github robintra/perf-sentinel v0.9.1


What's new in v0.9.1

v0.9.1 is a security patch. It updates the transitive opentelemetry_sdk dependency to 0.32.1, resolving CVE-2026-48504 (unbounded memory allocation in W3C Baggage propagation). There is no behavior change on any surface: the pipeline, the daemon HTTP routes, the OTLP wire protocol, the configuration format, and every machine-output shape are identical to v0.9.0. The minimum supported Rust version stays 1.96.0.

Security: opentelemetry_sdk updated to 0.32.1

The opentelemetry_sdk crate moves from 0.32.0 to 0.32.1, the patch release that fixes CVE-2026-48504, an unbounded memory allocation in W3C Baggage propagation. It is a transitive dependency, so the change is confined to Cargo.lock and the resulting binary. No perf-sentinel code, CLI flag, configuration key, or output format changes.
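Because the fix lives only in Cargo.lock, the useful operator check is to confirm that every opentelemetry_sdk entry in the lock file you build from is at the patched version. The script below is an added example, not perf-sentinel code: it reads the [[package]] entries of a Cargo.lock with a small line parser (the subset of TOML that Cargo emits needs no library), compares versions in semver order, and lists every entry of the named crate that sits below the minimum. The Cargo.lock text embedded in it is constructed for the demonstration and deliberately contains two opentelemetry_sdk versions, the situation a second dependency tree can produce, so the check reports the stale one rather than stopping at the first hit.

```python
"""Report Cargo.lock entries of a crate that are below a patched version.

Added example; not part of the perf-sentinel repository. The lock text below
is constructed for illustration and is not the project's real Cargo.lock.
"""
import sys

# Constructed sample: one patched and one stale opentelemetry_sdk entry.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "opentelemetry"
version = "0.32.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "opentelemetry_sdk"
version = "0.32.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "opentelemetry",
]

[[package]]
name = "opentelemetry_sdk"
version = "0.31.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


def parse_lock(text):
    """Return a list of dicts, one per [[package]] table, with scalar keys only.

    Cargo writes one 'key = value' per line inside each table; the
    multi-line 'dependencies = [ ... ]' array is skipped because the check
    only needs name and version.
    """
    packages = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif current is not None and "=" in line and not line.startswith("dependencies"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return packages


def parse_version(version):
    """Map a Cargo version string to a tuple that sorts in semver order.

    Build metadata after '+' is ignored. A pre-release (anything after '-')
    sorts below the corresponding release, so 0.32.1-rc.1 does not satisfy a
    0.32.1 minimum. Missing components are padded with zeros.
    """
    core, dash, _ = version.partition("-")
    core = core.split("+", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    while len(parts) < 3:
        parts += (0,)
    return parts + ((0,) if dash else (1,))


def stale_entries(lock_text, crate, minimum):
    """Return (name, version) for every entry of `crate` below `minimum`."""
    floor = parse_version(minimum)
    return [
        (pkg["name"], pkg["version"])
        for pkg in parse_lock(lock_text)
        if pkg.get("name") == crate and parse_version(pkg["version"]) < floor
    ]


if __name__ == "__main__":
    # Usage: python check_lock.py [path/to/Cargo.lock]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    stale = stale_entries(text, "opentelemetry_sdk", "0.32.1")
    for name, version in stale:
        print(f"{name} {version} is below the patched 0.32.1")
    sys.exit(1 if stale else 0)
```

Run it against a checked-out tree's Cargo.lock before building; a non-zero exit means at least one resolved copy of the crate still carries the affected version, which is exactly the case a `cargo update -p opentelemetry_sdk` (or the v0.9.1 lock file) is meant to eliminate.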

Operator-visible behavior change

None. No daemon HTTP route, OTLP wire shape, configuration key, Prometheus metric, or machine export changes from v0.9.0. The only difference is the patched opentelemetry_sdk version embedded in the binary.

Why this is a patch and not a minor

The release is a single transitive dependency bump that resolves a CVE, with no functional change. It adds no CLI flag, no configuration, no daemon route, and no change to any output format. The minimum supported Rust version stays 1.96.0.

Validation

The simulation-lab release-gate was skipped for this release, a transitive dependency bump that does not change perf-sentinel's behavior on any surface. CI covers the build, the full test suite (cargo test --workspace), clippy at -D warnings, cargo fmt, and both the default and --no-default-features builds. The published Docker image now passes the Trivy HIGH/CRITICAL gate that the v0.9.0 image, which carried opentelemetry_sdk 0.32.0, did not.

Verifying this release

# Binary integrity via SLSA Build L3 attestation
gh attestation verify perf-sentinel-linux-amd64 \
  --owner robintra --repo perf-sentinel

# A periodic disclosure produced by this binary
perf-sentinel verify-hash --report perf-sentinel-report.json \
  --expected-identity "https://github.com/robintra/perf-sentinel/.github/workflows/release.yml@refs/tags/v0.9.1" \
  --expected-issuer "https://token.actions.githubusercontent.com"

gh CLI 2.49 or newer is required for gh attestation verify.

Full Changelog: v0.9.0...v0.9.1
