Bump github.com/go-git/go-git/v5 from 5.16.2 to 5.19.1 in the oc-mirror-v2-security-updates group across 1 directory

[dependabot]

Bumps the oc-mirror-v2-security-updates group with 1 update in the / directory: github.com/go-git/go-git/v5.

Updates github.com/go-git/go-git/v5 from 5.16.2 to 5.19.1

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.19.1

What's Changed

• v5: plumbing: transport/ssh, Shell-quote path by @​hiddeco in go-git/go-git#2068
• v5: git: submodule, Fix relative URL resolution by @​hiddeco in go-git/go-git#2070
• v5: git: submodule, canonical remote for relative URLs by @​hiddeco in go-git/go-git#2074
• v5: git: submodule, error on remote without URLs by @​hiddeco in go-git/go-git#2078
• v5: plumbing: format/idxfile, Validate offset64 indices by @​hiddeco in go-git/go-git#2084
• v5: *: Reject malformed variable-length integers by @​hiddeco in go-git/go-git#2092
• v5: plumbing: format/packfile, Tighten delta validation by @​hiddeco in go-git/go-git#2091
• v5: Add worktreeFilesystem wrapper for worktree and hardening by @​hiddeco in go-git/go-git#2100
• v5: config: validate submodule names by @​hiddeco in go-git/go-git#2082
• build: Update module github.com/go-git/go-git/v5 to v5.19.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#2111
• v5: git: Allow MkdirAll on worktree-root paths by @​hiddeco in go-git/go-git#2117
• v5: git: Stop validating symlink target paths by @​pjbgf in go-git/go-git#2116
• v5: plumbing: format decoder input bounds and contracts by @​hiddeco in go-git/go-git#2125
• plumbing: format/packfile, cap delta chain depth in parser by @​pjbgf in go-git/go-git#2137

Full Changelog: go-git/go-git@v5.19.0...v5.19.1

v5.19.0

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.18.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#2010
• v5: Bump sha1cd and go-billy by @​pjbgf in go-git/go-git#2060
• v5: Align object encoding with upstream by @​pjbgf in go-git/go-git#2065

Full Changelog: go-git/go-git@v5.18.0...v5.19.0

v5.18.0

What's Changed

• plumbing: transport/http, Add support for followRedirects policy by @​pjbgf in go-git/go-git#2004

Full Changelog: go-git/go-git@v5.17.2...v5.18.0

v5.17.2

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1941
• dotgit: skip writing pack files that already exist on disk by @​pjbgf in go-git/go-git#1944

⚠️ This release fixes a bug (go-git/go-git#1942) that blocked some users from upgrading to v5.17.1. Thanks @​pskrbasu for reporting it. 🙇

Full Changelog: go-git/go-git@v5.17.1...v5.17.2

v5.17.1

What's Changed

• build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1930
• [v5] plumbing: format/index, Improve v4 entry name validation by @​pjbgf in go-git/go-git#1935
• [v5] plumbing: format/idxfile, Fix version and fanout checks by @​pjbgf in go-git/go-git#1937

... (truncated)

Commits

• 3c3be60 Merge pull request #2137 from go-git/validate-v5
• 3fba897 plumbing: format/packfile, cap delta chain depth in parser
• a97d660 Merge pull request #2125 from hiddeco/v5/format-input-bounds
• aeaa125 plumbing: format/objfile, require Header before Read
• 1f38e17 plumbing: format/packfile, bound inflate size
• f7545a0 plumbing: format/idxfile, bound nr by file size
• 170b881 Merge pull request #2116 from pjbgf/symlink-v5
• 7b6d994 Merge pull request #2117 from hiddeco/v5/worktree-fs-mkdirall-root-noop
• f0709b3 git: Stop validating symlink target paths
• 776d00f git: Allow MkdirAll on worktree-root paths
• Additional commits viewable in compare view

Summary by CodeRabbit

• Chores
  • Upgraded Go runtime to version 1.25.0.
  • Updated dependencies to latest stable versions for improved security and performance, including cryptography, networking, and git-related packages.

[coderabbitai]

Walkthrough

Updates the module directive to Go 1.25.0 and bumps versions for multiple dependencies in go.mod, including golang.org/x/crypto, golang.org/x/sync, golang.org/x/term, github.com/go-git/*, github.com/cyphar/filepath-securejoin, and several indirect golang.org/x packages.

