github deckhouse/prompp v0.8.0-rc4
on GitHub

pre-release5 hours ago

Enhancements

  1. Snapshot LSS type separation. Decoupled the read-only label set snapshot into a dedicated SnapshotLSS type with its own variant, reducing the active head's variant footprint and improving type safety.
  2. GOST-compliant build hardening. Enabled FORTIFY_SOURCE=2, stack protector, position-independent code, and additional compiler warnings (null-dereference, division-by-zero, array-bounds) across all C++ code including third-party libraries.
  3. GCC 14 and clang-tidy 21. Upgraded the C++ toolchain to GCC 14.2.0 and clang-tidy 21.1.8 with new bugprone-* diagnostics enabled; all findings resolved.
  4. Go /sync/* runtime metrics. The Prometheus Go collector now exports mutex and semaphore contention statistics from runtime/metrics (/sync/*) alongside the existing GC and scheduler metrics, making locker contention observable in production.
  5. Jemalloc resident memory metric. Exposed jemalloc's resident set size as a new metric alongside the existing allocated/mapped stats, giving operators clearer visibility into the C++ allocator's memory footprint.
  6. Chunk recoder optimization. Switched the chunk recoder to a seek-based decode iterator and tuned the Prometheus chunkenc encoder with [[likely]] annotations, giving roughly a 10% speedup on the recoder benchmark.
  7. Remote write data source refactor. Reworked the WAL/encoder pipeline — extracted SegmentSamplesStorage, added a V2 WAL reader and DataSourceV2, and the shard now transparently switches between WAL format versions.
  8. Merge-shard series sets. New generic mergeShardSeriesSet / mergeShardChunkSeriesSet iterators stream across shards without an intermediate merge buffer, lowering query memory pressure on sharded heads.
  9. Jemalloc arena pool recycling. Arenas returned to the free pool are now reset and purged instead of being destroyed, with updated jemalloc build options. New metrics report arena pool releases and reclaimed bytes (prompp_common_jemalloc_arena_pool_*). Carried over from v0.7.11.

Fixes

  1. Remote-read snappy DoS (CVE-2026-42154). Backported the upstream fix (GHSA-8rm2-7qqf-34qm) — /api/v1/read now rejects snappy-compressed payloads whose declared decoded length exceeds the 32 MiB decode limit before allocation, preventing memory exhaustion via crafted small requests.
  2. Range-vector double-counting at step boundaries. Backported the upstream Prometheus 3.0 fix (PR #13904) — both matrix selectors metric[range] and instant-vector lookback now use left-open, right-closed intervals (t-range, t] / (t-lookback, t]. Previously the closed [t-range, t] semantics caused range-vector functions like sum_over_time, count_over_time and rate to systematically include one extra sample at the left boundary, double-counting at step boundaries (upstream issue #14007) and producing inflated results when range and step were equal multiples of the scrape interval. Note: this is a behavior change for queries whose result depends on whether a sample exactly at t-range is included; existing dashboards and recording rules may see small numeric shifts.
  3. Azure AD remote-write client_secret redaction (CVE-2026-42151). Backported the upstream fix (GHSA-wg65-39gg-5wfj) — OAuthConfig.ClientSecret in storage/remote/azuread is now typed as config.Secret instead of a plain string, so the value is redacted (<secret>) when serving the configuration via the /-/config HTTP API.
  4. Stored XSS in React web UI (CVE-2026-40179, CVE-2026-44903, CVE-2026-44990). Backported upstream fixes (GHSA-vffh-x6r8-xx99, GHSA-fw8g-cg8f-9j28) — graph tooltips, the Metrics Explorer fuzzy results, the heatmap bucket tooltip, and the heatmap y-axis tick labels now escapeHTML metric names and label values (including le) before injecting them into innerHTML. As a defense-in-depth measure for the unpatched sanitize-html <xmp> bypass (GHSA-rpr9-rxv7-x643), the Flags page now also HTML-escapes the fuzzy-search output before passing it to sanitize-html, so the sanitizer never sees raw markup. Together this blocks script execution from crafted metrics ingested via scrape, remote-write, or OTLP and from operator-supplied command-line flag values.
  5. OpenTelemetry security update. Upgraded go.opentelemetry.io/otel/sdk and the otlptracehttp exporter to v1.43.0 — mitigates a PATH hijacking CVE (GHSA-hfvc-g4fc-pqhx) in the BSD host-id detector and adds a 4 MiB response body limit to OTLP HTTP exporters, protecting against memory exhaustion from a misbehaving collector.
  6. Close WAL on shard rotation. Shard rotation now explicitly closes the outgoing WAL via a dedicated ClosedWal sentinel instead of leaking the handle, preventing stale WAL readers from racing with newly-rotated shards.
  7. Go 1.26.3. Bumped Go to 1.26.3, pulling in stdlib security fixes from the 1.26.x series.
  8. aarch64 jemalloc page size. Aligned the jemalloc build with the aarch64 host page size so ARM64 builds no longer hit a configuration mismatch under the GCC 14 toolchain.
  9. Gorilla float encoder length overflow. Fixed the XOR value encoder in chunkenc — a 64-bit-wide XOR difference produced a length of 64 that overflowed the 6-bit length field; the value is now masked so it wraps to the 0-means-64 encoding, preventing corrupted samples in chunks containing such values.
  10. Dependency security updates. Bumped google.golang.org/grpc to v1.79.3, golang.org/x/net to v0.55.0, and golang.org/x/crypto to v0.52.0 on the Go side, plus the web UI ws package to v8.20.1, picking up upstream security fixes.

Other

  1. Bazel Bzlmod migration. Migrated pp/ to Bzlmod and refreshed rules_cc, rules_foreign_cc, and bazel_clang_tidy to resolve dependency conflicts that had blocked further updates of the C++ build stack.
Check out latest releases or
releases around deckhouse/prompp v0.8.0-rc4

Don't miss a new prompp release

NewReleases is sending notifications on new releases.

Get notifications