fix(deps): update module github.com/go-git/go-git/v5 to v5.11.0 [security]

[mnaser]

This PR contains the following updates:

Package	Type	Update	Change
github.com/go-git/go-git/v5	require	minor	v5.4.2 -> v5.11.0

GitHub Vulnerability Alerts

CVE-2023-49568

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.
This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

References

• GHSA-mw99-9chc-xw7r

---

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.11.0

Compare Source

What's Changed

• git: validate reference names (#​929) by @​aymanbagabas in https://github.com/go-git/go-git/pull/950
• git: stop iterating at oldest shallow when pulling. Fixes #​305 by @​dhoizner in https://github.com/go-git/go-git/pull/939
• plumbing: object, enable renames in getFileStatsFromFilePatches by @​djmoch in https://github.com/go-git/go-git/pull/941
• storage: filesystem, Add option to set a specific FS for alternates by @​pjbgf in https://github.com/go-git/go-git/pull/953
• Align worktree validation with upstream and remove build warnings by @​pjbgf in https://github.com/go-git/go-git/pull/958

New Contributors

• @​dhoizner made their first contribution in https://github.com/go-git/go-git/pull/939
• @​djmoch made their first contribution in https://github.com/go-git/go-git/pull/941

Full Changelog: go-git/go-git@v5.10.1...v5.11.0

v5.10.1

Compare Source

What's Changed

• Worktree, ignore ModeSocket files by @​steiler in https://github.com/go-git/go-git/pull/930
• git: add tracer package by @​aymanbagabas in https://github.com/go-git/go-git/pull/916
• remote: Flip clause for fast-forward only check by @​adityasaky in https://github.com/go-git/go-git/pull/875
• plumbing: transport/ssh, Fix nil pointer dereference caused when an unreachable proxy server is set. Fixes #​900 by @​anandf in https://github.com/go-git/go-git/pull/901
• plumbing: uppload-server-info, implement upload-server-info by @​aymanbagabas in https://github.com/go-git/go-git/pull/896
• plumbing: optimise memory consumption for filesystem storage by @​pjbgf in https://github.com/go-git/go-git/pull/799
• plumbing: format/packfile, Refactor patch delta by @​pjbgf in https://github.com/go-git/go-git/pull/908
• plumbing: fix empty uploadpack request error by @​aymanbagabas in https://github.com/go-git/go-git/pull/932
• plumbing: transport/git, Improve tests error message by @​pjbgf in https://github.com/go-git/go-git/pull/752
• plumbing: format/pktline, Respect pktline error-line errors by @​aymanbagabas in https://github.com/go-git/go-git/pull/936
• utils: remove ioutil.Pipe and use std library io.Pipe by @​aymanbagabas in https://github.com/go-git/go-git/pull/922
• utils: move trace to utils by @​aymanbagabas in https://github.com/go-git/go-git/pull/931
• cli: separate go module for cli by @​aymanbagabas in https://github.com/go-git/go-git/pull/914
• build: bump github.com/google/go-cmp from 0.5.9 to 0.6.0 by @​dependabot in https://github.com/go-git/go-git/pull/887
• build: bump actions/setup-go from 3 to 4 by @​dependabot in https://github.com/go-git/go-git/pull/891
• build: bump github.com/skeema/knownhosts from 1.2.0 to 1.2.1 by @​dependabot in https://github.com/go-git/go-git/pull/888
• build: bump actions/checkout from 3 to 4 by @​dependabot in https://github.com/go-git/go-git/pull/890
• build: bump golang.org/x/sys from 0.13.0 to 0.14.0 by @​dependabot in https://github.com/go-git/go-git/pull/907
• build: bump golang.org/x/text from 0.13.0 to 0.14.0 by @​dependabot in https://github.com/go-git/go-git/pull/906
• build: bump golang.org/x/crypto from 0.14.0 to 0.15.0 by @​dependabot in https://github.com/go-git/go-git/pull/917
• build: bump golang.org/x/net from 0.17.0 to 0.18.0 by @​dependabot in https://github.com/go-git/go-git/pull/918

New Contributors

• @​anandf made their first contribution in https://github.com/go-git/go-git/pull/901
• @​steiler made their first contribution in https://github.com/go-git/go-git/pull/930

Full Changelog: go-git/go-git@v5.10.0...v5.10.1

v5.10.0

Compare Source

What's Changed

• PlainInitOptions.Bare and allow using InitOptions with PlainInitWithOptions by @​ThinkChaos in https://github.com/go-git/go-git/pull/782
• Worktree, apply ProxyOption on Pull by @​nodivbyzero in https://github.com/go-git/go-git/pull/840
• Repository: add clone --shared feature by @​enverbisevac in https://github.com/go-git/go-git/pull/860
• build: Add github workflow to check commit message format by @​pjbgf in https://github.com/go-git/go-git/pull/867
• Improve handling of remote errors by @​makkes in https://github.com/go-git/go-git/pull/866
• build(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 by @​dependabot in https://github.com/go-git/go-git/pull/873
• plumbing: commitgraph, Add generation v2 support by @​zeripath in https://github.com/go-git/go-git/pull/869
• plumbing: protocol/packp, Add validation for decodeLine by @​pjbgf in https://github.com/go-git/go-git/pull/868
• plumbing: parse the encoding header of the commit object by @​liwenqiu in https://github.com/go-git/go-git/pull/761
• plumbing: commitgraph, allow SHA256 commit-graphs by @​zeripath in https://github.com/go-git/go-git/pull/853
• plumbing: commitgraph, Allow reading commit-graph chains by @​zeripath in https://github.com/go-git/go-git/pull/854
• plumbing/object: Support mergetag in merge commits by @​adityasaky in https://github.com/go-git/go-git/pull/847

New Contributors

• @​nodivbyzero made their first contribution in https://github.com/go-git/go-git/pull/840
• @​adityasaky made their first contribution in https://github.com/go-git/go-git/pull/847
• @​hezhizhen made their first contribution in https://github.com/go-git/go-git/pull/836
• @​0x34d made their first contribution in https://github.com/go-git/go-git/pull/855
• @​liwenqiu made their first contribution in https://github.com/go-git/go-git/pull/761
• @​enverbisevac made their first contribution in https://github.com/go-git/go-git/pull/860
• @​makkes made their first contribution in https://github.com/go-git/go-git/pull/866

Full Changelog: go-git/go-git@v5.9.0...v5.10.0

v5.9.0

Compare Source

What's Changed

• git: worktree: add Amend option to CommitOptions by @​john-cai in https://github.com/go-git/go-git/pull/438
• git: worktree, reset ignored files that are part of the worktree: Fixes #​819 by @​daolis in https://github.com/go-git/go-git/pull/821
• plumbing: Do not swallow http message coming from VCS providers by @​matejrisek in https://github.com/go-git/go-git/pull/835
• plumbing: transport, handle IPv6 while parsing endpoint. Fixes #​740 by @​ninedraft in https://github.com/go-git/go-git/pull/820
• *: update goproxy dependency to fix CVE-2023-37788 vulnerability by @​svghadi in https://github.com/go-git/go-git/pull/832
• *: bump dependencies and Go to 1.19 by @​pjbgf in https://github.com/go-git/go-git/pull/837

New Contributors

• @​svghadi made their first contribution in https://github.com/go-git/go-git/pull/832
• @​daolis made their first contribution in https://github.com/go-git/go-git/pull/821

Full Changelog: go-git/go-git@v5.8.1...v5.9.0

v5.8.1

Compare Source

What's Changed

• *: Bump dependencies by @​pjbgf in https://github.com/go-git/go-git/pull/815

Full Changelog: go-git/go-git@v5.8.0...v5.8.1

v5.8.0

Compare Source

What's Changed

• git: Fix fetching after shallow clone. Fixes #​305 by @​AriehSchneier in https://github.com/go-git/go-git/pull/778
• git: enable fetch with unqualified references by @​AriehSchneier in https://github.com/go-git/go-git/pull/762
• git: don't add to want if exists, shallow and depth 1 by @​AriehSchneier in https://github.com/go-git/go-git/pull/763
• git: Clone HEAD should not force master. Fixes #​363 by @​AriehSchneier in https://github.com/go-git/go-git/pull/758
• git: fix the issue with submodules having the SCP style URL fail due to the wrong URL parsing by @​matejrisek in https://github.com/go-git/go-git/pull/756
• git: add a clone option to allow for shallow cloning of submodules by @​matejrisek in https://github.com/go-git/go-git/pull/765
• worktree: minor speedup for doAddDirectory by @​ThinkChaos in https://github.com/go-git/go-git/pull/702
• _examples: Remove wrong comment by @​pascal-hofmann in https://github.com/go-git/go-git/pull/357
• *: Handle paths starting with tilde by @​ricci2511 in https://github.com/go-git/go-git/pull/808
• *: Handle paths starting with ~Username by @​AriehSchneier in https://github.com/go-git/go-git/pull/809
• storage: filesystem/dotgit, add support for tmp_objdir prefix by @​L11R in https://github.com/go-git/go-git/pull/812
• plumbing: gitignore, replace user dir in path by @​Jleagle in https://github.com/go-git/go-git/pull/772
• plumbing: gitignore, fix incorrect parsing. Fixes #​500 by @​AriehSchneier in https://github.com/go-git/go-git/pull/781
• plumbing: http, Fix empty repos on Git v2.41+ by @​pjbgf in https://github.com/go-git/go-git/pull/802
• plumbing: packp, A request is not empty if it contains shallows. Fixes #​328 by @​AriehSchneier in https://github.com/go-git/go-git/pull/792
• plumbing: blame, Complete rewrite. Fixes #​603 by @​AriehSchneier in https://github.com/go-git/go-git/pull/789
• plumbing: gitignore, Allow gitconfig to contain a gitignore relative to any user home. Fixes #​578 by @​AriehSchneier in https://github.com/go-git/go-git/pull/785

New Contributors

• @​Jleagle made their first contribution in https://github.com/go-git/go-git/pull/772
• @​pascal-hofmann made their first contribution in https://github.com/go-git/go-git/pull/357
• @​ricci2511 made their first contribution in https://github.com/go-git/go-git/pull/808
• @​L11R made their first contribution in https://github.com/go-git/go-git/pull/812

Full Changelog: go-git/go-git@v5.7.0...v5.7.1

v5.7.0

Compare Source

What's Changed

• *: Add support for initializing SHA256 repositories by @​pjbgf in https://github.com/go-git/go-git/pull/707
• git: add mirror clone option by @​aymanbagabas in https://github.com/go-git/go-git/pull/735
• git: Add support to ls-remote with peeled references. Fixes #​749 by @​pjbgf in https://github.com/go-git/go-git/pull/750
• git: fix cloning with branch name by @​AriehSchneier in https://github.com/go-git/go-git/pull/755
• git: Worktree, add check to see if file already checked in. Fixes #​718 by @​cbbm142 in https://github.com/go-git/go-git/pull/719
• git: Worktree, git grep bare repositories by @​aymanbagabas in https://github.com/go-git/go-git/pull/728
• git: Add Depth to SubmoduleUpdateOptions by @​matejrisek in https://github.com/go-git/go-git/pull/754
• git: Testing, Fix tests not cleaning temp folders by @​AriehSchneier in https://github.com/go-git/go-git/pull/769
• git: remote, add support for a configurable timeout. by @​andrewpollock in https://github.com/go-git/go-git/pull/753
• git: Allow Initial Branch to be configurable by @​techknowlogick in https://github.com/go-git/go-git/pull/764
• storage: filesystem/dotgit, Improve load packed-refs by @​fcharlie in https://github.com/go-git/go-git/pull/743
• storage: filesystem, Populate index before use. Fixes #​148 by @​AriehSchneier in https://github.com/go-git/go-git/pull/722
• plumbing: resolve non-external delta references by @​ZauberNerd in https://github.com/go-git/go-git/pull/485
• plumbing/transport: fix regression in scp-like match by @​jotadrilo in https://github.com/go-git/go-git/pull/715
• plumbing/transport: Add support for custom proxy settings by @​aryan9600 in https://github.com/go-git/go-git/pull/744
• *: small fixes across the codebase by @​pjbgf in https://github.com/go-git/go-git/pull/770
• *: bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 by @​dependabot in https://github.com/go-git/go-git/pull/776
• *: bump dependencies by @​pjbgf in https://github.com/go-git/go-git/pull/748
• *: bump Go version to 1.18 on go.mod by @​pjbgf in https://github.com/go-git/go-git/pull/774
• *: add Codeql workflow and bump dependencies by @​pjbgf in https://github.com/go-git/go-git/pull/775
• ci: fix upstream git build for master branch by @​pjbgf in https://github.com/go-git/go-git/pull/739

