Commit cc7a4bd
chore(deps): bump org.postgresql:postgresql from 42.7.9 to 42.7.11 (agentscope-ai#1334)
Bumps [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) from
42.7.9 to 42.7.11.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pgjdbc/pgjdbc/releases">org.postgresql:postgresql's
releases</a>.</em></p>
<blockquote>
<h2>v42.7.11</h2>
<h2>Security</h2>
<ul>
<li>fix: Limit SCRAM PBKDF2 iterations accepted from the server.
pgjdbc was vulnerable to a client-side denial of service in
SCRAM-SHA-256 authentication, where a malicious or compromised
PostgreSQL server could specify an extremely large PBKDF2 iteration
count, causing the client to consume unbounded CPU and potentially
exhaust connection pools. The fix introduces a new scramMaxIterations
connection property (defaulting to 100,000) to cap iteration counts
before computation begins.
See the <a
href="https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq">Security
Advisory</a> for more detail.
The following <a
href="https://nvd.nist.gov/vuln/detail/CVE-2026-42198">CVE-2026-42198</a>
has been issued.</li>
</ul>
<h2>Changes</h2>
<ul>
<li>fix: Add sources and javadocs to shaded published lib generation <a
href="https://github.com/sehrope"><code>@sehrope</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/4043">#4043</a>)</li>
<li>update Changelog and website for release of 42.7.11 <a
href="https://github.com/davecramer"><code>@davecramer</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/4042">#4042</a>)</li>
<li>Fix scram fix location in changelog and update published artifact
developer list <a
href="https://github.com/sehrope"><code>@sehrope</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/4041">#4041</a>)</li>
<li>Restrict test with scram_iterations to v16+ and release notes <a
href="https://github.com/sehrope"><code>@sehrope</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/4040">#4040</a>)</li>
<li>chore(deps): update ubuntu:24.04 docker digest to 84e77de <a
href="https://github.com/renovate-bot"><code>@renovate-bot</code></a>
(<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/4017">#4017</a>)</li>
<li>test: add tests for QueryExecutor#getTransactionState <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/4006">#4006</a>)</li>
<li>chore(deps): update actions/create-github-app-token action to v2.2.2
<a
href="https://github.com/renovate-bot"><code>@renovate-bot</code></a>
(<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3983">#3983</a>)</li>
<li>fix: fix flaky CopyBothResponseTest by using WAL flush LSN <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3979">#3979</a>)</li>
<li>fix: fix flaky replication restart tests by waiting for
confirmed_flush_lsn <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3975">#3975</a>)</li>
<li>test: fix flaky LogicalReplicationStatusTest by polling
pg_stat_replication <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3974">#3974</a>)</li>
<li>chore: replace Appveyor with ikalnytskyi/action-setup-postgres <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3966">#3966</a>)</li>
<li>test: move test table creation from <a
href="https://github.com/BeforeEach"><code>@BeforeEach</code></a> to <a
href="https://github.com/BeforeAll"><code>@BeforeAll</code></a> <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3967">#3967</a>)</li>
<li>Return jsonb as PGObject fixes Issue <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3926">#3926</a>
<a href="https://github.com/davecramer"><code>@davecramer</code></a>
(<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3956">#3956</a>)</li>
<li>Update docker scripts <a
href="https://github.com/davecramer"><code>@davecramer</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3958">#3958</a>)</li>
<li>implement require_auth, this is pretty much how libpq does this. <a
href="https://github.com/davecramer"><code>@davecramer</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3895">#3895</a>)</li>
<li>docs: add SCRAM authentication test setup section to TESTING.md <a
href="https://github.com/emmaeng700"><code>@emmaeng700</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3945">#3945</a>)</li>
<li>Add RequireServerVersion annotation for tests <a
href="https://github.com/sehrope"><code>@sehrope</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3939">#3939</a>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li>fix: ensure extended protocol messages end with Sync message <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3728">#3728</a>)</li>
<li>fix: enable cursor-based fetching in extended protocol when
transaction started via SQL command <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3996">#3996</a>)</li>
<li>fix: retry with SSL on IOException when sslMode=ALLOW <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3973">#3973</a>)</li>
<li>fix: allow fallback to non-SSL connection when sslMode=prefer and
sslResponseTimeout kicks in <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3968">#3968</a>)</li>
<li>fix: catch SecurityException from setContextClassLoader on
ForkJoinPool workers <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3962">#3962</a>)</li>
<li>fix: use compareTo for LogSequenceNumber comparison <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3961">#3961</a>)</li>
<li>fix: release COPY lock on IOException to prevent connection hang (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3957">#3957</a>)
<a href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3960">#3960</a>)</li>
</ul>
<h2>🧰 Maintenance</h2>
<ul>
<li>style: replace <a
href="https://github.com/exception"><code>@exception</code></a> with <a
href="https://github.com/throws"><code>@throws</code></a> in getBoolean
javadoc <a href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/4035">#4035</a>)</li>
<li>chore: use <code>@vlsi/github-actions-random-matrix</code> npm
package <a href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/4008">#4008</a>)</li>
<li>chore: use tag names for pinning github actions, pin
ikalnytskyi/action-setup-postgres <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/4007">#4007</a>)</li>
<li>chore: bump errorprone to 2.48.0 <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/4005">#4005</a>)</li>
<li>test: add <a
href="https://github.com/DisableLogger"><code>@DisableLogger</code></a>
annotation to suppress expected log warnings in tests <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3971">#3971</a>)</li>
<li>chore: suppress deprecations in test code to reduce build verbosity
<a href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3972">#3972</a>)</li>
<li>chore: replace log warning in ConnectionFactory.closeStream with
Throwable.addSuppressed <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3970">#3970</a>)</li>
<li>chore: use greedy pairwise coverage for CI matrix generation <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3965">#3965</a>)</li>
<li>chore: use full version tags in GitHub Actions comments <a
href="https://github.com/vlsi"><code>@vlsi</code></a> (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3963">#3963</a>)</li>
</ul>
<h2>⬆️ Dependencies</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md">org.postgresql:postgresql's
changelog</a>.</em></p>
<blockquote>
<h2>[42.7.11] (2026-04-28)</h2>
<h3>Security</h3>
<ul>
<li>fix: Limit SCRAM PBKDF2 iterations accepted from the server.
pgjdbc was vulnerable to a client-side denial of service in
SCRAM-SHA-256 authentication, where a malicious or compromised
PostgreSQL server could specify an extremely large PBKDF2 iteration
count, causing the client to consume unbounded CPU and potentially
exhaust connection pools. The fix introduces a new scramMaxIterations
connection property (defaulting to 100,000) to cap iteration counts
before computation begins.
See the <a
href="https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq">Security
Advisory</a> for more detail.
The following <a
href="https://nvd.nist.gov/vuln/detail/CVE-2026-42198">CVE-2026-42198</a>
has been issued.</li>
</ul>
<h3>Added</h3>
<ul>
<li>feat: implement require_auth connection property, aligning with
libpq behavior [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3895">#3895</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3895">pgjdbc/pgjdbc#3895</a>)</li>
</ul>
<h3>Changed</h3>
<ul>
<li>chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres
[PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3966">#3966</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3966">pgjdbc/pgjdbc#3966</a>)</li>
<li>chore: upgrade Gradle to v9 [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3978">#3978</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3978">pgjdbc/pgjdbc#3978</a>)</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>fix: ensure extended protocol messages end with Sync message [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3728">#3728</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3728">pgjdbc/pgjdbc#3728</a>)</li>
<li>fix: enable cursor-based fetching in extended protocol when
transaction started via SQL command [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3996">#3996</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3996">pgjdbc/pgjdbc#3996</a>)</li>
<li>fix: retry with SSL on IOException when sslMode=ALLOW [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3973">#3973</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3973">pgjdbc/pgjdbc#3973</a>)</li>
<li>fix: make sure the driver honours connectTimeout when retrying the
connection [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3968">#3968</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3968">pgjdbc/pgjdbc#3968</a>)</li>
<li>fix: allow fallback to non-SSL connection when sslMode=prefer and
sslResponseTimeout kicks in [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3968">#3968</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3968">pgjdbc/pgjdbc#3968</a>)</li>
<li>fix: catch SecurityException from setContextClassLoader on
ForkJoinPool workers [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3962">#3962</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3962">pgjdbc/pgjdbc#3962</a>)</li>
<li>fix: use compareTo for LogSequenceNumber comparison to handle
unsigned values correctly [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3961">#3961</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3961">pgjdbc/pgjdbc#3961</a>)</li>
<li>fix: release COPY lock on IOException to prevent connection hang [PR
<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3957">#3957</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3957">pgjdbc/pgjdbc#3957</a>)</li>
<li>fix: return jsonb as PGObject instead of String [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3956">#3956</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3956">pgjdbc/pgjdbc#3956</a>)</li>
<li>fix: align SSL key file permission check with libpq [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3952">#3952</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3952">pgjdbc/pgjdbc#3952</a>)</li>
<li>fix: guard connection closed flag with a reentrant lock to protect
against concurrent close [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3905">#3905</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3905">pgjdbc/pgjdbc#3905</a>)</li>
</ul>
<h2>[42.7.10] (2026-02-11)</h2>
<h3>Changed</h3>
<ul>
<li>chore: Migrate to Shadow 9 <a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3931">PR
3931</a></li>
<li>style: fix empty line before javadoc for checkstyle compliance [PR
<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3925">#3925</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3925">pgjdbc/pgjdbc#3925</a>)</li>
<li>style: fix lambda argument indentation for checkstyle compliance [PR
<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3922">#3922</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3922">pgjdbc/pgjdbc#3922</a>)</li>
<li>test: add autosave=always|never|conservative and
cleanupSavepoints=true|false to the randomized CI jobs [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3917">#3917</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3917">pgjdbc/pgjdbc#3917</a>)</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>fix: non-standard strings failing test for version 19 [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3934">#3934</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3934">pgjdbc/pgjdbc#3934</a>)</li>
<li>fix: small issues in ConnectionFactoryImpl [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3929">#3929</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3929">pgjdbc/pgjdbc#3929</a>)</li>
<li>fix: process pending responses before fastpath to avoid protocol
errors <a href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3913">PR
# 3913</a></li>
<li>doc: use.md, fix typos [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3911">#3911</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3911">pgjdbc/pgjdbc#3911</a>)</li>
<li>doc: datasource.md, fix minor formatting issue [PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3912">#3912</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3912">pgjdbc/pgjdbc#3912</a>)</li>
<li>doc: add the new PGP signing key to the official documentation [PR
<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3912">#3912</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3813">pgjdbc/pgjdbc#3813</a>)</li>
</ul>
<h3>Reverted</h3>
<ul>
<li>Revert "fix: make all Calendar instances proleptic Gregorian
(<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3837">#3837</a>)
(<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3887">#3887</a>)"
[PR <a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3932">#3932</a>](<a
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3932">pgjdbc/pgjdbc#3932</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pgjdbc/pgjdbc/commit/78e261ff2a7f16a37bdceb2204f67e484387da2f"><code>78e261f</code></a>
fix: Add sources and javadocs to shaded published lib generation</li>
<li><a
href="https://github.com/pgjdbc/pgjdbc/commit/1e09fa0496377296c9e2ef3bfd2b409945fba17a"><code>1e09fa0</code></a>
update Changelog and website for release of 42.7.11 (<a
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/4042">#4042</a>)</li>
<li><a
href="https://github.com/pgjdbc/pgjdbc/commit/d479fa5b8c8c915a441ce1f2448f69f23dd0b66c"><code>d479fa5</code></a>
Fix scram fix location in changelog and update published artifact
developer l...</li>
<li><a
href="https://github.com/pgjdbc/pgjdbc/commit/b04fc46af6c207bc7ce9e788fea8c43d18b73d0f"><code>b04fc46</code></a>
docs: Add scram max iters fix to changelog</li>
<li><a
href="https://github.com/pgjdbc/pgjdbc/commit/cf548225b4078db954765339720ffdf3bc94e5a6"><code>cf54822</code></a>
test: Disable scram test on older version without scram_iterations
GUC</li>
<li><a
href="https://github.com/pgjdbc/pgjdbc/commit/7dbcc79b2b4adf7b71458c9434d2c43cec7713b9"><code>7dbcc79</code></a>
test: Add SCRAM max iteration tests</li>
<li><a
href="https://github.com/pgjdbc/pgjdbc/commit/c9d41d1332a7426fcef19ff89f2e6b1116429143"><code>c9d41d1</code></a>
fix: Limit SCRAM PBKDF2 iterations accepted from the server</li>
<li><a
href="https://github.com/pgjdbc/pgjdbc/commit/a340cb2b0ae24c0d98ad9dec569200ebb704d6aa"><code>a340cb2</code></a>
style: replace <a
href="https://github.com/exception"><code>@exception</code></a> with <a
href="https://github.com/throws"><code>@throws</code></a> in getBoolean
javadoc</li>
<li><a
href="https://github.com/pgjdbc/pgjdbc/commit/77837f80c0c20a9f33f9e21b091f4d4552f8e753"><code>77837f8</code></a>
fix(deps): update dependency
org.openrewrite.rewrite:org.openrewrite.rewrite....</li>
<li><a
href="https://github.com/pgjdbc/pgjdbc/commit/23af03bc839af5217ea141946ae41e648264061c"><code>23af03b</code></a>
chore(deps): update actions/checkout action to v6</li>
<li>Additional commits viewable in <a
href="https://github.com/pgjdbc/pgjdbc/compare/REL42.7.9...REL42.7.11">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

1 parent 7dd640b commit cc7a4bd
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
85 | 85 | | |
86 | 86 | | |
87 | 87 | | |
88 | | - | |
| 88 | + | |
89 | 89 | | |
90 | 90 | | |
91 | 91 | | |
| |||
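Review bot: the single replaced line at 88 brings in two behaviour changes listed in the commit message that deserve a check before merge, not only the CVE fix. First, 42.7.11 caps the SCRAM PBKDF2 iteration count accepted from the server through the new scramMaxIterations property (default 100,000), so confirm that no PostgreSQL server this project connects to is configured with a higher iteration count, and set scramMaxIterations explicitly in the connection properties where one is. Second, the changelog lists "return jsonb as PGObject instead of String" (#3956), so code that reads jsonb columns and casts the result to String should be reviewed in the same pass.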
0 commit comments
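
The Security entry in the commit message describes capping the server-supplied PBKDF2 iteration count before any computation begins. The following is an added Java illustration of that check, not pgjdbc's own code: the class name, method name and sample messages are hypothetical, the server-first-message layout follows RFC 5802, and password normalization (SASLprep) is left out.

```java
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added illustration; not pgjdbc code. Class and method names are hypothetical. */
public class ScramIterationCap {
    // Same value as the default the release notes give for scramMaxIterations.
    static final int MAX_ITERATIONS = 100_000;

    /** Parses "r=<nonce>,s=<base64 salt>,i=<count>" and derives the SCRAM SaltedPassword. */
    static byte[] saltedPassword(char[] password, String serverFirst, int maxIterations)
            throws GeneralSecurityException {
        String salt = null;
        String iter = null;
        for (String attr : serverFirst.split(",")) {
            if (attr.startsWith("s=")) {
                salt = attr.substring(2);
            } else if (attr.startsWith("i=")) {
                iter = attr.substring(2);
            }
        }
        if (salt == null || iter == null) {
            throw new IllegalArgumentException("server-first-message lacks s= or i=");
        }
        int iterations;
        try {
            iterations = Integer.parseInt(iter);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("iteration count is not a valid int", e);
        }
        // The count is server-controlled input: reject it before any key derivation work.
        if (iterations < 1 || iterations > maxIterations) {
            throw new IllegalArgumentException(
                "iteration count " + iterations + " outside 1.." + maxIterations);
        }
        PBEKeySpec spec =
            new PBEKeySpec(password, Base64.getDecoder().decode(salt), iterations, 256);
        try {
            // Hi(password, salt, i) in SCRAM-SHA-256 is PBKDF2-HMAC-SHA-256 with a 32-byte output.
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] pw = "example-password".toCharArray(); // constructed sample
        // Constructed messages: same nonce and salt, different iteration counts.
        String ok = "r=clientnonceSERVERNONCE,s=c2FsdHNhbHRzYWx0c2FsdA==,i=4096";
        String hostile = "r=clientnonceSERVERNONCE,s=c2FsdHNhbHRzYWx0c2FsdA==,i=2000000000";
        System.out.println("derived " + saltedPassword(pw, ok, MAX_ITERATIONS).length + " bytes");
        try {
            saltedPassword(pw, hostile, MAX_ITERATIONS);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Without the range check, the second message would tie up the calling thread in key derivation for as long as the server-chosen count dictates, which is how a pool of connecting threads gets exhausted.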