dependabot[bot] opened a new pull request, #17734: URL: https://github.com/apache/pinot/pull/17734
Bumps [org.apache.pulsar:pulsar-bom](https://github.com/apache/pulsar) from 4.0.8 to 4.0.9. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/apache/pulsar/releases">org.apache.pulsar:pulsar-bom's releases</a>.</em></p> <blockquote> <h2>v4.0.9</h2> <h4>2026-02-19</h4> <h3>Library updates</h3> <ul> <li>[improve][broker] Upgrade bookkeeper to 4.17.3 (<a href="https://redirect.github.com/apache/pulsar/pull/25166">#25166</a>)</li> <li>[fix][sec] Bump at.yawk.lz4:lz4-java from 1.9.0 to 1.10.1 in /pulsar-common (<a href="https://redirect.github.com/apache/pulsar/pull/25045">#25045</a>)</li> <li>[fix][sec] Bump org.apache.solr:solr-core from 9.8.0 to 9.10.1 in /pulsar-io/solr (<a href="https://redirect.github.com/apache/pulsar/pull/25175">#25175</a>)</li> <li>[fix][sec] Eliminate commons-collections dependency (<a href="https://redirect.github.com/apache/pulsar/pull/25024">#25024</a>)</li> <li>[fix][sec] Exclude org.lz4:lz4-java and standardize on at.yawk.lz4-java to remediate CVE-2025-12183 and CVE-2025-66566 (<a href="https://redirect.github.com/apache/pulsar/pull/25198">#25198</a>)</li> <li>[fix][sec] Upgrade jose4j to 0.9.6 to address CVE-2024-29371 (<a href="https://redirect.github.com/apache/pulsar/pull/25095">#25095</a>)</li> <li>[fix][sec] Upgrade jose4j to 0.9.6 to address CVE-2024-29371 (<a href="https://redirect.github.com/apache/pulsar/pull/25095">#25095</a>)</li> <li>[fix][sec] Upgrade log4j to 2.25.3 to address CVE-2025-68161 (<a href="https://redirect.github.com/apache/pulsar/pull/25102">#25102</a>)</li> <li>[fix][sec] Upgrade Netty to 4.1.130.Final (<a href="https://redirect.github.com/apache/pulsar/pull/25078">#25078</a>)</li> <li>[fix][sec] Upgrade OpenSearch to 2.19.4 to remediate CVE-2025-9624 (<a href="https://redirect.github.com/apache/pulsar/pull/25206">#25206</a>)</li> <li>[fix][sec] Upgrade vertx to address CVE-2026-1002 (<a href="https://redirect.github.com/apache/pulsar/pull/25152">#25152</a>)</li> 
<li>[fix][test] Upgrade docker-java to 3.7.0 (<a href="https://redirect.github.com/apache/pulsar/pull/25209">#25209</a>)</li> <li>[improve][monitor] Upgrade OpenTelemetry to 1.56.0, Otel instrumentation to 2.21.0 and Otel semconv to 1.37.0 (<a href="https://redirect.github.com/apache/pulsar/pull/24994">#24994</a>)</li> <li>[improve][monitor] Upgrade OpenTelemetry to 1.56.0, Otel instrumentation to 2.21.0 and Otel semconv to 1.37.0 (<a href="https://redirect.github.com/apache/pulsar/pull/24994">#24994</a>)</li> <li>[improve][misc] Upgrade snappy version to 1.1.10.8 (<a href="https://redirect.github.com/apache/pulsar/pull/25182">#25182</a>)</li> <li>[feat][meta] upgrade oxia version to 0.7.2 (<a href="https://redirect.github.com/apache/pulsar/pull/24976">#24976</a>)</li> <li>[fix] Upgrade