Release steampipe-postgres-fdw v2.2.4 #675
Merged
pgx/v5 was resolved to v5.7.3 (indirect, via steampipe/v2 -> steampipeconfig). CVE-2026-41889 (GHSA-j88v-2chj-qfwx) is fixed in pgx v5.9.2.

- go get github.com/jackc/pgx/v5@v5.9.2 && go mod tidy
- Explicit `// indirect` pin at v5.9.2 retained in go.mod so the FDW artifact asserts the security floor regardless of what the upstream steampipe/pipe-fittings requires resolve to (Vanta scans this artifact directly).

No FDW code imports pgx; risk is compile-only. Non-CGo packages (including hub, the only pgx-reachable package) build clean at v5.9.2.
* fix: honour statement_timeout when a plugin call hangs (#671)

  Bridge Postgres cancellation into the iterator's Go context so a hung plugin gRPC stream no longer leaves the backend stuck `active` with locks held and statement_timeout never firing.

  Changes:
  - fdw/fdw_helpers.h: add fdw_query_cancel_pending() which reads QueryCancelPending || ProcDiePending. These are volatile sig_atomic_t globals, safe to read from a Go-scheduled goroutine.
  - hub/cancel.go: small package-level setter (SetQueryCancelChecker) so the cgo layer can register the check function without forcing a cgo dependency on the hub package.
  - hub/scan_iterator_base.go: spawn watchForCancellation goroutine alongside readThread in Start(); it polls every 250ms and calls i.cancel() on observed cancellation, exiting naturally when the scan ends.
  - hub/scan_iterator_base.go: buffer the rcvChan / errChan in readPluginResult by 1 so the inner Recv() goroutine can complete its send and exit when the outer select returns via ctx.Done() — closes a pre-existing goroutine leak on every cancelled scan.
  - fdw.go: register the cgo-backed checker after CreateHub() in init().

  Closes #671.

* review: skip watchForCancellation when no checker is registered

  Per Copilot review on #672 — when the hub is used outside the FDW cgo init (e.g. unit tests, or non-cgo consumers), no cancellation checker is ever installed and the watcher just polls forever doing nothing. Early-return in that case so the goroutine exits immediately rather than accumulating idle tickers per scan.

  Adds queryCancelCheckerConfigured() to hub/cancel.go and a guard at the top of watchForCancellation.

* v2.2.4

---------

Co-authored-by: Victor Hadianto <victor@turbot.com>
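The cancellation bridge and the channel-buffering fix described in the commit message above, as an added Go sketch that is not the project's code. The function names echo the commit message, but the bodies, the timestamp standing in for the Postgres cancel flag, the `buf` parameter and the shortened poll interval (5ms instead of 250ms) are assumptions made for the demonstration.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// watchForCancellation polls check and cancels the scan context once it reports true.
func watchForCancellation(ctx context.Context, cancel context.CancelFunc, check func() bool, every time.Duration) {
	for check != nil && ctx.Err() == nil { // no checker registered, or scan over: exit
		if check() {
			cancel()
		}
		time.Sleep(every)
	}
}

// readResult waits for one recv() or for ctx; exited closes when the inner goroutine ends.
func readResult(ctx context.Context, recv func() string, buf int) (string, <-chan struct{}, error) {
	rcv, exited := make(chan string, buf), make(chan struct{})
	go func() {
		defer close(exited)
		rcv <- recv() // unbuffered: blocks forever once the select below has returned
	}()
	select {
	case <-ctx.Done():
		return "", exited, ctx.Err()
	case r := <-rcv:
		return r, exited, nil
	}
}

// runScan is a constructed scenario: the stream hangs until cancelled, cancel is flagged 20ms in.
func runScan(buf int) (cancelled, innerExited bool) {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	flagged := time.Now().Add(20 * time.Millisecond) // stand-in for the Postgres cancel flag
	go watchForCancellation(ctx, cancel, func() bool { return time.Now().After(flagged) }, 5*time.Millisecond)
	_, exited, err := readResult(ctx, func() string { <-ctx.Done(); return "" }, buf)
	select {
	case <-exited:
		innerExited = true
	case <-time.After(300 * time.Millisecond): // still blocked on its send: leaked
	}
	return err == context.Canceled, innerExited
}

func main() { fmt.Println(runScan(0)); fmt.Println(runScan(1)) } // true false, then true true
```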
SumitPopat approved these changes Jun 1, 2026
Merge release branch `v2.2.x` into `main`. Brings the released security fixes (incl. pgx v5.9.2 for the pgx CVE) onto `main`.