chore(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to 5.13.0 #6

dependabot · 2025-10-07T22:25:29Z

Bumps github.com/go-git/go-git/v5 from 5.11.0 to 5.13.0.

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.13.0

What's Changed

build: bump github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0 in /cli/go-git by @dependabot in go-git/go-git#1065

build: bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in go-git/go-git#1068

build: bump golang.org/x/net from 0.23.0 to 0.24.0 by @dependabot in go-git/go-git#1071

Properly support skipping of non-mandatory extensions by @codablock in go-git/go-git#1066

git: Refine some codes in test and non-test. by @onee-only in go-git/go-git#1077

plumbing: protocol/packp, client-side filter capability support by @edigaryev in go-git/go-git#1000

build: bump golang.org/x/net from 0.22.0 to 0.23.0 in /cli/go-git by @dependabot in go-git/go-git#1078

plumbing: fix sideband demux on flush by @aymanbagabas in go-git/go-git#1084

storage: dotgit, head reference usually comes first by @aymanbagabas in go-git/go-git#1085

build: bump golang.org/x/text from 0.14.0 to 0.15.0 by @dependabot in go-git/go-git#1091

build: bump golang.org/x/crypto from 0.22.0 to 0.23.0 by @dependabot in go-git/go-git#1094

build: bump golang.org/x/net from 0.24.0 to 0.25.0 by @dependabot in go-git/go-git#1093

git: Added an example for Repository.Branches by @johnmatthiggins in go-git/go-git#1088

git: worktree_commit, Modify checking empty commit. Fixes #723 by @onee-only in go-git/go-git#1050

plumbing: transport/http, Wrap http errors to return reason. Fixes #1097 by @ggambetti in go-git/go-git#1100

build: bump golang.org/x/sys from 0.20.0 to 0.21.0 by @dependabot in go-git/go-git#1106

build: bump golang.org/x/text from 0.15.0 to 0.16.0 by @dependabot in go-git/go-git#1107

Bumps Go versions and go-billy by @pjbgf in go-git/go-git#1056

_examples: Fixed a dead link COMPATIBILITY.md by @gecko655 in go-git/go-git#1109

build: bump github.com/jessevdk/go-flags from 1.5.0 to 1.6.1 in /cli/go-git by @dependabot in go-git/go-git#1115

build: bump github.com/elazarl/goproxy from v0.0.0-20230808193330-2592e75ae04a to v0.0.0-20240618083138-03be62527ccb by @hbelmiro in go-git/go-git#1124

build: bump golang.org/x/net from 0.25.0 to 0.26.0 by @dependabot in go-git/go-git#1104

Add option approximating git clean -x flag. by @msuozzo in go-git/go-git#995

Revert "Add option approximating git clean -x flag." by @pjbgf in go-git/go-git#1129

Fix reference updated concurrently error for the filesystem storer by @Javier-varez in go-git/go-git#1116

build: bump golang.org/x/net from 0.26.0 to 0.27.0 by @dependabot in go-git/go-git#1134

utils: merkletrie, Align error message with upstream by @pjbgf in go-git/go-git#1142

plumbing: transport/file, Change paths to absolute by @pjbgf in go-git/go-git#1141

plumbing: gitignore, Fix loading of ignored .gitignore files. by @Achilleshiel in go-git/go-git#1114

build: bump github.com/skeema/knownhosts from 1.2.2 to 1.3.0 by @dependabot in go-git/go-git#1147

plumbing: transport/ssh, Add support for SSH @cert-authority. by @Javier-varez in go-git/go-git#1157

build: run example tests during CI workflow by @crazybolillo in go-git/go-git#1030

storage: filesystem, Fix object cache not working due to uninitialised objects being put into cache by @SatelliteMind in go-git/go-git#1138

git: Fix fetching missing commits by @AriehSchneier in go-git/go-git#1032

plumbing: format/packfile, remove duplicate checks in findMatch() by @edigaryev in go-git/go-git#1152

git: worktree, Fix file reported as Untracked while it is committed by @rodrigocam in go-git/go-git#1023

build: bump golang.org/x/sys from 0.22.0 to 0.23.0 by @dependabot in go-git/go-git#1160

plumbing: filemode, Remove check for setting size of .git/index file by @nicholasSUSE in go-git/go-git#1159

build: bump golang.org/x/net from 0.27.0 to 0.28.0 by @dependabot in go-git/go-git#1163

Fix some lint warning and increase stalebot to 180 days by @pjbgf in go-git/go-git#1128

adjust path extracted from file: url on Windows by @tomqwpl in go-git/go-git#416

build: bump golang.org/x/sys from 0.23.0 to 0.24.0 by @dependabot in go-git/go-git#1164

Add RestoreStaged to Worktree that mimics the behaviour of git restore --staged ... by @ben-tbotlabs in go-git/go-git#493

plumbing: signature, support the same x509 signature formats as git by @yoavamit in go-git/go-git#1169

fix: allow discovery of non bare repos in fsLoader by @jakobmoellerdev in go-git/go-git#1170

build: bump golang.org/x/sys from 0.24.0 to 0.25.0 by @dependabot in go-git/go-git#1178

build: bump golang.org/x/text from 0.17.0 to 0.18.0 by @dependabot in go-git/go-git#1179

build: bump golang.org/x/net from 0.28.0 to 0.29.0 by @dependabot in go-git/go-git#1184

... (truncated)

Commits

94bd4af Merge pull request #1261 from BeChris/issue680
8b7f5ba Merge pull request #1262 from go-git/dependabot/go_modules/github.com/elazarl...
41d80a0 build: bump github.com/elazarl/goproxy
4998140 git: worktree_commit, sanitize author and commiter name and email before crea...
9049625 Merge pull request #1260 from go-git/dependabot/github_actions/github/codeql-...
dae48b4 build: bump github/codeql-action from 3.27.9 to 3.28.0
7d6fbc2 Merge pull request #1220 from BeChris/accept_uppercase_hexa_in_pktline_length
62a77b7 plumbing: Fix invalid reference name error while cloning branches containing ...
5e11196 plumbing: format/pktline, accept upercase hexadecimal value as pktline length...
65f5e1a Merge pull request #1256 from go-git/dependabot/go_modules/golang-org-232a611e2d
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.11.0 to 5.13.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.11.0...v5.13.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-version: 5.13.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

socket-security · 2025-10-07T22:27:00Z

Caution

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. For more information please check in at #security-help. For License Policy Violations please also tag @Aoife in #security-help.

Action	Severity	Alert (click "▶" to expand/collapse)
Block		`github.com/cloudflare/circl@v1.3.7` has a License Policy Violation. License: Sleepycat (LICENSE) From: `?` → `golang/github.com/go-git/go-git/v5@v5.13.0` → `golang/github.com/cloudflare/circl@v1.3.7` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore golang/github.com/cloudflare/circl@v1.3.7`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Oct 7, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to 5.13.0 #6

chore(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to 5.13.0 #6

Uh oh!

dependabot bot commented on behalf of github Oct 7, 2025

Uh oh!

socket-security bot commented Oct 7, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

chore(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to 5.13.0 #6

Are you sure you want to change the base?

chore(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to 5.13.0 #6

Uh oh!

Conversation

dependabot bot commented on behalf of github Oct 7, 2025

v5.13.0

What's Changed

Uh oh!

socket-security bot commented Oct 7, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants