QuestDB 9.3.1

QuestDB 9.3.1 follows the major 9.3.0 release, focusing on stability, correctness, and performance refinements based on early feedback and production usage.

This release delivers important fixes across joins, views, and checkpointing, alongside continued performance improvements on hot SQL execution paths.

Window functions now support arithmetic expressions directly, allowing analytical queries to compute derived values inline without requiring subqueries or post-processing:

SELECT
  symbol,
  price,
  price - lag(price) OVER (PARTITION BY symbol ORDER BY ts) AS delta
FROM trades

This simplifies common patterns such as calculating deltas, ratios, and scaled values within window definitions.

The tables() system view now exposes two additional columns:

• table_min_timestamp
• table_max_timestamp

These columns provide quick visibility into the temporal bounds of each table, useful for diagnostics, retention checks, and operational tooling.

The ksum() function now works as a window function, using the Kahan summation algorithm for improved floating-point precision. This complements the existing ksum() aggregate function by enabling its use in window contexts:

-- Cumulative sum with reduced floating-point error
SELECT ksum(price) OVER (ORDER BY ts ROWS UNBOUNDED PRECEDING) FROM trades;

-- Sliding window
SELECT ksum(price) OVER (ORDER BY ts ROWS BETWEEN 3 PRECEDING AND CURRENT ROW) FROM trades;

-- Partitioned
SELECT ksum(price) OVER (PARTITION BY symbol) FROM trades;

All standard window frame types are supported: ROWS, RANGE, partitioned, unbounded, and sliding windows.

Parquet exports via the HTTP /exp endpoint now stream directly from page frames, eliminating intermediate temporary tables. This reduces memory overhead and improves export throughput for large result sets.

Parallel query execution has been optimized to reduce garbage generation on hot paths. This lowers GC pressure and improves throughput and tail latency under sustained analytical workloads.

Queries where columns reference other columns now avoid redundant expression evaluation. This improves performance for wide projections and queries with multiple derived columns.

• Fixed an error when using WINDOW JOIN (introduced in 9.3.0) with ORDER BY ts DESC.
• Fixed a crash in ASOF JOIN queries when the ON clause mixes SYMBOL and non-symbol columns.
• Fixed transient "file does not exist" errors that could surface during query execution.

• Fixed an issue where views (introduced in 9.3.0) could become suspended after being altered.
• Fixed a rare bug that could write invalid data into a materialized view under specific conditions.

• Fixed checkpoint restore logic by removing phantom table directories left on disk.
• Fixed a rare issue where process memory was not fully released on Linux when jemalloc is enabled.

Thanks to everyone who reported issues, shared production feedback, and contributed fixes and improvements. Your input continues to shape QuestDB's reliability and performance.

For questions or feedback, please join us on Slack or Discourse, and check the full changelog on GitHub for detailed PR information.

• feat(sql): implement ksum() window function with Kahan summation by @bluestreak01 in https://github.com/questdb/questdb/pull/6642
• perf(core): streaming parquet export by @kafka1991 in https://github.com/questdb/questdb/pull/6300
• feat(sql): implement arithmetic with window functions by @bluestreak01 in https://github.com/questdb/questdb/pull/6626
• fix(sql): WINDOW JOIN with ORDER BY ts DESC returns error by @puzpuzpuz in https://github.com/questdb/questdb/pull/6624
• fix(core): fix checkpoint restore by removing phantom tables directories from disk by @ideoma in https://github.com/questdb/questdb/pull/6614
• perf(sql): reduce garbage generated on parallel query hot path by @puzpuzpuz in https://github.com/questdb/questdb/pull/6597
• fix(sql): fix view metadata race conditions on replica by @bluestreak01 in https://github.com/questdb/questdb/pull/6627
• fix(core): fix for view becomes suspended after it is altered by @glasstiger in https://github.com/questdb/questdb/pull/6623
• fix(core): fix rare bug that can potentially write invalid data in mat view by @ideoma in https://github.com/questdb/questdb/pull/6628
• perf(sql): reduce repeated expression execution when a column is referenced by other columns by @kafka1991 in https://github.com/questdb/questdb/pull/6093
• fix(core): fix transient file does not exist error in queries by @ideoma in https://github.com/questdb/questdb/pull/6629
• fix(sql): fix ASOF JOIN crash when ON clause has symbol and other columns by @jerrinot in https://github.com/questdb/questdb/pull/6634
• fix(core): process memory may not be released on Linux when jemalloc is enabled by @puzpuzpuz in https://github.com/questdb/questdb/pull/6619
• feat(sql): add table_min_ and table_max_timestamp columns to tables() view by @bluestreak01 in https://github.com/questdb/questdb/pull/6630

Full Changelog: https://github.com/questdb/questdb/compare/9.3.0...9.3.1

Introduce a MEILI_EXPERIMENTAL_DISABLE_FID_BASED_DATABASES_CLEANUP env var to opt out of the field ID-based database cleanup when upgrading a Meilisearch <1.32.0.

by @ManyTheFish in https://github.com/meilisearch/meilisearch/pull/6096

Full Changelog: https://github.com/meilisearch/meilisearch/compare/v1.32.0...v1.32.1

This is a security release.

lib:

• (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) https://github.com/nodejs-private/node-private/pull/802
• (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) https://github.com/nodejs-private/node-private/pull/797 lib,permission:
• (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) https://github.com/nodejs-private/node-private/pull/760 src:
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) https://github.com/nodejs-private/node-private/pull/773 src,lib:
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) https://github.com/nodejs-private/node-private/pull/759 tls:
• (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) https://github.com/nodejs-private/node-private/pull/796

• [8f9ba3f623] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #60997
• [97fc9b0eb7] - deps: update undici to 6.23.0 (Matteo Collina) nodejs-private/node-private#792
• [14fbbb510c] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#802
• [1febc48d5b] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• [494f62dc23] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [d7a5c587c0] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [51f4de4b4a] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [85f73e7057] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

This is a security release.

lib:

• (CVE-2025-59465) add TLSSocket default error handler
• (CVE-2025-55132) disable futimes when permission model is enabled lib,permission:
• (CVE-2025-55130) require full read and write to symlink APIs src:
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks src,lib:
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle tls:
• (CVE-2026-21637) route callback exceptions through error handlers

• [6badf4e6f4] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #60997
• [37509c3ff0] - deps: update undici to 6.23.0 (Matteo Collina) nodejs-private/node-private#791
• [eb8e41f8db] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• [ebbf942a83] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
• [6b4849583a] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [ddadc31f09] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [d4d9f3915f] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [25d6799df6] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

This is a security release.

lib:

• (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) https://github.com/nodejs-private/node-private/pull/797
• (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) https://github.com/nodejs-private/node-private/pull/748 lib,permission:
• (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) https://github.com/nodejs-private/node-private/pull/760 src:
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) https://github.com/nodejs-private/node-private/pull/773 src,lib:
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) https://github.com/nodejs-private/node-private/pull/759 tls:
• (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) https://github.com/nodejs-private/node-private/pull/796

• [2092785d01] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #60997
• [3e58b7f2af] - deps: update undici to 7.18.2 (Node.js GitHub Bot) #61283
• [4ba536a5a6] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• [89adaa21fd] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
• [7302b4dae1] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [ac030753c4] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [20075692fe] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [20591b0618] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

This is a security release.

lib:

• (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) https://github.com/nodejs-private/node-private/pull/750 permission:
• (CVE-2026-21636) add network check on pipe_wrap connect (RafaelGSS) https://github.com/nodejs-private/node-private/pull/784
• (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) https://github.com/nodejs-private/node-private/pull/760
• (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) https://github.com/nodejs-private/node-private/pull/748 src:
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) https://github.com/nodejs-private/node-private/pull/773 src,lib:
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) https://github.com/nodejs-private/node-private/pull/759 tls:
• (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) https://github.com/nodejs-private/node-private/pull/790

• [a6a74b89a7] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #60997
• [5100614e26] - deps: update undici to 7.18.2 (Node.js GitHub Bot) #61283
• [f0a8916887] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#750
• [b4b887c5f7] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
• [26be208039] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [bdf5873d44] - (CVE-2026-21636) permission: add network check on pipe_wrap connect (RafaelGSS) nodejs-private/node-private#784
• [0578e3e921] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [4d6b55a6d1] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [c357a39e14] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#790

Release 2.3.21.Final fixes CVE-2024-3884 CVE-2024-4027 CVE-2025-12543 Full list of Jiras: view in Jira

    Release Notes - Undertow - Version 2.3.21.Final

• [UNDERTOW-2490] - Improve the documentation of UndertowOptions.HTTP_HEADERS_CACHE_SIZE / DEFAULT_HTTP_HEADERS_CACHE_SIZE

