Skip to content

chore(deps): bump the go-dependencies group with 5 updates#865

Merged
mbevc1 merged 1 commit into
mainfrom
dependabot/go_modules/go-dependencies-568150f33b
May 7, 2026
Merged

chore(deps): bump the go-dependencies group with 5 updates#865
mbevc1 merged 1 commit into
mainfrom
dependabot/go_modules/go-dependencies-568150f33b

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 7, 2026

Bumps the go-dependencies group with 5 updates:

Package From To
github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager 0.1.20 0.1.21
github.com/aws/aws-sdk-go-v2/service/s3 1.100.1 1.101.0
github.com/go-git/go-billy/v5 5.8.0 5.9.0
github.com/go-git/go-git/v5 5.18.0 5.19.0
google.golang.org/api 0.277.0 0.278.0

Updates github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager from 0.1.20 to 0.1.21

Commits

Updates github.com/aws/aws-sdk-go-v2/service/s3 from 1.100.1 to 1.101.0

Commits

Updates github.com/go-git/go-billy/v5 from 5.8.0 to 5.9.0

Release notes

Sourced from github.com/go-git/go-billy/v5's releases.

v5.9.0

What's Changed

Full Changelog: go-git/go-billy@v5.8.0...v5.9.0

Commits
  • 237e529 Merge pull request #206 from pjbgf/v5-improvements
  • 04edb39 build: Add go-git integration test
  • d8efefd osfs: preserve empty ChrootOS base
  • 07f2a0b Merge pull request #205 from pjbgf/v5-improvements
  • 25207c8 build: Bump Go versions in workflows
  • 2fda229 osfs: ChrootOS eval baseDir on creation
  • 427b27f Merge pull request #203 from pjbgf/v5-improvements
  • 7d5a23e chroot: Reject symlink loops
  • 2c2287a util: avoid following symlinks in RemoveAll fallback
  • cbd88e9 Fix mount path handling
  • Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.19.0

What's Changed

Full Changelog: go-git/go-git@v5.18.0...v5.19.0

Commits
  • bc930f4 Merge pull request #2065 from go-git/commit-v5
  • d315264 plumbing: object, Reset object before decode
  • 6e1d348 plumbing: object, Align Tree handling with upstream
  • e134ba3 tests: Skip double checks in Git v2.11
  • 1971422 tests: Add git conformance tests for signing verification
  • a387aa8 plumbing: object, Add ErrMalformedTag
  • f415670 plumbing: object, Decode Tag headers via a state machine
  • 5b0cd38 plumbing: object, Reject multi-signature commits at Verify
  • fe8ed62 plumbing: object, Align Tag.EncodeWithoutSignature with Commit
  • 98e337d plumbing: object, Add support for Tag.SignatureSHA256
  • Additional commits viewable in compare view

Updates google.golang.org/api from 0.277.0 to 0.278.0

Release notes

Sourced from google.golang.org/api's releases.

v0.278.0

0.278.0 (2026-05-05)

Features

Changelog

Sourced from google.golang.org/api's changelog.

0.278.0 (2026-05-05)

Features

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps): bump the go-dependencies group with 5 updates
aa6d739 
Bumps the go-dependencies group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager](https://github.com/aws/aws-sdk-go-v2) | `0.1.20` | `0.1.21` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.100.1` | `1.101.0` |
| [github.com/go-git/go-billy/v5](https://github.com/go-git/go-billy) | `5.8.0` | `5.9.0` |
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `5.18.0` | `5.19.0` |
| [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.277.0` | `0.278.0` |


Updates `github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager` from 0.1.20 to 0.1.21
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@feature/s3/transfermanager/v0.1.20...feature/s3/transfermanager/v0.1.21)

Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.100.1 to 1.101.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/s3/v1.100.1...service/s3/v1.101.0)

Updates `github.com/go-git/go-billy/v5` from 5.8.0 to 5.9.0
- [Release notes](https://github.com/go-git/go-billy/releases)
- [Commits](go-git/go-billy@v5.8.0...v5.9.0)

Updates `github.com/go-git/go-git/v5` from 5.18.0 to 5.19.0
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](go-git/go-git@v5.18.0...v5.19.0)

Updates `google.golang.org/api` from 0.277.0 to 0.278.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.277.0...v0.278.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager
  dependency-version: 0.1.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-dependencies
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-version: 1.101.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
- dependency-name: github.com/go-git/go-billy/v5
  dependency-version: 5.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
- dependency-name: google.golang.org/api
  dependency-version: 0.278.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels May 7, 2026
@claude
Copy link
Copy Markdown
Contributor

claude Bot commented May 7, 2026
edited
Loading

Claude finished @dependabot[bot]'s task in 1m 20s —— View job

Dependency Upgrade Review

  • Identify changed dependencies
  • Review go.mod/go.sum changes
  • Search for usage of each dependency in the codebase
  • Assess breaking change risk
  • Post final review

5 direct dependency bumps — all minor/patch, no breaking changes detected.

1. aws-sdk-go-v2/feature/s3/transfermanager 0.1.20 → 0.1.21 (patch, 0.x)

  • Usage: internal/aws/aws.gotransfermanager.New(), transfermanager.Client, transfermanager.DownloadObjectInput, DownloadObject()
  • Risk: Low. Patch bump; commits are auto-generated client regenerations. The APIs used (New, DownloadObject, DownloadObjectInput) are stable interfaces in this package. Being 0.x means no formal stability guarantee, but no API changes in this release.

2. aws-sdk-go-v2/service/s3 1.100.1 → 1.101.0 (minor)

  • Usage: internal/aws/aws.gos3.Client, s3.NewFromConfig(), s3.ListObjectsV2Input, s3.NewListObjectsV2Paginator()
  • Risk: Low. Minor bump with regenerated clients and endpoint model updates. No removals or breaking changes; the S3 APIs used here are core and stable.

3. go-git/go-billy/v5 5.8.0 → 5.9.0 (minor)

  • Usage: internal/gitview/gitView_test.go, internal/testHelpers/testHelpers.goosfs.New()
  • Risk: Low. This release deprecates ChrootOS in favor of BoundOS and adds symlink loop rejection. This repo only uses osfs.New() (6 call sites), which is not deprecated or changed. No action needed.
  • Notable: also includes a security improvement (rejecting symlink loops in chroot, avoiding symlink-following in RemoveAll fallback) — positive hardening.

4. go-git/go-git/v5 5.18.0 → 5.19.0 (minor)

  • Usage: internal/gitview/gitView.goPlainOpenWithOptions, PlainOpenOptions{EnableDotGitCommonDir}, ResolveRevision, CommitObject, Log, Remote; tests use PlainOpen, PlainClone, PlainInit
  • Risk: Low. Changes are: bumping sha1cd and go-billy, aligning object encoding with upstream git (tag/commit decode/encode). The APIs used by this repo (PlainOpen*, ResolveRevision, CommitObject, Log, Remote) are unaffected. The tag decoding state machine and multi-signature commit rejection are internal plumbing changes.
  • Transitive bumps worth noting: pjbgf/sha1cd 0.3.2 → 0.6.0 (major jump for a 0.x dep) and cyphar/filepath-securejoin 0.6.0 → 0.6.1 — neither is directly imported, both come through go-git.

5. google.golang.org/api 0.277.0 → 0.278.0 (minor, 0.x)

  • Usage: internal/cloudrun/cloudrun.go — only google.golang.org/api/iterator (the iterator.Done sentinel)
  • Risk: Negligible. The iterator subpackage and its Done sentinel are foundational and haven't changed. The release only contains auto-regenerated discovery clients.

Transitive dependency changes

The PR also bumps several indirect deps pulled in by the above:

  • golang.org/x/exp, golang.org/x/mod, golang.org/x/tools — standard Go extended libs, routine updates
  • klauspost/cpuid/v2 v2.3.0 — new indirect dep (likely pulled by sha1cd for CPU feature detection)

Verdict: Safe to merge. All version bumps are minor/patch with no API-breaking changes to the surfaces used by this codebase.

@mbevc1 mbevc1 enabled auto-merge (squash) May 7, 2026 09:38
@mbevc1 mbevc1 merged commit ed4e2a2 into main May 7, 2026
11 checks passed
@mbevc1 mbevc1 deleted the dependabot/go_modules/go-dependencies-568150f33b branch May 7, 2026 09:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mbevc1 mbevc1 mbevc1 approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mbevc1