SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer
overflow in the calculated message size can cause the one large message to be sent as multiple messages under the
attacker's control.
Thanks to Paul Gerste for reporting this issue.
Fix behavior of CollectRows to return empty slice if Rows are empty (Felix)
Fix simple protocol encoding of json.RawMessage
Fix *Pipeline.getResults should close pipeline on error
Fix panic in TryFindUnderlyingTypeScanPlan (David Kurman)
Fix deallocation of invalidated cached statements in a transaction
Handle invalid sslkey file
Fix scan float4 into sql.Scanner
Fix pgtype.Bits not making copy of data from read buffer. This would cause the data to be corrupted by future reads.
5.5.3 (February 3, 2024)
Fix: prepared statement already exists
Improve CopyFrom auto-conversion of text-ish values
Add ltree type support (Florent Viel)
Make some properties of Batch and QueuedQuery public (Pavlo Golub)
Add AppendRows function (Edoardo Spadolini)
Optimize convert UUID [16]byte to string (Kirill Malikov)
Fix: LargeObject Read and Write of more than ~1GB at a time (Mitar)
5.5.2 (January 13, 2024)
Allow NamedArgs to start with underscore
pgproto3: Maximum message body length support (jeremy.spriet)
Upgrade golang.org/x/crypto to v0.17.0
Add snake_case support to RowToStructByName (Tikhon Fedulov)
Fix: update description cache after exec prepare (James Hartig)
Fix: pipeline checks if it is closed (James Hartig and Ryan Fowler)
Add OnPgError for easier centralized error handling (James Hartig)
5.5.1 (December 9, 2023)
Add CopyFromFunc helper function. (robford)
Add PgConn.Deallocate method that uses PostgreSQL protocol Close message.
pgx uses new PgConn.Deallocate method. This allows deallocating statements to work in a failed transaction. This fixes a case where the prepared statement map could become invalid.
Fix: Prefer driver.Valuer over json.Marshaler for json fields. (Jacopo)
Fix: simple protocol SQL sanitizer previously panicked if an invalid $0 placeholder was used. This now returns an error instead. (maksymnevajdev)
This release contains several improvements including performance, API additions,
and two new experimental packages whose APIs are unstable and may change in the
future.
Enhancements:
#1246[]: Add zap/exp/zapslog package for integration with slog.
#1273[]: Add Name to Logger which returns the Logger's name if one is set.
#1281[]: Add zap/exp/expfield package which contains helper methods
Str and Strs for constructing String-like zap.Fields.
This release contains several improvements including performance, API additions,
and two new experimental packages whose APIs are unstable and may change in the
future.
Enhancements:
#1246[]: Add zap/exp/zapslog package for integration with slog.
#1273[]: Add Name to Logger which returns the Logger's name if one is set.
#1281[]: Add zap/exp/expfield package which contains helper methods
Str and Strs for constructing String-like zap.Fields.
Whoops, we don't want noCopy's Lock method to be public. Harmless as noCopy only exists to hint go vet but not appropriate.
v1.8.8
My sincerest apologies for the 3 year delay. The last few years have been an extraordinarily challenging time for me personally and professionally. I've been experimenting nonstop to better understand what I need from my life and precisely how to attain it.
I moved across Canada from Ontario to British Columbia, taught myself photography, started working a new job at @terrastruct where I designed and wrote https://github.com/terrastruct/d2, taught myself to cook, taught myself to exercise, bought a house on a 20 acre property in the Canadian rockies, became a volunteer firefighter and now I'm working on becoming a paramedic and search and rescue volunteer. My house burnt up in a chimney fire just 1 year after moving in. My vehicle was taken by the fire too...
It's been up and down and round and round these last few years.
Anyway, I am now thankfully working on websocket full time for the foreseeable future. See #402. I'm working on v1.9.0 next. After which I need to finish some inventory work for my house fire insurance claim. Following that I'll be back full time until v2.0.0 is released :)
Thank you to everyone who contributed by reporting issues and opening pull requests.
note: If anyone is good with amd64 and arm64 assembly please give me a hand with reviewing #326.
I'm trying to confirm that it's correctly implemented in the most efficient way possible and that there is no unnecessary code.
Changelog
This release packs a ton of fixes and improvements. Please upgrade as soon as you can.
Breaking changes are prefixed with BREAKING.
