Skip to content

build(deps): bump the go_modules group across 1 directory with 3 updates#713

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/go_modules-348ade36c7
Closed

build(deps): bump the go_modules group across 1 directory with 3 updates#713
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/go_modules-348ade36c7

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 4, 2026
edited
Loading

Bumps the go_modules group with 3 updates in the / directory: github.com/go-git/go-git/v5, github.com/distribution/distribution/v3 and github.com/moby/spdystream.

Updates github.com/go-git/go-git/v5 from 5.17.1 to 5.18.0

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.18.0

What's Changed

Full Changelog: go-git/go-git@v5.17.2...v5.18.0

v5.17.2

What's Changed

⚠️ This release fixes a bug (go-git/go-git#1942) that blocked some users from upgrading to v5.17.1. Thanks @​pskrbasu for reporting it. 🙇

Full Changelog: go-git/go-git@v5.17.1...v5.17.2

Commits
  • ea3e7ec Merge pull request #2004 from go-git/v5-http-hardening
  • bcd20a9 plumbing: transport/http, Add support for followRedirects policy
  • 45ae193 Merge pull request #1944 from go-git/fix-perms
  • fda4f74 storage: filesystem/dotgit, Skip writing pack files that already exist on disk
  • 2212dc7 Merge pull request #1941 from go-git/renovate/releases/v5.x-go-github.com-go-...
  • ebb2d7d build: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY]
  • See full diff in compare view

Updates github.com/distribution/distribution/v3 from 3.1.0 to 3.1.1

Release notes

Sourced from github.com/distribution/distribution/v3's releases.

v3.1.1

Welcome to the v3.1.1 release of registry!

This is a stable release

Please try out the release binaries and report any issues at https://github.com/distribution/distribution/issues.

Notable Changes

  • Fixes CVE-2026-41888
  • Bounds-check the file basename in PurgeUploads Walk callback
  • Add S3 Express One Zone support to the S3 storage driver (#4858)
  • Fix tag list endpoint in proxy mode (#4846)
  • Clamp oversized n query parameter in proxy mode instead of returning 400 (#4856)

See the full changelog below for the full list of changes.

What's Changed

New Contributors

Full Changelog: distribution/distribution@v3.1.0...v3.1.1

Commits
  • 9a8d98b chore(release): prepare for v3.1.1 release (#4864)
  • d3c0df9 chore(release): prepare for v3.1.1 release
  • e09ff10 Merge commit from fork
  • 8baf3e0 fix: prevent tag deletion when storage.delete.enabled is false
  • f3af4de fix(storage): bounds-check the file basename in PurgeUploads Walk callback (#...
  • 72c88bc fix(storage): bounds-check the file basename in PurgeUploads Walk callback
  • 1b5e226 feat(s3): add express zone one support to S3 driver (#4858)
  • afd2bf0 fix(proxy): clamp oversized n query param instead of returning 400 (#4856)
  • 835c1c5 feat(s3): add express zone one support to S3 driver
  • 0f3e627 build(deps): bump docker/bake-action from 7.0.0 to 7.1.0 (#4853)
  • Additional commits viewable in compare view

Updates github.com/moby/spdystream from 0.5.0 to 0.5.1

Release notes

Sourced from github.com/moby/spdystream's releases.

v0.5.1

What's Changed

Security

Fix memory amplification in SPDY frame parsing leads to denial of service (CVE-2026-35469 / GHSA-pc3f-x583-g7j2)

Changes

Full Changelog: moby/spdystream@v0.5.0...v0.5.1

Commits
  • c59e5d7 Merge pull request #109 from thaJeztah/use_ioutil
  • 2fd0155 use ioutil.Discard for go1.13 compatibility
  • ef6121f Merge commit from fork
  • 241cec9 compare with signed Int for 32-bit Arm
  • 21c3864 Add options to customize limits
  • acf9b45 spdy: update godoc for MaxDataLength
  • eb63605 spdy: limit header-size and header-count
  • 2f21da4 spdy: fix header block byte accounting
  • 5976b66 spdy: enforce 24-bit frame length limits
  • cf0ec5d Guard against oversized SPDY frames
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump the go_modules group across 1 directory with 3 updates
7fa125a 
Bumps the go_modules group with 3 updates in the / directory: [github.com/go-git/go-git/v5](https://github.com/go-git/go-git), [github.com/distribution/distribution/v3](https://github.com/distribution/distribution) and [github.com/moby/spdystream](https://github.com/moby/spdystream).


Updates `github.com/go-git/go-git/v5` from 5.17.1 to 5.18.0
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](go-git/go-git@v5.17.1...v5.18.0)

Updates `github.com/distribution/distribution/v3` from 3.1.0 to 3.1.1
- [Release notes](https://github.com/distribution/distribution/releases)
- [Commits](distribution/distribution@v3.1.0...v3.1.1)

Updates `github.com/moby/spdystream` from 0.5.0 to 0.5.1
- [Release notes](https://github.com/moby/spdystream/releases)
- [Commits](moby/spdystream@v0.5.0...v0.5.1)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.18.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/distribution/distribution/v3
  dependency-version: 3.1.1
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/moby/spdystream
  dependency-version: 0.5.1
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels May 4, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 5, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this May 5, 2026
@dependabot dependabot Bot deleted the dependabot/go_modules/go_modules-348ade36c7 branch May 5, 2026 14:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants