@prometheus-io/lezer-promql 0.305.0 → 0.305.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/CHANGELOG.md +13 -0
  2. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -2,6 +2,19 @@
2
2
 
3
3
  ## main / unreleased
4
4
 
5
+ ## 3.5.2 / 2026-04-13
6
+
7
+ This release has a fix for a Stored XSS vulnerability that can be triggered via crafted metric names and label values in Prometheus web UI tooltips and metrics explorer. Thanks to Duc Anh Nguyen from TinyxLab for reporting it.
8
+
9
+ * [SECURITY] UI: Fix stored XSS via unescaped metric names and labels. CVE-2026-40179. #18507
10
+ * [PERF] Regex: Stop calling Simplify. #17908
11
+
12
+ ## 3.5.1 / 2026-01-07
13
+
14
+ No code changes, just some dependency updates:
15
+ * Docker library updated from 28.2.2 to 28.5.2. #17821
16
+ * Built with Go 1.24.11.
17
+
5
18
  ## 3.5.0 / 2025-07-14
6
19
 
7
20
  * [FEATURE] PromQL: Add experimental type and unit metadata labels, behind feature flag `type-and-unit-labels`. #16228 #16632 #16718 #16743
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@prometheus-io/lezer-promql",
3
- "version": "0.305.0",
3
+ "version": "0.305.2",
4
4
  "description": "lezer-based PromQL grammar",
5
5
  "main": "dist/index.cjs",
6
6
  "type": "module",