Skip to content

build(deps): bump the arcadedb group across 9 directories with 1 update#146

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/customer-360/java/arcadedb-ae0bfe1656
Open

build(deps): bump the arcadedb group across 9 directories with 1 update#146
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/customer-360/java/arcadedb-ae0bfe1656

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor

Bumps the arcadedb group with 1 update in the /customer-360/java directory: com.arcadedb:arcadedb-network.
Bumps the arcadedb group with 1 update in the /feature-store/java directory: com.arcadedb:arcadedb-network.
Bumps the arcadedb group with 1 update in the /fraud-detection/java directory: com.arcadedb:arcadedb-network.
Bumps the arcadedb group with 1 update in the /iam/java directory: com.arcadedb:arcadedb-network.
Bumps the arcadedb group with 1 update in the /knowledge-graphs/java directory: com.arcadedb:arcadedb-network.
Bumps the arcadedb group with 1 update in the /realtime-analytics/java directory: com.arcadedb:arcadedb-network.
Bumps the arcadedb group with 1 update in the /recommendation-engine/java directory: com.arcadedb:arcadedb-network.
Bumps the arcadedb group with 1 update in the /social-network-analytics/java directory: com.arcadedb:arcadedb-network.
Bumps the arcadedb group with 1 update in the /supply-chain/java directory: com.arcadedb:arcadedb-network.

Updates com.arcadedb:arcadedb-network from 26.6.1 to 26.7.1

Release notes

Sourced from com.arcadedb:arcadedb-network's releases.

26.7.1

ArcadeDB 26.7.1 Release Notes

Overview

ArcadeDB 26.7.1 is a large stability, resilience and security release with over 420 commits, 238 resolved issues and 32 merged pull requests. The headline theme is a deep High Availability / Raft hardening wave that makes clustered deployments far more robust under leader churn, node restarts, snapshot transfers and Kubernetes scale events. On top of that come a security hardening pass (polyglot scripting lockdown, gRPC and cluster-management authorization, DoS bounding), a new OpenTelemetry distributed-tracing module plus structured JSON logging, native BM25 full-text scoring, continued ISO GQL compliance and vector engine work, and a long list of gRPC, MongoDB wire-protocol, SQL, OpenCypher, time-series and Studio fixes.

New Features

  • OpenTelemetry distributed tracing - an optional module for end-to-end request tracing, with opt-in OTLP export. (#4467, #4465)
  • Structured JSON logging with per-request correlation IDs. (#4466)
  • Native BM25 full-text scoring - field boosts, caret syntax and EXPLAIN / PROFILE support. (#4687)
  • ISO GQL compliance - strict numeric types (schema round-trip), session management (SESSION SET / RESET / CLOSE) and transaction control (START TRANSACTION / COMMIT / ROLLBACK). (#4141)
  • New vector formats and helpers - MATLAB / MATLAB_COLUMN, JULIA and NUMPY formats, asVector(), asSparse(), RRF array input and vectorDequantizeBinary. (#3099)
  • MongoDB wire protocol - update, delete and createIndexes commands plus SASL PLAIN authentication. (#4750, #4751, #4746)
  • HA auto-acquire of unseen databases - a joining node bootstraps databases it has never seen. (#4727)
  • Kubernetes health probes - liveness/readiness/startup endpoints for orchestrated deployments. (#4464)
  • Paginated remote fetching of edges and vertices across the remote API.
  • Studio - cluster HA alerts and Restore / Delete row actions on the backup list. (#4737)

Major Highlights

High Availability & Raft resilience

The bulk of this release goes into making the Raft-based HA cluster survive real-world failure modes without data loss or node self-halt:

  • No more node-wide halt on apply errors. Apply-time failures are now quarantined per-database instead of taking the whole node down, transient NeedRetryExceptions are retried in Raft apply, and unexpected throwables no longer kill the process. (#4797, #4659)
  • Divergence self-recovery. A follower stuck on a divergent Raft log now performs follower-side reformat-and-rejoin instead of spinning on INCONSISTENCY, and a WAL-version-gap / phase-2 commit failure no longer causes a node to self-halt. (#4741, #4740)
  • Snapshot integrity. Snapshot extraction, markers and the final swap are now fsynced before the backup is deleted, transfer completeness is verified with a manifest, takeSnapshot() persists a real snapshot marker so a log purge can no longer orphan applied state, and the database-registry lock is held across snapshot close -> swap -> reopen. (#4830, #4831, #4829, #4832)
  • Membership & quorum safety. Raft membership now uses atomic deltas instead of last-write-wins setConfiguration, removePeer / leaveCluster are guarded against dropping below quorum, and stepDown selects the highest-priority non-lagging peer while skipping priority-0 witnesses. (#4795, #4796, #4808)
  • Per-database applied-index tracking, so mixed-database clusters track progress correctly. (#4824)
  • Silent write loss eliminated when replication times out after dispatch: the leader no longer acknowledges a write it failed to replicate. (#4790)
  • Accurate lag diagnosis. New heartbeat-lag metrics, byte-bounded replication backpressure, resync logging (leader flood suppression + follower resync visibility), and a slow-but-progressing follower is now treated as catching up rather than stale. ClusterMonitor per-replica lag state is reset on each new leadership term to prevent false STALLED reports. (#4812, #4810, #4840, #4841)
  • Auto-acquire of unseen databases so a joining node bootstraps databases it has never seen, with a single deterministic bootstrap source instead of abandoning databases on first transfer. (#4727, #4807)

