Merged
1 change: 1 addition & 0 deletions docs/en/changes/changes.md
Expand Up @@ -304,6 +304,7 @@
* Bump Apache Curator `4.3.0` → `5.9.0` and Apache ZooKeeper `3.5.7` → `3.9.5` together to clear CVE-2023-44981 (the bundled ZooKeeper jar carried it; OAP is a ZooKeeper client only, so the server-side bug was never reachable, but the jar tripped Dependabot). The cluster-zookeeper and configuration-zookeeper plugins use only stable Curator APIs, so no source changes were required. Operator-facing change: the supported ZooKeeper server version is now 3.6+ (Curator 5.x uses ZooKeeper persistent watches, added in server 3.6.0); older servers (3.5.x, 3.4.x) are no longer supported.
* Migrate the Consul cluster and configuration client from the abandoned `com.orbitz.consul:consul-client` `1.5.3` to the maintained fork `org.kiwiproject:consul-client` `0.9.0` to clear the okhttp CVE the old client carried (CVE-2021-0341; the old client pinned okhttp `3.14.9`, fixed in okhttp `4.9.2+`), so the BOM now pins okhttp to `4.12.0`. The fork's `0.9.x` line is the last one built for JDK 11 (which SkyWalking still targets); `1.0.0+` is compiled to JDK 17 bytecode, so the migration stays on `0.9.0`. The cluster-consul and configuration-consul plugins use only stable Consul client APIs, so the change is a package rename (`com.orbitz.consul` → `org.kiwiproject.consul`); okhttp is pulled only by the Consul plugins (the fabric8 Kubernetes client excludes its okhttp transport), so no other module is affected.
* Bump test-scope assertj-core `3.20.2` → `3.27.7` to clear CVE-2026-24400 (XXE in `isXmlEqualTo`, not used by any test).
* Clear three security alerts: bump the Airflow e2e mock's pinned `protobuf` `4.25.8` → `5.29.6` (with `opentelemetry-proto` `1.24.0` → `1.28.0`, whose `protobuf<5.0` cap was the blocker, and `grpcio` `1.62.2` → `1.63.2`, required because `opentelemetry-proto` `1.28.0`'s gRPC stubs call `unary_unary(_registered_method=...)`) to clear CVE-2026-0994 — a CI-only test fixture, never shipped; and widen the cumulative `count` accumulator from `int` to `long` in `SumHistogramPercentileFunction` / `AvgHistogramPercentileFunction` to clear the CodeQL `implicit-cast-in-compound-assignment` alerts (`count += value` silently narrowed a `long` bucket-count sum back to `int`, while `total` was already `long`).
* Fix: continuous profiling policy validation now rejects a threshold / count of `0` to match the error messages and rover's `value >= threshold` trigger semantics (a `0` threshold would always trigger). CPU percent and HTTP error rate are tightened from `[0-100]` to `(0-100]`.
* Fix wrong BanyanDB resource options in record data.
* Align the default BanyanDB stage `segmentInterval` values so each coarser stage is an integer multiple of the finer one (`records` cold `3` → `4`, `metricsMinute` cold `5` → `6`, `metricsHour` warm `7` → `10` and cold `15` → `20`), keeping hot → warm → cold lifecycle migration on the cheap whole-segment fast path.
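Review bot: The added bullet beginning "Clear three security alerts" packs two unrelated changes into one entry: a pin bump in the Airflow e2e mock, which the text itself calls a CI-only test fixture that is never shipped, and an `int` to `long` change in the `calculate()` of `SumHistogramPercentileFunction` / `AvgHistogramPercentileFunction`, which is non-test code. The neighbouring entries carry one change per bullet, so consider splitting this into a dependency bullet for CVE-2026-0994 and a separate "Fix:" bullet for the accumulator, so that someone scanning the list for runtime behaviour changes does not dismiss the second half as test-only.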
Expand Up @@ -248,7 +248,7 @@ public void calculate() {
roofs[i] = Math.round(total * ranks.get(i) * 1.0f / 100);
}

int count = 0;
long count = 0;
final List<String> sortedKeys = subDataset.sortedKeys(Comparator.comparingLong(Long::parseLong));

int loopIndex = 0;
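Review bot: The context line `roofs[i] = Math.round(total * ranks.get(i) * 1.0f / 100);` just above the changed declaration still does its arithmetic in `float` and goes through `Math.round(float)`, which returns `int` and clamps at `Integer.MAX_VALUE`. Widening `count` to `long` only helps if the thresholds it is checked against can also leave the `int` range; if `count` is compared with `roofs` later in `calculate()` (not visible in this hunk), a `total` large enough to need a `long` produces clamped roofs, and `float` already loses integer precision above 2^24. Consider switching to `1.0d` with `Math.round(double)` and a `long`-typed `roofs` in the same change.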
Expand Up @@ -214,7 +214,7 @@ public void calculate() {
roofs[i] = Math.round(total * ranks.get(i) * 1.0f / 100);
}

int count = 0;
long count = 0;
final List<String> sortedKeys = subDataset.sortedKeys(Comparator.comparingLong(Long::parseLong));

int loopIndex = 0;
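Review bot: No test accompanies the `int count` to `long count` change at the declaration in this hunk, and the files shown in this diff include no test source. A unit test that feeds bucket counts whose running sum passes `Integer.MAX_VALUE` and asserts the resulting percentile would pin the behaviour for both percentile functions and would catch a later edit that narrows `count` again.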
6 changes: 3 additions & 3 deletions test/e2e-v2/cases/airflow/mock/requirements-replay.txt
@@ -1,4 +1,4 @@
flask==3.1.3
grpcio==1.62.2
protobuf==4.25.8
opentelemetry-proto==1.24.0
grpcio==1.63.2
protobuf==5.29.6
opentelemetry-proto==1.28.0
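Review bot: The reason `grpcio==1.63.2` has to move together with `opentelemetry-proto==1.28.0` and `protobuf==5.29.6` is recorded only in the changelog entry, not next to the pins. A `#` comment above these three lines, stating that `opentelemetry-proto` `1.24.0` capped `protobuf<5.0` and that the `1.28.0` gRPC stubs call `unary_unary(_registered_method=...)`, would stop a later single-package bump from breaking the Airflow e2e mock.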