• [UNDERTOW-2580] - Support SameSite and custom cookie attributes

• [UNDERTOW-1359] - HTTP2 - java.lang.IllegalStateException: UT000091: Buffer has already been freed
• [UNDERTOW-1561] - ServletContext.getResourcePaths() omits Resources that are not available directly on the file system
• [UNDERTOW-2157] - UndertowOutputStream.transferFrom appears to have a broken signature
• [UNDERTOW-2165] - READ_TIMEOUT is not taken into account in HTTP2 listener
• [UNDERTOW-2269] - Encode Query string on forward/include and properly handle merging
• [UNDERTOW-2377] - CVE-2024-3884 CVE-2024-4027 OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
• [UNDERTOW-2421] - ServletSessionConfig is missing support for arbitrary cookie attributes
• [UNDERTOW-2534] - ClassLoader of deployed websockets application leaks to XnioWorker
• [UNDERTOW-2582] - ServerWebSocketContainer keeps reference to CLs
• [UNDERTOW-2591] - SSEHandler header Connection is set to close
• [UNDERTOW-2605] - FixedLengthStreamSourceConduit does not clean up ReadTimeoutStreamSourceConduit after an exact Content-Length read
• [UNDERTOW-2609] - Previous fixes in the handling of decoded characters in query requests reflect in getQueryString of APIs
• [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
• [UNDERTOW-2662] - Quoted cookie versions cannot be parsed correctly
• [UNDERTOW-2668] - ServletRelativePathAttribute switch to %U from %R and return absolute path
• [UNDERTOW-2674] - Wrong codes sent on WebSocket connection close
• [UNDERTOW-2675] - Make Undertow compatible with RFC6265

• [UNDERTOW-2103] - Enable open ssl building in CI
• [UNDERTOW-2653] - Add back servlets and websockets-jsr to Ci

• [UNDERTOW-2644] - Upgrade wildfly openssl to 2.2.5.Final

• [UNDERTOW-2231] - Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
• [UNDERTOW-2638] - Process all buffers in ChunkedStreamSinkConduit.write(ByteBuffer[], int, int)
• [UNDERTOW-2643] - At ServletOutputStreamImpl.close remove the conversion of int to String

• #18138 config Add missing validation for labels in plugins
• #18108 config Make labels and selectors conform to specification
• #18144 inputs.procstat Isolate process cache per filter to fix tag collision
• #18191 outputs.sql Populate column cache for existing tables

• #18125 deps Bump cloud.google.com/go/auth from 0.17.0 to 0.18.0
• #18140 deps Bump cloud.google.com/go/auth from 0.17.0 to 0.18.0
• #18094 deps Bump cloud.google.com/go/storage from 1.57.2 to 1.58.0
• #18157 deps Bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0
• #18124 deps Bump github.com/ClickHouse/clickhouse-go/v2 from 2.41.0 to 2.42.0
• #18101 deps Bump github.com/SAP/go-hdb from 1.14.13 to 1.14.14
• #18153 deps Bump github.com/SAP/go-hdb from 1.14.14 to 1.14.15
• #18199 deps Bump github.com/SAP/go-hdb from 1.14.15 to 1.14.16
• #18123 deps Bump github.com/apache/arrow-go/v18 from 18.4.1 to 18.5.0
• #18200 deps Bump github.com/apache/inlong/inlong-sdk/dataproxy-sdk-twins/dataproxy-sdk-golang from 1.0.6 to 1.0.7
• #18197 deps Bump github.com/gophercloud/gophercloud/v2 from 2.9.0 to 2.10.0
• #18198 deps Bump github.com/gosnmp/gosnmp from 1.42.1 to 1.43.1
• #18132 deps Bump github.com/jedib0t/go-pretty/v6 from 6.7.5 to 6.7.7
• #18169 deps Bump github.com/jedib0t/go-pretty/v6 from 6.7.7 to 6.7.8
• #18189 deps Bump github.com/likexian/whois from 1.15.6 to 1.15.7
• #18187 deps Bump github.com/likexian/whois-parser from 1.24.20 to 1.24.21
• #18150 deps Bump github.com/lxc/incus/v6 from 6.19.1 to 6.20.0
• #18130 deps Bump github.com/miekg/dns from 1.1.68 to 1.1.69
• #18149 deps Bump github.com/nats-io/nats-server/v2 from 2.12.2 to 2.12.3
• #18147 deps Bump github.com/nats-io/nats.go from 1.47.0 to 1.48.0
• #18172 deps Bump github.com/netsampler/goflow2/v2 from 2.2.3 to 2.2.6
• #18190 deps Bump github.com/prometheus/common from 0.67.4 to 0.67.5
• #18102 deps Bump github.com/prometheus/prometheus from 0.307.3 to 0.308.0
• #18155 deps Bump github.com/prometheus/prometheus from 0.308.0 to 0.308.1
• #18129 deps Bump github.com/snowflakedb/gosnowflake from 1.18.0 to 1.18.1
• #18103 deps Bump github.com/tinylib/msgp from 1.5.0 to 1.6.1
• #18188 deps Bump github.com/tinylib/msgp from 1.6.1 to 1.6.3
• #18186 deps Bump github.com/yuin/goldmark from 1.7.13 to 1.7.15
• #18201 deps Bump github.com/yuin/goldmark from 1.7.15 to 1.7.16
• #18092 deps Bump go.step.sm/crypto from 0.74.0 to 0.75.0
• #18098 deps Bump golang.org/x/crypto from 0.45.0 to 0.46.0
• #18100 deps Bump golang.org/x/mod from 0.30.0 to 0.31.0
• #18127 deps Bump golang.org/x/net from 0.47.0 to 0.48.0
• #18095 deps Bump golang.org/x/oauth2 from 0.33.0 to 0.34.0
• #18093 deps Bump golang.org/x/sync from 0.18.0 to 0.19.0
• #18096 deps Bump golang.org/x/sys from 0.38.0 to 0.39.0
• #18099 deps Bump golang.org/x/term from 0.37.0 to 0.38.0
• #18097 deps Bump golang.org/x/text from 0.31.0 to 0.32.0
• #18104 deps Bump google.golang.org/api from 0.256.0 to 0.257.0
• #18173 deps Bump google.golang.org/grpc from 1.77.0 to 1.78.0
• #18131 deps Bump google.golang.org/protobuf from 1.36.10 to 1.36.11
• #18128 deps Bump k8s.io/api from 0.34.2 to 0.34.3
• #18148 deps Bump k8s.io/apimachinery from 0.34.3 to 0.35.0
• #18126 deps Bump k8s.io/client-go from 0.34.2 to 0.34.3
• #18154 deps Bump k8s.io/client-go from 0.34.3 to 0.35.0
• #18152 deps Bump modernc.org/sqlite from 1.40.1 to 1.41.0
• #18171 deps Bump modernc.org/sqlite from 1.41.0 to 1.42.2
• #18170 deps Bump software.sslmate.com/src/go-pkcs12 from 0.6.0 to 0.7.0
• #18158 deps Bump super-linter/super-linter from 8.3.0 to 8.3.1
• #18174 deps Bump super-linter/super-linter from 8.3.1 to 8.3.2
• #18091 deps Bump the aws-sdk-go-v2 group with 11 updates
• #18146 deps Bump the aws-sdk-go-v2 group with 3 updates
• #18121 deps Bump the aws-sdk-go-v2 group with 8 updates
• #18120 deps Bump tj-actions/changed-files from 47.0.0 to 47.0.1
• #18115 deps Update golangci-lint to 2.7.2

