Skip to content

build(deps): bump the go_modules group across 1 directory with 4 updates #133

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dependabot wants to merge 1 commit into
base: master
Choose a base branch
from
Open

build(deps): bump the go_modules group across 1 directory with 4 updates #133

dependabot wants to merge 1 commit into from
+32 −37

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 10, 2026
edited by devin-ai-integration bot
Loading

Bumps the go_modules group with 3 updates in the / directory: github.com/go-git/go-git/v5, github.com/wneessen/go-mail and github.com/nwaples/rardecode/v2.

Updates github.com/go-git/go-git/v5 from 5.16.2 to 5.16.5

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.16.5

What's Changed

Full Changelog: go-git/go-git@v5.16.4...v5.16.5

v5.16.4

What's Changed

Full Changelog: go-git/go-git@v5.16.3...v5.16.4

v5.16.3

What's Changed

Full Changelog: go-git/go-git@v5.16.2...v5.16.3

Commits
  • 48a1ae0 Merge pull request #1836 from go-git/check-v5
  • 42bdf1f storage: filesystem, Verify idx matches pack file
  • 4146a56 plumbing: format/idxfile, Verify idxfile's checksum
  • 63d78ec plumbing: format/packfile, Add new ErrMalformedPackFile
  • 25f1624 Merge pull request #1800 from Ch00k/no-delete-untracked-v5
  • 600fb13 git: worktree, Don't delete local untracked files when resetting worktree
  • 390a569 Merge pull request #1746 from pjbgf/bump-go
  • 61c8b85 build: Bump Go test versions to 1.23-1.25 (v5)
  • e5a05ec Merge pull request #1744 from go-git/renovate/releases/v5.x-go-golang.org-x-c...
  • 1495930 plumbing: Remove use of non-constant format strings
  • Additional commits viewable in compare view

Updates github.com/wneessen/go-mail from 0.6.2 to 0.7.1

Release notes

Sourced from github.com/wneessen/go-mail's releases.

v0.7.1: Vulnerability fix in mail address handling

[!IMPORTANT] This release fixes a vulnerability. All users are encouraged to update to this release at their earliest convenience.

Welcome to go-mail v0.7.1!

This is a security release, which addresses a bug that causes insufficient address encoding when passing mail addresses to the SMTP client, which could lead to possible wrong address routing or even to ESMTP parameter smuggling.

The details of the bug are outlined in #495 and in the go-mail security advisory: GHSA-wpwj-69cm-q9c5 Github assigned the following CVE for this vulnerability: CVE-2025-59937

The vulnerability has been reported by xclow3n. Thank you very much for the detailed report and the thorough testing!

What's Changed

Full Changelog: wneessen/go-mail@v0.7.0...v0.7.1

Commits
  • 42e92cf Merge pull request #496 from wneessen/bugfix/495_mail-address-parsing
  • c3c0757 Refactored error handling and return values across multiple files
  • 06b3fce Fixed test case and replaced hidden Unicode character for address injection t...
  • 158baff Bumped version to v0.7.1
  • 591f073 Added tests to validate email address injection handling
  • f61143a Refactored sender handling to make use of net/mail's mail address stringifica...
  • 0dcdac6 Added test for handling quoted local-part in recipients (issue #495)
  • ff718ad Refactored recipient handling to make use of net/mail's mail address stringif...
  • ac1eb03 Merge pull request #494 from wneessen/switch-pbkdf2-to-stdlib
  • 0508d94 Removed internal PBKDF2 implementation and replaced with Go's standard library
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.41.0 to 0.45.0

Commits
  • 4e0068c go.mod: update golang.org/x dependencies
  • e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
  • f91f7a7 ssh/agent: prevent panic on malformed constraint
  • 2df4153 acme/autocert: let automatic renewal work with short lifetime certs
  • bcf6a84 acme: pass context to request
  • b4f2b62 ssh: fix error message on unsupported cipher
  • 79ec3a5 ssh: allow to bind to a hostname in remote forwarding
  • 122a78f go.mod: update golang.org/x dependencies
  • c0531f9 all: eliminate vet diagnostics
  • 0997000 all: fix some comments
  • Additional commits viewable in compare view

Updates github.com/nwaples/rardecode/v2 from 2.1.0 to 2.2.0

Commits
  • 52fb4e8 allow max dictionary size to be set, with default now at 4GB
  • 9f4b0d1 dont let the dictionary be larger than the unpacked file size
  • 153fdf5 Merge pull request #47 from nwaples/bytereader
  • 3f140e5 document RarFS methods
  • b4fc922 change os.FileMode to fs.FileMode
  • edb01e7 add Seek support for uncompressed files
  • 710bda2 add initial Seek support for limitedReader
  • 9deacfb save offset in packetFileReader
  • 4f0a750 change limitedReader to save offset internally
  • 1c32663 split volume into readerVolume and fileVolume
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.
Open with Devin

@dependabot
build(deps): bump the go_modules group across 1 directory with 4 updates
239596b 
Bumps the go_modules group with 3 updates in the / directory: [github.com/go-git/go-git/v5](https://github.com/go-git/go-git), [github.com/wneessen/go-mail](https://github.com/wneessen/go-mail) and [github.com/nwaples/rardecode/v2](https://github.com/nwaples/rardecode).


Updates `github.com/go-git/go-git/v5` from 5.16.2 to 5.16.5
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.16.2...v5.16.5)

Updates `github.com/wneessen/go-mail` from 0.6.2 to 0.7.1
- [Release notes](https://github.com/wneessen/go-mail/releases)
- [Commits](wneessen/go-mail@v0.6.2...v0.7.1)

Updates `golang.org/x/crypto` from 0.41.0 to 0.45.0
- [Commits](golang/crypto@v0.41.0...v0.45.0)

Updates `github.com/nwaples/rardecode/v2` from 2.1.0 to 2.2.0
- [Commits](nwaples/rardecode@v2.1.0...v2.2.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.16.5
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/wneessen/go-mail
  dependency-version: 0.7.1
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/nwaples/rardecode/v2
  dependency-version: 2.2.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Feb 10, 2026
@socket-security
Copy link

socket-security bot commented Feb 10, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedgolang/​golang.org/​x/​crypto@​v0.41.0 ⏵ v0.45.074 +1100 +3100100100
Addedgolang/​golang.org/​x/​net@​v0.47.075100100100100
Updatedgolang/​golang.org/​x/​text@​v0.28.0 ⏵ v0.31.078 +1100100100100
Updatedgolang/​github.com/​go-git/​go-git/​v5@​v5.16.2 ⏵ v5.16.581 +1100 +2100100100
Updatedgolang/​golang.org/​x/​sys@​v0.35.0 ⏵ v0.38.084100100100100
Updatedgolang/​github.com/​wneessen/​go-mail@​v0.6.2 ⏵ v0.7.195 +1100 +1610010090
Updatedgolang/​golang.org/​x/​sync@​v0.16.0 ⏵ v0.18.099100100100100

View full report

devin-ai-integration[bot]
devin-ai-integration bot reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

@devin-ai-integration devin-ai-integration bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.

Open in Devin Review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devin-ai-integration devin-ai-integration[bot] devin-ai-integration[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code modifies/dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants