chore(deps): bump github.com/nats-io/nats-server/v2 from 2.12.6 to 2.12.7

[dependabot]

Bumps github.com/nats-io/nats-server/v2 from 2.12.6 to 2.12.7.

Release notes

Sourced from github.com/nats-io/nats-server/v2's releases.

Release v2.12.7

Changelog

Refer to the 2.12 Upgrade Guide for backwards compatibility notes with 2.11.x.

Go Version

• 1.25.9 (#8017)

Dependencies

• github.com/nats-io/nats.go v1.50.0 (#8000)

CVEs

• TBD

Improved

JetStream

• Purging subjects from a stream now only loads filestore blocks within the range of where those subjects appear (#8004)
• Multi-filtered load next or previous message code paths now correctly identify single subject filters or full wildcards and switch to optimized paths (#8012, 8013)
• The max_mem_store and max_file_store configuration options can now be increased (but not decreased) via config reload (#8014)

Fixed

General

• no_auth_user is now restricted to client connections only
• Overlapping wildcard patterns in ACL deny patterns are now enforced correctly
• Queue subscriptions can no longer incorrectly bypass non-queue ACL deny patterns

Leafnodes

• Pre-CONNECT guard improvements for leafnode connections, fixing a potential panic
• ACL permissions are now correctly enforced for inbound leaf messages in all cases
• Duplicate INFO permissions updates are now only accepted for solicited leaf connections
• The max_payload limit is now correctly enforced for leafnode connections
• A panic on leafnode connect when failing to resolve an account has been fixed (#7991)

JetStream

• Consumer max_ack_pending should no longer become stuck due to deleted messages being left in the consumer pending state (#7984)
• When scaling up a stream and adding subjects at the same time, the new subject filters are now correctly subscribed (#8003)
• Filestore caches are no longer expired and evicted from memory too eagerly after a recent write (#8009)
• Stream leaders can catch up from a snapshot if required (#8021)

MQTT

... (truncated)

Commits

• b4ce0f9 Release v2.12.7
• 195b07a Fix fast-path no_auth_user for WebSockets where WS-specific account configured
• 213391e [FIXED] Stream leader can catchup from snapshot if required
• e0b0bda Release v2.12.7-RC.3
• d2c6139 Cherry-picks for 2.12.7-RC.3 (#79)
• 97a3f84 Update to Go 1.25.9
• a824f30 [IMPROVED] Allow reloading increased max memory and store
• 56548be LoadNextMsgMulti and LoadPrevMsgMulti use fast path for single filter
• b1776c6 Add MatchesSingleFilter to generic sublist
• 807d653 Complete filtered LoadPrevMsg implementation
• Additional commits viewable in compare view

[cursor]

PR Summary

Low Risk
Dependency-only bump with no application code changes; risk is limited to potential behavior changes in the embedded/managed NATS server version at runtime.

Overview
Updates the Go module dependency github.com/nats-io/nats-server/v2 from v2.12.6 to v2.12.7, with corresponding go.sum checksum changes.

^{Reviewed by Cursor Bugbot for commit 90fe21e. Bugbot is set up for automated code reviews on this repo. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	github.com/​nats-io/​nats-server/​v2@​v2.12.6 ⏵ v2.12.7	+4

View full report