
chore: bump go-git/v5 to 5.18.0 (GHSA-3xc5-wrhm-f963) #11

Merged
msukkari merged 1 commit into main from msukkari/bump-go-git-v5.18.0
Apr 21, 2026

Conversation

@msukkari

Summary

Resolves Dependabot alert sourcegraph#16 (GHSA-3xc5-wrhm-f963, CVSS 4.7).

go-git's smart-HTTP transport reuses the original session's authentication headers after following a cross-host redirect, which can leak credentials to an attacker-controlled host. Patched in v5.18.0, which adds followRedirects configuration and defaults to the upstream git behavior (initial).

Sourcebot in practice only clones from trusted code hosts over HTTPS, so real-world exposure is low, but the dependency bump silences the advisory and brings us in line with the go-git project's current supported release.

Test plan

  • go build ./... passes.
  • go test -count=1 -short ./gitindex/... passes.
  • go.mod / go.sum only differ in the go-git pin and its transitive closure.

Fixes a credential-leak vulnerability in go-git's smart-HTTP transport
where authentication credentials could be forwarded to a redirect target
on a different host. Patched in v5.18.0, which adds `followRedirects`
configuration defaulting to `initial`.

Sourcebot clones only trusted code hosts over HTTPS, so practical
exposure is low, but bumping removes the advisory.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
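The failure mode this bump addresses, shown as an added example that is neither go-git's code nor part of this PR: a smart-HTTP discovery request (`GET /info/refs`) is sent with a credential to a trusted origin, the origin answers with a 302 to a different host, and the client either re-sends the credential on the new hop (the leak) or scopes it to the host first contacted. Two loopback `httptest` servers stand in for the code host and the attacker-controlled host, the token is constructed, and the policy names `reuseAlways`/`reuseInitial` are illustrative only; they are not go-git's `followRedirects` API and the "initial" case here models credential scoping, not git's full redirect-following semantics.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
)

// secretToken is a constructed credential for this demo, not a real secret.
const secretToken = "Bearer demo-token-do-not-use"

// leakProbe plays the attacker-controlled host from the advisory: it records
// every Authorization header it receives and answers 200.
type leakProbe struct {
	mu   sync.Mutex
	seen []string
}

func (p *leakProbe) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	p.mu.Lock()
	p.seen = append(p.seen, r.Header.Get("Authorization"))
	p.mu.Unlock()
	w.WriteHeader(http.StatusOK)
}

// redirectPolicy is an illustrative knob for this example (assumption: the
// names are not go-git's API).
type redirectPolicy int

const (
	// reuseAlways re-applies the credential on every hop: the leak.
	reuseAlways redirectPolicy = iota
	// reuseInitial sends the credential only to the host first contacted and
	// strips it on any hop to a different host:port.
	reuseInitial
)

// newClient builds an http.Client whose CheckRedirect enforces policy.
// net/http drops Authorization on its own only when the redirect target's
// hostname differs from the initial one (the port is not compared), so with
// two loopback servers the explicit check below is what actually protects
// the credential, and any transport that re-injects the header here defeats
// the built-in rule entirely.
func newClient(initialHost string, policy redirectPolicy) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 10 {
				return errors.New("stopped after 10 redirects")
			}
			switch policy {
			case reuseAlways:
				req.Header.Set("Authorization", secretToken)
			case reuseInitial:
				if req.URL.Host == initialHost {
					req.Header.Set("Authorization", secretToken)
				} else {
					req.Header.Del("Authorization")
				}
			}
			return nil
		},
	}
}

// Demo stands up a "trusted" origin that 302-redirects the smart-HTTP
// discovery request to the attacker host, runs the request under policy,
// and returns the Authorization values the attacker observed.
func Demo(policy redirectPolicy) ([]string, error) {
	probe := &leakProbe{}
	attacker := httptest.NewServer(probe)
	defer attacker.Close()

	origin := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Cross-host redirect: same path and query, different host:port.
		http.Redirect(w, r, attacker.URL+r.URL.RequestURI(), http.StatusFound)
	}))
	defer origin.Close()

	originURL, err := url.Parse(origin.URL)
	if err != nil {
		return nil, err
	}
	client := newClient(originURL.Host, policy)

	req, err := http.NewRequest(http.MethodGet, origin.URL+"/repo.git/info/refs?service=git-upload-pack", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", secretToken)

	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()

	probe.mu.Lock()
	defer probe.mu.Unlock()
	return append([]string(nil), probe.seen...), nil
}

func main() {
	for _, p := range []struct {
		name   string
		policy redirectPolicy
	}{{"always", reuseAlways}, {"initial", reuseInitial}} {
		seen, err := Demo(p.policy)
		if err != nil {
			fmt.Println(p.name, "error:", err)
			continue
		}
		fmt.Printf("policy=%s attacker saw Authorization=%q\n", p.name, seen)
	}
}
```

Under `reuseAlways` the attacker host receives the bearer token; under `reuseInitial` it still receives the redirected request but with an empty Authorization header. The point for a reviewer of any HTTP client that layers its own auth on top of net/http is that the credential decision has to be made per hop against the host actually being contacted, not once at request construction.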
msukkari merged commit 63c6546 into main Apr 21, 2026
14 of 15 checks passed
msukkari deleted the msukkari/bump-go-git-v5.18.0 branch April 21, 2026 05:32
msukkari added a commit to sourcebot-dev/sourcebot that referenced this pull request Apr 21, 2026
…f963)

Picks up sourcebot-dev/zoekt#11 which addresses Dependabot alert #16
(credential leak on cross-host redirect in go-git's smart-HTTP transport).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
msukkari added a commit that referenced this pull request Apr 21, 2026
- google.golang.org/grpc 1.75.0 -> 1.80.0 (addresses GHSA critical #11:
  authorization bypass via missing leading slash in :path).
- go.opentelemetry.io/otel* 1.42.0/1.33.0 -> 1.43.0 (addresses sourcegraph#15 high:
  BSD kenv PATH hijack, and sourcegraph#14 medium: unbounded OTLP HTTP response body).

Fixes Dependabot alerts 11, 14, 15 on sourcebot-dev/zoekt.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
msukkari added a commit to sourcebot-dev/sourcebot that referenced this pull request Apr 21, 2026
* chore: bump vendor/zoekt to include CodeQL security fixes

Pulls in sourcebot-dev/zoekt#13 (open), which resolves all open
CodeQL security alerts on the zoekt repo:

- go/clear-text-logging (high) in gitindex/clone.go
- go/incorrect-integer-conversion (high) in api.go and
  zoekt-sourcegraph-indexserver/sg.go
- actions/missing-workflow-permissions (medium x8) in ci.yml and
  buf-breaking-check.yml
- actions/untrusted-checkout/high (high) in semgrep.yml

Also carries through the dependency bumps from sourcebot-dev/zoekt#11
and #12 (go-git 5.18.0, grpc 1.80.0, otel 1.43.0) that were merged
after #1140 so weren't included when main shipped the original zoekt
sync.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: repoint vendor/zoekt at sourcebot-dev/zoekt@main merge commit

sourcebot-dev/zoekt#13 merged as 7c6c629f. Updating the submodule
pointer from the feature-branch tip (945c3e96) to the merge commit
on main so vendor/zoekt tracks canonical history before merging.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: repoint vendor/zoekt at upstream-ancestry merge commit

sourcebot-dev/zoekt#10 was squash-merged into zoekt@main, which
flattened the merge commit and left GitHub reporting the fork as 108
commits behind sourcegraph/zoekt:main even though all upstream content
was present. Fixed by performing a 'git merge -s ours upstream/main'
on zoekt@main: this records upstream/main as a second parent without
changing any files, restoring the ancestry link.

Bumping this submodule pointer from 7c6c629f (the previous main tip)
to df983ea1 (the new merge-ours commit). The vendored tree content is
byte-identical to 7c6c629f; only the commit graph is different.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>