RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Mar 2026Clear ×

Jaeger

ObservabilityMar 30, 2026

v2.17.0 ships a security fix for XSS in the UI, two major UI features (side panel span details, trace log aggregation), and several backend stability fixes including a panic guard and clock skew correction.

  • securityUpdate UI immediately to fix XSS vulnerability

    The UI was rendering user-supplied trace data using innerHTML, which opens the door to XSS if trace attribute values contain malicious HTML. This is fixed by switching to textContent. If you expose Jaeger UI to users who can influence span data (e.g., shared environments, multi-tenant setups), treat this as a priority upgrade. Pull the v2.17.0 image and redeploy.

  • breakingClock skew fix changes span end timestamps — verify your trace data expectations

    The clock skew adjuster previously only corrected span start times, leaving end timestamps unadjusted. Now both are corrected. For teams with strict SLO calculations or latency assertions based on adjusted trace data, this behavioral change could shift computed durations. Validate your dashboards and alerting rules against real traces after upgrading.

  • enhancementSide panel span view reduces trace analysis friction

    Span details previously expanded inline, collapsing the trace timeline context. The new side panel mode keeps the timeline visible while inspecting a span. Useful immediately for deep trace debugging — no configuration needed, just click a span in the UI. Worth showing to your team as a workflow improvement.

Key changes (6)
  • Security: replaced innerHTML with textContent in the UI to eliminate an XSS attack vector
  • New UI feature: span details can now open in a side panel instead of inline, reducing context-switching during trace analysis
  • New UI feature: trace logs view aggregates all span events in one place for easier debugging
  • Backend fix: clock skew adjuster now correctly adjusts span end timestamps, not just start times
  • Backend fix: panic guard added for zero/sub-nanosecond durations in jitter calculation (fixes production crash #8149)
  • Experimental ClickHouse backend received query optimization and schema fixes for trace ID deduplication
Source

Chaos Mesh

ObservabilityMar 25, 2026

Chaos Mesh v2.8.2 is a security-focused patch that resolves CVEs across Go and UI dependencies, drops install.sh, and fixes cert-manager webhook conflicts.

  • securityUpgrade now — this release exists specifically to fix CVEs

    Both Go and UI packages were upgraded in bulk to address vulnerabilities tracked in issue #4830. No specific CVE IDs are listed in the release notes, but the scope (all direct dependencies) suggests broad exposure. If you're running v2.8.1 or earlier, treat this as an urgent upgrade, especially for clusters where Chaos Mesh's dashboard is internet-accessible or exposed internally to untrusted users.

  • breakingStop using install.sh — it's been deleted, not just deprecated

    install.sh is physically removed in this release. Any CI/CD pipelines, runbooks, or onboarding docs that reference it will break immediately. Migrate to the Helm chart or the official quick-start guide before upgrading. Check your automation scripts and internal documentation now.

  • enhancementFix cert-manager server-side apply conflicts before they hit you in prod

    If you use cert-manager to manage Chaos Mesh's webhook certificates, the caBundle placeholder in webhook templates was causing server-side apply (SSA) field ownership conflicts — a subtle issue that silently breaks reconciliation. After upgrading to v2.8.2, re-apply your Helm release or manifests to let SSA recalculate field ownership cleanly. If you've been seeing unexpected webhook certificate errors or Helm diff noise, this is likely the cause.

Key changes (5)
  • All direct Go and UI dependencies upgraded to remediate known CVEs
  • install.sh removed — deprecated installer is gone, Helm/kubectl is now the only supported path
  • Go runtime bumped to 1.25.8
  • go-ethereum JSON-RPC replaced with creachadair/jrpc2 to eliminate a vulnerable transitive dependency
  • Fixed cert-manager + server-side apply conflict caused by caBundle placeholder in webhook templates
Source

Litmus

ObservabilityMar 18, 2026

Litmus 3.27.0 ships Job targeting for chaos experiments and fixes a cluster of stability bugs: nil pointer crashes, GitOps deadlocks, race conditions, and probe detection failures.

  • breakingGitOps two-way sync was silently broken — verify your sync state after upgrading

    The GitOps sync handler goroutine was disabled, meaning changes in Git were not propagating back to Litmus in two-way mode. After upgrading to 3.27.0, manually trigger a sync and confirm experiment state matches your Git source of truth. Any drift that accumulated should be reconciled.

  • enhancementTarget Kubernetes Jobs in chaos experiments

    If your team runs batch workloads or CI pipelines as Kubernetes Jobs, you can now inject chaos directly into them. Update your experiment manifests to reference Job resources and validate resilience of batch processing paths — something previously impossible without workarounds.

  • enhancementMultiple nil pointer and race condition fixes reduce silent failures

    At least three separate nil pointer dereferences are fixed in this release (subscriber, QueryServerVersion, YAML parser), plus experiment run race conditions. If you've seen intermittent crashes or experiments stuck in inconsistent states, upgrading is the straightforward fix — no config changes needed.

Key changes (5)
  • New: Kubernetes Jobs can now be targeted in chaos experiments, expanding workload coverage beyond Deployments and StatefulSets
  • 503 returned when MongoDB is down, enabling probes to correctly detect infrastructure failures instead of hanging
  • Subscriber crash on Workflow ADD events (nil pointer dereference) fixed — previously could silently break experiment scheduling
  • GitOps deadlock in GitMutexLock.Unlock resolved, and the GitOps sync handler goroutine re-enabled to restore two-way sync
  • CMD probe command limit raised from 1024 characters, unblocking complex probe scripts
Source

Jaeger

ObservabilityMar 7, 2026

Jaeger v2.16.0 introduces breaking changes requiring Go 1.25.7 and removes legacy remote sampling format, while improving ClickHouse performance and adding Elasticsearch health-check timeout support.

  • breakingUpgrade Go to version 1.25.7 before deploying

    The Go version requirement is now enforced across the codebase. Teams running older Go versions will face build failures. Update your build environments, CI/CD pipelines, and container images to Go 1.25.7 before attempting to upgrade or build from source.

  • breakingUpdate remote sampling client integrations

    The legacy remote sampling endpoint response format has been removed. If your applications use custom remote sampling clients that depend on the old format, they will break. Review your sampling configuration and update any custom clients to use the current format before upgrading.

  • enhancementEnable Elasticsearch health-check timeout for improved startup reliability

    New startup health-check timeout configuration prevents indefinite blocking during Elasticsearch connectivity issues. Add health-check timeout settings to your Elasticsearch storage configuration to improve service startup reliability in environments with intermittent connectivity.

Key changes (6)
  • Go version requirement bumped to 1.25.7 across the entire codebase
  • Legacy remote sampling endpoint response format removed
  • ClickHouse query performance improved through findtraceids restructuring
  • Elasticsearch health-check timeout support added for startup reliability
  • HTTP servers migrated from Gorilla Mux to stdlib http.ServeMux
  • UI fixes for critical path visualization and v3 API client base path handling
Source
Browse by month