fix(deps): update module github.com/go-git/go-git/v5 to v5.11.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/go-git/go-git/v5	v5.9.0 -> v5.11.0

GitHub Vulnerability Alerts

CVE-2023-49568

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.
This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

References

• GHSA-mw99-9chc-xw7r

CVE-2023-49569

Impact

A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved.

Applications are only affected if they are using the ChrootOS, which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS or in-memory filesystems are not affected by this issue.
This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible in a timely manner, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

---

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.11.0

Compare Source

What's Changed

• git: validate reference names (#​929) by @​aymanbagabas in https://github.com/go-git/go-git/pull/950
• git: stop iterating at oldest shallow when pulling. Fixes #​305 by @​dhoizner in https://github.com/go-git/go-git/pull/939
• plumbing: object, enable renames in getFileStatsFromFilePatches by @​djmoch in https://github.com/go-git/go-git/pull/941
• storage: filesystem, Add option to set a specific FS for alternates by @​pjbgf in https://github.com/go-git/go-git/pull/953
• Align worktree validation with upstream and remove build warnings by @​pjbgf in https://github.com/go-git/go-git/pull/958

New Contributors

• @​dhoizner made their first contribution in https://github.com/go-git/go-git/pull/939
• @​djmoch made their first contribution in https://github.com/go-git/go-git/pull/941

Full Changelog: go-git/go-git@v5.10.1...v5.11.0

v5.10.1

Compare Source

What's Changed

• Worktree, ignore ModeSocket files by @​steiler in https://github.com/go-git/go-git/pull/930
• git: add tracer package by @​aymanbagabas in https://github.com/go-git/go-git/pull/916
• remote: Flip clause for fast-forward only check by @​adityasaky in https://github.com/go-git/go-git/pull/875
• plumbing: transport/ssh, Fix nil pointer dereference caused when an unreachable proxy server is set. Fixes #​900 by @​anandf in https://github.com/go-git/go-git/pull/901
• plumbing: uppload-server-info, implement upload-server-info by @​aymanbagabas in https://github.com/go-git/go-git/pull/896
• plumbing: optimise memory consumption for filesystem storage by @​pjbgf in https://github.com/go-git/go-git/pull/799
• plumbing: format/packfile, Refactor patch delta by @​pjbgf in https://github.com/go-git/go-git/pull/908
• plumbing: fix empty uploadpack request error by @​aymanbagabas in https://github.com/go-git/go-git/pull/932
• plumbing: transport/git, Improve tests error message by @​pjbgf in https://github.com/go-git/go-git/pull/752
• plumbing: format/pktline, Respect pktline error-line errors by @​aymanbagabas in https://github.com/go-git/go-git/pull/936
• utils: remove ioutil.Pipe and use std library io.Pipe by @​aymanbagabas in https://github.com/go-git/go-git/pull/922
• utils: move trace to utils by @​aymanbagabas in https://github.com/go-git/go-git/pull/931
• cli: separate go module for cli by @​aymanbagabas in https://github.com/go-git/go-git/pull/914
• build: bump github.com/google/go-cmp from 0.5.9 to 0.6.0 by @​dependabot in https://github.com/go-git/go-git/pull/887
• build: bump actions/setup-go from 3 to 4 by @​dependabot in https://github.com/go-git/go-git/pull/891
• build: bump github.com/skeema/knownhosts from 1.2.0 to 1.2.1 by @​dependabot in https://github.com/go-git/go-git/pull/888
• build: bump actions/checkout from 3 to 4 by @​dependabot in https://github.com/go-git/go-git/pull/890
• build: bump golang.org/x/sys from 0.13.0 to 0.14.0 by @​dependabot in https://github.com/go-git/go-git/pull/907
• build: bump golang.org/x/text from 0.13.0 to 0.14.0 by @​dependabot in https://github.com/go-git/go-git/pull/906
• build: bump golang.org/x/crypto from 0.14.0 to 0.15.0 by @​dependabot in https://github.com/go-git/go-git/pull/917
• build: bump golang.org/x/net from 0.17.0 to 0.18.0 by @​dependabot in https://github.com/go-git/go-git/pull/918

New Contributors

• @​anandf made their first contribution in https://github.com/go-git/go-git/pull/901
• @​steiler made their first contribution in https://github.com/go-git/go-git/pull/930

Full Changelog: go-git/go-git@v5.10.0...v5.10.1

v5.10.0

Compare Source

What's Changed

• PlainInitOptions.Bare and allow using InitOptions with PlainInitWithOptions by @​ThinkChaos in https://github.com/go-git/go-git/pull/782
• Worktree, apply ProxyOption on Pull by @​nodivbyzero in https://github.com/go-git/go-git/pull/840
• Repository: add clone --shared feature by @​enverbisevac in https://github.com/go-git/go-git/pull/860
• build: Add github workflow to check commit message format by @​pjbgf in https://github.com/go-git/go-git/pull/867
• Improve handling of remote errors by @​makkes in https://github.com/go-git/go-git/pull/866
• build(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 by @​dependabot in https://github.com/go-git/go-git/pull/873
• plumbing: commitgraph, Add generation v2 support by @​zeripath in https://github.com/go-git/go-git/pull/869
• plumbing: protocol/packp, Add validation for decodeLine by @​pjbgf in https://github.com/go-git/go-git/pull/868
• plumbing: parse the encoding header of the commit object by @​liwenqiu in https://github.com/go-git/go-git/pull/761
• plumbing: commitgraph, allow SHA256 commit-graphs by @​zeripath in https://github.com/go-git/go-git/pull/853
• plumbing: commitgraph, Allow reading commit-graph chains by @​zeripath in https://github.com/go-git/go-git/pull/854
• plumbing/object: Support mergetag in merge commits by @​adityasaky in https://github.com/go-git/go-git/pull/847

New Contributors

• @​nodivbyzero made their first contribution in https://github.com/go-git/go-git/pull/840
• @​adityasaky made their first contribution in https://github.com/go-git/go-git/pull/847
• @​hezhizhen made their first contribution in https://github.com/go-git/go-git/pull/836
• @​0x34d made their first contribution in https://github.com/go-git/go-git/pull/855
• @​liwenqiu made their first contribution in https://github.com/go-git/go-git/pull/761
• @​enverbisevac made their first contribution in https://github.com/go-git/go-git/pull/860
• @​makkes made their first contribution in https://github.com/go-git/go-git/pull/866

Full Changelog: go-git/go-git@v5.9.0...v5.10.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (9e8c060) 69.45% compared to head (e781cab) 69.45%.
Report is 2 commits behind head on main.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #212   +/-   ##
=======================================
  Coverage   69.45%   69.45%           
=======================================
  Files          29       29           
  Lines        2089     2089           
=======================================
  Hits         1451     1451           
  Misses        556      556           
  Partials       82       82           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.