Commit 73cdf43
chore(deps): bump github.com/jackc/pgx/v5 to v5.9.0
#### What this PR does / why we need it
Bumps `github.com/jackc/pgx/v5` from v5.8.0 to v5.9.0 to address
CVE-2026-33815 (GHSA-xgrm-4fwx-7qm8), a memory-safety vulnerability
in `pgproto3.Backend.Receive` and `Bind.Decode` (CVSS 9.8). Fixed
upstream in v5.9.0.
pgx is an indirect dependency only — pulled in via cosign →
sigstore-go → certificate-transparency-go's optional postgresql
storage backend. No package in this repo imports pgx, so the
vulnerable symbols are not reachable at runtime; the bump is to
satisfy SCA scanners.
#### Which issue(s) this PR fixes
Fixes: CVE-2026-33815 / GHSA-xgrm-4fwx-7qm8
Signed-off-by: Piotr Janik <piotr.janik@sap.com>
1 parent 175a97a
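The commit message rests on a reachability claim (no package in the repo imports pgx). The script below is an added example for checking that claim from the module graph; it is not part of this commit or of the project. It assumes the `go mod why -m` output format (a `# module` header followed by either the shortest import chain or a single `(main module does not need module ...)` line), and the `MODULE` variable and `--check` flag are this example's own conventions.

```shell
#!/bin/sh
# Added example (not part of this commit or the project): check the
# reachability claim in the commit message, i.e. that no package in the
# repository imports github.com/jackc/pgx/v5, from `go mod why` output.
# Assumption: `go mod why -m MODULE` prints a "# MODULE" header followed by
# either the shortest import chain (first line: a package of the main module,
# last line: a package inside MODULE) or the single line
# "(main module does not need module MODULE)".

MODULE="${MODULE:-github.com/jackc/pgx/v5}"

# classify_why reads `go mod why -m` output on stdin and prints one line:
#   unreachable                        no package of the module is imported
#   reachable: <first> -> <last>       endpoints of the shortest import chain
classify_why() {
    out=$(cat)
    case "$out" in
        *"(main module does not need module"*)
            echo "unreachable"
            return 0
            ;;
    esac
    # Drop the "# MODULE" header and blank lines; what remains is the chain.
    chain=$(printf '%s\n' "$out" | grep -v '^#' | grep -v '^$')
    first=$(printf '%s\n' "$chain" | sed -n '1p')
    last=$(printf '%s\n' "$chain" | sed -n '$p')
    echo "reachable: $first -> $last"
}

# Query the real module graph only when asked, so the function above can be
# sourced or tested without a Go toolchain. `go mod why -m` fails outright if
# the module is not in the build list at all, which means it is already gone.
if [ "${1:-}" = "--check" ]; then
    go mod why -m "$MODULE" | classify_why
fi
```

Run it as `sh check_dep.sh --check` from the module root (the file name is arbitrary). A result of `unreachable` confirms the message's claim at package level; `govulncheck ./...` goes one step further and reports only findings whose affected symbols are reachable from the analyzed packages, which is the check worth attaching to a "not reachable at runtime" statement.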
2 files changed
Lines changed: 3 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
333 | 333 | | |
334 | 334 | | |
335 | 335 | | |
| 336 | + | |
336 | 337 | | |
337 | 338 | | |
338 | 339 | | |
| |||
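Review bot: the hunk at 336 is a pure addition (one `+` line with no matching `-`), which does not line up with a message that says it "bumps" pgx from v5.8.0 to v5.9.0; a version change in a require line normally shows the removed v5.8.0 line next to the added v5.9.0 line. The file name is not rendered here, so it cannot be told from the page whether this is go.mod, but if it is, the module was evidently not listed before and is being pinned for the first time (what `go get github.com/jackc/pgx/v5@v5.9.0` followed by `go mod tidy` adds as an `// indirect` requirement). Confirm which case applies and say so in the message, since "bump" implies an existing entry.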
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
786 | 786 | | |
787 | 787 | | |
788 | 788 | | |
789 | | - | |
790 | | - | |
| 789 | + | |
| 790 | + | |
791 | 791 | | |
792 | 792 | | |
793 | 793 | | |
| |||
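Review bot: the second hunk swaps two lines at 789-790 for two new ones, the shape of a checksum pair (the `h1:` entry and the `/go.mod h1:` entry) moving to a new version, but neither the replaced content nor the file name is rendered here. Verify that both v5.9.0 entries are present and that no v5.8.0 entries remain elsewhere in the file; `go mod tidy` should leave the tree unchanged after this commit, and `go mod verify` should still pass. Stale hashes do not break the build, but they make the diff harder to audit against the stated 3 additions and 2 deletions.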
0 commit comments