[v5] git: Add strict checks for supported extensions#1861
Merged
pjbgf merged 2 commits intogo-git:releases/v5.xfrom Feb 24, 2026
Merged
[v5] git: Add strict checks for supported extensions#1861pjbgf merged 2 commits intogo-git:releases/v5.xfrom
pjbgf merged 2 commits intogo-git:releases/v5.xfrom
Conversation
The upstream Git enforces fail-safe heuristics to ensure that older git versions will avoid handling repositories using extensions they are unaware of. The logic is largely based on the value of core.repositoryformatversion. As per official Git docs: > This version specifies the rules for operating on the on-disk repository data. > An implementation of git which does not understand a particular version > advertised by an on-disk repository MUST NOT operate on that repository; > doing so risks not only producing wrong results, but actually losing data. Now go-git will ensure that: - The git.Open logic will verify and enforces the extension support rules. - go-git will keep track of built-in extensions that it supports. This is a breaking change and it will force go-git to not be able to open repositories that it in fact doesn't really support. Conversaly, the error messages will be more useful (e.g. unknown extension vs object not found). Upstream refs: - https://git-scm.com/docs/git-config#Documentation/git-config.txt-extensions - https://git-scm.com/docs/gitrepository-layout#_git_repository_format_versions Signed-off-by: Paulo Gomes <pjbgf@linux.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR backports strict Git extension validation from #1850 to go-git v5. It enforces Git's fail-safe heuristics for repository format versions, ensuring go-git refuses to open repositories using unsupported extensions or format versions.
Changes:
- Added extension validation logic in
verifyExtensions()function that checks repository format version compatibility - Integrated extension checks into the
Open()function to reject unsupported repositories early - Added comprehensive test coverage for various extension and format version scenarios
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| repository_extensions.go | New file implementing core extension validation logic with error definitions, supported extension maps, and the verifyExtensions function |
| repository.go | Integrates extension validation into the Open function by calling verifyExtensions after loading config |
| repository_extensions_test.go | New test file with table-driven tests covering various extension and format version scenarios |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
The test workflow for v5 diverged from main slightly, including its job name, which caused it to not be in-sync with the latest repository rulesets. Signed-off-by: Paulo Gomes <pjbgf@linux.com>
arthurzam
pushed a commit
to gentoo-golang-dist/forgejo-runner
that referenced
this pull request
Feb 27, 2026
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `v5.16.5` -> `v5.17.0` |  |  | --- ### Release Notes <details> <summary>go-git/go-git (github.com/go-git/go-git/v5)</summary> ### [`v5.17.0`](https://github.com/go-git/go-git/releases/tag/v5.17.0) [Compare Source](go-git/go-git@v5.16.5...v5.17.0) #### What's Changed - build: Update module github.com/go-git/go-git/v5 to v5.16.5 \[SECURITY] (releases/v5.x) by [@​go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#​1839](go-git/go-git#1839) - git: worktree, optimize infiles function for very large repos by [@​k-anshul](https://github.com/k-anshul) in [#​1853](go-git/go-git#1853) - git: Add strict checks for supported extensions by [@​pjbgf](https://github.com/pjbgf) in [#​1861](go-git/go-git#1861) - backport, git: Improve Status() speed with new index.ModTime check by [@​cedric-appdirect](https://github.com/cedric-appdirect) in [#​1862](go-git/go-git#1862) - storage: filesystem, Avoid overwriting loose obj files by [@​pjbgf](https://github.com/pjbgf) in [#​1864](go-git/go-git#1864) **Full Changelog**: <go-git/go-git@v5.16.5...v5.17.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41LjAiLCJ1cGRhdGVkSW5WZXIiOiI0My41LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbIktpbmQvRGVwZW5kZW5jeVVwZGF0ZSIsInJ1bi1lbmQtdG8tZW5kLXRlc3RzIl19--> Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/1410 Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org> Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>
Maks1mS
pushed a commit
to stplr-dev/stplr
that referenced
this pull request
Feb 28, 2026
