Skip to main content

Apache Pulsar 4.0.9

2026-02-19

Library updates

  • [improve][broker] Upgrade bookkeeper to 4.17.3 (#25166)
  • [fix][sec] Bump at.yawk.lz4:lz4-java from 1.9.0 to 1.10.1 in /pulsar-common (#25045)
  • [fix][sec] Bump org.apache.solr:solr-core from 9.8.0 to 9.10.1 in /pulsar-io/solr (#25175)
  • [fix][sec] Eliminate commons-collections dependency (#25024)
  • [fix][sec] Exclude org.lz4:lz4-java and standardize on at.yawk.lz4-java to remediate CVE-2025-12183 and CVE-2025-66566 (#25198)
  • [fix][sec] Upgrade jose4j to 0.9.6 to address CVE-2024-29371 (#25095)
  • [fix][sec] Upgrade jose4j to 0.9.6 to address CVE-2024-29371 (#25095)
  • [fix][sec] Upgrade log4j to 2.25.3 to address CVE-2025-68161 (#25102)
  • [fix][sec] Upgrade Netty to 4.1.130.Final (#25078)
  • [fix][sec] Upgrade OpenSearch to 2.19.4 to remediate CVE-2025-9624 (#25206)
  • [fix][sec] Upgrade vertx to address CVE-2026-1002 (#25152)
  • [fix][test] Upgrade docker-java to 3.7.0 (#25209)
  • [improve][monitor] Upgrade OpenTelemetry to 1.56.0, Otel instrumentation to 2.21.0 and Otel semconv to 1.37.0 (#24994)
  • [improve][monitor] Upgrade OpenTelemetry to 1.56.0, Otel instrumentation to 2.21.0 and Otel semconv to 1.37.0 (#24994)
  • [improve][misc] Upgrade snappy version to 1.1.10.8 (#25182)
  • [feat][meta] upgrade oxia version to 0.7.2 (#24976)
  • [fix] Upgrade gson to 2.13.2 (#25022)
  • [improve] Upgrade Apache Commons library versions (#24983)
  • [improve] Upgrade Log4j2 to 2.25.2 and slf4j to 2.0.17 (#24985)
  • [improve] Upgrade Netty to 4.1.131.Final (#25232)
  • [fix][sec] Bump github.com/dvsekhvalnov/jose2go from 1.6.0 to 1.7.0 in /pulsar-function-go (#24987)

Broker

  • [fix][broker] Add schema version in rest produce api (#25004)
  • [fix][broker] Avoid split non-existent bundle (#25031)
  • [fix][broker] Fence reset cursor by timestamp to avoid concurrent timestamp-based position lookups (#25151)
  • [fix][broker] Fix chunked message loss when no consumers are available (#25077)
  • [fix][broker] Fix compaction horizon might be reset to an old position when phase two is interrupted (#25119)
  • [fix][broker] Fix creation of replicated subscriptions for partitioned topics (#24997)
  • [fix][broker] Fix cursor position persistence in ledger trimming (#25087)
  • [fix][broker] Fix httpProxyTimeout config (#25223)
  • [fix][broker] Fix incomplete futures in topic property update/delete methods (#25228)
  • [fix][broker] Fix issue with schemaValidationEnforced in geo-replication (#25012)
  • [fix][broker] Fix ManagedCursorImpl.asyncDelete() method may lose previous async mark delete properties in race condition (#25165)
  • [fix][broker] Fix markDeletedPosition race condition in ManagedLedgerImpl.maybeUpdateCursorBeforeTrimmingConsumedLedger() method (#25110)
  • [fix][broker] Fix MultiRolesTokenAuthorizationProvider error when subscription prefix doesn't match. (#25121)
  • [fix][broker] Fix potential NPE in InMemTransactionBuffer.appendBufferToTxn by returning a valid Position (#25039)
  • [fix][broker] fix prepareInitPoliciesCacheAsync in SystemTopicBasedTopicPoliciesService (#24980)
  • [fix][broker] Fix regex matching of namespace name which might contain a regex char (#25136)
  • [fix][broker] Fix transactionMetadataFuture completeExceptionally with null value (#25231)
  • [fix][broker] Fix various error-prone detected errors mainly in logging and String.format parameters (#25059)
  • [fix][broker] Force EnsemblePolicies to resolve network location after rackInfoMap is updated due to changes in /ledgers/available znode (#25067)
  • [fix][broker] PIP-442: Fix race condition in async semaphore permit updates that causes memory limits to become ineffective (#25066)
  • [fix][broker] Prevent missed topic changes in topic watchers and schedule periodic refresh with patternAutoDiscoveryPeriod interval (#25188)
  • [fix][broker]Fix incorrect backlog if use multiple acknowledge types on the same subscription (#25047)
  • [fix][broker]Fix ledgerHandle failed to read by using new BK API (#25199)
  • [fix][broker]Fix memory leak when using a customized ManagedLedger implementation (#25016)
  • [fix][broker]Incorrect backlog that is larger than expected (#25037)
  • [fix][broker]Infinitely failed to delete topic if the first time failed and enabled transaction (#25073)
  • [fix][broker]pulsar_ml_reads_inflight_bytes and pulsar_ml_reads_available_inflight_bytes are 0 at the same time (#25105)
  • [fix][broker]Topic deleting failed after removed local cluster from namespace policies (#25114)
  • [fix][broker]Wrong backlog: expected 0 but got 1 (#24938)
  • [fix][admin] Fix offload policy incompatible issue. (#25149)
  • [fix][admin] Refactor bookie affinity group sync operations to async in rest api (#25050)
  • [fix][ml] Fix cursor backlog size to account for individual acks (#25089)
  • [fix][ml] Fix NoSuchElementException in EntryCountEstimator caused by a race condition (#25177)
  • [fix][ml] Retry offload reads when OffloadReadHandleClosedException is encountered (#25148)
  • [fix][meta] Metadata cache refresh might not take effect (#25246)
  • [improve][broker] Add idle timeout support for http (#25224)
  • [improve][broker] Add strictAuthMethod to require explicit authentication method (#25185)
  • [improve][broker] Change the log level from error to info when throwing NotAllowedException (#25130)
  • [improve][broker] Enhance logging for adding schema failures in ServerCnx (#25048)
  • [improve][broker] Ensure metadata session state visibility and improve Unstable observability for ServiceUnitStateChannelImpl (#25132)
  • [improve][broker] Fix replicated subscriptions race condition with mark delete update and snapshot completion (#16651)
  • [improve][broker] Fix thread safety issue in ManagedCursorImpl.removeProperty (#25104)
  • [improve][broker] Give the detail error msg when authenticate failed with AuthenticationException (#25221)
  • [improve][broker] Improve replicated subscription snapshot cache so that subscriptions can be replicated when mark delete position update is not frequent (#25044)
  • [improve][broker] Optimize Reader creation in TopicPoliciesService (#24658)
  • [improve][broker] PIP-442: Add memory limits for topic list watcher (part 2) (#25070)
  • [improve][broker] Use atomic counter for ongoing transaction count (#25053)
  • [improve][broker]Add test for getting partitioned topic metadata with PulsarAdmin client (#25026)
  • [improve][broker]Improve error response of failed to delete topic if it has replicators connected (#24975)
  • [improve][broker]Remove the warn log that frequently prints (#25018)
  • [improve][admin] Add counter for marker messages in PersistentTopics.analyzeSubscriptionBacklog() rest api (#25091)
  • [improve][meta] PIP-453: Improve the metadata store threading model (#25187)
  • [fix] Handle TLS close_notify to avoid SslClosedEngineException: SSLEngine closed already (#24986)
  • [fix][broker]Avoid read a entry that entry id is -1 when calling getLastMessagePublishTime (#24579)
  • [fix][admin] Fix asyncGetRequest to handle 204 (#25124)
  • [improve][broker] Cache last publish timestamp for idle topics to reduce storage reads (#24825)
  • [improve][broker][pip-431] PIP-431: Add Creation and Last Publish Timestamps to Topic Stats (#24471)
  • [feat][admin] PIP-415: Support getting message ID by index (#24222)

