Bump github.com/nats-io/nats-server/v2 from 2.11.15 to 2.12.6

[dependabot]

Bumps github.com/nats-io/nats-server/v2 from 2.11.15 to 2.12.6.

Release notes

Sourced from github.com/nats-io/nats-server/v2's releases.

Release v2.12.6

Changelog

Refer to the 2.12 Upgrade Guide for backwards compatibility notes with 2.11.x.

Go Version

• 1.25.8

Dependencies

• golang.org/x/crypto v0.49.0 (#7953)
• github.com/nats-io/jwt/v2 v2.8.1 (#7960)
• golang.org/x/sys v0.42.0 (#7923)
• golang.org/x/time v0.15.0 (#7923)

CVEs

• Fixes CVE-2026-33216, CVE-2026-33217, CVE-2026-33215 (affecting systems using MQTT)
• Fixes CVE-2026-33246 (affects systems using leafnodes and service imports)
• Fixes CVE-2026-33218 (affects systems using leafnodes)
• Fixes CVE-2026-33219 (affects systems using WebSockets)
• Fixes CVE-2026-33223, CVE-2026-33222 (affects systems using JetStream)
• Fixes CVE-2026-33248 (affects systems using mutual TLS)
• Fixes CVE-2026-33247 (affects systems providing credentials on the command line)
• Fixes CVE-2026-33249 (affects systems where client publish permissions should be restricted)

Improved

General

• Non-WebSocket leafnode connections can now be proxied using HTTP CONNECT (#7781)
• The $SYS.REQ.USER.INFO response now includes the friendly nametag of the account and/or user if known (#7973)

JetStream

• The stream peer-remove command now accepts a peer ID as well as a server name (#7952)

MQTT

• Protocol compliance has been improved, including more error handling on invalid or malformed MQTT packets (#7933)

Fixed

General

• Client connections are no longer registered after an auth callout timeout (#7932)
• Improved handling of duplicate headers
• A correctness bug when validating relative distinguished names has been fixed
• Secrets are now redacted correctly in trace logging (#7942)

... (truncated)

Commits

• 0e06390 Release v2.12.6
• f593d27 Cherry-picks for 2.12.6 (#61)
• 9f904de [FIXED] Incomplete route pool on premature pong
• b510192 [FIXED] Avoid stalling read loop on leafnode ErrMinimumVersionRequired
• 53941c2 Report the account and user name in USER.INFO request
• 1ab002a [IMPROVED] Support HTTP proxy connection from leaf nodes also for TCP
• 8b64082 Release v2.12.6-RC.3
• e6ab7e9 Cherry-picks for 2.12.6-RC.3 (#59)
• 9f4d960 Make the deduplication window actually work for deduplication for sourcing
• 304e184 Remove FIXME about auth callout nonce
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[qltysh]

Coverage Impact

⬇️ Merging this pull request will decrease total coverage on master by 0.02%.

🚦 See full report on Qlty Cloud »

🛟 Help

• Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

• Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

• File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

  • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.