fix(deps): resolve 3 critical Dependabot advisories

- go: bump github.com/jackc/pgx/v5 v5.6.0 -> v5.9.0 (CVE-2026-33815 /
  CVE-2026-33816, memory-safety in the Postgres driver). govulncheck reports
  0 affecting vulnerabilities after the bump.
- ci: pin aquasecurity/trivy-action to commit SHA ed142fd (v0.36.0) instead of
  the mutable @0.28.0 tag (GHSA-69fq-xp46-6x23, brief upstream supply-chain
  compromise). Dependabot now updates the SHA.
- web: bump vitest ^4.0.16 -> ^4.1.0 (lockfile now 4.1.8) for
  GHSA-5xrq-8626-4rwp (Vitest UI server arbitrary file read/exec; dev-only).
This commit is contained in:
tinkle-community
2026-06-05 22:19:27 +08:00
parent 1aea7abc38
commit 220cb7428b
5 changed files with 89 additions and 76 deletions

2
go.mod
View File

@@ -58,7 +58,7 @@ require (
github.com/holiman/uint256 v1.3.2 // indirect
github.com/jackc/pgpassfile v1.0.0 // indirect
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
github.com/jackc/pgx/v5 v5.6.0 // indirect
github.com/jackc/pgx/v5 v5.9.0 // indirect
github.com/jackc/puddle/v2 v2.2.2 // indirect
github.com/jinzhu/inflection v1.0.0 // indirect
github.com/jinzhu/now v1.1.5 // indirect