Client

  • [fix][client] ControlledClusterFailover avoid unnecessary reconnection. (#25178)
  • [fix][client] Fix AutoProduceBytesSchema.clone() method (#25015)
  • [fix][client] Fix double recycling of the message in isValidConsumerEpoch method (#25008)
  • [fix][client] Fix invalid parameter type passed to Map.get in TopicsImpl.getListAsync method (#25069)
  • [fix][client] Fix producer synchronous retry handling in failPendingMessages method (#25207)
  • [fix][client] Fix race condition between isDuplicate() and flushAsync() method in PersistentAcknowledgmentsGroupingTracker due to incorrect use Netty Recycler (#25208)
  • [fix][client] Fix thread-safety of AutoProduceBytesSchema (#25014)
  • [fix][client] PIP-84: Skip processing a message in the message listener if the consumer epoch is no longer valid (#25007)
  • [fix][client] Send all chunkMessageIds to broker for redelivery (#25229)
  • [fix][client] Skip processing messages in the listener when the consumer has been closed (#25006)
  • [fix][client]Producer stuck or geo-replication stuck due to wrong value of message.numMessagesInBatch (#25106)
  • [improve][client] Add null checks for MessageAcknowledger methods to prevent NullPointerException (#25036)
  • [improve][client] Make authorization server metadata path configurable in AuthenticationOAuth2 (#25052)
  • [improve][client] Test no exception could be thrown for invalid epoch in message (#25013)
  • [improve][client]Reduce unnecessary getPartitionedTopicMetadata requests when using retry and DLQ topics. (#25172)
  • [feat][client] oauth2 trustcerts file and timeouts (#24944)
  • [improve] Upgrade Netty to 4.1.131.Final (#25232)
  • [fix][sec] Eliminate commons-collections dependency (#25024)
  • [improve] Upgrade Apache Commons library versions (#24983)
  • [fix] Handle TLS close_notify to avoid SslClosedEngineException: SSLEngine closed already (#24986)

Pulsar IO and Pulsar Functions

  • [fix][fn] complete flushAsync before closeAsync in ProducerCache and wait for completion in closing the cache (#25140)
  • [fix][fn] Fix graceful Pulsar Function shutdown so that consumers and producers are closed (#25157)
  • [feat][io] implement pip-297 for jdbc sinks (#25195)
  • [improve][io] Replace Qpid in tests with RabbitMQ in Testcontainers and upgrade RabbitMQ client version (#25085)

Others

  • [fix][proxy] Close client connection immediately when credentials expire and forwardAuthorizationCredentials is disabled (#25179)
  • [fix][proxy] Fix memory leaks in ParserProxyHandler (#25142)
  • [improve][proxy] Add regression tests for package upload with 'Expect: 100-continue' (#25211)
  • [fix][cli] Fix output of --print-metadata in cli consume (#25056)
  • [fix][cli] Fix some pulsar-admin topicPolicies commands exiting before async operations complete (#25051)
  • [fix][misc] Allow JWT tokens in OpenID auth without nbf claim (#25197)
  • [improve][misc] Add log4j-layout-template-json to server distribution to enable e.g. ECS template support in log4j configurations for Pulsar server components. (#25027)
  • [improve][misc]introduce log4j Console appender ConsoleJson (#25034)
  • [improve] Eliminate unnecessary duplicate schema lookups for partitioned topics in client and geo-replication (#25011)
  • [fix][cli] Print result of GetMessageIdByIndex command (#24446)
  • [improve][pip] PIP-453: Improve the metadata store threading model (#25173)
  • [fix][branch-4.0] Fix checkstyle
  • [fix][branch-4.0] Fix checkstyle issue in commit 83503521
  • [fix][branch-4.0] Remove unnecessary files added in 83503521
  • [feat] PIP-442: Add memory limits for CommandGetTopicsOfNamespace (#24833)

Tests & CI

  • [improve][build] Upgrade errorprone to 2.45.0 version (#25054)
  • [improve][build] Upgrade Testcontainers to 1.21.3 (#24982)
  • [fix][build] Activate jdk21 and jdk24 profiles on Java 25 (#25084)
  • [fix][build] Remove Confluent and Restlet maven repositories from top level pom.xml (#24981)
  • [fix][test] Bump org.assertj:assertj-core from 3.27.5 to 3.27.7 (#25186)
  • [fix][test] Fix ManagedCursorTest and NonDurableCursorTest flaky tests (#25101)
  • [fix][test] Fix Mockito stubbing race in TopicListServiceTest (#25227)
  • [fix][test] Fix ResourceQuotaCalculatorImplTest#testNeedToReportLocalUsage (#25247)
  • [fix][test] fix testBatchMetadataStoreMetrics. (#25241)
  • [fix][test] Fixed Non-Guaranteed Order in PoliciesDataTest.propertyAdmin (#24871)
  • [fix][test] Replace LZ4FastDecompressor with LZ4SafeDecompressor in test (#25032)
  • [fix][test] Wait for txn.abort() to complete to avoid AdminApiTransactionTest.testAnalyzeSubscriptionBacklogWithTransactionMarker() flaky test (#25125)
  • [fix][test]Fix flaky ExtensibleLoadManagerImplTest_testGetMetrics (#25216)
  • [improve][test] Use Oxia project docker container for integration tests (#24995)

For the complete list, check the full changelog.

Was this helpful?
💡 Suggest changes🛟 Get support