Update docker minor+patch+digest updates #76
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Thilawyn/website#76
Reference in New Issue
Block a user
Delete Branch "renovate/docker-minor-patch-digest"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
793c871→135f4b9cfe9b6a→5408df722.21.1-trixie-slim→22.22.3-trixie-slim22.21.1→22.22.31.3.4→1.3.141.3.4→1.3.14v3.8.0→v3.11.3Release Notes
nodejs/node (node)
v22.22.3: 2026-05-13, Version 22.22.3 'Jod' (LTS), @marco-ippolitoCompare Source
Commits
4f780905c5] - crypto: fix potential null pointer dereference when BIO_meth_new() fails (Nora Dossche) #617884a09efb947] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #62485e4c0d99839] - deps: update timezone to 2026a (Node.js GitHub Bot) #621640226c8dd7a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #62382e742ab748c] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #6225673cac0571a] - deps: update amaro to 1.1.8 (Node.js GitHub Bot) #62151ae5c162b93] - deps: update amaro to 1.1.7 (Node.js GitHub Bot) #61730b819cb9977] - deps: update amaro to 1.1.6 (Node.js GitHub Bot) #61603bbcce09dc7] - deps: update sqlite to 3.52.0 (Node.js GitHub Bot) #6215022ff2d81ce] - deps: update simdjson to 4.3.1 (Node.js GitHub Bot) #61930f49b51d75c] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #619281a5cec0d49] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #61925d339497688] - deps: update nbytes to 0.1.3 (Node.js GitHub Bot) #618793ff8ffd459] - deps: remove stale OpenSSL arch configs (René) #61834b8ddbc1e9a] - deps: update llhttp to 9.3.1 (Node.js GitHub Bot) #61827ffda97afd4] - deps: update googletest to2461743(Node.js GitHub Bot) #6248479aa32cf4f] - deps: update googletest to73a63ea(Node.js GitHub Bot) #61927b6957e13b6] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #626293a27669063] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #62629d568a1bb53] - deps: upgrade npm to 10.9.8 (npm team) #62463ec11f3c1d5] - deps: V8: backport85b3900(Thibaud Michaud) #6278308609712ed] - deps: V8: backport1b27e46(Thibaud Michaud) #62783dcc60d5ab2] - deps: V8: backport9997fc0(Thibaud Michaud) #627831d1f4451fb] - deps: V8: cherry-pickb96e40d(Clemens Backes) #627832268567237] - deps: V8: cherry-pick7cb6188(Thibaud Michaud) #6278392804cdbea] - deps: V8: cherry-picke7ccf0a(Thibaud Michaud) #62783eae2c27a40] - deps: V8: cherry-pick8e214ec(Thibaud Michaud) #62783a1799a49bb] - deps: V8: backport63b8849(Thibaud Michaud) #62783a2df2d8731] - deps: V8: backport3239427(Thibaud Michaud) #62783e3d65c7dca] - deps: V8: backport89dc6ea(Thibaud Michaud) #627835e7db133de] - deps: V8: backport910cb91(Jakob Kummerow) #62783d0c24a28af] - deps: V8: cherry-pickb8f91e5(Thibaud Michaud) #62783d358687824] - deps: V8: cherry-pickcf03d55(Thibaud Michaud) #6278367c8b2c349] - deps: V8: cherry-pick692f3d5(Sébastien Doeraene) #6278371e5a59ffd] - deps: V8: cherry-pickc734674(Manos Koukoutos) #62783f0dbe81c7b] - deps: V8: cherry-pickb2f3aea(Thibaud Michaud) #62783d333f480c3] - deps: V8: cherry-pick5f1342c(Matthias Liedtke) #62783db722725bb] - deps: use npm undici@six tag inupdate-undici.sh(Matteo Collina) #630129b57979d9c] - doc: add Rafael to last security release steward (Rafael Gonzaga) #62423d8075585bf] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #623556ec9a70204] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #622081fc86fcb6e] - doc: add note (and caveat) formock.moduleabout customization hooks (Jacob Smith) #62075491be80bd9] - doc: add efekrskl as triager (Efe) #6187618558293a3] - doc: fix module.stripTypeScriptTypes indentation (René) #619928e20976522] - doc: explicitly mention Slack handle (Rafael Gonzaga) #6198670b8e6b4fb] - doc: rename invalidfunctionparameter (René) #619424045c76f6c] - doc: clarify status of feature request issues (Antoine du Hamel) #61505c54652f2aa] - doc: remove incorrect mention ofmoduleintypescript.md(Rob Palmer) #618399fad6cedf5] - doc: clarify async caveats forevents.once()(René) #615722f1e5733fe] - doc: update Juan's security steward info (Juan José) #61754a64bdb5068] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #6220602797de923] - doc: fix small environment_variables typo (chris) #62279f22ebdc809] - doc: fix small logic error in DETECT_MODULE_SYNTAX (René) #620259f4508062a] - doc: fix methods being documented as properties inprocess.md(Antoine du Hamel) #617653ea39ff135] - doc: fix dropdown menu being obscured at <600px due to stacking context (Jeff) #61735c22445079b] - doc: fix spacing in process message event (Aviv Keller) #6175632831b5223] - doc: fix broken links of net.md (YuSheng Chen) #61673005508d509] - doc: remove obsolete Boxstarter automated install (Mike McCready) #6178537c2fd6f7d] - esm: fix path normalization infinalizeResolution(Antoine du Hamel) #620801769d74613] - esm: populate separate cache for require(esm) in imported CJS (Joyee Cheung) #59679ee02966ffc] - http: fix keep-alive socket reuse race in requestOnFinish (Martin Slota) #617102fdb5ce6cc] - http2: fix FileHandle leak in respondWithFile (sangwook) #61707aa2c1eca04] - lib: fix source map url parse in dynamic imports (Chengzhong Wu) #61990785b00cbeb] - meta: pass release version to release worker (flakey5) #62777447fb9a0b5] - meta: persist sccache daemon until end of build workflows (René) #616395065a0acb3] - module: do not invoke resolve hooks twice for imported cjs (Joyee Cheung) #615299a2e21305d] - module: do not wrap module._load when tracing is not enabled (Joyee Cheung) #61479b9240bc063] - module: fix sync resolve hooks for require with node: prefixes (Joyee Cheung) #610882e91b28aaf] - module: handle null source from async loader hooks in sync hooks (Joyee Cheung) #5992939147c154e] - module: use sync cjs when importing cts (Marco Ippolito) #6007212a2462b2c] - module: only put directly require-d ESM into require.cache (Joyee Cheung) #59874cf39566277] - src: fix flags argument offset in JSUdpWrap (Weixie Cui) #61948578a9a9230] - src: clamp WriteUtf8 capacity to INT_MAX in EncodeInto (semimikoh) #6262157c3035fec] - stream: fix decoded fromList chunk boundary check (Thomas Watson) #6188457fb008bb8] - test: update tls junk data error expectations (Filip Skokan) #62629363f9a9d18] - test: skiptest-urlon--shared-adabuilds (Antoine du Hamel) #62019daaead342b] - test: simplify encodeInto large buffer regression test (semimikoh) #62621ecfa766b41] - tools: fix auto-start-ci (Antoine du Hamel) #6190017c0a610af] - tools: fix parsing of commit trailers inlint-release-proposalGHA (Antoine du Hamel) #6207789ad7dc63b] - tools: enforce removal oflts-watch-*labels on release proposals (Antoine du Hamel) #616725f9bb8ef0c] - tools: revert tools GHA workflow to ubuntu-latest (Richard Lau) #62024977ef80ac1] - url: process crash via malformed UNC hostname in pathToFileURL() (Nicola Del Gobbo) #62574ad8f518a81] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #62325v22.22.2: 2026-03-24, Version 22.22.2 'Jod' (LTS), @RafaelGSS prepared by @aduh95Compare Source
This is a security release.
Notable Changes
SNICallbackinvocation intry/catch(Matteo Collina) - HighheadersDistinct/trailersDistinct(Matteo Collina) - HighNGHTTP2_ERR_FLOW_CONTROLerror code (RafaelGSS) - Mediumrealpath.native(RafaelGSS) - Lowlib/fs/promises(RafaelGSS) - LowCommits
6f14ee5101] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#80952a52ef619] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#82230a3ab11e2] - (CVE-2026-21717) deps: V8: cherry-pickaac14dd(Joyee Cheung) nodejs-private/node-private#809e3f4d6a42e] - (CVE-2026-21717) deps: V8: backport1361b2a(Joyee Cheung) nodejs-private/node-private#8097dc00fa5f4] - (CVE-2026-21717) deps: V8: backport185f0fe(Joyee Cheung) nodejs-private/node-private#809076acd052d] - (CVE-2026-21717) deps: V8: backport0a8b1cd(snek) nodejs-private/node-private#809963c60a951] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344a688117d5d] - deps: upgrade npm to 10.9.7 (npm team) #62330859c8c761b] - deps: update undici to v6.24.1 (Matteo Collina) #62285d5ed384a2f] - deps: upgrade npm to 10.9.6 (npm team) #62215a2fe9fd81a] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#82173deff77c1] - lib: backport_tls_commonand_tls_wraprefactors (Dario Piotrowicz) #5764306fc3436f6] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795db48d9c675] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#7942a6105a63b] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#83291b970886f] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819v22.22.1: 2026-03-05, Version 22.22.1 'Jod' (LTS)Compare Source
Notable Changes
7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #599836063d888fe] - cli: mark--heapsnapshot-near-heap-limitas stable (Joyee Cheung) #60956d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #614194f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741b6ebf2cd53] - doc: add avivkeller to collaborators (Aviv Keller) #6111535854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #610945c6a076e5d] - meta: add Renegade334 to collaborators (Renegade334) #60714Commits
5f773488c2] - assert: use a set instead of an array for faster lookup (Ruben Bridgewater) #61076feecbb0eab] - assert,util: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) #61388096095b127] - benchmark: add SQLite benchmarks (Guilherme Araújo) #61401b5fe481415] - benchmark: use boolean options in benchmark tests (SeokhunEom) #60129fa9faacacb] - benchmark: allow boolean option values (SeokhunEom) #60129ba8714ac21] - benchmark: fix incorrect base64 input in byteLength benchmark (semimikoh) #6084153596de876] - benchmark: use typescript for import cjs benchmark (Joyee Cheung) #60663e8930e9d7c] - benchmark: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) #606031155e412b1] - benchmark: add per-suite setup option (Joyee Cheung) #60574e01903d304] - benchmark: improve cpu.sh for safety and usability (Nam Yooseong) #60162623a405747] - benchmark: add benchmark for leaf source text modules (Joyee Cheung) #602057f5e7b9f7f] - benchmark: add microbench on isInsideNodeModules (Chengzhong Wu) #60991db132b85a8] - bootstrap: initialize http proxy after user module loader setup (Joyee Cheung) #5893866aab9f987] - buffer: let Buffer.of use heap (Сковорода Никита Андреевич) #60503c3cf00c671] - buffer: speed up concat via TypedArray#set (Gürgün Dayıoğlu) #60399f6fad231e9] - build: skip sscache action on non-main branches (Joyee Cheung) #617902145f91f6b] - build: update android-patches/trap-handler.h.patch (Mo Luo) #603695b49759dd8] - build: update devcontainer.json to use paired nix env (Joyee Cheung) #6141424724cde40] - build: fix misplaced comma in ldflags (hqzing) #61294c57a19934e] - build: fix crate vendor file checksums on windows (Chengzhong Wu) #613298659d7cd07] - build: fix inconsistent quoting inMakefile(Antoine du Hamel) #6051144f339b315] - build: remove temporal updater (Chengzhong Wu) #61151d60a6cebd5] - build: update test-wpt-report to use NODE instead of OUT_NODE (Filip Skokan) #6102434ccf187f5] - build: skip build-ci on actions with a separate test step (Chengzhong Wu) #610737b19e101a2] - build: run embedtest with node_g when BUILDTYPE=Debug (Chengzhong Wu) #608509408c4459f] - build: upgrade Python linter ruff, add rules ASYNC,PERF (Christian Clauss) #599842166ec7f0f] - build: use call command when calling python configure (Jacob Nichols) #6009873ef70145d] - build: remove V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE defs (Joyee Cheung) #602967b93a65f27] - build: test on Python 3.14 (Christian Clauss) #59983508ce6ec6c] - build, src: fix include paths for vtune files (Rahul) #59999c89d3cd570] - build,tools: fix addon build deadlock on errors (Vladimir Morozov) #6132140904a0591] - build,win: update WinGet configurations to Python 3.14 (Mike McCready) #614316d6742e7db] - child_process: treat ipc length header as unsigned uint32 (Ryuhei Shima) #613446063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #609563d324a0f88] - cluster: fix port reuse between cluster (Ryuhei Shima) #6014140a58709b4] - console: optimize single-string logging (Gürgün Dayıoğlu) #60422d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #614194f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741a87499ae25] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #606628c65cc11e2] - crypto: update root certificates to NSS 3.116 (Node.js GitHub Bot) #5995691dc00a2c1] - debugger: fix event listener leak in the run command (Joyee Cheung) #604640781bd3764] - deps: V8: backport6a0a25a(Vivian Wang) #616880cf1f9c3e9] - deps: update googletest to8508785(Node.js GitHub Bot) #61417521b4b1f07] - deps: update sqlite to 3.51.2 (Node.js GitHub Bot) #6133958b9d219a3] - deps: update icu to 78.2 (Node.js GitHub Bot) #60523cbc1e4306d] - deps: update zlib to 1.3.1-e00f703 (Node.js GitHub Bot) #61135db59c35ed8] - deps: update cjs-module-lexer to 2.2.0 (Node.js GitHub Bot) #61271c18518ee3c] - deps: update nbytes to 0.1.2 (Node.js GitHub Bot) #61270376df62d63] - deps: update timezone to 2025c (Node.js GitHub Bot) #61138993e905302] - deps: update simdjson to 4.2.4 (Node.js GitHub Bot) #61056b72fd2a5d3] - deps: update googletest to065127f(Node.js GitHub Bot) #61055d765147405] - deps: update sqlite to 3.51.1 (Node.js GitHub Bot) #6089937abe2a7d2] - deps: update zlib to 1.3.1-63d7e16 (Node.js GitHub Bot) #6089897241fcb86] - deps: update sqlite to 3.51.0 (Node.js GitHub Bot) #606143669c7b4f4] - deps: update simdjson to 4.2.2 (Node.js GitHub Bot) #607409a056ec89c] - deps: update googletest to1b96fa1(Node.js GitHub Bot) #60739b5803b3ea0] - deps: update minimatch to 10.1.1 (Node.js GitHub Bot) #605435bf99f3d46] - deps: update cjs-module-lexer to 2.1.1 (Node.js GitHub Bot) #60646801f187357] - deps: update simdjson to 4.2.1 (Node.js GitHub Bot) #6064403c16e5a4c] - deps: update simdjson to 4.1.0 (Node.js GitHub Bot) #605422ebfc2ca56] - deps: update amaro to 1.1.5 (Node.js GitHub Bot) #60541d24ba4fed6] - deps: update simdjson to 4.0.7 (Node.js GitHub Bot) #598839480a139bf] - deps: update googletest to279f847(Node.js GitHub Bot) #60219635e67379e] - deps: update archs files for openssl-3.5.5 (Node.js GitHub Bot) #61547c7b774047d] - deps: upgrade openssl sources to openssl-3.5.5 (Node.js GitHub Bot) #615475b324d7d7f] - deps: update corepack to 0.34.6 (Node.js GitHub Bot) #61510eef8ba0667] - deps: update corepack to 0.34.5 (Node.js GitHub Bot) #60842490f7c7fb1] - deps: update corepack to 0.34.4 (Node.js GitHub Bot) #6064366903ea3b3] - deps: update corepack to 0.34.2 (Node.js GitHub Bot) #60550a2f0b69282] - deps: update corepack to 0.34.1 (Node.js GitHub Bot) #60314c8044a48a6] - deps: V8: backport2e4c5cf(Michaël Zasso) #60654642f518198] - doc: supported toolchain with Visual Studio 2022 only (Mike McCready) #61451625f674487] - doc: move Security-Team from TSC to SECURITY (Rafael Gonzaga) #61495029e32f8ba] - doc: addedrequestOCSPoption totls.connect(ikeyan) #6106468e33dfa89] - doc: restore @ChALkeR to collaborators (Сковорода Никита Андреевич) #61553e016770d62] - doc: update IBM/Red Hat volunteers with dedicated project time (Beth Griggs) #61588ec63954657] - doc: mention constructor comparison in assert.deepStrictEqual (Hamza Kargin) #60253c8e1563a98] - doc: add CVE delay mention (Rafael Gonzaga) #614654b00cf2b54] - doc: include OpenJSF handle for security stewards (Rafael Gonzaga) #614544b73bf5bc8] - doc: clarify process.argv[1] behavior for -e/--eval (Jeevankumar S) #61366d3151df4b3] - doc: remove Windows Dev Home instructions from BUILDING (Mike McCready) #614342323462e35] - doc: clarify TypedArray properties on Buffer (Roman Reiss) #613556c5478c8b2] - doc: note resume build should not be done on node-test-commit (Stewart X Addison) #61373ba4a043103] - doc: refine WebAssembly error documentation (sangwook) #61382cd315ea589] - doc: add deprecation history for url.parse (Eng Zer Jun) #6138942db0c392d] - doc: add marco and rafael in last sec release (Marco Ippolito) #613834c3b680fc7] - doc: packages: example of private import switch to internal (coderaiser) #61343684d15e421] - doc: add esm and cjs examples to node:v8 (Alfredo González) #61328c3f9c7a7d9] - doc: added 'secure' event to tls.TLSSocket (ikeyan) #61066aa9acad5ca] - doc: restore @watilde to collaborators (Daijiro Wachi) #613509cafec084e] - doc: run license-builder (github-actions[bot]) #61348cdb12ccbc6] - doc: document ALPNCallback option for TLSSocket constructor (ikeyan) #61331461c5e65c5] - doc: update MDN links (Livia Medeiros) #61062dde45baeab] - doc: add documentation for process.traceProcessWarnings (Alireza Ebrahimkhani) #5364159a7aeec92] - doc: fix filename typo (Hardanish Singh) #612979a0a40d1ed] - doc: fix typos and grammar inBUILDING.md&onboarding.md(Hardanish Singh) #61267dca7005f9d] - doc: mention --newVersion release script (Rafael Gonzaga) #61255c0dc8ddf85] - doc: correct typo in api contributing doc (Mike McCready) #61260066af38fe1] - doc: add PR-URL requirement for security backports (Rafael Gonzaga) #6125671dd46bd0c] - doc: add reusePort error behavior to net module (mag123c) #61250f6abe3ba33] - doc: note corepack package removal in distribution doc (Mike McCready) #612079059d49d8c] - doc: fix tls.connect() timeout documentation (Azad Gupta) #61079e7b34b76b0] - doc: missingpassed,errorandpassedproperties onTestContext(Xavier Stouder) #611859ae2dcfbb6] - doc: clarify threat model for application-level API exposure (Rafael Gonzaga) #611849902331a7c] - doc: correct options for net.Socket class and socket.connect (Xavier Stouder) #61179a80122d2fe] - doc: document error event on readline InterfaceConstructor (Xavier Stouder) #6117038d73c9cfa] - doc: add a smooth scrolling effect to the sidebar (btea) #5900795c51fa984] - doc: correct invalid collaborator profile (JJ) #61091f5a044763c] - doc: exclude compile-time flag features from security policy (Matteo Collina) #61109b6ebf2cd53] - doc: add @avivkeller to collaborators (Aviv Keller) #6111535854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #610944932322c29] - doc: add File modes cross-references in fs methods (Mohit Raj Saxena) #60286c84904e047] - doc: add missingzstdto mjs example of zlib (Deokjin Kim) #60915e615b9e2f2] - doc: clarify fileURLToPath security considerations (Rafael Gonzaga) #6088799e384e6d4] - doc: replace column with columnNumber in example ofutil.getCallSites(Deokjin Kim) #608819351bb4d02] - doc: correct spelling in BUILDING.md (Rich Trott) #60875e1f6e7fc4d] - doc: update debuglog examples to use 'foo-bar' instead of 'foo' (xiaoyao) #60867ccbb2d7300] - doc: fix typos in changelogs (Rich Trott) #608551cb2fe8b35] - doc: mark module.register as active development (Chengzhong Wu) #60849ceeb4968a6] - doc: add fullName property to SuiteContext (PaulyBearCoding) #6076256155909dd] - doc: keep sidebar module visible when navigating docs (Botato) #604106b637763d5] - doc: correct concurrency wording in test() documentation (Azad Gupta) #607737183e8ffa1] - doc: clarify that CQ only picks up PRs targetingmain(René) #60731d5d94303be] - doc: clarify license section and add contributor note (KaleruMadhu) #60590e0210c8f53] - doc: correct tls ALPNProtocols types (René) #60143eff87b498a] - doc: remove mention of SMS 2FA (Antoine du Hamel) #60707e77ef94a51] - doc:domain.add()does not accept timer objects (René) #606754fe19c95ea] - doc: update Collaborators list to reflect hybrist handle change (Antoine du Hamel) #60650eece59b6ce] - doc: fix linter issues (Antoine du Hamel) #606366e17e596e4] - doc: correct values/references for buffer.kMaxLength (René) #60305ac327ae9a7] - doc: recommend events.once to manage 'close' event (Dan Fabulich) #60017d9b149ea42] - doc: highlight module loading difference between import and require (Ajay A) #59815f6d62cb22c] - doc: fix typo inprocess.unrefdocumentation (우혁) #596986d5078b196] - doc: add some entries toglossary.md(Mohataseem Khan) #59277b0a5820dea] - doc: improve agent.createConnection docs for http and https agents (JaeHo Jang) #58205b5db02fe67] - doc: fix pseudo code in modules.md (chirsz) #57677e9b912d481] - doc: add missing variable in code snippet (Koushil Mankali) #5547844c06c7812] - doc: add missing word insingle-executable-applications.md(Konstantin Tsabolov) #53864482b43f160] - doc: fix typo in http.md (Michael Solomon) #59354cd323bc718] - doc: update devcontainer.json and add documentation (Joyee Cheung) #60472c7c70f3a16] - doc: add haramj as triager (Haram Jeong) #6034804b8c4d14e] - doc: clarify require(esm) description (dynst) #60520de382dc832] - doc: instantiate resolver object (Donghoon Nam) #60476b6845ce460] - doc: clarify --use-system-ca support status (Joyee Cheung) #603400894dae9bc] - doc: add missing CAA type to dns.resolveAny() & dnsPromises.resolveAny() (Jimmy Leung) #58899c86a69f692] - doc: useanyforworker_threads.Worker'error' event argumenterr(Jonas Geiler) #603000c5031e233] - doc: update decorator documentation to reflect actual policy (Muhammad Salman Aziz) #60288b01f710175] - doc: document wildcard supported by tools/test.py (Joyee Cheung) #60265b4524dabcc] - doc: fixblob.bytes()heading level (XTY) #602525df02776e3] - doc: fix not working code example in vm docs (Artur Gawlik) #602246a4359a0b5] - doc: improve code snippet alternative of url.parse() using WHATWG URL (Steven) #60209ad06bee70d] - doc: use markdown when branch-diff major release (Rafael Gonzaga) #60179c0d4b11ed4] - doc: update teams in collaborator-guide.md and add links (Bart Louwers) #6006520b5ffcac3] - doc: update previous version links in BUILDING (Mike McCready) #61457de345ea3a3] - doc: correct description oferror.stackaccessor behavior (René) #61090d8418d9de7] - doc: fix link in--env-file=filesection (N. Bighetti) #605631107bda21e] - doc: fix v22 changelog after security release (Marco Ippolito) #6137142aab9469a] - doc: add missing history entry forsqlite.md(Antoine du Hamel) #60607deb6d5deff] - doc, module: change async customization hooks to experimental (Gerhard Stöbich) #60302c659add7d1] - doc,src,lib: clarify experimental status of Web Storage support (Antoine du Hamel) #60708dda95e91b9] - esm: avoid throw when module specifier is not url (Craig Macomber (Microsoft)) #61000912945be89] - events: remove redundant todo (Gürgün Dayıoğlu) #6059522e156eb10] - events: remove eventtarget custom inspect branding (Efe) #61128df6fd9b03f] - fs: remove duplicate getValidatedPath calls (Mert Can Altin) #613596ea3e4d850] - fs: fix errorOnExist behavior for directory copy in fs.cp (Nicholas Paun) #60946dd918b9980] - fs: fix ENOTDIR in globSync when file is treated as dir (sangwook) #612594908e67ba0] - fs: remove duplicate fd validation in sync functions (Mert Can Altin) #613614a27bce3d9] - fs: detect dot files when using globstar (Robin van Wijngaarden) #61012b0186ff65c] - fs: validate statfs path (Efe) #612306689775023] - gyp: aix: change gcc version detection so CXX="ccache g++" works (Stewart X Addison) #614645c4f4db663] - http: fix rawHeaders exceeding maxHeadersCount limit (Max Harari) #612857599e2eccd] - http: replace startsWith with strict equality (btea) #5939499a85213bf] - http: lazy allocate cookies array (Robert Nagy) #597347669e6a5ad] - http: fix http client leaky with double response (theanarkh) #60062f074c126a8] - http,https: fix double ERR_PROXY_TUNNEL emission (Shima Ryuhei) #60699d8ac368363] - http2: add diagnostics channels for client stream request body (Darshan Sen) #60480e26a7e464d] - http2: rename variable to additionalPseudoHeaders (Tobias Nießen) #602085df634f46e] - http2: validate initialWindowSize per HTTP/2 spec (Matteo Collina) #614022ccc9a6205] - http2: do not crash on mismatched ping buffer length (René) #601353e68a5f78a] - inspector: inspect HTTP response body (Chengzhong Wu) #60572a86ffa9a5d] - inspector: add network payload buffer size limits (Chengzhong Wu) #60236ea60ef5d74] - lib: fix typo inutil.jscomment (Taejin Kim) #613659d8d9322a4] - lib: fix TypeScript support check in jitless mode (sangwook) #61382fc26f5c78f] - lib: gbk decoder is gb18030 decoder per spec (Сковорода Никита Андреевич) #610993b87030012] - lib: enforce use ofURLParse(Antoine du Hamel) #610162a7479d4fc] - lib: useFastBufferfor empty buffer allocation (Gürgün Dayıoğlu) #605587cf4c43582] - lib: fix constructor in _errnoException stack tree (SeokHun) #60156f9d87fbfaa] - lib: fix typo in QuicSessionStats (SeokHun) #601558d26ccc652] - lib: remove redundant destroyHook checks (Gürgün Dayıoğlu) #60120705832a1be] - lib,src: isInsideNodeModules should test on the first non-internal frame (Chengzhong Wu) #609916f39ad190b] - meta: do not fast-track npm updates (Antoine du Hamel) #61475a6a0ff9486] - meta: fix typos in issue template config (Daijiro Wachi) #61399ec88c9b378] - meta: label v8 module PRs (René) #6132583143835de] - meta: bump step-security/harden-runner from 2.13.2 to 2.14.0 (dependabot[bot]) #612450802dc663a] - meta: bump actions/setup-node from 6.0.0 to 6.1.0 (dependabot[bot]) #61244587db55796] - meta: bump actions/cache from 4.3.0 to 5.0.1 (dependabot[bot]) #61243262c9d37a6] - meta: bump github/codeql-action from 4.31.6 to 4.31.9 (dependabot[bot]) #61241d9763b5afd] - meta: bump codecov/codecov-action from 5.5.1 to 5.5.2 (dependabot[bot]) #612400af73d1811] - meta: bump peter-evans/create-pull-request from 7.0.9 to 8.0.0 (dependabot[bot]) #612378be6afd239] - meta: move lukekarrys to emeritus (Node.js GitHub Bot) #60985c497de5c74] - meta: bump actions/setup-python from 6.0.0 to 6.1.0 (dependabot[bot]) #60927774920f169] - meta: bump github/codeql-action from 4.31.3 to 4.31.6 (dependabot[bot]) #60926ef3b1e5991] - meta: bump peter-evans/create-pull-request from 7.0.8 to 7.0.9 (dependabot[bot]) #609243ed667379f] - meta: bump github/codeql-action from 4.31.2 to 4.31.3 (dependabot[bot]) #607707c0cefb126] - meta: bump step-security/harden-runner from 2.13.1 to 2.13.2 (dependabot[bot]) #607695c6a076e5d] - meta: add Renegade334 to collaborators (Renegade334) #607144f4dda2a18] - meta: bump actions/download-artifact from 5.0.0 to 6.0.0 (dependabot[bot]) #60532c436f8d57c] - meta: bump actions/upload-artifact from 4.6.2 to 5.0.0 (dependabot[bot]) #60531402d9f87a6] - meta: bump github/codeql-action from 3.30.5 to 4.31.2 (dependabot[bot]) #6053361be78e326] - meta: bump actions/setup-node from 5.0.0 to 6.0.0 (dependabot[bot]) #605297e4164a623] - meta: bump actions/stale from 10.0.0 to 10.1.0 (dependabot[bot]) #605281bf6e1d010] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #60325c66fc0e9cf] - meta: loop userland-migrations in deprecations (Chengzhong Wu) #60299e4be0791e7] - meta: callcreate-release-post.ymlpost release (Aviv Keller) #603668674f6527f] - module: preserve URL in the parent created by createRequire() (Joyee Cheung) #6097441db87a975] - msi: fix WiX warnings (Stefan Stojanovic) #60251884f313f40] - node-api: use Node-API in comments (Vladimir Morozov) #61320375164190b] - node-api: use local files for instanceof test (Vladimir Morozov) #60190972a1107c0] - os: freeze signals constant (Xavier Stouder) #61038e992057ab7] - perf_hooks: fix stack overflow error (Antoine du Hamel) #600840bb1814fdf] - repl: fix pasting after moving the cursor to the left (Ruben Bridgewater) #6047035a12fb996] - src: replaceranges::sortfor libc++13 compatibility on armhf (Rebroad) #61789dbf00d4664] - src: add missing override specifier to Clean() (Tobias Nießen) #61429140eba35d3] - src: cache context lookup in vectored io loops (Mert Can Altin) #6138793e7e1708b] - src: use C++ nullptr in webstorage (Tobias Nießen) #61407ef868447bc] - src: fix pointer alignment (jhofstee) #61336a96256524c] - src: dump snapshot source with node:generate_default_snapshot_source (Joyee Cheung) #61101ec051b9efd] - src: add HandleScope to edge loop in heap_utils (Mert Can Altin) #6088541749eb5d6] - src: remove redundant CHECK (Tobias Nießen) #6113057c81e5af3] - src: fix off-thread cert loading in bundled cert mode (Joyee Cheung) #607644b0616e024] - src: handle DER decoding errors from system certificates (Joyee Cheung) #6078793393371f9] - src: use static_cast instead of C-style cast (Michaël Zasso) #60868900445b655] - src: move Node-API version detection to where it is used (Anna Henningsen) #605128353a6da2a] - src: avoid C strings in more C++ exception throws (Anna Henningsen) #6059227c860c51f] - src: movenapi_addon_register_functonode_api_types.h(Anna Henningsen) #60512e0517752e7] - src: remove unconditional NAPI_EXPERIMENTAL in node.h (Chengzhong Wu) #6034521e2a52f8e] - src: clean up generic counter implementation (Anna Henningsen) #60447aed23cb8ca] - src: add enum handle for ToStringHelper + formatting (Burkov Egor) #568292e93650ebc] - src: fix timing of snapshot serialize callback (Joyee Cheung) #60434ece4acc18f] - src: add COUNT_GENERIC_USAGE utility for tests (Joyee Cheung) #6043431c8e9d9ff] - src: use cached primordials_string (Sohyeon Kim) #602557f0ffddc14] - src: implement Windows-1252 encoding support and update related tests (Mert Can Altin) #60893c2ba56d6b2] - src,permission: fix permission.has on empty param (Rafael Gonzaga) #60674e55a2b895a] - src,permission: add debug log on is_tree_granted (Rafael Gonzaga) #60668902a78b43c] - stream: fix isErrored/isWritable for WritableStreams (René) #60905221b77cf41] - stream: don't try to read more if reading (Robert Nagy) #6045446d12d826f] - test: skip strace test with shared openssl (Richard Lau) #6198752e6b01a44] - test: marktest-strace-openat-opensslas flaky (Antoine du Hamel) #619214d7468d0e0] - test: skip --build-sea tests on platforms where SEA is flaky (Joyee Cheung) #61504f604b7ae67] - test: fix flaky debugger test (Ryuhei Shima) #58324fc2dc4024b] - test: ensure removeListener event fires for once() listeners (sangwook) #601375fba382816] - test: delay writing the files only on macOS (Luigi Pinca) #6153285cc9e20e4] - test: asserts that import.meta.resolve invokes sync loader hooks (Chengzhong Wu) #6115813831685ca] - test: check util.parseArgs argv parsing with actual process execution (René) #61089ec4b722cb8] - test: remove unneccessary repl magic_mode tests (Dario Piotrowicz) #610535c811106bc] - test: skip sea tests on riscv64 (Stewart X Addison) #611114e4a631c07] - test: mark stringbytes-external-max flaky on AIX (Stewart X Addison) #609959af0787043] - test: update test426 fixtures (Rich Trott) #60982277f16d247] - test: skip SEA inspect test if inspector is not available (Livia Medeiros) #608727dfa8c96bf] - test: useassert.matchfor non-literal regexp tests (René) #6087941e6cd8ce5] - test: fix embedtest in debug windows (Vladimir Morozov) #60806f65147b226] - test: fix debug test crashes caused by sea tests (Vladimir Morozov) #60807a93dff9e92] - test: replace deprecated regex test assertions in http trailers test (Aditya Chopra) #60831f90d5b954f] - test: prefer major GC in cppgc-object teardown (sangwook) #60672e1645cc78d] - test: skip test that cause timeout on IBM i (SRAVANI GUNDEPALLI) #607004f23eba22f] - test: limit the concurrency of WPTRunner for RISC-V (Levi Zim) #60591c2bef6522b] - test: fix test-strace-openat-openssl for RISC-V (Levi Zim) #605884c03a7f864] - test: fix status when compiled without inspector (Antoine du Hamel) #602892ef146a074] - test: apply a delay towatch-mode-kill-signaltests (Joyee Cheung) #60610dc3000c504] - test: async iife in repl (Tony Gorez) #448785e06e84db1] - test: parallelize sea tests when there's enough disk space (Joyee Cheung) #60604940d2752bc] - test: only show overridden env in child process failures (Joyee Cheung) #60556558a5743c6] - test: add more logs to test-esm-loader-hooks-inspect-wait (Joyee Cheung) #6046610fac8de45] - test: mark stringbytes-external-exceed-max tests as flaky on AIX (Joyee Cheung) #605658bc84046be] - test: correct conditional secure heap flags test (Shelley Vohr) #60385ccc805f184] - test: fix flaky test-watch-mode-kill-signal-* (Joyee Cheung) #604431b8274453d] - test: capture stack trace in debugger timeout errors (Joyee Cheung) #604579fcf889279] - test: ensure assertions are reachable intest/async-hooks(Antoine du Hamel) #601507f5230333e] - test: increase debugger waitFor timeout on macOS (Chengzhong Wu) #603670e5ea3b795] - test: fix small compile warning in test_network_requests_buffer.cc (xiaocainiao633) #60281012780c7e8] - test: split test-runner-watch-mode-kill-signal (Joyee Cheung) #60298b53d35a8f8] - test: fix incorrect calculation in test-perf-hooks.js (Joyee Cheung) #60271b8ef464c08] - test: skip sea tests on x64 macOS (Joyee Cheung) #60250a3c4d905da] - test: move sea tests into test/sea (Joyee Cheung) #6025080bec9fd07] - test: skip tests that cause timeouts on IBM i (SRAVANI GUNDEPALLI) #601481d05b44c7c] - test: deflake test-fs-promises-watch-iterator (Luigi Pinca) #600608958096840] - test: deflaketest-repl-paste-big-data(Livia Medeiros) #60975e261a59ca4] - test: add newstartNewREPLSevertesting utility (Dario Piotrowicz) #59964d4a2d8aa8a] - test: skip failing tests when compiled without amaro (Yuki Okita) #608150e407a88bb] - test: skip failing test on macOS 15.7+ (Antoine du Hamel) #60419a253b7b6dc] - tools: switch to ARM runners on GHA jobs (Antoine du Hamel) #619038862c41494] - tools: avoid building twice in coverage jobs (Antoine du Hamel) #618997d11a22802] - tools: use ubuntu-slim runner in GHA (Antoine du Hamel) #61759d0e7d6cb89] - tools: use ubuntu-slim runner in GHA (Antoine du Hamel) #61734cf5ddd1811] - tools: use ubuntu-latest runner innotify-on-pushworkflow (Antoine du Hamel) #6174218bcf8e260] - tools: use ubuntu-slim runner in meta GitHub Actions (Tierney Cyren) #61663db76733b55] - tools: update gyp-next to 0.21.1 (Node.js GitHub Bot) #615281dd9d8a3b2] - tools: fix vcbuild lint-js-build (Vladimir Morozov) #61318ec67f8f9b5] - tools: only report commit validation failure on Slack (Antoine du Hamel) #611248e385c8c66] - tools: use sparse-checkout in linter jobs (Antoine du Hamel) #61123aed2e9c8eb] - tools: simplifynotify-on-push(Antoine du Hamel) #6105032680feefb] - tools: fix update-nghttp2 signature verification (Richard Lau) #61035c5f68f41e6] - tools: improve log output ofcreate-release-proposal(Antoine du Hamel) #6102832e0ae0ec7] - tools: fixvcbuild testwhen path contain spaces (stduhpf) #564819e0858e4a2] - tools: do not runtest-linuxworkflow for changes onvcbuild.bat(Antoine du Hamel) #60979fd656a79fc] - tools: disable some new cpplint rules before update (Michaël Zasso) #60901df4df52e67] - tools: don't fetch V8 deps in the source tree (Richard Lau) #60883e5c2fe8d6d] - tools: add temporal updater (Chengzhong Wu) #608287f031e097e] - tools: dump config.gypi as json (Chengzhong Wu) #607945e69488a5a] - tools: bump js-yaml from 4.1.0 to 4.1.1 in /tools/lint-md (dependabot[bot]) #607815119c50931] - tools: bump js-yaml from 4.1.0 to 4.1.1 in /tools/doc in the doc group (dependabot[bot]) #60766a4b073123d] - tools: remove unsupportedcooldownfrom Dependabot config (Antoine du Hamel) #60747a3df6b87bb] - tools: update sccache to v0.12.0 (Michaël Zasso) #607232efbd54a4a] - tools: update gyp-next to 0.21.0 (Node.js GitHub Bot) #60645bb7876e4f9] - tools: replace invalid expression in dependabot config (Riddhi) #60649e444e44d6a] - tools: skip unaffected GHA jobs for changes intest/internet(Antoine du Hamel) #60517a6a0ec107c] - tools: do not use short hashes for deps versioning to avoid collision (Antoine du Hamel) #60407c6e2eed65f] - tools: fix update-icu script (Michaël Zasso) #6052176fb3d123b] - tools: fix linter for semver-major release proposals (Antoine du Hamel) #60481f02889e24e] - tools: fix failing release-proposal linter for LTS transitions (Antoine du Hamel) #604658203df4432] - tools: remove undici from daily wpt.fyi job (Filip Skokan) #60444a58242b666] - tools: add lint rule to ensure assertions are reached (Antoine du Hamel) #6012558e3ef398f] - tools: update gyp-next to 0.20.5 (Node.js GitHub Bot) #60313996494482a] - tools: optimize wildcard execution in tools/test.py (Joyee Cheung) #60266cf84756d0d] - tools: use cooldown property correctly (Rafael Gonzaga) #601345469cb2651] - tools: validate release commit diff as part oflint-release-proposal(Antoine du Hamel) #614401b9eab4a1c] - tools,doc: fix format-md files list (Stefan Stojanovic) #61147b20d9c2ce7] - tools,doc: update JavaScript primitive types to match MDN Web Docs (JustApple) #6058131760b1beb] - typings: add typing for string_decoder (Taejin Kim) #61368d6b908917c] - typings: add missing properties and method in Worker (Woohyun Sung) #602571e8b6d5686] - typings: add missing properties in HTTPParser (Woohyun Sung) #6025727ae9b4a26] - typings: delete undefined property in ConfigBinding (Woohyun Sung) #60257f43c6434e2] - typings: add buffer internalBinding typing (방진혁) #60163e7f954f63a] - url: add fast path to getPathFromURL decoder (Gürgün Dayıoğlu) #60749c149b64473] - url: remove array.reduce usage (Gürgün Dayıoğlu) #607480bd291bff1] - util: optimize toASCIILower function using V8s native toLowerCase (Mert Can Altin) #61107bbc54b3c96] - util: limitinspectto only show own properties (Ruben Bridgewater) #6103278e5fa23c4] - util: fix parseArgs skipping positional arg with --eval and --print (azadgupta1) #60814f75ec19105] - util: assert getCallSites does not invoke Error.prepareStackTrace (Chengzhong Wu) #60922d77da9306c] - util: fix stylize of special properties in inspect (Ge Gao) #604793a4edc8f6d] - util: use more defensive code when inspecting error objects (Antoine du Hamel) #6013925c33af752] - util: mark special properties when inspecting them (Ruben Bridgewater) #601313f98b46716] - vm: make vm.Module.evaluate() conditionally synchronous (Joyee Cheung) #60205f64a691493] - win: upgrade Visual Studio workload from 2019 to 2022 (Jiawen Geng) #603188e04327954] - worker: update code examples fornode:worker_threadsmodule (fisker Cheung) #58264c4440dcc60] - worker: remove not implemented declarations (Artur Gawlik) #60655df4cc62954] - zlib: validate write_result array length (Ryuhei Shima) #61342v22.22.0: 2026-01-13, Version 22.22.0 'Jod' (LTS), @marco-ippolitoCompare Source
This is a security release.
Notable Changes
lib:
lib,permission:
src:
src,lib:
tls:
Commits
6badf4e6f4] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #6099737509c3ff0] - deps: update undici to 6.23.0 (Matteo Collina) nodejs-private/node-private#791eb8e41f8db] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797ebbf942a83] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#7486b4849583a] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760ddadc31f09] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773d4d9f3915f] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#75925d6799df6] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796prometheus/prometheus (prom/prometheus)
v3.11.3: 3.11.3 / 2026-04-27Compare Source
This release fixes mutiple security issues.
We would like to thank the following people for the responsible disclosures:
Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.
Brett Gervasoni for the AzureAD OAuth
client_secretvulnerability.@iiihaiii and @Ngocnn97 for the Old UI XSS vulnerability.
[SECURITY] AzureAD remote write: Fix OAuth
client_secretbeing exposed in plaintext via/-/configendpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 #18590[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 #18584
[SECURITY] UI: Fix stored XSS via unescaped
lelabel values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 #18588v3.11.2: 3.11.2 / 2026-04-13Compare Source
This release has a fix for a Stored XSS vulnerability that can be triggered via crafted metric names and label values in Prometheus web UI tooltips and metrics explorer. Thanks to Duc Anh Nguyen from TinyxLab for reporting it.
health_filterfield for Health API filtering. #18499v3.11.1: 3.11.1 / 2026-04-07Compare Source
insecure: true. #18469v3.11.0: 3.11.0 / 2026-04-02Compare Source
__meta_hetzner_datacenterlabel is deprecated for the rolerobotbut kept for backward compatibility, use the__meta_hetzner_robot_datacenterlabel instead. For the rolehcloud, the label is deprecated and will stop working after the 1 July 2026. #17850__meta_hetzner_hcloud_datacenter_locationand__meta_hetzner_hcloud_datacenter_location_network_zonelabels are deprecated, use the__meta_hetzner_hcloud_locationand__meta_hetzner_hcloud_location_network_zonelabels instead. #17850prometheus_sd_last_update_timestamp_secondsmetric to track the last time a service discovery update was sent to consumers. #18194__meta_kubernetes_pod_deployment_name,__meta_kubernetes_pod_cronjob_nameand__meta_kubernetes_pod_job_name, respectively. #17774</and>/operators for trimming observations from native histograms. #17904histogram_quantilesvariadic function for computing multiple quantiles at once. #17285storage.tsdb.retention.percentageconfiguration to configure the maximum percent of disk usable for TSDB storage. #18080st-storagefeature flag. When enabled, Prometheus stores ingested start timestamps (ST, previously called Created Timestamp) from scrape or OTLP in the TSDB and Agent WAL, and exposes them via Remote Write 2. #18062xor2-encodingfeature flag for the new TSDB block float sample chunk encoding that is optimized for scraped data and allows encoding start timestamps. #18062external_idsupport for sigv4. #17916first_over_timeandts_of_first_over_timePromQL functions. #18318KahanAdd. #18252endpointoption, a regression from the AWS SDK v2 migration. #18133client_idis empty. #18323*DualStackEndpointSlices policies. #18192prometheus_remote_storage_sent_batch_duration_secondsmeasuring before the request was sent. #18214use-uncached-iofeature flag is set on unsupported environments. #18219v3.10.0: 3.10.0 / 2026-02-24Compare Source
Prometheus now offers a distroless Docker image variant alongside the default
busybox image. The distroless variant provides enhanced security with a minimal
base image, uses UID/GID 65532 (nonroot) instead of nobody, and removes the
VOLUME declaration. Both variants are available with
-busyboxand-distrolesstag suffixes (e.g.,
prom/prometheus:latest-busybox,prom/prometheus:latest-distroless).The busybox image remains the default with no suffix for backwards compatibility
(e.g.,
prom/prometheus:latestpoints to the busybox variant).For users migrating existing named volumes from the busybox image to the distroless variant, the ownership can be adjusted with:
Then, the container can be started with the old volume with:
User migrating from bind mounts might need to ajust permissions too, depending on their setup.
alertmanagerdimension to following metrics:prometheus_notifications_dropped_total,prometheus_notifications_queue_capacity,prometheus_notifications_queue_length. #16355/alertspage. #17611fill()/fill_left()/fill_right()binop modifiers for specifying default values for missing series. #17644/api/v1/openapi.yaml. #17825<URL>/debug/pprof/fgprof. #18027stale_series_compaction_thresholdin the config file. #16929remove_all_sdand individual service discoveries can be re-added with the build tagsenable_<sd name>_sd. Users can build a custom Prometheus with only the necessary SDs for a smaller binary size. #17736promql-duration-exprandpromql-extended-range-selectors. #17926.*-.*-.*. #17707/api/v1/targets/relabel_stepsin a single pass instead of re-running relabeling for each prefix. #17969X-Prometheus-Stoppingheader for/-/readyendpoint inNotReadystate. #17795info()function returning empty results when filtering by a label that exists on both the input metric andtarget_info. #17817__name__from OTLP attributes to prevent duplicate labels. #17917@modifier on empty ranges. #18020avg_over_timefor a single native histogram. #18058v3.9.1: 3.9.1 / 2026-01-07Compare Source
v3.9.0: 3.9.0 / 2026-01-06Compare Source
Note for users of Native Histograms
In version 3.9, Native Histograms is no longer experimental, and the feature flag
native-histogramhas no effect. You must now turn onthe config setting
scrape_native_histogramsto collect Native Histogram samples from exporters.Changelog
native-histogramfeature flag a no-op. Usescrape_native_histogramsconfig option instead. #17528start_timestampfield for unit tests. #17636--format seriesjsonoption totsdb dumpto output just series labels in JSON format. #13409--storage.tsdb.delay-compact-file.pathflag for better interoperability with Thanos. #17435--storage.tsdb.block-reload-intervalto configure TSDB Block Reload Interval. #16728prometheus_notifications_latency_histogram_secondsto complement the existing summary. #16637configlabel with job name for mostprometheus_sd_refreshmetrics. #17138prometheus_tsdb_sample_ooo_delta, the distribution of out-of-order samples in seconds. Collected for all samples, accepted or not. #17477_total. #17682ignoring()and non-empty grouping. #17643rate/increase/deltaof histograms results in a gauge histogram. #17608v3.8.1: 3.8.1 / 2025-12-16Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.
Update grafana/tempo:latest Docker digest to d82487fto Update docker minor+patch+digest updatesEdited/Blocked Notification
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
⚠️ Warning: custom changes will be lost.
View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.