FEATURE: vmauth: add default_vm_access_claim field into jwt section of auth config. It could be used at JWT claim placeholders, if JWT token doesn't have vm_access claim. See #11054.
FEATURE: vmagent and vmsingle: reduce CPU usage for storing scrape target labels. See #10919.
FEATURE: vmsingle and vmselect in VictoriaMetrics cluster: add optimize_repeated_binary_op_subexprs=1 query arg to /api/v1/query_range for executing binary operator sides sequentially when they share the same optimized aggregate rollup result expression. This allows the second side to reuse rollup result cache populated by the first side. See #10575. Thanks to @xhebox for the contribution.
FEATURE: vmauth: prevent possible password brute-force attacks with an artificial 2-3 second delay as recommended by OWASP. See #11180.
FEATURE: alerts: add InvalidAuthTokenRequestErrors alerting rule to vmauth alerts. The new rule notifies when vmauth receives requests with invalid or missing auth tokens, which may indicate a client misconfiguration, expired token use, or brute-force attack. See #11180.
FEATURE: vmsingle: Add the support of vmselect RPC to vmsingle so that single node can be queried by a vmselect from a vmcluster deployment. See 4328 and 10926.
FEATURE: vmauth: allow log requests with missing or invalid auth tokens to access log. This is useful for identifying remote_addr IPs performing brute-force attacks. See #11180.
FEATURE: vmauth: fall through to unauthorized_user when a JWT token has no vm_access claim and no default_vm_access_claim is configured. Previously, vmauth returned 401 Unauthorized immediately in this case, which prevented unauthorized_user from handling such requests. See #5740.
FEATURE: MetricsQL: improve the selection algorithm of buckets_limit to remove consecutive empty buckets at the beginning and end to obtain more accurate min and max values. See #10417.
FEATURE: vmalert: expose vmalert_group_rule_results_limit metric to indicate the number of alerts or recording results that a single rule within the group can produce. See #11179. Thanks to @vinyas-bharadwaj for the contribution.
FEATURE: alerts: add AlertingRuleResultsApproachingLimit and RecordingRuleResultsApproachingLimit alerting rules to vmalert alerts. These alerts notify when a rule's last evaluation samples exceed 90% of the configured group results limit. See #11179. Thanks to @vinyas-bharadwaj for the contribution.
BUGFIX: all VictoriaMetrics components: cancel in-flight HTTP requests shortly before -http.maxGracefulShutdownDuration elapses during graceful shutdown, so they can drain and the shutdown completes cleanly within that window instead of timing out and exiting via logger.Fatalf -> os.Exit. This prevents skipping the storage flush and losing in-memory data when long-lived requests are in flight (such as VictoriaLogs live tailing). See #1502.
BUGFIX: vminsert in VictoriaMetrics cluster and vmsingle: properly check values range for the limits configured with flags -maxLabelsPerTimeseries, -maxLabelNameLen and -maxLabelValueLen. It must be in range 1..65535. See #11128.
BUGFIX: vmselect in VictoriaMetrics cluster: propagate cache reset operation to selectNode when /internal/resetRollupResultCache is called. Previously, the propagation only happened when the delete_series API was called. See #11112.
BUGFIX: stream aggregation: fix possible unexpected increases in rate_avg and rate_sum if an out-of-order sample is ingested after the previous flush. See #11140.
BUGFIX: vmctl: properly URL-encode -vm-extra-label values when building import requests, so special characters such as & don't get split into broken query parameters. See #11144. Thanks to @immanuwell for contribution.
BUGFIX: enterprisevmagent: ignore enable.auto.offset.store option in kafka.consumer.topic.options, since vmagent manages offset storage internally. Previously, setting this option could cause vmagent to stop committing Kafka messages. See #11208.
Configuration
📅Schedule: (UTC)
Branch creation
At any time (no schedule defined)
Automerge
At any time (no schedule defined)
🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕Ignore: Close this PR and you won't be reminded about this update again.
