Skip to content

Bump the gomod group with 2 updates#367

Merged
erikdubbelboer merged 1 commit into
mainfrom
dependabot/go_modules/gomod-d6ba094ac9
Jun 15, 2026
Merged

Bump the gomod group with 2 updates#367
erikdubbelboer merged 1 commit into
mainfrom
dependabot/go_modules/gomod-d6ba094ac9

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor

Bumps the gomod group with 2 updates: github.com/jackc/pgx/v5 and golang.org/x/crypto.

Updates github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.10.0 (June 3, 2026)

This release includes a significant amount of hardening against malicious or compromised PostgreSQL servers, contributed by Sean Chittenden at CrowdStrike, Inc. This work bounds binary decoders against attacker-controlled message sizes, caps server-supplied SCRAM iteration counts, adds require_auth to restrict which authentication methods a server may use (mitigating downgrade attacks under sslmode=prefer), and ensures cancellation requests are sent over TLS when the original connection used TLS.

Features

  • Add require_auth to restrict accepted server authentication methods (Sean Chittenden at CrowdStrike, Inc.)
  • Add ParseConfigOptions.ConnStringAllowedKeys to restrict allowed connection string keys (Sean Chittenden at CrowdStrike, Inc.)
  • Add StructArgs and StrictStructArgs for @-named queries (Tubelight30)
  • Add ErrConnClosed sentinel error and unwrap it from connLockError (Charlie Tonneslan)
  • pgxpool: check if connection is expired before acquire (arthurdotwork)

Security Hardening

  • Encrypt CancelRequest connection when the primary connection used TLS (Sean Chittenden at CrowdStrike, Inc.)
  • Cap server-supplied SCRAM iteration count (Sean Chittenden at CrowdStrike, Inc.)
  • Default Frontend max message body length to ~1 GiB (Sean Chittenden at CrowdStrike, Inc.)
  • Bound hstore binary decode against malicious server input (Sean Chittenden at CrowdStrike, Inc.)
  • Bound array binary decode element length against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.)
  • Bound array element count against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.)
  • Bound range, multirange, and tsvector binary decoders (Sean Chittenden at CrowdStrike, Inc.)
  • Document secure connection configuration (Sean Chittenden at CrowdStrike, Inc.)
  • Fix panic on malformed geometric text; return an error instead (MaIII)

Fixes

  • Fix scanning "char" (OID 18) into *string in binary format (luongs3)
  • Fix handling of typed-nil driver.Valuer in array and composite codecs (Donncha Fahy)
  • Fix CopyData.Data hex decoding in UnmarshalJSON (Charlie Tonneslan)
  • Fix data race when context is cancelled during connect
  • Fix parseKeywordValueSettings rejecting trailing whitespace (alliasgher)
  • pgconn: preserve full error chain in normalizeTimeoutError (Charlie Tonneslan)
  • pgconn: use a fresh context for the fallback connection in connectPreferred (Charlie Tonneslan)
  • pgxpool: fix MaxLifetimeDestroyCount and ping order for acquire-time expiry check
  • Add missing error check of rows.Err to load types (Jen Altavilla)
Commits
  • 7293fb1 Update changelog for v5.10.0
  • 1ade285 pgconn: document secure connection configuration
  • b4d6d4d pgtype: bound range, multirange, and tsvector binary decoders
  • 0639b37 pgconn: add ParseConfigOptions.ConnStringAllowedKeys
  • b28e65b pgtype: bound array element count against remaining message bytes
  • cd1f389 pgtype: bound array binary decode element length against remaining bytes
  • ff27b5b pgtype: bound hstore binary decode against malicious server input
  • a6002e1 pgproto3: default Frontend max message body length to ~1 GiB
  • 44f6173 pgconn: cap server-supplied SCRAM iteration count
  • 1a976f7 pgconn: add require_auth to restrict accepted server auth methods
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.52.0 to 0.53.0

Commits
  • 45460e0 go.mod: update golang.org/x dependencies
  • d37c95e pkcs12: limit PBKDF iteration count to prevent CPU exhaustion
  • e2ffffe ssh: reject incomplete gssapi-with-mic configurations
  • 60e158a ssh/test: isolate CLI tests from user SSH config and agent
  • 1b77d23 ssh/knownhosts: reject lines with multiple or unknown markers
  • 3872a2b ssh/knownhosts: verify declared key type matches decoded key
  • 9f72ecc ssh/knownhosts: treat only ASCII space and tab as whitespace
  • 8f405a4 ssh: validate ECDSA curve matches expected algorithm
  • bb41b3d ssh: improve DH GEX group selection using PreferredBits
  • e04e721 ssh/agent: validate ed25519 private key length in Add
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the gomod group with 2 updates
fe36f41 
Bumps the gomod group with 2 updates: [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) and [golang.org/x/crypto](https://github.com/golang/crypto).


Updates `github.com/jackc/pgx/v5` from 5.9.2 to 5.10.0
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](jackc/pgx@v5.9.2...v5.10.0)

Updates `golang.org/x/crypto` from 0.52.0 to 0.53.0
- [Commits](golang/crypto@v0.52.0...v0.53.0)

---
updated-dependencies:
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/crypto
  dependency-version: 0.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 15, 2026
@erikdubbelboer erikdubbelboer merged commit 0abf20f into main Jun 15, 2026
5 checks passed
@erikdubbelboer erikdubbelboer deleted the dependabot/go_modules/gomod-d6ba094ac9 branch June 15, 2026 02:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@erikdubbelboer erikdubbelboer erikdubbelboer approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@erikdubbelboer