build(deps): bump github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0 by dependabot[bot] · Pull Request #1334 · modelcontextprotocol/registry

dependabot · 2026-06-04T03:35:39Z

Bumps github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0.

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.10.0 (June 3, 2026)

This release includes a significant amount of hardening against malicious or compromised PostgreSQL servers, contributed by Sean Chittenden at CrowdStrike, Inc. This work bounds binary decoders against attacker-controlled message sizes, caps server-supplied SCRAM iteration counts, adds require_auth to restrict which authentication methods a server may use (mitigating downgrade attacks under sslmode=prefer), and ensures cancellation requests are sent over TLS when the original connection used TLS.

Features

Add require_auth to restrict accepted server authentication methods (Sean Chittenden at CrowdStrike, Inc.)

Add ParseConfigOptions.ConnStringAllowedKeys to restrict allowed connection string keys (Sean Chittenden at CrowdStrike, Inc.)

Add StructArgs and StrictStructArgs for @-named queries (Tubelight30)

Add ErrConnClosed sentinel error and unwrap it from connLockError (Charlie Tonneslan)

pgxpool: check if connection is expired before acquire (arthurdotwork)

Security Hardening

Encrypt CancelRequest connection when the primary connection used TLS (Sean Chittenden at CrowdStrike, Inc.)

Cap server-supplied SCRAM iteration count (Sean Chittenden at CrowdStrike, Inc.)

Default Frontend max message body length to ~1 GiB (Sean Chittenden at CrowdStrike, Inc.)

Bound hstore binary decode against malicious server input (Sean Chittenden at CrowdStrike, Inc.)

Bound array binary decode element length against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.)

Bound array element count against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.)

Bound range, multirange, and tsvector binary decoders (Sean Chittenden at CrowdStrike, Inc.)

Document secure connection configuration (Sean Chittenden at CrowdStrike, Inc.)

Fix panic on malformed geometric text; return an error instead (MaIII)

Fixes

Fix scanning "char" (OID 18) into *string in binary format (luongs3)

Fix handling of typed-nil driver.Valuer in array and composite codecs (Donncha Fahy)

Fix CopyData.Data hex decoding in UnmarshalJSON (Charlie Tonneslan)

Fix data race when context is cancelled during connect

Fix parseKeywordValueSettings rejecting trailing whitespace (alliasgher)

pgconn: preserve full error chain in normalizeTimeoutError (Charlie Tonneslan)

pgconn: use a fresh context for the fallback connection in connectPreferred (Charlie Tonneslan)

pgxpool: fix MaxLifetimeDestroyCount and ping order for acquire-time expiry check

Add missing error check of rows.Err to load types (Jen Altavilla)

Commits

7293fb1 Update changelog for v5.10.0
1ade285 pgconn: document secure connection configuration
b4d6d4d pgtype: bound range, multirange, and tsvector binary decoders
0639b37 pgconn: add ParseConfigOptions.ConnStringAllowedKeys
b28e65b pgtype: bound array element count against remaining message bytes
cd1f389 pgtype: bound array binary decode element length against remaining bytes
ff27b5b pgtype: bound hstore binary decode against malicious server input
a6002e1 pgproto3: default Frontend max message body length to ~1 GiB
44f6173 pgconn: cap server-supplied SCRAM iteration count
1a976f7 pgconn: add require_auth to restrict accepted server auth methods
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.9.2 to 5.10.0. - [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md) - [Commits](jackc/pgx@v5.9.2...v5.10.0) --- updated-dependencies: - dependency-name: github.com/jackc/pgx/v5 dependency-version: 5.10.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jun 4, 2026

rdimitrov approved these changes Jun 4, 2026

View reviewed changes

rdimitrov merged commit 227621f into main Jun 4, 2026
4 checks passed

rdimitrov deleted the dependabot/go_modules/github.com/jackc/pgx/v5-5.10.0 branch June 4, 2026 20:03

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0#1334

build(deps): bump github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0#1334
rdimitrov merged 1 commit into
mainfrom
dependabot/go_modules/github.com/jackc/pgx/v5-5.10.0

dependabot Bot commented on behalf of github Jun 4, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github Jun 4, 2026

5.10.0 (June 3, 2026)

Features

Security Hardening

Fixes

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant