Commit graph

17437 commits

Author SHA1 Message Date
Ayoub Mrini
83962c35a4
test(cmd/prometheus): add TestFeatureFlagsDocumented and adjust --enable-feature description (#18487)
* test(cmd/prometheus): add TestFeatureFlagsDocumented and fix help text

Add TestFeatureFlagsDocumented to ensure the --enable-feature help text
in and docs/feature_flags.md list the same set of flags.

The help text was out of sync with the documentation:
- Flags present in docs but missing from help text: `auto-reload-config`,
  `metadata-wal-records`, `otlp-native-delta-ingestion`,
  `promql-delayed-name-removal`, `type-and-unit-labels`. Added them.
- Flags present in help text but missing from docs: `auto-gomaxprocs`,
  `expand-external-labels`. Removed them.

The help text is now sorted for better readability and kept in sync
with the documentation.

Also, the parsing of an empty `--enable-feature` was changed to
print `msg="Unknown option for --enable-feature" option=""` instead of nothing.

Signed-off-by: Ayoub Mrini <ayoubmrini424@gmail.com>

* main.go remove default for --enable-feature to avoid unwanted

Signed-off-by: Ayoub Mrini <ayoubmrini424@gmail.com>

---------

Signed-off-by: Ayoub Mrini <ayoubmrini424@gmail.com>
2026-04-20 16:08:42 +02:00
Julien
57821524d5
Merge pull request #18548 from roidelapluie/roidelapluie/remove-registry-arch-exclusions
build: remove DOCKER_REGISTRY_ARCH_EXCLUSIONS and DOCKERFILE_ARCH_EXCLUSIONS logic
2026-04-20 12:12:02 +02:00
Julien Pivotto
dd03bb4476 build: remove DOCKERFILE_ARCH_EXCLUSIONS logic
Upstream distroless now supports all architectures, so there is no
longer a need to exclude specific dockerfile/arch combinations from
the build.

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-04-20 11:44:25 +02:00
Julien Pivotto
7f31983569 build: remove DOCKER_REGISTRY_ARCH_EXCLUSIONS logic
This mechanism was introduced to skip pushing riscv64 images to
registries that were misconfigured to not accept that architecture.
The misconfiguration has now been fixed across all repositories, so
this workaround is no longer needed.

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-04-20 10:23:09 +02:00
Julien
de717d30c2
Merge pull request #18545 from gaganhr94/fix/token-permissions
fix: adding required permissions to top level and jobs in the workflow
2026-04-20 10:12:01 +02:00
Gagan H R
bfcaa44c2c fix: adding required permissions to top level and jobs in the workflow
Signed-off-by: Gagan H R <hrgagan4@gmail.com>
2026-04-19 11:41:48 +00:00
Julien
f39fff9691
Merge pull request #18537 from roidelapluie/roidelapluie/roidelapluie/funcs-ui
promql/ui: highlight start()/end()/range()/step() as functions; start()/end() as modifiers only after @
2026-04-17 18:35:34 +02:00
Arve Knudsen
c7b2210ac3
tsdb: cache collected head chunks on ChunkReader for O(1) lookup (#18302)
tsdb: cache collected head chunks on ChunkReader for O(1) lookup

The query path calls s.chunk() once per chunk meta via
ChunkOrIterableWithCopy. Each call walks the head chunks linked list
from the head to the target position. For a series with N head chunks
iterated oldest-first, total work is O(N²).

Cache the collected []*memChunk slice on headChunkReader, keyed by
series ref, head pointer, and mmapped chunks length. Collected once
per series under lock; reused on subsequent chunk lookups for the same
series. The backing array is reused across series (zero alloc after
first use).

Series with 0 or 1 head chunks skip the cache entirely to avoid
per-series overhead that dominates for typical workloads where most
series have a single head chunk.

The cache is gated behind an enableCache flag, toggled via an optional
chunkCacheToggler interface only when hints.Step > 0 (range queries).
Instant queries only need one chunk per series, so the cache overhead
is not recouped.

Also replace O(N²) linked-list traversals in appendSeriesChunks with
O(N) collectHeadChunks + slice iteration, and thread reusable
headChunksBuf through the index reader paths to avoid per-series
allocations.


---------

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
Co-authored-by: George Krajcsovits <krajorama@users.noreply.github.com>
2026-04-17 18:34:41 +02:00
Julien
ff144f16fb
Merge pull request #18531 from roidelapluie/roidelapluie/smoothed-vector-binop
promql: fix smoothSeries() @ modifier timestamp mismatch
2026-04-17 17:05:50 +02:00
Julien Pivotto
504c5e67ea promql/ui: highlight start()/end()/range()/step() as functions; start()/end() as modifiers only after @
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-04-17 16:48:54 +02:00
Julien
4c50ef989d
Update promql/promqltest/testdata/extended_vectors.test
Co-authored-by: George Krajcsovits <krajorama@users.noreply.github.com>
Signed-off-by: Julien <291750+roidelapluie@users.noreply.github.com>
2026-04-17 16:38:36 +02:00
Julien
5d0bc055ef
Merge pull request #17877 from roidelapluie/roidelapluie/funcs
PromQL: Add start() end() range() and step() functions
2026-04-17 13:51:37 +02:00
Julien Pivotto
85dbc3cc76 promql: fix smoothSeries() @ modifier timestamp mismatch
smoothSeries() was stamping output points at offset-adjusted timestamps
instead of evaluator timestamps. When the @ modifier is used, this
causes gatherVector() to miss the points because it matches by exact
timestamp equality against evaluator step timestamps.

Fix by iterating over evaluator timestamps and deriving data timestamps
by subtracting the offset, so output points align with what
gatherVector() expects.

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-04-16 13:44:58 +02:00
Julien Pivotto
ae9e52c868 PromQL: Add start() end() range() and step() functions
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-04-16 10:59:23 +02:00
Ben Kochie
25d678b502
Cleanup promci action (#18524)
Use new `promci-setup` action for version upgrade test job.

Signed-off-by: SuperQ <superq@gmail.com>
2026-04-16 10:19:05 +02:00
Ben Kochie
a2e000133b
Fix quay.io riscv64 publishing (#18527)
Because quay.io requires manual creation of new repos, we missed
creating one for riscv64. This has been created so publish should now
work.

Signed-off-by: SuperQ <superq@gmail.com>
2026-04-16 10:14:00 +02:00
Julien
c4c1c55a82
Merge pull request #18523 from roidelapluie/roidelapluie/smoothed-rate
promql: fix smoothed rate returning zero for data only after range
2026-04-16 10:00:46 +02:00
Julien
f1c02cc7f1
Merge pull request #18420 from roidelapluie/roidelapluie/fuzzing-jobs
chore(fuzzing): limit number of CI jobs
2026-04-16 09:36:24 +02:00
Julien Pivotto
93ec767fed promql: fix smoothed rate returning zero for data only after range
For smoothed rate/increase, a result should only be returned
when there is data available to interpolate across the range. If the
range has a single data point only on one side, the result is
meaningless and should be empty.

The "data only before" case was already handled: if the last fetched
sample is at or before rangeStart, extendedRate returns nothing.

Add the symmetric guard for the "data only after" case: if the first
fetched sample is strictly after rangeEnd, return nothing as well.

This mirrors the behaviour described in prometheus/prometheus#18295,
where a smoothed rate that has no data before the range should not
return zero.

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-04-16 09:34:16 +02:00
Julius Volz
34cebfe953
Merge pull request #18411 from prometheus/self-metrics-api
Add API endpoint for getting Prometheus' metrics about itself
2026-04-15 14:47:38 +02:00
Julien
6e83b49dd6
Merge pull request #17685 from akshatsinha0/fix-aws-sd-setdirectory
Fix(discovery/aws): Added SetDirectory method to EC2SDConfig.
2026-04-15 14:35:46 +02:00
Julien
c6d2fa3596
Merge pull request #18519 from alliasgher/fix-testfstype-unknown-fs
util/runtime: let TestFsType tolerate filesystems absent from FsType map
2026-04-15 14:12:13 +02:00
alliasgher
ae063a499a util/runtime: simplify TestFsType comment per review
Remove issue reference and trim the comment down to the assertion's
intent, per @roidelapluie review.

Signed-off-by: alliasgher <alliasgher123@gmail.com>
2026-04-15 15:54:02 +05:00
Toni Cárdenas
2ad75b0ef0
util/strutil: remove duplicate isASCII declaration (#18522)
Signed-off-by: Toni Cárdenas <toni.cardenasvargas@grafana.com>
2026-04-14 16:46:11 +00:00
alliasgher
6994b4cb4e util/runtime: simplify TestFsType to check != 0 instead of _MAGIC
Signed-off-by: alliasgher <alliasgher123@gmail.com>
2026-04-14 20:26:13 +05:00
Arve Knudsen
98809e40c6
tsdb: Skip clean series during periodic head chunk mmap (#18272)
tsdb: Skip clean series during periodic head chunk mmap

The periodic mmapHeadChunks cycle previously acquired a per-series
lock on every series, even though typically >99% have nothing to
mmap. This was identified as a CPU bottleneck in Grafana Mimir.