gson to 2.13.2 (<a href="https://redirect.github.com/apache/pulsar/pull/25022">#25022</a>)</li> <li>[improve] Upgrade Apache Commons library versions (<a href="https://redirect.github.com/apache/pulsar/pull/24983">#24983</a>)</li> <li>[improve] Upgrade Log4j2 to 2.25.2 and slf4j to 2.0.17 (<a href="https://redirect.github.com/apache/pulsar/pull/24985">#24985</a>)</li> <li>[improve] Upgrade Netty to 4.1.131.Final (<a href="https://redirect.github.com/apache/pulsar/pull/25232">#25232</a>)</li> <li>[fix][sec] Bump github.com/dvsekhvalnov/jose2go from 1.6.0 to 1.7.0 in /pulsar-function-go (<a href="https://redirect.github.com/apache/pulsar/pull/24987">#24987</a>)</li> </ul> <h3>Broker</h3> <ul> <li>[fix][broker] Add schema version in rest produce api (<a href="https://redirect.github.com/apache/pulsar/pull/25004">#25004</a>)</li> <li>[fix][broker] Avoid split non-existent bundle (<a href="https://redirect.github.com/apache/pulsar/pull/25031">#25031</a>)</li> <li>[fix][broker] Fence reset cursor by timestamp to avoid concurrent timestamp-based position lookups (<a href="https://redirect.github.com/apache/pulsar/pull/25151">#25151</a>)</li> <li>[fix][broker] Fix chunked message loss when 
no consumers are available (<a href="https://redirect.github.com/apache/pulsar/pull/25077">#25077</a>)</li> <li>[fix][broker] Fix compaction horizon might be reset to an old position when phase two is interrupted (<a href="https://redirect.github.com/apache/pulsar/pull/25119">#25119</a>)</li> <li>[fix][broker] Fix creation of replicated subscriptions for partitioned topics (<a href="https://redirect.github.com/apache/pulsar/pull/24997">#24997</a>)</li> <li>[fix][broker] Fix cursor position persistence in ledger trimming (<a href="https://redirect.github.com/apache/pulsar/pull/25087">#25087</a>)</li> <li>[fix][broker] Fix httpProxyTimeout config (<a href="https://redirect.github.com/apache/pulsar/pull/25223">#25223</a>)</li> <li>[fix][broker] Fix incomplete futures in topic property update/delete methods (<a href="https://redirect.github.com/apache/pulsar/pull/25228">#25228</a>)</li> <li>[fix][broker] Fix issue with schemaValidationEnforced in geo-replication (<a href="https://redirect.github.com/apache/pulsar/pull/25012">#25012</a>)</li> <li>[fix][broker] Fix ManagedCursorImpl.asyncDelete() method may lose previous async mark delete properties in race condition (<a href="https://redirect.github.com/apache/pulsar/pull/25165">#25165</a>)</li> <li>[fix][broker] Fix markDeletedPosition race condition in ManagedLedgerImpl.maybeUpdateCursorBeforeTrimmingConsumedLedger() method (<a href="https://redirect.github.com/apache/pulsar/pull/25110">#25110</a>)</li> <li>[fix][broker] Fix MultiRolesTokenAuthorizationProvider error when subscription prefix doesn't match. 
