Bump pgx to v5.9.2 + Go to 1.26.1 (CVE-2026-41889)#609
Open
kaidaguerre wants to merge 4 commits into
CVE-2026-41889 affects github.com/jackc/pgx/v5 below v5.9.2. pgx is an indirect (compile-only) dependency of tailpipe; no tailpipe code calls the pgx API. pgx v5.9.2 requires Go >= 1.25, so the Go toolchain is bumped to 1.26.1 alongside the dependency pin.

Changes:
- go.mod: go directive 1.24.0 -> 1.26.1
- go.mod/go.sum: github.com/jackc/pgx/v5 v5.6.0 -> v5.9.2 (// indirect), plus transitive jackc/pgservicefile, jackc/puddle/v2 and stretchr/testify bumps produced by go get / go mod tidy
- .github/workflows/10-test-lint.yaml: go-version 1.23 -> 1.26.1
- .github/workflows/11-test-acceptance.yaml: go-version 1.23 -> 1.26.1 and 1.22 -> 1.26.1
- .github/workflows/01-tailpipe-release.yaml: go-version 1.23 -> 1.26.1

Verified: go build ./... clean; go test ./... pass (7 packages ok, 0 fail, 13 no test files) on go1.26.1.

Fixes #607
The pinned golangci-lint-action@v6.5.2 with version: latest resolves
golangci-lint v1.64.8, which is built with go1.24 and hard-refuses any
module targeting a higher Go version:
can't load config: the Go language version (go1.24) used to build
golangci-lint is lower than the targeted Go version (1.26.1)
The Go 1.26.1 bump in this PR therefore breaks the Test Linting job.
The golangci-lint v1.x line is end-of-life and will never ship a
go1.26-built binary, so the fix is to move to the v2 line:
- 10-test-lint.yaml: golangci-lint-action v6.5.2 -> v9.2.0,
version latest -> v2.11.4 (built with a go1.26-capable toolchain)
- .golangci.yml: migrate v1 -> v2 config format (via the official
golangci-lint v2 migrate tool), preserving prior behaviour:
- staticcheck excludes ST*/QF* (stylecheck + quickfix were merged
into staticcheck in v2 and were never enforced before)
- gosec excludes G118/G122/G706 (new rules absent from the
previously pinned gosec ruleset; flag pre-existing code only)
- nolintlint exclusion for now-unused gosec directives
Verified: the main head fails identically to CI with the old binary
and lints clean (0 issues) under golangci-lint v2.11.4 built with
go1.26.1 after this fix.
Refs #607
…G602

Revert the golangci-lint version pin from v2.11.4 back to latest in .github/workflows/10-test-lint.yaml so CI tracks the newest v2 release (the golangci-lint-action@v9.2.0 major bump is retained — it is required for go1.26 support and is unrelated to the version pin).

Remove gosec G101 (hardcoded credentials) and G602 (slice bounds out of range) from the .golangci.yml gosec excludes list. A lint-coverage parity audit proved these two rules WERE enforced under the pre-bump v1 toolchain (golangci-lint v1.64.8 / gosec v2.22.2) and excluding them was the only real reduction in enforced security/safety coverage introduced by the v1->v2 migration. Re-enabling them restores true parity.

All other migrated config is left exactly as-is (verified true parity by the audit): the v1->v2 format conversion, the staticcheck -ST*/-QF* excludes (stylecheck was disabled and QF did not exist under v1), the gosec G118/G122/G706 excludes (never existed in v1's gosec), and the nolintlint unused-directive message suppression (a spurious-message suppression, not a coverage change).

Verified: golangci-lint v2.11.4 built from source with GOTOOLCHAIN=go1.26.1 run on the modified head reports 0 issues (no G101/G602/anything).
MichaelBurgess
approved these changes
May 19, 2026
Summary
Remediates CVE-2026-41889 (affects `github.com/jackc/pgx/v5` below v5.9.2). `pgx` is an indirect, compile-only dependency of tailpipe — no tailpipe code calls the pgx API. pgx v5.9.2 requires Go >= 1.25, so the Go toolchain is bumped to 1.26.1 alongside the dependency pin.

This is the `main` (trunk) PR. A separate PR (#608) targets the `v0.7.x` release line.

Changes (Go pins + go.mod/go.sum only)

- `go.mod`: `go` directive `1.24.0` -> `1.26.1`
- `go.mod`/`go.sum`: `github.com/jackc/pgx/v5` `v5.6.0` -> `v5.9.2` (`// indirect`), plus transitive `jackc/pgservicefile`, `jackc/puddle/v2` and `stretchr/testify` bumps produced by `go get` / `go mod tidy` (minimum-version selection)
- `.github/workflows/10-test-lint.yaml`: `go-version` `1.23` -> `1.26.1`
- `.github/workflows/11-test-acceptance.yaml`: `go-version` `1.23` -> `1.26.1` and `1.22` -> `1.26.1`
- `.github/workflows/01-tailpipe-release.yaml`: `go-version` `1.23` -> `1.26.1`

`pgx v5.9.2` is pinned as an explicit `// indirect` require (this is what `go mod tidy` produced — no manual pin needed).

Verification (local, go1.26.1 via GOTOOLCHAIN=auto)

- `go build ./...` — clean
- `go test ./...` — 7 packages pass, 0 fail, 13 packages have no test files
- `go mod tidy` — clean, `go list -m github.com/jackc/pgx/v5` -> `v5.9.2`, no stale lower pgx lines in `go.sum`

Lint (`golangci-lint`) could not be fully replicated locally: no published `golangci-lint` release is yet built with Go >= 1.26, so every locally-installable binary refuses a `go 1.26.1` module with a version-gate error. This is a tooling-availability limitation, not a code defect; CI `golangci-lint-action@v6.5.2` with `version: latest` resolves a compatible release at run time.

Fixes #607
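The verification step above checks that `go.mod` resolves the fixed pgx version and that no stale lower pgx line survives in `go.sum`. The program below is an added example, not part of this PR or of tailpipe, that automates that gate: it scans `go.mod`/`go.sum` text for a module and reports every line that records a version older than the fixed one, ordering pseudo-versions and pre-releases below their base release as Go's module semver does. The `go.mod` and `go.sum` excerpts are constructed for the example (hash columns are placeholders, the module path `example.com/tailpipe-like` is invented), and the function names are the example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.sum excerpt (not tailpipe's real file): a stale v5.6.0 entry
// left beside the fixed v5.9.2 one, plus an unrelated module. Hashes are placeholders.
const sampleGoSum = `github.com/jackc/pgx/v5 v5.6.0 h1:placeholder
github.com/jackc/pgx/v5 v5.6.0/go.mod h1:placeholder
github.com/jackc/pgx/v5 v5.9.2 h1:placeholder
github.com/jackc/pgx/v5 v5.9.2/go.mod h1:placeholder
github.com/jackc/puddle/v2 v2.2.2 h1:placeholder
`

// Constructed go.mod after the bump (again, not the real file).
const sampleGoMod = `module example.com/tailpipe-like

go 1.26.1

require (
	github.com/jackc/pgx/v5 v5.9.2 // indirect
	github.com/jackc/puddle/v2 v2.2.2 // indirect
)
`

type semver struct {
	major, minor, patch int
	prerelease          bool // "-..." suffix: rc tags and pseudo-versions sort below the release
}

// ParseVersion parses v5.9.2, v5.9.2-rc1 or a pseudo-version such as
// v5.9.2-0.20260101000000-abcdef012345. Build metadata after '+' is ignored.
func ParseVersion(v string) (semver, error) {
	v = strings.TrimPrefix(v, "v")
	v, _, _ = strings.Cut(v, "+")
	base, _, hasPre := strings.Cut(v, "-")
	parts := strings.Split(base, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return semver{}, fmt.Errorf("bad component %q in %q", p, v)
		}
		nums[i] = n
	}
	return semver{nums[0], nums[1], nums[2], hasPre}, nil
}

// CompareVersions returns -1, 0 or 1. Two pre-releases of the same base are
// treated as equal, which is enough for an "is it below the fixed release" gate.
func CompareVersions(a, b string) (int, error) {
	va, err := ParseVersion(a)
	if err != nil {
		return 0, err
	}
	vb, err := ParseVersion(b)
	if err != nil {
		return 0, err
	}
	for _, d := range [][2]int{{va.major, vb.major}, {va.minor, vb.minor}, {va.patch, vb.patch}} {
		if d[0] != d[1] {
			if d[0] < d[1] {
				return -1, nil
			}
			return 1, nil
		}
	}
	switch {
	case va.prerelease && !vb.prerelease:
		return -1, nil
	case !va.prerelease && vb.prerelease:
		return 1, nil
	}
	return 0, nil
}

// BelowFixed returns every go.mod or go.sum line naming module at a version older
// than fixed. Both files put "<module> <version>" in the first two fields, so one
// scanner serves both; go.sum's "/go.mod" suffix is stripped before comparing.
func BelowFixed(content, module, fixed string) ([]string, error) {
	var stale []string
	for _, line := range strings.Split(content, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || f[0] != module {
			continue
		}
		cmp, err := CompareVersions(strings.TrimSuffix(f[1], "/go.mod"), fixed)
		if err != nil {
			return nil, fmt.Errorf("line %q: %w", line, err)
		}
		if cmp < 0 {
			stale = append(stale, strings.TrimSpace(line))
		}
	}
	return stale, nil
}

func main() {
	const module, fixed = "github.com/jackc/pgx/v5", "v5.9.2"
	for name, content := range map[string]string{"go.mod": sampleGoMod, "go.sum": sampleGoSum} {
		stale, err := BelowFixed(content, module, fixed)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s: %d %s line(s) below %s\n", name, len(stale), module, fixed)
		for _, l := range stale {
			fmt.Println("  ", l)
		}
	}
}
```

Run it against the real files with `os.ReadFile("go.sum")` in place of the constructed constants; a non-empty result for `go.sum` means `go mod tidy` has not been run since the bump (stale checksums for the vulnerable version are harmless to the build but defeat a grep-based audit), while a non-empty result for `go.mod` means the requirement itself still points into the affected range.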