Add a headChunkCount field (sync/atomic.Uint32) to memSeries that
tracks the number of head chunks. It is incremented in
cutNewHeadChunk and the histogram new-chunk paths, and reset by
mmapChunks and truncateChunksBefore. mmapHeadChunks uses a lock-free
Load to skip series with fewer than 2 head chunks, avoiding the
per-series lock for clean series.

sync/atomic.Uint32 (4 bytes) is used instead of go.uber.org/atomic
(8 bytes) to fit in existing struct padding without growing
memSeries. Chunk counts are bounded by the 3-byte field in
HeadChunkRef, so cannot overflow uint32.

Also fix pre-existing comment inaccuracies in the touched code:
headChunks.next -> headChunks.prev, mmapHeadChunks() -> mmapChunks()
in the doc comment, and a grammar error.

---------

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2026-04-14 17:11:35 +02:00
Julien
1c449737e1
util/strutil: add Jaro-Winkler similarity implementation (#18405)
* util/strutil: add Jaro-Winkler similarity implementation

This is part of the implementation of prometheus/proposals#74

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>

* util/strutil: optimise JaroWinkler with string-native ASCII path

Replace the generic jaroWinkler[T byte|rune] with two specialised
functions: jaroWinklerString (ASCII path) operates directly on the
string values and avoids the []byte conversion that previously caused
two heap allocations per call; jaroWinklerRunes (Unicode path) is
unchanged in algorithm but split out from the generic.

Both paths replace the repeated float64 divisions in the Jaro formula
with precomputed reciprocals (invL1, invL2).

Result: short ASCII strings drop from 2 allocs/op to 0 allocs/op;
long ASCII drops from 4 allocs/op to 2 allocs/op (bool match arrays
only).

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>

* util/strutil: replace JaroWinkler with JaroWinklerMatcher

Remove the free JaroWinkler function and replace it with a
JaroWinklerMatcher struct. NewJaroWinklerMatcher pre-computes the
ASCII check and rune conversion for the search term once; Score then
runs the comparison against each candidate without repeating that work.

This is the expected usage pattern in Prometheus: one fixed term scored
against many label names or values.

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>

* Update util/strutil/jarowinkler.go and util/strutil/jarowinkler_test.go

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
Signed-off-by: Julien <291750+roidelapluie@users.noreply.github.com>
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>

---------

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
Signed-off-by: Julien <291750+roidelapluie@users.noreply.github.com>
Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2026-04-14 16:58:46 +02:00
Julien
0b067888c7
Merge pull request #18402 from roidelapluie/roidelapluie/strutil_subsequence
util/strutil: add subsequence matching implementation
2026-04-14 16:55:56 +02:00
Ali
48f4a41e38 util/runtime: skip TestFsType on unknown filesystems instead of accepting hex format
Rather than widening the assertion to accept raw hex codes, skip the
strict _MAGIC format check with t.Skipf when the filesystem is not in
the known map. The test still exercises the error paths and will run
fully on standard Linux/macOS filesystems.

Fixes prometheus/prometheus#18471

Signed-off-by: Ali <ali@kscope.ai>
2026-04-14 16:49:46 +05:00
Julien
12de1243c0
Merge pull request #18518 from prometheus/release-3.11
Merge back release 3.11.2
2026-04-14 10:26:38 +02:00
Ali
366ee531bb util/runtime: let TestFsType tolerate filesystems absent from FsType map
FsType() returns the known magic-name string when the filesystem is
present in its internal map, and falls back to strconv.FormatInt(..., 16)
otherwise. The test was asserting the *MAGIC regex only, so it failed
whenever it happened to run on a filesystem not yet mapped — the
downstream Arch Linux packager hit this with a btrfs subvolume.

Extend the regex to accept either a magic-name or the numeric
lowercase-hex fallback, keeping the test stable across OS upgrades and
exotic filesystems.

Fixes #18471

Signed-off-by: Ali <alliasgher123@gmail.com>
2026-04-14 01:21:26 +05:00
Julien
f0f0fdd679
Merge pull request #18517 from roidelapluie/roidelapluie/cut-3.11.2
Release 3.11.2
2026-04-13 13:39:08 +02:00
Julien Pivotto
f08b9837f9 Release 3.11.2
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-04-13 13:12:35 +02:00
Julien
931b2daf6f
Merge pull request #18510 from mrvarmazyar/fix/consul-health-filter-config-fixtures
config: add consul health_filter fixture coverage
2026-04-13 10:51:00 +02:00
Julius Volz
53a811bef4
Merge pull request #18514 from prometheus/remove-gitpod-files-and-badge
Remove Gitpod config files and badge in README.md
2026-04-13 10:39:40 +02:00
Julius Volz
d946df2b66 Remove Gitpod config files and badge in README.md
Gitpod has rebranded to Ona a while ago and is now focusing on AI-agentic
coding, so at least the traditional links that opened the repo in a cloud-based
coding environment without login don't work anymore. So let's remove the files
and badge to get rid of old cruft.

Signed-off-by: Julius Volz <julius.volz@gmail.com>
2026-04-13 10:09:39 +02:00
Mohammad Varmazyar
06b7f1f625 config: add consul health_filter fixture coverage
Signed-off-by: Mohammad Varmazyar <mrvarmazyar@gmail.com>
2026-04-10 23:36:56 +02:00
Julius Volz
d4935fbf6e Fix OpenAPI defs
Signed-off-by: Julius Volz <julius.volz@gmail.com>
2026-04-10 19:13:39 +02:00
Julius Volz
d456d314d2 Add some missing metrics protobuf field TypeScript definitions
Signed-off-by: Julius Volz <julius.volz@gmail.com>
2026-04-10 16:06:33 +02:00
Julius Volz
034c29411a Use ProtoJSON, allow regex-based filtering of metric names
Signed-off-by: Julius Volz <julius.volz@gmail.com>
2026-04-10 16:05:40 +02:00
Julius Volz
318c913fe2 Add API endpoint for getting Prometheus' metrics about itself
This adds a /api/v1/status/self_metrics endpoint that allows the frontend to
fetch metrics about the server itself, making it easier to construct frontend
pages that show the current server state. This is needed because fetching
metrics from its own /metrics endpoint would be both hard to parse and also
require CORS permissions on that endpoint (for cases where the frontend
dashboard is not the same origin, at least).

Signed-off-by: Julius Volz <julius.volz@gmail.com>
2026-04-10 16:05:08 +02:00
Julien
fac097b161
Merge pull request #18499 from roidelapluie/roidelapluie/consul-health-filter-3.11
discovery/consul: add health_filter for Health API filtering
2026-04-10 15:15:47 +02:00
Julien
d09ea56b38
Update docs/configuration/configuration.md
Co-authored-by: George Krajcsovits <krajorama@users.noreply.github.com>
Signed-off-by: Julien <291750+roidelapluie@users.noreply.github.com>
2026-04-10 14:50:54 +02:00
Julien
e95d2e38e3
Merge pull request #18506 from roidelapluie/roidelapluie/backport-xss-issue
UI: Fix stored XSS via unescaped metric names and labels
2026-04-10 14:17:05 +02:00
Julius Volz
fddbccf79b UI: Fix stored XSS via unescaped metric names and labels
Metric names, label names, and label values containing HTML/JavaScript were
inserted into `innerHTML` without escaping in several UI code paths, enabling
stored XSS attacks via crafted metrics. This mostly becomes exploitable in
Prometheus 3.x, since it defaults to allowing any UTF-8 characters in metric
and label names.

Apply `escapeHTML()` to all user-controlled values before innerHTML
insertion in:

* Mantine UI chart tooltip
* Old React UI chart tooltip
* Old React UI metrics explorer fuzzy search
* Old React UI heatmap tooltip

See https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99

Signed-off-by: Julius Volz <julius.volz@gmail.com>
2026-04-10 11:25:03 +02:00
George Krajcsovits
971e64756e
Merge pull request #18498 from ldufr/revive-emit-warning-when-sort-is-used-range
annotations: add warning for ineffective sort in range queries
2026-04-10 11:17:52 +02:00
Julius Volz
07c6232d15
Merge commit from fork
UI: Fix stored XSS via unescaped metric names and labels
2026-04-10 09:30:55 +01:00
Julien Pivotto
4cc50803ff discovery/consul: fix catalog watch trigger and improve filter tests
When health_filter is set without explicit services, the catalog needs
to be watched to enumerate services. Add watchedFilter to the condition
that triggers catalog watching.

Improve the filter test suite:
- Replace defer with t.Cleanup for stub servers.
- Rewrite TestFilterOption to assert that the catalog receives the filter
  and the health endpoint does not.
- Rewrite TestHealthFilterOption to assert that health_filter is routed
  correctly to the health endpoint only.
- Add TestBothFiltersOption to verify both filters are routed to their
  respective endpoints when both are configured.

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-04-10 10:26:40 +02:00
Ben Kochie
92281f6542
Fix markdown format (#18505)
Fix the markdown format in SECURITY.md to satisfy `mdox fmt`.

Signed-off-by: SuperQ <superq@gmail.com>
2026-04-10 10:23:24 +02:00
George Krajcsovits
31b40c75b0
Apply suggestion from @krajorama
Signed-off-by: George Krajcsovits <krajorama@users.noreply.github.com>
2026-04-10 10:13:38 +02:00