RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

OpenTelemetry

Observability昨日2026年7月7日

OpenTelemetry Collector v0.156.0はバグ修正中心のリリースで、オペレータに影響する変更として、memory_limiterプロセッサが連続的な強制GCから指数バックオフに切り替わり、上限を2つの新設定フィールドで制御できるようになりました。otlp_httpの永続エラー処理、レシーバ起動順序、env変数のnil解決、リトライ設定バリデーションの修正も含まれます。

  • enhancementmemory_limiter: GCバックオフが新フィールドで設定可能に

    memory_limiterプロセッサは、GCが非効率と判断された場合(ソフトリミット超過かつ回収率5%未満)に指数バックオフでGC呼び出しを抑制するようになりました。バックオフの上限はmax_gc_interval_when_soft_limitedとmax_gc_interval_when_hard_limitedで設定でき、デフォルトはいずれも30sです。GCの積極性を調整している場合は、これら新フィールドを確認してください。

主な変更 (7)
  • memory_limiterプロセッサ: 非効率なGCに指数バックオフを導入。上限はmax_gc_interval_when_soft_limitedとmax_gc_interval_when_hard_limited(各デフォルト30s)で制御
  • otlp_httpエクスポータ: 切り詰められた2xxレスポンスボディのパースエラーを永続エラーとして扱い、重複エクスポートを防止
  • pkg/service: 他の全コンポーネントが起動完了してからレシーバを開始するよう修正(OTLPなど実装共有レシーバの競合を解消)
  • envプロバイダ: ${env:VAR:-}構文で未設定変数がnilではなく空文字列に解決されるよう修正
  • configretry BackOffConfigのバリデーションをEnabledフラグに関わらず常時実行
  • memory_limiterプロセッサがcomponentstatusヘルスイベントを発行するように
  • mdatagenの強化: リソース属性への安定レベルとセマンティック規約参照の追加、go_structへのfield_nameオプション、enumバリデータ対応、プリミティブ型の名前付きGoタイプ生成
原文

Prometheus

Observability2026年7月1日

Prometheus v3.13.0はLTSリリースで、HIGH深刻度の認証情報転送の脆弱性(CVE-2025-4673・CVE-2023-45289)とMEDIUM深刻度のXSS(CVE-2026-44990)への対応を筆頭に、ページネーショントークン、パス解決、PromQL期間関数名、ライセンスファイル配布の4つの破壊的変更、さらに多数の新機能とパフォーマンス改善を含みます。

  • securityHIGH: クロスホストリダイレクト時に認証情報が転送されなくなった

    リダイレクト先のホストが異なる場合、Authorizationヘッダー・Basic認証・Bearerトークン・OAuth2・カスタムヘッダーなどの認証情報が転送されなくなりました。スクレイプ・リモートread/write・アラート送信・サービスディスカバリのいずれも対象です。CVE-2025-4673とCVE-2023-45289として追跡されており、prometheus/commonのv0.68.xからv0.69.0への更新が起因です。クロスホストリダイレクトに依存するエンドポイントがあれば、認証情報がサイレントに落ちることを確認してください。

  • securityMEDIUM: UI依存ライブラリのXSS修正(CVE-2026-44990)

    UIのsanitize-htmlライブラリにXSS脆弱性(CVE-2026-44990)が存在していたため、バージョンを更新して修正しました。設定変更は不要で、v3.13.0へのアップグレードで対処されます。

  • breakingページネーショントークンのアルゴリズムがSHA-1からSHA-256に変更

    ルールグループのページネーショントークン生成がSHA-1からSHA-256に変わりました。旧バージョンで取得したトークンを保持・比較しているクライアントやツールは、アップグレード後に値が変わります。

  • breaking--http.config.fileの相対パス解決先が変更

    --http.config.fileに渡すファイル内の相対パスが、親ディレクトリではなくそのconfigファイル自身のディレクトリを基準に解決されるようになりました。相対パスを使っている場合は、アップグレード後にパスが正しく解決されるか確認してください。

  • breaking期間表現関数min()/max()がmin_of()/max_of()に改名

    experimental-duration-exprフィーチャーフラグを有効にしている場合、PromQLの期間表現関数min()とmax()がmin_of()とmax_of()に改名されました。これらを使用しているクエリやルールを更新してください。

  • breakingnpm_licenses.tar.bz2を廃止、ライセンスは/assets/third-party-licenses.txtへ移行

    リリースtarballおよびコンテナイメージからnpm_licenses.tar.bz2が削除されました。サードパーティnpmライセンス情報はバイナリに埋め込まれ、/assets/third-party-licenses.txtで提供されます。このアーカイブを展開している自動化処理があれば修正が必要です。

主な変更 (8)
  • HIGH深刻度: クロスホストリダイレクト時の認証情報転送を停止、CVE-2025-4673・CVE-2023-45289に対応(prometheus/common v0.69.0へ更新)
  • MEDIUM深刻度: sanitize-htmlを更新してUIのXSS脆弱性CVE-2026-44990を修正
  • 破壊的変更: ルールグループのページネーショントークンがSHA-256に変わり、旧トークンとの互換性なし
  • 破壊的変更: --http.config.fileの相対パスが親ディレクトリでなくconfigファイルのディレクトリ基準に変更
  • 破壊的変更: 期間表現関数min()/max()がmin_of()/max_of()に改名(experimental-duration-exprフラグ使用時のみ)
  • 破壊的変更: npm_licenses.tar.bz2をtarball/イメージから削除、バイナリ内の/assets/third-party-licenses.txtで提供
  • 新機能: メトリクス名・ラベル名・ラベル値の実験的APIサーチエンドポイント追加、AWS RDSフィルタリング、Scaleway VPC/IPAM対応、ネイティブヒストグラムのsmoothed/anchored rate、クエリ単位のsamplesRead統計、Azure Monitor Workspace証明書対応、ghcr.ioへのイメージ公開
  • パフォーマンス: 大文字小文字を区別しない前置マッチ最大約2倍高速化、チャンク書き込みのサンプル単位オーバーヘッド約12-15%削減、V2ヒストグラムWALデコーダのアロケーション最大50%削減(created-timestamp有効時はメモリ最大10%減); PromQLパニックおよびTSDB破損の複数修正も含む
原文

OpenCost

Observability2026年6月26日

This is a routine patch release for OpenCost, dominated by bug fixes for GPU pricing, data races, and Azure Windows pricing, plus a new STACKIT provider integration. There are no breaking changes, deprecations, or CVE fixes in this release.

主な変更 (7)
  • Several data-race and stability fixes: cloudcost Status coverage read is now guarded and the ClusterMap ticker is stopped to prevent leaks, customcost Status() copies its coverage map, and GPUAllocation.Equal now compares pointer field values correctly
  • On-demand pricing is now OS-aware for Azure Windows nodes, correcting pricing calculations that previously used the wrong base rate
  • Custom provider GPU default pricing is fixed, and a nil filter guard was added to prevent a crash
  • Cloud pricing HTTP clients now have timeouts to prevent hangs
  • STACKIT added as a supported cloud provider
  • New queryProjectID field on BigQueryConfiguration, plus GKE Workload Identity Federation support for accessing Provider Pricing Data
  • Smaller items: step parameter exposed in the get_efficiency tool, Bingen 0.1.1 streaming writer support, UI build tooling switched from parcel to react-router/vite, Dockerfile.debug restored for Tilt, and reduced log verbosity for spot price auth failures
原文

Fluentd

Observability2026年6月25日

Fluentd v1.19.3 is a security and hardening patch that tightens input validation in out_http, buffer/in_http, and output tag handling, and locks down default access for in_monitor_agent and in_debug_agent. The rest of the release is routine bug fixes and small dependency/CI cleanup.

  • securityStricter input validation across out_http, buffer/in_http, and output tag paths

    Applies unconditionally in v1.19.3. out_http now strictly validates hostnames for dynamic endpoints, buffer and in_http enforce size limits on decompressed payloads, and output enforces strict path boundary checks on tag values. Together these close off request-smuggling and decompression-bomb style abuse paths; review any configs that build hosts, tags, or payload sizes from untrusted input.

  • breakingin_monitor_agent and in_debug_agent defaults now expose less by default

    Applies unconditionally in v1.19.3. in_monitor_agent changes default visibility of config, retry, and debug info, and in_debug_agent now accepts connections only from the local machine by default. If you relied on remote access to either agent or exposed their full output externally, update firewall rules or explicit config options to restore the access you need.

主な変更 (7)
  • Security hardening (medium severity): strict host validation in out_http for dynamic endpoints.
  • Security hardening (medium severity): buffer and in_http enforce size limits on decompressed payloads, closing a decompression-bomb style risk.
  • Security hardening (medium severity): output enforces strict path boundary validation on tag values.
  • Default access change: in_monitor_agent now restricts default visibility of config, retry, and debug info.
  • Default access change: in_debug_agent accepts connections only from the local machine by default.
  • Bug fixes: storage_local non-ASCII read encoding error, parser_csv now skips empty/unparseable lines, out_forward stops reusing closed keepalive sockets, buffer resumes correctly with square brackets in its path.
  • Plus minor items: win32-registry added as a Ruby 4.1 runtime dependency, a duplicated word removed from an error message, a shorter Windows shutdown timeout check, a timekey default warning, an antivirus exclusion doc note, and various CI fixes.
原文

OpenTelemetry

Observability2026年6月24日

v0.155.0 is a breaking-change release for operators: seven stabilized feature gates are removed, memory_limiter metrics get a new prefix, and two config/service APIs are deprecated in favor of snapshot-based replacements. The rest is tooling work on mdatagen and the newly relocated schemagen CLI.

  • breakingSeven stabilized feature gates removed

    Applies to any collector build referencing confighttp.framedSnappy, configoptional.AddEnabledField, confmap.newExpandedValueSanitizer, exporter.PersistRequestContext, otelcol.printInitialConfig, telemetry.UseLocalHostAsDefaultMetricsAddress, or pdata.enableRefCounting via --feature-gates flags or config. These gates are gone in v0.155.0; startup will fail if they're still referenced. Drop them from your CLI args and config before upgrading.

  • breakingmemory_limiter metrics renamed with processor prefix

    Applies to anyone scraping or alerting on otelcol_processor_* metrics from the memory_limiter processor. They're renamed to otelcol_processor_memory_limiter_* to disambiguate from other processors. Update dashboards, alert rules, and metric queries to the new names.

  • breakingmdatagen reaggregation_enabled setting removed

    Applies to custom components using mdatagen metadata.yaml with reaggregation_enabled. The setting is removed; per-metric reaggregation config is now always generated. Old files with the field are still accepted but the value is ignored, so check generated output matches expectations.

  • breakingConfig watcher APIs deprecated for snapshot-based equivalents

    Applies to extension or core code using service.Settings.CollectorConf or extensioncapabilities.ConfigWatcher. Both are deprecated in favor of service.Settings.ConfigSnapshot and extensioncapabilities.ConfigSnapshotWatcher. No forced migration yet, but plan to move to the snapshot-based APIs.

主な変更 (8)
  • Seven stabilized feature gates removed outright: confighttp.framedSnappy, configoptional.AddEnabledField, confmap.newExpandedValueSanitizer, exporter.PersistRequestContext, otelcol.printInitialConfig, telemetry.UseLocalHostAsDefaultMetricsAddress, pdata.enableRefCounting. Any explicit reference to these will now fail.
  • memory_limiter processor metrics renamed to otelcol_processor_memory_limiter_* prefix, breaking existing dashboards and alerts built on the old names.
  • mdatagen's reaggregation_enabled metadata setting is removed; reaggregation config is now generated per-metric unconditionally (old files are tolerated but the field is ignored).
  • service.Settings.CollectorConf and extensioncapabilities.ConfigWatcher are deprecated in favor of ConfigSnapshot and ConfigSnapshotWatcher.
  • schemagen CLI moved from opentelemetry-collector-contrib into this repo as cmd/schemagen, and now supports an overlayFile for merging hand-curated schema fragments, a -p flag for custom Go package patterns, a -m component|package override, and fixed mode detection for external packages.
  • mdatagen gains versioned metrics support (for migrating metric names/types/attributes to new semantic conventions) and fixes: no more stale files after removing the last feature gate, correct acronym capitalization in generated identifiers.
  • pdata JSONUnmarshaler adds a DisallowUnknownFields option (off by default) to strictly reject unknown OTLP JSON fields, trading forward compatibility for stricter validation when enabled.
  • Middleware config (pkg/config/configmiddleware) migrated to a schema-based definition.
原文

Prometheus

Observability2026年6月18日

Prometheus v3.5.4 is a security-focused patch: fixes a secret-exposure bug in STACKIT SD and bumps several Go/UI dependencies to patch known CVEs. Upgrade promptly.

  • securityRotate STACKIT SD credentials if you use that SD

    The /-/config endpoint was exposing STACKIT service discovery secrets in plaintext. If your Prometheus instance uses STACKIT SD and /-/config was reachable by anyone other than admins, assume those credentials are compromised and rotate them. Upgrade to v3.5.4 immediately, then restrict access to /-/config behind authentication.

  • securityUpgrade to patch three Go CVEs in golang.org/x/net and OpenTelemetry

    GO-2026-5026, GO-2026-4918, and GO-2026-4985 are addressed by bumping golang.org/x/net to v0.55.0 and OpenTelemetry to v1.43.0. If you run Prometheus exposed to untrusted network traffic, this upgrade should not wait for your next maintenance window.

  • enhancementghcr.io image publishing available as an alternative pull source

    Prometheus images are now also on ghcr.io. If your environment has rate-limit or access issues with Docker Hub, you can switch your image pull source to ghcr.io/prometheus/prometheus without waiting for a feature release.

主な変更 (4)
  • STACKIT SD leaked secrets in plaintext via /-/config endpoint (GHSA-39j6-789q-qxvh) — now fixed
  • golang.org/x/net and OpenTelemetry bumped to patch GO-2026-5026, GO-2026-4918, GO-2026-4985
  • UI dependencies (react-router-dom, vite, vitest, postcss) updated to patched versions
  • Container images now published to ghcr.io in addition to existing registries
原文

Litmus

Observability2026年6月17日

Litmus 3.30.0 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

Chaos Mesh

Observability2026年6月10日

Chaos Mesh v2.8.3 is a security-focused patch: critical/high CVEs addressed via Go 1.25.11 and containerd 1.7.32 upgrades, plus a NetworkChaos recovery bug fix.

  • securityUpgrade to v2.8.3 to patch critical/high CVEs

    The Go toolchain and containerd in the container images had critical/high CVEs. If you're running Chaos Mesh on release-2.8, upgrade to v2.8.3 now. No config changes needed — this is a drop-in image update.

  • breakingVerify NetworkChaos experiments involving crash-looping pods

    NetworkChaos recovery previously failed when the target container was in CrashLoopBackOff. v2.8.3 fixes this by falling back to the pause container's PID. If your test environments include intentionally crash-looping workloads, re-run those experiments to confirm recovery behaves correctly after the upgrade.

主な変更 (5)
  • Go toolchain upgraded to 1.25.11 and containerd to 1.7.32 to patch critical/high container image CVEs
  • memStress helper rebuilt with updated Go toolchain (v0.3.1)
  • chaos-daemon image switched to headless JRE, reducing attack surface
  • NetworkChaos recovery now falls back to sandbox (pause) container PID when the target is in CrashLoopBackOff
  • Deprecated wait.PollImmediate replaced with wait.PollUntilContextTimeout in e2e tests
原文

OpenTelemetry

Observability2026年6月9日

OTel Collector v0.154.0 fixes a startup crash in exporterhelper and changes --skip-get-modules behavior. Two minor enhancements add TLS and CORS config options.

  • securityinclude_insecure_cipher_suites is opt-in — keep it that way

    The new configtls option lets you re-enable weak cipher suites, but they stay disabled by default. Do not set include_insecure_cipher_suites: true in production unless you're forced to by a legacy peer — and if you are, treat it as a temporary workaround and track it.

  • breakingCheck custom build pipelines using --skip-get-modules

    If your OCB-based build scripts pass --skip-get-modules expecting go.mod to be regenerated as a side effect, that no longer happens. Audit any CI pipelines that relied on this implicit behavior and add an explicit go mod tidy step if needed.

  • enhancementUpgrade if you use sending_queue with sizer enabled

    The nil-pointer panic fix in exporterhelper is critical for anyone who sets sending_queue.sizer alongside batch.enabled: false. If your collector was crashing on startup in this config, v0.154.0 resolves it — upgrade directly.

主な変更 (5)
  • cmd/builder: --skip-get-modules no longer rewrites go.mod — it now truly skips module operations as documented
  • pkg/exporterhelper: fixes nil-pointer panic at startup when sending_queue.sizer is set and sending_queue.batch.enabled is false
  • pkg/config/configtls: new include_insecure_cipher_suites option, disabled by default
  • pkg/confighttp: CORSConfig gains ExposedHeaders field to control Access-Control-Expose-Headers response header
  • cmd/mdatagen: numeric validators (minimum, maximum, exclusiveMinimum, exclusiveMaximum) now supported in generated config structs
原文

Cortex

Observability2026年6月6日

v1.21.1 is a security-focused patch release addressing findings from a formal security audit, including XSS, gzip bomb, and memory amplification vulnerabilities — upgrade immediately.

  • securityUpgrade immediately — multiple audit findings patched

    This release backports fixes from a formal security audit (V01–V07). The vulnerabilities include a stored XSS on status pages, a gzip bomb in the OTLP ingestion path, memory amplification via malformed native histogram payloads, and gossip port exposure to flood/OOM attacks. These are not theoretical — they are exploitable by any client that can reach your Cortex endpoints. Upgrade to v1.21.1 now. After upgrading, review your -distributor.otlp-max-recv-msg-size setting; the default may be too permissive depending on your ingest volume.

  • securityAudit your /config endpoint exposure

    Prior to this release, Swift, etcd, Redis, and HTTP basic-auth credentials were exposed in plaintext on the /config endpoint. If that endpoint was accessible to internal users or scraping systems, treat those credentials as compromised and rotate them. Going forward, restrict /config access via network policy or auth middleware regardless of masking.

  • enhancementHarden memberlist gossip with new bounding flags

    Three new flags (-memberlist.packet-read-timeout, -memberlist.max-packet-size, -memberlist.max-concurrent-connections) cap inbound gossip TCP behavior. The defaults are reasonable, but if your Cortex cluster is exposed to less-trusted network segments or you've seen gossip-related OOM events, tune these explicitly. Add them to your Helm values or config management before the next planned maintenance window.

主な変更 (7)
  • Stored XSS fixed in Alertmanager and Store Gateway status pages (text/template replaced with html/template)
  • Gzip decompression now capped by -distributor.otlp-max-recv-msg-size to prevent decompression bomb attacks
  • Native histogram protobuf size limited to 16 KB by default via -validation.max-native-histogram-size-bytes to block memory amplification
  • Memberlist gossip port hardened with new flags for packet read timeout, max packet size, and max concurrent connections
  • Credentials for Swift, etcd, Redis, and HTTP basic-auth are now masked on the /config endpoint
  • PushStream requests with mismatched TenantID are rejected; HMAC-SHA256 stream auth added via -distributor.sign-write-requests-keys
  • Panic fixed when grpc_compression is set to snappy on ingester or store-gateway clients
原文

Jaeger

Observability2026年6月3日

v2.19.0 ships the new /api/v3/trace-summaries endpoint and migrates the UI search to use it, plus TLS for ClickHouse and a configurable gRPC max message size.

  • breakingUI search migration to /api/v3/trace-summaries requires compatible backend

    The UI now exclusively uses /api/v3/trace-summaries for search results. If you run a custom or older storage backend via the gRPC storage plugin, it must implement the SummaryReader interface or the fallback full-trace aggregation path kicks in. Verify your storage plugin supports this before upgrading. If you pin the UI separately from the backend, do not upgrade the UI to this version without also upgrading the backend to v2.19.0.

  • breakingRename query.num_traces to query.search_depth in any API v3 clients

    Any scripts, dashboards, or integrations that pass query.num_traces to the v3 API will still work via the deprecated alias, but you should migrate to query.search_depth now. The deprecated alias will eventually be removed. Also check for snake_case HTTP query params — camelCase is now the canonical form, with snake_case kept as deprecated aliases.

  • enhancementSet max_recv_msg_size_mib if you see gRPC message size errors in remote storage

    Teams using the gRPC remote storage plugin with large traces often hit the default gRPC message size cap. The new max_recv_msg_size_mib config option on the gRPC storage client lets you raise this limit explicitly. If you've been seeing 'received message larger than max' errors from your storage backend, configure this value in your Jaeger deployment config to fix it without workarounds.

  • enhancementEnable TLS for ClickHouse storage in production

    The ClickHouse storage plugin now supports TLS configuration. If you're running ClickHouse as a Jaeger backend in any environment where the connection crosses a network boundary, configure TLS now rather than relying on network-level controls alone.

主な変更 (6)
  • UI search now calls /api/v3/trace-summaries instead of fetching full traces — this is a breaking UI change requiring a backend that supports the new endpoint
  • New GET /api/v3/trace-summaries HTTP endpoint and matching gRPC FindTraceSummaries handler for lightweight search results without full trace payloads
  • query.num_traces renamed to query.search_depth in API v3; old name kept as deprecated alias — update any tooling or scripts using the old parameter
  • ClickHouse storage plugin now supports TLS configuration
  • gRPC storage client gains max_recv_msg_size_mib config to handle large trace payloads that previously hit message size limits
  • Elasticsearch index templates now include missing scope and link fields — existing indices may need reindexing
原文

OpenCost

Observability2026年5月30日

v1.120.3 patches two Go CVEs and ships a wide range of bug fixes across AWS, Azure, Oracle, and DigitalOcean providers, plus OVH support and cosign image signing.

  • securityPatch vulnerable Go dependencies — upgrade immediately

    A Go dependency update patches GHSA-xmrv-pmrh-hhx2 and CVE-2026-34986. If you're running any v1.120.x release prior to v1.120.3, upgrade now — these are dependency-level vulnerabilities, not just code changes.

  • breakingMCP server is now opt-in — check your config before upgrading

    The MCP server now defaults to disabled (MCP_SERVER_ENABLED=false). If you were relying on it being on by default, set the env var explicitly after upgrading. Check your deployment manifests before rolling out.

  • enhancementEnable cosign image verification in your admission pipeline

    Container images are now signed with cosign keyless signing and include SLSA provenance attestations. If your admission policy requires image signature verification, you can now enforce it against OpenCost images. Update your policy tooling (e.g., Kyverno, Cosign verify) to validate these attestations in CI or at deploy time.

主な変更 (7)
  • Security: vulnerable Go dependencies patched (GHSA-xmrv-pmrh-hhx2, CVE-2026-34986)
  • MCP server now opt-in via MCP_SERVER_ENABLED=false default
  • OVH cloud provider added; DigitalOcean and Oracle/Karpenter pricing fixes
  • AWS Spot Price History API now cached; toggle added to disable spot data feed entirely
  • Memory leak fixed in scrape target parsing; CPU usage counter overflow protection added
  • Container images now signed with cosign and include SLSA provenance attestations
  • CUR 2.0 support added for AWS cost data ingestion
原文

Prometheus

Observability2026年5月29日

Prometheus 3.12.0 ships two security patches (Remote Write DoS, STACKIT SD secret leak), fixes a WAL race in Agent mode, and cuts TSDB range query CPU with a quadratic-to-constant head chunk lookup fix.

  • securityPatch two security fixes now — especially if using STACKIT SD

    Two CVEs patched in this release. First: Remote Write now rejects snappy-compressed payloads where the declared decoded size exceeds 32 MB — this closes a DoS vector against your remote-write receiver endpoint. Second: STACKIT SD was leaking secrets in plaintext via the `/-/config` endpoint (GHSA-39j6-789q-qxvh). If you use STACKIT SD, rotate any credentials that may have been exposed before upgrading.

  • breakingAgent mode WAL race and remote_write panic bug fixed — upgrade Agent deployments

    A race condition in the agent appender could produce duplicate in-memory series and duplicate WAL records when concurrent appends target the same label set. If you run Prometheus in Agent mode under high write concurrency, this bug could silently corrupt your WAL. Upgrade to 3.12.0 to fix it. Also, `remote_write` queue_config fields are now validated at load time — misconfigurations that previously caused silent runtime panics will now fail at startup, which is the right behavior but means you should test configs before rolling out.

  • enhancementTSDB range query CPU cut and auto-reload-config is now stable

    TSDB head chunk lookup in range queries drops from quadratic to constant time, and mmap operations now skip series that don't need work. At production scale with large head chunks, this can meaningfully cut CPU. No config changes needed — just upgrade. Separately, `auto-reload-config` is now stable (no longer experimental), so you can drop any caveats around it in runbooks.

主な変更 (18)
  • Security: Remote Write rejects snappy payloads with decoded size over 32 MB (DoS fix); STACKIT SD secret leak via /-/config endpoint patched (GHSA-39j6-789q-qxvh)
  • TSDB performance: head chunk range query lookup is now O(1) instead of O(n²); mmap skips clean series, reducing CPU at scale
  • PromQL: new experimental functions start(), end(), range(), step(); rate()/irate()/increase()/resets() updated to use start timestamps behind the use-start-timestamps feature flag
  • Service Discovery: DigitalOcean Managed Databases and Outscale VM added; AWS EC2 SD gains IPv6 support; AWS SD gets optional external_id for ECS/MSK/RDS/ElastiCache
  • Bug fixes: agent WAL race condition patched; scrape panics on malformed histograms fixed; TSDB native histogram query panic fixed; remote_write queue_config now validated at startup
  • UI: time series deletion and tombstone cleanup now available from the Status menu
  • auto-reload-config promoted to stable
  • OTLP gzip body size now capped to prevent decompression abuse
  • SD target updates propagate faster via dynamic backoff instead of static 5s interval
  • Consul SD health_filter fix for Catalog-only fields like ServiceTags
  • prometheus_sd_refresh and prometheus_sd_discovered_targets metrics cleaned up when scrape jobs are removed
  • PromQL warns when sort/sort_by_label used in range queries (no-op in that context)
  • sort/sort_by_label warning in range queries, NaN/infinite duration expressions now rejected
  • Scrape: st-synthesis feature flag added to synthesize start timestamps for cumulative metrics when using Remote Write 2.0
  • promtool query instant gains --header flag
  • aix/ppc64 compilation target added
  • /api/v1/status/self_metrics endpoint added
  • Tracing: OTLP HTTP insecure startup failure fixed
原文

OpenTelemetry

Observability2026年5月25日

v0.153.0 stabilizes seven feature gates (breaking), fixes a critical memory corruption bug in gRPC Snappy compression, and ships several mdatagen enhancements for component authors.

  • securityUpgrade immediately if you use gRPC with Snappy compression

    The Snappy fix in configgrpc addresses memory corruption that can cause fatal errors — this is a process-crash-level issue, not just a performance concern. If your exporters or receivers use gRPC with Snappy compression enabled, treat this as a priority upgrade. Check your exporter configs for compression: snappy settings.

  • breakingAudit your feature gate overrides before upgrading

    All seven stabilized gates are now permanent behavior — you can no longer toggle them. If your collector config or startup flags reference configoptional.AddEnabledField, confmap.newExpandedValueSanitizer, exporter.PersistRequestContext, otelcol.printInitialConfig, pdata.useCustomProtoEncoding, telemetry.UseLocalHostAsDefaultMetricsAddress, or pdata.enableRefCounting, remove those references or the collector will fail to start. The metrics address change (UseLocalHostAsDefaultMetricsAddress) is the one most likely to surprise teams — your metrics endpoint is now localhost-bound by default.

  • breakingmdatagen reaggregation config is now on by default

    If you maintain custom collector components using mdatagen, the reaggregation config fields are now generated by default. To preserve the old behavior (metrics config with only the enabled field), explicitly set reaggregation_enabled: false in your metadata.yaml. Run mdatagen on your components after upgrading and review the generated output before committing.

主な変更 (5)
  • Seven feature gates stabilized and removed — including telemetry.UseLocalHostAsDefaultMetricsAddress, otelcol.printInitialConfig, and pdata.enableRefCounting — meaning any code still gating on these will break
  • Critical bug fix: memory corruption and fatal error in configgrpc's Snappy compression (CVE-adjacent, upgrade immediately if you use gRPC with Snappy)
  • pdata.useCustomProtoEncoding feature gate fully removed — no opt-out path remains, custom proto encoding is now always on
  • mdatagen now generates config documentation tables injected into README.md automatically, and enables reaggregation config generation by default
  • New Walker interface in xextension/storage enables storage migration and TTL-based garbage collection patterns
原文

OpenTelemetry

Observability2026年5月20日

v0.152.1 is a bug-fix-heavy release with one useful new metric. The most operationally impactful changes are snappy decompression security fixes and a Prometheus metric naming regression fix.

  • securityconfighttp snappy fixes limit memory exposure from compressed payloads

    Three snappy decompression fixes land in `pkg/confighttp`: body is now closed after reading, panics in decompression libraries return HTTP 400 instead of crashing with 500, and `max_request_body_size` is enforced before the decoded buffer is allocated. The size-check fix in particular prevents a potential memory spike from a maliciously crafted compressed payload. If you accept compressed OTLP over HTTP from untrusted sources, upgrade.

  • breakingPrometheus metric name format may change if you customized telemetry host

    If you explicitly set the `host` field in the telemetry metrics section of your collector config, check whether your Prometheus metric names changed after upgrading to recent versions. The bug caused `WithoutScopeInfo`, `WithoutUnits`, and `WithoutTypeSuffix` to default to false instead of true in that code path, which means your metrics may have had unexpected suffixes or scope labels. This release restores the correct defaults — metric names may shift again on upgrade, so update dashboards and alerts accordingly.

  • enhancementAdd in-flight exporter metric to your dashboards

    The new `otelcol_exporter_in_flight_requests` UpDownCounter metric is available in `pkg/exporterhelper`. Add it to your dashboards to see when exporters are queuing up requests or saturating worker pools — it's a direct signal of export backpressure that was previously hard to observe without custom instrumentation.

主な変更 (7)
  • New `otelcol_exporter_in_flight_requests` metric tracks concurrent export requests per exporter, useful for detecting worker pool saturation
  • Three `pkg/confighttp` fixes for snappy decompression: panic recovery (now returns 400), body cleanup, and pre-allocation size enforcement
  • `pcommon.Value.AsString` no longer HTML-escapes `<`, `>`, `&` in map and slice values — output may change if you relied on escaped output
  • Noisy gRPC disconnect messages (`connection reset by peer`) no longer emit at WARN level during normal client disconnects
  • Prometheus config default mismatch fixed: explicitly setting telemetry host no longer silently changes metric name format
  • Return noop tracer provider when no trace processors are configured, avoiding unnecessary overhead
  • API: `xconfmap.Validator` deprecated; migrate to `confmap.Validator` and `confmap.Validate`
原文

OpenCost

Observability2026年5月19日

v1.120.2 is a substantial release with security fixes, memory leak patches, AWS CUR 2.0 support, OVH cloud provider, and supply chain security improvements via cosign image signing.

  • securityUpgrade immediately for CVE-2026-34986 fix

    This release patches GHSA-xmrv-pmrh-hhx2 and CVE-2026-34986 in Go dependencies. If you're running any prior v1.120.x or v1.119.x version, upgrade to v1.120.2 now. Check your vulnerability scanner output to confirm the affected packages are resolved post-upgrade.

  • enhancementVerify cosign image signatures in your admission pipeline

    OpenCost images are now signed with cosign keyless signing and include SLSA provenance attestations. If your cluster uses an admission controller (e.g., Kyverno, Connaisseur), add a policy to enforce signature verification on opencost images. This closes a real supply-chain gap for teams running OpenCost in regulated environments.

  • enhancementEnable AWS CUR 2.0 and tune spot data feed behavior

    If your AWS billing is already on CUR 2.0, you can now configure OpenCost to use it directly. Additionally, if you don't use the AWS spot data feed, set the new toggle to disable it — this suppresses noisy warnings and avoids unnecessary config polling. Teams with spot-heavy workloads should also benefit from the new spot price API caching layer reducing API call volume.

主な変更 (5)
  • Security: Patched vulnerable Go dependencies (GHSA-xmrv-pmrh-hhx2, CVE-2026-34986) — upgrade promptly
  • AWS CUR 2.0 support added, plus a configurable toggle to disable the spot data feed and spot price API caching
  • Memory leak fixed in scrape target parsing; CPU counter overflow/reset protection added
  • Container images now signed with cosign keyless signing and SLSA provenance attestation
  • OVH cloud provider added; PV pricing can now be set via annotations; PV capacity parsing fixed for Ki/Mi/Gi/Ti units
原文

Litmus

Observability2026年5月19日

Litmus 3.29.0 patches a gRPC CVE, fixes duplicate chaos triggers under concurrent reconciles, and adds Prometheus metrics support for experiment observability.

  • securityPatch CVE-2026-33186 by upgrading to 3.29.0 now

    The gRPC library was upgraded to v1.79.3 to fix CVE-2026-33186. If you're running any Litmus version prior to 3.29.0, your control plane is exposed. Upgrade immediately — this isn't a 'schedule it next sprint' situation.

  • breakingVerify event-tracker behavior after the duplicate-trigger fix

    The fix for duplicate chaos experiment triggers under concurrent reconciles changes how the event-tracker handles race conditions. If you rely on the event-tracker for automated chaos injection, test your pipelines post-upgrade to confirm expected trigger counts. Duplicate runs may have been masking gaps in your experiment coverage.

  • enhancementWire up Prometheus metrics to your existing dashboards

    Prometheus metrics are now natively exposed by ChaosCenter. The release includes a getting-started guide and unit tests, so integration is straightforward. Add Litmus as a scrape target and start tracking experiment pass/fail rates, run durations, and infra connectivity — this fills a long-standing observability gap for chaos workflows.

主な変更 (5)
  • Security: gRPC bumped to v1.79.3 to address CVE-2026-33186
  • Bug fix: concurrent reconciliation no longer triggers duplicate chaos experiments via the event-tracker
  • New feature: Prometheus metrics added to ChaosCenter for experiment observability, with unit tests and a getting-started guide
  • Bug fix: experiments can now be stopped even when the connected infra is disconnected
  • Bug fix: CronWorkflow run history no longer shows a blank page in the UI
原文

Jaeger

Observability2026年5月14日

Jaeger v2.18.0 brings two breaking changes (OTEL metrics overhaul and removed min-step API), useful header-forwarding for ES/OpenSearch, and a massive UI refactor migrating state management from Redux to Zustand.

  • breakingAudit your metrics dashboards before upgrading

    The OTEL collector package upgrade changed metric names and shapes. Before upgrading, compare your current Jaeger metrics against the new ones by running both versions in parallel or checking the PR diff. Any Grafana dashboards, Prometheus alerts, or monitoring rules built on Jaeger's internal metrics need to be reviewed and updated. The min_step removal is a smaller blast radius — only affects custom tooling that calls the metricstore API directly — but still requires a code or config change before upgrading.

  • enhancementUse header forwarding if you authenticate ES/OpenSearch with custom headers

    If your Elasticsearch or OpenSearch cluster requires auth headers beyond basic username/password (e.g., custom JWT, IAM proxy headers), configure the new header-forwarding feature. This also helps in multi-tenant setups where storage routing depends on request headers. Configure via the storage backend settings in jaeger-query or the gRPC storage plugin config.

  • enhancementEvaluate ClickHouse as a storage backend if you want SPM without Prometheus

    ClickHouse SPM support is experimental but now covers the full metrics trifecta: call rates, error rates, and latencies. TTL support is also added. If you're running ClickHouse already or want a single-store solution for both traces and metrics, this is the release to start testing against. Don't use it in production yet, but set up a staging environment to track maturity.

主な変更 (6)
  • Breaking: OTEL collector package upgrades changed metric names/shapes — dashboards and alerts referencing old metric names will break
  • Breaking: min_step API removed from metricstore — any tooling calling this endpoint needs updating
  • New: UI auto-detects base path from browser URL, removing the need to manually configure UI base paths in reverse-proxy setups
  • New: Configurable header forwarding to ES/OpenSearch and gRPC storage backends — useful for auth tokens and custom routing headers
  • Experimental: ClickHouse SPM (Service Performance Monitoring) now has call rates, error rates, and latencies, plus TTL support — the storage backend is maturing fast
  • UI breaking: Legacy browser support dropped — IE and very old Chromium/Firefox users will have problems
原文

OpenTelemetry

Observability2026年5月11日

v0.152.0 fixes a silent Prometheus metric name regression when telemetry host is customized, changes AsString HTML-escaping behavior for map/slice values, and adds an in-flight exporter requests metric.

  • breakingCheck Prometheus metric names if you customized telemetry host

    The Prometheus exporter boolean fields (WithoutScopeInfo, WithoutUnits, WithoutTypeSuffix) now default correctly when you explicitly set the telemetry host. Before this fix, those fields defaulted to false instead of true, so your metric names would silently change format. If you run a Collector with a custom telemetry host configured, verify your Prometheus metric names after upgrading — dashboards and alerts keyed on metric name format may need updating.

  • breakingAsString output change for map/slice values — check downstream consumers

    pcommon.Value.AsString no longer HTML-escapes <, >, and & in map and slice values. If your pipeline or downstream consumers were relying on escaped output (e.g., &lt; or &gt;) from attribute maps or slices, the raw characters will now appear instead. Audit any log parsers, attribute processors, or exporters that inspect string representations of map/slice values.

  • enhancementAdd otelcol_exporter_in_flight_requests to exporter dashboards

    A new UpDownCounter metric otelcol_exporter_in_flight_requests tracks concurrent export requests per exporter. Add it to your Collector dashboards to detect exporter worker pool saturation before it causes backpressure or dropped data. No config change needed — it emits automatically.

主な変更 (5)
  • New otelcol_exporter_in_flight_requests metric tracks concurrent in-flight export requests per exporter
  • pcommon.Value.AsString no longer HTML-escapes <, >, & in map/slice values — behavior now consistent with ValueTypeStr
  • Prometheus config defaults bug fixed: explicit telemetry host config no longer silently flips metric name format
  • pkg/confighttp: snappy decompression now enforces max_request_body_size before allocating buffer, and panics in decompression libs return HTTP 400 instead of 500
  • Noisy gRPC 'connection reset by peer' log lines no longer emit at WARN during normal client disconnects
原文

OpenTelemetry

Observability2026年4月29日

v0.151.0 has one API-level breaking change in the OTLP receiver config struct and changes the default behavior of the builder's go.mod generation. Dual-stack gRPC connection fixes and a pprofile data corruption fix are the most operationally relevant improvements.

  • breakingUpdate OTLP receiver config field access in custom collectors

    The OTLP receiver's Config.Protocols is now a named field — any code accessing cfg.GRPC or cfg.HTTP directly will fail to compile. Update those references to cfg.Protocols.GRPC and cfg.Protocols.HTTP before upgrading collector builds that embed or extend the OTLP receiver.

  • breakingCheck generated collector go.mod if you commit builder output

    cmd/builder now writes relative paths in Go module replace statements by default. For teams that build the collector, commit the generated source, and run it on multiple machines, this is an improvement. If you have tooling that depends on absolute paths (e.g., scripts parsing go.mod), set dist::use_absolute_replace_paths: true to preserve the old behavior while you migrate.

  • enhancementFix dual-stack DNS connection issues with passthrough gRPC resolver

    Teams running OTLP gRPC exporters in dual-stack DNS environments have reported connection issues since the grpc.NewClient migration. You can now work around this by setting the endpoint to passthrough:///host:port in your exporter config. If you've seen intermittent connection failures in IPv4/IPv6 mixed environments, try this first.

主な変更 (6)
  • cmd/builder: generated go.mod now uses relative replace paths by default; use dist::use_absolute_replace_paths to revert
  • receiver/otlp API: cfg.GRPC and cfg.HTTP must be accessed via cfg.Protocols.GRPC and cfg.Protocols.HTTP
  • configgrpc: passthrough:/// resolver scheme now accepted in endpoint field, fixing dual-stack DNS issues
  • pkg/pprofile: data corruption bug fixed in resource/scope attributes after marshal-unmarshal-merge round-trips
  • pkg/service: non-string resource attributes in telemetry config now return an error instead of panicking
  • framedSnappy feature gate in confighttp is now stable (no longer behind a flag)
原文

OpenCost

Observability2026年4月29日

v1.120.1 is a patch release focused on carbon cost fixes, AWS Spot pricing performance, memory optimization, and a security-relevant MCP server default change.

  • breakingCheck if MCP server was relied upon — it's now off by default

    The MCP server flipped from opt-out to opt-in. If any tooling or integrations depended on the MCP server being active without explicit configuration, they will silently stop working after this upgrade. Before deploying, audit whether MCP_SERVER_ENABLED needs to be explicitly set to true in your environment config.

