Enhancements

1. Snapshot LSS type separation. Decoupled the read-only label set snapshot into a dedicated SnapshotLSS type with its own variant, reducing the active head's variant footprint and improving type safety.
2. GOST-compliant build hardening. Enabled FORTIFY_SOURCE=2, stack protector, position-independent code, and additional compiler warnings (null-dereference, division-by-zero, array-bounds) across all C++ code including third-party libraries.
3. GCC 14 and clang-tidy 21. Upgraded the C++ toolchain to GCC 14.2.0 and clang-tidy 21.1.8 with new bugprone-* diagnostics enabled; all findings resolved.
4. Go /sync/* runtime metrics. The Prometheus Go collector now exports mutex and semaphore contention statistics from runtime/metrics (/sync/*) alongside the existing GC and scheduler metrics, making locker contention observable in production.
5. Jemalloc resident memory metric. Exposed jemalloc's resident set size as a new metric alongside the existing allocated/mapped stats, giving operators clearer visibility into the C++ allocator's memory footprint.
6. Chunk recoder optimization. Switched the chunk recoder to a seek-based decode iterator and tuned the Prometheus chunkenc encoder with [[likely]] annotations, giving roughly a 10% speedup on the recoder benchmark.
7. Remote write data source refactor. Reworked the WAL/encoder pipeline — extracted SegmentSamplesStorage, added a V2 WAL reader and DataSourceV2, and the shard now transparently switches between WAL format versions.
8. Merge-shard series sets. New generic mergeShardSeriesSet / mergeShardChunkSeriesSet iterators stream across shards without an intermediate merge buffer, lowering query memory pressure on sharded heads.
9. Jemalloc arena pool recycling. Arenas returned to the free pool are now reset and purged instead of being destroyed, with updated jemalloc build options. New metrics report arena pool releases and reclaimed bytes (prompp_common_jemalloc_arena_pool_*). Carried over from v0.7.11.

Fixes

1. Remote-read snappy DoS (CVE-2026-42154). Backported the upstream fix (GHSA-8rm2-7qqf-34qm) — /api/v1/read now rejects snappy-compressed payloads whose declared decoded length exceeds the 32 MiB decode limit before allocation, preventing memory exhaustion via crafted small requests.
2. OpenTelemetry security update. Upgraded go.opentelemetry.io/otel/sdk and the otlptracehttp exporter to v1.43.0 — mitigates a PATH hijacking CVE (GHSA-hfvc-g4fc-pqhx) in the BSD host-id detector and adds a 4 MiB response body limit to OTLP HTTP exporters, protecting against memory exhaustion from a misbehaving collector.
3. Close WAL on shard rotation. Shard rotation now explicitly closes the outgoing WAL via a dedicated ClosedWal sentinel instead of leaking the handle, preventing stale WAL readers from racing with newly-rotated shards.
4. Go 1.26.3. Bumped Go to 1.26.3, pulling in stdlib security fixes from the 1.26.x series.
5. aarch64 jemalloc page size. Aligned the jemalloc build with the aarch64 host page size so ARM64 builds no longer hit a configuration mismatch under the GCC 14 toolchain.

Other

1. Bazel Bzlmod migration. Migrated pp/ to Bzlmod and refreshed rules_cc, rules_foreign_cc, and bazel_clang_tidy to resolve dependency conflicts that had blocked further updates of the C++ build stack.

Enhancements

1. Jemalloc arena pool recycling. Arenas returned to the free pool are reset and purged instead of being destroyed, with updated jemalloc build options. New metrics report arena pool releases and reclaimed bytes (prompp_common_jemalloc_arena_pool_*).

Other

1. GCC 14 C++ toolchain. The CI/devcontainer image and Bazel configuration on this branch build the C++ core with GCC 14.

Enhancements

1. Snapshot LSS type separation. Decoupled the read-only label set snapshot into a dedicated SnapshotLSS type with its own variant, reducing the active head's variant footprint and improving type safety.
2. GOST-compliant build hardening. Enabled FORTIFY_SOURCE=2, stack protector, position-independent code, and additional compiler warnings (null-dereference, division-by-zero, array-bounds) across all C++ code including third-party libraries.
3. GCC 14 and clang-tidy 21. Upgraded the C++ toolchain to GCC 14.2.0 and clang-tidy 21.1.8 with new bugprone-* diagnostics enabled; all findings resolved.
4. Go /sync/* runtime metrics. The Prometheus Go collector now exports mutex and semaphore contention statistics from runtime/metrics (/sync/*) alongside the existing GC and scheduler metrics, making locker contention observable in production.
5. Jemalloc resident memory metric. Exposed jemalloc's resident set size as a new metric alongside the existing allocated/mapped stats, giving operators clearer visibility into the C++ allocator's memory footprint.

Fixes

1. OpenTelemetry security update. Upgraded go.opentelemetry.io/otel/sdk and the otlptracehttp exporter to v1.43.0 — mitigates a PATH hijacking CVE (GHSA-hfvc-g4fc-pqhx) in the BSD host-id detector and adds a 4 MiB response body limit to OTLP HTTP exporters, protecting against memory exhaustion from a misbehaving collector.
2. Close WAL on shard rotation. Shard rotation now explicitly closes the outgoing WAL via a dedicated ClosedWal sentinel instead of leaking the handle, preventing stale WAL readers from racing with newly-rotated shards.

Fixes

1. highestSentTimestamp reported in milliseconds. The prometheus_remote_storage_queue_highest_sent_timestamp_seconds metric was emitted in milliseconds, causing the shard controller to compute a huge lag and falsely trigger the PrometheusRemoteWriteDesiredShards alert.
2. Catalog sync with deleted records. When reading the catalog and compacting the log, records with deletedAt != 0 are now dropped eagerly instead of lingering in memory until the next cleanup pass.
3. lastPri in the priority-weighted locker. Fixed the lastPri pointer update in util/locker/priweighted when the tail waiter is cancelled — the priority-prefix invariant could previously be violated, leading to potential hangs.
4. Go 1.25.9. Bumped Go from 1.25.8 to 1.25.9, pulling in stdlib security fixes for crypto/x509 (chain building and policy validation DoS), crypto/tls (TLS 1.3 KeyUpdate DoS), html/template (XSS via JS template literal context tracking), archive/tar (unbounded allocation on GNU sparse), and os (TOCTOU in Root.Chmod on Linux).
5. npm dependency security updates. Updated follow-redirects (auth header leak on cross-domain redirect) and lodash (prototype pollution and code injection in _.template) in the web UI.

Enhancements

1. Snapshot LSS type separation. Decoupled the read-only label set snapshot into a dedicated SnapshotLSS type with its own variant, reducing the active head's variant footprint and improving type safety.
2. GOST-compliant build hardening. Enabled FORTIFY_SOURCE=2, stack protector, position-independent code, and additional compiler warnings (null-dereference, division-by-zero, array-bounds) across all C++ code including third-party libraries.
3. GCC 14 and clang-tidy 21. Upgraded the C++ toolchain to GCC 14.2.0 and clang-tidy 21.1.8 with new bugprone-* diagnostics enabled; all findings resolved.

Fixes

1. npm dependency security update. Updated lodash to 4.18.1 to fix prototype pollution and code injection vulnerabilities.

Features

1. WAL v2 and remote write encoding. Introduces a new WAL read/write path (v2) with refactored segment sample storage and remote-write protobuf encoding, version-aware segment handling when switching between WAL file formats, and related metrics and Go bindings updates.

Fixes

1. op_top in query strings. Fixed PromQL string serialization for the op_top aggregator so expressions round-trip correctly in rules and anywhere queries are printed.
2. Outdated corrupted head on GC. Catalog garbage collection now removes stale corrupted head directories instead of leaving them on disk indefinitely.

Enhancements

1. Environment-driven defaults in configuration. Settings that were only applied via environment variables are now folded into default configuration, aligning operator defaults with the main configuration model.

Fixes

1. Jemalloc VmPTE growth. Tuned jemalloc configuration to prevent unbounded virtual address space growth when using custom arenas (create/destroy pattern). Added retain:false, abort_conf:true, and set muzzy_decay_ms:0, eliminating multi-GB page table overhead.
2. gRPC authorization bypass CVE. Updated google.golang.org/grpc from v1.78.0 to v1.79.3 to fix an authorization bypass via missing leading slash in :path (GO-2026-4762).
3. npm dependency security update. Updated picomatch to fix a high-severity ReDoS and method injection vulnerability.

Features

1. Custom PromQL functions. Added op_defined, op_replace_nan, op_smoothie, op_zero_if_none window functions and op_top aggregation operator for operational monitoring — checking metric freshness, replacing NaN values, smoothing time series, and top-K aggregation.

Performance

1. Three-stage remote write parallelization. Remote write pipeline now uses a three-stage parallel architecture, improving throughput for high-volume metric delivery.
2. Reworked remote write encoding. Remote write protobuf encoding redesigned with message boundary tracking and improved segment iteration, reducing encoding overhead.
3. Jemalloc arena allocators. DataStorage now uses jemalloc arena-based allocators with size class awareness, improving memory allocation patterns and reducing fragmentation.
4. Composite type independence. Refactored internal composite types (Symbol, LabelNameSet, LabelSet) to be independent of underlying filament storage, improving data access patterns.
5. Removed unnecessary indirections. Eliminated std::unique_ptr overhead from LabelSet storage and simplified the scrape adapter interface by removing the redundant AppendScraperHashdex method.

Fixes

1. OpenTelemetry PATH hijacking CVE. Upgraded OpenTelemetry SDK to v1.40.0 to address a high-severity arbitrary code execution vulnerability via PATH hijacking.
2. Go 1.25.8. Updated Go from 1.25.7 to 1.25.8; the release includes security fixes for html/template, os, and net/url.
3. npm dependency security updates. Updated vulnerable npm packages in the web UI, including immutable (prototype pollution).

Fixes

1. Sample count in WAL batch segments. Fixed incorrect sample counting when adding segments to a batch: the segment now properly returns sampleCount from SamplesStorage and resets the counter, preventing miscounted ingestion metrics.

Features

1. DefaultSampleAgeLimit feature flag. Added a feature flag to control the default sample age limit, allowing operators to enable or disable the age-based sample filtering without changing global configuration.

Enhancements

1. Label limits applied at adapter level. The adapter now reads label limits from the global configuration via a new ApplyConfig method and stores them atomically, ensuring label limits are enforced consistently without restarts. Configuration errors now cause an immediate exit to prevent silent misconfigurations.

Fixes

1. Platform-specific jemalloc page size for ARM64. On ARM64 systems (e.g. Raspberry Pi 5) the kernel page size can be 16KB or 64KB, while jemalloc was hardcoded to 4KB. This caused an immediate crash with "Unsupported system page size". The build now sets the appropriate lg-page for ARM64 (64KB) and keeps 4KB for x86_64.
2. Vector erase bug. Fixed a bug in BareBones::Vector::erase that could cause incorrect behavior in optimized builds; the implementation now uses destroy_n / uninitialized_default_construct_n instead of manual loops.

Enhancements

1. WALGoHeadHashdex. WALGoHeadHashdex has been introduced to optimize the addition of data from rules stored in the transaction head, avoiding unnecessary copying and allocation.
2. C++ malloc metrics. Added metrics for memory allocations from C++ code (atomic counters and optimized calculation), enabling better observability of allocator behavior.
3. Remote write parallel encoding. Refactored remote write message encoding: encoding from a batch to a protobuf message is now parallelized, which speeds up the encoder.
4. Go 1.25.7. Updated Go from 1.25.5 to 1.25.7; the release includes security fixes for crypto/tls, crypto/x509, and the go command, plus compiler fixes.

Performance

1. More pools. Head and related code now use a pool provider for reusable objects, which has reduced the number of allocations.

Other

1. CI: workflow_dispatch and golang lint image. Added manual trigger (workflow_dispatch) to the CI image build workflow and corrected the golang lint image tag (gcc-tools-x86_64 → gcc-tools-amd64) to match the built image.