fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 - autoclosed #43

Closed
renovate[bot] wants to merge 1 commit into main from renovate/github.com-nats-io-nats-server-v2-2.x

@renovate renovate Bot commented Mar 9, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| github.com/nats-io/nats-server/v2 | v2.12.4 -> v2.12.6 | age | confidence |

Release Notes

nats-io/nats-server (github.com/nats-io/nats-server/v2)

v2.12.6

Compare Source

Changelog

Refer to the 2.12 Upgrade Guide for backwards compatibility notes with 2.11.x.

Go Version

  • 1.25.8

Dependencies

CVEs

Improved

General

  • Non-WebSocket leafnode connections can now be proxied using HTTP CONNECT (#​7781)
  • The $SYS.REQ.USER.INFO response now includes the friendly nametag of the account and/or user if known (#​7973)

JetStream

  • The stream peer-remove command now accepts a peer ID as well as a server name (#​7952)

MQTT

  • Protocol compliance has been improved, including more error handling on invalid or malformed MQTT packets (#7933)

Fixed

General

  • Client connections are no longer registered after an auth callout timeout (#​7932)
  • Improved handling of duplicate headers
  • A correctness bug when validating relative distinguished names has been fixed
  • Secrets are now redacted correctly in trace logging (#​7942)
  • The expvar endpoint on the monitoring port now correctly redacts secrets from the command line arguments
  • Trace headers are no longer incorrectly parsed when hitting max payload (#​7954)
  • When running as a Windows service, switching to lame duck mode should now correctly exit the process (#​7958)
  • The configuration digest no longer removes from the used variable tracking, which could cause configuration fields to disappear from the returned config (#​7959)
  • A bug which could result in the service import cycle detection failing to detect a genuine cycle has been fixed (#​7961)
  • The PROXY protocol v1 header parser no longer incorrectly discards some early protocol bytes from the client (#​7962)
  • The Nats-Trace-Dest message header for message tracing now requires that the client have publish permissions to the specified subject; an error is returned otherwise
  • The route pool is now correctly populated if receiving a pong before handling the new route setup (#​7971)

Leafnodes

  • A panic when receiving a loop detection error before a connect message has been fixed
  • Messages from leafnodes to non-shared service imports now correctly rebuild the request info header
  • Leafnodes will now back off on receiving a minimum version required error, no longer requiring blocking the readloop (#​7970)

JetStream

  • Stream updates on clustered setups with async snapshots enabled should no longer result in the loss of consumer assignments, fixing the regression introduced in 2.12.5 (#​7939)
  • Fixed idempotent stream create with sources (#​7928)
  • Fixed a bug where mirror goroutines could get stuck stalling the mirror indefinitely (#​7929)
  • A panic that could occur when attempting to scale down a stream with an in-flight stream create and consumer create has been fixed (#​7940)
  • A panic when paginating on various JetStream API endpoints has been fixed
  • An interior path traversal bug that could occur when purging JetStream accounts has been fixed
  • Meta snapshot apply errors are now surfaced correctly so that the cluster monitor does not advance the applied index (#​7944)
  • Fixed an issue where extremely large JetStream reservations could overflow and violate tier limits
  • Stream restores now ensure that the stream name in the restore subject matches that of the restored snapshot archive
  • Stream ingest now correctly strips a NATS status header if present, avoiding incorrect classification of sourced or mirrored messages as control traffic
  • The Raft layer now resets the vote correctly when switching to candidate state (#​7956)
  • The orphan consumer check no longer unexpectedly deletes direct consumers, which could affect sourcing and mirroring (#​7957)
  • The Raft layer no longer commits entries from previous terms by only allowing entries from our current term up to the commit (#​7955)
  • Stream restores are now processed directly from the wire without intermediate staging on the filesystem, improving the enforcement of limits and reservations on disk
  • Stream sourcing now works correctly when sourcing into a stream with the Discard New Per Subject discard policy (#​7896)

MQTT

  • A panic that could occur when processing invalid fixed32 or fixed64 fields has been fixed (#​7941)
  • Persisted MQTT sessions can no longer be restored by a non-matching client ID
  • Restrict the implicit permissions for MQTT clients to $MQTT.sub. and $MQTT.deliver.pubrel. prefixes
  • MQTT passwords are no longer exposed in the JWT field of monitoring endpoints or advisory messages
  • NATS special characters (., >, *, spaces, tabs) are no longer permitted in MQTT client IDs
  • MQTT session flapping detection now uses monotonic time, fixing cases where it could be sensitive to NTP adjustments or clock drifts

WebSockets

  • WebSocket protocol parsing no longer relies on potentially unbounded in-memory allocations from compressed or uncompressed frames

Complete Changes

v2.12.5

Compare Source

Changelog

Refer to the 2.12 Upgrade Guide for backwards compatibility notes with 2.11.x.

[!WARNING]
A regression has been found in this version where a stream update may result in the loss of consumers in clustered deployments in specific cases. Single-server deployments are not affected. To temporarily mitigate, set meta_compact_sync: true in the jetstream config block and perform a configuration reload. We will soon follow up with a fixed 2.12.6 release.

Go Version

  • 1.25.8

Dependencies

  • github.com/nats-io/nkeys v0.4.15 (#7797)
  • github.com/klauspost/compress v1.18.4 (#7812)
  • golang.org/x/sys v0.42.0 (#7923)
  • github.com/antithesishq/antithesis-sdk-go v0.6.0-default-no-op (#7835)
  • golang.org/x/crypto v0.48.0 (#7874)
  • github.com/nats-io/nats.go v1.49.0 (#7835)
  • golang.org/x/time v0.15.0 (#7923)

CVEs

Added

JetStream

  • The stream snapshot/backup endpoint now accepts the window_size parameter, to allow improving flow control over slow or unreliable connections (#7839)

Improved

General

  • max_conns in the server configuration can now be configured to 0 (zero) to reject all incoming client connections (#​7877)

JetStream

  • "Catchup for stream" log lines are now more consistent (#​7784)
  • Raft now only accepts forwarded proposals if caught up as the new leader, limiting potentially unbounded log growth (#​7809)
  • Raft now correctly refuses concurrent membership changes if forwarded a peer removal from another node (#​7809)
  • The max_consumers limit of a stream can now be updated after stream creation (#​7724)
  • The pending messages and bytes are now included in consumer unpin responses (#​7815)
  • Stream backups/snapshots are now streamed to clients with improved flow control, which should improve throughput and robustness, particularly over unreliable links, reducing the chance of backups failing due to flow control errors (#​7828)
  • Orphaned stream and consumer checks are now aligned with the metalayer snapshot logic (#​7826)
  • Wildcard filtering when loading messages is now considerably faster in the memory store (#​7840, #​7855)
  • Metalayer snapshots now take place asynchronously when possible, such that JS API operations are not blocked while the snapshot is taking place (#​7827, #​7846)
    • This behaviour can be disabled by setting meta_compact_sync: true in the jetstream configuration block
  • Consumers with a single subject filter no longer incorrectly use the multi-filter message lookups (#​7856)
  • The check for colliding stream subjects is now faster (#​7870)
  • Raft replica lag and current values in stream info, consumer info and /jsz are now more consistent, no longer reporting incorrect values on follower nodes (#​7885)
  • Num pending calculations for R1 consumers now happen asynchronously and should no longer block the metalayer (#7889)

Fixed

General

  • Routed message arguments no longer escape to the heap, improving performance (#​7867)
  • Malformed functions or operations in user permissions templates or on invalid template expansion during auth should no longer result in a server panic

Leafnodes

  • A crash when leafnodes with bad credentials perform an auth callout has been fixed (#7844)
  • Receiving a leafnode subscription before negotiating compression should no longer result in a server panic

JetStream

  • A filestore bug which could hold onto a lock when exiting after an error has been fixed (#​7780)
  • The filestore now always uses tombstones for recovering trailing deletes (#​7782)
  • Fixed a race condition when rebuilding block state during recovery (#​7783)
  • The filestore binary search for a message block now correctly sorts blocks that contain only tombstones (#​7787)
  • Fixed a data race for streams when acquiring the deduplication sequence (#​7789)
  • Raft now correctly checks the closed state when reporting if the node is current (#​7793)
  • Raft now sets the election timeout instead of the campaign timeout when leaving observer mode (#​7793)
  • The metalayer now tracks in-flight meta changes for invalid stream or consumer updates (#​7798)
  • The metalayer no longer incorrectly overwrites local consumer assignments before they are applied, which would result in them being omitted from the meta snapshot (#​7798)
  • The inactive threshold clean-up no longer leaves lingering goroutines (#7799)
  • Pooled publish message underlying buffer capacity is now reused correctly (#​7790)
  • Consumers with overlapping filter subjects where one is not a subset of the other are now allowed (#​7810)
  • The filestore now checksums after truncation on compressed or encrypted stores (#​7816)
  • The filestore no longer leaks locks in various error states (#​7816)
  • The filestore now correctly holds the lock during snapshotting on encrypted stores (#​7816)
  • The filestore now ensures that num pending calculations cannot overflow (#​7816)
  • The filestore now correctly recalculates the subject state as needed when finding last sequences (#​7816)
  • The filestore now sorts configured subjects when checking whether filters represent all of the configured filters (#​7816)
  • The filestore now avoids subject and header corruption in more cases (#​7816)
  • Consumer unpinning is now handled correctly when stepping down (#​7819)
  • Consumer unpinning now allows the next client to pick up the next pin without waiting for new messages (#​7819)
  • Fixed a race condition when remapping the underlying group of a replicated asset (#​7820, #​7883)
  • An overflowed pull request when min pending or min ack pending is above the threshold is now handled correctly (#​7795)
  • Timers are no longer leaked when failing to set up mirrors, which resulted in high CPU usage (#​7825)
  • Monitor quit channels are created on demand, fixing cases where an asset restarts with a different underlying Raft group (#​7837)
  • Recovered streams and consumers are now correctly handled when not present in a metalayer catchup snapshot (#​7824)
  • Ensure that messages that have reached the max deliver state are preserved with the WorkQueue retention policy (#​7845)
  • An inconsistency with consumer naming between the current and legacy consumer create endpoints has been fixed (#​7848)
  • The Raft layer no longer incorrectly reverts the last snapshot applied sequence when truncating uncommitted entries after a catchup snapshot (#​7849)
  • The Raft layer no longer incorrectly restores the cluster size to 1 at startup, which could result in an isolated node incorrectly winning a single-node election (#​7850)
  • The memory store correctly refreshes the last sequence of a subject in the subject state tracking (#​7865)
  • Tiered reservations are now handled more consistently, fixing issues where replicated assets could be over-counted and where reservations were incorrectly applied on recovery (#​7880)
  • When scaling down a replicated consumer to R1, the correct consumer name is now used in the request where no durable name is set (#​7891)
  • Consumer deletion will now retry correctly when erroring with a directory not empty error (#​7886)
  • The store_max_stream_bytes and memory_max_stream_bytes are no longer incorrectly applied when determining whether account resource limits have been exceeded, fixing a long-standing bug where it would incorrectly limit total reservations (#​7895)
  • A race condition in the memory store when updating the delete map has been fixed (#​7897)
  • Stream source checks are now enforced correctly when from a different account or domain (#​7903)
  • Consumer assignments no longer incorrectly handle or store transition state which could lead to issues on recovery or cause consumer state to be lost (#​7905, #​7908)

MQTT

  • SUB and UNSUB packets now correctly detect and reject the Packet Identifier being set to 0 (#​7805)

WebSockets

  • Fix invalid parsing of 64-bit payload lengths, which could lead to a server panic
  • Correctly reject compressed frames when compression was not negotiated as a part of the handshake
  • The Origin header validation now validates the protocol scheme as well as host and port
  • Gracefully handle failed connection upgrades
  • The CLOSE frame lengths and status codes are now validated correctly
  • The compressor state is correctly reset when a max payload error occurs
  • Buffers are now correctly reused, reducing memory pressure (#​7901)
  • Empty compressed buffers should no longer result in a server panic

Complete Changes

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot commented Mar 9, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 6 additional dependencies were updated

Details:

| Package | Change |
|---|---|
| github.com/nats-io/nats.go | v1.48.0 -> v1.49.0 |
| github.com/antithesishq/antithesis-sdk-go | v0.5.0 -> v0.6.0-default-no-op |
| github.com/nats-io/jwt/v2 | v2.8.0 -> v2.8.1 |
| golang.org/x/crypto | v0.48.0 -> v0.49.0 |
| golang.org/x/sys | v0.41.0 -> v0.42.0 |
| golang.org/x/time | v0.14.0 -> v0.15.0 |

@renovate renovate Bot requested a review from a team as a code owner March 9, 2026 19:57
@renovate renovate Bot force-pushed the renovate/github.com-nats-io-nats-server-v2-2.x branch 2 times, most recently from 744c6af to 2132cd2 Compare March 24, 2026 18:53
@renovate renovate Bot changed the title fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.5 fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 Mar 24, 2026
@renovate renovate Bot changed the title fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 - autoclosed Mar 24, 2026
@renovate renovate Bot closed this Mar 24, 2026
@renovate renovate Bot deleted the renovate/github.com-nats-io-nats-server-v2-2.x branch March 24, 2026 22:36
@renovate renovate Bot changed the title fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 - autoclosed fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 Mar 27, 2026
@renovate renovate Bot reopened this Mar 27, 2026
@renovate renovate Bot force-pushed the renovate/github.com-nats-io-nats-server-v2-2.x branch 2 times, most recently from 2132cd2 to a79e7f1 Compare March 27, 2026 02:41
@renovate renovate Bot changed the title fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 - autoclosed Mar 30, 2026
@renovate renovate Bot closed this Mar 30, 2026