chore: upgrade go-git to v5.19.1 to address CVE-2026-45570, CVE-2026-45571, GHSA-w5pp-99ch-qj29 #15

Merged
brendan-kellam merged 1 commit into main from cursor/cve/go-git on Jun 9, 2026

@brendan-kellam

Fixes SOU-1168
Fixes SOU-1169
Fixes SOU-1248

Upgrades the direct github.com/go-git/go-git/v5 dependency from v5.19.0 to v5.19.1 (latest), a bugfix release that patches all three open go-git advisories:

  • CVE-2026-45571 — crafted repositories may modify .git directories (path validation)
  • CVE-2026-45570 — improper single-quote escaping in the SSH transport
  • GHSA-w5pp-99ch-qj29 — malformed Git object data may cause DoS (panics / resource exhaustion)

go.mod/go.sum only. go build ./... passes.

🤖 Generated with Claude Code

…45571, GHSA-w5pp-99ch-qj29

go-git is a direct dependency. v5.19.1 is a bugfix release that patches all
three open advisories (path validation / .git manipulation, SSH single-quote
escaping, and malformed-object DoS). go.mod/go.sum only; go build ./... passes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@brendan-kellam brendan-kellam merged commit 3d1f49a into main Jun 9, 2026
14 of 15 checks passed
@brendan-kellam brendan-kellam deleted the cursor/cve/go-git branch June 9, 2026 00:38
brendan-kellam added a commit to sourcebot-dev/sourcebot that referenced this pull request Jun 9, 2026
Advances the vendor/zoekt submodule to sourcebot-dev/zoekt#15, which upgrades
go-git v5.19.0 -> v5.19.1 (CVE-2026-45570, CVE-2026-45571, GHSA-w5pp-99ch-qj29).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
brendan-kellam added a commit to sourcebot-dev/sourcebot that referenced this pull request Jun 9, 2026
) (#1290)

* chore: bump zoekt submodule to upgrade go-git to v5.19.1

Advances the vendor/zoekt submodule to sourcebot-dev/zoekt#15, which upgrades
go-git v5.19.0 -> v5.19.1 (CVE-2026-45570, CVE-2026-45571, GHSA-w5pp-99ch-qj29).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Update CHANGELOG.md

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
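
A check a downstream consumer could run to confirm that a go.mod actually requires the fixed go-git release named in this PR. This is an added example, not code from the PR or from zoekt; the function names and the sample go.mod text are constructed, and it reads only `require` directives (it does not resolve `replace` directives or the final build list).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const goGitModule = "github.com/go-git/go-git/v5" // module path from the PR
var fixedRelease = [3]int{5, 19, 1} // v5.19.1, the fixed release named in the PR

// requiredVersion returns the version a go.mod body requires for module, or "".
func requiredVersion(goMod, module string) string {
	inRequire := false
	for _, line := range strings.Split(goMod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inRequire = true
		case len(f) == 1 && f[0] == ")":
			inRequire = false // also closes replace/exclude blocks
		case len(f) == 3 && f[0] == "require" && f[1] == module:
			return f[2]
		case inRequire && len(f) == 2 && f[0] == module:
			return f[1]
		}
	}
	return ""
}

// isPatched reports whether version is at or above fixedRelease.
func isPatched(version string) bool {
	core, pre, _ := strings.Cut(strings.TrimPrefix(version, "v"), "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return false
	}
	for i, p := range parts {
		if n, err := strconv.Atoi(p); err != nil || n != fixedRelease[i] {
			return err == nil && n > fixedRelease[i]
		}
	}
	return pre == "" // same core plus "-suffix" (pre-release/pseudo-version) sorts lower
}

func main() {
	mod := "require (\n\t" + goGitModule + " v5.19.0 // indirect\n)\n" // constructed sample
	fmt.Println("patched:", isPatched(requiredVersion(mod, goGitModule)))
}
```

A missing requirement returns an empty version, which `isPatched` reports as unpatched, so a CI gate built on it fails closed.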