> ## Documentation Index > Fetch the complete documentation index at: https://docs.streamnative.io/llms.txt > Use this file to discover all available pages before exploring further. # V4.1.3.1 # StreamNative Weekly Release Notes v4.1.3.1 ## Download ### Distributions * [https://github.com/streamnative/pulsar/releases/tag/v4.1.3.1](https://github.com/streamnative/pulsar/releases/tag/v4.1.3.1) ### Packages * [Maven Central](https://search.maven.org/artifact/io.streamnative/pulsar/4.1.3.1/pom) ### Images * [sn-platform](https://hub.docker.com/layers/streamnative/sn-platform/4.1.3.1/images/sha256-390047b8c922594631de007d0aeace9f232117c30b7f36930b52be21c7ad0883) * [sn-platform-slim](https://hub.docker.com/layers/streamnative/sn-platform-slim/4.1.3.1/images/sha256-6ec2ee8552da73f89b7e3056a3faa812759346351804a5e954f4df507da5ef55) * [private-cloud](https://hub.docker.com/layers/streamnative/private-cloud/4.1.3.1/images/sha256-6ec2ee8552da73f89b7e3056a3faa812759346351804a5e954f4df507da5ef55) ## General Changes ### Apache Pulsar ([#25269](https://github.com/apache/pulsar/pull/25269)) \[improve]\[broker] Optimize AsyncTokenBucket overflow solution further to reduce fallback to BigInteger ([#25262](https://github.com/apache/pulsar/pull/25262)) \[fix]\[broker] Guard AsyncTokenBucket against long overflow ([#25255](https://github.com/apache/pulsar/pull/25255)) \[fix]\[broker] Use compatible Avro name validator in JsonSchemaCompatibilityCheck ([#25193](https://github.com/apache/pulsar/pull/25193)) \[fix]\[broker] Use compatible Avro name validator to allow '\$' in schema record names ([#25254](https://github.com/apache/pulsar/pull/25254)) \[fix]\[client] Reduce logging in OAuth auth to fix parsing of Pulsar cli command output ([#25253](https://github.com/apache/pulsar/pull/25253)) \[improve] Upgrade RoaringBitmap to 1.6.9 version ([#25251](https://github.com/apache/pulsar/pull/25251)) \[improve]\[fn] Upgrade Pulsar Python client version to 3.10.0 ([#25246](https://github.com/apache/pulsar/pull/25246)) \[fix]\[meta] Metadata cache refresh might not take effect ([#25247](https://github.com/apache/pulsar/pull/25247)) \[fix]\[test] Fix ResourceQuotaCalculatorImplTest#testNeedToReportLocalUsage ([#25241](https://github.com/apache/pulsar/pull/25241)) \[fix]\[test] fix testBatchMetadataStoreMetrics. ([#25232](https://github.com/apache/pulsar/pull/25232)) \[improve] Upgrade Netty to 4.1.131.Final ([#25187)](https://github.com/apache/pulsar/pull/25187))) Reapply "\[improve]\[meta] PIP-453: Improve the metadata store threading model ([#25187)](https://github.com/apache/pulsar/pull/25187))) Revert "\[improve]\[meta] PIP-453: Improve the metadata store threading model ([#25231](https://github.com/apache/pulsar/pull/25231)) \[fix]\[broker] Fix transactionMetadataFuture completeExceptionally with null value ([#25229](https://github.com/apache/pulsar/pull/25229)) \[fix]\[client] Send all chunkMessageIds to broker for redelivery ([#25221](https://github.com/apache/pulsar/pull/25221)) \[improve]\[broker] Give the detail error msg when authenticate failed with AuthenticationException ([#25227](https://github.com/apache/pulsar/pull/25227)) \[fix]\[test] Fix Mockito stubbing race in TopicListServiceTest ([#25228](https://github.com/apache/pulsar/pull/25228)) \[fix]\[broker] Fix incomplete futures in topic property update/delete methods ([#25224](https://github.com/apache/pulsar/pull/25224)) \[improve]\[broker] Add idle timeout support for http ([#25052](https://github.com/apache/pulsar/pull/25052)) \[improve]\[client] Make authorization server metadata path configurable in AuthenticationOAuth2 ([#24944](https://github.com/apache/pulsar/pull/24944)) \[feat]\[client] oauth2 trustcerts file and timeouts ([#25185](https://github.com/apache/pulsar/pull/25185)) \[improve]\[broker] Add strictAuthMethod to require explicit authentication method ([#25223](https://github.com/apache/pulsar/pull/25223)) \[fix]\[broker] Fix httpProxyTimeout config ([#25200](https://github.com/apache/pulsar/pull/25200)) \[improve]\[broker] Change log level from warn to debug when cursor mark-deleted position ledger doesn't exist ([#25195](https://github.com/apache/pulsar/pull/25195)) \[feat]\[io] implement pip-297 for jdbc sinks ([#25127](https://github.com/apache/pulsar/pull/25127)) \[improve]\[admin] Add client side looping to analyze-backlog in Topics to avoid potential HTTP call timeout ([#25188](https://github.com/apache/pulsar/pull/25188)) \[fix]\[broker] Prevent missed topic changes in topic watchers and schedule periodic refresh with patternAutoDiscoveryPeriod interval ([#25207](https://github.com/apache/pulsar/pull/25207)) \[fix]\[client] Fix producer synchronous retry handling in failPendingMessages method ([#25199](https://github.com/apache/pulsar/pull/25199)) \[fix]\[broker]Fix ledgerHandle failed to read by using new BK API ([#25165](https://github.com/apache/pulsar/pull/25165)) \[fix]\[broker] Fix ManagedCursorImpl.asyncDelete() method may lose previous async mark delete properties in race condition ([#25216](https://github.com/apache/pulsar/pull/25216)) \[fix]\[test]Fix flaky ExtensibleLoadManagerImplTest\_testGetMetrics ([#25211](https://github.com/apache/pulsar/pull/25211)) \[improve]\[proxy] Add regression tests for package upload with 'Expect: 100-continue' ([#24994](https://github.com/apache/pulsar/pull/24994)) \[improve]\[monitor] Upgrade OpenTelemetry to 1.56.0, Otel instrumentation to 2.21.0 and Otel semconv to 1.37.0 ([#25187](https://github.com/apache/pulsar/pull/25187)) \[improve]\[meta] PIP-453: Improve the metadata store threading model ([#25208](https://github.com/apache/pulsar/pull/25208)) \[fix]\[client] Fix race condition between isDuplicate() and flushAsync() method in PersistentAcknowledgmentsGroupingTracker due to incorrect use Netty Recycler ([#25209](https://github.com/apache/pulsar/pull/25209)) \[fix] \[test] Upgrade docker-java to 3.7.0 ([#25179](https://github.com/apache/pulsar/pull/25179)) \[fix]\[proxy] Close client connection immediately when credentials expire and forwardAuthorizationCredentials is disabled ([#25197](https://github.com/apache/pulsar/pull/25197)) \[fix]\[misc] Allow JWT tokens in OpenID auth without nbf claim ([#25186](https://github.com/apache/pulsar/pull/25186)) \[fix]\[test] Bump org.assertj:assertj-core from 3.27.5 to 3.27.7 ([#25182](https://github.com/apache/pulsar/pull/25182)) \[improve]\[misc] Upgrade snappy version to 1.1.10.8 ([#25178](https://github.com/apache/pulsar/pull/25178)) \[fix]\[client] ControlledClusterFailover avoid unnecessary reconnection. ([#25172](https://github.com/apache/pulsar/pull/25172)) \[improve]\[client]Reduce unnecessary getPartitionedTopicMetadata requests when using retry and DLQ topics. ([#25177](https://github.com/apache/pulsar/pull/25177)) \[fix]\[ml] Fix NoSuchElementException in EntryCountEstimator caused by a race condition ([#25166](https://github.com/apache/pulsar/pull/25166)) \[improve]\[broker] Upgrade bookkeeper to 4.17.3 ([#25132](https://github.com/apache/pulsar/pull/25132)) \[improve]\[broker] Ensure metadata session state visibility and improve Unstable observability for ServiceUnitStateChannelImpl ([#25070](https://github.com/apache/pulsar/pull/25070)) \[improve]\[broker] PIP-442: Add memory limits for topic list watcher (part 2) ([#25157](https://github.com/apache/pulsar/pull/25157)) \[fix]\[fn] Fix graceful Pulsar Function shutdown so that consumers and producers are closed ([#25151](https://github.com/apache/pulsar/pull/25151)) \[fix]\[broker] Fence reset cursor by timestamp to avoid concurrent timestamp-based position lookups ([#25148](https://github.com/apache/pulsar/pull/25148)) \[fix]\[ml] Retry offload reads when OffloadReadHandleClosedException is encountered ([#25149](https://github.com/apache/pulsar/pull/25149)) \[fix]\[admin] Fix offload policy incompatible issue. ([#25142](https://github.com/apache/pulsar/pull/25142)) \[fix]\[proxy] Fix memory leaks in ParserProxyHandler ([#25140](https://github.com/apache/pulsar/pull/25140)) \[fix]\[fn] complete flushAsync before closeAsync in ProducerCache and wait for completion in closing the cache ([#25031](https://github.com/apache/pulsar/pull/25031)) \[fix]\[broker] Avoid split non-existent bundle ([#25136](https://github.com/apache/pulsar/pull/25136)) \[fix]\[broker] Fix regex matching of namespace name which might contain a regex char ([#25110](https://github.com/apache/pulsar/pull/25110)) \[fix]\[broker] Fix markDeletedPosition race condition in ManagedLedgerImpl.maybeUpdateCursorBeforeTrimmingConsumedLedger() method ([#25125](https://github.com/apache/pulsar/pull/25125)) \[fix]\[test] Wait for txn.abort() to complete to avoid AdminApiTransactionTest.testAnalyzeSubscriptionBacklogWithTransactionMarker() flaky test ([#25114](https://github.com/apache/pulsar/pull/25114)) \[fix]\[broker]Topic deleting failed after removed local cluster from namespace policies ([#25130](https://github.com/apache/pulsar/pull/25130)) \[improve]\[broker] Change the log level from error to info when throwing NotAllowedException ([#25048](https://github.com/apache/pulsar/pull/25048)) \[improve]\[broker] Enhance logging for adding schema failures in ServerCnx ([#25121](https://github.com/apache/pulsar/pull/25121)) \[fix]\[broker] Fix MultiRolesTokenAuthorizationProvider error when subscription prefix doesn't match. ([#25119](https://github.com/apache/pulsar/pull/25119)) \[fix]\[broker] Fix compaction horizon might be reset to an old position when phase two is interrupted ([#25104](https://github.com/apache/pulsar/pull/25104)) \[improve]\[broker] Fix thread safety issue in ManagedCursorImpl.removeProperty ([#25091](https://github.com/apache/pulsar/pull/25091)) \[improve]\[admin] Add counter for marker messages in PersistentTopics.analyzeSubscriptionBacklog() rest api ([#25089](https://github.com/apache/pulsar/pull/25089)) \[fix]\[ml] Fix cursor backlog size to account for individual acks ([#25077](https://github.com/apache/pulsar/pull/25077)) \[fix]\[broker] Fix chunked message loss when no consumers are available ([#25101](https://github.com/apache/pulsar/pull/25101)) \[fix]\[test] Fix ManagedCursorTest and NonDurableCursorTest flaky tests ([#25106](https://github.com/apache/pulsar/pull/25106)) \[fix]\[client]Producer stuck or geo-replication stuck due to wrong value of message.numMessagesInBatch ([#25105](https://github.com/apache/pulsar/pull/25105)) \[fix]\[broker]pulsar\_ml\_reads\_inflight\_bytes and pulsar\_ml\_reads\_available\_inflight\_bytes are 0 at the same time ([#25087](https://github.com/apache/pulsar/pull/25087)) \[fix]\[broker] Fix cursor position persistence in ledger trimming ([#25085](https://github.com/apache/pulsar/pull/25085)) \[improve]\[io] Replace Qpid in tests with RabbitMQ in Testcontainers and upgrade RabbitMQ client version ([#25084](https://github.com/apache/pulsar/pull/25084)) \[fix]\[build] Activate jdk21 and jdk24 profiles on Java 25 ([#25073](https://github.com/apache/pulsar/pull/25073)) \[fix]\[broker]Infinitely failed to delete topic if the first time failed and enabled transaction ([#25047](https://github.com/apache/pulsar/pull/25047)) \[fix]\[broker]Fix incorrect backlog if use multiple acknowledge types on the same subscription ([#24980](https://github.com/apache/pulsar/pull/24980)) \[fix]\[broker] fix prepareInitPoliciesCacheAsync in SystemTopicBasedTopicPoliciesService ([#24658](https://github.com/apache/pulsar/pull/24658)) \[improve]\[broker] Optimize Reader creation in TopicPoliciesService ([#25053](https://github.com/apache/pulsar/pull/25053)) \[improve]\[broker] Use atomic counter for ongoing transaction count ([#25069](https://github.com/apache/pulsar/pull/25069)) \[fix]\[client] Fix invalid parameter type passed to Map.get in TopicsImpl.getListAsync method ([#25066](https://github.com/apache/pulsar/pull/25066)) \[fix]\[broker] PIP-442: Fix race condition in async semaphore permit updates that causes memory limits to become ineffective ([#25044](https://github.com/apache/pulsar/pull/25044)) \[improve]\[broker] Improve replicated subscription snapshot cache so that subscriptions can be replicated when mark delete position update is not frequent ([#25067](https://github.com/apache/pulsar/pull/25067)) \[fix]\[broker] Force EnsemblePolicies to resolve network location after rackInfoMap is updated due to changes in /ledgers/available znode ([#25050](https://github.com/apache/pulsar/pull/25050)) \[fix]\[admin] Refactor bookie affinity group sync operations to async in rest api ([#25059](https://github.com/apache/pulsar/pull/25059)) \[fix]\[broker] Fix various error-prone detected errors mainly in logging and String.format parameters ([#25054](https://github.com/apache/pulsar/pull/25054)) \[improve]\[build] Upgrade errorprone to 2.45.0 version ([#25056](https://github.com/apache/pulsar/pull/25056)) \[fix]\[cli] Fix output of --print-metadata in cli consume ([#25051](https://github.com/apache/pulsar/pull/25051)) \[fix]\[cli] Fix some pulsar-admin topicPolicies commands exiting before async operations complete ([#16651](https://github.com/apache/pulsar/pull/16651)) \[improve]\[broker] Fix replicated subscriptions race condition with mark delete update and snapshot completion ([#25027](https://github.com/apache/pulsar/pull/25027)) \[improve]\[misc] Add log4j-layout-template-json to server distribution to enable e.g. ECS template support in log4j configurations for Pulsar server components. ([#25032](https://github.com/apache/pulsar/pull/25032)) \[fix]\[test] Replace LZ4FastDecompressor with LZ4SafeDecompressor in test ([#25034](https://github.com/apache/pulsar/pull/25034)) \[improve]\[misc]introduce log4j Console appender ConsoleJson ([#25039](https://github.com/apache/pulsar/pull/25039)) \[fix]\[broker] Fix potential NPE in InMemTransactionBuffer.appendBufferToTxn by returning a valid Position ([#25026](https://github.com/apache/pulsar/pull/25026)) \[improve]\[broker]Add test for getting partitioned topic metadata with PulsarAdmin client ([#25029](https://github.com/apache/pulsar/pull/25029)) \[improve]\[io] Upgrade Debezium version to 3.2.5.Final ([#25036](https://github.com/apache/pulsar/pull/25036)) \[improve]\[client] Add null checks for MessageAcknowledger methods to prevent NullPointerException ([#25037](https://github.com/apache/pulsar/pull/25037)) \[fix]\[broker]Incorrect backlog that is larger than expected ([#24994)](https://github.com/apache/pulsar/pull/24994))) Revert "\[improve]\[monitor] Upgrade OpenTelemetry to 1.56.0, Otel instrumentation to 2.21.0 and Otel semconv to 1.37.0 ([#25022](https://github.com/apache/pulsar/pull/25022)) \[fix] Upgrade gson to 2.13.2 ([#25018](https://github.com/apache/pulsar/pull/25018)) \[improve]\[broker]Remove the warn log that frequently prints ([#25016](https://github.com/apache/pulsar/pull/25016)) \[fix]\[broker]Fix memory leak when using a customized ManagedLedger implementation ([#25015](https://github.com/apache/pulsar/pull/25015)) \[fix]\[client] Fix AutoProduceBytesSchema.clone() method ([#25014](https://github.com/apache/pulsar/pull/25014)) \[fix]\[client] Fix thread-safety of AutoProduceBytesSchema ([#25013](https://github.com/apache/pulsar/pull/25013)) \[improve]\[client] Test no exception could be thrown for invalid epoch in message ([#25011](https://github.com/apache/pulsar/pull/25011)) \[improve] Eliminate unnecessary duplicate schema lookups for partitioned topics in client and geo-replication ([#25004](https://github.com/apache/pulsar/pull/25004)) \[fix]\[broker] Add schema version in rest produce api ([#25012](https://github.com/apache/pulsar/pull/25012)) \[fix]\[broker] Fix issue with schemaValidationEnforced in geo-replication ([#25008](https://github.com/apache/pulsar/pull/25008)) \[fix]\[client] Fix double recycling of the message in isValidConsumerEpoch method ([#25007](https://github.com/apache/pulsar/pull/25007)) \[fix]\[client] PIP-84: Skip processing a message in the message listener if the consumer epoch is no longer valid ([#25006](https://github.com/apache/pulsar/pull/25006)) \[fix]\[client] Skip processing messages in the listener when the consumer has been closed ([#24994](https://github.com/apache/pulsar/pull/24994)) \[improve]\[monitor] Upgrade OpenTelemetry to 1.56.0, Otel instrumentation to 2.21.0 and Otel semconv to 1.37.0 ([#24997](https://github.com/apache/pulsar/pull/24997)) \[fix]\[broker] Fix creation of replicated subscriptions for partitioned topics ([#24983](https://github.com/apache/pulsar/pull/24983)) \[improve] Upgrade Apache Commons library versions ([#24995](https://github.com/apache/pulsar/pull/24995)) \[improve]\[test] Use Oxia project docker container for integration tests ([#24986](https://github.com/apache/pulsar/pull/24986)) \[fix] Handle TLS close\_notify to avoid SslClosedEngineException: SSLEngine closed already ([#24982](https://github.com/apache/pulsar/pull/24982)) \[improve]\[build] Upgrade Testcontainers to 1.21.3 ([#24975](https://github.com/apache/pulsar/pull/24975)) \[improve]\[broker]Improve error response of failed to delete topic if it has replicators connected ([#24938](https://github.com/apache/pulsar/pull/24938)) \[fix]\[broker]Wrong backlog: expected 0 but got 1 ([#24985](https://github.com/apache/pulsar/pull/24985)) \[improve] Upgrade Log4j2 to 2.25.2 and slf4j to 2.0.17 ([#24984](https://github.com/apache/pulsar/pull/24984)) \[improve] Upgrade Caffeine to 3.2.3 ([#24871](https://github.com/apache/pulsar/pull/24871)) \[fix]\[test] Fixed Non-Guaranteed Order in PoliciesDataTest.propertyAdmin ([#24981](https://github.com/apache/pulsar/pull/24981)) \[fix]\[build] Remove Confluent and Restlet maven repositories from top level pom.xml ([#24976](https://github.com/apache/pulsar/pull/24976)) \[feat]\[meta] upgrade oxia version to 0.7.2 ## Security Fixes ### Apache Pulsar ([#25256](https://github.com/apache/pulsar/pull/25256)) \[fix]\[sec] Upgrade aircompressor to 2.0.3 to resolve CVE-2025-67721 ([#25250](https://github.com/apache/pulsar/pull/25250)) \[fix]\[sec] Upgrade Python protobuf version to 6.33.5 to address CVE-2026-0994 ([#25095](https://github.com/apache/pulsar/pull/25095)) \[fix]\[sec] Upgrade jose4j to 0.9.6 to address CVE-2024-29371 ([#25206](https://github.com/apache/pulsar/pull/25206)) \[fix]\[sec] Upgrade OpenSearch to 2.19.4 to remediate CVE-2025-9624 ([#25198](https://github.com/apache/pulsar/pull/25198)) \[fix]\[sec] Exclude org.lz4:lz4-java and standardize on at.yawk.lz4-java to remediate CVE-2025-12183 and CVE-2025-66566 ([#25175](https://github.com/apache/pulsar/pull/25175)) \[fix]\[sec] Bump org.apache.solr:solr-core from 9.8.0 to 9.10.1 in /pulsar-io/solr ([#25152](https://github.com/apache/pulsar/pull/25152)) \[fix]\[sec] Upgrade vertx to address CVE-2026-1002 ([#25102](https://github.com/apache/pulsar/pull/25102)) \[fix]\[sec] Upgrade log4j to 2.25.3 to address CVE-2025-68161 ([#25095](https://github.com/apache/pulsar/pull/25095)) \[fix]\[sec] Upgrade jose4j to 0.9.6 to address CVE-2024-29371 ([#25078](https://github.com/apache/pulsar/pull/25078)) \[fix]\[sec] Upgrade Netty to 4.1.130.Final ([#25045](https://github.com/apache/pulsar/pull/25045)) \[fix]\[sec] Bump at.yawk.lz4:lz4-java from 1.9.0 to 1.10.1 in /pulsar-common ([#25024](https://github.com/apache/pulsar/pull/25024)) \[fix]\[sec] Eliminate commons-collections dependency ([#24987](https://github.com/apache/pulsar/pull/24987)) \[fix]\[sec] Bump github.com/dvsekhvalnov/jose2go from 1.6.0 to 1.7.0 in /pulsar-function-go