
build(deps): bump github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2#227

Merged
olavloite merged 2 commits into main from dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2 on Jun 11, 2026

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 23, 2026

Contributor

Bumps github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2.

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.9.2 (April 18, 2026)

Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx)

SQL injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That query contains text that would be interpreted as a placeholder if it appeared outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

```go
// Attacker-controlled value: it closes the $tag$ literal and appends a statement.
attackValue := `$tag$; drop table canary; --`
// Simple protocol interpolates arguments textually; the $1 inside $tag$ ... $tag$ was wrongly treated as a placeholder.
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)
```

This is unlikely to occur outside of a contrived scenario.

Commits
  • 0aeabbc Release v5.9.2
  • 60644f8 Fix SQL sanitizer bugs with dollar-quoted strings and placeholder overflow
  • a5680bc Merge pull request #2531 from dolmen-go/godoc-add-links
  • e34e452 doc: Add godoc links
  • 08c9bb1 Fix Stringer types encoded as text instead of numeric value in composite fields
  • 96b4dbd Remove unstable test
  • acf88e0 Merge pull request #2526 from abrightwell/abrightwell-min-proto
  • 2f81f1f Update max_protocol_version and min_protocol_version defaults
  • See full diff in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
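A defender's pre-merge check for the changelog conditions quoted above, added here as an example that is not part of pgx or of this PR: it scans a query's text for `$N` placeholders that fall inside a dollar-quoted literal (conditions 2 and 3), the mixture that the 5.9.2 sanitizer fix addresses and that a code base using `QueryExecModeSimpleProtocol` should not ship. The function name and the lint itself are assumptions and do not model pgx's own sanitizer algorithm.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// dollarQuoteOpen matches the opening delimiter of a dollar-quoted literal at the
// start of the input: $$ or $tag$ (tag: letter/underscore, then letters, digits, underscores).
var dollarQuoteOpen = regexp.MustCompile(`^\$([A-Za-z_][A-Za-z0-9_]*)?\$`)

// placeholder matches a positional pgx placeholder such as $1 or $12.
var placeholder = regexp.MustCompile(`\$[0-9]+`)

// PlaceholdersInsideDollarQuotes returns every $N token that sits inside a
// dollar-quoted string literal in sql. Single-quoted literals are skipped so a
// '$tag$' inside them does not open a dollar quote; SQL comments are not handled
// (simplification). A non-empty result means conditions 2 and 3 of the advisory hold.
func PlaceholdersInsideDollarQuotes(sql string) []string {
	var found []string
	for i := 0; i < len(sql); {
		rest := sql[i:]
		switch {
		case rest[0] == '\'':
			// Skip a standard string literal; '' inside it is an escaped quote.
			j := 1
			for j < len(rest) && !(rest[j] == '\'' && (j+1 >= len(rest) || rest[j+1] != '\'')) {
				if rest[j] == '\'' {
					j++ // first half of an escaped ''
				}
				j++
			}
			i += j + 1
		case dollarQuoteOpen.MatchString(rest):
			open := dollarQuoteOpen.FindString(rest)
			body := rest[len(open):]
			end := strings.Index(body, open) // the closing delimiter equals the opening one
			if end < 0 {
				end = len(body) // unterminated literal: treat the remainder as its body
			}
			found = append(found, placeholder.FindAllString(body[:end], -1)...)
			i += len(open) + end + len(open)
		default:
			i++
		}
	}
	return found
}

func main() {
	// The query from the advisory (argument omitted): the $1 between $tag$ delimiters is the problem.
	fmt.Println(PlaceholdersInsideDollarQuotes("select $tag$ $1 $tag$, $1")) // [$1]
	fmt.Println(PlaceholdersInsideDollarQuotes("select $1, $2"))            // []
}
```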

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Apr 23, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 23, 2026 00:46
@trusted-contributions-gcf trusted-contributions-gcf Bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Apr 23, 2026
olavloite pushed a commit that referenced this pull request Jun 10, 2026

@olavloite olavloite left a comment

Collaborator

Approved by AI Dependency Reviewer bot.

@olavloite

Collaborator

@dependabot recreate

@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2 branch from b0e12ad to 2b5bba0 Compare June 10, 2026 15:48
olavloite added a commit that referenced this pull request Jun 10, 2026

@olavloite olavloite left a comment

Collaborator

Approved by AI Dependency Reviewer bot.

@olavloite

Collaborator

@dependabot recreate

Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.9.1 to 5.9.2.
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](jackc/pgx@v5.9.1...v5.9.2)

---
updated-dependencies:
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.9.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2 branch from 32a5397 to 445a4e1 Compare June 11, 2026 07:17

@olavloite olavloite left a comment

Collaborator

Approved by AI Dependency Reviewer bot.

@olavloite olavloite merged commit 99a4446 into main Jun 11, 2026
22 checks passed
@olavloite olavloite deleted the dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2 branch June 11, 2026 11:10