
StreamNative Weekly Release Notes v4.0.8.8

Download

Distributions

Packages

Images

General Changes

Apache Pulsar

(#25231) [fix][broker] Fix transactionMetadataFuture completeExceptionally with null value
(#25229) [fix][client] Send all chunkMessageIds to broker for redelivery
(#25221) [improve][broker] Give the detail error msg when authenticate failed with AuthenticationException
(#25227) [fix][test] Fix Mockito stubbing race in TopicListServiceTest
(#25228) [fix][broker] Fix incomplete futures in topic property update/delete methods
(#25224) [improve][broker] Add idle timeout support for http
(#25052) [improve][client] Make authorization server metadata path configurable in AuthenticationOAuth2
(#24944) [feat][client] oauth2 trustcerts file and timeouts
(#25185) [improve][broker] Add strictAuthMethod to require explicit authentication method
(#25223) [fix][broker] Fix httpProxyTimeout config
(#25195) [feat][io] implement pip-297 for jdbc sinks
(#25188) [fix][broker] Prevent missed topic changes in topic watchers and schedule periodic refresh with patternAutoDiscoveryPeriod interval
(#25207) [fix][client] Fix producer synchronous retry handling in failPendingMessages method
(#25199) [fix][broker]Fix ledgerHandle failed to read by using new BK API
(#25165) [fix][broker] Fix ManagedCursorImpl.asyncDelete() method may lose previous async mark delete properties in race condition
(#25216) [fix][test]Fix flaky ExtensibleLoadManagerImplTest_testGetMetrics
(#25187) [improve][meta] PIP-453: Improve the metadata store threading model
(#25211) [improve][proxy] Add regression tests for package upload with ‘Expect: 100-continue’
(#24994) [improve][monitor] Upgrade OpenTelemetry to 1.56.0, Otel instrumentation to 2.21.0 and Otel semconv to 1.37.0
(#25208) [fix][client] Fix race condition between isDuplicate() and flushAsync() method in PersistentAcknowledgmentsGroupingTracker due to incorrect use Netty Recycler
(#25209) [fix] [test] Upgrade docker-java to 3.7.0
(#25197) [fix][misc] Allow JWT tokens in OpenID auth without nbf claim
(#25172) [improve][client]Reduce unnecessary getPartitionedTopicMetadata requests when using retry and DLQ topics.
(#25173) [improve][pip] PIP-453: Improve the metadata store threading model
(#25178) [fix][client] ControlledClusterFailover avoid unnecessary reconnection.
(#25179) [fix][proxy] Close client connection immediately when credentials expire and forwardAuthorizationCredentials is disabled
(#25182) [improve][misc] Upgrade snappy version to 1.1.10.8
(#25186) [fix][test] Bump org.assertj:assertj-core from 3.27.5 to 3.27.7

KoP

Some operations can’t work with super-user role
Fix race condition in concurrent Schema Registry requests handling
[branch-4.0] Upgrade pulsar version to 4.0.8.8
[branch-4.1] Upgrade unified rbac dependency to 1.7.3
Fix potential concurrent modification issue
Return references when getting schema by subject and version
Fix flaky test IdempotentProducerTest

StreamNative Pulsar Plugins

898f3b879 fix incompatible with pulsar
Upgrade detector build image to 1.25
07dfa85d0 fix: update pulsar and sn.bom versions to 4.0.8.8 in pom.xml
b1f864ff0 fix: update Maven command to include update flag for dependencies
db522f9ed build detector multi-platform
d9b7c56ec fix: remove opentelemetry-sdk-testing dependency from pom.xml
dd9968bc1 using streamnative-bom opentelemetry version
fix: patch CVE-2025-61726, CVE-2025-61728, CVE-2025-61730 in stdlib
Fix OIDCServlet to use local metadata store instead of configuration metadata store
fix: upgrade zookeeper to 3.9.4 to patch CVE-2025-58457

pulsarctl

fix: upgrade Go to 1.25.7 to fix CVE-2025-68121
fix: upgrade Go from 1.25.5 to 1.25.6 to patch CVE-2025-61726, CVE-2025-61728, CVE-2025-61730

Cloud Pulsar Plugins

a2882f8 Revert “Add OpenTelemetry SDK extension dependency to test pom.xml”
93ed760 Add OpenTelemetry SDK extension dependency to test pom.xml

Function Mesh Worker Service

3b32d782 Fix CI
Reuse authorization service when possible
a448fef3 Enhance CI

Security Fixes

Apache Pulsar

(#25095) [fix][sec] Upgrade jose4j to 0.9.6 to address CVE-2024-29371
(#25206) [fix][sec] Upgrade OpenSearch to 2.19.4 to remediate CVE-2025-9624
(#25198) [fix][sec] Exclude org.lz4:lz4-java and standardize on at.yawk.lz4-java to remediate CVE-2025-12183 and CVE-2025-66566
(#25175) [fix][sec] Bump org.apache.solr:solr-core from 9.8.0 to 9.10.1 in /pulsar-io/solr