hashicorp / go-getter

Package for downloading things from a string URL using a variety of protocols.
Mozilla Public License 2.0

Backport fix from https://github.com/hashicorp/go-getter/pull/497 to v2 #498

Open nywilken opened 1 week ago

nywilken commented 1 week ago

Recreate git config during update to prevent git config alteration

Related to: #497

nywilken commented 1 week ago

Thanks a lot for the backport 🙌

Should we also backport the fix we did here too (maybe in another PR)?

When presented with this PR in Slack, @sylviamoss and @mcollao-hc validated that v2 is not susceptible to the vulnerability because v2 does not have a function called `findRemoteDefaultBranch`, nor does it execute a command similar to `exec.CommandContext(ctx, "git", "ls-remote", "--symref", "--", u.String(), "HEAD")`.

Please advise if your testing is showing different results.