  • enhancementAWS Spot users: Spot Price History caching reduces API pressure

    If you run workloads on AWS Spot instances, OpenCost was previously hitting the Spot Price History API more aggressively. The new caching layer cuts down on AWS API calls, which matters both for rate limiting and for cost attribution latency. No action required, but worth validating your Spot cost data accuracy after upgrading.

  • enhancementCarbon cost data was wrong — upgrade if you track emissions

    The carbon cost fixes address incorrect provider detection and broken fallback logic, meaning prior carbon cost figures may have been inaccurate. If you surface carbon/emissions data to teams or dashboards, re-baseline your metrics post-upgrade rather than comparing historical data across this version boundary.

主な変更 (5)
  • MCP server now defaults to disabled (MCP_SERVER_ENABLED=false) — previously it was opt-out, now it's opt-in
  • Carbon cost lookups fixed: provider detection, fallback logic, and network cost support corrected
  • AWS Spot Price History API now has a caching layer, reducing API call volume and latency
  • Memory usage tweaks in a second pass of optimizations, continuing work from prior releases
  • Local storage cost queries replaced with direct math, removing Prometheus query dependency for that path
原文

Prometheus

Observability2026年4月28日

Prometheus v3.11.3 patches three security vulnerabilities: a credential leak, a DoS vector via malformed snappy payloads, and a stored XSS in the classic UI.

  • securityRotate AzureAD client secrets if /-/config was accessible

    If you use AzureAD remote write and the /-/config endpoint was reachable by anyone other than trusted admins, treat your client_secret as compromised. Rotate it in Azure AD immediately, then upgrade to v3.11.3. Also audit who has access to that endpoint — it should never be public-facing.

  • securityUpgrade immediately if remote-read is enabled and exposed

    The snappy decode vulnerability lets an attacker send a crafted request with an inflated declared length, potentially exhausting memory. If your Prometheus remote-read endpoint is reachable from outside your trust boundary, this is a real DoS risk. Upgrade to v3.11.3 as soon as possible — there's no config-level workaround short of disabling remote-read entirely.

  • securityAssess XSS exposure if you still run the classic UI

    The stored XSS in the old UI heatmap affects any deployment where users can influence label values (e.g., via instrumented applications) and other users view those charts. If you've already migrated to the new UI, you're not affected. If you haven't, upgrade now — or at minimum restrict UI access to trusted users until you do.

主な変更 (3)
  • CVE-2026-42151: AzureAD OAuth client_secret was exposed in plaintext through the /-/config endpoint
  • CVE-2026-42154: Remote-read now rejects snappy-compressed requests where declared decoded length exceeds the configured limit, closing a potential DoS vector
  • Stored XSS fixed in the old/classic UI heatmap chart — unescaped 'le' label values in tick labels were the injection point
原文

Prometheus

Observability2026年4月27日

Prometheus v3.5.3 is a security-only release patching four vulnerabilities: credential exposure, two snappy decompression bombs, and a stored XSS in the legacy UI.

  • securityRotate AzureAD client_secret immediately if /-/config was exposed

    Any Prometheus instance using AzureAD remote write had its OAuth client_secret visible in plaintext at the /-/config endpoint. If that endpoint was reachable by untrusted users or scraped by monitoring tools, treat the secret as compromised. Rotate it in Azure AD, update your Prometheus config, and then upgrade to v3.5.3. After upgrading, restrict /-/config access via --web.enable-admin-api controls or a reverse proxy allowlist.

  • securityUpgrade now if you accept remote-read or remote-write from untrusted sources

    Both remote-read and remote-write endpoints were vulnerable to decompression bomb attacks — a crafted snappy request with an inflated declared size could exhaust memory. If your Prometheus is internet-facing or accepts data from multiple tenants, this is a denial-of-service risk. Upgrade to v3.5.3 immediately. There is no config-level workaround; the fix is in the code.

  • securityPatch stored XSS if anyone uses the legacy UI with untrusted label values

    The old UI heatmap rendered 'le' label values without escaping, allowing stored XSS. If your users browse the legacy UI and your metrics include 'le' labels sourced from external or user-controlled systems, malicious JavaScript could execute in their browsers. Upgrade to v3.5.3. As a short-term measure, direct users to the new UI instead.

主な変更 (4)
  • CVE-2026-42151: AzureAD OAuth client_secret leaked in plaintext via /-/config endpoint
  • CVE-2026-42154: Remote-read snappy decompression bomb — oversized declared decode length now rejected
  • Remote-write snappy decompression bomb fixed with same decode limit enforcement (no separate CVE listed)
  • Stored XSS via unescaped 'le' label values in legacy UI heatmap tick labels (GHSA-fw8g-cg8f-9j28)
原文

Cortex

Observability2026年4月27日

Cortex v1.21.0 graduates several experimental features to stable, fixes multiple PRW2 data corruption and panic bugs, and introduces a new Parquet mode for Store Gateway alongside an Overrides API.

  • breakingAudit and update renamed flags before upgrading

    Several flags were renamed: -experimental.ruler.enable-api → -ruler.enable-api, -experimental.alertmanager.enable-api → -alertmanager.enable-api, -distributor.otlp.enable-type-and-unit-labels is now a no-op (consolidated into -distributor.enable-type-and-unit-labels), and parquet cache flags/configs dropped 'queryable' from their names. The users-scanner cleanup-interval became update-interval. Old flags are deprecated but not removed yet — audit your config files and Helm values now, before they disappear in a future release.

  • breakingPRW2 data corruption and panic fixes require validation of existing pipelines

    Three separate bugs in the Remote Write V2 handler were fixed: shallow copying of Samples/Histograms caused data corruption, dirty sync.Pool reuse caused index-out-of-range panics, and Symbols backing array wasn't cleared on pool return causing memory leaks. If you're using PRW2, treat this upgrade as mandatory. Validate your ingestion pipeline after upgrading and check that downstream metrics are intact.

  • enhancementBucket index is now on by default — verify storage permissions

    The bucket index is enabled by default in this release. If your object storage IAM policies restrict list operations or your Cortex deployment had bucket index disabled intentionally, verify that the bucket index can be written and read correctly post-upgrade. Cortex will generate and maintain the index automatically, but storage permission errors will surface as query failures rather than obvious configuration errors.

主な変更 (5)
  • Bucket index enabled by default — disabling it in production is explicitly unsupported
  • Multiple flag and config renames: ruler, alertmanager, users-scanner, and parquet cache config keys have changed
  • PRW2 bugs fixed: data corruption from shallow copying Samples/Histograms, index-out-of-range panics, and memory leaks in sync.Pool reuse
  • New Overrides API module for managing tenant limits via API; old module renamed to overrides-configs
  • Alertmanager upgraded to v0.31.1 with IncidentIO and Mattermost integrations; config disappearance bug on ring unavailability fixed
原文

Litmus

Observability2026年4月15日

Litmus 3.28.0 is a focused maintenance release fixing a probe config leak, a subscriber crash on workflow events, and a Python vulnerability in the frontend base image.

  • securityUpgrade frontend to resolve Python CVE in base image

    The frontend container was running on a ubi8 base image with a Python vulnerability. The fix upgrades it to ubi9. If you run Litmus in environments with strict image scanning policies (e.g., Trivy in CI, ACS, or Prisma), this upgrade will clear those alerts. Pull the 3.28.0 frontend image and redeploy — no config changes needed.

  • breakingProbe config leak fix may change behavior for shared-type probe setups

    If you run multiple probes of the same type in a single experiment, previous releases silently shared stale config between them. The fix now isolates config per probe. Audit any experiments where multiple probes of the same type are defined — if you were unknowingly relying on config bleed-over, results may differ after upgrading.

  • enhancementSubscriber crash fix improves reliability for GitOps and event-driven workflows

    Teams using Litmus in GitOps mode or triggering experiments via Argo Workflow ADD events with ChaosEngine nodes were hitting silent subscriber crashes. After upgrading to 3.28.0, those workflows should resume without manual subscriber restarts. No action required beyond the upgrade, but verify subscriber pod stability post-deploy if you've been seeing unexplained restarts.

主な変更 (5)
  • Fixed stale config leak across multiple probes of the same type — this could cause probes to incorrectly inherit config from a previous probe run
  • Subscriber no longer crashes when Workflow ADD events contain ChaosEngine nodes, improving experiment reliability
  • Frontend base image upgraded from ubi8 to ubi9, resolving a known Python vulnerability
  • Fixed image registry bug when editing or cloning experiments in Litmus Checker
  • Canonical added as an official adopter
原文

OpenCost

Observability2026年4月14日

OpenCost v1.120.0 adds OVH cloud provider support, AWS CUR 2.0 compatibility, and fixes several resource leaks and bugs across AWS, DigitalOcean, and S3 integrations.

  • breakingCheck PV cost accuracy after upgrading — unit parsing was broken

    PV capacity was previously mishandled for Ki/Mi/Gi/Ti units, which means PV cost allocations may have been wrong in earlier versions. After upgrading, verify your PV cost data looks correct, especially if you were seeing anomalous persistent volume costs.

  • enhancementMigrate to AWS CUR 2.0 if you haven't already

    AWS is deprecating CUR 1.0 — this release adds CUR 2.0 support. If you're still on CUR 1.0 exports, now is the time to update your AWS billing export configuration and point OpenCost at the new format. Don't wait for AWS to force the migration.

  • enhancementSuppress noisy Spot feed warnings with the new toggle

    Teams not using AWS Spot instances were getting misleading log warnings about spot data feeds. You can now explicitly disable the Spot Data Feed via config. Set the toggle if you're not using Spot — it cleans up your logs and removes the misleading provider log noise fixed in this release.

主な変更 (7)
  • New OVH cloud provider integration for cost tracking
  • AWS CUR 2.0 (Cost and Usage Report) support added
  • Memory leak fixed in Prometheus scrape target parsing
  • Plugin processes now properly killed on ingestor shutdown, preventing zombie processes
  • PV capacity parsing fixed to correctly handle Ki, Mi, Gi, and Ti units
  • Account field added to allocation data, cluster name added to CSV exports
  • Configuration toggle added to disable AWS Spot Data Feed when not in use
原文

Prometheus

Observability2026年4月14日

Prometheus v3.11.2 patches a stored XSS vulnerability (CVE-2026-40179) in the web UI, plus two Consul SD fixes. Upgrade immediately if your UI is exposed.

  • securityPatch CVE-2026-40179 immediately if your Prometheus UI is reachable

    A stored XSS can be triggered by crafted metric names or label values — meaning any scrape target you ingest data from could potentially inject malicious scripts into your UI. If your Prometheus endpoint is accessible to users beyond the ops team (internal dashboards, federated setups), treat this as urgent. Upgrade to v3.11.2 now. If you can't upgrade immediately, restrict UI access via network policy or auth proxy until you can.

  • breakingVerify Consul SD behavior after the Health API filter fix

    The filter parameter was previously applied incorrectly to the Consul Health API. After upgrading, your Consul service discovery results may change if you were relying on that filter — intentionally or not. Review your Consul SD configs and validate that the services being scraped post-upgrade match your expectations before rolling out to production.

  • enhancementUse `health_filter` in Consul SD to reduce noise from unhealthy services

    The new `health_filter` field lets you filter Consul Health API responses directly at the SD layer. If you've been working around this with relabeling rules to drop unhealthy instances, you can now clean that up. Set `health_filter` to `healthy` in your Consul SD config to only scrape passing services and reduce unnecessary target churn.

主な変更 (3)
  • SECURITY: Stored XSS via unescaped metric names and label values in UI tooltips and metrics explorer — CVE-2026-40179
  • Consul SD: New `health_filter` field for fine-grained Health API filtering
  • Consul SD: Fixed a bug where the filter parameter was incorrectly applied to the Health API
原文

Prometheus

Observability2026年4月14日

Prometheus v3.5.2 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

OpenTelemetry

Observability2026年4月13日

v0.150.0 is a maintenance release with targeted bug fixes: corrects the print-config unredacted output, redacts internal telemetry OTLP headers in marshaled config, and fixes a bounds-check crash in the debug exporter.

  • securityTelemetry exporter headers now redacted in marshaled config

    Internal telemetry OTLP exporter headers are now redacted when configuration is marshaled. If you log or store marshaled config output anywhere, headers (which may contain auth tokens) were previously exposed in plaintext. Upgrade and audit any stored config snapshots.

  • enhancementFix print-config unredacted mode to show defaults

    The print-config command's unredacted mode previously dropped all default-valued options from output. Fixed by introducing confmap.WithUnredacted MarshalOption. If your team uses print-config for auditing or debugging configuration, re-run it after upgrading — the output is now complete and trustworthy.

主な変更 (5)
  • semconv package bumped from 1.38.0 to 1.40.0 across all components
  • debug exporter now guards against out-of-bounds profiles dictionary index access
  • pdata/pprofile creates a defensive copy when input is read-only
  • print-config --unredacted now correctly includes default-valued fields
  • Internal OTLP exporter headers are redacted when config is marshaled
原文

Prometheus

Observability2026年4月8日

Prometheus v3.11.1 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

Prometheus

Observability2026年4月2日

Prometheus v3.11.0 ships significant new discovery capabilities, TSDB experimental features, and a critical retention bug fix that could cause data to be kept 1,000,000x longer than configured.

  • breakingFix TSDB retention unit bug before your disk fills up

    A unit mismatch in the config file parser caused `storage.tsdb.retention.time` to be interpreted as 1,000,000x the intended value. If you set retention via the config file (not CLI flags), your TSDB may be holding far more data than expected. Upgrade to 3.11.0 immediately and verify disk usage post-upgrade. Also note: CLI flag values are now the fallback when retention is removed from config, so review your configuration carefully.

  • breakingMigrate Hetzner hcloud SD label references before July 2026

    `__meta_hetzner_datacenter` and `__meta_hetzner_hcloud_datacenter_location*` labels are deprecated for hcloud roles and will stop working after July 1, 2026. Audit all relabeling configs and recording rules that reference these labels. Replace with `__meta_hetzner_hcloud_location` and `__meta_hetzner_hcloud_location_network_zone`. The robot role keeps the old label for backward compatibility.

  • enhancementCap TSDB disk usage with retention.percentage

    The new `storage.tsdb.retention.percentage` setting lets you define a maximum percentage of available disk that TSDB can use. This is a cleaner safety net than estimating byte-based retention limits, especially in environments with variable data volumes. Consider pairing it with the existing time-based retention rather than replacing it — both constraints apply.

主な変更 (6)
  • CRITICAL BUG: TSDB retention time unit mismatch caused retention to run 1e6x longer than configured — patch immediately
  • Hetzner SD labels deprecated: `__meta_hetzner_datacenter` for hcloud role dies July 1, 2026; migrate relabeling configs now
  • New AWS SD roles for Elasticache and RDS, plus Azure Workload Identity auth support
  • New `storage.tsdb.retention.percentage` config to cap TSDB disk usage by percentage
  • Experimental `fast-startup` flag writes series state to WAL dir, reducing restart time for large TSDB instances
  • OTLP fix: ErrTooOldSample now returns HTTP 400 instead of 500, breaking infinite client retry loops
原文

Jaeger

Observability2026年3月31日

v2.17.0 ships a security fix for XSS in the UI, two major UI features (side panel span details, trace log aggregation), and several backend stability fixes including a panic guard and clock skew correction.

  • securityUpdate UI immediately to fix XSS vulnerability

    The UI was rendering user-supplied trace data using innerHTML, which opens the door to XSS if trace attribute values contain malicious HTML. This is fixed by switching to textContent. If you expose Jaeger UI to users who can influence span data (e.g., shared environments, multi-tenant setups), treat this as a priority upgrade. Pull the v2.17.0 image and redeploy.

  • breakingClock skew fix changes span end timestamps — verify your trace data expectations

    The clock skew adjuster previously only corrected span start times, leaving end timestamps unadjusted. Now both are corrected. For teams with strict SLO calculations or latency assertions based on adjusted trace data, this behavioral change could shift computed durations. Validate your dashboards and alerting rules against real traces after upgrading.

  • enhancementSide panel span view reduces trace analysis friction

    Span details previously expanded inline, collapsing the trace timeline context. The new side panel mode keeps the timeline visible while inspecting a span. Useful immediately for deep trace debugging — no configuration needed, just click a span in the UI. Worth showing to your team as a workflow improvement.

主な変更 (6)
  • Security: replaced innerHTML with textContent in the UI to eliminate an XSS attack vector
  • New UI feature: span details can now open in a side panel instead of inline, reducing context-switching during trace analysis
  • New UI feature: trace logs view aggregates all span events in one place for easier debugging
  • Backend fix: clock skew adjuster now correctly adjusts span end timestamps, not just start times
  • Backend fix: panic guard added for zero/sub-nanosecond durations in jitter calculation (fixes production crash #8149)
  • Experimental ClickHouse backend received query optimization and schema fixes for trace ID deduplication
原文

Chaos Mesh

Observability2026年3月25日

Chaos Mesh v2.8.2 is a security-focused patch that resolves CVEs across Go and UI dependencies, drops install.sh, and fixes cert-manager webhook conflicts.

  • securityUpgrade now — this release exists specifically to fix CVEs

    Both Go and UI packages were upgraded in bulk to address vulnerabilities tracked in issue #4830. No specific CVE IDs are listed in the release notes, but the scope (all direct dependencies) suggests broad exposure. If you're running v2.8.1 or earlier, treat this as an urgent upgrade, especially for clusters where Chaos Mesh's dashboard is internet-accessible or exposed internally to untrusted users.

  • breakingStop using install.sh — it's been deleted, not just deprecated

    install.sh is physically removed in this release. Any CI/CD pipelines, runbooks, or onboarding docs that reference it will break immediately. Migrate to the Helm chart or the official quick-start guide before upgrading. Check your automation scripts and internal documentation now.

  • enhancementFix cert-manager server-side apply conflicts before they hit you in prod

    If you use cert-manager to manage Chaos Mesh's webhook certificates, the caBundle placeholder in webhook templates was causing server-side apply (SSA) field ownership conflicts — a subtle issue that silently breaks reconciliation. After upgrading to v2.8.2, re-apply your Helm release or manifests to let SSA recalculate field ownership cleanly. If you've been seeing unexpected webhook certificate errors or Helm diff noise, this is likely the cause.

主な変更 (5)
  • All direct Go and UI dependencies upgraded to remediate known CVEs
  • install.sh removed — deprecated installer is gone, Helm/kubectl is now the only supported path
  • Go runtime bumped to 1.25.8
  • go-ethereum JSON-RPC replaced with creachadair/jrpc2 to eliminate a vulnerable transitive dependency
  • Fixed cert-manager + server-side apply conflict caused by caBundle placeholder in webhook templates
原文

Litmus

Observability2026年3月18日

Litmus 3.27.0 ships Job targeting for chaos experiments and fixes a cluster of stability bugs: nil pointer crashes, GitOps deadlocks, race conditions, and probe detection failures.

  • breakingGitOps two-way sync was silently broken — verify your sync state after upgrading

    The GitOps sync handler goroutine was disabled, meaning changes in Git were not propagating back to Litmus in two-way mode. After upgrading to 3.27.0, manually trigger a sync and confirm experiment state matches your Git source of truth. Any drift that accumulated should be reconciled.

  • enhancementTarget Kubernetes Jobs in chaos experiments

    If your team runs batch workloads or CI pipelines as Kubernetes Jobs, you can now inject chaos directly into them. Update your experiment manifests to reference Job resources and validate resilience of batch processing paths — something previously impossible without workarounds.

  • enhancementMultiple nil pointer and race condition fixes reduce silent failures

    At least three separate nil pointer dereferences are fixed in this release (subscriber, QueryServerVersion, YAML parser), plus experiment run race conditions. If you've seen intermittent crashes or experiments stuck in inconsistent states, upgrading is the straightforward fix — no config changes needed.

主な変更 (5)
  • New: Kubernetes Jobs can now be targeted in chaos experiments, expanding workload coverage beyond Deployments and StatefulSets
  • 503 returned when MongoDB is down, enabling probes to correctly detect infrastructure failures instead of hanging
  • Subscriber crash on Workflow ADD events (nil pointer dereference) fixed — previously could silently break experiment scheduling
  • GitOps deadlock in GitMutexLock.Unlock resolved, and the GitOps sync handler goroutine re-enabled to restore two-way sync
  • CMD probe command limit raised from 1024 characters, unblocking complex probe scripts
原文

Jaeger

Observability2026年3月7日

Jaeger v2.16.0 introduces breaking changes requiring Go 1.25.7 and removes legacy remote sampling format, while improving ClickHouse performance and adding Elasticsearch health-check timeout support.

  • breakingUpgrade Go to version 1.25.7 before deploying

    The Go version requirement is now enforced across the codebase. Teams running older Go versions will face build failures. Update your build environments, CI/CD pipelines, and container images to Go 1.25.7 before attempting to upgrade or build from source.

  • breakingUpdate remote sampling client integrations

    The legacy remote sampling endpoint response format has been removed. If your applications use custom remote sampling clients that depend on the old format, they will break. Review your sampling configuration and update any custom clients to use the current format before upgrading.

  • enhancementEnable Elasticsearch health-check timeout for improved startup reliability

    New startup health-check timeout configuration prevents indefinite blocking during Elasticsearch connectivity issues. Add health-check timeout settings to your Elasticsearch storage configuration to improve service startup reliability in environments with intermittent connectivity.

主な変更 (6)
  • Go version requirement bumped to 1.25.7 across the entire codebase
  • Legacy remote sampling endpoint response format removed
  • ClickHouse query performance improved through findtraceids restructuring
  • Elasticsearch health-check timeout support added for startup reliability
  • HTTP servers migrated from Gorilla Mux to stdlib http.ServeMux
  • UI fixes for critical path visualization and v3 API client base path handling
原文

Prometheus

Observability2026年2月26日

Prometheus 3.10.0 introduces distroless Docker images for enhanced security, new PromQL fill() functions for handling missing data, and numerous performance improvements across query execution and TSDB operations.

  • enhancementConsider migrating to distroless images for production

    The new distroless variant provides better security with minimal attack surface and uses proper nonroot UID/GID 65532. Plan migration by adjusting volume ownership and permissions - existing named volumes require ownership changes, and bind mounts may need permission adjustments depending on your setup.

  • enhancementOptimize memory usage with stale series compaction

    Enable experimental `stale_series_compaction_threshold` in your config to automatically compact stale series in memory, reducing memory footprint for workloads with high series churn. Start with conservative thresholds and monitor memory usage patterns.

  • enhancementBuild custom Prometheus binaries for resource optimization

    Use new build tags `remove_all_sd` and `enable_<sd name>_sd` to create smaller Prometheus binaries containing only the service discovery mechanisms you actually use, reducing binary size and potential attack surface in containerized deployments.

主な変更 (5)
  • Distroless Docker image variant with UID/GID 65532 for enhanced security alongside existing busybox image
  • New PromQL fill(), fill_left(), and fill_right() functions for handling missing series with default values
  • Experimental stale series compaction in memory with configurable threshold for TSDB optimization
  • Independent alertmanager sendloops with new alertmanager dimension in notification metrics
  • Modular service discovery build system allowing custom Prometheus builds with only required SDs
原文

Fluentd

Observability2026年2月19日

Fluentd v1.19.2 delivers critical bug fixes for socket leaks and connection timeouts, with Ruby 4.0 compatibility improvements. Priority fix for production stability issues affecting out_forward and HTTP server plugins.

  • securityUpgrade immediately to fix socket leak vulnerability

    HTTP server plugin had socket leaks in POST requests that could lead to resource exhaustion. This is a critical fix for production environments using HTTP input plugins. Update immediately and monitor socket usage after deployment.

  • breakingUpdate out_forward configurations for timeout handling

    The out_forward plugin now properly handles connection timeouts to prevent infinite loops. Review your forward output configurations and monitor for any connection behavior changes, especially in high-throughput environments where connection stability is critical.

  • enhancementPrepare for Ruby 4.0 migration

    This release adds Ruby 4.0 compatibility with updated gem dependencies including ostruct and net-http. Plan your Ruby upgrade path and test this version in staging environments if you're planning to move to Ruby 4.0.

主な変更 (5)
  • Fixed out_forward plugin timeout issue preventing infinite connection loops
  • Resolved socket leaks in HTTP server plugin POST requests
  • Fixed in_tail plugin errors when encountering unreadable files in glob patterns
  • Added Ruby 4.0 compatibility with updated gem dependencies
  • Fixed duplicate config file loading in config_include_dir
原文