fix(database): remove pgx/v4 + pgproto3/v2 CVEs via pgx/v5-only credential-refresh fork

decisions/0002-pgx-v4-pgproto3-risk-acceptance.md

@@ -1,9 +1,38 @@
 # 2. Accept risk: pgx/v4 + pgproto3/v2 vulnerabilities (no upstream fix)
 
 Date: 2026-05-29
-Status: Accepted
+Status: Superseded by the fix below (2026-05-29)
 Context: GitHub Dependabot alerts #23–#25 (high) and #54–#56 (low)
 
+## Superseded — fixed by removing pgx/v4 entirely (2026-05-29)
+
+The risk-acceptance below is no longer in force: the vulnerable packages have
+been **removed from the dependency graph**, not merely accepted.
+
+Root cause: `go-db-credential-refresh@v1.2.1`'s `driver` package imports
+`github.com/jackc/pgx/v4/stdlib` unconditionally (for an optional `"pgxv4"`
+driver) even though the `database` module only ever uses the `"pgx"` driver,
+which the library already maps to **pgx/v5**. So pgx/v4 + pgproto3/v2 were
+dead-but-linked.
+
+Fix: forked the library to `github.com/GoCodeAlone/go-db-credential-refresh`
+(tag `v1.3.0` + nested `store/awsrds/v1.3.0`), dropping the `"pgxv4"` driver and
+its v4 import (pgx/v5, mysql, pq drivers retained). The `database` module + the
+`verbose-debug` / `instance-aware-db` examples now import the fork directly
+(direct require, not `replace` — `replace` does not propagate to consumers).
+`go mod tidy` then drops pgx/v4 + pgproto3/v2 entirely; repo-wide grep confirms
+neither remains in any go.mod/go.sum. Build + tests pass.
+
+Note on `exclude`: a go.mod `exclude` of the vulnerable versions does NOT help
+on its own — every pgx/v4 (≤4.18.3) and pgproto3/v2 (≤2.3.3) version is
+vulnerable, so `exclude` merely forces a *downgrade* to another vulnerable
+version while the package is still imported. Removing the importer (the fork) is
+what eliminates them; no `exclude` is used.
+
+---
+
+## (Historical) original risk-acceptance
+
 ## Context
 
 Dependabot reports two advisories against the `database` module and the

examples/instance-aware-db/go.mod

@@ -15,7 +15,9 @@ require (
 require (
 	filippo.io/edwards25519 v1.1.1 // indirect
 	github.com/BurntSushi/toml v1.6.0 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.38.3 // indirect
+	github.com/GoCodeAlone/go-db-credential-refresh v1.3.0 // indirect
+	github.com/GoCodeAlone/go-db-credential-refresh/store/awsrds v1.3.0 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.39.0 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.31.0 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.18.10 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.6 // indirect
@@ -30,19 +32,11 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sts v1.38.2 // indirect
 	github.com/aws/smithy-go v1.23.0 // indirect
 	github.com/cloudevents/sdk-go/v2 v2.16.2 // indirect
-	github.com/davepgreene/go-db-credential-refresh v1.2.1 // indirect
-	github.com/davepgreene/go-db-credential-refresh/store/awsrds v1.2.1 // indirect
 	github.com/go-sql-driver/mysql v1.9.3 // indirect
 	github.com/golobby/cast v1.3.3 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
-	github.com/jackc/pgconn v1.14.3 // indirect
-	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgproto3/v2 v2.3.3 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgtype v1.14.4 // indirect
-	github.com/jackc/pgx/v4 v4.18.3 // indirect
 	github.com/jackc/pgx/v5 v5.9.2 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -51,7 +45,6 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/sync v0.18.0 // indirect
 	golang.org/x/text v0.31.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

examples/verbose-debug/go.mod

@@ -13,7 +13,9 @@ require (
 require (
 	filippo.io/edwards25519 v1.1.1 // indirect
 	github.com/BurntSushi/toml v1.6.0 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.38.3 // indirect
+	github.com/GoCodeAlone/go-db-credential-refresh v1.3.0 // indirect
+	github.com/GoCodeAlone/go-db-credential-refresh/store/awsrds v1.3.0 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.39.0 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.31.0 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.18.10 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.6 // indirect
@@ -28,20 +30,12 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sts v1.38.2 // indirect
 	github.com/aws/smithy-go v1.23.0 // indirect
 	github.com/cloudevents/sdk-go/v2 v2.16.2 // indirect
-	github.com/davepgreene/go-db-credential-refresh v1.2.1 // indirect
-	github.com/davepgreene/go-db-credential-refresh/store/awsrds v1.2.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/go-sql-driver/mysql v1.9.3 // indirect
 	github.com/golobby/cast v1.3.3 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
-	github.com/jackc/pgconn v1.14.3 // indirect
-	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgproto3/v2 v2.3.3 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgtype v1.14.4 // indirect
-	github.com/jackc/pgx/v4 v4.18.3 // indirect
 	github.com/jackc/pgx/v5 v5.9.2 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -53,7 +47,6 @@ require (
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
 	golang.org/x/sync v0.18.0 // indirect
 	golang.org/x/sys v0.38.0 // indirect