chore(deps): bump com.arcadedb:arcadedb-network from 26.4.2 to 26.6.1 #866

Merged
mergify[bot] merged 1 commit into main from dependabot/maven/com.arcadedb-arcadedb-network-26.6.1
Jun 4, 2026
@dependabot dependabot Bot commented on behalf of github Jun 4, 2026

Bumps com.arcadedb:arcadedb-network from 26.4.2 to 26.6.1.

Release notes

Sourced from com.arcadedb:arcadedb-network's releases.

26.6.1

ArcadeDB 26.6.1 Release Notes

Overview

ArcadeDB 26.6.1 is a stability, durability and security hardening release with over 280 commits and 66 resolved issues. The headline news is end-to-end TLS/SSL for the HA cluster, a deep wave of durability and crash-recovery hardening across the WAL, page and serialization layers, and a broad security hardening pass (schema authorization, IMPORT DATABASE source validation, injection fixes and a full CodeQL cleanup). On top of that comes a long list of High Availability / Raft, OpenCypher, SQL, vector index and wire-protocol fixes, plus Studio and operational improvements.

Major Highlights

TLS/SSL Across the HA Cluster

The Raft-based HA cluster can now run fully encrypted. Inter-node replication traffic supports SSL/TLS, and the snapshot installer was fixed so a follower can download a leader snapshot over the HTTPS listener instead of crashing with Unsupported or unrecognized SSL message. (#4470)

Durability & Crash-Recovery Hardening

A large batch of fixes closes data-integrity gaps in the storage, WAL and serialization layers so committed transactions survive crashes and power loss, and recovery never silently drops data:

  • WAL is now fsynced on commit by default, and data files are fsynced before WAL files are deleted on clean close. (#4330, #4332)
  • Crash recovery now aborts on a WAL version gap and preserves the WAL files instead of silently skipping the gap. (#4331, #4320)
  • MutablePage.move no longer mis-tracks the modified range on backward shifts, so defrag bytes are no longer omitted from the WAL. (#4319)
  • Binary serialization fixes: property count now matches the bytes written, and partial reads are handled via readFully. (#4328, #4329)
  • Short-write / short-read returns are now respected in PaginatedComponentFile. (#4321)
  • LZ4 compression no longer corrupts data when Binary.position() > 0. (#4317)
  • Simple-8b codec validation no longer silently truncates Long.MAX_VALUE / Long.MIN_VALUE. (#4336)
  • migratedFileIds is now persisted in schema.json, so compaction no longer silently drops in-flight transactions across restart. (#4333)
  • java.lang.NegativeArraySizeException on transaction commit fixed. (#4420)

Security Hardening

  • All LocalDocumentType / LocalProperty schema mutators now require the UPDATE_SCHEMA permission (previously only createProperty was gated). (#4423)
  • IMPORT DATABASE now validates its source and requires admin privilege, closing SSRF / LFI vectors. (#4422)
  • SQL injection fixed in RemoteVertex.newEdge by switching to parameter binding (also fixes breakage on apostrophes). (#4327)
  • JavaScript injection in the polyglot engine closed by replacing the "looks-like-JSON" source-concatenation heuristic with Value.execute(). (#4326)
  • Full CodeQL cleanup: open Java and JavaScript code-scanning alerts resolved at their true sources (workflow permissions, ReDoS, path-injection). (#4383, #4386, #4388)

Major Fixes

High Availability & Clustering

  • TimeSeries data now replicates correctly across an HA cluster, and a compaction/append deadlock that caused a WAL version gap on Raft followers was eliminated. (#4414, #4458)
  • Concurrent single-row time-series INSERTs no longer silently lose samples (sealed-slot lost update). (#4453)
  • Bolt writes to a follower no longer fail with "no authenticated user in the current security context"; the authenticated user is now bound on DatabaseContext in the Bolt executor. (#4456)
  • PeerAddressAllowlistFilter no longer rejects legitimate peers during a Kubernetes DNS-resolution race (incomplete allowlist on startup/restart). (#4471)
  • Stale-follower recovery is fixed when a snapshot download fails on a quiet cluster.
  • New configurable paths: arcadedb.ha.raftStorageDirectory for the Raft storage directory (#4446), configurable server log directory for read-only root filesystems (#4451), and arcadedb.ha.clusterTokenPath to read the cluster shared secret from a file (#4431).
  • RemoteDatabase no longer reuses a session id across servers on HA failover during an open transaction; a TransactionException is now raised on server switch. (#4373)
  • RemoteHttpComponent no longer mutates leaderServer / currentServer non-atomically during retries. (#4372)
  • New STICKY strategy pins HTTP transactions to a concrete cluster member. (#4273)
  • getReplicaAddresses now excludes the local peer instead of the leader. (#4274)
  • /api/v1/server?mode=cluster returns the ha section again after the Raft migration. (#4261)

... (truncated)

Commits
  • 8cd72b1 Set release version to 26.6.1
  • 9f77595 fix: [ha] PeerAddressAllowlistFilter rejects legitimate peers during k8s DNS-...
  • a857e57 feat: supported SSL in HA cluster
  • 69cc67a fix(#4468): expand primitive-array IN params through indexed path (#4469)
  • 716cfa5 test: fixed failing test because of HA_CLUSTER_TOKEN_PATH defaults to null
  • 151eb96 fix: [ha] stale follower recovery when snapshot download fails on a quiet clu...
  • ee90cc7 test: added regression test for #4354
  • 678620b fix(#4451): configurable server log directory for read-only root filesystems ...
  • d5e6666 fix: [ha] fixed node aliases
  • 6e63d43 fix: [sql] issues with MOVE VERTEX command
  • Additional commits viewable in compare view

Bumps [com.arcadedb:arcadedb-network](https://github.com/ArcadeData/arcadedb) from 26.4.2 to 26.6.1.
- [Release notes](https://github.com/ArcadeData/arcadedb/releases)
- [Commits](ArcadeData/arcadedb@26.4.2...26.6.1)

---
updated-dependencies:
- dependency-name: com.arcadedb:arcadedb-network
  dependency-version: 26.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jun 4, 2026
@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

🟢 Metrics 0 complexity · 0 duplication

Metric Results
Complexity 0
Duplication 0

@mergify mergify Bot merged commit 961ac8c into main Jun 4, 2026
11 of 14 checks passed
@dependabot dependabot Bot deleted the dependabot/maven/com.arcadedb-arcadedb-network-26.6.1 branch June 4, 2026 14:25
Labels

dependencies Pull requests that update a dependency file dependency_approved java Pull requests that update Java code
