chore(deps): bump backend dependencies, add upgrades and CVE fixes implementation plan

Author: agneum

docs/plans/20260402-dependency-upgrades-cve-fixes.md

@@ -9,7 +9,7 @@ workflow:
 
 default:
   image:
-    name: golang:1.24
+    name: golang:1.26
     pull_policy: if-not-present
   interruptible: true  # All jobs can be cancelled by default
 
@@ -70,7 +70,7 @@ lint:
 build-binary-alpine:
   <<: *only_engine
   image:
-    name: golang:1.24-alpine
+    name: golang:1.26-alpine
     pull_policy: if-not-present
   stage: build-binary
   artifacts:

engine/.gitlab-ci.yml

@@ -1,113 +1,122 @@
+version: "2"
 run:
-  timeout: 5m
   issues-exit-code: 1
   tests: true
 output:
   formats:
-   - format: colored-line-number
-  print-issued-lines: true
-  print-linter-name: true
-
-linters-settings:
-  errcheck:
-    check-type-assertions: false
-    check-blank: false
-    exclude-functions:
-      - (*os.File).Close
-  errorlint:
-    errorf: true
-    asserts: true
-    comparison: true
-  gofmt:
-    simplify: true
-  gofumpt:
-    extra-rules: false
-  gosimple:
-    checks: [ "all" ]
-  goimports:
-    local-prefixes: gitlab.com/postgres-ai/database-lab
-  dupl:
-    threshold: 120
-  goconst:
-    min-len: 3
-    min-occurrences: 5
-  lll:
-    line-length: 140
-    tab-width: 1
-  mnd:
-    ignored-functions:
-      - strconv.Format*
-      - os.*
-      - strconv.Parse*
-      - strings.SplitN
-      - bytes.SplitN
-  revive:
-    confidence: 0.8
-  unused:
-    exported-fields-are-used: false
-  unparam:
-    check-exported: false
-  nakedret:
-    max-func-lines: 20
-  prealloc:
-    simple: true
-    range-loops: true
-    for-loops: true
-  gocritic:
-    disabled-checks:
-      - regexpMust
-      - rangeValCopy
-      - appendAssign
-      - hugeParam
-    enabled-tags:
-      - performance
-    disabled-tags:
-      - experimental
-  staticcheck:
-    checks: [ "all" ]
-
+    text:
+      path: stdout
+      print-linter-name: true
+      print-issued-lines: true
 linters:
   enable:
     - dupl
     - errcheck
     - gochecknoinits
     - goconst
     - gocritic
-    - goimports
-    - gosimple
     - govet
     - ineffassign
     - lll
     - misspell
     - mnd
-    - prealloc
     - revive
     - staticcheck
-    - stylecheck
     - unconvert
-    - unused
     - unparam
     - wsl
-  enable-all: false
   disable:
     - depguard
-    - gosec
-    - gocyclo # currently unmaintained
-  fast: false
-
+    - gocyclo
+    - prealloc # disabled: produces false positives on non-trivial loops
+  settings:
+    dupl:
+      threshold: 120
+    errcheck:
+      check-type-assertions: false
+      check-blank: false
+      exclude-functions:
+        - (*os.File).Close
+    errorlint:
+      errorf: true
+      asserts: true
+      comparison: true
+    goconst:
+      min-len: 3
+      min-occurrences: 5
+    gocritic:
+      disabled-checks:
+        - regexpMust
+        - rangeValCopy
+        - appendAssign
+        - hugeParam
+      enabled-tags:
+        - performance
+      disabled-tags:
+        - experimental
+    lll:
+      line-length: 140
+      tab-width: 1
+    mnd:
+      ignored-functions:
+        - strconv.Format*
+        - os.*
+        - strconv.Parse*
+        - strings.SplitN
+        - bytes.SplitN
+    nakedret:
+      max-func-lines: 20
+    prealloc:
+      simple: true
+      range-loops: true
+      for-loops: true
+    revive:
+      confidence: 0.8
+    staticcheck:
+      checks:
+        - all
+        - -QF1001
+        - -QF1006
+        - -QF1008
+        - -QF1012
+    unparam:
+      check-exported: false
+    unused:
+      exported-fields-are-used: false
+  exclusions:
+    generated: lax
+    rules:
+      - linters:
+          - dupl
+          - errcheck
+          - gocyclo
+          - lll
+          - mnd
+          - wsl
+        path: _test\.go
+    paths:
+      - vendor
+      - third_party$
+      - builtin$
+      - examples$
 issues:
-  exclude-rules:
-    - path: _test\.go
-      linters:
-        - dupl
-        - gocyclo
-        - lll
-        - errcheck
-        - wsl
-        - mnd
-  exclude-dirs:
-    - vendor
-
-  exclude-use-default: false
   max-issues-per-linter: 0
   max-same-issues: 0
+formatters:
+  enable:
+    - goimports
+  settings:
+    gofmt:
+      simplify: true
+    gofumpt:
+      extra-rules: false
+    goimports:
+      local-prefixes:
+        - gitlab.com/postgres-ai/database-lab
+  exclusions:
+    generated: lax
+    paths:
+      - vendor
+      - third_party$
+      - builtin$
+      - examples$

engine/.golangci.yml

@@ -1,7 +1,7 @@
 # How to start a container: https://postgres.ai/docs/how-to-guides/administration/engine-manage
 
 # Compile stage
-FROM golang:1.24 AS build-env
+FROM golang:1.26 AS build-env
 
 # Build Delve
 RUN go install github.com/go-delve/delve/cmd/dlv@latest
@@ -12,7 +12,7 @@ RUN go install github.com/go-delve/delve/cmd/dlv@latest
 # RUN GO111MODULE=on CGO_ENABLED=0 go build -gcflags="all=-N -l" -o /dblab-server-debug ./cmd/database-lab/main.go
 
 # Final stage
-FROM docker:27.5.1
+FROM docker:29.3.1
 
 # Install dependencies
 RUN apk update \

engine/Dockerfile.dblab-server-debug

@@ -35,10 +35,11 @@ help: ## Display the help message
 all: clean build ## Build all binary components of the project
 
 install-lint: ## Install the linter to $GOPATH/bin which is expected to be in $PATH
-	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.64.8
+	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.11.4
 
 run-lint: ## Run linters
 	golangci-lint run
+	golangci-lint fmt --diff
 
 lint: install-lint run-lint ## Install and run linters
 

engine/Makefile

@@ -61,10 +61,7 @@ func runTctl(ctx context.Context, tctlPath, identityFile, proxyAddr string, args
 	ctx, cancel := context.WithTimeout(ctx, tctlCommandTimeout)
 	defer cancel()
 
-	baseArgs := []string{
-		"--identity", identityFile,
-		"--auth-server", proxyAddr,
-	}
+	baseArgs := []string{"--identity", identityFile, "--auth-server", proxyAddr}
 	fullArgs := append(baseArgs, args...)
 
 	out, err := exec.CommandContext(ctx, tctlPath, fullArgs...).CombinedOutput()

engine/cmd/cli/commands/teleport/tctl.go

@@ -1,6 +1,6 @@
 module gitlab.com/postgres-ai/database-lab/v3
 
-go 1.24.7
+go 1.26.0
 
 require (
 	github.com/AlekSi/pointer v1.2.0
@@ -11,7 +11,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/config v1.32.12
 	github.com/aws/aws-sdk-go-v2/service/rds v1.113.1
 	github.com/containerd/errdefs v1.0.0
-	github.com/docker/cli v29.3.0+incompatible
+	github.com/docker/cli v28.5.2+incompatible
 	github.com/docker/docker v28.5.2+incompatible
 	github.com/docker/go-connections v0.6.0
 	github.com/docker/go-units v0.5.0
@@ -21,8 +21,7 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/mux v1.8.0
 	github.com/gorilla/websocket v1.5.3
-	github.com/jackc/pgtype v1.14.4
-	github.com/jackc/pgx/v4 v4.18.3
+	github.com/jackc/pgx/v5 v5.7.5
 	github.com/lib/pq v1.10.9
 	github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58
 	github.com/pkg/errors v0.9.1
@@ -38,8 +37,8 @@ require (
 	github.com/urfave/cli/v2 v2.25.7
 	github.com/wagslane/go-password-validator v0.3.0
 	golang.org/x/crypto v0.45.0
-	golang.org/x/mod v0.29.0
-	golang.org/x/oauth2 v0.35.0
+	golang.org/x/mod v0.32.0
+	golang.org/x/oauth2 v0.36.0
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 )
@@ -76,12 +75,8 @@ require (
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
-	github.com/jackc/pgconn v1.14.3 // indirect
-	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgproto3/v2 v2.3.3 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
@@ -110,16 +105,15 @@ require (
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 // indirect
-	go.opentelemetry.io/otel v1.40.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 // indirect
-	go.opentelemetry.io/otel/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.40.0 // indirect
-	go.opentelemetry.io/otel/trace v1.40.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 // indirect
+	go.opentelemetry.io/otel v1.42.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect
+	go.opentelemetry.io/otel/metric v1.42.0 // indirect
+	go.opentelemetry.io/otel/trace v1.42.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	golang.org/x/sys v0.40.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
-	google.golang.org/protobuf v1.36.8 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 )