Skip to content

0.56.8

Choose a tag to compare

@github-actions github-actions released this 30 Jun 22:00

Merged PRs

doltgresql

  • 2888: Add tests for composite unique indexes with extended types and adaptive encoding types
    Fixes: #2886
    Depends on: dolthub/dolt#11266
  • 2882: Remove unnecessary case for apd.Decimal
    Follow up to #2881 to remove some unneeded code
  • 2864: Changing doltgres sql logic test harness to run tests in parallel
    Depends on: dolthub/sqllogictest#21
  • 2858: Bump golang.org/x/crypto from 0.17.0 to 0.45.0 in /integration-tests/go-sql-server-driver
    Bumps golang.org/x/crypto from 0.17.0 to 0.45.0.
    Commits
    • 4e0068c go.mod: update golang.org/x dependencies
    • e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
    • f91f7a7 ssh/agent: prevent panic on malformed constraint
    • 2df4153 acme/autocert: let automatic renewal work with short lifetime certs
    • bcf6a84 acme: pass context to request
    • b4f2b62 ssh: fix error message on unsupported cipher
    • 79ec3a5 ssh: allow to bind to a hostname in remote forwarding
    • 122a78f go.mod: update golang.org/x dependencies
    • c0531f9 all: eliminate vet diagnostics
    • 0997000 all: fix some comments
    • Additional commits viewable in compare view

    [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/crypto&package-manager=go_modules&previous-version=0.17.0&new-version=0.45.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
    Dependabot commands and options
    You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/dolthub/doltgresql/network/alerts).
  • 2857: Bump github.com/jackc/pgx/v5 from 5.6.1-0.20240826124046-97d20ccfadaa to 5.9.2 in /integration-tests/go-sql-server-driver
    Bumps github.com/jackc/pgx/v5 from 5.6.1-0.20240826124046-97d20ccfadaa to 5.9.2.
    Changelog

    Sourced from github.com/jackc/pgx/v5's changelog.

    5.9.2 (April 18, 2026)

    Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx)

    SQL injection can occur when:

    1. The non-default simple protocol is used.
    2. A dollar quoted string literal is used in the SQL query.
    3. That query contains text that would be would be interpreted outside as a placeholder outside of a string literal.
    4. The value of that placeholder is controllable by the attacker.

    e.g.

    attackValue := `$tag$; drop table canary; --`
    _, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

    This is unlikely to occur outside of a contrived scenario.

    5.9.1 (March 22, 2026)

    • Fix: batch result format corruption when using cached prepared statements (reported by Dirkjan Bussink)

    5.9.0 (March 21, 2026)

    This release includes a number of new features such as SCRAM-SHA-256-PLUS support, OAuth authentication support, and PostgreSQL protocol 3.2 support.

    It significantly reduces the amount of network traffic when using prepared statements (which are used automatically by default) by avoiding unnecessary Describe Portal messages. This also reduces local memory usage.

    It also includes multiple fixes for potential DoS due to panic or OOM if connected to a malicious server that sends deliberately malformed messages.

    • Require Go 1.25+
    • Add SCRAM-SHA-256-PLUS support (Adam Brightwell)
    • Add OAuth authentication support for PostgreSQL 18 (David Schneider)
    • Add PostgreSQL protocol 3.2 support (Dirkjan Bussink)
    • Add tsvector type support (Adam Brightwell)
    • Skip Describe Portal for cached prepared statements reducing network round trips
    • Make LoadTypes query easier to support on "postgres-like" servers (Jelte Fennema-Nio)
    • Default empty user to current OS user matching libpq behavior (ShivangSrivastava)
    • Optimize LRU statement cache with custom linked list and node pooling (Mathias Bogaert)
    • Optimize date scanning by replacing regex with manual parsing (Mathias Bogaert)
    • Optimize pgio append/set functions with direct byte shifts (Mathias Bogaert)
    • Make RowsAffected faster (Abhishek Chanda)
    • Fix: Pipeline.Close panic when server sends multiple FATAL errors (Varun Chawla)
    • Fix: ContextWatcher goroutine leak (Hank Donnay)
    • Fix: stdlib discard connections with open transactions in ResetSession (Jeremy Schneider)

    ... (truncated)

    Commits

  • 2855: allow querying column or sql value with star expr and add client tests

Closed Issues

  • 2886: INSERT panic on composite UNIQUE(uuid, text) index — regression since 0.56.5 (store/val/tuple_compare.go:173)