fix: bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 #25240

Merged: Shelnutt2 merged 1 commit into release/2.32 from release/2.32-go-git-v5.19.0 on May 12, 2026

@Shelnutt2
Contributor

Cherry-pick of go-git v5.19.0 bump to release/2.32 to fix CVE-2026-45022 (improper object parsing).

Original PR: #25124

Ref: GHSA-389r-gv7p-r3rp

Supersedes #25226 (rebased on top of #25224).

Note

This PR was authored by Coder Agents.

Context

The cherry-pick of the original commit (c1c3b978) had merge conflicts in go.mod/go.sum due to dependency drift between main and release/2.32. Instead, the bump was applied directly via go get github.com/go-git/go-git/v5@v5.19.0 followed by go mod tidy, producing equivalent results.

Linear: ENT-24
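A check a release pipeline could run after a bump like this one, as an added example (not code from this PR, Coder, or go-git): it reads go.mod text, finds the version required for github.com/go-git/go-git/v5, rejects a replace directive that would override it, and compares the result with v5.19.0. The function names `requiredVersion` and `rank` are hypothetical, the go.mod line in `main` is constructed, and version components are assumed to be below 10000.

```go
package main

import (
	"fmt"
	"strings"
)

// requiredVersion returns the version go.mod requires for module ("" if none).
// A replace directive for it is an error: it overrides the require line.
func requiredVersion(gomod, module string) (string, error) {
	block, found := "", ""
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//")    // drop comments such as "// indirect"
		f := strings.Fields(block + " " + line) // inside "require (", prefix the directive
		switch {
		case len(f) < 2:
		case f[1] == "(":
			block = f[0]
		case f[1] == ")":
			block = ""
		case f[1] != module:
		case f[0] == "replace":
			return "", fmt.Errorf("%s is overridden by a replace directive", module)
		case f[0] == "require" && len(f) > 2:
			found = f[2]
		}
	}
	return found, nil
}

// rank maps "vX.Y.Z" to a sortable integer (components assumed < 10000). A "-"
// suffix (pre-release, pseudo-version) ranks below its core; malformed is -1.
func rank(v string) int {
	var x, y, z int
	core, _, pre := strings.Cut(v, "-")
	if n, _ := fmt.Sscanf(core, "v%d.%d.%d", &x, &y, &z); n != 3 {
		return -1
	}
	r := ((x*10000+y)*10000 + z) * 2
	if pre {
		r--
	}
	return r
}

func main() {
	v, err := requiredVersion("require github.com/go-git/go-git/v5 v5.18.0", "github.com/go-git/go-git/v5") // constructed input
	fmt.Println(v, err, rank(v) >= rank("v5.19.0"))
}
```

A pipeline step would fail the build when `requiredVersion` returns an error or when `rank(v) < rank("v5.19.0")`; a missing or malformed version ranks -1 and so fails closed.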

Cherry-pick of go-git v5.19.0 bump to release/2.32.
Fixes CVE-2026-45022 (improper object parsing in go-git).

Original PR: #25124
Commit: c1c3b97
@github-actions

👋 Hey @Shelnutt2!

This PR is targeting the release/2.32 release branch, but its title does not start with fix: or fix(scope):.

Only bug fixes should be cherry-picked to release branches. If this is a bug fix, please update the PR title to match the conventional commit format:

fix: description of the bug fix
fix(scope): description of the bug fix

If this is not a bug fix, it likely should not target a release branch.

@Shelnutt2 added the dependencies and cherry-pick/v2.32 labels on May 12, 2026
@Shelnutt2 changed the title from "chore: bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0" to "fix: bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0" on May 12, 2026
@Shelnutt2 merged commit bbe0286 into release/2.32 on May 12, 2026
108 of 116 checks passed
@github-actions (bot) locked and limited conversation to collaborators on May 12, 2026