Skip to content

Commit 227621f

Browse files
build(deps): bump github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0 (#1334)
Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.9.2 to 5.10.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jackc/pgx/blob/master/CHANGELOG.md">github.com/jackc/pgx/v5's changelog</a>.</em></p> <blockquote> <h1>5.10.0 (June 3, 2026)</h1> <p>This release includes a significant amount of hardening against malicious or compromised PostgreSQL servers, contributed by Sean Chittenden at CrowdStrike, Inc. This work bounds binary decoders against attacker-controlled message sizes, caps server-supplied SCRAM iteration counts, adds <code>require_auth</code> to restrict which authentication methods a server may use (mitigating downgrade attacks under <code>sslmode=prefer</code>), and ensures cancellation requests are sent over TLS when the original connection used TLS.</p> <h2>Features</h2> <ul> <li>Add <code>require_auth</code> to restrict accepted server authentication methods (Sean Chittenden at CrowdStrike, Inc.)</li> <li>Add <code>ParseConfigOptions.ConnStringAllowedKeys</code> to restrict allowed connection string keys (Sean Chittenden at CrowdStrike, Inc.)</li> <li>Add <code>StructArgs</code> and <code>StrictStructArgs</code> for <code>@</code>-named queries (Tubelight30)</li> <li>Add <code>ErrConnClosed</code> sentinel error and unwrap it from <code>connLockError</code> (Charlie Tonneslan)</li> <li>pgxpool: check if connection is expired before acquire (arthurdotwork)</li> </ul> <h2>Security Hardening</h2> <ul> <li>Encrypt <code>CancelRequest</code> connection when the primary connection used TLS (Sean Chittenden at CrowdStrike, Inc.)</li> <li>Cap server-supplied SCRAM iteration count (Sean Chittenden at CrowdStrike, Inc.)</li> <li>Default Frontend max message body length to ~1 GiB (Sean Chittenden at CrowdStrike, Inc.)</li> <li>Bound hstore binary decode against malicious server input (Sean Chittenden at CrowdStrike, Inc.)</li> <li>Bound array binary decode element length against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.)</li> <li>Bound array element count against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.)</li> <li>Bound range, multirange, and tsvector binary decoders (Sean Chittenden at CrowdStrike, Inc.)</li> <li>Document secure connection configuration (Sean Chittenden at CrowdStrike, Inc.)</li> <li>Fix panic on malformed geometric text; return an error instead (MaIII)</li> </ul> <h2>Fixes</h2> <ul> <li>Fix scanning <code>&quot;char&quot;</code> (OID 18) into <code>*string</code> in binary format (luongs3)</li> <li>Fix handling of typed-nil <code>driver.Valuer</code> in array and composite codecs (Donncha Fahy)</li> <li>Fix <code>CopyData.Data</code> hex decoding in <code>UnmarshalJSON</code> (Charlie Tonneslan)</li> <li>Fix data race when context is cancelled during connect</li> <li>Fix <code>parseKeywordValueSettings</code> rejecting trailing whitespace (alliasgher)</li> <li>pgconn: preserve full error chain in <code>normalizeTimeoutError</code> (Charlie Tonneslan)</li> <li>pgconn: use a fresh context for the fallback connection in <code>connectPreferred</code> (Charlie Tonneslan)</li> <li>pgxpool: fix <code>MaxLifetimeDestroyCount</code> and ping order for acquire-time expiry check</li> <li>Add missing error check of <code>rows.Err</code> to load types (Jen Altavilla)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/jackc/pgx/commit/7293fb11125be0373a92f716683f2d494f6fd4b0"><code>7293fb1</code></a> Update changelog for v5.10.0</li> <li><a href="https://github.com/jackc/pgx/commit/1ade2852841d4ee55677207200f4ffdbc217ce69"><code>1ade285</code></a> pgconn: document secure connection configuration</li> <li><a href="https://github.com/jackc/pgx/commit/b4d6d4d1be7f381bb81d12ebfecae6b10f5c7562"><code>b4d6d4d</code></a> pgtype: bound range, multirange, and tsvector binary decoders</li> <li><a href="https://github.com/jackc/pgx/commit/0639b37f8f4fff31dbe73297087e69b3ccc3bf2b"><code>0639b37</code></a> pgconn: add ParseConfigOptions.ConnStringAllowedKeys</li> <li><a href="https://github.com/jackc/pgx/commit/b28e65b0c3e0cd45c09e7c9ce36e5e29caa6dbe9"><code>b28e65b</code></a> pgtype: bound array element count against remaining message bytes</li> <li><a href="https://github.com/jackc/pgx/commit/cd1f389d37d775bc8cb11c60363946f928c02c98"><code>cd1f389</code></a> pgtype: bound array binary decode element length against remaining bytes</li> <li><a href="https://github.com/jackc/pgx/commit/ff27b5bbea012020d1fd8b9bdd56284a88783ef1"><code>ff27b5b</code></a> pgtype: bound hstore binary decode against malicious server input</li> <li><a href="https://github.com/jackc/pgx/commit/a6002e12a8a393844b48c29d105e7542e7b3a251"><code>a6002e1</code></a> pgproto3: default Frontend max message body length to ~1 GiB</li> <li><a href="https://github.com/jackc/pgx/commit/44f61732ecdfd08081a1a2ff7227f1e975f0b71e"><code>44f6173</code></a> pgconn: cap server-supplied SCRAM iteration count</li> <li><a href="https://github.com/jackc/pgx/commit/1a976f7bb91216ea7f8369cb7abe78ce34dc244f"><code>1a976f7</code></a> pgconn: add require_auth to restrict accepted server auth methods</li> <li>Additional commits viewable in <a href="https://github.com/jackc/pgx/compare/v5.9.2...v5.10.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/jackc/pgx/v5&package-manager=go_modules&previous-version=5.9.2&new-version=5.10.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent a1ffe33 commit 227621f

2 files changed

Lines changed: 3 additions & 3 deletions

File tree

go.mod

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ require (
1111
github.com/danielgtaylor/huma/v2 v2.38.0
1212
github.com/golang-jwt/jwt/v5 v5.3.1
1313
github.com/google/go-containerregistry v0.21.6
14-
github.com/jackc/pgx/v5 v5.9.2
14+
github.com/jackc/pgx/v5 v5.10.0
1515
github.com/prometheus/client_golang v1.23.2
1616
github.com/rs/cors v1.11.1
1717
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1

go.sum

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -83,8 +83,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
8383
github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
8484
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
8585
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
86-
github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
87-
github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
86+
github.com/jackc/pgx/v5 v5.10.0 h1:VhSvgU2jSli8o3AqIEOTJr7rZwAEUVo4E4XhR94Zfr0=
87+
github.com/jackc/pgx/v5 v5.10.0/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
8888
github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
8989
github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
9090
github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=

0 commit comments

Comments
 (0)