fix(database): remove pgx/v4 + pgproto3/v2 CVEs via pgx/v5-only credential-refresh fork #124
Merged
…ntial-refresh fork

Eliminates the two unpatched CVEs (GHSA-jqcq-xjh3-6g23 pgproto3/v2 DoS HIGH, GHSA-j88v-2chj-qfwx pgx/v4 SQLi low) from the dependency graph instead of accepting the risk (supersedes ADR 0002).

go-db-credential-refresh@v1.2.1's driver package imports pgx/v4/stdlib unconditionally for an optional "pgxv4" driver, but this module only uses the "pgx" driver which already maps to pgx/v5 — so pgx/v4 + pgproto3/v2 were dead-but-linked.

Switched the database module + the verbose-debug / instance-aware-db examples to a pgx/v5-only fork (github.com/GoCodeAlone/go-db-credential-refresh v1.3.0 + store/awsrds v1.3.0) that drops the v4 driver. Direct require (not replace, which doesn't propagate to consumers); go mod tidy then removes pgx/v4 + pgproto3/v2 entirely. Repo-wide: zero pgx/v4 / pgproto3/v2 in any go.mod or go.sum. Build + race tests pass for the database module + both examples.

No go.mod exclude is used: all pgx/v4 (<=4.18.3) + pgproto3/v2 (<=2.3.3) versions are vulnerable, so exclude only forces a downgrade to another vulnerable version — removing the importer is what fixes it.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
📋 API Contract Changes Summary

✅ No breaking changes detected - only additions and non-breaking modifications

Changed Components:
- Core Framework: contract diff saved to artifacts/diffs/core.json
- Module: auth: contract diff saved to artifacts/diffs/auth.json
- Module: cache: contract diff saved to artifacts/diffs/cache.json
- Module: database: contract diff saved to artifacts/diffs/database.json
- Module: eventbus: contract diff saved to artifacts/diffs/eventbus.json
- Module: jsonschema: contract diff saved to artifacts/diffs/jsonschema.json
- Module: letsencrypt: contract diff saved to artifacts/diffs/letsencrypt.json
- Module: reverseproxy: contract diff saved to artifacts/diffs/reverseproxy.json

Artifacts: 📁 Full contract diffs and JSON artifacts are available in the workflow artifacts.
Codecov Report

✅ All modified and coverable lines are covered by tests.
Properly fixes (not risk-accepts) the two pgx CVEs from the database module — supersedes ADR 0002.
go-db-credential-refresh@v1.2.1's `driver` package imports `pgx/v4/stdlib` unconditionally for an optional `pgxv4` driver, but this module only uses the `pgx` driver which the lib already maps to pgx/v5. So pgx/v4 + pgproto3/v2 were dead-but-linked.

- Switched to `github.com/GoCodeAlone/go-db-credential-refresh` (v1.3.0 + nested `store/awsrds` v1.3.0), dropping the v4 driver + import (pgx/v5/mysql/pq retained).
- Direct `require` (not `replace` — that doesn't propagate to consumers).
- `go mod tidy` drops pgx/v4 + pgproto3/v2 entirely. Repo-wide grep: zero pgx/v4 / pgproto3/v2 in any go.mod/go.sum. Build + race tests pass.
- No `exclude`: every pgx/v4 ≤4.18.3 + pgproto3/v2 ≤2.3.3 version is vulnerable, so exclude only forces a downgrade to another vulnerable version — removing the importer is the fix.

Resolves Dependabot alerts #23–#25 + #54–#56 (previously dismissed under ADR 0002).
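The "dead-but-linked" argument in the commit message and the description above (a vulnerable module is pulled in only because some intermediate module requires it, so the fix is to swap that importer rather than to `exclude` a version) can be checked mechanically against `go mod graph`. The program below is an added example and is not code from this PR or from the modular project: it parses `go mod graph` output, reproduces what `go mod why -m` reports (the require chain from the main module to the vulnerable module), names the direct importer that has to be dropped or forked, and runs the same "is it in any go.mod/go.sum at any version" check the description calls a repo-wide grep. The graph and go.sum text are constructed, not captured from the repository: the main module `example.com/app`, the upstream path `upstream.example/go-db-credential-refresh` and the pgx/v5 version are placeholders; only the fork path, the pgx/v4 4.18.3 and pgproto3/v2 2.3.3 versions come from the PR.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Every released pgx/v4 (<=4.18.3) and pgproto3/v2 (<=2.3.3) is affected, so the check is
// "is the module linked at all", not "is the version below some fixed release".
var vulnerableModules = []string{
	"github.com/jackc/pgx/v4",
	"github.com/jackc/pgproto3/v2",
}

// Constructed `go mod graph` output (not captured from the PR's repo). example.com/app,
// upstream.example/... and v5.7.1 are placeholders; the rest matches the versions the PR names.
const graphBefore = `example.com/app upstream.example/go-db-credential-refresh@v1.2.1
example.com/app github.com/jackc/pgx/v5@v5.7.1
upstream.example/go-db-credential-refresh@v1.2.1 github.com/jackc/pgx/v4@v4.18.3
upstream.example/go-db-credential-refresh@v1.2.1 github.com/jackc/pgx/v5@v5.7.1
github.com/jackc/pgx/v4@v4.18.3 github.com/jackc/pgproto3/v2@v2.3.3
`

// The same graph after a direct require of the pgx/v5-only fork and `go mod tidy`.
const graphAfter = `example.com/app github.com/GoCodeAlone/go-db-credential-refresh@v1.3.0
example.com/app github.com/jackc/pgx/v5@v5.7.1
github.com/GoCodeAlone/go-db-credential-refresh@v1.3.0 github.com/jackc/pgx/v5@v5.7.1
`

// Constructed go.sum excerpt; the h1: values are placeholders, not real hashes.
const sampleGoSum = `github.com/jackc/pgx/v4 v4.18.3 h1:placeholder=
github.com/jackc/pgx/v4 v4.18.3/go.mod h1:placeholder=
github.com/jackc/pgx/v5 v5.7.1 h1:placeholder=
`

// graph maps "module@version" (the main module has no @version) to what it requires.
type graph map[string][]string

func parseGraph(out string) graph {
	g := graph{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 2 {
			g[f[0]] = append(g[f[0]], f[1])
		}
	}
	return g
}

func modulePath(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// whyChain is the shortest require chain from root to any version of target
// (what `go mod why -m target` prints), or nil when target is not linked at all.
func whyChain(g graph, root, target string) []string {
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if modulePath(n) == target {
			var chain []string
			for c := n; c != ""; c = parent[c] {
				chain = append([]string{c}, chain...)
			}
			return chain
		}
		for _, d := range g[n] {
			if _, seen := parent[d]; !seen {
				parent[d] = n
				queue = append(queue, d)
			}
		}
	}
	return nil
}

// reachableVulnerable maps each still-linked vulnerable module to its direct importer:
// the module that must be dropped or forked before `go mod tidy` can remove it.
func reachableVulnerable(g graph, root string) map[string]string {
	found := map[string]string{}
	for _, m := range vulnerableModules {
		if chain := whyChain(g, root, m); len(chain) >= 2 {
			found[m] = chain[len(chain)-2]
		}
	}
	return found
}

// offendingLines is the repo-wide check: any go.mod or go.sum line whose module column is a
// vulnerable module, at any version (covers `require m v`, block entries and go.sum rows).
func offendingLines(text string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) > 1 && f[0] == "require" {
			f = f[1:]
		}
		for _, m := range vulnerableModules {
			if len(f) > 0 && f[0] == m {
				hits = append(hits, strings.TrimSpace(sc.Text()))
			}
		}
	}
	return hits
}

func main() {
	for _, name := range []string{"before", "after"} {
		g := parseGraph(map[string]string{"before": graphBefore, "after": graphAfter}[name])
		found := reachableVulnerable(g, "example.com/app")
		fmt.Printf("%s: %d vulnerable module(s) linked\n", name, len(found))
		for m, importer := range found {
			fmt.Printf("  %s <- %s\n", m, importer)
		}
	}
	fmt.Printf("go.sum lines naming a vulnerable module: %d\n", len(offendingLines(sampleGoSum)))
}
```

On a real checkout, feed the output of `go mod graph` to `parseGraph` and each go.mod/go.sum to `offendingLines`; an empty result from both is the state the description reports. The `before` run shows why `exclude` is the wrong tool: the importer of pgx/v4 is the credential-refresh module, and pgproto3/v2 is only there because pgx/v4 is, so excluding one version just moves the chain to another version of the same module.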