SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer
overflow in the calculated message size can cause the one large message to be sent as multiple messages under the
attacker's control.
Thanks to Paul Gerste for reporting this issue.
Fix behavior of CollectRows to return empty slice if Rows are empty (Felix)
Fix simple protocol encoding of json.RawMessage
Fix *Pipeline.getResults should close pipeline on error
Fix panic in TryFindUnderlyingTypeScanPlan (David Kurman)
Fix deallocation of invalidated cached statements in a transaction
Handle invalid sslkey file
Fix scan float4 into sql.Scanner
Fix pgtype.Bits not making copy of data from read buffer. This would cause the data to be corrupted by future reads.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Bumps the security group with 5 updates:
5.5.3
5.5.4
3.24.1
3.24.2
1.8.4
1.9.0
0.15.0
0.16.0
0.21.0
0.22.0
Updates
github.com/jackc/pgx/v5
from 5.5.3 to 5.5.4Changelog
Sourced from github.com/jackc/pgx/v5's changelog.
Commits
da6f2c9
Update changelogc543134
SQL sanitizer wraps arguments in parentheses20344df
Check for overflow on uint16 sizes in pgproto3adbb38f
Do not allow protocol messages larger than ~1GBc1b0a01
Fix behavior of CollectRows to return empty slice if Rows are empty88dfc22
Fix simple protocol encoding of json.RawMessage2e84dcc
*Pipeline.getResults should close pipeline on errord149d3f
Fix panic in TryFindUnderlyingTypeScanPlan046f497
deallocateInvalidatedCachedStatements now runs in transactions8896bd6
Handle invalid sslkey fileUpdates
github.com/shirou/gopsutil/v3
from 3.24.1 to 3.24.2Release notes
Sourced from github.com/shirou/gopsutil/v3's releases.
Commits
e767a0f
Merge pull request #1599 from shirou/feat/add_macos_on_github_action_test53fb8ca
[darwin][ci]: skip frequency check on GitHub Action25c3f40
[ci]: add macos-13 and macos-14 on GitHub Action146bae2
Merge pull request #1597 from vlnaum/cwd_windowsd3057c2
cwd support windows doc8aeaf16
Merge pull request #1594 from jmatthew/openbsd-riscv64cbbb240
Merge pull request #1595 from shirou/dependabot/github_actions/golangci/golan...d0037dd
chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.06ccc605
update list OpenBSD arch list27ffa28
add support for OpenBSD/riscv64Updates
github.com/stretchr/testify
from 1.8.4 to 1.9.0Release notes
Sourced from github.com/stretchr/testify's releases.
... (truncated)
Commits
bb548d0
Merge pull request #1552 from stretchr/dependabot/go_modules/github.com/stret...814075f
build(deps): bump github.com/stretchr/objx from 0.5.1 to 0.5.2e045612
Merge pull request #1339 from bogdandrutu/uintptr5b6926d
Merge pull request #1385 from hslatman/not-implements9f97d67
Merge pull request #1550 from stretchr/release-notesbcb0d3f
Include the auto-release notes in releasesfb770f8
Merge pull request #1247 from ccoVeille/typos85d8bb6
fix typos in comments, tests and github templatese2741fa
Merge pull request #1548 from arjunmahishi/msgAndArgs6e59f20
http_assertions: assert that the msgAndArgs actually works in testsUpdates
golang.org/x/mod
from 0.15.0 to 0.16.0Commits
766dc5d
modfile: use new go version string format in WorkFile.add errorUpdates
golang.org/x/net
from 0.21.0 to 0.22.0Commits
7ee34a0
go.mod: update golang.org/x dependenciesc289c7a
websocket: re-add documentation for DialConfig9fb4a8c
http2: send an error of FLOW_CONTROL_ERROR when exceed the maximum octets3dfd003
websocket: add support for dialing with contextfa11427
quic: move package out of internal591be7f
quic: fix UDP on big-endian Linux, tests on various architectures34cc446
quic: temporarily disable networking tests failing on various platforms4bdc6df
quic: expand package docs, and document Stream22cbde9
quic: set ServerName in client connection TLSConfig57e4cc7
quic: handle PATH_CHALLENGE and PATH_RESPONSE framesDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show