Skip to content

go.mod: bump pgx to v5.9.2 for OAuthTokenProvider support#171289

Closed
darshanjain10 wants to merge 1 commit into
cockroachdb:masterfrom
darshanjain10:bump-pgx-v5.9.2
Closed

go.mod: bump pgx to v5.9.2 for OAuthTokenProvider support#171289
darshanjain10 wants to merge 1 commit into
cockroachdb:masterfrom
darshanjain10:bump-pgx-v5.9.2

Conversation

@darshanjain10

@darshanjain10 darshanjain10 commented Jun 1, 2026

Copy link
Copy Markdown

Bumps github.com/jackc/pgx/v5 from v5.7.2 to v5.9.2, which adds OAuthTokenProvider to pgconn.Config, enabling native OAUTHBEARER SASL client support needed for subsequent work on the pgwire OAuth flow.

DEPS.bzl updated to use the properly mirrored format after running
./dev generate bazel --mirror.

Four compatibility fixes are required:

  1. pgconn.PgConn.SecretKey() now returns []byte instead of uint32, supporting the new PostgreSQL protocol v3.2 variable-length cancel key. The sqlproxy cancel tests recover the original uint32 via a new pgConnSecretKeyUint32 helper, which asserts the key is exactly 4 bytes. This makes the protocol v3.0 assumption explicit: CockroachDB only speaks v3.0 today so the key is always 4 bytes, and the assertion will catch any future drift rather than silently truncating.

  2. pgconn now returns a "conn closed" error from its internal state machine when operations are attempted on an already-closed connection, rather than propagating the OS-level "connection reset by peer" or "unexpected EOF". Two regex assertions in sqlproxy tests are updated to accept all three forms.

  3. pgxpool.Config.BeforeAcquire is deprecated in v5.9.2 in favor of PrepareConn, which has the same semantics but also returns an error. The workload pool setup is migrated accordingly.

  4. pgx v5.9.2 enforces the PostgreSQL pipeline protocol more strictly: ReadyForQuery must be sent after Sync, not after each Execute. TestPipelineMetric's fake server was sending ReadyForQuery after each Execute (via finishQuery(execPortal)), which worked with v5.7.2's lenient pipeline reader but fails with v5.9.2. Two new test helpers (expectExecPortalPipelined, expectSyncAndSendReadyForQuery) correctly simulate the pipeline response sequence.

Closes #171149
Closes #169280
Informs: CRDB-64341
Epic: CRDB-60766
Release note: None

@darshanjain10 darshanjain10 requested review from a team as code owners June 1, 2026 09:36
@darshanjain10 darshanjain10 requested review from spilchen and removed request for a team June 1, 2026 09:36
@trunk-io

trunk-io Bot commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

Merging to master in this repository is managed by Trunk.

  • To merge this pull request, check the box to the left or comment /trunk merge below.

After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here

@cockroachlabs-cla-agent

cockroachlabs-cla-agent Bot commented Jun 1, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

@cockroach-teamcity

Copy link
Copy Markdown
Member

This change is Reviewable

@cockroach-teamcity cockroach-teamcity added the X-perf-gain Microbenchmarks CI: Added if a performance gain is detected label Jun 1, 2026
@darshanjain10 darshanjain10 changed the title go.mod: bump pgx to v5.9.2 for OAuthTokenProvider support and drop pgx/v4 go.mod: bump pgx to v5.9.2 for OAuthTokenProvider support Jun 1, 2026
@darshanjain10 darshanjain10 requested a review from a team as a code owner June 2, 2026 03:21
@darshanjain10 darshanjain10 requested a review from a team as a code owner June 2, 2026 05:21
@darshanjain10 darshanjain10 requested review from cpj2195 and williamchoe3 and removed request for a team June 2, 2026 05:21
@sanchit-CRL

Copy link
Copy Markdown
Collaborator
  • The commit body documents the 4 compatibility fixes well, but the PR description only mentions the OAuth motivation. Hoist the commit body into the PR description so reviewers landing on the PR page don't have to open the commit to learn why conn_test.go and proxy_handler_test.go changed.
  • Trailer cleanup — currently the commit ends with Epic: none while the PR description says Epic: CRDB-60766. Also worth closing the duplicate dep-bump issue Update pgx/v5 #169280 in the same commit. Suggested trailers:

Closes #171149
Closes #169280
Informs: CRDB-64341
Epic: CRDB-60766

Release note: None

@sanchit-CRL sanchit-CRL left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR title (...for OAuthTokenProvider support) is more informative than the commit headline (go.mod: bump pgx to v5.9.2). Aligning the commit headline.

Comment thread pkg/sqlproxy/proxy_handler_test.go Outdated
cancelRequest := proxyCancelRequest{
ProxyIP: net.IP{},
SecretKey: conn.PgConn().SecretKey(),
SecretKey: binary.BigEndian.Uint32(conn.PgConn().SecretKey()),

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Safe today because CRDB only advertises PG protocol v3.0 (so the BackendKeyData secret is always exactly 4 bytes), but under v3.2 the cancel key is variable length and BigEndian.Uint32 would silently truncate to the first 4 bytes no panic, just a wrong key. Worth either a one-time require.Len(t, key, 4) guard or a small secretKeyAsUint32(t, key) helper to make the v3.0 assumption explicit and load-bearing.

It would be better to get an eye from SQl foundation on this as well

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to assert the size of the key.

I looked at the other changes in here from a SQL Foundations perspective and it all looks good.

@blathers-crl

blathers-crl Bot commented Jun 2, 2026

Copy link
Copy Markdown

Detected infrastructure failure (matched: self-hosted runner lost communication with the server). Automatically rerunning failed jobs. (run link)

@spilchen spilchen left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:lgtm:

@spilchen reviewed 6 files and all commit messages, and made 2 comments.
Reviewable status: :shipit: complete! 1 of 0 LGTMs obtained (waiting on cpj2195, sanchit-CRL, and williamchoe3).

Comment thread pkg/sqlproxy/proxy_handler_test.go Outdated
cancelRequest := proxyCancelRequest{
ProxyIP: net.IP{},
SecretKey: conn.PgConn().SecretKey(),
SecretKey: binary.BigEndian.Uint32(conn.PgConn().SecretKey()),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to assert the size of the key.

I looked at the other changes in here from a SQL Foundations perspective and it all looks good.

Bumps github.com/jackc/pgx/v5 from v5.7.2 to v5.9.2. The primary
motivation is that v5.9.2 adds OAuthTokenProvider to pgconn.Config,
enabling native OAUTHBEARER SASL client support.

Four compatibility fixes are required:

1. pgconn.PgConn.SecretKey() now returns []byte instead of uint32,
   supporting the new PostgreSQL protocol v3.2 variable-length cancel
   key. The sqlproxy cancel tests recover the original uint32 via a
   new pgConnSecretKeyUint32 helper, which asserts the key is exactly
   4 bytes. This makes the protocol v3.0 assumption explicit: CockroachDB
   only speaks v3.0 today so the key is always 4 bytes, and the assertion
   will catch any future drift rather than silently truncating.

2. pgconn now returns a "conn closed" error from its internal state
   machine when operations are attempted on an already-closed
   connection, rather than propagating the OS-level "connection reset
   by peer" or "unexpected EOF". Two regex assertions in sqlproxy
   tests are updated to accept all three forms.

3. pgxpool.Config.BeforeAcquire is deprecated in v5.9.2 in favor of
   PrepareConn, which has the same semantics but also returns an
   error. The workload pool setup is migrated accordingly.

4. pgx v5.9.2 enforces the PostgreSQL pipeline protocol more strictly:
   ReadyForQuery must be sent after Sync, not after each Execute.
   TestPipelineMetric's fake server was sending ReadyForQuery after
   each Execute (via finishQuery(execPortal)), which worked with
   v5.7.2's lenient pipeline reader but fails with v5.9.2. Two new
   test helpers (expectExecPortalPipelined, expectSyncAndSendReadyForQuery)
   correctly simulate the pipeline response sequence.

Closes #171149
Closes #169280
Informs: CRDB-64341
Epic: CRDB-60766

Release note: None

@sanchit-CRL sanchit-CRL left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

X-perf-gain Microbenchmarks CI: Added if a performance gain is detected

Projects

None yet

Development

Successfully merging this pull request may close these issues.

go.mod: bump pgx to v5.9.2+ for OAUTHBEARER OAuthTokenProvider support Update pgx/v5

4 participants