Prometheus vs Grafana
Side-by-side trajectory, velocity, and editorial themes.
Prometheus enters 3.12 RC while running a coordinated security backport across the 3.5 LTS line.
Prometheus published a 3.12.0 release candidate with PromQL and Service Discovery additions, TSDB performance work, and security fixes for a remote-write denial-of-service and a STAC secret leak. In the same window, 3.11.3 and 3.5.3 shipped coordinated security fixes for snappy decoding, AzureAD client_secret handling, and an old-UI XSS, and the prior 3.11.2/3.5.2 pair fixed a metric-name XSS in the web UI. The project is clearly maintaining 3.5 as a long-term branch alongside the active 3.x line.
Cadence is dominated by responsible-disclosure security work, with feature additions concentrated in the upcoming 3.12 release. The fact that 3.5 keeps receiving coordinated backports months after 3.11 suggests Prometheus is informally treating 3.5 as a stable LTS for environments that cannot upgrade quickly.
Expect 3.12.0 to ship final within a few weeks given the RC has already landed, and a 3.5.4 backport to follow the next security disclosure rather than the next feature batch.
Grafana ships fleet-wide CVE patches across five branches while Dynamic Dashboards anchor the new 13.0 line.
Grafana is on a brisk monthly minor cadence — 12.2, 12.3, 12.4, and 13.0 all landed between late March and mid-April, with 13.0 making Dynamic Dashboards GA as the new dashboarding primitive. Today they cut a coordinated security release across every supported branch (11.6, 12.2, 12.3, 12.4, 13.0) patching the same set of around ten CVEs. The dual pattern — fast feature iteration on top, broad LTS coverage underneath — is intact.
The platform is consolidating around Dynamic Dashboards as the default authoring model and pushing Git-driven workflows (Git Sync, templates, shared queries) into the everyday loop. Logs and Drilldown experiences keep getting structural rewrites rather than cosmetic polish, suggesting Grafana sees the exploration UX as the differentiation lever against newer observability vendors. Maintenance discipline is a feature here, not background work: synchronized multi-branch CVE releases keep enterprise customers on a buyable upgrade path.
Expect a 13.1 minor inside the next month continuing on Dynamic Dashboards, Git Sync, and Drilldown threads, plus follow-up patch releases as the post-disclosure window for these CVEs closes. A public write-up explaining the ten-CVE batch is likely if any of the bugs turn out to be remotely exploitable.