
chore(deps): bump the go-dependencies group with 2 updates #899

Merged
mbevc1 merged 1 commit into main from dependabot/go_modules/go-dependencies-abaf4f7f98
May 19, 2026

@dependabot dependabot Bot commented on behalf of github May 19, 2026

Bumps the go-dependencies group with 2 updates: github.com/go-git/go-git/v5 and google.golang.org/api.

Updates github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.19.1

What's Changed

Full Changelog: go-git/go-git@v5.19.0...v5.19.1

Commits
  • 3c3be60 Merge pull request #2137 from go-git/validate-v5
  • 3fba897 plumbing: format/packfile, cap delta chain depth in parser
  • a97d660 Merge pull request #2125 from hiddeco/v5/format-input-bounds
  • aeaa125 plumbing: format/objfile, require Header before Read
  • 1f38e17 plumbing: format/packfile, bound inflate size
  • f7545a0 plumbing: format/idxfile, bound nr by file size
  • 170b881 Merge pull request #2116 from pjbgf/symlink-v5
  • 7b6d994 Merge pull request #2117 from hiddeco/v5/worktree-fs-mkdirall-root-noop
  • f0709b3 git: Stop validating symlink target paths
  • 776d00f git: Allow MkdirAll on worktree-root paths
  • Additional commits viewable in compare view

Updates google.golang.org/api from 0.279.0 to 0.280.0

Release notes

Sourced from google.golang.org/api's releases.

v0.280.0

0.280.0 (2026-05-19)

Features

Changelog

Sourced from google.golang.org/api's changelog.

0.280.0 (2026-05-19)

Features

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the go-dependencies group with 2 updates: [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) and [google.golang.org/api](https://github.com/googleapis/google-api-go-client).


Updates `github.com/go-git/go-git/v5` from 5.19.0 to 5.19.1
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](go-git/go-git@v5.19.0...v5.19.1)

Updates `google.golang.org/api` from 0.279.0 to 0.280.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.279.0...v0.280.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.19.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-dependencies
- dependency-name: google.golang.org/api
  dependency-version: 0.280.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels May 19, 2026

claude Bot commented May 19, 2026

Claude finished @dependabot[bot]'s task in 59s —— View job


Dependency Upgrade Review

  • Identify changed dependencies and review changelogs
  • Search for go-git/go-git/v5 usage in the codebase
  • Search for google.golang.org/api usage in the codebase
  • Assess upgrade risks and post findings

1. github.com/go-git/go-git/v5 — 5.19.0 → 5.19.1 (patch)

What changed: This is a security-focused patch release. The changes harden input validation across the board — shell-quoting SSH paths, tightening delta/packfile validation, rejecting malformed variable-length integers, capping delta chain depth, validating submodule names, and adding a worktreeFilesystem wrapper for worktree hardening.

Usage in this repo: The go-git library is used in internal/gitview/gitView.go for read-only git operations:

  • git.PlainOpenWithOptions() — opening local repos
  • repository.CommitObject(), repository.Log(), repository.Head() — reading commits and history
  • Also used in test helpers (internal/testHelpers/) and command tests for setting up test git repos

Risk assessment: Very low

  • This is a patch release with only hardening/security fixes — no API changes, no new features, no breaking changes.
  • The repo uses only read-only repository operations (open, log, commit lookup, head). None of the hardened areas (submodule handling, worktree filesystem writes, SSH transport path quoting) are exercised by this codebase.
  • The transitive bumps to golang.org/x/crypto (0.50→0.51) and golang.org/x/net (0.53→0.54) are also patch-level and expected as indirect dependencies of go-git.

2. google.golang.org/api — 0.279.0 → 0.280.0 (minor)

What changed: All commits are auto-regenerated discovery client updates — no hand-written library changes, no behavioral changes to the iterator or core transport packages.

Usage in this repo: Only google.golang.org/api/iterator is imported, in internal/cloudrun/cloudrun.go, for paginating Cloud Run API responses.

Risk assessment: Very low

  • The iterator package is a stable utility and was not touched in this release.
  • The transitive bump to google.golang.org/genproto/googleapis/rpc is also a routine regeneration.

Summary

Both upgrades are safe to merge. The go-git bump is particularly worthwhile as it picks up multiple security hardening fixes. No API surface used by this codebase was changed in either dependency. CI is currently running — recommend merging once the Main workflow passes.
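
The import-surface check that the review above relies on (which packages of each bumped module the repository actually imports), as an added example that is not part of the original conversation or of this repository's code. The two file paths are the ones named in the review; their contents here are constructed stand-ins, and `importedFrom` is a hypothetical helper name.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"sort"
	"strconv"
	"strings"
)

// Constructed stand-ins for repository files (not the real file contents).
var sampleFiles = map[string]string{
	"internal/cloudrun/cloudrun.go": `package cloudrun; import ("context"; "google.golang.org/api/iterator")`,
	"internal/gitview/gitView.go":   `package gitview; import git "github.com/go-git/go-git/v5"`,
}

// importedFrom returns the sorted import paths at or below the given module path.
func importedFrom(files map[string]string, module string) ([]string, error) {
	seen := map[string]bool{}
	fset := token.NewFileSet()
	for name, src := range files {
		// ImportsOnly stops after the import block, so bodies are never parsed.
		f, err := parser.ParseFile(fset, name, src, parser.ImportsOnly)
		if err != nil {
			return nil, fmt.Errorf("parse %s: %w", name, err)
		}
		for _, spec := range f.Imports {
			path, err := strconv.Unquote(spec.Path.Value)
			if err != nil {
				return nil, fmt.Errorf("%s: bad import path: %w", name, err)
			}
			if path == module || strings.HasPrefix(path, module+"/") {
				seen[path] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	pkgs, err := importedFrom(sampleFiles, "google.golang.org/api")
	fmt.Println(pkgs, err)
}
```

Matching on `module + "/"` rather than a bare prefix keeps a differently named module that merely starts with the same string out of the result.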

@mbevc1 mbevc1 merged commit a36d03c into main May 19, 2026
15 checks passed
@mbevc1 mbevc1 deleted the dependabot/go_modules/go-dependencies-abaf4f7f98 branch May 19, 2026 22:54