docs/release_notes/v1.17.6.md
This update contains a bug fix and a security fix:

- Pulsar pub/sub: messages that arrived while a subscription was closing were NACKed and sent to the dead-letter queue instead of being redelivered
- golang.org/x/image upgraded to v0.39.0

During graceful shutdown or hot-reload of a Pulsar pub/sub component, messages that arrived after the subscription started closing were rejected by the sidecar with a `subscription is closed` error.
The pluggable component layer translated this rejection into a NACK, and the broker forwarded the message to the dead-letter queue (DLQ) instead of redelivering it to a healthy consumer.
Any deployment using the Pulsar pub/sub component (or any pluggable pub/sub component that surfaced the `subscription is closed` error) could lose messages to the DLQ during a routine restart, hot-reload, or rolling update.
The dropped messages were valid and would have been processed normally if the broker had been allowed to redeliver them, so the DLQ filled with messages that should never have failed.
Streaming subscriptions were affected even when the closed flag had not yet been set, because the streamer's connection could close before the subscription registered itself as closing.

The subscription handler returned the `subscription is closed` sentinel as soon as the close flag was observed, even though the broker connection was still open and accepting deliveries.
The pluggable component contract treats any non-context error returned from a handler as a NACK, so messages received during the close window were eagerly NACKed instead of being held until the broker could withdraw them.
For streaming subscriptions, there was no equivalent sentinel for the closing-but-not-closed state, so the streamer could mistake a transient close-side disconnection for a handler failure.

The subscription handler now blocks new messages until the broker connection is fully torn down, so the broker treats the in-flight messages as unacknowledged and redelivers them to a healthy consumer rather than routing them to the DLQ.
For streaming subscriptions, a dedicated `ErrSubscriptionClosed` sentinel ensures the handler detects the closing state even when the streamer's connection closes before the subscription's own closed flag is set.
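The close-window behaviour described above, as an added Go model that is not Dapr's code: `classify` applies the contract that only non-context errors are NACKs, `buggyHandler` returns the sentinel as soon as the close flag is seen, and `fixedHandler` holds the message until the broker connection is torn down. The `subscription` struct, the unexported sentinel name, and the assumption that the held message is surfaced as a context error are this example's, not the release's.

```go
package main

import (
	"context"
	"errors"
	"sync/atomic"
)

// Stand-in for the "subscription is closed" sentinel the notes describe (illustrative model, not Dapr's code).
var errSubscriptionClosed = errors.New("subscription is closed")
// classify models the contract in the notes: nil = ACK, context error = left unacknowledged
// (the broker redelivers it), any other error = NACK (the broker routes the message to the DLQ).
func classify(err error) string {
	if err == nil {
		return "ack"
	}
	if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
		return "unacked"
	}
	return "nack"
}
// subscription models the close flag plus a signal that the broker connection is fully torn down.
type subscription struct {
	closing  atomic.Bool
	tornDown chan struct{}
}
func (s *subscription) beginClose()  { s.closing.Store(true) } // messages may still arrive after this
func (s *subscription) finishClose() { close(s.tornDown) }     // broker connection is gone
// buggyHandler (pre-fix): the sentinel is a non-context error, so a valid message seen in the close window is NACKed.
func (s *subscription) buggyHandler(_ context.Context, msg []byte, process func([]byte) error) error {
	if s.closing.Load() {
		return errSubscriptionClosed
	}
	return process(msg)
}

// fixedHandler (post-fix): hold the message until the broker connection is torn down, then surface a
// context error (this model's assumption) so the broker sees it as unacknowledged and redelivers it.
func (s *subscription) fixedHandler(ctx context.Context, msg []byte, process func([]byte) error) error {
	if s.closing.Load() {
		select {
		case <-s.tornDown:
			return context.Canceled
		case <-ctx.Done():
			return ctx.Err()
		}
	}
	return process(msg)
}
```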

A vulnerability was disclosed in golang.org/x/image v0.38.0, the version pinned by Dapr 1.17.5.
Any deployment running v1.17.5 with a code path that processes untrusted image input through golang.org/x/image was potentially exposed to the upstream vulnerability.

The issue originated in the upstream golang.org/x/image library.

This release upgrades golang.org/x/image from v0.38.0 to v0.39.0.
Transitive bumps from `go mod tidy` updated golang.org/x/mod to v0.34.0, golang.org/x/text to v0.36.0, and golang.org/x/tools to v0.43.0.

Users are strongly encouraged to upgrade to this release.