chore(deps): bump github.com/go-git/go-git/v5 from 5.17.1 to 5.18.0 in /pro (#3790)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.17.1 to 5.18.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.17.1...v5.18.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.18.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Security Review Summary
go-git v5.18.0 — The primary dependency bump is healthy. It includes fixes for CVE-2026-33762, CVE-2026-34165, and CVE-2026-25934, which all affected earlier go-git versions.
1 finding (Medium): The transitive golang.org/x/net bump introduces a known vulnerability. See inline comment for details.
Sent by Cursor Automation: Find vulnerabilities
| golang.org/x/crypto v0.48.0 // indirect | ||
| golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect | ||
| golang.org/x/net v0.49.0 // indirect | ||
| golang.org/x/net v0.50.0 // indirect |
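Review bot: the added line `golang.org/x/net v0.50.0 // indirect` pins exactly the release the inline comment identifies as affected by CVE-2026-27141 (GO-2026-4559), while the removed line `golang.org/x/net v0.49.0 // indirect` was not affected, so this hunk is a net regression for the dependency tree. Rather than fixing it in a follow-up, add a direct `require golang.org/x/net v0.51.0` to this PR (or run `go get golang.org/x/net@v0.51.0 && go mod tidy` on the branch) so the merged go.mod never carries the affected version. The `golang.org/x/crypto v0.48.0` and `golang.org/x/exp` lines appear here without their previous versions, so the PR description's single `dependency-type: indirect` entry does not document those transitive bumps either.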
Severity: Medium — Known CVE introduced in transitive dependency
golang.org/x/net is bumped from v0.49.0 (not affected) to v0.50.0, which is the only version affected by CVE-2026-27141 (GO-2026-4559).
A missing nil-check in the golang.org/x/net/http2 frame parser allows an attacker to send crafted HTTP/2 frames (0x0a–0x0f) that cause a running server to panic, leading to denial-of-service. The fix shipped in v0.51.0.
Because the previous version (v0.49.0) was not vulnerable, merging this PR actively introduces a known vulnerability into the dependency tree.
Recommendation: After merging, immediately follow up by bumping golang.org/x/net to v0.51.0 or later (e.g., via go get golang.org/x/net@v0.51.0 && go mod tidy), or request Dependabot regenerate the PR against the patched version. Alternatively, pin golang.org/x/net to >= v0.51.0 in go.mod before merging.
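A small merge gate for the failure mode this comment describes, added here as an example and not part of the PR or of either project's code: it reads go.mod text, finds the golang.org/x/net requirement, and reports whether the pinned version falls in the affected range [v0.50.0, v0.51.0) given above. The affected and fixed versions come from the comment; the packed-integer version key, the `CheckGoMod` name and the `example.com/app` go.mod fragment in `main` are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Affected range for CVE-2026-27141 as given in the review comment above:
// v0.50.0 is the affected release and v0.51.0 carries the fix.
const vulnModule, firstBad, firstFixed = "golang.org/x/net", "v0.50.0", "v0.51.0"

// parseSemver maps "vX.Y.Z[-suffix]" to an ordered int64 key (20 bits per component).
func parseSemver(v string) (key int64, ok bool) {
	core := strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		core = core[:i] // drop pseudo-version, pre-release and build suffixes
	}
	parts := strings.Split(core, ".")
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n >= 1<<20 {
			return 0, false
		}
		key = key<<20 | int64(n)
	}
	return key, len(parts) == 3
}

// CheckGoMod scans go.mod text ("require m v" one-liners or a "require ( ... )"
// block) and returns the pinned x/net version plus whether it lies in
// [firstBad, firstFixed). An unparseable version counts as affected (fail closed).
func CheckGoMod(gomod string) (version string, affected bool) {
	lo, _ := parseSemver(firstBad)
	hi, _ := parseSemver(firstFixed)
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 || f[0] != vulnModule {
			continue
		}
		k, ok := parseSemver(f[1])
		return f[1], !ok || (k >= lo && k < hi)
	}
	return "", false // module not required at all
}

func main() { // constructed go.mod fragment mirroring the bump in this PR
	ver, bad := CheckGoMod("module example.com/app\n\nrequire (\n\tgolang.org/x/net v0.50.0 // indirect\n)\n")
	fmt.Printf("%s %s affected by CVE-2026-27141: %v\n", vulnModule, ver, bad)
}
```

Run it in CI against the PR's go.mod so a transitive bump into the affected release fails the build instead of needing a follow-up PR.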


Commits
- ea3e7ec Merge pull request #2004 from go-git/v5-http-hardening
- bcd20a9 plumbing: transport/http, Add support for followRedirects policy
- 45ae193 Merge pull request #1944 from go-git/fix-perms
- fda4f74 storage: filesystem/dotgit, Skip writing pack files that already exist on disk
- 2212dc7 Merge pull request #1941 from go-git/renovate/releases/v5.x-go-github.com-go-...
- ebb2d7d build: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY]