Week 2 - January 2026
This week: 41 releases from the Cloud Native ecosystem.
👋 Welcome
This week in Cloud Native brought a flurry of activity, particularly in the areas of security, observability, and core infrastructure components. We saw significant updates addressing critical vulnerabilities, enhancing operational reliability, and pushing forward key features like Prometheus’s Native Histograms.
🚀 Notable Releases
Monitoring & Observability
- Prometheus v3.9.1 - This bugfix release addresses a crash shortly after startup in the agent and fixes an issue with relabel keep/drop not working.
- Prometheus v3.9.0 - A major update where Native Histograms are no longer experimental, now requiring the scrape_native_histograms config option.
- OpenTelemetry Collector v0.143.0 - Enhancements include updating the semconv import, adding profiles support to the nop exporter, and optimizing pdata structs for better performance.
- Inspektor Gadget v0.48.0 - A focused release that updates to Go 1.25.5.
- OpenObserve v0.40.4 - Fixes the use of selected stream type for validating queries.
- OpenObserve v0.40.3 - Improves metrics labels load performance.
- OpenObserve v0.40.2 - Addresses issues with match_all rewrites, dashboard share URLs, and adds metrics query retention configuration.
- OpenObserve v0.40.1 - Includes fixes for dashboard raw query saving, metrics streaming output, and PromQL result loading progress.
Networking
- CoreDNS v1.14.0 - This release focuses heavily on security hardening and operational reliability, introducing a regex length limit, Kubernetes API rate limiting, and enhanced metrics.
- Kubernetes Gateway API monthly-2026.01 - The latest monthly experimental channel release, bringing new features and fixes from the main branch.
Container Runtimes & Build
- CRI-O v1.34.4 - A maintenance release including minor bug fixes and documentation updates.
- CRI-O v1.33.8 - Another maintenance release with various minor updates.
- CRI-O v1.32.12 - Continues the trend of maintenance releases for older stable branches.
- Buildah v1.41.8 - Addresses CVE-2025-47913 and bumps runc to v1.3.4.
- Buildah v1.39.8 - Resolves CVE-2025-49713 and updates runc to v1.2.9.
- Buildah v1.37.8 - Contains fixes for CVE-2025-49713 and CVE-2025-52881, bumping runc to v1.2.8.
- Buildah v1.33.14 - Addresses CVE-2025-49713, CVE-2025-52881, CVE-2025-31133, and CVE-2025-52565 by updating runc to v1.2.9.
Policy & Security
- Open Policy Agent v1.12.2 - This bug fix release addresses issues found in the new string interpolation feature, including serialization and reference safety.
- Kyverno v1.16.2 - A maintenance release with bug fixes, notably reverting an accidentally introduced breaking change for the kyverno_policy_results metric.
- Sigstore Cosign v3.0.4 - Resolves security advisory GHSA-whqx-f9j3-ch6m, optimizes tree performance, and adds support for offline verification without a trusted root.
- Sigstore Cosign v2.6.2 - Provides a fix for security advisory GHSA-whqx-f9j3-ch6m.
Runtime & Service Mesh
- Dapr v1.16.6 - This update includes bug fixes for the sidecar injector’s logging, workflow scenario initialization, and UID checks.
- Meshery v0.8.196 - Brings general cleanups, enhancements to mesheryctl for registry generation, and UI fixes.
- Meshery v0.8.195 - Features mesheryctl improvements for custom labels in Docker Compose and e2e tests, along with UI configuration updates.
Cluster Management & CLI Tools
- Kubernetes Cluster API v1.10.10 - A bugfix release improving client certificate/key rotation for the Runtime SDK, supporting Kubernetes v1.28.x through v1.33.x.
- k9s v0.50.18 - A post-holiday release with general fixes and enhancements.
- k9s v0.50.17 - Another post-holiday release focusing on general fixes and improvements.
Serverless
- Nuclio v1.15.12 - Introduces a blocking stream writer for processors, fixes HTTP trigger validation in the dashboard, and updates documentation.
Cost Management
- OpenCost v1.119.1 - Addresses issues with cloud cost transformation, improves Dependabot maintainer checks, and includes updates related to AWS Fargate pricing.
📰 This Week in Cloud Native
This week highlighted a strong emphasis on refining existing cloud native tools and fortifying their security posture. A significant development came from the Prometheus project, which officially moved Native Histograms out of experimental status in version 3.9.0. This change simplifies their adoption, indicating a maturation of advanced monitoring capabilities within the ecosystem. Simultaneously, CoreDNS v1.14.0 underscored the critical need for robust networking infrastructure by focusing on security hardening, introducing measures like regex length limits and Kubernetes API rate limiting to mitigate resource exhaustion risks.
Security remained a dominant theme, with several projects releasing critical updates. Sigstore Cosign, a cornerstone of supply chain security, issued multiple patches (v3.0.4 and v2.6.2) to resolve a specific security advisory, enhancing the integrity verification of container images. The container build space also saw substantial activity, with Buildah releasing numerous versions across its stable branches (v1.41.8, v1.39.8, v1.37.8, v1.33.14) to address a series of CVEs and update its runc dependency, reinforcing the security of the container image build process.
The observability and policy enforcement landscapes continued their rapid evolution. The OpenTelemetry Collector pushed out enhancements for data optimization, reflecting ongoing efforts to standardize and improve telemetry data handling. OpenObserve saw multiple rapid-fire releases, focusing on bug fixes and performance improvements across its logging, metrics, and dashboard functionalities. In policy, Open Policy Agent (OPA) and Kyverno both released bugfix versions, ensuring the reliability of declarative policy enforcement across cloud native environments.
Finally, the broader ecosystem saw steady progress. The Kubernetes Gateway API issued its monthly experimental update, signaling continuous development in traffic management. Dapr and Meshery delivered bug fixes and feature refinements, highlighting the ongoing work in distributed application runtimes and service mesh management. Even foundational components like CRI-O received multiple maintenance releases, ensuring stability across various Kubernetes versions.
💬 Community Buzz
Discussions across cloud native communities this week revolved heavily around the implications of the latest security advisories and the ongoing efforts to harden core infrastructure components. Many were also keen on the general availability of Prometheus’s Native Histograms, exploring how this could impact their monitoring strategies and data granularity. The continuous stream of updates from projects like OpenObserve and Buildah also sparked conversations about release cadences and the balance between rapid innovation and long-term stability in critical tools.
📊 Week in Numbers
- 29 stable releases across 17 projects
- Multiple critical CVEs addressed in container build tools and supply chain security
- A major feature (Native Histograms) transitioned from experimental to stable in Prometheus