Changelog
Go Version
- 1.25.11
Dependencies
- golang.org/x/crypto v0.53.0 (#8297)
- golang.org/x/sys v0.46.0 (#8297)
- github.com/nats-io/jwt/v2 v2.8.2
- github.com/nats-io/nkeys v0.4.16
Improved
General
- Per-connection log lines that could be noisy in normal operation have been demoted to debug level (#8289)
- Writer options are now applied consistently when using the s2_fast compression mode (#8047)
JetStream
- Stream and consumer assignment handling has been refactored for more consistent migration and info behavior (#8262)
- Meta, stream and consumer write errors are now registered more consistently for health and recovery handling (#8293)
Removed
Monitoring
- JSONP callback support has been removed from monitoring endpoints
Fixed
General
- Inherited JWT default permissions are now refreshed when account claims are updated (#8276)
- External auth configuration is now cleared correctly when account claims are updated (#8275)
- PROXY protocol detection, TLS sniffing with allow_non_tls and PROXY v1 address-family parsing have been fixed (#8302)
- A race in gateway CONNECT handling has been fixed (#8306)
- Trusted proxy tracking no longer leaks closed clients during concurrent updates (#8307)
- Service import replies can now be delivered across cluster routes (#8317)
- Message tracing now works correctly with service imports and exports
- Several panic, fatal and data race conditions in authentication, routing, monitoring and clustered request handling have been fixed
- NoAuthUser now checks connection restrictions
- CONNZ and SUBSZ pagination now guard against Offset and Limit integer overflow panics
- Fixed a nil pointer panic when starting up when the resolver parent directory is missing (#8329)
MQTT
- Partial CONNECT packets can no longer exhaust pre-authentication memory
- PUBLISH remaining-length underflow no longer causes a server panic
- Subscriptions to internal $MQTT.deliver.pubrel subjects are now rejected
- Subscribe deny rules are now enforced on retained message and QoS replay paths
- WebSocket /mqtt upgrades no longer panic when MQTT is disabled
Monitoring
- JetStream remote usage updates no longer panic on length integer overflow
JetStream
- A data race on the cluster meta node during JetStream shutdown has been fixed (#8260)
- Meta proposal inflight tracking is now kept consistent during stream moves and related operations (#8261)
- Stream catchup is no longer skipped when limits are exceeded, preventing possible stream desync (#8265)
- Malformed TTL and schedule state is now rejected during decode (#8269)
- Zero consumer limits are now treated as unlimited during stream updates (#8286)
- Raft nodes no longer participate in voting or candidacy after write errors (#8290)
- Raft checkpoint handling now aborts if the node is closed (#8296)
- Raft ApplyCommit now handles the post-snapshot index correctly (#8321)
- Consumer ack subscriptions now match correctly when consumer names contain % (#8301)
- Atomic batch end-of-batch max-size checks and R1 message rewrites have been fixed (#8305)
- Peer state decoding now bounds peer ID reads to the buffer length (#8310)
- Counter stream staging no longer corrupts the committed running total (#8311)
- Filestore compaction no longer corrupts compressed or encrypted blocks (#8312)
- Memory store NumPending no longer overcounts for DeliverLastPerSubject consumers (#8313)
- Consumer inactive-delete grace period handling and pull request MaxBytes budgeting have been fixed (#8314)
- MultiLastSeqs no longer reorders stream config subjects through filterIsAll handling (#8315)
- Meta recovery snapshots no longer leave phantom streams or consumers behind (#8324)
- The last time of skipped messages no longer violates ordering, which could lead to issues with starting by time (#8237)
- Raft now reverts uncommitted membership changes correctly when truncating or snapshotting (#8332)
Credits
While CVE advisory notices are credited individually, a number of fixes in this release were the result of non-CVE reports from the following contributors:
- Koda Reef
- @Emin-ACIKGOZ
- @0xVijay
- Yaohui Wang
- @alanturing881