RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Jun 2026Clear ×

OpenCost

ObservabilityJun 25, 2026

This is a routine patch release for OpenCost, dominated by bug fixes for GPU pricing, data races, and Azure Windows pricing, plus a new STACKIT provider integration. There are no breaking changes, deprecations, or CVE fixes in this release.

Key changes (7)
  • Several data-race and stability fixes: cloudcost Status coverage read is now guarded and the ClusterMap ticker is stopped to prevent leaks, customcost Status() copies its coverage map, and GPUAllocation.Equal now compares pointer field values correctly
  • On-demand pricing is now OS-aware for Azure Windows nodes, correcting pricing calculations that previously used the wrong base rate
  • Custom provider GPU default pricing is fixed, and a nil filter guard was added to prevent a crash
  • Cloud pricing HTTP clients now have timeouts to prevent hangs
  • STACKIT added as a supported cloud provider
  • New queryProjectID field on BigQueryConfiguration, plus GKE Workload Identity Federation support for accessing Provider Pricing Data
  • Smaller items: step parameter exposed in the get_efficiency tool, Bingen 0.1.1 streaming writer support, UI build tooling switched from parcel to react-router/vite, Dockerfile.debug restored for Tilt, and reduced log verbosity for spot price auth failures
Source

Fluentd

ObservabilityJun 25, 2026

Fluentd v1.19.3 is a security and hardening patch: it tightens validation in out_http (host checks) and output (tag path boundaries), enforces size limits on decompressed payloads in buffer and in_http, and restricts default access and visibility for in_monitor_agent and in_debug_agent. Bug fixes address storage, parsing, and connection reuse issues.

  • breakingout_http: strict host validation for dynamic endpoints

    Host validation for dynamic endpoints in out_http is now strictly enforced in v1.19.3. Configuration that supplies hostnames to out_http at runtime must now conform to stricter validation rules.

  • breakingbuffer, in_http: decompressed payload size limits

    Decompressed payload sizes are now limited in buffer and in_http as of v1.19.3. Requests or buffered data that decompress beyond the enforced limit will be rejected.

  • breakingin_monitor_agent: sensitive info visibility restricted by default

    in_monitor_agent changes default visibility of config, retry, and debug info in v1.19.3. Sensitive information previously exposed by default is now hidden unless explicitly enabled.

  • breakingoutput: strict tag path boundary validation

    Output tag path boundaries are now strictly validated in v1.19.3. Tag paths that do not conform to the enforced boundary rules will be rejected.

  • breakingin_debug_agent: local-only access by default

    in_debug_agent accepts connections only from the local machine by default in v1.19.3. Remote connections to the debug agent will be rejected unless the bind address is explicitly changed.

Key changes (5)
  • out_http host validation and tag path boundaries tightened, decompressed payload size limits enforced
  • in_monitor_agent sensitive info hidden by default, in_debug_agent local-only by default
  • storage_local encoding error fixed, parser_csv handles empty lines, out_forward socket reuse fixed
  • buffer resumes correctly with square bracket paths
  • gem adds win32-registry dependency for Ruby 4.1
Source

OpenTelemetry

ObservabilityJun 23, 2026

v0.155.0 is a breaking-change release for operators: seven stabilized feature gates are removed, memory_limiter metrics get a new prefix, and two config/service APIs are deprecated in favor of snapshot-based replacements. The rest is tooling work on mdatagen and the newly relocated schemagen CLI.

  • breakingSeven stabilized feature gates removed

    Applies to any collector build referencing confighttp.framedSnappy, configoptional.AddEnabledField, confmap.newExpandedValueSanitizer, exporter.PersistRequestContext, otelcol.printInitialConfig, telemetry.UseLocalHostAsDefaultMetricsAddress, or pdata.enableRefCounting via --feature-gates flags or config. These gates are gone in v0.155.0; startup will fail if they're still referenced. Drop them from your CLI args and config before upgrading.

  • breakingmemory_limiter metrics renamed with processor prefix

    Applies to anyone scraping or alerting on otelcol_processor_* metrics from the memory_limiter processor. They're renamed to otelcol_processor_memory_limiter_* to disambiguate from other processors. Update dashboards, alert rules, and metric queries to the new names.

  • breakingmdatagen reaggregation_enabled setting removed

    Applies to custom components using mdatagen metadata.yaml with reaggregation_enabled. The setting is removed; per-metric reaggregation config is now always generated. Old files with the field are still accepted but the value is ignored, so check generated output matches expectations.

  • breakingConfig watcher APIs deprecated for snapshot-based equivalents

    Applies to extension or core code using service.Settings.CollectorConf or extensioncapabilities.ConfigWatcher. Both are deprecated in favor of service.Settings.ConfigSnapshot and extensioncapabilities.ConfigSnapshotWatcher. No forced migration yet, but plan to move to the snapshot-based APIs.

Key changes (8)
  • Seven stabilized feature gates removed outright: confighttp.framedSnappy, configoptional.AddEnabledField, confmap.newExpandedValueSanitizer, exporter.PersistRequestContext, otelcol.printInitialConfig, telemetry.UseLocalHostAsDefaultMetricsAddress, pdata.enableRefCounting. Any explicit reference to these will now fail.
  • memory_limiter processor metrics renamed to otelcol_processor_memory_limiter_* prefix, breaking existing dashboards and alerts built on the old names.
  • mdatagen's reaggregation_enabled metadata setting is removed; reaggregation config is now generated per-metric unconditionally (old files are tolerated but the field is ignored).
  • service.Settings.CollectorConf and extensioncapabilities.ConfigWatcher are deprecated in favor of ConfigSnapshot and ConfigSnapshotWatcher.
  • schemagen CLI moved from opentelemetry-collector-contrib into this repo as cmd/schemagen, and now supports an overlayFile for merging hand-curated schema fragments, a -p flag for custom Go package patterns, a -m component|package override, and fixed mode detection for external packages.
  • mdatagen gains versioned metrics support (for migrating metric names/types/attributes to new semantic conventions) and fixes: no more stale files after removing the last feature gate, correct acronym capitalization in generated identifiers.
  • pdata JSONUnmarshaler adds a DisallowUnknownFields option (off by default) to strictly reject unknown OTLP JSON fields, trading forward compatibility for stricter validation when enabled.
  • Middleware config (pkg/config/configmiddleware) migrated to a schema-based definition.
Source

Prometheus

ObservabilityJun 17, 2026

Prometheus v3.5.4 is a security-focused patch: fixes a secret-exposure bug in STACKIT SD and bumps several Go/UI dependencies to patch known CVEs. Upgrade promptly.

  • securityRotate STACKIT SD credentials if you use that SD

    The /-/config endpoint was exposing STACKIT service discovery secrets in plaintext. If your Prometheus instance uses STACKIT SD and /-/config was reachable by anyone other than admins, assume those credentials are compromised and rotate them. Upgrade to v3.5.4 immediately, then restrict access to /-/config behind authentication.

  • securityUpgrade to patch three Go CVEs in golang.org/x/net and OpenTelemetry

    GO-2026-5026, GO-2026-4918, and GO-2026-4985 are addressed by bumping golang.org/x/net to v0.55.0 and OpenTelemetry to v1.43.0. If you run Prometheus exposed to untrusted network traffic, this upgrade should not wait for your next maintenance window.

  • enhancementghcr.io image publishing available as an alternative pull source

    Prometheus images are now also on ghcr.io. If your environment has rate-limit or access issues with Docker Hub, you can switch your image pull source to ghcr.io/prometheus/prometheus without waiting for a feature release.

Key changes (4)
  • STACKIT SD leaked secrets in plaintext via /-/config endpoint (GHSA-39j6-789q-qxvh) — now fixed
  • golang.org/x/net and OpenTelemetry bumped to patch GO-2026-5026, GO-2026-4918, GO-2026-4985
  • UI dependencies (react-router-dom, vite, vitest, postcss) updated to patched versions
  • Container images now published to ghcr.io in addition to existing registries
Source

Chaos Mesh

ObservabilityJun 10, 2026

Chaos Mesh v2.8.3 is a security-focused patch: critical/high CVEs addressed via Go 1.25.11 and containerd 1.7.32 upgrades, plus a NetworkChaos recovery bug fix.

  • securityUpgrade to v2.8.3 to patch critical/high CVEs

    The Go toolchain and containerd in the container images had critical/high CVEs. If you're running Chaos Mesh on release-2.8, upgrade to v2.8.3 now. No config changes needed — this is a drop-in image update.

  • breakingVerify NetworkChaos experiments involving crash-looping pods

    NetworkChaos recovery previously failed when the target container was in CrashLoopBackOff. v2.8.3 fixes this by falling back to the pause container's PID. If your test environments include intentionally crash-looping workloads, re-run those experiments to confirm recovery behaves correctly after the upgrade.

Key changes (5)
  • Go toolchain upgraded to 1.25.11 and containerd to 1.7.32 to patch critical/high container image CVEs
  • memStress helper rebuilt with updated Go toolchain (v0.3.1)
  • chaos-daemon image switched to headless JRE, reducing attack surface
  • NetworkChaos recovery now falls back to sandbox (pause) container PID when the target is in CrashLoopBackOff
  • Deprecated wait.PollImmediate replaced with wait.PollUntilContextTimeout in e2e tests
Source

OpenTelemetry

ObservabilityJun 8, 2026

OTel Collector v0.154.0 fixes a startup crash in exporterhelper and changes --skip-get-modules behavior. Two minor enhancements add TLS and CORS config options.

  • securityinclude_insecure_cipher_suites is opt-in — keep it that way

    The new configtls option lets you re-enable weak cipher suites, but they stay disabled by default. Do not set include_insecure_cipher_suites: true in production unless you're forced to by a legacy peer — and if you are, treat it as a temporary workaround and track it.

  • breakingCheck custom build pipelines using --skip-get-modules

    If your OCB-based build scripts pass --skip-get-modules expecting go.mod to be regenerated as a side effect, that no longer happens. Audit any CI pipelines that relied on this implicit behavior and add an explicit go mod tidy step if needed.

  • enhancementUpgrade if you use sending_queue with sizer enabled

    The nil-pointer panic fix in exporterhelper is critical for anyone who sets sending_queue.sizer alongside batch.enabled: false. If your collector was crashing on startup in this config, v0.154.0 resolves it — upgrade directly.

Key changes (5)
  • cmd/builder: --skip-get-modules no longer rewrites go.mod — it now truly skips module operations as documented
  • pkg/exporterhelper: fixes nil-pointer panic at startup when sending_queue.sizer is set and sending_queue.batch.enabled is false
  • pkg/config/configtls: new include_insecure_cipher_suites option, disabled by default
  • pkg/confighttp: CORSConfig gains ExposedHeaders field to control Access-Control-Expose-Headers response header
  • cmd/mdatagen: numeric validators (minimum, maximum, exclusiveMinimum, exclusiveMaximum) now supported in generated config structs
Source

Cortex

ObservabilityJun 5, 2026

v1.21.1 is a security-focused patch release addressing findings from a formal security audit, including XSS, gzip bomb, and memory amplification vulnerabilities — upgrade immediately.

  • securityUpgrade immediately — multiple audit findings patched

    This release backports fixes from a formal security audit (V01–V07). The vulnerabilities include a stored XSS on status pages, a gzip bomb in the OTLP ingestion path, memory amplification via malformed native histogram payloads, and gossip port exposure to flood/OOM attacks. These are not theoretical — they are exploitable by any client that can reach your Cortex endpoints. Upgrade to v1.21.1 now. After upgrading, review your -distributor.otlp-max-recv-msg-size setting; the default may be too permissive depending on your ingest volume.

  • securityAudit your /config endpoint exposure

    Prior to this release, Swift, etcd, Redis, and HTTP basic-auth credentials were exposed in plaintext on the /config endpoint. If that endpoint was accessible to internal users or scraping systems, treat those credentials as compromised and rotate them. Going forward, restrict /config access via network policy or auth middleware regardless of masking.

  • enhancementHarden memberlist gossip with new bounding flags

    Three new flags (-memberlist.packet-read-timeout, -memberlist.max-packet-size, -memberlist.max-concurrent-connections) cap inbound gossip TCP behavior. The defaults are reasonable, but if your Cortex cluster is exposed to less-trusted network segments or you've seen gossip-related OOM events, tune these explicitly. Add them to your Helm values or config management before the next planned maintenance window.

Key changes (7)
  • Stored XSS fixed in Alertmanager and Store Gateway status pages (text/template replaced with html/template)
  • Gzip decompression now capped by -distributor.otlp-max-recv-msg-size to prevent decompression bomb attacks
  • Native histogram protobuf size limited to 16 KB by default via -validation.max-native-histogram-size-bytes to block memory amplification
  • Memberlist gossip port hardened with new flags for packet read timeout, max packet size, and max concurrent connections
  • Credentials for Swift, etcd, Redis, and HTTP basic-auth are now masked on the /config endpoint
  • PushStream requests with mismatched TenantID are rejected; HMAC-SHA256 stream auth added via -distributor.sign-write-requests-keys
  • Panic fixed when grpc_compression is set to snappy on ingester or store-gateway clients
Source

Jaeger

ObservabilityJun 3, 2026

v2.19.0 ships the new /api/v3/trace-summaries endpoint and migrates the UI search to use it, plus TLS for ClickHouse and a configurable gRPC max message size.

  • breakingUI search migration to /api/v3/trace-summaries requires compatible backend

    The UI now exclusively uses /api/v3/trace-summaries for search results. If you run a custom or older storage backend via the gRPC storage plugin, it must implement the SummaryReader interface or the fallback full-trace aggregation path kicks in. Verify your storage plugin supports this before upgrading. If you pin the UI separately from the backend, do not upgrade the UI to this version without also upgrading the backend to v2.19.0.

  • breakingRename query.num_traces to query.search_depth in any API v3 clients

    Any scripts, dashboards, or integrations that pass query.num_traces to the v3 API will still work via the deprecated alias, but you should migrate to query.search_depth now. The deprecated alias will eventually be removed. Also check for snake_case HTTP query params — camelCase is now the canonical form, with snake_case kept as deprecated aliases.

  • enhancementSet max_recv_msg_size_mib if you see gRPC message size errors in remote storage

    Teams using the gRPC remote storage plugin with large traces often hit the default gRPC message size cap. The new max_recv_msg_size_mib config option on the gRPC storage client lets you raise this limit explicitly. If you've been seeing 'received message larger than max' errors from your storage backend, configure this value in your Jaeger deployment config to fix it without workarounds.

  • enhancementEnable TLS for ClickHouse storage in production

    The ClickHouse storage plugin now supports TLS configuration. If you're running ClickHouse as a Jaeger backend in any environment where the connection crosses a network boundary, configure TLS now rather than relying on network-level controls alone.

Key changes (6)
  • UI search now calls /api/v3/trace-summaries instead of fetching full traces — this is a breaking UI change requiring a backend that supports the new endpoint
  • New GET /api/v3/trace-summaries HTTP endpoint and matching gRPC FindTraceSummaries handler for lightweight search results without full trace payloads
  • query.num_traces renamed to query.search_depth in API v3; old name kept as deprecated alias — update any tooling or scripts using the old parameter
  • ClickHouse storage plugin now supports TLS configuration
  • gRPC storage client gains max_recv_msg_size_mib config to handle large trace payloads that previously hit message size limits
  • Elasticsearch index templates now include missing scope and link fields — existing indices may need reindexing
Source
Browse by month