dependabot[bot] opened a new pull request, #16918:
URL: https://github.com/apache/pinot/pull/16918

   Bumps [org.apache.pulsar:pulsar-bom](https://github.com/apache/pulsar) from 4.0.6 to 4.0.7.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a href="https://github.com/apache/pulsar/releases">org.apache.pulsar:pulsar-bom's releases</a>.</em></p>
   <blockquote>
   <h2>v4.0.7</h2>
   <h4>2025-09-27</h4>
   <h3>Library updates</h3>
   <ul>
   <li>[fix][sec] Upgrade bouncycastle bcpkix-fips version to 1.79 to address CVE-2025-8916 (<a href="https://redirect.github.com/apache/pulsar/pull/24650">#24650</a>)</li>
   <li>[fix][sec] Upgrade Netty to 4.1.127.Final to address CVEs (<a href="https://redirect.github.com/apache/pulsar/pull/24717">#24717</a>)</li>
   <li>[fix][sec] Upgrade to Netty 4.1.124.Final to address CVE-2025-55163 (<a href="https://redirect.github.com/apache/pulsar/pull/24637">#24637</a>)</li>
   <li>[improve][io] Upgrade AWS SDK v1 &amp; v2, Kinesis KPL and KPC versions (<a href="https://redirect.github.com/apache/pulsar/pull/24661">#24661</a>)</li>
   <li>[fix][misc] Upgrade dependencies to fix critical security vulnerabilities (<a href="https://redirect.github.com/apache/pulsar/pull/24532">#24532</a>)</li>
   <li>[improve][build] Upgrade Lombok to 1.18.42 to fully support JDK25 (<a href="https://redirect.github.com/apache/pulsar/pull/24763">#24763</a>)</li>
   <li>[improve][broker] Upgrade avro version to 1.12.0 (<a href="https://redirect.github.com/apache/pulsar/pull/24617">#24617</a>)</li>
   <li>[fix][misc] Upgrade fastutil to 8.5.16 (<a href="https://redirect.github.com/apache/pulsar/pull/24659">#24659</a>)</li>
   <li>[improve][build] Upgrade Apache Parent POM to version 35 (<a href="https://redirect.github.com/apache/pulsar/pull/24742">#24742</a>)</li>
   <li>[improve][build] Upgrade Mockito, AssertJ and ByteBuddy to fully support JDK25 (<a href="https://redirect.github.com/apache/pulsar/pull/24764">#24764</a>)</li>
   <li>[improve][build] Upgrade SpotBugs to a version that supports JDK25 (<a href="https://redirect.github.com/apache/pulsar/pull/24768">#24768</a>)</li>
   <li>[feat][misc] upgrade oxia version to 0.6.2 (<a href="https://redirect.github.com/apache/pulsar/pull/24689">#24689</a>)</li>
   </ul>
   <h3>Broker</h3>
   <ul>
   <li>[fix][broker] Key_Shared subscription doesn't always deliver messages from the replay queue after a consumer disconnects and leaves a backlog (<a href="https://redirect.github.com/apache/pulsar/pull/24736">#24736</a>)</li>
   <li>[fix][broker] Ensure KeyShared sticky mode consumer respects assigned ranges (<a href="https://redirect.github.com/apache/pulsar/pull/24730">#24730</a>)</li>
   <li>[fix][broker] PIP-428: Fix corrupted topic policies issues with sequential topic policy updates (<a href="https://redirect.github.com/apache/pulsar/pull/24427">#24427</a>)</li>
   <li>[fix][broker][branch-4.0]Can not access topic policies if topic partitions have not been created (<a href="https://redirect.github.com/apache/pulsar/pull/24680">#24680</a>)</li>
   <li>[fix][broker] Add double-check for non-durable cursor creation (<a href="https://redirect.github.com/apache/pulsar/pull/24643">#24643</a>)</li>
   <li>[fix][broker] First entry will be skipped if opening NonDurableCursor while trimmed ledger is adding first entry. (<a href="https://redirect.github.com/apache/pulsar/pull/24738">#24738</a>)</li>
   <li>[fix][broker] Fix cannot shutdown broker gracefully by admin api (<a href="https://redirect.github.com/apache/pulsar/pull/24731">#24731</a>)</li>
   <li>[fix][broker] Fix duplicate watcher registration after SessionReestablished (<a href="https://redirect.github.com/apache/pulsar/pull/24621">#24621</a>)</li>
   <li>[fix][broker] Fix memory leak when metrics are updated in a thread other than FastThreadLocalThread (<a href="https://redirect.github.com/apache/pulsar/pull/24719">#24719</a>)</li>
   <li>[fix][broker] Fix race condition in MetadataStoreCacheLoader causing inconsistent availableBroker list caching (<a href="https://redirect.github.com/apache/pulsar/pull/24639">#24639</a>)</li>
   <li>[fix][broker] Fix REST API to produce messages to single-partitioned topics (<a href="https://redirect.github.com/apache/pulsar/pull/24450">#24450</a>)</li>
   <li>[fix][broker] Invalid regex in PulsarLedgerManager causes zk data notification to be ignored (<a href="https://redirect.github.com/apache/pulsar/pull/23977">#23977</a>)</li>
   <li>[fix][broker] Prevent unexpected recycle failure in dispatcher's read callback (<a href="https://redirect.github.com/apache/pulsar/pull/24741">#24741</a>)</li>
   <li>[fix][broker]Fix never recovered metadata store bad version issue if received a large response from ZK (<a href="https://redirect.github.com/apache/pulsar/pull/24580">#24580</a>)</li>
   <li>[fix][ml]Fix EOFException after enabled topics offloading (<a href="https://redirect.github.com/apache/pulsar/pull/24753">#24753</a>)</li>
   <li>[fix][broker] Fix incorrect AuthData passed to AuthorizationService in proxy scenarios (<a href="https://redirect.github.com/apache/pulsar/pull/24593">#24593</a>)</li>
   <li>[fix][broker] Fix namespace deletion TLS URL selection for geo-replication (<a href="https://redirect.github.com/apache/pulsar/pull/24591">#24591</a>)</li>
   <li>[fix][broker] Fix NPE and annotate nullable return values for ManagedCursorContainer (<a href="https://redirect.github.com/apache/pulsar/pull/24706">#24706</a>)</li>
   <li>[fix][broker] Fix NPE being logged if load manager class name is blank (<a href="https://redirect.github.com/apache/pulsar/pull/24570">#24570</a>)</li>
   <li>[fix][broker]Dispatcher did unnecessary sort for recentlyJoinedConsumers and printed noisy error logs (<a href="https://redirect.github.com/apache/pulsar/pull/24634">#24634</a>)</li>
   <li>[fix][broker]Failed to create partitions after the partitions were deleted because topic GC (<a href="https://redirect.github.com/apache/pulsar/pull/24651">#24651</a>)</li>
   <li>[fix][broker]Fix dirty reading of namespace level offload thresholds (<a href="https://redirect.github.com/apache/pulsar/pull/24696">#24696</a>)</li>
   <li>[fix][broker]Fix thread safety issues in BucketDelayedDeliveryTracker with StampedLock optimistic reads (<a href="https://redirect.github.com/apache/pulsar/pull/24542">#24542</a>)</li>
   <li>[fix][broker]User topic failed to delete after removed cluster because of failed delete data from transaction buffer topic (<a href="https://redirect.github.com/apache/pulsar/pull/24648">#24648</a>)</li>
   <li>[fix][ml] Negative backlog &amp; acked positions does not exist &amp; message lost when concurrently occupying topic owner (<a href="https://redirect.github.com/apache/pulsar/pull/24722">#24722</a>)</li>
   <li>[fix][meta] Use <code>getChildrenFromStore</code> to read children data to avoid lost data (<a href="https://redirect.github.com/apache/pulsar/pull/24665">#24665</a>)</li>
