chore(deps): bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 by dependabot[bot] · Pull Request #1965 · open-component-model/ocm

dependabot · 2026-05-19T15:58:14Z

Bumps github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1.

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.19.1

What's Changed

v5: plumbing: transport/ssh, Shell-quote path by @hiddeco in go-git/go-git#2068

v5: git: submodule, Fix relative URL resolution by @hiddeco in go-git/go-git#2070

v5: git: submodule, canonical remote for relative URLs by @hiddeco in go-git/go-git#2074

v5: git: submodule, error on remote without URLs by @hiddeco in go-git/go-git#2078

v5: plumbing: format/idxfile, Validate offset64 indices by @hiddeco in go-git/go-git#2084

v5: *: Reject malformed variable-length integers by @hiddeco in go-git/go-git#2092

v5: plumbing: format/packfile, Tighten delta validation by @hiddeco in go-git/go-git#2091

v5: Add worktreeFilesystem wrapper for worktree and hardening by @hiddeco in go-git/go-git#2100

v5: config: validate submodule names by @hiddeco in go-git/go-git#2082

build: Update module github.com/go-git/go-git/v5 to v5.19.0 [SECURITY] (releases/v5.x) by @go-git-renovate[bot] in go-git/go-git#2111

v5: git: Allow MkdirAll on worktree-root paths by @hiddeco in go-git/go-git#2117

v5: git: Stop validating symlink target paths by @pjbgf in go-git/go-git#2116

v5: plumbing: format decoder input bounds and contracts by @hiddeco in go-git/go-git#2125

plumbing: format/packfile, cap delta chain depth in parser by @pjbgf in go-git/go-git#2137

Full Changelog: go-git/go-git@v5.19.0...v5.19.1

Commits

3c3be60 Merge pull request #2137 from go-git/validate-v5
3fba897 plumbing: format/packfile, cap delta chain depth in parser
a97d660 Merge pull request #2125 from hiddeco/v5/format-input-bounds
aeaa125 plumbing: format/objfile, require Header before Read
1f38e17 plumbing: format/packfile, bound inflate size
f7545a0 plumbing: format/idxfile, bound nr by file size
170b881 Merge pull request #2116 from pjbgf/symlink-v5
7b6d994 Merge pull request #2117 from hiddeco/v5/worktree-fs-mkdirall-root-noop
f0709b3 git: Stop validating symlink target paths
776d00f git: Allow MkdirAll on worktree-root paths
Additional commits viewable in compare view

matthiasbruns · 2026-05-26T05:13:06Z

@dependabot rebase

frewilhelm · 2026-05-29T09:02:58Z

@dependabot rebase

dependabot · 2026-05-29T09:17:37Z

Dependabot failed to update your dependencies. Because of this, Dependabot cannot update this pull request.

frewilhelm · 2026-05-29T17:11:02Z

@dependabot rebase

matthiasbruns · 2026-06-01T05:48:48Z

@dependabot rebase

dependabot · 2026-06-01T05:48:52Z

Looks like this PR is already up-to-date with main! If you'd still like to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

matthiasbruns

Security/hardening patch for go-git: SSH path quoting, submodule URL fixes, packfile delta validation tightening. Patch release, no breaking changes.

frewilhelm · 2026-06-01T06:34:35Z

Security/hardening patch for go-git: SSH path quoting, submodule URL fixes, packfile delta validation tightening. Patch release, no breaking changes. CI passes.

