Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] #2668

Merged
pulumi-renovate[bot] merged 1 commit into master from renovate/minor-5.17-security
Mar 31, 2026
@pulumi-renovate
Contributor

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/go-git/go-git/v5 | indirect | minor | v5.16.5 -> v5.17.1 |

GitHub Vulnerability Alerts

CVE-2026-33762

Impact

go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.

This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue.

An attacker able to supply a crafted .git/index file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition.

Exploitation requires the ability to modify or inject a Git index file within the local repository on disk. This typically implies write access to the .git directory.

Patches

Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability.

Credit

go-git maintainers thank @kq5y for finding and reporting this issue privately to the go-git project.


Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.17.1

What's Changed

Full Changelog: go-git/go-git@v5.17.0...v5.17.1

v5.17.0

What's Changed

Full Changelog: go-git/go-git@v5.16.5...v5.17.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
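The check that the CVE-2026-33762 advisory above describes as missing, as an added Go example that is not code from this PR or from go-git. Git's index format version 4 stores each path as a variable-width integer N followed by a NUL-terminated suffix, and the path is the previous path with N bytes removed from its end plus the suffix; the names `readVarint`, `decodePathV4`, `ErrBadStrip`, `ErrTruncated` and the sample bytes are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

var ErrTruncated = errors.New("index v4: truncated path entry")
var ErrBadStrip = errors.New("index v4: strip length exceeds previous path length")

// readVarint decodes Git's offset-style variable-width integer from the start
// of buf and returns the value and the number of bytes consumed.
func readVarint(buf []byte) (uint64, int, error) {
	var v uint64
	for i, b := range buf {
		if i > 0 {
			v++
		}
		v = v<<7 | uint64(b&0x7f)
		if b&0x80 == 0 {
			return v, i + 1, nil
		}
	}
	return 0, 0, ErrTruncated
}

// decodePathV4 drops strip bytes from the end of prev and appends the
// NUL-terminated suffix that follows the varint in buf.
func decodePathV4(buf []byte, prev string) (string, error) {
	strip, n, err := readVarint(buf)
	if err != nil {
		return "", err
	}
	// Validate before slicing; unchecked, prev[:len(prev)-int(strip)] panics.
	if strip > uint64(len(prev)) {
		return "", ErrBadStrip
	}
	end := bytes.IndexByte(buf[n:], 0)
	if end < 0 {
		return "", ErrTruncated // suffix is not NUL-terminated
	}
	return prev[:len(prev)-int(strip)] + string(buf[n:n+end]), nil
}

func main() {
	// Constructed sample bytes, not taken from a real index file.
	fmt.Println(decodePathV4([]byte{4, 'b', '.', 'g', 'o', 0}, "src/a.go"))
	fmt.Println(decodePathV4([]byte{0x7f, 'x', 0}, "src/a.go"))
}
```

Returning an error here lets the caller reject a malformed index instead of relying on panic recovery.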

@pulumi-renovate pulumi-renovate Bot added the dependencies (Pull requests that update a dependency file) and impact/no-changelog-required (This issue doesn't require a CHANGELOG update) labels Mar 31, 2026
@pulumi-renovate pulumi-renovate Bot enabled auto-merge (squash) March 31, 2026 05:47
@pulumi-renovate
Contributor Author

ℹ Artifact update notice

File name: aws-apigateway-go-routes/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

| Package | Change |
|---|---|
| github.com/go-git/go-billy/v5 | v5.6.2 -> v5.8.0 |

File name: aws-go-ansible-wordpress/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

| Package | Change |
|---|---|
| github.com/go-git/go-billy/v5 | v5.6.2 -> v5.8.0 |

File name: misc/benchmarks/go-many-resources/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

| Package | Change |
|---|---|
| github.com/go-git/go-billy/v5 | v5.6.2 -> v5.8.0 |

File name: misc/test/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

| Package | Change |
|---|---|
| github.com/go-git/go-billy/v5 | v5.6.2 -> v5.8.0 |

File name: stack-readme-go/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

| Package | Change |
|---|---|
| github.com/go-git/go-billy/v5 | v5.6.2 -> v5.8.0 |

File name: testing-integration/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

| Package | Change |
|---|---|
| github.com/go-git/go-billy/v5 | v5.6.2 -> v5.8.0 |

@pulumi-renovate pulumi-renovate Bot merged commit b33b3f3 into master Mar 31, 2026
1 check passed
@pulumi-renovate pulumi-renovate Bot deleted the renovate/minor-5.17-security branch March 31, 2026 05:47