
build(deps): bump git2 from 0.18.3 to 0.20.4 #3

Open

dependabot[bot] wants to merge 1 commit into master from dependabot/cargo/git2-0.20.4

Conversation


@dependabot dependabot bot commented on behalf of github Mar 1, 2026

Bumps git2 from 0.18.3 to 0.20.4.

Changelog

Sourced from git2's changelog.

0.20.4 - 2026-02-02

0.20.3...0.20.4

Fixed

  • Fix undefined behavior when dereferencing empty Buf. #1213

0.20.3 - 2025-12-06

0.20.2...0.20.3

Changed

  • Bumped requirement to libgit2-sys 0.18.3, which updates libgit2 from 1.9.0 to 1.9.2. #1197

0.20.2 - 2025-05-05

0.20.1...0.20.2

Added

  • Added Status::WT_UNREADABLE. #1151

Fixed

  • Added missing codes for GIT_EDIRECTORY, GIT_EMERGECONFLICT, GIT_EUNCHANGED, GIT_ENOTSUPPORTED, and GIT_EREADONLY to Error::raw_code. #1153
  • Fixed missing initialization in Indexer::new. #1160

0.20.1 - 2025-03-17

0.20.0...0.20.1

Added

  • Added Repository::branch_upstream_merge() #1131
  • Added Index::conflict_get() #1134
  • Added Index::conflict_remove() #1133
  • Added opts::set_cache_object_limit() #1118
  • Added Repo::merge_file_from_index() and associated MergeFileOptions and MergeFileResult. #1062

Changed

  • The url dependency minimum raised to 2.5.4

... (truncated)

Commits
  • 8852d7d Merge pull request #1214 from weihanglo/backport-from-raw-parts
  • 0b274f7 Bump to 0.20.4
  • 73a5d5d Add test for dereference of an empty Buf
  • ce56683 fix: check ptr nullity before calling from_raw_parts
  • 7cf345c Merge pull request #1197 from ehuss/git2-0.20-br
  • dd41077 Bump git2 to 0.20.3
  • a6a58e2 Merge pull request #1195 from ehuss/update-libgit2
  • 1fb5f64 Merge pull request #1161 from ehuss/bump-version
  • 26bfd30 Update version of git2 to 0.20.2
  • eef4592 Merge pull request #1160 from ehuss/indexer-init
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [git2](https://github.com/rust-lang/git2-rs) from 0.18.3 to 0.20.4.
- [Changelog](https://github.com/rust-lang/git2-rs/blob/git2-0.20.4/CHANGELOG.md)
- [Commits](rust-lang/git2-rs@git2-0.18.3...git2-0.20.4)

---
updated-dependencies:
- dependency-name: git2
  dependency-version: 0.20.4
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the labels "dependencies" (Pull requests that update a dependency file) and "rust" (Pull requests that update rust code) on Mar 1, 2026

@socket-security commented

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff: Updated
Package: cargo/git2@0.18.3 ⏵ 0.20.4
Supply Chain Security: 83
Vulnerability: 100
Quality: 95 (+1)
Maintenance: 100
License: 100

@socket-security commented

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn
Severity: Low
Alert: Potential code anomaly (AI signal): cargo libgit2-sys is 100.0% likely to have a medium risk anomaly

Notes: This action directly executes a user-provided command either on the runner or inside a user-specified container image and mounts the runner working directory into the container while forwarding many environment variables. The behavior is expected for a generic 'run build step' action, but it is risky if inputs (command, container, container-version) can be controlled by untrusted parties because it enables arbitrary code execution, file access/modification, and potential secret exfiltration. There is no obfuscation or embedded credentials in the file. Treat this action as potentially dangerous when used with untrusted inputs or in contexts (like forked PRs) where inputs or container images may be attacker-controlled. Recommended mitigations: validate or restrict container image inputs, avoid forwarding sensitive env vars, avoid mounting full repo when not necessary, and restrict use of this action in untrusted workflows.

Confidence: 1.00

Severity: 0.60

From: cargo/git2@0.20.4 → cargo/libgit2-sys@0.18.3+1.9.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/libgit2-sys@0.18.3%2B1.9.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
