From 42d3a9da1fc6f8f237da8a506439d8edd0b9dc8f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Mar 2026 17:16:43 +0000 Subject: [PATCH] chore(deps): bump github.com/go-git/go-git/v5 from 5.17.0 to 5.17.1 Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.17.0 to 5.17.1. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.17.0...v5.17.1) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-version: 5.17.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 +- .../v5/plumbing/format/idxfile/decoder.go | 10 +- .../v5/plumbing/format/index/decoder.go | 106 ++++++++++++------ .../v5/plumbing/format/index/encoder.go | 39 ++++--- vendor/modules.txt | 2 +- 6 files changed, 105 insertions(+), 58 deletions(-) diff --git a/go.mod b/go.mod index 464154e85..c353841c5 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ require ( github.com/argoproj-labs/argocd-operator v0.15.0 github.com/bradleyfalzon/ghinstallation/v2 v2.17.0 github.com/go-errors/errors v1.5.1 - github.com/go-git/go-git/v5 v5.17.0 + github.com/go-git/go-git/v5 v5.17.1 github.com/go-logr/logr v1.4.3 github.com/google/uuid v1.6.0 github.com/onsi/ginkgo/v2 v2.28.1 diff --git a/go.sum b/go.sum index 1e93e2fb6..78e251c03 100644 --- a/go.sum +++ b/go.sum @@ -146,8 +146,8 @@ github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDz github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII= -github.com/go-git/go-git/v5 v5.17.0 h1:AbyI4xf+7DsjINHMu35quAh4wJygKBKBuXVjV/pxesM= -github.com/go-git/go-git/v5 v5.17.0/go.mod h1:f82C4YiLx+Lhi8eHxltLeGC5uBTXSFa6PC5WW9o4SjI= +github.com/go-git/go-git/v5 v5.17.1 h1:WnljyxIzSj9BRRUlnmAU35ohDsjRK0EKmL0evDqi5Jk= +github.com/go-git/go-git/v5 v5.17.1/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo= github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs= github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08= github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= diff --git a/vendor/github.com/go-git/go-git/v5/plumbing/format/idxfile/decoder.go b/vendor/github.com/go-git/go-git/v5/plumbing/format/idxfile/decoder.go index 867553c68..9e006a726 100644 --- a/vendor/github.com/go-git/go-git/v5/plumbing/format/idxfile/decoder.go +++ b/vendor/github.com/go-git/go-git/v5/plumbing/format/idxfile/decoder.go @@ -91,8 +91,8 @@ func readVersion(idx *MemoryIndex, r io.Reader) error { return err } - if v > VersionSupported { - return ErrUnsupportedVersion + if v != VersionSupported { + return fmt.Errorf("%w: v%d", ErrUnsupportedVersion, v) } idx.Version = v @@ -106,6 +106,10 @@ func readFanout(idx *MemoryIndex, r io.Reader) error { return err } + if k > 0 && n < idx.Fanout[k-1] { + return fmt.Errorf("%w: fanout table is not monotonically non-decreasing at entry %d", ErrMalformedIdxFile, k) + } + idx.Fanout[k] = n idx.FanoutMapping[k] = noMapping } @@ -155,7 +159,7 @@ func readCRC32(idx *MemoryIndex, r io.Reader) error { } func readOffsets(idx *MemoryIndex, r io.Reader) error { - var o64cnt int + var o64cnt int64 for k := 0; k < fanout; k++ { if pos := idx.FanoutMapping[k]; pos != noMapping { if _, err := io.ReadFull(r, idx.Offset32[pos]); err != nil { diff --git a/vendor/github.com/go-git/go-git/v5/plumbing/format/index/decoder.go b/vendor/github.com/go-git/go-git/v5/plumbing/format/index/decoder.go index fc25d3702..a1bdf00a2 100644 --- a/vendor/github.com/go-git/go-git/v5/plumbing/format/index/decoder.go +++ b/vendor/github.com/go-git/go-git/v5/plumbing/format/index/decoder.go @@ -4,8 +4,8 @@ import ( "bufio" "bytes" "errors" + "fmt" "io" - "strconv" "time" @@ -26,12 +26,14 @@ var ( ErrInvalidChecksum = errors.New("invalid checksum") // ErrUnknownExtension is returned when an index extension is encountered that is considered mandatory ErrUnknownExtension = errors.New("unknown extension") + // ErrMalformedIndexFile is returned when