fix: update libgit2 to 1.9.2 for security fixes #1734
Open
Description
The current libgit2-sys dependency (0.18.2+1.9.1) bundles libgit2 1.9.1, which has two security vulnerabilities fixed in libgit2 1.9.2 (released Dec 6, 2025):
- SSH arbitrary command execution — Remote repository names were improperly sent to the shell without quoting when using external SSH transport, potentially allowing arbitrary command execution.
- SSH public key buffer overflow — Public keys that are not NUL-terminated were improperly zeroed using `memset` with the wrong length, resulting in a buffer overflow or incomplete key zeroing.
Remediation
Update git2 to 0.20.4, which depends on libgit2-sys >=0.18.3 (libgit2 1.9.2).
References
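A quick way to confirm the remediation landed in a checked-out tree is to scan Cargo.lock for a libgit2-sys entry older than 0.18.3. The scanner below is an added example written for this page, not code from this PR or the git2 project; it uses a line-based read of Cargo.lock (no TOML crate) and a constructed sample lockfile.

```rust
// Added example: flag libgit2-sys versions below 0.18.3 (bundled libgit2 <= 1.9.1)
// in a Cargo.lock. Dependency-only, line-based parse; not part of the PR.

const FIXED_LIBGIT2_SYS: (u64, u64, u64) = (0, 18, 3);

/// Parse "MAJOR.MINOR.PATCH", ignoring build metadata such as "+1.9.1".
fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split('+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Return every libgit2-sys version in `cargo_lock` that predates the fixed release.
pub fn vulnerable_libgit2_sys(cargo_lock: &str) -> Vec<String> {
    let mut findings = Vec::new();
    let mut current_name: Option<String> = None;
    for line in cargo_lock.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            current_name = None; // new package block
        } else if let Some(rest) = line.strip_prefix("name = ") {
            current_name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            let version = rest.trim_matches('"');
            if current_name.as_deref() == Some("libgit2-sys") {
                if let Some(v) = parse_semver(version) {
                    if v < FIXED_LIBGIT2_SYS {
                        findings.push(version.to_string());
                    }
                }
            }
        }
    }
    findings
}

// Constructed sample Cargo.lock fragment (pre-remediation state).
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "git2"
version = "0.20.2"

[[package]]
name = "libgit2-sys"
version = "0.18.2+1.9.1"
"#;

fn main() {
    for v in vulnerable_libgit2_sys(SAMPLE_LOCK) {
        println!("libgit2-sys {v} predates 0.18.3; bundled libgit2 still affected");
    }
}
```

Run it against the real Cargo.lock by reading the file into a string and passing it to `vulnerable_libgit2_sys`; an empty result means the lockfile already pins libgit2-sys 0.18.3 or newer.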