From cd22a5a28167cccacaa17ce24340bc845c129f88 Mon Sep 17 00:00:00 2001
From: Michael Guarino
Date: Fri, 22 May 2026 15:59:04 +0000
Subject: [PATCH] fix: upgrade go-git to v5.19.1 to fix security vulnerability

Security scanners identified a path validation vulnerability in go-git v5.19.0 that could allow crafted repositories to modify files outside the intended checkout target, including the repository's .git directory.

This commit upgrades github.com/go-git/go-git/v5 from v5.19.0 to v5.19.1 which includes fixes for the vulnerability.

Changes:
- Upgrade go-git dependency from v5.19.0 to v5.19.1 in go.mod
- Update go.sum with new dependency checksums
- Update test.Dockerfile Go version from 1.25.7 to 1.26.3 for compatibility

Verification:
- Docker build completed successfully with new dependency
- All 173 tests passed with no regressions

Fixes: ghcr.io/pluralsh/console:sha-63e85b1 vulnerability
---
 go.mod | 2 +-
 go.sum | 4 ++--
 test.Dockerfile | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index fdca168a..90f42dae 100644
--- a/go.mod
+++ b/go.mod
@@ -29,7 +29,7 @@ require (
 github.com/briandowns/spinner v1.23.2
 github.com/chartmuseum/helm-push v0.11.1
 github.com/fatih/color v1.18.0
- github.com/go-git/go-git/v5 v5.19.0
+ github.com/go-git/go-git/v5 v5.19.1
 github.com/gofrs/flock v0.13.0
 github.com/google/go-containerregistry v0.20.3
 github.com/google/go-github/v45 v45.2.0
diff --git a/go.sum b/go.sum
index b119b37b..35bc5570 100644
--- a/go.sum
+++ b/go.sum
@@ -346,8 +346,8 @@ github.com/go-git/go-billy/v5 v5.9.0 h1:jItGXszUDRtR/AlferWPTMN4j38BQ88XnXKbilmm
 github.com/go-git/go-billy/v5 v5.9.0/go.mod h1:jCnQMLj9eUgGU7+ludSTYoZL/GGmii14RxKFj7ROgHw=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.19.0 h1:+WkVUQZSy/F1Gb13udrMKjIM2PrzsNfDKFSfo5tkMtc=
-github.com/go-git/go-git/v5 v5.19.0/go.mod h1:Pb1v0c7/g8aGQJwx9Us09W85yGoyvSwuhEGMH7zjDKQ=
+github.com/go-git/go-git/v5 v5.19.1 h1:nX27AnaU43/K5bKktKwgBmR9lawoYVe1Ckg0rgzzN00=
+github.com/go-git/go-git/v5 v5.19.1/go.mod h1:Pb1v0c7/g8aGQJwx9Us09W85yGoyvSwuhEGMH7zjDKQ=
 github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
 github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
 github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
diff --git a/test.Dockerfile b/test.Dockerfile
index 09b04840..723e0783 100644
--- a/test.Dockerfile
+++ b/test.Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.25.7-bookworm
+FROM golang:1.26.3-bookworm
 RUN apt-get update && apt-get install -y --no-install-recommends \
 ca-certificates \