google / go-licenses

A lightweight tool to report on the licenses used by a Go package and its dependencies. Highlight! Versioned external URL to licenses can be found at the same time.
Apache License 2.0
824 stars 125 forks

Migrate to newer go-git #254

Open divVerent opened 7 months ago

divVerent commented 7 months ago

Projects using go-licenses as a build dependency now always get a security warning:

https://github.com/divVerent/aaaaxy/security/dependabot/7

It appears to be a real RCE that is also exploitable through its use by go-licenses.

This can be fixed only by this module upgrading from gopkg.in/src-d/go-git.v4 to github.com/go-git/go-git/v5.

Can you do that?

divVerent commented 7 months ago

This actually seems to already be fixed by 9a41918e8c1e254f6472bdd8454b6030d445b255 - so all that's required is a new release of go-licenses.
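
The practical question for anyone hit by this alert is whether the old `gopkg.in/src-d/go-git.v4` path is still reachable from their own module, and through which dependency. The following is an added example, not code from go-licenses or from the reporter: it walks `go mod graph` output (a constructed, abbreviated sample is embedded; the module versions in it are illustrative and not taken from the thread) and prints the shortest chain from the main module to the deprecated go-git path. The module name `example.com/app` is hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// sampleGraph is a constructed imitation of `go mod graph` output for a
// hypothetical module example.com/app that uses go-licenses as a build
// dependency. The versions are illustrative, not real resolved versions.
const sampleGraph = `example.com/app github.com/google/go-licenses@v1.6.0
example.com/app golang.org/x/text@v0.14.0
github.com/google/go-licenses@v1.6.0 gopkg.in/src-d/go-git.v4@v4.13.1
github.com/google/go-licenses@v1.6.0 github.com/spf13/cobra@v1.8.0
gopkg.in/src-d/go-git.v4@v4.13.1 golang.org/x/crypto@v0.17.0
`

// modulePath strips the "@version" suffix from a `go mod graph` node so
// that every version of a module compares equal to its import path.
func modulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// parseGraph turns "from to" lines into an adjacency list, preserving the
// order in which edges appear so the search below is deterministic.
func parseGraph(r io.Reader) map[string][]string {
	graph := map[string][]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		graph[fields[0]] = append(graph[fields[0]], fields[1])
	}
	return graph
}

// FindDependencyChain does a breadth-first search from root and returns the
// shortest chain of graph nodes ending at the first node whose module path
// equals target, or nil when that module is not reachable at all.
func FindDependencyChain(graphText, root, target string) []string {
	graph := parseGraph(strings.NewReader(graphText))
	parent := map[string]string{}
	visited := map[string]bool{root: true}
	queue := []string{root}
	for len(queue) > 0 {
		node := queue[0]
		queue = queue[1:]
		if modulePath(node) == target {
			var chain []string
			for n := node; ; n = parent[n] {
				chain = append([]string{n}, chain...)
				if n == root {
					break
				}
			}
			return chain
		}
		for _, next := range graph[node] {
			if !visited[next] {
				visited[next] = true
				parent[next] = node
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() {
	// With "-" as the only argument, read real `go mod graph` output from
	// stdin; otherwise run against the constructed sample above.
	text := sampleGraph
	if len(os.Args) > 1 && os.Args[1] == "-" {
		b, err := io.ReadAll(os.Stdin)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		text = string(b)
	}
	fields := strings.Fields(text)
	if len(fields) == 0 {
		fmt.Fprintln(os.Stderr, "empty graph")
		os.Exit(2)
	}
	root := fields[0] // the main module is the first node and carries no version
	const oldGoGit = "gopkg.in/src-d/go-git.v4"
	if chain := FindDependencyChain(text, root, oldGoGit); chain != nil {
		fmt.Printf("%s is still reachable:\n  %s\n", oldGoGit, strings.Join(chain, "\n  -> "))
		os.Exit(1)
	}
	fmt.Println("deprecated go-git path not reachable from", root)
}
```

Run it on a real project with `go mod graph | go run checkgogit.go -`. Note that `go mod graph` shows the full module graph, which can include modules that are not selected into the final build; to confirm what a built binary actually links, `go version -m <binary>` lists the resolved dependency versions, and `go mod why -m gopkg.in/src-d/go-git.v4` explains why a package path is needed.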