CI does not pass https://github.com/open-component-model/ocm/actions/runs/26737717804/job/78794327019?pr=1965

matthiasbruns · 2026-06-01T10:34:34Z

@dependabot rebase

matthiasbruns · 2026-06-01T11:01:02Z

yeah the bump seems to break something... I will take over and see if I can fix it

matthiasbruns · 2026-06-01T11:32:01Z

Fixed in #1983

dependabot · 2026-06-01T14:59:53Z

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

frewilhelm · 2026-06-01T16:43:00Z

@dependabot recreate

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.19.0 to 5.19.1. - [Release notes](https://github.com/go-git/go-git/releases) - [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md) - [Commits](go-git/go-git@v5.19.0...v5.19.1) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-version: 5.19.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added kind/chore chore, maintenance, etc. kind/dependency dependency update, etc. labels May 19, 2026

dependabot Bot requested a review from a team as a code owner May 19, 2026 15:58

dependabot Bot added kind/dependency dependency update, etc. kind/chore chore, maintenance, etc. labels May 19, 2026

github-actions Bot added the size/xs Extra small label May 19, 2026

dependabot Bot force-pushed the dependabot/go_modules/github.com/go-git/go-git/v5-5.19.1 branch from 3650591 to c676c49 Compare May 26, 2026 05:14

dependabot Bot force-pushed the dependabot/go_modules/github.com/go-git/go-git/v5-5.19.1 branch from c676c49 to c43d7ab Compare May 29, 2026 17:12

dependabot Bot force-pushed the dependabot/go_modules/github.com/go-git/go-git/v5-5.19.1 branch from c43d7ab to c5a1d2e Compare June 1, 2026 05:51

matthiasbruns approved these changes Jun 1, 2026

View reviewed changes

dependabot Bot force-pushed the dependabot/go_modules/github.com/go-git/go-git/v5-5.19.1 branch from c5a1d2e to 3408e56 Compare June 1, 2026 10:36

matthiasbruns self-assigned this Jun 1, 2026

matthiasbruns mentioned this pull request Jun 1, 2026

fix(tests): replace AddGlob with AddWithOptions to fix go-git v5.19.1… #1983

Merged

frewilhelm closed this in d41adba Jun 1, 2026

dependabot Bot deleted the dependabot/go_modules/github.com/go-git/go-git/v5-5.19.1 branch June 1, 2026 15:00

frewilhelm restored the dependabot/go_modules/github.com/go-git/go-git/v5-5.19.1 branch June 1, 2026 15:02

frewilhelm reopened this Jun 1, 2026

frewilhelm force-pushed the dependabot/go_modules/github.com/go-git/go-git/v5-5.19.1 branch from 3408e56 to a5c16ac Compare June 1, 2026 16:19

frewilhelm approved these changes Jun 1, 2026

View reviewed changes

dependabot Bot force-pushed the dependabot/go_modules/github.com/go-git/go-git/v5-5.19.1 branch from a5c16ac to 16d2302 Compare June 1, 2026 16:44

frewilhelm enabled auto-merge (squash) June 1, 2026 16:46

frewilhelm merged commit c666a61 into main Jun 1, 2026
21 checks passed

frewilhelm deleted the dependabot/go_modules/github.com/go-git/go-git/v5-5.19.1 branch June 1, 2026 16:56

Conversation

dependabot Bot commented on behalf of github May 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v5.19.1

What's Changed

Uh oh!

matthiasbruns commented May 26, 2026

Uh oh!

frewilhelm commented May 29, 2026

Uh oh!

dependabot Bot commented on behalf of github May 29, 2026

Uh oh!

frewilhelm commented May 29, 2026

Uh oh!

matthiasbruns commented Jun 1, 2026

Uh oh!

dependabot Bot commented on behalf of github Jun 1, 2026

Uh oh!

matthiasbruns left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

frewilhelm commented Jun 1, 2026

Uh oh!

matthiasbruns commented Jun 1, 2026

Uh oh!

matthiasbruns commented Jun 1, 2026

Uh oh!

matthiasbruns commented Jun 1, 2026

Uh oh!

dependabot Bot commented on behalf of github Jun 1, 2026

Uh oh!

frewilhelm commented Jun 1, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

dependabot Bot commented on behalf of github May 19, 2026 •

edited

Loading

matthiasbruns left a comment •

edited

Loading