   <li>[improve][admin] PIP-422 part 1: Support global topic-level replicated clusters policy (<a href="https://redirect.github.com/apache/pulsar/pull/24390">#24390</a>)</li>
   <li>[improve][broker]Part-2 Add Admin API to delete topic policies (<a href="https://redirect.github.com/apache/pulsar/pull/24602">#24602</a>)</li>
   <li>[improve][broker] If there is a deadlock in the service, the probe should return a failure because the service may be unavailable (<a href="https://redirect.github.com/apache/pulsar/pull/23634">#23634</a>)</li>
   <li>[improve][ml] Optimize ledger opening by skipping fully acknowledged ledgers (<a href="https://redirect.github.com/apache/pulsar/pull/24655">#24655</a>)</li>
   </ul>
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/apache/pulsar/commit/ce00d7a4a040ad34399d44df54dc8e0fdc67eb35"><code>ce00d7a</code></a> Release 4.0.7</li>
   <li><a href="https://github.com/apache/pulsar/commit/b4ba39c2b2e0637968cd61e7af91d41c536a055c"><code>b4ba39c</code></a> [fix][test] Flaky-test: BrokerServiceTest.testShutDownWithMaxConcurrentUnload...</li>
   <li><a href="https://github.com/apache/pulsar/commit/9c9bed36431e891d8d08a98f46f46d6c864df89a"><code>9c9bed3</code></a> [improve][build] Upgrade Mockito, AssertJ and ByteBuddy to fully support JDK2...</li>
   <li><a href="https://github.com/apache/pulsar/commit/c65715da2aed357cc508d19ed728f828ce8c9edf"><code>c65715d</code></a> [fix][client] Exclude io.prometheus:simpleclient_caffeine from client-side de...</li>
   <li><a href="https://github.com/apache/pulsar/commit/003e5d0dcec67abb566ecf36a19117e59eeadcb3"><code>003e5d0</code></a> [improve][build] Upgrade Lombok to 1.18.42 to fully support JDK25 (<a href="https://redirect.github.com/apache/pulsar/issues/24763">#24763</a>)</li>
   <li><a href="https://github.com/apache/pulsar/commit/e199b24ef2277da0df9888211b98e1d5c8c789bc"><code>e199b24</code></a> [improve][broker] If there is a deadlock in the service, the probe should ret...</li>
   <li><a href="https://github.com/apache/pulsar/commit/f427b97cd9a59a60dee22f1f244baea148885fc1"><code>f427b97</code></a> [fix][broker] First entry will be skipped if opening NonDurableCursor while t...</li>
   <li><a href="https://github.com/apache/pulsar/commit/9bc38565421bbbea3753a540b4566c6adda7a2e7"><code>9bc3856</code></a> [fix][ml]Fix EOFException after enabled topics offloading (<a href="https://redirect.github.com/apache/pulsar/issues/24753">#24753</a>)</li>
   <li><a href="https://github.com/apache/pulsar/commit/d6b00f99704b70b27495da4ca32f4244f9625e6f"><code>d6b00f9</code></a> [fix][misc] Fix compareTo contract violation for NamespaceBundleStats, TimeAv...</li>
   <li><a href="https://github.com/apache/pulsar/commit/8cdba3073c6d39c3f2428f0a1736d83af2708b7b"><code>8cdba30</code></a> [improve][build] Upgrade SpotBugs to a version that supports JDK25 (<a href="https://redirect.github.com/apache/pulsar/issues/24768">#24768</a>)</li>
   <li>Additional commits viewable in <a href="https://github.com/apache/pulsar/compare/v4.0.6...v4.0.7">compare view</a></li>
   </ul>
   </details>
   <br />
   
   <details>
   <summary>Most Recent Ignore Conditions Applied to This Pull Request</summary>
   
   | Dependency Name | Ignore Conditions |
   | --- | --- |
   | org.apache.pulsar:pulsar-bom | [>= 4.1.a0, < 4.2] |
   </details>
   
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   