Kubernetes operations

  • StatefulSet scale-up beyond HA_SERVER_LIST no longer crash-loops: a local Raft peer is synthesized and auto-joins when the pod ordinal exceeds the static list. (#4836)
  • Raft storage is persisted by default under Kubernetes, so a pod restart no longer wipes the PVC-backed Raft log. (#4835)
  • Kubernetes health/liveness/readiness probes and a graceful cluster-leave path owned solely by RaftHAServer.stop(). (#4464, #4837)

Security hardening

  • Polyglot scripting now requires admin privileges and the GraalVM sandbox has been hardened (reflection deny-list), closing an advisory (GHSA-48qw-824m-86pr) where a reader-role user could read host files via JavaScript on /api/v1/command.
  • gRPC authorization is enforced centrally instead of being blanket-skipped: getDatabase rejects path-traversal names and enforces auth, admin operations require admin auth, and cross-database access is covered by regression tests. (#4793, #4792, #4794)
  • Cluster-management HTTP endpoints now require root. (#4791)
  • DoS bounding on gRPC: result materialization and worker busy-wait are bounded, abandoned gRPC transactions are reaped to stop an executor/transaction leak, and in-band command failures are correctly counted as errors. (#4803, #4802, #4804)
  • Hardened FileUtils path-traversal guard.

Observability

... (truncated)

Commits
  • 5347ff5 Set release version to 26.7.1
  • 8ca396c fix(GHSA-48qw-824m-86pr): require admin privileges for polyglot scripting and...
  • f621b00 fix(#4849): preserve temporal element types in projected collections and maps...
  • dce2071 fix(#4857): HTTP session idle-timeout sweep racing an in-flight command's rol...
  • a681d5c fix(#4855): GROUP BY silently dropped on cached execution-plan reuse (#4856)
  • 616ff0b chore(deps): bump jline.version from 4.2.1 to 4.3.1 [skip ci]
  • 55a32b9 chore(deps): bump graalvm.version from 25.0.3 to 25.1.3 [skip ci]
  • 3a1b987 chore(deps): bump org.postgresql:postgresql from 42.7.11 to 42.7.12 [skip ci]
  • 565dcaf chore(deps-dev): bump redis.clients:jedis from 7.5.2 to 7.5.3 [skip ci]
  • 4ba0db4 chore(deps): bump io.github.ascopes:protobuf-maven-plugin from 5.1.6 to 5.1.7...
  • Additional commits viewable in compare view

Updates com.arcadedb:arcadedb-network from 26.6.1 to 26.7.1

Release notes

Sourced from com.arcadedb:arcadedb-network's releases.

26.7.1

ArcadeDB 26.7.1 Release Notes

Overview

ArcadeDB 26.7.1 is a large stability, resilience and security release with over 420 commits, 238 resolved issues and 32 merged pull requests. The headline theme is a deep High Availability / Raft hardening wave that makes clustered deployments far more robust under leader churn, node restarts, snapshot transfers and Kubernetes scale events. On top of that come a security hardening pass (polyglot scripting lockdown, gRPC and cluster-management authorization, DoS bounding), a new OpenTelemetry distributed-tracing module plus structured JSON logging, native BM25 full-text scoring, continued ISO GQL compliance and vector engine work, and a long list of gRPC, MongoDB wire-protocol, SQL, OpenCypher, time-series and Studio fixes.

New Features

  • OpenTelemetry distributed tracing - an optional module for end-to-end request tracing, with opt-in OTLP export. (#4467, #4465)
  • Structured JSON logging with per-request correlation IDs. (#4466)
  • Native BM25 full-text scoring - field boosts, caret syntax and EXPLAIN / PROFILE support. (#4687)
  • ISO GQL compliance - strict numeric types (schema round-trip), session management (SESSION SET / RESET / CLOSE) and transaction control (START TRANSACTION / COMMIT / ROLLBACK). (#4141)
  • New vector formats and helpers - MATLAB / MATLAB_COLUMN, JULIA and NUMPY formats, asVector(), asSparse(), RRF array input and vectorDequantizeBinary. (#3099)
  • MongoDB wire protocol - update, delete and createIndexes commands plus SASL PLAIN authentication. (#4750, #4751, #4746)
  • HA auto-acquire of unseen databases - a joining node bootstraps databases it has never seen. (#4727)
  • Kubernetes health probes - liveness/readiness/startup endpoints for orchestrated deployments. (#4464)
  • Paginated remote fetching of edges and vertices across the remote API.
  • Studio - cluster HA alerts and Restore / Delete row actions on the backup list. (#4737)

Major Highlights

High Availability & Raft resilience

The bulk of this release goes into making the Raft-based HA cluster survive real-world failure modes without data loss or node self-halt:

