
Update module github.com/jackc/pgx/v5 to v5.9.2 [SECURITY]#1529

Merged
vitabaks merged 1 commit into main from renovate/go-github.com-jackc-pgx-v5-vulnerability on Apr 28, 2026

Conversation

@renovate
Contributor

@renovate renovate Bot commented Apr 28, 2026

This PR contains the following updates:

Package: github.com/jackc/pgx/v5
Change: v5.8.0 → v5.9.2

Memory-safety vulnerability in github.com/jackc/pgx/v5.

CVE-2026-33816 / GHSA-9jj7-4m8r-rfcm


Details

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


pgx: SQL Injection via placeholder confusion with dollar quoted string literals

GHSA-j88v-2chj-qfwx


Details

Impact

SQL Injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That string literal contains text that would be interpreted as a placeholder outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

// Attacker-controlled value: it closes the $tag$ literal and appends a statement.
attackValue := `$tag$; drop table canary; --`
// Simple protocol: the $1 inside the dollar-quoted literal is treated as a placeholder.
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

Patches

The problem is resolved in v5.9.2.

Workarounds

Do not use the simple protocol to execute queries matching all the above conditions.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

jackc/pgx (github.com/jackc/pgx/v5)

v5.9.2


v5.9.1


v5.9.0



Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
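To make the four conditions in the GHSA-j88v-2chj-qfwx advisory concrete, here is an added Go example; it is not code from pgx or from this repository. It models a simple-protocol client that inlines arguments into the SQL text client-side. `Substitute` with `trackDollar=false` reproduces the described confusion: it honours single-quoted literals but not dollar-quoted ones, so the `$1` inside `$tag$ ... $tag$` is replaced with the quoted attack value; with `trackDollar=true` the dollar-quoted literal is skipped and only the real placeholder is substituted. `CountStatements` is a constructed minimal lexer that splits the resulting text the way the server would (honouring `'...'` and `$tag$...$tag$` literals and `--` comments) and shows that the naive result carries two statements, one of them `drop table canary`, while the correct result carries one. The quoting rule and both scanners are assumptions made for illustration, not pgx's implementation; the query and attack value are the advisory's own.

```go
package main

import (
	"strconv"
	"strings"
)

// Query and AttackValue are the advisory's own example; the scanner below is a
// constructed illustration of the bug class, not pgx's implementation.
const Query = "select $tag$ $1 $tag$, $1"
const AttackValue = "$tag$; drop table canary; --"
func isDigit(c byte) bool   { return '0' <= c && c <= '9' }
func isTagChar(c byte) bool { return c == '_' || 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || isDigit(c) }

// dollarToken classifies the token at sql[i]: a "$n" placeholder (n>0, param)
// or a dollar-quote tag such as $$ or $tag$ (n>0, !param); n==0 if neither.
func dollarToken(sql string, i int) (n int, param bool) {
	if sql[i] != '$' {
		return 0, false
	}
	j := i + 1
	for j < len(sql) && isDigit(sql[j]) {
		j++
	}
	if j > i+1 { // a tag may not start with a digit, so "$1" is a placeholder
		return j - i, true
	}
	for j < len(sql) && isTagChar(sql[j]) {
		j++
	}
	if j < len(sql) && sql[j] == '$' {
		return j - i + 1, false
	}
	return 0, false
}

// literalEnd returns the index just past the '...' literal ('' escapes a quote)
// or, when dollar is set, the $tag$...$tag$ literal at sql[i]; i if none.
func literalEnd(sql string, i int, dollar bool) int {
	if n, param := dollarToken(sql, i); dollar && n > 0 && !param {
		if k := strings.Index(sql[i+n:], sql[i:i+n]); k >= 0 {
			return i + n + k + n
		}
		return len(sql) // unterminated: swallows the rest of the text
	}
	if sql[i] != '\'' {
		return i
	}
	for j := i + 1; j < len(sql); j++ {
		if sql[j] == '\'' && j+1 < len(sql) && sql[j+1] == '\'' {
			j++ // doubled quote stays inside the literal
		} else if sql[j] == '\'' {
			return j + 1
		}
	}
	return len(sql)
}

// Substitute inlines args into $n placeholders as a simple-protocol client does
// (single-quoted, embedded quotes doubled). With trackDollar=false only '...'
// literals are honoured, so a $1 inside $tag$...$tag$ is replaced too (the flaw).
func Substitute(sql string, args []string, trackDollar bool) string {
	var out strings.Builder
	for i := 0; i < len(sql); {
		if j := literalEnd(sql, i, trackDollar); j > i {
			out.WriteString(sql[i:j])
			i = j
		} else if n, param := dollarToken(sql, i); param {
			idx, _ := strconv.Atoi(sql[i+1 : i+n])
			out.WriteString("'" + strings.ReplaceAll(args[idx-1], "'", "''") + "'")
			i += n
		} else {
			out.WriteByte(sql[i])
			i++
		}
	}
	return out.String()
}

// CountStatements counts non-empty top-level statements as the PostgreSQL lexer
// sees them: a ';' outside quoted literals and "--" comments ends one.
func CountStatements(sql string) int {
	sql += "\n;" // the newline closes a trailing comment, the ';' flushes the last statement
	count, pending := 0, false
	for i := 0; i < len(sql); {
		switch j := literalEnd(sql, i, true); {
		case j > i:
			i, pending = j, true
		case strings.HasPrefix(sql[i:], "--"):
			i += strings.IndexByte(sql[i:], '\n') // always found thanks to the appended "\n;"
		case sql[i] == ';':
			if pending {
				count++
			}
			pending, i = false, i+1
		default:
			pending, i = pending || sql[i] > ' ', i+1
		}
	}
	return count
}
```

Running `CountStatements(Substitute(Query, []string{AttackValue}, false))` yields 2, because the inlined value's `$tag$` closes the literal the server is still reading and the `; drop table canary; --` that follows lands outside any literal; the same call with `trackDollar=true` yields 1. The workaround in the advisory (do not combine the simple protocol, dollar quoting and placeholder-like text in one query) removes condition 2 or 3 so that the naive path is never reached.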

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Apr 28, 2026
@renovate
Contributor Author

renovate Bot commented Apr 28, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: console/service/go.sum
Command failed: go get -t ./...
go: downloading github.com/rs/zerolog v1.34.0
go: downloading github.com/kelseyhightower/envconfig v1.4.0
go: downloading github.com/go-openapi/runtime v0.29.3
go: downloading github.com/segmentio/asm v1.2.1
go: downloading go.openly.dev/pointy v1.3.0
go: downloading github.com/go-openapi/strfmt v0.26.1
go: downloading github.com/gdex-lab/go-render v1.0.1
go: downloading github.com/google/uuid v1.6.0
go: downloading github.com/jackc/pgx/v5 v5.9.2
go: downloading github.com/go-openapi/loads v0.23.3
go: downloading github.com/jessevdk/go-flags v1.6.1
go: downloading gotest.tools/v3 v3.5.2
go: downloading github.com/mitchellh/mapstructure v1.5.0
go: downloading golang.org/x/sync v0.20.0
go: downloading github.com/docker/docker v28.5.2+incompatible
go: downloading github.com/docker/go-connections v0.6.0
go: downloading github.com/goombaio/namegenerator v0.0.0-20181006234301-989e774b106e
go: downloading github.com/pressly/goose/v3 v3.27.0
go: downloading github.com/go-openapi/errors v0.22.7
go: downloading github.com/mattn/go-colorable v0.1.14
go: downloading github.com/go-openapi/analysis v0.24.3
go: downloading github.com/go-openapi/spec v0.22.4
go: downloading github.com/go-openapi/swag v0.23.1
go: downloading github.com/go-openapi/swag/conv v0.25.5
go: downloading github.com/go-openapi/swag/stringutils v0.25.5
go: downloading github.com/go-openapi/validate v0.25.2
go: downloading github.com/go-viper/mapstructure/v2 v2.5.0
go: downloading github.com/oklog/ulid v1.3.1
go: downloading github.com/oklog/ulid/v2 v2.1.1
go: downloading golang.org/x/net v0.50.0
go: downloading github.com/jackc/puddle/v2 v2.2.2
go: downloading github.com/go-openapi/swag/loading v0.25.5
go: downloading github.com/go-openapi/swag/yamlutils v0.25.5
go: downloading golang.org/x/sys v0.41.0
go: downloading github.com/google/go-cmp v0.7.0
go: downloading github.com/docker/go-units v0.5.0
go: downloading github.com/moby/docker-image-spec v1.3.1
go: downloading github.com/opencontainers/image-spec v1.1.1
go: downloading github.com/opencontainers/go-digest v1.0.0
go: downloading github.com/Microsoft/go-winio v0.6.2
go: downloading github.com/containerd/errdefs v1.0.0
go: downloading github.com/containerd/errdefs/pkg v0.3.0
go: downloading github.com/distribution/reference v0.6.0
go: downloading github.com/pkg/errors v0.9.1
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0
go: downloading go.opentelemetry.io/otel/trace v1.41.0
go: downloading go.opentelemetry.io/otel v1.41.0
go: downloading github.com/sethvargo/go-retry v0.3.0
go: downloading go.uber.org/multierr v1.11.0
go: downloading github.com/go-openapi/swag/fileutils v0.25.5
go: downloading github.com/go-openapi/swag/jsonutils v0.25.5
go: downloading github.com/mattn/go-isatty v0.0.20
go: downloading github.com/go-openapi/jsonpointer v0.22.5
go: downloading github.com/go-openapi/swag/mangling v0.25.5
go: downloading github.com/go-openapi/jsonreference v0.21.5
go: downloading github.com/go-openapi/swag/jsonname v0.25.5
go: downloading golang.org/x/text v0.34.0
go: downloading github.com/jackc/pgpassfile v1.0.0
go: downloading github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761
go: downloading github.com/go-openapi/swag/typeutils v0.25.5
go: downloading go.yaml.in/yaml/v3 v3.0.4
go: downloading github.com/felixge/httpsnoop v1.0.4
go: downloading go.opentelemetry.io/otel/metric v1.41.0
go: downloading github.com/mfridman/interpolate v0.0.2
go: downloading github.com/go-logr/logr v1.4.3
go: downloading github.com/go-logr/stdr v1.2.2
go: downloading go.opentelemetry.io/auto/sdk v1.2.1
go: downloading github.com/cespare/xxhash/v2 v2.3.0
go: postgresql-cluster-console/internal/controllers imports
	postgresql-cluster-console/models: package postgresql-cluster-console/models is not in std (/opt/containerbase/tools/golang/1.26.2/src/postgresql-cluster-console/models)
go: postgresql-cluster-console/internal/controllers/cluster imports
	postgresql-cluster-console/restapi/operations/cluster: package postgresql-cluster-console/restapi/operations/cluster is not in std (/opt/containerbase/tools/golang/1.26.2/src/postgresql-cluster-console/restapi/operations/cluster)
go: postgresql-cluster-console/internal/controllers/dictionary imports
	postgresql-cluster-console/restapi/operations/dictionary: package postgresql-cluster-console/restapi/operations/dictionary is not in std (/opt/containerbase/tools/golang/1.26.2/src/postgresql-cluster-console/restapi/operations/dictionary)
go: postgresql-cluster-console/internal/controllers/environment imports
	postgresql-cluster-console/restapi/operations/environment: package postgresql-cluster-console/restapi/operations/environment is not in std (/opt/containerbase/tools/golang/1.26.2/src/postgresql-cluster-console/restapi/operations/environment)
go: postgresql-cluster-console/internal/controllers/operation imports
	postgresql-cluster-console/restapi/operations/operation: package postgresql-cluster-console/restapi/operations/operation is not in std (/opt/containerbase/tools/golang/1.26.2/src/postgresql-cluster-console/restapi/operations/operation)
go: postgresql-cluster-console/internal/controllers/project imports
	postgresql-cluster-console/restapi/operations/project: package postgresql-cluster-console/restapi/operations/project is not in std (/opt/containerbase/tools/golang/1.26.2/src/postgresql-cluster-console/restapi/operations/project)
go: postgresql-cluster-console/internal/controllers/secret imports
	postgresql-cluster-console/restapi/operations/secret: package postgresql-cluster-console/restapi/operations/secret is not in std (/opt/containerbase/tools/golang/1.26.2/src/postgresql-cluster-console/restapi/operations/secret)
go: postgresql-cluster-console/internal/controllers/setting imports
	postgresql-cluster-console/restapi/operations/setting: package postgresql-cluster-console/restapi/operations/setting is not in std (/opt/containerbase/tools/golang/1.26.2/src/postgresql-cluster-console/restapi/operations/setting)
go: postgresql-cluster-console/internal/service imports
	postgresql-cluster-console/restapi/operations: package postgresql-cluster-console/restapi/operations is not in std (/opt/containerbase/tools/golang/1.26.2/src/postgresql-cluster-console/restapi/operations)
go: postgresql-cluster-console/internal/service imports
	postgresql-cluster-console/restapi/operations/system: package postgresql-cluster-console/restapi/operations/system is not in std (/opt/containerbase/tools/golang/1.26.2/src/postgresql-cluster-console/restapi/operations/system)

@vitabaks vitabaks merged commit ed4b191 into main Apr 28, 2026
6 of 7 checks passed
@vitabaks vitabaks deleted the renovate/go-github.com-jackc-pgx-v5-vulnerability branch April 28, 2026 19:54

Labels

dependencies Pull requests that update a dependency file


1 participant