
Please update pm2 to 5.1.2 to resolve transitive dependencies to a fixed ws

Open jdstrand opened this issue 2 years ago • 3 comments

We've been getting dependabot alerts for ws and traced this back to our use of https://www.npmjs.com/package/pm2-metrics. https://github.com/saikatharryc/pm2-prometheus-exporter/blob/master/package.json specifies "pm2": "^4.4.0", which pulls in the old pm2/agent 1.0.8 that pulls in ws ~7.2.0, which is affected by https://github.com/advisories/GHSA-6fc8-4gx4-v693. I've seen that pm2@5.1.2's dependencies ultimately pull in an updated ws, so perhaps this could address the dependabot alerts for consumers of pm2-metrics.

Thanks!

jdstrand avatar Dec 08 '21 15:12 jdstrand
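One way to automate the trace described in the report above, as an added example that is not part of this issue or of the pm2-prometheus-exporter project: it walks an `npm ls --json`-style dependency tree and reports every path that reaches a given package, then flags the ones below a fixed version. The tree and its version numbers are constructed to mirror the chain pm2 -> @pm2/agent -> ws, and the fixed ws version passed in is an assumption to be checked against the advisory.

```javascript
// Constructed dependency tree in the shape of `npm ls --json` output;
// versions are made up to mirror the chain described in the issue.
const constructedTree = {
  name: "my-service",
  version: "1.0.0",
  dependencies: {
    "pm2-metrics": {
      version: "1.0.43",
      dependencies: {
        pm2: {
          version: "4.5.6",
          dependencies: {
            "@pm2/agent": {
              version: "1.0.8",
              dependencies: { ws: { version: "7.2.3" } },
            },
          },
        },
      },
    },
  },
};

// Depth-first walk: returns { path, version } for every occurrence of `target`,
// where `path` is the chain of "name@version" entries from the root down.
function findDependencyPaths(tree, target, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === target) hits.push({ path: here.join(" > "), version: node.version });
    hits.push(...findDependencyPaths(node, target, here));
  }
  return hits;
}

// Numeric comparison of plain x.y.z versions (no prerelease tags).
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Paths whose installed version is older than `fixedVersion` (caller supplies
// the patched version from the advisory; this is an assumption, not a lookup).
function vulnerablePaths(tree, target, fixedVersion) {
  return findDependencyPaths(tree, target).filter(h => versionLessThan(h.version, fixedVersion));
}
```

Run it against the real tree with `JSON.parse` of `npm ls --json --all` output to see which top-level package still drags in the old ws after an upgrade.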

As an aside, I noticed that this repository lists 1.0.47, but https://www.npmjs.com/package/pm2-metrics only lists 1.0.43. AFAICS, 1.0.47 wouldn't solve this issue, but it appears that people specifying pm2-metrics in their package.json and yarn.lock files aren't benefiting from your updates to this repo. Is npm install pm2-metrics supported by the project?

jdstrand avatar Feb 23 '22 14:02 jdstrand

As an aside, I noticed that this repository lists 1.0.47, but https://www.npmjs.com/package/pm2-metrics only lists 1.0.43.

Yes, pm2 install pm2-metrics installs 1.0.43 and it does not work with pm2 5.2.0.

"pm2 start .../exports.js --name pm2-metrics" (after npm install . -g) works, but this installs it as a managed process and not as a module.

But I like to have it separated from the managed processes; I like to install pm2-metrics as a pm2 module.

I'm using this to install pm2-metrics in a Dockerfile:

RUN wget https://github.com/autonoma-cloud/pm2-prometheus-exporter/archive/refs/tags/1.0.47.1.tar.gz
RUN tar xf                 1.0.47.1.tar.gz                             \
  && mv                    pm2-prometheus-exporter-*          module   \
  && npm install -g                                           module/  \
  && tar czf               pm2-prometheus-exporter-module.tgz module/  \
  && pm2 install --tarball pm2-prometheus-exporter-module.tgz          \
  && rm -rf module pm2-prometheus-exporter-module.tgz 1.0.47.1.tar.gz

The npm install -g is needed because otherwise the dependencies of the pm2-exporter are not installed and the errors are only shown by pm2 logs when deployed.

bernhardkaindl avatar Jun 23 '22 00:06 bernhardkaindl

For pm2 5.2 and above you can try to use my module https://www.npmjs.com/package/pm2-prom-module

VeXell avatar Mar 07 '23 20:03 VeXell