fix(deps): bump go-git to v5.19.1 #747

Closed
plural-copilot[bot] wants to merge 1 commit into main from agent/bump-go-git-1747803600000

@plural-copilot
Contributor

Summary

  • upgrade github.com/go-git/go-git/v5 from v5.19.0 to v5.19.1
  • remove stale go.sum entries for the vulnerable v5.19.0 release
  • keep the change scoped to the dependency metadata used by the CLI image build

Why

Security scanners reported the go-git path validation vulnerability in ghcr.io/pluralsh/console:sha-57eff70. This repository directly depends on go-git in its git utility package, so bumping to the patched v5.19.1 release addresses the reported issue with the smallest possible code change.

Verification

  • reviewed README.md, Makefile, Dockerfile, test.Dockerfile, and docker compose files for compile/test paths
  • attempted local validation, but the sandbox did not have go installed and Docker daemon access was denied, so build/test execution could not be completed in this environment
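
The two claims in the summary (go.mod pinned at v5.19.1, no v5.19.0 entries left in go.sum) can be checked from the files alone, without a Go toolchain or Docker. This is an added example, not code from the PR or the repository; the function names, the module path `example.test/cli` and the sample files are constructed, and the hashes are placeholders.

```shell
#!/bin/sh
# count_pins FILE MODULE VERSION
# Prints how many lines of FILE pin MODULE at exactly VERSION. Fields are
# compared as whole strings, so v5.19.1 does not match v5.19.10 and the dots
# are not regex wildcards. In go.sum the version may carry a /go.mod suffix.
count_pins() {
    awk -v m="$2" -v v="$3" '
        { for (i = 1; i < NF; i++)
              if ($i == m && ($(i+1) == v || $(i+1) == (v "/go.mod"))) { n++; break } }
        END { print n + 0 }' "$1"
}

# check_bump DIR MODULE OLD NEW
# Succeeds only if go.mod requires NEW, go.sum holds both hash lines for NEW
# (module zip and go.mod), and neither file still references OLD.
check_bump() {
    dir=$1; mod=$2; old=$3; new=$4; rc=0
    [ "$(count_pins "$dir/go.mod" "$mod" "$new")" -eq 1 ] ||
        { echo "go.mod: $mod is not pinned at $new"; rc=1; }
    [ "$(count_pins "$dir/go.sum" "$mod" "$new")" -eq 2 ] ||
        { echo "go.sum: expected 2 hash lines for $mod $new"; rc=1; }
    for f in go.mod go.sum; do
        [ "$(count_pins "$dir/$f" "$mod" "$old")" -eq 0 ] ||
            { echo "$f: stale reference to $mod $old"; rc=1; }
    done
    return $rc
}

# Constructed sample tree: go.mod at the given version, go.sum with one
# leftover v5.19.0 line. Hash values are placeholders, not real sums.
write_sample() {   # write_sample DIR GOMOD_VERSION
    printf 'module example.test/cli\n\ngo 1.22\n\nrequire (\n\tgithub.com/go-git/go-git/v5 %s\n)\n' "$2" > "$1/go.mod"
    cat > "$1/go.sum" <<EOF
github.com/go-git/go-git/v5 v5.19.0/go.mod h1:PLACEHOLDER=
github.com/go-git/go-git/v5 v5.19.1 h1:PLACEHOLDER=
github.com/go-git/go-git/v5 v5.19.1/go.mod h1:PLACEHOLDER=
EOF
}

tmp=$(mktemp -d) && write_sample "$tmp" v5.19.1
check_bump "$tmp" github.com/go-git/go-git/v5 v5.19.0 v5.19.1 || echo "bump incomplete"
rm -rf "$tmp"
```

A text check like this only confirms the dependency metadata; it does not replace building the image and rescanning it.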

Contributor Author

@plural-copilot plural-copilot Bot left a comment

This PR was generated by the codex Plural Agent Runtime. Here's some useful information you might want to know to evaluate the AI's performance:

| Name | Details |
| --- | --- |
| 💬 Prompt | Security scanners have found the following vulnerability in our cluster:... |
| 🔗 Run history | View run history |

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Updated | github.com/go-git/go-git/v5@v5.19.0 ⏵ v5.19.1 | 82 +1 | 100 +3 | 100 | 100 | 100 |


@michaeljguarino michaeljguarino deleted the agent/bump-go-git-1747803600000 branch May 21, 2026 19:58