Skip to content

Conversation

renovate-bot
Copy link
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/go-git/go-git/v5 v5.12.0 -> v5.13.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-21613

Impact

An argument injection vulnerability was discovered in go-git versions prior to v5.13.

Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.

Affected versions

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.

Credit

Thanks to @​vin01 for responsibly disclosing this vulnerability to us.

CVE-2025-21614

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.


Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.13.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-git/go-git@v5.12.0...v5.13.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested a review from q2w as a code owner January 6, 2025 18:18
@renovate-bot renovate-bot requested a review from a team as a code owner January 6, 2025 18:18
Copy link

ℹ Artifact update notice

File name: cli/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 4 additional dependencies were updated

Details:

Package Change
github.com/ProtonMail/go-crypto v1.0.0 -> v1.1.3
github.com/cyphar/filepath-securejoin v0.2.4 -> v0.2.5
github.com/go-git/go-billy/v5 v5.5.0 -> v5.6.0
github.com/skeema/knownhosts v1.2.2 -> v1.3.0

@dpebot
Copy link
Collaborator

dpebot commented Jan 6, 2025

/gcbrun

@dpebot
Copy link
Collaborator

dpebot commented Jan 6, 2025

/gcbrun

Copy link

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@apeabody apeabody merged commit 0de9314 into GoogleCloudPlatform:main Jan 6, 2025
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants