dolt 1.83.7

[BrewTestBot]

Created by brew bump

---

Created with brew bump-formula-pr.

Details

release notes

# Merged PRs
dolt

10702: Special handling of comment delimiters in StreamScanner

fixes #10694
10700: Fix Dolt table function privilege checks when current database is revision-qualified

MySQL privilege grants are stored against the base database name, so when a user called a Dolt table function with mydb/revision as the current database, the privilege check looked up the revision-qualfied name instead of mydb.

Update dolt_schema_diff, dolt_diff, dolt_diff_stat, dolt_diff_summary, dolt_log, dolt_patch, dolt_preview_merge_conflicts, dolt_preview_merge_conflicts_summary, and dolt_query_diff to strip revision qualifier before performing privilege checks.

Fix dolthub/dolt#10695

Companion dolthub/docs#2804


10696: go: doltcore/sqle: database_provider.go: Fix a deadlock in DROP DATABASE.

A lock-acquisition order error could cause DROP DATABASE to conflict on lock acquisition with a DoltSession's own Mutex. The result was that all sessions would then block indefinitely and irrecoverably on trying to access any database loaded in the server.

This changes the order of operations and the lock acquisition sequencing to not dead lock.

Note: finalization of DROP DATABASE with regards to sessions and ongoing queries which may be accessing the database is still somewhat lacking. To be improved in the future.

Fixes: #10692.
10691: Have fsTablePersister implement movingTableFilePersister

The movingTableFilePersister interface is for tablePersister implementations that build a temporary table file and have the ability to move the temporary file into the final location instead of copying the contents into a new one.

Enable the GC process to write to archive files dolthub/dolt#9118 added support for persisting archive files. As part of this change, the signature of a method on movingTableFilePersister was changed to accept the more generic GenericTableWriter interface instead of the more specific CmpChunkTableWriter.

Unfortunately, the signature was not also updated on the fsTablePersister implementation, resulting in it no longer implementing the interface. As a result, we lost the ability move table files during garbage collection. This had no impact on correctness, but potentially had a performance impact.

This PR fixes this issue.
10690: /go/{cmd,libraries} check for valid dbs, close opened dbs on error
10689: /{dist,package-lock.json}: rebuild dist
10683: Bump undici from 6.23.0 to 6.24.0 in /.github/actions/ses-email-action

Bumps undici from 6.23.0 to 6.24.0.

Release notes
Sourced from undici's releases.

v6.24.0
Undici v6.24.0 Security Release Notes (LTS)
This release backports fixes for security vulnerabilities affecting the v6 line.
Upgrade guidance
All users on v6 should upgrade to v6.24.0 or later.
Fixed advisories


GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)

Inconsistent interpretation of HTTP requests (request/response smuggling class issue).


GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)

Malicious WebSocket 64-bit frame length handling could crash the client.


GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)

CRLF injection via the upgrade option.


GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)

Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.


GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)

Unbounded memory consumption in WebSocket permessage-deflate decompression.


Not applicable to v6

GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

CVE-2026-1525: affected < 6.24.0, patched 6.24.0
CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
CVE-2026-1527: affected < 6.24.0, patched 6.24.0
CVE-2026-2229: affected < 6.24.0, patched 6.24.0
CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526




Commits

8873c94 Bumped v6.24.0
411bd01 test(websocket): use node:assert for Node 18 compatibility
844bf59 test: fix http2 lint regressions in backport
a444e4f test: stabilize h2 and tls-cert-leak under current test runner
dc032a1 fix: h2 CI (#4395)
4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
7df6442 fix: adapt websocket frame-limit handling for v6 parser
4e0179a fix: reject duplicate content-length and host headers
5a97f08 Fix websocket 64-bit length overflow
e43e898 fix: validate upgrade header to prevent CRLF injection
Additional commits viewable in compare view




[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=undici&package-manager=npm_and_yarn&previous-version=6.23.0&new-version=6.24.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---

Dependabot commands and options


You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show  ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/dolthub/dolt/network/alerts).


10680: Fix panic during merge when FK is dropped and re-added on a branch with a composite PK child table

Fix #10676

dolt merge could panic with index out of range when one branch dropped and re-added a foreign key (creating a new backing index) while the other branch had new rows in a child table with a composite primary key. This fix limits the FK column type compatibility check to only the columns relevant to the foreign key, ignoring extra primary key columns that are not part of the FK relationship.

Closed Issues

10694: Parse error when two lines follow a comment containing singlequote
10695: Command Denied when calling Dolt Function where SQL users do not have explicit grant access to the branch database.
10692: Server permanently unresponsive after client crash during CREATE/DROP DATABASE
10676: Panic attempting to merge : index out of range [1] with length 1
10687: Embedded engine panics with nil pointer dereference on concurrent access
10657: ON_UPDATE columns should only update if other column values have actually changed

View the full release notes at https://github.com/dolthub/dolt/releases/tag/v1.83.7.

---

[github-actions]

🤖 An automated task has requested bottles to be published to this PR.

Caution

Please do not push to this PR branch before the bottle commits have been pushed, as this results in a state that is difficult to recover from. If you need to resolve a merge conflict, please use a merge commit. Do not force-push to this PR branch.