prometheus / client_java

Prometheus instrumentation library for JVM applications
http://prometheus.github.io/client_java/
Apache License 2.0

[prometheus-metrics-exposition-formats] Consider making protobuf optional #1173

Open AB-xdev opened 1 day ago

AB-xdev commented 1 day ago

Context: I'm using Spring Boot and, as the metrics implementation for Actuator, micrometer-registry-prometheus, which then uses prometheus-metrics-exposition-formats.

While inspecting our final built jar I noticed that your dependency is shipped with protobuf which is rather big (when compared to the rest):

I'm also not actively using protobuf and therefore it would be great if this could somehow be excluded.

It's also noted in the docs that protobuf is somewhat obsolete/experimental so shipping this by default is maybe not needed in the first place.

AB-xdev commented 1 day ago

Another extremely good example of why it's not wise to ship all dependencies (that are likely barely used) by default instead of using a more modular approach: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8

AB-xdev commented 8 hours ago

For now we create a "workaround" project: https://github.com/xdev-software/prometheus-metrics-exposition-formats-no-protobuf

AB-xdev commented 7 hours ago

Also: In https://github.com/prometheus/client_java/commit/c9bb30bd361870ff412c1d817c41f573e457670e protobuf is now directly shaded into prometheus-metrics-exposition-formats and it can no longer be ignored -.- I think it would be good to revert this.

AB-xdev commented 6 hours ago

Overview: