
dolt

v2.0.5 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 14d Relational Databases
This release patches 2 known CVEs

Topics

agent-memory agent-memory-server ai-agents ai-database data-version-control data-versioning database database-version-control database-versioning decentralized-database git git-database git-for-data git-for-databases git-sql immutable-database mariadb mysql sql version-controlled-database

Affected surfaces

deps rce_ssrf

ReleasePort's take

Light signal
editorial:auto 14d

Dolt v2.0.5 patches two security vulnerabilities: a CVE in golang.org/x/image causing out-of-memory via crafted TIFF files, and SQL injection/prototype pollution in @mikro-orm. Additionally, it fixes a critical bug causing database corruption after process crashes from empty journal files.

Why it matters: Patch immediately if processing untrusted TIFF images or using @mikro-orm with MySQL. All deployments must upgrade to prevent data loss from the journal file bug during unexpected process termination.

Summary

AI summary

Updates dolt and go-mysql-server in a mixed release of security, feature, bugfix and refactor changes (see the merged PRs below).

Changes in this release

Security Medium

Upgrades golang.org/x/image to v0.38.0 fixing CVE out-of-memory via crafted TIFF file.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Security Medium

Upgrades @mikro-orm/core and @mikro-orm/mysql to v6.6.10+ fixing SQL injection and prototype pollution.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

Adds tests for IndexedJsonDocument.Compare ensuring type fallback consistency.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

Allows star expression usage in functions within go-mysql-server.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Bugfix Medium

Fixes a bug causing broken databases after process crash due to empty journal file.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Refactor Medium

Deletes in-flight table file on write error to prevent disk space waste.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Refactor Medium

Modifies CompareJSON to use sorted object keys in go-mysql-server.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Full changelog

Merged PRs

dolt

  • 11076: More revert dirty-set rules to sync with git
    Git will reject a revert when there is anything staged, regardless of whether or not there are conflicts in the changes. This change makes dolt follow the same pattern.
    Related: https://github.com/dolthub/dolt/pull/11073
  • 11074: go/store/nbs: journal.go: Fix a bug which could result in broken databases after a process crash.
    If Dolt crashed immediately after creating an empty journal file, and before it wrote the initial set-root record to it, then the next time Dolt ran it would treat the root of the database as 0000....
    This could also happen for certain observed filesystem states after an operating system crash.
  • 11072: go/store/nbs: Delete the in-flight table file in (*fileTablePersister).writeAndProtect when we experience an error on the write.
    Leaving it behind needlessly wastes disk space. It will never be usable and is in an indeterminate state.
    This is currently relevant even when FatalBehaviorFatal, because Conjoin's write is currently allowed to fail before we take the hard dependency on it. There are still some I/O errors which leave the file behind, including a failure at ftp.Open().
  • 11063: Tests for IndexedJsonDocument.Compare
    When an IndexedJsonDocument compares a sql.JsonDocument of a different type, it falls back to using Json.Compare. This PR adds tests to ensure that the two implementations match.
  • 10775: Fix open Dependabot security alerts
    Upgrade golang.org/x/image v0.18.0 -> v0.38.0 to address CVE for out-of-memory via crafted TIFF file. Upgrade @mikro-orm/core and @mikro-orm/mysql from v5 to v6.6.10+ to address critical SQL injection and high-severity prototype pollution vulnerabilities.
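
The two crash-safety points from PRs 11074 and 11072 (never let an empty journal become the visible database root; never leave an unusable in-flight file behind after a failed write) are illustrated by the following added example. It is not Dolt's code and does not use Dolt's real journal format: it assumes a constructed layout in which the journal's first record is a 32-byte root hash, and the file names, `ErrEmptyJournal`, and the `recordWriter` injection hook are hypothetical names chosen for this example.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// Constructed journal layout for this example (not Dolt's real format):
// the journal's first record is a 32-byte "set-root" hash.
const rootHashLen = 32

// ErrEmptyJournal is returned when the journal exists but holds no complete
// set-root record. It is the explicit alternative to silently decoding an
// empty file as the all-zero root, which is the failure PR 11074 fixes.
var ErrEmptyJournal = errors.New("journal: empty or truncated set-root record")

// recordWriter lets a test inject a write failure; production uses plainWrite.
type recordWriter func(w io.Writer, p []byte) (int, error)

func plainWrite(w io.Writer, p []byte) (int, error) { return w.Write(p) }

// RootOf derives a root hash from content; sha256 stands in for the real hash.
func RootOf(content []byte) [rootHashLen]byte { return sha256.Sum256(content) }

// WriteJournalInit writes the initial set-root record. The record goes to a
// temporary in-flight file, which is fsynced and only then renamed over the
// final name, so an empty journal is never visible at the final path even if
// the process dies mid-way. On any error the in-flight file is deleted
// rather than left behind in an indeterminate state (the point of PR 11072).
func WriteJournalInit(dir string, root [rootHashLen]byte) error {
	return writeJournalInitWith(dir, root, plainWrite)
}

func writeJournalInitWith(dir string, root [rootHashLen]byte, write recordWriter) (err error) {
	tmp, err := os.CreateTemp(dir, "journal-*.inflight")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	defer func() {
		if err != nil {
			tmp.Close()        // harmless if already closed
			os.Remove(tmpName) // discard the unusable partial file
		}
	}()
	if _, err = write(tmp, root[:]); err != nil {
		return err
	}
	if err = tmp.Sync(); err != nil { // data must be durable before the rename
		return err
	}
	if err = tmp.Close(); err != nil {
		return err
	}
	if err = os.Rename(tmpName, filepath.Join(dir, "journal")); err != nil {
		return err
	}
	// Persist the directory entry so the rename itself survives a crash.
	d, err := os.Open(dir)
	if err != nil {
		return err
	}
	defer d.Close()
	return d.Sync()
}

// ReadJournalRoot returns the root recorded in dir/journal. A missing file is
// reported as-is; an empty or short file yields ErrEmptyJournal instead of a
// zero-valued root.
func ReadJournalRoot(dir string) ([rootHashLen]byte, error) {
	var root [rootHashLen]byte
	f, err := os.Open(filepath.Join(dir, "journal"))
	if err != nil {
		return root, err
	}
	defer f.Close()
	n, err := io.ReadFull(f, root[:])
	if errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF) {
		return root, fmt.Errorf("%w: read %d of %d bytes", ErrEmptyJournal, n, rootHashLen)
	}
	return root, err
}

// InflightFiles lists leftover in-flight files; there should be none after
// either a successful write or a cleaned-up failure.
func InflightFiles(dir string) ([]string, error) {
	return filepath.Glob(filepath.Join(dir, "journal-*.inflight"))
}

func main() {
	dir, err := os.MkdirTemp("", "journal-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	root := RootOf([]byte("constructed sample content"))
	if err := WriteJournalInit(dir, root); err != nil {
		panic(err)
	}
	got, err := ReadJournalRoot(dir)
	fmt.Printf("root matches: %v, err: %v\n", got == root, err)

	// Simulate the crash scenario: an empty journal left at the final path.
	_ = os.WriteFile(filepath.Join(dir, "journal"), nil, 0o644)
	_, err = ReadJournalRoot(dir)
	fmt.Println("empty journal rejected:", errors.Is(err, ErrEmptyJournal))
}
```

The write path puts the record in a temp file, fsyncs it, renames it into place and fsyncs the directory, so the only states a crash can leave are "no journal" or "complete journal"; the read path turns the remaining pathological state (an empty file, for instance after an OS crash that lost the data but kept the directory entry) into a hard error rather than a silently wrong root.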

go-mysql-server

  • 3551: star expression used in function
  • 3550: modify CompareJSON to use sorted object keys

Closed Issues

Security Fixes

  • Upgrade golang.org/x/image from v0.18.0 to v0.38.0 – fixes CVE for out-of-memory via crafted TIFF file
  • Upgrade @mikro-orm/core and @mikro-orm/mysql from v5 to v6.6.10+ – addresses critical SQL injection and high-severity prototype pollution vulnerabilities

About dolt

Dolt – Git for Data

Related context

Earlier breaking changes

  • v2.0.4 `DOLT_CHECKOUT('<table>')` now gated with Write permission.
