Skip to content

Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] #58

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] #58

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 10, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
github.com/go-git/go-git/v5 v5.16.4v5.16.5 age confidence

GitHub Vulnerability Alerts

CVE-2026-25934

Impact

A vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found.

For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly.

Note that the lack of verification of the packfile checksum has no impact on the trust relationship between the client and server, which is enforced based on the protocol being used (e.g. TLS in the case of https:// or known hosts for ssh://). In other words, the packfile checksum verification does not provide any security benefits when connecting to a malicious or compromised Git server.

Patches

Users should upgrade to v5.16.5, or the latest v6 pseudo-version, in order to mitigate this vulnerability.

Workarounds

In case updating to a fixed version of go-git is not possible, users can run git fsck from the git cli to check for data corruption on a given repository.

Credit

Thanks @​N0zoM1z0 for finding and reporting this issue privately to the go-git project.

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.16.5

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.16.4...v5.16.5

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from 7416537 to 04e7915 Compare February 12, 2026 05:09
@renovate renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from 04e7915 to eb55e0a Compare February 12, 2026 05:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicksantamaria nicksantamaria nicksantamaria approved these changes

@GROwen GROwen Awaiting requested review from GROwen GROwen is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nicksantamaria