Skip to content

chore(deps): bump github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0 in /apps/backend in the go-database group across 1 directory#195

Open
dependabot[bot] wants to merge 1 commit into
developmentfrom
dependabot/go_modules/apps/backend/development/go-database-e4a4a50fef
Open

chore(deps): bump github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0 in /apps/backend in the go-database group across 1 directory#195
dependabot[bot] wants to merge 1 commit into
developmentfrom
dependabot/go_modules/apps/backend/development/go-database-e4a4a50fef

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 7, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps the go-database group with 1 update in the /apps/backend directory: github.com/jackc/pgx/v5.

Updates github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.10.0 (June 3, 2026)

This release includes a significant amount of hardening against malicious or compromised PostgreSQL servers, contributed by Sean Chittenden at CrowdStrike, Inc. This work bounds binary decoders against attacker-controlled message sizes, caps server-supplied SCRAM iteration counts, adds require_auth to restrict which authentication methods a server may use (mitigating downgrade attacks under sslmode=prefer), and ensures cancellation requests are sent over TLS when the original connection used TLS.

Features

  • Add require_auth to restrict accepted server authentication methods (Sean Chittenden at CrowdStrike, Inc.)
  • Add ParseConfigOptions.ConnStringAllowedKeys to restrict allowed connection string keys (Sean Chittenden at CrowdStrike, Inc.)
  • Add StructArgs and StrictStructArgs for @-named queries (Tubelight30)
  • Add ErrConnClosed sentinel error and unwrap it from connLockError (Charlie Tonneslan)
  • pgxpool: check if connection is expired before acquire (arthurdotwork)

Security Hardening

  • Encrypt CancelRequest connection when the primary connection used TLS (Sean Chittenden at CrowdStrike, Inc.)
  • Cap server-supplied SCRAM iteration count (Sean Chittenden at CrowdStrike, Inc.)
  • Default Frontend max message body length to ~1 GiB (Sean Chittenden at CrowdStrike, Inc.)
  • Bound hstore binary decode against malicious server input (Sean Chittenden at CrowdStrike, Inc.)
  • Bound array binary decode element length against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.)
  • Bound array element count against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.)
  • Bound range, multirange, and tsvector binary decoders (Sean Chittenden at CrowdStrike, Inc.)
  • Document secure connection configuration (Sean Chittenden at CrowdStrike, Inc.)
  • Fix panic on malformed geometric text; return an error instead (MaIII)

Fixes

  • Fix scanning "char" (OID 18) into *string in binary format (luongs3)
  • Fix handling of typed-nil driver.Valuer in array and composite codecs (Donncha Fahy)
  • Fix CopyData.Data hex decoding in UnmarshalJSON (Charlie Tonneslan)
  • Fix data race when context is cancelled during connect
  • Fix parseKeywordValueSettings rejecting trailing whitespace (alliasgher)
  • pgconn: preserve full error chain in normalizeTimeoutError (Charlie Tonneslan)
  • pgconn: use a fresh context for the fallback connection in connectPreferred (Charlie Tonneslan)
  • pgxpool: fix MaxLifetimeDestroyCount and ping order for acquire-time expiry check
  • Add missing error check of rows.Err to load types (Jen Altavilla)
Commits
  • 7293fb1 Update changelog for v5.10.0
  • 1ade285 pgconn: document secure connection configuration
  • b4d6d4d pgtype: bound range, multirange, and tsvector binary decoders
  • 0639b37 pgconn: add ParseConfigOptions.ConnStringAllowedKeys
  • b28e65b pgtype: bound array element count against remaining message bytes
  • cd1f389 pgtype: bound array binary decode element length against remaining bytes
  • ff27b5b pgtype: bound hstore binary decode against malicious server input
  • a6002e1 pgproto3: default Frontend max message body length to ~1 GiB
  • 44f6173 pgconn: cap server-supplied SCRAM iteration count
  • 1a976f7 pgconn: add require_auth to restrict accepted server auth methods
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jun 7, 2026
@dependabot dependabot Bot changed the title chore(deps): bump github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0 in /apps/backend in the go-database group chore(deps): bump github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0 in /apps/backend in the go-database group across 1 directory Jun 8, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/apps/backend/development/go-database-e4a4a50fef branch from 04ce9b3 to 51bb820 Compare June 8, 2026 02:09
@dependabot
chore(deps): bump github.com/jackc/pgx/v5
699eb49 
Bumps the go-database group with 1 update in the /apps/backend directory: [github.com/jackc/pgx/v5](https://github.com/jackc/pgx).


Updates `github.com/jackc/pgx/v5` from 5.9.2 to 5.10.0
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](jackc/pgx@v5.9.2...v5.10.0)

---
updated-dependencies:
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-database
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/apps/backend/development/go-database-e4a4a50fef branch from 51bb820 to 699eb49 Compare June 8, 2026 02:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants