0.56.8
Merged PRs
doltgresql
- 2888: Add tests for composite unique indexes with extended types and adaptive encoding types
Fixes: #2886
Depends on: dolthub/dolt#11266 - 2882: Remove unnecessary case for apd.Decimal
Follow up to #2881 to remove some unneeded code - 2864: Changing doltgres sql logic test harness to run tests in parallel
Depends on: dolthub/sqllogictest#21 - 2858: Bump golang.org/x/crypto from 0.17.0 to 0.45.0 in /integration-tests/go-sql-server-driver
Bumps golang.org/x/crypto from 0.17.0 to 0.45.0.Commits
4e0068cgo.mod: update golang.org/x dependenciese79546essh: curb GSSAPI DoS risk by limiting number of specified OIDsf91f7a7ssh/agent: prevent panic on malformed constraint2df4153acme/autocert: let automatic renewal work with short lifetime certsbcf6a84acme: pass context to requestb4f2b62ssh: fix error message on unsupported cipher79ec3a5ssh: allow to bind to a hostname in remote forwarding122a78fgo.mod: update golang.org/x dependenciesc0531f9all: eliminate vet diagnostics0997000all: fix some comments- Additional commits viewable in compare view
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/dolthub/doltgresql/network/alerts). - 2857: Bump github.com/jackc/pgx/v5 from 5.6.1-0.20240826124046-97d20ccfadaa to 5.9.2 in /integration-tests/go-sql-server-driver
Bumps github.com/jackc/pgx/v5 from 5.6.1-0.20240826124046-97d20ccfadaa to 5.9.2.Changelog
Sourced from github.com/jackc/pgx/v5's changelog.
5.9.2 (April 18, 2026)
Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx)
SQL injection can occur when:
- The non-default simple protocol is used.
- A dollar quoted string literal is used in the SQL query.
- That query contains text that would be would be interpreted outside as a placeholder outside of a string literal.
- The value of that placeholder is controllable by the attacker.
e.g.
attackValue := `$tag$; drop table canary; --` _, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)
This is unlikely to occur outside of a contrived scenario.
5.9.1 (March 22, 2026)
- Fix: batch result format corruption when using cached prepared statements (reported by Dirkjan Bussink)
5.9.0 (March 21, 2026)
This release includes a number of new features such as SCRAM-SHA-256-PLUS support, OAuth authentication support, and PostgreSQL protocol 3.2 support.
It significantly reduces the amount of network traffic when using prepared statements (which are used automatically by default) by avoiding unnecessary Describe Portal messages. This also reduces local memory usage.
It also includes multiple fixes for potential DoS due to panic or OOM if connected to a malicious server that sends deliberately malformed messages.
- Require Go 1.25+
- Add SCRAM-SHA-256-PLUS support (Adam Brightwell)
- Add OAuth authentication support for PostgreSQL 18 (David Schneider)
- Add PostgreSQL protocol 3.2 support (Dirkjan Bussink)
- Add tsvector type support (Adam Brightwell)
- Skip Describe Portal for cached prepared statements reducing network round trips
- Make LoadTypes query easier to support on "postgres-like" servers (Jelte Fennema-Nio)
- Default empty user to current OS user matching libpq behavior (ShivangSrivastava)
- Optimize LRU statement cache with custom linked list and node pooling (Mathias Bogaert)
- Optimize date scanning by replacing regex with manual parsing (Mathias Bogaert)
- Optimize pgio append/set functions with direct byte shifts (Mathias Bogaert)
- Make RowsAffected faster (Abhishek Chanda)
- Fix: Pipeline.Close panic when server sends multiple FATAL errors (Varun Chawla)
- Fix: ContextWatcher goroutine leak (Hank Donnay)
- Fix: stdlib discard connections with open transactions in ResetSession (Jeremy Schneider)
... (truncated)
Commits
- See full diff in compare view
- 2855: allow querying column or sql value with star expr and add client tests
Closed Issues
- 2886: INSERT panic on composite UNIQUE(uuid, text) index — regression since 0.56.5 (store/val/tuple_compare.go:173)