
Bump pgx/v5 for memory-safety CVE#387

Merged
simonsmallchua merged 3 commits into
mainfrom
work/pgx-bump-cve
May 12, 2026

Conversation

@simonsmallchua
Contributor

@simonsmallchua simonsmallchua commented May 12, 2026

Summary

  • Bumps github.com/jackc/pgx/v5 from v5.7.6 → v5.9.2 to resolve Dependabot alert #54 (Critical, memory-safety).
  • Production DB driver — the only Dependabot alert touching the Go backend. Remaining open alerts are transitive dev deps under webflow-designer-extension-cli (not shipped to production) and should be snoozed.

Test plan

  • go build ./... clean
  • go test ./... all packages green
  • Server boots cleanly under Claude preview; pgx initiates connection (DB itself not started locally — Docker unavailable)
  • CI green
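A check that complements the build-and-test plan above: a small Go program (added here as an example, not part of the project or this PR) that parses a go.mod body and confirms the pgx/v5 require line is pinned at or above the version the PR bumps to. The go.mod text is a constructed sample modelled on the bump; the floor v5.9.2 is the version named in the PR. Running a check like this in CI catches the case where a later merge quietly drags the driver back below the fixed version.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod fragment modelled on the PR: the require line already
// carries the bumped pgx/v5 version. Not the project's real go.mod.
const sampleGoMod = `module example.com/hover

go 1.22

require (
	github.com/jackc/pgx/v5 v5.9.2
	github.com/some/other v1.2.3 // indirect
)
`

// RequiredVersion returns the version pinned for modulePath in a go.mod
// body, or "" when the module is not required. It understands both the
// single-line "require x vN" form and the parenthesised block form.
func RequiredVersion(goMod, modulePath string) string {
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comment
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if !inBlock {
			if len(fields) == 3 && fields[0] == "require" {
				fields = fields[1:]
			} else {
				continue
			}
		}
		if len(fields) == 2 && fields[0] == modulePath {
			return fields[1]
		}
	}
	return ""
}

// compareSemver compares two "vMAJOR.MINOR.PATCH" strings numerically and
// returns -1, 0 or 1. Pre-release/build suffixes are stripped (assumption:
// the versions pinned here are plain releases, as in the PR).
func compareSemver(a, b string) int {
	parse := func(v string) [3]int {
		v = strings.TrimPrefix(v, "v")
		if i := strings.IndexAny(v, "-+"); i >= 0 {
			v = v[:i]
		}
		var out [3]int
		for i, p := range strings.SplitN(v, ".", 3) {
			n, _ := strconv.Atoi(p)
			out[i] = n
		}
		return out
	}
	pa, pb := parse(a), parse(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

// MeetsFloor reports whether go.mod pins modulePath at or above minVersion,
// and returns the pinned version. A module that is not required at all
// fails the check, so a dropped dependency cannot mask a stale one.
func MeetsFloor(goMod, modulePath, minVersion string) (bool, string) {
	got := RequiredVersion(goMod, modulePath)
	if got == "" {
		return false, ""
	}
	return compareSemver(got, minVersion) >= 0, got
}

func main() {
	ok, got := MeetsFloor(sampleGoMod, "github.com/jackc/pgx/v5", "v5.9.2")
	fmt.Printf("pgx/v5 pinned at %s, meets floor v5.9.2: %v\n", got, ok)
}
```

The parser deliberately ignores everything except require entries, so a `replace` directive or an `exclude` line does not confuse it; if the project used `replace` to redirect pgx, the check would need to read that directive as well.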


Summary by CodeRabbit

  • Security

    • Upgraded a database driver to address a memory-safety issue, improving runtime safety.
  • Chores

    • Bumped development tooling and dependency versions and removed an unused indirect dependency to simplify dependency state.
  • Documentation

    • Updated the changelog "Unreleased" section to record the security and tooling upgrades.


@supabase

supabase Bot commented May 12, 2026

Updates to Preview Branch (work/pgx-bump-cve)

Deployments Status Updated
Database Tue, 12 May 2026 10:29:10 UTC
Services Tue, 12 May 2026 10:29:10 UTC
APIs Tue, 12 May 2026 10:29:10 UTC

Tasks are run on every commit but only new migration files are pushed.
Close and reopen this PR if you want to apply changes from existing seed or migration files.

Tasks Status Updated
Configurations Tue, 12 May 2026 10:29:12 UTC
Migrations Tue, 12 May 2026 10:29:14 UTC
Seeding Tue, 12 May 2026 10:29:16 UTC
Edge Functions Tue, 12 May 2026 10:29:16 UTC


@coderabbitai
Contributor

coderabbitai Bot commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 486d26ca-19eb-4051-a027-3c661876bf7b

📥 Commits

Reviewing files that changed from the base of the PR and between 7252c55 and fbd47b5.

⛔ Files ignored due to path filters (1)
  • webflow-designer-extension-cli/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • CHANGELOG.md
  • webflow-designer-extension-cli/package.json
✅ Files skipped from review due to trivial changes (1)
  • webflow-designer-extension-cli/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • CHANGELOG.md

📝 Walkthrough

Walkthrough

Updated go.mod to github.com/jackc/pgx/v5 v5.9.2, removed an indirect golang.org/x/crypto entry, bumped @webflow/webflow-cli in webflow-designer-extension-cli/package.json, and added corresponding Unreleased Security bullets in CHANGELOG.md.

Changes

Dependency Version Maintenance

Layer: go.mod, changelog, and webflow devDependency
File(s): go.mod, CHANGELOG.md, webflow-designer-extension-cli/package.json
Summary: Upgraded github.com/jackc/pgx/v5 from v5.7.6 to v5.9.2, removed indirect golang.org/x/crypto v0.50.0 from go.mod, updated @webflow/webflow-cli devDependency from ^1.12.4 to ^1.21.0, and added Unreleased Security notes in CHANGELOG.md documenting both bumps.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes


Poem

🐰 A hop and a skip through the module dance,
pgx climbs up to v5.9.2 in a prance.
Old crypto traces softly swept away,
webflow gets bumped to brighten the day.
CHANGELOG sings the security chance.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: bumping pgx/v5 dependency to resolve a memory-safety CVE, which aligns with the primary objective of addressing Dependabot alert #54.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@github-actions
Contributor

github-actions Bot commented May 12, 2026

Release Versions

App patch: v0.34.13 → v0.34.14

Changelog

Security

  • Bump github.com/jackc/pgx/v5 from v5.7.6 to v5.9.2 to resolve a
    memory-safety vulnerability (Dependabot alert #54).
  • Bump @webflow/webflow-cli from ^1.12.4 to ^1.21.0 in
    webflow-designer-extension-cli/ to clear transitive dev-dep vulnerabilities
    (axios, follow-redirects, fast-uri, babel, postcss). Webflow extension is
    dev-only tooling and does not ship to production.

@codecov

codecov Bot commented May 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.


@github-actions
Contributor

🐝 Review App Deployed

Homepage: https://hover-pr-387.fly.dev
Dashboard: https://hover-pr-387.fly.dev/dashboard


@simonsmallchua simonsmallchua merged commit 8c0dc0b into main May 12, 2026
19 of 21 checks passed
@simonsmallchua simonsmallchua deleted the work/pgx-bump-cve branch May 12, 2026 10:33
simonsmallchua added a commit that referenced this pull request May 12, 2026