chore: bump up go-git deps to fix CVE-2026-25934 #2882

Merged
simar7 merged 1 commit into aquasecurity:main from afdesk:chore/deps/fix-CVE-2026-25934
Feb 11, 2026
Conversation

Contributor

@afdesk afdesk commented Feb 11, 2026

Description

This PR bumps up indirect dependency go-git/go-git/v5 to version 5.16.5 to fix CVE-2026-25934.

Before:

% trivy rootfs ./bin/trivy-operator -q

Report Summary

┌────────────────┬──────────┬─────────────────┬─────────┐
│     Target     │   Type   │ Vulnerabilities │ Secrets │
├────────────────┼──────────┼─────────────────┼─────────┤
│ trivy-operator │ gobinary │        1        │    -    │
└────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


trivy-operator (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│           Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├─────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ github.com/go-git/go-git/v5 │ CVE-2026-25934 │ MEDIUM   │ fixed  │ v5.16.4           │ 5.16.5        │ go-git is a highly extensible git implementation library │
│                             │                │          │        │                   │               │ written in pu ......                                     │
│                             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-25934               │
└─────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

After:

% trivy rootfs ./bin/trivy-operator -q

Report Summary

┌────────────────┬──────────┬─────────────────┬─────────┐
│     Target     │   Type   │ Vulnerabilities │ Secrets │
├────────────────┼──────────┼─────────────────┼─────────┤
│ trivy-operator │ gobinary │        0        │    -    │
└────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@github-actions github-actions bot added the misc label Feb 11, 2026
@afdesk afdesk marked this pull request as ready for review February 11, 2026 08:32
@afdesk afdesk requested a review from simar7 as a code owner February 11, 2026 08:32
@simar7 simar7 merged commit a32b1f3 into aquasecurity:main Feb 11, 2026
8 checks passed
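
The gobinary results in the description come from the module list that the Go toolchain embeds in the built binary. As an added example (not part of this PR or of the trivy-operator code base), the Go program below reads that list with the standard debug/buildinfo package and compares the embedded go-git version with the fixed version from the scan table. Treating every older release as affected is an assumption of the example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

const modPath = "github.com/go-git/go-git/v5" // "Library" column of the scan above
const fixed = "v5.16.5"                       // "Fixed Version" column of the scan above

// core parses "vX.Y.Z[-pre]" into its three numbers plus a pre-release flag.
func core(v string) (n [3]int, pre bool, err error) {
	_, err = fmt.Sscanf(v, "v%d.%d.%d", &n[0], &n[1], &n[2])
	return n, strings.Contains(v, "-"), err
}

// olderThanFix reports whether v sorts before the fixed release; a pseudo-version
// (v5.16.5-0.<time>-<commit>) counts as older. Assumption: all older releases are affected.
func olderThanFix(v string) (bool, error) {
	got, pre, err := core(v)
	if err != nil {
		return false, err
	}
	want, _, _ := core(fixed)
	for i := range got {
		if got[i] != want[i] {
			return got[i] < want[i], nil // numeric compare, so 5.9.x < 5.16.x
		}
	}
	return pre, nil
}

func main() { // usage: <program> ./bin/trivy-operator
	if len(os.Args) != 2 {
		panic("usage: pass the path of one Go binary")
	}
	info, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		panic(err)
	}
	for _, m := range info.Deps {
		if m.Path == modPath {
			old, err := olderThanFix(m.Version)
			fmt.Printf("%s %s older-than-%s=%v replaced=%v err=%v\n",
				m.Path, m.Version, fixed, old, m.Replace != nil, err)
		}
	}
}
```

A module reported with replaced=true was swapped by a replace directive at build time, so its version number should be checked by hand rather than compared.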