Bump the all-dependencies group with 2 updates #331
Merged
ChrisSchinnerl merged 1 commit into Jun 22, 2026
Knope Bot / Require changes to be documented
required action
Jun 22, 2026 in 0s
This pull request has not been documented yet
This project requires changes to be documented via either changesets or conventional commits. Depending on how this pull request is merged, it may not be fully documented:
- ❌ Squash would use commit message, that message is not conventional
- ❌ Merge would use commit messages, and no commits are conventional
- ❌ Rebase is allowed, and no commits are conventional
To satisfy this check, you can:
- Address the conventional commit issues above
- Click one of the buttons on this screen to auto-generate a change file (may only be visible to maintainers)
- Create a change file with the Knope CLI
- Create a change file in GitHub's web editor or copy/paste the content below into `.changeset/bump_the_all_dependencies_group_with_2_updates.md`
  - Replace "CHANGE_TYPE" with `major`, `minor`, or `patch` (see knope's docs), then edit as needed for your users.
Details
---
default: CHANGE_TYPE
---
# Bump the all-dependencies group with 2 updates
#331 by @dependabot[bot]
Bumps the all-dependencies group with 2 updates: [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) and [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3).
Updates `github.com/jackc/pgx/v5` from 5.9.2 to 5.10.0
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/jackc/pgx/blob/master/CHANGELOG.md">github.com/jackc/pgx/v5's changelog</a>.</em></p>
<blockquote>
<h1>5.10.0 (June 3, 2026)</h1>
<p>This release includes a significant amount of hardening against malicious or compromised PostgreSQL servers,
contributed by Sean Chittenden at CrowdStrike, Inc. This work bounds binary decoders against attacker-controlled
message sizes, caps server-supplied SCRAM iteration counts, adds <code>require_auth</code> to restrict which authentication
methods a server may use (mitigating downgrade attacks under <code>sslmode=prefer</code>), and ensures cancellation requests are
sent over TLS when the original connection used TLS.</p>
<h2>Features</h2>
<ul>
<li>Add <code>require_auth</code> to restrict accepted server authentication methods (Sean Chittenden at CrowdStrike, Inc.)</li>
<li>Add <code>ParseConfigOptions.ConnStringAllowedKeys</code> to restrict allowed connection string keys (Sean Chittenden at CrowdStrike, Inc.)</li>
<li>Add <code>StructArgs</code> and <code>StrictStructArgs</code> for <code>@</code>-named queries (Tubelight30)</li>
<li>Add <code>ErrConnClosed</code> sentinel error and unwrap it from <code>connLockError</code> (Charlie Tonneslan)</li>
<li>pgxpool: check if connection is expired before acquire (arthurdotwork)</li>
</ul>
<h2>Security Hardening</h2>
<ul>
<li>Encrypt <code>CancelRequest</code> connection when the primary connection used TLS (Sean Chittenden at CrowdStrike, Inc.)</li>
<li>Cap server-supplied SCRAM iteration count (Sean Chittenden at CrowdStrike, Inc.)</li>
<li>Default Frontend max message body length to ~1 GiB (Sean Chittenden at CrowdStrike, Inc.)</li>
<li>Bound hstore binary decode against malicious server input (Sean Chittenden at CrowdStrike, Inc.)</li>
<li>Bound array binary decode element length against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.)</li>
<li>Bound array element count against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.)</li>
<li>Bound range, multirange, and tsvector binary decoders (Sean Chittenden at CrowdStrike, Inc.)</li>
<li>Document secure connection configuration (Sean Chittenden at CrowdStrike, Inc.)</li>
<li>Fix panic on malformed geometric text; return an error instead (MaIII)</li>
</ul>
<h2>Fixes</h2>
<ul>
<li>Fix scanning <code>"char"</code> (OID 18) into <code>*string</code> in binary format (luongs3)</li>
<li>Fix handling of typed-nil <code>driver.Valuer</code> in array and composite codecs (Donncha Fahy)</li>
<li>Fix <code>CopyData.Data</code> hex decoding in <code>UnmarshalJSON</code> (Charlie Tonneslan)</li>
<li>Fix data race when context is cancelled during connect</li>
<li>Fix <code>parseKeywordValueSettings</code> rejecting trailing whitespace (alliasgher)</li>
<li>pgconn: preserve full error chain in <code>normalizeTimeoutError</code> (Charlie Tonneslan)</li>
<li>pgconn: use a fresh context for the fallback connection in <code>connectPreferred</code> (Charlie Tonneslan)</li>
<li>pgxpool: fix <code>MaxLifetimeDestroyCount</code> and ping order for acquire-time expiry check</li>
<li>Add missing error check of <code>rows.Err</code> to load types (Jen Altavilla)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/jackc/pgx/commit/7293fb11125be0373a92f716683f2d494f6fd4b0"><code>7293fb1</code></a> Update changelog for v5.10.0</li>
<li><a href="https://github.com/jackc/pgx/commit/1ade2852841d4ee55677207200f4ffdbc217ce69"><code>1ade285</code></a> pgconn: document secure connection configuration</li>
<li><a href="https://github.com/jackc/pgx/commit/b4d6d4d1be7f381bb81d12ebfecae6b10f5c7562"><code>b4d6d4d</code></a> pgtype: bound range, multirange, and tsvector binary decoders</li>
<li><a href="https://github.com/jackc/pgx/commit/0639b37f8f4fff31dbe73297087e69b3ccc3bf2b"><code>0639b37</code></a> pgconn: add ParseConfigOptions.ConnStringAllowedKeys</li>
<li><a href="https://github.com/jackc/pgx/commit/b28e65b0c3e0cd45c09e7c9ce36e5e29caa6dbe9"><code>b28e65b</code></a> pgtype: bound array element count against remaining message bytes</li>
<li><a href="https://github.com/jackc/pgx/commit/cd1f389d37d775bc8cb11c60363946f928c02c98"><code>cd1f389</code></a> pgtype: bound array binary decode element length against remaining bytes</li>
<li><a href="https://github.com/jackc/pgx/commit/ff27b5bbea012020d1fd8b9bdd56284a88783ef1"><code>ff27b5b</code></a> pgtype: bound hstore binary decode against malicious server input</li>
<li><a href="https://github.com/jackc/pgx/commit/a6002e12a8a393844b48c29d105e7542e7b3a251"><code>a6002e1</code></a> pgproto3: default Frontend max message body length to ~1 GiB</li>
<li><a href="https://github.com/jackc/pgx/commit/44f61732ecdfd08081a1a2ff7227f1e975f0b71e"><code>44f6173</code></a> pgconn: cap server-supplied SCRAM iteration count</li>
<li><a href="https://github.com/jackc/pgx/commit/1a976f7bb91216ea7f8369cb7abe78ce34dc244f"><code>1a976f7</code></a> pgconn: add require_auth to restrict accepted server auth methods</li>
<li>Additional commits viewable in <a href="https://github.com/jackc/pgx/compare/v5.9.2...v5.10.0">compare view</a></li>
</ul>
</details>
<br />
Updates `github.com/mattn/go-sqlite3` from 1.14.45 to 1.14.47
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/mattn/go-sqlite3/commit/693de1267690b83d1efe52e27dd30f8945dc52ac"><code>693de12</code></a> Merge pull request <a href="https://redirect.github.com/mattn/go-sqlite3/issues/1408">#1408</a> from dxbjavid/getfilename-cstring-leak</li>
<li><a href="https://github.com/mattn/go-sqlite3/commit/837b4f2860f1b8508e5c115b9608d3b854f1f9be"><code>837b4f2</code></a> Merge pull request <a href="https://redirect.github.com/mattn/go-sqlite3/issues/1413">#1413</a> from mattn/cache-stmt-column-metadata</li>
<li><a href="https://github.com/mattn/go-sqlite3/commit/e99486c6b58d5d609726a60b9759204573e0b45e"><code>e99486c</code></a> cache column metadata for prepared and cached statements</li>
<li><a href="https://github.com/mattn/go-sqlite3/commit/eb06f26148e99a1890e46756a2cff13db2e40806"><code>eb06f26</code></a> Merge pull request <a href="https://redirect.github.com/mattn/go-sqlite3/issues/1412">#1412</a> from mattn/codex-5sxu1n</li>
<li><a href="https://github.com/mattn/go-sqlite3/commit/423f9605f33804999963ece923d2398333a0dc7f"><code>423f960</code></a> Make callback handle lookups lock-free</li>
<li><a href="https://github.com/mattn/go-sqlite3/commit/a3cd5cd6fd2104b9b61d2b95f0a8653d63a1c24c"><code>a3cd5cd</code></a> free leaked schema string in GetFilename</li>
<li><a href="https://github.com/mattn/go-sqlite3/commit/379319c0d851cd45f9671590d56d3125d87a7e99"><code>379319c</code></a> Merge pull request <a href="https://redirect.github.com/mattn/go-sqlite3/issues/1407">#1407</a> from mattn/blob-arg-call-order</li>
<li><a href="https://github.com/mattn/go-sqlite3/commit/c3e96cd5bb00c5559cba98079fdf6cec861763ca"><code>c3e96cd</code></a> call sqlite3_value_blob before sqlite3_value_bytes in callbackArgString</li>
<li><a href="https://github.com/mattn/go-sqlite3/commit/518ffdba0a56062ab17108900d19fe71feefb581"><code>518ffdb</code></a> Merge pull request <a href="https://redirect.github.com/mattn/go-sqlite3/issues/1406">#1406</a> from dxbjavid/function-text-embedded-nul</li>
<li><a href="https://github.com/mattn/go-sqlite3/commit/b1e8d68f31c23fd5a7a1f08457bb81818db0d943"><code>b1e8d68</code></a> read text value before its byte length to match documented order</li>
<li>Additional commits viewable in <a href="https://github.com/mattn/go-sqlite3/compare/v1.14.45...v1.14.47">compare view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions
</details>