Circular dependency on prometheus/common

[cornfeedhobo]

This repo pulls vulnerable dependencies. For example, yaml.v2 <2.4.0

I noticed this when a dependency of mine ended up pulling in v1.11.1, which depends on prometheus/common@v0.26.0, which depends on v1.7.1.

This circular dependency is causing a bunch of older dependencies to linger.

As far as I can tell, this is still happening right now on main.

[bwplotka]

Thanks for pointing! There was already an discussion about that in prometheus/common#58 - circular dep is unlikely to change. I believe you should be able to pin yaml.v2 to version you want in your go mod file, is that right?

[bwplotka]

I don't believe client_golang itself use YAML for any logic itself.

[cornfeedhobo]

You can't pin it to a specific version because sum will always calculate the entire tree of hashes. The only way is for everyone that depends on this package to include a lot of exclude directives. The YAML package alone pulls like 8 flagged versions.

[ArthurSens]

Circular dependency has been solved after moving the version collector to client_golang!

prometheus/common#579
prometheus/common#591
#1422

[bwplotka]

Thanks everyone! 💪🏽