[🐸 Frogbot] Update version of github.com/go-git/go-git/v5 to 5.16.5

[github-actions]

📦 Vulnerable Dependencies

Severity	ID	Contextual Analysis	Direct Dependencies	Impacted Dependency	Fixed Versions
Medium	CVE-2026-25934	Not Covered	github.com/go-git/go-git/v5:v5.16.3 github.com/jfrog/jfrog-cli-artifactory:v0.8.1-0.20260120063955-c654c159290e github.com/jfrog/jfrog-cli-core/v2:v2.60.1-0.20260112010739-87fc7275623c github.com/jfrog/jfrog-cli-security:v1.26.0 github.com/jfrog/jfrog-client-go:v1.55.1-0.20260121110006-56e09db08899	github.com/go-git/go-git/v5 v5.16.3	[5.16.5]

🔖 Details

Vulnerability Details

Contextual Analysis:	Not Covered
Direct Dependencies:	github.com/go-git/go-git/v5:v5.16.3, github.com/jfrog/jfrog-cli-artifactory:v0.8.1-0.20260120063955-c654c159290e, github.com/jfrog/jfrog-cli-core/v2:v2.60.1-0.20260112010739-87fc7275623c, github.com/jfrog/jfrog-cli-security:v1.26.0, github.com/jfrog/jfrog-client-go:v1.55.1-0.20260121110006-56e09db08899
Impacted Dependency:	github.com/go-git/go-git/v5:v5.16.3
Fixed Versions:	[5.16.5]
CVSS V3:	4.3

go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.

---

🐸 JFrog Frogbot