chore: remove unused go-git dependency and transitive security advisory#302
go-git/go-git was listed as a direct dependency but was not imported anywhere in the codebase — all git operations shell out via exec.Command. Running go mod tidy removes go-git and its full transitive closure, including go-git/go-billy/v5 v5.6.2 which had an outstanding security advisory requiring v5.9.0 or later.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
All contributors have signed the CLA ✍️ ✅
I have read the CLA Document and I hereby sign the CLA
Flagging the security context for this PR for maintainer awareness. The dependency removed here — github.com/go-git/go-billy/v5 v5.6.2 — was carrying two published advisories, both patched in v5.9.0: GHSA-qw64-3x98-g7q2 / CVE-2026-44973 — Path traversal (High, CVSS 8.1): crafted paths using .. can escape intended base directories via osfs.ChrootOS. Since go-git is not imported anywhere in the codebase (all git operations shell out via exec.Command), the fix here is a full removal rather than a version bump — eliminating the advisory surface entirely. go build ./... and go test ./... both pass cleanly after the change. @jayshrivastava @mufeez-amjad — would appreciate a review when you have a moment.
mufeez-amjad left a comment:
Thanks for the cleanup! Indeed, we switched from go-git to using the git binary via the shell.
mufeez-amjad left a comment:
Actually, can you paste the output of:
go mod why -m github.com/kr/pretty
go mod why -m github.com/rogpeppe/go-internal
go mod why -m gopkg.in/check.v1
Just want to confirm these are only indirect/test dependency graph changes from go mod tidy.
For sure! Here you go:
github.com/kr/pretty
claude-squad/app
github.com/rogpeppe/go-internal
claude-squad/app
gopkg.in/check.v1
claude-squad/app
Summary
github.com/go-git/go-git/v5 was declared as a direct dependency in go.mod but is not imported anywhere in the codebase — all git operations use exec.Command to shell out to the system git binary. go-git's transitive dependency github.com/go-git/go-billy/v5 was pinned at v5.6.2, which is affected by a security advisory requiring v5.9.0 or later. go mod tidy removes go-git and its full transitive closure (including go-billy, go-winio, ProtonMail/go-crypto, cloudflare/circl, golang.org/x/crypto, golang.org/x/net, and others), resolving the advisory by eliminating the dependency entirely.
Changes
go.mod: removed go-git/go-git direct dep and 14 indirect deps that came with it
go.sum: updated accordingly
Test plan
go build ./... passes
go vet ./... passes
gofmt -l . reports no files
go test ./...)
🤖 Generated with Claude Code
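The summary rests on one checkable claim: a module declared as a direct requirement in go.mod is never imported by any package in the tree, so it (and everything only it pulled in) can be dropped rather than upgraded. The program below is an added example, not code from the claude-squad project or from this PR, that makes that check mechanical: it parses the `require` entries of a go.mod (single-line and block form, honouring the `// indirect` marker), walks a source tree with go/parser to collect every imported path, and reports direct requirements that no import path matches. The embedded go.mod text and import set are constructed samples (the module github.com/example/cli and the go-git version shown are placeholders, not the project's real values); pass a directory as the first argument to run it against a real checkout instead.

```go
package main

import (
	"bufio"
	"fmt"
	"go/parser"
	"go/token"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
)

// Requirement is one entry from a go.mod `require` directive.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool // marked `// indirect` by the go tool
}

// ParseRequires extracts require entries from go.mod text, handling both the
// single-line form and the parenthesised block form.
func ParseRequires(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		fields := strings.Fields(line)
		if len(fields) == 0 || strings.HasPrefix(fields[0], "//") {
			continue
		}
		if inBlock {
			if fields[0] == ")" {
				inBlock = false
				continue
			}
		} else {
			if fields[0] != "require" {
				continue
			}
			if len(fields) >= 2 && fields[1] == "(" {
				inBlock = true
				continue
			}
			fields = fields[1:] // single-line form: require <path> <version>
		}
		if len(fields) < 2 {
			continue
		}
		reqs = append(reqs, Requirement{
			Path:     fields[0],
			Version:  fields[1],
			Indirect: strings.Contains(line, "// indirect"),
		})
	}
	return reqs
}

// CollectImports parses every .go file under root (skipping vendor, testdata
// and dot-directories) and returns the set of imported package paths.
func CollectImports(root string) (map[string]bool, error) {
	imports := map[string]bool{}
	fset := token.NewFileSet()
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			name := d.Name()
			if name == "vendor" || name == "testdata" || (name != "." && strings.HasPrefix(name, ".")) {
				return filepath.SkipDir
			}
			return nil
		}
		if !strings.HasSuffix(path, ".go") {
			return nil
		}
		f, err := parser.ParseFile(fset, path, nil, parser.ImportsOnly)
		if err != nil {
			return err
		}
		for _, imp := range f.Imports {
			p, err := strconv.Unquote(imp.Path.Value)
			if err != nil {
				return err
			}
			imports[p] = true
		}
		return nil
	})
	return imports, err
}

// UnusedDirect returns the direct requirements whose module path is neither an
// imported path nor a prefix of one (a module is used if any of its packages is).
func UnusedDirect(reqs []Requirement, imports map[string]bool) []string {
	var unused []string
	for _, r := range reqs {
		if r.Indirect {
			continue
		}
		used := false
		for imp := range imports {
			if imp == r.Path || strings.HasPrefix(imp, r.Path+"/") {
				used = true
				break
			}
		}
		if !used {
			unused = append(unused, r.Path)
		}
	}
	sort.Strings(unused)
	return unused
}

// sampleGoMod is a constructed go.mod (not the project's real file) mirroring
// the PR: go-git declared direct, go-billy pulled in indirectly, neither imported.
const sampleGoMod = `module example.com/constructed

go 1.22

require (
	github.com/go-git/go-git/v5 v5.0.0
	github.com/go-git/go-billy/v5 v5.6.2 // indirect
	github.com/example/cli v1.0.0
)
`

// sampleImports stands in for CollectImports over a constructed source tree.
var sampleImports = map[string]bool{
	"fmt":                        true,
	"os/exec":                    true,
	"github.com/example/cli/sub": true,
}

func main() {
	gomod, imports := sampleGoMod, sampleImports
	if len(os.Args) > 1 { // real checkout: read its go.mod and walk its sources
		root := os.Args[1]
		data, err := os.ReadFile(filepath.Join(root, "go.mod"))
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		gomod = string(data)
		if imports, err = CollectImports(root); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	for _, m := range UnusedDirect(ParseRequires(gomod), imports) {
		fmt.Println("direct requirement never imported:", m)
	}
}
```

On the constructed sample the only finding is github.com/go-git/go-git/v5; go-billy is skipped because it is already marked indirect, and github.com/example/cli counts as used through its sub-package import. A module that is reported here is exactly what `go mod tidy` will drop from `require`, together with any indirect entries nothing else needs, which is the effect the PR description reports.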