Upgrade urgency HIGH: There are critical bugs that may affect a subset of users.

• Avoid memory leak of new argv when HEXPIRE commands target only non-exiting fields (#2973)
• Fix HINCRBY and HINCRBYFLOAT to update volatile key tracking (#2974)
• Avoid empty hash object when HSETEX added no fields (#2998)
• Fix case-sensitive check for the FNX and FXX arguments in HSETEX (#3000)
• Prevent assertion in active expiration job after a hash with volatile fields is overwritten (#3003, #3007)
• Fix HRANDFIELD to return null response when no field could be found (#3022)
• Fix HEXPIRE to not delete items when validation rules fail and expiration is in the past (#3023, #3048)
• Fix how hash is handling overriding of expired fields overwrite (#3060)
• HSETEX - Always issue keyspace notifications after validation (#3001)
• Make zero a valid TTL for hash fields during import mode and data loading (#3006)
• Trigger prepareCommand on argc change in module command filters (#2945)
• Restrict TTL from being negative and avoid crash in import-mode (#2944)
• Fix chained replica crash when doing dual channel replication (#2983)
• Skip slot cache optimization for AOF client to prevent key duplication and data corruption (#3004)
• Fix used_memory_dataset underflow due to miscalculated used_memory_overhead (#3005)
• Avoid duplicate calculations of network-bytes-out in slot stats with copy-avoidance (#3046)
• Fix XREAD returning error on empty stream with + ID (#2742)

• Track reply bytes in I/O threads if commandlog-reply-larger-than is -1 (#3086, #3126). This makes it possible to mitigate a performance regression in 9.0.1 caused by the bug fix #2652.

Full Changelog: https://github.com/valkey-io/valkey/compare/9.0.1...9.0.2

Upgrade urgency MODERATE: Program an upgrade of the server, but it's not urgent.

• Authenticate slot migration client on source node to internal user (#2785)
• Bug fix: reset io_last_written on c->buf resize to prevent stale pointers (#2786)
• Sentinel: fix regression requiring "+failover" ACL in failover path (#2780)
• Cluster: Avoid usage of light weight messages to nodes with not ready bidirectional links (#2817)
• Send duplicate multi meet packet only for node which supports it in mixed clusters (#2840)
• Fix: LTRIM should not call signalModifiedKey when no elements are removed (#2787)
• Fix build on some 32-bit ARM by only using NEON on AArch64 (#2873)
• Fix deadlock in IO-thread shutdown during panic (#2898)
• Fix COMMANDLOG large-reply when using reply copy avoidance (#2652)
• Fix CLUSTER SLOTS crash when called from module timer callback (#2915)

Full Changelog: https://github.com/valkey-io/valkey/compare/9.0.0...9.0.1

Upgrade urgency MODERATE: Program an upgrade of the server, but it's not urgent.

• Fix Lua VM crash after FUNCTION FLUSH ASYNC + FUNCTION LOAD (#1826)
• Fix invalid memory address caused by hashtable shrinking during safe iteration (#2753)
• Cluster: Avoid usage of light weight messages to nodes with not ready bidirectional links (#2817)
• Send duplicate multi meet packet only for node which supports it (#2840)
• Fix loading AOF files from future Valkey versions (#2899)

Full Changelog: https://github.com/valkey-io/valkey/compare/8.1.4...8.1.5

Upgrade urgency LOW: This is the first release of Valkey 9.0 which includes stability, bug fixes, and incremental improvements over the third release candidate.

• HSETEX with FXX should not create an object if it does not exist (#2716)
• Fix crash when aborting a slot migration while child snapshot is active (#2721)
• Fix double MOVED reply on unblock at failover (#2734)
• Fix memory leak with CLIENT LIST/KILL duplicate filters (#2362)
• Fix incorrect accounting after completed atomic slot migration (#2749)
• Fix Lua VM crash after FUNCTION FLUSH ASYNC + FUNCTION LOAD (#1826, #2750)
• Fix invalid memory address caused by hashtable shrinking during safe iteration (#2753)

Upgrade urgency LOW: This is the third release candidate of Valkey 9.0.0, focused on stability, bug fixes, and incremental improvements.

• (CVE-2025-49844) A Lua script may lead to remote code execution
• (CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
• (CVE-2025-46818) A Lua script can be executed in the context of another user
• (CVE-2025-46819) LUA out-of-bound read

• Optimize skiplist random level generation logic (#2631)

• Redirect blocked clients after failover (#2329)
• Prevent exposure of importing keys on replicas during atomic slot migration (#2635)
• Add slot migration client flags and module context flags (#2639)
• Introduce SYNCSLOTS CAPA for forwards compatibility (#2688)

• Fix atomic slot migration snapshot never proceeding with hz 1 (#2636)
• Defrag if slab 1/8 full to fix defrag didn't stop issue (#2656)
• Fix module key memory usage accounting (#2661)
• Fix dual rdb channel connection error log (#2658)

• Implement a lolwut for version 9 (#2646)

Upgrade urgency SECURITY: This release includes security fixes we recommend you apply as soon as possible.

• (CVE-2025-49844) A Lua script may lead to remote code execution
• (CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
• (CVE-2025-46818) A Lua script can be executed in the context of another user
• (CVE-2025-46819) LUA out-of-bound read

• Fix accounting for dual channel RDB bytes in replication stats (#2616)
• Minor fix for dual rdb channel connection conn error log (#2658)
• Fix unsigned difference expression compared to zero (#2101)

Full Changelog: https://github.com/valkey-io/valkey/compare/8.0.5...8.0.6

Upgrade urgency SECURITY: This release includes security fixes we recommend you apply as soon as possible.

• (CVE-2025-49844) A Lua script may lead to remote code execution
• (CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
• (CVE-2025-46818) A Lua script can be executed in the context of another user
• (CVE-2025-46819) LUA out-of-bound read

• Fix accounting for dual channel RDB bytes in replication stats (#2614)
• Fix EVAL to report unknown error when empty error table is provided (#2229)
• Fix use-after-free when active expiration triggers hashtable to shrink (#2257)
• Fix MEMORY USAGE to account for embedded keys (#2290)
• Fix memory leak when shrinking a hashtable without entries (#2288)
• Prevent potential assertion in active defrag handling large allocations (#2353)
• Prevent bad memory access when NOTOUCH client gets unblocked (#2347)
• Converge divergent shard-id persisted in nodes.conf to primary's shard id (#2174)
• Fix client tracking memory overhead calculation (#2360)
• Fix RDB load per slot memory pre-allocation when loading from RDB snapshot (#2466)
• Don't use AVX2 instructions if the CPU doesn't support it (#2571)
• Fix bug where active defrag may be unable to defrag sparsely filled pages (#2656)

Full Changelog: https://github.com/valkey-io/valkey/compare/8.1.3...8.1.4

Upgrade urgency SECURITY: This release includes security fixes we recommend you apply as soon as possible.

• (CVE-2025-49844) A Lua script may lead to remote code execution
• (CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
• (CVE-2025-46818) A Lua script can be executed in the context of another user
• (CVE-2025-46819) LUA out-of-bound read

• Ensure empty error tables in Lua scripts don't crash Valkey (#2229)
• Fix client tracking memory overhead calculation (#2360)

Full Changelog: https://github.com/valkey-io/valkey/compare/7.2.10...7.2.11

Upgrade urgency levels:

Level	Meaning
LOW	No need to upgrade unless there are new features you want to use.
MODERATE	Program an upgrade of the server, but it's not urgent.
HIGH	There is a critical bug that may affect a subset of users. Upgrade!
CRITICAL	There is a critical bug affecting MOST USERS. Upgrade ASAP.
SECURITY	There are security fixes in the release.

Upgrade urgency LOW: This is the second release candidate of Valkey 9.0.0, focused on stability, bug fixes, and incremental improvements.

Attention Valkey Module maintainers: There is a new module option to indicate support for the Atomic Slot Migration (ASM) feature. Modules must explicitly opt in to ASM; otherwise, this feature will be disabled in clusters that load modules without ASM support.

• Fix module context object re-use in scripting engines (#2358)
• Fix pre-size hashtables per slot when reading RDB files (#2466)
• Do not migrate script functions in atomic slot migration (#2547)
• Don't use AVX2 instructions if the CPU don't support it (#2571)

• Optimized pipelining by parsing and prefetching multiple commands (#2092)

• Make cluster failover delay relative to node timeout (#2449)
• Separate RDB snapshotting from atomic slot migration (#2533)

• Added new module API event for tracking authentication attempts (#2237)
• Added READONLY flag to ClientInfo.flags output structure (#2522)
• Make modules opt-in to atomic slot migration and add server events (#2593)

• Added new cluster-announce-client-(port|tls-port) configs (#2429)
• CONFIG RESETSTATS now also resets cluster related stats (#2458)
• Make CONFIG GET command return sorted output (#2493)

• Update reply schema for LMOVE and BLMOVE (#2541)
• Most deprecated commands are now un-deprecated (#2546)

• Relaxed RDB check for foreign RDB formats (#2543)

• Added word-jump navigation (Alt/Option/Ctrl + ←/→) to valkey-cli (#2583)

Upgrade urgency SECURITY: This release includes security fixes we recommend you apply as soon as possible.

• Fix clients remaining blocked when reprocessing commands after certain blocking operations (#2109)
• Fix a memory corruption issue in the sharded pub/sub unsubscribe logic (#2137)
• Fix potential memory leak by ensuring module context is freed when aux_save2 callback writes no data (#2132)
• Fix CLIENT UNBLOCK triggering unexpected errors when used on paused clients (#2117)
• Fix missing NULL check on SSL_new() when creating outgoing TLS connections (#2140)
• Fix incorrect casting of ping extension lengths to prevent silent packet drops (#2144)
• Fix replica failover stall due to outdated config epoch (#2178)
• Fix incorrect port/tls-port info in CLUSTER SLOTS/CLUSTER NODES after dynamic config change (#2186)
• Ensure empty error tables in Lua scripts don't crash Valkey (#2229)
• Fix client tracking memory overhead calculation (#2360)
• Handle divergent shard-id from nodes.conf and reconcile to the primary node's shard-id (#2174)
• Fix pre-size hashtables per slot when reading RDB files (#2466)

• Trigger election immediately during a forced manual failover (CLUSTER FAILOVER FORCE) to avoid delay (#1067)
• Reset ongoing election state when initiating a new manual failover (#1274)

• Add support to drop all cluster packets (#1252)
• Improve log clarity in failover auth denial message (#1341)

• CVE-2025-27151: Check length of AOF file name in valkey-check-aof and reject paths longer than PATH_MAX (#2146)

Full Changelog: 8.0.4...8.0.5