Bump github.com/go-git/go-git/v5 from 5.12.0 to 5.14.0 #305

Conversation


@dependabot dependabot bot commented on behalf of github Feb 27, 2025

Bumps github.com/go-git/go-git/v5 from 5.12.0 to 5.14.0.

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.14.0

What's Changed

⚠️ Note that this version requires Go 1.23, due to the bump to golang.org/x/[email protected] which mitigates the CVE above. Users that can't bump to Go 1.23 will need to remain on the previous v5.13.x release.

Full Changelog: go-git/go-git@v5.13.2...v5.14.0

v5.13.2

What's Changed

Full Changelog: go-git/go-git@v5.13.1...v5.13.2

v5.13.1

What's Changed

Full Changelog: go-git/go-git@v5.13.0...v5.13.1

v5.13.0

What's Changed

... (truncated)

Commits
  • 863c621 Merge pull request #1436 from pjbgf/v5-bumps
  • 2e69e81 build: Bump dependencies
  • b2c1ec9 build: Bump Go versions
  • 2c68247 Merge pull request #1383 from go-git/dependabot/go_modules/github.com/ProtonM...
  • d462c2e Merge pull request #1359 from BeChris/issue1150-v5
  • 32ac23a Merge pull request #1392 from go-git/dependabot/go_modules/github.com/pjbgf/s...
  • 93e635a build: bump github.com/pjbgf/sha1cd from 0.3.0 to 0.3.2
  • b2bb975 git: worktree_status, took into account code review remarks
  • 518ac88 git: worktree_status, fix adding dot slash files to working tree (backported ...
  • 21b3150 build: bump github.com/ProtonMail/go-crypto from 1.1.4 to 1.1.5
  • Additional commits viewable in compare view


Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.12.0 to 5.14.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.12.0...v5.14.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the topic: infrastructure Related to project infrastructure label Feb 27, 2025
@per1234 per1234 left a comment

See the review on the previous bump PR:

#292 (comment)

I verified that the blocker bug mentioned there is still present in github.com/go-git/go-git/v5@v5.14.0.

@per1234 per1234 added the type: imperfection Perceived defect in any part of project label Feb 28, 2025
@per1234 per1234 closed this Feb 28, 2025
@dependabot dependabot bot deleted the dependabot/go_modules/github.com/go-git/go-git/v5-5.14.0 branch February 28, 2025 03:33
@per1234 per1234 added the conclusion: invalid Issue/PR not valid label Feb 28, 2025
@per1234 per1234 restored the dependabot/go_modules/github.com/go-git/go-git/v5-5.14.0 branch March 1, 2025 10:33
@per1234 per1234 reopened this Mar 1, 2025
@per1234 per1234 removed the conclusion: invalid Issue/PR not valid label Mar 1, 2025
@arduino arduino deleted a comment from dependabot bot Mar 1, 2025
@per1234 per1234 added the topic: security Related to the protection of user data label Mar 2, 2025
@per1234 per1234 left a comment

I made the following statement in the previous review:

I verified that the blocker bug mentioned there is still present in github.com/go-git/go-git/v5@v5.14.0

It is true that the bug (go-git/go-git#1411) is still present. However, after further investigation I discovered that the original determination that go-git/go-git#1411 is a blocker for bumping github.com/go-git/go-git/v5 in libraries-repository-engine was erroneous.

Summary

It turns out that go-git/go-git#1411 is not effectively a regression for libraries-repository-engine. The reason is that the conditions under which go-git/go-git#1411 occurs would cause libraries-repository-engine to fault even without the bump.

Explanation

The conditions under which go-git/go-git#1411 occurs are:

  • The repository contains a file with executable permissions.
  • The github.com/go-git/go-git/v5.Worktree.Checkout method is called.
  • The application is running on a Windows machine.

After bumping the github.com/go-git/go-git/v5 dependency to v5.14.0 (or v5.13.2), a call to the github.com/arduino/libraries-repository-engine/internal/libraries/gitutils.CheckoutTag function will return an error under these conditions, here:

if err = repoTree.Checkout(&git.CheckoutOptions{Hash: *resolvedTag, Force: true}); err != nil {
	return err
}

However, the function will return an error under these conditions even with a version of github.com/go-git/go-git/v5 <v5.13.2. This is due to a separate bug in the handling of these conditions: go-git/go-git#771. With the previous versions of github.com/go-git/go-git/v5, github.com/go-git/go-git/v5.Worktree.Checkout will not return an error, but github.com/go-git/go-git/v5.Status.IsClean returns false, which causes github.com/arduino/libraries-repository-engine/internal/libraries/gitutils.cleanRepository to return false:

which in turn causes github.com/arduino/libraries-repository-engine/internal/libraries/gitutils.CheckoutTag to return an error:

// Ensure the repository is checked out to a clean state.
// Because it might not succeed on the first attempt, a retry is allowed.
for range [2]int{} {
	clean, err := cleanRepository(repoTree)
	if err != nil {
		return err
	}
	if clean {
		return nil
	}
}
return fmt.Errorf("failed to get repository to clean state")

Conclusion

Since the bump does not cause an effective regression in libraries-repository-engine, there is no reason to refrain from accepting it.

Although ideally libraries-repository-engine would operate correctly under these conditions, the inability of the application to do so is not a critical defect. The reason is that the bug is specific to the Windows filesystem (which does not have the concept of executable file permissions) and the production usage of the application is exclusively on a Linux machine. So the defect could only impact contributors using a Windows machine to perform freestyle testing (the project's formal test suite does not provide coverage for these conditions).
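To make the argument above concrete, here is an added Go sketch (not code from libraries-repository-engine or go-git) that reproduces the quoted retry loop against a hypothetical minimal worktree interface, with constructed fakes standing in for the two go-git behaviours described: CheckoutTag fails either way, differing only in how many checkout attempts it makes before giving up.

```go
package main

import "fmt"

// worktree is a hypothetical stand-in for the slice of go-git's Worktree API that
// CheckoutTag uses, so the retry logic can run here without depending on go-git.
type worktree interface {
	Checkout(force bool) error
	IsClean() (bool, error)
}

// cleanRepository mirrors the project's helper: force a checkout, then report whether it is clean.
func cleanRepository(wt worktree) (bool, error) {
	if err := wt.Checkout(true); err != nil {
		return false, err
	}
	return wt.IsClean()
}

// checkoutTag reproduces the two-attempt loop quoted from CheckoutTag.
func checkoutTag(wt worktree) error {
	for range [2]int{} {
		clean, err := cleanRepository(wt)
		if err != nil {
			return err
		}
		if clean {
			return nil
		}
	}
	return fmt.Errorf("failed to get repository to clean state")
}

// fakeWorktree is a constructed model of go-git under the go-git#1411 conditions
// (executable-bit file, Windows host): checkoutErr set models go-git >= v5.13.2, where
// Checkout itself fails (#1411); clean=false models go-git < v5.13.2, never clean (#771).
type fakeWorktree struct {
	checkoutErr error
	clean       bool
	checkouts   int // Checkout calls made by the loop
}

func (f *fakeWorktree) Checkout(bool) error     { f.checkouts++; return f.checkoutErr }
func (f *fakeWorktree) IsClean() (bool, error) { return f.clean, nil }

func main() {
	older, newer := &fakeWorktree{}, &fakeWorktree{checkoutErr: fmt.Errorf("checkout failed (constructed)")}
	fmt.Println(checkoutTag(older), older.checkouts) // error after 2 checkouts
	fmt.Println(checkoutTag(newer), newer.checkouts) // error after 1 checkout
}
```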

@per1234 per1234 merged commit a8be669 into main Mar 2, 2025
43 checks passed
@per1234 per1234 deleted the dependabot/go_modules/github.com/go-git/go-git/v5-5.14.0 branch March 2, 2025 02:05