New Contributors

• @​ZauberNerd made their first contribution in https://github.com/go-git/go-git/pull/485
• @​jotadrilo made their first contribution in https://github.com/go-git/go-git/pull/715
• @​fcharlie made their first contribution in https://github.com/go-git/go-git/pull/743
• @​AriehSchneier made their first contribution in https://github.com/go-git/go-git/pull/755
• @​cbbm142 made their first contribution in https://github.com/go-git/go-git/pull/719
• @​aryan9600 made their first contribution in https://github.com/go-git/go-git/pull/744
• @​matejrisek made their first contribution in https://github.com/go-git/go-git/pull/754
• @​andrewpollock made their first contribution in https://github.com/go-git/go-git/pull/753
• @​techknowlogick made their first contribution in https://github.com/go-git/go-git/pull/764

Full Changelog: go-git/go-git@v5.6.1...v5.7.0

v5.6.1

Compare Source

What's Changed

• plumbing/transport: don't use the firstErrLine when it is empty by @​ThinkChaos in https://github.com/go-git/go-git/pull/682
• plumbing/transport: ssh, unable to pass a custom HostKeyCallback func by @​aymanbagabas in https://github.com/go-git/go-git/pull/655
• storage/filesystem: dotgit: fix a filesystem race in Refs/walkReferencesTree by @​MichaelMure in https://github.com/go-git/go-git/pull/659
• *: bump golang.org/x/net from 0.2.0 to 0.7.0 by @​dependabot in https://github.com/go-git/go-git/pull/684
• *: bump dependencies by @​pjbgf in https://github.com/go-git/go-git/pull/697
• *: fix panic for empty revisions by @​pjbgf in https://github.com/go-git/go-git/pull/696
• ci: bump GitHub actions, enable go test race detection and stop using developer's GPG keys during test execution by @​pjbgf in https://github.com/go-git/go-git/pull/701

Full Changelog: go-git/go-git@v5.6.0...v5.6.1

v5.6.0

Compare Source

What's Changed

• Worktree, check for empty parent dirs during Reset (Fixes #​670) by @​mbohy in https://github.com/go-git/go-git/pull/671
• *: remove need to build with CGO by @​pjbgf in https://github.com/go-git/go-git/pull/688
• plumbing: support SSH/X509 signed tags by @​hiddeco in https://github.com/go-git/go-git/pull/690

Full Changelog: go-git/go-git@v5.5.2...v5.6.0

v5.5.2

Compare Source

What's Changed

• *: update go-billy v5.4.0, removes data races. Fixes #​629 by @​mcuadros in https://github.com/go-git/go-git/pull/653
• Worktree: Add, fix add removed files. Fixes #​223 by @​tfujiwar in https://github.com/go-git/go-git/pull/652

Full Changelog: go-git/go-git@v5.5.1...v5.5.2

v5.5.1

Compare Source

What's Changed

• *: fix error when building with CGO_ENABLED=0 by @​pjbgf in https://github.com/go-git/go-git/pull/625
• plumbing: transport/ssh: fix panic on Windows 10 with paegent as ssh-agent by @​doxsch in https://github.com/go-git/go-git/pull/617
• CommitOptions: AllowEmptyCommits, return an error instead of creating empty commits by @​pjbgf in https://github.com/go-git/go-git/pull/623

