Backport of go-git upgrade to v5.18.0 for the v1.26 release branch.
Fixes GHSA-3xc5-wrhm-f963 (credential exposure on HTTP redirects).
---
This PR was written with the help of Claude Opus 4.6
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
Update all non-locked Go dependencies and pin incompatible ones.
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Hey, I bumped Go to 1.26.1 and fixed a couple of things I ran into while
poking around.
### Changes
- Bump go.mod from 1.26.0 to 1.26.1 (security patch)
- Bump golangci-lint from v2.10.1 to v2.11.2
- Run make tidy, fmt, lint-go
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
After many years, "activitypub" is still "in progress" and no real
progress for end users. So it is not mature.
Temporarily mark the endpoints as "501 not implemented",
and wait until the whole design is stable and usable.
The jobparser sub package in act is only used by Gitea. Move it to Gitea
to make it more easier to maintain.
---------
Co-authored-by: Christopher Homberger <christopher.homberger@web.de>
1. handle non-release git verions (not semver)
2. fix rubygems version "0" handling (only ">=" can be omitted)
3. lazy compile the regexp to improve performance
4. make test data maintainable, use origin source code instead of compressed binary
## Overview
This PR updates the Go toolchain version from `1.25.5` to `1.25.6` for
the Gitea project.
## Changes
### Toolchain Update
- **Go Toolchain**: Updated from `go1.25.5` to `go1.25.6`
This is a minor toolchain version bump that ensures the project uses the
latest patch release of Go 1.25.
## Security Improvements
While this PR primarily addresses the toolchain update, the project
maintains a strong security posture through:
### Current Security Measures
```log
Vulnerability #1: GO-2026-4342
Excessive CPU consumption when building archive index in archive/zip
More info: https://pkg.go.dev/vuln/GO-2026-4342
Standard library
Found in: archive/zip@go1.25.5
Fixed in: archive/zip@go1.25.6
Example traces found:
#1: modules/packages/nuget/metadata.go:217:25: nuget.ParseNuspecMetaData calls zip.Reader.Open
Vulnerability #2: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
More info: https://pkg.go.dev/vuln/GO-2026-4341
Standard library
Found in: net/url@go1.25.5
Fixed in: net/url@go1.25.6
Example traces found:
#1: modules/storage/minio.go:284:34: storage.MinioStorage.URL calls url.ParseQuery
#2: routers/api/v1/repo/action.go:1640:29: repo.DownloadArtifactRaw calls url.URL.Query
Vulnerability #3: GO-2026-4340
Handshake messages may be processed at the incorrect encryption level in
crypto/tls
More info: https://pkg.go.dev/vuln/GO-2026-4340
Standard library
Found in: crypto/tls@go1.25.5
Fixed in: crypto/tls@go1.25.6
Example traces found:
#1: services/auth/source/ldap/source_search.go:129:25: ldap.dial calls ldap.Conn.StartTLS, which calls tls.Conn.Handshake
#2: modules/graceful/server.go:156:14: graceful.Server.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
#3: modules/lfs/content_store.go:132:27: lfs.hashingReader.Read calls tls.Conn.Read
#4: modules/proxyprotocol/conn.go:91:21: proxyprotocol.Conn.Write calls tls.Conn.Write
#5: modules/session/virtual.go:168:39: session.VirtualStore.Release calls couchbase.CouchbaseProvider.Exist, which eventually calls tls.Dial
#6: services/auth/source/ldap/source_search.go:120:22: ldap.dial calls ldap.DialTLS, which calls tls.DialWithDialer
#7: services/migrations/gogs.go:114:34: migrations.client calls http.Transport.RoundTrip, which eventually calls tls.Dialer.DialContext
```
## Breaking Changes
None expected. This is a minor toolchain patch update.
Most potential deadlock problems should have been fixed, and new code is
unlikely to cause new problems with the new design.
Also raise the minimum Git version required to 2.6.0 (released in 2015)
From [docs](https://go.dev/doc/toolchain#config):
> The go line declares the minimum required Go version for using the
module or workspace. For compatibility reasons, if the go line is
omitted from a go.mod file, the module is considered to have an implicit
go 1.16 line, and if the go line is omitted from a go.work file, the
workspace is considered to have an implicit go 1.18 line.
> The toolchain line declares a suggested toolchain to use with the
module or workspace. As described in “[Go toolchain
selection](https://go.dev/doc/toolchain#select)” below, the go command
may run this specific toolchain when operating in that module or
workspace if the default toolchain’s version is less than the suggested
toolchain’s version. If the toolchain line is omitted, the module or
workspace is considered to have an implicit toolchain goV line, where V
is the Go version from the go line.
This is better than setting `go` to the latest version which may break
builds when that go version is unavailable, for example with
`GOTOOLCHAIN=local` in the official go docker images.
Fix#35649
* Use upstream `git-lfs-transfer`
* The Close should be called when error occurs (bug fix)
* The connection pool should be shared (bug fix)
* Add more tests to cover "LFS over SSH download"
gofumpt now
[supports](https://github.com/mvdan/gofumpt/releases/tag/v0.9.0) the
[ignore](https://tip.golang.org/ref/mod#go-mod-file-ignore) directive
added in go 1.25, make use of it which speeds up `make fmt` by around
30%. Likely this also has similar speed gains in other go-related
commands which use the `./...` pattern.
The change in `build/code-batch-process.go` was introduced by `gofumpt`
because of this change:
> A new rule is introduced to "clothe" naked returns for the sake of
clarity. While there is nothing wrong with naming results in function
signatures, using lone return statements can be confusing to the reader.
- ~Upgrade golang to 1.25~ blocked by the issue
https://github.com/go-swagger/go-swagger/issues/3220
- Upgrade minor versions of most dependencies
- Upgrade github.com/google/go-github version to v74
- Fix meilisearch because of sdk interface change
- Use github.com/Necoro/html2text which is a fork instead of html2text
because of https://github.com/jaytaylor/html2text/issues/67 which
resulted in complie failure.
- Fix some deprecated methods of gitlab go client.
silverwind