Bump github.com/go-git/go-git/v5 from 5.16.5 to 5.17.1#748

Merged: mbevc1 merged 1 commit into main from dependabot/go_modules/github.com/go-git/go-git/v5-5.17.1 on Mar 31, 2026

Conversation

@dependabot dependabot bot commented on behalf of github Mar 31, 2026

Bumps github.com/go-git/go-git/v5 from 5.16.5 to 5.17.1.

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.17.1

What's Changed

Full Changelog: go-git/go-git@v5.17.0...v5.17.1

v5.17.0

What's Changed

Full Changelog: go-git/go-git@v5.16.5...v5.17.0

Commits
  • 5e23dfd Merge pull request #1937 from pjbgf/idx-v5
  • 6b38a32 Merge pull request #1935 from pjbgf/index-v5
  • cd757fc plumbing: format/idxfile, Fix version and fanout checks
  • 3ec0d70 plumbing: format/index, Fix tree extension invalidated entry parsing
  • dbe10b6 plumbing: format/index, Align V2/V3 long name and V4 prefix encoding with Git
  • e9b65df plumbing: format/index, Improve v4 entry name validation
  • adad18d Merge pull request #1930 from go-git/renovate/releases/v5.x-go-github.com-clo...
  • 29470bd build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY]
  • bdf0688 Merge pull request #1864 from pjbgf/v5-issue-55
  • 5290e52 storage: filesystem, Avoid overwriting loose obj files. Fixes #55
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.16.5 to 5.17.1.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.16.5...v5.17.1)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.17.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the labels dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) on Mar 31, 2026
claude bot commented Mar 31, 2026

Claude finished @dependabot[bot]'s task in 52s
Dependency Upgrade Review: go-git/go-git/v5 5.16.5 → 5.17.1

  • Review changed files (go.mod, go.sum)
  • Identify how go-git is used in the codebase
  • Assess breaking changes and risks
  • Post final review

Changes

| Dependency | Old | New | Type |
|---|---|---|---|
| github.com/go-git/go-git/v5 | 5.16.5 | 5.17.1 | minor + patch |
| github.com/go-git/go-billy/v5 | 5.6.2 | 5.8.0 | transitive bump |

Release Highlights (v5.17.0 → v5.17.1)

  • Security: Updates github.com/cloudflare/circl to v1.6.3 (security fix)
  • Bug fixes: Improved v4 index entry name validation, fixed idxfile version/fanout checks
  • Performance: Optimized infiles function for large repos, improved Status() speed via index.ModTime check
  • Safety: Avoids overwriting loose object files, added strict checks for supported extensions

Usage in This Codebase

go-git is used in 3 production locations and 3 test files:

| File | APIs Used |
|---|---|
| internal/gitview/gitView.go | PlainOpenWithOptions, ResolveRevision, CommitObject, Log, Remote, Head — core read-only git operations |
| internal/testHelpers/testHelpers.go | Clone, Init, filesystem.NewStorage, osfs.New, cache.NewObjectLRUDefault — test repo setup |
| cmd/kosli/pipelineCommand_test.go | PlainOpen — test helper |
| cmd/kosli/attestJira_test.go | billy, git — test helper |
| internal/gitview/gitView_test.go | Init, osfs, filesystem, cache — test repo setup |

Risk Assessment: Low

  1. No breaking API changes: This is a minor version bump (5.16 → 5.17). The release notes show no removed or changed public APIs. All APIs used by this codebase (PlainOpenWithOptions, PlainOpen, Clone, Init, Log, ResolveRevision, CommitObject, Remote, Head) remain unchanged.

  2. go-billy v5.6.2 → v5.8.0: Also a minor bump. This repo uses osfs.New() and the billy.Filesystem interface — both stable APIs with no breaking changes in this range.

  3. Read-only usage: The production code (gitView.go) only reads from git repos — it doesn't write objects, manipulate indexes, or use worktree write operations. The stricter index validation and loose object protections in v5.17.x won't affect read-only consumers.

  4. Security improvement: The circl security update and stricter input validation are net positives with no compatibility risk.

Recommendation

Safe to merge. This is a straightforward minor version bump with security fixes and no breaking changes affecting this codebase's usage patterns. CI should confirm everything passes.

@mbevc1 mbevc1 merged commit aadaf9c into main Mar 31, 2026
13 of 14 checks passed
@mbevc1 mbevc1 deleted the dependabot/go_modules/github.com/go-git/go-git/v5-5.17.1 branch March 31, 2026 11:16

Labels: dependencies (Pull requests that update a dependency file), go (Pull requests that update go code), security
