github dolthub/dolt v1.83.7
1.83.7
on GitHub

8 hours ago

Merged PRs

dolt

  • 10702: Special handling of comment delimiters in StreamScanner
    fixes #10694
  • 10700: Fix Dolt table function privilege checks when current database is revision-qualified
    MySQL privilege grants are stored against the base database name, so when a user called a Dolt table function with mydb/revision as the current database, the privilege check looked up the revision-qualfied name instead of mydb.
    • Update dolt_schema_diff, dolt_diff, dolt_diff_stat, dolt_diff_summary, dolt_log, dolt_patch, dolt_preview_merge_conflicts, dolt_preview_merge_conflicts_summary, and dolt_query_diff to strip revision qualifier before performing privilege checks.
      Fix #10695
      Companion dolthub/docs#2804
  • 10696: go: doltcore/sqle: database_provider.go: Fix a deadlock in DROP DATABASE.
    A lock-acquisition order error could cause DROP DATABASE to conflict on lock acquisition with a DoltSession's own Mutex. The result was that all sessions would then block indefinitely and irrecoverably on trying to access any database loaded in the server.
    This changes the order of operations and the lock acquisition sequencing to not dead lock.
    Note: finalization of DROP DATABASE with regards to sessions and ongoing queries which may be accessing the database is still somewhat lacking. To be improved in the future.
    Fixes: #10692.
  • 10691: Have fsTablePersister implement movingTableFilePersister
    The movingTableFilePersister interface is for tablePersister implementations that build a temporary table file and have the ability to move the temporary file into the final location instead of copying the contents into a new one.
    #9118 added support for persisting archive files. As part of this change, the signature of a method on movingTableFilePersister was changed to accept the more generic GenericTableWriter interface instead of the more specific CmpChunkTableWriter.
    Unfortunately, the signature was not also updated on the fsTablePersister implementation, resulting in it no longer implementing the interface. As a result, we lost the ability move table files during garbage collection. This had no impact on correctness, but potentially had a performance impact.
    This PR fixes this issue.
  • 10690: /go/{cmd,libraries} check for valid dbs, close opened dbs on error
  • 10689: /{dist,package-lock.json}: rebuild dist
  • 10683: Bump undici from 6.23.0 to 6.24.0 in /.github/actions/ses-email-action
    Bumps undici from 6.23.0 to 6.24.0.
    Release notes

    Sourced from undici's releases.

    v6.24.0

    Undici v6.24.0 Security Release Notes (LTS)

    This release backports fixes for security vulnerabilities affecting the v6 line.

    Upgrade guidance

    All users on v6 should upgrade to v6.24.0 or later.

    Fixed advisories

    • GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
      Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

    • GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
      Malicious WebSocket 64-bit frame length handling could crash the client.

    • GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
      CRLF injection via the upgrade option.

    • GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
      Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

    • GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
      Unbounded memory consumption in WebSocket permessage-deflate decompression.

    Not applicable to v6

    Affected and patched ranges (v6)

    • CVE-2026-1525: affected < 6.24.0, patched 6.24.0
    • CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
    • CVE-2026-1527: affected < 6.24.0, patched 6.24.0
    • CVE-2026-2229: affected < 6.24.0, patched 6.24.0
    • CVE-2026-1526: affected < 6.24.0, patched 6.24.0

    References

    Commits
    • 8873c94 Bumped v6.24.0
    • 411bd01 test(websocket): use node:assert for Node 18 compatibility
    • 844bf59 test: fix http2 lint regressions in backport
    • a444e4f test: stabilize h2 and tls-cert-leak under current test runner
    • dc032a1 fix: h2 CI (#4395)
    • 4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
    • 7df6442 fix: adapt websocket frame-limit handling for v6 parser
    • 4e0179a fix: reject duplicate content-length and host headers
    • 5a97f08 Fix websocket 64-bit length overflow
    • e43e898 fix: validate upgrade header to prevent CRLF injection
    • Additional commits viewable in compare view

    [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=undici&package-manager=npm_and_yarn&previous-version=6.23.0&new-version=6.24.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
    Dependabot commands and options
    You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/dolthub/dolt/network/alerts).
  • 10680: Fix panic during merge when FK is dropped and re-added on a branch with a composite PK child table
    Fix #10676
    dolt merge could panic with index out of range when one branch dropped and re-added a foreign key (creating a new backing index) while the other branch had new rows in a child table with a composite primary key. This fix limits the FK column type compatibility check to only the columns relevant to the foreign key, ignoring extra primary key columns that are not part of the FK relationship.

Closed Issues

  • 10694: Parse error when two lines follow a comment containing singlequote
  • 10695: Command Denied when calling Dolt Function where SQL users do not have explicit grant access to the branch database.
  • 10692: Server permanently unresponsive after client crash during CREATE/DROP DATABASE
  • 10676: Panic attempting to merge : index out of range [1] with length 1
  • 10687: Embedded engine panics with nil pointer dereference on concurrent access
  • 10657: ON_UPDATE columns should only update if other column values have actually changed
Check out latest releases or
releases around dolthub/dolt v1.83.7

Don't miss a new dolt release

NewReleases is sending notifications on new releases.

Get notifications