
Prometheus

DEVOPS
Velocity 5.0

Monitoring system

Prometheus ships PromQL and TSDB advances on a disciplined security-patch cadence

Tags: monitoring, promql, tsdb, security, native-histograms, observability
Current state
Prometheus is a mature monitoring core in steady release mode, running parallel 3.5 LTS and 3.x mainline branches. Recent work centers on experimental start-timestamp PromQL semantics, native-histogram support, TSDB performance, and an unusually heavy run of coordinated CVE fixes across both branches.
Where it's heading
The feature arc is incremental refinement of the query engine (start-timestamps for rate/increase, new scalar functions, search endpoints) and storage efficiency, not directional change. The standout pattern is security discipline: secret-exposure and XSS fixes backported in lockstep to 3.5 and 3.11/3.12.
Prediction
Expect 3.13 to reach GA with the start-timestamp and native-histogram experiments maturing toward stability, given their repeated appearance across recent release candidates.

Recent moves

  1. v3.13 RC: PromQL search endpoints, native-histogram rates, CVE fixes (5d ago)

     The 3.13 rc.1 release candidate carries forward rc.0's substantial PromQL work (search endpoints, min_of/max_of, smoothed/anchored histogram rates) plus an XSS fix and redirect-credential hardening. rc.1 itself is mostly CI cleanup after a packaging migration.
  2. v3.5.4 LTS: secret-exposure leak and dependency CVE fixes (10d ago)

     A 3.5 LTS patch fixing a STACKIT secret-exposure leak plus CVE-driven bumps of golang.org/x/net and OpenTelemetry. Security-only content; operators pinned to the LTS line should apply it.
  3. v3.12.0: start-timestamp PromQL, new service discovery, TSDB perf (1mo ago)

     The 3.12.0 feature release lands start-timestamp PromQL, DigitalOcean/Outscale service discovery, constant-time head-chunk lookup, and a UI for deleting time series. A broad incremental step for the mainline.
  4. v3.12.0 release candidate (superseded by GA) (1mo ago)

     The 3.12.0 release candidate, superseded by the identical-content GA a week later. No incremental signal beyond the GA it preceded.
  5. v3.11.3: AzureAD secret leak, remote-read DoS, XSS fixes (2mo ago)

     A 3.11 security release fixing an AzureAD client_secret exposure, a remote-read snappy-decode DoS, and an old-UI XSS. Action-required hardening across three disclosed CVEs.
  6. v3.5.3 LTS: backport of AzureAD, remote-read, and XSS fixes (2mo ago)

     The same CVE set backported to the 3.5 LTS branch the same day, so users pinned to 3.5 get the secret-exposure, DoS, and XSS fixes too. Mirrors the 3.11 release for a different support line.
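
As an added example (not Prometheus project code), here is the version gate an operator would run after reading the 3.5 LTS and 3.11 security releases above: it parses the JSON that Prometheus returns from GET /api/v1/status/buildinfo and compares the reported version against the lowest patched release this page names for each support line. The buildinfo payloads below are constructed, not captured from a live server. The per-branch floor table is an assumption drawn from the release summaries above (3.5.4 is treated as a superset of 3.5.3 because it is a later patch on the same LTS line); 3.12 and 3.13 builds are reported as unpinned because the page names no patched 3.12.x release, not because they are known to be safe.

```python
"""Gate a running Prometheus build against the security releases listed above.

Added example, not Prometheus project code. Reads the shape returned by
GET /api/v1/status/buildinfo, e.g. {"status":"success","data":{"version":"3.11.2",...}}.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed floors, taken from this page's release summaries:
# 3.5.4 supersedes 3.5.3 (AzureAD client_secret leak, remote-read snappy DoS,
# old-UI XSS) and adds the STACKIT secret-exposure fix plus x/net + OTel bumps.
# 3.11.3 carries the AzureAD / remote-read / XSS set.
# Mainline 3.12 / 3.13 is deliberately absent: the page names no patched 3.12.x.
MIN_FIXED = {
    (3, 5): (3, 5, 4),
    (3, 11): (3, 11, 3),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


@dataclass(frozen=True)
class Verdict:
    version: str
    status: str                    # "patched" | "vulnerable" | "unpinned" | "unparseable"
    required: Optional[str] = None # floor release for the branch, when one is pinned


def parse_version(raw: str) -> Optional[Tuple[int, int, int, Optional[str]]]:
    """Parse '3.5.4' or 'v3.13.0-rc.1' into (major, minor, patch, prerelease)."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def is_at_least(v: Tuple[int, int, int, Optional[str]], floor: Tuple[int, int, int]) -> bool:
    """Semver ordering: a prerelease of the floor (3.5.4-rc.0) still sorts below 3.5.4."""
    major, minor, patch, pre = v
    if (major, minor, patch) != floor:
        return (major, minor, patch) > floor
    return pre is None


def assess(buildinfo_json: str) -> Verdict:
    """Classify the build reported by /api/v1/status/buildinfo against MIN_FIXED."""
    try:
        raw = json.loads(buildinfo_json)["data"]["version"]
    except (ValueError, KeyError, TypeError):
        return Verdict(version="", status="unparseable")
    v = parse_version(raw)
    if v is None:
        return Verdict(version=raw, status="unparseable")
    floor = MIN_FIXED.get((v[0], v[1]))
    if floor is None:
        # Branch not covered by the table: do not report it as safe.
        return Verdict(version=raw, status="unpinned")
    required = ".".join(map(str, floor))
    status = "patched" if is_at_least(v, floor) else "vulnerable"
    return Verdict(version=raw, status=status, required=required)


# Constructed sample payloads shaped like the buildinfo endpoint's response.
SAMPLES = {
    "lts-old":      '{"status":"success","data":{"version":"3.5.2","revision":"deadbeef"}}',
    "lts-rc":       '{"status":"success","data":{"version":"3.5.4-rc.0"}}',
    "lts-ok":       '{"status":"success","data":{"version":"3.5.4"}}',
    "mainline-old": '{"status":"success","data":{"version":"3.11.1"}}',
    "mainline-rc":  '{"status":"success","data":{"version":"v3.13.0-rc.1"}}',
    "garbage":      '{"status":"error"}',
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        verdict = assess(payload)
        need = f" (need >= {verdict.required})" if verdict.required else ""
        print(f"{name:13s} {verdict.version or '?':14s} {verdict.status}{need}")
```

In practice the payload comes from `curl -s http://prometheus:9090/api/v1/status/buildinfo`; the point of the prerelease handling is that a 3.5.4-rc.0 build must not be waved through as 3.5.4, and the point of the "unpinned" verdict is that an unlisted branch is a gap in the table, not a clean bill of health.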