If you want to rebase/retry this PR, check this box
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [victoriametrics/vmagent](https://github.com/VictoriaMetrics/VictoriaMetrics) | minor | `v1.146.0` → `v1.147.0` |
---
### Release Notes
<details>
<summary>VictoriaMetrics/VictoriaMetrics (victoriametrics/vmagent)</summary>
### [`v1.147.0`](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.147.0)
[Compare Source](https://github.com/VictoriaMetrics/VictoriaMetrics/compare/v1.146.0...v1.147.0)
##### [v1.147.0](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.147.0)
Released at 2026-07-03
- SECURITY: upgrade base docker image (Alpine) from 3.23.4 to 3.24.1. See [Alpine 3.24.1 release notes](https://www.alpinelinux.org/posts/Alpine-3.24.1-released.html).
- FEATURE: [vmauth](https://docs.victoriametrics.com/victoriametrics/vmauth/): add `default_vm_access_claim` field into `jwt` section of auth config. It could be used at [JWT claim placeholders](https://docs.victoriametrics.com/victoriametrics/vmauth/#jwt-claim-based-request-templating), if `JWT` token doesn't have `vm_access` claim. See [#​11054](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/11054).
- FEATURE: [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/): reduces CPU usage by 10% at [sharding among remote storages](https://docs.victoriametrics.com/victoriametrics/vmagent/#sharding-among-remote-storages). See [#​11113](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/11113). Thanks to [@​bennf](https://github.com/bennf) for contribution.
- FEATURE: [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/), `vminsert` in [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/) and [vmsingle](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/): introduce `64KiB` size limit for `metric metadata` fields - `Unit`, `Help` and `MetricFamilyName`. See [#​11128](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/11128).
- FEATURE: [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/) and [vmsingle](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/): reduce CPU usage for storing scrape target labels. See [#​10919](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10919).
- FEATURE: [vmsingle](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/) and `vmselect` in [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/): add `optimize_repeated_binary_op_subexprs=1` query arg to [/api/v1/query\_range](https://docs.victoriametrics.com/victoriametrics/keyconcepts/#range-query) for executing binary operator sides sequentially when they share the same optimized aggregate rollup result expression. This allows the second side to reuse rollup result cache populated by the first side. See [#​10575](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10575). Thanks to [@​xhebox](https://github.com/xhebox) for the contribution.
- FEATURE: [vmauth](https://docs.victoriametrics.com/victoriametrics/vmauth/): prevent possible password brute-force attacks with an artificial 2-3 second delay as recommended by [OWASP](https://owasp.org/Top10/2025/A07_2025-Authentication_Failures). See [#​11180](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/11180).
- FEATURE: [alerts](https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/deployment/docker/rules): add `InvalidAuthTokenRequestErrors` alerting rule to [vmauth alerts](https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/deployment/docker/rules/alerts-vmauth.yml). The new rule notifies when vmauth receives requests with invalid or missing auth tokens, which may indicate a client misconfiguration, expired token use, or brute-force attack. See [#​11180](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/11180).
- FEATURE: [vmsingle](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/): Add the support of vmselect RPC to vmsingle so that single node can be queried by a vmselect from a vmcluster deployment. See [4328](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/4328) and [10926](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10926).
- FEATURE: [vmauth](https://docs.victoriametrics.com/victoriametrics/vmauth/): allow log requests with missing or invalid auth tokens to [access log](https://docs.victoriametrics.com/victoriametrics/vmauth/#access-log). This is useful for identifying `remote_addr` IPs performing brute-force attacks. See [#​11180](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/11180).
- FEATURE: [vmauth](https://docs.victoriametrics.com/victoriametrics/vmauth/): fall through to `unauthorized_user` when a [JWT token](https://docs.victoriametrics.com/victoriametrics/vmauth/#jwt-token-auth-proxy) has no `vm_access` claim and no `default_vm_access_claim` is configured. Previously, vmauth returned `401 Unauthorized` immediately in this case, which prevented `unauthorized_user` from handling such requests. See [#​5740](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5740).
- FEATURE: [MetricsQL](https://docs.victoriametrics.com/victoriametrics/metricsql/): improve the selection algorithm of [buckets\_limit](https://docs.victoriametrics.com/victoriametrics/metricsql/#buckets_limit) to remove consecutive empty buckets at the beginning and end to obtain more accurate min and max values. See [#​10417](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10417).
- FEATURE: [vmalert](https://docs.victoriametrics.com/victoriametrics/vmalert/): expose `vmalert_group_rule_results_limit` metric to indicate the number of alerts or recording results that a single rule within the group can produce. See [#​11179](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/11179). Thanks to [@​vinyas-bharadwaj](https://github.com/vinyas-bharadwaj) for the contribution.
- FEATURE: [alerts](https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/deployment/docker/rules): add `AlertingRuleResultsApproachingLimit` and `RecordingRuleResultsApproachingLimit` alerting rules to [vmalert alerts](https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/deployment/docker/rules/alerts-vmalert.yml). These alerts notify when a rule's last evaluation samples exceed 90% of the configured group results limit. See [#​11179](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/11179). Thanks to [@​vinyas-bharadwaj](https://github.com/vinyas-bharadwaj) for the contribution.
- BUGFIX: all VictoriaMetrics components: cancel in-flight HTTP requests shortly before `-http.maxGracefulShutdownDuration` elapses during graceful shutdown, so they can drain and the shutdown completes cleanly within that window instead of timing out and exiting via `logger.Fatalf` -> `os.Exit`. This prevents skipping the storage flush and losing in-memory data when long-lived requests are in flight (such as VictoriaLogs live tailing). See [#​1502](https://github.com/VictoriaMetrics/VictoriaLogs/issues/1502).
- BUGFIX: `vminsert` in [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/) and [vmsingle](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/): properly check values range for the limits configured with flags `-maxLabelsPerTimeseries`, `-maxLabelNameLen` and `-maxLabelValueLen`. It must be in range `1..65535`. See [#​11128](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/11128).
- BUGFIX: `vminsert` in [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/): fixes unexpected rare rerouting. See [#​11162](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/11162).
- BUGFIX: `vmselect` in [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/): propagate cache reset operation to `selectNode` when `/internal/resetRollupResultCache` is called. Previously, the propagation only happened when the `delete_series` API was called. See [#​11112](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/11112).
- BUGFIX: [stream aggregation](https://docs.victoriametrics.com/victoriametrics/stream-aggregation/): fix possible unexpected increases in `rate_avg` and `rate_sum` if an out-of-order sample is ingested after the previous flush. See [#​11140](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/11140).
- BUGFIX: [vmctl](https://docs.victoriametrics.com/victoriametrics/vmctl/): properly URL-encode `-vm-extra-label` values when building import requests, so special characters such as `&` don't get split into broken query parameters. See [#​11144](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/11144). Thanks to [@​immanuwell](https://github.com/immanuwell) for contribution.
- BUGFIX: [enterprise](https://docs.victoriametrics.com/enterprise/) [vmagent](https://docs.victoriametrics.com/vmagent/): ignore `enable.auto.offset.store` option in `kafka.consumer.topic.options`, since `vmagent` manages offset storage internally. Previously, setting this option could cause `vmagent` to stop committing Kafka messages. See [#​11208](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/11208).
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNTMuMCIsInVwZGF0ZWRJblZlciI6IjQzLjI1My4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
This PR contains the following updates:
v1.146.0→v1.147.0Release Notes
VictoriaMetrics/VictoriaMetrics (victoriametrics/vmagent)
v1.147.0Compare Source
v1.147.0
Released at 2026-07-03
SECURITY: upgrade base docker image (Alpine) from 3.23.4 to 3.24.1. See Alpine 3.24.1 release notes.
FEATURE: vmauth: add
default_vm_access_claimfield intojwtsection of auth config. It could be used at JWT claim placeholders, ifJWTtoken doesn't havevm_accessclaim. See #11054.FEATURE: vmagent: reduces CPU usage by 10% at sharding among remote storages. See #11113. Thanks to @bennf for contribution.
FEATURE: vmagent,
vminsertin VictoriaMetrics cluster and vmsingle: introduce64KiBsize limit formetric metadatafields -Unit,HelpandMetricFamilyName. See #11128.FEATURE: vmagent and vmsingle: reduce CPU usage for storing scrape target labels. See #10919.
FEATURE: vmsingle and
vmselectin VictoriaMetrics cluster: addoptimize_repeated_binary_op_subexprs=1query arg to /api/v1/query_range for executing binary operator sides sequentially when they share the same optimized aggregate rollup result expression. This allows the second side to reuse rollup result cache populated by the first side. See #10575. Thanks to @xhebox for the contribution.FEATURE: vmauth: prevent possible password brute-force attacks with an artificial 2-3 second delay as recommended by OWASP. See #11180.
FEATURE: alerts: add
InvalidAuthTokenRequestErrorsalerting rule to vmauth alerts. The new rule notifies when vmauth receives requests with invalid or missing auth tokens, which may indicate a client misconfiguration, expired token use, or brute-force attack. See #11180.FEATURE: vmsingle: Add the support of vmselect RPC to vmsingle so that single node can be queried by a vmselect from a vmcluster deployment. See 4328 and 10926.
FEATURE: vmauth: allow log requests with missing or invalid auth tokens to access log. This is useful for identifying
remote_addrIPs performing brute-force attacks. See #11180.FEATURE: vmauth: fall through to
unauthorized_userwhen a JWT token has novm_accessclaim and nodefault_vm_access_claimis configured. Previously, vmauth returned401 Unauthorizedimmediately in this case, which preventedunauthorized_userfrom handling such requests. See #5740.FEATURE: MetricsQL: improve the selection algorithm of buckets_limit to remove consecutive empty buckets at the beginning and end to obtain more accurate min and max values. See #10417.
FEATURE: vmalert: expose
vmalert_group_rule_results_limitmetric to indicate the number of alerts or recording results that a single rule within the group can produce. See #11179. Thanks to @vinyas-bharadwaj for the contribution.FEATURE: alerts: add
AlertingRuleResultsApproachingLimitandRecordingRuleResultsApproachingLimitalerting rules to vmalert alerts. These alerts notify when a rule's last evaluation samples exceed 90% of the configured group results limit. See #11179. Thanks to @vinyas-bharadwaj for the contribution.BUGFIX: all VictoriaMetrics components: cancel in-flight HTTP requests shortly before
-http.maxGracefulShutdownDurationelapses during graceful shutdown, so they can drain and the shutdown completes cleanly within that window instead of timing out and exiting vialogger.Fatalf->os.Exit. This prevents skipping the storage flush and losing in-memory data when long-lived requests are in flight (such as VictoriaLogs live tailing). See #1502.BUGFIX:
vminsertin VictoriaMetrics cluster and vmsingle: properly check values range for the limits configured with flags-maxLabelsPerTimeseries,-maxLabelNameLenand-maxLabelValueLen. It must be in range1..65535. See #11128.BUGFIX:
vminsertin VictoriaMetrics cluster: fixes unexpected rare rerouting. See #11162.BUGFIX:
vmselectin VictoriaMetrics cluster: propagate cache reset operation toselectNodewhen/internal/resetRollupResultCacheis called. Previously, the propagation only happened when thedelete_seriesAPI was called. See #11112.BUGFIX: stream aggregation: fix possible unexpected increases in
rate_avgandrate_sumif an out-of-order sample is ingested after the previous flush. See #11140.BUGFIX: vmctl: properly URL-encode
-vm-extra-labelvalues when building import requests, so special characters such as&don't get split into broken query parameters. See #11144. Thanks to @immanuwell for contribution.BUGFIX: enterprise vmagent: ignore
enable.auto.offset.storeoption inkafka.consumer.topic.options, sincevmagentmanages offset storage internally. Previously, setting this option could causevmagentto stop committing Kafka messages. See #11208.Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.