deps: update github.com/go-git/go-git/v5 to v5.11.0 and github.com/containerd/containerd to v1.7.11 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/go-git/go-git/v5	v5.10.1 -> v5.11.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-49568

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.
This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

References

• GHSA-mw99-9chc-xw7r

---

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.11.0

Compare Source

What's Changed

• git: validate reference names (#​929) by @​aymanbagabas in https://github.com/go-git/go-git/pull/950
• git: stop iterating at oldest shallow when pulling. Fixes #​305 by @​dhoizner in https://github.com/go-git/go-git/pull/939
• plumbing: object, enable renames in getFileStatsFromFilePatches by @​djmoch in https://github.com/go-git/go-git/pull/941
• storage: filesystem, Add option to set a specific FS for alternates by @​pjbgf in https://github.com/go-git/go-git/pull/953
• Align worktree validation with upstream and remove build warnings by @​pjbgf in https://github.com/go-git/go-git/pull/958

New Contributors

• @​dhoizner made their first contribution in https://github.com/go-git/go-git/pull/939
• @​djmoch made their first contribution in https://github.com/go-git/go-git/pull/941

Full Changelog: go-git/go-git@v5.10.1...v5.11.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[netlify]

✅ Deploy Preview for zarf-docs canceled.

Name	Link
🔨 Latest commit	73847c2
🔍 Latest deploy log	https://app.netlify.com/sites/zarf-docs/deploys/659571d7a9c677000801422c

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.

[Racer159]

lgtm