Skip to content

chore(deps): bump go-git to v5.19.1 on release-2.8 (Snyk vulns)#2454

Closed
c-julin wants to merge 1 commit into
release-2.8from
julin/security-go-git-upgrade-release-2.8
Closed

chore(deps): bump go-git to v5.19.1 on release-2.8 (Snyk vulns)#2454
c-julin wants to merge 1 commit into
release-2.8from
julin/security-go-git-upgrade-release-2.8

Conversation

@c-julin

@c-julin c-julin commented May 19, 2026

Copy link
Copy Markdown
Contributor

Summary

Backport of #2453 to release-2.8.

Resolves 4 open Snyk findings against github.com/go-git/go-git/v5 by bumping it from 5.16.5 -> 5.19.1.

Severity Snyk ID Title
HIGH SNYK-GOLANG-...TRANSPORTHTTP-16109639 Insufficiently Protected Credentials (CVE-2026-41506)
HIGH SNYK-GOLANG-...PLUMBINGOBJECT-16638689 Incorrect Behavior Order: Validate Before Canonicalize
MEDIUM SNYK-GOLANG-...FORMATINDEX-15855246 Improper Validation of Array Index
MEDIUM SNYK-GOLANG-...FORMATINDEX-15855220 Allocation of Resources Without Limits

Indirect bumps pulled in by go-git: go-billy/v5 5.6.2 -> 5.9.0, pjbgf/sha1cd 0.3.2 -> 0.6.0, cyphar/filepath-securejoin 0.4.1 -> 0.6.1, golang.org/x/exp date bump.

Out of scope

github.com/vmihailenco/msgpack/v5@5.4.1 (CVE-2026-2454, MEDIUM) — upstream has no released fix. Same disposition as on master: recommend snyk ignore with rationale + expiry.

Test plan

  • go build ./... clean
  • govulncheck ./... no longer reports go-git findings (remaining hits are github.com/docker/docker in pkg/testutil/, pre-existing and test-only)
  • CI passes

Backport of #2453 to release-2.8.

Upgrades github.com/go-git/go-git/v5 from 5.16.5 -> 5.19.1, resolving:

- SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBINGTRANSPORTHTTP-16109639
  HIGH: Insufficiently Protected Credentials (CVE-2026-41506)
- SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBINGOBJECT-16638689
  HIGH: Incorrect Behavior Order: Validate Before Canonicalize
- SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBINGFORMATINDEX-15855246
  MEDIUM: Improper Validation of Array Index
- SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBINGFORMATINDEX-15855220
  MEDIUM: Allocation of Resources Without Limits or Throttling

Indirect bumps pulled in by go-git: go-billy/v5 5.6.2 -> 5.9.0,
pjbgf/sha1cd 0.3.2 -> 0.6.0, cyphar/filepath-securejoin 0.4.1 -> 0.6.1,
golang.org/x/exp.

The remaining open Snyk finding (vmihailenco/msgpack/v5,
CVE-2026-2454) has no upstream fix available.
@c-julin c-julin closed this May 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant