Skip to content

chore(deps): bump the go-dependencies group across 1 directory with 5 updates#170

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go-dependencies-ec9a223621
Open

chore(deps): bump the go-dependencies group across 1 directory with 5 updates#170
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go-dependencies-ec9a223621

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 12, 2026

Copy link
Copy Markdown
Contributor

Bumps the go-dependencies group with 5 updates in the / directory:

Package From To
github.com/a-h/templ 0.3.1001 0.3.1020
github.com/golang-migrate/migrate/v4 4.18.3 4.19.1
github.com/jackc/pgx/v5 5.7.5 5.9.2
github.com/labstack/echo/v4 4.13.4 4.15.2
github.com/lib/pq 1.10.9 1.12.3

Updates github.com/a-h/templ from 0.3.1001 to 0.3.1020

Release notes

Sourced from github.com/a-h/templ's releases.

v0.3.1020

Changelog

  • 09d6b02 chore: bump version
  • a411f13 chore: fix linter warning in test code
  • 524cd39 feat: add -check flag, closes #1007 (#1373)
  • f3d595c feat: add Range to ExpressionAttribute nodes (#1347)
  • 82af17c feat: add Range to GoCode nodes (#1348)
  • cf98cdc feat: add Range to StringExpression nodes (#1349)
  • ff38cee feat: add ranges for attribute node values (#1383)
  • 552ed02 feat: support concurrent rendering of templ components (#1359)
  • b310a97 fix(generatecmd): check cmd.Start() error before inserting cmd in to running map (#1382)
  • 410a80e fix(lsp): delete $GOROOT hack in uri.File
  • 95a0854 fix: allow JSFuncCall on arbitrary HTML attributes (#1375)
  • e581c01 fix: attributes containing a conditional, are always multiline (#1380)
  • b2952ed fix: clear children context in Fragment.Render (#1360)
  • 8fecf2d fix: prevent corrupted output in watch mode with gzip, fixes #1365 (#1366)
  • 7adcb62 fix: show correct updates based on written Go files without watch (#1363)
  • aa493e0 fix: track Range for non-JavaScript ScriptExpression nodes (#1350)
  • d52d64e fix: use dedicated shadow host in Suspense example to ensure header is rendered (#1370)
  • 83176f9 fix: vulnerabilities in x/net (only affects templ watch mode and tests), fixes #1354
Commits
  • 09d6b02 chore: bump version
  • ff38cee feat: add ranges for attribute node values (#1383)
  • e581c01 fix: attributes containing a conditional, are always multiline (#1380)
  • b310a97 fix(generatecmd): check cmd.Start() error before inserting cmd in to `run...
  • 95a0854 fix: allow JSFuncCall on arbitrary HTML attributes (#1375)
  • 8fecf2d fix: prevent corrupted output in watch mode with gzip, fixes #1365 (#1366)
  • a411f13 chore: fix linter warning in test code
  • 524cd39 feat: add -check flag, closes #1007 (#1373)
  • d52d64e fix: use dedicated shadow host in Suspense example to ensure header is render...
  • 552ed02 feat: support concurrent rendering of templ components (#1359)
  • Additional commits viewable in compare view

Updates github.com/golang-migrate/migrate/v4 from 4.18.3 to 4.19.1

Release notes

Sourced from github.com/golang-migrate/migrate/v4's releases.

v4.19.1

What's Changed

New Contributors

Full Changelog: golang-migrate/migrate@v4.19.0...v4.19.1

v4.19.0

What's Changed

New Contributors

Full Changelog: golang-migrate/migrate@v4.18.3...v4.19.0

Commits
  • 89e308c chore: remove dependency on "hashicorp/go-multierror" (#1322)
  • 472ef2e Merge pull request #1336 from golang-migrate/dependabot/go_modules/golang.org...
  • 8d76259 Bump golang.org/x/crypto from 0.43.0 to 0.45.0
  • 9f9df7c chore: Update cloud.google.com/go/spanner version (#1330)
  • a371c8e Merge pull request #1304 from iamonah/fix/clarify-databaseName-meaning
  • 43cc3b3 Merge pull request #1325 from HaraldNordgren/linter_issues
  • f939a89 Merge pull request #1335 from golang-migrate/dependabot/go_modules/golang.org...
  • 6dd86e0 Bump golang.org/x/crypto from 0.36.0 to 0.45.0
  • 70e6d6d Merge pull request #1333 from matsoob/updateGoInBaseImage
  • a51d0da Merge pull request #1334 from golang-migrate/dependabot/go_modules/github.com...
  • Additional commits viewable in compare view

Updates github.com/jackc/pgx/v5 from 5.7.5 to 5.9.2

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.9.2 (April 18, 2026)

Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx)

SQL injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That query contains text that would be would be interpreted outside as a placeholder outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

5.9.1 (March 22, 2026)

  • Fix: batch result format corruption when using cached prepared statements (reported by Dirkjan Bussink)

5.9.0 (March 21, 2026)

This release includes a number of new features such as SCRAM-SHA-256-PLUS support, OAuth authentication support, and PostgreSQL protocol 3.2 support.

It significantly reduces the amount of network traffic when using prepared statements (which are used automatically by default) by avoiding unnecessary Describe Portal messages. This also reduces local memory usage.

It also includes multiple fixes for potential DoS due to panic or OOM if connected to a malicious server that sends deliberately malformed messages.

  • Require Go 1.25+
  • Add SCRAM-SHA-256-PLUS support (Adam Brightwell)
  • Add OAuth authentication support for PostgreSQL 18 (David Schneider)
  • Add PostgreSQL protocol 3.2 support (Dirkjan Bussink)
  • Add tsvector type support (Adam Brightwell)
  • Skip Describe Portal for cached prepared statements reducing network round trips
  • Make LoadTypes query easier to support on "postgres-like" servers (Jelte Fennema-Nio)
  • Default empty user to current OS user matching libpq behavior (ShivangSrivastava)
  • Optimize LRU statement cache with custom linked list and node pooling (Mathias Bogaert)
  • Optimize date scanning by replacing regex with manual parsing (Mathias Bogaert)
  • Optimize pgio append/set functions with direct byte shifts (Mathias Bogaert)
  • Make RowsAffected faster (Abhishek Chanda)
  • Fix: Pipeline.Close panic when server sends multiple FATAL errors (Varun Chawla)
  • Fix: ContextWatcher goroutine leak (Hank Donnay)
  • Fix: stdlib discard connections with open transactions in ResetSession (Jeremy Schneider)

... (truncated)

Commits
  • 0aeabbc Release v5.9.2
  • 60644f8 Fix SQL sanitizer bugs with dollar-quoted strings and placeholder overflow
  • a5680bc Merge pull request #2531 from dolmen-go/godoc-add-links
  • e34e452 doc: Add godoc links
  • 08c9bb1 Fix Stringer types encoded as text instead of numeric value in composite fields
  • 96b4dbd Remove unstable test
  • acf88e0 Merge pull request #2526 from abrightwell/abrightwell-min-proto
  • 2f81f1f Update max_protocol_version and min_protocol_version defaults
  • 4e4eaed Release v5.9.1
  • 6273188 Fix batch result format corruption when using cached prepared statements
  • Additional commits viewable in compare view

Updates github.com/labstack/echo/v4 from 4.13.4 to 4.15.2

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.1

What's Changed

Full Changelog: labstack/echo@v4.15.0...v4.15.1

v4.15.0

Security

WARNING: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship between the request origin and the target. The middleware uses this to make security decisions:

  • same-origin or none: Requests are allowed (exact origin match or direct user navigation)
  • same-site: Falls back to token validation (e.g., subdomain to main domain)
  • cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to traditional token-based CSRF protection.

New Configuration Options:

  • TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
  • AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},
// Custom validation for same-site requests
AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
    // Your custom authorization logic here
    return validateCustomAuth(c), nil
    // return true, err  // blocks request with error
    // return true, nil  // allows CSRF request through
    // return false, nil // falls back to legacy token logic
},

}))

PR: labstack/echo#2858

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.2 - 2026-05-01

Security

Thanks to @​shblue21 for reporting this issue.

v4.15.1 - 2026-02-22

Enhancements

v4.15.0 - 2026-01-01

Security

NB: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship between the request origin and the target. The middleware uses this to make security decisions:

  • same-origin or none: Requests are allowed (exact origin match or direct user navigation)
  • same-site: Falls back to token validation (e.g., subdomain to main domain)
  • cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to traditional token-based CSRF protection.

New Configuration Options:

  • TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
  • AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},
// Custom validation for same-site requests

</tr></table>

... (truncated)

Commits
  • 25685e6 Merge pull request #2963 from aldas/v4_changelog_4_15_2
  • f9d7689 Changelog for v4.15.2
  • 37fff28 Merge pull request #2962 from aldas/v4_valid_proto
  • ca4f38a Context.Scheme should validate values taken from header
  • 2e527a7 Update CI, update deps
  • 6f3a84a Merge pull request #2905 from aldas/v4_crsf_token_fallback
  • 24fa4d0 CSRF: support older token-based CSRF protection handler that want to render t...
  • 482bb46 v4.15.0 changelog
  • d0f9d1e CRSF with Sec-Fetch-Site=same-site falls back to legacy token
  • f3fc618 CRSF with Sec-Fetch-Site checks
  • Additional commits viewable in compare view

Updates github.com/lib/pq from 1.10.9 to 1.12.3

Release notes

Sourced from github.com/lib/pq's releases.

v1.12.3

  • Send datestyle startup parameter, improving compatbility with database engines that use a different default datestyle such as EnterpriseDB (#1312).

#1312: lib/pq#1312

v1.12.2

  • Treat io.ErrUnexpectedEOF as driver.ErrBadConn so database/sql discards the connection. Since v1.12.0 this could result in permanently broken connections, especially with CockroachDB which frequently sends partial messages (#1299).

#1299: lib/pq#1299

v1.12.1

  • Look for pgpass file in ~/.pgpass instead of ~/.postgresql/pgpass (#1300).

  • Don't clear password if directly set on pq.Config (#1302).

#1300: lib/pq#1300 #1302: lib/pq#1302

v1.12.0

  • The next release may change the default sslmode from require to prefer. See #1271 for details.

  • CopyIn() and CopyInToSchema() have been marked as deprecated. These are simple query builders and not needed for COPY [..] FROM STDIN support (which is not deprecated). (#1279)

    // Old
    tx.Prepare(CopyIn("temp", "num", "text", "blob", "nothing"))
    

    // Replacement tx.Prepare(copy temp (num, text, blob, nothing) from stdin)

Features

  • Support protocol 3.2, and the min_protocol_version and max_protocol_version DSN parameters (#1258).

  • Support sslmode=prefer and sslmode=allow (#1270).

  • Support ssl_min_protocol_version and ssl_max_protocol_version (#1277).

  • Support connection service file to load connection details (#1285).

  • Support sslrootcert=system and use ~/.postgresql/root.crt as the default value of sslrootcert (#1280, #1281).

  • Add a new pqerror package with PostgreSQL error codes (#1275).

    For example, to test if an error is a UNIQUE constraint violation:

    if pqErr, ok := errors.AsType[*pq.Error](https://github.com/lib/pq/blob/HEAD/err); ok && pqErr.Code == pqerror.UniqueViolation {
        log.Fatalf("email %q already exsts", email)
    }
    

    To make this a bit more convenient, it also adds a pq.As() function:

... (truncated)

Changelog

Sourced from github.com/lib/pq's changelog.

v1.12.3 (2026-04-03)

  • Send datestyle startup parameter, improving compatbility with database engines that use a different default datestyle such as EnterpriseDB (#1312).

#1312: lib/pq#1312

v1.12.2 (2026-04-02)

  • Treat io.ErrUnexpectedEOF as driver.ErrBadConn so database/sql discards the connection. Since v1.12.0 this could result in permanently broken connections, especially with CockroachDB which frequently sends partial messages (#1299).

#1299: lib/pq#1299

v1.12.1 (2026-03-30)

  • Look for pgpass file in ~/.pgpass instead of ~/.postgresql/pgpass (#1300).

  • Don't clear password if directly set on pq.Config (#1302).

#1300: lib/pq#1300 #1302: lib/pq#1302

v1.12.0 (2026-03-18)

  • The next release may change the default sslmode from require to prefer. See #1271 for details.

  • CopyIn() and CopyInToSchema() have been marked as deprecated. These are simple query builders and not needed for COPY [..] FROM STDIN support (which is not deprecated). (#1279)

    // Old
    tx.Prepare(CopyIn("temp", "num", "text", "blob", "nothing"))
    

    // Replacement tx.Prepare(copy temp (num, text, blob, nothing) from stdin)

Features

  • Support protocol 3.2, and the min_protocol_version and max_protocol_version DSN parameters (#1258).

  • Support sslmode=prefer and sslmode=allow (#1270).

  • Support ssl_min_protocol_version and ssl_max_protocol_version (#1277).

... (truncated)

Commits
  • 1f3e3d9 Send datestyle as a startup parameter (#1312)
  • 32ba56b Expand tests for multiple result sets
  • c2cfac1 Release v1.12.2
  • 859f104 Test CockroachDB
  • 12e464c Allow multiple matches and regexps in pqtest.ErrorContains()
  • 6d77ced Treat io.ErrUnexpectedEOF as driver.ErrBadConn in handleError
  • 71daecb Ensure transactions are closed in pqtest
  • 8f44823 Set PGAPPNAME for tests
  • 4af2196 Fix healthcheck
  • 38a54e4 Split out testdata/init a bit
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

… updates

Bumps the go-dependencies group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/a-h/templ](https://github.com/a-h/templ) | `0.3.1001` | `0.3.1020` |
| [github.com/golang-migrate/migrate/v4](https://github.com/golang-migrate/migrate) | `4.18.3` | `4.19.1` |
| [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) | `5.7.5` | `5.9.2` |
| [github.com/labstack/echo/v4](https://github.com/labstack/echo) | `4.13.4` | `4.15.2` |
| [github.com/lib/pq](https://github.com/lib/pq) | `1.10.9` | `1.12.3` |



Updates `github.com/a-h/templ` from 0.3.1001 to 0.3.1020
- [Release notes](https://github.com/a-h/templ/releases)
- [Commits](a-h/templ@v0.3.1001...v0.3.1020)

Updates `github.com/golang-migrate/migrate/v4` from 4.18.3 to 4.19.1
- [Release notes](https://github.com/golang-migrate/migrate/releases)
- [Commits](golang-migrate/migrate@v4.18.3...v4.19.1)

Updates `github.com/jackc/pgx/v5` from 5.7.5 to 5.9.2
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](jackc/pgx@v5.7.5...v5.9.2)

Updates `github.com/labstack/echo/v4` from 4.13.4 to 4.15.2
- [Release notes](https://github.com/labstack/echo/releases)
- [Changelog](https://github.com/labstack/echo/blob/v4.15.2/CHANGELOG.md)
- [Commits](labstack/echo@v4.13.4...v4.15.2)

Updates `github.com/lib/pq` from 1.10.9 to 1.12.3
- [Release notes](https://github.com/lib/pq/releases)
- [Changelog](https://github.com/lib/pq/blob/master/CHANGELOG.md)
- [Commits](lib/pq@v1.10.9...v1.12.3)

---
updated-dependencies:
- dependency-name: github.com/a-h/templ
  dependency-version: 0.3.1020
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-dependencies
- dependency-name: github.com/golang-migrate/migrate/v4
  dependency-version: 4.19.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.9.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
- dependency-name: github.com/labstack/echo/v4
  dependency-version: 4.15.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
- dependency-name: github.com/lib/pq
  dependency-version: 1.12.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels May 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants