fix: bump go-git/go-git/v5 to v5.19.1 to remediate CVE-2026-45571 and CVE-2026-45570 #17

Open: plural-copilot[bot] wants to merge 1 commit into main from agent/bump-go-git-v5-19-1-cves-1748286059000

@plural-copilot

Summary

  • bump github.com/go-git/go-git/v5 from v5.19.0 to v5.19.1
  • remediate CVE-2026-45571 and CVE-2026-45570
  • keep the change scoped to dependency metadata only; no application logic changes

Vulnerabilities addressed

  • CVE-2026-45571 (MEDIUM): path validation issue in go-git that allows crafted repository data to affect files outside the checkout target, including the .git directory
  • CVE-2026-45570 (LOW): improper single-quote escaping in go-git's SSH transport, where repository paths containing ' can break out of the quoted shell context

Dependency change

  • github.com/go-git/go-git/v5: v5.19.0 → v5.19.1

Notes

  • this fixes vulnerabilities in the git-server image used by the pluralsh/console service
  • no vendored copy or vendor/modules.txt updates were needed in this repository
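
The quoting failure described for CVE-2026-45570, shown as an added example that is not go-git's code or its actual fix: a naive single-quote wrapper beside one that escapes embedded quotes with the POSIX `'\''` idiom. The function names, the sample path and the `git-upload-pack` command line are constructed for illustration, and `shellWords` only tokenises the string to show how many arguments a shell would see.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveQuote is the flawed pattern: an embedded ' ends the quoted context early.
func naiveQuote(s string) string { return "'" + s + "'" }

// shellQuote rewrites each embedded ' as '\'' (close, escaped quote, reopen).
func shellQuote(s string) string { return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'" }

// shellWords tokenises cmd like a POSIX shell (quotes, backslash, spaces); it runs nothing.
func shellWords(cmd string) (words []string) {
	var cur strings.Builder
	inQuote, started := false, false
	for i := 0; i < len(cmd); i++ {
		switch c := cmd[i]; {
		case inQuote && c == '\'':
			inQuote = false
		case inQuote:
			cur.WriteByte(c)
		case c == '\'':
			inQuote, started = true, true
		case c == '\\' && i+1 < len(cmd):
			i++
			cur.WriteByte(cmd[i])
			started = true
		case c == ' ' && started:
			words = append(words, cur.String())
			cur.Reset()
			started = false
		case c != ' ':
			cur.WriteByte(c)
			started = true
		}
	}
	if started {
		words = append(words, cur.String())
	}
	return words
}

func main() {
	path := "/srv/git/o'brien repo.git" // constructed sample path
	fmt.Printf("%q\n", shellWords("git-upload-pack "+naiveQuote(path)))
	fmt.Printf("%q\n", shellWords("git-upload-pack "+shellQuote(path)))
}
```

With the naive wrapper the path splits into two separate arguments and loses its apostrophe; with the escaping wrapper it arrives as a single argument identical to the input.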

@plural-copilot plural-copilot Bot left a comment

This PR was generated by the codex Plural Agent Runtime. Here's some useful information you might want to know to evaluate the AI's performance:

| Name | Details |
| --- | --- |
| 💬 Prompt | ## Bump go-git/go-git/v5 to v5.19.1 to fix two CVEs... |
| 🔗 Run history | View run history |

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Updated | github.com/go-git/go-git/v5@v5.19.0 ⏵ v5.19.1 | 82 +1 | 100 +3 | 100 | 100 | 100 |