  • No more node-wide halt on apply errors. Apply-time failures are now quarantined per-database instead of taking the whole node down, transient NeedRetryExceptions are retried in Raft apply, and unexpected throwables no longer kill the process. (#4797, #4659)
  • Divergence self-recovery. A follower stuck on a divergent Raft log now performs follower-side reformat-and-rejoin instead of spinning on INCONSISTENCY, and a WAL-version-gap / phase-2 commit failure no longer causes a node to self-halt. (#4741, #4740)
  • Snapshot integrity. Snapshot extraction, markers and the final swap are now fsynced before the backup is deleted, transfer completeness is verified with a manifest, takeSnapshot() persists a real snapshot marker so a log purge can no longer orphan applied state, and the database-registry lock is held across snapshot close -> swap -> reopen. (#4830, #4831, #4829, #4832)
  • Membership & quorum safety. Raft membership now uses atomic deltas instead of last-write-wins setConfiguration, removePeer / leaveCluster are guarded against dropping below quorum, and stepDown selects the highest-priority non-lagging peer while skipping priority-0 witnesses. (#4795, #4796, #4808)
  • Per-database applied-index tracking, so mixed-database clusters track progress correctly. (#4824)
  • Silent write loss eliminated when replication times out after dispatch: the leader no longer acknowledges a write it failed to replicate. (#4790)
  • Accurate lag diagnosis. New heartbeat-lag metrics, byte-bounded replication backpressure, resync logging (leader flood suppression + follower resync visibility), and a slow-but-progressing follower is now treated as catching up rather than stale. ClusterMonitor per-replica lag state is reset on each new leadership term to prevent false STALLED reports. (#4812, #4810, #4840, #4841)
  • Auto-acquire of unseen databases so a joining node bootstraps databases it has never seen, with a single deterministic bootstrap source instead of abandoning databases on first transfer. (#4727, #4807)

Kubernetes operations

  • StatefulSet scale-up beyond HA_SERVER_LIST no longer crash-loops: a local Raft peer is synthesized and auto-joins when the pod ordinal exceeds the static list. (#4836)
  • Raft storage is persisted by default under Kubernetes, so a pod restart no longer wipes the PVC-backed Raft log. (#4835)
  • Kubernetes health/liveness/readiness probes and a graceful cluster-leave path owned solely by RaftHAServer.stop(). (#4464, #4837)

Security hardening

  • Polyglot scripting now requires admin privileges and the GraalVM sandbox has been hardened (reflection deny-list), closing an advisory (GHSA-48qw-824m-86pr) where a reader-role user could read host files via JavaScript on /api/v1/command.
  • gRPC authorization is enforced centrally instead of being blanket-skipped: getDatabase rejects path-traversal names and enforces auth, admin operations require admin auth, and cross-database access is covered by regression tests. (#4793, #4792, #4794)
  • Cluster-management HTTP endpoints now require root. (#4791)
  • DoS bounding on gRPC: result materialization and worker busy-wait are bounded, abandoned gRPC transactions are reaped to stop an executor/transaction leak, and in-band command failures are correctly counted as errors. (#4803, #4802, #4804)
  • Hardened FileUtils path-traversal guard.

Observability

... (truncated)

Commits
  • 5347ff5 Set release version to 26.7.1
  • 8ca396c fix(GHSA-48qw-824m-86pr): require admin privileges for polyglot scripting and...
  • f621b00 fix(#4849): preserve temporal element types in projected collections and maps...
  • dce2071 fix(#4857): HTTP session idle-timeout sweep racing an in-flight command's rol...
  • a681d5c fix(#4855): GROUP BY silently dropped on cached execution-plan reuse (#4856)
  • 616ff0b chore(deps): bump jline.version from 4.2.1 to 4.3.1 [skip ci]
  • 55a32b9 chore(deps): bump graalvm.version from 25.0.3 to 25.1.3 [skip ci]
  • 3a1b987 chore(deps): bump org.postgresql:postgresql from 42.7.11 to 42.7.12 [skip ci]
  • 565dcaf chore(deps-dev): bump redis.clients:jedis from 7.5.2 to 7.5.3 [skip ci]
  • 4ba0db4 chore(deps): bump io.github.ascopes:protobuf-maven-plugin from 5.1.6 to 5.1.7...
  • Additional commits viewable in compare view

Updates com.arcadedb:arcadedb-network from 26.6.1 to 26.7.1

Release notes

Sourced from com.arcadedb:arcadedb-network's releases.

26.7.1

ArcadeDB 26.7.1 Release Notes

Overview

ArcadeDB 26.7.1 is a large stability, resilience and security release with over 420 commits, 238 resolved issues and 32 merged pull requests. The headline theme is a deep High Availability / Raft hardening wave that makes clustered deployments far more robust under leader churn, node restarts, snapshot transfers and Kubernetes scale events. On top of that come a security hardening pass (polyglot scripting lockdown, gRPC and cluster-management authorization, DoS bounding), a new OpenTelemetry distributed-tracing module plus structured JSON logging, native BM25 full-text scoring, continued ISO GQL compliance and vector engine work, and a long list of gRPC, MongoDB wire-protocol, SQL, OpenCypher, time-series and Studio fixes.

New Features

  • OpenTelemetry distributed tracing - an optional module for end-to-end request tracing, with opt-in OTLP export. (#4467, #4465)
  • Structured JSON logging with per-request correlation IDs. (#4466)
  • Native BM25 full-text scoring - field boosts, caret syntax and EXPLAIN / PROFILE support. (#4687)
  • ISO GQL compliance - strict numeric types (schema round-trip), session management (SESSION SET / RESET / CLOSE) and transaction control (START TRANSACTION / COMMIT / ROLLBACK). (#4141)
  • New vector formats and helpers - MATLAB / MATLAB_COLUMN, JULIA and NUMPY formats, asVector(), asSparse(), RRF array input and vectorDequantizeBinary. (#3099)
  • MongoDB wire protocol - update, delete and createIndexes commands plus SASL PLAIN authentication. (#4750, #4751, #4746)
  • HA auto-acquire of unseen databases - a joining node bootstraps databases it has never seen. (#4727)
  • Kubernetes health probes - liveness/readiness/startup endpoints for orchestrated deployments. (#4464)
  • Paginated remote fetching of edges and vertices across the remote API.
  • Studio - cluster HA alerts and Restore / Delete row actions on the backup list. (#4737)

Major Highlights

High Availability & Raft resilience

The bulk of this release goes into making the Raft-based HA cluster survive real-world failure modes without data loss or node self-halt:

  • No more node-wide halt on apply errors. Apply-time failures are now quarantined per-database instead of taking the whole node down, transient NeedRetryExceptions are retried in Raft apply, and unexpected throwables no longer kill the process. (#4797, #4659)
  • Divergence self-recovery. A follower stuck on a divergent Raft log now performs follower-side reformat-and-rejoin instead of spinning on INCONSISTENCY, and a WAL-version-gap / phase-2 commit failure no longer causes a node to self-halt. (#4741, #4740)
  • Snapshot integrity. Snapshot extraction, markers and the final swap are now fsynced before the backup is deleted, transfer completeness is verified with a manifest, takeSnapshot() persists a real snapshot marker so a log purge can no longer orphan applied state, and the database-registry lock is held across snapshot close -> swap -> reopen. (#4830, #4831, #4829, #4832)
  • Membership & quorum safety. Raft membership now uses atomic deltas instead of last-write-wins setConfiguration, removePeer / leaveCluster are guarded against dropping below quorum, and stepDown selects the highest-priority non-lagging peer while skipping priority-0 witnesses. (#4795, #4796, #4808)
  • Per-database applied-index tracking, so mixed-database clusters track progress correctly. (#4824)
  • Silent write loss eliminated when replication times out after dispatch: the leader no longer acknowledges a write it failed to replicate. (#4790)
  • Accurate lag diagnosis. New heartbeat-lag metrics, byte-bounded replication backpressure, resync logging (leader flood suppression + follower resync visibility), and a slow-but-progressing follower is now treated as catching up rather than stale. ClusterMonitor per-replica lag state is reset on each new leadership term to prevent false STALLED reports. (#4812, #4810, #4840, #4841)
  • Auto-acquire of unseen databases so a joining node bootstraps databases it has never seen, with a single deterministic bootstrap source instead of abandoning databases on first transfer. (#4727, #4807)

Kubernetes operations

  • StatefulSet scale-up beyond HA_SERVER_LIST no longer crash-loops: a local Raft peer is synthesized and auto-joins when the pod ordinal exceeds the static list. (#4836)
  • Raft storage is persisted by default under Kubernetes, so a pod restart no longer wipes the PVC-backed Raft log. (#4835)
  • Kubernetes health/liveness/readiness probes and a graceful cluster-leave path owned solely by RaftHAServer.stop(). (#4464, #4837)

Security hardening

  • Polyglot scripting now requires admin privileges and the GraalVM sandbox has been hardened (reflection deny-list), closing an advisory (GHSA-48qw-824m-86pr) where a reader-role user could read host files via JavaScript on /api/v1/command.
  • gRPC authorization is enforced centrally instead of being blanket-skipped: getDatabase rejects path-traversal names and enforces auth, admin operations require admin auth, and cross-database access is covered by regression tests. (#4793, #4792, #4794)
  • Cluster-management HTTP endpoints now require root. (#4791)
  • DoS bounding on gRPC: result materialization and worker busy-wait are bounded, abandoned gRPC transactions are reaped to stop an executor/transaction leak, and in-band command failures are correctly counted as errors. (#4803, #4802, #4804)
  • Hardened FileUtils path-traversal guard.

