From f662de1b96db75e9e04020cc49f487fb808efe31 Mon Sep 17 00:00:00 2001
From: Alexandru Ardelean
Date: Wed, 22 Apr 2026 12:12:17 +0300
Subject: [PATCH] git-lfs: update to 3.7.1
Fixes symlink traversal vulnerability (CVE-2025-26625) that allowed writing files outside the repository on checkout/pull.
Other changes since 3.5.1:
- Add --refetch option to force re-download of LFS objects
- Add --json and --dry-run options for fetch operations
- Improve .netrc handling on Windows and macOS root CA support
- Upgrade to Go 1.25 (requires Linux kernel 3.2+)
Signed-off-by: Alexandru Ardelean
---
 net/git-lfs/Makefile | 4 ++--
 net/git-lfs/test.sh | 13 ++++++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/net/git-lfs/Makefile b/net/git-lfs/Makefile
index a23a8422c9..cb7e0afec8 100644
--- a/net/git-lfs/Makefile
+++ b/net/git-lfs/Makefile
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=git-lfs
-PKG_VERSION:=3.5.1
+PKG_VERSION:=3.7.1
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-v$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/git-lfs/git-lfs/releases/download/v$(PKG_VERSION)
-PKG_HASH:=fc19c7316e80a6ef674aa4e1863561c1263cd4ce0588b9989e4be9461664d752
+PKG_HASH:=8f56058622edfea1d111e50e9844ef2f5ce670b2dbe4d55d48e765c943af4351
 PKG_MAINTAINER:=Alexandru Ardelean
 PKG_LICENSE:=MIT
diff --git a/net/git-lfs/test.sh b/net/git-lfs/test.sh
index c85566d883..831d740f8d 100644
--- a/net/git-lfs/test.sh
+++ b/net/git-lfs/test.sh
@@ -1,3 +1,14 @@
 #!/bin/sh
-git-lfs --version|grep "$2"
+[ "$1" = "git-lfs" ] || exit 0
+
+# Verify git-lfs registers itself as a git extension and core commands work
+git lfs help 2>&1 | grep -q "track"
+
+# Verify git-lfs env shows it is wired into git
+git lfs env 2>&1 | grep -qi "git\|lfs\|endpoint"
+
+# Verify key subcommands are available
+git lfs help track 2>&1 | grep -qi "track"
+git lfs help push 2>&1 | grep -qi "push"
+git lfs help pull 2>&1 | grep -qi "pull"
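Review bot: In the new test.sh only the final `git lfs help pull` pipeline decides the script's exit status, because the script runs under `#!/bin/sh` without `set -e`; a failure of the `git lfs help`, `git lfs env`, `help track` or `help push` checks is silently ignored. Adding `set -e` right after the `[ "$1" = "git-lfs" ] || exit 0` guard, or chaining the checks with `&&`, would make each one count. The commit also removes the only version assertion, so the test can no longer show that the packaged binary is the release carrying the CVE-2025-26625 fix; keeping `git-lfs --version | grep -F "$2"` after the guard would retain that. The `git lfs env` pattern `"git\|lfs\|endpoint"` combined with `2>&1` probably matches almost any output, including an error message that merely mentions git, so a pattern tied to a line only git-lfs prints would be a tighter check.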