Skip to content

Bump the go-dependencies group across 1 directory with 3 updates#46

Merged
bgentry merged 1 commit into
masterfrom
dependabot/go_modules/go-dependencies-1be2ff1847
Jun 9, 2026
Merged

Bump the go-dependencies group across 1 directory with 3 updates#46
bgentry merged 1 commit into
masterfrom
dependabot/go_modules/go-dependencies-1be2ff1847

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026

Copy link
Copy Markdown
Contributor

Bumps the go-dependencies group with 3 updates in the / directory: github.com/go-playground/validator/v10, github.com/jackc/pgx/v5 and github.com/riverqueue/river/rivershared.

Updates github.com/go-playground/validator/v10 from 10.30.2 to 10.30.3

Release notes

Sourced from github.com/go-playground/validator/v10's releases.

v10.30.3

What's Changed

New Contributors

Full Changelog: go-playground/validator@v10.30.2...v10.30.3

Commits
  • ac4c1ba fix(docs): correct ripemd160 tag name in README validation table (#1582)
  • feacb34 feat: omit blank tag names from namespace (#1567)
  • 5ed0a7e chore(deps): bump golang.org/x/crypto from 0.51.0 to 0.52.0 (#1580)
  • 0364541 fix(cron): anchor regex and accept full cron syntax (#1577)
  • 8eb2659 chore(deps): bump golang.org/x/crypto from 0.50.0 to 0.51.0 (#1571)
  • f7e1721 chore(deps): bump golang.org/x/text from 0.36.0 to 0.37.0 (#1572)
  • cf37fce fix(lint): correctly disable govet inline analyzer & deprecated gomodguard (#...
  • 7c334e5 fix: reject hostnames with trailing hyphen in RFC 952 validator (#1569)
  • 6bcb7bc feat: add origin validator for web origin URLs (#1565)
  • 6fd2fa8 docs: fix typos (#1568)
  • Additional commits viewable in compare view

Updates github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.10.0 (June 3, 2026)

This release includes a significant amount of hardening against malicious or compromised PostgreSQL servers, contributed by Sean Chittenden at CrowdStrike, Inc. This work bounds binary decoders against attacker-controlled message sizes, caps server-supplied SCRAM iteration counts, adds require_auth to restrict which authentication methods a server may use (mitigating downgrade attacks under sslmode=prefer), and ensures cancellation requests are sent over TLS when the original connection used TLS.

Features

  • Add require_auth to restrict accepted server authentication methods (Sean Chittenden at CrowdStrike, Inc.)
  • Add ParseConfigOptions.ConnStringAllowedKeys to restrict allowed connection string keys (Sean Chittenden at CrowdStrike, Inc.)
  • Add StructArgs and StrictStructArgs for @-named queries (Tubelight30)
  • Add ErrConnClosed sentinel error and unwrap it from connLockError (Charlie Tonneslan)
  • pgxpool: check if connection is expired before acquire (arthurdotwork)

Security Hardening

  • Encrypt CancelRequest connection when the primary connection used TLS (Sean Chittenden at CrowdStrike, Inc.)
  • Cap server-supplied SCRAM iteration count (Sean Chittenden at CrowdStrike, Inc.)
  • Default Frontend max message body length to ~1 GiB (Sean Chittenden at CrowdStrike, Inc.)
  • Bound hstore binary decode against malicious server input (Sean Chittenden at CrowdStrike, Inc.)
  • Bound array binary decode element length against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.)
  • Bound array element count against remaining message bytes (Sean Chittenden at CrowdStrike, Inc.)
  • Bound range, multirange, and tsvector binary decoders (Sean Chittenden at CrowdStrike, Inc.)
  • Document secure connection configuration (Sean Chittenden at CrowdStrike, Inc.)
  • Fix panic on malformed geometric text; return an error instead (MaIII)

Fixes

  • Fix scanning "char" (OID 18) into *string in binary format (luongs3)
  • Fix handling of typed-nil driver.Valuer in array and composite codecs (Donncha Fahy)
  • Fix CopyData.Data hex decoding in UnmarshalJSON (Charlie Tonneslan)
  • Fix data race when context is cancelled during connect
  • Fix parseKeywordValueSettings rejecting trailing whitespace (alliasgher)
  • pgconn: preserve full error chain in normalizeTimeoutError (Charlie Tonneslan)
  • pgconn: use a fresh context for the fallback connection in connectPreferred (Charlie Tonneslan)
  • pgxpool: fix MaxLifetimeDestroyCount and ping order for acquire-time expiry check
  • Add missing error check of rows.Err to load types (Jen Altavilla)
Commits
  • 7293fb1 Update changelog for v5.10.0
  • 1ade285 pgconn: document secure connection configuration
  • b4d6d4d pgtype: bound range, multirange, and tsvector binary decoders
  • 0639b37 pgconn: add ParseConfigOptions.ConnStringAllowedKeys
  • b28e65b pgtype: bound array element count against remaining message bytes
  • cd1f389 pgtype: bound array binary decode element length against remaining bytes
  • ff27b5b pgtype: bound hstore binary decode against malicious server input
  • a6002e1 pgproto3: default Frontend max message body length to ~1 GiB
  • 44f6173 pgconn: cap server-supplied SCRAM iteration count
  • 1a976f7 pgconn: add require_auth to restrict accepted server auth methods
  • Additional commits viewable in compare view

Updates github.com/riverqueue/river/rivershared from 0.38.0 to 0.39.0

Release notes

Sourced from github.com/riverqueue/river/rivershared's releases.

v0.39.0

⚠️ Breaking API change: rivermigrate.Migrator.Validate and rivermigrate.Migrator.ValidateTx now take a *rivermigrate.ValidateOpts parameter. Pass nil to preserve previous behavior. We normally endeavor not to make any breaking API changes, but this one will keep the API in a much nicer state, and is on an ancillary function that most installations won't be using. [PR #1259](riverqueue/river#1259)

Added

  • Added MetadataSet to stage job metadata updates from worker middleware, HookWorkBegin, workers, or HookWorkEnd, with changes persisted when the job is completed. [PR #1269](riverqueue/river#1269)

Changed

  • Add rivermigrate.ValidateOpts.TargetVersion so validation can check migrations up to a specific target version, matching the target-version behavior available on Migrate and MigrateTx. Notably, this is a breaking API change as the validate functions previously didn't take any options. [PR #1259](riverqueue/river#1259)
  • When using (*Migrator[TTx]).Migrate with a TargetVersion that's already applied, River now no-ops idempotently instead of returning an error as a user convenience. [PR #1260](riverqueue/river#1260)
  • Add logging statement for dropped job and queue subscription events at warn level when a subscriber buffer is full. [PR #1271](riverqueue/river#1271)

Fixed

  • Add a 10-second timeout around StandardPilot.JobGetAvailable so a stalled standard-pilot fetch no longer hangs a producer indefinitely. [PR #1255](riverqueue/river#1255)
  • Fixed rivertest.Worker.Work and WorkJob to honor a configured custom Config.Schema when transitioning a job to its running state. Previously, the running-state update ran unqualified and could fail on a connection whose search_path didn't include the configured schema. [PR #1262](riverqueue/river#1262)
Changelog

Sourced from github.com/riverqueue/river/rivershared's changelog.

[0.39.0] - 2026-06-03

⚠️ Breaking API change: rivermigrate.Migrator.Validate and rivermigrate.Migrator.ValidateTx now take a *rivermigrate.ValidateOpts parameter. Pass nil to preserve previous behavior. We normally endeavor not to make any breaking API changes, but this one will keep the API in a much nicer state, and is on an ancillary function that most installations won't be using. [PR #1259](riverqueue/river#1259)

Added

  • Added MetadataSet to stage job metadata updates from worker middleware, HookWorkBegin, workers, or HookWorkEnd, with changes persisted when the job is completed. [PR #1269](riverqueue/river#1269)

Changed

  • Add rivermigrate.ValidateOpts.TargetVersion so validation can check migrations up to a specific target version, matching the target-version behavior available on Migrate and MigrateTx. Notably, this is a breaking API change as the validate functions previously didn't take any options. [PR #1259](riverqueue/river#1259)
  • When using (*Migrator[TTx]).Migrate with a TargetVersion that's already applied, River now no-ops idempotently instead of returning an error as a user convenience. [PR #1260](riverqueue/river#1260)
  • Add logging statement for dropped job and queue subscription events at warn level when a subscriber buffer is full. [PR #1271](riverqueue/river#1271)

Fixed

  • Add a 10-second timeout around StandardPilot.JobGetAvailable so a stalled standard-pilot fetch no longer hangs a producer indefinitely. [PR #1255](riverqueue/river#1255)
  • Fixed rivertest.Worker.Work and WorkJob to honor a configured custom Config.Schema when transitioning a job to its running state. Previously, the running-state update ran unqualified and could fail on a connection whose search_path didn't include the configured schema. [PR #1262](riverqueue/river#1262)
Commits
  • 5535390 Prepare release v0.39.0 (#1273)
  • eead0e5 Standardize "hot" operation timeout (#1268)
  • 1ca3420 Log dropped subscription events (#1271)
  • dfc32de Add helper for job metadata updates (#1269)
  • 9e7035d Bump the go-dependencies group across 3 directories with 1 update (#1267)
  • 0808652 Clarify worker cancellation requirements for stuck jobs (#1264)
  • 965dbad Add timeout to standard pilot fetch (#1255)
  • 698d808 Make up migrations with TargetVersion idempotent (#1261)
  • 87e82c3 Honor Config.Schema for the running-state transition in rivertest.Worker ...
  • 61c6ac7 Add options to migrator Validate functions + option for TargetVersion (#1...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the go-dependencies group across 1 directory with 3 updates
2960984 
Bumps the go-dependencies group with 3 updates in the / directory: [github.com/go-playground/validator/v10](https://github.com/go-playground/validator), [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) and [github.com/riverqueue/river/rivershared](https://github.com/riverqueue/river).


Updates `github.com/go-playground/validator/v10` from 10.30.2 to 10.30.3
- [Release notes](https://github.com/go-playground/validator/releases)
- [Commits](go-playground/validator@v10.30.2...v10.30.3)

Updates `github.com/jackc/pgx/v5` from 5.9.2 to 5.10.0
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](jackc/pgx@v5.9.2...v5.10.0)

Updates `github.com/riverqueue/river/rivershared` from 0.38.0 to 0.39.0
- [Release notes](https://github.com/riverqueue/river/releases)
- [Changelog](https://github.com/riverqueue/river/blob/master/CHANGELOG.md)
- [Commits](riverqueue/river@v0.38.0...v0.39.0)

---
updated-dependencies:
- dependency-name: github.com/go-playground/validator/v10
  dependency-version: 10.30.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-dependencies
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
- dependency-name: github.com/riverqueue/river/rivershared
  dependency-version: 0.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jun 8, 2026
@bgentry bgentry merged commit 64f48e0 into master Jun 9, 2026
3 checks passed
@bgentry bgentry deleted the dependabot/go_modules/go-dependencies-1be2ff1847 branch June 9, 2026 00:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bgentry bgentry bgentry approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bgentry