chore(deps): bump github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2 (#3068)

dependabot[bot] · tstirrat15 · web-flow · commit 97811cf1455d · 2026-05-01T21:52:33.000Z
Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.9.1 to 5.9.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jackc/pgx/blob/master/CHANGELOG.md">github.com/jackc/pgx/v5's changelog</a>.</em></p> <blockquote> <h1>5.9.2 (April 18, 2026)</h1> <p>Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx)</p> <p>SQL injection can occur when:</p> <ol> <li>The non-default simple protocol is used.</li> <li>A dollar quoted string literal is used in the SQL query.</li> <li>That query contains text that would be would be interpreted outside as a placeholder outside of a string literal.</li> <li>The value of that placeholder is controllable by the attacker.</li> </ol> <p>e.g.</p> <pre lang="go"><code>attackValue := `$tag$; drop table canary; --` _, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue) </code></pre> <p>This is unlikely to occur outside of a contrived scenario.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/jackc/pgx/commit/0aeabbcf11d859229c1f0b20e710d3596c76bf27"><code>0aeabbc</code></a> Release v5.9.2</li> <li><a href="https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da"><code>60644f8</code></a> Fix SQL sanitizer bugs with dollar-quoted strings and placeholder overflow</li> <li><a href="https://github.com/jackc/pgx/commit/a5680bc945aa7c6ebac2778d859ee7b4ba86db60"><code>a5680bc</code></a> Merge pull request <a href="https://redirect.github.com/jackc/pgx/issues/2531">#2531</a> from dolmen-go/godoc-add-links</li> <li><a href="https://github.com/jackc/pgx/commit/e34e4524007062710c6a4fb9c8655b75a486b5cd"><code>e34e452</code></a> doc: Add godoc links</li> <li><a href="https://github.com/jackc/pgx/commit/08c9bb1f0d8fa6cc10ed8c713e68b1baa64dfe2c"><code>08c9bb1</code></a> Fix Stringer types encoded as text instead of numeric value in composite fields</li> <li><a href="https://github.com/jackc/pgx/commit/96b4dbdfd0458cb425bf8454d292a23978872cc8"><code>96b4dbd</code></a> Remove unstable test</li> <li><a href="https://github.com/jackc/pgx/commit/acf88e0065682e8948696d26fa6438669c4cabee"><code>acf88e0</code></a> Merge pull request <a href="https://redirect.github.com/jackc/pgx/issues/2526">#2526</a> from abrightwell/abrightwell-min-proto</li> <li><a href="https://github.com/jackc/pgx/commit/2f81f1fc03bef99593e92c64ad9cac954c00e8e6"><code>2f81f1f</code></a> Update <code>max_protocol_version</code> and <code>min_protocol_version</code> defaults</li> <li>See full diff in <a href="https://github.com/jackc/pgx/compare/v5.9.1...v5.9.2">compare view</a></li> </ul> </details> <br /> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tanner Stirrat <tstirrat@gmail.com>
diff --git a/e2e/go.mod b/e2e/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/authzed/spicedb v1.29.5
 	github.com/brianvoe/gofakeit/v6 v6.28.0
 	github.com/ecordell/optgen v0.2.6
-	github.com/jackc/pgx/v5 v5.9.1
+	github.com/jackc/pgx/v5 v5.9.2
 	github.com/stretchr/testify v1.11.1
 	golang.org/x/tools v0.44.0
 	google.golang.org/grpc v1.80.0
diff --git a/e2e/go.sum b/e2e/go.sum
@@ -188,8 +188,8 @@ github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7Ulw
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
 github.com/jackc/pgx-zerolog v0.0.0-20230315001418-f978528409eb h1:pSv+zRVeAYjbXRFjyytFIMRBSKWVowCi7KbXSMR/+ug=
 github.com/jackc/pgx-zerolog v0.0.0-20230315001418-f978528409eb/go.mod h1:CRUuPsmIajLt3dZIlJ5+O8IDSib6y8yrst8DkCthTa4=
-github.com/jackc/pgx/v5 v5.9.1 h1:uwrxJXBnx76nyISkhr33kQLlUqjv7et7b9FjCen/tdc=
-github.com/jackc/pgx/v5 v5.9.1/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
+github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
+github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
diff --git a/go.mod b/go.mod
@@ -61,7 +61,7 @@ require (
 	github.com/hashicorp/go-memdb v1.3.5
 	github.com/jackc/pgio v1.0.0
 	github.com/jackc/pgx-zerolog v0.0.0-20230315001418-f978528409eb
-	github.com/jackc/pgx/v5 v5.9.1
+	github.com/jackc/pgx/v5 v5.9.2
 	github.com/jeroenrinzema/psql-wire v0.17.0
 	github.com/jzelinskie/cobrautil/v2 v2.0.0-20240819150235-f7fe73942d0f
 	github.com/jzelinskie/persistent v0.0.0-20230816160542-1205ef8f0e15
diff --git a/go.sum b/go.sum
@@ -309,8 +309,8 @@ github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7Ulw
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
 github.com/jackc/pgx-zerolog v0.0.0-20230315001418-f978528409eb h1:pSv+zRVeAYjbXRFjyytFIMRBSKWVowCi7KbXSMR/+ug=
 github.com/jackc/pgx-zerolog v0.0.0-20230315001418-f978528409eb/go.mod h1:CRUuPsmIajLt3dZIlJ5+O8IDSib6y8yrst8DkCthTa4=
-github.com/jackc/pgx/v5 v5.9.1 h1:uwrxJXBnx76nyISkhr33kQLlUqjv7et7b9FjCen/tdc=
-github.com/jackc/pgx/v5 v5.9.1/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
+github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
+github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jeroenrinzema/psql-wire v0.17.0 h1:2U5ElqxglXbStaoh6liohLjxkWIjvUamgVwcr8a90Mk=
diff --git a/tools/analyzers/go.sum b/tools/analyzers/go.sum
@@ -3,8 +3,10 @@ github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX
 github.com/samber/lo v1.52.0 h1:Rvi+3BFHES3A8meP33VPAxiBZX/Aws5RxrschYGjomw=
 github.com/samber/lo v1.52.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
 golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
 golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
