At SAP we are running security checks on the Log Cache's codebase and we (me and @ZPascal) have seen that the used Prometheus package is pinned to a really old version. The pinned version is 2.13 from October 2019 and the current version is 2.44.
I've gone through the code today and I've seen that the only place where the Prometheus package is used is in promql.go.
Why is the Prometheus package pinned to an old version? What kind of incompatibilities are there with the newer versions?
As the Prometheus package is used only in one file, I guess it won't be hard to refactor it, so that the newest stable version can be used...
Hi @chombium, unfortunately there were many breaking changes in the prometheus package between October 2019 and now, which makes this a non-trivial change. That package is not intended for stable, public consumption, and pulling it in was a questionable choice from a maintenance perspective IMO. Even if we fix the code now, we should expect breaking changes in the future that will make this process hard once again. Check out Prometheus' own description of the go code versioning: https://github.com/prometheus/prometheus#prometheus-code-base.
Hi @ctlong, I've taken a quick look at your branch and saw that there are too many things going on apart from the prometheus changes. I suggest that we create a new PR based on the current state in the main branch and your initial changes. We will prepare a PR.