dependabot[bot] opened a new pull request, #4191: URL: https://github.com/apache/arrow-adbc/pull/4191
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.48.0 to 1.48.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md">modernc.org/sqlite's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <ul> <li> <p>2026-04-06 v1.48.2:</p> <ul> <li>Fix ABI mapping mismatch in the pre-update hook trampoline that caused silent truncation of large 64-bit RowIDs.</li> <li>Ensure the Go trampoline signature correctly aligns with the public <code>sqlite3_preupdate_hook</code> C API, preventing data corruption for high-entropy keys (e.g., Snowflake IDs).</li> <li>See <a href="https://gitlab.com/cznic/sqlite/-/merge_requests/98">GitLab merge request #98</a>, thanks Josh Bleecher Snyder!</li> <li>Fix the memory allocator used in <code>(*conn).Deserialize</code>.</li> <li>Replace <code>tls.Alloc</code> with <code>sqlite3_malloc64</code> to prevent internal allocator corruption. 
This ensures the buffer is safely owned by SQLite, which may resize or free it due to the <code>SQLITE_DESERIALIZE_RESIZEABLE</code> and <code>SQLITE_DESERIALIZE_FREEONCLOSE</code> flags.</li> <li>Prevent a memory leak by properly freeing the allocated buffer if fetching the main database name fails before handing ownership to SQLite.</li> <li>See <a href="https://gitlab.com/cznic/sqlite/-/merge_requests/100">GitLab merge request #100</a>, thanks Josh Bleecher Snyder!</li> <li>Fix <code>(*conn).Deserialize</code> to explicitly reject <code>nil</code> or empty byte slices.</li> <li>Prevent silent database disconnection and connection pool corruption caused by SQLite's default behavior when <code>sqlite3_deserialize</code> receives a 0-length buffer.</li> <li>See <a href="https://gitlab.com/cznic/sqlite/-/merge_requests/101">GitLab merge request #101</a>, thanks Josh Bleecher Snyder!</li> <li>Fix <code>commitHookTrampoline</code> and <code>rollbackHookTrampoline</code> signatures by removing the unused <code>pCsr</code> parameter.</li> <li>Aligns internal hook callbacks accurately with the underlying SQLite C API, cleaning up the code to prevent potential future confusion or bugs.</li> <li>See <a href="https://gitlab.com/cznic/sqlite/-/merge_requests/102">GitLab merge request #102</a>, thanks Josh Bleecher Snyder!</li> <li>Fix <code>checkptr</code> instrumentation failures during <code>go test -race</code> when registering and using virtual tables (<code>vtab</code>).</li> <li>Allocate <code>sqlite3_module</code> instances using the C allocator (<code>libc.Xcalloc</code>) instead of the Go heap. 
This ensures transpiled C code can safely perform pointer operations on the struct without tripping Go's pointer checks.</li> <li>See <a href="https://gitlab.com/cznic/sqlite/-/merge_requests/103">GitLab merge request #103</a>, thanks Josh Bleecher Snyder!</li> <li>Fix data race on <code>mutex.id</code> in the <code>mutexTry</code> non-recursive path.</li> <li>Ensure consistent atomic writes (<code>atomic.StoreInt32</code>) to prevent data races with atomic loads in <code>mutexHeld</code> and <code>mutexNotheld</code> during concurrent execution.</li> <li>See <a href="https://gitlab.com/cznic/sqlite/-/merge_requests/104">GitLab merge request #104</a>, thanks Josh Bleecher Snyder!</li> <li>Fix resource leak in <code>(*Backup).Commit</code> where the destination connection was not closed on error.</li> <li>Ensure <code>dstConn</code> is properly closed when <code>sqlite3_backup_finish</code> fails, preventing file descriptor, TLS, and memory leaks.</li> <li>See <a href="https://gitlab.com/cznic/sqlite/-/merge_requests/105">GitLab merge request #105</a>, thanks Josh Bleecher Snyder!</li> <li>Fix <code>Exec</code> to fully drain rows when encountering <code>SQLITE_ROW</code>, preventing silent data loss in DML statements.</li> <li>Previously, <code>Exec</code> aborted after the first row, meaning <code>INSERT</code>, <code>UPDATE</code>, or <code>DELETE</code> statements with a <code>RETURNING</code> clause would fail to process subsequent rows. 
The execution path now correctly loops until <code>SQLITE_DONE</code> and properly respects context cancellations during the drain loop, fully aligning with native C <code>sqlite3_exec</code> semantics.</li> <li>See <a href="https://gitlab.com/cznic/sqlite/-/merge_requests/106">GitLab merge request #106</a>, thanks Josh Bleecher Snyder!</li> <li>Fix "Shadowed err value (stmt.go)".</li> <li>See <a href="https://gitlab.com/cznic/sqlite/-/work_items/249">GitLab issue #249</a>, thanks Emrecan BATI!</li> <li>Fix silent omission of virtual table savepoint callbacks by correctly setting the sqlite3_module version.</li> <li>See <a href="https://gitlab.com/cznic/sqlite/-/merge_requests/107">GitLab merge request #107</a>, thanks Josh Bleecher Snyder!</li> <li>Fix <code>vfsRead</code> to properly handle partial and fragmented reads from <code>io.Reader</code>.</li> <li>Replace <code>f.Read</code> with <code>io.ReadFull</code> to ensure the buffer is fully populated, preventing premature <code>SQLITE_IOERR_SHORT_READ</code> errors on valid mid-stream partial reads. 
Unread tail bytes at EOF are now efficiently zero-filled using the built-in <code>clear</code> function.</li> <li>See <a href="https://gitlab.com/cznic/sqlite/-/merge_requests/108">GitLab merge request #108</a>, thanks Josh Bleecher Snyder!</li> <li>Refactor internal error formatting to safely handle uninitialized or closed database pointers.</li> <li>Prevent a misleading "out of memory" error message when an operation fails and the underlying SQLite database handle is <code>NULL</code> (<code>db == 0</code>).</li> <li>See <a href="https://gitlab.com/cznic/sqlite/-/merge_requests/109">GitLab merge request #109</a>, thanks Josh Bleecher Snyder!</li> </ul> </li> <li> <p>2026-04-03 v1.48.1:</p> <ul> <li>Fix memory leaks and double-free vulnerabilities in the multi-statement query execution path.</li> <li>Ensure bind-parameter allocations are reliably freed via strict ownership transfer if an error occurs mid-loop or if multiple statements bind parameters.</li> <li>Fix a resource leak where a subsequent statement's error could orphan a previously generated <code>rows</code> object without closing it, leaking the prepared statement handle.</li> <li>See <a href="https://gitlab.com/cznic/sqlite/-/merge_requests/96">GitLab merge request #96</a>, thanks Josh Bleecher Snyder!</li> </ul> </li> <li> <p>2026-03-27 v1.48.0:</p> <ul> <li>Add <code>_timezone</code> DSN query parameter to apply IANA timezones (e.g., "America/New_York") to both reads and writes.</li> <li>Writes will convert <code>time.Time</code> values to the target timezone before formatting as a string.</li> <li>Reads will interpret timezone-less strings as being in the target 
timezone.</li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://gitlab.com/cznic/sqlite/commit/51d1f91256bcb466efed1dd68e0cba740727b64c"><code>51d1f91</code></a> CHANGELOG.md: document v1.48.1...</li> <li><a href="https://gitlab.com/cznic/sqlite/commit/50a8b7f6450f1beb34a8e4e5455c3d70226d5c29"><code>50a8b7f</code></a> CHANGELOG.md: document v1.48.1</li> <li><a href="https://gitlab.com/cznic/sqlite/commit/60500243df654c8ef068a91517de0ec30bc34a44"><code>6050024</code></a> Merge branch 'multi-stmt-double-free' into 'master'</li> <li><a href="https://gitlab.com/cznic/sqlite/commit/ef93ba85ea85f92ab04b4a51ff501dfd4b7e4667"><code>ef93ba8</code></a> improve memory safety of allocs in stmt.query</li> <li><a href="https://gitlab.com/cznic/sqlite/commit/2a97c686c0d08529ca1138200bf6afe3d8dda66b"><code>2a97c68</code></a> add conn.freeAllocs</li> <li>See full diff in <a href="https://gitlab.com/cznic/sqlite/compare/v1.48.0...v1.48.1">compare view</a></li> </ul> </details>
