Bump github.com/jackc/pgx/v5 to v5.9.2 (CVE-2026-41889)#4991
Open
kaidaguerre wants to merge 1 commit into
Open
Bump github.com/jackc/pgx/v5 to v5.9.2 (CVE-2026-41889)#4991kaidaguerre wants to merge 1 commit into
kaidaguerre wants to merge 1 commit into
Conversation
Raise the direct dependency github.com/jackc/pgx/v5 from v5.7.6 to v5.9.2 to remediate CVE-2026-41889, plus go mod tidy. Dependency-only: no Go toolchain bump (go.mod already declares go 1.26.0 and CI Go pins are 1.26.x) and no behavioral code changes (pgx v5.7.6 -> v5.9.2 behavioral analysis found 0 affected sites in steampipe). go mod tidy also raised github.com/stretchr/testify v1.10.0 -> v1.11.1, which is required by pgx v5.9.2's own go.mod. go build ./... and go test ./... pass. Fixes #4989
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Raise the direct dependency
github.com/jackc/pgx/v5from v5.7.6 to v5.9.2 to remediate CVE-2026-41889, plusgo mod tidy.This is a dependency-only change:
go.modalready declaresgo 1.26.0and all CI Go pins are already 1.26.x.sql.Scanner, the singleerrors.Is(err, pgx.ErrNoRows)site is additive-safe, all conn-string builders supply an explicit non-empty user, andgolang.org/x/cryptois// indirectonly).go mod tidyalso raisedgithub.com/stretchr/testifyv1.10.0 → v1.11.1. This is required by pgx v5.9.2's owngo.mod(pgx v5.9.2 requires testify v1.11.1, vs v1.10.0 for v5.7.6); steampipe directly requires testify, so the minimum is re-resolved upward. Expected, pgx-driven transitive churn.Verification
go build ./...— cleango test ./...— pass (21 packages with tests pass, 0 fail, 21 with no test files)golangci-lint run --timeout=10m) iscontinue-on-error: true/ advisory in the workflow; not run locally because the locally-installed golangci-lint (built with go1.24) cannot load a go1.26 module. The change adds no new code, so lint risk is nil.Fixes #4989