feat(container)!: Update image ghcr.io/valkey-io/valkey ( 8.1.1 ➔ 9.0.2 )

[renovate]

This PR contains the following updates:

Package	Update	Change
ghcr.io/valkey-io/valkey	major	8.1.1 → 9.0.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

valkey-io/valkey (ghcr.io/valkey-io/valkey)

v9.0.2

Compare Source

Upgrade urgency HIGH: There are critical bugs that may affect a subset of users.

Bug fixes

• Avoid memory leak of new argv when HEXPIRE commands target only non-exiting fields (#​2973)
• Fix HINCRBY and HINCRBYFLOAT to update volatile key tracking (#​2974)
• Avoid empty hash object when HSETEX added no fields (#​2998)
• Fix case-sensitive check for the FNX and FXX arguments in HSETEX (#​3000)
• Prevent assertion in active expiration job after a hash with volatile fields is overwritten (#​3003, #​3007)
• Fix HRANDFIELD to return null response when no field could be found (#​3022)
• Fix HEXPIRE to not delete items when validation rules fail and expiration is in the past (#​3023, #​3048)
• Fix how hash is handling overriding of expired fields overwrite (#​3060)
• HSETEX - Always issue keyspace notifications after validation (#​3001)
• Make zero a valid TTL for hash fields during import mode and data loading (#​3006)
• Trigger prepareCommand on argc change in module command filters (#​2945)
• Restrict TTL from being negative and avoid crash in import-mode (#​2944)
• Fix chained replica crash when doing dual channel replication (#​2983)
• Skip slot cache optimization for AOF client to prevent key duplication and data corruption (#​3004)
• Fix used_memory_dataset underflow due to miscalculated used_memory_overhead (#​3005)
• Avoid duplicate calculations of network-bytes-out in slot stats with copy-avoidance (#​3046)
• Fix XREAD returning error on empty stream with + ID (#​2742)

Performance/Efficiency Improvements

• Track reply bytes in I/O threads if commandlog-reply-larger-than is -1 (#​3086, #​3126).
  This makes it possible to mitigate a performance regression in 9.0.1 caused by the bug fix #​2652.

Full Changelog: valkey-io/valkey@9.0.1...9.0.2

v9.0.1

Compare Source

Upgrade urgency MODERATE: Program an upgrade of the server, but it's not urgent.

Bug fixes

• Authenticate slot migration client on source node to internal user (#​2785)
• Bug fix: reset io_last_written on c->buf resize to prevent stale pointers (#​2786)
• Sentinel: fix regression requiring "+failover" ACL in failover path (#​2780)
• Cluster: Avoid usage of light weight messages to nodes with not ready bidirectional links (#​2817)
• Send duplicate multi meet packet only for node which supports it in mixed clusters (#​2840)
• Fix: LTRIM should not call signalModifiedKey when no elements are removed (#​2787)
• Fix build on some 32-bit ARM by only using NEON on AArch64 (#​2873)
• Fix deadlock in IO-thread shutdown during panic (#​2898)
• Fix COMMANDLOG large-reply when using reply copy avoidance (#​2652)
• Fix CLUSTER SLOTS crash when called from module timer callback (#​2915)

Full Changelog: valkey-io/valkey@9.0.0...9.0.1

v9.0.0

Compare Source

Valkey 9.0.0 GA - October 21, 2025

Upgrade urgency LOW: This is the first release of Valkey 9.0 which
includes stability, bug fixes, and incremental improvements over the third release candidate.

Bug fixes

• HSETEX with FXX should not create an object if it does not exist (#​2716)
• Fix crash when aborting a slot migration while child snapshot is active (#​2721)
• Fix double MOVED reply on unblock at failover (#​2734)
• Fix memory leak with CLIENT LIST/KILL duplicate filters (#​2362)
• Fix incorrect accounting after completed atomic slot migration (#​2749)
• Fix Lua VM crash after FUNCTION FLUSH ASYNC + FUNCTION LOAD (#​1826, #​2750)
• Fix invalid memory address caused by hashtable shrinking during safe iteration (#​2753)

For a high level overview of the release, you can checkout release blog
For the full set of changes for the releases, please review the previous release candidates rc1, rc2 and rc3.

v8.1.5

Compare Source

Upgrade urgency MODERATE: Program an upgrade of the server, but it's not urgent.

Bug fixes

• Fix Lua VM crash after FUNCTION FLUSH ASYNC + FUNCTION LOAD (#​1826)
• Fix invalid memory address caused by hashtable shrinking during safe iteration (#​2753)
• Cluster: Avoid usage of light weight messages to nodes with not ready bidirectional links (#​2817)
• Send duplicate multi meet packet only for node which supports it (#​2840)
• Fix loading AOF files from future Valkey versions (#​2899)

Full Changelog: valkey-io/valkey@8.1.4...8.1.5

v8.1.4

Compare Source

Valkey 8.1.4

Upgrade urgency SECURITY: This release includes security fixes we recommend you
apply as soon as possible.

Security fixes

• (CVE-2025-49844) A Lua script may lead to remote code execution
• (CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
• (CVE-2025-46818) A Lua script can be executed in the context of another user
• (CVE-2025-46819) LUA out-of-bound read

Bug fixes

• Fix accounting for dual channel RDB bytes in replication stats (#​2614)
• Fix EVAL to report unknown error when empty error table is provided (#​2229)
• Fix use-after-free when active expiration triggers hashtable to shrink (#​2257)
• Fix MEMORY USAGE to account for embedded keys (#​2290)
• Fix memory leak when shrinking a hashtable without entries (#​2288)
• Prevent potential assertion in active defrag handling large allocations (#​2353)
• Prevent bad memory access when NOTOUCH client gets unblocked (#​2347)
• Converge divergent shard-id persisted in nodes.conf to primary's shard id (#​2174)
• Fix client tracking memory overhead calculation (#​2360)
• Fix RDB load per slot memory pre-allocation when loading from RDB snapshot (#​2466)
• Don't use AVX2 instructions if the CPU doesn't support it (#​2571)
• Fix bug where active defrag may be unable to defrag sparsely filled pages (#​2656)

Full Changelog: valkey-io/valkey@8.1.3...8.1.4

v8.1.3

Compare Source

Upgrade urgency SECURITY: This release includes security fixes we recommend you
apply as soon as possible.

Bug fixes

• Fix missing response when AUTH is errored inside a transaction (#​2287)

Security fixes

• CVE-2025-32023 prevent out-of-bounds write during hyperloglog operations (#​2146)
• CVE-2025-48367 retry accept on transient errors (#​2315)

v8.1.2

Compare Source

Upgrade urgency HIGH: This release includes CVE fix for valkey-check-aof tool, we recommend you
apply as soon as possible if you use the tool.

Security fixes

• CVE-2025-27151 Check length of AOF file name in valkey-check-aof (#​2146)

Bug fixes

• Properly escape double quotes and backslash in MONITOR command (#​2036)
• Fix high CPU usage when fetching a random element in skewed sparse hash table (#​2085)
• Fix a bug that allowed clients to process commands when the server has paused command processing (#​2109)
• Fix a crash where the wrong slot is used when processing sharded pubsub unsubscribe events (#​2137)
• Fix a crash when a module attempts to write auxiliary data with AOF enabled (#​2132)
• Fix a bug where the engine may crash when establishing new outbound TLS connections (#​2140)
• Fix a bug where a cluster bus packet may be incorrectly marked as invalid (#​2144)
• Fix a bug where CLUSTER SLOTS/NODES information can be stale after updating node port/tls-port (#​2186)
• Fix a bug where replica in cluster mode can't finish failover when config epoch is outdated (#​2178)
• Fix a bug to avoid CLIENT UNBLOCK command to unblock paused clients (#​2117)

Full Changelog: valkey-io/valkey@8.1.1...8.1.2

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.