Bump org.apache.pulsar:pulsar-client-all from 3.3.8 to 3.3.9

[dependabot]

Bumps org.apache.pulsar:pulsar-client-all from 3.3.8 to 3.3.9.

Release notes

Sourced from org.apache.pulsar:pulsar-client-all's releases.

v3.3.9

2025-09-27

Library updates

• [fix][sec] Upgrade bouncycastle bcpkix-fips version to 1.79 to address CVE-2025-8916 (#24650)
• [fix][sec] Upgrade Netty to 4.1.127.Final to address CVEs (#24717)
• [fix][sec] Upgrade to Netty 4.1.124.Final to address CVE-2025-55163 (#24637)
• [improve][build] Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0 (#24514)
• [improve][io] Upgrade AWS SDK v1 & v2, Kinesis KPL and KPC versions (#24661)
• [fix][misc] Upgrade dependencies to fix critical security vulnerabilities (#24532)
• [improve][build] Upgrade Lombok to 1.18.42 to fully support JDK25 (#24763)
• [improve][build] Upgrade Apache Parent POM to version 35 (#24742)

Broker

• [fix][broker] Add double-check for non-durable cursor creation (#24643)
• [fix][broker] Ensure KeyShared sticky mode consumer respects assigned ranges (#24730)
• [fix][broker] First entry will be skipped if opening NonDurableCursor while trimmed ledger is adding first entry. (#24738)
• [fix][broker] Fix cannot shutdown broker gracefully by admin api (#24731)
• [fix][broker] Fix duplicate watcher registration after SessionReestablished (#24621)
• [fix][broker] Fix memory leak when metrics are updated in a thread other than FastThreadLocalThread (#24719)
• [fix][broker] Fix race condition in MetadataStoreCacheLoader causing inconsistent availableBroker list caching (#24639)
• [fix][broker] Fix REST API to produce messages to single-partitioned topics (#24450)
• [fix][broker] Invalid regex in PulsarLedgerManager causes zk data notification to be ignored (#23977)
• [fix][broker] Prevent unexpected recycle failure in dispatcher's read callback (#24741)
• [improve][broker] If there is a deadlock in the service, the probe should return a failure because the service may be unavailable (#23634)
• [fix][meta] Use getChildrenFromStore to read children data to avoid lost data (#24665)
• [improve][broker]Remove block calling that named cursor.asyncGetNth when expiring messages (#24606)

Client

• [fix][client] Avoid recycling the same ConcurrentBitSetRecyclable among different threads (#24725)
• [fix][client] fix ArrayIndexOutOfBoundsException in SameAuthParamsLookupAutoClusterFailover (#24662)
• [fix][client] Fix ArrayIndexOutOfBoundsException when using SameAuthParamsLookupAutoClusterFailover (#23336)
• [fix][client] Fix receiver queue auto-scale without memory limit (#24743)
• [fix][client] Retry for unknown exceptions when creating a producer or consumer (#24599)
• [fix][client] Skip schema validation when sending messages to DLQ to avoid infinite loop when schema validation fails on an incoming message (#24663)
• [fix][client]Prevent ZeroQueueConsumer from receiving batch messages when using MessagePayloadProcessor (#24610)
• [fix][client]TopicListWatcher not closed when calling PatternMultiTopicsConsumerImpl.closeAsync() method (#24698)
• [fix][client] rollback TopicListWatcher retry behavior (#24752)
• [improve][client] Support load RSA PKCS#8 private key (#24582)

Pulsar IO and Pulsar Functions

• [fix][io] Improve Kafka Connect source offset flushing logic (#24654)
• [improve][io] Add dependency file name information to error message when .nar file validation fails with ZipException (#24604)
• [improve][io] Support specifying Kinesis KPL native binary path with 1.0 version specific path (#24669)
• [feat][fn] Fallback to using STATE_STORAGE_SERVICE_URL in PulsarMetadataStateStoreProviderImpl.init (#24721)

... (truncated)

Commits

• 084b90b Release 3.3.9
• d1ff4c5 [fix][misc] Fix compareTo contract violation for NamespaceBundleStats, TimeAv...
• ec79549 [fix][test] Flaky-test: BrokerServiceTest.testShutDownWithMaxConcurrentUnload...
• 8367620 [fix][ci] Fix CI for Java 25 including upgrade of Gradle Develocity Maven ext...
• 16ae3b0 [improve][build] Upgrade Lombok to 1.18.42 to fully support JDK25 (#24763)
• 0e877bd [improve][broker] If there is a deadlock in the service, the probe should ret...
• 3407074 [fix][broker] First entry will be skipped if opening NonDurableCursor while t...
• 65ddd44 [fix][broker] Prevent unexpected recycle failure in dispatcher's read callbac...
• 96a6d72 [fix][client] rollback TopicListWatcher retry behavior (#24752)
• 99dbc69 [fix][client]TopicListWatcher not closed when calling PatternMultiTopicsConsu...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)