Observability

... (truncated)

Commits
  • 5347ff5 Set release version to 26.7.1
  • 8ca396c fix(GHSA-48qw-824m-86pr): require admin privileges for polyglot scripting and...
  • f621b00 fix(#4849): preserve temporal element types in projected collections and maps...
  • dce2071 fix(#4857): HTTP session idle-timeout sweep racing an in-flight command's rol...
  • a681d5c fix(#4855): GROUP BY silently dropped on cached execution-plan reuse (#4856)
  • 616ff0b chore(deps): bump jline.version from 4.2.1 to 4.3.1 [skip ci]
  • 55a32b9 chore(deps): bump graalvm.version from 25.0.3 to 25.1.3 [skip ci]
  • 3a1b987 chore(deps): bump org.postgresql:postgresql from 42.7.11 to 42.7.12 [skip ci]
  • 565dcaf chore(deps-dev): bump redis.clients:jedis from 7.5.2 to 7.5.3 [skip ci]
  • 4ba0db4 chore(deps): bump io.github.ascopes:protobuf-maven-plugin from 5.1.6 to 5.1.7...
  • Additional commits viewable in compare view

Updates com.arcadedb:arcadedb-network from 26.6.1 to 26.7.1

Release notes

Sourced from com.arcadedb:arcadedb-network's releases.

26.7.1

ArcadeDB 26.7.1 Release Notes

Overview

ArcadeDB 26.7.1 is a large stability, resilience and security release with over 420 commits, 238 resolved issues and 32 merged pull requests. The headline theme is a deep High Availability / Raft hardening wave that makes clustered deployments far more robust under leader churn, node restarts, snapshot transfers and Kubernetes scale events. On top of that come a security hardening pass (polyglot scripting lockdown, gRPC and cluster-management authorization, DoS bounding), a new OpenTelemetry distributed-tracing module plus structured JSON logging, native BM25 full-text scoring, continued ISO GQL compliance and vector engine work, and a long list of gRPC, MongoDB wire-protocol, SQL, OpenCypher, time-series and Studio fixes.

New Features

  • OpenTelemetry distributed tracing - an optional module for end-to-end request tracing, with opt-in OTLP export. (#4467, #4465)
  • Structured JSON logging with per-request correlation IDs. (#4466)
  • Native BM25 full-text scoring - field boosts, caret syntax and EXPLAIN / PROFILE support. (#4687)
  • ISO GQL compliance - strict numeric types (schema round-trip), session management (SESSION SET / RESET / CLOSE) and transaction control (START TRANSACTION / COMMIT / ROLLBACK). (#4141)
  • New vector formats and helpers - MATLAB / MATLAB_COLUMN, JULIA and NUMPY formats, asVector(), asSparse(), RRF array input and vectorDequantizeBinary. (#3099)
  • MongoDB wire protocol - update, delete and createIndexes commands plus SASL PLAIN authentication. (#4750, #4751, #4746)
  • HA auto-acquire of unseen databases - a joining node bootstraps databases it has never seen. (#4727)
  • Kubernetes health probes - liveness/readiness/startup endpoints for orchestrated deployments. (#4464)
  • Paginated remote fetching of edges and vertices across the remote API.
  • Studio - cluster HA alerts and Restore / Delete row actions on the backup list. (#4737)

Major Highlights

High Availability & Raft resilience

The bulk of this release goes into making the Raft-based HA cluster survive real-world failure modes without data loss or node self-halt:

  • No more node-wide halt on apply errors. Apply-time failures are now quarantined per-database instead of taking the whole node down, transient NeedRetryExceptions are retried in Raft apply, and unexpected throwables no longer kill the process. (#4797, #4659)
  • Divergence self-recovery. A follower stuck on a divergent Raft log now performs follower-side reformat-and-rejoin instead of spinning on INCONSISTENCY, and a WAL-version-gap / phase-2 commit failure no longer causes a node to self-halt. (#4741, #4740)
  • Snapshot integrity. Snapshot extraction, markers and the final swap are now fsynced before the backup is deleted, transfer completeness is verified with a manifest, takeSnapshot() persists a real snapshot marker so a log purge can no longer orphan applied state, and the database-registry lock is held across snapshot close -> swap -> reopen. (#4830, #4831, #4829, #4832)
  • Membership & quorum safety. Raft membership now uses atomic deltas instead of last-write-wins setConfiguration, removePeer / leaveCluster are guarded against dropping below quorum, and stepDown selects the highest-priority non-lagging peer while skipping priority-0 witnesses. (#4795, #4796, #4808)
  • Per-database applied-index tracking, so mixed-database clusters track progress correctly. (#4824)
  • Silent write loss eliminated when replication times out after dispatch: the leader no longer acknowledges a write it failed to replicate. (#4790)
  • Accurate lag diagnosis. New heartbeat-lag metrics, byte-bounded replication backpressure, resync logging (leader flood suppression + follower resync visibility), and a slow-but-progressing follower is now treated as catching up rather than stale. ClusterMonitor per-replica lag state is reset on each new leadership term to prevent false STALLED reports. (#4812, #4810, #4840, #4841)
  • Auto-acquire of unseen databases so a joining node bootstraps databases it has never seen, with a single deterministic bootstrap source instead of abandoning databases on first transfer. (#4727, #4807)

Kubernetes operations

  • StatefulSet scale-up beyond HA_SERVER_LIST no longer crash-loops: a local Raft peer is synthesized and auto-joins when the pod ordinal exceeds the static list. (#4836)
  • Raft storage is persisted by default under Kubernetes, so a pod restart no longer wipes the PVC-backed Raft log. (#4835)
  • Kubernetes health/liveness/readiness probes and a graceful cluster-leave path owned solely by RaftHAServer.stop(). (#4464, #4837)

