Update prom/prometheus Docker tag to v3.11.3

[renovate]

This PR contains the following updates:

Package	Update	Change
prom/prometheus	minor	v3.9.1 → v3.11.3

---

Release Notes

prometheus/prometheus (prom/prometheus)

v3.11.3

Compare Source

v3.11.2: 3.11.2 / 2026-04-13

Compare Source

This release has a fix for a Stored XSS vulnerability that can be triggered via crafted metric names and label values in Prometheus web UI tooltips and metrics explorer. Thanks to Duc Anh Nguyen from TinyxLab for reporting it.

• [SECURITY] UI: Fix stored XSS via unescaped metric names and labels. CVE-2026-40179. #​18506
• [ENHANCEMENT] Consul SD: Introduce health_filter field for Health API filtering. #​18499
• [BUGFIX] Consul SD: Fix filter parameter being incorrectly applied to the Health API. #​18499

v3.11.1: 3.11.1 / 2026-04-07

Compare Source

• [BUGFIX] Tracing: Fix startup failure for OTLP HTTP tracing with insecure: true. #​18469

v3.11.0: 3.11.0 / 2026-04-02

Compare Source

• [CHANGE] Hetzner SD: The __meta_hetzner_datacenter label is deprecated for the role robot but kept for backward compatibility, use the __meta_hetzner_robot_datacenter label instead. For the role hcloud, the label is deprecated and will stop working after the 1 July 2026. #​17850
• [CHANGE] Hetzner SD: The __meta_hetzner_hcloud_datacenter_location and __meta_hetzner_hcloud_datacenter_location_network_zone labels are deprecated, use the __meta_hetzner_hcloud_location and __meta_hetzner_hcloud_location_network_zone labels instead. #​17850
• [CHANGE] Promtool: Redirect debug output to stderr to avoid interfering with stdout-based tool output. #​18346
• [FEATURE] AWS SD: Add Elasticache Role. #​18099
• [FEATURE] AWS SD: Add RDS Role. #​18206
• [FEATURE] Azure SD: Add support for Azure Workload Identity authentication method. #​17207
• [FEATURE] Discovery: Introduce prometheus_sd_last_update_timestamp_seconds metric to track the last time a service discovery update was sent to consumers. #​18194
• [FEATURE] Kubernetes SD: Add support for node role selectors for pod roles. #​18006
• [FEATURE] Kubernetes SD: Introduce pod-based labels for deployment, cronjob, and job controller names: __meta_kubernetes_pod_deployment_name, __meta_kubernetes_pod_cronjob_name and __meta_kubernetes_pod_job_name, respectively. #​17774
• [FEATURE] PromQL: Add </ and >/ operators for trimming observations from native histograms. #​17904
• [FEATURE] PromQL: Add experimental histogram_quantiles variadic function for computing multiple quantiles at once. #​17285
• [FEATURE] TSDB: Add storage.tsdb.retention.percentage configuration to configure the maximum percent of disk usable for TSDB storage. #​18080
• [FEATURE] TSDB: Add an experimental st-storage feature flag. When enabled, Prometheus stores ingested start timestamps (ST, previously called Created Timestamp) from scrape or OTLP in the TSDB and Agent WAL, and exposes them via Remote Write 2. #​18062
• [FEATURE] TSDB: Add an experimental xor2-encoding feature flag for the new TSDB block float sample chunk encoding that is optimized for scraped data and allows encoding start timestamps. #​18062
• [ENHANCEMENT] HTTP client: Add AWS external_id support for sigv4. #​17916
• [ENHANCEMENT] Kubernetes SD: Deduplicate deprecation warning logs from the Kubernetes API to reduce noise. #​17829
• [ENHANCEMENT] TSDB: Remove old temporary checkpoints when creating a Checkpoint. #​17598
• [ENHANCEMENT] UI: Add autocomplete support for experimental first_over_time and ts_of_first_over_time PromQL functions. #​18318
