JavaGolangJavaScriptSwiftAndroidRustMiddleware
3 hours ago
MeiliSearch
meilisearch

v1.48.1 🫎

Revert #6432 due to a dumpless upgrade bug report.

Full Changelog: https://github.com/meilisearch/meilisearch/compare/v1.48.0...v1.48.1

5 hours ago
prometheus
prometheus

3.13.0-rc.1 / 2026-06-22

Release notes of the 3.13-rc.1 release:

The 3.13.0-rc.0 release was only partially successful due to the migration from NPM to PNPM and subsequent CI issues, so most of the changes in this release candidate are CI/build-related. The only user-facing change is:

  • [CHANGE] UI: Third-party npm dependency licenses are now embedded in the Prometheus binary and served at /assets/third-party-licenses.txt, replacing the npm_licenses.tar.bz2 archive previously shipped in release tarballs and container images. #18997

Release notes of the 3.13-rc.0 release, as it was not published in partial state:

  • [SECURITY] UI: Bump sanitize-html to fix a cross-site scripting vulnerability (CVE-2026-44990). #18697
  • [CHANGE] API: Use SHA-256 instead of SHA-1 to generate rule group pagination tokens. #18927
  • [CHANGE] HTTP clients: Credentials (Authorization header, basic auth, bearer token, OAuth2, configured headers) are no longer forwarded when following a redirect to a different host; affects scraping, remote read/write, alerting, and service discovery. Via prometheus/common v0.69.0 (CVE-2025-4673 CVE-2023-45289). #18949
  • [CHANGE] promtool: Relative file paths in the file passed to --http.config.file are now resolved relative to that config file's directory instead of its parent directory. Via prometheus/common v0.69.0. #18949
  • [CHANGE] PromQL: Rename the min() and max() duration-expression functions (experimental feature flag experimental-duration-expr) to min_of() and max_of() to avoid confusion with the min and max aggregate operators. #18687
  • [FEATURE] API: Add experimental search endpoints to search metric names, label names, and label values. #18573
  • [FEATURE] Discovery/AWS: Add ability to filter RDS instances. #18859
  • [FEATURE] PromQL: Add min_of(a, b) and max_of(a, b) scalar experimental functions, returning the smaller or larger of two scalar values. #18687
  • [FEATURE] PromQL: Add support for smoothed/anchored rate with native histograms. #18564
  • [FEATURE] PromQL: Expose per-query samplesRead (and samplesReadPerStep with stats=all and the promql-per-step-stats feature flag) in the query stats response, and add the prometheus_engine_query_samples_read_total engine counter. samplesRead reflects storage I/O distinct from totalQueryableSamples, which counts samples loaded into the evaluator (and so over-counts when a sample is reused across multiple range-vector windows). #18081
  • [FEATURE] Scrape: Add __convert_classic_histograms_to_nhcb__ internal label to allow per-target override of convert_classic_histograms_to_nhcb scrape configuration via relabeling. #18840
  • [FEATURE] TSDB: Add storage.tsdb.chunk_encoding.floats configuration field to select float chunk encoding (xor or xor2) at runtime, independently of the --enable-feature=xor2-encoding flag. #18769
  • [FEATURE] remote_write: Add Certificate support for ingesting data into an Azure Monitor Workspace. #18217
  • [FEATURE] Scrape: Add __always_scrape_classic_histograms__ and __scrape_native_histograms__ internal labels to allow per-target override of the always_scrape_classic_histograms and scrape_native_histograms scrape configuration via relabeling. #18929
  • [ENHANCEMENT] Release: Container images are now also published to the GitHub Container Registry (ghcr.io). #18791
  • [ENHANCEMENT] PromQL: Prettify fill_left(x) fill_right(x) as fill(x) when both fill values are equal. #18851
  • [ENHANCEMENT] UI: Improve autocompletion after closing a function bracket. #18894
  • [PERF] Labels: Add case-insensitive prefix matching to speed up evaluation of long case-insensitive regular expressions (up to ~2x faster). #18540
  • [PERF] TSDB: Reduce per-sample overhead in chunk population, speeding up affected queries by ~12-15% in benchmarks. #18699
  • [PERF] TSDB: Eliminate unnecessary heap allocations in the V2 histogram WAL decoder, reducing allocations by up to 50% and memory by up to 10% for deployments using native histograms with created-timestamp storage enabled (--enable-feature=created-timestamp-zero-ingestion). #18813
  • [BUGFIX] Discovery/AWS: Fix failure when processing an AWS RDS cluster without instances. #18845
  • [BUGFIX] Fix race condition in initTime that could cause ErrOutOfBounds. #18629
  • [BUGFIX] PromQL: A range query whose end was not aligned to step caused subqueries inside it to evaluate past the parent's last actual step, inflating peakSamples in the query stats and against the query.max-samples limit, and wasting storage I/O reading samples that were never used in the result. #18081
  • [BUGFIX] PromQL: A range query containing an at-modifier-unsafe function over a range-vector with an @ modifier (e.g. predict_linear(metric[60s] @ T, X)) silently under-counted totalQueryableSamples for steps after step 0. #18081
  • [BUGFIX] PromQL: Fix fill_left/fill_right producing missing samples in range queries when using group_left/group_right. #18850
  • [BUGFIX] PromQL: Fix for resets() and changes() in anchored range extenders with histograms. #18906
  • [BUGFIX] PromQL: Fix panic on 1[5m] smoothed and similar expressions when extended range selectors are enabled. #18764
  • [BUGFIX] PromQL: Fix panic when a smoothed instant vector selector produces no samples for a series. #18943
  • [BUGFIX] PromQL: Fix panic when using a parenthesised plain number as an offset (e.g. foo offset -(5)). #18768
  • [BUGFIX] promtool: Fix panic when parsing exposition text containing empty braces {}. Via prometheus/common v0.69.0. #18949
  • [BUGFIX] Promtool: Fix check healthy and check ready when --url ends with a trailing slash. #18854
  • [BUGFIX] Rules: Close PromQL query after each rule evaluation to ensure resources are released. #18733
  • [BUGFIX] Scaleway SD: Resolve VPC/IPAM-only instances that have no legacy private_ip or public_ip field, but do have private NICs attached. #18772
  • [BUGFIX] TSDB: Do not leak head series when an integer histogram append is rejected (e.g. out-of-order). #18838
  • [BUGFIX] UI: Escape label values offered by PromQL autocomplete. #18658
  • [BUGFIX] TSDB: Fix chunk snapshot encoding for EncXOR2 chunks, preventing corruption on TSDB restart when EncXOR2-encoded series were present. #18739
  • [BUGFIX] TSDB: Store a millisecond timestamp (not a WAL segment number) in walExpiries when a series is evicted via CompactStaleHead/CompactSelectedSeries, so the series's label record is correctly retained in the next WAL checkpoint and replays cleanly. #18847
  • [BUGFIX] TSDB: Prevent loss of samples at the chunk-range boundary when CompactSelectedSeries (and CompactStaleHead) evict the series — the per-slice compaction loop now runs one more iteration so the boundary timestamp is captured in a block before the in-memory copy is removed. #18849
11 hours ago
MeiliSearch
meilisearch

v1.48.0 🫎​

✨ Enhancement

[Experimental] Render 🫎​ template route

by @Mubelotix in https://github.com/meilisearch/meilisearch/pull/5765

Introduces a new POST /render-template route that can be used to render any template or fragment on any input and associated renderRoute experimental feature that gates access to the route.

This route can be used to test document templates and fragments before and after having configured an embedder.

A body payload for the route is of the form:

{
  "template": /* templateTarget object */,
  "input": /* inputTarget object or null */
}

where template describes the template or fragment to render, and input describes what to use to render the template.

Upon calling this route, Meilisearch responds with:

{
  "template": "{{doc.text}}",
  "rendered": "template text after rendering using the input"
}

where template contains the unrendered base text of the document template, or the unrendered base JSON object of a fragment, and rendered contains the result of rendering the template of the chosen input.

If input is null in the request, then rendered is null in the response, and the route can be used solely to retrieve a template or fragment from the settings of an index.

Before calling the route

The API of this route is subject to change, so before calling this route, please enable the renderRoute experimental feature:

PATCH /experimental-features --json '{"renderRoute": true}'

Examples

  1. Rendering a document from an index on a document template from an embedder of that index
request 
// POST /render-template

{
  "template": {
    "kind": "documentTemplate",
    "indexUid": "movies",
    "embedder": "myMoviesEmbedder"
  },
  "input": {
    "kind": "indexDocument",
    "indexUid": "movies",
    "id": "2"
}
response 
{
  "template": "A movie titled {{doc.title}} whose description starts with {{doc.overview|truncatewords:10}}",
  "rendered": "A movie titled Ariel whose description starts with Taisto Kasurinen is a Finnish coal miner whose father has..."
}
  1. Rendering an inline document on a fragment from an embedder of an index
request 
// POST /render-template

{
  "template": { 
    "kind": "indexingFragment", 
    "indexUid": "dogs", 
    "embedder": "multi",
    "fragment": "captionedImage" 
  },
  "input": { 
    "kind": "inlineDocument", 
    "inline": { // pass your document inline as a JSON object
      "kind": "dog",
      "name": "iko",
      "breed": "jack russell",
      "mime": "image/png",
      "image": "/9j/4AAQSk..."
    } 
  }
}
response 
{
  "template": {
    "content": [
      {
        "type": "text",
        "text": "A picture of a {{doc.kind}} of breed {{doc.breed}}"
      },
      {
        "type": "image_base64",
        "image_base64": "data:{{doc.mime}};base64,{{doc.image}}"
      }
    ]
  },
  "rendered": {
    "content": [
      {
        "type": "text",
        "text": "A picture of a dog of breed jack russell"
      },
      {
        "type": "image_base64",
        "image_base64": "data:image/png;base64,/9j/4AAQSk..."
      }
    ]
  }
}
  1. Rendering a search query on a search fragment from a multimodal embedder of an index
request 
// POST /render-template
{
  "template": { 
    "kind": "searchFragment", 
    "indexUid": "testIndex", 
    "embedder": "testEmbedder",
    "fragment": "justBreed"
  },
  "input": {
    "kind": "inlineSearch",
    "inline": { // pass the search query inline
      "q": "unused",
      "media": {
        "name": "iko",
        "breed": "jack russell"
      },
      "filter": "ignored"
    }
  }
}
response 
    {
      "template": "It's a {{ media.breed }}",
      "rendered": "It's a jack russell"
    }
  1. Rendering an inline document on the document template from the chat settings of an index
request 
// POST /render-template

{
  "template": {
    "kind": "chatDocumentTemplate",
    "indexUid": "movies"
	// no embedder to specify since chat document template is global to index
  },
  "input": {
    "kind": "indexDocument",
    "indexUid": "movies",
    "id": "2"
}
response 
{
  "template": "{% for field in fields %}{% if field.is_searchable and field.value != nil %}{{ field.name }}: {{ field.value }}\n{% endif %}{% endfor %}",
  "rendered": "id: 2\ntitle: Ariel\noverview: Taisto Kasurinen is a Finnish coal miner whose father has just committed suicide and who is framed for a crime he did not commit. In jail, he starts to dream about leaving the country and starting a new life. He escapes from prison but things don't go as planned...\ngenres: DramaCrimeComedy\nposter: https://image.tmdb.org/t/p/w500/ojDg0PGvs6R9xYFodRct2kdI6wC.jpg\nrelease_date: 593395200\n"
}
  1. Rendering a document from an index on an inline document template
request 
// POST /render-template

{
  "template": {
    "kind": "inlineDocumentTemplate",
    "inline": "You can pass templates inline as well: nice to test them! {{doc.id}}"
  },
  "input": {
    "kind": "indexDocument",
    "indexUid": "movies",
    "id": "2"
}
response 
{
  "template": "You can pass templates inline as well: nice to test them! {{doc.id}}",
  "rendered": "You can pass templates inline as well: nice to test them! 2"
}
  1. Rendering an inline document on an inline indexing fragment
request 
// POST /render-template

{
  "template": {
    "kind": "inlineFragment",
    "inline": {
      "json_maps": "supported for fragments",
      "any_string": "is in liquid format: {{doc.test}}"
    }
  },
  "input": {
     "kind": "inlineDocument",
    "inline": {
      "test": true
    }
  }
}
response 
{
  "template": {
    "json_maps": "supported for fragments",
    "any_string": "is in liquid format: {{doc.test}}"
  },
  "rendered": {
    "json_maps": "supported for fragments",
    "any_string": "is in liquid format: true"
  }
}

[Experimental] Only support foreign filters on retrieval routes

by @ManyTheFish in https://github.com/meilisearch/meilisearch/pull/6446

Foreign filters are meant to be used in a retrieval context (search, get document...), but all the actions related to writing or modifying a document could have several unexpected behaviors if foreign filters are accepted. We prefer forbidding the usage of this feature on the writing routes.

The following routes do not support Foreign-filter anymore:

Additional change: we now ensure that the experimental features are checked when parsing a filter

🪲 Bug fixes

🔒 Security

🔩 Miscellaneous

❤️ Thanks again to @genisis0x and @antcybersec

12 hours ago
seaweedfs
seaweedfs

4.35

What's Changed

New Contributors

Full Changelog: https://github.com/seaweedfs/seaweedfs/compare/4.34...4.35

2 days ago
dgraph
hypermodeinc

v25.3.6

What's Changed

New Contributors

Full Changelog: https://github.com/dgraph-io/dgraph/compare/v25.3.5...v25.3.6

2 days ago
dgraph
dgraph-io

v25.3.6

What's Changed

New Contributors

Full Changelog: https://github.com/dgraph-io/dgraph/compare/v25.3.5...v25.3.6

4 days ago
zuul
Netflix

v3.6.15

What's Changed

Full Changelog: https://github.com/Netflix/zuul/compare/v3.6.14...v3.6.15

4 days ago
node
nodejs

2026-06-18, Version 26.3.1 (Current), @aduh95

This is a security release.

Notable Changes

  • (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
  • (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
  • (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
  • (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
  • (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
  • (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
  • (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
  • (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
  • (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
  • (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
  • (CVE-2026-48936) permission: guard pipe open and chmod with net scope (RafaelGSS) – Low

Commits

4 days ago
node
nodejs

2026-06-18, Version 24.17.0 'Krypton' (LTS), @aduh95

This is a security release.

Notable Changes

  • (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
  • (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
  • (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
  • (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
  • (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
  • (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
  • (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
  • (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
  • (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
  • (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
  • (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

Commits

4 days ago
node
nodejs

2026-06-18, Version 22.23.0 'Jod' (LTS), @aduh95

This is a security release.

Notable Changes

  • (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
  • (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
  • (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
  • (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
  • (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
  • (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
  • (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
  • (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
  • (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
  • (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
  • (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

Commits