• feat(obs): improve metrics coverage and dashboard performance by @houseme in https://github.com/rustfs/rustfs/pull/2682
• chore(deps): update flake.lock by @houseme in https://github.com/rustfs/rustfs/pull/2683
• test(utils): cover disk-check env alias precedence by @overtrue in https://github.com/rustfs/rustfs/pull/2684
• fix(admin): map IAM not found errors to 404 by @GatewayJ in https://github.com/rustfs/rustfs/pull/2685
• feat: add console-managed audit and notify module switches by @houseme in https://github.com/rustfs/rustfs/pull/2690
• perf(memory): add reclaim signals and cache controls by @houseme in https://github.com/rustfs/rustfs/pull/2689
• test(server): cover default module switch source by @overtrue in https://github.com/rustfs/rustfs/pull/2697
• build(deps): bump the dependencies group with 2 updates by @dependabot[bot] in https://github.com/rustfs/rustfs/pull/2694
• fix(replication): fan out single-bucket rules to all targets by @weisd in https://github.com/rustfs/rustfs/pull/2701
• fix(iam): propagate cache miss load failures by @GatewayJ in https://github.com/rustfs/rustfs/pull/2692
• fix(replication): prevent target state loss across buckets by @weisd in https://github.com/rustfs/rustfs/pull/2704
• fix(ilm): harden signer failures and guard remote tier delete storms by @houseme in https://github.com/rustfs/rustfs/pull/2706
• fix: honor bucket-scoped ListBucket policies with s3:prefix by @overtrue in https://github.com/rustfs/rustfs/pull/2707
• fix(ecstore): log walk failures in IAM listing path by @GatewayJ in https://github.com/rustfs/rustfs/pull/2705
• build(deps): bump the dependencies group with 2 updates by @houseme in https://github.com/rustfs/rustfs/pull/2709
• fix(iam): preserve portable IAM storage and derived auth by @weisd in https://github.com/rustfs/rustfs/pull/2713
• fix(storage): avoid faulting local drives on transient timeouts by @weisd in https://github.com/rustfs/rustfs/pull/2714
• fix(lifecycle): prevent eager date-expiry deletion on config update by @houseme in https://github.com/rustfs/rustfs/pull/2708
• fix(policy): allow AssumeRole in system policies by @cxymds in https://github.com/rustfs/rustfs/pull/2718
• fix(obs): disable profiling export by default and fix Helm env name by @houseme in https://github.com/rustfs/rustfs/pull/2719
• fix(webdav): decode URL-encoded filenames in path parsing by @giter in https://github.com/rustfs/rustfs/pull/2722
• fix(policy): preserve gateway ListBucket resources by @overtrue in https://github.com/rustfs/rustfs/pull/2710
• test(signer): cover header fallback helpers by @overtrue in https://github.com/rustfs/rustfs/pull/2711
• fix(window): Compatible with Windows Path by @reatang in https://github.com/rustfs/rustfs/pull/2691
• fix(helm): only render rollingUpdate when strategy type is RollingUpdate by @rafaelperoco in https://github.com/rustfs/rustfs/pull/2728
• chore: update version from alpha to beta by @majinghe in https://github.com/rustfs/rustfs/pull/2720
• test(get): reject range with part number by @RamakrishnaChilaka in https://github.com/rustfs/rustfs/pull/2725

• @giter made their first contribution in https://github.com/rustfs/rustfs/pull/2722
• @rafaelperoco made their first contribution in https://github.com/rustfs/rustfs/pull/2728

Full Changelog: https://github.com/rustfs/rustfs/compare/1.0.0-alpha.99...v1.0.0-beta.1

This release contains bug fixes since the 2.26.3 release. We recommend that you upgrade at the next available opportunity.

Bugfixes

• #9360 Sanitize DT_NOBEGIN next_start to recover jobs stuck after primary failover
• #9515 Fix now() constification for continuous aggregate queries
• #9550 Fix out of memory when propagating ALTER TABLE to many chunks
• #9605 Fix InstrStartNode called twice in a row
• #9607 Fix use-after-free of PlaceHolderVar.phrels in cached ChunkAppend plans
• #9612 Fix PlaceHolderVar error in runtime chunk exclusion
• #9614 Remove stale hypertable entries during upgrade
• #9615 Fix segfault with transition tables after column drop
• #9616 Use DROP CASCADE for trigger removal
• #9623 Error when querying compressed chunks under Apache license
• #9625 Make timescaledb_post_restore() reliably restart background workers in a single call
• #9639 Fix lost orderby sparse index
• #9646 Replace ERRCODE_INTERNAL_ERROR on user-reachable error paths
• #9652 Add Error on missing custom job function in ts_bgw_job_get_funci
• #9655 Fix data corruption when merging chunks with different compression settings
• #9654 Fix sort_transform crash with hypertable on nullable side of outer join
• #9656 Fix concurrent merge of compressed chunks dropping the new heap
• #9641 Fix COPY path with transition tables after column drop
• #9660 Fix incremental continuous aggregate refresh so that extend_last_bucket only applies to the boundary batch
• #9674 Fix segmentby crash in cagg invalidation tracking

Thanks

• @GetsuDer and @WeiJie-JL for reporting an error with timescaledb and extensions using Explain
• @igor2x for reporting a problem when trying to query compressed data with the Apache license
• @ivaaaan for reporting an issue with constraint pushdown in continuous aggregate queries
• @patstrom for reporting a segfault with transition table triggers after dropping a column
• @patstrom for reporting an out-of-memory error when dropping constraints
• @pcayen for reporting an issue with GROUP BY ROLLUP on views over hypertables

Upgrade urgency LOW: This is the second release candidate of Valkey 9.1.0.

• Revert strict TLS certificate validation at config load as it is a breaking change, deferred to next major version (#3572)

• Do the failover immediately if the replica is the best ranked replica by @enjoy-binbin (#2227)
• Add cluster-config-save-behavior option to control nodes.conf save behavior by @enjoy-binbin (#3372)
• Lua scripting engine is now statically linked by default instead of dynamically linked by @eifrah-aws (#3392)
• Module command result callback addition by @martinrvisser (#2936)

• Redesign IO threading communication model with lock-free queues (8-17% throughput gain) by @akashkgit (#3324)
• Increase embedded string threshold from 64 to 128 bytes (30% GET throughput gain) by @Nikhil-Manglore (#3397)
• ARM NEON SIMD optimization for pvFind() in vset.c (2-3x speedup) by @ahmadbelb (#3033)
• Optimize WATCH duplicate key check from O(N) to O(1) using per-db hashtable by @enjoy-binbin (#3360)
• Optimize CLUSTERSCAN MATCH so that it uses a specific slot if given by @nmvk (#3380)
• Improve COB memory tracking with copy avoidance by @dvkashapov (#3306)

• Fix valkey-cli --cluster del-node for unreachable nodes by @yang-z-o (#3209)
• Enhance cluster stale packet detection to prevent sub-replica and empty primary by @zhijun42 (#2811)
• Big endian bitmap byte order mismatch fix by @nmvk (#3401)
• Fix slot-migration-max-failover-repl-bytes unable to accept -1 by @enjoy-binbin (#3443)
• Fix config rewrite producing negative values for unsigned memory configs by @enjoy-binbin (#3440)
• Fix HPERSIST RESP protocol violation on wrong-type key by @madolson (#3516)
• Fix lua-enable-insecure-api default value cannot be changed to yes by @enjoy-binbin (#3548)

Full Changelog: https://github.com/valkey-io/valkey/compare/9.1.0-rc1...9.1.0-rc2

This is the third Milestone of Redis 8.8 in Redis Open Source.

Milestones are non-feature-complete pre-releases. Pre-releases are not suitable for production use.

Redis 8.8 introduces new features and performance improvements.

• Ubuntu 22.04 (Jammy Jellyfish), 24.04 (Noble Numbat), 26.04 (Resolute Raccoon)
• Rocky Linux 8.10, 9.7, 10.1
• AlmaLinux 8.10, 9.7, 10.1
• Debian 12.13 (Bookworm), Debian 13.4 (Trixie)
• Alpine 3.23
• macOS 14.8.4 (Sonoma), 15.7.4 (Sequoia), 26.3 (Tahoe) - for both Intel and ARM

• #14958 Subkey notification for hash fields - field-level notifications
• RediSearch/RediSearch#8227 FT.HYBRID KNN clause: new argument to request fewer candidates per shard
• RediSearch/RediSearch#8060 FT.PROFILE HYBRID: profiling support for FT.HYBRID

• #15034, #15081 Issues processing corrupt RDB data
• #15059 Use-after-free
• #15073 CLIENT TRACKING: self-overlap returning non-zero loop index
• #14982 SCAN commands: integer overflow in COUNT parameter
• #14956 Crash on HSETEX when a field appears more than once and an expiry is specified
• #15015 Change log level for unknown extension types from LL_WARNING to LL_VERBOSE
• #14995 Unnecessary -ERR and \r\n
• RediSearch/RediSearch#8708 Crash when many keys receive expirations under heavy TTL activity
• RediSearch/RediSearch#8774 Coordinator deadlock under mixed FT.SEARCH and FT.AGGREGATE load
• RediSearch/RediSearch#8415 Crash on FT.SEARCH when topology validation fails (for example, some nodes unreachable)
• RediSearch/RediSearch#8322 Crash when indexing negative zero (-0.0)
• RediSearch/RediSearch#8843 HNSW vector index memory growth under high-churn workloads until shard restart
• RediSearch/RediSearch#8396 FILTER returns inconsistent results with multiple indexes sharing field aliases
• RediSearch/RediSearch#8205 FT.HYBRID VSIM RANGE + FILTER incorrectly returns zero results
• RediSearch/RediSearch#8817 Instability and crashes in long-running search cursors during concurrent index updates
• RediSearch/RediSearch#8388 FT.SEARCH fails with “Query requires unavailable slots” after shard restart or failover
• RediSearch/RediSearch#8548 FILTER behavior depends on property order in the expression
• RediSearch/RediSearch#8320 Index FILTER applied inconsistently when documents are missing filtered fields
• RediSearch/RediSearch#8752 Missing blocked-client FAIL timeout mechanism for coordinator-level FT.AGGREGATE
• RediSearch/RediSearch#8657 Missing shard-level FAIL timeout handling for FT.HYBRID queries
• RediSearch/RediSearch#8420 Missing coordinator-level FAIL timeout handling for FT.HYBRID queries
• RediSearch/RediSearch#8335 Legacy shard-level FAIL handling for FT.SEARCH / FT.AGGREGATE
• RediSearch/RediSearch#8191 FT.SEARCH coordinator lacks strict FAIL timeout enforcement

• #15114 Optimize SET key value GET
• #15065, #15118 Scan commands key collection: replace list with append-only pointer vector
• #15061 Widen fast_float_strtod fast path to 17-19 digit mantissas
• RediSearch/RediSearch#8378 Optimize filter expression evaluation: skip indexes not matching the document type (MOD-14064)

• RediSearch/RediSearch#8246 ‘frontend_buffer_size’, ‘HNSW_main_thread_insertion’: metrics for tiered vector indexes (MOD-13819)
• RediSearch/RediSearch#8210 FT.PROFILE: added queue time tracking (MOD-13602)
• RediSearch/RediSearch#8283 INFO: Skip metrics when there are no indices (MOD-13903)
• RediSearch/RediSearch#7417 Add unique error message ids for improved debugging and troubleshooting (MOD-11806)

• RediSearch/RediSearch#8876 ‘search-workers’: change default to 16 (MOD-14486)
• RediSearch/RediSearch#8352 BG_INDEX_SLEEP_DURATION_US: sleep duration during background indexing (MOD-13994)

• Remove decoded path in HttpRequestMessageImpl by @fool1280 in https://github.com/Netflix/zuul/pull/2115

Full Changelog: https://github.com/Netflix/zuul/compare/v3.6.1...v3.6.2

This release fixes mutiple security issues.

We would like to thank the following people for the responsible disclosures:

• Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.

• Brett Gervasoni for the AzureAD OAuth client_secret vulnerability.

• @iiihaiii and @Ngocnn97 for the Old UI XSS vulnerability.

• [SECURITY] AzureAD remote write: Fix OAuth client_secret being exposed in plaintext via /-/config endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 #18590

• [SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 #18584

• [SECURITY] UI: Fix stored XSS via unescaped le label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 #18588

This release fixes mutiple security issues.

We would like to thank the following people for the responsible disclosures:

• Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.
• Brett Gervasoni for the AzureAD OAuth client_secret vulnerability.
• @iiihaiii and @Ngocnn97 for the Old UI XSS vulnerability.

---

• [SECURITY] AzureAD remote write: Fix OAuth client_secret being exposed in plaintext via /-/config endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 #18587
• [SECURITY] Remote-Write: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. #18591
• [SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 #18585
• [SECURITY] UI: Fix stored XSS via unescaped le label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 #18589

• [fix][sec] Upgrade BouncyCastle to 1.84 (CVE-2026-5588, CVE-2026-0636) (#25569)
• [fix][sec] Upgrade Jetty to address CVE-2026-2332 (#25527)
• [fix][sec] Upgrade Jetty to address CVE-2026-5795 (#25532)
• [fix][sec] Upgrade to async-http-client 2.14.5 to address CVE-2026-40490 (#25546)
• [fix][sec] Upgrade to Netty 4.1.132.Final to address CVEs (#25399)
• [fix][sec] Upgrade log4j to 2.25.4 to address CVE-2026-34477, CVE-2026-34478, CVE-2026-34480, CVE-2026-34481
• [fix] Upgrade Jetty to 12.1.6 to fix CVE-2026-1605 (#25485)

• [fix][broker] Change the schema incompatible log from ERROR to WARN level (#25483)
• [fix][broker] Fix backlog clearing for unloaded namespace bundles (#25272)
• [fix][broker] Lower log level of DrainingHashesTracker not-found entry to DEBUG (#25558)
• [fix][broker] Prevent timed-out producer creation from racing with retry (#25460)
• [fix][broker] pulsar admin stats internal with metadata command (#25557)
• [fix][broker] Revert "[improve][broker] Enhance advertised address resolution with fallback to localhost (#25238)" (#25523)
• [fix][broker] Unthrottle producers immediately when publish rate limiting is disabled (#25502)
• [fix][broker]Namespaces can be created with may empty replication_clusters policy (#25551)
• [fix][admin] Refactor namespace migration operation to async in rest api (#25478)
• [improve][broker] Close connection when close consumer write fails (#25520)
• [improve][broker] Use full bundle name for namespace bundle destination affinity in ModularLoadManagerImpl (#25518)

• [fix][client] Fix thread-safety and refactor MessageCryptoBc key management (#25400)

• [fix][io] Restore lz4 compression with Kafka IO connector after #25198 exclusion

• [improve][common] Optimize TopicName.get() to reduce lock contention on cache lookup (#25367)
• [improve][broker] Improve the performance of TopicName constructor (#24463)

• [fix][ci] Ensure discard_max_bytes is set to 0 only for existing block devices (#25510)
• [fix][test] Extend SameAuthParamsLookupAutoClusterFailoverTest phase timeouts (#25563)
• [fix][test] Fix flaky BrokerRegistryIntegrationTest port binding race (#25463)
• [fix][test] Fix flaky ExtensibleLoadManagerImpl client reconnection tests: PulsarClientException$AlreadyClosedException: Client already closed (#25509)
• [fix][test] Fix flaky ExtensibleLoadManagerTest.startBroker timeout (#25500)
• [fix][test] Fix flaky OffloadPrefixTest.testPositionOnEdgeOfLedger race with ledger rollover (#25561)
• [fix][test] Fix flaky ServerCnxTest.testCreateProducerTimeoutThenCreateSameNamedProducerShouldFail (#25497)
• [fix][test] Fix flaky testLoadBalancerServiceUnitTableViewSyncer (#25427)
• [fix][test] Flaky SameAuthParamsLookupAutoClusterFailoverTest (#25566)
• [fix][test] Recreate EventLoop in PublishRateLimiterTest setup (#25560)
• [fix][test] Relax BrokerRegistryIntegrationTest broker-close threshold (#25562)
• [improve][ci] Cleanup tune-runner-vm and clean-disk actions (#25444)
• [cleanup][ci] Remove documentation label bot (#25469)
• [cleanup][ci] Remove ready-to-test label enforcement (#25470)
• [cleanup][build] Bumped version to 4.2.1-SNAPSHOT
• [fix][build][branch-4.2] Use correct Jetty ee8 BOM coordinates
• [improve][ci] Backport fix for ssh-access action

For the complete list, check the full changelog.

This release upgrades Jetty from 9.4.x to 12.1.8 to address several high-severity CVEs in Jetty 9.4.x (#25534). For background and discussion, see the dev list thread.

The upgrade introduces the following breaking changes:

1. AdditionalServlet interface change. The org.apache.pulsar.broker.web.plugin.servlet.AdditionalServlet interface was coupled directly to the Jetty 9 org.eclipse.jetty.servlet.ServletHolder class. This coupling has been removed, so external implementations of this plugin API need to be updated.

2. Athenz authentication requires Java 17+. pulsar-client-auth-athenz now depends on Jetty and therefore requires Java 17+. The Pulsar Client and Pulsar Admin client themselves remain Java 8+ compatible.

3. Prometheus metrics provider class relocation. The default Prometheus metrics provider classes for BookKeeper and ZooKeeper have been replaced because the previous defaults depended on Jetty 9.4.x. If you are using the previous default configuration file in your deployment, update the following settings:

   Config file	Setting	Old value	New value
   bookkeeper.conf	statsProviderClass	org.apache.bookkeeper.stats.prometheus.PrometheusMetricsProvider	org.apache.pulsar.metrics.prometheus.bookkeeper.PrometheusMetricsProvider
   zookeeper.conf	metricsProvider.className	org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider	org.apache.pulsar.metrics.prometheus.zookeeper.PrometheusMetricsProvider

• [fix][sec] Upgrade BouncyCastle to 1.84 (CVE-2026-5588, CVE-2026-0636) (#25569)
• [fix][sec] Upgrade to async-http-client 2.14.5 to address CVE-2026-40490 (#25546)
• [fix][sec] Upgrade to Netty 4.1.132.Final to address CVEs (#25399)
• [fix][sec] Bump google.golang.org/grpc from 1.60.0 to 1.79.3 in /pulsar-function-go (#25353)
• [fix][sec] Bump org.apache.zookeeper:zookeeper from 3.9.4 to 3.9.5 (#25303)
• [fix][sec] Upgrade aircompressor to 2.0.3 to resolve CVE-2025-67721 (#25256)
• [fix][sec] Upgrade Jackson version to 2.18.6 (#25264)
• [fix][sec] Upgrade Python protobuf version to 6.33.5 to address CVE-2026-0994 (#25250)
• [fix][sec][branch-4.0] Upgrade to Jetty 12.1.8 to address several CVEs (#25534)
• [improve][fn] Upgrade Pulsar Python client version to 3.10.0 (#25251)
• [fix][sec] Upgrade log4j to 2.25.4 to address CVE-2026-34477, CVE-2026-34478, CVE-2026-34480, CVE-2026-34481
• [improve] Upgrade RoaringBitmap to 1.6.9 version (#25253)

• [fix][broker] Change the schema incompatible log from ERROR to WARN level (#25483)
• [fix][broker] Fix backlog clearing for unloaded namespace bundles (#25272)
• [fix][broker] Lower log level of DrainingHashesTracker not-found entry to DEBUG (#25558)
• [fix][broker] Prevent timed-out producer creation from racing with retry (#25460)
• [fix][broker] pulsar admin stats internal with metadata command (#25557)
• [fix][broker] Unthrottle producers immediately when publish rate limiting is disabled (#25502)
• [fix][broker]Namespaces can be created with may empty replication_clusters policy (#25551)
• [fix][admin] Refactor namespace migration operation to async in rest api (#25478)
• [improve][broker] Close connection when close consumer write fails (#25520)
• [improve][broker] Use full bundle name for namespace bundle destination affinity in ModularLoadManagerImpl (#25518)
• [fix][broker] Fix concurrency bug in BucketDelayedDeliveryTracker (#25346)
• [fix][broker] Fix ExtensibleLoadManagerImpl stuck Assigning bundle state after broker restart (#25379)
• [fix][broker] fix flaky test in SystemTopicBasedTopicPoliciesServiceTest (#25098)
• [fix][broker] Fix IllegalArgumentException in BucketDelayedDeliveryTracker.addMessage (#25371)
• [fix][broker] Fix race condition in ServerCnx producer/consumer async callbacks (#25352)
• [fix][broker] Guard AsyncTokenBucket against long overflow (#25262)
• [fix][broker] Handle missing replicator during snapshot request processing (#25266)
• [fix][broker] Return failed future instead of throwing exception in async methods (#25289)
• [fix][broker] Support namespace unsubscribe when bundles are unloaded (#25276)
• [fix][broker]Producer with AUTO_PRODUCE schema failed to reconnect, which caused by schema incompatible (#25437)
• [fix][broker]system topic was created with different partitions acrossing clusters after enabled namespace-level replication (#25312)
• [fix][admin] Refactor namespace anti affinity group sync operations to async in rest api (#25086)
• [fix][offload] Close all resources in BlobStoreBackedReadHandleImplV2.closeAsync (#25296)
• [improve][broker] Change log level from warn to debug when cursor mark-deleted position ledger doesn't exist (#25200)
• [improve][broker] Optimize AsyncTokenBucket overflow solution further to reduce fallback to BigInteger (#25269)
• [improve][broker]Reduce the lock range of SimpleCache to enhance performance (#25293)
• [refactor][broker] Decouple delayed delivery trackers from dispatcher (#25384)

• [fix][client] Fix thread-safety and refactor MessageCryptoBc key management (#25400)
• [fix][client] Fail messages immediately in ProducerImpl when in terminal state (#25317)
• [fix][client] Fix async APIs to return failed futures on validation errors (#25287)
• [fix][client] Reduce logging in OAuth auth to fix parsing of Pulsar cli command output (#25254)
• [improve][client][branch-4.0] Deduplicate in-progress lookup requests also for HttpLookupService (#25017)

• [fix][io][kca] kafka headers silently dropped (#25325)
• [fix][io] Restore lz4 compression with Kafka IO connector after #25198 exclusion

• [improve][common] Optimize TopicName.get() to reduce lock contention on cache lookup (#25367)
• [improve][broker] Improve the performance of TopicName constructor (#24463)
• [feat][bookkeeper] add certs refresh (#25370)

• [fix][ci] Ensure discard_max_bytes is set to 0 only for existing block devices (#25510)
• [fix][test] Extend SameAuthParamsLookupAutoClusterFailoverTest phase timeouts (#25563)
• [fix][test] Fix flaky BrokerRegistryIntegrationTest port binding race (#25463)
• [fix][test] Fix flaky ExtensibleLoadManagerImpl client reconnection tests: PulsarClientException$AlreadyClosedException: Client already closed (#25509)
• [fix][test] Fix flaky ExtensibleLoadManagerTest.startBroker timeout (#25500)
• [fix][test] Fix flaky OffloadPrefixTest.testPositionOnEdgeOfLedger race with ledger rollover (#25561)
• [fix][test] Fix flaky ServerCnxTest.testCreateProducerTimeoutThenCreateSameNamedProducerShouldFail (#25497)
• [fix][test] Fix flaky testLoadBalancerServiceUnitTableViewSyncer (#25427)
• [fix][test] Flaky SameAuthParamsLookupAutoClusterFailoverTest (#25566)
• [fix][test] Recreate EventLoop in PublishRateLimiterTest setup (#25560)
• [fix][test] Relax BrokerRegistryIntegrationTest broker-close threshold (#25562)
• [improve][ci] Cleanup tune-runner-vm and clean-disk actions (#25444)
• [cleanup][ci] Remove documentation label bot (#25469)
• [cleanup][ci] Remove ready-to-test label enforcement (#25470)
• [fix][ci] Disable trivy-action (#25373)
• [fix][ci] Fix .github/actions/ssh-access which is used for debugging Pulsar CI in forks (#25075)
• [fix][test] Fix flaky ExtensibleLoadManagerImplTest.testLoadBalancerServiceUnitTableViewSyncer (#25378)
• [fix][test] Fix flaky OneWayReplicatorUsingGlobalZKTest cleanup (#25313)
• [fix][test] Fix flaky OneWayReplicatorUsingGlobalZKTest.cleanup (#25389)
• [fix][test] Fix flaky PersistentStickyKeyDispatcherMultipleConsumersClassicTest.testSkipRedeliverTemporally (#25385)
• [fix][test] Fix flaky PulsarDebeziumOracleSourceTest (#25314)
• [fix][test] Fix flaky ReplicatorTest.testResumptionAfterBacklogRelaxed (#25358)
• [fix][test] Fix flaky SingleThreadNonConcurrentFixedRateSchedulerTest.testPeriodicTaskCancellation (#24823)
• [fix][test] Stabilize FunctionAssignmentTailerTest.testErrorNotifier by synchronizing mock stubbing with CountDownLatch (#24875)
• [fix] Fix flaky OneWayReplicatorTest.testTopicPoliciesReplicationRule (#25316)
• [fix] Fix flaky testEstimatedTimeBasedBacklogQuotaCheckWhenNoBacklog (#25307)
• [cleanup][build] Bumped version to 4.0.10-SNAPSHOT
• [fix][build] Fix license file for shell distribution
• [fix][build][branch-4.0] Fix broken compilation after cherry-picking #25400
• [fix][build][branch-4.0] Fix missing exclusion in cherry-picking #25264
• [fix][test][branch-4.0] Backport Pulsar IO Debezium connector test framework changes
• [improve][build][branch-4.0] Support docker.golang.image/GOLANG_IMAGE in latest-version-image
• [improve][ci] Backport fix for ssh-access action

