Without upgrade, this might be exploited through package managers able to fetch from Git URLs (so NPM, Go Modules, and others).