Update dependency git-lfs/git-lfs to v3.6.1

[renovate]

This PR contains the following updates:

Package	Update	Change
git-lfs/git-lfs	minor	v3.5.1 -> v3.6.1

---

Release Notes

git-lfs/git-lfs (git-lfs/git-lfs)

v3.6.1

Compare Source

This release introduces a security fix for all platforms, which has been assigned CVE-2024-53263.

When requesting credentials from Git for a remote host, prior versions of Git LFS passed portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sent any credentials received back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker might have been able to retrieve a user's Git credentials.

Git LFS now prevents bare line feed (LF) characters from being included in the values sent to the git-credential(1) command, and also prevents bare carriage return (CR) characters from being included unless the credential.protectProtocol configuration option is set to a value equivalent to false.

We would like to extend a special thanks to the following open-source contributors:

• @​Ry0taK for reporting this to us responsibly

Bugs

• Reject bare line-ending control characters in Git credential requests (@​chrisd8088)

Packages

Up to date packages are available on PackageCloud and Homebrew.

RPM RHEL 7/CentOS 7
RPM RHEL 8/Rocky Linux 8
RPM RHEL 9/Rocky Linux 9
Debian 10
Debian 11
Debian 12

SHA-256 hashes:

git-lfs-darwin-amd64-v3.6.1.zip
b53c361e6c85479507ed39ba99b87ec0888ac52f5afd2084fc68af4103081391

git-lfs-darwin-arm64-v3.6.1.zip
83b4ea3b0c72ba19e3bc46e47e92476f4505cc96693333b9fa0a314dddacc4ba

git-lfs-freebsd-386-v3.6.1.tar.gz
976e6123166ad54cd752a70a50f10d3cac22d35afc622f9ad1129320dc463bce

git-lfs-freebsd-amd64-v3.6.1.tar.gz
77c58f7d9ff207efa371fcf048900fa404d12393434c23c767a2f7dbabd0d8e1

git-lfs-linux-386-v3.6.1.tar.gz
62dd22e2cde54c051faaf58b5432f033a0cb6bf366d00648b1bc1b9ed1e819e1

git-lfs-linux-amd64-v3.6.1.tar.gz
2138d2e405a12f1a088272e06790b76699b79cb90d0317b77aafaf35de908d76

git-lfs-linux-arm-v3.6.1.tar.gz
7e3e7df9d7cc663efab9d996c67af17d99afe8b0ce2fc002703cac0b8826f4f7

git-lfs-linux-arm64-v3.6.1.tar.gz
1c2720ff53528fbe769633d448d830aa7b682141e3c4f6a9f26b9cf3b2548d0a

git-lfs-linux-loong64-v3.6.1.tar.gz
0135b9fa6c8a13d4c7cec6e434b6cc4391b74321aa13743dd7e8f14bd33648f8

git-lfs-linux-ppc64le-v3.6.1.tar.gz
86d42801b6e70522560eb3e33c0512f9733b3dad1ca08471cd135f445029cdfb

git-lfs-linux-riscv64-v3.6.1.tar.gz
e26adb02957e859385159d60dd642b800a265d3fcd38590266d3428aefb4ddba

git-lfs-linux-s390x-v3.6.1.tar.gz
c9aa0391ac58c5ed695fceec891c953d12fe78ae31ecbd5fd3cb4204cf8273a9

git-lfs-v3.6.1.tar.gz
1417b7ee9a8fba8d649a89f070fdcde8b2593ca2caa74e3e808d2bb35d5ca5f7

git-lfs-windows-386-v3.6.1.zip
74fd0d4c9ea314719b6890667b0e528c4467726e1a7302e68221afba806a69b5

git-lfs-windows-amd64-v3.6.1.zip
aaca788e04f91676e58654d5ecf96cf03c76768a63b3a6918281a9678884c20c

git-lfs-windows-arm64-v3.6.1.zip
ad40ab00a73ef4bf63c969472d0e5a824686b495dbc01ea8e9e4cc456c49a4b0

git-lfs-windows-v3.6.1.exe
5492bd2d7b37fcb821f48cac17895feb2506d26ad4cde996a30940e86dfecc27

hashes.asc
a5d1256409e83743608fdc43716bd1dc2fbffe00b5f116016d5886187874dcab

sha256sums.asc
4f16f1db8a18631ac9b21cce1545a692373e2b5edc8e211cd959c447d14dfef2

v3.6.0

Compare Source

This release is a feature release which includes support for multi-stage
authentication with Git credential helpers (requires Git 2.46.0) and
relative worktree paths (requires Git 2.48.0), a new object transfer batch
size configuration option, better path handling when installing on Windows,
more POSIX-compliant hook scripts, and improved performance with sparse
checkouts, partial clones, and Git remotes with large numbers of tags.

Note that the 3.6.x series of Git LFS releases will be the last releases
for which we provide packages or support for versions of any Linux
distribution based on either Red Hat Enterprise Linux 7 (RHEL 7) or
SUSE Linux Enterprise Server 12 (SLES 12).

Note also that the 3.6.x series of Git LFS releases may be the last
releases for which we provide packages or support for versions of any
Linux distribution based on Debian 10 ("buster").

This release is built using Go v1.23 and therefore on macOS systems
requires macOS 11 (Big Sur) or later, and on Windows systems requires
at least Windows 10 or Windows Server 2016 (although Windows 8.1 may
suffice).

We would like to extend a special thanks to the following open-source
contributors:

• @​blanet for fixing a crash bug when handling HTTP 429 responses
• @​bogomolets-owl for implementing a batch size configuration option
• @​ConcurrentCrab for preventing hung SSH transfer protocol connections
• @​jochenhz for ensuring files with Unicode names are not accidentally pruned
• @​pastelsky for optimizing performance of our pre-push hook
• @​rustfix for correcting some code comments
• @​rusttech for fixing an array size allocation bug
• @​xdavidwu for improving the portability of our tests and hooks

Features

• git: improve sparse checkout support #​5796 (@​bk2204)
• hook: fix newlines in command missing message #​5886 (@​xdavidwu)
• Add batch size config value and use it everywhere #​5876 (@​bogomolets-owl)
• Support relative paths to linked working trees #​5898 (@​chrisd8088)
• git-lfs: omit tags in ls-remote; optimize pre-push #​5863 (@​pastelsky)
• Support multistage authentication with a Git credential helper #​5803 (@​bk2204)
• Support arbitrary HTTP credential schemes for authentication #​5779 (@​bk2204)
• Optimize performance for scanning trees in partial clones #​5699 (@​bk2204)
• Use lower-case file extensions in Windows installer path checks #​5688 (@​chrisd8088)
• Match PATH case insensitively in Windows installer #​5680 (@​bk2204)

Bugs

• Fix crash during pure SSH object transfer with multiple objects #​5905 (@​chrisd8088)
• ssh: fix connection creation "leaking" connections #​5816 (@​ConcurrentCrab)
• fix: fix slice init length #​5874 (@​rusttech)
• Fix panic caused by accessing non-existent header #​5804 (@​blanet)
• Avoid deadlocking on log scanning with lots of output on stderr #​5738 (@​bk2204)
• checkout: gracefully handle files deleted from the index #​5698 (@​bk2204)
• Fix logScanner fails to parse pointer file containing unicode chars #​5655 (@​jochenhz)

Misc

• Fix improper negated test expressions and refine TLS client certificate tests #​5914 (@​chrisd8088)
• Always capture clone logs in tests and remove or update stale workarounds #​5906 (@​chrisd8088)
• Update Linux distribution package list for v3.6.0 release #​5911 (@​chrisd8088)
• doc: mention the pointer size constraint #​5900 (@​bk2204)
• Repair and restore all tests of cloning over TLS #​5882 (@​chrisd8088)
• t: increase portability #​5887 (@​xdavidwu)
• script/build-git: update Ubuntu 24.04 APT sources #​5889 (@​chrisd8088)
• Run tests in parallel on Windows and always cleanup test directories #​5879 (@​chrisd8088)
• Update release workflow to use Windows Trusted Signing Action #​5873 (@​chrisd8088)
• Upgrade to Go 1.23 #​5872 (@​chrisd8088)
• Use custom random data generator for all test objects and filenames #​5868 (@​chrisd8088)
• Always build Git against custom libcurl in CI workflows on macOS #​5866 (@​chrisd8088)
• Use expected version of Git on macOS in CI jobs #​5813 (@​chrisd8088)
• Move @​bk2204 to alumni #​5808 (@​bk2204)
• docs/api: note API clients may send charset parameter in Content-Type header #​5778 (@​chrisd8088)
• issue template: add more information we'd want to see #​5728 (@​bk2204)
• .github/workflows: use actions/setup-go everywhere #​5729 (@​bk2204)
• build(deps): bump golang.org/x/net from 0.17.0 to 0.23.0 #​5718 (@​dependabot[bot])
• chore: fix function names in comment #​5709 (@​rustfix)
• Include remote error when pure SSH protocol fails #​5674 (@​bk2204)
• Build release assets with 1.22 #​5673 (@​bk2204)
• Build release assets with Go 1.21 #​5668 (@​bk2204)
• script/packagecloud: instantiate distro map properly #​5662 (@​bk2204)
• Install msgfmt on Windows in CI and release workflows #​5666 (@​chrisd8088)

