Used Prometheus package is pinned to a really old version #254
Comments
Hi @chombium, unfortunately there were many breaking changes in the prometheus package between October 2019 and now, which makes this a non-trivial change. That package is not intended for stable, public consumption, and pulling it in was a questionable choice from a maintenance perspective IMO. Even if we fix the code now, we should expect breaking changes in the future that will make this process hard once again. Check out Prometheus' own description of the Go code versioning: https://github.com/prometheus/prometheus#prometheus-code-base. I did attempt to fix this up some time ago, but never saw it through. The changes I had made are on this branch: https://github.com/cloudfoundry/log-cache-release/tree/fix/prometheus-dependency. I'm in favor of fixing this, not sure when I would get to it though. PRs would be welcome 😄
Hi @ctlong, I've taken a quick look at your branch and saw that there are too many things going on apart from the prometheus changes. I suggest that we create a new PR based on the current state in the main branch and your initial changes. We will prepare a PR.
At SAP we are running security checks on the Log Cache's codebase and we (me and @ZPascal) have seen that the used Prometheus package is pinned to a really old version. The pinned version is 2.13 from October 2019 and the current version is 2.44.
I've gone through the code today and I've seen that the only place where the Prometheus package is used is in promql.go.
Why is the Prometheus package pinned to an old version? What kind of incompatibilities are there with the newer versions?
As the Prometheus package is used only in one file, I guess it won't be hard to refactor it, so that the newest stable version can be used...