chore(deps): bump github.com/nats-io/nats-server/v2 from 2.12.4 to 2.12.5 #3057

Closed

dependabot[bot] wants to merge 1 commit from refs/pull/3057/head into staging

pull from: refs/pull/3057/head

merge into: carverauto:staging

carverauto:staging

carverauto:2406-feat-agent-fleet-management-secure-self-update-system

carverauto:bug/k8s-helm-deployments

carverauto:chore/k8s-arc-update

carverauto:rust-fix

carverauto:2371-analytics-stats-cards-should-abbreviate-numbers

carverauto:chore/perl-cleanup

carverauto:2942-featweb-ng-add-logs-tab-to-device-details-page

carverauto:192-feat-tftp-server

carverauto:mikemiles-dev/feature/netflow_collection

carverauto:testing

carverauto:dependabot/cargo/hostname-0.4.1

carverauto:dependabot/cargo/redis-1.0.1

carverauto:dependabot/cargo/bb8-0.9.0

carverauto:dependabot/cargo/rcgen-0.14.6

carverauto:dependabot/cargo/hyper-1.8.1

carverauto:dependabot/cargo/hyper-util-0.1.19

carverauto:dependabot/cargo/clap-4.5.51

carverauto:dependabot/cargo/thiserror-2.0.17

carverauto:dependabot/cargo/time-tz-2.0.0

carverauto:dependabot/cargo/tonic-build-0.14.2

carverauto:main

carverauto:dependabot/npm_and_yarn/docs/mdast-util-to-hast-13.2.1

carverauto:815-feat-support-win32-for-agentpoller

carverauto:gh-pages

Conversation 1 Commits 1 Files changed 2 +9 -9

dependabot[bot] commented 2026-03-16 02:25:03 +00:00 (Migrated from github.com)

Owner

Copy link

Imported from GitHub pull request.

Original GitHub pull request: #3048
Original author: @dependabot[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/3048
Original created: 2026-03-16T02:25:03Z
Original updated: 2026-03-25T18:40:24Z
Original head: carverauto/serviceradar:dependabot/go_modules/github.com/nats-io/nats-server/v2-2.12.5
Original base: staging

Bumps github.com/nats-io/nats-server/v2 from 2.12.4 to 2.12.5.

Release notes

Sourced from github.com/nats-io/nats-server/v2's releases.

Release v2.12.5

Changelog

Refer to the 2.12 Upgrade Guide for backwards compatibility notes with 2.11.x.

[!WARNING] A regression has been found in this version where a stream update may result in the loss of consumers in clustered deployments in specific cases. Single-server deployments are not affected. To temporarily mitigate, set meta_compact_sync: true in the jetstream config block and perform a configuration reload. We will soon follow up with a fixed 2.12.6 release.

Go Version

• 1.25.8

Dependencies

• github.com/nats-io/nkeys v0.4.15 (#7797)
• github.com/klauspost/compress v1.18.4 (#7812)
• golang.org/x/sys v0.42.0 (#7923)
• github.com/antithesishq/antithesis-sdk-go v0.6.0-default-no-op (#7835)
• golang.org/x/crypto v0.48.0 (#7874)
• github.com/nats-io/nats.go v1.49.0 (#7835)
• golang.org/x/time v0.15.0 (#7923)

CVEs

• Fixes CVE-2026-29785 (affects systems with leafnode compression enabled)
• Fixes CVE-2026-27889 (affects systems with WebSockets enabled)

Added

JetStream

• The stream snapshot/backup endpoint now accepts the window_size parameter, to allow improving flow control over slow or unreliable connections (#7839)

Improved

General

• max_conns in the server configuration can now be configured to 0 (zero) to reject all incoming client connections (#7877)

JetStream

• "Catchup for stream" log lines are now more consistent (#7784)
• Raft now only accepts forwarded proposals if caught up as the new leader, limiting potentially unbounded log growth (#7809)
• Raft now correctly refuses concurrent membership changes if forwarded a peer removal from another node (#7809)
• The max_consumers limit of a stream can now be updated after stream creation (#7724)
• The pending messages and bytes are now included in consumer unpin responses (#7815)
• Stream backups/snapshots are now streamed to clients with improved flow control, which should improve throughput and robustness, particularly over unreliable links, reducing the chance of backups failing due to flow control errors (#7828)
• Orphaned stream and consumer checks are now aligned with the metalayer snapshot logic (#7826)
• Wildcard filtering when loading messages is now considerably faster in the memory store (#7840, #7855)
• Metalayer snapshots now take place asynchronously when possible, such that JS API operations are not blocked while the snapshot is taking place (#7827, #7846)

... (truncated)

Commits

• 0f6c831 Release v2.12.5
• d9cce39 Update dependencies
• 44d8abd Fix TestMonitorWebsocket
• 55db52b Update to Go 1.25.8
• 358cdc4 Fix int32 overflow of JWT account and user limits
• a1488de Fix panic on LS protocol when compression enabled
• cadc948 Fix panic on X-Forwarded-For empty slice (shouldn't be possible from the wire)
• 6cf715d Fix panic in WebSocket when reading an empty compressed buffer
• 667d14d Fix panic in WebSocket on extremely large payload length
• d82c4b7 Fix panic on title case on empty error message
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Imported from GitHub pull request. Original GitHub pull request: #3048 Original author: @dependabot[bot] Original URL: https://github.com/carverauto/serviceradar/pull/3048 Original created: 2026-03-16T02:25:03Z Original updated: 2026-03-25T18:40:24Z Original head: carverauto/serviceradar:dependabot/go_modules/github.com/nats-io/nats-server/v2-2.12.5 Original base: staging --- Bumps [github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server) from 2.12.4 to 2.12.5. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nats-io/nats-server/releases">github.com/nats-io/nats-server/v2's releases</a>.</em></p> <blockquote> <h2>Release v2.12.5</h2> <h2>Changelog</h2> <p>Refer to the <a href="https://docs.nats.io/release-notes/whats_new/whats_new_212">2.12 Upgrade Guide</a> for backwards compatibility notes with 2.11.x.</p> <blockquote> <p>[!WARNING] A regression has been found in this version where a stream update may result in the loss of consumers in clustered deployments in specific cases. Single-server deployments are not affected. To temporarily mitigate, set <code>meta_compact_sync: true</code> in the <code>jetstream</code> config block and perform a configuration reload. We will soon follow up with a fixed 2.12.6 release.</p> </blockquote> <h3>Go Version</h3> <ul> <li>1.25.8</li> </ul> <h3>Dependencies</h3> <ul> <li>github.com/nats-io/nkeys v0.4.15 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7797">#7797</a>)</li> <li>github.com/klauspost/compress v1.18.4 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7812">#7812</a>)</li> <li>golang.org/x/sys v0.42.0 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7923">#7923</a>)</li> <li>github.com/antithesishq/antithesis-sdk-go v0.6.0-default-no-op (<a href="https://redirect.github.com/nats-io/nats-server/issues/7835">#7835</a>)</li> <li>golang.org/x/crypto v0.48.0 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7874">#7874</a>)</li> <li>github.com/nats-io/nats.go v1.49.0 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7835">#7835</a>)</li> <li>golang.org/x/time v0.15.0 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7923">#7923</a>)</li> </ul> <h3>CVEs</h3> <ul> <li>Fixes CVE-2026-29785 (affects systems with leafnode compression enabled)</li> <li>Fixes CVE-2026-27889 (affects systems with WebSockets enabled)</li> </ul> <h3>Added</h3> <p>JetStream</p> <ul> <li>The stream snapshot/backup endpoint now accepts the <code>window_size</code> parameter, to allow improving flow control over slow or unreliable connections (<a href="https://redirect.github.com/nats-io/nats-server/issues/7839">#7839</a>)</li> </ul> <h3>Improved</h3> <p>General</p> <ul> <li><code>max_conns</code> in