the index file contents are + // structurally invalid. + ErrMalformedIndexFile = errors.New("index decoder: malformed index file") ) const ( entryHeaderLength = 62 entryExtended = 0x4000 - entryValid = 0x8000 nameMask = 0xfff intentToAddMask = 1 << 13 skipWorkTreeMask = 1 << 14 @@ -140,33 +142,55 @@ func (d *Decoder) readEntry(idx *Index) (*Entry, error) { e.SkipWorktree = extended&skipWorkTreeMask != 0 } - if err := d.readEntryName(idx, e, flags); err != nil { + nameConsumed, err := d.readEntryName(idx, e, flags) + if err != nil { return nil, err } - return e, d.padEntry(idx, e, read) + return e, d.padEntry(idx, e, read, nameConsumed) } -func (d *Decoder) readEntryName(idx *Index, e *Entry, flags uint16) error { - var name string - var err error - +// readEntryName reads the entry path and sets e.Name. It returns the +// number of bytes consumed from the stream for the name portion. +func (d *Decoder) readEntryName(idx *Index, e *Entry, flags uint16) (int, error) { switch idx.Version { case 2, 3: - len := flags & nameMask - name, err = d.doReadEntryName(len) + nameLen := flags & nameMask + name, consumed, err := d.doReadEntryName(nameLen) + if err != nil { + return 0, err + } + e.Name = name + return consumed, nil case 4: - name, err = d.doReadEntryNameV4() + name, err := d.doReadEntryNameV4() + if err != nil { + return 0, err + } + e.Name = name + return 0, nil // V4 has no padding; consumed count unused default: - return ErrUnsupportedVersion + return 0, ErrUnsupportedVersion } +} - if err != nil { - return err +// doReadEntryName reads the entry path for V2/V3 indexes. It returns the +// name, the number of bytes consumed from the stream, and any error. +// When nameLen equals nameMask (0xFFF), the name was too long to fit in +// the 12-bit field and the real length is found by scanning for the NUL +// terminator — matching C Git's strlen(name) fallback in create_from_disk. +func (d *Decoder) doReadEntryName(nameLen uint16) (string, int, error) { + if nameLen == nameMask { + name, err := binary.ReadUntil(d.r, '\x00') + if err != nil { + return "", 0, err + } + return string(name), len(name) + 1, nil // +1 for the consumed NUL delimiter } - e.Name = name - return nil + name := make([]byte, nameLen) + _, err := io.ReadFull(d.r, name) + return string(name), int(nameLen), err } func (d *Decoder) doReadEntryNameV4() (string, error) { @@ -177,7 +201,14 @@ func (d *Decoder) doReadEntryNameV4() (string, error) { var base string if d.lastEntry != nil { + if l < 0 || int(l) > len(d.lastEntry.Name) { + return "", fmt.Errorf("%w: invalid V4 entry name strip length %d (previous name length: %d)", + ErrMalformedIndexFile, l, len(d.lastEntry.Name)) + } base = d.lastEntry.Name[:len(d.lastEntry.Name)-int(l)] + } else if l > 0 { + return "", fmt.Errorf("%w: non-zero strip length %d on first V4 entry", + ErrMalformedIndexFile, l) } name, err := binary.ReadUntil(d.r, '\x00') @@ -188,24 +219,23 @@ func (d *Decoder) doReadEntryNameV4() (string, error) { return base + string(name), nil } -func (d *Decoder) doReadEntryName(len uint16) (string, error) { - name := make([]byte, len) - _, err := io.ReadFull(d.r, name) - - return string(name), err -} - -// Index entries are padded out to the next 8 byte alignment -// for historical reasons related to how C Git read the files. -func (d *Decoder) padEntry(idx *Index, e *Entry, read int) error { +// padEntry discards NUL padding bytes that follow each V2/V3 entry on +// disk. nameConsumed is the number of stream bytes consumed while reading +// the entry name (which may exceed len(e.Name) when a NUL terminator was +// consumed for long names where the 12-bit length field overflowed). +func (d *Decoder) padEntry(idx *Index, e *Entry, read, nameConsumed int) error { if idx.Version == 4 { return nil } entrySize := read + len(e.Name) padLen := 8 - entrySize%8 - _, err := io.CopyN(io.Discard, d.r, int64(padLen)) - return err + padLen -= nameConsumed - len(e.Name) + if padLen > 0 { + _, err := io.CopyN(io.Discard, d.r, int64(padLen)) + return err + } + return nil } func (d *Decoder) readExtensions(idx *Index) error { @@ -312,7 +342,7 @@ func (d *Decoder) readChecksum(expected []byte) error { } func validateHeader(r io.Reader) (version uint32, err error) { - var s = make([]byte, 4) + s := make([]byte, 4) if _, err := io.ReadFull(r, s); err != nil { return 0, err } @@ -376,24 +406,26 @@ func (d *treeExtensionDecoder) readEntry() (*TreeEntry, error) { return nil, err } - // An entry can be in an invalidated state and is represented by having a - // negative number in the entry_count field. - if i == -1 { - return nil, nil - } - e.Entries = i trees, err := binary.ReadUntil(d.r, '\n') if err != nil { return nil, err } - i, err = strconv.Atoi(string(trees)) + subtrees, err := strconv.Atoi(string(trees)) if err != nil { return nil, err } - e.Trees = i + e.Trees = subtrees + + // An entry can be in an invalidated state and is represented by having a + // negative number in the entry_count field. In this case, there is no + // object name and the next entry starts immediately after the newline. + if i < 0 { + return nil, nil + } + _, err = io.ReadFull(d.r, e.Hash[:]) if err != nil { return nil, err diff --git a/vendor/github.com/go-git/go-git/v5/plumbing/format/index/encoder.go b/vendor/github.com/go-git/go-git/v5/plumbing/format/index/encoder.go index c232e0323..161bd97ff 100644 --- a/vendor/github.com/go-git/go-git/v5/plumbing/format/index/encoder.go +++ b/vendor/github.com/go-git/go-git/v5/plumbing/format/index/encoder.go @@ -5,9 +5,7 @@ import ( "errors" "fmt" "io" - "path" "sort" - "strings" "time" "github.com/go-git/go-git/v5/plumbing/hash" @@ -160,26 +158,39 @@ func (e *Encoder) encodeEntryName(entry *Entry) error { } func (e *Encoder) encodeEntryNameV4(entry *Entry) error { - name := entry.Name - l := 0 + // V4 prefix compression: find the longest common prefix between the + // previous entry's name and the current one. The strip length tells + // the decoder how many bytes to remove from the end of the previous + // name, and the suffix is the remainder of the current name. + prefix := 0 if e.lastEntry != nil { - dir := path.Dir(e.lastEntry.Name) + "/" - if strings.HasPrefix(entry.Name, dir) { - l = len(e.lastEntry.Name) - len(dir) - name = strings.TrimPrefix(entry.Name, dir) - } else { - l = len(e.lastEntry.Name) - } + prefix = commonPrefixLen(e.lastEntry.Name, entry.Name) + } + stripLen := 0 + if e.lastEntry != nil { + stripLen = len(e.lastEntry.Name) - prefix } e.lastEntry = entry - err := binary.WriteVariableWidthInt(e.w, int64(l)) - if err != nil { + if err := binary.WriteVariableWidthInt(e.w, int64(stripLen)); err != nil { return err } - return binary.Write(e.w, []byte(name+string('\x00'))) + suffix := entry.Name[prefix:] + return binary.Write(e.w, append([]byte(suffix), '\x00')) +} + +// commonPrefixLen returns the length of the longest common byte prefix +// between a and b. +func commonPrefixLen(a, b string) int { + n := min(len(b), len(a)) + for i := range n { + if a[i] != b[i] { + return i + } + } + return n } func (e *Encoder) encodeRawExtension(signature string, data []byte) error { diff --git a/vendor/modules.txt b/vendor/modules.txt index 51c236374..f986a6349 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -319,7 +319,7 @@ github.com/go-git/go-billy/v5/helper/polyfill github.com/go-git/go-billy/v5/memfs github.com/go-git/go-billy/v5/osfs github.com/go-git/go-billy/v5/util -# github.com/go-git/go-git/v5 v5.17.0 +# github.com/go-git/go-git/v5 v5.17.1 ## explicit; go 1.24.0 github.com/go-git/go-git/v5 github.com/go-git/go-git/v5/config