Introduces comprehensive progress tracking and logging for search operations in Meilisearch. It adds detailed timing information for each step of the search process, enabling better observability and performance analysis.

by @ManyTheFish in https://github.com/meilisearch/meilisearch/pull/6072

We accelerate document indexing by processing a large number of tasks in batches or a large number of records in parallel. We expedited the preparation of the payloads by extracting the various changes and assigning internal IDs in parallel. We achieved a 7x speedup on a four-million-document insertion using four CPUs, and the performance scales with the number of CPUs.

The indexedDocuments field in tasks using skipCreation no longer precisely reflects the number of document operations performed, specifically for POST and PUT operations. This count may be higher than the actual number of operations, but it doesn't affect the computation; only the reported count is impacted. We prioritize speed over perfect accuracy here, and the documents are still correctly indexed as before.

by @Kerollmops in https://github.com/meilisearch/meilisearch/pull/6080

Fixed vector sort bucketing so documents with identical similarity scores are grouped together, ensuring subsequent ranking rules are applied correctly.

by @dureuill in https://github.com/meilisearch/meilisearch/pull/6081

Fixes a bug where changing searchableAttributes from ["*"] to a subset of fields left orphaned data in fid-based databases, causing corruption and warnings during search.

by @ManyTheFish in https://github.com/meilisearch/meilisearch/pull/6076

Bumps hannoy to v0.1.3-nested-rtxns, which fixes graph-related recall issues and adds a method to rebuild graph links to recover previously malformed graphs. Also fixes a minor issue in the dumpless upgrade flow where the upgrade description was not displayed correctly and related operations were not properly associated with the upgrade.

by @Kerollmops in https://github.com/meilisearch/meilisearch/pull/6055

Updated the JavaScript SDK tests to use pnpm instead of yarn in CI workflows, switching the package manager across test configurations to ensure the SDK test suite runs correctly and consistently with the current tooling.

by @Strift in https://github.com/meilisearch/meilisearch/pull/6075

Updated the SDK tests CI workflow for the JavaScript SDKs

by @curquiza in https://github.com/meilisearch/meilisearch/pull/6050

Fix Stacked Borrows violation in IterMut.

by @dependabot[bot] in https://github.com/meilisearch/meilisearch/pull/6087

Full Changelog: https://github.com/meilisearch/meilisearch/compare/v1.31.0...v1.32.0