
chore(deps): update security updates [security]#138

Merged
NumaryBot merged 1 commit into main from renovate/security on May 8, 2026

Conversation

@NumaryBot NumaryBot (Contributor) commented Apr 16, 2026

This PR contains the following updates:

Package                    Type      Update   Change
github.com/jackc/pgx/v5    indirect  minor    v5.7.6 -> v5.9.2
golang.org/x/net           indirect  minor    v0.52.0 -> v0.53.0

GitHub Vulnerability Alerts

CVE-2026-33816

Memory-safety vulnerability in github.com/jackc/pgx/v5.

CVE-2026-41889

Impact

SQL Injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That string literal contains text that would be interpreted as a placeholder outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

Patches

The problem is resolved in v5.9.2.

Workarounds

Do not use the simple protocol to execute queries matching all the above conditions.


CVE-2026-33815 in github.com/jackc/pgx

CVE-2026-33815 / GHSA-xgrm-4fwx-7qm8 / GO-2026-4771

More information

Details

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Severity

Unknown

References

No references.

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Memory-safety vulnerability in github.com/jackc/pgx/v5.

CVE-2026-33816 / GHSA-9jj7-4m8r-rfcm / GO-2026-4772

More information

Details

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


CVE-2026-33816 in github.com/jackc/pgx

CVE-2026-33816 / GHSA-9jj7-4m8r-rfcm / GO-2026-4772

More information

Details

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Severity

Unknown

References

No references.

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


pgx: SQL Injection via placeholder confusion with dollar quoted string literals

CVE-2026-41889 / GHSA-j88v-2chj-qfwx

More information

Details

Impact

SQL Injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That string literal contains text that would be interpreted as a placeholder outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

Patches

The problem is resolved in v5.9.2.

Workarounds

Do not use the simple protocol to execute queries matching all the above conditions.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

CVE-2026-33814 / GO-2026-4918

More information

Details

When processing HTTP/2 SETTINGS frames, the transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Release Notes

jackc/pgx (github.com/jackc/pgx/v5)

v5.9.2 / v5.9.1 / v5.9.0 / v5.8.0 (compare links only; no release notes are reproduced in the PR body)


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



This PR has been generated by Renovate Bot.

Summary by CodeRabbit

  • Chores
    • Updated several Go runtime and third‑party dependency versions (including pgx and various golang.org/x packages) to improve security, compatibility, and performance across the application.
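The four conditions in the pgx advisory above double as an audit checklist, and conditions 2 and 3 (a dollar-quoted literal whose body contains placeholder-looking text) are visible in the query text alone. The Go program below is an added example, not code from pgx, Renovate or this repository: it scans a query for `$N` placeholders that sit inside `$tag$...$tag$` or `$$...$$` literals, so that queries run with QueryExecModeSimpleProtocol can be flagged in a code review or a test suite independently of taking the v5.9.2 fix. The Finding type and the function names are the example's own; it assumes only PostgreSQL's lexical rules for dollar quotes (an optional identifier tag that cannot start with a digit) and positional placeholders, and it does not handle SQL comments.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// Finding is a positional placeholder ($N) found inside a dollar-quoted
// literal, i.e. a query matching conditions 2 and 3 of the advisory.
type Finding struct {
	Placeholder int    // the N in $N
	Tag         string // dollar-quote tag, "" for $$...$$
	Offset      int    // byte offset of the $N in the query
}

// Dollar-quote tags are optional identifiers (letters, digits, underscore,
// no leading digit), so "$1" can never open a dollar quote.
func isTagStart(r rune) bool { return r == '_' || unicode.IsLetter(r) }
func isTagChar(r rune) bool  { return isTagStart(r) || unicode.IsDigit(r) }

// readDollarTag reports whether s[i:] opens a dollar quote ("$$" or "$tag$").
func readDollarTag(s string, i int) (tag string, ok bool) {
	j := i + 1
	if j < len(s) && isTagStart(rune(s[j])) {
		for j < len(s) && isTagChar(rune(s[j])) {
			j++
		}
	}
	if j < len(s) && s[j] == '$' {
		return s[i+1 : j], true
	}
	return "", false
}

// readPlaceholder reports whether s[i:] is "$N", returning N and the end offset.
func readPlaceholder(s string, i int) (n, end int, ok bool) {
	if s[i] != '$' {
		return 0, 0, false
	}
	j := i + 1
	for j < len(s) && s[j] >= '0' && s[j] <= '9' {
		j++
	}
	if j == i+1 {
		return 0, 0, false
	}
	n, _ = strconv.Atoi(s[i+1 : j])
	return n, j, true
}

// PlaceholdersInDollarQuotes returns every $N that sits inside a dollar-quoted
// literal. Single-quoted literals are skipped so a '$' in them is not taken for
// an opener. SQL comments are not handled (a "$tag$" in a comment is treated as
// an opener), which errs on the side of reporting.
func PlaceholdersInDollarQuotes(sql string) []Finding {
	var out []Finding
	for i := 0; i < len(sql); {
		switch sql[i] {
		case '\'': // skip '...'; '' is an escaped quote inside the literal
			i++
			for i < len(sql) {
				if sql[i] == '\'' {
					if i+1 < len(sql) && sql[i+1] == '\'' {
						i += 2
						continue
					}
					i++
					break
				}
				i++
			}
		case '$':
			tag, ok := readDollarTag(sql, i)
			if !ok {
				i++ // a bare $N outside any literal: the normal, safe case
				continue
			}
			closer := "$" + tag + "$"
			i += len(closer)
			for i < len(sql) && !strings.HasPrefix(sql[i:], closer) {
				if n, end, ok := readPlaceholder(sql, i); ok {
					out = append(out, Finding{Placeholder: n, Tag: tag, Offset: i})
					i = end
					continue
				}
				i++
			}
			if i < len(sql) {
				i += len(closer) // consume the closing delimiter
			}
		default:
			i++
		}
	}
	return out
}

// SafeForSimpleProtocol is the audit check: true when no placeholder sits
// inside a dollar-quoted literal, so the query cannot meet condition 3.
func SafeForSimpleProtocol(sql string) bool {
	return len(PlaceholdersInDollarQuotes(sql)) == 0
}

func main() {
	q := "select $tag$ $1 $tag$, $1" // the advisory's own query
	for _, f := range PlaceholdersInDollarQuotes(q) {
		fmt.Printf("$%d inside $%s$ literal at offset %d\n", f.Placeholder, f.Tag, f.Offset)
	}
	fmt.Println("safe for simple protocol:", SafeForSimpleProtocol(q))
}
```

On the advisory's query the scanner reports the `$1` inside the `$tag$` literal at offset 13 and marks the query unsafe; `select $1, 'a$1b'` and `select $$ no placeholder $$, $1` pass. Condition 1 (which exec mode is used) is not in the query text, so a complete audit pairs this check with a search for QueryExecModeSimpleProtocol in call sites and the connection config.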

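RFC 9113 (HTTP/2) restricts SETTINGS_MAX_FRAME_SIZE to the range 2^14 through 2^24-1 and requires a connection error of type PROTOCOL_ERROR for any other value; a transport that instead honours a value of 0 can never fit a header block into a frame, which is the CONTINUATION-writing loop the golang.org/x/net entry above describes. The Go program below is an added example, not code from golang.org/x/net or this repository: it parses a raw SETTINGS frame and enforces that range, together with the other section 6.5 rules, before any value is accepted, and rejects a constructed frame announcing MAX_FRAME_SIZE=0. ParseSettingsFrame, BuildSettingsFrame and the Setting type are the example's own names.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame type, flag and setting identifiers from RFC 9113.
const (
	frameTypeSettings = 0x4
	flagSettingsAck   = 0x1

	SettingEnablePush        uint16 = 0x2
	SettingInitialWindowSize uint16 = 0x4
	SettingMaxFrameSize      uint16 = 0x5

	minMaxFrameSize = 1 << 14   // 16384: the initial and smallest legal value
	maxMaxFrameSize = 1<<24 - 1 // 16777215
	maxWindowSize   = 1<<31 - 1
)

// Connection-level error codes the receiver must answer with (via GOAWAY).
var (
	ErrFrameSize   = errors.New("FRAME_SIZE_ERROR")
	ErrProtocol    = errors.New("PROTOCOL_ERROR")
	ErrFlowControl = errors.New("FLOW_CONTROL_ERROR")
)

// Setting is one id/value pair carried in a SETTINGS payload.
type Setting struct {
	ID    uint16
	Value uint32
}

// ParseSettingsFrame decodes one frame (9-byte header followed by payload)
// that is expected to be SETTINGS and applies the RFC 9113 section 6.5 rules
// before any value is accepted. Unknown identifiers are returned but carry no
// meaning; the RFC requires a receiver to ignore them.
func ParseSettingsFrame(frame []byte) (map[uint16]uint32, error) {
	if len(frame) < 9 {
		return nil, fmt.Errorf("%w: truncated frame header", ErrFrameSize)
	}
	length := int(frame[0])<<16 | int(frame[1])<<8 | int(frame[2])
	ftype, flags := frame[3], frame[4]
	streamID := binary.BigEndian.Uint32(frame[5:9]) & 0x7fffffff
	payload := frame[9:]
	if len(payload) != length {
		return nil, fmt.Errorf("%w: header length %d, payload %d", ErrFrameSize, length, len(payload))
	}
	if ftype != frameTypeSettings {
		return nil, fmt.Errorf("%w: frame type 0x%x is not SETTINGS", ErrProtocol, ftype)
	}
	if streamID != 0 {
		return nil, fmt.Errorf("%w: SETTINGS on stream %d", ErrProtocol, streamID)
	}
	if flags&flagSettingsAck != 0 {
		if length != 0 {
			return nil, fmt.Errorf("%w: SETTINGS ACK with payload", ErrFrameSize)
		}
		return map[uint16]uint32{}, nil
	}
	if length%6 != 0 {
		return nil, fmt.Errorf("%w: SETTINGS payload length %d", ErrFrameSize, length)
	}
	settings := make(map[uint16]uint32)
	for off := 0; off < length; off += 6 {
		id := binary.BigEndian.Uint16(payload[off:])
		val := binary.BigEndian.Uint32(payload[off+2:])
		switch id {
		case SettingEnablePush:
			if val > 1 {
				return nil, fmt.Errorf("%w: ENABLE_PUSH=%d", ErrProtocol, val)
			}
		case SettingInitialWindowSize:
			if val > maxWindowSize {
				return nil, fmt.Errorf("%w: INITIAL_WINDOW_SIZE=%d", ErrFlowControl, val)
			}
		case SettingMaxFrameSize:
			// Accepting 0 here is what lets a writer that honours the value
			// loop: no header block can ever be fully written in 0-byte frames.
			if val < minMaxFrameSize || val > maxMaxFrameSize {
				return nil, fmt.Errorf("%w: MAX_FRAME_SIZE=%d outside [%d,%d]", ErrProtocol, val, minMaxFrameSize, maxMaxFrameSize)
			}
		}
		settings[id] = val
	}
	return settings, nil
}

// BuildSettingsFrame assembles a SETTINGS frame on stream 0 with no flags.
func BuildSettingsFrame(settings []Setting) []byte {
	n := 6 * len(settings)
	frame := []byte{byte(n >> 16), byte(n >> 8), byte(n), frameTypeSettings, 0, 0, 0, 0, 0}
	for _, s := range settings {
		var pair [6]byte
		binary.BigEndian.PutUint16(pair[0:2], s.ID)
		binary.BigEndian.PutUint32(pair[2:6], s.Value)
		frame = append(frame, pair[:]...)
	}
	return frame
}

func main() {
	// Constructed peer SETTINGS frame announcing MAX_FRAME_SIZE=0.
	bad := BuildSettingsFrame([]Setting{{SettingMaxFrameSize, 0}})
	if _, err := ParseSettingsFrame(bad); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The check runs before the value is stored, so a peer advertising 0 is answered with PROTOCOL_ERROR instead of being given a frame-size limit that the writer can never satisfy. The same ordering (validate, then apply) is the general defence for every setting: the window-size and ENABLE_PUSH bounds are handled the same way.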
@NumaryBot NumaryBot enabled auto-merge (squash) April 16, 2026 03:01
@coderabbitai coderabbitai Bot commented Apr 16, 2026


Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 27add71c-449f-46ec-86df-a6389e35cee2

📥 Commits

Reviewing files that changed from the base of the PR and between 89ecdfd and 5df4491.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.


📝 Walkthrough

Walkthrough

Bumps several indirect Go module versions in go.mod: golang.org/x/text to v0.36.0, github.com/jackc/pgx/v5 (indirect) to v5.9.2, and golang.org/x/crypto, golang.org/x/net, golang.org/x/sys, golang.org/x/tools to newer patch/minor versions.

Changes

Dependency Update

Layer / File(s)            Summary
Go module pins (go.mod)    Updates golang.org/x/text v0.35.0 → v0.36.0; github.com/jackc/pgx/v5 v5.7.6 → v5.9.2 (indirect); and golang.org/x/crypto v0.49.0 → v0.50.0, golang.org/x/net v0.52.0 → v0.53.0, golang.org/x/sys v0.42.0 → v0.43.0, golang.org/x/tools v0.42.0 → v0.43.0 (all indirect).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I nibbled go.mod late at night,
versions hopped forward, snug and light.
pgx and text took tiny leaps,
minor deps woke from quieter sleeps,
now builds hum soft as carrot dreams. 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Description Check (✅ Passed): Check skipped - CodeRabbit's high-level summary is enabled.
Title check (✅ Passed): The title accurately describes the main change: updating dependencies with security fixes for critical vulnerabilities (CVE-2026-33815, CVE-2026-33816, CVE-2026-33814).
Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.




@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 104: The go.mod dependency line for github.com/jackc/pgx/v5 should be
bumped from v5.9.0 to v5.9.1 to pull in the latest security patch; update the
version string for the module named "github.com/jackc/pgx/v5" and then run "go
get github.com/jackc/pgx/v5@v5.9.1" (or equivalent) followed by "go mod tidy" to
refresh go.sum and ensure the lockfile and transitive deps are updated; verify
no import paths or code changes are required for pgx functions/types used in the
codebase after the upgrade.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8674f14c-df16-4e0c-865f-d0001ec5011a

📥 Commits

Reviewing files that changed from the base of the PR and between eb9ce86 and d88807a.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

flemzord
flemzord previously approved these changes Apr 16, 2026
@NumaryBot NumaryBot changed the title from "chore(deps): update module github.com/jackc/pgx/v5 to v5.9.0 [security]" to "chore(deps): update module github.com/jackc/pgx/v5 to v5.9.2 [security]" Apr 23, 2026
@NumaryBot NumaryBot force-pushed the renovate/security branch 2 times, most recently from 869e773 to 89ecdfd May 8, 2026 03:02
@NumaryBot NumaryBot changed the title from "chore(deps): update module github.com/jackc/pgx/v5 to v5.9.2 [security]" to "chore(deps): update security updates [security]" May 8, 2026
@NumaryBot NumaryBot (Contributor, Author) commented
ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 4 additional dependencies were updated

Details:

Package                Change
golang.org/x/text      v0.35.0 -> v0.36.0
golang.org/x/crypto    v0.49.0 -> v0.50.0
golang.org/x/sys       v0.42.0 -> v0.43.0
golang.org/x/tools     v0.42.0 -> v0.43.0

@flemzord flemzord force-pushed the renovate/security branch from 89ecdfd to 5df4491 May 8, 2026 11:28
@NumaryBot NumaryBot merged commit d426699 into main May 8, 2026
5 of 6 checks passed
@NumaryBot NumaryBot deleted the renovate/security branch May 8, 2026 11:29