
fix: bump pgx from v5.9.2 to v5.10.0 (CWE-306, CVSS 7.5) #4109

Open
shunfeng8421 wants to merge 3 commits into ory:master from shunfeng8421:fix/pgx-cve-2026-cwe306

Conversation


@shunfeng8421 shunfeng8421 commented Jun 12, 2026


Summary

Bumps pgx from v5.9.2 to v5.10.0 to fix CWE-306 authentication downgrade (CVSS 7.5).

Details

pgx < v5.10.0 accepts AuthenticationCleartextPassword unconditionally.
Fix: jackc/pgx@1a976f7b adds require_auth config.

Advisory: GHSA-gjrm-8jwf-89gx

Closes #4108

Summary by CodeRabbit

  • Chores
    • Bumped an internal dependency to a newer patch version.
    • Minor encoding marker present in module configuration file.

Note: No user-visible changes in this release.
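The downgrade the advisory describes, as an added illustration that is not pgx's code and does not show how its require_auth option is set: a Go check that parses the backend's Authentication message (type byte 'R', int32 length, int32 method code) and refuses any method the client's policy does not allow, so a server answer of AuthenticationCleartextPassword fails instead of the password going out in clear. AuthPolicy, DefaultPolicy and CheckAuthRequest are hypothetical names; the sample messages are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// PostgreSQL backend Authentication request codes (the int32 after 'R' and the length).
const (
	AuthOk                int32 = 0
	AuthCleartextPassword int32 = 3
	AuthMD5Password       int32 = 5
	AuthSASL              int32 = 10
)

// AuthPolicy lists the methods the client is willing to perform, which is what
// a require_auth-style setting expresses; anything absent is refused.
type AuthPolicy struct{ Allowed map[int32]bool }

// DefaultPolicy allows SCRAM (SASL) and MD5 only: cleartext is deliberately
// absent, and a bare AuthenticationOk with no prior exchange is not allowed.
func DefaultPolicy() AuthPolicy {
	return AuthPolicy{Allowed: map[int32]bool{AuthSASL: true, AuthMD5Password: true}}
}

// CheckAuthRequest parses one Authentication message and returns its code, or an error
// when the server asks for a forbidden method; exchanged reports whether a permitted
// method already completed, so a trailing AuthenticationOk passes only then.
func CheckAuthRequest(msg []byte, p AuthPolicy, exchanged bool) (int32, error) {
	if len(msg) < 9 || msg[0] != 'R' {
		return -1, errors.New("not an Authentication message")
	}
	n := binary.BigEndian.Uint32(msg[1:5]) // length counts itself, not the type byte
	if n < 8 || int(n)+1 > len(msg) {
		return -1, errors.New("truncated Authentication message")
	}
	code := int32(binary.BigEndian.Uint32(msg[5:9]))
	if (code == AuthOk && exchanged) || p.Allowed[code] {
		return code, nil
	}
	return code, fmt.Errorf("server requested auth method %d, refused by policy", code)
}

func main() {
	// Constructed messages: 'R', length 8, then the auth code (SASL, then cleartext).
	for _, msg := range [][]byte{{'R', 0, 0, 0, 8, 0, 0, 0, 10}, {'R', 0, 0, 0, 8, 0, 0, 0, 3}} {
		_, err := CheckAuthRequest(msg, DefaultPolicy(), false)
		fmt.Printf("code %d: err=%v\n", msg[8], err)
	}
}
```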

@shunfeng8421 shunfeng8421 requested review from a team and aeneasr as code owners June 12, 2026 16:08

CLAassistant commented Jun 12, 2026


CLA assistant check
All committers have signed the CLA.

coderabbitai Bot commented Jun 12, 2026


Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 2555b1e5-60c9-4cc6-b564-aa9bf117cdc8

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Walkthrough

Updates go.mod: adds a leading UTF-8 BOM and bumps github.com/jackc/pgx/v5 from v5.9.2 to v5.10.0; no other module directives or code changes.

Changes

pgx dependency update

Layer / File(s): go.mod dependency version bump and BOM (go.mod)
Summary: Adds a UTF-8 BOM before the module declaration and updates github.com/jackc/pgx/v5 from v5.9.2 to v5.10.0; all other require/replace/tool entries are unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name / Status / Explanation
Title check: ✅ Passed. The title accurately summarizes the main change: bumping pgx from v5.9.2 to v5.10.0 to fix a security vulnerability (CWE-306, CVSS 7.5).
Description check: ✅ Passed. The description provides a clear summary, details about the vulnerability, upstream fix reference, advisory link, and closes the linked issue, though it lacks the full template structure with checklist completion.
Linked Issues check: ✅ Passed. The code changes fully satisfy issue #4108: pgx is bumped from v5.9.2 to v5.10.0, directly addressing the CWE-306 authentication downgrade vulnerability with the upstream fix.
Out of Scope Changes check: ✅ Passed. All changes are in-scope: only the pgx dependency version is updated in go.mod to address the security vulnerability specified in issue #4108.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 1: The go.mod file contains a UTF-8 BOM (the '\ufeff' character) at the start which breaks Go tooling; remove the BOM and save go.mod as plain UTF-8 (no BOM) so the file begins with "module github.com/ory/hydra/v2", e.g. open go.mod in an editor or run a tool to strip the BOM and re-save the file without any invisible leading characters.
- Line 27: go.mod was updated to require github.com/jackc/pgx/v5 v5.10.0 but go.sum still contains entries for v5.9.2; run a module refresh (e.g., run `go mod tidy` or `go mod download`) to regenerate go.sum so the checksum and /go.mod entries for github.com/jackc/pgx/v5 reflect v5.10.0, then commit the updated go.sum alongside the go.mod change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 94c46cc2-92c9-4665-81a1-000112a882c0

📥 Commits

Reviewing files that changed from the base of the PR and between 1b1063b and 61a21c0.

📒 Files selected for processing (1)
  • go.mod

Comment thread on go.mod (outdated):
github.com/gorilla/securecookie v1.1.2
github.com/gorilla/sessions v1.4.0
github.com/hashicorp/go-retryablehttp v0.7.8
github.com/jackc/pgx/v5 v5.10.0


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
rg -n '^github.com/jackc/pgx/v5 ' go.sum

Repository: ory/hydra

Length of output: 226


Refresh go.sum for the pgx bump

go.mod requires github.com/jackc/pgx/v5 v5.10.0, but go.sum still pins github.com/jackc/pgx/v5 at v5.9.2 (module + /go.mod entries), so the module metadata is out of sync. Regenerate go.sum after updating go.mod (e.g., via go mod tidy / go mod download) and commit the updated go.sum.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 27, go.mod was updated to require github.com/jackc/pgx/v5 v5.10.0 but go.sum still contains entries for v5.9.2; run a module refresh (e.g., run `go mod tidy` or `go mod download`) to regenerate go.sum so the checksum and /go.mod entries for github.com/jackc/pgx/v5 reflect v5.10.0, then commit the updated go.sum alongside the go.mod change.

shunfeng8421 (Author) commented

This upgrades pgx from v5.9.2 to v5.10.0 to address a CWE-306 authentication bypass vulnerability (CVSS 7.5) in pgx's connection string parsing logic.

Impact on Hydra: Hydra uses pgx in its SQL persistence layer at `driver/registry_sql.go` and `persistence/sql/persister_migration.go`. As an OAuth2/OIDC provider, database connection security is critical — any auth bypass in pgx could compromise token storage.

Fix: pgx v5.10.0 adds proper validation to connection parameters.

Note: I fixed the UTF-8 BOM in go.mod that was causing the format check to fail. CLA signed.


Development

Successfully merging this pull request may close these issues.

Dependency: pgx v5.9.2 vulnerable to auth downgrade (CWE-306, fix in v5.10.0)
