
Circular dependency on prometheus/common

Open cornfeedhobo opened this issue 2 years ago • 3 comments

This repo pulls vulnerable dependencies. For example, yaml.v2 <2.4.0

I noticed this when a dependency of mine ended up pulling in v1.11.1, which depends on prometheus/[email protected], which depends on v1.7.1.

This circular dependency is causing a bunch of older dependencies to linger.

As far as I can tell, this is still happening right now on main.

cornfeedhobo avatar Nov 16 '23 15:11 cornfeedhobo

Thanks for pointing this out! There was already a discussion about that in https://github.com/prometheus/common/issues/58 - the circular dep is unlikely to change. I believe you should be able to pin yaml.v2 to the version you want in your go.mod file, is that right?

bwplotka avatar Nov 20 '23 10:11 bwplotka

I don't believe client_golang itself uses YAML for any logic.

bwplotka avatar Nov 20 '23 10:11 bwplotka

You can't pin it to a specific version because sum will always calculate the entire tree of hashes. The only way is for everyone that depends on this package to include a lot of exclude directives. The YAML package alone pulls like 8 flagged versions.

cornfeedhobo avatar Nov 20 '23 17:11 cornfeedhobo
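To see which requirement chains carry a given module and why several yaml.v2 versions stay in the graph, here is an added example that is not from this thread or from the Prometheus projects: it walks constructed `go mod graph` output (the module versions are invented, including a back-edge from an old common to an old client_golang) and lists every chain from the root module to any yaml.v2 version, terminating at the client_golang <-> common cycle instead of recursing forever.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output, one "parent child" edge per line; the versions are invented.
const sampleGraph = `example.com/app github.com/prometheus/client_golang@v1.11.1
example.com/app gopkg.in/yaml.v2@v2.4.0
github.com/prometheus/client_golang@v1.11.1 github.com/prometheus/common@v0.26.0
github.com/prometheus/common@v0.26.0 github.com/prometheus/client_golang@v1.7.1
github.com/prometheus/common@v0.26.0 gopkg.in/yaml.v2@v2.3.0
github.com/prometheus/client_golang@v1.7.1 github.com/prometheus/common@v0.10.0
github.com/prometheus/common@v0.10.0 gopkg.in/yaml.v2@v2.2.5
github.com/prometheus/common@v0.10.0 github.com/prometheus/client_golang@v1.7.1`

// Paths parses the edge lines and returns every requirement chain from root to a node of module path target.
func Paths(graph, root, target string) [][]string {
	g := map[string][]string{} // adjacency list keyed by "path@version"
	for _, line := range strings.Split(graph, "\n") {
		f := strings.Fields(line)
		g[f[0]] = append(g[f[0]], f[1])
	}
	var out [][]string
	var walk func(n string, chain []string)
	walk = func(n string, chain []string) {
		for _, c := range chain {
			if c == n { // back-edge: n is already an ancestor on this chain, so the cycle ends here
				return
			}
		}
		chain = append(chain, n)
		if strings.HasPrefix(n, target+"@") {
			out = append(out, append([]string(nil), chain...)) // copy: sibling branches reuse chain
			return
		}
		for _, k := range g[n] {
			walk(k, chain)
		}
	}
	walk(root, nil)
	return out
}

func main() {
	for _, p := range Paths(sampleGraph, "example.com/app", "gopkg.in/yaml.v2") {
		fmt.Println(strings.Join(p, " -> "))
	}
}
```

Every chain ends in a different yaml.v2 version and all of them stay in the module graph (and the hashes recorded in go.sum), while `go list -m gopkg.in/yaml.v2` prints the single version minimal version selection actually builds, the highest one required (v2.4.0 in this sample, because the root requires it); that selected version is the one to compare against an advisory's range.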

Circular dependency has been solved after moving the version collector to client_golang!

https://github.com/prometheus/common/pull/579 https://github.com/prometheus/common/pull/591 https://github.com/prometheus/client_golang/pull/1422

ArthurSens avatar May 13 '24 22:05 ArthurSens

Thanks everyone! 💪🏽

bwplotka avatar May 14 '24 09:05 bwplotka