
Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] #2400

Merged
dirien merged 1 commit into master from renovate/minor-5.16-security on Mar 21, 2026

Conversation


@pulumi-renovate pulumi-renovate Bot commented Feb 12, 2026

This PR contains the following updates:

Package Type Update Change
github.com/go-git/go-git/v5 indirect minor v5.13.1 -> v5.16.5

go-git improperly verifies data integrity values for .idx and .pack files

CVE-2026-25934 / GHSA-37cx-329c-33x3 / GO-2026-4473

More information

Details

Impact

A vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found.

For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly.

Note that the lack of verification of the packfile checksum has no impact on the trust relationship between the client and server, which is enforced based on the protocol being used (e.g. TLS in the case of https:// or known hosts for ssh://). In other words, the packfile checksum verification does not provide any security benefits when connecting to a malicious or compromised Git server.

Patches

Users should upgrade to v5.16.5, or the latest v6 pseudo-version, in order to mitigate this vulnerability.

Workarounds

In case updating to a fixed version of go-git is not possible, users can run git fsck from the git cli to check for data corruption on a given repository.

Credit

Thanks @N0zoM1z0 for finding and reporting this issue privately to the go-git project.

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git

CVE-2026-25934 / GHSA-37cx-329c-33x3 / GO-2026-4473

More information

Details

Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.16.5

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.16.4...v5.16.5

v5.16.4

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.16.3...v5.16.4

v5.16.3

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.16.2...v5.16.3

v5.16.2

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.16.1...v5.16.2

v5.16.1

Compare Source

What's Changed

New Contributors

Full Changelog: go-git/go-git@v5.16.0...v5.16.1

v5.16.0

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.15.0...v5.16.0

v5.15.0

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.14.0...v5.15.0

v5.14.0

Compare Source

What's Changed

⚠️ Note that this version requires Go 1.23, due to the bump to golang.org/x/crypto@v0.35.0 which mitigates the CVE above. Users that can't bump to Go 1.23 will need to remain on the previous v5.13.x release.

Full Changelog: go-git/go-git@v5.13.2...v5.14.0

v5.13.2

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.13.1...v5.13.2


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC).

🚦 Automerge: Disabled because a matching PR was automerged previously.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
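The integrity check the advisory's Impact section describes, as an added example that is not go-git's own code: a Git packfile ends with a 20-byte SHA-1 over every byte that precedes it (a v2 idx file ends the same way, after a copy of the pack's checksum), so a reader that recomputes that hash before consuming the file detects the corruption the advisory warns about instead of failing later with "object not found". The function names and the in-memory empty pack are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Pack and idx files end with a 20-byte SHA-1 over every preceding byte.
func verifyTrailer(data []byte) error {
	if len(data) < sha1.Size {
		return errors.New("file shorter than its checksum trailer")
	}
	body, stored := data[:len(data)-sha1.Size], data[len(data)-sha1.Size:]
	sum := sha1.Sum(body)
	if !bytes.Equal(sum[:], stored) {
		return fmt.Errorf("checksum mismatch: stored %x, computed %x", stored, sum[:])
	}
	return nil
}

// verifyPack checks the "PACK" signature and version before the trailer.
func verifyPack(data []byte) error {
	if len(data) < 12 || string(data[:4]) != "PACK" {
		return errors.New("missing PACK signature")
	}
	if v := binary.BigEndian.Uint32(data[4:8]); v != 2 && v != 3 {
		return fmt.Errorf("unsupported pack version %d", v)
	}
	return verifyTrailer(data)
}

// buildEmptyPack constructs (for this example) a valid empty packfile: "PACK", version 2, zero objects, trailer.
func buildEmptyPack() []byte {
	hdr := make([]byte, 12)
	copy(hdr, "PACK")
	binary.BigEndian.PutUint32(hdr[4:], 2)
	binary.BigEndian.PutUint32(hdr[8:], 0)
	sum := sha1.Sum(hdr)
	return append(hdr, sum[:]...)
}

func main() {
	pack := buildEmptyPack()
	fmt.Println("intact:", verifyPack(pack))
	pack[8] ^= 0x01 // flip one bit in the object count
	fmt.Println("corrupted:", verifyPack(pack))
}
```

Pointing verifyTrailer at the bytes of a real .pack or .idx from .git/objects/pack gives the same pass/fail answer that git fsck reports for those files.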

@pulumi-renovate pulumi-renovate Bot added dependencies Pull requests that update a dependency file impact/no-changelog-required This issue doesn't require a CHANGELOG update labels Feb 12, 2026
@pulumi-renovate
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: ovhcloud-go-kubernetes/go.sum
Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: errors parsing go.mod:
go.mod:6:2: require github.com/ovh/pulumi-ovh/sdk: version "v2.1.1" invalid: should be v0 or v1, not v2

@pulumi-renovate pulumi-renovate Bot added the dependencies Pull requests that update a dependency file label Feb 12, 2026
@pulumi-renovate pulumi-renovate Bot force-pushed the renovate/minor-5.16-security branch 2 times, most recently from b7029af to daabeab Compare February 26, 2026 17:17
@pulumi-renovate pulumi-renovate Bot force-pushed the renovate/minor-5.16-security branch 6 times, most recently from 87695eb to c0245b4 Compare March 4, 2026 07:48
@pulumi-renovate pulumi-renovate Bot force-pushed the renovate/minor-5.16-security branch 5 times, most recently from c8af192 to 99d781f Compare March 19, 2026 08:53
@pulumi-renovate pulumi-renovate Bot force-pushed the renovate/minor-5.16-security branch from 99d781f to 786d6c0 Compare March 19, 2026 15:49

@dirien dirien left a comment


Approving: security patch for go-git/v5, small scope.

@dirien dirien enabled auto-merge (squash) March 21, 2026 16:06
@dirien dirien merged commit 3c7246d into master Mar 21, 2026
27 of 28 checks passed
@dirien dirien deleted the renovate/minor-5.16-security branch March 21, 2026 16:41