• [fix][sec] Upgrade jwt/v5 to 5.2.2 to address CVE-2025-30204 (#24140)
• [fix][sec] Upgrade pulsar-function-go dependencies to address CVE-2025-22870 (#24135)
• [improve] Upgrade Netty to 4.1.119.Final (#24049)

• [fix] Avoid negative estimated entry count (#24055)
• [fix][broker] Add expire check for replicator (#23975)
• [fix][broker] Avoid IllegalStateException when marker_type field is not set in publishing (#24087)
• [fix][broker] fix delay queue sequence issue. (#24035)
• [fix][broker] Fix Metadata Event Synchronizer producer creation retry so that the producer gets created eventually (#24081)
• [fix][broker] Fix Metadata event synchronizer should not fail with bad version (#24080)
• [fix][broker] Fix missing validation when setting retention policy on topic level (#24032)
• [fix][broker] Fix NPE while publishing Metadata-Event with not init producer (#24079)
• [fix][broker] Fix UnsupportedOperationException while setting subscription level dispatch rate policy (#24048)
• [fix][broker] http metric endpoint get compaction latency stats always be 0 (#24067)
• [fix][broker] Pattern subscription doesn't work when the pattern excludes the topic domain. (#24072)
• [fix][broker] Restore the behavior to dispatch batch messages according to consumer permits (#24092)
• [fix][broker] topics infinitely failed to delete after remove cluster from replicated clusters modifying when using partitioned system topic (#24097)
• [fix][broker]Fix failed consumption after loaded up a terminated topic (#24063)
• [fix][ml] Corrected pulsar_storage_size metric to not multiply offloaded storage by the write quorum (#24054)
• [fix][ml] Don't estimate number of entries when ledgers are empty, return 1 instead (#24125)
• [fix][ml] Fix issues in estimateEntryCountBySize (#24089)
• [fix][ml] Return 1 when bytes size is 0 or negative for entry count estimation (#24131)
• [improve][broker] Change topic exists log to warn (#24116)
• [improve][broker] extract getMaxEntriesInThisBatch into a method and add unit test for it (#24117)
• [improve][broker] Optimize message expiration rate repeated update issues (#24073)
• [improve][broker] Optimize ThresholdShedder with improved boundary checks and parameter reuse (#24064)
• [improve][broker][branch-4.0] PIP-406: Introduce metrics related to dispatch throttled events (#24111)
• [improve][meta] Change log level from error to warn for unknown notification types in OxiaMetadataStore (#24126)

• [fix][client] Copy eventTime to retry letter topic and DLQ messages (#24059)
• [fix][client] Fix building broken batched message when publishing (#24061)
• [fix][client] Fix consumer leak when thread is interrupted before subscribe completes (#24100)
• [fix][client] Pattern subscription regression when broker-side evaluation is disabled (#24104)
• [fix][client] PIP-409 retry/dead letter topic producer config don't take effect. (#24071)
• [improve][client] PIP-409: support producer configuration for retry/dead letter topic producer (#24020)
• [improve][client] Prevent NullPointException when closing ClientCredentialsFlow (#24123)
• [clean][client] Clean code for the construction of retry/dead letter topic name (#24082)

• [fix][io] Fix KinesisSink json flattening for AVRO's SchemaType.BYTES (#24132)
• [improve][fn] Introduce NewOutputMessageWithError to enable error handling (#24122)
• [improve][io] Enhance Kafka connector logging with focused bootstrap server information (#24128)
• [improve][io] Remove sleep when sourceTask.poll of kafka return null (#24124)

• [fix][doc] fix doc related to chunk message feature. (#24023)
• [fix][doc] Workaround Go Yaml issue go-yaml/yaml#789 in docker-compose example (#24040)
• [improve][monitor] Add version=0.0.4 to /metrics content type for Prometheus 3.x compatibility (#24060)

• [fix][ci] Bump dependency-check to 12.1.0 to fix OWASP Dependency Check job (#24083)
• [fix][test] Fix flaky NonPersistentTopicTest.testMsgDropStat (#24134)
• [fix][test] Fix flaky PrometheusMetricsTest.testBrokerMetrics (#24042)

For the complete list, check the full changelog.

