Bump github.com/go-git/go-billy/v5 from 5.8.0 to 5.9.0

[dependabot]

Bumps github.com/go-git/go-billy/v5 from 5.8.0 to 5.9.0.

Release notes

Sourced from github.com/go-git/go-billy/v5's releases.

v5.9.0

What's Changed

• Use path.Clean instead of filepath.Clean in iofs.Open by @​puerco in go-git/go-billy#197
• Deprecate ChrootOS in favour of BoundOS by @​pjbgf in go-git/go-billy#201
• General Improvements by @​pjbgf in go-git/go-billy#203
• osfs: ChrootOS eval baseDir on creation by @​pjbgf in go-git/go-billy#205
• Run go-git tests as part of integration tests by @​pjbgf in go-git/go-billy#206

Full Changelog: go-git/go-billy@v5.8.0...v5.9.0

Commits

• 237e529 Merge pull request #206 from pjbgf/v5-improvements
• 04edb39 build: Add go-git integration test
• d8efefd osfs: preserve empty ChrootOS base
• 07f2a0b Merge pull request #205 from pjbgf/v5-improvements
• 25207c8 build: Bump Go versions in workflows
• 2fda229 osfs: ChrootOS eval baseDir on creation
• 427b27f Merge pull request #203 from pjbgf/v5-improvements
• 7d5a23e chroot: Reject symlink loops
• 2c2287a util: avoid following symlinks in RemoveAll fallback
• cbd88e9 Fix mount path handling
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[thepetk]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dependabot[bot], thepetk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [thepetk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

[qodo-code-review]

Looking for bugs?

Check back in a few minutes. Qodo's review agents are on it.

[qodo-code-review]

PR Summary by Qodo

Bump go-billy/v5 to 5.9.0 (refresh indirect deps and Go version)
⚙️ Configuration changes 🕐 Less than 10 minutes

Description

• Bump github.com/go-git/go-billy/v5 from 5.8.0 to 5.9.0 (indirect).
• Refresh indirect dependency versions and go.sum checksums.
• Update go.mod Go version directive from 1.24.3 to 1.25.0.

Diagram

graph TD
  R["Repo module"] --> GM["go.mod"] --> GV("Go 1.25.0")
  R["Repo module"] --> GM["go.mod"] --> GB("go-billy/v5 5.9.0")
  R["Repo module"] --> GM["go.mod"] --> SJ("securejoin 0.6.1")
  R["Repo module"] --> GM["go.mod"] --> GX("x/* libs bumped")
  R["Repo module"] --> GS["go.sum"] --> CS("Updated checksums")

Loading

High-Level Assessment

The following are alternative approaches to this PR:

1. Split toolchain bump from dependency bump

• ➕ Isolates risk if Go 1.25.0 impacts builds/CI
• ➕ Easier rollback and bisecting if regressions appear
• ➖ Requires managing two PRs and potentially duplicated CI cycles

2. Keep go.mod 'go' directive unchanged (dependency bump only)

• ➕ Avoids unintentional minimum-Go-version change for downstream consumers
• ➕ Reduces chance of CI failures if workflows/runners lag behind
• ➖ May diverge from upstream module requirements if newer deps assume newer Go semantics

Recommendation: Proceed with the dependency bump if the repository CI/tooling is already validated on Go 1.25.x; otherwise, consider splitting or reverting the go.mod 'go' directive change and landing it separately once CI/workflows are confirmed compatible.

Files changed (2) +22 / -22

Other (2) +22 / -22

go.modBump go directive and indirect dependencies +6/-6

Bump go directive and indirect dependencies

• Updates the module Go version directive from 1.24.3 to 1.25.0. Bumps github.com/go-git/go-billy/v5 to v5.9.0 and refreshes several indirect requirements (including filepath-securejoin and golang.org/x packages).

go.mod

go.sumRefresh checksums for bumped modules +16/-16

Refresh checksums for bumped modules

• Updates go.sum entries to match the new indirect dependency versions, including go-billy/v5 and multiple golang.org/x module updates.

go.sum