Activity
Pinning Prometheus to 0.12.x for Micrometer 1.8.x
CEikermann commented on Jan 13, 2022
Hey @jonatan-ivanov
Does micrometer not work with newer prometheus java client versions than 0.12.x?
shakuzen commented on Jan 13, 2022
We don't generally upgrade minor versions of dependencies we compile against in patch releases. This is pinning the minor version for our 1.8.x maintenance branch. Micrometer should work with newer versions of the prometheus java client as long as they don't have breaking changes. Our main branch used for Micrometer 1.9 development compiles against the latest version of the prometheus java client without any corresponding changes that I remember.
CEikermann commented on Jan 13, 2022
@shakuzen Thanks for clarification!
jonatan-ivanov commented on Jan 15, 2022
Yepp, if you check our latest milestone release (1.9.0-M2 or you can check 2.x too), you can see that the Prometheus Client version is 0.14.1 there (latest at the time of creating that release).
lalomartins commented on Feb 8, 2022
This triggers https://nvd.nist.gov/vuln/detail/CVE-2019-3826 if I upgrade micrometer-registry-prometheus. Should I file a separate issue?
checketts commented on Feb 8, 2022
Isn't that CVE for the Prometheus server? I can't seem to find the Prometheus client exposure. Could you help me understand? Please open a separate ticket.
lalomartins commented on Feb 8, 2022
I'm hardly an expert, I have about a month of JVM experience 😅 all I know is I upgraded micrometer-registry-prometheus to 1.8.2 and that bombed me with that CVE. I can try to inspect my dependency tree if it helps.
And yes it's almost certainly a separate ticket, but we might as well make sure this is the right place for it first 🤔
lalomartins commented on Feb 8, 2022
Ok false alarm, sorry for the noise. Seems the OWASP dependency check tool is bad at handling hyphens 🤦 it thinks your package is Prometheus… I'll go hit their issue tracker instead. Sigh…
lalomartins commented on Feb 8, 2022
FYI (and in case anyone arrives here via google) — jeremylong/DependencyCheck#1927
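One way to record the false positive discussed in this thread without silencing real Prometheus findings is a narrowly scoped OWASP Dependency-Check suppression, given here as an added example that is not from the thread or the Micrometer project; the suppression schema URL and the io.micrometer groupId are assumptions, not values stated above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the original thread.
     Assumptions: Dependency-Check suppression schema 1.3 and the
     io.micrometer Maven groupId for micrometer-registry-prometheus. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      micrometer-registry-prometheus is a Micrometer module, not the Prometheus
      server; the CVE-2019-3826 match comes from the tool's hyphen handling
      (see jeremylong/DependencyCheck#1927). Scoped to this one artifact and
      this one CVE so that a genuine Prometheus server dependency would still
      be flagged.
    ]]></notes>
    <!-- regex package URL: any version of exactly this artifact -->
    <packageUrl regex="true">^pkg:maven/io\.micrometer/micrometer\-registry\-prometheus@.*$</packageUrl>
    <cve>CVE-2019-3826</cve>
  </suppress>
</suppressions>
```

Point the scanner at this file (for example via the Maven plugin's suppressionFiles setting) and re-run the scan; the suppression should remove only this single match and nothing else in the report.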