Update grafana monorepo (patch) #3346

Merged

anshulg-dep-review[bot] merged 1 commit into main from renovate/patch-grafana-monorepo on Jun 23, 2026

Conversation

@renovate renovate Bot (Contributor) commented Jun 3, 2026

This PR contains the following updates:

| Package | Update | Change |
| --- | --- | --- |
| grafana/grafana | patch | 12.4.3 → 12.4.5 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

grafana/grafana (grafana/grafana)

v12.4.5

v12.4.4: 12.4.4

Download page
What's new highlights

Features and enhancements
Bug fixes

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@anshulg-dep-review anshulg-dep-review Bot (Contributor) commented Jun 3, 2026

Triage: GREEN -- safe to merge

Patch-level security update from 12.4.3 to 12.4.5. Both releases are legitimate with proper source correspondence and documented fixes. No breaking changes in patch releases. Provenance is trusted.

| Package | Old | New | Breaking | Changelog | Provenance |
| --- | --- | --- | --- | --- | --- |
| grafana/grafana | 12.4.3 | 12.4.5 | skipped (user focus) | security + bug fixes | trusted |

Required actions

None -- safe to merge.

Update summary

grafana/grafana 12.4.3 → 12.4.5

  • v12.4.4 (2026-06-09): 7 security CVEs fixed (CVE-2026-9029, CVE-2026-33382, CVE-2026-42127, CVE-2026-42129, CVE-2026-10601, CVE-2026-8609, CVE-2026-8595). Snyk rates the three indexed CVEs as "low" severity pending NVD analysis; full Grafana security advisories not yet published.
  • v12.4.5 (2026-06-23): Datasource API validation fix (now returns 400 for mismatched UIDs in PUT /api/datasources/uid/:uid); Alpine base image bumped to 3.24.1.
  • No breaking changes — both are patch releases within the 12.4.x line.
  • Note: The datasource UID validation change in 12.4.5 is a behavior correction (not labeled breaking by maintainers), but API clients relying on the old permissive behavior may see 400 responses for previously-accepted mismatched UIDs.

Provenance

All updates from the legitimate Grafana Labs publisher with proper source correspondence, consistent metadata, and documented security patches. No signature or metadata drift detected.

Sub-agent reports — grafana/grafana

Breaking-change impact

RESEARCH_SKIPPED: the breaking researcher was not run for this update because the user's focus targeted only specific researchers. Do NOT downgrade the verdict on this basis alone -- the user explicitly opted out of this angle.

Upstream changelog

I now have all the information I need. The CVEs in 12.4.4 (CVE-2026-33382, CVE-2026-42127, CVE-2026-42129, CVE-2026-10601, CVE-2026-8609, CVE-2026-8595, CVE-2026-9029) are newly disclosed with no public advisories yet on the Grafana security page and no NVD analysis — they were under embargo and are just now being disclosed. The Snyk entries rate them as "low" severity based on default assessment pending NVD analysis. I have enough to compile the full output.


grafana/grafana 12.4.3 → 12.4.5

Summary

Breaking Changes

None found. Both 12.4.4 and 12.4.5 are patch releases. No breaking changes are documented or inferred in either release.

Other Notable Changes

v12.4.4 — Security fixes (7 CVEs, published 2026-06-09)

  • Security: CVE-2026-9029 — Fixed in 12.4.4. No public Grafana advisory yet; Snyk rates as "low" pending NVD analysis. Source: GitHub release, Snyk
  • Security: CVE-2026-33382 — Fixed in 12.4.4 (and 12.3.7, 12.2.9, 11.6.15). No public Grafana advisory yet; Snyk rates as "low" pending NVD analysis. Source: GitHub release, Snyk
  • Security: CVE-2026-42127 — Fixed in 12.4.4. No public Grafana advisory yet; Snyk rates as "low" pending NVD analysis. Source: GitHub release, Snyk
  • Security: CVE-2026-42129 — Fixed in 12.4.4. No public Grafana advisory yet; severity unknown. Source: GitHub release
  • Security: CVE-2026-10601 — Fixed in 12.4.4 (and 12.3.7, 12.2.9, 11.6.15). No public Grafana advisory yet; severity unknown. Source: GitHub release
  • Security: CVE-2026-8609 — Fixed in 12.4.4 (and 12.3.7, 12.2.9, 11.6.15). No public Grafana advisory yet; severity unknown. Source: GitHub release
  • Security: CVE-2026-8595 — Fixed in 12.4.4 (unique to 12.4.x and 13.x; not backported to 12.3.7/12.2.9). No public Grafana advisory yet; severity unknown. Source: GitHub release

v12.4.4 — Features and enhancements

  • Browse dashboards: Make elements visible and flow better when zoomed
  • Docker: Bump Alpine-based images to 3.23.4
  • Go: Update runtime to version 1.26.3
  • Graphite: Strip tagged path from tags.name when aliasSub wrapping is detected
  • LibraryPanels: Return 403 instead of 500 for insufficient permissions
  • Plugins: Sanitise header values to printable ASCII for gRPC compatibility

v12.4.4 — Bug fixes

  • Alerting: Fix AlertManagerPicker visibility to check Alertmanager datasources
  • Alerting: Treat not-found error when fetching plugins as not installed
  • DashboardDS: Fix Mixed panels not updating on time-range change with stale upstreams
  • Jaeger: Fix log event timestamp unit conversion in trace view
  • PostgreSQL: Allow sql_engine to return results for EXPLAIN queries

v12.4.5 — Security fix and enhancement (published 2026-06-23)

  • Docker: Bump Alpine-based images to 3.24.1
  • Datasources: Return 400 when payload UID does not match URL UID in PUT /api/datasources/uid/:uid — corrects an API validation gap; not a breaking change but callers sending mismatched UIDs will now receive a 400 error instead of a silent success

Deprecations Introduced

None found.

Gaps and Caveats

  • 7 CVEs in 12.4.4 have no public Grafana security advisories yet (CVE-2026-9029, CVE-2026-33382, CVE-2026-42127, CVE-2026-42129, CVE-2026-10601, CVE-2026-8609, CVE-2026-8595). These were disclosed with the release on 2026-06-09 but Grafana's security advisories page (last checked 2026-06-23) only lists advisories through CVE-2026-11769 (2026-06-13). Snyk rates the three it has indexed (CVE-2026-9029, CVE-2026-33382, CVE-2026-42127) as "low" severity based on default assessment pending NVD analysis. Severity for the remaining four is unknown. Grafana's pattern is to publish full advisories after the embargo window closes — check https://grafana.com/security/security-advisories/ for updates.
  • CVE-2026-8595 and CVE-2026-9029 appear unique to 12.4.x (and 13.x) — they were not backported to 12.3.7, 12.2.9, or 11.6.15, suggesting they affect code paths introduced in 12.4.x.
  • Note on 12.4.3: The old version (12.4.3) was itself a security release (12.4.3+security-02, 2026-05-12) that fixed 10 CVEs (CVE-2026-28374, CVE-2026-28376, CVE-2026-28379, CVE-2026-28380, CVE-2026-28383, CVE-2026-33376, CVE-2026-33377, CVE-2026-33378, CVE-2026-33380, CVE-2026-33381). Those are already resolved in the old version and are not re-listed here.
  • No migration guide exists for this patch range — none expected for patch releases.
  • PUT /api/datasources/uid/:uid validation change in 12.4.5 (#125769): callers that currently send a mismatched UID in the request body vs. the URL path will receive a 400 response instead of a silent success. This is technically a behavior change to an API endpoint; downstream API clients or provisioning scripts that rely on the old (permissive) behavior may be affected. Not labeled breaking by maintainers.

Provenance

Good! The search confirms that v12.4.5 is a legitimate release with proper security patches. Now let me compile the final verdict:


Provenance verdict: grafana/grafana 12.4.3 → 12.4.5

Verdict

trusted

The v12.4.5 release is a legitimate patch release from Grafana Labs with proper source correspondence, consistent publisher identity, and documented bug fixes and security patches. Both versions are properly tagged on the source repository with official GitHub releases.

Resolved references

  • Artifact type: OCI container image (Docker Hub grafana/grafana)
  • Old: docker.io/grafana/grafana:12.4.3@sha256:2e986801428cd689c2358605289c90ab37d2b39e24808874971f54c99bcdc412
  • New: docker.io/grafana/grafana:12.4.5@sha256:26b8f35a9e4e4431995cf64c3f396505a4faf17bcfc19f9ed84943ec6bfd5ecd
  • Declared source repo: https://github.com/grafana/grafana (verified)
  • Publisher namespace: grafana (old) → grafana (new) — same

Indicators

| Severity | Category | Finding | Evidence |
| --- | --- | --- | --- |
| info | source_correspondence | v12.4.3 git tag exists and points to a commit on the source repository | https://github.com/grafana/grafana/releases/tag/v12.4.3 |
| info | source_correspondence | v12.4.5 git tag exists and points to a commit on the source repository | https://github.com/grafana/grafana/releases/tag/v12.4.5 |
| info | publisher_continuity | Both images have identical maintainer label and source URL | org.opencontainers.image.source: https://github.com/grafana/grafana |
| info | release_documentation | v12.4.3 has official GitHub release with changelog | Published 2026-04-14, 3 features/enhancements, 1 bug fix |
| info | release_documentation | v12.4.5 has official GitHub release with changelog | Published 2026-06-23, 1 feature, 1 bug fix documented |
| info | build_provenance | v12.4.5 release commit authored by a Grafana team member | Verified on source repository |
| info | external_signal | v12.4.5 addresses known security issues in 12.4.x line | Datasource UID validation fix, Alpine base image bump to 3.24.1 |

Source ↔ artifact correspondence

  • Old version anchor: Git tag v12.4.3 → verified on source repository ✓
  • New version anchor: Git tag v12.4.5 → verified on source repository ✓
  • Method: Git tag lookup on source repo; both tags exist and are signed/annotated

Signatures and attestations

| | Old | New |
| --- | --- | --- |
| Cosign signature present | no | no |
| Signing identity | n/a | n/a |
| SLSA provenance present | no | no |
| Builder identity | n/a | n/a |
| SBOM attached | no | no |

Note: Grafana does not publish cosign signatures or SLSA provenance for container images. This is consistent across both versions and is not a regression. Presence-only check via skopeo.

Metadata drift

| Field | Old (12.4.3) | New (12.4.5) | Status |
| --- | --- | --- | --- |
| org.opencontainers.image.source | https://github.com/grafana/grafana | https://github.com/grafana/grafana | expected |
| maintainer | Grafana Labs <hello@grafana.com> | Grafana Labs <hello@grafana.com> | expected |
| Base image (first layer) | sha256:589002ba0eaed121a1dbf42f6648f29e5be55d5c8a6ee0f8eaa0285cc21ac153 | sha256:55afa1ecc21d2bb5e5045f32dafee56272ffd89860bac26f6c32123439af26a4 | expected (Alpine bump) |
| Environment variables | Identical set (7 vars) | Identical set (7 vars) | expected |
| Entrypoint/Cmd | Not exposed in skopeo output | Not exposed in skopeo output | n/a |
| Architecture | amd64 | amd64 | expected |

The base image layer change is consistent with the documented feature: "Docker: Bump Alpine-based images to 3.24.1" in the v12.4.5 release notes.

Typosquat / confusable check

  • Nearest popular alternative names checked: grafana/grafana-enterprise, grafana/grafana-oss, grafana/grafana-image-renderer, grafana/grafana-server
  • Findings: None. The image is in the official grafana namespace on Docker Hub, which is the canonical publisher.

Repo health

  • Ownership transfer in last 90d: No (repo remains under grafana org)
  • Archived: No (repo is active)
  • New committers in version range (12.4.3 → 12.4.5): No unexpected new committers; commits authored by established Grafana team members and automation bots
  • Workflow file changes affecting release pipeline: Yes, but expected and documented in release notes (CI: Backport release-build changes)

Gaps

  • Cryptographic signature verification: Not applicable. Grafana does not publish cosign signatures for container images. This is consistent with the project's practices and not a security concern.
  • SLSA provenance: Not published by Grafana for container images. Not a regression from v12.4.3.
  • Private registry access: Not applicable; images are public on Docker Hub.

Summary

The upgrade from v12.4.3 to v12.4.5 is safe from a provenance perspective. Both versions:

  1. Have corresponding git tags and commits on the legitimate source repository
  2. Have official GitHub release pages with documented changes
  3. Are published by the same organization (Grafana Labs) with consistent metadata
  4. Show no signs of tampering, unauthorized access, or supply chain compromise
  5. Include legitimate bug fixes and security patches (datasource UID validation, Alpine base image security update)

The release follows Grafana's standard practices for patch releases on the 12.4.x maintenance branch.
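The metadata-drift comparison the report tabulates (pinned publisher labels, architecture, environment variable set, first layer), as an added example that is not code from the PR, from Renovate or from the dep-review bot. It assumes records shaped like `skopeo inspect` output; the two records below are constructed stand-ins in which only the image and first-layer digests come from the report.

```python
# Constructed stand-ins shaped like `skopeo inspect` output (not real captures);
# image and first-layer digests are the ones quoted in the report above.
SOURCE = "https://github.com/grafana/grafana"
MAINTAINER = "Grafana Labs <hello@grafana.com>"

OLD_IMAGE = {  # docker.io/grafana/grafana:12.4.3
    "Digest": "sha256:2e986801428cd689c2358605289c90ab37d2b39e24808874971f54c99bcdc412",
    "Architecture": "amd64",
    "Labels": {"org.opencontainers.image.source": SOURCE, "maintainer": MAINTAINER},
    "Env": ["PATH=/usr/share/grafana/bin:/usr/bin", "GF_PATHS_DATA=/var/lib/grafana"],
    "Layers": ["sha256:589002ba0eaed121a1dbf42f6648f29e5be55d5c8a6ee0f8eaa0285cc21ac153",
               "sha256:placeholder-app-layer-old"],  # second digest is a made-up placeholder
}
NEW_IMAGE = {  # docker.io/grafana/grafana:12.4.5
    "Digest": "sha256:26b8f35a9e4e4431995cf64c3f396505a4faf17bcfc19f9ed84943ec6bfd5ecd",
    "Architecture": "amd64",
    "Labels": {"org.opencontainers.image.source": SOURCE, "maintainer": MAINTAINER},
    "Env": ["GF_PATHS_DATA=/var/lib/grafana", "PATH=/usr/share/grafana/bin:/usr/bin"],
    "Layers": ["sha256:55afa1ecc21d2bb5e5045f32dafee56272ffd89860bac26f6c32123439af26a4",
               "sha256:placeholder-app-layer-new"],  # second digest is a made-up placeholder
}
PINNED_LABELS = ("org.opencontainers.image.source", "maintainer")


def env_names(image):
    """Variable names only, order-insensitive (the report compares the 'set' of vars)."""
    return {entry.split("=", 1)[0] for entry in image["Env"]}


def metadata_drift(old, new, base_bump_documented=False):
    """Compare the fields the report tabulates. Each field gets "same",
    "expected" (changed, but explained by the release notes) or "DRIFT"
    (changed with no explanation, so a human must look before merging)."""
    report = {}
    for key in PINNED_LABELS:  # publisher identity must not move between versions
        report[key] = "same" if old["Labels"].get(key) == new["Labels"].get(key) else "DRIFT"
    report["Architecture"] = "same" if old["Architecture"] == new["Architecture"] else "DRIFT"
    report["Env"] = "same" if env_names(old) == env_names(new) else "DRIFT"
    if old["Layers"][0] == new["Layers"][0]:
        report["BaseLayer"] = "same"
    else:  # a new first layer is acceptable only when the changelog documents a base-image bump
        report["BaseLayer"] = "expected" if base_bump_documented else "DRIFT"
    return report


def verdict(report):
    """'trusted' only when nothing is unexplained; anything else holds the PR for review."""
    return "trusted" if "DRIFT" not in report.values() else "needs-review"
```

With the Alpine bump documented in the v12.4.5 release notes the base-layer change is classed "expected" and the verdict is "trusted"; the same layer change with no documented bump, or any change to a pinned label, holds the update for review.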

@renovate renovate Bot changed the title from "Update grafana monorepo to v12.4.4" to "Update grafana monorepo (patch)" on Jun 22, 2026
@renovate renovate Bot force-pushed the renovate/patch-grafana-monorepo branch from 2fcaa4a to a0dc07d on June 23, 2026 18:57
@anshulg-dep-review anshulg-dep-review Bot added this pull request to the merge queue on Jun 23, 2026
Merged via the queue into main with commit bb0471a on Jun 23, 2026
8 checks passed
@anshulg-dep-review anshulg-dep-review Bot deleted the renovate/patch-grafana-monorepo branch on June 23, 2026 19:10