For the complete list, check the full changelog.

• [fix][sec] Upgrade BouncyCastle to 1.84 (CVE-2026-5588, CVE-2026-0636) (#25569)
• [fix][sec] Upgrade to async-http-client 2.14.5 to address CVE-2026-40490 (#25546)
• [fix][sec] Upgrade to Netty 4.1.132.Final to address CVEs (#25399)
• [fix][sec] Bump org.apache.zookeeper:zookeeper from 3.9.4 to 3.9.5 (#25303)
• [fix][sec] Upgrade aircompressor to 2.0.3 to resolve CVE-2025-67721 (#25256)
• [fix][sec] Upgrade Jackson version to 2.18.6 (#25264)
• [fix][sec] Upgrade Python protobuf version to 6.33.5 to address CVE-2026-0994 (#25250)
• [improve][fn] Upgrade Pulsar Python client version to 3.10.0 (#25251)
• [fix][sec] Exclude org.lz4:lz4-java and standardize on at.yawk.lz4-java to remediate CVE-2025-12183 and CVE-2025-66566 (#25198)
• [fix][sec] Override kafka-clients in kinesis-kpl-shaded to remediate CVE-2024-31141 and CVE-2025-27817 (#24935)
• [fix][sec] Upgrade log4j to 2.25.4 to address CVE-2026-34477, CVE-2026-34478, CVE-2026-34480, CVE-2026-34481 (#25521)
• [fix][sec]Upgrade jackson to 2.17.2 (#23174)
• [improve] Upgrade Netty to 4.1.131.Final (#25232)

• [improve][broker] Close connection when close consumer write fails (#25520)

• [fix][client] Fail messages immediately in ProducerImpl when in terminal state (#25317)

• [fix][io] Restore lz4 compression with Kafka IO connector after #25198 exclusion

• [improve][common] Optimize TopicName.get() to reduce lock contention on cache lookup (#25367)
• [improve][broker] Improve the performance of TopicName constructor (#24463)

• [improve][ci] Cleanup tune-runner-vm and clean-disk actions (#25444)
• [cleanup][ci] Remove documentation label bot (#25469)
• [cleanup][ci] Remove ready-to-test label enforcement (#25470)
• [fix][ci] Fix .github/actions/ssh-access which is used for debugging Pulsar CI in forks (#25075)
• [fix][test] Stabilize FunctionAssignmentTailerTest.testErrorNotifier by synchronizing mock stubbing with CountDownLatch (#24875)
• [cleanup][build] Bumped version to 3.0.17-SNAPSHOT
• [fix][build][branch-3.0] Fix presto-distribution license file
• [fix][build][branch-3.0] Fix trino license
• [fix][build][branch-3.0] Fix trino license file
• [fix][ci][branch-3.0] Fix docker daemon configuration for branch-3.0
• [fix][ci][branch-3.0] Revert adding min-api-version: 1.24 to /etc/docker/daemon.json
• [improve][ci] Backport fix for ssh-access action

For the complete list, check the full changelog.