
dolt

v1.87.0 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 29d Relational Databases
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

agent-memory agent-memory-server ai-agents ai-database data-version-control data-versioning
database database-version-control database-versioning decentralized-database git git-database git-for-data git-for-databases git-sql immutable-database mariadb mysql sql version-controlled-database

Summary

AI summary

Dolt now supports separate author and committer identities, making old Dolt clients incompatible with new commits containing distinct committers.

Full changelog

Backwards Incompatible Changes

The author and committer additions introduced are not interpretable by old Dolt clients. If you attempt to set an explicit committer that is different from the author, this will create a new field in storage.
The dolt_log system table and procedure schemas have also been changed to be static. Compatibility for older clients is not guaranteed for all flags, e.g. --show-signature.

Merged PRs

dolt

  • 10996: cleaned up binlog serialization logic
  • 10995: Fixed deserialization for adaptive types during binlog replication
  • 10993: Fix dolt rm --cached to allow unstaged working changes
    dolt rm --cached incorrectly rejected tables with unstaged working changes or tables already dropped from the working set.
    • --cached branch filters tables absent from working via HasTable before calling RemoveTables.
      Fix dolthub/dolt#10987
  • 10983: Fix dolt_log table and procedure schema to be static and --decoration behavior
    dolt_log now exposes a fixed 12-column schema across the system table and procedure. Parents and signature columns remain opt-in via projection for the system table, and arguments in the dolt_log() procedure.
    • --parents and --show-signature no longer mutate the result schema
    • Make parents and signature columns populate only when projected for dolt_log system table
    • --decorate=auto is deprecated in the sql-server context since TTY cannot be determined
    • --decorate=auto in CLI now correctly detects interactive terminal
    • Update bats coverage to be bidirectional for the server and client testing in compatibility
      Blocked by dolthub/vitess#467
  • 10979: adaptive encoding tests for mysql client integration
  • 10975: Use TARGET_ROW_SIZE table attribute to guide how aggressively we move adaptive encoded values out-of-band.
    TARGET_ROW_SIZE is a table attribute that can be set on tables. Dolt interprets this value as a size in bytes. When building a tuple, we attempt to keep the tuple under this size by moving adaptive-encoded values out-of-band until the size of the tuple falls below the threshold.
    Because Dolt does not allow tuples larger than 64K, we can always store the target value in 16-bits.
    The GMS interfaces use a uint64 for TARGET_ROW_SIZE, since other storage backends wouldn't necessarily have the same limit. When setting a value for TARGET_ROW_SIZE, Dolt verifies that it fits in 16 bits.
    Currently, this value can only be set while creating the table and can't be modified afterward.
  • 10974: Db/git remote UI
    This PR updates git remotes to push a branch visible on the Git remote's UI that contains a file with some info about the git ref used as the dolt remote. Addresses https://github.com/dolthub/dolt/issues/10525
  • 10969: go-sql-server-driver tests for large adaptive and out-of-band values
    These tests exercise the replication, pull, and GC behavior for various kinds of schemas with large values that may be stored out of band. These tests failed before the inclusion of address serialization bug fixes from https://github.com/dolthub/dolt/pull/10966
    Depends on https://github.com/dolthub/go-mysql-server/pull/3533
  • 10966: bug fix: write addresses field in tuples if they contain only adaptive encoded fields
  • 10964: .github: ci-lambdabats-unix-adaptive.yaml: Add lambdabats DOLT_USE_ADPATIVE_ENCODING=true runs.
  • 10962: /.github/workflows: fix maven link
  • 10959: When merging, use a tuple builder to ensure that we generate the correct representation for the merged row.
    This matters for adaptive encoding columns, whose correct representation depends on other values in the row.
  • 10958: Fix obscure race: make sure that RunF finishes before StopF in sqlServer.Start()
    This is a candidate for race conditions leading to nil pointer exceptions in some doltgres harness setups.
  • 10952: adaptive encoding for JSON columns
    This will be turned on for the 2.0 release.
  • 10941: build(deps): bump go.opentelemetry.io/otel from 1.40.0 to 1.41.0 in /go
    Bumps go.opentelemetry.io/otel from 1.40.0 to 1.41.0. Changelog

    Sourced from go.opentelemetry.io/otel's changelog.

    [1.41.0/0.63.0/0.17.0/0.0.15] 2026-03-02

    This release is the last to support [Go 1.24]. The next release will require at least [Go 1.25].

    Added

    • Support testing of [Go 1.26]. (#7902)

    Fixed

    • Update Baggage in go.opentelemetry.io/otel/propagation and Parse and New in go.opentelemetry.io/otel/baggage to comply with W3C Baggage specification limits. New and Parse now return partial baggage along with an error when limits are exceeded. Errors from baggage extraction are reported to the global error handler. (#7880)
    • Return an error when the endpoint is configured as insecure and with TLS configuration in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#7914)
    • Return an error when the endpoint is configured as insecure and with TLS configuration in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#7914)
    • Return an error when the endpoint is configured as insecure and with TLS configuration in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#7914)
    Commits
    • 4575a97 Release 1.41.0/0.63.0/0.17.0/0.0.15 (#7977)
    • 66fc10d fix: add error handling for insecure HTTP endpoints with TLS client configura...
    • 76e6eec chore(deps): update github/codeql-action action to v4.32.5 (#7980)
    • 0d50f90 Revert "Generate semconv/v1.40.0" (#7978)
    • c38a4a5 Generate semconv/v1.40.0 (#7929)
    • 0f1a224 chore(deps): update module github.com/securego/gosec/v2 to v2.23.0 (#7899)
    • c79ebf4 chore(deps): update module github.com/daixiang0/gci to v0.14.0 (#7973)
    • f758157 chore(deps): update module github.com/sonatard/noctx to v0.5.0 (#7968)
    • 92a1164 fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to d566b...
    • 3cd7c27 chore(deps): update module github.com/protonmail/go-crypto to v1.4.0 (#7969)
    • Additional commits viewable in compare view

  • 10933: build(deps): bump fast-xml-parser from 5.5.9 to 5.7.2 in /.github/actions/ses-email-action
    Bumps fast-xml-parser from 5.5.9 to 5.7.2. Release notes

    Sourced from fast-xml-parser's releases.

    backward compatibility for numerical external entity, fix #705, #817

    • allow numerical external entity for backward compatibility
    • fix #705: attributesGroupName working with preserveOrder
    • fix #817: stackoverflow when tag expression is very long

    upgrade @​nodable/entities and FXB

    • Use @nodable/entities v2.1.0
      • breaking changes
        • single entity scan. You're not allowed to use entity value to form another entity name.
        • you can't add numeric external entity
        • entity error message when expansion limit is crossed might change
      • typings are updated for new options related to process entity
      • please follow documentation of @nodable/entities for more detail.
      • performance
        • if processEntities is false, then there should not be impact on performance.
        • if processEntities is true, but you don't pass entity decoder separately then performance may degrade by approx 8-10%
        • if processEntities is true, and you pass entity decoder separately
          • if no entity then performance should be same as before
          • if there are entities then performance should be increased from past versions
      • ignoreAttributes is not required to be set to set xml version for NCR entity value
    • update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

    use @​nodable/entities to replace entities

    • No API change
    • No change in performance for basic usage
    • No typing change
    • No config change
    • new dependency
    • breaking: error messages for entities might have been changed.

    Full Changelog: https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.12...v5.6.0

    performance improvement, increase entity expansion default limit

    • increase default entity expansion limit as many projects demand for that
    maxEntitySize: 10000,
    maxExpansionDepth: 10000,
    maxTotalExpansions: Infinity,
    maxExpandedLength: 100000,
    maxEntityCount: 1000,
    
    • performance improvement
      • reduce calls to toString
      • early return when entities are not present
      • prepare rawAttrsForMatcher only if user sets jPath: false

    Full Changelog: https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.9...v5.5.10

    Changelog

    Sourced from fast-xml-parser's changelog.

    Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

    Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

    5.7.2 / 2026-04-25

    • allow numerical external entity for backward compatibility
    • fix #705: attributesGroupName working with preserveOrder
    • fix #817: stackoverflow when tag expression is very long

    5.7.1 / 2026-04-20

    • fix typo in CJS typing file

    5.7.0 / 2026-04-17

    • Use @nodable/entities v2.1.0
      • breaking changes
        • single entity scan. You're not allowed to use entity value to form another entity name.
        • you can't add numeric external entity
        • entity error message when expansion limit is crossed might change
      • typings are updated for new options related to process entity
      • please follow documentation of @nodable/entities for more detail.
      • performance
        • if processEntities is false, then there should not be impact on performance.
        • if processEntities is true, but you don't pass entity decoder separately then performance may degrade by approx 8-10%
        • if processEntities is true, and you pass entity decoder separately
          • if no entity then performance should be same as before
          • if there are entities then performance should be increased from past versions
      • ignoreAttributes is not required to be set to set xml version for NCR entity value
    • update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

    5.6.0 / 2026-04-15

    • fix: entity replacement for numeric entities
    • use @​nodable/entities to replace entities
      • this may change some error messages related to entities expansion limit or invalid use
      • post check would be exposed in future version

    5.5.12 / 2026-04-13

    • Performance Improvement: update path-expression-matcher
      • use proxy pattern than Proxy class

    5.5.11 / 2026-04-08

    • Performance Improvement
      • integrate ExpressionSet for stopNodes

    5.5.10 / 2026-04-03

    • increase default entity expansion limit as many projects demand for that
    • performance improvement
      • reduce calls to toString
      • early return when entities are not present
      • prepare rawAttrsForMatcher only if user sets jPath: false

    ... (truncated)

    Commits
    • b1d5b90 update releas info
    • 78571ae tests for long tag expression
    • ebaedc0 allow numerical external entities for backward compatibility
    • 91245eb update changelog
    • 79dd40d fix #705: don not group and nest attributes when both preserveOrder and attri...
    • d6bce3b allow long attribute expressions
    • 9a2561b remove unnecessary
    • 0f08303 fix typo
    • f529642 update to release v5.7.0
    • 52a8583 Revert "improve performance of attributes reading"
    • Additional commits viewable in compare view

  • 10832: build(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 in /go
    Bumps go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0. Changelog

    Sourced from go.opentelemetry.io/otel/sdk's changelog.

    [1.43.0/0.65.0/0.19.0] 2026-04-02

    Added

    • Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace for W3C Trace Context Level 2 Random Trace ID Flag support. (#8012)
    • Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#7642)
    • Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#8051)
    • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#8038)
    • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#8038)
    • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#8038)
    • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#8038)
    • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#8038)
    • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#8038)
    • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8038)
    • Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric. Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#8060)
    • Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#7855)

    Changed

    • Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#8038)
    • Improve slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#8039)
    • Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#8067)
    • Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8073)

    Deprecated

    • Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#8038)

    Fixed

    • Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to make the implementation spec-compliant. (#8027)
    • Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#8056)
    • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
    • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
    • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
    • WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#8113)
    • Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#8096)

    [1.42.0/0.64.0/0.18.0/0.0.16] 2026-03-06

    Added

    • Add go.opentelemetry.io/otel/semconv/v1.40.0 package. The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#7985)

    ... (truncated)

    Commits
    • 9276201 Release v1.43.0 / v0.65.0 / v0.19.0 (#8128)
    • 61b8c94 chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 (#8131)
    • 97a086e chore(deps): update github.com/golangci/dupl digest to c99c5cf (#8122)
    • 5e363de limit response body size for OTLP HTTP exporters (#8108)
    • 35214b6 Use an absolute path when calling bsd kenv (#8113)
    • 290024c fix(deps): update module google.golang.org/grpc to v1.80.0 (#8121)
    • e70658e fix: support getBody in otelploghttp (#8096)
    • 4afe468 fix(deps): update googleapis to 9d38bb4 (#8117)
    • b9ca729 chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 (#8115)
    • 69472ec chore(deps): update fossas/fossa-action action to v1.9.0 (#8118)
    • Additional commits viewable in compare view

  • 10827: build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.78.0 to 1.97.3 in /go
    Bumps github.com/aws/aws-sdk-go-v2/service/s3 from 1.78.0 to 1.97.3. Commits
  • 10825: build(deps): bump github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream from 1.6.10 to 1.7.8 in /go
    Bumps github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream from 1.6.10 to 1.7.8. Commits
  • 10805: build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in /go
    Bumps github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4. Release notes

    Sourced from github.com/go-jose/go-jose/v4's releases.

    v4.1.4

    What's Changed

    Fixes Panic in JWE decryption. See https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8

    Full Changelog: https://github.com/go-jose/go-jose/compare/v4.1.3...v4.1.4

    Commits
  • 10804: dolthub/dolt#10813 fix(checkout): enforce --no-overwrite-ignore in DOLT_CHECKOUT -b via direct SQL

    Summary

    When calling DOLT_CHECKOUT('-b', ...) directly via SQL (without --move), the --no-overwrite-ignore flag was silently ignored. CheckOverwrittenIgnoredTables was never called for the isMove=false path in checkoutNewBranch, so creating a branch from a non-HEAD start point would succeed even when ignored tables in the working set differed from the start point.
    The fix captures the current working roots before commitTransaction (which resets session state, making GetRoots return false afterward), then runs the ignored table check before switching the working set to the new branch.

    Changes

    • Call CheckOverwrittenIgnoredTables in the isMove=false path of checkoutNewBranch
    • Capture roots before commitTransaction to avoid session state reset
    • Add engine script tests and bats tests covering --no-overwrite-ignore and
      --overwrite-ignore with a non-HEAD start point
      Closes: #10813
  • 10801: build(deps): bump lodash from 4.17.23 to 4.18.1 in /integration-tests/mysql-client-tests/node
    Bumps lodash from 4.17.23 to 4.18.1. Release notes

    Sourced from lodash's releases.

    4.18.1

    Bugs

    Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

    These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

    There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

    4.18.0

    v4.18.0

    Full Changelog: https://github.com/lodash/lodash/compare/4.17.23...4.18.0

    Security

    _.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

    _.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

    Docs

    • Add security notice for _.template in threat model and API docs (#6099)
    • Document lower > upper behavior in _.random (#6115)
    • Fix quotes in _.compact jsdoc (#6090)

    lodash.* modular packages

    Diff

    We have also regenerated and published a select number of the lodash.* modular packages.

    These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

    Commits
    • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
    • 75535f5 chore: prune stale advisory refs (#6170)
    • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
    • 59be2de release(minor): bump to 4.18.0 (#6161)
    • af63457 fix: broken tests for _.template 879aaa9
    • 1073a76 fix: linting issues
    • 879aaa9 fix: validate imports keys in _.template
    • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
    • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
    • b819080 ci: add dist sync validation workflow (#6137)
    • Additional commits viewable in compare view

  • 10104: Add separate author and committer support
    Dolt now supports separate author (original intent) and committer (actual writer) identity for Dolt commits! Expect commit, cherry-pick, revert and merge operations (including SQL procedures) to pick up different author and committers automatically. The dolt_log, dolt_commits, dolt_diff, dolt_column_diff, dolt_branches, dolt_remote_branches system tables and respective table functions have been updated with author columns too.

    ⚠️ The committer columns in system tables or functions now show the committer identity instead of author. In old Dolt versions this was the result of no committer identity existing in storage, but has since been updated. We maintain backward-compatibility with this old format by duplicating the author identity into the committer identity. At serialization, however, the committer is only stored if the name or email is different from the author identity, allowing us to maintain the same commit hash history.
    ⚠️ We've appended the author columns to the end of each table to prevent issues with older Dolt clients.

New environment variables for committer identity are now available: DOLT_COMMITTER_NAME, DOLT_COMMITTER_EMAIL, DOLT_COMMITTER_DATE which take inspiration from their git counterparts.

⚠️ Environment variables (not SQL system variables) are only interpretable by the Dolt client. MySQL or alternative SQL clients will not pick these Dolt-specific environment variables up automatically in your terminal.

export DOLT_COMMITTER_NAME="Committer User"
export DOLT_COMMITTER_EMAIL="[email protected]"
export DOLT_COMMITTER_DATE="2025-01-01T12:00:00Z"
dolt commit -m "Commit with custom committer date"
+----------------------------------+----------------+-----------------------+---------------------+--------------------------------------+--------------+-----------+------------------+---------------------+
| commit_hash                      | committer      | email                 | date                | message                              | commit_order | author    | author_email     | author_date         |
+----------------------------------+----------------+-----------------------+---------------------+--------------------------------------+--------------+-----------+------------------+---------------------+
| tdf81ch4ug4c9uc2p78rls1iihj95unn | Committer User | [email protected] | 2025-01-01 12:00:00 | Commit with custom committer date    | 4            | Test User | [email protected] | 2025-11-19 10:15:47 |
| 0gonkh11sf1esld53b66jdpbu78sdq6i | Committer User | [email protected] | 2025-11-19 10:15:43 | Add Charlie with different committer | 3            | Test User | [email protected] | 2025-11-19 10:15:43 |
+----------------------------------+----------------+-----------------------+---------------------+--------------------------------------+--------------+-----------+------------------+---------------------+

Since non-Dolt clients cannot interpret these environment variables, we've also added the system variables dolt_committer_name, dolt_committer_email, dolt_committer_date, dolt_committer_author, dolt_committer_email, dolt_committer_date. They enable committer and author identity to travel over the wire.

  • New environment variables for committer identity: DOLT_COMMITTER_NAME, DOLT_COMMITTER_EMAIL, and DOLT_COMMITTER_DATE
  • New session variables for author and committer identity: dolt_committer_name, dolt_committer_email, dolt_committer_date, dolt_committer_author, dolt_committer_email, dolt_committer_date
  • Commit related operations now honor the committer identity system variables over the wire: merge, cherry-pick, commit, revert, DOLT_TAG() etc.
  • dolt clients seed session identity variables from the dolt config on loopback connections, or the SQL client identity for non-loopback
  • Append author columns to dolt_diff, dolt_column_diff, dolt_branches, dolt_remote_branches, dolt_history_* system table, views and table functions
  • Signed commits use a V2 payload that appends CommitterName, CommitterEmail, and CommitterDate after the author fields, using the prior payload as a prefix for forward compatibility
  • Commit flatbuffer gained committer_name and committer_email fields, written only when they differ from author
  • CommitDate struct introduced to explicitly resolve author and committer timestamps at serialization unless otherwise specified by version control operations
    Fix dolthub/dolt#1374
    Blocks dolthub/doltgresql#2039
    Blocks dolthub/docs#2826
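
A toy model of the storage rule described for 10104, as an added example that is not Dolt's code: the length-prefixed layout, the SHA-256 hash, and every type and function name here are assumptions standing in for Dolt's flatbuffer and commit hashing, and the identities are constructed. It shows why writing the committer only when it differs from the author leaves existing commit hashes unchanged, next to a writer that always stores it.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Identity is a name/email pair attached to a commit.
type Identity struct{ Name, Email string }

// Commit is a constructed stand-in for a stored commit, not Dolt's schema.
type Commit struct {
	Message   string
	Author    Identity
	Committer Identity
}

// putField appends one length-prefixed string (toy framing, assumed here).
func putField(buf *bytes.Buffer, s string) {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(s)))
	buf.Write(n[:])
	buf.WriteString(s)
}

// getField reads one length-prefixed string and returns the remaining bytes.
func getField(b []byte) (string, []byte, error) {
	if len(b) < 4 {
		return "", nil, errors.New("truncated length prefix")
	}
	n := int(binary.BigEndian.Uint32(b[:4]))
	if n > len(b)-4 {
		return "", nil, errors.New("truncated field")
	}
	return string(b[4 : 4+n]), b[4+n:], nil
}

// LegacySerialize is the pre-committer layout: message and author only.
func LegacySerialize(c Commit) []byte {
	var buf bytes.Buffer
	putField(&buf, c.Message)
	putField(&buf, c.Author.Name)
	putField(&buf, c.Author.Email)
	return buf.Bytes()
}

// NaiveSerialize always stores the committer, even when it equals the author.
func NaiveSerialize(c Commit) []byte {
	buf := bytes.NewBuffer(LegacySerialize(c))
	putField(buf, c.Committer.Name)
	putField(buf, c.Committer.Email)
	return buf.Bytes()
}

// Serialize stores the committer only when its name or email differs from
// the author, so commits without a distinct committer keep the legacy bytes.
func Serialize(c Commit) []byte {
	if c.Committer == c.Author {
		return LegacySerialize(c)
	}
	return NaiveSerialize(c)
}

// Deserialize duplicates the author into the committer when none was stored.
func Deserialize(b []byte) (Commit, error) {
	var c Commit
	var err error
	for _, f := range []*string{&c.Message, &c.Author.Name, &c.Author.Email} {
		if *f, b, err = getField(b); err != nil {
			return Commit{}, err
		}
	}
	c.Committer = c.Author
	if len(b) == 0 {
		return c, nil
	}
	for _, f := range []*string{&c.Committer.Name, &c.Committer.Email} {
		if *f, b, err = getField(b); err != nil {
			return Commit{}, err
		}
	}
	if len(b) != 0 {
		return Commit{}, errors.New("trailing bytes after committer")
	}
	return c, nil
}

// Hash is the content address of the serialized commit (SHA-256 assumed).
func Hash(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func main() {
	author := Identity{"Test User", "test@example.com"}            // constructed
	other := Identity{"Committer User", "committer@example.com"}   // constructed
	old := Commit{Message: "Add Charlie", Author: author, Committer: author}
	distinct := Commit{Message: "Add Charlie", Author: author, Committer: other}
	fmt.Println("legacy writer      ", Hash(LegacySerialize(old)))
	fmt.Println("conditional writer ", Hash(Serialize(old)))
	fmt.Println("always-store writer", Hash(NaiveSerialize(old)))
	fmt.Println("distinct committer ", Hash(Serialize(distinct)))
}
```
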

go-mysql-server

  • 3535: Enforce inline column references as foreign key constraints
    Fix dolthub/dolt#10970
  • 3533: fixed context reassignment error, which causes a panic in a running dolt SQL server
  • 3528: Bump go.opentelemetry.io/otel from 1.39.0 to 1.41.0
    Bumps go.opentelemetry.io/otel from 1.39.0 to 1.41.0. Changelog

    Sourced from go.opentelemetry.io/otel's changelog.

    [1.41.0/0.63.0/0.17.0/0.0.15] 2026-03-02

    This release is the last to support [Go 1.24]. The next release will require at least [Go 1.25].

    Added

    • Support testing of [Go 1.26]. (#7902)

    Fixed

    • Update Baggage in go.opentelemetry.io/otel/propagation and Parse and New in go.opentelemetry.io/otel/baggage to comply with W3C Baggage specification limits. New and Parse now return partial baggage along with an error when limits are exceeded. Errors from baggage extraction are reported to the global error handler. (#7880)
    • Return an error when the endpoint is configured as insecure and with TLS configuration in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#7914)
    • Return an error when the endpoint is configured as insecure and with TLS configuration in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#7914)
    • Return an error when the endpoint is configured as insecure and with TLS configuration in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#7914)

    [1.40.0/0.62.0/0.16.0] 2026-02-02

    Added

    • Add AlwaysRecord sampler in go.opentelemetry.io/otel/sdk/trace. (#7724)
    • Add Enabled method to all synchronous instrument interfaces (Float64Counter, Float64UpDownCounter, Float64Histogram, Float64Gauge, Int64Counter, Int64UpDownCounter, Int64Histogram, Int64Gauge,) in go.opentelemetry.io/otel/metric. This stabilizes the synchronous instrument enabled feature, allowing users to check if an instrument will process measurements before performing computationally expensive operations. (#7763)
    • Add go.opentelemetry.io/otel/semconv/v1.39.0 package. The package contains semantic conventions from the v1.39.0 version of the OpenTelemetry Semantic Conventions. See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.38.0. (#7783, #7789)

    Changed

    • Improve the concurrent performance of HistogramReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar by 4x. (#7443)
    • Improve the concurrent performance of FixedSizeReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar. (#7447)
    • Improve performance of concurrent histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7474)
    • Improve performance of concurrent synchronous gauge measurements in go.opentelemetry.io/otel/sdk/metric. (#7478)
    • Add experimental observability metrics in go.opentelemetry.io/otel/exporters/stdout/stdoutmetric. (#7492)
    • Exporter in go.opentelemetry.io/otel/exporters/prometheus ignores metrics with the scope go.opentelemetry.io/contrib/bridges/prometheus. This prevents scrape failures when the Prometheus exporter is misconfigured to get data from the Prometheus bridge. (#7688)
    • Improve performance of concurrent exponential histogram measurements in go.opentelemetry.io/otel/sdk/metric. (#7702)
    • The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)
    • The rpc.grpc.status_code attribute in the experimental metrics emitted from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc is replaced with the rpc.response.status_code attribute to align with the semantic conventions. (#7854)

    Fixed

    • Fix bad log message when key-value pairs are dropped because of key duplication in go.opentelemetry.io/otel/sdk/log. (#7662)
    • Fix DroppedAttributes on Record in go.opentelemetry.io/otel/sdk/log to not count the non-attribute key-value pairs dropped because of key duplication. (#7662)
    • Fix SetAttributes on Record in go.opentelemetry.io/otel/sdk/log to not log that attributes are dropped when they are actually not dropped. (#7662)
    • Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to correctly handle HTTP/2 GOAWAY frame. (#7794)
    • WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for ioreg command on Darwin (macOS). (#7818)

    ... (truncated)

    Commits
    • 4575a97 Release 1.41.0/0.63.0/0.17.0/0.0.15 (#7977)
    • 66fc10d fix: add error handling for insecure HTTP endpoints with TLS client configura...
    • 76e6eec chore(deps): update github/codeql-action action to v4.32.5 (#7980)
    • 0d50f90 Revert "Generate semconv/v1.40.0" (#7978)
    • c38a4a5 Generate semconv/v1.40.0 (#7929)
    • 0f1a224 chore(deps): update module github.com/securego/gosec/v2 to v2.23.0 (#7899)
    • c79ebf4 chore(deps): update module github.com/daixiang0/gci to v0.14.0 (#7973)
    • f758157 chore(deps): update module github.com/sonatard/noctx to v0.5.0 (#7968)
    • 92a1164 fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to d566b...
    • 3cd7c27 chore(deps): update module github.com/protonmail/go-crypto to v1.4.0 (#7969)
    • Additional commits viewable in compare view

  • 3527: Truncate invalid UTF-8 on INSERT IGNORE and warn on LIKE with bad charset pattern
    • INSERT IGNORE with invalid UTF-8 in a utf8mb4 column now truncates at the first bad byte
    • LIKE with an invalid UTF-8 pattern emits warning 1300 and returns no match
    • Exported TruncateInvalidUTF8 from sql/types
      Fix dolthub/dolt#10924
      Blocks dolthub/dolt#10926
  • 3523: Add handling of TargetRowSize table attribute to GMS interfaces
    TARGET_ROW_SIZE is a custom table attribute whose exact meaning is implementation-defined by whatever storage backend implements it. It's used by Dolt to describe the threshold at which adaptive-encoded columns should be moved to out-of-band storage instead of being stored inline in the table.

vitess

  • 467: Add ERWarnDeprecatedSyntax 1287
    Blocks dolthub/dolt#10983
  • 466: Add parser support for multiple functional expressions in an index
  • 464: Add TARGET_ROW_SIZE table attribute to parser
    In order to allow users to control how aggressively adaptive encoded values get outlined, we're adding an additional table attribute.
    Our adaptive encoding design is based on Postgres's TOAST types. Postgres has two table attributes, TOAST_TUPLE_THRESHOLD, and TOAST_TUPLE_TARGET. If a row in Postgres is greater than TOAST_TUPLE_THRESHOLD, then Postgres will attempt to move values out-of-band until the row length falls below TOAST_TUPLE_TARGET.
    There doesn't seem to be an obvious benefit for having two separate values here, so I think we can just add one. We could reuse either name to copy Postgres, but it would be potentially confusing to call our table attribute TOAST_TUPLE_TARGET since we don't call the feature TOAST anywhere else.
    This PR names the new table attribute TARGET_ROW_SIZE, but also accepts TOAST_TUPLE_TARGET as an alias in order to match Postgres.
    Since we want to avoid adding business logic to the parser, the parser does not do the aliasing; it just parses both names and allows GMS to do the aliasing. I'm also open to having the parser responsible for aliasing if we have strong opinions.

Closed Issues

  • 10987: dolt rm --cached rejects unstaged changes; git rm --cached does not
  • 10986: docs: add note that Bitbucket does not support storing dolt metadata in "refs/dolt/data" for git-backed dolt remotes
  • 10970: Default FK enforcement differs for PRIMARY KEY vs UNIQUE parent refs
  • 1374: Add "Commiter" and "Commit Date" to Commit Meta
  • 10961: dolt_rebase drops replayed index on successful rebase of disjoint index additions
  • 2945: Add support for function indexes

Breaking Changes

  • New separate author and committer fields are stored in commit metadata; old Dolt clients cannot interpret these new fields, causing incompatibility with repositories containing distinct committers.
  • `dolt_log`, `dolt_commits`, and related system tables now include author columns appended at the end to preserve backward compatibility; older clients may misinterpret or miss these columns.

Security Fixes

  • CVE-2026-4800
  • CVE-2021-23337

About dolt

Dolt – Git for Data

Related context

Earlier breaking changes

  • v2.0.4 `DOLT_CHECKOUT('<table>')` now gated with Write permission.
