SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer
overflow in the calculated message size can cause the one large message to be sent as multiple messages under the
attacker's control.
Thanks to Paul Gerste for reporting this issue.
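As an added illustration of the overflow class described in the entry above (this is my own example, not code from pgx or pgproto3): every PostgreSQL frontend message carries a one-byte type followed by a 4-byte big-endian length that counts the length field itself plus the body. If that length is produced by narrowing a larger sum into an int32, a body longer than 4 GiB wraps and the header declares a small length, so the receiver treats the bytes beyond the declared length as the following messages. The function names (frameLenUnchecked, frameLenChecked, EncodeQuery, DecodeHeader) and the 1 GiB cap constant are assumptions; the cap only mirrors the "~1GB" wording in the changelog, not pgx's actual constant.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical cap on a message body, mirroring the "~1GB" limit named in the
// changelog; the exact value pgx uses is not taken from this page.
const maxMessageBodyLen int64 = 1 << 30

var ErrMessageTooLarge = errors.New("protocol message body exceeds 32-bit length field")

// frameLenUnchecked reproduces the vulnerable arithmetic: the length field is
// derived by narrowing a 64-bit sum to int32, so a body of 4 GiB + 5 bytes
// yields a header that claims only 9 bytes.
func frameLenUnchecked(bodyLen int64) int32 {
	return int32(4 + bodyLen) // narrowing conversion silently wraps
}

// frameLenChecked is the hardened form: the body is bounded before the 32-bit
// length is computed, so the header can never disagree with the payload.
func frameLenChecked(bodyLen int64) (int32, error) {
	if bodyLen < 0 || bodyLen > maxMessageBodyLen {
		return 0, ErrMessageTooLarge
	}
	return int32(4 + bodyLen), nil
}

// EncodeQuery frames a simple-protocol Query message: type byte 'Q', the int32
// length (length field + SQL text + NUL terminator), then the NUL-terminated text.
func EncodeQuery(sql string) ([]byte, error) {
	bodyLen := int64(len(sql)) + 1 // +1 for the NUL terminator
	l, err := frameLenChecked(bodyLen)
	if err != nil {
		return nil, err
	}
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], uint32(l))
	buf := make([]byte, 0, 1+int(l))
	buf = append(buf, 'Q')
	buf = append(buf, hdr[:]...)
	buf = append(buf, sql...)
	buf = append(buf, 0)
	return buf, nil
}

// DecodeHeader reads the type byte and declared length the way a backend would,
// so a caller can confirm the header agrees with the frame it actually sent.
func DecodeHeader(frame []byte) (byte, int32, error) {
	if len(frame) < 5 {
		return 0, 0, errors.New("frame shorter than the 5-byte header")
	}
	return frame[0], int32(binary.BigEndian.Uint32(frame[1:5])), nil
}

func main() {
	huge := int64(1)<<32 + 5 // a body just over 4 GiB (a length only; nothing is allocated)
	fmt.Printf("unchecked length for %d-byte body: %d\n", huge, frameLenUnchecked(huge))
	if _, err := frameLenChecked(huge); err != nil {
		fmt.Println("checked:", err)
	}
	frame, _ := EncodeQuery("SELECT 1")
	typ, l, _ := DecodeHeader(frame)
	fmt.Printf("type=%c declared=%d actual=%d\n", typ, l, len(frame)-1)
}
```

The defensive point is where the bound sits: the check runs on the 64-bit body length before any narrowing, which is the same ordering the "Check for overflow on uint16 sizes" and "Do not allow protocol messages larger than ~1GB" commits in this PR apply to the real encoder.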
Fix behavior of CollectRows to return empty slice if Rows are empty (Felix)
Fix simple protocol encoding of json.RawMessage
Fix *Pipeline.getResults should close pipeline on error
Fix panic in TryFindUnderlyingTypeScanPlan (David Kurman)
Fix deallocation of invalidated cached statements in a transaction
Handle invalid sslkey file
Fix scan float4 into sql.Scanner
Fix pgtype.Bits not making copy of data from read buffer. This would cause the data to be corrupted by future reads.
5.5.3 (February 3, 2024)
Fix: prepared statement already exists
Improve CopyFrom auto-conversion of text-ish values
Add ltree type support (Florent Viel)
Make some properties of Batch and QueuedQuery public (Pavlo Golub)
Add AppendRows function (Edoardo Spadolini)
Optimize convert UUID [16]byte to string (Kirill Malikov)
Fix: LargeObject Read and Write of more than ~1GB at a time (Mitar)
5.5.2 (January 13, 2024)
Allow NamedArgs to start with underscore
pgproto3: Maximum message body length support (jeremy.spriet)
Upgrade golang.org/x/crypto to v0.17.0
Add snake_case support to RowToStructByName (Tikhon Fedulov)
Fix: update description cache after exec prepare (James Hartig)
Fix: pipeline checks if it is closed (James Hartig and Ryan Fowler)
Add OnPgError for easier centralized error handling (James Hartig)
5.5.1 (December 9, 2023)
Add CopyFromFunc helper function. (robford)
Add PgConn.Deallocate method that uses PostgreSQL protocol Close message.
pgx uses new PgConn.Deallocate method. This allows deallocating statements to work in a failed transaction. This fixes a case where the prepared statement map could become invalid.
Fix: Prefer driver.Valuer over json.Marshaler for json fields. (Jacopo)
Fix: simple protocol SQL sanitizer previously panicked if an invalid $0 placeholder was used. This now returns an error instead. (maksymnevajdev)
This release contains several improvements including performance, API additions,
and two new experimental packages whose APIs are unstable and may change in the
future.
Enhancements:
#1246: Add zap/exp/zapslog package for integration with slog.
#1273: Add Name to Logger which returns the Logger's name if one is set.
#1281: Add zap/exp/expfield package which contains helper methods
Str and Strs for constructing String-like zap.Fields.
Whoops, we don't want noCopy's Lock method to be public. Harmless, as noCopy only exists to hint go vet, but not appropriate.
v1.8.8
My sincerest apologies for the 3 year delay. The last few years have been an extraordinarily challenging time for me personally and professionally. I've been experimenting nonstop to better understand what I need from my life and precisely how to attain it.
I moved across Canada from Ontario to British Columbia, taught myself photography, started working a new job at @terrastruct where I designed and wrote https://github.com/terrastruct/d2, taught myself to cook, taught myself to exercise, bought a house on a 20 acre property in the Canadian Rockies, became a volunteer firefighter and now I'm working on becoming a paramedic and search and rescue volunteer. My house burnt up in a chimney fire just 1 year after moving in. My vehicle was taken by the fire too...
It's been up and down and round and round these last few years.
Anyway, I am now thankfully working on websocket full time for the foreseeable future. See #402. I'm working on v1.9.0 next. After which I need to finish some inventory work for my house fire insurance claim. Following that I'll be back full time until v2.0.0 is released :)
Thank you to everyone who contributed by reporting issues and opening pull requests.
note: If anyone is good with amd64 and arm64 assembly please give me a hand with reviewing #326.
I'm trying to confirm that it's correctly implemented in the most efficient way possible and that there is no unnecessary code.
Changelog
This release packs a ton of fixes and improvements. Please upgrade as soon as you can.
Breaking changes are prefixed with BREAKING.
API additions are prefixed with API.
d7a55cf Ensure no goroutines leak after Close #330
25a5ca4 netconn.go: Fix panic on zero or negative deadline durations
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Bumps the gomod group with 5 updates:
- github.com/golang-migrate/migrate/v4 from 4.16.2 to 4.17.1
- github.com/jackc/pgx/v5 from 5.4.2 to 5.5.4
- github.com/rs/cors from 1.9.0 to 1.11.0
- go.uber.org/zap from 1.24.0 to 1.27.0
- nhooyr.io/websocket from 1.8.7 to 1.8.11
Updates github.com/golang-migrate/migrate/v4 from 4.16.2 to 4.17.1
Release notes
Sourced from github.com/golang-migrate/migrate/v4's releases.
... (truncated)
Commits
0c456c4 Merge pull request #1068 from goodfirm/master
f100226 Update dktest from v0.4.0 to v0.4.1 to fix docker vulnerability
c523775 Merge pull request #1055 from golang-migrate/dependabot/go_modules/github.com...
a78d1ab Bump github.com/jackc/pgx/v5 from 5.3.1 to 5.5.4
837776f Merge pull request #1054 from golang-migrate/dependabot/go_modules/google.gol...
128b650 Merge pull request #1050 from golang-migrate/dependabot/go_modules/github.com...
2e0872f Bump google.golang.org/protobuf from 1.31.0 to 1.33.0
d1df97b Bump github.com/jackc/pgx/v4 from 4.18.1 to 4.18.2
1a002d0 Set golangci-lint to 1.54.2 (latest is broken) (#1046)
2c5df87 Merge pull request #1072 from dhui/dktesting-cleanup
Updates github.com/jackc/pgx/v5 from 5.4.2 to 5.5.4
Changelog
Sourced from github.com/jackc/pgx/v5's changelog.
... (truncated)
Commits
da6f2c9 Update changelog
c543134 SQL sanitizer wraps arguments in parentheses
20344df Check for overflow on uint16 sizes in pgproto3
adbb38f Do not allow protocol messages larger than ~1GB
c1b0a01 Fix behavior of CollectRows to return empty slice if Rows are empty
88dfc22 Fix simple protocol encoding of json.RawMessage
2e84dcc *Pipeline.getResults should close pipeline on error
d149d3f Fix panic in TryFindUnderlyingTypeScanPlan
046f497 deallocateInvalidatedCachedStatements now runs in transactions
8896bd6 Handle invalid sslkey file
Updates github.com/rs/cors from 1.9.0 to 1.11.0
Commits
4c32059 Normalize allowed request headers and store them in a sorted set (fixes #170)...
8d33ca4 Complete documentation; deprecate AllowOriginRequestFunc in favour of AllowOr...
af821ae Merge branch 'jub0bs-master'
0bcf73f Update benchmark
eacc8e8 Fix skewed middleware benchmarks (#165)
9297f15 Respect the documented precedence of options (#163)
73f81b4 Fix readme benchmark rendering (#161)
e19471c Prevent empty Access-Control-Expose-Headers header (#160)
20a76bd Update benchmark
46855ae Remove travis build report from README
Updates go.uber.org/zap from 1.24.0 to 1.27.0
Release notes
Sourced from go.uber.org/zap's releases.
Changelog
Sourced from go.uber.org/zap's changelog.
Commits
fcf8ee5 Release v1.27.0 (#1419)
e5a56ee Add WithPanicHook logger option for panic log tests (#1416)
0e2aa4e assets: Fix logo color profile (#1418)
956a21c Add methods for logging with level as argument (#1406)
2a893f6 build(deps): bump golangci/golangci-lint-action from 3 to 4 (#1417)
e5745d6 ci: Test with Go 1.22 (#1409)
7db06bc zapslog: rename Option to HandlerOption (#1411)
35ded09 zapslog: fix all with slogtest, support inline group, ignore empty group. (#1...
27b96e3 Make zaptest.NewTestingWriter public (#1399)
70f61bb zapslog: Bump zap from v1.24.0 to v1.26.0 (#1404)
Updates nhooyr.io/websocket from 1.8.7 to 1.8.11
Release notes
Sourced from nhooyr.io/websocket's releases.
... (truncated)
Commits
bd07a64 Merge branch 'dev'
e87d61a Misc fixes for release
43abf8e README.md: Revert assembly change for now
b0ec201 Merge pull request #427 from alixander/fix-race
250db1e read: Fix CloseRead to have its own done channel
211ef4b ws_js_test: Fix
c97fb09 mask_asm: Disable for now until v1.9.0
0edbb28 netconn: fmt
856e371 ws_js: Update to match new close code
db18a31 close.go: Rewrite how the library handles closing