github Basekick-Labs/arc v26.04.1
Arc 26.04.1
on GitHub

7 hours ago

Performance

  • Native DuckDB Arrow query path — bypasses database/sql row scanning entirely; results read as Arrow record batches directly from DuckDB.
    • JSON endpoint: +59% (1.43M → 2.28M rows/sec)
    • Arrow IPC endpoint: +157% (2.45M → 6.29M rows/sec)
    • Tested on 1.88B row dataset
  • Typed JSON streaming serialization — zero-allocation streaming writer replaces json.Marshal. ~8KB constant memory regardless of result size. 2.3x faster serialization, 99.9% fewer allocations
  • Basekick-Labs/msgpack v6 — lower-allocation decode path
    • Sustained throughput: 16.78M → 18.23M rec/s
    • 60s degradation: 22% → 13%

Security

⚠️ Update recommended. See RBAC fix below.

  • RBAC write permission bypass fixedCheckWritePermissions used wrong context key ("token" vs "token_info"), silently bypassing all RBAC write restrictions. Update immediately if running RBAC.
  • Token privilege escalation fixed — Token create/update API now validates permission strings
  • RequireAdmin middleware added to all mutating endpoints (continuous queries, delete, retention policies, compaction, scheduler)
  • WAL reader OOM — payload length now validated before allocation on corrupt WAL
  • MessagePack decoder data race — non-atomic totalDecoded/totalErrors counters fixed
  • Ingestion buffer Close() race — iterator/lock race during shutdown fixed
  • MQTT /stats and /health endpoints now require authentication
  • ARC_DATABASE_MEMORY_LIMIT SQL injection — value now validated against allowlist before being passed to DuckDB SET
  • Delete WHERE clause hardened — blocks UNION, SELECT, CREATE, COPY, ATTACH, LOAD, PRAGMA, CALL, SET
  • Temp directory permissions — changed from 0755 to 0700

New Features

  • Automatic compaction deduplication — last-write-wins on identical tag+timestamp combinations. Zero config, zero overhead when no duplicates exist. Tag columns auto-detected from arc:tags Parquet metadata written at ingestion time
  • Decimal128 type support — native Parquet DECIMAL for financial/scientific precision. Configure via ARC_INGEST_DECIMAL_COLUMNS (format: measurement:col=precision,scale)
  • S3 path prefix (ARC_STORAGE_S3_PREFIX) — prepends a prefix to all S3 operations for shared-bucket multi-tenant isolation
  • Bootstrap token (ARC_AUTH_BOOTSTRAP_TOKEN) — set a known admin token at deploy time instead of catching a random one from startup logs
  • Auth recovery (ARC_AUTH_FORCE_BOOTSTRAP) — adds a arc-recovery admin token without removing existing tokens
  • WAL drops metricarc_wal_dropped_entries_total Prometheus counter for real-time alerting. Buffer size configurable via ARC_WAL_BUFFER_SIZE
  • Slow query logging — configurable threshold via ARC_QUERY_SLOW_QUERY_THRESHOLD_MS. Logs SQL, execution time, row count, token name at WARN level. Prometheus counter: arc_slow_queries_total

Bug Fixes

  • Hourly compaction race with active ingestion — compaction now enforces a 1-hour minimum file age before compacting. Default config corrected: hourly_min_age_hours = 1, hourly_min_files = 10
  • CQ scheduler reload on update — continuous query updates now immediately reload the scheduler. Previously required a restart
  • Atomic CQ execution recording — execution state + last_processed_time now wrapped in a SQLite transaction, preventing duplicate or missing windows on failure
  • S3 delete-rewrite OOM — now streams through temp file instead of loading entire Parquet files into memory
  • Backup restore OOM — same fix: large Parquet files streamed instead of fully loaded
  • Token expiration display — non-expiring tokens no longer show as "Expired". Changed ExpiresAt from time.Time to *time.Time
  • Auth bootstrap TOCTOU race — initial admin token creation replaced with INSERT ... WHERE NOT EXISTS (safe under concurrent startup)
  • Helm: deployment strategy defaults to Recreate — fixes RollingUpdate deadlock with single replica + ReadWriteOnce PVC

Dependencies

Package From To Notable fixes
DuckDB (duckdb-go) 1.4.3 1.4.4 Parquet UTF-8 string stats tolerance, Arrow string view pushdown correctness, mode() use-after-free, S3 credential secure clear
Arrow Go v18.4.1 v18.5.2 Large string Parquet write corruption fix, decompression regression fix, GC pressure reduction
gRPC 1.79.1 1.79.3 Authorization bypass fix for malformed :path headers missing leading slash

How to Update

Docker: 

docker pull ghcr.io/basekick-labs/arc:26.04.1

Helm: 

helm upgrade arc https://github.com/Basekick-Labs/arc/releases/download/v26.04.1/arc-26.04.1.tgz

Config check: If running the default arc.toml, update your hourly compaction settings: 

[compaction]
hourly_min_age_hours = 1   # was 0
hourly_min_files = 10      # was 5

What's Changed

  • feat(auth): add ARC_AUTH_BOOTSTRAP_TOKEN and ARC_AUTH_FORCE_BOOTSTRAP for predictable deployments and recovery by @xe-nvdk in #360
  • fix(helm): default deployment strategy to Recreate for RWO volume compatibility by @xe-nvdk in #361
  • fix(security): restrict temp file permissions and validate memory_limit by @xe-nvdk in #368

Full Changelog: v26.03.2...v26.04.1

📖 Full release blog post · Documentation · Discord

Check out latest releases or
releases around Basekick-Labs/arc v26.04.1

Don't miss a new arc release

NewReleases is sending notifications on new releases.

Get notifications