Skip to content

chore(deps): bump com.arcadedb:arcadedb-network from 26.6.1 to 26.7.2#963

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/com.arcadedb-arcadedb-network-26.7.2
Open

chore(deps): bump com.arcadedb:arcadedb-network from 26.6.1 to 26.7.2#963
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/com.arcadedb-arcadedb-network-26.7.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 9, 2026

Copy link
Copy Markdown
Contributor

Bumps com.arcadedb:arcadedb-network from 26.6.1 to 26.7.2.

Release notes

Sourced from com.arcadedb:arcadedb-network's releases.

26.7.2

ArcadeDB 26.7.2

Overview

This release is a large stability and correctness milestone. It ships the results of a deep engine audit (storage, WAL/recovery, transactions/MVCC, LSM indexes and concurrency), hardens High Availability (Raft) recovery, completes the Neo4j Bolt driver compatibility certification, and fixes a broad set of OpenCypher and SQL query bugs.

It also closes five security advisories from an internal audit (see Security Advisories below); upgrading is strongly recommended for server-mode and multi-tenant deployments.

Two changes require attention before upgrading (see Breaking Changes): Raft storage is now durable by default, and the Bolt protocol now carries native temporal types instead of ISO-8601 strings.

Over 130 issues were closed for this milestone.

Security Advisories

This release closes several security advisories found in an internal audit. Upgrading is strongly recommended for any server-mode or multi-tenant deployment.

  • RCE via JavaScript triggers (GHSA-x9f9-r4m8-9xc2). A JavaScript trigger could look up java.lang.* host classes and reach Runtime.getRuntime().exec(...), obtaining OS command execution with only UPDATE_SCHEMA privileges. java.lang.* is removed from the trigger host-class allow-list; only the benign value packages (java.util, java.time, java.math) remain.
  • Arbitrary JavaScript execution via DEFINE FUNCTION ... LANGUAGE js (GHSA-vwjc-v7x7-cm6g). The SQL route to JavaScript bypassed the polyglot scripting gate, letting a user with schema (or lesser) access define and run arbitrary JavaScript. Defining a js function now requires UPDATE_SECURITY, and the polyglot engine runs with IOAccess.NONE (closing load(path|url) host-file read and SSRF) and PolyglotAccess.NONE (no cross-language pivot). SQL and Cypher user functions keep the standard schema-level protection.
  • Secret disclosure / root impersonation via GET /api/v1/server (GHSA-46hj-24h4-j8gf). The server-settings export masked only keys literally containing "password", leaking arcadedb.ha.clusterToken in clear - which, combined with the cluster-forwarded-auth headers, let a low-privilege authenticated user impersonate root. Every setting flagged isHidden() (clusterToken and all password/secret keys) is now redacted, for both the current and default value.
  • Cross-database IDOR on time-series / batch / Prometheus / Grafana endpoints (GHSA-x8mg-6r4p-87pf). Fourteen handlers extended the base HTTP handler directly and resolved the path database with no canAccessToDatabase check, so a user authorized for one database could read and write any other database on the server. All affected handlers now enforce database authorization (HTTP 403) before any payload handling and fail closed on a missing database name; the batch handler checks before leader-forwarding.
  • Read-only identity could mutate persisted schema (GHSA-8vr5-263f-x5r3). Several schema/config mutators reachable from a remote command were missing the UPDATE_SCHEMA guard: ALTER TYPE ... CUSTOM / BUCKETSELECTIONSTRATEGY, ALTER MATERIALIZED VIEW ... REFRESH, DROP MATERIALIZED VIEW / DROP CONTINUOUS AGGREGATE, ALTER TIMESERIES TYPE ... DOWNSAMPLING POLICY, DEFINE FUNCTION, and the stats-only REBUILD INDEX path. All are now gated (database-settings mutators use UPDATE_DATABASE_SETTINGS); every guard is a no-op for embedded, schema-load and HA-replication paths.

Major Highlights

Engine deep-audit 2026-07 (storage, transactions, LSM, concurrency)

A multi-area audit (#4962) hardened the core engine against data-loss and corruption edge cases under crashes, concurrency and load. Notable outcomes:

  • The WAL append is now the transaction's point of no return. Page versions are validated and bumped before the WAL write, so an aborted transaction can no longer be left in the WAL and partially replayed by recovery; a post-append failure is resolved by recovery replay and fences the database until reopen (#4936, #4937).
  • Torn 64KB page writes are repaired on recovery even when the on-disk version header already advanced (#4926); a clean close whose data fsync failed now preserves the WAL for recovery instead of deleting it (#4934).
  • Page-cache correctness: an older page version can no longer overwrite a newer committed one (lost update) and RAM accounting can no longer drift negative and disable eviction (unbounded growth) (#4925, #4933).
  • LSM index hardening: compaction no longer loses re-inserted keys or leaks orphaned pages on failure, range scans are no longer truncated by tombstoned keys, and non-unique point lookups no longer resurrect deleted RIDs (#4942, #4943, #4944, #4945, #4946, #4947).
  • Transactions: updating the same indexed record twice in one transaction no longer corrupts the index (#4935); dead-thread cleanup now rolls back abandoned transactions and releases their file locks, and is correct for virtual threads (#4941, #4956, #4939, #4940).
  • Async executor and shutdown: the stall detector no longer false-positives on slow tasks, shutdown no longer drops queued tasks or hangs completion waiters, and close()/drop() are now bounded so a wedged worker cannot hang shutdown forever (#4953, #4954, #5080, #4991).

Parallel query safety

Parallel bucket scans (enabled by default) could self-deadlock under pool saturation and wedge HTTP workers, race on the shared command context, or pin a CPU core at 100% when a consumer stopped draining. Scan producers now run on a dedicated pool, each worker gets its own context, and the native select().parallel() iterator bounds its producer offer and closes cleanly (#4948, #4949, #4950, #4951, #5065).

... (truncated)

Changelog

Sourced from com.arcadedb:arcadedb-network's changelog.

ArcadeDB v.26.7.2 Release Highlights

This is a living document: fixes, improvements, new features, and breaking changes are collected here as they land during the 26.7.2 development cycle, so the release notes are ready at tag time.

This release hardens High Availability (Raft) recovery. Raft storage is now durable by default (previously ephemeral outside Kubernetes), which removes a class of permanent follower divergence after a full-cluster cold restart - see Breaking Changes below. It also removes a diverged-follower log flood that could starve the very snapshot resync meant to heal the node.

Fixes

  • OpenCypher: repeating a node variable across single-node MATCH parts is no longer order-sensitive. A query such as MATCH (n0:L1:L5), (n0), (n1) ran up to ~16x slower when the parts were written in a different order, e.g. MATCH (n1), (n0), (n0:L1:L5) (#5116). The multi-label conjunction (n0:L1:L5) disqualifies the cost-based optimizer, so the query runs on the legacy step-chain path, which chained comma-separated pattern parts in textual order as a nested-loop Cartesian product. When the bare (n0) was chained before the labeled (n0:L1:L5), n0 was first bound to every node (full scan) and only afterwards filtered by the labels. The legacy planner now orders the parts of each independent component so the most selective (labeled) occurrence of a shared variable binds first, and breaks ties between disconnected node components by descending label count, making the plan independent of the written order. Extends the pattern-part reordering introduced for #5117.

  • Graph: concurrent edge insertion into the same super-node (hot) vertex no longer silently drops edges. Under many transactions appending edges to one vertex at once, an edge record could commit with no back-reference in the target vertex's edge list - the edge count came up short and CHECK DATABASE reported missingReferenceBack (#5147). Root cause was a deferred-update MVCC gap: the edge-list head chunk was read via an immutable lookup that (under READ_COMMITTED) did not retain the page in the transaction, and the page was only captured later by the deferred record update - at the newer version if a concurrent append committed in between. The commit-time page-version check then compared the newer version against itself, found no conflict, and the stale chunk buffer overwrote the concurrent append (a lost update). The head chunk's page is now anchored in the transaction at read time, so a concurrent commit is detected and the transaction retries. Pre-existing and independent of the new edge-append merge (it reproduced with that feature disabled).

  • Cypher: COUNT { ... } (and other block subqueries) inside a pattern-comprehension WHERE no longer swallow a trailing comparison. A filter such as [(a)-[:E]->(b) WHERE COUNT { MATCH (b)-[:E]->() } = 0 | b.name] was parsed as just the COUNT { ... } block, dropping the = 0, so the predicate evaluated to a non-boolean count and every candidate passed the filter (#5140). The special-function detector (COUNT/COLLECT/EXISTS/CASE/shortestPath) guarded its "does this cover the whole expression?" check with a 2-character text-length tolerance, which a short trailing operator like = 0 or > 0 slipped through. The guard now uses exact parse-tree token boundaries, so the surrounding comparison is retained and the comprehension filters correctly, matching Neo4j.

  • Cypher: dynamic bracket property mutations (SET n[key] = value, REMOVE n[key]) are now applied instead of being silently ignored. ArcadeDB parsed these forms but never lowered them into a property write, so the query succeeded while doing nothing; only dot-syntax (SET n.key) and reads (RETURN n['key']) worked (#5141). Both the literal-key (SET d['propA'] = 'hello') and computed-key (SET d[k] = 'world') variants now behave like their dot-syntax equivalents, matching Neo4j. As with SET n.key, assigning null removes the property.

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [com.arcadedb:arcadedb-network](https://github.com/ArcadeData/arcadedb) from 26.6.1 to 26.7.2.
- [Release notes](https://github.com/ArcadeData/arcadedb/releases)
- [Changelog](https://github.com/ArcadeData/arcadedb/blob/main/docs/release-26.7.2.md)
- [Commits](ArcadeData/arcadedb@26.6.1...26.7.2)

---
updated-dependencies:
- dependency-name: com.arcadedb:arcadedb-network
  dependency-version: 26.7.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jul 9, 2026
@mergify

mergify Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 duplication

Metric Results
Duplication 0

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update Java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants