[Autofix] Bump go-git/v5 to v5.19.0 in cli/go-git to clear critical CVEs#15
Closed
vardior9 wants to merge 1 commit into
✅ Fixed
OSS · View in Apiiro
Summary:
Bumped the direct dependency `github.com/go-git/go-git/v5` in `cli/go-git/go.mod` from v5.12.0 to v5.19.0, and regenerated `cli/go-git/go.sum` via `go mod tidy`.

What Changed:
In `cli/go-git/go.mod`, the required version of `github.com/go-git/go-git/v5` was raised from `v5.12.0` to `v5.19.0`, the latest released version. `go mod tidy` was then run inside `cli/go-git/`, which regenerated `cli/go-git/go.sum`, refreshed the indirect dependency block to match v5.19.0's transitive graph (winio, ProtonMail/go-crypto, cloudflare/circl, filepath-securejoin, go-billy, golang/groupcache, pjbgf/sha1cd, skeema/knownhosts, golang.org/x/crypto, golang.org/x/net, golang.org/x/sys, plus new transitive `klauspost/cpuid/v2`), and bumped the `go` directive to the version required by v5.19.0's module graph. `go build ./...` and `go vet ./...` both pass cleanly afterward.

Why This Fix:
The overlay flagged a direct-dependency vulnerability and listed a pseudo-version fix (`v5.18.1-0.20260420130857-e5bbc088b774`) that is not actually published in the Go module proxy. Querying `go list -m -versions github.com/go-git/go-git/v5` showed v5.19.0 as the highest available released tag; it postdates the fix commit referenced by the pseudo-version, so picking the highest available stable release is the safest no-regression strategy. A smaller bump (e.g. v5.13.x) would leave more historical CVEs unfixed; v5.19.0 is the smallest stable bump that clears them all. No `replace` override was needed since the dependency is declared directly.

Files Changed:
- `cli/go-git/go.mod`
- `cli/go-git/go.sum`

Reviewer Notes:
`go mod tidy` raised the `go` directive in `cli/go-git/go.mod` from `1.20` to `1.25.0` because v5.19.0's module graph now requires it; confirm your build/CI toolchain offers Go 1.25 (the toolchain auto-downloaded it during tidy, but a hermetic CI may need a Go version bump).
`golang.org/x/{mod,tools}` dropped; new `klauspost/cpuid/v2` added) — this is the normal v5.19.0 transitive graph, bu…

Potential Impact:
This is a single direct dependency major-line bump from v5.12.0 to v5.19.0 in the CLI sub-module only; the parent `github.com/go-git/go-git/v5` module is untouched. v5.x is the same major line, so APIs used by `cli/go-git` (which compiles cleanly against v5.19.0) should be source-compatible. Main blast radius is the implicit Go toolchain bump to 1.25 for the CLI build.

About Apiiro Autofix
This PR was automatically generated by Apiiro Autofix. Review all changes carefully before merging and run your test suite to verify no regressions.
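The two checks a reviewer of a bump like this actually wants to run are whether the required version of the flagged module is at or above the advisory's fix version (which may be an unpublished pseudo-version, as here) and whether the `go` directive that `go mod tidy` raised is satisfied by the CI toolchain. The following is an added example, not code from this PR or from the go-git project: a stand-alone Go program that parses a go.mod, orders module versions so that a pseudo-version such as `v5.18.1-0.20260420130857-e5bbc088b774` sorts below `v5.18.1` (and therefore below `v5.19.0`), and answers both questions. The go.mod text is constructed for the example; the cobra and x/sys entries in it are hypothetical and only exercise the parser.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is constructed for this example; it is not the real cli/go-git/go.mod.
// The cobra and x/sys lines are hypothetical and only exercise the block-form parser.
const sampleGoMod = `module github.com/go-git/go-git/v5/cli/go-git

go 1.25.0

require (
	github.com/go-git/go-git/v5 v5.19.0
	github.com/spf13/cobra v1.8.0
	golang.org/x/sys v0.15.0 // indirect
)
`

// requiredVersion returns the version goMod requires for modulePath, or "" if
// absent. Handles "require path vX" and the block form; trailing comments
// such as "// indirect" are ignored.
func requiredVersion(goMod, modulePath string) string {
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//")
		line = strings.TrimSpace(line)
		if line == "require (" {
			inBlock = true
			continue
		}
		if line == ")" {
			inBlock = false
			continue
		}
		f := strings.Fields(line)
		if inBlock && len(f) == 2 && f[0] == modulePath {
			return f[1]
		}
		if !inBlock && len(f) == 3 && f[0] == "require" && f[1] == modulePath {
			return f[2]
		}
	}
	return ""
}

// goDirective returns the value of the "go X.Y[.Z]" directive, or "".
func goDirective(goMod string) string {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 2 && f[0] == "go" {
			return f[1]
		}
	}
	return ""
}

// splitVersion parses "vX.Y.Z[-prerelease][+build]" (leading "v" optional) into
// its numeric core and prerelease. A Go pseudo-version like
// v5.18.1-0.20260420130857-e5bbc088b774 has core 5.18.1 and a non-empty prerelease.
func splitVersion(v string) ([3]int, string) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop build metadata
	num, pre, _ := strings.Cut(v, "-")
	var core [3]int
	for i, p := range strings.Split(num, ".") {
		if i < 3 {
			core[i], _ = strconv.Atoi(p)
		}
	}
	return core, pre
}

// compareVersions returns -1, 0 or 1 as a is below, equal to or above b. The
// numeric core decides first; with equal cores, a version carrying a prerelease
// (every pseudo-version does) sorts below the plain release. Prereleases are
// compared lexically, a simplification of full semver ordering.
func compareVersions(a, b string) int {
	ca, pa := splitVersion(a)
	cb, pb := splitVersion(b)
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			if ca[i] < cb[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "":
		return 1
	case pb == "":
		return -1
	}
	return strings.Compare(pa, pb)
}

// ClearsFix reports whether goMod requires modulePath at or above fixedVersion,
// the check an advisory's "fixed in" version implies for a direct dependency.
func ClearsFix(goMod, modulePath, fixedVersion string) bool {
	v := requiredVersion(goMod, modulePath)
	return v != "" && compareVersions(v, fixedVersion) >= 0
}

// ToolchainAtLeast reports whether the go directive is satisfied by a toolchain
// of at least minVersion (e.g. "go 1.25.0" against a CI image offering Go 1.25).
func ToolchainAtLeast(goMod, minVersion string) bool {
	d := goDirective(goMod)
	return d != "" && compareVersions(d, minVersion) >= 0
}

func main() {
	const mod, pseudoFix = "github.com/go-git/go-git/v5", "v5.18.1-0.20260420130857-e5bbc088b774"
	fmt.Println("required:", requiredVersion(sampleGoMod, mod), "clears fix:", ClearsFix(sampleGoMod, mod, pseudoFix))
	fmt.Println("go directive:", goDirective(sampleGoMod), "ok for Go 1.25:", ToolchainAtLeast(sampleGoMod, "1.25"))
}
```

The ordering is the part worth internalising: a pseudo-version is a prerelease of the *next* patch after its base commit, so `v5.18.1-0.<timestamp>-<hash>` is below `v5.18.1`, and any released tag at or above `v5.18.1` satisfies that fix, which is why `v5.19.0` clears it without a `replace`.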