Changelog
Refer to the 2.12 Upgrade Guide for backwards compatibility notes with 2.11.x.
Go Version
- 1.25.9 (#8017)
Dependencies
- github.com/nats-io/nats.go v1.50.0 (#8000)
CVEs
- TBD
Improved
JetStream
- Purging subjects from a stream now only loads filestore blocks within the range of where those subjects appear (#8004)
- Multi-filtered load next or previous message code paths now correctly identify single subject filters or full wildcards and switch to optimized paths (#8012, #8013)
- The `max_mem_store` and `max_file_store` configuration options can now be increased (but not decreased) via config reload (#8014)
Fixed
General
- `no_auth_user` is now restricted to client connections only
- Overlapping wildcard patterns in ACL `deny` patterns are now enforced correctly
- Queue subscriptions can no longer incorrectly bypass non-queue ACL `deny` patterns
Leafnodes
- Pre-`CONNECT` guard improvements for leafnode connections, fixing a potential panic
- ACL permissions are now correctly enforced for inbound leaf messages in all cases
- Duplicate `INFO` permissions updates are now only accepted for solicited leaf connections
- The `max_payload` limit is now correctly enforced for leafnode connections
- A panic on leafnode connect when failing to resolve an account has been fixed (#7991)
JetStream
- Consumer `max_ack_pending` should no longer become stuck due to deleted messages being left in the consumer pending state (#7984)
- When scaling up a stream and adding subjects at the same time, the new subject filters are now correctly subscribed (#8003)
- Filestore caches are no longer expired and evicted from memory too eagerly after a recent write (#8009)
- Stream leaders can catch up from a snapshot if required (#8021)
MQTT
- The `jwt` is now correctly sent to auth callout for MQTT clients, fixing a regression introduced in 2.12.6 (#7997, #7999)
WebSockets
- The fast-path for connections with no `CONNECT` block will now use the WebSocket-specific `no_auth_user` instead of the global one if configured