Enhancements
- Snapshot LSS type separation. Decoupled the read-only label set snapshot into a dedicated SnapshotLSS type with its own variant, reducing the active head's variant footprint and improving type safety.
- GOST-compliant build hardening. Enabled FORTIFY_SOURCE=2, stack protector, position-independent code, and additional compiler warnings (null-dereference, division-by-zero, array-bounds) across all C++ code including third-party libraries.
- GCC 14 and clang-tidy 21. Upgraded the C++ toolchain to GCC 14.2.0 and clang-tidy 21.1.8 with new bugprone-* diagnostics enabled; all findings resolved.
- Go /sync/* runtime metrics. The Prometheus Go collector now exports mutex and semaphore contention statistics from runtime/metrics (/sync/*) alongside the existing GC and scheduler metrics, making locker contention observable in production.
- Jemalloc resident memory metric. Exposed jemalloc's resident set size as a new metric alongside the existing allocated/mapped stats, giving operators clearer visibility into the C++ allocator's memory footprint.
Fixes
- OpenTelemetry security update. Upgraded go.opentelemetry.io/otel/sdk and the otlptracehttp exporter to v1.43.0 — mitigates a PATH hijacking CVE (GHSA-hfvc-g4fc-pqhx) in the BSD host-id detector and adds a 4 MiB response body limit to OTLP HTTP exporters, protecting against memory exhaustion from a misbehaving collector.
- Close WAL on shard rotation. Shard rotation now explicitly closes the outgoing WAL via a dedicated ClosedWal sentinel instead of leaking the handle, preventing stale WAL readers from racing with newly-rotated shards.
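
The response body limit in the OpenTelemetry item is the kind of guard sketched below. This is an added example, not code from this project or from the OpenTelemetry SDK. The names readBounded, errBodyTooLarge and endless are hypothetical, and failing with an error instead of truncating is an assumption about how such a cap can be enforced.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// maxResponseBody mirrors the 4 MiB cap named in the release note.
const maxResponseBody = 4 << 20

// errBodyTooLarge is a hypothetical sentinel for an over-limit response.
var errBodyTooLarge = errors.New("response body exceeds limit")

// readBounded reads at most limit bytes from r. It asks for one byte more
// than the limit so an oversized body is detected and rejected instead of
// being silently truncated, and memory use stays bounded either way.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	b, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(b)) > limit {
		return nil, errBodyTooLarge
	}
	return b, nil
}

// endless is a constructed stand-in for a misbehaving collector whose
// response body never ends.
type endless struct{}

func (endless) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'x'
	}
	return len(p), nil
}

func main() {
	// Without the cap, io.ReadAll on this reader would grow until the
	// process runs out of memory; with it, the read stops at 4 MiB + 1.
	_, err := readBounded(endless{}, maxResponseBody)
	fmt.Println("endless body:", err)

	b, err := readBounded(io.LimitReader(endless{}, 1024), maxResponseBody)
	fmt.Println("small body:", len(b), err)
}
```

In an HTTP client the same function would wrap resp.Body before any decoding of the collector's reply.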