Closed ath88 closed 2 years ago
Thanks for the contribution! Yet I find the suggested solution outside of the library better: https://github.com/jochen-schweizer/express-prom-bundle/issues/25#issuecomment-830426374
The pull request is lacking 2 items:
Thanks for the contribution! Yet I find the suggested solution outside of the library better: #25 (comment)
The pull request is lacking 2 items:
- types/index.d.ts needs to be extended to include the new option
- the code should be covered in unit tests
I see your point. It's cleaner and doesn't pollute the code base and is fully supported by autoregister
. But - I see a two benefits over the solution mentioned in the comments:
collectDefaultMetrics
you'll expose your Node.js version to the world, if you forget to block it in your firewall or proxy or whatever you have. This is an issue that people have. By supporting this directly, people won't have to look through closed issues to find the secure approach. I added the requested changes. :)
@ath88 thanks again! This has been published to npm as version 6.5.0
Fixes #25
Exposing Node.js internals on a public facing API is potentially a security issue. This lets you expose the metrics endpoint on a different node app listening on a different port.