Skip to content

Update go-git to v5.18.0 to remediate GHSA-3xc5-wrhm-f963#735

Merged
michaeljguarino merged 1 commit into
mainfrom
agent/update-go-git-ghsa-3xc5-wrhm-f963-1777936289501
May 5, 2026
Merged

Update go-git to v5.18.0 to remediate GHSA-3xc5-wrhm-f963#735
michaeljguarino merged 1 commit into
mainfrom
agent/update-go-git-ghsa-3xc5-wrhm-f963-1777936289501

Conversation

@plural-copilot

@plural-copilot plural-copilot Bot commented May 4, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR updates github.com/go-git/go-git/v5 from v5.17.1 to v5.18.0 to address security advisory GHSA-3xc5-wrhm-f963 affecting the console image (ghcr.io/pluralsh/console:sha-a836274).

Vulnerability Details

  • Advisory: GHSA-3xc5-wrhm-f963
  • Affected Component: github.com/go-git/go-git/v5
  • Current Version: v5.17.1
  • Fixed Version: v5.18.0
  • Scope: Security vulnerability in go-git library

Changes Made

  • Updated go.mod to require github.com/go-git/go-git/v5 v5.18.0
  • Ran go mod tidy to update go.sum with new checksums
  • Verified build compilation succeeds with the updated dependency

Validation Performed

✅ Build: Successfully compiled CLI binary with v5.18.0
✅ Dependencies: All module dependencies resolved correctly
✅ Impact: Minimal - patch version update with no breaking changes

Impact Assessment

  • Risk Level: Low (patch version update)
  • Breaking Changes: None expected
  • Usage: go-git is used in pkg/utils/git/* for basic repository operations
  • Testing: Build verified, no test files exist for the affected package

Next Steps

After merging this PR, the console image will need to be rebuilt to include the updated plural binary with the remediated dependency.

@michaeljguarino
Update go-git to v5.18.0 to remediate GHSA-3xc5-wrhm-f963
5662e8c 
Bumped github.com/go-git/go-git/v5 from v5.17.1 to v5.18.0 to address
security advisory GHSA-3xc5-wrhm-f963 affecting the console image.

Changes:
- go.mod: Updated go-git dependency to v5.18.0
- go.sum: Updated checksums for new version

Verified: Build and basic validation passed
plural-copilot[bot]
plural-copilot Bot commented May 4, 2026
View reviewed changes

@plural-copilot plural-copilot Bot left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR was generated by the claude Plural Agent Runtime. Here's some useful information you might want to know to evaluate the ai's perfomance:

Name Details
💬 Prompt Create a PR in pluralsh/plural-cli to remediate the in-scope vulnerability reported via the console image....
🔗 Run history View run history

@socket-security

socket-security Bot commented May 4, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedgithub.com/​go-git/​go-git/​v5@​v5.17.1 ⏵ v5.18.082 +1100 +2100100100

View full report

@michaeljguarino michaeljguarino added the bug-fix This pull request fixes a bug label May 5, 2026
@michaeljguarino michaeljguarino merged commit f5678ec into main May 5, 2026
13 of 15 checks passed
@michaeljguarino michaeljguarino deleted the agent/update-go-git-ghsa-3xc5-wrhm-f963-1777936289501 branch May 5, 2026 01:36
This was referenced May 5, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michaeljguarino michaeljguarino michaeljguarino approved these changes

@zreigz zreigz Awaiting requested review from zreigz zreigz is a code owner

@floreks floreks Awaiting requested review from floreks floreks is a code owner

@maciaszczykm maciaszczykm Awaiting requested review from maciaszczykm maciaszczykm is a code owner

Assignees

No one assigned

Labels

bug-fix This pull request fixes a bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@michaeljguarino