Open AB-xdev opened 1 day ago
Another extremely good example of why it's not wise to ship all dependencies (that are likely barely used) by default, instead of using a more modular approach: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
For now we create a "workaround" project: https://github.com/xdev-software/prometheus-metrics-exposition-formats-no-protobuf
Also:
In https://github.com/prometheus/client_java/commit/c9bb30bd361870ff412c1d817c41f573e457670e protobuf is now directly shaded into prometheus-metrics-exposition-formats
and it can no longer be ignored -.-
I think it would be good to revert this.
Overview:
Context: I'm using Spring Boot, with
micrometer-registry-prometheus
as the metrics implementation for Actuator, which then uses prometheus-metrics-exposition-formats
While inspecting our final built jar I noticed that your dependency is shipped with protobuf which is rather big (when compared to the rest):
I'm also not actively using protobuf and therefore it would be great if this could somehow be excluded.
It's also noted in the docs that protobuf is somewhat obsolete/experimental, so shipping this by default is maybe not needed in the first place.
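The check behind the "inspecting our final built jar" step above, as an added example (not code from the issue author, the xdev workaround project, or prometheus/client_java): a small Python script that walks a Spring Boot fat jar, descends into the nested `BOOT-INF/lib/*.jar` entries, and reports every class whose path looks like protobuf, so you can see whether the library arrives unshaded (`com/google/protobuf/...`) or shaded under some other package. The shaded package name used by prometheus-metrics-exposition-formats is not known here, so any class path containing `protobuf` is reported as a heuristic. The jar it scans is constructed inline with made-up class names and sizes so the script runs offline; only `com/google/protobuf/` is protobuf-java's real package.

```python
"""Scan a (Spring Boot) fat jar for bundled protobuf classes, shaded or not.

Added example; not part of the original issue or of prometheus/client_java.
Class paths under io/prometheus/metrics/shaded/... are assumed for illustration.
"""
import io
import os
import tempfile
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def is_protobuf_entry(name):
    """Heuristic: any .class whose path mentions protobuf (covers shaded copies too)."""
    lower = name.lower()
    return lower.endswith(".class") and "protobuf" in lower


def _scan(zf, prefix, found):
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = prefix + info.filename
        if info.filename.endswith(".jar"):
            # Spring Boot keeps libraries as nested jars under BOOT-INF/lib/
            with zf.open(info) as nested:
                with zipfile.ZipFile(io.BytesIO(nested.read())) as inner:
                    _scan(inner, name + "!/", found)
        elif is_protobuf_entry(info.filename):
            found[name] = info.file_size  # uncompressed size of that class


def scan_jar(jar_path):
    """Return {entry path: uncompressed size} for every protobuf-looking class."""
    found = {}
    with zipfile.ZipFile(jar_path) as zf:
        _scan(zf, "", found)
    return found


def total_bytes(found):
    return sum(found.values())


def _fake_class(size):
    return CLASS_MAGIC.ljust(size, b"\0")


def build_sample_boot_jar(path):
    """Write a constructed fat jar; names and sizes are made up for this example."""
    lib_exposition = io.BytesIO()
    with zipfile.ZipFile(lib_exposition, "w") as z:
        z.writestr("io/prometheus/metrics/expositionformats/PrometheusTextFormatWriter.class", _fake_class(512))
        # assumed shaded location of protobuf inside the exposition-formats jar
        z.writestr("io/prometheus/metrics/shaded/protobuf/Message.class", _fake_class(4096))
        z.writestr("io/prometheus/metrics/shaded/protobuf/Descriptors.class", _fake_class(8192))
    lib_micrometer = io.BytesIO()
    with zipfile.ZipFile(lib_micrometer, "w") as z:
        z.writestr("io/micrometer/prometheusmetrics/PrometheusMeterRegistry.class", _fake_class(256))
    lib_protobuf = io.BytesIO()
    with zipfile.ZipFile(lib_protobuf, "w") as z:
        z.writestr("com/google/protobuf/MessageLite.class", _fake_class(1024))
    with zipfile.ZipFile(path, "w") as boot:
        boot.writestr("BOOT-INF/classes/com/example/Application.class", _fake_class(200))
        boot.writestr("BOOT-INF/lib/prometheus-metrics-exposition-formats.jar", lib_exposition.getvalue())
        boot.writestr("BOOT-INF/lib/micrometer-registry-prometheus.jar", lib_micrometer.getvalue())
        boot.writestr("BOOT-INF/lib/protobuf-java.jar", lib_protobuf.getvalue())


def demo():
    """Build the constructed jar in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.jar")
        build_sample_boot_jar(path)
        return scan_jar(path)


if __name__ == "__main__":
    hits = demo()
    for entry, size in sorted(hits.items()):
        print(f"{size:>8}  {entry}")
    print(f"{len(hits)} protobuf classes, {total_bytes(hits)} bytes total")
```

Point it at a real build with `scan_jar("target/app.jar")` (or `build/libs/app.jar` for Gradle). A quick shell equivalent for the unshaded case is `unzip -l app.jar | grep com/google/protobuf`, but that misses a shaded copy, which is why the script matches on the whole path; the registry jar above contains "prometheus" but not "protobuf" and is correctly not reported.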