Merge pull request #2860 from emqx/5.8.6-release-notes

Release notes for v/e5.8.6

Author: Meggielqk

en_US/changes/all-changes-ce.md

@@ -4,6 +4,7 @@ The release notes page for EMQX provides a comprehensive and detailed record of
 
 ## v5.8
 
+- [5.8.6](./changes-ce-v5.md#_5-8-6): 2025-03-25
 - [5.8.5](./changes-ce-v5.md#_5-8-5): 2025-02-25
 - [5.8.4](./changes-ce-v5.md#_5-8-4): 2024-12-26
 - [5.8.3](./changes-ce-v5.md#_5-8-3): 2024-12-05

en_US/changes/all-changes-ee.md

@@ -4,6 +4,7 @@ The release notes page for EMQX Enterprise provides a comprehensive and detailed
 
 ## v5.8
 
+- [5.8.6](./changes-ee-v5.md#_5-8-6): 2025-03-25
 - [5.8.5](./changes-ee-v5.md#_5-8-5): 2025-02-25
 - [5.8.4](./changes-ee-v5.md#_5-8-4): 2024-12-26
 - [5.8.3](./changes-ee-v5.md#_5-8-3): 2024-12-05

en_US/changes/breaking-changes-ce-5.8.md

@@ -1,5 +1,15 @@
 # Incompatible Changes in EMQX 5.8
 
+## v5.8.6
+
+- [#14802](https://github.com/emqx/emqx/pull/14802) Starting from this version, plugin installation via the REST API or Dashboard requires explicit permission. Users must obtain this permission using the following CLI command before installing.
+
+  ```bash
+  emqx ctl plugins allow NAME-VSN
+  ```
+
+  This change enhances security by preventing unauthorized plugin installations. Users managing plugins via the API or Dashboard must adjust their workflows accordingly.
+
 ## v5.8.5
 
 - [#14703](https://github.com/emqx/emqx/pull/14703) Introduced a change to the maximum allowed value for `force_shutdown.max_heap_size`, which is now set to `128GB`. If the `max_heap_size` was previously set to a value exceeding 128GB, this could lead to issues after upgrading, such as during configuration reloading or updates.

en_US/changes/breaking-changes-ee-5.8.md

@@ -1,5 +1,15 @@
 # Incompatible Changes in EMQX 5.8
 
+## e5.8.6
+
+- [#14802](https://github.com/emqx/emqx/pull/14802) Starting from this version, plugin installation via the REST API or Dashboard requires explicit permission. Users must obtain this permission using the following CLI command before installing.
+
+  ```bash
+  emqx ctl plugins allow NAME-VSN
+  ```
+
+  This change enhances security by preventing unauthorized plugin installations. Users managing plugins via the API or Dashboard must adjust their workflows accordingly.
+
 ## e5.8.5
 
 - [#14703](https://github.com/emqx/emqx/pull/14703) Introduced a change to the maximum allowed value for `force_shutdown.max_heap_size`, which is now set to `128GB`. If the `max_heap_size` was previously set to a value exceeding 128GB, this could lead to issues after upgrading, such as during configuration reloading or updates.

en_US/changes/changes-ce-v5.md

@@ -1,5 +1,67 @@
 # EMQX Open Source Version 5
 
+## 5.8.6
+
+*Release Date: 2025-03-25*
+
+Make sure to check the breaking changes and known issues before upgrading to EMQX 5.8.6.
+
+### Enhancement
+
+- [#14869](https://github.com/emqx/emqx/pull/14869) Added the `connected_at` timestamp field to the `$events/client_disconnected` event payload. This enhancement enables tracking the original connection session time for disconnected clients, preventing outdated disconnect events from overriding newer connection states.
+
+  Previously, when clients frequently reconnected due to unstable networks, delayed disconnect events could lead to incorrect session tracking. With this update, the `connected_at` field is now included in the event payload, aligning its behavior with system topics and ensuring accurate session state management.
+
+### Bug Fixes
+
+#### Core MQTT Functionalities
+
+- [#14815](https://github.com/emqx/emqx/pull/14815) Fixed packet ID release for QoS 2 messages. Previously, if a client failed to send a PUBREL for the maximum configured number of pending QoS 2 messages and then disconnected, the packet IDs remained occupied even after exceeding the configured Max Awaiting PUBREL Timeout.
+
+#### Installation and Deployment
+
+- [#14797](https://github.com/emqx/emqx/pull/14797) Fixed macOS release package startup issue due to OpenSSL dynamic linking (backport #14624).
+
+  Previously, the EMQX ZIP package on macOS could fail to start because the `quicer` application dynamically linked to the system-installed OpenSSL, which was not signed during the EMQX build process. Now we have disabled dynamic linking for OpenSSL, aligning with the OTP shipped on macOS. This ensures EMQX starts reliably on macOS 13 and later.
+
+#### Authentication
+
+- [#14847](https://github.com/emqx/emqx/pull/14847) Fixed JWKS authentication failure for wildcard HTTPS endpoints. Previously, JWKS authentication failed to retrieve keys from HTTPS endpoints that used wildcard hostnames, preventing successful authentication.
+- [#14786](https://github.com/emqx/emqx/pull/14786) Fixed JWT authentication settings update when using an external JWKS endpoint. Previously, when updating JWT authentication settings with JWKS (key server) enabled in both the old and new configurations, some settings were not correctly applied.
+
+
+#### REST API
+
+- [#14834](https://github.com/emqx/emqx/pull/14834) Fixed incorrect `Content-Type` header when downloading data backup files. Previously, the response header for downloaded backup files incorrectly used `application/json` instead of `application/octet-stream`.
+
+
+#### Rule Engine
+
+- [#14824](https://github.com/emqx/emqx/pull/14824) Fixed HTTP 500 error in SQL Rule Tester when handling `details` key in alarm events. Previously, when testing `alarm_activated` or `alarm_deactivated` events in the SQL Rule Tester, certain values in the `details` key could cause an HTTP 500 error due to improper handling of nested map keys.
+
+
+#### Observability
+
+- [#14800](https://github.com/emqx/emqx/pull/14800) Throttled `warning` level log `dropped_qos0_msg`.
+
+- [#14793](https://github.com/emqx/emqx/pull/14793) Added trace log for `protocol_error` in MQTT connections.
+
+  Previously, when a client sent invalid or unexpected MQTT packets causing a `protocol_error`, EMQX logs provided limited details, making it difficult to diagnose the issue.
+
+  For example, if a client sent a second `CONNECT` packet while already connected, EMQX would log `socket_force_closed` with `protocol_error`, but without indicating the exact cause.
+
+  With this update, EMQX now logs `unexpected_connect_packet` with `conn_state=connected` before `socket_force_closed`, providing clearer context for debugging protocol violations.
+
+#### Plugin
+
+- [#14802](https://github.com/emqx/emqx/pull/14802) Introduced a new CLI command for plugins:
+
+  ```bash
+   emqx ctl plugins allow NAME-VSN
+  ```
+
+  Before installing a plugin via the HTTP API or Dashboard, this command must be executed to explicitly allow the package, improving security and preventing unauthorized installations.
+
 ## 5.8.5
 
 *Release Date: 2025-02-25*
@@ -983,8 +1045,6 @@ Note: This is a breaking change. This option is enabled by default, so the defau
 
 - [#13118](https://github.com/emqx/emqx/pull/13118) Fixed a performance issue in the rule engine template rendering.
 
-- [#12880](https://github.com/emqx/emqx/pull/12880) Fixed an issue in the InfluxDB action configuration where serialization failed when a tag set value contained a literal integer or float. Tag set values are now correctly treated as strings. For more details on tag sets, refer to the [Line Protocol - Tag Set](https://docs.influxdata.com/influxdb/v2/reference/syntax/line-protocol/#tag-set).
-
 #### Observability
 
 - [#12765](https://github.com/emqx/emqx/pull/12765) Make sure stats `subscribers.count` `subscribers.max` contains shared-subscribers. It only contains non-shared subscribers previously.

en_US/changes/changes-ee-v5.md

@@ -1,5 +1,89 @@
 # EMQX Enterprise Version 5
 
+## 5.8.6
+
+*Release Date: 2025-03-25*
+
+Make sure to check the breaking changes and known issues before upgrading to EMQX 5.8.6.
+
+### Enhancements
+
+- [#14869](https://github.com/emqx/emqx/pull/14869) Added the `connected_at` timestamp field to the `$events/client_disconnected` event payload. This enhancement enables tracking the original connection session time for disconnected clients, preventing outdated disconnect events from overriding newer connection states.
+
+  Previously, when clients frequently reconnected due to unstable networks, delayed disconnect events could lead to incorrect session tracking. With this update, the `connected_at` field is now included in the event payload, aligning its behavior with system topics and ensuring accurate session state management.
+
+- [#14855](https://github.com/emqx/emqx/pull/14855) Added a new configuration option `ignore_unsupported_frames` to the JT/T 808 gateway. This option prevents devices from being disconnected when sending messages that the gateway cannot parse.
+
+- [#14858](https://github.com/emqx/emqx/pull/14858) EMQX supports data integration with TDengine Cloud. The TDengine Cloud requires an additional token parameter for authentication, which is now supported in the TDengine connector.
+
+### Bug Fixes
+
+#### Core MQTT Functionalities
+
+- [#14815](https://github.com/emqx/emqx/pull/14815) Fixed packet ID release for QoS 2 messages. Previously, if a client failed to send a PUBREL for the maximum configured number of pending QoS 2 messages and then disconnected, the packet IDs remained occupied even after exceeding the configured Max Awaiting PUBREL Timeout.
+
+#### Installation and Deployment
+
+- [#14797](https://github.com/emqx/emqx/pull/14797) Fixed macOS release package startup issue due to OpenSSL dynamic linking (backport #14624).
+
+  Previously, the EMQX ZIP package on macOS could fail to start because the `quicer` application dynamically linked to the system-installed OpenSSL, which was not signed during the EMQX build process. Now we have disabled dynamic linking for OpenSSL, aligning with the OTP shipped on macOS. This ensures EMQX starts reliably on macOS 13 and later.
+
+#### Authentication
+
+- [#14847](https://github.com/emqx/emqx/pull/14847) Fixed JWKS authentication failure for wildcard HTTPS endpoints. Previously, JWKS authentication failed to retrieve keys from HTTPS endpoints that used wildcard hostnames, preventing successful authentication.
+- [#14786](https://github.com/emqx/emqx/pull/14786) Fixed JWT authentication settings update when using an external JWKS endpoint. Previously, when updating JWT authentication settings with JWKS (key server) enabled in both the old and new configurations, some settings were not correctly applied.
+
+
+#### REST API
+
+- [#14834](https://github.com/emqx/emqx/pull/14834) Fixed incorrect `Content-Type` header when downloading data backup files. Previously, the response header for downloaded backup files incorrectly used `application/json` instead of `application/octet-stream`.
+- [#14863](https://github.com/emqx/emqx/pull/14863) Fixed a problem with `cluster/:node/invite_async` REST API. Previously, this API could attempt to use a down node as the coordinator.
+
+
+#### Rule Engine
+
+- [#14824](https://github.com/emqx/emqx/pull/14824) Fixed an HTTP 500 error in SQL Rule Tester when handling the `details` key in alarm events. Previously, when testing `alarm_activated` or `alarm_deactivated` events in the SQL Rule Tester, certain values in the `details` key could cause an HTTP 500 error due to improper handling of nested map keys.
+
+#### Data Integration
+
+- [#14796](https://github.com/emqx/emqx/pull/14796) Fixed Pulsar producer inflight state leak. Prior to this fix, the Pulsar client's inflight state could leak, preventing the connector’s inflight counter from returning to zero. This fix also included a performance improvement for Pulsar and Kafka producers on x86.
+
+  Also, implemented proper support for the `buffer.memory_overload_protection` parameter in Pulsar Action. Previously, this configuration had no effect, leading to uncontrolled memory usage.
+
+- [#14902](https://github.com/emqx/emqx/pull/14902) Improved error handling in the SQL Server action for connection failures by treating `IMC0x` SQLSTATE errors as recoverable. This prevents message loss when the external MSSQL service is temporarily unavailable and ensures messages are properly cached for retry.
+  Also enhances connection health checks to correctly detect broken connections and initiate connector reconnection attempts, improving the reliability of the SQL Server connector in unstable network environments.
+
+
+#### Observability
+
+- [#14800](https://github.com/emqx/emqx/pull/14800) Throttled `warning` level log `dropped_qos0_msg`.
+
+- [#14793](https://github.com/emqx/emqx/pull/14793) Added trace log for `protocol_error` in MQTT connections.
+
+  Previously, when a client sent invalid or unexpected MQTT packets causing a `protocol_error`, EMQX logs provided limited details, making it difficult to diagnose the issue.
+  
+  For example, if a client sent a second `CONNECT` packet while already connected, EMQX would log `socket_force_closed` with `protocol_error`, but without indicating the exact cause.
+  
+  With this update, EMQX now logs `unexpected_connect_packet` with `conn_state=connected` before `socket_force_closed`, providing clearer context for debugging protocol violations.
+
+- [#14813](https://github.com/emqx/emqx/pull/14813) Fixed the issue that the outgoing messages sent to the WebSocket clients were not traced in end-to-end tracing.
+
+- [#14880](https://github.com/emqx/emqx/pull/14880) Improved logging for SQL Server connector health-check failures. With this update, the logs now provide more precise failure reasons, such as `timeout errors` or `unexpected_SELECT_1_result`, along with detailed diagnostic information to aid in troubleshooting.
+
+#### Plugin
+
+- [#14802](https://github.com/emqx/emqx/pull/14802) Introduced a new CLI command for plugins:
+
+  ```bash
+   emqx ctl plugins allow NAME-VSN
+  ```
+
+  Before installing a plugin via the HTTP API or Dashboard, this command must be executed to explicitly allow the package, improving security and preventing unauthorized installations.
+
+#### Gateway
+
+- [#14756](https://github.com/emqx/emqx/pull/14756) Improved the JT/T 808 gateway so that when anonymous authentication is enabled, the registration response will carry the default authentication code `anonymous`. This is used to avoid the issue where some clients are unable to parse an empty authentication code.
+
 ## 5.8.5
 
 *Release Date: 2025-02-25*

zh_CN/changes/all-changes-ce.md

@@ -4,6 +4,7 @@ EMQX 版本发布页面全面详细地记录了 EMQX 每个版本中的更新、
 
 ## v5.8
 
+- [5.8.6](./changes-ce-v5.md#_5-8-6): 2025-03-25
 - [5.8.5](./changes-ce-v5.md#_5-8-5): 2025-02-25
 - [5.8.4](./changes-ce-v5.md#_5-8-4): 2024-12-26
 - [5.8.3](./changes-ce-v5.md#_5-8-3): 2024-12-05

zh_CN/changes/all-changes-ee.md

@@ -4,6 +4,7 @@ EMQX 企业版版本发布页面全面详细地记录了 EMQX 企业版每个版
 
 ## v5.8
 
+- [5.8.6](./changes-ee-v5.md#_5-8-6): 2025-03-25
 - [5.8.5](./changes-ee-v5.md#_5-8-5): 2025-02-25
 - [5.8.4](./changes-ee-v5.md#_5-8-4): 2024-12-26
 - [5.8.3](./changes-ee-v5.md#_5-8-3): 2024-12-05

zh_CN/changes/breaking-changes-ce-5.8.md

@@ -1,5 +1,16 @@
 # EMQX 5.8 中的不兼容更改
 
+## v5.8.6
+
+- [#14802](https://github.com/emqx/emqx/pull/14802) 从此版本开始，通过 REST API 或 Dashboard 安装插件需要显式授权。
+   用户必须在安装插件前，使用以下 CLI 命令获取权限：
+
+  ```bash
+  emqx ctl plugins allow NAME-VSN
+  ```
+
+  此更改提升了安全性，可防止未经授权的插件安装。使用 API 或 Dashboard 管理插件的用户需相应调整操作流程。
+
 ## v5.8.5
 
 - [#14703](https://github.com/emqx/emqx/pull/14703) 引入了 `force_shutdown.max_heap_size` 最大允许值的变更，现将其设置为 `128GB`。如果之前将 `max_heap_size` 设置为超过 128GB 的值，升级后可能会导致问题，例如在更新或重新加载配置时出现问题。

zh_CN/changes/breaking-changes-ee-5.8.md

@@ -1,5 +1,16 @@
 # EMQX 5.8 中的不兼容变更
 
+## e5.8.6
+
+- [#14802](https://github.com/emqx/emqx/pull/14802) 从此版本开始，通过 REST API 或 Dashboard 安装插件需要显式授权。
+   用户必须在安装插件前，使用以下 CLI 命令获取权限：
+
+  ```bash
+  emqx ctl plugins allow NAME-VSN
+  ```
+
+  此更改提升了安全性，可防止未经授权的插件安装。使用 API 或 Dashboard 管理插件的用户需相应调整操作流程。
+
 ## e5.8.5
 
 - [#14703](https://github.com/emqx/emqx/pull/14703) 引入了 `force_shutdown.max_heap_size` 最大允许值的变更，现将其设置为 `128GB`。如果之前将 `max_heap_size` 设置为超过 128GB 的值，升级后可能会导致问题，例如在更新或重新加载配置时出现问题。