SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer
overflow in the calculated message size can cause the one large message to be sent as multiple messages under the
attacker's control.
Thanks to Paul Gerste for reporting this issue.
Fix behavior of CollectRows to return empty slice if Rows are empty (Felix)
Fix simple protocol encoding of json.RawMessage
Fix *Pipeline.getResults should close pipeline on error
Fix panic in TryFindUnderlyingTypeScanPlan (David Kurman)
Fix deallocation of invalidated cached statements in a transaction
Handle invalid sslkey file
Fix scan float4 into sql.Scanner
Fix pgtype.Bits not making copy of data from read buffer. This would cause the data to be corrupted by future reads.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Bumps the security group with 5 updates:
5.5.35.5.43.24.13.24.21.8.41.9.00.15.00.16.00.21.00.22.0Updates
github.com/jackc/pgx/v5from 5.5.3 to 5.5.4Changelog
Sourced from github.com/jackc/pgx/v5's changelog.
Commits
da6f2c9Update changelogc543134SQL sanitizer wraps arguments in parentheses20344dfCheck for overflow on uint16 sizes in pgproto3adbb38fDo not allow protocol messages larger than ~1GBc1b0a01Fix behavior of CollectRows to return empty slice if Rows are empty88dfc22Fix simple protocol encoding of json.RawMessage2e84dcc*Pipeline.getResults should close pipeline on errord149d3fFix panic in TryFindUnderlyingTypeScanPlan046f497deallocateInvalidatedCachedStatements now runs in transactions8896bd6Handle invalid sslkey fileUpdates
github.com/shirou/gopsutil/v3from 3.24.1 to 3.24.2Release notes
Sourced from github.com/shirou/gopsutil/v3's releases.
Commits
e767a0fMerge pull request #1599 from shirou/feat/add_macos_on_github_action_test53fb8ca[darwin][ci]: skip frequency check on GitHub Action25c3f40[ci]: add macos-13 and macos-14 on GitHub Action146bae2Merge pull request #1597 from vlnaum/cwd_windowsd3057c2cwd support windows doc8aeaf16Merge pull request #1594 from jmatthew/openbsd-riscv64cbbb240Merge pull request #1595 from shirou/dependabot/github_actions/golangci/golan...d0037ddchore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.06ccc605update list OpenBSD arch list27ffa28add support for OpenBSD/riscv64Updates
github.com/stretchr/testifyfrom 1.8.4 to 1.9.0Release notes
Sourced from github.com/stretchr/testify's releases.
... (truncated)
Commits
bb548d0Merge pull request #1552 from stretchr/dependabot/go_modules/github.com/stret...814075fbuild(deps): bump github.com/stretchr/objx from 0.5.1 to 0.5.2e045612Merge pull request #1339 from bogdandrutu/uintptr5b6926dMerge pull request #1385 from hslatman/not-implements9f97d67Merge pull request #1550 from stretchr/release-notesbcb0d3fInclude the auto-release notes in releasesfb770f8Merge pull request #1247 from ccoVeille/typos85d8bb6fix typos in comments, tests and github templatese2741faMerge pull request #1548 from arjunmahishi/msgAndArgs6e59f20http_assertions: assert that the msgAndArgs actually works in testsUpdates
golang.org/x/modfrom 0.15.0 to 0.16.0Commits
766dc5dmodfile: use new go version string format in WorkFile.add errorUpdates
golang.org/x/netfrom 0.21.0 to 0.22.0Commits
7ee34a0go.mod: update golang.org/x dependenciesc289c7awebsocket: re-add documentation for DialConfig9fb4a8chttp2: send an error of FLOW_CONTROL_ERROR when exceed the maximum octets3dfd003websocket: add support for dialing with contextfa11427quic: move package out of internal591be7fquic: fix UDP on big-endian Linux, tests on various architectures34cc446quic: temporarily disable networking tests failing on various platforms4bdc6dfquic: expand package docs, and document Stream22cbde9quic: set ServerName in client connection TLSConfig57e4cc7quic: handle PATH_CHALLENGE and PATH_RESPONSE framesDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show