v5: Add worktreeFilesystem wrapper for worktree and hardening #2100

Merged: pjbgf merged 13 commits into go-git:releases/v5.x from hiddeco:v5/worktree-fs on May 10, 2026

@hiddeco hiddeco commented May 9, 2026

Backport of #2081 and #2097.

pjbgf and others added 13 commits May 9, 2026 12:12
Introduce worktreeFilesystem, a wrapper around billy.Filesystem that
calls validPath on every mutating operation (Create, OpenFile, Remove,
Rename, Symlink, MkdirAll). This ensures dangerous paths like .git/*,
../, and git~1/ are rejected regardless of which code path writes to
the worktree.

Backport of go-git#2081.

Unlike upstream, the Worktree.Filesystem field is preserved as a
public billy.Filesystem rather than replaced with a Filesystem()
method. Standard usage routes through the wrapper, but a caller can
still bypass by reassigning the field; the v5 API contract takes
precedence over enforcement.

Assisted-by: Claude Opus 4.6 <[email protected]>
Signed-off-by: Paulo Gomes <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>

Replace the runtime.GOOS == "windows" guard in path validation with
the core.protectNTFS configuration option, matching upstream Git
behaviour. When not explicitly set, defaults to true on Windows.

This allows non-Windows systems to opt in to NTFS protection, and
Windows systems to opt out when not needed.

Backport of go-git#2081.

Adapted to v5: validPath becomes a method on worktreeFilesystem, and
a Worktree.validPath helper type-asserts the public Filesystem field
to the wrapper or falls back to a transient wrapper at the platform
default. This avoids touching the 70+ Worktree test constructors that
build a worktree directly with a raw billy.Filesystem. Also adds
config.OptBool, copied from upstream's d0aa22f, since v5 does not
yet have the type.

Assisted-by: Claude Opus 4.6 <[email protected]>
Signed-off-by: Paulo Gomes <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>

Add support for core.protectHFS, which detects .git paths obfuscated
with Unicode zero-width and directional characters that HFS+ silently
strips during path normalization. When enabled, paths like
.g‌it are rejected. Defaults to true on macOS, matching upstream
Git behaviour.

Backport of go-git#2081.

Assisted-by: Claude Opus 4.6 <[email protected]>
Signed-off-by: Paulo Gomes <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>

Extend path validation to check every path component, not just the
first. Single-dot components are also rejected. This matches upstream
Git's verify_path_internal which validates at every directory separator
boundary.

A non-first final .git component (e.g. "submodule/.git") is permitted
because submodule worktrees contain a .git pointer file.

The per-call-site validChange checks are removed since the
worktreeFilesystem wrapper enforces validation on all mutating
operations.

Backport of go-git#2081.

Assisted-by: Claude Opus 4.6 <[email protected]>
Signed-off-by: Paulo Gomes <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>

Reject path components matching Windows reserved device names
(CON, PRN, AUX, NUL, COM1-9, LPT1-9, CONIN$, CONOUT$). The match
is case-insensitive and applies when the component is exactly the
reserved name or is followed by a space, dot, or colon (NTFS
Alternate Data Stream separator). Mirrors upstream Git
`is_valid_win32_path` in compat/mingw.c.

Backport of go-git#2081.

Signed-off-by: Paulo Gomes <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>

Move the HFS+ helpers (defaultProtectHFS, hfsIgnoredCodepoints,
isHFSDotGit) into hfs.go and the NTFS helpers (defaultProtectNTFS,
windowsValidPath, windowsReservedNames, isWindowsReservedName) into
ntfs.go, so worktree_fs.go is back to just the wrapper and the
shared validPath logic.

Expand worktreeFilesystem to wrap the read-side billy.Filesystem
methods (Open, Stat, ReadDir, Lstat, Readlink, Chroot) plus a
TempFile blocker, with errors annotated by the operation that
rejected the path. Read operations use a new validReadPath helper
that treats the worktree root ("", ".", "/") as legitimate while
delegating component validation to validPath. validPath grows a
byte-position-agnostic control-character check at the start so
ASCII-control bytes are rejected before the component loop, matching
the gate in upstream Git's verify_path_internal.

Backport of go-git#2081.

Bundled here is a TestWorktree test update that should logically
have been part of the wrapper-introduction commit: the assertion
now type-asserts w.Filesystem to *worktreeFilesystem and compares
the embedded Filesystem against the input, since v5 keeps the
field public and assigns the wrapper to it.

Signed-off-by: Paulo Gomes <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>

Validate the symlink target as well as the link path so a symlink
cannot be planted whose target traverses out of the worktree, and
silence the unused-parameter lint in TempFile (it stays a hard
unsupported-operation rejection).

Backport of go-git#2081.

Signed-off-by: Paulo Gomes <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>

Tighten the prefix gate in windowsValidPath so that bare ".git" is
no longer rejected here. validPath already refuses root-level or
non-final ".git" components on every platform; the windows-side
check only needs to catch the disguised variants (".git " /
".git." / ".git::$INDEX_ALLOCATION") that NTFS would normalise
back to ".git". Without this, a submodule worktree's ".git"
pointer file failed the Windows wrapper guard.

Backport of go-git#2081.

Signed-off-by: Paulo Gomes <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>

Add a `parseConfigBool` helper that mirrors upstream Git's
`git_parse_maybe_bool`: it accepts `true`/`yes`/`on`/`1` and
`false`/`no`/`off`/`0` case-insensitively, and returns
`OptBoolUnset` for empty or unrecognised values so the
caller's platform default stays in place.

`unmarshalCore` swaps `strconv.ParseBool` for `parseConfigBool`
when reading `core.protectNTFS` and `core.protectHFS`. The
previous `strconv.ParseBool` path silently misinterpreted
user-friendly syntax: writing `protectNTFS = on` made
`strconv.ParseBool` return an error, which left the field at
its zero value (`OptBoolUnset`), so on Windows the platform
default applied — but a user who wrote `protectNTFS = on` to
deliberately enable the protection on Linux would have got the
platform default (`false`) instead of the explicit `true` they
intended. With the tolerant parser, all of `true` / `yes` /
`on` / `1` (and their false counterparts) take effect where
the user expects them to.

Other booleans in this package keep the loose `== "true"`
pattern; aligning them is out of scope. Only the security
toggles are upgraded here, where silent misinterpretation has
the highest cost.

Reference: upstream Git `git_parse_maybe_bool_text` at
`parse.c` L157-L173 and `git_parse_maybe_bool` at `parse.c`
L174-L182 in tag `v2.54.0`[1]. `git_parse_maybe_bool` is the
closer match, since it also accepts integer values via
`git_parse_int`.

[1]: https://github.com/git/git/blob/v2.54.0/parse.c#L157-L182

Backport of go-git#2097.

Assisted-by: Claude Opus 4.7
Signed-off-by: Hidde Beydals <[email protected]>
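The silent fallback described in the commit message above, as an added example that is not go-git's code: a value such as `on` is rejected by `strconv.ParseBool`, the option stays unset, and the platform default wins over what the user wrote. The names `triBool`, `strictParse`, `tolerantParse` and `effective` are hypothetical, and the config values are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// triBool is a constructed stand-in for a three-state option. The unset
// state means "fall back to the platform default".
type triBool int

const (
	unset triBool = iota
	optFalse
	optTrue
)

// strictParse models the older behaviour: any value that
// strconv.ParseBool rejects leaves the option unset.
func strictParse(v string) triBool {
	b, err := strconv.ParseBool(v)
	if err != nil {
		return unset
	}
	if b {
		return optTrue
	}
	return optFalse
}

// tolerantParse accepts the spellings listed in the commit message,
// case-insensitively, and returns unset for anything else.
func tolerantParse(v string) triBool {
	switch strings.ToLower(v) {
	case "true", "yes", "on", "1":
		return optTrue
	case "false", "no", "off", "0":
		return optFalse
	}
	return unset
}

// effective resolves an option against the platform default.
func effective(o triBool, platformDefault bool) bool {
	if o == unset {
		return platformDefault
	}
	return o == optTrue
}

func main() {
	// Assumed scenario: a protection toggle on a platform whose default
	// is false, so an unparsed "on" silently leaves the protection off.
	const platformDefault = false
	for _, v := range []string{"true", "on", "Yes", "off", "", "maybe"} {
		fmt.Printf("%-8q strict=%-5v tolerant=%v\n", v,
			effective(strictParse(v), platformDefault),
			effective(tolerantParse(v), platformDefault))
	}
}
```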

Lift platform-specific dotgit-variant detection out of package
`git` into a self-contained package so it can be reached from
any caller — `config` (go-git#2079's submodule-name validation),
`storage/filesystem/dotgit` (the `Module(name)` containment
check), and the tree-side gates added in a follow-up commit —
without those callers depending on the root `git` package.

The package collects three layers:

  - HFS+ side: the ignored-codepoint table plus
    `IsHFSDot` / `IsHFSDotGit` / `IsHFSDotGitmodules` family
    (zero-width / case-folding aware). Implementations are
    unchanged from the previous `git`-package versions; only
    the package boundary moves.

  - NTFS / Windows side: `IsNTFSDot` (a port of canonical
    Git's `is_ntfs_dot_generic`), `IsNTFSDotGitmodules`, the
    `WindowsValidPath` predicate, and the reserved-name table
    (`CON`, `NUL`, `AUX`, …). The `dotGit = ".git"` constant
    is declared locally to avoid coupling pathutil to
    `git.GitDirName`.

  - Cross-platform helper: `IsDotGitName` matches `.git` and
    its 8.3 NTFS short alias `git~1` case-insensitively.

On top of these primitives sits `ValidTreePath`, the strict
validator applied at the boundary where attacker-controlled
tree data leaves the trusted store. Where the wrapper-layer
`validPath` in package `git` is intentionally tolerant of
final-position `.git` (legitimate `submodule/.git` flows in
submodule cleanup) and only consults HFS+/NTFS variants when
the corresponding `core.protect*` flag is on, `ValidTreePath`
is always-strict regardless of runtime config: tree paths are
canonical UTF-8 with no zero-width characters or 8.3 short-
name forms, so an entry that looks like one is suspicious
anywhere. It rejects control characters, empty / `.` / `..`
components, Windows volume-name prefixes, `.git` and its
HFS+/NTFS variants at every position, and reserved device
names.

Mirrors upstream Git's `verify_path_internal` at
`read-cache.c` L987-L1048 in tag `v2.54.0`[1], stripped of
its runtime `protect_hfs` / `protect_ntfs` gating because the
pathutil layer is consulted from the strict tree boundary,
not from application paths.

[1]: https://github.com/git/git/blob/v2.54.0/read-cache.c#L987-L1048

Backport of go-git#2097.

Assisted-by: Claude Opus 4.7
Signed-off-by: Hidde Beydals <[email protected]>

Apply `pathutil.ValidTreePath` at the chokepoints where tree
data crosses out of the trusted object store and where
application-supplied paths cross into the index. Layered on
top of the existing tolerant wrapper `validPath` in package
`git`, this gives the worktree two layers of protection:
strict validation at the boundary, tolerant validation at
the filesystem edge for legitimate flows (`submodule/.git`
Stat / Remove during submodule cleanup).

Read-side chokepoints in `plumbing/object`:

  - `(*Tree).FindEntry` — most callers funnel through here:
    `(*Tree).File`, `(*Tree).Tree`, `(*Tree).Size`, and the
    `checkoutChange` Modify/Insert branch. A dangerous tree-
    derived path is refused at the lookup boundary before
    anything materialises.

  - `TreeWalker.Next` — drives `transformChildren` (which
    feeds `merkletrie.DiffTree`), `FileIter`, and the archive
    writers. Each leaf entry name is validated as it
    surfaces; a malformed entry stops the walk with the
    validator's error rather than skipping silently.
    Inspection-only callers that need raw access can still
    read `Tree.Entries` directly.

  - `(*Tree).TreeEntryFile` — boundary where a `*File` whose
    Name a caller can hand to filesystem ops leaves the
    store.

Write-side chokepoint in `worktree_status`:

  - `doAddFileToIndex` validates the path via
    `pathutil.ValidTreePath` before calling `Index.Add`.
    Mirrors upstream Git's `verify_path_internal` invocation
    from `make_cache_entry` on the index-addition side.
    Diverges from upstream by keeping `Index.Add`'s existing
    `(*Entry)` signature for v5 API compatibility — the gate
    moves to the worktree caller, which is the only in-tree
    `Index.Add(path)` call site.

Application-side gates in package `git`:

  - The wrapper-level `validPath` continues to gate
    filesystem writes; HFS+/NTFS-aware rejection of
    `.gitmodules` symlink targets is now driven by the same
    `pathutil` predicates so the wrapper and the strict
    validator stay aligned. The control-character loop is
    byte-oriented for upstream parity with
    `verify_path_internal`.

  - `Submodule.Repository`'s `Chroot` validates the
    submodule's tree-stored Path before scoping the
    repository, refusing embedded `.git` / HFS+ / NTFS
    variants regardless of `core.protectHFS` /
    `core.protectNTFS`.

  - `Worktree.checkoutFileSymlink` no longer performs its
    own `gitmodulesFile` check — `validSymlinkName` on the
    wrapper covers it (and its NTFS / HFS variants).

The root-level `hfs.go` / `ntfs.go` files held only the
3-line `defaultProtectHFS` / `defaultProtectNTFS` runtime-
policy helpers after the `pathutil` extraction; they fold
into `worktree_fs.go` next to the wrapper that consumes
them. The local `windowsValidPath` test in `worktree_test.go`
is dropped — `pathutil.WindowsValidPath` has equivalent
coverage in `internal/pathutil/ntfs_test.go`.

Backport of go-git#2097.

Bundled here are test fixes that surface the new gates:
`change_adaptor_test.go` sets `TreeEntry.Name` so
`TreeEntryFile`'s gate accepts the synthetic entries;
`submodule_test.go` sets `Path` on the synthetic submodules
that previously left it empty, and bypasses the wrapper
when planting the malicious `.gitmodules` symlink (the
read-side detection in `Submodules()` is the layer being
exercised, not the write-side gate).

Assisted-by: Claude Opus 4.7
Signed-off-by: Hidde Beydals <[email protected]>

Restrict `ValidTreePath`'s NTFS gating to the disguised-`.git`
family, dropping the always-on Windows reserved-name check that
made go-git refuse trees upstream Git happily reads. In upstream's
`verify_path_internal`[1], `is_ntfs_dotgit` runs under `protect_ntfs`
(defaulting to 1 on every platform) but `is_valid_win32_path` is
compile-time gated to Windows-native and Cygwin builds. Names such
as `lib/con.go` are well-formed on non-Windows, so a go-git client
on Linux must be able to read trees containing them.

Lift `is_ntfs_dotgit` out as `IsNTFSDotGit` rather than keeping the
disguise logic fused into `WindowsValidPath`. As a side-effect this
closes a gap in the previous implementation: it only recognised the
`.git` prefix, so `git~1 ` (trailing space), `git~1.`, and
`git~1::ads` slipped past, even though upstream's `is_ntfs_dotgit`[2]
also matches the `git~1` short-name prefix. `WindowsValidPath` now
composes `IsNTFSDotGit` with the reserved-name table, retaining its
existing wrapper-layer contract: bare `.git` and `git~1` are allowed,
position-checked by callers.

Defence in depth is preserved at the materialisation boundary:
`worktreeFilesystem.validPath` still enforces both checks under
`core.protectNTFS`, so reserved-name and disguise rejection remain
in place when a path is about to hit disk on Windows.

[1]: https://github.com/git/git/blob/v2.54.0/read-cache.c#L987-L1048
[2]: https://github.com/git/git/blob/v2.54.0/path.c#L1415-L1449

Backport of go-git#2097.

Assisted-by: Claude Opus 4.7
Signed-off-by: Hidde Beydals <[email protected]>

Mirror upstream Git's `PROTECT_NTFS_DEFAULT`, which has been `1`
unconditionally since 9102f958ee5 (CVE-2019-1353)[1]. Until now
go-git gated the default on `runtime.GOOS == "windows"`, leaving
Linux and macOS users without the wrapper-layer `is_ntfs_dotgit`
and reserved-name checks unless they explicitly set
`core.protectNTFS=true`. The motivating scenario is unchanged
from upstream's: WSL mounts Windows drives under `/mnt/`, so a
Linux process can reach an NTFS-backed worktree where the `.git`
directory is also resolvable as `git~1` (or `.git ` /
`.git::$DATA`). Gating the guard on the runtime OS skips that
class of attack on the very system where it is reachable.

Tree-side gates already catch disguised `.git` regardless of
this default — `pathutil.ValidTreePath` is always-on per
ce4cca1 (the prior commit). This commit closes the parallel
gap at the wrapper layer: `worktreeFilesystem.validPath` and
`validSymlinkName` now enforce the NTFS rules on non-Windows
by default, matching upstream's protect-by-default posture.

`PROTECT_HFS_DEFAULT` is left untouched. Upstream chose not to
flip that default in 9102f958ee5 (the cost in the cited
benchmark was non-trivial and the WSL-equivalent scenario for
HFS+ is not realistic), and `defaultProtectHFS` already mirrors
that decision via its Darwin-only return.

[1]: git/git@9102f958ee5

Backport of go-git#2097.

Assisted-by: Claude Opus 4.7
Signed-off-by: Hidde Beydals <[email protected]>
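A sketch of the always-strict, per-component tree-path check the commit messages above describe, added here as an example and not taken from go-git: it rejects control bytes, empty / `.` / `..` components, and `.git` or `git~1` in their case-folded, HFS+ zero-width and NTFS trailing dot / space / `:` disguises at every position. The names `checkTreePath`, `looksLikeDotGit` and `foldForCompare` are hypothetical, the sample paths are constructed, and Windows volume-name prefixes and reserved device names are left out, so `lib/con.go` is accepted.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var errUnsafePath = errors.New("unsafe tree path")

// foldForCompare drops the zero-width and directional code points that HFS+
// ignores in file names and folds ASCII upper case to lower case.
func foldForCompare(component string) string {
	return strings.Map(func(r rune) rune {
		switch {
		case r >= 0x200C && r <= 0x200F, // ZWNJ, ZWJ, LRM, RLM
			r >= 0x202A && r <= 0x202E, // directional embeddings and overrides
			r >= 0x206A && r <= 0x206F, // deprecated formatting characters
			r == 0xFEFF: // zero-width no-break space
			return -1
		case r >= 'A' && r <= 'Z':
			return r + ('a' - 'A')
		}
		return r
	}, component)
}

// looksLikeDotGit reports whether one component could resolve to the
// repository directory on a case-insensitive, HFS+ or NTFS file system.
func looksLikeDotGit(component string) bool {
	folded := foldForCompare(component)
	for _, prefix := range []string{".git", "git~1"} {
		if !strings.HasPrefix(folded, prefix) {
			continue
		}
		// NTFS drops trailing dots and spaces, and ':' introduces an
		// alternate data stream, so these suffixes still name the prefix.
		rest := strings.TrimLeft(folded[len(prefix):], ". ")
		if rest == "" || rest[0] == ':' || rest[0] == '\\' {
			return true
		}
	}
	return false
}

// checkTreePath validates every component of a slash-separated tree path.
func checkTreePath(p string) error {
	for i := 0; i < len(p); i++ {
		if p[i] < 0x20 || p[i] == 0x7f {
			return fmt.Errorf("%w: control byte in %q", errUnsafePath, p)
		}
	}
	for _, c := range strings.Split(p, "/") {
		if c == "" || c == "." || c == ".." {
			return fmt.Errorf("%w: component %q in %q", errUnsafePath, c, p)
		}
		if looksLikeDotGit(c) {
			return fmt.Errorf("%w: %q resolves to .git in %q", errUnsafePath, c, p)
		}
	}
	return nil
}

func main() {
	// Constructed sample paths; none come from a real repository.
	for _, p := range []string{
		"src/main.go", "lib/con.go", ".gitignore", "sub/.git",
		".g\u200cit/config", "GIT~1/config", ".git::$INDEX_ALLOCATION/x", "a/../b",
	} {
		fmt.Printf("%-32q %v\n", p, checkTreePath(p))
	}
}
```

Unlike the tolerant wrapper-layer check the commits describe, this sketch refuses a final-position `sub/.git` as well.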

@pjbgf pjbgf left a comment

@hiddeco Thanks for working on this. 🙇

@pjbgf pjbgf merged commit b1fab6c into go-git:releases/v5.x May 10, 2026
9 checks passed
@hiddeco hiddeco deleted the v5/worktree-fs branch May 10, 2026 20:06
chhe pushed a commit to chhe/act_runner that referenced this pull request May 19, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `v5.19.0` → `v5.19.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-git%2fgo-git%2fv5/v5.19.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-git%2fgo-git%2fv5/v5.19.0/v5.19.1?slim=true) |

---

### Release Notes

<details>
<summary>go-git/go-git (github.com/go-git/go-git/v5)</summary>

### [`v5.19.1`](https://github.com/go-git/go-git/releases/tag/v5.19.1)

[Compare Source](go-git/go-git@v5.19.0...v5.19.1)

#### What's Changed

- v5: plumbing: transport/ssh, Shell-quote path by [@hiddeco](https://github.com/hiddeco) in [#2068](go-git/go-git#2068)
- v5: git: submodule, Fix relative URL resolution by [@hiddeco](https://github.com/hiddeco) in [#2070](go-git/go-git#2070)
- v5: git: submodule, canonical remote for relative URLs by [@hiddeco](https://github.com/hiddeco) in [#2074](go-git/go-git#2074)
- v5: git: submodule, error on remote without URLs by [@hiddeco](https://github.com/hiddeco) in [#2078](go-git/go-git#2078)
- v5: plumbing: format/idxfile, Validate offset64 indices by [@hiddeco](https://github.com/hiddeco) in [#2084](go-git/go-git#2084)
- v5: \*: Reject malformed variable-length integers by [@hiddeco](https://github.com/hiddeco) in [#2092](go-git/go-git#2092)
- v5: plumbing: format/packfile, Tighten delta validation by [@hiddeco](https://github.com/hiddeco) in [#2091](go-git/go-git#2091)
- v5: Add `worktreeFilesystem` wrapper for worktree and hardening by [@hiddeco](https://github.com/hiddeco) in [#2100](go-git/go-git#2100)
- v5: config: validate submodule names by [@hiddeco](https://github.com/hiddeco) in [#2082](go-git/go-git#2082)
- build: Update module github.com/go-git/go-git/v5 to v5.19.0 \[SECURITY] (releases/v5.x) by [@go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#2111](go-git/go-git#2111)
- v5: git: Allow MkdirAll on worktree-root paths by [@hiddeco](https://github.com/hiddeco) in [#2117](go-git/go-git#2117)
- v5: git: Stop validating symlink target paths by [@pjbgf](https://github.com/pjbgf) in [#2116](go-git/go-git#2116)
- v5: plumbing: format decoder input bounds and contracts by [@hiddeco](https://github.com/hiddeco) in [#2125](go-git/go-git#2125)
- plumbing: format/packfile, cap delta chain depth in parser by [@pjbgf](https://github.com/pjbgf) in [#2137](go-git/go-git#2137)

**Full Changelog**: <go-git/go-git@v5.19.0...v5.19.1>

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

Reviewed-on: https://gitea.com/gitea/runner/pulls/980
Reviewed-by: Lunny Xiao <[email protected]>
Co-authored-by: Renovate Bot <[email protected]>
Co-committed-by: Renovate Bot <[email protected]>
Maks1mS pushed a commit to stplr-dev/stplr that referenced this pull request May 20, 2026
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | require | patch | `v5.19.0` → `v5.19.1` | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/go-git/go-git/badge)](https://securityscorecards.dev/viewer/?uri=github.com/go-git/go-git) |

---

> ⚠️ **Warning**
>
> Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/23) for more information.

---


### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

Reviewed-on: https://altlinux.space/stapler/stplr/pulls/435
frewilhelm pushed a commit to open-component-model/ocm that referenced this pull request Jun 1, 2026
#1983)

… compatibility

#### What this PR does / why we need it

Fixes broken update to go-git v1.59.1

**Why it broke:** 
go-git v5.19.1 added a worktreeFilesystem security wrapper
(go-git/go-git#2100).

The wrapper rejects components named `.git`. This PR removed the
hardening with `AddWithOptions(&git.AddOptions{All: true})`


#### Which issue(s) this PR is related to
Fixes: #1965

Signed-off-by: Matthias Bruns <[email protected]>