the server configuration can now be configured to <code>0</code> (zero) to reject all incoming client connections (<a href="https://redirect.github.com/nats-io/nats-server/issues/7877">#7877</a>)</li> </ul> <p>JetStream</p> <ul> <li>&quot;Catchup for stream&quot; log lines are now more consistent (<a href="https://redirect.github.com/nats-io/nats-server/issues/7784">#7784</a>)</li> <li>Raft now only accepts forwarded proposals if caught up as the new leader, limiting potentially unbounded log growth (<a href="https://redirect.github.com/nats-io/nats-server/issues/7809">#7809</a>)</li> <li>Raft now correctly refuses concurrent membership changes if forwarded a peer removal from another node (<a href="https://redirect.github.com/nats-io/nats-server/issues/7809">#7809</a>)</li> <li>The <code>max_consumers</code> limit of a stream can now be updated after stream creation (<a href="https://redirect.github.com/nats-io/nats-server/issues/7724">#7724</a>)</li> <li>The pending messages and bytes are now included in consumer unpin responses (<a href="https://redirect.github.com/nats-io/nats-server/issues/7815">#7815</a>)</li> <li>Stream backups/snapshots are now streamed to clients with improved flow control, which should improve throughput and robustness, particularly over unreliable links, reducing the chance of backups failing due to flow control errors (<a href="https://redirect.github.com/nats-io/nats-server/issues/7828">#7828</a>)</li> <li>Orphaned stream and consumer checks are now aligned with the metalayer snapshot logic (<a href="https://redirect.github.com/nats-io/nats-server/issues/7826">#7826</a>)</li> <li>Wildcard filtering when loading messages is now considerably faster in the memory store (<a href="https://redirect.github.com/nats-io/nats-server/issues/7840">#7840</a>, <a href="https://redirect.github.com/nats-io/nats-server/issues/7855">#7855</a>)</li> <li>Metalayer snapshots now take place asynchronously when possible, such that JS API operations are not blocked while the snapshot is taking place (<a href="https://redirect.github.com/nats-io/nats-server/issues/7827">#7827</a>, <a href="https://redirect.github.com/nats-io/nats-server/issues/7846">#7846</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nats-io/nats-server/commit/0f6c831ec1df25bc3dc81d25faae0ed0bac15a96"><code>0f6c831</code></a> Release v2.12.5</li> <li><a href="https://github.com/nats-io/nats-server/commit/d9cce3905916d634dc27b7981441641c51c613c6"><code>d9cce39</code></a> Update dependencies</li> <li><a href="https://github.com/nats-io/nats-server/commit/44d8abdb75a5fd7b8d258852490d856548100b09"><code>44d8abd</code></a> Fix <code>TestMonitorWebsocket</code></li> <li><a href="https://github.com/nats-io/nats-server/commit/55db52ba5d26082e5d245a07a783b05ef278072b"><code>55db52b</code></a> Update to Go 1.25.8</li> <li><a href="https://github.com/nats-io/nats-server/commit/358cdc44367a1f1b2a63f601d7d16fa792135d74"><code>358cdc4</code></a> Fix int32 overflow of JWT account and user limits</li> <li><a href="https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8"><code>a1488de</code></a> Fix panic on LS protocol when compression enabled</li> <li><a href="https://github.com/nats-io/nats-server/commit/cadc9486cce8c0ddebe322ef22cff8388620b9e2"><code>cadc948</code></a> Fix panic on <code>X-Forwarded-For</code> empty slice (shouldn't be possible from the wire)</li> <li><a href="https://github.com/nats-io/nats-server/commit/6cf715d6fade68e403197841d46e8067c26b1e4c"><code>6cf715d</code></a> Fix panic in WebSocket when reading an empty compressed buffer</li> <li><a href="https://github.com/nats-io/nats-server/commit/667d14d7b7525e76db1b9588f7555fa8a1e158e5"><code>667d14d</code></a> Fix panic in WebSocket on extremely large payload length</li> <li><a href="https://github.com/nats-io/nats-server/commit/d82c4b7fd86cd70135dc3e7ae471c42a51ff7a11"><code>d82c4b7</code></a> Fix panic on title case on empty error message</li> <li>Additional commits viewable in <a href="https://github.com/nats-io/nats-server/compare/v2.12.4...v2.12.5">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

dependabot[bot] commented 2026-03-25 18:40:21 +00:00 (Migrated from github.com)

Author

Owner

Copy link

Imported GitHub PR comment.

Original author: @dependabot[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/3048#issuecomment-4128902620
Original created: 2026-03-25T18:40:21Z

Looks like github.com/nats-io/nats-server/v2 is up-to-date now, so this is no longer needed.

Imported GitHub PR comment. Original author: @dependabot[bot] Original URL: https://github.com/carverauto/serviceradar/pull/3048#issuecomment-4128902620 Original created: 2026-03-25T18:40:21Z --- Looks like github.com/nats-io/nats-server/v2 is up-to-date now, so this is no longer needed.

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

1week

  

2weeks

  

Failed compliance check

  

IP cameras

  

NATS

NATS JetStream

  

Possible security concern

  

Review effort 1/5

  

Review effort 2/5

  

Review effort 3/5

  

Review effort 4/5

  

Review effort 5/5

  

UI

  

aardvark

  

accessibility

  

amd64

  

api

  

arm64

  

auth

  

back-end

  

bgp

  

blog

  

bug

Something isn't working

  

build

  

checkers

  

ci-cd

continuous integration-continuous deployments

  

cleanup

  

cnpg

cloud-native postgres

  

codex

  

core

core service

  

dependencies

Pull requests that update a dependency file

  

device-management

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

dusk

  

ebpf

  

enhancement

New feature or request

  

eta 1d

  

eta 1hr

  

eta 3d

  

eta 3hr

  

feature

  

fieldsurvey

  

github_actions

Pull requests that update GitHub Actions code

  

go

Pull requests that update Go code

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

javascript

Pull requests that update Javascript code

  

k8s

  

log-collector

  

mapper

  

mtr

multi traceroute

  

needs-triage

  

netflow

  

network-sweep

  

observability

  

oracle

Oracle Linux related issues

  

otel

opentelemetry logs, traces, metrics

  

plug-in

  

proton

timeplus proton streaming database

  

python

  

question

Further information is requested

  

reddit

  

redhat

  

research

  

rperf

  

rperf-checker

  

rust

Pull requests that update rust code

  

sdk

  

security

  

serviceradar-agent

  

serviceradar-agent-gateway

  

serviceradar-web

  

serviceradar-web-ng

  

siem

  

snmp

  

sysmon

  

topology

  

ubiquiti

  

wasm

  

wontfix

This will not be worked on

  

zen-engine

No labels

1week

2weeks

Failed compliance check

IP cameras

NATS

Possible security concern

Review effort 1/5

Review effort 2/5

Review effort 3/5

Review effort 4/5

Review effort 5/5

UI

aardvark

accessibility

amd64

api

arm64

auth

back-end

bgp

blog

bug

build

checkers

ci-cd

cleanup

cnpg

codex

core

dependencies

device-management

documentation

duplicate

dusk

ebpf

enhancement

eta 1d

eta 1hr

eta 3d

eta 3hr

feature

fieldsurvey

github_actions

go

good first issue

help wanted

invalid

javascript

k8s

log-collector

mapper

mtr

needs-triage

netflow

network-sweep

observability

oracle

otel

plug-in

proton

python

question

reddit

redhat

research

rperf

rperf-checker

rust

sdk

security

serviceradar-agent

serviceradar-agent-gateway

serviceradar-web

serviceradar-web-ng

siem

snmp

sysmon

topology

ubiquiti

wasm

wontfix

zen-engine

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

carverauto/serviceradar!3057

No description provided.