build(deps): bump github.com/go-git/go-git/v6 from 6.0.0-20260328145551-a93bccd59f82 to 6.0.0-alpha.2 in the go_modules group across 1 directory

[dependabot]

Bumps the go_modules group with 1 update in the / directory: github.com/go-git/go-git/v6.

Updates github.com/go-git/go-git/v6 from 6.0.0-20260328145551-a93bccd59f82 to 6.0.0-alpha.2

Release notes

Sourced from github.com/go-git/go-git/v6's releases.

v6.0.0-alpha.2

🚀 Release Summary

⚠️ v6 Alpha Release

This is an alpha release of go-git v6.

We encourage users to test this version in real-world scenarios and help us validate the new transport layer and features.

👉 Please report any issues, bugs, or unexpected behavior via GitHub issues.

This release brings major improvements across transport, performance, and Git feature support, along with significant internal modernization.

🚀 Highlights

• Major refactor of the plumbing/transport API with a new design, improving extensibility and aligning behaviour more closely with upstream Git.
• Performance improvements in remote operations, including faster send-pack.
• Significant improvements to HTTP transport robustness and protocol correctness.
• File transport: added support for gitfile and improved repository detection logic.

🐛 Bug Fixes

• repository: fix DeleteBranch failing when using full ref names (#1951)
• worktree: fix Add silently failing for absolute paths (#1949)
• transport/http: fix multi-round pack negotiation (#1992)
• transport/http: harden redirect handling to match canonical Git (#1997)
• transport/http: fix data race in dumb HTTP test server (#1960)
• transport: avoid emitting duplicate NAK after empty ACKs (#1989)
• updreq: support multiple shallow records in upload request decoding (#1952)
• file transport: fix Windows file handle leak (#1976)
• worktree tests: fix Windows file handle leaks (#1996)
• transport tests: correct receive-pack usage (#1988)

✨ Enhancements

• remote: faster send-pack implementation (#1947)
• object: improved object walk painting (#1973)
• repository: add gitfile support and improve loader detection (#1994)
• config: introduce ConfigLoader plugins aligned with upstream Git (#1924)

🔧 Refactoring

• plumbing/transport: replace transport API with new design (#1972)
• plumbing/transport: follow-up API refactoring and cleanup (#1983)

📚 Documentation

• docs: updates and introduction of AI Policy (#1913)

📋 Full Changelog

What's Changed

• git: repository, fix DeleteBranch failing with full ref name by @​tmchow in go-git/go-git#1951
• build: Update golang (main) by @​go-git-renovate[bot] in go-git/go-git#1931
• git: worktree, fix Add silently failing for absolute paths by @​tmchow in go-git/go-git#1949

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[codeant-ai]

Skipping PR review because a bot author is detected.

If you want to trigger CodeAnt AI, comment @codeant-ai review to trigger a manual review.

[kilo-code-bot]

Code Review Summary

Status: No Code Issues | Recommendation: Merge with caution

Overview

This is a dependency-only PR - there are no code changes to review. The diff only contains updates to go.mod and go.sum files.

Severity	Count
CRITICAL	0
WARNING	1
SUGGESTION	0

Files Reviewed (2 files)

• go.mod - dependency version updates
• go.sum - checksums update

Warnings

File	Issue
go.mod:16	WARNING: Upgrading to go-git/v6 v6.0.0-alpha.2 which is still an alpha version. The release notes indicate significant internal refactoring, particularly in the transport layer API. Ensure your codebase doesn't rely on internal implementation details that may have changed.

Other Observations

1. Dependency changes include:

   • github.com/go-git/go-git/v6: 6.0.0-20260328145551-a93bccd59f82 → v6.0.0-alpha.2
   • golang.org/x/crypto: v0.49.0 → v0.50.0
   • golang.org/x/net: v0.52.0 → v0.53.0
   • golang.org/x/sys: v0.42.0 → v0.43.0
   • golang.org/x/term: v0.41.0 → v0.42.0
   • golang.org/x/text: v0.35.0 → v0.36.0

2. The github.com/golang/groupcache indirect dependency was removed (likely a transitive dependency that is no longer needed).

3. Dependabot shows a compatibility score warning - this suggests potential breaking changes. Test thoroughly before merging to production.

Recommendation

This PR can be merged, but:

• Run existing tests to verify go-git functionality still works
• Review the release notes for any API changes that might affect usage
• The alpha version upgrade is acceptable for non-production use

---

Review performed in READ-ONLY mode - no code changes possible.

---

_{Reviewed by minimax-m2.5 · 115,522 tokens}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	golang/​golang.org/​x/​crypto@​v0.49.0 ⏵ v0.50.0	+1
	golang/​github.com/​go-git/​go-git/​v6@​v6.0.0-20260328145551-a93bccd59f82 ⏵ v6.0.0-alpha.2	-2
	golang/​golang.org/​x/​net@​v0.52.0 ⏵ v0.53.0	+1
	golang/​golang.org/​x/​text@​v0.35.0 ⏵ v0.36.0
	golang/​golang.org/​x/​term@​v0.41.0 ⏵ v0.42.0

View full report