fix: downgrade pgx/v4 to v4.18.3 to address buffer overflow vulnerability

This commit is contained in:
GitHub Actions
2026-04-09 19:09:25 +00:00
parent 5b85d18217
commit 615e5a95f5
2 changed files with 39 additions and 2 deletions


@@ -383,7 +383,7 @@ RUN go get github.com/expr-lang/expr@v${EXPR_LANG_VERSION} && \
go get google.golang.org/grpc@v1.80.0 && \
# CVE-2026-32286: pgproto3/v2 buffer overflow (no v2 fix exists; bump pgx/v4 to latest patch)
# renovate: datasource=go depName=github.com/jackc/pgx/v4
go get github.com/jackc/pgx/v4@v5.9.1 && \
go get github.com/jackc/pgx/v4@v4.18.3 && \
# GHSA-xmrv-pmrh-hhx2: AWS SDK v2 event stream injection
# renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream
go get github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream@v1.7.8 && \