Hello,
Could you please update the prometheus dependency, as the current version contains a vulnerability?
(I also believe this dependency should be optional and enabled via a feature flag.)
In Cargo.toml, the dependency is declared as:
prometheus = "0"
and
prometheus = "0.13"
However, Cargo currently resolves it to version 0.13.4 and does not upgrade to the 0.14.x series. As a result, the vulnerable version remains in the dependency tree.
Here is the report from cargo audit:
Crate: protobuf
Version: 2.28.0
Title: Crash due to uncontrolled recursion in protobuf crate
Date: 2024-12-12
ID: RUSTSEC-2024-0437
URL: https://rustsec.org/advisories/RUSTSEC-2024-0437
Solution: Upgrade to >=3.7.2
Dependency tree:
protobuf 2.28.0
└── prometheus 0.13.4
    └── pingora-core 0.8.0
        ├── pingora-proxy 0.8.0
        │   ├── pingora 0.8.0
        │
        ├── pingora-load-balancing 0.8.0
        │   ├── pingora 0.8.0
        │
        ├── pingora-cache 0.8.0
        │   ├── pingora-proxy 0.8.0
        │   └── pingora 0.8.0
        ├── pingora 0.8.0
Updating the dependency to a version compatible with 0.14.x would resolve the vulnerability.
Additionally, several dependencies used in the project appear to be unmaintained, such as:
Crate: daemonize
Version: 0.5.0
Warning: unmaintained
Title: `daemonize` is Unmaintained
Date: 2025-09-14
ID: RUSTSEC-2025-0069
URL: https://rustsec.org/advisories/RUSTSEC-2025-0069
-----------------------------
Crate: derivative
Version: 2.2.0
Warning: unmaintained
Title: `derivative` is unmaintained; consider using an alternative
Date: 2024-06-26
ID: RUSTSEC-2024-0388
URL: https://rustsec.org/advisories/RUSTSEC-2024-0388
---------------------------
Crate: rustls-pemfile
Version: 2.2.0
Warning: unmaintained
Title: rustls-pemfile is unmaintained
Date: 2025-11-28
ID: RUSTSEC-2025-0134
URL: https://rustsec.org/advisories/RUSTSEC-2025-0134
Thank you in advance.
Pingora info
Please include the following information about your environment:
Pingora version: 0.8.0
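As an added illustration (not part of the issue above and not the Pingora project's actual manifest), here is how the two declarations quoted in the report could be rewritten so that Cargo must take the 0.14.x series, and how the dependency could be made opt-in behind a feature flag as the reporter suggests. The crate name used in `[package]`, the feature name `prometheus`, and the assumption that prometheus 0.14.x no longer pulls in protobuf 2.28.0 (taken from the advisory's "Solution" line and the issue's own statement) are assumptions for this example.

```toml
# Constructed example, not Pingora's real Cargo.toml.
# Assumption: the crate declaring the dependency is pingora-core.

[package]
name = "pingora-core"
version = "0.8.0"
edition = "2021"

[dependencies]
# Before: "0" means >=0.0.0 <1.0.0 and "0.13" means >=0.13.0 <0.14.0.
# Both are satisfied by the 0.13.4 already in Cargo.lock, so neither
# `cargo update` nor a fresh resolve is forced onto 0.14.x, and the
# advisory-affected protobuf 2.28.0 stays in the tree.
# prometheus = "0"
# prometheus = "0.13"

# After: a 0.14 requirement (caret semantics, >=0.14.0 <0.15.0) excludes
# every 0.13.x release. `optional = true` keeps the crate, and its
# protobuf transitive dependency, out of the tree unless a downstream
# user opts in.
prometheus = { version = "0.14", optional = true }

[features]
default = []
# Downstream opt-in:
#   pingora-core = { version = "0.8", features = ["prometheus"] }
# `dep:` names the optional dependency without creating an implicit
# feature of the same name.
prometheus = ["dep:prometheus"]
```

Code that uses the crate would then be gated with `#[cfg(feature = "prometheus")]`. After the change, `cargo update -p prometheus` followed by `cargo audit` (or `cargo tree -i protobuf`) confirms whether protobuf 2.28.0 has left the dependency tree; if another workspace crate still carries a `"0.13"` requirement, both requirements must be raised together, otherwise Cargo keeps two prometheus versions and the old protobuf with them.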