Skip to content
/ prometheus-metrics-exposition-formats-no-protobuf Public

Reconfigures prometheus-metrics-exposition-formats to remove protobuf

License

Apache-2.0 license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

xdev-software/prometheus-metrics-exposition-formats-no-protobuf

BranchesTags

Repository files navigation

Latest version Build Quality Gate Status

prometheus-metrics-exposition-formats-no-protobuf

Reconfigures prometheus-metrics-exposition-formats to remove protobuf.

This module is designed to integrate with Spring Boot Actuator (Prometheus) or similar services.

Why remove Protobuf?

  1. Prometheus Protobuf format is obsolete/experimental, the chance that it's used is near 0
  2. The additional library can result in additional attack vectors. For example in CVE-2024-7254
    • If the dependency is reshaded it may not be detected by vulnerability scanners (as is the case in io.prometheus:prometheus-metrics-exposition-formats <= 1.3.1)
  3. The protobuf dependency is huge (around 10x bigger) in comparison to the other libraries

See also prometheus/client_java#1173

Installation

Installation guide for the latest release

Compatibility with io.prometheus:prometheus-metrics-exposition-formats

io.prometheus:prometheus-metrics-exposition-formats version prometheus-metrics-exposition-formats-no-protobuf version
1.3.4+ No longer required
1.3.2+ 2
< 1.3.2 1

Spring Boot Actuator

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-dependencies</artifactId>
            <version>...</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

<dependencies>
    <dependency>
        <groupId>software.xdev</groupId>
        <artifactId>prometheus-metrics-exposition-formats-no-protobuf</artifactId>
        <version>...</version>
        <scope>runtime</scope>
    </dependency>

    <dependency>
        <groupId>io.micrometer</groupId>
        <artifactId>micrometer-registry-prometheus</artifactId>
        <exclusions>
            <!-- Exclude default module so that dependency is properly removed -->
            <exclusion>
                <groupId>io.prometheus</groupId>
                <artifactId>prometheus-metrics-exposition-formats</artifactId>
            </exclusion>
        </exclusions>
        <scope>runtime</scope>
    </dependency>
</dependencies>

Support

If you need support as soon as possible and you can't wait for any pull request, feel free to use our support.

Contributing

See the contributing guide for detailed instructions on how to get started with our project.

Dependencies and Licenses

View the license of the current project or the summary including all dependencies

About

Reconfigures prometheus-metrics-exposition-formats to remove protobuf

Topics

spring spring-boot protobuf eol actuator prometheus-metrics-exposition-formats

Resources

Readme

License

Apache-2.0 license

Security policy

Security policy
Activity
Custom properties

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 2

v2.0.0 Latest
Nov 22, 2024
+ 1 release

Contributors 6

Languages