chore(deps): bump the go_modules group across 3 directories with 2 updates by dependabot[bot] · Pull Request #5365 · google/osv.dev

dependabot · 2026-05-13T15:32:29Z

Bumps the go_modules group with 1 update in the /gcp/indexer directory: github.com/go-git/go-git/v5.
Bumps the go_modules group with 1 update in the /go directory: github.com/go-git/go-billy/v6.
Bumps the go_modules group with 1 update in the /vulnfeeds directory: github.com/go-git/go-git/v5.

Updates github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.19.0

What's Changed

build: Update module github.com/go-git/go-git/v5 to v5.18.0 [SECURITY] (releases/v5.x) by @go-git-renovate[bot] in go-git/go-git#2010

v5: Bump sha1cd and go-billy by @pjbgf in go-git/go-git#2060

v5: Align object encoding with upstream by @pjbgf in go-git/go-git#2065

Full Changelog: go-git/go-git@v5.18.0...v5.19.0

Commits

bc930f4 Merge pull request #2065 from go-git/commit-v5
d315264 plumbing: object, Reset object before decode
6e1d348 plumbing: object, Align Tree handling with upstream
e134ba3 tests: Skip double checks in Git v2.11
1971422 tests: Add git conformance tests for signing verification
a387aa8 plumbing: object, Add ErrMalformedTag
f415670 plumbing: object, Decode Tag headers via a state machine
5b0cd38 plumbing: object, Reject multi-signature commits at Verify
fe8ed62 plumbing: object, Align Tag.EncodeWithoutSignature with Commit
98e337d plumbing: object, Add support for Tag.SignatureSHA256
Additional commits viewable in compare view

Updates github.com/go-git/go-billy/v6 from 6.0.0-20260424211911-732291493fb8 to 6.0.0-alpha.1

Release notes

Sourced from github.com/go-git/go-billy/v6's releases.

v6.0.0-alpha.1

What's Changed

build(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 by @dependabot[bot] in go-git/go-billy#35

Adding support for wasm/wasip1 by @tryggvil in go-git/go-billy#36

Memory.ReadDir() should return an error when path isn't found. by @weberc2-tempus in go-git/go-billy#38

Adding support for WriteAt by @sfc-gh-thardie in go-git/go-billy#39

Update memfs.New() to create root directory by @onee-only in go-git/go-billy#45

Fix symlink by @pjbgf in go-git/go-billy#46

Close via defer by @spennymac in go-git/go-billy#47

build(deps): bump golang.org/x/net from 0.17.0 to 0.23.0 by @dependabot[bot] in go-git/go-billy#49

General improvements to memfs by @pjbgf in go-git/go-billy#50

build: bump actions/checkout from 3 to 4 by @dependabot[bot] in go-git/go-billy#51

build: bump golang.org/x/sys from 0.18.0 to 0.19.0 by @dependabot[bot] in go-git/go-billy#53

build: bump github/codeql-action from 2.3.3 to 3.25.3 by @dependabot[bot] in go-git/go-billy#54

build: bump actions/setup-go from 3 to 5 by @dependabot[bot] in go-git/go-billy#55

build: bump github.com/onsi/gomega from 1.27.10 to 1.33.0 by @dependabot[bot] in go-git/go-billy#52

boundos:insideBaseDirEval: return true if baseDir is "/" by @rminnich in go-git/go-billy#48

Bumping dependencies and forward ports by @pjbgf in go-git/go-billy#97

build: bump golang.org/x/sys from 0.28.0 to 0.29.0 in the golang-org group by @dependabot[bot] in go-git/go-billy#99

memfs: Add deterministic modification times by @pjbgf in go-git/go-billy#98

Bump module to v6 by @pjbgf in go-git/go-billy#107

build: Add golangci-lint checks by @pjbgf in go-git/go-billy#109

build: bump github.com/cyphar/filepath-securejoin from 0.3.6 to 0.4.1 by @dependabot[bot] in go-git/go-billy#112

build: bump github/codeql-action from 3.27.5 to 3.28.8 by @dependabot[bot] in go-git/go-billy#113

build: bump golang.org/x/sys from 0.29.0 to 0.30.0 in the golang-org group by @dependabot[bot] in go-git/go-billy#114

memfs: Add thread-safety to Memory by @pjbgf in go-git/go-billy#110

embedfs: Move the embedfs from go-git-fixtures by @pjbgf in go-git/go-billy#111

build: Bump Go to 1.22 by @pjbgf in go-git/go-billy#115

build: Add OpenSSF Scorecard by @pjbgf in go-git/go-billy#116

build: Bump and pin GH actions by @pjbgf in go-git/go-billy#117

build: bump actions/checkout from 4.1.1 to 4.2.2 by @dependabot[bot] in go-git/go-billy#118

build: bump github/codeql-action from 3.28.10 to 3.28.13 by @dependabot[bot] in go-git/go-billy#124

build: bump actions/setup-go from 5.3.0 to 5.4.0 by @dependabot[bot] in go-git/go-billy#123

build: bump actions/upload-artifact from 4.6.1 to 4.6.2 by @dependabot[bot] in go-git/go-billy#122

build: bump github/codeql-action from 3.28.13 to 3.28.16 by @dependabot[bot] in go-git/go-billy#128

build: bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in go-git/go-billy#129

build: bump actions/setup-go from 5.4.0 to 5.5.0 by @dependabot[bot] in go-git/go-billy#130

build: bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in go-git/go-billy#131

build: bump golang.org/x/sys from 0.30.0 to 0.31.0 in the golang-org group by @dependabot[bot] in go-git/go-billy#119

