Bump pulsarVersion from 4.0.5 to 4.0.7 #1273

dependabot · 2025-10-03T14:13:21Z

Bumps pulsarVersion from 4.0.5 to 4.0.7.
Updates org.apache.pulsar:pulsar-client-all from 4.0.5 to 4.0.7

Release notes

Sourced from org.apache.pulsar:pulsar-client-all's releases.

v4.0.7

2025-09-27

Library updates

[fix][sec] Upgrade bouncycastle bcpkix-fips version to 1.79 to address CVE-2025-8916 (#24650)

[fix][sec] Upgrade Netty to 4.1.127.Final to address CVEs (#24717)

[fix][sec] Upgrade to Netty 4.1.124.Final to address CVE-2025-55163 (#24637)

[improve][io] Upgrade AWS SDK v1 & v2, Kinesis KPL and KPC versions (#24661)

[fix][misc] Upgrade dependencies to fix critical security vulnerabilities (#24532)

[improve][build] Upgrade Lombok to 1.18.42 to fully support JDK25 (#24763)

[improve][broker] Upgrade avro version to 1.12.0 (#24617)

[fix][misc] Upgrade fastutil to 8.5.16 (#24659)

[improve][build] Upgrade Apache Parent POM to version 35 (#24742)

[improve][build] Upgrade Mockito, AssertJ and ByteBuddy to fully support JDK25 (#24764)

[improve][build] Upgrade SpotBugs to a version that supports JDK25 (#24768)

[feat][misc] upgrade oxia version to 0.6.2 (#24689)

Broker

[fix][broker] Key_Shared subscription doesn't always deliver messages from the replay queue after a consumer disconnects and leaves a backlog (#24736)

[fix][broker] Ensure KeyShared sticky mode consumer respects assigned ranges (#24730)

[fix][broker] PIP-428: Fix corrupted topic policies issues with sequential topic policy updates (#24427)

[fix][broker][branch-4.0]Can not access topic policies if topic partitions have not been created (#24680)

[fix][broker] Add double-check for non-durable cursor creation (#24643)

[fix][broker] First entry will be skipped if opening NonDurableCursor while trimmed ledger is adding first entry. (#24738)

[fix][broker] Fix cannot shutdown broker gracefully by admin api (#24731)

[fix][broker] Fix duplicate watcher registration after SessionReestablished (#24621)

[fix][broker] Fix memory leak when metrics are updated in a thread other than FastThreadLocalThread (#24719)

[fix][broker] Fix race condition in MetadataStoreCacheLoader causing inconsistent availableBroker list caching (#24639)

[fix][broker] Fix REST API to produce messages to single-partitioned topics (#24450)

[fix][broker] Invalid regex in PulsarLedgerManager causes zk data notification to be ignored (#23977)

[fix][broker] Prevent unexpected recycle failure in dispatcher's read callback (#24741)

[fix][broker]Fix never recovered metadata store bad version issue if received a large response from ZK (#24580)

[fix][ml]Fix EOFException after enabled topics offloading (#24753)

[fix][broker] Fix incorrect AuthData passed to AuthorizationService in proxy scenarios (#24593)

[fix][broker] Fix namespace deletion TLS URL selection for geo-replication (#24591)

[fix][broker] Fix NPE and annotate nullable return values for ManagedCursorContainer (#24706)

[fix][broker] Fix NPE being logged if load manager class name is blank (#24570)

[fix][broker]Dispatcher did unnecessary sort for recentlyJoinedConsumers and printed noisy error logs (#24634)

[fix][broker]Failed to create partitions after the partitions were deleted because topic GC (#24651)

[fix][broker]Fix dirty reading of namespace level offload thresholds (#24696)

[fix][broker]Fix thread safety issues in BucketDelayedDeliveryTracker with StampedLock optimistic reads (#24542)

[fix][broker]User topic failed to delete after removed cluster because of failed delete data from transaction buffer topic (#24648)

[fix][ml] Negative backlog & acked positions does not exist & message lost when concurrently occupying topic owner (#24722)

[fix][meta] Use getChildrenFromStore to read children data to avoid lost data (#24665)

[improve][admin] PIP-422 part 1: Support global topic-level replicated clusters policy (#24390)

[improve][broker]Part-2 Add Admin API to delete topic policies (#24602)

[improve][broker] If there is a deadlock in the service, the probe should return a failure because the service may be unavailable (#23634)

[improve][ml] Optimize ledger opening by skipping fully acknowledged ledgers (#24655)

... (truncated)

Commits

ce00d7a Release 4.0.7
b4ba39c [fix][test] Flaky-test: BrokerServiceTest.testShutDownWithMaxConcurrentUnload...
9c9bed3 [improve][build] Upgrade Mockito, AssertJ and ByteBuddy to fully support JDK2...
c65715d [fix][client] Exclude io.prometheus:simpleclient_caffeine from client-side de...
003e5d0 [improve][build] Upgrade Lombok to 1.18.42 to fully support JDK25 (#24763)
e199b24 [improve][broker] If there is a deadlock in the service, the probe should ret...
f427b97 [fix][broker] First entry will be skipped if opening NonDurableCursor while t...
9bc3856 [fix][ml]Fix EOFException after enabled topics offloading (#24753)
d6b00f9 [fix][misc] Fix compareTo contract violation for NamespaceBundleStats, TimeAv...
8cdba30 [improve][build] Upgrade SpotBugs to a version that supports JDK25 (#24768)
Additional commits viewable in compare view

Updates org.apache.pulsar:pulsar-functions-api from 4.0.5 to 4.0.7

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps `pulsarVersion` from 4.0.5 to 4.0.7. Updates `org.apache.pulsar:pulsar-client-all` from 4.0.5 to 4.0.7 - [Release notes](https://github.com/apache/pulsar/releases) - [Commits](apache/pulsar@v4.0.5...v4.0.7) Updates `org.apache.pulsar:pulsar-functions-api` from 4.0.5 to 4.0.7 --- updated-dependencies: - dependency-name: org.apache.pulsar:pulsar-client-all dependency-version: 4.0.7 dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.apache.pulsar:pulsar-functions-api dependency-version: 4.0.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the type: dependency-upgrade A dependency upgrade label Oct 3, 2025

onobc merged commit 3adf85a into main Oct 6, 2025
12 of 13 checks passed

onobc deleted the dependabot/gradle/main/pulsarVersion-4.0.7 branch October 6, 2025 13:58

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump pulsarVersion from 4.0.5 to 4.0.7 #1273

Bump pulsarVersion from 4.0.5 to 4.0.7 #1273

Uh oh!

dependabot bot commented on behalf of github Oct 3, 2025

Uh oh!

Uh oh!

Uh oh!

Bump pulsarVersion from 4.0.5 to 4.0.7 #1273

Bump pulsarVersion from 4.0.5 to 4.0.7 #1273

Uh oh!

Conversation

dependabot bot commented on behalf of github Oct 3, 2025

v4.0.7

2025-09-27

Library updates

Broker

Uh oh!

Uh oh!

Uh oh!