Skip to content

build(deps): bump github.com/jackc/pgx/v5 from 5.9.0 to 5.9.2#1098

Merged
ARolek merged 1 commit into
masterfrom
dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2
Jul 13, 2026
Merged

build(deps): bump github.com/jackc/pgx/v5 from 5.9.0 to 5.9.2#1098
ARolek merged 1 commit into
masterfrom
dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 23, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/jackc/pgx/v5 from 5.9.0 to 5.9.2.

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.9.2 (April 18, 2026)

Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx)

SQL injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That query contains text that would be would be interpreted outside as a placeholder outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

5.9.1 (March 22, 2026)

  • Fix: batch result format corruption when using cached prepared statements (reported by Dirkjan Bussink)
Commits
  • 0aeabbc Release v5.9.2
  • 60644f8 Fix SQL sanitizer bugs with dollar-quoted strings and placeholder overflow
  • a5680bc Merge pull request #2531 from dolmen-go/godoc-add-links
  • e34e452 doc: Add godoc links
  • 08c9bb1 Fix Stringer types encoded as text instead of numeric value in composite fields
  • 96b4dbd Remove unstable test
  • acf88e0 Merge pull request #2526 from abrightwell/abrightwell-min-proto
  • 2f81f1f Update max_protocol_version and min_protocol_version defaults
  • 4e4eaed Release v5.9.1
  • 6273188 Fix batch result format corruption when using cached prepared statements
  • Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Apr 23, 2026
@dependabot dependabot Bot requested review from ARolek and gdey as code owners April 23, 2026 00:43
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Apr 23, 2026
@coveralls

coveralls commented Apr 23, 2026

Copy link
Copy Markdown

Coverage Report for CI Build 198

Coverage remained the same at 40.888%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 16692
Covered Lines: 6825
Line Coverage: 40.89%
Coverage Strength: 216.89 hits per line

💛 - Coveralls

@ARolek

ARolek commented Jul 13, 2026

Copy link
Copy Markdown
Member

@dependabot rebase

Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.9.0 to 5.9.2.
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](jackc/pgx@v5.9.0...v5.9.2)

---
updated-dependencies:
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.9.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2 branch from 1a86e61 to 198dbe2 Compare July 13, 2026 19:14
@ARolek ARolek merged commit 7e8f167 into master Jul 13, 2026
14 of 16 checks passed
@ARolek ARolek deleted the dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2 branch July 13, 2026 20:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants