Description
Summary
pingora-core declares prometheus = "0.13" as a hard (non-optional) dependency, which transitively pulls in protobuf v2.28.0. This version of protobuf has a known vulnerability (RUSTSEC-2024-0437 — stack overflow via uncontrolled recursion on untrusted input).
Problem
prometheus is only used in a single module: pingora-core/src/apps/prometheus_http_app.rs (the PrometheusServer / prometheus_http_service() app). Users who don't need the built-in Prometheus HTTP endpoint still get prometheus + protobuf in their dependency tree, inheriting the RUSTSEC-2024-0437 advisory.
The same applies to pingora-proxy, which also declares prometheus = "0" as a hard dependency.
Proposal
Make prometheus an optional dependency behind a feature flag (e.g., prometheus), and gate prometheus_http_app.rs behind #[cfg(feature = "prometheus")].
```toml
# pingora-core/Cargo.toml
[features]
prometheus = ["dep:prometheus"]

[dependencies]
prometheus = { version = "0.13", optional = true }
```

This lets users opt out of the protobuf v2 transitive dependency when they don't use Pingora's built-in Prometheus metrics endpoint.
Context
Discovered while integrating Pingora 0.7 into an API gateway project. cargo deny check flags RUSTSEC-2024-0437 as a hard error. The workaround is to ignore the advisory, but it would be cleaner to not compile the unused dependency at all.
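A check that goes with this report, added here and not part of the issue or of Pingora: a script that walks the `resolve` graph of `cargo metadata --format-version 1` (a constructed, trimmed sample stands in for real output) and lists every chain from the workspace root to `protobuf`, so the direct dependencies that would need a feature gate are visible at a glance. Crate versions in the sample are illustrative.

```python
import json

REG = "registry+https://github.com/rust-lang/crates.io-index#"

# Constructed sample of the `resolve` graph from `cargo metadata --format-version 1`,
# trimmed to the crates this issue talks about (versions are illustrative, not looked up).
SAMPLE_METADATA = json.dumps({"resolve": {
    "root": "path+file:///work/gateway#0.1.0",
    "nodes": [
        {"id": "path+file:///work/gateway#0.1.0",
         "deps": [{"pkg": REG + "pingora-core@0.7.0"}, {"pkg": REG + "pingora-proxy@0.7.0"}]},
        {"id": REG + "pingora-proxy@0.7.0",
         "deps": [{"pkg": REG + "pingora-core@0.7.0"}, {"pkg": REG + "prometheus@0.13.0"}]},
        {"id": REG + "pingora-core@0.7.0",
         "deps": [{"pkg": REG + "prometheus@0.13.0"}, {"pkg": REG + "tokio@1.0.0"}]},
        {"id": REG + "prometheus@0.13.0", "deps": [{"pkg": REG + "protobuf@2.28.0"}]},
        {"id": REG + "protobuf@2.28.0", "deps": []},
        {"id": REG + "tokio@1.0.0", "deps": []},
    ]}})

def pkg_name(pkg_id: str) -> str:
    """Crate name from a cargo package id, in either the new or the old id format."""
    if "#" in pkg_id:  # "registry+...#name@ver" or "path+file:///.../name#ver"
        head, tail = pkg_id.rsplit("#", 1)
        return tail.split("@", 1)[0] if "@" in tail else head.rstrip("/").rsplit("/", 1)[-1]
    return pkg_id.split(" ", 1)[0]  # "name ver (source)"

def dependency_paths(metadata_json: str, target: str) -> list:
    """Every path from the workspace root to `target`, as lists of crate names."""
    resolve = json.loads(metadata_json)["resolve"]
    edges = {n["id"]: [d["pkg"] for d in n["deps"]] for n in resolve["nodes"]}
    paths = []

    def walk(pkg_id, trail):
        trail = trail + [pkg_id]
        if pkg_name(pkg_id) == target:
            paths.append([pkg_name(p) for p in trail])
            return
        for dep in edges.get(pkg_id, []):
            if dep not in trail:  # cycle guard; dev-dependency cycles are legal in cargo
                walk(dep, trail)

    walk(resolve["root"], [])
    return paths

def direct_deps_to_gate(metadata_json: str, target: str) -> list:
    """Direct dependencies of the root through which `target` enters the build."""
    return sorted({p[1] for p in dependency_paths(metadata_json, target) if len(p) > 1})
```

On a real project, pipe `cargo metadata --format-version 1` into `dependency_paths` instead of the sample; `cargo tree -i protobuf` shows the same chains interactively, and the script form is what you would run in CI next to `cargo deny check`.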