Update prom/prometheus Docker tag to v3 #56
Open
renovate[bot] wants to merge 1 commit into
This PR contains the following updates:
v2.36.2 → v3.13.0
Release Notes
prometheus/prometheus (prom/prometheus)
v3.13.0: 3.13.0 / 2026-07-01 Compare Source
This is a Long Term Support LTS release.
sanitize-html to fix a cross-site scripting vulnerability (CVE-2026-44990). #18697
/assets/third-party-licenses.txt, replacing the npm_licenses.tar.bz2 archive previously shipped in release tarballs and container images. #18997
--http.config.file are now resolved relative to that config file's directory instead of its parent directory. Via prometheus/common v0.69.0. #18949
min() and max() duration-expression functions (experimental feature flag experimental-duration-expr) to min_of() and max_of() to avoid confusion with the min and max aggregate operators. #18687
min_of(a, b) and max_of(a, b) scalar experimental functions, returning the smaller or larger of two scalar values. #18687
samplesRead (and samplesReadPerStep with stats=all and the promql-per-step-stats feature flag) in the query stats response, and add the prometheus_engine_query_samples_read_total engine counter. samplesRead reflects storage I/O distinct from totalQueryableSamples, which counts samples loaded into the evaluator (and so over-counts when a sample is reused across multiple range-vector windows). #18081
__convert_classic_histograms_to_nhcb__ internal label to allow per-target override of convert_classic_histograms_to_nhcb scrape configuration via relabeling. #18840
storage.tsdb.chunk_encoding.floats configuration field to select float chunk encoding (xor or xor2) at runtime, independently of the --enable-feature=xor2-encoding flag. #18769
__always_scrape_classic_histograms__ and __scrape_native_histograms__ internal labels to allow per-target override of the always_scrape_classic_histograms and scrape_native_histograms scrape configuration via relabeling. #18929
fill_left(x) fill_right(x) as fill(x) when both fill values are equal. #18851
--enable-feature=created-timestamp-zero-ingestion). #18813
end was not aligned to step caused subqueries inside it to evaluate past the parent's last actual step, inflating peakSamples in the query stats and against the query.max-samples limit, and wasting storage I/O reading samples that were never used in the result. #18081
@ modifier (e.g. predict_linear(metric[60s] @ T, X)) silently under-counted totalQueryableSamples for steps after step 0. #18081
fill_left/fill_right producing missing samples in range queries when using group_left/group_right. #18850
1[5m] smoothed and similar expressions when extended range selectors are enabled. #18764
smoothed instant vector selector produces no samples for a series. #18943
foo offset -(5)). #18768
{}. Via prometheus/common v0.69.0. #18949
check healthy and check ready when --url ends with a trailing slash. #18854
private_ip or public_ip field, but do have private NICs attached. #18772
v3.12.0: 3.12.0 / 2026-05-28 Compare Source
This release contains security fixes, new features (especially around PromQL and Service Discovery), performance improvements in TSDB, Start Timestamp improvements and numerous bug fixes.
Thanks to all contributors!
Key Highlights
rate(), irate(), increase(), and resets(). New experimental functions start(), end(), range(), and step() are introduced.
Changelog
/-/config endpoint. Thanks to @August829 and @Phaxma for reporting. GHSA-39j6-789q-qxvh #18649
st-storage flag is enabled. #18221
/api/v1/status/self_metrics endpoint returning the current state of the Prometheus server's own metrics about itself as JSON. #18411
outscale_sd_configs) for discovering scrape targets from the Outscale Cloud API. #18139
sort, sort_by_label or sort_by_label_desc is used within range (matrix) queries, as these functions do not have effect in that context. #18498
start(), end(), range(), and step() experimental functions #17877
resets() function to consider start timestamp resets. Hidden behind use-start-timestamps feature flag. #18627
CheckpointFromInMemorySeries option to agent.DB that enables checkpoint based on in-memory series. #17948
rate(), irate(), and increase() calculations, behind a feature flag use-start-timestamps. Doesn't work together with extended range selectors anchored and smoothed. #18344
st-synthesis which synthesizes unknown STs for scraped cumulative metrics. Useful when Remote Writing 2.0 with delta or Otel-based backends. #18279
@st annotation in load blocks to specify per-sample start timestamps. #18360
external_id field to ECS/MSK/RDS/Elasticache. #18579
external_id field. #17171
--header flag to query instant command, matching existing query range behaviour. #18418
info() function incorrectly handling negated __name__ matchers #17932
/parse_ast. #18624
health_filter for Health API filtering, fixing breakage when using Catalog-only fields like ServiceTags in filter. #18479 #18499
smoothed rate/increase returning zero instead of no result when all data falls strictly after the query range. #18523
range() keyword in duration expressions such as foo[5m+range()]. #18623
@ modifier is used. #18531
prometheus_sd_refresh* and prometheus_sd_discovered_targets metrics for specific scrape jobs are deleted when the scrape job is removed. #17614
--enable-feature flag description and sort feature names. #18487
v3.11.3: 3.11.3 / 2026-04-27 Compare Source
This release fixes multiple security issues.
We would like to thank the following people for the responsible disclosures:
Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.
Brett Gervasoni for the AzureAD OAuth client_secret vulnerability.
@iiihaiii and @Ngocnn97 for the Old UI XSS vulnerability.
[SECURITY] AzureAD remote write: Fix OAuth client_secret being exposed in plaintext via /-/config endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 #18590
[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 #18584
[SECURITY] UI: Fix stored XSS via unescaped le label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 #18588
v3.11.2: 3.11.2 / 2026-04-13 Compare Source
This release has a fix for a Stored XSS vulnerability that can be triggered via crafted metric names and label values in Prometheus web UI tooltips and metrics explorer. Thanks to Duc Anh Nguyen from TinyxLab for reporting it.
health_filter field for Health API filtering. #18499
v3.11.1: 3.11.1 / 2026-04-07 Compare Source
insecure: true. #18469
v3.11.0: 3.11.0 / 2026-04-02 Compare Source
__meta_hetzner_datacenter label is deprecated for the role robot but kept for backward compatibility, use the __meta_hetzner_robot_datacenter label instead. For the role hcloud, the label is deprecated and will stop working after the 1 July 2026. #17850
__meta_hetzner_hcloud_datacenter_location and __meta_hetzner_hcloud_datacenter_location_network_zone labels are deprecated, use the __meta_hetzner_hcloud_location and __meta_hetzner_hcloud_location_network_zone labels instead. #17850
prometheus_sd_last_update_timestamp_seconds metric to track the last time a service discovery update was sent to consumers. #18194
__meta_kubernetes_pod_deployment_name, __meta_kubernetes_pod_cronjob_name and __meta_kubernetes_pod_job_name, respectively. #17774
</ and >/ operators for trimming observations from native histograms. #17904
histogram_quantiles variadic function for computing multiple quantiles at once. #17285
storage.tsdb.retention.percentage configuration to configure the maximum percent of disk usable for TSDB storage. #18080
st-storage feature flag. When enabled, Prometheus stores ingested start timestamps (ST, previously called Created Timestamp) from scrape or OTLP in the TSDB and Agent WAL, and exposes them via Remote Write 2. #18062
xor2-encoding feature flag for the new TSDB block float sample chunk encoding that is optimized for scraped data and allows encoding start timestamps. #18062
external_id support for sigv4. #17916
first_over_time and ts_of_first_over_time PromQL functions. #18318
KahanAdd. #18252
endpoint option, a regression from the AWS SDK v2 migration. #18133
client_id is empty. #18323
*DualStackEndpointSlices policies. #18192
prometheus_remote_storage_sent_batch_duration_seconds measuring before the request was sent. #18214
use-uncached-io feature flag is set on unsupported environments. #18219
v3.10.0: 3.10.0 / 2026-02-24 Compare Source
Prometheus now offers a distroless Docker image variant alongside the default busybox image. The distroless variant provides enhanced security with a minimal base image, uses UID/GID 65532 (nonroot) instead of nobody, and removes the VOLUME declaration. Both variants are available with -busybox and -distroless tag suffixes (e.g., prom/prometheus:latest-busybox, prom/prometheus:latest-distroless).
The busybox image remains the default with no suffix for backwards compatibility (e.g., prom/prometheus:latest points to the busybox variant).
For users migrating existing named volumes from the busybox image to the distroless variant, the ownership can be adjusted with:
Then, the container can be started with the old volume with:
Users migrating from bind mounts might need to adjust permissions too, depending on their setup.
alertmanager dimension to following metrics: prometheus_notifications_dropped_total, prometheus_notifications_queue_capacity, prometheus_notifications_queue_length. #16355
/alerts page. #17611
fill()/fill_left()/fill_right() binop modifiers for specifying default values for missing series. #17644
/api/v1/openapi.yaml. #17825
<URL>/debug/pprof/fgprof. #18027
stale_series_compaction_threshold in the config file. #16929
remove_all_sd and individual service discoveries can be re-added with the build tags enable_<sd name>_sd. Users can build a custom Prometheus with only the necessary SDs for a smaller binary size. #17736
promql-duration-expr and promql-extended-range-selectors. #17926
.*-.*-.*. #17707
/api/v1/targets/relabel_steps in a single pass instead of re-running relabeling for each prefix. #17969
X-Prometheus-Stopping header for /-/ready endpoint in NotReady state. #17795
info() function returning empty results when filtering by a label that exists on both the input metric and target_info. #17817
__name__ from OTLP attributes to prevent duplicate labels. #17917
@ modifier on empty ranges. #18020
avg_over_time for a single native histogram. #18058
v3.9.1: 3.9.1 / 2026-01-07 Compare Source
v3.9.0: 3.9.0 / 2026-01-06 Compare Source
Note for users of Native Histograms
In version 3.9, Native Histograms is no longer experimental, and the feature flag native-histogram has no effect. You must now turn on the config setting scrape_native_histograms to collect Native Histogram samples from exporters.
Changelog
native-histogram feature flag a no-op. Use scrape_native_histograms config option instead. #17528
start_timestamp field for unit tests. #17636
--format seriesjson option to tsdb dump to output just series labels in JSON format. #13409
--storage.tsdb.delay-compact-file.path flag for better interoperability with Thanos. #17435
--storage.tsdb.block-reload-interval to configure TSDB Block Reload Interval. #16728
prometheus_notifications_latency_histogram_seconds to complement the existing summary. #16637
config label with job name for most prometheus_sd_refresh metrics. #17138
prometheus_tsdb_sample_ooo_delta, the distribution of out-of-order samples in seconds. Collected for all samples, accepted or not. #17477
_total. #17682
ignoring() and non-empty grouping. #17643
rate/increase/delta of histograms results in a gauge histogram. #17608
v3.8.1: 3.8.1 / 2025-12-16 Compare Source
v3.8.0: 3.8.0 / 2025-11-28 Compare Source
Note for users of Native Histograms
This is the first release with Native Histograms as a stable feature. However, scraping Native Histograms has to be activated explicitly via the scrape_native_histograms config setting (newly introduced in this release). To ease the transition, the --enable-feature=native-histograms flag is not a complete no-op in this release, but changes the default value of scrape_native_histograms to true. In the next release (v3.9), the feature flag will be a complete no-op, and the default value of scrape_native_histograms will always be false. If you have been using the feature flag so far, the recommended course of action is the following:
scrape_native_histograms to true in all relevant scrape configs. (There is a global and a per-scrape-config version of scrape_native_histograms, allowing granular control if needed. It is a good idea to also set scrape_native_histograms explicitly to false where you do not want to scrape Native Histograms. In this way, you do not depend on the default value of the setting anymore.)
Changelog
scrape_native_histograms config setting. #17232 #17315
promtool push metrics via the --protobuf_message flag. #17417
Add and Sub. #17278
target_info samples with the same timestamp for the same series. #17400
use_fips_sts_endpoint in sigv4 config sections. #17304
/api/v1/targets. #17306
info call. #17379
histogram_fraction for classic histograms and NHCB if lower bound is in the first bucket. #17424
v3.7.3: 3.7.3 / 2025-10-29 Compare Source
-web.external-url if -web.route-prefix is configured, which was introduced in #17240. #17389
check config would fail when --lint=none flag was set. #17399 #17414
v3.7.2: 3.7.2 / 2025-10-22 [Compare Source](https://redirect.github.com/prometheus/prometheus/compare/v3.7.1...
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.