chore(deps): Update gomod dependency github.com/jackc/pgx/v4 to v5 [SECURITY]#6109

Open
renovate-sh-app[bot] wants to merge 1 commit intomainfrom
renovate/go-github.com-jackc-pgx-v4-vulnerability

Conversation

@renovate-sh-app
Contributor

This PR contains the following updates:

| Package                 | Change            | Age | Confidence |
| ----------------------- | ----------------- | --- | ---------- |
| github.com/jackc/pgx/v4 | v4.18.3 → v5.0.0  | age | confidence |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


pgx: SQL Injection via placeholder confusion with dollar quoted string literals

GHSA-j88v-2chj-qfwx

More information

Details

Impact

SQL Injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That string literal contains text that would be interpreted as a placeholder outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

```go
attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)
```

This is unlikely to occur outside of a contrived scenario.

Patches

The problem is resolved in v5.9.2.

Workarounds

Do not use the simple protocol to execute queries matching all the above conditions.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

jackc/pgx (github.com/jackc/pgx/v4)

v5.0.0

Compare Source

Merged Packages

github.com/jackc/pgtype, github.com/jackc/pgconn, and github.com/jackc/pgproto3 are now included in the main
github.com/jackc/pgx repository. Previously there was confusion as to where issues should be reported, additional
release work due to releasing multiple packages, and less clear changelogs.

pgconn

CommandTag is now an opaque type instead of directly exposing an underlying []byte.

The return value ResultReader.Values() is no longer safe to retain a reference to after a subsequent call to NextRow() or Close().

Trace() method adds low level message tracing similar to the PQtrace function in libpq.

pgconn now uses non-blocking IO. This is a significant internal restructuring, but it should not cause any visible changes on its own. However, it is important in implementing other new features.

CheckConn() checks a connection's liveness by doing a non-blocking read. This can be used to detect database restarts or network interruptions without executing a query or a ping.

pgconn now supports pipeline mode.

*PgConn.ReceiveResults removed. Use pipeline mode instead.

Timeout() no longer considers context.Canceled as a timeout error. context.DeadlineExceeded still is considered a timeout error.

pgxpool

Connect and ConnectConfig have been renamed to New and NewWithConfig respectively. The LazyConnect option has been removed. Pools always lazily connect.

pgtype

The pgtype package has been significantly changed.

NULL Representation

Previously, types had a Status field that could be Undefined, Null, or Present. This has been changed to a
Valid bool field to harmonize with how database/sql represents NULL and to make the zero value usable.

Previously, a type that implemented driver.Valuer would have the Value method called even on a nil pointer. All nils
whether typed or untyped now represent NULL.

Codec and Value Split

Previously, the type system combined decoding and encoding values with the value types. e.g. Type Int8 both handled
encoding and decoding the PostgreSQL representation and acted as a value object. This caused some difficulties when
there was not an exact 1 to 1 relationship between the Go types and the PostgreSQL types. For example, scanning a
PostgreSQL binary numeric into a Go float64 was awkward (see jackc/pgtype#147). These
concepts have been separated. A Codec only has responsibility for encoding and decoding values. Value types are
generally defined by implementing an interface that a particular Codec understands (e.g. PointScanner and
PointValuer for the PostgreSQL point type).

Array Types

All array types are now handled by ArrayCodec instead of using code generation for each new array type. This also
means that less common array types such as point[] are now supported. Array[T] supports PostgreSQL multi-dimensional
arrays.

Composite Types

Composite types must be registered before use. CompositeFields may still be used to construct and destruct composite
values, but any type may now implement CompositeIndexGetter and CompositeIndexScanner to be used as a composite.

Range Types

Range types are now handled with types RangeCodec and Range[T]. This allows additional user defined range types to
easily be handled. Multirange types are handled similarly with MultirangeCodec and Multirange[T].

pgxtype

LoadDataType moved to *Conn as LoadType.

Bytea

The Bytea and GenericBinary types have been replaced. Use the following instead:

  • []byte - For normal usage directly use []byte.
  • DriverBytes - Uses driver memory only available until next database method call. Avoids a copy and an allocation.
  • PreallocBytes - Uses preallocated byte slice to avoid an allocation.
  • UndecodedBytes - Avoids any decoding. Allows working with raw bytes.

Dropped lib/pq Support

pgtype previously supported and was tested against lib/pq. While it will continue to work
in most cases this is no longer supported.

database/sql Scan

Previously, most Scan implementations would convert []byte to string automatically to decode a text value. Now
only string is handled. This is to allow the possibility of future binary support in database/sql mode by
considering []byte to be binary format and string text format. This change should have no effect for any use with
pgx. The previous behavior was only necessary for lib/pq compatibility.

Added *Map.SQLScanner to create a sql.Scanner for types such as []int32 and Range[T] that do not implement
sql.Scanner directly.

Number Type Fields Include Bit size

Int2, Int4, Int8, Float4, Float8, and Uint32 fields now include bit size. e.g. Int is renamed to Int64.
This matches the convention set by database/sql. In addition, for comparable types like pgtype.Int8 and
sql.NullInt64 the structures are identical. This means they can be directly converted one to another.

3rd Party Type Integrations

Other Changes

  • Bit and Varbit are both replaced by the Bits type.
  • CID, OID, OIDValue, and XID are replaced by the Uint32 type.
  • Hstore is now defined as map[string]*string.
  • JSON and JSONB types removed. Use []byte or string directly.
  • QChar type removed. Use rune or byte directly.
  • Inet and Cidr types removed. Use netip.Addr and netip.Prefix directly. These types are more memory efficient than the previous net.IPNet.
  • Macaddr type removed. Use net.HardwareAddr directly.
  • Renamed pgtype.ConnInfo to pgtype.Map.
  • Renamed pgtype.DataType to pgtype.Type.
  • Renamed pgtype.None to pgtype.Finite.
  • RegisterType now accepts a *Type instead of Type.
  • Assorted array helper methods and types made private.

stdlib

  • Removed AcquireConn and ReleaseConn as that functionality has been built in since Go 1.13.

Reduced Memory Usage by Reusing Read Buffers

Previously, the connection read buffer would allocate large chunks of memory and never reuse them. This allowed
transferring ownership to anything such as scanned values without incurring an additional allocation and memory copy.
However, this came at the cost of overall increased memory allocation size. But worse it was also possible to pin large
chunks of memory by retaining a reference to a small value that originally came directly from the read buffer. Now
ownership remains with the read buffer and anything needing to retain a value must make a copy.

Query Execution Modes

Control over automatic prepared statement caching and simple protocol use are now combined into query execution mode.
See documentation for QueryExecMode.

QueryRewriter Interface and NamedArgs

pgx now supports named arguments with the NamedArgs type. This is implemented via the new QueryRewriter interface which
allows arbitrary rewriting of query SQL and arguments.

RowScanner Interface

The RowScanner interface allows a single argument to Rows.Scan to scan the entire row.

Rows Result Helpers

  • CollectRows and RowTo* functions simplify collecting results into a slice.
  • CollectOneRow collects one row using RowTo* functions.
  • ForEachRow simplifies scanning each row and executing code using the scanned values. ForEachRow replaces QueryFunc.

Tx Helpers

Rather than every type that implemented Begin or BeginTx methods also needing to implement BeginFunc and
BeginTxFunc these methods have been converted to functions that take a db that implements Begin or BeginTx.

Improved Batch Query Ergonomics

Previously, the code for building a batch went in one place before the call to SendBatch, and the code for reading the
results went in one place after the call to SendBatch. This could make it difficult to match up the query and the code
to handle the results. Now Queue returns a QueuedQuery which has methods Query, QueryRow, and Exec which can
be used to register a callback function that will handle the result. Callback functions are called automatically when
BatchResults.Close is called.

SendBatch Uses Pipeline Mode When Appropriate

Previously, a batch with 10 unique parameterized statements executed 100 times would entail 11 network round trips. 1
for each prepare / describe and 1 for executing them all. Now pipeline mode is used to prepare / describe all statements
in a single network round trip. So it would only take 2 round trips.

Tracing and Logging

Internal logging support has been replaced with tracing hooks. This allows custom tracing integration with tools like OpenTelemetry. Package tracelog provides an adapter for pgx v4 loggers to act as a tracer.

All integrations with 3rd party loggers have been extracted to separate repositories. This trims the pgx dependency
tree.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

…ECURITY]

| datasource | package                 | from    | to     |
| ---------- | ----------------------- | ------- | ------ |
| go         | github.com/jackc/pgx/v4 | v4.18.3 | v5.0.0 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
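
As an added illustration of the advisory's workaround (this is an example written for this page, not code from the PR, from Renovate or from the pgx project), the following stand-alone Go check scans a query string for the two static conditions the advisory lists: a dollar-quoted string literal whose body contains text that looks like a `$N` placeholder. A query that trips the check should never be executed with `QueryExecModeSimpleProtocol`; the default extended protocol is unaffected because parameters are sent separately from the SQL text rather than substituted into it. The lexer is a deliberately simplified one written for this example: it handles `$$` and `$tag$` quoting and unterminated literals, but ignores single-quoted strings, comments and identifiers that contain `$`. The function and type names and the sample queries are all constructed here.

```go
package main

import (
	"fmt"
	"strings"
)

func isIdentStart(c byte) bool {
	return c == '_' || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

func isIdentChar(c byte) bool {
	return isIdentStart(c) || (c >= '0' && c <= '9')
}

// dollarQuoteTag returns the dollar-quote opener that starts at sql[i]
// ("$$" or "$tag$"), or "" if sql[i] does not begin one. "$1" is never an
// opener because a dollar-quote tag cannot start with a digit.
func dollarQuoteTag(sql string, i int) string {
	if i >= len(sql) || sql[i] != '$' {
		return ""
	}
	for j := i + 1; j < len(sql); j++ {
		switch {
		case sql[j] == '$':
			return sql[i : j+1]
		case j == i+1 && !isIdentStart(sql[j]):
			return ""
		case !isIdentChar(sql[j]):
			return ""
		}
	}
	return ""
}

// placeholders returns every $N token in s, in order of appearance.
func placeholders(s string) []string {
	var out []string
	for k := 0; k < len(s); k++ {
		if s[k] != '$' {
			continue
		}
		m := k + 1
		for m < len(s) && s[m] >= '0' && s[m] <= '9' {
			m++
		}
		if m > k+1 {
			out = append(out, s[k:m])
			k = m - 1
		}
	}
	return out
}

// PlaceholdersInsideDollarQuotes returns the $N placeholders that appear inside
// dollar-quoted string literals in sql. A non-empty result means the query meets
// conditions 2 and 3 of the advisory and must not run in simple protocol mode.
func PlaceholdersInsideDollarQuotes(sql string) []string {
	var found []string
	for i := 0; i < len(sql); {
		tag := dollarQuoteTag(sql, i)
		if tag == "" {
			i++
			continue
		}
		bodyStart := i + len(tag)
		// The literal ends at the next occurrence of the same tag; an
		// unterminated literal runs to the end of the input.
		end := strings.Index(sql[bodyStart:], tag)
		if end < 0 {
			found = append(found, placeholders(sql[bodyStart:])...)
			break
		}
		found = append(found, placeholders(sql[bodyStart:bodyStart+end])...)
		i = bodyStart + end + len(tag)
	}
	return found
}

// SafeForSimpleProtocol reports whether sql may be executed with
// QueryExecModeSimpleProtocol under the advisory's workaround.
func SafeForSimpleProtocol(sql string) bool {
	return len(PlaceholdersInsideDollarQuotes(sql)) == 0
}

func main() {
	// Constructed sample queries; the first has the shape of the advisory's example.
	for _, q := range []string{
		`select $tag$ $1 $tag$, $1`,
		`select $$plain text$$, $1`,
		`select $1, $2`,
	} {
		fmt.Printf("%-32q simple-protocol safe: %v\n", q, SafeForSimpleProtocol(q))
	}
}
```

A check like this is most useful as a unit test over the application's static query strings, or as a guard in the code path that opts into the simple protocol: refuse the call when the result is non-empty instead of relying on the query text never changing.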
@github-actions
Contributor

🔍 Dependency Review

github.com/jackc/pgx/v4 v4.18.3 → github.com/jackc/pgx/v5 v5.0.0 — ⚠️ Needs Review

Major version bump. Even though this is listed as an indirect dependency in collector/ and extension/alloyengine/, pgx v5 introduces breaking API changes compared to v4. If any code in these modules (or other direct dependencies you control) uses pgx types (pgxpool, pgconn/pgx callbacks, logging, tracing, batch/copy helpers, etc.), you may need to make small but concrete updates.

What to check in your code:

  • Logging/tracing: v5 replaces the old Logger interface and LogLevel on connection config with a Tracer and a new tracelog helper.
  • Event/callback hooks: some connection configuration hooks and tracing-related types moved/changed (e.g., use Tracer instead of Logger).
  • Minor type/behavior adjustments in helpers and results (e.g., command tag/rows-affected handling through pgconn; verify any integer types/assumptions in your code if you use them directly).

If you do not import or use pgx APIs directly in these modules, no code changes are required here; the update is safe as a transitive dependency. If you do, review and apply the changes below.

Recommended code updates (only if you use these APIs):

  1. Replace Logger usage with Tracer via tracelog
  • In v4, you may have configured logging like:

```diff
- cfg, _ := pgxpool.ParseConfig(connString)
- cfg.ConnConfig.Logger = myLogger
- cfg.ConnConfig.LogLevel = pgx.LogLevelInfo
```

  • In v5, configure a Tracer using the tracelog helper:

```diff
+ cfg, _ := pgxpool.ParseConfig(connString)
+ cfg.ConnConfig.Tracer = &tracelog.TraceLog{
+   Logger:   myLogger,           // implements tracelog.Logger
+   LogLevel: tracelog.LogLevelInfo,
+ }
```

Where:

```go
import (
  "github.com/jackc/pgx/v5/pgxpool"
  "github.com/jackc/pgx/v5/tracelog"
)
```

  2. Verify any use of command tags / rows affected
  • If your code reads or stores rows-affected counts from pgx/pgconn command tags, double-check integer types you use downstream (e.g., storing into int vs uint). Align with the current pgconn/pgx return types to avoid implicit cast issues.

  3. Pool and connection hooks
  • If you use pool config hooks (e.g., AfterConnect), or event handlers (e.g., notice handlers/tracing), adjust these to the v5 tracer/event model:

```diff
- cfg.AfterConnect = func(ctx context.Context, conn *pgx.Conn) error {
-   // old logging/tracing setup on conn
-   return nil
- }
+ cfg.AfterConnect = func(ctx context.Context, conn *pgx.Conn) error {
+   // set conn-level tracer or related setup compatible with v5
+   return nil
+ }
```

The hook signature remains the same; update any references that relied on the old Logger or log levels to use Tracer/tracelog instead.

  4. Batch, CopyFrom, and scanning helpers
  • If you use advanced features (Batch/BatchResults, CopyFrom, Collect* helpers), review the v5 notes to confirm expected return/value types and error behavior remain aligned with your usage. Adjust local types and error handling where necessary.

Evidence (upstream notes and references):

Summary callout:

  • If you don’t call pgx/pgxpool/pgconn APIs from these modules, this change will not require code updates here.
  • If you do, the primary change you’ll need is switching from Logger/LogLevel to Tracer/tracelog and verifying any advanced API usage (batch/copy/scanning) against v5 behavior.

Notes

  • This review only covers changed dependencies surfaced in the provided go.mod diffs. No other dependency changes were detected.
