
build(deps): bump the minor-and-patch group across 1 directory with 3 updates#30

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/minor-and-patch-a2512ea989

Conversation


@dependabot dependabot Bot commented on behalf of github May 8, 2026

Bumps the minor-and-patch group with 3 updates in the / directory: github.com/jackc/pgx/v5, github.com/xraph/forge and go.mongodb.org/mongo-driver/v2.

Updates github.com/jackc/pgx/v5 from 5.8.0 to 5.9.2

Changelog

Sourced from github.com/jackc/pgx/v5's changelog.

5.9.2 (April 18, 2026)

Fix SQL Injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx)

SQL injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That query contains text that would be interpreted as a placeholder outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

5.9.1 (March 22, 2026)

  • Fix: batch result format corruption when using cached prepared statements (reported by Dirkjan Bussink)

5.9.0 (March 21, 2026)

This release includes a number of new features such as SCRAM-SHA-256-PLUS support, OAuth authentication support, and PostgreSQL protocol 3.2 support.

It significantly reduces the amount of network traffic when using prepared statements (which are used automatically by default) by avoiding unnecessary Describe Portal messages. This also reduces local memory usage.

It also includes multiple fixes for potential DoS due to panic or OOM if connected to a malicious server that sends deliberately malformed messages.

  • Require Go 1.25+
  • Add SCRAM-SHA-256-PLUS support (Adam Brightwell)
  • Add OAuth authentication support for PostgreSQL 18 (David Schneider)
  • Add PostgreSQL protocol 3.2 support (Dirkjan Bussink)
  • Add tsvector type support (Adam Brightwell)
  • Skip Describe Portal for cached prepared statements reducing network round trips
  • Make LoadTypes query easier to support on "postgres-like" servers (Jelte Fennema-Nio)
  • Default empty user to current OS user matching libpq behavior (ShivangSrivastava)
  • Optimize LRU statement cache with custom linked list and node pooling (Mathias Bogaert)
  • Optimize date scanning by replacing regex with manual parsing (Mathias Bogaert)
  • Optimize pgio append/set functions with direct byte shifts (Mathias Bogaert)
  • Make RowsAffected faster (Abhishek Chanda)
  • Fix: Pipeline.Close panic when server sends multiple FATAL errors (Varun Chawla)
  • Fix: ContextWatcher goroutine leak (Hank Donnay)
  • Fix: stdlib discard connections with open transactions in ResetSession (Jeremy Schneider)

... (truncated)

Commits
  • 0aeabbc Release v5.9.2
  • 60644f8 Fix SQL sanitizer bugs with dollar-quoted strings and placeholder overflow
  • a5680bc Merge pull request #2531 from dolmen-go/godoc-add-links
  • e34e452 doc: Add godoc links
  • 08c9bb1 Fix Stringer types encoded as text instead of numeric value in composite fields
  • 96b4dbd Remove unstable test
  • acf88e0 Merge pull request #2526 from abrightwell/abrightwell-min-proto
  • 2f81f1f Update max_protocol_version and min_protocol_version defaults
  • 4e4eaed Release v5.9.1
  • 6273188 Fix batch result format corruption when using cached prepared statements
  • Additional commits viewable in compare view

Updates github.com/xraph/forge from 1.6.0 to 1.6.2

Release notes

Sourced from github.com/xraph/forge's releases.

v1.6.2

Forge Framework v1.6.2 (2026-05-05T04:19:50Z)

Welcome to this new release of Forge Framework!

Changelog

New Features

  • 6e53722d044cab0697eb170637578ecb3103f7b3: feat(contributor): implement header forwarding and proxying for remote page requests (@​juicycleff)
  • 405d586a1ec97419793d2e292d38f0ba605a06fb: feat(dashboard): implement remote contributor registration and management with auto-filtering for local services (@​juicycleff)

Documentation Updates

  • e3ad82924f7ad4b9b7e11ba8687c0f0d9cb8999b: docs(changelog): update CHANGELOG.md for v1.6.1 (@​github-actions[bot])

Installation

Using Go Install

go install github.com/xraph/forge/cmd/forge@v1.6.2

Download Binary

Download the appropriate binary for your platform from the assets below.

Using Package Managers

# Homebrew (macOS/Linux)
brew install xraph/tap/forge

# Scoop (Windows)
scoop bucket add xraph https://github.com/xraph/scoop-bucket
scoop install forge

What's Changed

Full changelog: xraph/forge@v1.6.1...v1.6.2

v1.6.1

Forge Framework v1.6.1 (2026-05-01T16:58:33Z)

Welcome to this new release of Forge Framework!

Changelog

Bug Fixes

  • 9d521da0bd889152d90b463879dbca5858333576: fix(dashboard): refactor contributor registration to handle early returns correctly (@​juicycleff)

Documentation Updates

  • dfb1d9118d6871d1c7b908d050cd6e0a61fe2f50: docs(changelog): update CHANGELOG.md for v1.6.0 (@​github-actions[bot])

Other Changes

  • 40b2ddce2133eef44c33a2e09b8416aae9f9b0bd: Refactor dashboard extension to support remote contributors (@​juicycleff)

Installation

... (truncated)

Changelog

Sourced from github.com/xraph/forge's changelog.

1.6.2 (2026-05-05)

Maintenance

  • changelog: update CHANGELOG.md for v1.6.1 (e3ad829)

1.6.1 (2026-05-01)

Maintenance

  • changelog: update CHANGELOG.md for v1.6.0 (dfb1d91)

Commits
  • 80f5e19 Merge branch 'main' of github.com:xraph/forge
  • 6e53722 feat(contributor): implement header forwarding and proxying for remote page r...
  • 405d586 feat(dashboard): implement remote contributor registration and management wit...
  • e3ad829 docs(changelog): update CHANGELOG.md for v1.6.1
  • 40b2ddc Refactor dashboard extension to support remote contributors
  • 15a7889 Merge branch 'main' of github.com:xraph/forge
  • 9d521da fix(dashboard): refactor contributor registration to handle early returns cor...
  • dfb1d91 docs(changelog): update CHANGELOG.md for v1.6.0
  • See full diff in compare view

Updates go.mongodb.org/mongo-driver/v2 from 2.5.0 to 2.6.0

Release notes

Sourced from go.mongodb.org/mongo-driver/v2's releases.

MongoDB Go Driver 2.6.0

The MongoDB Go Driver Team is pleased to release version 2.6.0 of the official MongoDB Go Driver.

Release Highlights

[!IMPORTANT] Go Driver v2.6 will be the last minor version to support MongoDB 4.2. Go Driver v2.7 will require MongoDB 4.4 or newer.

This release adds support for MongoDB's Intelligent Workload Management (IWM) and ingress connection rate limiting features. The driver now gracefully handles write-blocking scenarios and optimizes connection establishment during high-load conditions to maintain application availability.

Two new methods of ClientOptions are available:

  • SetMaxAdaptiveRetries - specifies the maximum number of times the driver should retry operations that fail with a server side overload error. If not invoked, the default is 2. MaxAdaptiveRetries can also be set through the "maxAdaptiveRetries" URI option (e.g. "maxAdaptiveRetries=5").
  • SetEnableOverloadRetargeting - specifies whether the driver should enable overload retargeting for operations that fail with a server side overload error. If not invoked, the default is false. EnableOverloadRetargeting can also be set through the "enableOverloadRetargeting" URI option (e.g. "enableOverloadRetargeting=true").

What's Changed

✨ New Features

Full Changelog: mongodb/mongo-go-driver@v2.5.1...v2.6.0

For a full list of tickets included in this release, please see the list of fixed issues.

Documentation for the Go Driver can be found on pkg.go.dev and the MongoDB documentation site. BSON library documentation is also available on pkg.go.dev. For issues with, questions about, or feedback for the Go Driver, please look into our support channels, including StackOverflow. Bugs can be reported in the Go Driver project in the MongoDB JIRA where a list of current issues can be found. Your feedback on the Go Driver is greatly appreciated!

MongoDB Go Driver 2.5.1

The MongoDB Go Driver Team is pleased to release version 2.5.1 of the official MongoDB Go Driver.

Release Highlights

This release fixes two BSON unmarshaling edge cases.

What's Changed

🐛 Fixed

... (truncated)

Commits
  • fd85a83 BUMP v2.6.0
  • 52b385d GODRIVER-3829 Cleanup skip list. (#2369)
  • 71375d7 Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.1...
  • 65f4e94 GODRIVER-3870 Use a generic type parameter for retry func in overload code ex...
  • 00ab776 GODRIVER-3849 Update backpressure errors handling examples. (#2365)
  • fa56c25 Bump github/codeql-action from 4.35.1 to 4.35.2 in the actions group (#2367)
  • 4ee727e GODRIVER-3844 Add maxAdaptiveRetries and enableOverloadRetargeting option...
  • 881269a GODRIVER-3810 Update WithTransaction to raise timeout error. (#2344)
  • c1d47f7 Bump actions/upload-artifact from 7.0.0 to 7.0.1 in the actions group (#2361)
  • 9a15470 GODRIVER-3658 Implement backpressure retry logic. (#2353)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
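The pgx 5.9.2 entry above describes the exploitable shape exactly: a query run under the non-default simple protocol that contains `$N` text inside a `$tag$ ... $tag$` literal, where the value bound to `$N` is attacker-controlled. The fix is the version bump this PR applies (or simply keeping the default extended protocol, which the changelog says is unaffected). As an added example, not code from pgx or from this PR, the Go scanner below audits SQL strings for that shape so that code paths using `pgx.QueryExecModeSimpleProtocol` can be reviewed before and after the upgrade. The `Placeholder` type and the `FindPlaceholders` and `UnsafeForSimpleProtocol` functions are this example's own names; the query string in `main` is the one quoted in the changelog. The scanner tracks single-quoted and dollar-quoted string state only; it does not model SQL comments or `E'...'` escape strings, so it is an audit aid rather than a full parser.

```go
package main

import (
	"fmt"
	"strings"
)

// Placeholder records one $N positional parameter found in a SQL string.
// (Example code, not part of pgx or of this PR.)
type Placeholder struct {
	Index         int  // the N in $N
	Offset        int  // byte offset of the '$' within the query text
	InDollarQuote bool // true when the $N sits inside $tag$ ... $tag$
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }
func isLetter(c byte) bool {
	return c == '_' || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// dollarTagAt reports whether a dollar-quote delimiter starts at s[i] and
// returns its tag: "" for $$, or an identifier-like run such as "tag".
// A tag may not start with a digit, so "$1" is never taken as a delimiter.
func dollarTagAt(s string, i int) (tag string, ok bool) {
	if i >= len(s) || s[i] != '$' {
		return "", false
	}
	for j := i + 1; j < len(s); j++ {
		switch c := s[j]; {
		case c == '$':
			return s[i+1 : j], true
		case !isLetter(c) && !(j > i+1 && isDigit(c)):
			return "", false
		}
	}
	return "", false
}

// placeholderAt reports whether a $N placeholder starts at s[i]; width is the
// byte length of the whole "$N" token.
func placeholderAt(s string, i int) (n, width int, ok bool) {
	if i >= len(s) || s[i] != '$' {
		return 0, 0, false
	}
	j := i + 1
	for ; j < len(s) && isDigit(s[j]); j++ {
		n = n*10 + int(s[j]-'0')
	}
	return n, j - i, j > i+1
}

// FindPlaceholders walks the query once, tracking single-quoted and
// dollar-quoted string state, and records every $N it meets.
func FindPlaceholders(sql string) []Placeholder {
	var found []Placeholder
	inSingle := false
	closing := "" // holds "$tag$" while inside a dollar-quoted literal, else ""
	for i := 0; i < len(sql); {
		switch {
		case inSingle:
			if sql[i] == '\'' {
				if i+1 < len(sql) && sql[i+1] == '\'' { // '' is an escaped quote
					i += 2
					continue
				}
				inSingle = false
			}
			i++
		case closing != "":
			if strings.HasPrefix(sql[i:], closing) {
				i += len(closing)
				closing = ""
			} else if n, w, ok := placeholderAt(sql, i); ok {
				found = append(found, Placeholder{Index: n, Offset: i, InDollarQuote: true})
				i += w
			} else {
				i++
			}
		default:
			if sql[i] == '\'' {
				inSingle = true
				i++
			} else if tag, ok := dollarTagAt(sql, i); ok {
				closing = "$" + tag + "$"
				i += len(closing)
			} else if n, w, ok := placeholderAt(sql, i); ok {
				found = append(found, Placeholder{Index: n, Offset: i, InDollarQuote: false})
				i += w
			} else {
				i++
			}
		}
	}
	return found
}

// UnsafeForSimpleProtocol keeps only placeholders inside a dollar-quoted
// literal: the pattern the changelog describes for QueryExecModeSimpleProtocol.
func UnsafeForSimpleProtocol(sql string) []Placeholder {
	var out []Placeholder
	for _, p := range FindPlaceholders(sql) {
		if p.InDollarQuote {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	q := "select $tag$ $1 $tag$, $1" // query from the pgx 5.9.2 changelog entry
	for _, p := range UnsafeForSimpleProtocol(q) {
		fmt.Printf("$%d at offset %d is inside a dollar-quoted literal: review before using simple protocol\n", p.Index, p.Offset)
	}
}
```

Run against the changelog's query, the scanner reports the `$1` at offset 13 (inside `$tag$ ... $tag$`) and leaves the trailing `$1` alone; a `$1` inside a single-quoted literal, or a `$$ ... $$` literal with no placeholder, produces no finding. Pointing it at the query strings of a codebase that opts into the simple protocol gives a short list of statements worth inspecting, independent of whether the dependency bump has landed yet.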


Bumps the minor-and-patch group with 3 updates in the / directory: [github.com/jackc/pgx/v5](https://github.com/jackc/pgx), [github.com/xraph/forge](https://github.com/xraph/forge) and [go.mongodb.org/mongo-driver/v2](https://github.com/mongodb/mongo-go-driver).


Updates `github.com/jackc/pgx/v5` from 5.8.0 to 5.9.2
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](jackc/pgx@v5.8.0...v5.9.2)

Updates `github.com/xraph/forge` from 1.6.0 to 1.6.2
- [Release notes](https://github.com/xraph/forge/releases)
- [Changelog](https://github.com/xraph/forge/blob/main/CHANGELOG.md)
- [Commits](xraph/forge@v1.6.0...v1.6.2)

Updates `go.mongodb.org/mongo-driver/v2` from 2.5.0 to 2.6.0
- [Release notes](https://github.com/mongodb/mongo-go-driver/releases)
- [Commits](mongodb/mongo-go-driver@v2.5.0...v2.6.0)

---
updated-dependencies:
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.9.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: github.com/xraph/forge
  dependency-version: 1.6.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: go.mongodb.org/mongo-driver/v2
  dependency-version: 2.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github May 8, 2026

Labels

The following labels could not be found: dependencies, go. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.


vercel Bot commented May 8, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
warden Ready Ready Preview, Comment May 8, 2026 4:59pm
