You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
**Error**: `go: github.com/jackc/pgx/v4@v5.9.1: invalid version: go.mod has non-.../v4 module path "github.com/jackc/pgx/v5" (and .../v4/go.mod does not exist) at revision v5.9.1`
368
+
369
+
### Root Cause
370
+
371
+
Dockerfile line 386 specifies `go get github.com/jackc/pgx/v4@v5.9.1`. This mixes the v4 module path with a v5 version tag. Go's semantic import versioning rejects this because tag `v5.9.1` declares module path `github.com/jackc/pgx/v5` in its go.mod.
372
+
373
+
### Fix
374
+
375
+
**Dockerfile line 386** — change:
376
+
```dockerfile
377
+
go get github.com/jackc/pgx/v4@v5.9.1 && \
378
+
```
379
+
to:
380
+
```dockerfile
381
+
go get github.com/jackc/pgx/v4@v4.18.3 && \
382
+
```
383
+
384
+
No changes needed to the Renovate annotation (line 385) or the CVE comment (line 384) — both are already correct.
- v4.18.3 is the latest and likely final v4 release
390
+
- pgproto3/v2 is archived at v2.3.3 (July 2025) — no fix will be released in the v2 line
391
+
- The CVE (pgproto3/v2 buffer overflow) can only be fully resolved by CrowdSec migrating to pgx/v5 upstream
392
+
- Bumping pgx/v4 to v4.18.3 gets the latest v4 maintenance patch; the CVE remains an accepted risk per §5
393
+
394
+
### Validation
395
+
396
+
The same `docker build` that previously failed at step 7/11 should now pass through the CrowdSec dependency patching stage and proceed to compilation (steps 8-11).
0 commit comments