fix(deps): upgrade pgtype to v1.14.4 to address CVE-2024-27304

Summary

  • Upgrade github.com/jackc/pgtype from v1.14.0 to v1.14.4
  • Ensures all transitive dependencies reference fixed pgx versions (v4.18.2+)
  • Addresses potential false positives from security scanners (e.g., GCP) that flag CVE-2024-27304

Background

While the actual build already used the patched pgx v4.18.3 due to Go's Minimal Version Selection algorithm, the old pgtype v1.14.0 referenced vulnerable pgx v4.12.1 in the dependency graph.

CVE-2024-27304: SQL injection vulnerability in pgx due to integer overflow in message size calculation (CVSS 9.8 Critical). Fixed in pgx v4.18.2+.
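The distinction the background draws, between the version Minimal Version Selection actually builds with and the older versions that still appear as edges in `go mod graph`, is the kind of thing worth checking before and after a bump like this one. The following is an added example, not code from this merge request or from the pgx/pgtype projects: it parses constructed `go mod graph` output that mirrors the pre-upgrade state described above, reports the pgx version MVS would select (the highest version any requirer asks for), and lists every edge that still references pgx below the fixed version, which is exactly what a graph-based scanner keys on. The sample edges, the `example.com/app` module path and the three-component version parser (no pre-release or pseudo-version handling) are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go mod graph` output mirroring the pre-upgrade
// state described in this MR: the app already requires pgx v4.18.3, but the
// old pgtype v1.14.0 still declares a requirement on pgx v4.12.1.
const sampleGraph = `example.com/app github.com/jackc/pgx/v4@v4.18.3
example.com/app github.com/jackc/pgtype@v1.14.0
github.com/jackc/pgtype@v1.14.0 github.com/jackc/pgx/v4@v4.12.1
`

// parseVersion turns "vMAJOR.MINOR.PATCH" into three ints. Pre-release
// suffixes and pseudo-versions are deliberately not handled here (assumption).
func parseVersion(v string) ([3]int, bool) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	if len(parts) != 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// versionLess reports whether a sorts before b.
func versionLess(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// splitModule splits "path@version" into its path and version parts.
func splitModule(s string) (string, string) {
	if i := strings.LastIndex(s, "@"); i >= 0 {
		return s[:i], s[i+1:]
	}
	return s, ""
}

// graphEdges yields (requirer, path, version) for every edge in the graph
// whose target path equals module.
func graphEdges(graph, module string) [][3]string {
	var edges [][3]string
	for _, line := range strings.Split(strings.TrimSpace(graph), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		path, ver := splitModule(fields[1])
		if path == module {
			edges = append(edges, [3]string{fields[0], path, ver})
		}
	}
	return edges
}

// SelectedVersion mimics Minimal Version Selection for one module: the
// build uses the highest version that any requirer in the graph asks for.
func SelectedVersion(graph, module string) string {
	best := ""
	var bestV [3]int
	for _, e := range graphEdges(graph, module) {
		v, ok := parseVersion(e[2])
		if ok && (best == "" || versionLess(bestV, v)) {
			best, bestV = e[2], v
		}
	}
	return best
}

// VulnerableRequirers lists every "requirer -> module@version" edge that
// references module at a version below fixed. These edges are what a
// graph-based scanner flags even when MVS has already picked a patched build.
func VulnerableRequirers(graph, module, fixed string) []string {
	fixedV, ok := parseVersion(fixed)
	if !ok {
		return nil
	}
	var hits []string
	for _, e := range graphEdges(graph, module) {
		if v, ok := parseVersion(e[2]); ok && versionLess(v, fixedV) {
			hits = append(hits, e[0]+" -> "+e[1]+"@"+e[2])
		}
	}
	return hits
}

func main() {
	const pgx = "github.com/jackc/pgx/v4"
	fmt.Println("selected by MVS:", SelectedVersion(sampleGraph, pgx))
	for _, h := range VulnerableRequirers(sampleGraph, pgx, "v4.18.2") {
		fmt.Println("graph still references vulnerable pgx:", h)
	}
}
```

On the sample graph the selected version is v4.18.3 while one edge (pgtype v1.14.0 requiring pgx v4.12.1) is still below the v4.18.2 fix. After a bump such as this one, running the same check against real `go mod graph` output should return no edges below the fixed version, which is the condition the scanners in question look for.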
