Skip to content

Commit

Permalink
fix: Switch to upstream go-git. Fixes CVE-2023-49569 (#12515)
Browse files Browse the repository at this point in the history 
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
  • Loading branch information
@terrytangyuan
terrytangyuan committed Jan 14, 2024
1 parent 94a178c commit f5fee56
Show file tree
Hide file tree
Showing 2 changed files with 63 additions and 57 deletions.
27 changes: 14 additions & 13 deletions go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ require (
github.com/doublerebel/bellows v0.0.0-20160303004610-f177d92a03d3
github.com/evanphx/json-patch v5.7.0+incompatible
github.com/gavv/httpexpect/v2 v2.10.0
github.com/go-git/go-git/v5 v5.4.2
github.com/go-git/go-git/v5 v5.11.0
github.com/go-jose/go-jose/v3 v3.0.1
github.com/go-openapi/jsonreference v0.20.2
github.com/go-sql-driver/mysql v1.7.1
Expand Down Expand Up @@ -55,7 +55,7 @@ require (
github.com/upper/db/v4 v4.7.0
github.com/valyala/fasttemplate v1.2.2
github.com/xeipuuv/gojsonschema v1.2.0
golang.org/x/crypto v0.15.0
golang.org/x/crypto v0.16.0
golang.org/x/exp v0.0.0-20230905200255-921286631fa9
golang.org/x/oauth2 v0.13.0
golang.org/x/sync v0.5.0
Expand All @@ -77,8 +77,11 @@ require (
)

require (
dario.cat/mergo v1.0.0 // indirect
github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68 // indirect
github.com/cloudflare/circl v1.3.3 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
github.com/cyphar/filepath-securejoin v0.2.4 // indirect
github.com/evilmonkeyinc/jsonpath v0.8.1 // indirect
github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
github.com/google/s2a-go v0.1.7 // indirect
Expand All @@ -94,9 +97,11 @@ require (
github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
github.com/jcmturner/rpc/v2 v2.0.3 // indirect
github.com/pjbgf/sha1cd v0.3.0 // indirect
github.com/sagikazarmark/locafero v0.3.0 // indirect
github.com/sagikazarmark/slog-shim v0.1.0 // indirect
github.com/segmentio/fasthash v1.0.3 // indirect
github.com/skeema/knownhosts v1.2.1 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
github.com/vbatts/tar-split v0.11.3 // indirect
go.uber.org/atomic v1.9.0 // indirect
Expand Down Expand Up @@ -129,8 +134,7 @@ require (
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver/v3 v3.2.0 // indirect
github.com/Microsoft/go-winio v0.6.1 // indirect
github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
github.com/acomagu/bufpipe v1.0.4 // indirect
github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
github.com/ajg/form v1.5.1 // indirect
github.com/andybalholm/brotli v1.0.4 // indirect
github.com/awalterschulze/gographviz v0.0.0-20200901124122-0eecad45bd71 // indirect
Expand Down Expand Up @@ -164,16 +168,16 @@ require (
github.com/docker/docker-credential-helpers v0.7.0 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/emicklei/go-restful/v3 v3.10.0 // indirect
github.com/emirpasic/gods v1.12.0 // indirect
github.com/emirpasic/gods v1.18.1 // indirect
github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
github.com/fatih/camelcase v1.0.0 // indirect
github.com/fatih/structs v1.1.0 // indirect
github.com/felixge/httpsnoop v1.0.3 // indirect
github.com/fsnotify/fsnotify v1.6.0 // indirect
github.com/fvbommel/sortorder v1.0.1 // indirect
github.com/go-errors/errors v1.0.1 // indirect
github.com/go-git/gcfg v1.5.0 // indirect
github.com/go-git/go-billy/v5 v5.3.1 // indirect
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
github.com/go-git/go-billy/v5 v5.5.0 // indirect
github.com/go-logr/logr v1.2.3 // indirect
github.com/go-openapi/jsonpointer v0.19.6 // indirect
github.com/go-openapi/swag v0.22.3 // indirect
Expand Down Expand Up @@ -250,8 +254,7 @@ require (
github.com/tidwall/pretty v1.2.0 // indirect
github.com/valyala/bytebufferpool v1.0.0 // indirect
github.com/valyala/fasthttp v1.34.0 // indirect
github.com/whilp/git-urls v1.0.0 // indirect
github.com/xanzy/ssh-agent v0.3.1 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
Expand All @@ -260,9 +263,9 @@ require (
github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
go.opencensus.io v0.24.0 // indirect
go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
golang.org/x/net v0.17.0 // indirect
golang.org/x/net v0.19.0 // indirect
golang.org/x/sys v0.15.0 // indirect
golang.org/x/term v0.14.0
golang.org/x/term v0.15.0
golang.org/x/text v0.14.0 // indirect
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
google.golang.org/appengine v1.6.8 // indirect
Expand All @@ -282,5 +285,3 @@ require (
sigs.k8s.io/kustomize/kyaml v0.13.6 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
)

replace github.com/go-git/go-git/v5 => github.com/argoproj-labs/go-git/v5 v5.4.7
Loading

0 comments on commit f5fee56

Please sign in to comment.