Commit 737c50a

fix(deps): upgrade go-git to v5.17.1 to fix CVE (idx file DoS) (#717)
Upgrade github.com/go-git/go-git/v5 from v5.16.5 to v5.17.1 to address a security vulnerability where a maliciously crafted .idx file can cause asymmetric memory consumption, potentially leading to denial-of-service.

Co-authored-by: Michael Guarino <mjg@plural.sh>
1 parent 187c1c5 commit 737c50a

2 files changed

Lines changed: 6 additions & 6 deletions

go.mod

Lines changed: 2 additions & 2 deletions
@@ -29,7 +29,7 @@ require (
2929
github.com/briandowns/spinner v1.23.2
3030
github.com/chartmuseum/helm-push v0.11.1
3131
github.com/fatih/color v1.18.0
32-
github.com/go-git/go-git/v5 v5.16.5
32+
github.com/go-git/go-git/v5 v5.17.1
3333
github.com/gofrs/flock v0.13.0
3434
github.com/google/go-containerregistry v0.20.3
3535
github.com/google/go-github/v45 v45.2.0
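Review bot: the commit message says this bump fixes a CVE but never names the advisory identifier; add the CVE (or GHSA) id to the message and the changelog so downstream consumers can map `github.com/go-git/go-git/v5 v5.17.1` to the vulnerability they are tracking, and confirm the finding is actually cleared by running `govulncheck ./...` against the updated module graph before merging. The version change itself, v5.16.5 to v5.17.1, matches the stated intent.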
@@ -269,7 +269,7 @@ require (
269269
github.com/ghodss/yaml v1.0.0 // indirect
270270
github.com/go-errors/errors v1.5.1 // indirect
271271
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
272-
github.com/go-git/go-billy/v5 v5.7.0 // indirect
272+
github.com/go-git/go-billy/v5 v5.8.0 // indirect
273273
github.com/go-logr/logr v1.4.3 // indirect
274274
github.com/go-openapi/jsonpointer v0.22.4 // indirect
275275
github.com/go-openapi/jsonreference v0.21.4 // indirect
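Review bot: the bump of `github.com/go-git/go-billy/v5` from v5.7.0 to v5.8.0 is not mentioned anywhere in the commit message; note it there (one line is enough) so a reviewer auditing the fix knows the go-billy floor was raised deliberately as part of the go-git upgrade rather than slipping in unnoticed. The entry keeps its `// indirect` marker, which is what `go mod tidy` emits when the version is required only through go-git's own go.mod, so that part looks consistent.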

go.sum

Lines changed: 4 additions & 4 deletions
@@ -342,12 +342,12 @@ github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8b
342342
github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
343343
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
344344
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
345-
github.com/go-git/go-billy/v5 v5.7.0 h1:83lBUJhGWhYp0ngzCMSgllhUSuoHP1iEWYjsPl9nwqM=
346-
github.com/go-git/go-billy/v5 v5.7.0/go.mod h1:/1IUejTKH8xipsAcdfcSAlUlo2J7lkYV8GTKxAT/L3E=
345+
github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDzZG0=
346+
github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY=
347347
github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
348348
github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
349-
github.com/go-git/go-git/v5 v5.16.5 h1:mdkuqblwr57kVfXri5TTH+nMFLNUxIj9Z7F5ykFbw5s=
350-
github.com/go-git/go-git/v5 v5.16.5/go.mod h1:QOMLpNf1qxuSY4StA/ArOdfFR2TrKEjJiye2kel2m+M=
349+
github.com/go-git/go-git/v5 v5.17.1 h1:WnljyxIzSj9BRRUlnmAU35ohDsjRK0EKmL0evDqi5Jk=
350+
github.com/go-git/go-git/v5 v5.17.1/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo=
351351
github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
352352
github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
353353
github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
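Review bot: the v5.16.5 and v5.7.0 checksum lines are removed rather than left beside the new ones, which is what `go mod tidy` produces when no other module still requires those versions, so keep it that way; what should be added is a CI step that resolves the modules with GOSUMDB enabled (the default) and runs `go mod verify`, so the new `h1:` values for go-git v5.17.1 and go-billy v5.8.0 are cross-checked against the Go checksum database rather than trusted as typed in this PR.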