• [ENHANCEMENT] Vultr SD: Upgrade govultr library from v2 to v3 for continued security patches and maintenance. #​18347
• [PERF] PromQL: Improve performance and reduce heap allocations in joins (VectorBinop)/And/Or/Unless. #​17159
• [PERF] PromQL: Partially address performance regression in native histogram aggregations due to using KahanAdd. #​18252
• [PERF] Remote write: Optimize WAL watching used for RW sending to reuse internal buffers. #​18250
• [PERF] TSDB: Optimize LabelValues intersection performance for matchers. #​18069
• [PERF] UI: Skip restacking on hover in stacked series charts. #​18230
• [BUGFIX] AWS SD: Fix EC2 SD ignoring the configured endpoint option, a regression from the AWS SDK v2 migration. #​18133
• [BUGFIX] AWS SD: Fix panic in EC2 SD when DescribeAvailabilityZones returns nil ZoneName or ZoneId. #​18133
• [BUGFIX] Agent: Fix memory leak caused by duplicate SeriesRefs being loaded as active series. #​17538
• [BUGFIX] Alerting: Fix alert state incorrectly resetting to pending when the FOR period is increased in the config file. #​18244
• [BUGFIX] Azure SD: Fix system-assigned managed identity not working when client_id is empty. #​18323
• [BUGFIX] Consul SD: Fix filter parameter not being applied to health service endpoint, causing Node and Node.Meta filters to be ignored. #​17349
• [BUGFIX] Kubernetes SD: Fix duplicate targets generated by *DualStack EndpointSlices policies. #​18192
• [BUGFIX] OTLP: Fix ErrTooOldSample being returned as HTTP 500 instead of 400 in PRW v2 histogram write paths, preventing infinite client retry loops. #​18084
• [BUGFIX] OTLP: Fix exemplars getting mixed between incorrect parts of a histogram. #​18056
• [BUGFIX] PromQL: Do not skip histogram buckets in queries where histogram trimming is used. #​18263
• [BUGFIX] Remote write: Fix prometheus_remote_storage_sent_batch_duration_seconds measuring before the request was sent. #​18214
• [BUGFIX] Rules: Fix alert state restoration when rule labels contain Go template expressions. #​18375
• [BUGFIX] Scrape: Fix panic when parsing bare label names without an equal sign in brace-only metric notation. #​18229
• [BUGFIX] TSDB: Fail early when use-uncached-io feature flag is set on unsupported environments. #​18219
• [BUGFIX] TSDB: Fall back to CLI flag values when retention is removed from config file. #​18200
• [BUGFIX] TSDB: Fix memory leaks in buffer pools by clearing reference fields before returning buffers to pools. #​17895
• [BUGFIX] TSDB: Fix missing mmap of histogram chunks during WAL replay. #​18306
• [BUGFIX] TSDB: Fix storage.tsdb.retention.time unit mismatch in file causing retention to be 1e6 times longer than configured. #​18200
• [BUGFIX] Tracing: Fix missing traceID in query log when tracing is enabled, previously only spanID was emitted. #​18189
• [BUGFIX] UI: Fix tooltip Y-offset drift when using multiple graph panels. #​18228
• [BUGFIX] UI: Update retention display in runtime info when config is reloaded. #​18200

v3.10.0: 3.10.0 / 2026-02-24

Compare Source

Prometheus now offers a distroless Docker image variant alongside the default
busybox image. The distroless variant provides enhanced security with a minimal
base image, uses UID/GID 65532 (nonroot) instead of nobody, and removes the
VOLUME declaration. Both variants are available with -busybox and -distroless
tag suffixes (e.g., prom/prometheus:latest-busybox, prom/prometheus:latest-distroless).
The busybox image remains the default with no suffix for backwards compatibility
(e.g., prom/prometheus:latest points to the busybox variant).

For users migrating existing named volumes from the busybox image to the distroless variant, the ownership can be adjusted with:

docker run --rm -v prometheus-data:/prometheus alpine chown -R 65532:65532 /prometheus

Then, the container can be started with the old volume with:

docker run -v prometheus-data:/prometheus prom/prometheus:latest-distroless

User migrating from bind mounts might need to ajust permissions too, depending on their setup.

• [CHANGE] Alerting: Add alertmanager dimension to following metrics: prometheus_notifications_dropped_total, prometheus_notifications_queue_capacity, prometheus_notifications_queue_length. #​16355
• [CHANGE] UI: Hide expanded alert annotations by default, enabling more information density on the /alerts page. #​17611
• [FEATURE] AWS SD: Add MSK Role. #​17600
• [FEATURE] PromQL: Add fill() / fill_left() / fill_right() binop modifiers for specifying default values for missing series. #​17644
• [FEATURE] Web: Add OpenAPI 3.2 specification for the HTTP API at /api/v1/openapi.yaml. #​17825
• [FEATURE] Dockerfile: Add distroless image variant using UID/GID 65532 and no VOLUME declaration. Busybox image remains default. #​17876
• [FEATURE] Web: Add on-demand wall time profiling under <URL>/debug/pprof/fgprof. #​18027
• [ENHANCEMENT] PromQL: Add more detail to histogram quantile monotonicity info annotations. #​15578
• [ENHANCEMENT] Alerting: Independent alertmanager sendloops. #​16355
• [ENHANCEMENT] TSDB: Experimental support for early compaction of stale series in the memory with configurable threshold stale_series_compaction_threshold in the config file. #​16929
• [ENHANCEMENT] Service Discovery: Service discoveries are now removable from the Prometheus binary through the Go build tag remove_all_sd and individual service discoveries can be re-added with the build tags enable_<sd name>_sd. Users can build a custom Prometheus with only the necessary SDs for a smaller binary size. #​17736
• [ENHANCEMENT] Promtool: Support promql syntax features promql-duration-expr and promql-extended-range-selectors. #​17926
• [PERF] PromQL: Avoid unnecessary label extraction in PromQL functions. #​17676
• [PERF] PromQL: Improve performance of regex matchers like .*-.*-.*. #​17707
• [PERF] OTLP: Add label caching for OTLP-to-Prometheus conversion to reduce allocations and improve latency. #​17860
• [PERF] API: Compute /api/v1/targets/relabel_steps in a single pass instead of re-running relabeling for each prefix. #​17969
• [PERF] tsdb: Optimize LabelValues intersection performance for matchers. #​18069
• [BUGFIX] PromQL: Prevent query strings containing only UTF-8 continuation bytes from crashing Prometheus. #​17735
• [BUGFIX] Web: Fix missing X-Prometheus-Stopping header for /-/ready endpoint in NotReady state. #​17795
• [BUGFIX] PromQL: Fix PromQL info() function returning empty results when filtering by a label that exists on both the input metric and target_info. #​17817
• [BUGFIX] TSDB: Fix a bug during exemplar buffer grow/shrink that could cause exemplars to be incorrectly discarded. #​17863
• [BUGFIX] UI: Fix broken graph display after page reload, due to broken Y axis min encoding/decoding. #​17869
• [BUGFIX] TSDB: Fix memory leaks in buffer pools by clearing reference fields (Labels, Histogram pointers, metadata strings) before returning buffers to pools. #​17879
• [BUGFIX] PromQL: info function: fix series without identifying labels not being returned. #​17898
• [BUGFIX] OTLP: Filter __name__ from OTLP attributes to prevent duplicate labels. #​17917
• [BUGFIX] TSDB: Fix division by zero when computing stale series ratio with empty head. #​17952
• [BUGFIX] OTLP: Fix potential silent data loss for sum metrics. #​17954
• [BUGFIX] PromQL: Fix smoothed interpolation across counter resets. #​17988
• [BUGFIX] PromQL: Fix panic with @ modifier on empty ranges. #​18020
• [BUGFIX] PromQL: Fix avg_over_time for a single native histogram. #​18058

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.