
dependabot[bot]

@dependabot dependabot bot commented on behalf of github Jul 30, 2025

Bumps github.com/ClickHouse/clickhouse-go/v2 from 2.36.0 to 2.40.1.

Release notes

Sourced from github.com/ClickHouse/clickhouse-go/v2's releases.

v2.40.1

What's Changed

Bug fixes 🐛

Full Changelog: ClickHouse/clickhouse-go@v2.40.0...v2.40.1

v2.40.0

What's Changed

Enhancements 🎉

Bug fixes 🐛

Other Changes 🛠

Full Changelog: ClickHouse/clickhouse-go@v2.39.0...v2.40.0

v2.39.0

What's Changed

Bug fixes 🐛

Read Timeout behavior changes

This bug fix has the potential to affect longer-running queries; ensure you're setting clickhouse.Options ReadTimeout to a reasonable value, and that your context.WithDeadline is also set to a reasonable value. The read timeout will now be applied to all blocks; previously it was only set for the first block.

New Contributors

Full Changelog: ClickHouse/clickhouse-go@v2.38.1...v2.39.0

v2.38.1

What's Changed

Bug fixes 🐛

Full Changelog: ClickHouse/clickhouse-go@v2.38.0...v2.38.1

v2.38.0

... (truncated)

Changelog

Sourced from github.com/ClickHouse/clickhouse-go/v2's changelog.

v2.40.1, 2025-07-30

What's Changed

Bug fixes 🐛

Full Changelog: ClickHouse/clickhouse-go@v2.40.0...v2.40.1

v2.40.0, 2025-07-30

What's Changed

Enhancements 🎉

Bug fixes 🐛

Other Changes 🛠

Full Changelog: ClickHouse/clickhouse-go@v2.39.0...v2.40.0

v2.39.0, 2025-07-23

What's Changed

Bug fixes 🐛

Read Timeout behavior changes

This bug fix has the potential to affect longer-running queries; ensure you're setting clickhouse.Options ReadTimeout to a reasonable value, and that your context.WithDeadline is also set to a reasonable value. The read timeout will now be applied to all blocks; previously it was only set for the first block.

New Contributors

Full Changelog: ClickHouse/clickhouse-go@v2.38.1...v2.39.0

v2.38.1, 2025-07-23

What's Changed

Bug fixes 🐛

Full Changelog: ClickHouse/clickhouse-go@v2.38.0...v2.38.1

v2.38.0, 2025-07-22

What's Changed

Enhancements 🎉

... (truncated)

Commits
  • 7bbaf83 Update release notes
  • 6b6b5b2 Merge pull request #1625 from ClickHouse/stdlib_json_nullable_fix
  • 0bd445c fix: database/sql Nullable(JSON) string scan
  • affd90d Update release notes
  • 500ce05 Merge pull request #1623 from ClickHouse/stdlib_json_scan_string
  • 3fa9e16 Merge pull request #1624 from ClickHouse/fix_nullable_json
  • 487d31d fix min version for json string tests
  • b6978e4 add version check for Nullable(JSON) test
  • 2b866a1 fix: Nullable base types with prefix
  • 783e407 support stdlib scanning json into string/[]byte/json.RawMessage
  • Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot bot added the dependencies and go labels Jul 30, 2025

jazzberry-ai bot commented Jul 30, 2025

Bug Report

Redundant conn.SetMaxOpenConns call | Low | db.go | The code sets conn.SetMaxOpenConns(5) twice, which is redundant.

Comments? Email us.

@dependabot dependabot bot force-pushed the dependabot/go_modules/core/github.com/ClickHouse/clickhouse-go/v2-2.40.1 branch from 39089ee to 1ab7c5a on July 31, 2025 13:10

jazzberry-ai bot commented Jul 31, 2025

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| Redundant SetMaxOpenConns | Low | Inspect the db.go file | The code sets conn.SetMaxOpenConns(5) twice in a row, which is redundant and suggests a lack of attention to detail. |
| Missing Primary Key Constraint | Medium | Create a table with a 'primary' column | The generated CREATE TABLE query only specifies the ORDER BY clause but does not explicitly define a primary key constraint, which could lead to data integrity issues. |


@dependabot dependabot bot force-pushed the dependabot/go_modules/core/github.com/ClickHouse/clickhouse-go/v2-2.40.1 branch from 1ab7c5a to e17828d on August 5, 2025 22:35

jazzberry-ai bot commented Aug 5, 2025

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| Incorrect column type retrieved during data export | Medium | Create two tables in different schemas with the same column name but different data types. Export data from one of the tables. The exported data may have incorrect data types for the common column. | The ExportData function in core/src/plugins/clickhouse/export.go retrieves column information from system.columns without including the table name in the SELECT statement. This can lead to incorrect column types being associated with column names if the same column name exists in multiple tables with different data types. This could lead to data corruption or unexpected errors during export. |


@dependabot dependabot bot force-pushed the dependabot/go_modules/core/github.com/ClickHouse/clickhouse-go/v2-2.40.1 branch from e17828d to 85285a1 on August 5, 2025 22:36

jazzberry-ai bot commented Aug 5, 2025

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| SQL Injection in EscapeIdentifier | High | Create a table with a column name containing a single quote: test'column. Attempt to export data from this table. Observe that the generated SQL query is vulnerable to SQL injection. | The EscapeIdentifier function in export.go is not robust enough to prevent SQL injection in all cases. It only escapes backticks, which might not be sufficient to handle all malicious characters in identifiers. |


@dependabot dependabot bot force-pushed the dependabot/go_modules/core/github.com/ClickHouse/clickhouse-go/v2-2.40.1 branch from 85285a1 to 3b93a57 on August 6, 2025 18:49

jazzberry-ai bot commented Aug 6, 2025

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| Potential issue with ConnOpenStrategy | Medium | Connect to a ClickHouse instance. | The ConnOpenInOrder option in clickhouse.Options might be deprecated or changed in clickhouse-go v2.40.1. This could prevent the application from establishing connections to the ClickHouse database. It is used in core/src/plugins/clickhouse/db.go. |


@dependabot dependabot bot force-pushed the dependabot/go_modules/core/github.com/ClickHouse/clickhouse-go/v2-2.40.1 branch from 3b93a57 to 972d230 on August 6, 2025 18:52

jazzberry-ai bot commented Aug 6, 2025

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| ClickHouse Compression Configuration | Medium | Configure ClickHouse plugin with HTTP protocol enabled. | The clickhouse.CompressionLZ4 and clickhouse.CompressionGZIP constants or the way compression is configured might have changed in the updated clickhouse-go library. |
| ClickHouse Settings Configuration | Medium | Configure ClickHouse plugin with readonly or max_execution_time settings. | The structure and validity of the clickhouse.Settings struct and its readonly and max_execution_time fields might have changed in the updated clickhouse-go library. |
| ClickHouse SSLMode Configuration | Medium | Configure ClickHouse plugin with SSLMode enabled. | The way TLS configuration is handled could have been updated in the new clickhouse-go library. |


@dependabot dependabot bot force-pushed the dependabot/go_modules/core/github.com/ClickHouse/clickhouse-go/v2-2.40.1 branch from 972d230 to 5da84a5 on August 18, 2025 17:13

jazzberry-ai bot commented Aug 18, 2025

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| ClickHouse SQL Injection in ExportData | High | Provide a crafted schema or storageUnit string containing special characters or SQL commands to the ExportData function. | The ExportData function in export.go constructs a SELECT query using fmt.Sprintf and escapes identifiers using EscapeIdentifier. However, there's no input validation on the schema and storageUnit variables before they are passed to ExportData, which could lead to SQL injection. |


@dependabot dependabot bot force-pushed the dependabot/go_modules/core/github.com/ClickHouse/clickhouse-go/v2-2.40.1 branch from 5da84a5 to 3b0a80d on August 20, 2025 19:24

jazzberry-ai bot commented Aug 20, 2025

Bug Report

Name: SQL Injection Vulnerability in Graph Query
Severity: High
Example test case: Provide a malicious schema name containing SQL code, such as "; DROP TABLE users; --".
Description: The GetGraphQueryDB function in core/src/plugins/clickhouse/graph.go is vulnerable to SQL injection. The schema variable, which is user-controlled, is directly injected into the graphQuery without proper escaping. This allows an attacker to execute arbitrary SQL code, potentially compromising the database.

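The three reports above (EscapeIdentifier, the unvalidated schema/storageUnit inputs to ExportData, and the schema in graph.go) all concern identifiers that end up inside SQL text, where parameter binding is not available. The block below is an added example, not code from this repository or from clickhouse-go: it quotes a ClickHouse identifier with backticks while escaping backslashes as well as backticks (inside a quoted ClickHouse identifier a backslash starts an escape sequence, so a trailing backslash would otherwise swallow the closing backtick), and validates schema and table names against `identPattern`, a hypothetical allowlist assumed for this example, before quoting them.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// identPattern is a hypothetical allowlist for schema and table names used by
// this example; it is a conservative policy, not the project's own rule.
var identPattern = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,127}$`)

var errBadIdentifier = errors.New("identifier rejected by allowlist")

// QuoteIdentifier wraps name in backticks and escapes the two characters that
// can break out of a backtick-quoted ClickHouse identifier: the backslash,
// which starts an escape sequence, and the backtick itself. Backslashes are
// doubled first so the escape added for a backtick is not escaped again. A
// single quote inside backticks is literal data and needs no treatment.
func QuoteIdentifier(name string) string {
	escaped := strings.ReplaceAll(name, `\`, `\\`)
	escaped = strings.ReplaceAll(escaped, "`", "\\`")
	return "`" + escaped + "`"
}

// BuildExportQuery stands in for the SELECT the report describes: both
// identifiers must pass the allowlist before they are quoted, so quoting is
// the second line of defence rather than the only one.
func BuildExportQuery(schema, table string) (string, error) {
	for _, id := range []string{schema, table} {
		if !identPattern.MatchString(id) {
			return "", fmt.Errorf("%w: %q", errBadIdentifier, id)
		}
	}
	return fmt.Sprintf("SELECT * FROM %s.%s", QuoteIdentifier(schema), QuoteIdentifier(table)), nil
}

func main() {
	// Constructed inputs: the report's test'column, a name ending in a backslash,
	// a name with a backtick, and the schema string from the graph.go report,
	// which the allowlist rejects before it reaches the query.
	for _, name := range []string{"test'column", `trailing\`, "a`b"} {
		fmt.Println(QuoteIdentifier(name))
	}
	_, err := BuildExportQuery("analytics", "; DROP TABLE users; --")
	fmt.Println(err)
}
```

Because identifiers cannot be bound as query parameters, an allowlist of names the application already knows (for instance its own schema inventory) is the primary control and quoting is the fallback; the regex here only stands in for that inventory.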

Bumps [github.com/ClickHouse/clickhouse-go/v2](https://github.com/ClickHouse/clickhouse-go) from 2.36.0 to 2.40.1.
- [Release notes](https://github.com/ClickHouse/clickhouse-go/releases)
- [Changelog](https://github.com/ClickHouse/clickhouse-go/blob/main/CHANGELOG.md)
- [Commits](ClickHouse/clickhouse-go@v2.36.0...v2.40.1)

---
updated-dependencies:
- dependency-name: github.com/ClickHouse/clickhouse-go/v2
  dependency-version: 2.40.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/go_modules/core/github.com/ClickHouse/clickhouse-go/v2-2.40.1 branch from 3b0a80d to 01f85ef on August 21, 2025 15:23

jazzberry-ai bot commented Aug 21, 2025

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| Formula Injection in ClickHouse Data Export | Medium | Create a ClickHouse table with a column containing the value =SYSTEM("calc"). Export the table data to a CSV file. Open the CSV file in a spreadsheet application. | The EscapeFormula function in core/src/common/csv.go is not sufficient to prevent formula injection. An attacker could craft malicious data that, when exported and opened in a spreadsheet application, could execute arbitrary code or disclose sensitive information. |

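The report above concerns CSV cells that a spreadsheet evaluates as formulas on import. The block below is an added example, not the project's EscapeFormula from core/src/common/csv.go: it prefixes a single quote to any cell whose first non-space character is one of the formula trigger characters (=, +, -, @, tab, carriage return), leaves plain numbers such as -5 untouched so numeric columns survive the export, and hands quoting to encoding/csv so embedded commas and quotes cannot split a record.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"fmt"
	"regexp"
	"strings"
)

// formulaTriggers are the leading characters a spreadsheet treats as the
// start of a formula or DDE expression when it imports CSV.
const formulaTriggers = "=+-@\t\r"

// plainNumber matches an optional sign, digits and at most one dot, so that
// "-5" stays numeric while "-1+1" is treated as an expression.
var plainNumber = regexp.MustCompile(`^[+-]?(\d+\.?\d*|\.\d+)$`)

// NeutralizeCell prefixes a single quote when the first non-space character
// is a trigger and the value is not a plain number, so the cell imports as
// text. Added illustration, not the project's EscapeFormula.
func NeutralizeCell(v string) string {
	t := strings.TrimLeft(v, " ")
	if t == "" || !strings.ContainsRune(formulaTriggers, rune(t[0])) || plainNumber.MatchString(t) {
		return v
	}
	return "'" + v
}

// WriteSafeCSV neutralizes every cell; encoding/csv then quotes commas, quotes
// and newlines so they cannot split or inject a record.
func WriteSafeCSV(rows [][]string) (string, error) {
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	for _, row := range rows {
		safe := make([]string, len(row))
		for i, cell := range row {
			safe[i] = NeutralizeCell(cell)
		}
		if err := w.Write(safe); err != nil {
			return "", err
		}
	}
	w.Flush()
	return buf.String(), w.Error()
}

func main() {
	// Constructed rows: the report's payload, a negative number, a comma value.
	out, err := WriteSafeCSV([][]string{{"1", `=SYSTEM("calc")`, "-5"}, {"2", "a, b", "+1+1"}})
	fmt.Println(out, err)
}
```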


dependabot bot commented on behalf of github Sep 15, 2025

Superseded by #623.

@dependabot dependabot bot closed this Sep 15, 2025
@dependabot dependabot bot deleted the dependabot/go_modules/core/github.com/ClickHouse/clickhouse-go/v2-2.40.1 branch September 15, 2025 17:27