Bump github.com/go-git/go-git/v5 from 5.13.1 to 5.16.5 #162
dependabot[bot] wants to merge 2 commits into main from
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.13.1 to 5.16.5.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.13.1...v5.16.5)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.16.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Cre-eD added a commit that referenced this pull request on May 6, 2026
Phase 1 of CIS Docker Benchmark + OWASP Container Top 10 hardening pass.

All 5 published images rebuilt; baseline → hardened CVE counts:
  kubectl: 1H → 0
  cloud-helpers: 4H → 4H (glibc fix not yet in AL2023 dnf, deferred)
  caddy: 48 (5H/5M/3L+stdlib+core) → 10 (upstream transitives)
  github-actions: 38 (13 alpine + 25 binary + 2 secrets) → 2 (deferred)
  github-actions-staging: same as prod (synced)

Dockerfile changes (CIS 4.1/4.2/4.3/4.6/4.7/4.9, OWASP Container 02):
- All FROM bases pinned by @sha256: digest
- Pulumi installer replaced with checksum-verified tarball download (no more `curl | sh`); checksums fetched per-version from GitHub Releases pulumi-${VERSION}-checksums.txt
- Google Cloud SDK pinned to 567.0.0 with inline SHA-256 ARG
- github-actions(+staging) split into builder/runtime stages; runtime drops py3-pip, binutils, upx, bundledpythonunix; image 1.51GB→1.24GB
- urllib3 dummyserver test fixtures (Trivy "secret" findings) removed
- kubectl runs as non-root UID 10001
- Caddy bumped 2.8.4 → 2.11.2; certmagic-gcs 0.1.2 → 0.1.7
- Alpine 3.19 → 3.21 in github-actions(+staging) (clears musl, openssh, busybox CVEs)
- HEALTHCHECK added to kubectl, caddy, github-actions(+staging)
- cloud-helpers ADD → COPY

Go module bumps (clears 25 CVEs in the baked github-actions binary):
  google.golang.org/grpc 1.72.1 → 1.80.0 (CRIT CVE-2026-33186)
  go.opentelemetry.io/otel 1.36.0 → 1.43.0 (HIGH CVE-2026-29181)
  go.opentelemetry.io/otel/sdk 1.36.0 → 1.43.0 (HIGH CVE-2026-24051, CVE-2026-39883)
  github.com/go-git/go-git/v5 5.13.1 → 5.18.0 (HIGH CVE-2026-25934, CVE-2026-34165, CVE-2026-41506)
  github.com/go-jose/go-jose/v3 3.0.4 → 3.0.5 (HIGH CVE-2026-34986)
  github.com/go-jose/go-jose/v4 4.1.3 → 4.1.4 (HIGH CVE-2026-34986)
  github.com/aws/aws-sdk-go-v2 1.26.1 → 1.41.5 (MED GHSA-xmrv-pmrh-hhx2)
  github.com/aws/aws-sdk-go-v2/service/s3 1.53.1 → 1.97.3 (MED GHSA-xmrv-pmrh-hhx2)
  github.com/cloudflare/circl 1.6.1 → 1.6.3 (LOW CVE-2026-1229)
  toolchain go1.25.1 → go1.25.9 (clears ~15 stdlib CVEs incl. crypto/tls, crypto/x509, encoding/pem, net/url, html/template)

Supersedes Dependabot PR #162 (go-git 5.13.1 → 5.16.5 — insufficient, needed 5.18.0 for CVE-2026-41506).

Deferred (no upstream fix available):
- github.com/docker/docker CVE-2026-34040/33997: Trivy points to v29.3.1 but only v28.5.2+incompatible is published on proxy.golang.org. Reachability: pkg/clouds/pulumi/docker/pull.go uses Docker client for image pulls in Pulumi flows; auth-bypass is exploitable only against a malicious Docker daemon.
- glibc CVE-2026-4046 in cloud-helpers: AL2023 dnf has not yet shipped 2.34-231.amzn2023.0.4. Hardened Dockerfile runs `dnf upgrade` and will pick up the fix automatically. Reachability: glibc iconv() DoS via crafted charset; cloud-helpers Go binary doesn't call iconv. LOW risk.
- Caddy upstream transitive deps in 2.11.2 binary (10 vulns): xcaddy can override direct deps via --with but not transitives in Caddy core's go.mod. Closes when Caddy 2.11.3+ ships.
Cre-eD added a commit that referenced this pull request on May 7, 2026
…se 1) (#227)

## Summary

Phase 1 of a CIS Docker Benchmark + OWASP Container Top 10 hardening pass on this repo's published artifacts. All 5 published images rebuilt; CVE counts before → after:

| Image | Before | After | Notes |
|---|---|---|---|
| `simplecontainer/kubectl` | 1 HIGH | **0** | clean |
| `simplecontainer/cloud-helpers:aws-*` | 4 HIGH | 4 HIGH (deferred) | glibc fix not yet in AL2023 dnf — auto-applies on next rebuild |
| `simplecontainer/caddy` | 48 (5H/5M/3L + Caddy core + Go stdlib) | 10 (upstream transitives) | Caddy 2.8.4 → 2.11.2 |
| `simplecontainer/github-actions` | 38 (13 alpine + 25 binary + 2 secrets) | **2** (deferred) | image 1.51GB → 1.24GB |
| `simplecontainer/github-actions:staging` | same as prod | same as prod | synced |

**Grype cross-check (`--only-fixed`):** kubectl / caddy / github-actions / staging — `No vulnerabilities found`. cloud-helpers — only the deferred glibc.

Supersedes Dependabot PR #162 (go-git 5.13.1 → 5.16.5 was insufficient; this PR moves to 5.18.0 to clear CVE-2026-41506).

## Fixed — Dockerfile changes (CIS Docker Benchmark §4)

| CIS | What changed |
|---|---|
| 4.1 | `kubectl` runs as non-root UID 10001 |
| 4.2 / 4.7 | All `FROM` bases pinned by `@sha256:` digest (no floating tags) |
| 4.3 | Multi-stage rewrite of `github-actions(+staging).Dockerfile`: builder keeps `binutils`, `upx`, `python3` for `gcloud components install`; runtime drops them and `py3-pip`. `bundledpythonunix` and `urllib3` dummyserver test fixtures removed |
| 4.6 | `HEALTHCHECK` added to kubectl, caddy, github-actions(+staging) |
| 4.9 | `cloud-helpers.aws.Dockerfile`: `ADD` → `COPY` |
| SSCS §5 | Pulumi installer replaced with verified tarball download (per-version `pulumi-${VERSION}-checksums.txt` from GitHub Releases). Google Cloud SDK pinned to 567.0.0 with inline SHA-256 ARG. **No remaining `curl \| sh`** in any Dockerfile |
| OWASP Container 02 | Every third-party download verified before use |

Caddy upgraded 2.8.4 → 2.11.2, certmagic-gcs 0.1.2 → 0.1.7. Alpine 3.19 → 3.21 for github-actions(+staging) (clears `musl`, `openssh-client-common`, `busybox` CVEs).

## Fixed — Go module bumps (clears CVEs in the baked `github-actions` binary)

| Module | Before → After | Severity |
|---|---|---|
| `google.golang.org/grpc` | 1.72.1 → 1.80.0 | **CRITICAL** (CVE-2026-33186) |
| `go.opentelemetry.io/otel` | 1.36.0 → 1.43.0 | HIGH (CVE-2026-29181) |
| `go.opentelemetry.io/otel/sdk` | 1.36.0 → 1.43.0 | HIGH (CVE-2026-24051, CVE-2026-39883) |
| `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` | 1.36.0 → 1.43.0 | MEDIUM (CVE-2026-39882) |
| `github.com/go-git/go-git/v5` | 5.13.1 → 5.18.0 | HIGH (CVE-2026-25934, 34165, 41506) + LOW (CVE-2026-33762) |
| `github.com/go-jose/go-jose/v3` | 3.0.4 → 3.0.5 | HIGH (CVE-2026-34986) |
| `github.com/go-jose/go-jose/v4` | 4.1.3 → 4.1.4 | HIGH (CVE-2026-34986) |
| `github.com/aws/aws-sdk-go-v2` | 1.26.1 → 1.41.5 | MEDIUM (GHSA-xmrv-pmrh-hhx2) |
| `github.com/aws/aws-sdk-go-v2/service/s3` | 1.53.1 → 1.97.3 | MEDIUM (GHSA-xmrv-pmrh-hhx2) |
| `github.com/cloudflare/circl` | 1.6.1 → 1.6.3 | LOW (CVE-2026-1229) |
| `toolchain` | go1.25.1 → go1.25.9 | clears ~15 Go stdlib CVEs (`crypto/tls`, `crypto/x509`, `encoding/pem`, `net/url`, `html/template`, `archive/tar`, ...) |

## Deferred (no upstream fix available)

| Finding | Severity | Why | Reachability | When to revisit |
|---|---|---|---|---|
| `github.com/docker/docker` CVE-2026-34040 / 33997 | HIGH / MEDIUM | Trivy points to v29.3.1 but only `v28.5.2+incompatible` is published on `proxy.golang.org`. The Moby project may publish v29 later or under a new module path. | Used by `pkg/clouds/pulumi/docker/pull.go` for Pulumi image pulls. Auth-bypass is exploitable only against a malicious Docker daemon authorizing plugin install — not the case in our pipelines. | Re-check `go list -m -versions github.com/docker/docker` next pass |
| `glibc` CVE-2026-4046 in cloud-helpers AL2023 base | HIGH | AL2023 dnf has not yet shipped 2.34-231.amzn2023.0.4. Hardened Dockerfile already runs `dnf upgrade` so it will auto-apply on next image rebuild after Amazon publishes. | iconv() DoS via attacker-controlled charset; cloud-helpers Go Lambda runner doesn't call iconv. **LOW risk in this image.** | Next image rebuild after Amazon publishes (typically days/weeks) |
| Caddy 2.11.2 transitive deps (10 vulns) | 2C / 4H / 3M / 1L | xcaddy can override direct deps via `--with` but not arbitrary transitives in Caddy core's `go.mod` without forking. | Property of the upstream Caddy core build. | Caddy 2.11.3+ release |
| Caddy non-root USER | n/a | Requires `setcap CAP_NET_BIND_SERVICE` on binary plus coordinating cert/state directory ownership with consumer-mounted volumes. | n/a | Phase 2+ |
| github-actions non-root USER | n/a | GitHub docker-action runners mount `/github/workspace` as root; non-root USER triggers `safe.directory` failures and write-permission errors. | n/a | Track upstream GitHub guidance |

## Dependabot reconciliation

- **PR #162** (`go-git 5.13.1 → 5.16.5`): superseded by this PR (we move to 5.18.0 — needed for CVE-2026-41506 which 5.16.5 doesn't fix). Will be auto-closed when this PR merges; will leave a comment when ready.

## Evidence

```
# Trivy summary — kubectl
Before: 1 (LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
After: 0

# Trivy summary — github-actions
Before: 13 alpine + 25 binary + 2 secrets (incl. 2 CRIT, 10 HIGH in binary)
After: 0 alpine + 2 binary + 0 secrets (only deferred docker/docker)

# Grype --only-fixed cross-check
sca-test/kubectl:hardened                  No vulnerabilities found
sca-test/cloud-helpers:hardened            glibc … (deferred)
sca-test/caddy:hardened                    No vulnerabilities found
sca-test/github-actions:hardened           No vulnerabilities found
sca-test/github-actions:staging-hardened   No vulnerabilities found

# Image size
simplecontainer/github-actions:latest   1.51 GB
sca-test/github-actions:hardened        1.24 GB (-280 MB)
```

## Test plan

- [ ] CI builds all 5 images successfully on this branch (push.yaml docker-build matrix)
- [ ] `simplecontainer/github-actions:hardened` boots — `docker run … --version` works
- [ ] Pulumi flows still execute against new gcloud 567.0.0 + Pulumi 3.184.0 (auto-extracted from go.mod)
- [ ] Smoke test in [push.yaml](.github/workflows/push.yaml) builds — schema-gen, golangci-lint, go test all pass against bumped go.mod
- [ ] Branch preview run validates new images end-to-end before merge
- [ ] After merge, monitor Dependabot alerts auto-close on default branch

## Next phases (tracked separately)

2. Self-attest own artifacts — sign + scan + SBOM + SLSA provenance for `simplecontainer/*` images and `sc.tar.gz` tarballs
3. Workflow least-privilege & pinning — drop root `contents: write`, SHA-pin third-party actions, fix `pull_request` secret exposure, remove `--allow-insecure-entitlement`
4. Repo controls — CODEOWNERS, SECURITY.md, expanded Dependabot, CodeQL, gosec, branch rulesets
5. Code-level fixes — HMAC for `pkg/security/cache.go` tamper detection
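The checksum-verified download that replaces `curl | sh` in the hardening PR above, as an added shell example (not the repository's own Dockerfile code): it looks up the tarball's digest in a per-version checksums file and refuses to extract on mismatch or missing entry. The Pulumi release URL layout, asset names, and the sha256sum line format of the checksums file are assumptions; `demo_offline` builds a constructed sample in a temp directory so the check can be exercised without network access.

```shell
# verify_tarball TARBALL CHECKSUMS_FILE
# Exit status: 0 digest matches, 1 mismatch, 2 no entry for the file.
# Assumes CHECKSUMS_FILE holds "sha256  filename" lines (sha256sum output format).
verify_tarball() {
    tarball="$1"
    checksums="$2"
    name=$(basename "$tarball")
    # Exact match on the filename column (a leading '*' marks binary mode);
    # no pattern matching, so a similarly named entry cannot satisfy it.
    expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1; exit }' "$checksums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 2
    fi
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# fetch_and_verify VERSION: download the Pulumi tarball and its checksums file,
# verify, then extract; a failed verification deletes the tarball first.
# URL layout and asset names are assumptions taken from the commit message above.
fetch_and_verify() {
    version="$1"
    base="https://github.com/pulumi/pulumi/releases/download/v${version}"
    tarball="pulumi-v${version}-linux-x64.tar.gz"
    curl -fsSL -o "$tarball" "${base}/${tarball}" || return 3
    curl -fsSL -o checksums.txt "${base}/pulumi-${version}-checksums.txt" || return 3
    verify_tarball "$tarball" checksums.txt || { rm -f "$tarball"; return 1; }
    tar -xzf "$tarball"
}

# demo_offline: constructed tarball and checksums in a temp dir, no network.
# Returns 0 when the intact file verifies and the tampered copy is rejected.
demo_offline() {
    dir=$(mktemp -d)
    f="$dir/pulumi-v0.0.0-linux-x64.tar.gz"
    printf 'constructed sample payload\n' > "$f"
    (cd "$dir" && sha256sum pulumi-v0.0.0-linux-x64.tar.gz > checksums.txt)
    verify_tarball "$f" "$dir/checksums.txt" || return 1
    printf 'appended byte\n' >> "$f"           # simulate a tampered download
    if verify_tarball "$f" "$dir/checksums.txt" 2>/dev/null; then return 1; fi
    rm -rf "$dir"
}
```

In a Dockerfile this replaces the installer pipe with a `RUN` that calls `fetch_and_verify "${PULUMI_VERSION}"` and fails the build on any non-zero status.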
Bumps github.com/go-git/go-git/v5 from 5.13.1 to 5.16.5.
Release notes
Sourced from github.com/go-git/go-git/v5's releases.
... (truncated)
Commits
- 48a1ae0 Merge pull request #1836 from go-git/check-v5
- 42bdf1f storage: filesystem, Verify idx matches pack file
- 4146a56 plumbing: format/idxfile, Verify idxfile's checksum
- 63d78ec plumbing: format/packfile, Add new ErrMalformedPackFile
- 25f1624 Merge pull request #1800 from Ch00k/no-delete-untracked-v5
- 600fb13 git: worktree, Don't delete local untracked files when resetting worktree
- 390a569 Merge pull request #1746 from pjbgf/bump-go
- 61c8b85 build: Bump Go test versions to 1.23-1.25 (v5)
- e5a05ec Merge pull request #1744 from go-git/renovate/releases/v5.x-go-golang.org-x-c...
- 1495930 plumbing: Remove use of non-constant format strings

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.