Are there any dangers in exposing git sha1 commit hashes?

As explained there, the SHA-1 hashes are identifiers for the stored objects, including commits -- they are computed deterministically from the object contents. There is no secret in there. Though SHA-1 is nominally one-way, this would theoretically allow an attacker, who wants to guess the contents of an object, to verify whether his guess is correct or not. This would entail guessing exactly, down to the last bit, including time stamps and other similar things.

If your object contains some secret data which can be brute-forced (e.g. a password, subject to dictionary attacks), then an attacker might use the SHA-1 hash as a test. This seems hard because of the condition on guessing everything else properly, but the possibility is there. Therefore, if your commit contains such secret data, you are right to change the hash value -- but in that case, don't change it slightly, because a quasi-match is as good as an exact match on hash values, for the attacker. Change the hash values completely: replace each one of them with a sequence of 40 random hexadecimal characters.

Note that knowing the hash values does not grant any other extra power to the attacker; in particular, they do not give him access to the repository.