Commit daa692b
authored
fix(deps): update module github.com/go-git/go-git/v6 to v6.0.0-alpha.3 [security] (#5335)
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/go-git/go-git/v6](https://redirect.github.com/go-git/go-git) | `v6.0.0-alpha.2` → `v6.0.0-alpha.3` | | |
---
### go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
[CVE-2026-45022](https://nvd.nist.gov/vuln/detail/CVE-2026-45022) / [GHSA-389r-gv7p-r3rp](https://redirect.github.com/advisories/GHSA-389r-gv7p-r3rp)
<details>
<summary>More information</summary>
#### Details
##### Impact
`go-git` may parse malformed Git objects in a way that differs from
upstream Git. When `commit` or `tag` objects contain ambiguous or
malformed headers, `go-git`’s decoded representation may expose values
differently from how Git itself would interpret or reject the same
object.
Additionally, `go-git`’s commit signing and verification logic operates
over commit data reconstructed from `go-git`’s parsed representation
rather than the original raw object bytes. As a result, `go-git` may
sign or verify a commit payload that is not byte-for-byte equivalent to
the object stored in the repository.
This can cause a signature to appear valid for a commit whose displayed
or effective metadata differs from the object that was intended to be
signed.
##### Patches
Users should upgrade to a patched version in order to mitigate this
vulnerability. Versions prior to v5 are likely to be affected; users are
recommended to upgrade to a supported `go-git` version.
##### Credit
Thanks to @​bugbunny-research (https://bugbunny.ai/) for reporting
this to `sigstore/gitsign`, and to @​wlynch, @​patzielinski
and @​adityasaky for coordinating the disclosure with the `go-git`
project. 🙇 🥇
Thanks to @​wayphinder for reporting this to the `go-git` project.
:bow:
#### Severity
- CVSS Score: 7.0 / 10 (High)
- Vector String:
`CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N`
#### References
- [https://github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp)
- [https://github.com/advisories/GHSA-389r-gv7p-r3rp](https://redirect.github.com/advisories/GHSA-389r-gv7p-r3rp)
This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-389r-gv7p-r3rp) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
[CVE-2026-45022](https://nvd.nist.gov/vuln/detail/CVE-2026-45022) / [GHSA-389r-gv7p-r3rp](https://redirect.github.com/advisories/GHSA-389r-gv7p-r3rp)
<details>
<summary>More information</summary>
#### Details
##### Impact
`go-git` may parse malformed Git objects in a way that differs from
upstream Git. When `commit` or `tag` objects contain ambiguous or
malformed headers, `go-git`’s decoded representation may expose values
differently from how Git itself would interpret or reject the same
object.
Additionally, `go-git`’s commit signing and verification logic operates
over commit data reconstructed from `go-git`’s parsed representation
rather than the original raw object bytes. As a result, `go-git` may
sign or verify a commit payload that is not byte-for-byte equivalent to
the object stored in the repository.
This can cause a signature to appear valid for a commit whose displayed
or effective metadata differs from the object that was intended to be
signed.
##### Patches
Users should upgrade to a patched version in order to mitigate this
vulnerability. Versions prior to v5 are likely to be affected; users are
recommended to upgrade to a supported `go-git` version.
##### Credit
Thanks to @​bugbunny-research (https://bugbunny.ai/) for reporting
this to `sigstore/gitsign`, and to @​wlynch, @​patzielinski
and @​adityasaky for coordinating the disclosure with the `go-git`
project. 🙇 🥇
Thanks to @​wayphinder for reporting this to the `go-git` project.
:bow:
#### Severity
- CVSS Score: 7.0 / 10 (High)
- Vector String:
`CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N`
#### References
- [https://github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp)
- [https://github.com/go-git/go-git](https://redirect.github.com/go-git/go-git)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-389r-gv7p-r3rp) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Release Notes
<details>
<summary>go-git/go-git (github.com/go-git/go-git/v6)</summary>
### [`v6.0.0-alpha.3`](https://redirect.github.com/go-git/go-git/releases/tag/v6.0.0-alpha.3)
[Compare Source](https://redirect.github.com/go-git/go-git/compare/v6.0.0-alpha.2...v6.0.0-alpha.3)
#### What's Changed
- plumbing: transport, add git-upload-archive support by
[@​aymanbagabas](https://redirect.github.com/aymanbagabas) in
[#​1986](https://redirect.github.com/go-git/go-git/pull/1986)
- utils: sync, Make zlib compression pluggable via x/plugin by
[@​stiak](https://redirect.github.com/stiak) in
[#​2012](https://redirect.github.com/go-git/go-git/pull/2012)
- build: establish DCO sign-off requirement for all contributions by
[@​pjbgf](https://redirect.github.com/pjbgf) in
[#​1914](https://redirect.github.com/go-git/go-git/pull/1914)
- docs: update `CONTRIBUTING.md`, `README.md` and add `HISTORY.md` by
[@​pjbgf](https://redirect.github.com/pjbgf) in
[#​1946](https://redirect.github.com/go-git/go-git/pull/1946)
- storage: filesystem, close packfile iterators after use by
[@​aymanbagabas](https://redirect.github.com/aymanbagabas) in
[#​2027](https://redirect.github.com/go-git/go-git/pull/2027)
- Add .github/copilot-instructions.md with PR review guidelines by
[@​Copilot](https://redirect.github.com/Copilot) in
[#​2040](https://redirect.github.com/go-git/go-git/pull/2040)
- docs: update comment to reflect support for the last 2 stable Go
versions by [@​alexandear](https://redirect.github.com/alexandear)
in [#​2041](https://redirect.github.com/go-git/go-git/pull/2041)
- \*: clone, resolve relative local URLs against CWD in
CloneOptions.Validate by
[@​AriehSchneier](https://redirect.github.com/AriehSchneier) in
[#​1891](https://redirect.github.com/go-git/go-git/pull/1891)
- SHA256: Support submodules in SHA256 repositories by
[@​pjbgf](https://redirect.github.com/pjbgf) in
[#​1979](https://redirect.github.com/go-git/go-git/pull/1979)
- plumbing: ssh, fix concurrent test failures due to cert key generation
by [@​aymanbagabas](https://redirect.github.com/aymanbagabas) in
[#​2043](https://redirect.github.com/go-git/go-git/pull/2043)
- storage: filesystem, dedupe object iteration by
[@​pjbgf](https://redirect.github.com/pjbgf) in
[#​2042](https://redirect.github.com/go-git/go-git/pull/2042)
- build: Update module github.com/go-git/go-git-fixtures/v6 to
v6.0.0-20260422085740-0c07409f52ec (main) by
[@​go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot]
in [#​2045](https://redirect.github.com/go-git/go-git/pull/2045)
- Implement Git-compatible wildmatch for gitignore patterns by
[@​AriehSchneier](https://redirect.github.com/AriehSchneier) in
[#​1940](https://redirect.github.com/go-git/go-git/pull/1940)
- git: worktree, fix treeContainsDirs test to build a new tree for each…
by [@​aymanbagabas](https://redirect.github.com/aymanbagabas) in
[#​2047](https://redirect.github.com/go-git/go-git/pull/2047)
- \_examples: remove deprecated usage of io/ioutil by
[@​alexandear](https://redirect.github.com/alexandear) in
[#​2046](https://redirect.github.com/go-git/go-git/pull/2046)
- plumbing: transport/upload\_pack multi round bugs by
[@​manland](https://redirect.github.com/manland) in
[#​2016](https://redirect.github.com/go-git/go-git/pull/2016)
- plumbing: filemode, fix typo in comment by
[@​shawntoffel](https://redirect.github.com/shawntoffel) in
[#​2003](https://redirect.github.com/go-git/go-git/pull/2003)
- build: Update module github.com/go-git/go-billy/v6 to
v6.0.0-20260424211911-732291493fb8 (main) by
[@​go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot]
in [#​2051](https://redirect.github.com/go-git/go-git/pull/2051)
- plumbing: packp, refactor AdvRefs and capability packages by
[@​aymanbagabas](https://redirect.github.com/aymanbagabas) in
[#​1987](https://redirect.github.com/go-git/go-git/pull/1987)
- worktree: skip ignored directories during Status walk by
[@​Soph](https://redirect.github.com/Soph) in
[#​2048](https://redirect.github.com/go-git/go-git/pull/2048)
- build: Update module github.com/pjbgf/sha1cd to v0.6.0 (main) by
[@​go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot]
in [#​2059](https://redirect.github.com/go-git/go-git/pull/2059)
- internal: servers, add git server implementation by
[@​aymanbagabas](https://redirect.github.com/aymanbagabas) in
[#​2014](https://redirect.github.com/go-git/go-git/pull/2014)
- Remove use of `ChrootOS` by
[@​pjbgf](https://redirect.github.com/pjbgf) in
[#​2061](https://redirect.github.com/go-git/go-git/pull/2061)
- plumbing: transport, Align flush size with upstream git by
[@​pjbgf](https://redirect.github.com/pjbgf) in
[#​2000](https://redirect.github.com/go-git/go-git/pull/2000)
- internal: git, add server timeout test small tolerance by
[@​aymanbagabas](https://redirect.github.com/aymanbagabas) in
[#​2064](https://redirect.github.com/go-git/go-git/pull/2064)
- Align object encoding with upstream by
[@​pjbgf](https://redirect.github.com/pjbgf) in
[#​2066](https://redirect.github.com/go-git/go-git/pull/2066)
#### New Contributors
- [@​Copilot](https://redirect.github.com/Copilot) made their
first contribution in
[#​2040](https://redirect.github.com/go-git/go-git/pull/2040)
- [@​shawntoffel](https://redirect.github.com/shawntoffel) made
their first contribution in
[#​2003](https://redirect.github.com/go-git/go-git/pull/2003)
**Full Changelog**:
<go-git/go-git@v6.0.0-alpha.2...v6.0.0-alpha.3>
</details>
---
### Configuration
📅 **Schedule**: (in timezone Australia/Sydney)
- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job log](https://developer.mend.io/github/google/osv.dev).
1 parent e3657d0 commit daa692b
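The advisory quoted in the commit message above describes two related failure modes: a parser that resolves ambiguous or duplicate commit headers differently from upstream Git, and signing or verifying over a representation re-encoded from the parsed form rather than over the bytes stored in the repository. The Go program below is an added illustration of the defensive pattern a consumer of parsed objects can apply; it is not go-git's code and it does not reproduce the fix that shipped in v6.0.0-alpha.3 (which this page does not detail). It parses a commit object strictly, re-encodes it in Git's canonical header order, and refuses to treat any object as safe for signature work unless re-encoding reproduces the stored bytes exactly. The type and function names (`Commit`, `ParseCommit`, `EncodeCommit`, `CanonicalOrReject`) and the sample objects with placeholder ids and a placeholder signature body are hypothetical and constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Placeholder ids/identity and constructed sample objects: none are real commits and none come from go-git.
const TreeID, ParentID, Ident = "1111111111111111111111111111111111111111", "2222222222222222222222222222222222222222", "Example Dev <dev@example.com> 1700000000 +0000"
var (
	// Canonical layout: tree, parent, author, committer, blank line, message.
	SampleCanonical = "tree " + TreeID + "\nparent " + ParentID + "\nauthor " + Ident + "\ncommitter " + Ident + "\n\nInitial commit\n"
	// Same headers with author before tree: parses fine, but the stored bytes are not canonical.
	SampleReordered = "author " + Ident + "\ntree " + TreeID + "\nparent " + ParentID + "\ncommitter " + Ident + "\n\nInitial commit\n"
	// Two tree headers: ambiguous, so the parser itself refuses it.
	SampleDuplicateTree = "tree " + TreeID + "\ntree " + ParentID + "\nauthor " + Ident + "\ncommitter " + Ident + "\n\nInitial commit\n"
	// Multi-line gpgsig header in Git's space-prefixed continuation syntax (placeholder signature body).
	SampleSigned = "tree " + TreeID + "\nparent " + ParentID + "\nauthor " + Ident + "\ncommitter " + Ident +
		"\ngpgsig -----BEGIN PGP SIGNATURE-----\n \n PLACEHOLDERSIGNATUREBODY\n -----END PGP SIGNATURE-----\n\nSigned commit\n"
)

// Commit is an illustrative decoded representation, not go-git's object.Commit.
type Commit struct {
	Tree, Author, Committer, Message string
	Parents                          []string
	Extra                            [][2]string // remaining headers (encoding, gpgsig, ...) in stored order
}

// ParseCommit decodes raw commit-object bytes, folding continuation lines and rejecting duplicate tree/author/committer headers instead of silently picking one.
func ParseCommit(raw []byte) (*Commit, error) {
	headerEnd := bytes.Index(raw, []byte("\n\n"))
	if headerEnd < 0 {
		return nil, fmt.Errorf("no blank line separating headers from message")
	}
	var headers [][2]string
	for _, line := range strings.Split(string(raw[:headerEnd]), "\n") {
		if strings.HasPrefix(line, " ") && len(headers) > 0 {
			headers[len(headers)-1][1] += "\n" + line[1:] // continuation of the previous header
			continue
		}
		key, val, ok := strings.Cut(line, " ")
		if !ok || key == "" {
			return nil, fmt.Errorf("malformed header line %q", line)
		}
		headers = append(headers, [2]string{key, val})
	}
	c := &Commit{Message: string(raw[headerEnd+2:])}
	single := map[string]*string{"tree": &c.Tree, "author": &c.Author, "committer": &c.Committer}
	for _, h := range headers {
		switch dst := single[h[0]]; {
		case dst != nil && *dst != "":
			return nil, fmt.Errorf("duplicate %s header", h[0])
		case dst != nil:
			*dst = h[1]
		case h[0] == "parent":
			c.Parents = append(c.Parents, h[1])
		default:
			c.Extra = append(c.Extra, h)
		}
	}
	if c.Tree == "" || c.Author == "" || c.Committer == "" {
		return nil, fmt.Errorf("missing tree, author or committer header")
	}
	return c, nil
}

// EncodeCommit re-serialises a Commit in Git's canonical header order, re-folding multi-line values.
func EncodeCommit(c *Commit) []byte {
	hs := [][2]string{{"tree", c.Tree}}
	for _, p := range c.Parents {
		hs = append(hs, [2]string{"parent", p})
	}
	hs = append(hs, [2]string{"author", c.Author}, [2]string{"committer", c.Committer})
	var b bytes.Buffer
	for _, h := range append(hs, c.Extra...) {
		fmt.Fprintf(&b, "%s %s\n", h[0], strings.ReplaceAll(h[1], "\n", "\n "))
	}
	b.WriteString("\n" + c.Message)
	return b.Bytes()
}

// CanonicalOrReject accepts an object only if parse + re-encode reproduces the stored bytes exactly; anything else must not be signed or verified from the decoded form (use the raw bytes, or refuse it).
func CanonicalOrReject(raw []byte) (*Commit, error) {
	c, err := ParseCommit(raw)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(EncodeCommit(c), raw) {
		return nil, fmt.Errorf("non-canonical commit: re-encoding differs from stored bytes")
	}
	return c, nil
}

func main() {
	for name, raw := range map[string]string{"canonical": SampleCanonical, "signed": SampleSigned, "reordered": SampleReordered, "duplicate-tree": SampleDuplicateTree} {
		_, err := CanonicalOrReject([]byte(raw))
		fmt.Printf("%-14s safe-to-verify-from-parsed=%t err=%v\n", name, err == nil, err)
	}
}
```

Run it with `go run` to see how each sample fares. The reordered sample is the instructive case: a header-by-header parser accepts it without complaint, yet the bytes a signature would cover after re-encoding are not the bytes stored in the repository, which is the mismatch the advisory describes. The duplicate-tree sample shows the other class, where the parser must refuse rather than pick a winner, and the signed sample shows that the continuation-line handling is needed for the round-trip check to accept legitimately signed commits at all.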
2 files changed
Lines changed: 11 additions & 11 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
11 | 11 | | |
12 | 12 | | |
13 | 13 | | |
14 | | - | |
| 14 | + | |
15 | 15 | | |
16 | 16 | | |
17 | 17 | | |
| |||
63 | 63 | | |
64 | 64 | | |
65 | 65 | | |
66 | | - | |
| 66 | + | |
67 | 67 | | |
68 | 68 | | |
69 | 69 | | |
| |||
77 | 77 | | |
78 | 78 | | |
79 | 79 | | |
80 | | - | |
| 80 | + | |
81 | 81 | | |
82 | 82 | | |
83 | 83 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
105 | 105 | | |
106 | 106 | | |
107 | 107 | | |
108 | | - | |
109 | | - | |
110 | | - | |
111 | | - | |
112 | | - | |
113 | | - | |
| 108 | + | |
| 109 | + | |
| 110 | + | |
| 111 | + | |
| 112 | + | |
| 113 | + | |
114 | 114 | | |
115 | 115 | | |
116 | 116 | | |
| |||
190 | 190 | | |
191 | 191 | | |
192 | 192 | | |
193 | | - | |
194 | | - | |
| 193 | + | |
| 194 | + | |
195 | 195 | | |
196 | 196 | | |
197 | 197 | | |
| |||
0 commit comments