build(deps): bump github.com/nats-io/nats-server/v2 from 2.11.1 to 2.11.12 #3

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/github.com/nats-io/nats-server/v2-2.11.12

@dependabot dependabot bot commented on behalf of github Feb 24, 2026

Bumps github.com/nats-io/nats-server/v2 from 2.11.1 to 2.11.12.

Release notes

Sourced from github.com/nats-io/nats-server/v2's releases.

Release v2.11.12

Changelog

Refer to the 2.11 Upgrade Guide for backwards compatibility notes with 2.10.x.

Go Version

Dependencies

  • github.com/nats-io/nkeys v0.4.12 (#7578)
  • github.com/antithesishq/antithesis-sdk-go v0.5.0-default-no-op (#7604)
  • github.com/klauspost/compress v1.18.3 (#7736)
  • golang.org/x/crypto v0.47.0 (#7736)
  • golang.org/x/sys v0.40.0 (#7736)
  • github.com/google/go-tpm v0.9.8 (#7696)
  • github.com/nats-io/nats.go v1.48.0 (#7696)

Added

General

  • Added WebSocket-specific ping interval configuration with ping_internal in the websocket block (#7614)

Monitoring

  • Added tls_cert_not_after to the varz monitoring endpoint for showing when TLS certificates are due to expire (#7709)

Improved

JetStream

  • The scan for the last sourced message sequence when setting up a subject-filtered source is now considerably faster (#7553)
  • Consumer interest checks on interest-based streams are now significantly faster when there are large gaps in interest (#7656)
  • Creating consumer file stores no longer contends on the stream lock, improving consumer create performance on heavily loaded streams (#7700)
  • Recalculating num pending with updated filter subjects no longer gathers and sorts the subject filter list twice (#7772)
  • Switching to interest-based retention will now remove no-interest messages from the head of the stream (#7766)

MQTT

  • Retained messages will now work correctly even when sourced from a different account and has a subject transform (#7636)

Fixed

General

  • WebSocket connections will now correctly limit the buffer size during decompression (#7625, thanks to Pavel Kokout at Aisle Research)
  • The config parser now correctly detects and errors on self-referencing environment variables (#7737)
  • Internal functions for handling headers should no longer corrupt message bodies if appended (#7752)

... (truncated)

Commits
  • 2d97cb7 Release v2.11.12
  • ea9680a Cherry-picks for 2.11.12 (#7776)
  • eb53e0d [IMPROVED] Remove no interest messages from head of stream
  • dc0d365 [FIXED] Many concurrent checkInterestState goroutines
  • 360db02 [FIXED] Interest stream desync after consumer filter update
  • 74802ff [IMPROVED] Simplify recalculate pending with updated filter subject(s)
  • 6f77800 Release v2.11.12-RC.7
  • 134ebc2 Revert "Perform _writeFullState under read lock only"
  • ddd1442 Release v2.11.12-RC.6
  • 59b2eb8 Cherry-picks for 2.11.12-RC.6 (#7768)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Summary by CodeRabbit

  • Chores
    • Updated multiple core dependencies and system libraries to latest stable versions
    • Enhanced security with updated cryptographic and networking library versions
    • Added optional monitoring and observability capability support
    • Improved overall performance and reliability across utility modules
    • Maintained full backward compatibility; no breaking changes introduced

Bumps [github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server) from 2.11.1 to 2.11.12.
- [Release notes](https://github.com/nats-io/nats-server/releases)
- [Changelog](https://github.com/nats-io/nats-server/blob/main/RELEASES.md)
- [Commits](nats-io/nats-server@v2.11.1...v2.11.12)

---
updated-dependencies:
- dependency-name: github.com/nats-io/nats-server/v2
  dependency-version: 2.11.12
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies and go labels on Feb 24, 2026

coderabbitai bot commented Feb 24, 2026

Walkthrough

Updated Go module dependencies across the project, including patches for compression, cryptography, and networking libraries; added Antithesis SDK as an indirect dependency; adjusted various indirect module versions to maintain compatibility alignment.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Go Module Dependencies: go.mod | Updated 13 direct dependencies (klauspost/compress, NATS server/client, x/crypto, x/sync, x/sys, x/term, x/time, x/mod, x/net, x/text, x/tools, google/go-tpm, jwt) with patch and minor version bumps; added antithesis-sdk-go as indirect dependency. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 The dependencies dance in a grand ballet,
Version bumps shimmer, all updated today!
Crypto and NATS waltz in perfect time,
While golang.org/x modules rhyme!
Fresh patches and harmony, tested with care—
Our go.mod bounces through dependency air!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ⚠️ Warning | The title focuses on bumping nats-server from v2.11.1 to v2.11.12, but the changeset updates many other dependencies (compress, x/crypto, x/sync, x/sys, etc.) and adds a new indirect dependency. The title only covers one of multiple significant dependency updates. | Consider updating the title to reflect the broader scope, such as 'build(deps): update multiple dependencies including nats-server, golang.org/x modules, and compression libraries' to accurately represent all changes. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
go.mod (1)

44-105: ⚠️ Potential issue | 🟠 Major

Address nats.go v1.48.0 subject validation behavior change.

nats.go v1.48.0 now validates subject names and rejects subjects with whitespace or control characters by default. Existing NATS notification targets configured with subjects containing spaces, tabs, or newlines will fail after the upgrade. Either validate subject inputs to prevent invalid characters or use nats.SkipSubjectValidation() in the NATS connection options to retain legacy behavior. Document the breaking change for users with existing NATS configs.

golang.org/x/crypto v0.47.0 includes security fixes (CVE-2025-47914, CVE-2025-58181 in ssh/agent) and is safe to merge.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 44 - 105, The upgrade to nats.go v1.48.0 introduces
strict subject validation causing existing NATS notifications with
whitespace/control characters to fail; locate the NATS connection initialization
(e.g., functions/methods like NewNATSClient, connectToNATS, or where
nats.Connect is called) and either sanitize/validate configured subject strings
before use (reject or trim spaces/newlines) or add nats.SkipSubjectValidation()
to the nats.Connect options to preserve legacy behavior; update any
configuration validation code that builds subjects and add a brief comment
documenting this breaking change for operators.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between 27742d4 and 862c739.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod
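
A pre-merge audit of configured notification subjects, as an added example that is not part of the review comment above or of the project's code. It applies the rule as the review describes it (whitespace or control characters are rejected); the names `Finding`, `CheckSubject` and `AuditTargets` and the sample targets are hypothetical, and the check is not copied from nats.go.

```go
package main

import (
	"fmt"
	"sort"
	"unicode"
)

// Finding is one configured subject that strict validation would reject.
type Finding struct {
	Target, Subject string // Target is a hypothetical config key
	Offset          int    // byte offset of the first offending rune
	Kind            string // "whitespace" or "control character"
}

// CheckSubject finds the first whitespace or control rune, or returns (-1, "").
func CheckSubject(subject string) (int, string) {
	for i, r := range subject {
		if unicode.IsSpace(r) {
			return i, "whitespace"
		}
		if unicode.IsControl(r) {
			return i, "control character"
		}
	}
	return -1, ""
}

// AuditTargets returns the failing target/subject pairs, sorted by target.
func AuditTargets(targets map[string]string) []Finding {
	var out []Finding
	for name, subj := range targets {
		if off, kind := CheckSubject(subj); off >= 0 {
			out = append(out, Finding{name, subj, off, kind})
		}
	}
	sort.Slice(out, func(a, b int) bool { return out[a].Target < out[b].Target })
	return out
}

func main() {
	// Constructed sample configuration, not taken from the project.
	targets := map[string]string{
		"audit": "events.audit", "bucket": "events.bucket created", "legacy": "events.legacy\n",
	}
	for _, f := range AuditTargets(targets) {
		fmt.Printf("%s: %q has %s at byte %d\n", f.Target, f.Subject, f.Kind, f.Offset)
	}
}
```

Running the audit against stored configuration before the bump lists the targets that need their subjects corrected.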
