh://`). In other words, the packfile checksum verification does not provide any security benefits when connecting to a malicious or compromised Git server.

### Patches

Users should upgrade to `v5.16.5`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability.

### Workarounds

In case updating to a fixed version of `go-git` is not possible, users can run [git fsck](https://git-scm.com/docs/git-fsck) from the `git` cli to check for data corruption on a given repository.

### Credit

Thanks @​N0zoM1z0 for finding and reporting this issue privately to the `go-git` project.

---

### Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

### [`v5.16.5`](https://redirect.github.com/go-git/go-git/releases/tag/v5.16.5)

[Compare Source](https://redirect.github.com/go-git/go-git/compare/v5.16.4...v5.16.5)

##### What's Changed

- build: Update module golang.org/x/crypto to v0.45.0 \[SECURITY] (releases/v5.x) by [@​go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot] in [https://github.com/go-git/go-git/pull/1744](https://redirect.github.com/go-git/go-git/pull/1744)
- build: Bump Go test versions to 1.23-1.25 (v5) by [@​pjbgf](https://redirect.github.com/pjbgf) in [https://github.com/go-git/go-git/pull/1746](https://redirect.github.com/go-git/go-git/pull/1746)
- \[v5] git: worktree, Don't delete local untracked files when resetting worktree by [@​Ch00k](https://redirect.github.com/Ch00k) in [https://github.com/go-git/go-git/pull/1800](https://redirect.github.com/go-git/go-git/pull/1800)
- Expand packfile checks by [@​pjbgf](https://redirect.github.com/pjbgf) in [https://github.com/go-git/go-git/pull/1836](https://redirect.github.com/go-git/go-git/pull/1836)

**Full Changelog**: https://github.com/go-git/go-git/compare/v5.16.4...v5.16.5

### [`v5.16.4`](https://redirect.github.com/go-git/go-git/releases/tag/v5.16.4)

[Compare Source](https://redirect.github.com/go-git/go-git/compare/v5.16.3...v5.16.4)

##### What's Changed

- backport plumbing: format/idxfile, prevent panic by [@​swills](https://redirect.github.com/swills) in [https://github.com/go-git/go-git/pull/1732](https://redirect.github.com/go-git/go-git/pull/1732)
- \[backport] build: test, Fix build on Windows. by [@​pjbgf](https://redirect.github.com/pjbgf) in [https://github.com/go-git/go-git/pull/1734](https://redirect.github.com/go-git/go-git/pull/1734)
- build: Update module golang.org/x/net to v0.38.0 \[SECURITY] (releases/v5.x) by [@​go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot] in [https://github.com/go-git/go-git/pull/1742](https://redirect.github.com/go-git/go-git/pull/1742)
- build: Update module github.com/cloudflare/circl to v1.6.1 \[SECURITY] (releases/v5.x) by [@​go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot] in [https://github.com/go-git/go-git/pull/1741](https://redirect.github.com/go-git/go-git/pull/1741)
- build: Update module github.com/go-git/go-git/v5 to v5.13.0 \[SECURITY] (releases/v5.x) by [@​go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot] in [https://github.com/go-git/go-git/pull/1743](https://redirect.github.com/go-git/go-git/pull/1743)

**Full Changelog**: https://github.com/go-git/go-git/compare/v5.16.3...v5.16.4

### [`v5.16.3`](https://redirect.github.com/go-git/go-git/releases/tag/v5.16.3)

[Compare Source](https://redirect.github.com/go-git/go-git/compare/v5.16.2...v5.16.3)

##### What's Changed

- internal: Expand regex to fix build \[5.x] by [@​baloo](https://redirect.github.com/baloo) in [https://github.com/go-git/go-git/pull/1644](https://redirect.github.com/go-git/go-git/pull/1644)
- build: raise timeouts for windows CI tests and disable CIFuzz \[5.x] by [@​baloo](https://redirect.github.com/baloo) in [https://github.com/go-git/go-git/pull/1646](https://redirect.github.com/go-git/go-git/pull/1646)
- plumbing: support commits extra headers, support jujutsu signed commit \[5.x] by [@​baloo](https://redirect.github.com/baloo) in [https://github.com/go-git/go-git/pull/1633](https://redirect.github.com/go-git/go-git/pull/1633)

**Full Changelog**: https://github.com/go-git/go-git/compare/v5.16.2...v5.16.3

### [`v5.16.2`](https://redirect.github.com/go-git/go-git/releases/tag/v5.16.2)

[Compare Source](https://redirect.github.com/go-git/go-git/compare/v5.16.1...v5.16.2)

##### What's Changed

- utils: fix diff so subpaths work for sparse checkouts, fixes 1455 to releases/v5.x by [@​kane8n](https://redirect.github.com/kane8n) in [https://github.com/go-git/go-git/pull/1567](https://redirect.github.com/go-git/go-git/pull/1567)

**Full Changelog**: https://github.com/go-git/go-git/compare/v5.16.1...v5.16.2

### [`v5.16.1`](https://redirect.github.com/go-git/go-git/releases/tag/v5.16.1)

[Compare Source](https://redirect.github.com/go-git/go-git/compare/v5.16.0...v5.16.1)

##### What's Changed

- utils: merkletrie, Fix diff on sparse-checkout index. Fixes [#​1406](https://redirect.github.com/go-git/go-git/issues/1406) to releases/v5.x by [@​kane8n](https://redirect.github.com/kane8n) in [https://github.com/go-git/go-git/pull/1561](https://redirect.github.com/go-git/go-git/pull/1561)

##### New Contributors

- [@​kane8n](https://redirect.github.com/kane8n) made their first contribution in [https://github.com/go-git/go-git/pull/1561](https://redirect.github.com/go-git/go-git/pull/1561)

**Full Changelog**: https://github.com/go-git/go-git/compare/v5.16.0...v5.16.1

--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). --------- Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com> Co-authored-by: pulumi-bot --- examples/go/go.mod | 2 +- examples/go/go.sum | 4 ++-- go.mod | 2 +- go.sum | 4 ++-- sdk/go/dockerbuild/go.mod | 2 +- sdk/go/dockerbuild/go.sum | 4 ++-- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/examples/go/go.mod b/examples/go/go.mod index 4f657f9..5559593 100644 --- a/examples/go/go.mod +++ b/examples/go/go.mod @@ -33,7 +33,7 @@ require ( github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect github.com/go-git/go-billy/v5 v5.6.2 // indirect - github.com/go-git/go-git/v5 v5.16.0 // indirect + github.com/go-git/go-git/v5 v5.16.5 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/glog v1.2.4 // indirect github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect diff --git a/examples/go/go.sum b/examples/go/go.sum index 5f9d14b..018b15c 100644 --- a/examples/go/go.sum +++ b/examples/go/go.sum 
@@ -67,8 +67,8 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII= -github.com/go-git/go-git/v5 v5.16.0 h1:k3kuOEpkc0DeY7xlL6NaaNg39xdgQbtH5mwCafHO9AQ= -github.com/go-git/go-git/v5 v5.16.0/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8= +github.com/go-git/go-git/v5 v5.16.5 h1:mdkuqblwr57kVfXri5TTH+nMFLNUxIj9Z7F5ykFbw5s= +github.com/go-git/go-git/v5 v5.16.5/go.mod h1:QOMLpNf1qxuSY4StA/ArOdfFR2TrKEjJiye2kel2m+M= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= diff --git a/go.mod b/go.mod index 44e9e68..22842d7 100644 --- a/go.mod +++ b/go.mod @@ -120,7 +120,7 @@ require ( github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect github.com/go-git/go-billy/v5 v5.6.2 // indirect - github.com/go-git/go-git/v5 v5.16.0 // indirect + github.com/go-git/go-git/v5 v5.16.5 // indirect github.com/go-jose/go-jose/v3 v3.0.4 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect diff --git a/go.sum b/go.sum index 1c65572..757ba3d 100644 --- a/go.sum +++ b/go.sum 
@@ -263,8 +263,8 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII= -github.com/go-git/go-git/v5 v5.16.0 h1:k3kuOEpkc0DeY7xlL6NaaNg39xdgQbtH5mwCafHO9AQ= -github.com/go-git/go-git/v5 v5.16.0/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8= +github.com/go-git/go-git/v5 v5.16.5 h1:mdkuqblwr57kVfXri5TTH+nMFLNUxIj9Z7F5ykFbw5s= +github.com/go-git/go-git/v5 v5.16.5/go.mod h1:QOMLpNf1qxuSY4StA/ArOdfFR2TrKEjJiye2kel2m+M= github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY= github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= diff --git a/sdk/go/dockerbuild/go.mod b/sdk/go/dockerbuild/go.mod index 843d7fe..ea5e2af 100644 --- a/sdk/go/dockerbuild/go.mod +++ b/sdk/go/dockerbuild/go.mod @@ -33,7 +33,7 @@ require ( github.com/frankban/quicktest v1.14.6 // indirect github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect github.com/go-git/go-billy/v5 v5.6.2 // indirect - github.com/go-git/go-git/v5 v5.16.0 // indirect + github.com/go-git/go-git/v5 v5.16.5 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/glog v1.2.4 // indirect github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect diff --git a/sdk/go/dockerbuild/go.sum b/sdk/go/dockerbuild/go.sum index 8bde97e..bba2adc 100644 --- a/sdk/go/dockerbuild/go.sum +++ b/sdk/go/dockerbuild/go.sum 
@@ -68,8 +68,8 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII= -github.com/go-git/go-git/v5 v5.16.0 h1:k3kuOEpkc0DeY7xlL6NaaNg39xdgQbtH5mwCafHO9AQ= -github.com/go-git/go-git/v5 v5.16.0/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8= +github.com/go-git/go-git/v5 v5.16.5 h1:mdkuqblwr57kVfXri5TTH+nMFLNUxIj9Z7F5ykFbw5s= +github.com/go-git/go-git/v5 v5.16.5/go.mod h1:QOMLpNf1qxuSY4StA/ArOdfFR2TrKEjJiye2kel2m+M= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
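
Review bot: In the three `go.mod` hunks (`examples/go/go.mod` @@ -33,7, `go.mod` @@ -120,7, `sdk/go/dockerbuild/go.mod` @@ -33,7) only the `github.com/go-git/go-git/v5` line changes, although the release notes quoted in the commit message list bumps inside go-git to `golang.org/x/crypto` v0.45.0, `golang.org/x/net` v0.38.0 and `github.com/cloudflare/circl` v1.6.1. Please confirm that `go mod tidy` run in each of the three modules leaves no further diff, so the versions already required there satisfy what v5.16.5 asks for. Since the requirement is marked `// indirect` in all three files, it would also help to record in the PR which direct dependency pulls go-git in (the output of `go mod why -m github.com/go-git/go-git/v5`), so readers can judge whether the packfile and index reading paths named in the advisory are reachable from this code base.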
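
Review bot: The three `go.sum` hunks (`examples/go/go.sum` @@ -67,8, `go.sum` @@ -263,8, `sdk/go/dockerbuild/go.sum` @@ -68,8) take the new `h1:` and `/go.mod h1:` entries for v5.16.5 straight from a bot-generated commit, and nothing in the patch shows they were checked independently. The pair is identical in all three files, which is the expected result, but because the `go` command trusts a hash once it is present in `go.sum`, the useful check is to regenerate these two lines in a clean environment with the default `GOSUMDB` and no `GONOSUMDB`, `GOPRIVATE` or `GOSUMDB=off` override, and confirm the result matches `h1:mdkuqblwr57kVfXri5TTH+nMFLNUxIj9Z7F5ykFbw5s=` and `h1:QOMLpNf1qxuSY4StA/ArOdfFR2TrKEjJiye2kel2m+M=`. Running `go mod verify` in each module as a CI step would additionally catch a module cache that disagrees with these entries.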