Skip to content

chore(deps): bump go-git to v5.19.1 to address Snyk vulns#2453

Closed
c-julin wants to merge 1 commit into
masterfrom
julin/security-go-git-upgrade
Closed

chore(deps): bump go-git to v5.19.1 to address Snyk vulns#2453
c-julin wants to merge 1 commit into
masterfrom
julin/security-go-git-upgrade

Conversation

@c-julin

@c-julin c-julin commented May 19, 2026

Copy link
Copy Markdown
Contributor

Summary

Resolves 4 open Snyk findings against github.com/go-git/go-git/v5 by bumping it from 5.17.0 -> 5.19.1.

Severity Snyk ID Title
HIGH SNYK-GOLANG-...TRANSPORTHTTP-16109639 Insufficiently Protected Credentials (CVE-2026-41506)
HIGH SNYK-GOLANG-...PLUMBINGOBJECT-16638689 Incorrect Behavior Order: Validate Before Canonicalize
MEDIUM SNYK-GOLANG-...FORMATINDEX-15855246 Improper Validation of Array Index
MEDIUM SNYK-GOLANG-...FORMATINDEX-15855220 Allocation of Resources Without Limits

Indirect bumps pulled in by the go-git upgrade: go-billy/v5 5.8.0 -> 5.9.0, pjbgf/sha1cd 0.5.0 -> 0.6.0, golang.org/x/exp date bump.

Out of scope

One open Snyk finding remains: github.com/vmihailenco/msgpack/v5@5.4.1 (CVE-2026-2454, MEDIUM, DoS via malformed input). Upstream has no released fix (fixedIn: []), and our usage is bounded to operator-allowlisted Kafka topics. Recommend snyk ignore with a written reachability rationale + expiry in a follow-up.

Test plan

  • go build ./... clean
  • go vet ./... clean
  • govulncheck ./... no longer reports go-git findings (remaining hits are github.com/docker/docker in pkg/testutil/, pre-existing and test-only)
  • CI passes

Upgrades github.com/go-git/go-git/v5 from 5.17.0 -> 5.19.1, resolving:

- SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBINGTRANSPORTHTTP-16109639
  HIGH: Insufficiently Protected Credentials (CVE-2026-41506)
- SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBINGOBJECT-16638689
  HIGH: Incorrect Behavior Order: Validate Before Canonicalize
- SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBINGFORMATINDEX-15855246
  MEDIUM: Improper Validation of Array Index
- SNYK-GOLANG-GITHUBCOMGOGITGOGITV5PLUMBINGFORMATINDEX-15855220
  MEDIUM: Allocation of Resources Without Limits or Throttling

Indirect bumps pulled in by go-git: go-billy/v5 5.8.0 -> 5.9.0,
pjbgf/sha1cd 0.5.0 -> 0.6.0, golang.org/x/exp.

The remaining open Snyk finding (vmihailenco/msgpack/v5,
CVE-2026-2454) has no upstream fix available and is left for
ignore-with-justification triage in a follow-up.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant