
fix(deps): Update module github.com/jackc/pgx/v5 to v5.9.2 [SECURITY]#22684

Merged
kodiakhq[bot] merged 2 commits into main from renovate/go-github.com-jackc-pgx-v5-vulnerability
Apr 23, 2026

@cloudquery-ci cloudquery-ci Bot commented Apr 23, 2026

This PR contains the following updates:

| Package | Change |
| --- | --- |
| github.com/jackc/pgx/v5 | v5.9.1 → v5.9.2 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

GHSA-j88v-2chj-qfwx

Impact

SQL Injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That string literal contains text that would be interpreted as a placeholder outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

```go
attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)
```

This is unlikely to occur outside of a contrived scenario.

Patches

The problem is resolved in v5.9.2.

Workarounds

Do not use the simple protocol to execute queries matching all the above conditions.


Release Notes

jackc/pgx (github.com/jackc/pgx/v5)

v5.9.2



Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@cloudquery-ci cloudquery-ci Bot added automerge Automatically merge once required checks pass security labels Apr 23, 2026

cloudquery-ci Bot commented Apr 23, 2026

/gen sha=e7bebeeaa152ee5df8eb77da9eaacf619ea0d943 dir=plugins/destination/postgresql

@kodiakhq kodiakhq Bot merged commit 41577df into main Apr 23, 2026
9 checks passed
@kodiakhq kodiakhq Bot deleted the renovate/go-github.com-jackc-pgx-v5-vulnerability branch April 23, 2026 00:43
kodiakhq Bot pushed a commit that referenced this pull request Apr 23, 2026
🤖 I have created a release *beep* *boop*
---


## [8.14.8](plugins-destination-postgresql-v8.14.7...plugins-destination-postgresql-v8.14.8) (2026-04-23)


### Bug Fixes

* **deps:** Update module github.com/jackc/pgx/v5 to v5.9.2 [SECURITY] ([#22684](#22684)) ([41577df](41577df))
* **deps:** Update module google.golang.org/api to v0.275.0 ([#22590](#22590)) ([0e4cedc](0e4cedc))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Labels

area/plugin/destination/postgresql automerge Automatically merge once required checks pass security
