Update pump and storage to support pgx v5 #8093

Merged
buger merged 3 commits into master from update-pump-and-storage
Apr 17, 2026

Conversation

@MFCaballero
Contributor

Description

Related Issue

Motivation and Context

How This Has Been Tested

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Refactoring or add test (improvements in base code or adds test coverage to functionality)

Checklist

  • I ensured that the documentation is up to date
  • I explained why this PR updates go.mod in detail with reasoning why it's required
  • I would like a code coverage CI quality gate exception and have explained why

@probelabs
Contributor

probelabs bot commented Apr 17, 2026

This PR updates the github.com/TykTechnologies/storage and github.com/TykTechnologies/tyk-pump dependencies to support pgx v5, a major version update for the PostgreSQL driver.

Files Changed Analysis

The changes are concentrated in dependency management files and minor test adjustments:

  • go.mod & go.sum: These files are updated to bump the versions of two key dependencies:
    • github.com/TykTechnologies/storage is updated from v1.3.0 to v1.3.1.
    • github.com/TykTechnologies/tyk-pump is updated from v1.13.0-rc2... to v1.14.1-rc2.
  • Test Files: Minor cosmetic changes were made in apidef/mcp/validator_test.go, apidef/oas/validator_test.go, and apidef/streams/validator_test.go. The capitalization of an error message was changed from "Malformed version: %s" to "malformed version: %s" in test assertions.

Architecture & Impact Assessment

  • What this PR accomplishes: This PR aligns the Tyk Gateway with pgx v5 by updating the storage and pump components, which handle database interactions with PostgreSQL.

  • Key technical changes: The primary change is the version bump of the storage and tyk-pump modules in go.mod. The underlying code changes that add pgx v5 support are contained within these updated dependency versions.

  • Affected system components:

    • Storage Layer: Any functionality relying on PostgreSQL for persistence, such as session management, key storage, and API definitions, is affected by the storage module update.
    • Tyk Pump: The analytics processing component is affected, specifically its PostgreSQL pump which is responsible for writing analytics data to the database.
  • Component Relationships:

```mermaid
graph TD
TykGateway -->|uses| Storage["storage v1.3.1"]
TykGateway -->|uses| TykPump["tyk-pump v1.14.1-rc2"]
Storage -->|communicates with| PostgreSQL[PostgreSQL DB]
TykPump -->|communicates with| PostgreSQL

subgraph "Updated Dependencies"
  Storage
  TykPump
end

style Storage fill:#d4f0db
style TykPump fill:#d4f0db
```

## Scope Discovery & Context Expansion

While the direct code changes in this repository are minimal, the indirect scope is significant. A major version update of a core dependency like a database driver (`pgx`) can introduce breaking changes or subtle shifts in behavior. The actual code adaptation for `pgx v5` resides within the `storage` and `tyk-pump` repositories.

The primary risk for this repository is the potential for regressions introduced by these updated dependencies. A thorough review should involve checking the release notes for `storage v1.3.1` and `tyk-pump v1.14.1-rc2` to understand the full extent of the changes. It is critical to ensure that existing integration tests covering all PostgreSQL-related functionality are executed to catch any regressions.


<details>
<summary>Metadata</summary>

- Review Effort: 3 / 5
- Primary Label: chore


</details>

---

*Powered by [Visor](https://probelabs.com/visor) from [Probelabs](https://probelabs.com)*

*Last updated: 2026-04-17T18:41:06.964Z | Triggered by: pr_updated | Commit: 10eac47*

💡 **TIP:** You can chat with Visor using `/visor ask <your question>`
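
An added example, not part of this PR thread or of Tyk's code: Go encodes major versions from v2 onward in the module path, so a small bump such as `storage` v1.3.0 to v1.3.1 can swap an indirect driver from `/v4` to `/v5` without the top-level diff making that obvious. The sketch below compares two go.mod texts and reports such changes; the go.mod fragments, the pgx version strings and the function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed go.mod fragments, not the repository's real file; pgx lines are illustrative.
const sampleBefore = "require (\n\tgithub.com/TykTechnologies/storage v1.3.0\n\tgithub.com/jackc/pgx/v4 v4.0.0 // indirect\n)\n"
const sampleAfter = "require (\n\tgithub.com/TykTechnologies/storage v1.3.1\n\tgithub.com/jackc/pgx/v5 v5.0.0 // indirect\n)\n"

// requireLine matches "path vX.Y.Z" (optionally after "require"); majorSuffix splits a /vN path suffix.
var requireLine = regexp.MustCompile(`^(?:require\s+)?(\S+)\s+(v\d\S*)`)
var majorSuffix = regexp.MustCompile(`^(.*)/v(\d+)$`)

// majors maps each base module path to the major versions a go.mod requires.
func majors(gomod string) map[string][]string {
	out := map[string][]string{}
	for _, line := range strings.Split(gomod, "\n") {
		m := requireLine.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		base, major := m[1], "v0/v1"
		if s := majorSuffix.FindStringSubmatch(m[1]); s != nil {
			base, major = s[1], "v"+s[2]
		}
		out[base] = append(out[base], major)
	}
	return out
}

// MajorChanges reports modules present in both files whose set of majors differs.
func MajorChanges(before, after string) []string {
	b, a := majors(before), majors(after)
	var changes []string
	for base, am := range a {
		bm, ok := b[base]
		sort.Strings(am)
		sort.Strings(bm)
		if from, to := strings.Join(bm, ","), strings.Join(am, ","); ok && from != to {
			changes = append(changes, fmt.Sprintf("%s: %s -> %s", base, from, to))
		}
	}
	sort.Strings(changes)
	return changes
}
func main() { fmt.Println(MajorChanges(sampleBefore, sampleAfter)) }
```

A module that appears with two majors after the update (for example when one dependency still pulls the old driver) is reported as `v4 -> v4,v5`, which is the case worth checking for two drivers linked into one binary.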

@probelabs
Contributor

probelabs bot commented Apr 17, 2026

Security Issues (1)

Severity Location Issue
🟡 Warning go.mod:32-33
This change updates core data handling dependencies (`storage` and `tyk-pump`) to support a new major version of the PostgreSQL driver (`pgx v5`). Such a significant upgrade within a dependency can introduce security vulnerabilities if the migration is not handled perfectly. Potential risks include new SQL injection vectors if parameterization APIs changed, or weakened TLS enforcement if connection logic was altered.
💡 Suggestion: It is crucial to verify that these updated dependencies have undergone a security review and targeted testing for issues related to the `pgx v5` migration. Confirm that the maintainers of `storage` and `tyk-pump` have validated their new versions against common database security risks before integrating them.

Architecture Issues (1)

Severity Location Issue
🟡 Warning go.mod:32-33
This PR updates core dependencies (`storage` and `tyk-pump`) to support a new major version of a transitive dependency, the database driver `pgx v5`. This constitutes a significant architectural change with the potential for behavioral shifts or regressions. The pull request description is empty and provides no context, motivation, or summary of testing for this critical update. Major dependency changes that affect core functionality must be thoroughly documented to allow for proper risk assessment and architectural review.
💡 Suggestion: Update the pull request description to detail the reasons for this dependency upgrade. The description should include: 1) The motivation for moving to `pgx v5`. 2) A summary of the key changes in `storage v1.3.1` and `tyk-pump v1.14.1-rc2`. 3) A description of the testing performed to validate that the gateway's PostgreSQL integration remains stable and performant.

✅ Performance Check Passed

No performance issues found – changes LGTM.

Quality Issues (3)

Severity Location Issue
🟡 Warning apidef/mcp/validator_test.go:425
The test asserts an error message 'malformed version: %s', which is inconsistent with the error message 'Malformed version: %s' found in other, similar tests within the codebase. This inconsistency can make maintenance harder, as it's unclear if the difference is intentional or an oversight. Standardizing error messages in tests improves clarity and simplifies updates.
💡 Suggestion: Update the expected error message to 'Malformed version: %s' to align with other tests in the codebase, such as in `apidef/validator_test.go`. This ensures consistency across the test suite.
🟡 Warning apidef/oas/validator_test.go:414
The test asserts an error message 'malformed version: %s', which is inconsistent with the error message 'Malformed version: %s' found in other, similar tests within the codebase. This inconsistency can make maintenance harder, as it's unclear if the difference is intentional or an oversight. Standardizing error messages in tests improves clarity and simplifies updates.
💡 Suggestion: Update the expected error message to 'Malformed version: %s' to align with other tests in the codebase, such as in `apidef/validator_test.go`. This ensures consistency across the test suite.
🟡 Warning apidef/streams/validator_test.go:301
The test asserts an error message 'malformed version: %s', which is inconsistent with the error message 'Malformed version: %s' found in other, similar tests within the codebase. This inconsistency can make maintenance harder, as it's unclear if the difference is intentional or an oversight. Standardizing error messages in tests improves clarity and simplifies updates.
💡 Suggestion: Update the expected error message to 'Malformed version: %s' to align with other tests in the codebase, such as in `apidef/validator_test.go`. This ensures consistency across the test suite.

Last updated: 2026-04-17T18:40:45.748Z | Triggered by: pr_updated | Commit: 10eac47

@pvormste pvormste added the deps-reviewed Dependency changes reviewed and approved for CI execution label Apr 17, 2026
@github-actions
Contributor

API Changes

no api changes detected

@MFCaballero MFCaballero enabled auto-merge (squash) April 17, 2026 16:43
@MFCaballero
Contributor Author

/release to release-5.12.1

@probelabs
Contributor

probelabs bot commented Apr 17, 2026

❌ Cherry-pick failed. Please check the workflow logs.

@sonarqubecloud

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@MFCaballero MFCaballero disabled auto-merge April 17, 2026 17:47
@github-actions
Contributor

🚨 Jira Linter Failed

Commit: 10eac47
Failed at: 2026-04-17 18:39:07 UTC

The Jira linter failed to validate your PR. Please check the error details below:

🔍 Click to view error details
failed to validate branch and PR title rules: branch name 'update-pump-and-storage' must contain a valid Jira ticket ID (e.g., ABC-123)

Next Steps

  • Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
  • Verify your PR title matches the branch's Jira ticket ID
  • Check that the Jira ticket exists and is accessible

This comment will be automatically deleted once the linter passes.

@buger buger merged commit d94119c into master Apr 17, 2026
19 of 21 checks passed
@buger buger deleted the update-pump-and-storage branch April 17, 2026 18:54

Labels

deps-reviewed Dependency changes reviewed and approved for CI execution

3 participants