Changes

Dependency Version Bumps

Layer / File(s)	Summary
Go toolchain and core golang.org/x deps go.mod	Module go set from 1.24.3 → 1.25.0. Bumped golang.org/x/crypto, golang.org/x/exp (indirect pseudo-version), golang.org/x/sync, and golang.org/x/term to newer versions.
Third-party and transitive deps go.mod	Bumped github.com/cyphar/filepath-securejoin (v0.4.1 → v0.6.1), github.com/go-git/go-billy/v5 (v5.6.2 → v5.9.0), github.com/go-git/go-git/v5 (v5.16.2 → v5.19.1), and indirect golang.org/x/net, golang.org/x/sys, golang.org/x/text versions. golang.org/x/oauth2 remains at v0.33.0.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5 | ❌ 10

❌ Failed checks (10 inconclusive)

Check name	Status	Explanation	Resolution
Stable And Deterministic Test Names	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Test Structure And Quality	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Microshift Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Single Node Openshift (Sno) Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Topology-Aware Scheduling Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ote Binary Stdout Contract	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ipv6 And Disconnected Network Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Weak-Crypto	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Container-Privileges	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Sensitive-Data-In-Logs	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title specifically mentions bumping github.com/go-git/go-git/v5 from 5.16.2 to 5.19.1, which is one of the main changes, but the PR also includes updates to multiple other dependencies (golang.org/x/crypto, golang.org/x/sync, golang.org/x/term, go-billy, and several golang.org/x packages) and upgrades the Go version from 1.24.3 to 1.25.0.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/go_modules/oc-mirror-v2-security-updates-f67f74747b

Warning

Tools execution failed with the following error:

Failed to run tools: 13 INTERNAL: Received RST_STREAM with code 2 (Internal server error)

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[aguidirh]

/ok-to-test

[openshift-ci-robot]

@dependabot[bot]: This pull request explicitly references no jira issue.

Details

In response to this:

Bumps the oc-mirror-v2-security-updates group with 1 update in the / directory: github.com/go-git/go-git/v5.

Updates github.com/go-git/go-git/v5 from 5.16.2 to 5.17.1

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.17.1

What's Changed

• build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1930
• [v5] plumbing: format/index, Improve v4 entry name validation by @​pjbgf in go-git/go-git#1935
• [v5] plumbing: format/idxfile, Fix version and fanout checks by @​pjbgf in go-git/go-git#1937

Full Changelog: go-git/go-git@v5.17.0...v5.17.1

v5.17.0

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1839
• git: worktree, optimize infiles function for very large repos by @​k-anshul in go-git/go-git#1853
• git: Add strict checks for supported extensions by @​pjbgf in go-git/go-git#1861
• backport, git: Improve Status() speed with new index.ModTime check by @​cedric-appdirect in go-git/go-git#1862
• storage: filesystem, Avoid overwriting loose obj files by @​pjbgf in go-git/go-git#1864

Full Changelog: go-git/go-git@v5.16.5...v5.17.0

v5.16.5

What's Changed

• build: Update module golang.org/x/crypto to v0.45.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1744
• build: Bump Go test versions to 1.23-1.25 (v5) by @​pjbgf in go-git/go-git#1746
• [v5] git: worktree, Don't delete local untracked files when resetting worktree by @​Ch00k in go-git/go-git#1800
• Expand packfile checks by @​pjbgf in go-git/go-git#1836

Full Changelog: go-git/go-git@v5.16.4...v5.16.5

v5.16.4

What's Changed

• backport plumbing: format/idxfile, prevent panic by @​swills in go-git/go-git#1732
• [backport] build: test, Fix build on Windows. by @​pjbgf in go-git/go-git#1734
• build: Update module golang.org/x/net to v0.38.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1742
• build: Update module github.com/cloudflare/circl to v1.6.1 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1741
• build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1743

Full Changelog: go-git/go-git@v5.16.3...v5.16.4

v5.16.3

What's Changed

• internal: Expand regex to fix build [5.x] by @​baloo in go-git/go-git#1644
• build: raise timeouts for windows CI tests and disable CIFuzz [5.x] by @​baloo in go-git/go-git#1646
• plumbing: support commits extra headers, support jujutsu signed commit [5.x] by @​baloo in go-git/go-git#1633

Full Changelog: go-git/go-git@v5.16.2...v5.16.3

Commits

• 5e23dfd Merge pull request #1937 from pjbgf/idx-v5
• 6b38a32 Merge pull request #1935 from pjbgf/index-v5
• cd757fc plumbing: format/idxfile, Fix version and fanout checks
• 3ec0d70 plumbing: format/index, Fix tree extension invalidated entry parsing
• dbe10b6 plumbing: format/index, Align V2/V3 long name and V4 prefix encoding with Git
• e9b65df plumbing: format/index, Improve v4 entry name validation
• adad18d Merge pull request #1930 from go-git/renovate/releases/v5.x-go-github.com-clo...
• 29470bd build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY]
• bdf0688 Merge pull request #1864 from pjbgf/v5-issue-55
• 5290e52 storage: filesystem, Avoid overwriting loose obj files. Fixes #55
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

rebase

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[aguidirh]

