RUSTSEC-2024-0437 vulnerability with prometheus dependency #1009

Open
srale opened this issue Mar 21, 2025 · 3 comments
Comments

@srale

srale commented Mar 21, 2025

Hi.
At the moment, poem depends on prometheus, which in turn depends on protobuf, which has a vulnerability. This makes `cargo audit` fail unless this vulnerability is ignored. This is the case because I'm using the prometheus feature in poem.

Link to the vulnerability: RUSTSEC-2024-0437.
Thank you!

@attila-lin (Collaborator)

wait this?

@vasra-gh

@attila-lin yes

Dependency upgrade: Update protobuf to 3.7.2 for RUSTSEC-2024-0437

I guess poem just needs to update its dependencies once that is merged.

@vasra-gh

It seems like opentelemetry-rust, which poem uses and which uses prometheus (which uses the protobuf crate), won't be updated and will be discontinued. open-telemetry/opentelemetry-rust#2769

Will there be a plan to replace it?

attila-lin pushed a commit to attila-lin/poem that referenced this issue Mar 27, 2025