git-lfs: update to 3.7.1

Fixes symlink traversal vulnerability (CVE-2025-26625) that allowed
writing files outside the repository on checkout/pull.

Other changes since 3.5.1:
- Add --refetch option to force re-download of LFS objects
- Add --json and --dry-run options for fetch operations
- Improve .netrc handling on Windows and macOS root CA support
- Upgrade to Go 1.25 (requires Linux kernel 3.2+)

Signed-off-by: Alexandru Ardelean <redacted>

diff --git a/net/git-lfs/Makefile b/net/git-lfs/Makefile
index a23a8422c92a619d6033146193fa87fd69c182a7..cb7e0afec85c8cd5e2315cc5dba67db0a5950b5f 100644 (file)
--- a/net/git-lfs/Makefile
+++ b/net/git-lfs/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=git-lfs
-PKG_VERSION:=3.5.1
+PKG_VERSION:=3.7.1
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-v$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/git-lfs/git-lfs/releases/download/v$(PKG_VERSION)
-PKG_HASH:=fc19c7316e80a6ef674aa4e1863561c1263cd4ce0588b9989e4be9461664d752
+PKG_HASH:=8f56058622edfea1d111e50e9844ef2f5ce670b2dbe4d55d48e765c943af4351
 
 PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>
 PKG_LICENSE:=MIT

diff --git a/net/git-lfs/test.sh b/net/git-lfs/test.sh
index c85566d883485090ecc703c04feb1ecd5498bf8e..831d740f8d1fa9c16b791283e80a712dacdfb25d 100644 (file)
--- a/net/git-lfs/test.sh
+++ b/net/git-lfs/test.sh
@@ -1,3 +1,14 @@
 #!/bin/sh
 
-git-lfs --version|grep "$2"
+[ "$1" = "git-lfs" ] || exit 0
+
+# Verify git-lfs registers itself as a git extension and core commands work
+git lfs help 2>&1 | grep -q "track"
+
+# Verify git-lfs env shows it is wired into git
+git lfs env 2>&1 | grep -qi "git\|lfs\|endpoint"
+
+# Verify key subcommands are available
+git lfs help track 2>&1 | grep -qi "track"
+git lfs help push  2>&1 | grep -qi "push"
+git lfs help pull  2>&1 | grep -qi "pull"