Bump github.com/nats-io/nats-server/v2 from 2.12.4 to 2.12.5 #523

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/github.com/nats-io/nats-server/v2-2.12.5

dependabot bot commented on behalf of github on Mar 10, 2026

Bumps github.com/nats-io/nats-server/v2 from 2.12.4 to 2.12.5.

Release notes

Sourced from github.com/nats-io/nats-server/v2's releases.

Release v2.12.5

Changelog

Refer to the 2.12 Upgrade Guide for backwards compatibility notes with 2.11.x.

Go Version

  • 1.25.8

Dependencies

  • github.com/nats-io/nkeys v0.4.15 (#7797)
  • github.com/klauspost/compress v1.18.4 (#7812)
  • golang.org/x/sys v0.42.0 (#7923)
  • github.com/antithesishq/antithesis-sdk-go v0.6.0-default-no-op (#7835)
  • golang.org/x/crypto v0.48.0 (#7874)
  • github.com/nats-io/nats.go v1.49.0 (#7835)
  • golang.org/x/time v0.15.0 (#7923)

CVEs

  • Fixes CVE-2026-29785 (affects systems with leafnode compression enabled)
  • Fixes CVE-2026-27889 (affects systems with WebSockets enabled)

Added

JetStream

  • The stream snapshot/backup endpoint now accepts the window_size parameter, to allow improving flow control over slow or unreliable connections (#7839)

Improved

General

  • max_conns in the server configuration can now be configured to 0 (zero) to reject all incoming client connections (#7877)

JetStream

  • "Catchup for stream" log lines are now more consistent (#7784)
  • Raft now only accepts forwarded proposals if caught up as the new leader, limiting potentially unbounded log growth (#7809)
  • Raft now correctly refuses concurrent membership changes if forwarded a peer removal from another node (#7809)
  • The max_consumers limit of a stream can now be updated after stream creation (#7724)
  • The pending messages and bytes are now included in consumer unpin responses (#7815)
  • Stream backups/snapshots are now streamed to clients with improved flow control, which should improve throughput and robustness, particularly over unreliable links, reducing the chance of backups failing due to flow control errors (#7828)
  • Orphaned stream and consumer checks are now aligned with the metalayer snapshot logic (#7826)
  • Wildcard filtering when loading messages is now considerably faster in the memory store (#7840, #7855)
  • Metalayer snapshots now take place asynchronously when possible, such that JS API operations are not blocked while the snapshot is taking place (#7827, #7846)
    • This behaviour can be disabled by setting meta_compact_sync: true in the jetstream configuration block
  • Consumers with a single subject filter no longer incorrectly use the multi-filter message lookups (#7856)
  • The check for colliding stream subjects is now faster (#7870)

... (truncated)

Commits
  • 0f6c831 Release v2.12.5
  • d9cce39 Update dependencies
  • 44d8abd Fix TestMonitorWebsocket
  • 55db52b Update to Go 1.25.8
  • 358cdc4 Fix int32 overflow of JWT account and user limits
  • a1488de Fix panic on LS protocol when compression enabled
  • cadc948 Fix panic on X-Forwarded-For empty slice (shouldn't be possible from the wire)
  • 6cf715d Fix panic in WebSocket when reading an empty compressed buffer
  • 667d14d Fix panic in WebSocket on extremely large payload length
  • d82c4b7 Fix panic on title case on empty error message
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server) from 2.12.4 to 2.12.5.
- [Release notes](https://github.com/nats-io/nats-server/releases)
- [Changelog](https://github.com/nats-io/nats-server/blob/main/RELEASES.md)
- [Commits](nats-io/nats-server@v2.12.4...v2.12.5)

---
updated-dependencies:
- dependency-name: github.com/nats-io/nats-server/v2
  dependency-version: 2.12.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the labels "dependencies" (Pull requests that update a dependency file) and "go" (Pull requests that update Go code) on Mar 10, 2026