RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Jul 2026Clear ×

Litmus

ObservabilityTodayJul 15, 2026

Litmus 3.31.0 is a routine bugfix release addressing memory leaks in GraphQL subscriptions, probe initialization and validation issues, user handler correctness, and infrastructure resolver safety. Documentation updates include Node experiment Tunables and otel-demo OpenSearch integration; test coverage has been expanded.

Key changes (10)
  • Probe comparator type reference now initialized correctly from loaded probe data
  • GraphQL subscription resolvers fixed to prevent memory leaks and deadlocks under load
  • FileHandler now properly stopped after error responses
  • bcrypt failures in CreateUser handler now return errors instead of proceeding silently
  • GetInfraDetails resolver now enforces ValidateRole error checks and guards against empty ExperimentDetails slice panics
  • UI state synchronization for queued experiments fixed via GraphQL
  • Probe uniqueness check added to prevent duplicates
  • Username validation checks fixed
  • Makefile paths corrected for event-tracker and subscriber build targets
  • Test coverage expanded with fuzz and unit tests for ChaosHub GitOps, subscriber labels, image registry, and MongoDB operator logic
Source

Thanos

ObservabilityJul 8, 2026

Thanos v0.42.0 is a mixed release: it patches a critical gRPC authorization-bypass vulnerability (CVE-2026-33186, CVSS 9.1) that could defeat path-based deny rules, alongside several breaking flag removals in Receive and Store, a gRPC keepalive policy change, and a batch of new TLS/cipher configuration options. Upgrade promptly for the security fix, but review the removed flags and renamed Query-Frontend field before rolling out.

  • securityFix critical gRPC authorization bypass (CVE-2026-33186)

    A malformed `:path` header in gRPC requests can bypass path-based "deny" rules in `grpc/authz` interceptors, effectively defeating authorization checks. Fixed via an updated `thanos-community/grpc-go` fork. CVSS 9.1, critical, tracked as CVE-2026-33186. Upgrade to v0.42.0 immediately if you rely on gRPC path-based authorization.

  • breakingReceive: --shipper.ignore-unequal-block-size removed

    `--shipper.ignore-unequal-block-size` is gone. TSDB now delays compaction until the shipper finishes uploading blocks, so compaction can safely proceed during upload without the risk this flag used to guard against. Remove any references to it from Receive configs.

  • breakingStore: --debug.advertise-compatibility-label removed

    `--debug.advertise-compatibility-label` is gone and Store no longer advertises the `@thanos_compatibility_store_type=store` external label by default. This breaks compatibility with Thanos Query instances older than v0.8.0; upgrade Queriers first if you still run pre-v0.8.0 components.

  • breakingQuery-Frontend: time_taken field renamed to time_taken_ms

    The Query-Frontend JSON field `time_taken` is now `time_taken_ms`, aligning naming with its unit for easier log parsing. Update any log collector rules or dashboards that key off the old field name.

Key changes (8)
  • Critical: gRPC authorization bypass via malformed :path headers fixed (CVE-2026-33186, CVSS 9.1) by bumping the thanos-community/grpc-go fork
  • Breaking: Receive drops --shipper.ignore-unequal-block-size; TSDB now delays compaction until shipper upload completes instead
  • Breaking: Store drops --debug.advertise-compatibility-label, no longer advertising the store-type compatibility label by default (breaks pre-v0.8.0 Query compatibility)
  • Breaking: Query-Frontend JSON field time_taken renamed to time_taken_ms
  • All gRPC servers now enforce a KeepaliveEnforcementPolicy with MinTime 10s, matching client keepalive interval
  • New TLS/cipher configuration options added across components: --grpc-server-tls-ciphers/-curves, Receive's remote-write TLS cipher/curve flags, and per-endpoint TLS support in Query
  • Several bugfixes: exemplar proxy label stripping in multi-tier Query setups, OTLP tracing TLS config being ignored, a Query-Frontend panic in AnalyzesMerge, spurious Receive 503s on restart, and tenant ID path-traversal validation in Receive
  • Plus smaller enhancements: TSDB stats endpoint on Ruler/Sidecar gRPC servers, os.Root filesystem confinement for Receive/Compact/Sidecar, Rueidis SendToReplicas support, and S3 directory marker cleanup in Compactor
Source

OpenTelemetry

ObservabilityJul 7, 2026

OpenTelemetry Collector v0.156.0 is a bugfix rollup with one operator-relevant behavior change: the memory_limiter processor switches from continuous forced GC to exponential backoff, with the cap exposed via two new config fields. Several targeted fixes address permanent-error handling in otlp_http, receiver startup ordering, env var nil resolution, and retry config validation.

  • enhancementmemory_limiter GC backoff now configurable via two new fields

    The memory_limiter processor now backs off GC calls exponentially when GC is deemed ineffective (soft limit still exceeded and less than 5% memory reclaimed). The backoff cap is controlled by max_gc_interval_when_soft_limited and max_gc_interval_when_hard_limited, both defaulting to 30s. If you tune GC aggressiveness, review these new fields; the default behavior changes from continuous forced GC to capped backoff.

Key changes (7)
  • memory_limiter processor: forced GC now uses exponential backoff when ineffective, capped by new fields max_gc_interval_when_soft_limited and max_gc_interval_when_hard_limited (default 30s each)
  • otlp_http exporter: parse errors on truncated 2xx response bodies are now permanent errors, preventing duplicate exports on retry
  • pkg/service: receivers now start only after all other components have fully initialized, fixing a race with shared-implementation receivers like OTLP
  • env provider: an unset variable with ${env:VAR:-} syntax now resolves to empty string instead of nil
  • configretry BackOffConfig fields validated regardless of the Enabled flag
  • memory_limiter processor now emits componentstatus health events reflecting its current state
  • mdatagen enhancements: stability levels for resource attributes, semantic convention references, field_name option in go_struct, enum validator support, and distinct named Go types for primitive exported config schemas
Source

Prometheus

ObservabilityJul 1, 2026

Prometheus v3.13.0 is an LTS release leading with a HIGH-severity credential-forwarding fix (CVE-2025-4673, CVE-2023-45289) and a MEDIUM XSS fix (CVE-2026-44990), alongside four breaking changes to pagination tokens, path resolution, PromQL duration function names, and license file packaging, plus a broad set of new features and performance improvements.

  • securityHIGH: Credentials no longer forwarded on cross-host redirects

    Credentials (Authorization header, basic auth, bearer token, OAuth2, and configured headers) are no longer forwarded when following a redirect to a different host. This affects scraping, remote read/write, alerting, and service discovery where credentials are configured and cross-host redirects occur. Tracked as CVE-2025-4673 and CVE-2023-45289; driven by upgrading prometheus/common from v0.68.x to v0.69.0. Review any targets or endpoints that rely on redirects, as credentials will now be dropped silently on host change.

  • securityMEDIUM: XSS fix in UI dependency (CVE-2026-44990)

    sanitize-html was bumped to fix a cross-site scripting vulnerability (CVE-2026-44990) in the Prometheus UI. No configuration change needed; upgrade to v3.13.0.

  • breakingPagination token algorithm changed from SHA-1 to SHA-256

    Rule group pagination tokens now use SHA-256 instead of SHA-1. Any client or tooling that stores or compares pagination tokens across versions will see different token values after upgrade.

  • breaking--http.config.file relative path resolution changed

    Relative file paths inside the file passed to --http.config.file are now resolved relative to that config file's own directory, not its parent directory. If you use relative paths in that config, verify they still resolve correctly after upgrading.

  • breakingDuration-expression functions min()/max() renamed to min_of()/max_of()

    If you use the experimental-duration-expr feature flag, the PromQL duration functions min() and max() have been renamed to min_of() and max_of(). Update any queries or rules that use the old names.

  • breakingnpm_licenses.tar.bz2 removed; licenses now at /assets/third-party-licenses.txt

    npm_licenses.tar.bz2 is no longer shipped in release tarballs or container images. Third-party npm license text is now embedded in the binary and served at /assets/third-party-licenses.txt. Any automation that extracted that archive needs updating.

Key changes (8)
  • HIGH security fix: credentials (auth headers, bearer token, OAuth2, basic auth) dropped on cross-host redirects, fixing CVE-2025-4673 and CVE-2023-45289 via prometheus/common v0.69.0
  • MEDIUM security fix: sanitize-html bumped to patch XSS vulnerability CVE-2026-44990 in the UI
  • Breaking: rule group pagination tokens now SHA-256; stored tokens from older versions will differ
  • Breaking: --http.config.file relative paths now resolved relative to the config file's directory, not its parent
  • Breaking: duration-expression functions min()/max() renamed to min_of()/max_of() (experimental-duration-expr flag only)
  • Breaking: npm_licenses.tar.bz2 removed from tarballs/images; licenses served from /assets/third-party-licenses.txt in the binary
  • New experimental API search endpoints for metric names, label names, and label values; AWS RDS filtering; Scaleway VPC/IPAM-only instance support; native histogram smoothed/anchored rate; per-query samplesRead stats; Azure Monitor Workspace certificate support; container images on ghcr.io
  • Performance: case-insensitive prefix matching up to ~2x faster; per-sample chunk overhead down ~12-15%; V2 histogram WAL decoder allocations cut up to 50% (up to 10% memory reduction for native-histogram deployments with created-timestamp storage); plus multiple PromQL panic and TSDB corruption fixes
Source
Browse by month