Skip to content

Update module github.com/go-git/go-git/v5 to v5.18.0 [SECURITY] (release-v0.8)#3253

Open
renovate[bot] wants to merge 1 commit intorelease-v0.8from
renovate/release-v0.8-go-github.com-go-git-go-git-v5-vulnerability
Open

Update module github.com/go-git/go-git/v5 to v5.18.0 [SECURITY] (release-v0.8)#3253
renovate[bot] wants to merge 1 commit intorelease-v0.8from
renovate/release-v0.8-go-github.com-go-git-go-git-v5-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Apr 18, 2026

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/go-git/go-git/v5 v5.17.1v5.18.0 age adoption passing confidence

GitHub Vulnerability Alerts

GHSA-3xc5-wrhm-f963

Impact

go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations.

If a remote repository responds to the initial /info/refs request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host.

An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential.

Clients using go-git exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue. The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data.

Patches

Users should upgrade to v5.18.0, or v6.0.0-alpha.2, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

The patched versions add support for configuring followRedirects. In line with upstream behaviour, the default is now initial, while users can opt into FollowRedirects or NoFollowRedirects programmatically.

Credit

Thanks to the 3 separate reports from @​celinke97, @​N0zoM1z0 and @​AyushParkara. Thanks for finding and reporting this issue privately to the go-git project. 🙇

Severity
  • CVSS Score: 4.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.18.0

Compare Source

What's Changed

  • plumbing: transport/http, Add support for followRedirects policy by @​pjbgf in #​2004

Full Changelog: go-git/go-git@v5.17.2...v5.18.0

v5.17.2

Compare Source

What's Changed

⚠️ This release fixes a bug (#​1942) that blocked some users from upgrading to v5.17.1. Thanks @​pskrbasu for reporting it. 🙇

Full Changelog: go-git/go-git@v5.17.1...v5.17.2

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Copy Markdown
Contributor Author

renovate bot commented Apr 18, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: acceptance/go.sum
Command failed: go mod tidy
go: downloading k8s.io/apiserver v0.35.2
go: downloading k8s.io/component-base v0.35.2
go: finding module for package knative.dev/pkg/metrics
go: downloading knative.dev/pkg v0.0.0-20260417155523-2b1e89838597
go: finding module for package knative.dev/pkg/tracing/config
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/metrics: module knative.dev/pkg@latest found (v0.0.0-20260417155523-2b1e89838597), but does not contain package knative.dev/pkg/metrics
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/tracing/config: module knative.dev/pkg@latest found (v0.0.0-20260417155523-2b1e89838597), but does not contain package knative.dev/pkg/tracing/config

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

release-v0.8 renovate size: XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants