Bump go-git to v5.13.1 (CVE-2025-21613) #2822

Open
wants to merge 1 commit into
base: dev

@hightoxicity hightoxicity commented Jan 8, 2025

Bump go-git to v5.13.1 to avoid the binary being flagged as unhealthy by security scans for CVE-2025-21613

  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • The pull request is targeting the dev branch.
  • The code has been validated to compile successfully by running go vet ./....
  • The code has been formatted properly using go fmt ./....

Contributor

github-actions bot commented Jan 8, 2025

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@EyalDelarea
Contributor

Hey @hightoxicity,

Thanks for your contribution!

As highlighted in the following PR: #2816, this introduces a breaking change in our repositories, which needs to be resolved before we can proceed with updating the dependency.

@hightoxicity
Author

#2816

Hey @EyalDelarea, does it only mean jfrog/froggit-go#142 needs to be merged, a version tagged there, and the froggit-go dependency updated to the new version in the jfrog-cli dependencies?

@EyalDelarea
Contributor

> #2816
>
> Hey @EyalDelarea, does it only mean jfrog/froggit-go#142 needs to be merged, a version tagged there, and the froggit-go dependency updated to the new version in the jfrog-cli dependencies?

This issue needs to be addressed in Froggit-Go, as the update is introducing breaking changes to the APIs. Once fixed, it should be released and then updated across all the other relevant places.
