修正依赖问题

vendor/github.com/jackc/pgx/v5/internal/sanitize/sanitize.go

@@ -35,6 +35,11 @@ func (q *Query) Sanitize(args ...any) (string, error) {
 			str = part
 		case int:
 			argIdx := part - 1
+
+			if argIdx < 0 {
+				return "", fmt.Errorf("first sql argument must be > 0")
+			}
+
 			if argIdx >= len(args) {
 				return "", fmt.Errorf("insufficient arguments")
 			}
@@ -58,6 +63,10 @@ func (q *Query) Sanitize(args ...any) (string, error) {
 				return "", fmt.Errorf("invalid arg type: %T", arg)
 			}
 			argUse[argIdx] = true
+
+			// Prevent SQL injection via Line Comment Creation
+			// https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
+			str = " " + str + " "
 		default:
 			return "", fmt.Errorf("invalid Part type: %T", part)
 		}

vendor/github.com/jackc/pgx/v5/internal/stmtcache/lru_cache.go

@@ -34,7 +34,8 @@ func (c *LRUCache) Get(key string) *pgconn.StatementDescription {
 
 }
 
-// Put stores sd in the cache. Put panics if sd.SQL is "". Put does nothing if sd.SQL already exists in the cache.
+// Put stores sd in the cache. Put panics if sd.SQL is "". Put does nothing if sd.SQL already exists in the cache or
+// sd.SQL has been invalidated and HandleInvalidated has not been called yet.
 func (c *LRUCache) Put(sd *pgconn.StatementDescription) {
 	if sd.SQL == "" {
 		panic("cannot store statement description with empty SQL")
@@ -44,6 +45,13 @@ func (c *LRUCache) Put(sd *pgconn.StatementDescription) {
 		return
 	}
 
+	// The statement may have been invalidated but not yet handled. Do not readd it to the cache.
+	for _, invalidSD := range c.invalidStmts {
+		if invalidSD.SQL == sd.SQL {
+			return
+		}
+	}
+
 	if c.l.Len() == c.cap {
 		c.invalidateOldest()
 	}
@@ -73,10 +81,16 @@ func (c *LRUCache) InvalidateAll() {
 	c.l = list.New()
 }
 
-func (c *LRUCache) HandleInvalidated() []*pgconn.StatementDescription {
-	invalidStmts := c.invalidStmts
+// GetInvalidated returns a slice of all statement descriptions invalidated since the last call to RemoveInvalidated.
+func (c *LRUCache) GetInvalidated() []*pgconn.StatementDescription {
+	return c.invalidStmts
+}
+
+// RemoveInvalidated removes all invalidated statement descriptions. No other calls to Cache must be made between a
+// call to GetInvalidated and RemoveInvalidated or RemoveInvalidated may remove statement descriptions that were
+// never seen by the call to GetInvalidated.
+func (c *LRUCache) RemoveInvalidated() {
 	c.invalidStmts = nil
-	return invalidStmts
 }
 
 // Len returns the number of cached prepared statement descriptions.

vendor/github.com/jackc/pgx/v5/internal/stmtcache/stmtcache.go

@@ -2,18 +2,17 @@
 package stmtcache
 
 import (
-	"strconv"
-	"sync/atomic"
+	"crypto/sha256"
+	"encoding/hex"
 
 	"github.com/jackc/pgx/v5/pgconn"
 )
 
-var stmtCounter int64
-
-// NextStatementName returns a statement name that will be unique for the lifetime of the program.
-func NextStatementName() string {
-	n := atomic.AddInt64(&stmtCounter, 1)
-	return "stmtcache_" + strconv.FormatInt(n, 10)
+// StatementName returns a statement name that will be stable for sql across multiple connections and program
+// executions.
+func StatementName(sql string) string {
+	digest := sha256.Sum256([]byte(sql))
+	return "stmtcache_" + hex.EncodeToString(digest[0:24])
 }
 
 // Cache caches statement descriptions.
@@ -30,8 +29,13 @@ type Cache interface {
 	// InvalidateAll invalidates all statement descriptions.
 	InvalidateAll()
 
-	// HandleInvalidated returns a slice of all statement descriptions invalidated since the last call to HandleInvalidated.
-	HandleInvalidated() []*pgconn.StatementDescription
+	// GetInvalidated returns a slice of all statement descriptions invalidated since the last call to RemoveInvalidated.
+	GetInvalidated() []*pgconn.StatementDescription
+
+	// RemoveInvalidated removes all invalidated statement descriptions. No other calls to Cache must be made between a
+	// call to GetInvalidated and RemoveInvalidated or RemoveInvalidated may remove statement descriptions that were
+	// never seen by the call to GetInvalidated.
+	RemoveInvalidated()
 
 	// Len returns the number of cached prepared statement descriptions.
 	Len() int
@@ -39,19 +43,3 @@ type Cache interface {
 	// Cap returns the maximum number of cached prepared statement descriptions.
 	Cap() int
 }
-
-func IsStatementInvalid(err error) bool {
-	pgErr, ok := err.(*pgconn.PgError)
-	if !ok {
-		return false
-	}
-
-	// https://github.com/jackc/pgx/issues/1162
-	//
-	// We used to look for the message "cached plan must not change result type". However, that message can be localized.
-	// Unfortunately, error code "0A000" - "FEATURE NOT SUPPORTED" is used for many different errors and the only way to
-	// tell the difference is by the message. But all that happens is we clear a statement that we otherwise wouldn't
-	// have so it should be safe.
-	possibleInvalidCachedPlanError := pgErr.Code == "0A000"
-	return possibleInvalidCachedPlanError
-}

vendor/github.com/jackc/pgx/v5/internal/stmtcache/unlimited_cache.go

@@ -54,10 +54,16 @@ func (c *UnlimitedCache) InvalidateAll() {
 	c.m = make(map[string]*pgconn.StatementDescription)
 }
 
-func (c *UnlimitedCache) HandleInvalidated() []*pgconn.StatementDescription {
-	invalidStmts := c.invalidStmts
+// GetInvalidated returns a slice of all statement descriptions invalidated since the last call to RemoveInvalidated.
+func (c *UnlimitedCache) GetInvalidated() []*pgconn.StatementDescription {
+	return c.invalidStmts
+}
+
+// RemoveInvalidated removes all invalidated statement descriptions. No other calls to Cache must be made between a
+// call to GetInvalidated and RemoveInvalidated or RemoveInvalidated may remove statement descriptions that were
+// never seen by the call to GetInvalidated.
+func (c *UnlimitedCache) RemoveInvalidated() {
 	c.invalidStmts = nil
-	return invalidStmts
 }
 
 // Len returns the number of cached prepared statement descriptions.