• [fix] Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /pulsar-function-go (#22261)
• [fix][sec] Upgrade jwt/v5 to 5.2.2 to address CVE-2025-30204 (#24140)
• [fix][sec] Upgrade pulsar-function-go dependencies to address CVE-2025-22870 (#24135)
• [improve] Upgrade Netty to 4.1.119.Final (#24049)

• [fix] Avoid negative estimated entry count (#24055)
• [fix][broker] Add expire check for replicator (#23975)
• [fix][broker] Avoid IllegalStateException when marker_type field is not set in publishing (#24087)
• [fix][broker] Fix Metadata Event Synchronizer producer creation retry so that the producer gets created eventually (#24081)
• [fix][broker] Fix Metadata event synchronizer should not fail with bad version (#24080)
• [fix][broker] Fix missing validation when setting retention policy on topic level (#24032)
• [fix][broker] Fix NPE while publishing Metadata-Event with not init producer (#24079)
• [fix][broker] Pattern subscription doesn't work when the pattern excludes the topic domain. (#24072)
• [fix][broker] topics infinitely failed to delete after remove cluster from replicated clusters modifying when using partitioned system topic (#24097)
• [fix][broker]Fix failed consumption after loaded up a terminated topic (#24063)
• [fix][ml] Corrected pulsar_storage_size metric to not multiply offloaded storage by the write quorum (#24054)
• [fix][ml] Don't estimate number of entries when ledgers are empty, return 1 instead (#24125)
• [fix][ml] Fix issues in estimateEntryCountBySize (#24089)
• [fix][ml] Return 1 when bytes size is 0 or negative for entry count estimation (#24131)
• [improve][broker] Change topic exists log to warn (#24116)
• [improve][broker] Optimize message expiration rate repeated update issues (#24073)
• [improve][broker] Optimize ThresholdShedder with improved boundary checks and parameter reuse (#24064)
• [improve][broker] Separate offload read and write thread pool (#24025)
• [improve][meta] Change log level from error to warn for unknown notification types in OxiaMetadataStore (#24126)

• [fix][client] Copy eventTime to retry letter topic and DLQ messages (#24059)
• [fix][client] Fix building broken batched message when publishing (#24061)
• [fix][client] Fix consumer leak when thread is interrupted before subscribe completes (#24100)
• [fix][client] Pattern subscription regression when broker-side evaluation is disabled (#24104)
• [improve][client] Prevent NullPointException when closing ClientCredentialsFlow (#24123)
• [clean][client] Clean code for the construction of retry/dead letter topic name (#24082)

• [fix][io] Fix KinesisSink json flattening for AVRO's SchemaType.BYTES (#24132)
• [improve][io] Enhance Kafka connector logging with focused bootstrap server information (#24128)
• [improve][io] Remove sleep when sourceTask.poll of kafka return null (#24124)

• [fix][doc] fix doc related to chunk message feature. (#24023)
• [improve][monitor] Add version=0.0.4 to /metrics content type for Prometheus 3.x compatibility (#24060)

• [fix][ci] Bump dependency-check to 12.1.0 to fix OWASP Dependency Check job (#24083)
• [fix][test] Fix flaky NonPersistentTopicTest.testMsgDropStat (#24134)
• [fix][test] Fix flaky PrometheusMetricsTest.testBrokerMetrics (#24042)

For the complete list, check the full changelog.

• [fix] Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /pulsar-function-go (#22261)
• [fix][sec] Upgrade jwt/v5 to 5.2.2 to address CVE-2025-30204 (#24140)
• [fix][sec] Upgrade pulsar-function-go dependencies to address CVE-2025-22870 (#24135)
• [improve] Upgrade Netty to 4.1.119.Final (#24049)

• [fix] Avoid negative estimated entry count (#24055)
• [fix][admin] Verify is policies read only before revoke permissions on topic (#23730)
• [fix][broker] Add expire check for replicator (#23975)
• [fix][broker] Avoid IllegalStateException when marker_type field is not set in publishing (#24087)
• [fix][broker] fix broker identifying incorrect stuck topic (#24006)
• [fix][broker] Fix BucketDelayedDeliveryTracker thread safety (#24014)
• [fix][broker] Fix get outdated compactedTopicContext after compactionHorizon has been updated (#20984)
• [fix][broker] Fix Metadata Event Synchronizer producer creation retry so that the producer gets created eventually (#24081)
• [fix][broker] Fix Metadata event synchronizer should not fail with bad version (#24080)
• [fix][broker] Fix NPE while publishing Metadata-Event with not init producer (#24079)
• [fix][broker] Fix UnsupportedOperationException while setting subscription level dispatch rate policy (#24048)
• [fix][broker] Geo Replication lost messages or frequently fails due to Deduplication is not appropriate for Geo-Replication (#23697)
• [fix][broker] http metric endpoint get compaction latency stats always be 0 (#24067)
• [fix][broker] Pattern subscription doesn't work when the pattern excludes the topic domain. (#24072)
• [fix][broker] topics infinitely failed to delete after remove cluster from replicated clusters modifying when using partitioned system topic (#24097)
• [fix][broker]Fix failed consumption after loaded up a terminated topic (#24063)
• [fix][ml] Corrected pulsar_storage_size metric to not multiply offloaded storage by the write quorum (#24054)
• [fix][ml] Don't estimate number of entries when ledgers are empty, return 1 instead (#24125)
• [fix][ml] Fix issues in estimateEntryCountBySize (#24089)
• [fix][ml] Return 1 when bytes size is 0 or negative for entry count estimation (#24131)
• [improve][broker] Change topic exists log to warn (#24116)
• [improve][broker] Fix non-persistent system topic schema compatibility (#23286)
• [improve][broker] Improve CompactedTopicImpl lock (#20697)
• [improve][broker] Make the estimated entry size more accurate (#23931)
• [improve][broker] Optimize message expiration rate repeated update issues (#24073)
• [improve][broker] Optimize ThresholdShedder with improved boundary checks and parameter reuse (#24064)
• [improve][ml] Use lock-free queue in InflightReadsLimiter since there's no concurrent access (#23962)

• [fix][client] Copy eventTime to retry letter topic and DLQ messages (#24059)
• [fix][client] Fix building broken batched message when publishing (#24061)
• [fix][client] Fix consumer leak when thread is interrupted before subscribe completes (#24100)
• [fix][client] Pattern subscription regression when broker-side evaluation is disabled (#24104)
• [improve][client] Prevent NullPointException when closing ClientCredentialsFlow (#24123)
• [clean][client] Clean code for the construction of retry/dead letter topic name (#24082)

• [fix][io] Fix KinesisSink json flattening for AVRO's SchemaType.BYTES (#24132)
• [improve][fn] Set default tenant and namespace for ListFunctions cmd (#23881)
• [improve][io] Enhance Kafka connector logging with focused bootstrap server information (#24128)
• [improve][io] Remove sleep when sourceTask.poll of kafka return null (#24124)

• [fix][doc] fix doc related to chunk message feature. (#24023)
• [improve][cli] Support additional msg metadata for V1 topic on peek message cmd (#23978)
• [improve][monitor] Add version=0.0.4 to /metrics content type for Prometheus 3.x compatibility (#24060)

• [fix][test] Fix flaky test OneWayReplicatorUsingGlobalZKTest.testConfigReplicationStartAt (#24011)
• [fix][test]Fix flaky test V1_ProducerConsumerTest.testConcurrentConsumerReceiveWhileReconnect (#24019)
• [fix][ci] Bump dependency-check to 12.1.0 to fix OWASP Dependency Check job (#24083)
• [improve][test] Upgrade Testcontainers to 1.20.4 and docker-java to 3.4.0 (#24003)
• [improve][ci] Upgrade Gradle Develocity Maven Extension to 1.23.1 (#24004)

For the complete list, check the full changelog.

Cherry-picked changes

Cherry-picked changes

Cherry-picked changes

Cherry-picked changes

• [fix][sec] Bump commons-io version to 2.18.0 (#23684)
• [fix][sec] Mitigate CVE-2024-53990 by disabling AsyncHttpClient CookieStore (#23725)
• [fix][sec] Upgrade async-http-client to 2.12.4 to address CVE-2024-53990 (#23732)
• [fix][sec] Upgrade golang.org/x/crypto from 0.21.0 to 0.31.0 in pulsar-function-go (#23743)
• [improve] Upgrade lombok to 1.18.36 (#23752)
• [improve] Upgrade to Netty 4.1.116.Final and io_uring to 0.0.26.Final (#23813)

• [fix][broker] Msg delivery is stuck due to items in the collection recentlyJoinedConsumers are out-of-order (#23795)
• [fix][broker] Add consumer name for subscription stats (#23671)
• [fix][broker] Catch exception for entry payload interceptor processor (#23683)
• [fix][broker] Continue using the next provider for authentication if one fails (#23797)
• [fix][broker] Fix config replicationStartAt does not work when set it to earliest (#23719)
• [fix][broker] Fix enableReplicatedSubscriptions (#23781)
• [fix][broker] Fix items in dispatcher.recentlyJoinedConsumers are out-of-order, which may cause a delivery stuck (#23802)
• [fix][broker] Remove failed OpAddEntry from pendingAddEntries (#23817)
• [fix][broker] Skip to persist cursor info if it failed by cursor closed (#23615)
• [fix][broker] fix NPE when calculating a topic's backlogQuota (#23720)
• [fix][admin] Fix exception loss in getMessageId method (#23766)
• [fix][admin] Fix exception thrown in getMessageId method (#23784)
• [fix][admin] Listen partitioned topic creation event (#23680)
• [improve][admin] Opt-out of topic-existence check (#23709)
• [improve][log] Print ZK path if write to ZK fails due to data being too large to persist (#23652)
• [fix][ml] Topic load timeout due to ml data ledger future never finishes (#23772)

• [Fix][Client] Fix pending message not complete when closeAsync (#23761)
• [fix][client] Cannot access message data inside ProducerInterceptor#onSendAcknowledgement (#23791)
• [fix][client] Fix enableRetry for consumers using legacy topic naming where cluster name is included (#23753)
• [fix][client] Fix memory leak when publishing encountered a corner case error (#23738)
• [fix][client] Fix wrong start message id when it's a chunked message id (#23713)
• [fix][client] Make DeadLetterPolicy & KeySharedPolicy serializable (#23718)
• [fix][client] Prevent retry topic and dead letter topic producer leaks when sending of message fails (#23824)
• [fix][client][branch-3.0] Fix compatibility between kerberos and tls (#23801)
• [improve][client] Make replicateSubscriptionState nullable (#23757)
• [fix][doc] Refine ClientBuilder#memoryLimit and ConsumerBuilder#autoScaledReceiverQueueSizeEnabled javadoc (#23687)

• [improve][fn] Improve closing of producers in Pulsar Functions ProducerCache invalidation (#23734)
• [improve][fn] Improve implementation for maxPendingAsyncRequests async concurrency limit when return type is CompletableFuture (#23708)
• [improve][io] Bump io.lettuce:lettuce-core from 5.0.2.RELEASE to 6.5.1.RELEASE in /pulsar-io/redis (#23685)
• [fix][fn][branch-3.0] Fix pulsar-function-go compilation

• [fix][common] TopicName: Throw IllegalArgumentException if localName is whitespace only (#23691)

• [fix][test] Remove useless test code (#23823)
• [fix][test]: Flaky-test: GetPartitionMetadataMultiBrokerTest.testCompatibilityDifferentBrokersForNonPersistentTopic (#23666)

For the complete list, check the full changelog.

Cherry-picked changes

Cherry-picked changes