Bump golangci to v2.1.6 by @pjbgf in go-git/go-billy#133

build: bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in go-git/go-billy#134

build: bump golang.org/x/sys from 0.33.0 to 0.34.0 in the golang-org group by @dependabot[bot] in go-git/go-billy#136

build: bump golang.org/x/sys from 0.34.0 to 0.35.0 in the golang-org group by @dependabot[bot] in go-git/go-billy#139

build: bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in go-git/go-billy#138

build: bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in go-git/go-billy#142

build: bump github/codeql-action from 3.29.7 to 3.30.0 by @dependabot[bot] in go-git/go-billy#143

build: bump github.com/stretchr/testify from 1.10.0 to 1.11.1 by @dependabot[bot] in go-git/go-billy#141

build: bump golang.org/x/sys from 0.35.0 to 0.36.0 in the golang-org group by @dependabot[bot] in go-git/go-billy#144

build: Pin dependencies, enable CodeQL for GH actions and bump Go versions by @pjbgf in go-git/go-billy#145

build: bump github.com/cyphar/filepath-securejoin from 0.4.1 to 0.5.0 by @dependabot[bot] in go-git/go-billy#146

... (truncated)

Commits

See full diff in compare view

Updates github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.19.0

What's Changed

build: Update module github.com/go-git/go-git/v5 to v5.18.0 [SECURITY] (releases/v5.x) by @go-git-renovate[bot] in go-git/go-git#2010

v5: Bump sha1cd and go-billy by @pjbgf in go-git/go-git#2060

v5: Align object encoding with upstream by @pjbgf in go-git/go-git#2065

Full Changelog: go-git/go-git@v5.18.0...v5.19.0

Commits

bc930f4 Merge pull request #2065 from go-git/commit-v5
d315264 plumbing: object, Reset object before decode
6e1d348 plumbing: object, Align Tree handling with upstream
e134ba3 tests: Skip double checks in Git v2.11
1971422 tests: Add git conformance tests for signing verification
a387aa8 plumbing: object, Add ErrMalformedTag
f415670 plumbing: object, Decode Tag headers via a state machine
5b0cd38 plumbing: object, Reject multi-signature commits at Verify
fe8ed62 plumbing: object, Align Tag.EncodeWithoutSignature with Commit
98e337d plumbing: object, Add support for Tag.SignatureSHA256
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

…dates Bumps the go_modules group with 1 update in the /gcp/indexer directory: [github.com/go-git/go-git/v5](https://github.com/go-git/go-git). Bumps the go_modules group with 1 update in the /go directory: [github.com/go-git/go-billy/v6](https://github.com/go-git/go-billy). Bumps the go_modules group with 1 update in the /vulnfeeds directory: [github.com/go-git/go-git/v5](https://github.com/go-git/go-git). Updates `github.com/go-git/go-git/v5` from 5.18.0 to 5.19.0 - [Release notes](https://github.com/go-git/go-git/releases) - [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md) - [Commits](go-git/go-git@v5.18.0...v5.19.0) Updates `github.com/go-git/go-billy/v6` from 6.0.0-20260424211911-732291493fb8 to 6.0.0-alpha.1 - [Release notes](https://github.com/go-git/go-billy/releases) - [Commits](https://github.com/go-git/go-billy/commits/v6.0.0-alpha.1) Updates `github.com/go-git/go-git/v5` from 5.18.0 to 5.19.0 - [Release notes](https://github.com/go-git/go-git/releases) - [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md) - [Commits](go-git/go-git@v5.18.0...v5.19.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-version: 5.19.0 dependency-type: direct:production dependency-group: go_modules - dependency-name: github.com/go-git/go-billy/v6 dependency-version: 6.0.0-alpha.1 dependency-type: indirect dependency-group: go_modules - dependency-name: github.com/go-git/go-git/v5 dependency-version: 5.19.0 dependency-type: direct:production dependency-group: go_modules ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-05-15T01:10:44Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels May 13, 2026

dependabot Bot closed this May 15, 2026

dependabot Bot deleted the dependabot/go_modules/gcp/indexer/go_modules-713d0d1fda branch May 15, 2026 01:10

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the go_modules group across 3 directories with 2 updates#5365

chore(deps): bump the go_modules group across 3 directories with 2 updates#5365
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/gcp/indexer/go_modules-713d0d1fda

dependabot Bot commented on behalf of github May 13, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github May 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v5.19.0

What's Changed

v6.0.0-alpha.1

What's Changed

v5.19.0

What's Changed

Uh oh!

dependabot Bot commented on behalf of github May 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github May 13, 2026 •

edited

Loading