API additions are prefixed with API.
d7a55cf Ensure no goroutines leak after Close #330
25a5ca4 netconn.go: Fix panic on zero or negative deadline durations
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Bumps the gomod group with 5 updates:
4.16.24.17.15.4.25.5.41.9.01.11.01.24.01.27.01.8.71.8.11Updates
github.com/golang-migrate/migrate/v4from 4.16.2 to 4.17.1Release notes
Sourced from github.com/golang-migrate/migrate/v4's releases.
... (truncated)
Commits
0c456c4Merge pull request #1068 from goodfirm/masterf100226Update dktest from v0.4.0 to v0.4.1 to fix docker vulnerabilityc523775Merge pull request #1055 from golang-migrate/dependabot/go_modules/github.com...a78d1abBump github.com/jackc/pgx/v5 from 5.3.1 to 5.5.4837776fMerge pull request #1054 from golang-migrate/dependabot/go_modules/google.gol...128b650Merge pull request #1050 from golang-migrate/dependabot/go_modules/github.com...2e0872fBump google.golang.org/protobuf from 1.31.0 to 1.33.0d1df97bBump github.com/jackc/pgx/v4 from 4.18.1 to 4.18.21a002d0Set golangci-lint to 1.54.2 (latest is broken) (#1046)2c5df87Merge pull request #1072 from dhui/dktesting-cleanupUpdates
github.com/jackc/pgx/v5from 5.4.2 to 5.5.4Changelog
Sourced from github.com/jackc/pgx/v5's changelog.
... (truncated)
Commits
da6f2c9Update changelogc543134SQL sanitizer wraps arguments in parentheses20344dfCheck for overflow on uint16 sizes in pgproto3adbb38fDo not allow protocol messages larger than ~1GBc1b0a01Fix behavior of CollectRows to return empty slice if Rows are empty88dfc22Fix simple protocol encoding of json.RawMessage2e84dcc*Pipeline.getResults should close pipeline on errord149d3fFix panic in TryFindUnderlyingTypeScanPlan046f497deallocateInvalidatedCachedStatements now runs in transactions8896bd6Handle invalid sslkey fileUpdates
github.com/rs/corsfrom 1.9.0 to 1.11.0Commits
4c32059Normalize allowed request headers and store them in a sorted set (fixes #170)...8d33ca4Complete documentation; deprecate AllowOriginRequestFunc in favour of AllowOr...af821aeMerge branch 'jub0bs-master'0bcf73fUpdate benchmarkeacc8e8Fix skewed middleware benchmarks (#165)9297f15Respect the documented precedence of options (#163)73f81b4Fix readme benchmark rendering (#161)e19471cPrevent empty Access-Control-Expose-Headers header (#160)20a76bdUpdate benchmark46855aeRemove travis build report from READMEUpdates
go.uber.org/zapfrom 1.24.0 to 1.27.0Release notes
Sourced from go.uber.org/zap's releases.
Changelog
Sourced from go.uber.org/zap's changelog.
Commits
fcf8ee5Release v1.27.0 (#1419)e5a56eeAdd WithPanicHook logger option for panic log tests (#1416)0e2aa4eassets: Fix logo color profile (#1418)956a21cAdd methods for logging with level as argument (#1406)2a893f6build(deps): bump golangci/golangci-lint-action from 3 to 4 (#1417)e5745d6ci: Test with Go 1.22 (#1409)7db06bczapslog: rename Option to HandlerOption (#1411)35ded09zapslog: fix all with slogtest, support inline group, ignore empty group. (#1...27b96e3Make zaptest.NewTestingWriter public (#1399)70f61bbzapslog: Bump zap from v1.24.0 to v1.26.0 (#1404)Updates
nhooyr.io/websocketfrom 1.8.7 to 1.8.11Release notes
Sourced from nhooyr.io/websocket's releases.
... (truncated)
Commits
bd07a64Merge branch 'dev'e87d61aMisc fixes for release43abf8eREADME.md: Revert assembly change for nowb0ec201Merge pull request #427 from alixander/fix-race250db1eread: Fix CloseRead to have its own done channel211ef4bws_js_test: Fixc97fb09mask_asm: Disable for now until v1.9.00edbb28netconn: fmt856e371ws_js: Update to match new close codedb18a31close.go: Rewrite how the library handles closingDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show