Pinning Prometheus to 0.12.x for Micrometer 1.8.x #2965
Comments
|
Hey @jonatan-ivanov Does micrometer not working with newer prometheus java client versions than 0.12.x ? |
|
We don't generally upgrade minor versions of dependencies we compile against in patch releases. This is pinning the minor version for our 1.8.x maintenance branch. Micrometer should work with newer versions of the prometheus java client as long as they don't have breaking changes. Our |
|
@shakuzen Thanks for clarification ! |
|
Yepp, if you check our latest milestone release (1.9.0-M2 or you can check 2.x too), you can see that the Prometheus Client version is |
|
This triggers https://nvd.nist.gov/vuln/detail/CVE-2019-3826 if I upgrade micrometer-registry-prometheus. Should I file a separate issue? |
|
Isn't that CVE is for the Prometheus server. I can't seem to find the Prometheus client exposure. Could you help me understand? Please open a separate ticket. |
|
I'm hardly an expert, I have about a month of JVM experience 😅 all I know is I upgraded micrometer-registry-prometheus to 1.8.2 and that bombed me with that CVE. I can try to inspect my dependency tree if it helps. And yes it's almost certainly a separate ticket, but we might as well make sure this is the right place for it first 🤔 |
|
Ok false alarm, sorry for the noise. Seems the OWASP dependency check tool is bad at handling hyphens 🤦 it thinks your package is Prometheus… I'll go hit their issue tracker instead. Sigh… |
|
FYI (and in case anyone arrives here via google) — jeremylong/DependencyCheck#1927 |
So that automated dependency update won't resolve newer versions
The text was updated successfully, but these errors were encountered: