[v5] git: Add strict checks for supported extensions #1861
Merged
pjbgf merged 2 commits into go-git:releases/v5.x from Feb 24, 2026
The upstream Git enforces fail-safe heuristics to ensure that older git versions will avoid handling repositories using extensions they are unaware of. The logic is largely based on the value of core.repositoryformatversion.

As per official Git docs:

> This version specifies the rules for operating on the on-disk repository data.
> An implementation of git which does not understand a particular version
> advertised by an on-disk repository MUST NOT operate on that repository;
> doing so risks not only producing wrong results, but actually losing data.

Now go-git will ensure that:

- The git.Open logic will verify and enforce the extension support rules.
- go-git will keep track of built-in extensions that it supports.

This is a breaking change and it will force go-git to not be able to open repositories that it in fact doesn't really support. Conversely, the error messages will be more useful (e.g. unknown extension vs object not found).

Upstream refs:

- https://git-scm.com/docs/git-config#Documentation/git-config.txt-extensions
- https://git-scm.com/docs/gitrepository-layout#_git_repository_format_versions

Signed-off-by: Paulo Gomes <[email protected]>
Pull request overview
This PR backports strict Git extension validation from #1850 to go-git v5. It enforces Git's fail-safe heuristics for repository format versions, ensuring go-git refuses to open repositories using unsupported extensions or format versions.
Changes:
- Added extension validation logic in `verifyExtensions()` function that checks repository format version compatibility
- Integrated extension checks into the `Open()` function to reject unsupported repositories early
- Added comprehensive test coverage for various extension and format version scenarios
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| repository_extensions.go | New file implementing core extension validation logic with error definitions, supported extension maps, and the verifyExtensions function |
| repository.go | Integrates extension validation into the Open function by calling verifyExtensions after loading config |
| repository_extensions_test.go | New test file with table-driven tests covering various extension and format version scenarios |
The test workflow for v5 diverged from main slightly, including its job name, which caused it to not be in-sync with the latest repository rulesets.

Signed-off-by: Paulo Gomes <[email protected]>
arthurzam pushed a commit to gentoo-golang-dist/forgejo-runner that referenced this pull request Feb 27, 2026

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `v5.16.5` -> `v5.17.0` |  |  |

---

### Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

### [`v5.17.0`](https://github.com/go-git/go-git/releases/tag/v5.17.0)

[Compare Source](go-git/go-git@v5.16.5...v5.17.0)

#### What's Changed

- build: Update module github.com/go-git/go-git/v5 to v5.16.5 \[SECURITY] (releases/v5.x) by [@go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#1839](go-git/go-git#1839)
- git: worktree, optimize infiles function for very large repos by [@k-anshul](https://github.com/k-anshul) in [#1853](go-git/go-git#1853)
- git: Add strict checks for supported extensions by [@pjbgf](https://github.com/pjbgf) in [#1861](go-git/go-git#1861)
- backport, git: Improve Status() speed with new index.ModTime check by [@cedric-appdirect](https://github.com/cedric-appdirect) in [#1862](go-git/go-git#1862)
- storage: filesystem, Avoid overwriting loose obj files by [@pjbgf](https://github.com/pjbgf) in [#1864](go-git/go-git#1864)

**Full Changelog**: <go-git/go-git@v5.16.5...v5.17.0>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/1410
Reviewed-by: Mathieu Fenniak <[email protected]>
Co-authored-by: Renovate Bot <[email protected]>
Co-committed-by: Renovate Bot <[email protected]>
Maks1mS pushed a commit to stplr-dev/stplr that referenced this pull request Feb 28, 2026

This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | require | minor | `v5.16.5` → `v5.17.0` | [](https://securityscorecards.dev/viewer/?uri=github.com/go-git/go-git) |

---

> ⚠️ **Warning**
>
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

### [`v5.17.0`](https://github.com/go-git/go-git/releases/tag/v5.17.0)

[Compare Source](go-git/go-git@v5.16.5...v5.17.0)

#### What's Changed

- build: Update module github.com/go-git/go-git/v5 to v5.16.5 \[SECURITY] (releases/v5.x) by [@go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#1839](go-git/go-git#1839)
- git: worktree, optimize infiles function for very large repos by [@k-anshul](https://github.com/k-anshul) in [#1853](go-git/go-git#1853)
- git: Add strict checks for supported extensions by [@pjbgf](https://github.com/pjbgf) in [#1861](go-git/go-git#1861)
- backport, git: Improve Status() speed with new index.ModTime check by [@cedric-appdirect](https://github.com/cedric-appdirect) in [#1862](go-git/go-git#1862)
- storage: filesystem, Avoid overwriting loose obj files by [@pjbgf](https://github.com/pjbgf) in [#1864](go-git/go-git#1864)

**Full Changelog**: <go-git/go-git@v5.16.5...v5.17.0>

---

### Configuration

📅 **Schedule**: Branch creation - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday ( * 0-4,22-23 * * 1-5 ), Only on Sunday and Saturday ( * * * * 0,6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://altlinux.space/stapler/stplr/pulls/333
Co-authored-by: Renovate Bot <[email protected]>
Co-committed-by: Renovate Bot <[email protected]>
charithe added a commit to charithe/cerbos that referenced this pull request Mar 9, 2026

v5.17.0 includes strict extension checks (go-git/go-git#1861) but it causes problems for `worktreeconfig` because it wasn't added to the supported extension list until go-git/go-git#1877. Until it's released, we need to keep the version back.

Signed-off-by: Charith Ellawala <[email protected]>
charithe added a commit to cerbos/cerbos that referenced this pull request Mar 9, 2026

v5.17.0 includes strict extension checks (go-git/go-git#1861) but it causes problems for `worktreeconfig` because it wasn't added to the supported extension list until go-git/go-git#1877. Until it's released, we need to keep the version back.

Signed-off-by: Charith Ellawala <[email protected]>
Signed-off-by: Charith Ellawala <[email protected]>
haines pushed a commit to haines/cerbos that referenced this pull request Mar 16, 2026

v5.17.0 includes strict extension checks (go-git/go-git#1861) but it causes problems for `worktreeconfig` because it wasn't added to the supported extension list until go-git/go-git#1877. Until it's released, we need to keep the version back.

Signed-off-by: Charith Ellawala <[email protected]>
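The upstream Git enforces fail-safe heuristics to ensure that older git versions will avoid handling repositories using extensions they are unaware of.

The logic is largely based on the value of `core.repositoryformatversion`. As per official Git docs:

> This version specifies the rules for operating on the on-disk repository data.
> An implementation of git which does not understand a particular version
> advertised by an on-disk repository MUST NOT operate on that repository;
> doing so risks not only producing wrong results, but actually losing data.

Now go-git will ensure that:

- The `git.Open` logic will verify and enforce the extension support rules.
- go-git will keep track of built-in extensions that it supports.

This is a breaking change and it will force go-git to not be able to open repositories that it in fact doesn't really support. Conversely, the error messages will be more useful (e.g. `unknown extension: X` vs `object not found`).

Upstream refs:

- https://git-scm.com/docs/git-config#Documentation/git-config.txt-extensions
- https://git-scm.com/docs/gitrepository-layout#_git_repository_format_versions

Back-port of #1850.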
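
The fail-safe rule quoted from the Git docs, sketched as an added Go example; it is not go-git's `verifyExtensions` and not code from this PR. `checkRepoConfig`, the two error values, the sample config and the supported set are hypothetical, and the line parser and the "format 0 does not gate on extensions" handling are simplifications of the version 0/1 text in gitrepository-layout. The sample reproduces the `worktreeconfig` failure the downstream commits describe: a format-1 repository is refused until the extension is in the supported set.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var ErrUnsupportedFormat = errors.New("unsupported repository format version")
var ErrUnknownExtension = errors.New("unknown extension")

// Constructed sample: a format-1 repository with per-worktree config enabled.
const sampleConfig = "[core]\n\trepositoryformatversion = 1\n[extensions]\n\tworktreeConfig = true\n"

// checkRepoConfig decides whether .git/config text describes a repository the
// caller may open. supported is a hypothetical set of lower-case extension names.
func checkRepoConfig(cfg string, supported map[string]bool) error {
	version, section := "0", "" // a missing version key means format 0
	var exts []string
	sc := bufio.NewScanner(strings.NewReader(cfg))
	for sc.Scan() {
		key, val, _ := strings.Cut(strings.TrimSpace(sc.Text()), "=")
		key = strings.ToLower(strings.TrimSpace(key))
		switch {
		case key == "" || key[0] == '#' || key[0] == ';': // blank or comment
		case key[0] == '[':
			section = strings.Trim(key, "[] \t")
		case section == "core" && key == "repositoryformatversion":
			version = strings.TrimSpace(val)
		case section == "extensions":
			exts = append(exts, key)
		}
	}
	v, err := strconv.Atoi(version)
	if err != nil || v < 0 || v > 1 { // fail closed on anything not understood
		return fmt.Errorf("%w: %q", ErrUnsupportedFormat, version)
	}
	for _, e := range exts { // checked after parsing: sections come in any order
		if v == 1 && !supported[e] { // format 0 does not gate on extensions
			return fmt.Errorf("%w: %s", ErrUnknownExtension, e)
		}
	}
	return nil
}

func main() {
	fmt.Println(checkRepoConfig(sampleConfig, map[string]bool{"objectformat": true}))
}
```

Callers can branch on the result with `errors.Is(err, ErrUnknownExtension)`, which separates "this repository needs a feature I lack" from an ordinary I/O or parse failure.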