Commit 63c6546

msukkari and claude authored
chore: bump go-git/v5 to 5.18.0 to address GHSA-3xc5-wrhm-f963 (#11)
Fixes a credential-leak vulnerability in go-git's smart-HTTP transport where authentication credentials could be forwarded to a redirect target on a different host. Patched in v5.18.0, which adds `followRedirects` configuration defaulting to `initial`. Sourcebot clones only trusted code hosts over HTTPS, so practical exposure is low, but bumping removes the advisory.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent da9bf1a commit 63c6546

2 files changed

Lines changed: 3 additions & 3 deletions

go.mod

Lines changed: 1 addition & 1 deletion
@@ -11,7 +11,7 @@ require (
1111
github.com/fsnotify/fsnotify v1.8.0
1212
github.com/gfleury/go-bitbucket-v1 v0.0.0-20240917142304-df385efaac68
1313
github.com/go-enry/go-enry/v2 v2.9.1
14-
github.com/go-git/go-git/v5 v5.17.0
14+
github.com/go-git/go-git/v5 v5.18.0
1515
github.com/gobwas/glob v0.2.3
1616
github.com/google/go-cmp v0.7.0
1717
github.com/google/go-github/v78 v78.0.0
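
Review bot: The go-git/v5 v5.18.0 line relies entirely on the library's new default (`followRedirects` set to `initial`, per the commit message), and nothing in this two-file change pins or tests that behaviour on the Sourcebot side. Please confirm in the PR that no call site overrides the redirect setting, and consider a regression test that clones through a cross-host redirect and asserts the credentials are not sent to the second host, so a later configuration change cannot reintroduce the leak unnoticed.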

go.sum

Lines changed: 2 additions & 2 deletions
@@ -122,8 +122,8 @@ github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDz
122122
github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY=
123123
github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
124124
github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
125-
github.com/go-git/go-git/v5 v5.17.0 h1:AbyI4xf+7DsjINHMu35quAh4wJygKBKBuXVjV/pxesM=
126-
github.com/go-git/go-git/v5 v5.17.0/go.mod h1:f82C4YiLx+Lhi8eHxltLeGC5uBTXSFa6PC5WW9o4SjI=
125+
github.com/go-git/go-git/v5 v5.18.0 h1:O831KI+0PR51hM2kep6T8k+w0/LIAD490gvqMCvL5hM=
126+
github.com/go-git/go-git/v5 v5.18.0/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo=
127127
github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
128128
github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
129129
github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
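
Review bot: The h1: hashes on the two go-git/v5 v5.18.0 lines should be reproduced independently rather than accepted from the diff, because the go command trusts an entry that is already present in go.sum and does not re-check it against the checksum database. Running `go get github.com/go-git/go-git/v5@v5.18.0` on a clean checkout of the parent commit with GOSUMDB left at its default, then diffing the resulting go.sum against this hunk, covers that and also confirms that no other entries were expected to change with the bump.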
