
fix(deps): upgrade go-git to v5.17.1 to fix CVE (idx file DoS)#717

Merged
michaeljguarino merged 1 commit into main from agent/fix-go-git-cve-1743535413655
Apr 1, 2026

Conversation

@plural-copilot plural-copilot bot commented Apr 1, 2026

Summary

  • Upgrade github.com/go-git/go-git/v5 from v5.16.5 to v5.17.1
  • Fixes security vulnerability: maliciously crafted .idx file can cause asymmetric memory consumption leading to denial-of-service (DoS)
  • Affected image: ghcr.io/pluralsh/console:0.12.10

Details

Vulnerability: A maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition.

Exploitation requires: Write access to the local repository's .git directory to create or alter existing .idx files.

Fix version: v5.17.1

Test Plan

  • Updated go.mod to use go-git v5.17.1
  • Ran go mod tidy to update go.sum
  • Verified build compiles successfully using Docker

🤖 Generated with Claude Code
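A defender-side check for the fix the Test Plan describes, added here as an example and not code from this PR or the console project: it scans go.mod text for the go-git requirement and reports whether the pin is at or above the v5.17.1 fix version. The go.mod excerpt is constructed; the module path and fix version come from the PR.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt (hypothetical; not the console project's real file).
const sampleGoMod = `module example.com/console
require github.com/go-git/go-git/v5 v5.16.5
`

// go-git module path and the fix version the PR names for the .idx-file DoS.
const goGitModule, goGitFixed = "github.com/go-git/go-git/v5", "v5.17.1"
var semverRe = regexp.MustCompile(`^v(\d+)\.(\d+)\.(\d+)`)

// CompareSemver orders two "vMAJOR.MINOR.PATCH[-pre]" strings numerically
// (-1, 0 or 1); pre-release and build suffixes are ignored.
func CompareSemver(a, b string) (int, error) {
	ma, mb := semverRe.FindStringSubmatch(a), semverRe.FindStringSubmatch(b)
	if ma == nil || mb == nil {
		return 0, fmt.Errorf("malformed version: %q / %q", a, b)
	}
	for i := 1; i <= 3; i++ {
		x, _ := strconv.Atoi(ma[i]) // digits guaranteed by the regexp
		y, _ := strconv.Atoi(mb[i])
		if x < y {
			return -1, nil
		} else if x > y {
			return 1, nil
		}
	}
	return 0, nil
}

// GoGitIsFixed scans go.mod text (one-line "require m v" or require-block
// lines) and reports whether go-git is pinned at or above the fix version.
func GoGitIsFixed(goMod string) (bool, error) {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == goGitModule {
			c, err := CompareSemver(f[1], goGitFixed)
			return c >= 0, err
		}
	}
	return false, fmt.Errorf("%s is not a direct requirement", goGitModule)
}
```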

Upgrade github.com/go-git/go-git/v5 from v5.16.5 to v5.17.1 to address
a security vulnerability where a maliciously crafted .idx file can cause
asymmetric memory consumption, potentially leading to denial-of-service.

@plural-copilot plural-copilot bot left a comment

This PR was generated by the claude (engine: claude) agent runtime. Here's some useful information you might want to know to evaluate the AI's performance:

Name            Details
💬 Prompt       Security scanners have found the following vulnerability in our cluster:...
🔗 Run history  View run history

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                          Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  github.com/go-git/go-git/v5@v5.16.5 ⏵ v5.17.1    81 (+1)                100 (+3)       100      100          100


@michaeljguarino michaeljguarino added the enhancement New feature or request label Apr 1, 2026
@michaeljguarino michaeljguarino merged commit 737c50a into main Apr 1, 2026
14 of 15 checks passed
@michaeljguarino michaeljguarino deleted the agent/fix-go-git-cve-1743535413655 branch April 1, 2026 17:34