Security hardening

  • Polyglot scripting now requires admin privileges and the GraalVM sandbox has been hardened (reflection deny-list), closing an advisory (GHSA-48qw-824m-86pr) where a reader-role user could read host files via JavaScript on /api/v1/command.
  • gRPC authorization is enforced centrally instead of being blanket-skipped: getDatabase rejects path-traversal names and enforces auth, admin operations require admin auth, and cross-database access is covered by regression tests. (#4793, #4792, #4794)
  • Cluster-management HTTP endpoints now require root. (#4791)
  • DoS bounding on gRPC: result materialization and worker busy-wait are bounded, abandoned gRPC transactions are reaped to stop an executor/transaction leak, and in-band command failures are correctly counted as errors. (#4803, #4802, #4804)
  • Hardened FileUtils path-traversal guard.

Observability

... (truncated)

Commits
  • 5347ff5 Set release version to 26.7.1
  • 8ca396c fix(GHSA-48qw-824m-86pr): require admin privileges for polyglot scripting and...
  • f621b00 fix(#4849): preserve temporal element types in projected collections and maps...
  • dce2071 fix(#4857): HTTP session idle-timeout sweep racing an in-flight command's rol...
  • a681d5c fix(#4855): GROUP BY silently dropped on cached execution-plan reuse (#4856)
  • 616ff0b chore(deps): bump jline.version from 4.2.1 to 4.3.1 [skip ci]
  • 55a32b9 chore(deps): bump graalvm.version from 25.0.3 to 25.1.3 [skip ci]
  • 3a1b987 chore(deps): bump org.postgresql:postgresql from 42.7.11 to 42.7.12 [skip ci]
  • 565dcaf chore(deps-dev): bump redis.clients:jedis from 7.5.2 to 7.5.3 [skip ci]
  • 4ba0db4 chore(deps): bump io.github.ascopes:protobuf-maven-plugin from 5.1.6 to 5.1.7...
  • Additional commits viewable in compare view

Updates com.arcadedb:arcadedb-network from 26.6.1 to 26.7.1

Release notes

Sourced from com.arcadedb:arcadedb-network's releases.

26.7.1

ArcadeDB 26.7.1 Release Notes

Overview

ArcadeDB 26.7.1 is a large stability, resilience and security release with over 420 commits, 238 resolved issues and 32 merged pull requests. The headline theme is a deep High Availability / Raft hardening wave that makes clustered deployments far more robust under leader churn, node restarts, snapshot transfers and Kubernetes scale events. On top of that come a security hardening pass (polyglot scripting lockdown, gRPC and cluster-management authorization, DoS bounding), a new OpenTelemetry distributed-tracing module plus structured JSON logging, native BM25 full-text scoring, continued ISO GQL compliance and vector engine work, and a long list of gRPC, MongoDB wire-protocol, SQL, OpenCypher, time-series and Studio fixes.

New Features

  • OpenTelemetry distributed tracing - an optional module for end-to-end request tracing, with opt-in OTLP export. (#4467, #4465)
  • Structured JSON logging with per-request correlation IDs. (#4466)
  • Native BM25 full-text scoring - field boosts, caret syntax and EXPLAIN / PROFILE support. (#4687)
  • ISO GQL compliance - strict numeric types (schema round-trip), session management (SESSION SET / RESET / CLOSE) and transaction control (START TRANSACTION / COMMIT / ROLLBACK). (#4141)
  • New vector formats and helpers - MATLAB / MATLAB_COLUMN, JULIA and NUMPY formats, asVector(), asSparse(), RRF array input and vectorDequantizeBinary. (#3099)
  • MongoDB wire protocol - update, delete and createIndexes commands plus SASL PLAIN authentication. (#4750, #4751, #4746)
  • HA auto-acquire of unseen databases - a joining node bootstraps databases it has never seen. (#4727)
  • Kubernetes health probes - liveness/readiness/startup endpoints for orchestrated deployments. (#4464)
  • Paginated remote fetching of edges and vertices across the remote API.
  • Studio - cluster HA alerts and Restore / Delete row actions on the backup list. (#4737)

Major Highlights

High Availability & Raft resilience

The bulk of this release goes into making the Raft-based HA cluster survive real-world failure modes without data loss or node self-halt:

  • No more node-wide halt on apply errors. Apply-time failures are now quarantined per-database instead of taking the whole node down, transient NeedRetryExceptions are retried in Raft apply, and unexpected throwables no longer kill the process. (#4797, #4659)
  • Divergence self-recovery. A follower stuck on a divergent Raft log now performs follower-side reformat-and-rejoin instead of spinning on INCONSISTENCY, and a WAL-version-gap / phase-2 commit failure no longer causes a node to self-halt. (#4741, #4740)
  • Snapshot integrity. Snapshot extraction, markers and the final swap are now fsynced before the backup is deleted, transfer completeness is verified with a manifest, takeSnapshot() persists a real snapshot marker so a log purge can no longer orphan applied state, and the database-registry lock is held across snapshot close -> swap -> reopen. (#4830, #4831, #4829, #4832)
  • Membership & quorum safety. Raft membership now uses atomic deltas instead of last-write-wins setConfiguration, removePeer / leaveCluster are guarded against dropping below quorum, and stepDown selects the highest-priority non-lagging peer while skipping priority-0 witnesses. (#4795, #4796, #4808)
  • Per-database applied-index tracking, so mixed-database clusters track progress correctly. (#4824)
  • Silent write loss eliminated when replication times out after dispatch: the leader no longer acknowledges a write it failed to replicate. (#4790)
  • Accurate lag diagnosis. New heartbeat-lag metrics, byte-bounded replication backpressure, resync logging (leader flood suppression + follower resync visibility), and a slow-but-progressing follower is now treated as catching up rather than stale. ClusterMonitor per-replica lag state is reset on each new leadership term to prevent false STALLED reports. (#4812, #4810, #4840, #4841)
  • Auto-acquire of unseen databases so a joining node bootstraps databases it has never seen, with a single deterministic bootstrap source instead of abandoning databases on first transfer. (#4727, #4807)

Kubernetes operations

  • StatefulSet scale-up beyond HA_SERVER_LIST no longer crash-loops: a local Raft peer is synthesized and auto-joins when the pod ordinal exceeds the static list. (#4836)
  • Raft storage is persisted by default under Kubernetes, so a pod restart no longer wipes the PVC-backed Raft log. (#4835)
  • Kubernetes health/liveness/readiness probes and a graceful cluster-leave path owned solely by RaftHAServer.stop(). (#4464, #4837)

Security hardening

  • Polyglot scripting now requires admin privileges and the GraalVM sandbox has been hardened (reflection deny-list), closing an advisory (GHSA-48qw-824m-86pr) where a reader-role user could read host files via JavaScript on /api/v1/command.
  • gRPC authorization is enforced centrally instead of being blanket-skipped: getDatabase rejects path-traversal names and enforces auth, admin operations require admin auth, and cross-database access is covered by regression tests. (#4793, #4792, #4794)
  • Cluster-management HTTP endpoints now require root. (#4791)
  • DoS bounding on gRPC: result materialization and worker busy-wait are bounded, abandoned gRPC transactions are reaped to stop an executor/transaction leak, and in-band command failures are correctly counted as errors. (#4803, #4802, #4804)
  • Hardened FileUtils path-traversal guard.

Observability

... (truncated)

Commits
  • 5347ff5 Set release version to 26.7.1
  • 8ca396c fix(GHSA-48qw-824m-86pr): require admin privileges for polyglot scripting and...
  • f621b00 fix(#4849): preserve temporal element types in projected collections and maps...
  • dce2071 fix(#4857): HTTP session idle-timeout sweep racing an in-flight command's rol...
  • a681d5c fix(#4855): GROUP BY silently dropped on cached execution-plan reuse (#4856)
  • 616ff0b chore(deps): bump jline.version from 4.2.1 to 4.3.1 [skip ci]
  • 55a32b9 chore(deps): bump graalvm.version from 25.0.3 to 25.1.3 [skip ci]
  • 3a1b987 chore(deps): bump org.postgresql:postgresql from 42.7.11 to 42.7.12 [skip ci]
  • 565dcaf chore(deps-dev): bump redis.clients:jedis from 7.5.2 to 7.5.3 [skip ci]
  • 4ba0db4 chore(deps): bump io.github.ascopes:protobuf-maven-plugin from 5.1.6 to 5.1.7...
  • Additional commits viewable in compare view

Updates com.arcadedb:arcadedb-network from 26.6.1 to 26.7.1

Release notes

Sourced from com.arcadedb:arcadedb-network's releases.

26.7.1

ArcadeDB 26.7.1 Release Notes

Overview

ArcadeDB 26.7.1 is a large stability, resilience and security release with over 420 commits, 238 resolved issues and 32 merged pull requests. The headline theme is a deep High Availability / Raft hardening wave that makes clustered deployments far more robust under leader churn, node restarts, snapshot transfers and Kubernetes scale events. On top of that come a security hardening pass (polyglot scripting lockdown, gRPC and cluster-management authorization, DoS bounding), a new OpenTelemetry distributed-tracing module plus structured JSON logging, native BM25 full-text scoring, continued ISO GQL complianceDescription has been truncated

Bumps the arcadedb group with 1 update in the /customer-360/java directory: [com.arcadedb:arcadedb-network](https://github.com/ArcadeData/arcadedb).
Bumps the arcadedb group with 1 update in the /feature-store/java directory: [com.arcadedb:arcadedb-network](https://github.com/ArcadeData/arcadedb).
Bumps the arcadedb group with 1 update in the /fraud-detection/java directory: [com.arcadedb:arcadedb-network](https://github.com/ArcadeData/arcadedb).
Bumps the arcadedb group with 1 update in the /iam/java directory: [com.arcadedb:arcadedb-network](https://github.com/ArcadeData/arcadedb).
Bumps the arcadedb group with 1 update in the /knowledge-graphs/java directory: [com.arcadedb:arcadedb-network](https://github.com/ArcadeData/arcadedb).
Bumps the arcadedb group with 1 update in the /realtime-analytics/java directory: [com.arcadedb:arcadedb-network](https://github.com/ArcadeData/arcadedb).
Bumps the arcadedb group with 1 update in the /recommendation-engine/java directory: [com.arcadedb:arcadedb-network](https://github.com/ArcadeData/arcadedb).
Bumps the arcadedb group with 1 update in the /social-network-analytics/java directory: [com.arcadedb:arcadedb-network](https://github.com/ArcadeData/arcadedb).
Bumps the arcadedb group with 1 update in the /supply-chain/java directory: [com.arcadedb:arcadedb-network](https://github.com/ArcadeData/arcadedb).


