Bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.1 #395

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/github.com/go-git/go-git/v5-5.19.1

@dependabot dependabot Bot commented on behalf of github May 19, 2026

Bumps github.com/go-git/go-git/v5 from 5.18.0 to 5.19.1.

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.19.1

What's Changed

Full Changelog: go-git/go-git@v5.19.0...v5.19.1

v5.19.0

What's Changed

Full Changelog: go-git/go-git@v5.18.0...v5.19.0

Commits
  • 3c3be60 Merge pull request #2137 from go-git/validate-v5
  • 3fba897 plumbing: format/packfile, cap delta chain depth in parser
  • a97d660 Merge pull request #2125 from hiddeco/v5/format-input-bounds
  • aeaa125 plumbing: format/objfile, require Header before Read
  • 1f38e17 plumbing: format/packfile, bound inflate size
  • f7545a0 plumbing: format/idxfile, bound nr by file size
  • 170b881 Merge pull request #2116 from pjbgf/symlink-v5
  • 7b6d994 Merge pull request #2117 from hiddeco/v5/worktree-fs-mkdirall-root-noop
  • f0709b3 git: Stop validating symlink target paths
  • 776d00f git: Allow MkdirAll on worktree-root paths
  • Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.18.0 to 5.19.1.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](go-git/go-git@v5.18.0...v5.19.1)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.19.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels May 19, 2026
@openshift-ci openshift-ci Bot requested review from Jdubrick and elsony May 19, 2026 08:07

@thepetk thepetk left a comment

/lgtm

/retest

openshift-ci Bot commented Jun 22, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dependabot[bot], thepetk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@thepetk thepetk closed this Jun 22, 2026
dependabot Bot commented on behalf of github Jun 22, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@thepetk thepetk reopened this Jun 22, 2026
@qodo-code-review

PR Summary by Qodo

Bump go-git to v5.19.1 and refresh Go module/toolchain versions
⚙️ Configuration changes 🕐 10-20 Minutes

Description

• Bump github.com/go-git/go-git/v5 from v5.18.0 to v5.19.1.
• Update Go version directive to 1.25.0.
• Refresh transitive dependencies and checksums (x/*, go-billy, securejoin, sha1cd).

Diagram

```mermaid
graph TD
  alizer["alizer module"] --> gomod["go.mod/go.sum"] --> go125["Go 1.25"]
  alizer --> gogit{{"go-git v5.19.1"}} --> billy{{"go-billy v5.9.0"}}
  gogit --> securejoin{{"securejoin v0.6.1"}}
  gogit --> sha1cd{{"sha1cd v0.6.0"}} --> cpuid{{"cpuid/v2 v2.3.0"}}
  gogit --> xpkgs{{"golang.org/x/*"}}
```

High-Level Assessment

The following are alternative approaches to this PR:

1. Split into two PRs (Go version vs dependency bump)
  • ➕ Isolates risk: Go toolchain changes can be validated/rolled back independently
  • ➕ Simplifies root-cause if CI breaks (toolchain vs library)
  • ➖ Two PRs to review/merge
  • ➖ May be blocked if the dependency bump truly requires the newer Go directive
2. Keep 'go' directive stable and use a 'toolchain' directive (if desired)
  • ➕ Preserves module language version compatibility while still pinning build toolchain
  • ➕ Reduces downstream constraints for consumers that vendor this module
  • ➖ May not match repository policy if you intentionally want to raise the minimum Go version
  • ➖ Requires confirming supported Go policy and CI matrices

Recommendation: Proceed with the dependency bump as-is, but explicitly confirm the repository’s intended minimum Go version before merging (the PR raises the go.mod 'go' directive to 1.25.0). If the Go version change wasn’t intentional, prefer splitting or reverting just the 'go' directive and re-running 'go mod tidy' under the supported toolchain.

Files changed (2) +31 / -28

Other (2) +31 / -28

go.mod (+9/-8): Bump go-git to v5.19.1 and update Go version + indirect deps

• Updates the module 'go' directive to 1.25.0 and bumps github.com/go-git/go-git/v5 to v5.19.1. Refreshes several indirect dependencies (notably go-billy, filepath-securejoin, sha1cd, and multiple golang.org/x packages) to match the new dependency graph.

go.sum (+22/-20): Refresh go.sum checksums for upgraded transitive modules

• Updates checksums to reflect the new go-git/go-billy versions and associated transitive upgrades. Adds checksums for newly introduced/updated modules (e.g., klauspost/cpuid/v2) and bumps multiple golang.org/x module versions.

@qodo-code-review

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📜 Skill insights (0)

Action required

1. Go version bump mismatch 🐞 Bug ☼ Reliability

Description

The PR bumps the module Go version to 1.25.0, which drops compatibility with older Go toolchains and also changes the Go version used by CI/release workflows because they read the version from go.mod. The repo README still advertises Go 1.24, so the required toolchain version is now inconsistent with the documented support level.

Code

go.mod[3]

+go 1.25.0

Evidence

go.mod now declares `go 1.25.0`, while CI/release workflows explicitly configure `actions/setup-go` to use `go-version-file: go.mod`, meaning they will follow the new required version. The README still shows a Go 1.24 badge, creating an inconsistency between documented and enforced toolchain versions.

go.mod[1-7]
.github/workflows/CI.yml[14-18]
.github/workflows/release.yaml[34-37]
README.md[1-5]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
This PR updates `go.mod` to `go 1.25.0`, which raises the minimum required Go version and changes what CI installs (workflows use `go-version-file: go.mod`). The README still advertises Go 1.24, so either the Go version bump is unintentional or documentation/support policy must be updated.

### Issue Context
- `actions/setup-go` in CI and release workflows reads the Go version from `go.mod`, so changing the `go` directive changes the toolchain used in automation.
- Contributors/users following the README will reasonably expect Go 1.24 compatibility.

### Fix Focus Areas
- go.mod[3-3]
- README.md[1-5]
- .github/workflows/CI.yml[14-18]
- .github/workflows/release.yaml[34-37]

### Suggested fix
- If Go 1.25 is **not** an intentional minimum requirement change: revert `go 1.25.0` back to the prior minimum (e.g., `1.24.3`) and re-run `go mod tidy` with that Go version.
- If Go 1.25 **is** intentional: update README (badge and any stated requirements) to reflect 1.25, and ensure any other tooling/docs that assume 1.24 are updated accordingly.

Comment thread go.mod
module github.com/devfile/alizer

go 1.24.3
go 1.25.0
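
Review bot: The `go` line moves from 1.24.3 to 1.25.0, but the commit message records only the go-git update (`dependency-name: github.com/go-git/go-git/v5`), so the higher language version lands without a stated reason. Name the module in the new dependency graph that requires Go 1.25 in the commit message, or keep `go 1.24.3` if none does.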

Action required

1. Go version bump mismatch 🐞 Bug ☼ Reliability

The PR bumps the module Go version to 1.25.0, which drops compatibility with older Go toolchains and also changes the Go version used by CI/release workflows because they read the version from go.mod. The repo README still advertises Go 1.24, so the required toolchain version is now inconsistent with the documented support level.

Agent Prompt
### Issue description
This PR updates `go.mod` to `go 1.25.0`, which raises the minimum required Go version and changes what CI installs (workflows use `go-version-file: go.mod`). The README still advertises Go 1.24, so either the Go version bump is unintentional or documentation/support policy must be updated.

### Issue Context
- `actions/setup-go` in CI and release workflows reads the Go version from `go.mod`, so changing the `go` directive changes the toolchain used in automation.
- Contributors/users following the README will reasonably expect Go 1.24 compatibility.

### Fix Focus Areas
- go.mod[3-3]
- README.md[1-5]
- .github/workflows/CI.yml[14-18]
- .github/workflows/release.yaml[34-37]

### Suggested fix
- If Go 1.25 is **not** an intentional minimum requirement change: revert `go 1.25.0` back to the prior minimum (e.g., `1.24.3`) and re-run `go mod tidy` with that Go version.
- If Go 1.25 **is** intentional: update README (badge and any stated requirements) to reflect 1.25, and ensure any other tooling/docs that assume 1.24 are updated accordingly.

@thepetk thepetk closed this Jun 22, 2026
@dependabot dependabot Bot deleted the dependabot/go_modules/github.com/go-git/go-git/v5-5.19.1 branch June 22, 2026 15:54
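
The review in this thread points out that the workflows take their Go version from go.mod, so a dependency bump that also rewrites the `go` directive changes the toolchain used in CI. A pre-merge check for that drift, as an added example that is not part of this PR or the alizer repository; the function names, the embedded go.mod and README text, and the badge URL pattern are constructed assumptions:

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed inputs; the README badge markup is an assumption, not the repository's.
const (
	oldMod = "module github.com/devfile/alizer\n\ngo 1.24.3\n\nrequire github.com/go-git/go-git/v5 v5.18.0\n"
	newMod = "module github.com/devfile/alizer\n\ngo 1.25.0\n\nrequire github.com/go-git/go-git/v5 v5.19.1\n"
	readme = "# Alizer\n![Go](https://img.shields.io/badge/Go-1.24-blue)\n"
)

var (
	goLine = regexp.MustCompile(`(?m)^go[ \t]+((\d+\.\d+)(?:\.\d+|rc\d+|beta\d+)?)`)
	badge  = regexp.MustCompile(`badge/Go-(\d+\.\d+)`)
)

// goDirective returns the full version and its major.minor part; ok is false if absent.
func goDirective(mod string) (full, minor string, ok bool) {
	if m := goLine.FindStringSubmatch(mod); m != nil {
		return m[1], m[2], true
	}
	return "", "", false
}

// checkBump lists toolchain drift that a dependency-only PR would otherwise carry silently.
func checkBump(base, head, doc string) []string {
	oldFull, _, okOld := goDirective(base)
	newFull, newMinor, okNew := goDirective(head)
	if !okOld || !okNew {
		return []string{"go directive missing from go.mod"}
	}
	var out []string
	if oldFull != newFull {
		out = append(out, fmt.Sprintf("go directive changed: %s -> %s", oldFull, newFull))
	}
	if m := badge.FindStringSubmatch(doc); m != nil && m[1] != newMinor {
		out = append(out, fmt.Sprintf("README advertises Go %s, go.mod requires %s", m[1], newFull))
	}
	return out
}

func main() {
	for _, finding := range checkBump(oldMod, newMod, readme) {
		fmt.Println(finding)
	}
}
```

In a pipeline, `base` and `head` would be go.mod from the target branch and from the PR branch, and a non-empty result would fail the job until the change is acknowledged.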
Labels

approved dependencies Pull requests that update a dependency file go Pull requests that update Go code lgtm
