project-wildfyre / clinical-data-repository-hapi-jpa

1 stars 2 forks source link

Bump postgresql from 42.2.5 to 42.4.1 #16

Open dependabot[bot] opened 2 years ago

dependabot[bot] commented 2 years ago

Bumps postgresql from 42.2.5 to 42.4.1.

Changelog

Sourced from postgresql's changelog.

[42.4.1] (2022-08-01 16:24:20 -0400)

Security

  • fix: CVE-2022-31197 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
    • Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include statement terminator to be parsed and executed as multiple separate commands.
    • Also adds a new test class ResultSetRefreshTest to verify this change.
    • Reported by Sho Kato

Changed

  • chore: skip publishing pgjdbc-osgi-test to Central
  • chore: bump Gradle to 7.5
  • test: update JUnit to 5.8.2

Added

  • chore: added Gradle Wrapper Validation for verifying gradle-wrapper.jar
  • chore: added "permissions: contents: read" for GitHub Actions to avoid unintentional modifications by the CI
  • chore: support building pgjdbc with Java 17
  • feat: synchronize statement executions (e.g. avoid deadlock when Connection.isValid is executed from concurrent threads)

[42.4.0] (2022-06-09 08:14:02 -0400)

Changed

  • fix: added GROUP_STARTUP_PARAMETERS boolean property to determine whether or not to group startup parameters in a transaction (default=false like 42.2.x) fixes [Issue #2425](pgjdbc/pgjdbc#2497) pgbouncer cannot deal with transactions in statement pooling mode [PR #2425](pgjdbc/pgjdbc#2425)

Fixed

[42.3.6] (2022-05-24 08:52:27 -0400)

Changed

Added

Fixed

  • fix: close refcursors when underlying cursor==null instead of relying on defaultRowFetchSize [PR #2377](pgjdbc/pgjdbc#2377)

[42.3.5] (2022-05-04 08:48:35 -0400)

Changed

  • test: polish TimestampUtilsTest
  • chore: use GitHub Action concurrency feature to terminate CI jobs on fast PR pushes

... (truncated)

Commits
  • bd91c4c Prepare for release (#2580)
  • 739e599 Merge pull request from GHSA-r38f-c4h4-hqq2
  • 736f959 fix: replace syncronization in Connection.close with compareAndSet
  • 4673fd2 feat: synchronize statement executions (e.g. avoid deadlock when Connection.i...
  • fd31a06 update the website content (#2578)
  • a6044d0 set a timeout to get the return from requesting SSL upgrade. (#2572)
  • 58d6fa0 test: bump system-stubs-jupiter to 2.0.1 to support Java 16+
  • b452d8c test: avoid concurrent executions of tests that update environment and system...
  • aa5758a test: update JUnit to 5.8.2
  • 36cd24c fix: log connection URL when it can't be parsed
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/project-wildfyre/clinical-data-repository-hapi-jpa/network/alerts).