Julien Pivotto
f08b9837f9
Release 3.11.2
...
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-04-13 13:12:35 +02:00
Julius Volz
fddbccf79b
UI: Fix stored XSS via unescaped metric names and labels
...
Metric names, label names, and label values containing HTML/JavaScript were
inserted into `innerHTML` without escaping in several UI code paths, enabling
stored XSS attacks via crafted metrics. This mostly becomes exploitable in
Prometheus 3.x, since it defaults to allowing any UTF-8 characters in metric
and label names.
Apply `escapeHTML()` to all user-controlled values before innerHTML
insertion in:
* Mantine UI chart tooltip
* Old React UI chart tooltip
* Old React UI metrics explorer fuzzy search
* Old React UI heatmap tooltip
See https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99
Signed-off-by: Julius Volz <julius.volz@gmail.com>
2026-04-10 11:25:03 +02:00
Julien Pivotto
9678641c33
Release 3.11.1
...
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-04-07 15:57:30 +02:00
Julien Pivotto
9b12b3d226
Release 3.11.0
...
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-04-02 11:51:49 +02:00
Julien Pivotto
999a67cc04
Release 3.11.0-rc.0
...
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-03-27 16:08:11 +01:00
Julien
cb3382314d
Merge pull request #18374 from roidelapluie/roidelapluie/retention-percentage-float
...
tsdb: use float64 for retention percentage
2026-03-27 11:17:55 +01:00
Julien Pivotto
3856195bb8
tsdb: use float64 for retention percentage
...
The retention.percentage config field was typed as uint, which silently
truncated fractional values. Setting percentage: 1.5 in prometheus.yml
resulted in a retention of 1%, with no warning or error.
Remove the redundant MaxPercentage > 100 clamp in main.go; the config
UnmarshalYAML already returns an error for out-of-range values before
this code is reached.
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-03-26 12:39:22 +01:00
Julien Pivotto
08fcc26479
chore: Update javascript dependencies for 3.11
...
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-03-26 12:14:28 +01:00
Julien Pivotto
bcdc7cd80e
chore: Go dependencies update before 3.11
...
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-03-26 10:56:14 +01:00
Pavel Rysnik
69f6ade976
docs: update promql autocomplete
...
Signed-off-by: Pavel Rysnik <pavelrysnik@gmail.com>
2026-03-26 10:50:09 +03:00
Julien
16876bab95
Merge pull request #18200 from roidelapluie/roidelapluie/retention-validation
...
Multiple fixes in retention configuration
2026-03-20 12:27:37 +01:00
Julius Volz
df0504f338
Merge pull request #18328 from rickardsjp/histogram-docs
...
docs: clarify that histogram_avg/count/sum/stddev/stdvar are native-histogram-only
2026-03-19 16:46:55 +00:00
Linas Medziunas
4a400dc3df
fix(UI): autocomplete for first_over_time and ts_of_first_over_time
...
Signed-off-by: Linas Medziunas <linas.medziunas@gmail.com>
2026-03-19 16:10:23 +02:00
Jeremy Rickards
7a44a2ddc4
docs: regenerate PromQL function docs for UI
...
Signed-off-by: Jeremy Rickards <jeremy.rickards@sap.com>
2026-03-19 15:03:31 +01:00
Julius Volz
8b25b26a76
Merge pull request #18228 from prometheus/fix/tooltip-y-offset-drift
...
UI: Fix tooltip Y-offset drift for multiple graph panels
2026-03-12 20:30:08 +00:00
renovate[bot]
6b8fc582d1
chore(deps): update mantine ui to v8.3.16
2026-03-05 14:46:53 +00:00
Julius Volz
2df86b24ad
UI: Skip restacking on hover in stacked series charts
...
See https://github.com/leeoniya/uPlot/issues/988
Signed-off-by: Julius Volz <julius.volz@gmail.com>
2026-03-04 21:53:11 +01:00
Julius Volz
2aebd269bc
UI: Fix tooltip Y-offset drift for multiple graph panels
...
getBoundingClientRect() was cached in the setSize hook, which only fires
on chart creation/resize. The cached viewport-relative coordinates became
stale after scrolling, causing the tooltip to appear increasingly offset
on charts further down the page.
Fixed by calling getBoundingClientRect() on every setCursor invocation to
always get accurate viewport-relative coordinates.
Signed-off-by: Julius Volz <julius.volz@gmail.com>
2026-03-04 14:52:37 +01:00
Jan Fajerski
b7435e675c
build: add option to build with only the mantine UI
...
This adds the `--mantine-ui` switch to `web/ui/build_ui.sh` which
allows building without the old react UI. If built with only the mantine
ui and started with `--enable-features=old-ui` the user will get a 404
response on the web port.
Signed-off-by: Jan Fajerski <jfajersk@redhat.com>
2026-03-04 08:55:37 +01:00
Matthieu MOREL
026d284c43
chore: fix httpNoBody issues from gocritic
...
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2026-03-02 20:06:30 +01:00
Julien Pivotto
bf3c217bbd
config: apply retention CLI flags as defaults and update UI on reload
...
Introduce DefaultTSDBRetentionConfig, populated from CLI flags before any
config file is loaded, so that retention falls back to CLI flags when the
config file has no storage.tsdb section. Config.UnmarshalYAML always injects
a non-nil TSDBConfig with those defaults, removing the need for nil checks in
main.go. ApplyConfig in web.go now propagates retention settings on each
config reload so the runtime info endpoint stays up to date.
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-02-26 16:36:05 +01:00
Ganesh Vernekar
ccc3062521
Merge branch 'main' into codesome/merge-3.10
...
Signed-off-by: Ganesh Vernekar <ganeshvern@gmail.com>
2026-02-25 17:33:06 -08:00
Ganesh Vernekar
54e010926b
Cut v3.10.0 final release (#18184)
...
Signed-off-by: Ganesh Vernekar <ganeshvern@gmail.com>
2026-02-25 10:54:13 -08:00
George Krajcsovits
5d3f9ee39b
Merge pull request #17904 from linasm/trim_histogram
...
promql: Implement </ and >/ operators for trimming native histograms
2026-02-24 17:16:24 +01:00
Julien
9d38077e50
Merge pull request #18080 from ldufr/ldufresne/retention-size-percentage
...
Add percentage based retention
2026-02-24 15:50:36 +01:00
Jérôme LOYET
696679e50c
Add storage.tsdb.retention.percentage config
...
Signed-off-by: Jérôme LOYET <822436+fatpat@users.noreply.github.com>
Signed-off-by: Laurent Dufresne <laurent.dufresne@grafana.com>
2026-02-24 15:27:45 +01:00
renovate[bot]
789f22b931
fix(deps): update module github.com/prometheus/prometheus to v0.309.1 (#18161)
...
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-23 10:49:49 +01:00
Ganesh Vernekar
decde0b364
Cut v3.10.0-rc.1
...
Signed-off-by: Ganesh Vernekar <ganeshvern@gmail.com>
2026-02-19 15:22:03 -08:00
Linas Medžiūnas
5bd0d00f8c
PromQL: Add experimental histogram_quantiles variadic function (#17285)
...
Signed-off-by: Linas Medziunas <linas.medziunas@gmail.com>
Signed-off-by: Björn Rabenstein <github@rabenste.in>
Signed-off-by: beorn7 <beorn@grafana.com>
Co-authored-by: Björn Rabenstein <github@rabenste.in>
Co-authored-by: beorn7 <beorn@grafana.com>
2026-02-18 17:32:29 +01:00
Ganesh Vernekar
b494365aa7
Cut v3.10.0-rc.0
...
Signed-off-by: Ganesh Vernekar <ganesh.vernekar@reddit.com>
2026-02-17 13:52:55 -08:00
Julien
ece9437624
Merge pull request #18101 from roidelapluie/roidelapluie/wgGo
...
chore(lint): enable wg.Go
2026-02-17 15:48:11 +01:00
Julien Pivotto
7d0a39ac93
chore(lint): enable wg.Go
...
Since our minimum supported go version is now go 1.25, we can use wg.Go.
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-02-17 15:21:51 +01:00
Bryan Boreham
f11e1c9fe1
Merge pull request #17476 from sammyqtran/web-test-speedup
...
test(web): Wait for server ready instead of sleeping 5 seconds.
2026-02-17 11:34:48 +00:00
Ganesh Vernekar
216ddb524e
Rollback Go version to 1.25.0 in go.mod files
...
Signed-off-by: Ganesh Vernekar <ganesh.vernekar@reddit.com>
2026-02-11 14:40:52 -08:00
Martin Valiente Ainz
eb5a0e1eed
Refactor parse.go into an instance-based Parser interface
...
Signed-off-by: Martin Valiente Ainz <64830185+tinitiuset@users.noreply.github.com>
2026-02-11 11:21:49 +01:00
Martin Valiente Ainz
539936c861
Replace per-component parser options with default instance
...
Signed-off-by: Martin Valiente Ainz <64830185+tinitiuset@users.noreply.github.com>
2026-02-11 11:16:04 +01:00
Martin Valiente Ainz
af16f35ad6
PromQL: Refactor parser to use instance configuration instead of global flags
...
Parser configuration is now per-engine/API/loader and no longer uses package-level flags, so behavior is consistent and tests don't rely on save/restore of global variables.
Signed-off-by: Martin Valiente Ainz <64830185+tinitiuset@users.noreply.github.com>
2026-02-11 11:16:04 +01:00
Ganesh Vernekar
1698aada1e
Update Go dependencies for v3.10 release
...
Signed-off-by: Ganesh Vernekar <ganesh.vernekar@reddit.com>
2026-02-10 12:39:33 -08:00
Ganesh Vernekar
43eaaf55a4
Merge pull request #18025 from prometheus/codesome/3-10-npm-deps
...
Update npm dependencies for v3.10
2026-02-10 12:31:39 -08:00
dependabot[bot]
effa3c5c25
chore(deps): bump github.com/hashicorp/consul/api from 1.32.0 to 1.33.2 (#17449)
...
Bumps [github.com/hashicorp/consul/api](https://github.com/hashicorp/consul) from 1.32.0 to 1.33.2.
- [Release notes](https://github.com/hashicorp/consul/releases)
- [Changelog](https://github.com/hashicorp/consul/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/consul/compare/api/v1.32.0...api/v1.33.2)
---
updated-dependencies:
- dependency-name: github.com/hashicorp/consul/api
dependency-version: 1.33.2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2026-02-10 08:24:26 +00:00
Bartlomiej Plotka
3155c95c1f
feat: add fgprof debug pprof (wall-time profiling capability) (#18027)
...
Signed-off-by: bwplotka <bwplotka@gmail.com>
2026-02-06 10:23:54 +00:00
Ganesh Vernekar
213bc8e538
UI: Move HistoryCompleteStrategy into its own file and fix lint
...
Signed-off-by: Ganesh Vernekar <ganesh.vernekar@reddit.com>
2026-02-05 14:48:47 -08:00
Ganesh Vernekar
e6b14eaf0b
Fix critical npm vulnerabilities with npm audit fix
...
Signed-off-by: Ganesh Vernekar <ganesh.vernekar@reddit.com>
2026-02-05 14:22:40 -08:00
Ganesh Vernekar
7bbce150b4
Update npm dependencies for v3.10
...
Signed-off-by: Ganesh Vernekar <ganesh.vernekar@reddit.com>
2026-02-05 14:20:46 -08:00
Julien
37058a3154
Merge pull request #17975 from roidelapluie/roidelapluie/openapistats
...
OpenAPI: Add support for stats
2026-02-05 10:55:44 +01:00
Bartlomiej Plotka
7769495a4a
refactor: switch OTLP handler to AppendableV2 (#17996)
...
* refactor: switch OTLP handler to AppendableV2
Signed-off-by: bwplotka <bwplotka@gmail.com>
* addressed comments
Signed-off-by: bwplotka <bwplotka@gmail.com>
---------
Signed-off-by: bwplotka <bwplotka@gmail.com>
2026-02-03 16:44:40 +00:00
Julius Volz
dbfc635a5a
Merge pull request #17611 from prometheus/default-hide-alert-annotations
...
Hide alert annotations by default
2026-02-03 15:23:11 +01:00
Arve Knudsen
51d33be878
web: switch from gopkg.in/yaml to go.yaml.in/yaml (#17979)
...
Replace gopkg.in/yaml.v2 and gopkg.in/yaml.v3 imports with
go.yaml.in/yaml/v2 and go.yaml.in/yaml/v3 respectively.
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2026-02-03 14:15:35 +00:00
Julien Pivotto
e2d028a46e
OpenAPI: Add support for stats
...
An oversight on the OpenAPI specification, which did not include stats.
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
2026-01-30 14:21:03 +01:00
Julien
22f6d5d335
Merge pull request #17970 from roidelapluie/roidelapluie/ffapiopenapi
...
Features API: Add OpenAPI 3.1 and 3.2
2026-01-29 21:18:04 +01:00