chore(deps): bump the gomod-patch-and-minor group across 1 directory with 3 updates #99

Merged: Jannes-Dailidow merged 1 commit into main from dependabot/go_modules/gomod-patch-and-minor-48cc2fe095 on Apr 23, 2026

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Bumps the gomod-patch-and-minor group with 3 updates in the / directory: github.com/jackc/pgx/v5, modernc.org/sqlite and github.com/charmbracelet/x/ansi.

Updates github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.9.2 (April 18, 2026)

Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx)

SQL injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That query contains text that would be interpreted as a placeholder outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

```go
attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)
```

This is unlikely to occur outside of a contrived scenario.

Commits
  • 0aeabbc Release v5.9.2
  • 60644f8 Fix SQL sanitizer bugs with dollar-quoted strings and placeholder overflow
  • a5680bc Merge pull request #2531 from dolmen-go/godoc-add-links
  • e34e452 doc: Add godoc links
  • 08c9bb1 Fix Stringer types encoded as text instead of numeric value in composite fields
  • 96b4dbd Remove unstable test
  • acf88e0 Merge pull request #2526 from abrightwell/abrightwell-min-proto
  • 2f81f1f Update max_protocol_version and min_protocol_version defaults
  • See full diff in compare view

Updates modernc.org/sqlite from 1.48.2 to 1.49.1

Updates github.com/charmbracelet/x/ansi from 0.11.6 to 0.11.7

Commits
  • 6921c75 fix(ansi): width: always use grapheme finder for width calculation
  • 266cf5a chore(deps): bump the all group across 1 directory with 2 updates (#836)
  • ad0b1ae chore(scripts): update builds script to use codecov v6 and dependabot/fetch-m...
  • b18aac2 chore(deps): bump golang.org/x/image in /vttest in the all group (#840)
  • ffd2a07 chore(deps): bump golang.org/x/image in /mosaic in the all group (#839)
  • 7664402 chore(deps): bump golang.org/x/sys in /input in the all group (#833)
  • 44f725f chore(deps): bump github.com/mattn/go-runewidth (#838)
  • ac9fd4b chore(deps): bump github.com/mattn/go-runewidth (#837)
  • e969fb5 chore(deps): bump golang.org/x/sys in /termios in the all group (#828)
  • acb1aa7 chore(deps): bump golang.org/x/crypto in /sshkey in the all group (#835)
  • Additional commits viewable in compare view
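
The placeholder confusion described in the pgx 5.9.2 changelog entry above, shown as an added example that is not part of this pull request or of pgx. It is a toy client-side interpolator (the names `interpolate` and `dollarLiteralLen` are hypothetical, and it handles only `$1` and ASCII dollar-quote tags) run on the changelog's query and value, once without and once with awareness of dollar-quoted literals.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var dollarTag = regexp.MustCompile(`^\$([A-Za-z_][A-Za-z0-9_]*)?\$`) // $$ or $tag$

// dollarLiteralLen returns the length of the dollar-quoted literal at the start of s, or 0.
func dollarLiteralLen(s string) int {
	tag := dollarTag.FindString(s)
	if tag == "" {
		return 0
	}
	if end := strings.Index(s[len(tag):], tag); end >= 0 {
		return 2*len(tag) + end
	}
	return len(s) // unterminated: the rest is literal, never substitute into it
}

// interpolate is a toy client-side substitution of $1 only (a model built for
// this example, not pgx's sanitizer); dollarAware toggles the literal check.
func interpolate(sql, arg string, dollarAware bool) string {
	quoted := "'" + strings.ReplaceAll(arg, "'", "''") + "'"
	var out strings.Builder
	for i := 0; i < len(sql); {
		n, piece := 1, sql[i:i+1]
		if l := dollarLiteralLen(sql[i:]); dollarAware && l > 0 {
			n, piece = l, sql[i:i+l] // copy the literal through untouched
		} else if strings.HasPrefix(sql[i:], "$1") {
			n, piece = 2, quoted
		}
		out.WriteString(piece)
		i += n
	}
	return out.String()
}

func main() {
	// Query and value as given in the changelog entry.
	q, v := "select $tag$ $1 $tag$, $1", "$tag$; drop table canary; --"
	for _, aware := range []bool{false, true} {
		s := interpolate(q, v, aware)
		i := strings.Index(s, "$tag$") // where the server's first dollar-quoted literal opens
		fmt.Printf("aware=%v\n  sql:     %s\n  literal: %q\n", aware, s, s[i:i+dollarLiteralLen(s[i:])])
	}
}
```

Without the literal check, the substituted value's own `$tag$` closes the dollar-quoted literal early, so the text after it is parsed as SQL rather than data. With the check, the `$1` inside the literal is left alone and only the trailing placeholder is replaced.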

@dependabot dependabot Bot added dependencies Welcome to hell. go Runtime issues labels Apr 20, 2026
Bumps the gomod-patch-and-minor group with 3 updates: [github.com/jackc/pgx/v5](https://github.com/jackc/pgx), [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) and [github.com/charmbracelet/x/ansi](https://github.com/charmbracelet/x).


Updates `github.com/jackc/pgx/v5` from 5.9.1 to 5.9.2
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](jackc/pgx@v5.9.1...v5.9.2)

Updates `modernc.org/sqlite` from 1.48.2 to 1.49.1
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.48.2...v1.49.1)

Updates `github.com/charmbracelet/x/ansi` from 0.11.6 to 0.11.7
- [Commits](charmbracelet/x@ansi/v0.11.6...ansi/v0.11.7)

---
updated-dependencies:
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.9.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod-patch-and-minor
- dependency-name: modernc.org/sqlite
  dependency-version: 1.49.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-patch-and-minor
- dependency-name: github.com/charmbracelet/x/ansi
  dependency-version: 0.11.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod-patch-and-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump the gomod-patch-and-minor group with 3 updates chore(deps): bump the gomod-patch-and-minor group across 1 directory with 3 updates Apr 21, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/gomod-patch-and-minor-48cc2fe095 branch from 934f7e8 to db18e1e April 21, 2026 12:59
@Jannes-Dailidow Jannes-Dailidow merged commit 73e458d into main Apr 23, 2026
2 of 3 checks passed
@Jannes-Dailidow Jannes-Dailidow deleted the dependabot/go_modules/gomod-patch-and-minor-48cc2fe095 branch April 23, 2026 20:35