fix(security/LOW): Update gomod dependency github.com/jackc/pgx/v4 to v5 [SECURITY]

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/jackc/pgx/v4	v4.18.3 → v5.0.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

pgx: SQL Injection via placeholder confusion with dollar quoted string literals

CVE-2026-41889 / GHSA-j88v-2chj-qfwx

More information

Details

Impact

SQL Injection can occur when:

1. The non-default simple protocol is used.
2. A dollar quoted string literal is used in the SQL query.
3. That string literal contains text that would be would be interpreted as a placeholder outside of a string literal.
4. The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

Patches

The problem is resolved in v5.9.2.

Workarounds

Do not use the simple protocol to execute queries matching all the above conditions.

Severity

• CVSS Score: 2.3 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx
• https://nvd.nist.gov/vuln/detail/CVE-2026-41889
• https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da
• https://github.com/jackc/pgx
• https://github.com/jackc/pgx/releases/tag/v5.9.2

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

jackc/pgx (github.com/jackc/pgx/v4)

v5.0.0

Compare Source

Merged Packages

github.com/jackc/pgtype, github.com/jackc/pgconn, and github.com/jackc/pgproto3 are now included in the main
github.com/jackc/pgx repository. Previously there was confusion as to where issues should be reported, additional
release work due to releasing multiple packages, and less clear changelogs.

pgconn

CommandTag is now an opaque type instead of directly exposing an underlying []byte.

The return value ResultReader.Values() is no longer safe to retain a reference to after a subsequent call to NextRow() or Close().

Trace() method adds low level message tracing similar to the PQtrace function in libpq.

pgconn now uses non-blocking IO. This is a significant internal restructuring, but it should not cause any visible changes on its own. However, it is important in implementing other new features.

CheckConn() checks a connection's liveness by doing a non-blocking read. This can be used to detect database restarts or network interruptions without executing a query or a ping.

pgconn now supports pipeline mode.

*PgConn.ReceiveResults removed. Use pipeline mode instead.

Timeout() no longer considers context.Canceled as a timeout error. context.DeadlineExceeded still is considered a timeout error.

pgxpool

Connect and ConnectConfig have been renamed to New and NewWithConfig respectively. The LazyConnect option has been removed. Pools always lazily connect.

pgtype

The pgtype package has been significantly changed.

NULL Representation

Previously, types had a Status field that could be Undefined, Null, or Present. This has been changed to a
Valid bool field to harmonize with how database/sql represents NULL and to make the zero value useable.

Previously, a type that implemented driver.Valuer would have the Value method called even on a nil pointer. All nils
whether typed or untyped now represent NULL.

Codec and Value Split

Previously, the type system combined decoding and encoding values with the value types. e.g. Type Int8 both handled
encoding and decoding the PostgreSQL representation and acted as a value object. This caused some difficulties when
there was not an exact 1 to 1 relationship between the Go types and the PostgreSQL types For example, scanning a
PostgreSQL binary numeric into a Go float64 was awkward (see jackc/pgtype#147). This
concepts have been separated. A Codec only has responsibility for encoding and decoding values. Value types are
generally defined by implementing an interface that a particular Codec understands (e.g. PointScanner and
PointValuer for the PostgreSQL point type).

Array Types

All array types are now handled by ArrayCodec instead of using code generation for each new array type. This also
means that less common array types such as point[] are now supported. Array[T] supports PostgreSQL multi-dimensional
arrays.

Composite Types

Composite types must be registered before use. CompositeFields may still be used to construct and destruct composite
values, but any type may now implement CompositeIndexGetter and CompositeIndexScanner to be used as a composite.

Range Types

Range types are now handled with types RangeCodec and Range[T]. This allows additional user defined range types to
easily be handled. Multirange types are handled similarly with MultirangeCodec and Multirange[T].

pgxtype

LoadDataType moved to *Conn as LoadType.

Bytea

The Bytea and GenericBinary types have been replaced. Use the following instead:

• []byte - For normal usage directly use []byte.
• DriverBytes - Uses driver memory only available until next database method call. Avoids a copy and an allocation.
• PreallocBytes - Uses preallocated byte slice to avoid an allocation.
• UndecodedBytes - Avoids any decoding. Allows working with raw bytes.

Dropped lib/pq Support

pgtype previously supported and was tested against lib/pq. While it will continue to work
in most cases this is no longer supported.

database/sql Scan

Previously, most Scan implementations would convert []byte to string automatically to decode a text value. Now
only string is handled. This is to allow the possibility of future binary support in database/sql mode by
considering []byte to be binary format and string text format. This change should have no effect for any use with
pgx. The previous behavior was only necessary for lib/pq compatibility.

Added *Map.SQLScanner to create a sql.Scanner for types such as []int32 and Range[T] that do not implement
sql.Scanner directly.

Number Type Fields Include Bit size

Int2, Int4, Int8, Float4, Float8, and Uint32 fields now include bit size. e.g. Int is renamed to Int64.
This matches the convention set by database/sql. In addition, for comparable types like pgtype.Int8 and
sql.NullInt64 the structures are identical. This means they can be directly converted one to another.

3rd Party Type Integrations

• Extracted integrations with https://github.com/shopspring/decimal and https://github.com/gofrs/uuid to
  https://github.com/jackc/pgx-shopspring-decimal and https://github.com/jackc/pgx-gofrs-uuid respectively. This trims
  the pgx dependency tree.

Other Changes

• Bit and Varbit are both replaced by the Bits type.
• CID, OID, OIDValue, and XID are replaced by the Uint32 type.
• Hstore is now defined as map[string]*string.
• JSON and JSONB types removed. Use []byte or string directly.
• QChar type removed. Use rune or byte directly.
• Inet and Cidr types removed. Use netip.Addr and netip.Prefix directly. These types are more memory efficient than the previous net.IPNet.
• Macaddr type removed. Use net.HardwareAddr directly.
• Renamed pgtype.ConnInfo to pgtype.Map.
• Renamed pgtype.DataType to pgtype.Type.
• Renamed pgtype.None to pgtype.Finite.
• RegisterType now accepts a *Type instead of Type.
• Assorted array helper methods and types made private.

stdlib

• Removed AcquireConn and ReleaseConn as that functionality has been built in since Go 1.13.

Reduced Memory Usage by Reusing Read Buffers

Previously, the connection read buffer would allocate large chunks of memory and never reuse them. This allowed
transferring ownership to anything such as scanned values without incurring an additional allocation and memory copy.
However, this came at the cost of overall increased memory allocation size. But worse it was also possible to pin large
chunks of memory by retaining a reference to a small value that originally came directly from the read buffer. Now
ownership remains with the read buffer and anything needing to retain a value must make a copy.

Query Execution Modes

Control over automatic prepared statement caching and simple protocol use are now combined into query execution mode.
See documentation for QueryExecMode.

QueryRewriter Interface and NamedArgs

pgx now supports named arguments with the NamedArgs type. This is implemented via the new QueryRewriter interface which
allows arbitrary rewriting of query SQL and arguments.

RowScanner Interface

The RowScanner interface allows a single argument to Rows.Scan to scan the entire row.

Rows Result Helpers

• CollectRows and RowTo* functions simplify collecting results into a slice.
• CollectOneRow collects one row using RowTo* functions.
• ForEachRow simplifies scanning each row and executing code using the scanned values. ForEachRow replaces QueryFunc.

Tx Helpers

Rather than every type that implemented Begin or BeginTx methods also needing to implement BeginFunc and
BeginTxFunc these methods have been converted to functions that take a db that implements Begin or BeginTx.

Improved Batch Query Ergonomics

Previously, the code for building a batch went in one place before the call to SendBatch, and the code for reading the
results went in one place after the call to SendBatch. This could make it difficult to match up the query and the code
to handle the results. Now Queue returns a QueuedQuery which has methods Query, QueryRow, and Exec which can
be used to register a callback function that will handle the result. Callback functions are called automatically when
BatchResults.Close is called.

SendBatch Uses Pipeline Mode When Appropriate

Previously, a batch with 10 unique parameterized statements executed 100 times would entail 11 network round trips. 1
for each prepare / describe and 1 for executing them all. Now pipeline mode is used to prepare / describe all statements
in a single network round trip. So it would only take 2 round trips.

Tracing and Logging

Internal logging support has been replaced with tracing hooks. This allows custom tracing integration with tools like OpenTelemetry. Package tracelog provides an adapter for pgx v4 loggers to act as a tracer.

All integrations with 3rd party loggers have been extracted to separate repositories. This trims the pgx dependency
tree.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[github-actions]

🔍 Dependency Review

Below are the dependency changes detected in go.mod files and what, if anything, you’d need to change in your code to adopt them.

Note: Only dependencies whose versions changed are reviewed. The root go.mod’s movement of pgx/v4 within the file did not change version and is not covered.

---

github.com/jackc/pgx/v4 v4.18.3 → github.com/jackc/pgx/v5 v5.0.0 — ⚠️ Needs Review

Scope

• Changed in: collector/go.mod and extension/alloyengine/go.mod (indirect).
• The root go.mod still references pgx/v4 (same version), so v4 and v5 may coexist due to semantic import versioning (separate import paths /v4 vs /v5).

Impact

• If these modules do not import pgx directly, no code changes are required in this repository (transitive dependencies importing v4 remain unaffected).
• If these modules import pgx directly, pgx v5 includes breaking API changes vs v4. Update code as below.

Key breaking changes and how to update
Sources:

• pgx v5 release notes: https://github.com/jackc/pgx/releases/tag/v5.0.0
• Upgrading guide and docs in the v5 branch (e.g., tracelog, config, stdlib).

1. Logging replaced with tracing

• v4’s Config.Logger and Config.LogLevel were removed.
• v5 introduces Config.Tracer and the tracelog helper package.

Code updates:

- import "github.com/jackc/pgx/v4"
+ import (
+   "github.com/jackc/pgx/v5"
+   "github.com/jackc/pgx/v5/tracelog"
+)

 // assuming cfg is *pgx.ConnConfig or *pgxpool.Config
- cfg.Logger = myLogger
- cfg.LogLevel = pgx.LogLevelDebug
+ cfg.Tracer = &tracelog.TraceLog{
+   Logger:   myLogger,                   // must implement tracelog.Logger (compatible with std log.Logger via adapter)
+   LogLevel: tracelog.LogLevelDebug,     // Debug, Info, Warn, Error, None
+}

Relevant changelog excerpt:

• “Replace Logger/LogLevel with Tracer (pgx/tracelog).”

2. “Ex” query/exec variants removed

• v4 exposed ExecEx, QueryEx, QueryRowEx to pass per-call options (e.g., SimpleProtocol).
• v5 removes these. Use the standard Exec, Query, QueryRow along with new configuration/option mechanisms.

Common updates:

• If you used SimpleProtocol via QueryExOptions/ExecExOptions, configure it at connection level.

- _, err := conn.ExecEx(ctx, "select 1", &pgx.QueryExOptions{SimpleProtocol: true})
+ // Set once on config before connecting:
+ // cfg.DefaultQueryExecMode = pgx.QueryExecModeSimpleProtocol
+ _, err := conn.Exec(ctx, "select 1")

Relevant changelog excerpt:

• “Remove ExecEx/QueryEx/QueryRowEx; use standard methods with new exec mode configuration.”

3. Simple protocol configuration changed

• v4 commonly used PreferSimpleProtocol or per-call SimpleProtocol via Ex options.
• v5 centralizes this with a default query execution mode.

- cfg.PreferSimpleProtocol = true
+ cfg.DefaultQueryExecMode = pgx.QueryExecModeSimpleProtocol

Relevant changelog excerpt:

• “PreferSimpleProtocol replaced by DefaultQueryExecMode with QueryExecModeSimpleProtocol.”

4. database/sql stdlib integration changes

• If you used the old registration-based approach (RegisterConnConfig), switch to OpenDB.

- name := stdlib.RegisterConnConfig(cfg)
- db, err := sql.Open("pgx", name)
+ db := stdlib.OpenDB(cfg)
+ // handle err as needed if you build cfg via ParseConfig, etc.

Relevant changelog excerpt:

• “Use stdlib.OpenDB; registration helpers from earlier versions removed/deprecated.”

Additional notes to check in your code (only if used):

• Type and interface tweaks: some option and callback types (e.g., tracers, loggers) have changed signatures/packages.
• Ensure any direct references to v4-only symbols compile (e.g., pgx.LogLevel*, pgx.Logger, QueryExOptions).
• Imports must point at /v5 for any direct use (the compiler will force this).

Why this is "Needs Review"

• It’s a major release with explicit API removals/renames. If these submodules import pgx directly, you will need to apply the changes above. If they do not, no code changes are required in this repo, and pgx v4 can continue to be used by other transitive dependencies concurrently.

Notes

• Root go.mod: github.com/jackc/pgx/v4 v4.18.3 remains (only moved within the file). No version change to review.