fix: upgrade go-git to v6.0.0-alpha.3 to resolve GHSA-389r-gv7p-r3rp#3110
Open
chainloop-platform[bot] wants to merge 2 commits into
Open
fix: upgrade go-git to v6.0.0-alpha.3 to resolve GHSA-389r-gv7p-r3rp#3110chainloop-platform[bot] wants to merge 2 commits into
chainloop-platform[bot] wants to merge 2 commits into
Conversation
Upgrades github.com/go-git/go-git/v6 from v6.0.0-alpha.2 to v6.0.0-alpha.3 to fix improper parsing of specially crafted Git objects that could lead to inconsistent interpretation compared to upstream Git. This vulnerability (CVE-2025-21607, GHSA-389r-gv7p-r3rp) had a CVSS score of 7.0 (High) and could allow attackers to manipulate commit metadata in attestation records, undermining supply chain security guarantees. Assisted-by: Claude Code
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Combines dependabot PRs #3103 and #3104 on top of the GHSA fix: - go-git/v5 5.18.0 -> 5.19.0 - go-billy/v5 5.8.0 -> 5.9.0 - go-billy/v6, go-git-fixtures/v6 refreshed for v6 alpha.3 - sha1cd 0.5.0 -> 0.6.0 - golang.org/x/exp, x/mod, x/tools bumped via go mod tidy Assisted-by: Claude Code Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
migmartri
approved these changes
May 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Upgrades go-git from v6.0.0-alpha.2 to v6.0.0-alpha.3 to fix a high-severity vulnerability in Git object parsing that could lead to supply chain security issues.
Vulnerability Fixed
GHSA-389r-gv7p-r3rp (CVE-2025-21607) - HIGH severity (CVSS 7.0)
go-git's improper parsing of specially crafted Git objects may lead to inconsistent interpretation compared to upstream Git. The library's commit signing and verification logic operates over commit data reconstructed from go-git's parsed representation rather than the original raw object bytes. When parsing malformed objects with ambiguous or specially crafted headers, go-git may parse them differently than canonical Git, causing signatures to appear valid for commits whose displayed metadata differs from the object intended to be signed.
Changes Made
github.com/go-git/go-git/v6fromv6.0.0-alpha.2tov6.0.0-alpha.3in go.modImpact
This vulnerability affects Chainloop's attestation crafter component (
pkg/attestation/crafter/crafter.go) which parses Git commit objects during attestation initialization. The fix ensures that commit metadata (author, timestamp, message, signature status) is parsed consistently with canonical Git, preventing potential manipulation of supply chain evidence recorded in immutable attestations.Testing
After merging, verify that:
Assisted-by: Claude Code