chore(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.1#3869
chore(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.1#3869dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.18.0 to 5.19.1. - [Release notes](https://github.com/go-git/go-git/releases) - [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md) - [Commits](go-git/go-git@v5.18.0...v5.19.1) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-version: 5.19.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Security review (automation)
Outcome: No medium-or-higher-confidence vulnerabilities are introduced by this change set. The diff is limited to go.mod / go.sum (dependency graph only); no Semaphore application code was added or modified.
Tracing: github.com/go-git/go-git/v5 is used for clone/pull/fetch/list against repository URLs and credentials configured for projects (for example db_lib/GoGitClient.go). That usage is unchanged by this PR; there is no new attacker-controlled sink or missing control attributable to the diff.
Dependency / supply chain: Bumping github.com/go-git/go-git/v5 from 5.18.0 → 5.19.1 aligns with upstream security guidance: GHSA-389r-gv7p-r3rp (High, CVE-2026-45022) lists affected versions as < 5.19.0 and patched 5.19.0+. Staying on 5.18.0 left consumers in the affected range; this bump is a remediation, not a regression. Indirect updates (go-billy, filepath-securejoin, golang.org/x/*, etc.) are routine transitive refreshes with no separate exploit path identified from this diff alone.
Prior automation threads: Cleaned up so this assessment is the active one.
Slack summary (copy/paste)
PR 3869 (go-git 5.18.0 → 5.19.1): Security pass on the diff — dependency-only, no new app-level issues. Net positive: addresses go-git GHSA-389r / CVE-2026-45022 (High; affected < 5.19.0). No open findings from this review.
Sent by Cursor Automation: Find vulnerabilities
Bumps github.com/go-git/go-git/v5 from 5.18.0 to 5.19.1.
Release notes
Sourced from github.com/go-git/go-git/v5's releases.
Commits
3c3be60Merge pull request #2137 from go-git/validate-v53fba897plumbing: format/packfile, cap delta chain depth in parsera97d660Merge pull request #2125 from hiddeco/v5/format-input-boundsaeaa125plumbing: format/objfile, require Header before Read1f38e17plumbing: format/packfile, bound inflate sizef7545a0plumbing: format/idxfile, bound nr by file size170b881Merge pull request #2116 from pjbgf/symlink-v57b6d994Merge pull request #2117 from hiddeco/v5/worktree-fs-mkdirall-root-noopf0709b3git: Stop validating symlink target paths776d00fgit: Allow MkdirAll on worktree-root pathsDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.