@dependabot rebase

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aguidirh, dependabot[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [aguidirh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 29-32: The go.mod update lists bumped modules (golang.org/x/crypto
v0.50.0, golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f, golang.org/x/sync
v0.20.0, golang.org/x/term v0.42.0) but lacks verification evidence; run an OSV
querybatch for those exact module@version identifiers and retrieve the Go proxy
metadata (the `@v/`<version>.info JSON) for each module version (or attach the CI
artifact that contains that metadata) and include both sets of outputs in the PR
so reviewers can see there are no OSV/CVE matches and that none of the versions
are yanked or pre-release. Ensure the attached evidence explicitly references
the four module@version strings above and make it easy to inspect (e.g., raw
JSON or CI job artifact links).
- Line 3: The go.mod line "go 1.25.0" may pin a toolchain newer than CI/build
images support; verify all CI jobs, Dockerfiles/Containerfiles, Makefile
targets, and any workflow YAMLs reference or use a Go version that supports 1.25
(search for golang:*, GO_VERSION, toolchain go1.* entries), and either update
those images/vars to golang:1.25.x or lower the go.mod "go" directive to the
highest Go minor version guaranteed in CI; after aligning versions, run the
provided shell checks and CI locally to confirm builds/tests pass before
merging.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fbaf069e-be4e-494a-80ae-8ea9ba5e8c8e

📥 Commits

Reviewing files that changed from the base of the PR and between 79b1082 and f403b62.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate CI/tooling support for Go 1.25.0 before merge.

Please confirm all build/test images and CI jobs are already on Go 1.25.x; otherwise this can cause immediate pipeline breakage after merge.

#!/bin/bash
set -euo pipefail

echo "== Files that pin Go/toolchain versions =="
fd -i '(^|\.)(go\.mod|Dockerfile|Containerfile|Makefile|\.yml|\.yaml)$' . \
  | xargs -r rg -n -C2 -e '\bgo\s+1\.' -e 'golang:1\.' -e 'GO_VERSION' -e 'toolchain\s+go1\.'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 3, The go.mod line "go 1.25.0" may pin a toolchain newer than
CI/build images support; verify all CI jobs, Dockerfiles/Containerfiles,
Makefile targets, and any workflow YAMLs reference or use a Go version that
supports 1.25 (search for golang:*, GO_VERSION, toolchain go1.* entries), and
either update those images/vars to golang:1.25.x or lower the go.mod "go"
directive to the highest Go minor version guaranteed in CI; after aligning
versions, run the provided shell checks and CI locally to confirm builds/tests
pass before merging.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify exact versions and release stability for the bumped modules in go.mod
mods=(
  "golang.org/x/crypto@v0.50.0"
  "golang.org/x/exp@v0.0.0-20260410095643-746e56fc9e2f"
  "golang.org/x/sync@v0.20.0"
  "golang.org/x/term@v0.42.0"
  "github.com/cyphar/filepath-securejoin@v0.6.1"
  "github.com/go-git/go-billy/v5@v5.9.0"
  "github.com/go-git/go-git/v5@v5.19.1"
  "golang.org/x/net@v0.53.0"
  "golang.org/x/sys@v0.43.0"
  "golang.org/x/text@v0.36.0"
)

echo "== OSV check (querybatch) =="
payload="$(printf '%s\n' "${mods[@]}" | awk -F@ '{printf "{\"package\":{\"ecosystem\":\"Go\",\"name\":\"%s\"},\"version\":\"%s\"}\n",$1,$2}' | jq -s '{queries:.}')"
curl -sS https://api.osv.dev/v1/querybatch \
  -H 'content-type: application/json' \
  -d "$payload" | jq .

echo "== Go proxy metadata (sanity: version exists) =="
for m in "${mods[@]}"; do
  mod="${m%@*}"
  ver="${m#*@}"
  enc_mod="${mod//\//%2F}"
  echo "--- $m"
  curl -fsS "https://proxy.golang.org/${mod}/@v/${ver}.info" | jq . || echo "missing on proxy: $m"
done

Repository: openshift/oc-mirror

Length of output: 1925

---

Add OSV/CVE and yanked/pre-release verification evidence for bumped go.mod modules

The dependency versions are pinned, but there’s no attached output showing the bumped modules are free of OSV advisories and are not yanked/pre-release. Attach the OSV querybatch results and Go proxy @v/<version>.info metadata (or the CI artifact) for at least: golang.org/x/crypto@v0.50.0, golang.org/x/exp@v0.0.0-20260410095643-746e56fc9e2f, golang.org/x/sync@v0.20.0, golang.org/x/term@v0.42.0.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 29 - 32, The go.mod update lists bumped modules
(golang.org/x/crypto v0.50.0, golang.org/x/exp
v0.0.0-20260410095643-746e56fc9e2f, golang.org/x/sync v0.20.0, golang.org/x/term
v0.42.0) but lacks verification evidence; run an OSV querybatch for those exact
module@version identifiers and retrieve the Go proxy metadata (the
`@v/`<version>.info JSON) for each module version (or attach the CI artifact that
contains that metadata) and include both sets of outputs in the PR so reviewers
can see there are no OSV/CVE matches and that none of the versions are yanked or
pre-release. Ensure the attached evidence explicitly references the four
module@version strings above and make it easy to inspect (e.g., raw JSON or CI
job artifact links).

[openshift-ci]

@dependabot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-images	f403b62	link	true	/test okd-scos-images
ci/prow/lint	f403b62	link	true	/test lint
ci/prow/sanity	f403b62	link	true	/test sanity
ci/prow/integration	f403b62	link	true	/test integration
ci/prow/images	f403b62	link	true	/test images
ci/prow/unit	f403b62	link	true	/test unit

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.