Update module github.com/go-git/go-git/v5 to v5.18.0 [SECURITY] (release-v0.8)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/go-git/go-git/v5	v5.17.1 → v5.18.0

---

go-git: Credential leak via cross-host redirect in smart HTTP transport

GHSA-3xc5-wrhm-f963

More information

Details

Impact

go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations.

If a remote repository responds to the initial /info/refs request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host.

An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential.

Clients using go-git exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue. The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data.

Patches

Users should upgrade to v5.18.0, or v6.0.0-alpha.2, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

The patched versions add support for configuring followRedirects. In line with upstream behaviour, the default is now initial, while users can opt into FollowRedirects or NoFollowRedirects programmatically.

Credit

Thanks to the 3 separate reports from @​celinke97, @​N0zoM1z0 and @​AyushParkara. Thanks for finding and reporting this issue privately to the go-git project. 🙇

Severity

• CVSS Score: 4.7 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

References

• https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963
• https://github.com/advisories/GHSA-3xc5-wrhm-f963

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.18.0

Compare Source

What's Changed

• plumbing: transport/http, Add support for followRedirects policy by @​pjbgf in #​2004

Full Changelog: go-git/go-git@v5.17.2...v5.18.0

v5.17.2

Compare Source

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in #​1941
• dotgit: skip writing pack files that already exist on disk by @​pjbgf in #​1944

⚠️ This release fixes a bug (#​1942) that blocked some users from upgrading to v5.17.1. Thanks @​pskrbasu for reporting it. 🙇

Full Changelog: go-git/go-git@v5.17.1...v5.17.2

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: acceptance/go.sum

Command failed: go mod tidy
go: downloading github.com/onsi/ginkgo v1.16.5
go: downloading github.com/onsi/gomega v1.38.2
go: downloading github.com/yudai/pp v2.0.1+incompatible
go: downloading gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
go: downloading github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399
go: downloading go.uber.org/goleak v1.3.0
go: downloading gotest.tools/v3 v3.5.2
go: downloading gotest.tools v2.2.0+incompatible
go: downloading github.com/go-openapi/testify/v2 v2.4.1
go: downloading github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d
go: downloading github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb
go: downloading github.com/elazarl/goproxy v1.7.2
go: downloading github.com/creack/pty v1.1.24
go: downloading github.com/hashicorp/go-hclog v1.6.3
go: downloading github.com/onsi/ginkgo/v2 v2.27.2
go: downloading k8s.io/apiserver v0.35.2
go: downloading k8s.io/component-base v0.35.2
go: downloading github.com/tektoncd/triggers v0.35.0
go: downloading github.com/sassoftware/relic/v7 v7.6.2
go: downloading github.com/go-quicktest/qt v1.101.0
go: downloading golang.org/x/tools v0.43.0
go: downloading github.com/nxadm/tail v1.4.11
go: downloading github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5
go: downloading github.com/go-openapi/testify/enable/yaml/v2 v2.4.1
go: downloading github.com/google/trillian v1.7.2
go: downloading github.com/go-sql-driver/mysql v1.9.3
go: downloading github.com/jackc/pgx/v5 v5.7.5
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.4
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.4
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.4
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.4
go: downloading github.com/tink-crypto/tink-go-awskms/v2 v2.1.0
go: downloading github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0
go: downloading github.com/tink-crypto/tink-go-hcvault/v2 v2.4.0
go: downloading github.com/tink-crypto/tink-go/v2 v2.6.0
go: downloading go.step.sm/crypto v0.75.0
go: downloading github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
go: downloading github.com/gliderlabs/ssh v0.3.8
go: downloading github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6
go: downloading github.com/go-rod/rod v0.116.2
go: downloading k8s.io/cli-runtime v0.34.2
go: downloading knative.dev/serving v0.39.4
go: downloading github.com/blendle/zapdriver v1.3.1
go: downloading software.sslmate.com/src/go-pkcs12 v0.4.0
go: downloading github.com/cloudevents/sdk-go/v2 v2.16.2
go: downloading github.com/google/gofuzz v1.2.0
go: downloading github.com/lib/pq v1.10.9
go: downloading github.com/hashicorp/go-uuid v1.0.3
go: downloading gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7
go: downloading github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
go: downloading google.golang.org/api v0.271.0
go: downloading github.com/kylelemons/godebug v1.1.0
go: downloading filippo.io/edwards25519 v1.1.1
go: downloading github.com/jackc/pgpassfile v1.0.0
go: downloading github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761
go: downloading github.com/jmhodges/clock v1.2.0
go: downloading github.com/aws/aws-sdk-go-v2 v1.41.4
go: downloading github.com/aws/aws-sdk-go-v2/config v1.32.12
go: downloading github.com/aws/aws-sdk-go-v2/service/kms v1.49.5
go: downloading github.com/jellydator/ttlcache/v3 v3.4.0
go: downloading github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
go: downloading github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
go: downloading github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
go: downloading github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0
go: downloading cloud.google.com/go/kms v1.25.0
go: downloading github.com/hashicorp/vault/api v1.22.0
go: downloading github.com/aws/aws-sdk-go v1.55.8
go: downloading github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be
go: downloading github.com/moby/sys/atomicwriter v0.1.0
go: downloading github.com/ysmood/goob v0.4.0
go: downloading github.com/ysmood/got v0.40.0
go: downloading github.com/ysmood/gson v0.7.3
go: downloading github.com/ysmood/fetchup v0.2.3
go: downloading github.com/ysmood/leakless v0.9.0
go: downloading github.com/Masterminds/semver/v3 v3.4.0
go: downloading github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
go: downloading go.etcd.io/etcd/client/pkg/v3 v3.6.5
go: downloading go.etcd.io/etcd/client/v3 v3.6.5
go: downloading go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0
go: downloading github.com/google/btree v1.1.3
go: downloading github.com/evanphx/json-patch v5.9.0+incompatible
go: downloading github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de
go: downloading knative.dev/eventing v0.30.3
go: downloading knative.dev/networking v0.0.0-20231017124814-2a7676e912b7
go: downloading github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef
go: downloading github.com/zalando/go-keyring v0.2.3
go: downloading github.com/kelseyhightower/envconfig v1.4.0
go: downloading github.com/fsnotify/fsnotify v1.9.0
go: downloading cloud.google.com/go/auth v0.18.2
go: downloading cloud.google.com/go v0.123.0
go: downloading github.com/golang/protobuf v1.5.4
go: downloading github.com/hashicorp/golang-lru/v2 v2.0.7
go: downloading github.com/aws/smithy-go v1.24.2
go: downloading github.com/aws/aws-sdk-go-v2/credentials v1.19.12
go: downloading github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20
go: downloading github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6
go: downloading github.com/aws/aws-sdk-go-v2/service/signin v1.0.8
go: downloading github.com/aws/aws-sdk-go-v2/service/sso v1.30.13
go: downloading github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17
go: downloading github.com/aws/aws-sdk-go-v2/service/sts v1.41.9
go: downloading github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20
go: downloading github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2
go: downloading github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0
go: downloading github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0
go: downloading cloud.google.com/go/iam v1.5.3
go: downloading cloud.google.com/go/longrunning v0.8.0
go: downloading github.com/googleapis/gax-go/v2 v2.17.0
go: downloading github.com/hashicorp/errwrap v1.1.0
go: downloading github.com/hashicorp/go-multierror v1.1.1
go: downloading github.com/hashicorp/go-rootcerts v1.0.2
go: downloading github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0
go: downloading github.com/hashicorp/go-secure-stdlib/strutil v0.1.2
go: downloading github.com/hashicorp/hcl v1.0.1-vault-7
go: downloading github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c
go: downloading github.com/shoenig/test v0.6.4
go: downloading github.com/go-task/slim-sprig/v3 v3.0.0
go: downloading github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0
go: downloading sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2
go: downloading go.etcd.io/etcd/api/v3 v3.6.5
go: downloading github.com/coreos/go-systemd/v22 v22.7.0
go: downloading github.com/coreos/go-semver v0.3.1
go: downloading github.com/danieljoos/wincred v1.2.3
go: downloading github.com/godbus/dbus/v5 v5.1.0
go: downloading cuelabs.dev/go/oci/ociregistry v0.0.0-20251212221603-3adeb8663819
go: downloading github.com/pelletier/go-toml/v2 v2.2.4
go: downloading cloud.google.com/go/compute/metadata v0.9.0
go: downloading cloud.google.com/go/compute v1.54.0
go: downloading cloud.google.com/go/auth/oauth2adapt v0.2.8
go: downloading github.com/google/s2a-go v0.1.9
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20
go: downloading github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20
go: downloading github.com/hashicorp/go-sockaddr v1.0.7
go: downloading github.com/ryanuber/go-glob v1.0.0
go: downloading github.com/natefinch/atomic v1.0.1
go: downloading github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24
go: downloading github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading github.com/emicklei/proto v1.14.3
go: downloading github.com/protocolbuffers/txtpbfmt v0.0.0-20260217160748-a481f6a22f94
go: downloading github.com/googleapis/enterprise-certificate-proxy v0.3.14
go: downloading gonum.org/v1/gonum v0.16.0
go: downloading github.com/jackc/puddle/v2 v2.2.2
go: downloading github.com/golang-jwt/jwt/v5 v5.3.0
go: downloading github.com/mitchellh/go-wordwrap v1.0.1
go: finding module for package knative.dev/pkg/metrics
go: downloading knative.dev/pkg v0.0.0-20260422015212-ec452872dcc1
go: finding module for package knative.dev/pkg/tracing/config
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/metrics: module knative.dev/pkg@latest found (v0.0.0-20260422015212-ec452872dcc1), but does not contain package knative.dev/pkg/metrics
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/tracing/config: module knative.dev/pkg@latest found (v0.0.0-20260422015212-ec452872dcc1), but does not contain package knative.dev/pkg/tracing/config