Updates `com.arcadedb:arcadedb-network` from 26.6.1 to 26.7.1
- [Release notes](https://github.com/ArcadeData/arcadedb/releases)
- [Changelog](https://github.com/ArcadeData/arcadedb/blob/main/docs/RELEASE-27.7.1.md)
- [Commits](ArcadeData/arcadedb@26.6.1...26.7.1)

Updates `com.arcadedb:arcadedb-network` from 26.6.1 to 26.7.1
- [Release notes](https://github.com/ArcadeData/arcadedb/releases)
- [Changelog](https://github.com/ArcadeData/arcadedb/blob/main/docs/RELEASE-27.7.1.md)
- [Commits](ArcadeData/arcadedb@26.6.1...26.7.1)

Updates `com.arcadedb:arcadedb-network` from 26.6.1 to 26.7.1
- [Release notes](https://github.com/ArcadeData/arcadedb/releases)
- [Changelog](https://github.com/ArcadeData/arcadedb/blob/main/docs/RELEASE-27.7.1.md)
- [Commits](ArcadeData/arcadedb@26.6.1...26.7.1)

Updates `com.arcadedb:arcadedb-network` from 26.6.1 to 26.7.1
- [Release notes](https://github.com/ArcadeData/arcadedb/releases)
- [Changelog](https://github.com/ArcadeData/arcadedb/blob/main/docs/RELEASE-27.7.1.md)
- [Commits](ArcadeData/arcadedb@26.6.1...26.7.1)

Updates `com.arcadedb:arcadedb-network` from 26.6.1 to 26.7.1
- [Release notes](https://github.com/ArcadeData/arcadedb/releases)
- [Changelog](https://github.com/ArcadeData/arcadedb/blob/main/docs/RELEASE-27.7.1.md)
- [Commits](ArcadeData/arcadedb@26.6.1...26.7.1)

Updates `com.arcadedb:arcadedb-network` from 26.6.1 to 26.7.1
- [Release notes](https://github.com/ArcadeData/arcadedb/releases)
- [Changelog](https://github.com/ArcadeData/arcadedb/blob/main/docs/RELEASE-27.7.1.md)
- [Commits](ArcadeData/arcadedb@26.6.1...26.7.1)

Updates `com.arcadedb:arcadedb-network` from 26.6.1 to 26.7.1
- [Release notes](https://github.com/ArcadeData/arcadedb/releases)
- [Changelog](https://github.com/ArcadeData/arcadedb/blob/main/docs/RELEASE-27.7.1.md)
- [Commits](ArcadeData/arcadedb@26.6.1...26.7.1)

Updates `com.arcadedb:arcadedb-network` from 26.6.1 to 26.7.1
- [Release notes](https://github.com/ArcadeData/arcadedb/releases)
- [Changelog](https://github.com/ArcadeData/arcadedb/blob/main/docs/RELEASE-27.7.1.md)
- [Commits](ArcadeData/arcadedb@26.6.1...26.7.1)

Updates `com.arcadedb:arcadedb-network` from 26.6.1 to 26.7.1
- [Release notes](https://github.com/ArcadeData/arcadedb/releases)
- [Changelog](https://github.com/ArcadeData/arcadedb/blob/main/docs/RELEASE-27.7.1.md)
- [Commits](ArcadeData/arcadedb@26.6.1...26.7.1)

---
updated-dependencies:
- dependency-name: com.arcadedb:arcadedb-network
  dependency-version: 26.7.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: arcadedb
- dependency-name: com.arcadedb:arcadedb-network
  dependency-version: 26.7.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: arcadedb
- dependency-name: com.arcadedb:arcadedb-network
  dependency-version: 26.7.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: arcadedb
- dependency-name: com.arcadedb:arcadedb-network
  dependency-version: 26.7.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: arcadedb
- dependency-name: com.arcadedb:arcadedb-network
  dependency-version: 26.7.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: arcadedb
- dependency-name: com.arcadedb:arcadedb-network
  dependency-version: 26.7.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: arcadedb
- dependency-name: com.arcadedb:arcadedb-network
  dependency-version: 26.7.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: arcadedb
- dependency-name: com.arcadedb:arcadedb-network
  dependency-version: 26.7.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: arcadedb
- dependency-name: com.arcadedb:arcadedb-network
  dependency-version: 26.7.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: arcadedb
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jul 2, 2026
@mergify

mergify Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants