fix(deps): update module github.com/go-git/go-git/v6 to v6.0.0-alpha.2 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/go-git/go-git/v6	v6.0.0-alpha.1 → v6.0.0-alpha.2

GitHub Vulnerability Alerts

GHSA-3xc5-wrhm-f963

Impact

go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations.

If a remote repository responds to the initial /info/refs request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host.

An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential.

Clients using go-git exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue. The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data.

Patches

Users should upgrade to v5.18.0, or v6.0.0-alpha.2, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

The patched versions add support for configuring followRedirects. In line with upstream behaviour, the default is now initial, while users can opt into FollowRedirects or NoFollowRedirects programmatically.

Credit

Thanks to the 3 separate reports from @​celinke97, @​N0zoM1z0 and @​AyushParkara. Thanks for finding and reporting this issue privately to the go-git project. 🙇

Severity

• CVSS Score: 4.7 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

---

go-git: Credential leak via cross-host redirect in smart HTTP transport

GHSA-3xc5-wrhm-f963

More information

Details

Impact

go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations.

If a remote repository responds to the initial /info/refs request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host.

An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential.

Clients using go-git exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue. The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data.

Patches

Users should upgrade to v5.18.0, or v6.0.0-alpha.2, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

The patched versions add support for configuring followRedirects. In line with upstream behaviour, the default is now initial, while users can opt into FollowRedirects or NoFollowRedirects programmatically.

Credit

Thanks to the 3 separate reports from @​celinke97, @​N0zoM1z0 and @​AyushParkara. Thanks for finding and reporting this issue privately to the go-git project. 🙇

Severity

• CVSS Score: 4.7 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

References

• https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963
• https://github.com/go-git/go-git

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

go-git/go-git (github.com/go-git/go-git/v6)

v6.0.0-alpha.2

Compare Source

🚀 Release Summary

⚠️ v6 Alpha Release

This is an alpha release of go-git v6.

We encourage users to test this version in real-world scenarios and help us validate the new transport layer and features.

👉 Please report any issues, bugs, or unexpected behavior via GitHub issues.

This release brings major improvements across transport, performance, and Git feature support, along with significant internal modernization.

🚀 Highlights

• Major refactor of the plumbing/transport API with a new design, improving extensibility and aligning behaviour more closely with upstream Git.
• Performance improvements in remote operations, including faster send-pack.
• Significant improvements to HTTP transport robustness and protocol correctness.
• File transport: added support for gitfile and improved repository detection logic.

🐛 Bug Fixes

• repository: fix DeleteBranch failing when using full ref names (#​1951)
• worktree: fix Add silently failing for absolute paths (#​1949)
• transport/http: fix multi-round pack negotiation (#​1992)
• transport/http: harden redirect handling to match canonical Git (#​1997)
• transport/http: fix data race in dumb HTTP test server (#​1960)
• transport: avoid emitting duplicate NAK after empty ACKs (#​1989)
• updreq: support multiple shallow records in upload request decoding (#​1952)
• file transport: fix Windows file handle leak (#​1976)
• worktree tests: fix Windows file handle leaks (#​1996)
• transport tests: correct receive-pack usage (#​1988)

✨ Enhancements

• remote: faster send-pack implementation (#​1947)
• object: improved object walk painting (#​1973)
• repository: add gitfile support and improve loader detection (#​1994)
• config: introduce ConfigLoader plugins aligned with upstream Git (#​1924)

🔧 Refactoring

• plumbing/transport: replace transport API with new design (#​1972)
• plumbing/transport: follow-up API refactoring and cleanup (#​1983)

📚 Documentation

• docs: updates and introduction of AI Policy (#​1913)

📋 Full Changelog

What's Changed

• git: repository, fix DeleteBranch failing with full ref name by @​tmchow in #​1951
• build: Update golang (main) by @​go-git-renovate[bot] in #​1931
• git: worktree, fix Add silently failing for absolute paths by @​tmchow in #​1949
• build: Update github.com/go-git/go-git-fixtures/v5 digest to eda62fa (main) by @​go-git-renovate[bot] in #​1834
• fix(updreq): support multiple shallow records in upload request decoding by @​yuzhuo in #​1952
• plumbing: transport/http, Fix data race in dumb HTTP test server by preventing sendfile optimization. by @​MotanOfficial in #​1960
• build: Update go-git (main) by @​go-git-renovate[bot] in #​1969
• Update docs and introduce AI Policy by @​pjbgf in #​1913
• Faster send pack for remote by @​stiak in #​1947
• plumbing: transport, replace transport API with new design by @​aymanbagabas in #​1972
• plumbing/transport API Refactoring by @​pjbgf in #​1983
• plumbing: transport, correct the test to use the correct receive-pack… by @​aymanbagabas in #​1988
• Object walk painting by @​stiak in #​1973
• build: Update golang (main) by @​go-git-renovate[bot] in #​1975
• Fix Windows file handle leak in file transport by @​AriehSchneier in #​1976
• plumbing/transport: don't emit a second NAK after encoding empty ACKs by @​Soph in #​1989
• Fix file handle leaks in worktree tests on Windows by @​AriehSchneier in #​1996
• Add gitfile support and fix loader repository detection by @​AriehSchneier in #​1994
• plumbing: transport/http, fix multi-round pack negotiation by @​stiak in #​1992
• Implement ConfigLoader plugins that aligns with upstream behaviour by @​pjbgf in #​1924
• plumbing: transport/http, harden redirect handling to match canonical git by @​aymanbagabas in #​1997

New Contributors

• @​tmchow made their first contribution in #​1951
• @​MotanOfficial made their first contribution in #​1960
• @​stiak made their first contribution in #​1947

Full Changelog: go-git/go-git@v6.0.0-alpha.1...v6.0.0-alpha.2

---

Configuration

📅 Schedule: (in timezone Australia/Sydney)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[forking-renovate]

ℹ️ Artifact update notice

File name: go/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 5 additional dependencies were updated

Details:

Package	Change
github.com/go-git/go-billy/v6	v6.0.0-20260226131633-45bd0956d66f -> v6.0.0-20260328065524-593ae452e14d
golang.org/x/crypto	v0.49.0 -> v0.50.0
golang.org/x/net	v0.52.0 -> v0.53.0
golang.org/x/sys	v0.42.0 -> v0.43.0
golang.org/x/text	v0.35.0 -> v0.36.0