Commit 227621f
authored
build(deps): bump github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0 (#1334)
Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.9.2
to 5.10.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jackc/pgx/blob/master/CHANGELOG.md">github.com/jackc/pgx/v5's
changelog</a>.</em></p>
<blockquote>
<h1>5.10.0 (June 3, 2026)</h1>
<p>This release includes a significant amount of hardening against
malicious or compromised PostgreSQL servers,
contributed by Sean Chittenden at CrowdStrike, Inc. This work bounds
binary decoders against attacker-controlled
message sizes, caps server-supplied SCRAM iteration counts, adds
<code>require_auth</code> to restrict which authentication
methods a server may use (mitigating downgrade attacks under
<code>sslmode=prefer</code>), and ensures cancellation requests are
sent over TLS when the original connection used TLS.</p>
<h2>Features</h2>
<ul>
<li>Add <code>require_auth</code> to restrict accepted server
authentication methods (Sean Chittenden at CrowdStrike, Inc.)</li>
<li>Add <code>ParseConfigOptions.ConnStringAllowedKeys</code> to
restrict allowed connection string keys (Sean Chittenden at CrowdStrike,
Inc.)</li>
<li>Add <code>StructArgs</code> and <code>StrictStructArgs</code> for
<code>@</code>-named queries (Tubelight30)</li>
<li>Add <code>ErrConnClosed</code> sentinel error and unwrap it from
<code>connLockError</code> (Charlie Tonneslan)</li>
<li>pgxpool: check if connection is expired before acquire
(arthurdotwork)</li>
</ul>
<h2>Security Hardening</h2>
<ul>
<li>Encrypt <code>CancelRequest</code> connection when the primary
connection used TLS (Sean Chittenden at CrowdStrike, Inc.)</li>
<li>Cap server-supplied SCRAM iteration count (Sean Chittenden at
CrowdStrike, Inc.)</li>
<li>Default Frontend max message body length to ~1 GiB (Sean Chittenden
at CrowdStrike, Inc.)</li>
<li>Bound hstore binary decode against malicious server input (Sean
Chittenden at CrowdStrike, Inc.)</li>
<li>Bound array binary decode element length against remaining message
bytes (Sean Chittenden at CrowdStrike, Inc.)</li>
<li>Bound array element count against remaining message bytes (Sean
Chittenden at CrowdStrike, Inc.)</li>
<li>Bound range, multirange, and tsvector binary decoders (Sean
Chittenden at CrowdStrike, Inc.)</li>
<li>Document secure connection configuration (Sean Chittenden at
CrowdStrike, Inc.)</li>
<li>Fix panic on malformed geometric text; return an error instead
(MaIII)</li>
</ul>
<h2>Fixes</h2>
<ul>
<li>Fix scanning <code>"char"</code> (OID 18) into
<code>*string</code> in binary format (luongs3)</li>
<li>Fix handling of typed-nil <code>driver.Valuer</code> in array and
composite codecs (Donncha Fahy)</li>
<li>Fix <code>CopyData.Data</code> hex decoding in
<code>UnmarshalJSON</code> (Charlie Tonneslan)</li>
<li>Fix data race when context is cancelled during connect</li>
<li>Fix <code>parseKeywordValueSettings</code> rejecting trailing
whitespace (alliasgher)</li>
<li>pgconn: preserve full error chain in
<code>normalizeTimeoutError</code> (Charlie Tonneslan)</li>
<li>pgconn: use a fresh context for the fallback connection in
<code>connectPreferred</code> (Charlie Tonneslan)</li>
<li>pgxpool: fix <code>MaxLifetimeDestroyCount</code> and ping order for
acquire-time expiry check</li>
<li>Add missing error check of <code>rows.Err</code> to load types (Jen
Altavilla)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jackc/pgx/commit/7293fb11125be0373a92f716683f2d494f6fd4b0"><code>7293fb1</code></a>
Update changelog for v5.10.0</li>
<li><a
href="https://github.com/jackc/pgx/commit/1ade2852841d4ee55677207200f4ffdbc217ce69"><code>1ade285</code></a>
pgconn: document secure connection configuration</li>
<li><a
href="https://github.com/jackc/pgx/commit/b4d6d4d1be7f381bb81d12ebfecae6b10f5c7562"><code>b4d6d4d</code></a>
pgtype: bound range, multirange, and tsvector binary decoders</li>
<li><a
href="https://github.com/jackc/pgx/commit/0639b37f8f4fff31dbe73297087e69b3ccc3bf2b"><code>0639b37</code></a>
pgconn: add ParseConfigOptions.ConnStringAllowedKeys</li>
<li><a
href="https://github.com/jackc/pgx/commit/b28e65b0c3e0cd45c09e7c9ce36e5e29caa6dbe9"><code>b28e65b</code></a>
pgtype: bound array element count against remaining message bytes</li>
<li><a
href="https://github.com/jackc/pgx/commit/cd1f389d37d775bc8cb11c60363946f928c02c98"><code>cd1f389</code></a>
pgtype: bound array binary decode element length against remaining
bytes</li>
<li><a
href="https://github.com/jackc/pgx/commit/ff27b5bbea012020d1fd8b9bdd56284a88783ef1"><code>ff27b5b</code></a>
pgtype: bound hstore binary decode against malicious server input</li>
<li><a
href="https://github.com/jackc/pgx/commit/a6002e12a8a393844b48c29d105e7542e7b3a251"><code>a6002e1</code></a>
pgproto3: default Frontend max message body length to ~1 GiB</li>
<li><a
href="https://github.com/jackc/pgx/commit/44f61732ecdfd08081a1a2ff7227f1e975f0b71e"><code>44f6173</code></a>
pgconn: cap server-supplied SCRAM iteration count</li>
<li><a
href="https://github.com/jackc/pgx/commit/1a976f7bb91216ea7f8369cb7abe78ce34dc244f"><code>1a976f7</code></a>
pgconn: add require_auth to restrict accepted server auth methods</li>
<li>Additional commits viewable in <a
href="https://github.com/jackc/pgx/compare/v5.9.2...v5.10.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>1 parent a1ffe33 commit 227621f
2 files changed
Lines changed: 3 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
11 | 11 | | |
12 | 12 | | |
13 | 13 | | |
14 | | - | |
| 14 | + | |
15 | 15 | | |
16 | 16 | | |
17 | 17 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
83 | 83 | | |
84 | 84 | | |
85 | 85 | | |
86 | | - | |
87 | | - | |
| 86 | + | |
| 87 | + | |
88 | 88 | | |
89 | 89 | | |
90 | 90 | | |
| |||
0 commit comments