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | require | minor | `v5.16.5` → `v5.17.0` | [](https://securityscorecards.dev/viewer/?uri=github.com/go-git/go-git) | --- >⚠️ **Warning** > > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>go-git/go-git (github.com/go-git/go-git/v5)</summary> ### [`v5.17.0`](https://github.com/go-git/go-git/releases/tag/v5.17.0) [Compare Source](go-git/go-git@v5.16.5...v5.17.0) #### What's Changed - build: Update module github.com/go-git/go-git/v5 to v5.16.5 \[SECURITY] (releases/v5.x) by [@​go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#​1839](go-git/go-git#1839) - git: worktree, optimize infiles function for very large repos by [@​k-anshul](https://github.com/k-anshul) in [#​1853](go-git/go-git#1853) - git: Add strict checks for supported extensions by [@​pjbgf](https://github.com/pjbgf) in [#​1861](go-git/go-git#1861) - backport, git: Improve Status() speed with new index.ModTime check by [@​cedric-appdirect](https://github.com/cedric-appdirect) in [#​1862](go-git/go-git#1862) - storage: filesystem, Avoid overwriting loose obj files by [@​pjbgf](https://github.com/pjbgf) in [#​1864](go-git/go-git#1864) **Full Changelog**: <go-git/go-git@v5.16.5...v5.17.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday ( * 0-4,22-23 * * 1-5 ), Only on Sunday and Saturday ( * * * * 0,6 ) (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNS4yIiwidXBkYXRlZEluVmVyIjoiNDMuMTUuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiS2luZC9EZXBlbmRlbmNpZXMiXX0=--> Reviewed-on: https://altlinux.space/stapler/stplr/pulls/333 Co-authored-by: Renovate Bot <stapler-helper-bot@noreply.altlinux.space> Co-committed-by: Renovate Bot <stapler-helper-bot@noreply.altlinux.space>
charithe
added a commit
to charithe/cerbos
that referenced
this pull request
Mar 9, 2026
v5.17.0 includes strict extension checks (go-git/go-git#1861) but it causes problems for `worktreeconfig` because it wasn't added to the supported extension list until go-git/go-git#1877. Until it's released, we need to keep the version back. Signed-off-by: Charith Ellawala <charith@cerbos.dev>
charithe
added a commit
to cerbos/cerbos
that referenced
this pull request
Mar 9, 2026
v5.17.0 includes strict extension checks (go-git/go-git#1861) but it causes problems for `worktreeconfig` because it wasn't added to the supported extension list until go-git/go-git#1877. Until it's released, we need to keep the version back. Signed-off-by: Charith Ellawala <charith@cerbos.dev> Signed-off-by: Charith Ellawala <charith@cerbos.dev>
haines
pushed a commit
to haines/cerbos
that referenced
this pull request
Mar 16, 2026
v5.17.0 includes strict extension checks (go-git/go-git#1861) but it causes problems for `worktreeconfig` because it wasn't added to the supported extension list until go-git/go-git#1877. Until it's released, we need to keep the version back. Signed-off-by: Charith Ellawala <charith@cerbos.dev>
migmartri
added a commit
to migmartri/chainloop
that referenced
this pull request
Mar 30, 2026
go-git v5.17.0 introduced strict repository extension validation (go-git/go-git#1861) with a case-sensitivity bug that rejects the worktreeConfig extension, breaking attestation init in repos using git worktree. Reverts to v5.16.5 and adds defensive handling in gracefulGitRepoHead so unsupported extension errors degrade gracefully instead of failing the attestation. Closes chainloop-dev#2966 Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
This was referenced Mar 30, 2026
nschloe
pushed a commit
to live-clones/forgejo
that referenced
this pull request
Mar 31, 2026
…0/forgejo) (#11898) This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `v5.16.5` → `v5.17.1` |  |  | --- >⚠️ **Warning** > > Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/2779) for more information. --- ### go-git missing validation decoding Index v4 files leads to panic [CVE-2026-33762](https://nvd.nist.gov/vuln/detail/CVE-2026-33762) / [GHSA-gm2x-2g9h-ccm8](GHSA-gm2x-2g9h-ccm8) <details> <summary>More information</summary> #### Details ##### Impact `go-git`’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (`go-git` supports only `v2` and `v3`) are not vulnerable to this issue. An attacker able to supply a crafted `.git/index` file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition. Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the `.git` directory. ##### Patches Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. ##### Credit go-git maintainers thank @​kq5y for finding and reporting this issue privately to the `go-git` project. #### Severity - CVSS Score: 2.8 / 10 (Low) - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L` #### References - [https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8](https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8) - [https://github.com/go-git/go-git](https://github.com/go-git/go-git) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-gm2x-2g9h-ccm8) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### go-git: Maliciously crafted idx file can cause asymmetric memory consumption [CVE-2026-34165](https://nvd.nist.gov/vuln/detail/CVE-2026-34165) / [GHSA-jhf3-xxhw-2wpp](GHSA-jhf3-xxhw-2wpp) <details> <summary>More information</summary> #### Details ##### Impact A vulnerability has been identified in which a maliciously crafted `.idx` file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition. Exploitation requires write access to the local repository's `.git` directory, it order to create or alter existing `.idx` files. ##### Patches Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. ##### Credit The go-git maintainers thank @​kq5y for finding and reporting this issue privately to the `go-git` project. #### Severity - CVSS Score: 5.0 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H` #### References - [https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp](https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp) - [https://github.com/go-git/go-git](https://github.com/go-git/go-git) - [https://github.com/go-git/go-git/releases/tag/v5.17.1](https://github.com/go-git/go-git/releases/tag/v5.17.1) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-jhf3-xxhw-2wpp) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>go-git/go-git (github.com/go-git/go-git/v5)</summary> ### [`v5.17.1`](https://github.com/go-git/go-git/releases/tag/v5.17.1) [Compare Source](go-git/go-git@v5.17.0...v5.17.1) #### What's Changed - build: Update module github.com/cloudflare/circl to v1.6.3 \[SECURITY] (releases/v5.x) by [@​go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#​1930](go-git/go-git#1930) - \[v5] plumbing: format/index, Improve v4 entry name validation by [@​pjbgf](https://github.com/pjbgf) in [#​1935](go-git/go-git#1935) - \[v5] plumbing: format/idxfile, Fix version and fanout checks by [@​pjbgf](https://github.com/pjbgf) in [#​1937](go-git/go-git#1937) **Full Changelog**: <go-git/go-git@v5.17.0...v5.17.1> ### [`v5.17.0`](https://github.com/go-git/go-git/releases/tag/v5.17.0) [Compare Source](go-git/go-git@v5.16.5...v5.17.0) #### What's Changed - build: Update module github.com/go-git/go-git/v5 to v5.16.5 \[SECURITY] (releases/v5.x) by [@​go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#​1839](go-git/go-git#1839) - git: worktree, optimize infiles function for very large repos by [@​k-anshul](https://github.com/k-anshul) in [#​1853](go-git/go-git#1853) - git: Add strict checks for supported extensions by [@​pjbgf](https://github.com/pjbgf) in [#​1861](go-git/go-git#1861) - backport, git: Improve Status() speed with new index.ModTime check by [@​cedric-appdirect](https://github.com/cedric-appdirect) in [#​1862](go-git/go-git#1862) - storage: filesystem, Avoid overwriting loose obj files by [@​pjbgf](https://github.com/pjbgf) in [#​1864](go-git/go-git#1864) **Full Changelog**: <go-git/go-git@v5.16.5...v5.17.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45OS4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTkuMSIsInRhcmdldEJyYW5jaCI6InYxMS4wL2Zvcmdlam8iLCJsYWJlbHMiOlsiZGVwZW5kZW5jeS11cGdyYWRlIiwidGVzdC9ub3QtbmVlZGVkIl19--> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11898 Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org> Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>
nschloe
pushed a commit
to live-clones/forgejo
that referenced
this pull request
Mar 31, 2026
…v14.0/forgejo) (#11899) This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `v5.16.5` → `v5.17.1` |  |  | --- ### go-git missing validation decoding Index v4 files leads to panic [CVE-2026-33762](https://nvd.nist.gov/vuln/detail/CVE-2026-33762) / [GHSA-gm2x-2g9h-ccm8](GHSA-gm2x-2g9h-ccm8) <details> <summary>More information</summary> #### Details ##### Impact `go-git`’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (`go-git` supports only `v2` and `v3`) are not vulnerable to this issue. An attacker able to supply a crafted `.git/index` file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition. Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the `.git` directory. ##### Patches Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. ##### Credit go-git maintainers thank @​kq5y for finding and reporting this issue privately to the `go-git` project. #### Severity - CVSS Score: 2.8 / 10 (Low) - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L` #### References - [https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8](https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8) - [https://github.com/go-git/go-git](https://github.com/go-git/go-git) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-gm2x-2g9h-ccm8) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### go-git: Maliciously crafted idx file can cause asymmetric memory consumption [CVE-2026-34165](https://nvd.nist.gov/vuln/detail/CVE-2026-34165) / [GHSA-jhf3-xxhw-2wpp](GHSA-jhf3-xxhw-2wpp) <details> <summary>More information</summary> #### Details ##### Impact A vulnerability has been identified in which a maliciously crafted `.idx` file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition. Exploitation requires write access to the local repository's `.git` directory, it order to create or alter existing `.idx` files. ##### Patches Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. ##### Credit The go-git maintainers thank @​kq5y for finding and reporting this issue privately to the `go-git` project. #### Severity - CVSS Score: 5.0 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H` #### References - [https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp](https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp) - [https://github.com/go-git/go-git](https://github.com/go-git/go-git) - [https://github.com/go-git/go-git/releases/tag/v5.17.1](https://github.com/go-git/go-git/releases/tag/v5.17.1) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-jhf3-xxhw-2wpp) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>go-git/go-git (github.com/go-git/go-git/v5)</summary> ### [`v5.17.1`](https://github.com/go-git/go-git/releases/tag/v5.17.1) [Compare Source](go-git/go-git@v5.17.0...v5.17.1) #### What's Changed - build: Update module github.com/cloudflare/circl to v1.6.3 \[SECURITY] (releases/v5.x) by [@​go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#​1930](go-git/go-git#1930) - \[v5] plumbing: format/index, Improve v4 entry name validation by [@​pjbgf](https://github.com/pjbgf) in [#​1935](go-git/go-git#1935) - \[v5] plumbing: format/idxfile, Fix version and fanout checks by [@​pjbgf](https://github.com/pjbgf) in [#​1937](go-git/go-git#1937) **Full Changelog**: <go-git/go-git@v5.17.0...v5.17.1> ### [`v5.17.0`](https://github.com/go-git/go-git/releases/tag/v5.17.0) [Compare Source](go-git/go-git@v5.16.5...v5.17.0) #### What's Changed - build: Update module github.com/go-git/go-git/v5 to v5.16.5 \[SECURITY] (releases/v5.x) by [@​go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#​1839](go-git/go-git#1839) - git: worktree, optimize infiles function for very large repos by [@​k-anshul](https://github.com/k-anshul) in [#​1853](go-git/go-git#1853) - git: Add strict checks for supported extensions by [@​pjbgf](https://github.com/pjbgf) in [#​1861](go-git/go-git#1861) - backport, git: Improve Status() speed with new index.ModTime check by [@​cedric-appdirect](https://github.com/cedric-appdirect) in [#​1862](go-git/go-git#1862) - storage: filesystem, Avoid overwriting loose obj files by [@​pjbgf](https://github.com/pjbgf) in [#​1864](go-git/go-git#1864) **Full Changelog**: <go-git/go-git@v5.16.5...v5.17.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45OS4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTkuMSIsInRhcmdldEJyYW5jaCI6InYxNC4wL2Zvcmdlam8iLCJsYWJlbHMiOlsiZGVwZW5kZW5jeS11cGdyYWRlIiwidGVzdC9ub3QtbmVlZGVkIl19--> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11899 Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org> Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>
cgrdavies
added a commit
to cgrdavies/go-git
that referenced
this pull request
Apr 12, 2026
extensions() normalises all extension names with strings.ToLower, but the extensionsValidForV0 map keys were stored in camelCase. Because Go map lookups are case-sensitive, this caused every repository with extensions.worktreeConfig = true (set automatically by modern git when running `git sparse-checkout set` or `disable`) to fail to open with: core.repositoryformatversion does not support extension: worktreeconfig This regression was introduced in v5.17.0 by go-git#1861 and reported in go-git#1939 and go-git#1943. The fix has landed in main (v6) via go-git#1877 but was not backported to v5. This patch lowercases the three affected map keys to match the normalised input, resolving the regression without changing any other behaviour.
