diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7c08b1ff8..f61b1c023 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## 2.40.4 / 2022-11-29
+
+* [SECURITY] Fix basic authentication bypass vulnerability (CVE-2022-46146). GHSA-4v48-4q5m-8vx4
+
+## 2.40.3 / 2022-11-23
+
+* [BUGFIX] TSDB: Fix compaction after a deletion is called. #11623
+
 ## 2.40.2 / 2022-11-16
 
 * [BUGFIX] UI: Fix black-on-black metric name color in dark mode. #11572
diff --git a/VERSION b/VERSION
index 29508491c..2d6c3fe67 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.40.2
+2.40.4
diff --git a/go.mod b/go.mod
index 4c38be5f8..dc9a0c2e2 100644
--- a/go.mod
+++ b/go.mod
@@ -46,7 +46,7 @@ require (
 	github.com/prometheus/common v0.37.0
 	github.com/prometheus/common/assets v0.2.0
 	github.com/prometheus/common/sigv4 v0.1.0
-	github.com/prometheus/exporter-toolkit v0.8.1
+	github.com/prometheus/exporter-toolkit v0.8.2
 	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.9
 	github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749
 	github.com/stretchr/testify v1.8.1
diff --git a/go.sum b/go.sum
index 82b29d916..ecae3bd58 100644
--- a/go.sum
+++ b/go.sum
@@ -704,8 +704,8 @@ github.com/prometheus/common/assets v0.2.0/go.mod h1:D17UVUE12bHbim7HzwUvtqm6gwB
 github.com/prometheus/common/sigv4 v0.1.0 h1:qoVebwtwwEhS85Czm2dSROY5fTo2PAPEVdDeppTwGX4=
 github.com/prometheus/common/sigv4 v0.1.0/go.mod h1:2Jkxxk9yYvCkE5G1sQT7GuEXm57JrvHu9k5YwTjsNtI=
 github.com/prometheus/exporter-toolkit v0.7.1/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g=
-github.com/prometheus/exporter-toolkit v0.8.1 h1:TpKt8z55q1zF30BYaZKqh+bODY0WtByHDOhDA2M9pEs=
-github.com/prometheus/exporter-toolkit v0.8.1/go.mod h1:00shzmJL7KxcsabLWcONwpyNEuWhREOnFqZW7vadFS0=
+github.com/prometheus/exporter-toolkit v0.8.2 h1:sbJAfBXQFkG6sUkbwBun8MNdzW9+wd5YfPYofbmj0YM=
+github.com/prometheus/exporter-toolkit v0.8.2/go.mod h1:00shzmJL7KxcsabLWcONwpyNEuWhREOnFqZW7vadFS0=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
diff --git a/tsdb/db_test.go b/tsdb/db_test.go
index 83ffb5dbc..d4c2840c2 100644
--- a/tsdb/db_test.go
+++ b/tsdb/db_test.go
@@ -2960,6 +2960,24 @@ func TestCompactHead(t *testing.T) {
 	require.NoError(t, seriesSet.Err())
 }
 
+// TestCompactHeadWithDeletion tests https://github.com/prometheus/prometheus/issues/11585.
+func TestCompactHeadWithDeletion(t *testing.T) {
+	db, err := Open(t.TempDir(), log.NewNopLogger(), prometheus.NewRegistry(), nil, nil)
+	require.NoError(t, err)
+
+	app := db.Appender(context.Background())
+	_, err = app.Append(0, labels.FromStrings("a", "b"), 10, rand.Float64())
+	require.NoError(t, err)
+	require.NoError(t, app.Commit())
+
+	err = db.Delete(0, 100, labels.MustNewMatcher(labels.MatchEqual, "a", "b"))
+	require.NoError(t, err)
+
+	// This recreates the bug.
+	require.NoError(t, db.CompactHead(NewRangeHead(db.Head(), 0, 100)))
+	require.NoError(t, db.Close())
+}
+
 func deleteNonBlocks(dbDir string) error {
 	dirs, err := os.ReadDir(dbDir)
 	if err != nil {
diff --git a/tsdb/querier.go b/tsdb/querier.go
index cf6b3c9dc..2d03bd40d 100644
--- a/tsdb/querier.go
+++ b/tsdb/querier.go
@@ -712,12 +712,7 @@ func (p *populateWithDelChunkSeriesIterator) Next() bool {
 	if valueType == chunkenc.ValNone {
 		if err := p.currDelIter.Err(); err != nil {
 			p.err = errors.Wrap(err, "iterate chunk while re-encoding")
-			return false
 		}
-
-		// Empty chunk, this should not happen, as we assume full
-		// deletions being filtered before this iterator.
-		p.err = errors.New("populateWithDelChunkSeriesIterator: unexpected empty chunk found while rewriting chunk")
 		return false
 	}
 
diff --git a/web/ui/module/codemirror-promql/package.json b/web/ui/module/codemirror-promql/package.json
index 5b3818274..9ca156934 100644
--- a/web/ui/module/codemirror-promql/package.json
+++ b/web/ui/module/codemirror-promql/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@prometheus-io/codemirror-promql",
-  "version": "0.40.2",
+  "version": "0.40.4",
   "description": "a CodeMirror mode for the PromQL language",
   "types": "dist/esm/index.d.ts",
   "module": "dist/esm/index.js",
@@ -29,7 +29,7 @@
   },
   "homepage": "https://github.com/prometheus/prometheus/blob/main/web/ui/module/codemirror-promql/README.md",
   "dependencies": {
-    "@prometheus-io/lezer-promql": "^0.40.2",
+    "@prometheus-io/lezer-promql": "^0.40.4",
     "lru-cache": "^6.0.0"
   },
   "devDependencies": {
diff --git a/web/ui/module/lezer-promql/package.json b/web/ui/module/lezer-promql/package.json
index 51d8bbf72..b7b8724b1 100644
--- a/web/ui/module/lezer-promql/package.json
+++ b/web/ui/module/lezer-promql/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@prometheus-io/lezer-promql",
-  "version": "0.40.2",
+  "version": "0.40.4",
   "description": "lezer-based PromQL grammar",
   "main": "index.cjs",
   "type": "module",
diff --git a/web/ui/package-lock.json b/web/ui/package-lock.json
index 14420e540..78f57e532 100644
--- a/web/ui/package-lock.json
+++ b/web/ui/package-lock.json
@@ -28,10 +28,10 @@
     },
     "module/codemirror-promql": {
       "name": "@prometheus-io/codemirror-promql",
-      "version": "0.40.2",
+      "version": "0.40.4",
       "license": "Apache-2.0",
       "dependencies": {
-        "@prometheus-io/lezer-promql": "^0.40.2",
+        "@prometheus-io/lezer-promql": "^0.40.4",
         "lru-cache": "^6.0.0"
       },
       "devDependencies": {
@@ -61,7 +61,7 @@
     },
     "module/lezer-promql": {
       "name": "@prometheus-io/lezer-promql",
-      "version": "0.40.2",
+      "version": "0.40.4",
       "license": "Apache-2.0",
       "devDependencies": {
         "@lezer/generator": "^1.1.1",
@@ -20674,7 +20674,7 @@
     },
     "react-app": {
       "name": "@prometheus-io/app",
-      "version": "0.40.2",
+      "version": "0.40.4",
       "dependencies": {
         "@codemirror/autocomplete": "^6.2.0",
         "@codemirror/commands": "^6.1.2",
@@ -20692,7 +20692,7 @@
         "@lezer/lr": "^1.2.3",
         "@nexucis/fuzzy": "^0.4.1",
         "@nexucis/kvsearch": "^0.8.1",
-        "@prometheus-io/codemirror-promql": "^0.40.2",
+        "@prometheus-io/codemirror-promql": "^0.40.4",
         "bootstrap": "^4.6.2",
         "css.escape": "^1.5.1",
         "downshift": "^7.0.1",
@@ -23321,7 +23321,7 @@
         "@lezer/lr": "^1.2.3",
         "@nexucis/fuzzy": "^0.4.1",
         "@nexucis/kvsearch": "^0.8.1",
-        "@prometheus-io/codemirror-promql": "^0.40.2",
+        "@prometheus-io/codemirror-promql": "^0.40.4",
         "@testing-library/react-hooks": "^7.0.2",
         "@types/enzyme": "^3.10.12",
         "@types/flot": "0.0.32",
@@ -23372,7 +23372,7 @@
         "@lezer/common": "^1.0.1",
         "@lezer/highlight": "^1.1.2",
         "@lezer/lr": "^1.2.3",
-        "@prometheus-io/lezer-promql": "^0.40.2",
+        "@prometheus-io/lezer-promql": "^0.40.4",
         "@types/lru-cache": "^5.1.1",
         "isomorphic-fetch": "^3.0.0",
         "lru-cache": "^6.0.0",
diff --git a/web/ui/react-app/package.json b/web/ui/react-app/package.json
index 2aad662ea..6874a393d 100644
--- a/web/ui/react-app/package.json
+++ b/web/ui/react-app/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@prometheus-io/app",
-  "version": "0.40.2",
+  "version": "0.40.4",
   "private": true,
   "dependencies": {
     "@codemirror/autocomplete": "^6.2.0",
@@ -19,7 +19,7 @@
     "@lezer/common": "^1.0.1",
     "@nexucis/fuzzy": "^0.4.1",
     "@nexucis/kvsearch": "^0.8.1",
-    "@prometheus-io/codemirror-promql": "^0.40.2",
+    "@prometheus-io/codemirror-promql": "^0.40.4",
     "bootstrap": "^4.6.2",
     "css.escape": "^1.5.1",
     "downshift": "^7.0.1",