Bump pgx version to v5#277

Open: dsychin wants to merge 1 commit into stripe:main from dsychin:bump-pgx-v5

Conversation

@dsychin dsychin commented Apr 23, 2026

Description

Increase the version of jackc/pgx from v4 to v5.

Version 4 of pgx is EOL as of July 1, 2025.

Motivation

pgx/v4 depends on the archived jackc/pgproto3/v2 and has an active security advisory GHSA-jqcq-xjh3-6g23.

The latest version, which has moved into the pgx repo, does not have this vulnerability.

Testing

Ran the docker test container and the test pipeline on my forked repo.

cla-assistant Bot commented Apr 23, 2026

CLA assistant check
All committers have signed the CLA.

@dsychin dsychin changed the title bump pgx version to v5 Bump pgx version to v5 Apr 23, 2026
mado-m commented May 15, 2026

Thanks @dsychin for putting this up.

We're a downstream user of pg-schema-diff and are running into the same problem from the consumer side. Because pg-schema-diff pulls in github.com/jackc/pgx/v4 as a direct dependency, our go.mod ends up with pgx/v4 as an indirect dependency even though we don't import it ourselves.

This is currently causing two concrete issues for us:

1. Renovate keeps opening a vulnerability PR for pgx/v4 (CVE-2026-41889 / GHSA-j88v-2chj-qfwx) which we can't merge: go mod tidy reverts the bump back to v4 as long as pg-schema-diff requires it.
2. pgx/v4 has been EOL since July 1, 2025, so we can no longer expect security fixes there.

Getting this PR merged would unblock the v5 upgrade for everyone who consumes pg-schema-diff transitively. Is there anything we can help with to move this forward (rebase, additional tests, CI fixes, etc.)? Happy to contribute if it helps.
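The situation described in the comment above, where a module you never import stays in your build list because a direct dependency requires it, is easiest to diagnose from `go mod graph` output, whose lines are pairs of "module requirement" nodes (the main module unversioned, everything else as path@version). The following is an added example, not code from pg-schema-diff or from either commenter: it parses a constructed, hypothetical graph listing (module paths mirror the thread, versions are placeholders, and example.com/consumer is an assumed consumer module) and reports every require chain that leads to pgx/v4 plus the direct requirements that pin it, which are the go.mod lines that have to change before `go mod tidy` will let it go.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleGraph is a constructed `go mod graph` listing for a hypothetical
// consumer of pg-schema-diff. Versions are placeholders, not real releases.
const sampleGraph = `example.com/consumer github.com/stripe/pg-schema-diff@v0.1.0
example.com/consumer github.com/jackc/pgx/v5@v5.0.0
github.com/stripe/pg-schema-diff@v0.1.0 github.com/jackc/pgx/v4@v4.0.0
github.com/jackc/pgx/v4@v4.0.0 github.com/jackc/pgproto3/v2@v2.0.0
github.com/jackc/pgx/v5@v5.0.0 github.com/jackc/puddle/v2@v2.0.0
`

// parseGraph turns `go mod graph` output ("A@vX B@vY" per line, main module
// unversioned) into an adjacency list keyed by the exact node string.
func parseGraph(out string) map[string][]string {
	g := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue // blank or malformed line
		}
		g[f[0]] = append(g[f[0]], f[1])
	}
	return g
}

// modulePath strips the @version suffix from a graph node.
func modulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// requireChains returns every require chain from root to a node whose module
// path equals target; each chain is a list of module paths without versions.
// Cycles in the graph are guarded by the seen set.
func requireChains(g map[string][]string, root, target string) [][]string {
	var chains [][]string
	var walk func(node string, path []string, seen map[string]bool)
	walk = func(node string, path []string, seen map[string]bool) {
		path = append(path, modulePath(node))
		if modulePath(node) == target {
			chains = append(chains, append([]string(nil), path...))
			return
		}
		if seen[node] {
			return
		}
		seen[node] = true
		for _, dep := range g[node] {
			walk(dep, path, seen)
		}
		delete(seen, node)
	}
	walk(root, nil, map[string]bool{})
	return chains
}

// directCulprits lists the root's direct requirements through which target is
// reachable: bumping or replacing these is what actually removes target.
func directCulprits(g map[string][]string, root, target string) []string {
	set := map[string]bool{}
	for _, chain := range requireChains(g, root, target) {
		if len(chain) > 1 {
			set[chain[1]] = true
		}
	}
	out := make([]string, 0, len(set))
	for m := range set {
		out = append(out, m)
	}
	sort.Strings(out)
	return out
}

func main() {
	const root, target = "example.com/consumer", "github.com/jackc/pgx/v4"
	g := parseGraph(sampleGraph)
	for _, c := range requireChains(g, root, target) {
		fmt.Println(strings.Join(c, " -> "))
	}
	fmt.Println("direct dependencies to bump or replace:", directCulprits(g, root, target))
}
```

Against the sample graph this prints a single chain, example.com/consumer -> github.com/stripe/pg-schema-diff -> github.com/jackc/pgx/v4, and names pg-schema-diff as the only direct culprit; pgx/v5, which the consumer imports itself, is not implicated. On a real checkout, `go mod graph | go run thisfile.go` with the constant swapped for stdin would give the same answer as `go mod why -m github.com/jackc/pgx/v4`, but the graph walk also enumerates every chain rather than one.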

2 participants