fix(deps): update module github.com/go-git/go-git/v5 to v5.13.0 [security] #553

renovate · 2025-01-06T16:47:27Z

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/go-git/go-git/v5	`v5.11.0` -> `v5.13.0`

GitHub Vulnerability Alerts

CVE-2025-21613

Impact

An argument injection vulnerability was discovered in go-git versions prior to v5.13.

Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.

Affected versions

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.

Credit

Thanks to @vin01 for responsibly disclosing this vulnerability to us.

CVE-2025-21614

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

`v5.13.0`

Compare Source

What's Changed

build: bump github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0 in /cli/go-git by @dependabot in #1065
build: bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #1068
build: bump golang.org/x/net from 0.23.0 to 0.24.0 by @dependabot in #1071
Properly support skipping of non-mandatory extensions by @codablock in #1066
git: Refine some codes in test and non-test. by @onee-only in #1077
plumbing: protocol/packp, client-side filter capability support by @edigaryev in #1000
build: bump golang.org/x/net from 0.22.0 to 0.23.0 in /cli/go-git by @dependabot in #1078
plumbing: fix sideband demux on flush by @aymanbagabas in #1084
storage: dotgit, head reference usually comes first by @aymanbagabas in #1085
build: bump golang.org/x/text from 0.14.0 to 0.15.0 by @dependabot in #1091
build: bump golang.org/x/crypto from 0.22.0 to 0.23.0 by @dependabot in #1094
build: bump golang.org/x/net from 0.24.0 to 0.25.0 by @dependabot in #1093
git: Added an example for Repository.Branches by @johnmatthiggins in #1088
git: worktree_commit, Modify checking empty commit. Fixes #723 by @onee-only in #1050
plumbing: transport/http, Wrap http errors to return reason. Fixes #1097 by @ggambetti in #1100
build: bump golang.org/x/sys from 0.20.0 to 0.21.0 by @dependabot in #1106
build: bump golang.org/x/text from 0.15.0 to 0.16.0 by @dependabot in #1107
Bumps Go versions and go-billy by @pjbgf in #1056
_examples: Fixed a dead link COMPATIBILITY.md by @gecko655 in #1109
build: bump github.com/jessevdk/go-flags from 1.5.0 to 1.6.1 in /cli/go-git by @dependabot in #1115
build: bump github.com/elazarl/goproxy from v0.0.0-20230808193330-2592e75ae04a to v0.0.0-20240618083138-03be62527ccb by @hbelmiro in #1124
build: bump golang.org/x/net from 0.25.0 to 0.26.0 by @dependabot in #1104
Add option approximating git clean -x flag. by @msuozzo in #995
Revert "Add option approximating git clean -x flag." by @pjbgf in #1129
Fix reference updated concurrently error for the filesystem storer by @Javier-varez in #1116
build: bump golang.org/x/net from 0.26.0 to 0.27.0 by @dependabot in #1134
utils: merkletrie, Align error message with upstream by @pjbgf in #1142
plumbing: transport/file, Change paths to absolute by @pjbgf in #1141
plumbing: gitignore, Fix loading of ignored .gitignore files. by @Achilleshiel in #1114
build: bump github.com/skeema/knownhosts from 1.2.2 to 1.3.0 by @dependabot in #1147
plumbing: transport/ssh, Add support for SSH @cert-authority. by @Javier-varez in #1157
build: run example tests during CI workflow by @crazybolillo in #1030
storage: filesystem, Fix object cache not working due to uninitialised objects being put into cache by @SatelliteMind in #1138
git: Fix fetching missing commits by @AriehSchneier in #1032
plumbing: format/packfile, remove duplicate checks in findMatch() by @edigaryev in #1152
git: worktree, Fix file reported as Untracked while it is committed by @rodrigocam in #1023
