Blog

Dear community,

Apache CouchDB® 3.4.1 has been released and is available for download. It is a feature and bugfix release, and was originally published on 2024-09-27.

3.4.1? — What happened to 3.4.0?! Great question!

We had 3.4.0 almost ready to be released and mere hours before making it official, we realised that a new feature could lead to an unsatisfactory scenario for some users. Namely: the automatic upgrading of password hashes to a stronger algorithm could lead to folks upgrading to 3.4.1 and them not being able to roll back to the previous version without locking out users that have had their password hashes automatically upgrade.

The CouchDB team aims to make every release safe to upgrade, aside from major releases with well-documented breaking changes. So 3.4.1 would not be safe to upgrade and we decided to not announce its availability, even though everything was ready to go.

Instead we immediately fast-tracked version 3.4.1 that disabled the feature by default and this is instead the release that is safe to upgrade to. Please note that the new hashing algorithm is still enabled by default. User accounts created after the upgrade will not be able to downgrade.

The CouchDB team recommends enabling the feature once you are safely running 3.4.1 and have no longer a need to downgrade.

Release Notes highlights:

• Nouveau (beta) a modern, from-the-ground-up implementation of Lucene-based full-text search for CouchDB. Please test this thoroughly and report back any issues you might find.
  • Setup instructions
  • Usage
  • Report a bug
• QuickJS as a JavaScript engine option. Advantages over SpiderMonkey:
  • Significantly smaller and easier to integrate codebase. We’re using ~6 C files vs 700+ SM91 C++ files.
  • Built with Apache CouchDB as opposed having to maintain a separate SpiderMonkey package for OSs that don’t support it (*cough*RedHat9*cough*).
  • Better sandboxing support.
  • Preliminary test results show multiple performance improvements.
    • 4x faster than SpiderMonkey 1.8.5.
    • 5x faster than SpiderMonkey 91.
    • 6x reduced memory usage per couchjs process (5MB vs 30MB).
  • Allows compiling JavaScript bytecode ahead of time.
  • CouchDB also now includes a scanner plugin that, when enabled, can scan all design docs in all your databases in the background and report incompatibilities between SpiderMonkey and QuickJS. This allows you to safely migrate to QuickJS.
  • SpiderMonkey remains supported and is still the default in 3.4.0. You can opt into QuickJS by setting your design doc language to "javascript_quickjs".
• Mango: add keys-only covering indexes. Improves query response times for certain queries up to 10x at p(95).
• Optionally replace md5 with xxHash for data integrity checksums. 30% speed up on larger (128k) docs, no difference for smaller docs. Note that once you enable this, you cannot go back to an earlier version of CouchDB, if you need a rollback-capable installation. In that case, upgrade to 3.4.0 without changing the default and enable xxHash in 3.5.0 or later so you can roll back to 3.4.0 then.
• Require auth for _replicate endpoint. This continues the 3.x closed-by-default design goal.
• Introduce PBKDF2-SHA256 for password hashing. The existing PBKDF2-SHA1 variant is now deprecated.  Increases the default iteration count to 600000. Also introduce a password hash in-memory cache with a low iteration number, to keep interactive requests fast for a fixed time.
  • Entries in the password hash cache are time-limited, unused entries are automatically deleted, and there is a capacity bound.
  • Existing hashed user doc entries will be automatically upgraded can be configured to be automatically upgraded during the next successful authentication. To disable auto-upgrading set the [chttpd_auth] upgrade_hash_on_auth config setting to false.
  • Also added temporary lockouts for accounts that receive repeated authentication failures to avoid a denial of service. Can be disabled in config.
• Many small and medium performance improvements.
• Many, many bug fixes and improvements to our test suite.
• Heads up RHEL (and compatible) users: our .rpm convenience binaries have changed logging from /var/log/couchdb/couchdb.log to logging to journald directly.

See the official release notes document for an exhaustive list of all changes:

https://docs.couchdb.org/en/stable/whatsnew/3.4.html

Pre-built packages for Windows, macOS, Debian/Ubuntu and RHEL/CentOS as well as Docker images for CouchDB and Nouveau are available alongside the source code distribution: 

https://couchdb.apache.org/#download

Apache CouchDB® lets you access your data where you need it. The Couch Replication Protocol is implemented in a variety of projects and products that span every imaginable computing environment from globally distributed server-clusters, over mobile phones to web browsers.

Store your data safely, on your own servers, or with any leading cloud provider. Your web- and native applications love CouchDB, because it speaks JSON natively and supports binary data for all your data storage needs.

The Couch Replication Protocol lets your data flow seamlessly between server clusters to mobile phones and web browsers, enabling a compelling offline-first user-experience while maintaining high performance and strong reliability. CouchDB comes with a developer-friendly query language, and optionally MapReduce for simple, efficient, and comprehensive data retrieval.

The community would like to thank all contributors for their part in making this release, from the smallest bug report or patch to major contributions in code, design, or marketing, we couldn’t have done it without you!

On behalf of the CouchDB PMC,
Jan Lehnardt
—