Packages

Up to date packages are available on PackageCloud and Homebrew.

RPM RHEL 7/CentOS 7
RPM RHEL 8/Rocky Linux 8
RPM RHEL 9/Rocky Linux 9
Debian 10
Debian 11
Debian 12

SHA-256 hashes:

git-lfs-darwin-amd64-v3.6.0.zip
80db8e51418816a1d44859b39678c1722b2e3d52894623d6a138b67d52d0ee5c

git-lfs-darwin-arm64-v3.6.0.zip
6d602e04f307f4129d7a4dd8c199c06d53d77555e08164297d943a9acc4afe02

git-lfs-freebsd-386-v3.6.0.tar.gz
52297aacd95b5378e7054b1e5037d18942662b349ff4ac21c3b11dd48306e513

git-lfs-freebsd-amd64-v3.6.0.tar.gz
9621f2d7c935b422d84e9d70ab76694301d8ff2a408c2c6c68e91d5831f1b67f

git-lfs-linux-386-v3.6.0.tar.gz
10da3c2ec46aa76287653a8d8576c271701d1fa899432f5bc3ace2a33c2116f0

git-lfs-linux-amd64-v3.6.0.tar.gz
fff4746159aa7a7b42ef1aa30fed03b534df48a7dbe116d65296c0f0c43c594d

git-lfs-linux-arm-v3.6.0.tar.gz
bc7190755703017d193bee182a4edbf610d6df6d006d6fdd6ad411d552468456

git-lfs-linux-arm64-v3.6.0.tar.gz
9509504b3b825054c3d07af5edc1cc9c00732c6f0fd4a060f04bfbf0f1279fca

git-lfs-linux-loong64-v3.6.0.tar.gz
f80f2e31b9d5725ccabba1e82bfca0261650eb7fa4edd1125f29eab06f0f5dd1

git-lfs-linux-ppc64le-v3.6.0.tar.gz
30b05a380d7015d9ddb9e52b9feedc77a693ee474f36dd9bbca9034ea61116d4

git-lfs-linux-riscv64-v3.6.0.tar.gz
689ecb0f6e96d731ec3424bea0f4aeeb26225dbe44b9b87762baa9ec9d7820f7

git-lfs-linux-s390x-v3.6.0.tar.gz
e54b21c445ac00b4528657d422fd46cea770303a41bf49523313a1fc85b8ec69

git-lfs-v3.6.0.tar.gz
9a5d2a598b4096f0fdde5b2ead6038996c657acafe5a89d22b8c2f1b56aeaf36

git-lfs-windows-386-v3.6.0.zip
58b3029f60d51b8775a0cbb21a39b8504967577a8bb4b3feabb1f1a48bf7fb33

git-lfs-windows-amd64-v3.6.0.zip
62fce4cfd453493966c387db167ba1aa46ecee730ae24a5b902a1d05650fb4ce

git-lfs-windows-arm64-v3.6.0.zip
6e8d6051760bd90372ed7dfcace02f80dddec374bab61b9525e263722f97de7b

git-lfs-windows-v3.6.0.exe
ca1c562d22439d3d6a80957d2b21f6633611db494f1251a46d18d7fa7aea52cd

hashes.asc
d7f8aaba8be9450927a651f10b6c2adbf1b9ec25ec9f9c9b0f14393cefcba9c6

sha256sums.asc
15d2e94804ad866eba43181f03942bef2cf5851ad8433f43c79d0e4f299d8463

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.