chore(deps): update dependency grafana/grafana to v11.6.0

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
grafana/grafana	minor	11.5.2 -> 11.6.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

grafana/grafana (grafana/grafana)

v11.6.0

Compare Source

Features and enhancements

• API keys: Migrate API keys to service accounts at startup #​96924, @​dmihai
• AccessControl: Allow plugin roles to include plugins:write #​101089, @​gamab
• Alerting: Add DAG errors to alert rule creation and view #​99423, @​soniaAguilarPeiron
• Alerting: Add Jira integration to cloud AMs #​100482, @​soniaAguilarPeiron
• Alerting: Add alert rule version history - part1 #​99490, @​soniaAguilarPeiron
• Alerting: Add migration to clean up rule versions table #​102562, @​yuri-tceretian
• Alerting: Add multiple threshold operators #​99516, @​paulojmdias
• Alerting: Add tracking for the mode used in query and notifications step when c… #​100824, @​soniaAguilarPeiron
• Alerting: Adding color option for slack receiver #​99615, @​wymangr
• Alerting: Allow selection of recording rule write target on per-rule basis. #​101778, @​stevesg
• Alerting: Allow specifying uid for new rules added to groups #​99858, @​moustafab
• Alerting: Improve template testing by trying non-root scopes #​101471, @​JacobsonMT
• Alerting: Include time range in template dashboard and panel urls #​101095, @​JacobsonMT
• Alerting: Keep the latest version of deleted rule in version table #​101481, @​yuri-tceretian
• Alerting: Promote alertingSaveStateCompressed flag to public preview #​99935, @​alexander-akhmetov
• Alerting: Remove ID and OrgID from hash calculation #​100140, @​yuri-tceretian
• Alerting: Remove feature toggle alertingNoNormalState #​99905, @​yuri-tceretian
• Alerting: Remove rule group edit from single rule editor #​100191, @​gillesdemey
• Alerting: Return 404 when /api/ruler/grafana/api/v1/rules/{Namespace}/{Groupname} does not exist #​100264, @​fayzal-g
• Alerting: Rule history restore feature #​100609, @​soniaAguilarPeiron
• Alerting: Support Jira Integration #​100480, @​yuri-tceretian
• Alerting: Track if new gm rules are created with queries and expressions transformable to simple mode #​101121, @​soniaAguilarPeiron
• Alerting: Update IRM copies in Configuration Tracker #​100069, @​teodosii
• Alerting: Update design of rule details tab and add updated by #​99895, @​tomratcliffe
• Alerting: Update irm links for incident and oncall in case new irm plugin is present #​99952, @​soniaAguilarPeiron
• Alerting: Use exponential backoff in the remote Alertmanager readiness check #​99756, @​santihernandezc
• Alerting: Use uid instead of id in AnnotationsStateHistory #​101207, @​soniaAguilarPeiron
• Auth: Add IP address login attempt validation #​98123, @​colin-stuart
• Auth: Add support for the TlsSkipVerify parameter to JWT Auth #​91514, @​Ret2Me
• Auth: Make ssoSettingsSAML GA and enabled by default #​101766, @​mgyongyosi
• Azure Monitor: Filter namespaces by resource group #​100325, @​alyssabull
• Azure: Resource picker improvements #​101462, @​aangelisc
• Azure: Variable editor and resource picker improvements #​101695, @​alyssabull
• Badge: Add darkgrey color #​100699, @​Clarity-89
• Canvas: One click links and actions #​99616, @​adela-almasan
• Chore: Bump Go to 1.23.7 #​101576, @​macabu
• Chore: Bump Go to 1.23.7 (Enterprise)
• Chore: Bump github.com/expr-lang/expr to v1.17.0 to address CVE-2025-29786 #​102533, @​macabu
• Chore: Remove sqlQuerybuilderFunctionParameters feature toggle #​100809, @​zoltanbedi
• CloudWatch: Track Logs Insights query language #​100254, @​idastambuk
• Configuration tracker: Update copy in IRM and point to new IRM slack integration #​100440, @​teodosii
• Dashboard: Folder move unexpected behavior #​100394, @​yincongcyincong
• Dashboards: Allow custom quick time ranges specified in dashboard model #​93724, @​sknaumov
• Dashboards: Monitor dashboard loading performance #​99629, @​dprokop
• Dashboards: Remove default empty string from variable create view #​98922, @​yincongcyincong
• Dashboards: WeekStart is now of type WeekStart | undefined instead of string #​101123, @​oscarkilhed
• DesignSystem: Menu and popover styling update to use new elevated background token #​100255, @​torkelo
• Docker: Use our own glibc 2.40 binaries #​99903, @​DanCech
• Docs: Add a note on query caching for Cloudwatch datasource #​100180, @​idastambuk
• Drilldown: Require datasources:explore RBAC action #​101366, @​svennergr
• Elasticsearch: Remove frontend testDatasource method #​99894, @​idastambuk
• Elasticsearch: Replace level in adhoc filters with level field name #​100315, @​iwysiu
• Elasticsearch: Replace term size dropdown with text input #​99718, @​iwysiu
• Explore: Add hide_logs_download and hide button to download logs #​99512, @​svennergr
• Explore: Move drilldown apps from Explore to a new navbar item "Drilldown" #​100409, @​adrapereira
• ExploreMetrics: Add toggle to enable routing to externalized Explore Metrics app plugin #​99481, @​NWRichmond
• Feat: OSS connections page state filter and update all added #​100688, @​s4kh
• Features: Remove openSearchBackendFlowEnabled feature toggle #​99068, @​idastambuk
• Folders: Add validation that folder is not a parent of itself #​101569, @​stephaniehingtgen
• Geomap: WebGL for Marker Layer #​95457, @​drew08t
• Grafana/ui: Export UsersIndicator #​100698, @​Clarity-89
• Graphite: Compare query builder query to raw query #​101104, @​bossinc
• Histogram: Handle multiple native histograms #​98404, @​domasx2
• Image Renderer: Add support for SSL in plugin mode #​98009, @​nmarrs
• ImportDashboards: Use NestedFolderPicker #​99696, @​joshhunt
• Loki: Removal of Resolution in query editors #​101860, @​svennergr
• Menu: Uniform padding to make menu item hover state look better #​100275, @​torkelo
• MetricsDrilldown: Update name of queryless metrics experience #​100675, @​yangkb09
• MultiCombobox: Export from grafana/ui #​100368, @​Clarity-89
• NodeGraph: Improve view traces for uninstrumented services #​98442, @​edvard-falkskar
• PluginExtensions: Added support for sharing functions #​98888, @​theSuess
• PluginExtensions: Added support for sharing functions (Enterprise)
• PluginExtensions: Exposing registry meta for components returned via usePluginComponents #​100587, @​mckn
• Plugins: Improve plugin details UX for core plugins #​99830, @​oshirohugo
• Plugins: Remove managedPluginsInstall feature toggle #​100416, @​oshirohugo
• Plugins: Remove managedPluginsInstall feature toggle (Enterprise)
• Plugins: Remove uninstall plugin step from cli plugins update-all #​101632, @​oshirohugo
• Prometheus: Get the utcOffset value of timezone when it's specified #​99910, @​itsmylife
• Prometheus: Remove query assistant and related components #​100669, @​edwardcqian
• QueryOptions: Handle invalid time shift values #​101670, @​ivanortegaalba
• RBAC: Remove accessControlOnCall feature toggle #​101222, @​gamab
• RBAC: Remove accessControlOnCall feature toggle (Enterprise)
• Reporting: Add email subject support (Enterprise)
• Security: Update to Go 1.23.5 (Enterprise)
• Tempo: Support TraceQL instant metrics queries #​99732, @​joey-grafana
• Tempo: TraceQL metrics streaming #​99037, @​adrapereira
• Time regions: Add option for cron syntax to support complex schedules #​99548, @​leeoniya
• TimePicker: Ability to manually specify quick ranges #​101465, @​Sergej-Vlasov
• TimeRangePicker: Options list padding #​100343, @​torkelo
• TopNav: Move news into profile menu #​99535, @​bergquist
• Trace View: Add link from the Trace View to the Profiles Drilldown #​101422, @​joey-grafana
• Transformation: Add support for variables to ALL transformations #​100225, @​dprokop
• Transformations: Add round() to Unary mode of Add field from calc #​101295, @​leeoniya
• VizActions: Add confirmation message #​100012, @​adela-almasan
• grafana-ui: Update InlineField error prop type to React.ReactNode #​100347, @​Clarity-89

Bug fixes

• Alerting: Add error handling for missing data source #​101508, @​gillesdemey
• Alerting: Call RLock() before reading sendAlertsTo map #​99812, @​santihernandezc
• Alerting: Disable create rule menu item from panel when unifiedAlerting is disabled #​100701, @​soniaAguilarPeiron
• Alerting: Fix KeyValueMap input bug #​101367, @​soniaAguilarPeiron
• Alerting: Fix crash when invalid matcher is used in silence query params #​101500, @​gillesdemey
• Alerting: Fix evaluation of rules with no-op math expressions #​101436, @​moustafab
• Alerting: Fix exporting new rule with a new group #​101404, @​soniaAguilarPeiron
• Alerting: Fix fieldSelector encoding #​99751, @​gillesdemey
• Alerting: Fix inheritance of the timing options for policy tree #​99398, @​gillesdemey
• Alerting: Fix notification templates layout #​101232, @​gillesdemey
• Alerting: Fix state reason #​101530, @​yuri-tceretian
• Alerting: Fix token-based Slack image upload to work with channel names #​100988, @​JacobsonMT
• App Platform: Pin bleve to fix CVE-2022-31022 #​102531, @​Proximyst
• App: Fix web app behaviour on iOS #​100382, @​ashharrison90
• Auth: Fix AzureAD config UI's ClientAuthentication dropdown #​100752, @​mgyongyosi
• Auth: Fix redirect with JWT auth URL login #​100295, @​mgyongyosi
• AuthN: Refetch user on "ErrUserAlreadyExists" #​100346, @​kalleep
• Caching: Fix duplicate metric registration for cache size (Enterprise)
• CloudWatch: Fix condition for running annotation queries to require dimensions #​101660, @​kevinwcyu
• Combobox: Fix list not being virtualized initially in some cases #​100188, @​tskarhed
• Dashboard: Fix for overwriting an edited dashboard in the old architecture #​100247, @​bfmatei
• Dashboard: Fix the unintentional time range and variables updates on saving #​101475, @​harisrozajac
• Dashboard: Playlist - Fix issue with back button #​99401, @​yincongcyincong
• DashboardList: Throttle the re-renders #​99982, @​bfmatei
• Dashboards: Bring back scripted dashboards #​100575, @​dprokop
• Dashboards: Fix missing v/e/i keybindings to return back to dashboard #​102364, @​mdvictor
• Explore: Fix resizing split view with Loki query editor #​100257, @​ifrost
• ExploreMetrics: Fix escaping of regex metacharacters in label filters #​100513, @​NWRichmond
• Fix: Optimise frontend Postgresql plugin cache busting #​100406, @​jackw
• InfluxDB: Improve handling of template variables contained in regular expressions (InfluxQL) #​100762, @​aangelisc
• Interval variable: Fix $__auto value behavior #​100479, @​yincongcyincong
• Log Context: Fix bug where variables are not replaced in dashboards #​100433, @​svennergr
• OpenTSDB: Support v2.4 #​100673, @​aangelisc
• PDF: Fix repeating panels when there are less items than maxPerRow (Enterprise)
• Plugin Metrics: Eliminate data race in plugin metrics middleware #​99396, @​clord
• Plugins: Fix update button behavior on downgrade #​101048, @​oshirohugo
• Plugins: Fix version tab breaking for non semantic version #​101225, @​oshirohugo
• PromLib: Take AdHoc filters into account when requesting suggestions without label #​101555, @​tskarhed
• Prometheus: Fix cursor jump in prometheus code editor #​100273, @​itsmylife
• Prometheus: Fix operator handling when making label expressions utf-8 friendly #​100475, @​NWRichmond
• Prometheus: Fix setting utcOffset when absolute time range is used #​101065, @​itsmylife
• RBAC: Don't check folder access if annotationPermissionUpdate FT is enabled #​99717, @​IevaVasiljeva
• SSO: Fix team_ids validation for Generic OAuth #​100732, @​dmihai
• Service Accounts: Don't show error pop-ups for Service Account and Renderer UI flows #​101776, @​IevaVasiljeva
• Share: Fix short links when root_url is different from the browser URL #​99950, @​AgnesToulet

Breaking changes

• Data source: Change Permissions for query to only have query and not read OR query (Enterprise)

Plugin development fixes & changes

• GrafanaUI: Deprecate Select in favor of Combobox #​100294, @​joshhunt
• Multi/Combobox: Use pointer cursor when not focused #​100878, @​tskarhed
• Slider: Fix text input box being too wide #​100138, @​joshhunt

v11.5.3

Compare Source

Features and enhancements

• Chore: Bump Go to 1.23.7 #​101581, @​macabu
• Chore: Bump Go to 1.23.7 (Enterprise)

Bug fixes

• Alerting: Fix token-based Slack image upload to work with channel names #​101078, @​JacobsonMT
• Auth: Fix AzureAD config UI's ClientAuthentication dropdown #​100869, @​mgyongyosi
• Dashboard: Fix the unintentional time range and variables updates on saving #​101671, @​harisrozajac
• Dashboards: Fix missing v/e/i keybindings to return back to dashboard #​102365, @​mdvictor
• InfluxDB: Improve handling of template variables contained in regular expressions (InfluxQL) #​100977, @​aangelisc
• Org redirection: Fix linking between orgs #​102089, @​ashharrison90

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/grafana:11.6.0

📦 Image Reference ghcr.io/uniget-org/tools/grafana:11.6.0

digest	sha256:0374b15ed7b03c9271ad1b42333c02d420def4bc45921effbe4ea8564c3ab11b
vulnerabilities
platform	linux/amd64
size	100 MB
packages	491

github.com/golang-jwt/jwt/v5 5.2.1 (golang) pkg:golang/github.com/golang-jwt/jwt/[email protected] Asymmetric Resource Consumption (Amplification) Affected range >=5.0.0-rc.1 <5.2.2 Fixed version 5.2.2 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Description Summary Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification) Details See parse.ParseUnverified Impact Excessive memory allocation

github.com/golang-jwt/jwt/v4 4.5.1 (golang) pkg:golang/github.com/golang-jwt/jwt/[email protected] Asymmetric Resource Consumption (Amplification) Affected range <4.5.2 Fixed version 4.5.2 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Description Summary Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification) Details See parse.ParseUnverified Impact Excessive memory allocation

github.com/aws/aws-sdk-go 1.55.5 (golang) pkg:golang/github.com/aws/[email protected] Affected range >=0 Fixed version Not Fixed Description A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files. Affected range >=0 Fixed version Not Fixed Description A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.

github.com/blevesearch/bleve/v2 2.4.4-0.20250319135056-b82baf10b205 (golang) pkg:golang/github.com/blevesearch/bleve/[email protected] Affected range >=0 Fixed version Not Fixed Description HTTP handlers provide unauthenticated access to the local filesystem. The Bleve http package is intended for demonstration purposes and contains no authentication, authorization, or validation of user inputs. Exposing handlers from this package can permit attackers to create files and delete directories.

k8s.io/apiserver 0.32.1 (golang) pkg:golang/k8s.io/[email protected] OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <1.15.10 Fixed version 1.15.10, 1.16.7, 1.17.3 CVSS Score 4.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Description The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.

github.com/redis/go-redis/v9 9.7.0 (golang) pkg:golang/github.com/redis/go-redis/[email protected] Improper Input Validation Affected range >=9.7.0-beta.1 <9.7.3 Fixed version 9.7.3 CVSS Score 3.7 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N Description Impact The issue only occurs when the CLIENT SETINFO command times out during connection establishment. The following circumstances can cause such a timeout: The client is configured to transmit its identity. This can be disabled via the DisableIndentity flag. There are network connectivity issues The client was configured with aggressive timeouts The impact differs by use case: Sticky connections: Rather than using a connection from the pool on-demand, the caller can stick with a connection. Then you receive persistent out-of-order responses for the lifetime of the connection. Pipelines: All commands in the pipeline receive incorrect responses. Default connection pool usage without pipelining: When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. Patches We prepared a fix in redis/go-redis#3295 and plan to release patch versions soon. Workarounds You can prevent the vulnerability by setting the flag DisableIndentity (BTW: We also need to fix the spelling.) to true when constructing the client instance. Credit Akhass Wasti Ramin Ghorashi Anton Amlinger Syed Rahman Mahesh Venkateswaran Sergey Zavoloka Aditya Adarwal Abdulla Anam Abd-Alhameed Alex Vanlint Gaurav Choudhary Vedanta Jha Yll Kelani Ryan Picard

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/14078992319.

[github-actions]

PR has unknown mergeable_state (dirty) and cannot be merged. See https://github.com/uniget-org/tools/actions/runs/14078992319.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/14081959159.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/14081959159.