Skip to content

chore(deps): bump com.arcadedb:arcadedb-network from 26.6.1 to 26.7.1#942

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/com.arcadedb-arcadedb-network-26.7.1
Open

chore(deps): bump com.arcadedb:arcadedb-network from 26.6.1 to 26.7.1#942
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/com.arcadedb-arcadedb-network-26.7.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor

Bumps com.arcadedb:arcadedb-network from 26.6.1 to 26.7.1.

Release notes

Sourced from com.arcadedb:arcadedb-network's releases.

26.7.1

ArcadeDB 26.7.1 Release Notes

Overview

ArcadeDB 26.7.1 is a large stability, resilience and security release with over 420 commits, 238 resolved issues and 32 merged pull requests. The headline theme is a deep High Availability / Raft hardening wave that makes clustered deployments far more robust under leader churn, node restarts, snapshot transfers and Kubernetes scale events. On top of that come a security hardening pass (polyglot scripting lockdown, gRPC and cluster-management authorization, DoS bounding), a new OpenTelemetry distributed-tracing module plus structured JSON logging, native BM25 full-text scoring, continued ISO GQL compliance and vector engine work, and a long list of gRPC, MongoDB wire-protocol, SQL, OpenCypher, time-series and Studio fixes.

New Features

  • OpenTelemetry distributed tracing - an optional module for end-to-end request tracing, with opt-in OTLP export. (#4467, #4465)
  • Structured JSON logging with per-request correlation IDs. (#4466)
  • Native BM25 full-text scoring - field boosts, caret syntax and EXPLAIN / PROFILE support. (#4687)
  • ISO GQL compliance - strict numeric types (schema round-trip), session management (SESSION SET / RESET / CLOSE) and transaction control (START TRANSACTION / COMMIT / ROLLBACK). (#4141)
  • New vector formats and helpers - MATLAB / MATLAB_COLUMN, JULIA and NUMPY formats, asVector(), asSparse(), RRF array input and vectorDequantizeBinary. (#3099)
  • MongoDB wire protocol - update, delete and createIndexes commands plus SASL PLAIN authentication. (#4750, #4751, #4746)
  • HA auto-acquire of unseen databases - a joining node bootstraps databases it has never seen. (#4727)
  • Kubernetes health probes - liveness/readiness/startup endpoints for orchestrated deployments. (#4464)
  • Paginated remote fetching of edges and vertices across the remote API.
  • Studio - cluster HA alerts and Restore / Delete row actions on the backup list. (#4737)

Major Highlights

High Availability & Raft resilience

The bulk of this release goes into making the Raft-based HA cluster survive real-world failure modes without data loss or node self-halt:

  • No more node-wide halt on apply errors. Apply-time failures are now quarantined per-database instead of taking the whole node down, transient NeedRetryExceptions are retried in Raft apply, and unexpected throwables no longer kill the process. (#4797, #4659)
  • Divergence self-recovery. A follower stuck on a divergent Raft log now performs follower-side reformat-and-rejoin instead of spinning on INCONSISTENCY, and a WAL-version-gap / phase-2 commit failure no longer causes a node to self-halt. (#4741, #4740)
  • Snapshot integrity. Snapshot extraction, markers and the final swap are now fsynced before the backup is deleted, transfer completeness is verified with a manifest, takeSnapshot() persists a real snapshot marker so a log purge can no longer orphan applied state, and the database-registry lock is held across snapshot close -> swap -> reopen. (#4830, #4831, #4829, #4832)
  • Membership & quorum safety. Raft membership now uses atomic deltas instead of last-write-wins setConfiguration, removePeer / leaveCluster are guarded against dropping below quorum, and stepDown selects the highest-priority non-lagging peer while skipping priority-0 witnesses. (#4795, #4796, #4808)
  • Per-database applied-index tracking, so mixed-database clusters track progress correctly. (#4824)
  • Silent write loss eliminated when replication times out after dispatch: the leader no longer acknowledges a write it failed to replicate. (#4790)
  • Accurate lag diagnosis. New heartbeat-lag metrics, byte-bounded replication backpressure, resync logging (leader flood suppression + follower resync visibility), and a slow-but-progressing follower is now treated as catching up rather than stale. ClusterMonitor per-replica lag state is reset on each new leadership term to prevent false STALLED reports. (#4812, #4810, #4840, #4841)
  • Auto-acquire of unseen databases so a joining node bootstraps databases it has never seen, with a single deterministic bootstrap source instead of abandoning databases on first transfer. (#4727, #4807)

Kubernetes operations

  • StatefulSet scale-up beyond HA_SERVER_LIST no longer crash-loops: a local Raft peer is synthesized and auto-joins when the pod ordinal exceeds the static list. (#4836)
  • Raft storage is persisted by default under Kubernetes, so a pod restart no longer wipes the PVC-backed Raft log. (#4835)
  • Kubernetes health/liveness/readiness probes and a graceful cluster-leave path owned solely by RaftHAServer.stop(). (#4464, #4837)

Security hardening

  • Polyglot scripting now requires admin privileges and the GraalVM sandbox has been hardened (reflection deny-list), closing an advisory (GHSA-48qw-824m-86pr) where a reader-role user could read host files via JavaScript on /api/v1/command.
  • gRPC authorization is enforced centrally instead of being blanket-skipped: getDatabase rejects path-traversal names and enforces auth, admin operations require admin auth, and cross-database access is covered by regression tests. (#4793, #4792, #4794)
  • Cluster-management HTTP endpoints now require root. (#4791)
  • DoS bounding on gRPC: result materialization and worker busy-wait are bounded, abandoned gRPC transactions are reaped to stop an executor/transaction leak, and in-band command failures are correctly counted as errors. (#4803, #4802, #4804)
  • Hardened FileUtils path-traversal guard.

Observability

... (truncated)

Commits
  • 5347ff5 Set release version to 26.7.1
  • 8ca396c fix(GHSA-48qw-824m-86pr): require admin privileges for polyglot scripting and...
  • f621b00 fix(#4849): preserve temporal element types in projected collections and maps...
  • dce2071 fix(#4857): HTTP session idle-timeout sweep racing an in-flight command's rol...
  • a681d5c fix(#4855): GROUP BY silently dropped on cached execution-plan reuse (#4856)
  • 616ff0b chore(deps): bump jline.version from 4.2.1 to 4.3.1 [skip ci]
  • 55a32b9 chore(deps): bump graalvm.version from 25.0.3 to 25.1.3 [skip ci]
  • 3a1b987 chore(deps): bump org.postgresql:postgresql from 42.7.11 to 42.7.12 [skip ci]
  • 565dcaf chore(deps-dev): bump redis.clients:jedis from 7.5.2 to 7.5.3 [skip ci]
  • 4ba0db4 chore(deps): bump io.github.ascopes:protobuf-maven-plugin from 5.1.6 to 5.1.7...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [com.arcadedb:arcadedb-network](https://github.com/ArcadeData/arcadedb) from 26.6.1 to 26.7.1.
- [Release notes](https://github.com/ArcadeData/arcadedb/releases)
- [Changelog](https://github.com/ArcadeData/arcadedb/blob/main/docs/RELEASE-27.7.1.md)
- [Commits](ArcadeData/arcadedb@26.6.1...26.7.1)

---
updated-dependencies:
- dependency-name: com.arcadedb:arcadedb-network
  dependency-version: 26.7.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jul 2, 2026
@mergify

mergify Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 duplication

Metric Results
Duplication 0

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update Java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants