Is gopkg.in/src-d/go-git.v4 safe to use?

gopkg.in/src-d/go-git.v4 has 8 known vulnerabilities on the latest version (v4.13.1). DepScope rates its health at 12/100 (critical risk).

What is the latest version of gopkg.in/src-d/go-git.v4?

The latest version of gopkg.in/src-d/go-git.v4 is v4.13.1, released 2019-08-01.

Yes. gopkg.in/src-d/go-git.v4 has 8 known vulnerabilities. See depscope.dev/pkg/go/gopkg.in/src-d/go-git.v4 for details.

No, gopkg.in/src-d/go-git.v4 is actively maintained. Latest release: v4.13.1 (2019-08-01).

DepScope has no curated alternatives for gopkg.in/src-d/go-git.v4 at this time.

gopkg.in/src-d/go-git.v4 is licensed under Apache-2.0.

govv4.13.1

License Apache-2.0permissive37 versions0 deps

/ 100

Health

do not use

gopkg.in/src-d/go-git.v4 has critical vulnerabilities — do not use

Update to >= 5.13.0 to fix known vulnerabilities

Health breakdown0 – 100

0/25

maintenance

0/20

popularity

0/25

security

12/15

maturity

0/15

community

Vulnerabilities

2 critical2 high

Advisories (8)

Severity	ID	Summary	Fixed in
critical	CVE-2023-49569	Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients	5.11.0
high	CVE-2023-49568	Maliciously crafted Git server replies can cause DoS on go-git clients	5.11.0
high	CVE-2025-21614	go-git clients vulnerable to DoS via maliciously crafted Git server replies	5.13.0

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/go/gopkg.in/src-d/go-git.v4

Last updated · 2019-08-01T15:22:48Z