build: bump golang.org/x/sys from 0.22.0 to 0.23.0 by @dependabot in #1160
plumbing: filemode, Remove check for setting size of .git/index file by @nicholasSUSE in #1159
build: bump golang.org/x/net from 0.27.0 to 0.28.0 by @dependabot in #1163
Fix some lint warning and increase stalebot to 180 days by @pjbgf in #1128
adjust path extracted from file: url on Windows by @tomqwpl in #416
build: bump golang.org/x/sys from 0.23.0 to 0.24.0 by @dependabot in #1164
Add RestoreStaged to Worktree that mimics the behaviour of git restore --staged ... by @ben-tbotlabs in #493
plumbing: signature, support the same x509 signature formats as git by @yoavamit in #1169
fix: allow discovery of non bare repos in fsLoader by @jakobmoellerdev in #1170
build: bump golang.org/x/sys from 0.24.0 to 0.25.0 by @dependabot in #1178
build: bump golang.org/x/text from 0.17.0 to 0.18.0 by @dependabot in #1179
build: bump golang.org/x/net from 0.28.0 to 0.29.0 by @dependabot in #1184
Consume push URLs when they are provided by @mcepl in #1191
*: use gocheck's MkDir instead of TempDir for tests. Fixes #807 by @uragirii in #1194
build: bump golang.org/x/net from 0.29.0 to 0.30.0 by @dependabot in #1200
worktree: .git/index not correctly generated when running on Windows by @BeChris in #1198
git: worktree, Fix sparse reset. Fixes #90 by @onee-only in #1101
git: worktree, Pass context on updateSubmodules. Fixes #1098 by @onee-only in #1154
build: bump github.com/go-git/go-billy/v5 from 5.5.1-0.20240427054813-8453aa90c6ec to 5.6.0 by @dependabot in #1211
Update contributing guidelines by @pjbgf in #1217
build: bump github.com/ProtonMail/go-crypto from 1.0.0 to 1.1.1 by @dependabot in #1222
build: bump golang.org/x/sys from 0.26.0 to 0.27.0 by @dependabot in #1223
build: bump golang.org/x/crypto from 0.28.0 to 0.29.0 by @dependabot in #1221
build: bump github.com/ProtonMail/go-crypto from 1.1.1 to 1.1.2 by @dependabot in #1226
build: bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @dependabot in #1232
build: bump github.com/ProtonMail/go-crypto from 1.1.2 to 1.1.3 by @dependabot in #1231
build: General improvements around fuzzing by @pjbgf in #1229
build: bump golang.org/x/net from 0.30.0 to 0.32.0 by @dependabot in #1241
build: group dependabot updates for golang.org by @AriehSchneier in #1243
build: bump github/codeql-action from 2.22.11 to 3.27.6 by @dependabot in #1244
build: bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /cli/go-git by @dependabot in #1246
build: bump golang.org/x/crypto from 0.30.0 to 0.31.0 by @dependabot in #1247
build: bump github.com/gliderlabs/ssh from 0.3.7 to 0.3.8 by @dependabot in #1248
add comment preventing people from creating invalid trees by @petar in #732
build: bump github/codeql-action from 3.27.6 to 3.27.9 by @dependabot in #1250
plumbing: Properly encode index version 4 by @BeChris in #1251
Fix typos by @deining in #1148
Fix reset files in subfolders by @linglo in #1177
git: update switch cases by @hezhizhen in #1182
build: bump golang.org/x/net from 0.32.0 to 0.33.0 in the golang-org group by @dependabot in #1256
fix(1212): Fix invalid reference name error while cloning branches containing /- by @varmakarthik12 in #1257
pktline : accept upercase hexadecimal value as pktline length information by @BeChris in #1220
build: bump github/codeql-action from 3.27.9 to 3.28.0 by @dependabot in #1260
build: bump github.com/elazarl/goproxy from 0.0.0-20240618083138-03be62527ccb to 1.2.1 by @dependabot in #1262
git: worktree_commit, sanitize author and commiter name and email before creating the commit object. Fixes #680 by @BeChris in #1261

New Contributors

@johnmatthiggins made their first contribution in #1088
@ggambetti made their first contribution in #1100
@gecko655 made their first contribution in #1109
@hbelmiro made their first contribution in #1124
@msuozzo made their first contribution in #995
@Javier-varez made their first contribution in #1116
@Achilleshiel made their first contribution in #1114
@crazybolillo made their first contribution in #1030
@SatelliteMind made their first contribution in #1138
@rodrigocam made their first contribution in #1023
@nicholasSUSE made their first contribution in #1159
@tomqwpl made their first contribution in #416
@ben-tbotlabs made their first contribution in #493
@yoavamit made their first contribution in #1169
@uragirii made their first contribution in #1194
@petar made their first contribution in #732
@deining made their first contribution in #1148
@linglo made their first contribution in #1177
@varmakarthik12 made their first contribution in #1257

Full Changelog: go-git/go-git@v5.12.0...v5.13.0

`v5.12.0`

Compare Source

What's Changed

git: Worktree.AddWithOptions: add skipStatus option when providing a specific path by @moranCohen26 in #994
git: Signer: fix usage of crypto.Signer interface by @wlynch in #1029
git: Remote, fetch, adds the prune option. by @juliens in #366
git: Add crypto.Signer option to CommitOptions. by @wlynch in #996
git: Worktree checkout tag hash id (#959) by @aymanbagabas in #966
git: Worktree, Don't panic on empty or root path when checking if it is valid by @tim775 in #1042
git: Add commit validation for Reset by @pjbgf in #1048
git: worktree_commit, Fix amend commit to apply changes. Fixes #1024 by @onee-only in #1045
git: Implement Merge function with initial FastForwardMerge support by @pjbgf in #1044
plumbing: object, Make first commit visible on logs filtered with filename. Fixes #191 by @onee-only in #1036
plumbing: no panic in printStats function. Fixes #177 by @nodivbyzero in #971
plumbing: object, Optimize logging with file. by @onee-only in #1046
plumbing: object, check legitimacy in (*Tree).Encode by @niukuo in #967
plumbing: format/gitattributes, close file in ReadAttributesFile by @prskr in #1018
plumbing: check setAuth error. Fixes #185 by @nodivbyzero in #969
plumbing: object, fix variable defaultUtf8CommitMessageEncoding name spell error by @Jerry-yz in #987
utils: merkletrie, calculate filesystem node's hash lazily. by @candid82 in #825
utils: update comment in node.go's Hash() by @codablock in #992
_example: fix 404 link and added ssh-agent clone link by @grinish21 in #1022
_example: checkout-branch example by @dlambda in #446
_example: example for git clone using ssh-agent by @pjbgf in #998

New Contributors

@candid82 made their first contribution in #825
@codablock made their first contribution in #992
@Jerry-yz made their first contribution in #987
@wlynch made their first contribution in #996
@moranCohen26 made their first contribution in #994
@grinish21 made their first contribution in #1022
@prskr made their first contribution in #1018
@dlambda made their first contribution in #446
@juliens made their first contribution in #366
@onee-only made their first contribution in #1036
@tim775 made their first contribution in #1042
@niukuo made their first contribution in #967
@avoidalone made their first contribution in #1047

Full Changelog: go-git/go-git@v5.11.0...v5.12.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate · 2025-01-06T16:47:28Z

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

14 additional dependencies were updated
The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.19` -> `1.21`
`github.com/stretchr/testify`	`v1.9.0` -> `v1.10.0`
`github.com/ProtonMail/go-crypto`	`v0.0.0-20230828082145-3c4c8a2d2371` -> `v1.1.3`
`github.com/cloudflare/circl`	`v1.3.3` -> `v1.3.7`
`github.com/cyphar/filepath-securejoin`	`v0.2.4` -> `v0.2.5`
`github.com/go-git/go-billy/v5`	`v5.5.0` -> `v5.6.0`
`github.com/sergi/go-diff`	`v1.1.0` -> `v1.3.2-0.20230802210424-5b0b94c5c0d3`
`github.com/skeema/knownhosts`	`v1.2.1` -> `v1.3.0`
`golang.org/x/crypto`	`v0.16.0` -> `v0.31.0`
`golang.org/x/exp`	`v0.0.0-20230905200255-921286631fa9` -> `v0.0.0-20240719175910-8a7402abbf56`
`golang.org/x/mod`	`v0.12.0` -> `v0.19.0`
`golang.org/x/net`	`v0.19.0` -> `v0.33.0`
`golang.org/x/sys`	`v0.15.0` -> `v0.28.0`
`golang.org/x/text`	`v0.14.0` -> `v0.21.0`
`golang.org/x/tools`	`v0.13.0` -> `v0.23.0`

vercel · 2025-01-06T16:47:29Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
commitsar	Error			Oct 9, 2025 10:15am

socket-security · 2025-04-08T11:56:04Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	github.com/go-git/go-git/v5@v5.11.0 ⏵ v5.13.0		⁺⁷⁵
	github.com/stretchr/testify@v1.9.0 ⏵ v1.10.0	⁺¹

View full report

…rity]

vercel bot deployed to Preview January 6, 2025 16:47 View deployment

renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from afd989f to a155540 Compare February 19, 2025 15:06

vercel bot deployed to Preview February 19, 2025 15:06 View deployment

renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from a155540 to c239989 Compare March 11, 2025 11:53

vercel bot deployed to Preview March 11, 2025 11:53 View deployment

renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from c239989 to 788d0bf Compare April 8, 2025 11:55

vercel bot deployed to Preview April 8, 2025 11:55 View deployment

renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from 788d0bf to 40fdc39 Compare May 7, 2025 11:23

vercel bot deployed to Preview May 7, 2025 11:23 View deployment

renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from 40fdc39 to ac9e945 Compare August 10, 2025 12:31

vercel bot deployed to Preview August 10, 2025 12:32 View deployment

fix(deps): update module github.com/go-git/go-git/v5 to v5.13.0 [secu…

fe12385

…rity]

renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from ac9e945 to fe12385 Compare October 9, 2025 10:15

vercel bot had a problem deploying to Preview October 9, 2025 10:15 Failure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

fix(deps): update module github.com/go-git/go-git/v5 to v5.13.0 [security] #553

fix(deps): update module github.com/go-git/go-git/v5 to v5.13.0 [security] #553

Uh oh!

renovate bot commented Jan 6, 2025 •

edited

Loading

Uh oh!

renovate bot commented Jan 6, 2025 •

edited

Loading

Uh oh!

vercel bot commented Jan 6, 2025 •

edited

Loading

Uh oh!

socket-security bot commented Apr 8, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

fix(deps): update module github.com/go-git/go-git/v5 to v5.13.0 [security] #553

Are you sure you want to change the base?

fix(deps): update module github.com/go-git/go-git/v5 to v5.13.0 [security] #553

Uh oh!

Conversation

renovate bot commented Jan 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

CVE-2025-21613

Impact

Affected versions

Workarounds

Credit

CVE-2025-21614

Impact

Patches

Workarounds

Credit

Release Notes

v5.13.0

What's Changed

New Contributors

v5.12.0

What's Changed

New Contributors

Configuration

Uh oh!

renovate bot commented Jan 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

ℹ Artifact update notice

File name: go.mod

Uh oh!

vercel bot commented Jan 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security bot commented Apr 8, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovate bot commented Jan 6, 2025 •

edited

Loading

`v5.13.0`

`v5.12.0`

renovate bot commented Jan 6, 2025 •

edited

Loading

vercel bot commented Jan 6, 2025 •

edited

Loading

socket-security bot commented Apr 8, 2025 •

edited

Loading