cgrdavies
added a commit
to cgrdavies/go-git
that referenced
this pull request
Apr 12, 2026
This patch makes go-git open repositories that have `extensions.worktreeConfig = true` set in their config — a common situation for modern git clients, since `git sparse-checkout set` and `git sparse-checkout disable` enable the extension automatically. There are two separate bugs in v5.17.x that must be fixed together: 1. extensions() normalises extension names with strings.ToLower, but the extensionsValidForV0 map keys were stored in camelCase. Go map lookups are case-sensitive, so the lookup for the normalised key "worktreeconfig" never matched the map key "worktreeConfig", and the V0 validation unconditionally rejected the extension. 2. After passing the V0 gate, verifyExtensions then checks every extension against builtinExtensions. worktreeConfig was missing from that map, so v5 still rejected it with "unknown extension: worktreeconfig". The first bug was introduced in v5.17.0 (go-git#1861). Both are fixed in main (go-git#1877) which is only available in v6-alpha. This patch applies the minimum viable backport for v5: lowercase the V0 map keys and add worktreeconfig to builtinExtensions. Per-worktree config files (.git/config.worktree) are not read, which matches behaviour prior to v5.17.0 — the shared repository config continues to work unchanged. Refs: go-git#1939, go-git#1943, go-git#1877
cgrdavies
added a commit
to cgrdavies/go-git
that referenced
this pull request
Apr 12, 2026
This patch makes go-git open repositories that have `extensions.worktreeConfig = true` set in their config — a common situation for modern git clients, since `git sparse-checkout set` and `git sparse-checkout disable` enable the extension automatically. There are two separate bugs in v5.17.x that must be fixed together: 1. extensions() normalises extension names with strings.ToLower, but the extensionsValidForV0 map keys were stored in camelCase. Go map lookups are case-sensitive, so the lookup for the normalised key "worktreeconfig" never matched the map key "worktreeConfig", and the V0 validation unconditionally rejected the extension. 2. After passing the V0 gate, verifyExtensions then checks every extension against builtinExtensions. worktreeConfig was missing from that map, so v5 still rejected it with "unknown extension: worktreeconfig". The first bug was introduced in v5.17.0 (go-git#1861). Both are fixed in main (go-git#1877) which is only available in v6-alpha. This patch applies the minimum viable backport for v5: lowercase the V0 map keys and add worktreeconfig to builtinExtensions. Per-worktree config files (.git/config.worktree) are not read, which matches behaviour prior to v5.17.0 — the shared repository config continues to work unchanged. Refs: go-git#1939, go-git#1943, go-git#1877
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The upstream Git enforces fail-safe heuristics to ensure that older git versions will avoid handling repositories using extensions they are unaware of.
The logic is largely based on the value of
core.repositoryformatversion. As per official Git docs:Now go-git will ensure that:
git.Openlogic will verify and enforces the extension support rules.This is a breaking change and it will force go-git to not be able to open repositories that it in fact doesn't really support. Conversaly, the error messages will be more useful (e.g.
unknown extension: Xvsobject not found).Upstream refs:
Back-port of #1850.