
chore(deps): bump github.com/jackc/pgx/v5 from 5.9.0 to 5.9.2#1938

Merged
piotrjanik merged 1 commit into main from dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2 on May 5, 2026

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 4, 2026

Bumps github.com/jackc/pgx/v5 from 5.9.0 to 5.9.2.

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.9.2 (April 18, 2026)

Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx)

SQL injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That query contains text that would be interpreted as a placeholder outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

5.9.1 (March 22, 2026)

  • Fix: batch result format corruption when using cached prepared statements (reported by Dirkjan Bussink)
Commits
  • 0aeabbc Release v5.9.2
  • 60644f8 Fix SQL sanitizer bugs with dollar-quoted strings and placeholder overflow
  • a5680bc Merge pull request #2531 from dolmen-go/godoc-add-links
  • e34e452 doc: Add godoc links
  • 08c9bb1 Fix Stringer types encoded as text instead of numeric value in composite fields
  • 96b4dbd Remove unstable test
  • acf88e0 Merge pull request #2526 from abrightwell/abrightwell-min-proto
  • 2f81f1f Update max_protocol_version and min_protocol_version defaults
  • 4e4eaed Release v5.9.1
  • 6273188 Fix batch result format corruption when using cached prepared statements
  • Additional commits viewable in compare view
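The changelog entry above describes the bug only in outline. To make the mechanism concrete, here is an added, self-contained Go example (it is not pgx's code and does not model pgx's actual sanitizer): a toy simple-protocol placeholder substituter with a flag that toggles whether it recognises dollar-quoted literals. The query text and attacker value are the constructed ones from the advisory; `Substitute`, `quoteLiteral` and the helper names are assumptions of this example. Run it and compare the two outputs: the naive path replaces the `$1` that sits inside `$tag$ ... $tag$`, so the attacker's `$tag$` closes the literal and `; drop table canary; --` becomes a second statement, while the dollar-quote-aware path leaves that `$1` as literal text.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed inputs reproducing the advisory's example (assumed, not from the project).
const (
	AttackQuery = `select $tag$ $1 $tag$, $1`
	AttackValue = `$tag$; drop table canary; --`
)

// quoteLiteral renders a text argument as a PostgreSQL single-quoted literal.
func quoteLiteral(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }

func isTagChar(c byte) bool {
	return c == '_' || isDigit(c) || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// dollarTagLen returns the length of a dollar-quote opener ($$ or $tag$) at sql[i], or 0.
// A tag cannot start with a digit, so $1 is never treated as an opener.
func dollarTagLen(sql string, i int) int {
	if sql[i] != '$' || i+1 >= len(sql) || isDigit(sql[i+1]) {
		return 0
	}
	j := i + 1
	for j < len(sql) && isTagChar(sql[j]) {
		j++
	}
	if j < len(sql) && sql[j] == '$' {
		return j - i + 1
	}
	return 0
}

// placeholderLen returns the length of a $N placeholder at sql[i], or 0.
func placeholderLen(sql string, i int) int {
	j := i + 1
	for j < len(sql) && isDigit(sql[j]) {
		j++
	}
	if j == i+1 {
		return 0
	}
	return j - i
}

// Substitute interpolates args into $N placeholders, as a simple-protocol client must
// do before sending the query text. With dollarQuoteAware=false it mimics the flawed
// behaviour: a $N inside $tag$...$tag$ is replaced as if it were a real placeholder.
func Substitute(sql string, args []string, dollarQuoteAware bool) (string, error) {
	var out strings.Builder
	for i := 0; i < len(sql); {
		c := sql[i]
		switch {
		case c == '\'':
			// Single-quoted literal: copy verbatim up to the closing quote ('' stays inside).
			j := i + 1
			for j < len(sql) {
				if sql[j] == '\'' {
					if j+1 < len(sql) && sql[j+1] == '\'' {
						j += 2
						continue
					}
					break
				}
				j++
			}
			if j < len(sql) {
				j++ // include the closing quote
			}
			out.WriteString(sql[i:j])
			i = j
		case c == '$' && dollarQuoteAware && dollarTagLen(sql, i) > 0:
			// Dollar-quoted literal: copy verbatim through the matching closing tag.
			n := dollarTagLen(sql, i)
			tag := sql[i : i+n]
			end := len(sql) // unterminated literal: copy the rest untouched
			if rel := strings.Index(sql[i+n:], tag); rel >= 0 {
				end = i + n + rel + n
			}
			out.WriteString(sql[i:end])
			i = end
		case c == '$' && placeholderLen(sql, i) > 0:
			n := placeholderLen(sql, i)
			idx, _ := strconv.Atoi(sql[i+1 : i+n])
			if idx < 1 || idx > len(args) {
				return "", fmt.Errorf("placeholder $%d out of range for %d args", idx, len(args))
			}
			out.WriteString(quoteLiteral(args[idx-1]))
			i += n
		default:
			out.WriteByte(c)
			i++
		}
	}
	return out.String(), nil
}

func main() {
	args := []string{AttackValue}
	naive, _ := Substitute(AttackQuery, args, false)
	safe, _ := Substitute(AttackQuery, args, true)
	fmt.Println("naive: ", naive) // attacker's $tag$ closes the literal, injecting a statement
	fmt.Println("aware: ", safe)  // $1 inside the dollar-quoted literal stays as text
}
```

The practical check for a codebase is whether any `Exec`/`Query` call passes `pgx.QueryExecModeSimpleProtocol` (or configures `DefaultQueryExecMode` to it); under the default extended protocol the parameters travel separately from the query text and no client-side substitution happens, which is why the advisory scopes the issue to the non-default simple protocol.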

@dependabot dependabot Bot added kind/chore chore, maintenance, etc. kind/dependency dependency update, etc. labels May 4, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 4, 2026 11:40
@github-actions github-actions Bot added the size/xs Extra small label May 4, 2026
@piotrjanik piotrjanik enabled auto-merge (squash) May 4, 2026 21:13
@morri-son
Contributor

@dependabot rebase

Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.9.0 to 5.9.2.
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](jackc/pgx@v5.9.0...v5.9.2)

---
updated-dependencies:
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.9.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2 branch from 7f32866 to e9f1ce2 Compare May 5, 2026 07:08
@piotrjanik piotrjanik merged commit 129f7be into main May 5, 2026
22 checks passed
@dependabot dependabot Bot deleted the dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2 branch May 5, 2026 07:16