Skip to content

Update vulnerable dependencies [SECURITY]#490

Open
pulumi-renovate[bot] wants to merge 1 commit intomainfrom
renovate/security
Open

Update vulnerable dependencies [SECURITY]#490
pulumi-renovate[bot] wants to merge 1 commit intomainfrom
renovate/security

Conversation

@pulumi-renovate
Copy link
Copy Markdown
Contributor

@pulumi-renovate pulumi-renovate bot commented Apr 10, 2026
edited
Loading

This PR contains the following updates:

Package Type Update Change
github.com/go-git/go-git/v5 indirect minor v5.17.1 -> v5.18.0
github.com/hashicorp/go-getter indirect minor v1.7.9 -> v1.8.6

GitHub Vulnerability Alerts

GHSA-3xc5-wrhm-f963

Impact

go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations.

If a remote repository responds to the initial /info/refs request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host.

An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential.

Clients using go-git exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue. The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data.

Patches

Users should upgrade to v5.18.0, or v6.0.0-alpha.2, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

The patched versions add support for configuring followRedirects. In line with upstream behaviour, the default is now initial, while users can opt into FollowRedirects or NoFollowRedirects programmatically.

Credit

Thanks to the 3 separate reports from @​celinke97, @​N0zoM1z0 and @​AyushParkara. Thanks for finding and reporting this issue privately to the go-git project. 🙇

CVE-2026-4660

HashiCorp's go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.18.0

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.17.2...v5.18.0

v5.17.2

Compare Source

What's Changed

⚠️ This release fixes a bug (https://github.com/go-git/go-git/issues/1942) that blocked some users from upgrading to v5.17.1. Thanks @​pskrbasu for reporting it. 🙇

Full Changelog: go-git/go-git@v5.17.1...v5.17.2

hashicorp/go-getter (github.com/hashicorp/go-getter)

v1.8.6

Compare Source

v1.8.5

Compare Source

What's Changed

NOTES:

Binary Distribution Update: To streamline our release process and align with other HashiCorp tools, all release binaries will now be published exclusively to the official HashiCorp release site. We will no longer attach release assets to GitHub Releases.

New Contributors

Full Changelog: hashicorp/go-getter@v1.8.4...v1.8.5

v1.8.4

Compare Source

What's Changed

New Contributors

Full Changelog: hashicorp/go-getter@v1.8.3...v1.8.4

v1.8.3

Compare Source

What's Changed

New Contributors

Full Changelog: hashicorp/go-getter@v1.8.2...v1.8.3

v1.8.2

Compare Source

What's Changed

New Contributors

Full Changelog: hashicorp/go-getter@v1.8.1...v1.8.2

v1.8.1

Compare Source

What's Changed

New Contributors

Full Changelog: hashicorp/go-getter@v1.8.0...v1.8.1

v1.8.0

What's Changed

New Contributors

Full Changelog: hashicorp/go-getter@v1.7.9...v1.8.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@pulumi-renovate pulumi-renovate bot added dependencies Pull requests that update a dependency file impact/no-changelog-required This issue doesn't require a CHANGELOG update labels Apr 10, 2026
@pulumi-renovate pulumi-renovate bot enabled auto-merge (squash) April 10, 2026 22:13
@pulumi-renovate
Copy link
Copy Markdown
Contributor Author

pulumi-renovate bot commented Apr 10, 2026

ℹ Artifact update notice

File name: provider/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 27 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.7 -> 1.25.8
cloud.google.com/go/iam v1.1.6 -> v1.5.3
cloud.google.com/go/storage v1.39.1 -> v1.61.3
github.com/fatih/color v1.17.0 -> v1.18.0
github.com/google/s2a-go v0.1.7 -> v0.1.9
github.com/googleapis/enterprise-certificate-proxy v0.3.2 -> v0.3.14
github.com/googleapis/gax-go/v2 v2.12.2 -> v2.17.0
github.com/hashicorp/go-version v1.7.0 -> v1.8.0
github.com/klauspost/compress v1.18.0 -> v1.18.5
github.com/mattn/go-colorable v0.1.13 -> v0.1.14
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 -> v0.63.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 -> v0.61.0
go.opentelemetry.io/otel v1.40.0 -> v1.42.0
go.opentelemetry.io/otel/metric v1.40.0 -> v1.42.0
golang.org/x/crypto v0.47.0 -> v0.49.0
golang.org/x/mod v0.31.0 -> v0.33.0
golang.org/x/net v0.49.0 -> v0.52.0
golang.org/x/oauth2 v0.34.0 -> v0.36.0
golang.org/x/sync v0.19.0 -> v0.20.0
golang.org/x/sys v0.40.0 -> v0.42.0
golang.org/x/term v0.39.0 -> v0.41.0
golang.org/x/text v0.33.0 -> v0.35.0
golang.org/x/time v0.12.0 -> v0.15.0
golang.org/x/tools v0.40.0 -> v0.42.0
google.golang.org/api v0.169.0 -> v0.271.0
google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 -> v0.0.0-20260128011058-8636f8732409
google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 -> v0.0.0-20260203192932-546029d2fa20
google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 -> v0.0.0-20260226221140-a57be14db171

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 10, 2026
edited
Loading

Does the PR have any schema changes?

Found 1 breaking change:

Functions

  • 🔴 "xyz:index/dataSource:DataSource" missing

New functions:

  • index/getDataSource.getDataSource

Maintainer note: consult the runbook for dealing with any breaking changes.

@codecov
Copy link
Copy Markdown

codecov bot commented Apr 10, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (a047373) to head (332f48e).

Additional details and impacted files 
@@          Coverage Diff          @@
##            main    #490   +/-   ##
=====================================
  Coverage   0.00%   0.00%           
=====================================
  Files          1       1           
  Lines         61      61           
=====================================
  Misses        61      61

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@pulumi-renovate pulumi-renovate bot force-pushed the renovate/security branch 3 times, most recently from 519a8f9 to 674cd90 Compare April 17, 2026 07:01
@pulumi-renovate pulumi-renovate bot changed the title Update module github.com/hashicorp/go-getter to v1.8.6 [SECURITY] Update vulnerable dependencies [SECURITY] Apr 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pulumi-renovate-approve pulumi-renovate-approve[bot] pulumi-renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file impact/no-changelog-required This issue doesn't require a CHANGELOG update

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants