sam_oneal/pulumi-docker-build
1
0
Fork 0
Code Actions Packages Releases Wiki Activity

Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (#758)

Browse Source 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[github.com/go-git/go-git/v5](https://redirect.github.com/go-git/go-git)
| indirect | patch | `v5.16.0` -> `v5.16.5` |

### GitHub Vulnerability Alerts

####
[CVE-2026-25934](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3)

### Impact 

A vulnerability was discovered in `go-git` whereby data integrity values
for `.pack` and `.idx` files were not properly verified. This resulted
in `go-git` potentially consuming corrupted files, which would likely
result in unexpected errors such as `object not found`.

For context, clients fetch
[`packfiles`](https://git-scm.com/docs/pack-protocol#_packfile_data)
from upstream Git servers. Those files contain a checksum of their
contents, so that clients can perform integrity checks before consuming
it. The pack indexes (`.idx`) are
[generated](https://git-scm.com/docs/pack-format) locally by `go-git`,
or the `git` cli, when new `.pack` files are received and processed. The
integrity checks for both files were not being verified correctly.

Note that the lack of verification of the packfile checksum has no
impact on the trust relationship between the client and server, which is
enforced based on the protocol being used (e.g. TLS in the case of
`https://` or known hosts for `ssh://`). In other words, the packfile
checksum verification does not provide any security benefits when
connecting to a malicious or compromised Git server.

### Patches

Users should upgrade to `v5.16.5`, or the latest `v6`
[pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to
mitigate this vulnerability.

### Workarounds

In case updating to a fixed version of `go-git` is not possible, users
can run [git fsck](https://git-scm.com/docs/git-fsck) from the `git` cli
to check for data corruption on a given repository.

### Credit

Thanks @​N0zoM1z0 for finding and reporting this issue privately
to the `go-git` project.

---

### Release Notes

<details>
<summary>go-git/go-git (github.com/go-git/go-git/v5)</summary>

###
[`v5.16.5`](https://redirect.github.com/go-git/go-git/releases/tag/v5.16.5)

[Compare
Source](https://redirect.github.com/go-git/go-git/compare/v5.16.4...v5.16.5)

##### What's Changed

- build: Update module golang.org/x/crypto to v0.45.0 \[SECURITY]
(releases/v5.x) by
[@&#8203;go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot]
in[https://github.com/go-git/go-git/pull/1744](https://redirect.github.com/go-git/go-git/pull/1744)4
- build: Bump Go test versions to 1.23-1.25 (v5) by
[@&#8203;pjbgf](https://redirect.github.com/pjbgf) in
[https://github.com/go-git/go-git/pull/1746](https://redirect.github.com/go-git/go-git/pull/1746)
- \[v5] git: worktree, Don't delete local untracked files when resetting
worktree by [@&#8203;Ch00k](https://redirect.github.com/Ch00k) in
[https://github.com/go-git/go-git/pull/1800](https://redirect.github.com/go-git/go-git/pull/1800)
- Expand packfile checks by
[@&#8203;pjbgf](https://redirect.github.com/pjbgf) in
[https://github.com/go-git/go-git/pull/1836](https://redirect.github.com/go-git/go-git/pull/1836)

**Full Changelog**:
https://github.com/go-git/go-git/compare/v5.16.4...v5.16.5

###
[`v5.16.4`](https://redirect.github.com/go-git/go-git/releases/tag/v5.16.4)

[Compare
Source](https://redirect.github.com/go-git/go-git/compare/v5.16.3...v5.16.4)

##### What's Changed

- backport plumbing: format/idxfile, prevent panic by
[@&#8203;swills](https://redirect.github.com/swills) in
[https://github.com/go-git/go-git/pull/1732](https://redirect.github.com/go-git/go-git/pull/1732)
- \[backport] build: test, Fix build on Windows. by
[@&#8203;pjbgf](https://redirect.github.com/pjbgf) in
[https://github.com/go-git/go-git/pull/1734](https://redirect.github.com/go-git/go-git/pull/1734)
- build: Update module golang.org/x/net to v0.38.0 \[SECURITY]
(releases/v5.x) by
[@&#8203;go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot]
in[https://github.com/go-git/go-git/pull/1742](https://redirect.github.com/go-git/go-git/pull/1742)2
- build: Update module github.com/cloudflare/circl to v1.6.1 \[SECURITY]
(releases/v5.x) by
[@&#8203;go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot]
in[https://github.com/go-git/go-git/pull/1741](https://redirect.github.com/go-git/go-git/pull/1741)1
- build: Update module github.com/go-git/go-git/v5 to v5.13.0
\[SECURITY] (releases/v5.x) by
[@&#8203;go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot]
in[https://github.com/go-git/go-git/pull/1743](https://redirect.github.com/go-git/go-git/pull/1743)3

**Full Changelog**:
https://github.com/go-git/go-git/compare/v5.16.3...v5.16.4

###
[`v5.16.3`](https://redirect.github.com/go-git/go-git/releases/tag/v5.16.3)

[Compare
Source](https://redirect.github.com/go-git/go-git/compare/v5.16.2...v5.16.3)

##### What's Changed

- internal: Expand regex to fix build \[5.x] by
[@&#8203;baloo](https://redirect.github.com/baloo) in
[https://github.com/go-git/go-git/pull/1644](https://redirect.github.com/go-git/go-git/pull/1644)
- build: raise timeouts for windows CI tests and disable CIFuzz \[5.x]
by [@&#8203;baloo](https://redirect.github.com/baloo) in
[https://github.com/go-git/go-git/pull/1646](https://redirect.github.com/go-git/go-git/pull/1646)
- plumbing: support commits extra headers, support jujutsu signed commit
\[5.x] by [@&#8203;baloo](https://redirect.github.com/baloo) in
[https://github.com/go-git/go-git/pull/1633](https://redirect.github.com/go-git/go-git/pull/1633)

**Full Changelog**:
https://github.com/go-git/go-git/compare/v5.16.2...v5.16.3

###
[`v5.16.2`](https://redirect.github.com/go-git/go-git/releases/tag/v5.16.2)

[Compare
Source](https://redirect.github.com/go-git/go-git/compare/v5.16.1...v5.16.2)

##### What's Changed

- utils: fix diff so subpaths work for sparse checkouts, fixes 1455 to
releases/v5.x by [@&#8203;kane8n](https://redirect.github.com/kane8n) in
[https://github.com/go-git/go-git/pull/1567](https://redirect.github.com/go-git/go-git/pull/1567)

**Full Changelog**:
https://github.com/go-git/go-git/compare/v5.16.1...v5.16.2

###
[`v5.16.1`](https://redirect.github.com/go-git/go-git/releases/tag/v5.16.1)

[Compare
Source](https://redirect.github.com/go-git/go-git/compare/v5.16.0...v5.16.1)

##### What's Changed

- utils: merkletrie, Fix diff on sparse-checkout index. Fixes
[#&#8203;1406](https://redirect.github.com/go-git/go-git/issues/1406) to
releases/v5.x by [@&#8203;kane8n](https://redirect.github.com/kane8n) in
[https://github.com/go-git/go-git/pull/1561](https://redirect.github.com/go-git/go-git/pull/1561)

##### New Contributors

- [@&#8203;kane8n](https://redirect.github.com/kane8n) made their first
contribution in
[https://github.com/go-git/go-git/pull/1561](https://redirect.github.com/go-git/go-git/pull/1561)

**Full Changelog**:
https://github.com/go-git/go-git/compare/v5.16.0...v5.16.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - Monday through
Friday ( * * * * 1-5 ) (UTC).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNjQuMCIsInVwZGF0ZWRJblZlciI6IjM5LjI2NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJpbXBhY3Qvbm8tY2hhbmdlbG9nLXJlcXVpcmVkIl19-->

---------

Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com>
Co-authored-by: pulumi-bot <bot@pulumi.com>
This commit is contained in:
pulumi-renovate[bot]
2026-02-10 00:50:46 +00:00
committed by GitHub
parent 5b05d733ea
commit ca8a59a077
6 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
sdk/go/dockerbuild/go.sum generated
View File

@@ -68,8 +68,8 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN
github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
github.com/go-git/go-git/v5 v5.16.0 h1:k3kuOEpkc0DeY7xlL6NaaNg39xdgQbtH5mwCafHO9AQ=
github.com/go-git/go-git/v5 v5.16.0/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
github.com/go-git/go-git/v5 v5.16.5 h1:mdkuqblwr57kVfXri5TTH+nMFLNUxIj9Z7F5ykFbw5s=
github.com/go-git/go-git/v5 v5.16.5/go.mod h1:QOMLpNf1qxuSY4StA/ArOdfFR2TrKEjJiye2kel2m+M=
github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=