build(deps): bump github.com/jackc/pgx/v5 from 5.7.6 to 5.10.0 in /integrations/pgxguard

[dependabot]

Bumps github.com/jackc/pgx/v5 from 5.7.6 to 5.10.0.

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.10.0 (June 3, 2026)

This release includes a significant amount of hardening against malicious or compromised PostgreSQL servers, contributed by Sean Chittenden at CrowdStrike, Inc. This work bounds binary decoders against attacker-controlled message sizes, caps server-supplied SCRAM iteration counts, adds require_auth to restrict which authentication methods a server may use (mitigating downgrade attacks under sslmode=prefer), and ensures cancellation requests are sent over TLS when the original connection used TLS.

Features

• Add require_auth to restrict accepted server authentication methods (Sean Chittenden at CrowdStrike, Inc.)
• Add ParseConfigOptions.ConnStringAllowedKeys to restrict allowed connection string keys (Sean Chittenden at CrowdStrike, Inc.)
• Add StructArgs and StrictStructArgs for @-named queries (Tubelight30)
• Add ErrConnClosed sentinel error and unwrap it from connLockError (Charlie Tonneslan)
• pgxpool: check if connection is expired before acquire (arthurdotwork)

Security Hardening

• Encrypt CancelRequest connection when the primary connection used TLS (Sean Chittenden at CrowdStrike, Inc.)
• Cap server-supplied SCRAM iteration count (Sean Chittenden at CrowdStrike, Inc.)
• Default Frontend max message body length to ~1 GiB (Sean Chittenden at CrowdStrike, Inc.)
• Bound hstore binary decode against malicious server input (Sean Chittenden at CrowdStrike, Inc.)
• Bound array binary decode element length against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.)
• Bound array element count against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.)
• Bound range, multirange, and tsvector binary decoders (Sean Chittenden at CrowdStrike, Inc.)
• Document secure connection configuration (Sean Chittenden at CrowdStrike, Inc.)
• Fix panic on malformed geometric text; return an error instead (MaIII)

Fixes

• Fix scanning "char" (OID 18) into *string in binary format (luongs3)
• Fix handling of typed-nil driver.Valuer in array and composite codecs (Donncha Fahy)
• Fix CopyData.Data hex decoding in UnmarshalJSON (Charlie Tonneslan)
• Fix data race when context is cancelled during connect
• Fix parseKeywordValueSettings rejecting trailing whitespace (alliasgher)
• pgconn: preserve full error chain in normalizeTimeoutError (Charlie Tonneslan)
• pgconn: use a fresh context for the fallback connection in connectPreferred (Charlie Tonneslan)
• pgxpool: fix MaxLifetimeDestroyCount and ping order for acquire-time expiry check
• Add missing error check of rows.Err to load types (Jen Altavilla)

5.9.2 (April 18, 2026)

Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx)

SQL injection can occur when:

1. The non-default simple protocol is used.
2. A dollar quoted string literal is used in the SQL query.
3. That query contains text that would be would be interpreted outside as a placeholder outside of a string literal.
4. The value of that placeholder is controllable by the attacker.

... (truncated)

Commits

• 7293fb1 Update changelog for v5.10.0
• 1ade285 pgconn: document secure connection configuration
• b4d6d4d pgtype: bound range, multirange, and tsvector binary decoders
• 0639b37 pgconn: add ParseConfigOptions.ConnStringAllowedKeys
• b28e65b pgtype: bound array element count against remaining message bytes
• cd1f389 pgtype: bound array binary decode element length against remaining bytes
• ff27b5b pgtype: bound hstore binary decode against malicious server input
• a6002e1 pgproto3: default Frontend max message body length to ~1 GiB
• 44f6173 pgconn: cap server-supplied SCRAM iteration count
• 1a976f7 pgconn: add require_auth to restrict accepted server auth methods
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

• Chores
  • Updated internal dependencies to maintain compatibility and stability.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: b0cd7a6d-4160-40de-b4d1-d5ed0417dae3

📥 Commits

Reviewing files that changed from the base of the PR and between 6903d4f and 7bc5605.

⛔ Files ignored due to path filters (1)

• integrations/pgxguard/go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• integrations/pgxguard/go.mod

---

Walkthrough

The pgxguard integration module dependency file updates pgx to v5.10.0, advances golang.org/x/text to v0.29.0, removes an indirect golang.org/x/crypto constraint, and reorganizes the require block structure while preserving the local sqlguard replacement.

Changes

PGXGuard Dependency Updates

Layer / File(s)	Summary
pgx and text version updates integrations/pgxguard/go.mod	github.com/jackc/pgx/v5 bumped to v5.10.0 from v5.7.6, golang.org/x/text updated to v0.29.0, indirect golang.org/x/crypto removed, require blocks reorganized.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🔗 Dependencies dance, pgx ascends two versions high,
Text strings speak in newer tongues, crypto fades goodbye,
Require blocks realign with grace—clean schemas reign,
Zero-dependency dreams drift onward through the chain. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: a dependency bump of pgx/v5 in the pgxguard integration, matching the actual modification in go.mod.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/go_modules/integrations/pgxguard/github.com/jackc/pgx/v5-5.10.0

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}