
fix: bump go-git to v5.19.1 #746

Closed
plural-copilot[bot] wants to merge 1 commit into main from agent/bump-go-git-v5-19-1-1747785600000

fix: bump go-git to v5.19.1#746
plural-copilot[bot] wants to merge 1 commit into
mainfrom
agent/bump-go-git-v5-19-1-1747785600000

Conversation

@plural-copilot (Contributor)

Summary

  • fix the vulnerability surfaced in the console service image by upgrading github.com/go-git/go-git/v5 in plural-cli
  • update the exact package version from v5.19.0 to v5.19.1
  • keep the change minimal to remediate the root cause in the owned binary source

Details

The actionable finding reported that ghcr.io/pluralsh/console contains a vulnerable github.com/go-git/go-git/v5 v5.19.0 inside /usr/local/bin/plural. That binary is built from this repository, so the root-cause fix belongs here in plural-cli.

Exact package/version changes:

  • github.com/go-git/go-git/v5: v5.19.0 -> v5.19.1

Verification

  • confirmed github.com/go-git/go-git/v5 is a direct dependency in go.mod
  • confirmed repository usage under pkg/utils/git/
  • confirmed the final diff only updates go.mod and go.sum
  • environment limitation: Docker API access was denied in the sandbox and no local go binary was installed, so no runtime module resolution test could be executed here

Follow-up

  • console image consumers should rebuild or update to a console image that includes a plural-cli binary built from this fix after merge
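The verification bullets above note that the go.mod check was done by hand because no go binary was available in the sandbox. The following is an added example, not code from this PR or from plural-cli: a standard-library-only Go program that reads a go.mod file, handles both the single-line and block forms of require, honours the "// indirect" marker, and reports whether a module is pinned as a direct dependency at the expected exact version. The embedded go.mod text is constructed for the example (the module path example.com/plural-cli and the github.com/example/... dependencies are placeholders); only the go-git path and the v5.19.1 version come from the PR.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Requirement is one entry from a go.mod require directive.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool // true when the line carries a "// indirect" comment
}

// ParseRequires extracts every require entry from go.mod text. It understands
// the single-line form ("require path v1.2.3") and the block form
// ("require ( ... )"), and ignores module, go, replace and exclude directives.
func ParseRequires(gomod string) []Requirement {
	var reqs []Requirement
	blockKind := "" // name of the directive whose "(" block we are inside, if any
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		// Strip a trailing comment, remembering whether it marks the
		// dependency as transitive ("// indirect").
		indirect := false
		if i := strings.Index(line, "//"); i >= 0 {
			indirect = strings.Contains(line[i:], "indirect")
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		switch {
		case blockKind != "" && line == ")":
			blockKind = ""
			continue
		case blockKind == "" && len(fields) == 2 && fields[1] == "(":
			blockKind = fields[0] // "require", "replace", "exclude", ...
			continue
		}
		if blockKind == "" {
			// Single-line directive: only "require <path> <version>" matters.
			if len(fields) != 3 || fields[0] != "require" {
				continue
			}
			fields = fields[1:]
		} else if blockKind != "require" {
			continue // inside a replace/exclude block
		}
		if len(fields) != 2 {
			continue
		}
		reqs = append(reqs, Requirement{Path: fields[0], Version: fields[1], Indirect: indirect})
	}
	return reqs
}

// DirectVersion returns the version go.mod requires for modPath. It returns an
// error when the module is absent or only present as an indirect dependency,
// which is the distinction the PR's verification step checks.
func DirectVersion(gomod, modPath string) (string, error) {
	for _, r := range ParseRequires(gomod) {
		if r.Path != modPath {
			continue
		}
		if r.Indirect {
			return r.Version, fmt.Errorf("%s is only an indirect dependency", modPath)
		}
		return r.Version, nil
	}
	return "", fmt.Errorf("%s not found in go.mod", modPath)
}

// sampleGoMod is a constructed go.mod modelled on the PR; it is not the
// repository's real file. Paths other than go-git are placeholders.
const sampleGoMod = `module example.com/plural-cli

go 1.22

require github.com/go-git/go-git/v5 v5.19.1

require (
	github.com/example/indirect-only v0.3.0 // indirect
	github.com/example/direct-dep v1.4.2
)

replace (
	github.com/example/old => github.com/example/new v2.0.0
)
`

func main() {
	const want = "v5.19.1"
	got, err := DirectVersion(sampleGoMod, "github.com/go-git/go-git/v5")
	if err != nil {
		fmt.Println("check failed:", err)
		return
	}
	if got != want {
		fmt.Printf("check failed: go.mod pins %s, expected %s\n", got, want)
		return
	}
	fmt.Println("ok: go-git is a direct dependency at", got)
}
```

The version comparison is an exact string match on purpose: the PR's point is that the pinned version is precisely v5.19.1, and the go.sum entries are not checked here.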

@plural-copilot (Contributor, Author) left a comment:


This PR was generated by the codex Plural Agent Runtime. Here's some useful information you might want to know to evaluate the AI's performance:

Name         Details
Prompt       Create the minimum root-cause PR needed in plural-cli to remediate the actionable console-image vulnerability....
Run history  View run history

@socket-security:

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                         Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  github.com/go-git/go-git/v5@v5.19.0 ⏵ v5.19.1   82 (+1)                100 (+3)       100      100          100


@michaeljguarino michaeljguarino deleted the agent/bump-go-git-v5-19-1-1747785600000 branch May 21, 2026 19:44