Full Changelog: go-git/go-git@v5.5.0...v5.5.1

v5.5.0

Compare Source

What's Changed

• *: add collision resistent SHA1 implementation by @​pjbgf in https://github.com/go-git/go-git/pull/618
• *: replace go-homedir with os.UserHomeDir by @​mvdan in https://github.com/go-git/go-git/pull/535
• Remote: add RemoteURL to {Fetch,Pull,Push}Options by @​noerw in https://github.com/go-git/go-git/pull/375
• Remote: Push, add support to push commits per hashes by @​tjamet in https://github.com/go-git/go-git/pull/325
• Remote: Push, add ForceWithLease Push Option by @​john-cai in https://github.com/go-git/go-git/pull/404
• Remote: PushOptions add push-options by @​S-Bohn in https://github.com/go-git/go-git/pull/399
• Remote: Push, add atomic to push options by @​john-cai in https://github.com/go-git/go-git/pull/406
• Remote: add FollowTags option for pushes by @​john-cai in https://github.com/go-git/go-git/pull/385
• Worktree: use syscall.Timespec.Unix by @​tklauser in https://github.com/go-git/go-git/pull/437
• Worktree: Checkout, simplified sparse checkout by @​john-cai in https://github.com/go-git/go-git/pull/410
• Repository: don't crash accessing invalid pathinfo by @​muesli in https://github.com/go-git/go-git/pull/443
• storage: filesystem, switch from os.SEEK_* to io.Seek* by @​abhinav in https://github.com/go-git/go-git/pull/421
• config: add branch description support by @​ninedraft in https://github.com/go-git/go-git/pull/409
• revision: fix endless looping in revision parser by @​michenriksen in https://github.com/go-git/go-git/pull/475
• pumbling: optimise zlib reader and consolidate sync.Pools by @​pjbgf in https://github.com/go-git/go-git/pull/608
• pumbling: parse optimisations by @​pjbgf in https://github.com/go-git/go-git/pull/602
• plumbing: object, rename calculation uses too much memory by @​jfontan in https://github.com/go-git/go-git/pull/503
• plumbing: protocol/pakp and server, include the contents of GO_GIT_USER_AGENT_EXTRA. Fixes #​529 by @​stewing in https://github.com/go-git/go-git/pull/531
• plumbing: protocol/pakp, avoid duplicate encoding when overriding a Capability value. by @​tylerchr in https://github.com/go-git/go-git/pull/521
• plumbing: protocol/pakp, update agent by @​caarlos0 in https://github.com/go-git/go-git/pull/453
• plumbing: protocol/pakp: Actions should have type Action by @​abhinav in https://github.com/go-git/go-git/pull/420
• plumbing: protocol/pakp: allow unsupported multi_ack capability by @​pjbgf in https://github.com/go-git/go-git/pull/613
• plumbing: transport/ssh, auto-populate HostKeyAlgorithms. Fixes #​411 by @​evanelias in https://github.com/go-git/go-git/pull/548
• pumbling: format/packfile, resolve external reference delta by @​ga-paul-t in https://github.com/go-git/go-git/pull/392
• plumbing: format/packfile, prevent large objects from being read into memory completely by @​zeripath in https://github.com/go-git/go-git/pull/330
• plumbing: format/index, support v3 index by @​john-cai in https://github.com/go-git/go-git/pull/407
• plumbing: format/gitignore, Read .git/info/exclude file too. by @​enisdenjo in https://github.com/go-git/go-git/pull/402
• plumbing: format/gitattributes, Avoid index out of range by @​To1ne in https://github.com/go-git/go-git/pull/598
• plumbing: format/config, Branch name with hash can be cloned. Fixes #​309 by @​dowy in https://github.com/go-git/go-git/pull/354
• go.mod: update github.com/xanzy/ssh-agent to v0.3.1 by @​tklauser in https://github.com/go-git/go-git/pull/403
• go.mod: update dependencies to remove supply chain CVEs by @​pjbgf in https://github.com/go-git/go-git/pull/620
• examples: added "tag find if head is tagged" by @​snebel29 in https://github.com/go-git/go-git/pull/374
• examples: remote fix typo by @​nep-0 in https://github.com/go-git/go-git/pull/408

Full Changelog: go-git/go-git@v5.4.2...v5.5.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.