Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: prometheus/prometheus
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v3.11.2
Choose a base ref
...
head repository: prometheus/prometheus
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v3.11.3
Choose a head ref
  • 8 commits
  • 12 files changed
  • 2 contributors

Commits on Apr 27, 2026

  1. remote: validate snappy decoded length before allocation in read endp… 

    …oint

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
    @roidelapluie
    roidelapluie committed Apr 27, 2026
    Configuration menu
    Copy the full SHA
    3273935 View commit details
    Browse the repository at this point in the history

  2. remote/azuread: use Secret type for OAuth client_secret 

    The ClientSecret field in OAuthConfig was typed as plain string,
causing it to be exposed in plaintext via the /-/config HTTP endpoint.
Change it to config_util.Secret so Prometheus redacts it as <secret>.

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
    @roidelapluie
    roidelapluie committed Apr 27, 2026
    Configuration menu
    Copy the full SHA
    5ccebcd View commit details
    Browse the repository at this point in the history

  3. ui: fix stored XSS in old UI heatmap chart tick labels 

    This fixes the stored XSS as described in:

GHSA-fw8g-cg8f-9j28

Signed-off-by: Julius Volz <julius.volz@gmail.com>
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
    @juliusv @roidelapluie
    juliusv authored and roidelapluie committed Apr 27, 2026
    Configuration menu
    Copy the full SHA
    38f23b9 View commit details
    Browse the repository at this point in the history

  4. Merge pull request #18584 from roidelapluie/roidelapluie/snappylength 

    remote: validate snappy decoded length before allocation in read endpoint
    @roidelapluie
    roidelapluie authored Apr 27, 2026
    Configuration menu
    Copy the full SHA
    04055ee View commit details
    Browse the repository at this point in the history

  5. Merge pull request #18588 from roidelapluie/roidelapluie/react-escape 

    ui: fix stored XSS in old UI heatmap chart tick labels
    @roidelapluie
    roidelapluie authored Apr 27, 2026
    Configuration menu
    Copy the full SHA
    ecbde5f View commit details
    Browse the repository at this point in the history

  6. Merge pull request #18590 from roidelapluie/roidelapluie/azadsecret 

    remote/azuread: use Secret type for OAuth client_secret
    @roidelapluie
    roidelapluie authored Apr 27, 2026
    Configuration menu
    Copy the full SHA
    26dae7f View commit details
    Browse the repository at this point in the history

  7. Release 3.11.3 

    Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
    @roidelapluie
    roidelapluie committed Apr 27, 2026
    Configuration menu
    Copy the full SHA
    5ba3545 View commit details
    Browse the repository at this point in the history

  8. Merge pull request #18594 from roidelapluie/roidelapluie/cut-rel-3.11.3 

    Release 3.11.3
    @roidelapluie
    roidelapluie authored Apr 27, 2026
    Configuration menu
    Copy the full SHA
    eb173f5 View commit details
    Browse the repository at this point in the history
Loading