(<a href="https://redirect.github.com/apache/pulsar/pull/25121">#25121</a>)</li> <li>[fix][broker] Fix potential NPE in InMemTransactionBuffer.appendBufferToTxn by returning a valid Position (<a href="https://redirect.github.com/apache/pulsar/pull/25039">#25039</a>)</li> <li>[fix][broker] fix prepareInitPoliciesCacheAsync in SystemTopicBasedTopicPoliciesService (<a href="https://redirect.github.com/apache/pulsar/pull/24980">#24980</a>)</li> <li>[fix][broker] Fix regex matching of namespace name which might contain a regex char (<a href="https://redirect.github.com/apache/pulsar/pull/25136">#25136</a>)</li> <li>[fix][broker] Fix transactionMetadataFuture completeExceptionally with null value (<a href="https://redirect.github.com/apache/pulsar/pull/25231">#25231</a>)</li> <li>[fix][broker] Fix various error-prone detected errors mainly in logging and String.format parameters (<a href="https://redirect.github.com/apache/pulsar/pull/25059">#25059</a>)</li> <li>[fix][broker] Force EnsemblePolicies to resolve network location after rackInfoMap is updated due to changes in /ledgers/available znode (<a href="https://redirect.github.com/apache/pulsar/pull/25067">#25067</a>)</li> <li>[fix][broker] PIP-442: Fix race condition in async semaphore permit updates that causes memory limits to become ineffective (<a href="https://redirect.github.com/apache/pulsar/pull/25066">#25066</a>)</li> <li>[fix][broker] Prevent missed topic changes in topic watchers and schedule periodic refresh with patternAutoDiscoveryPeriod interval (<a href="https://redirect.github.com/apache/pulsar/pull/25188">#25188</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/apache/pulsar/commit/6d812924514bee525557aa4d2ce955c04cbdaf5d"><code>6d81292</code></a> [fix][meta] Metadata cache refresh might not take effect (<a href="https://redirect.github.com/apache/pulsar/issues/25246">#25246</a>)</li> <li><a href="https://github.com/apache/pulsar/commit/93438374921e5a4fab84317dffabf01c0fb449a7"><code>9343837</code></a> [fix][test] Fix ResourceQuotaCalculatorImplTest#testNeedToReportLocalUsage (#...</li> <li><a href="https://github.com/apache/pulsar/commit/abbd4786b45bb0fe70ff737d7cf979c4b1b396a8"><code>abbd478</code></a> [fix][test] fix testBatchMetadataStoreMetrics. (<a href="https://redirect.github.com/apache/pulsar/issues/25241">#25241</a>)</li> <li><a href="https://github.com/apache/pulsar/commit/a6c602aea34715a6cddaee86fb4f67f2a791209a"><code>a6c602a</code></a> [improve] Upgrade Netty to 4.1.131.Final (<a href="https://redirect.github.com/apache/pulsar/issues/25232">#25232</a>)</li> <li><a href="https://github.com/apache/pulsar/commit/4f9b2ca7cd7f5a3d8ae73bdc8ef9da83324e1ec6"><code>4f9b2ca</code></a> Reapply "[improve][meta] PIP-453: Improve the metadata store threading model ...</li> <li><a href="https://github.com/apache/pulsar/commit/a6aab863b4a86b5dcb9be21045f1333f1c4501f2"><code>a6aab86</code></a> Revert "[improve][meta] PIP-453: Improve the metadata store threading model (...</li> <li><a href="https://github.com/apache/pulsar/commit/fe9a55d065d3f0953745de2192c0ba1586df430c"><code>fe9a55d</code></a> Release 4.0.9</li> <li><a href="https://github.com/apache/pulsar/commit/42283f4a37e14e19913a9d88d9392a6a21fc11c6"><code>42283f4</code></a> [fix][broker] Fix transactionMetadataFuture completeExceptionally with null v...</li> <li><a href="https://github.com/apache/pulsar/commit/f49c7b288a1d0f62cafe2bf80b25aa53c097dc2a"><code>f49c7b2</code></a> [fix][client] Send all chunkMessageIds to broker for redelivery (<a 
href="https://redirect.github.com/apache/pulsar/issues/25229">#25229</a>)</li> <li><a href="https://github.com/apache/pulsar/commit/2a46c70ba66c26776c0edfb9d9257ecea30a31d0"><code>2a46c70</code></a> [improve][broker] Give the detail error msg when authenticate failed with Aut...</li> <li>Additional commits viewable in <a href="https://github.com/apache/pulsar/compare/v4.0.8...v4.0.9">compare view</a></li> </ul> </details> <br /> <details> <summary>Most Recent Ignore Conditions Applied to This Pull Request</summary>

| Dependency Name | Ignore Conditions |
| --- | --- |
| org.apache.pulsar:pulsar-bom | [>= 4.1.a0, < 4.2] |

</details>

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
