Welcome @qu1queee! It looks like this is your first PR to knative/serving 🎉

Hi @qu1queee. Thanks for your PR.

I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Hey few things - after bumping the dependency in go.mod you'll want to run our hack/update-deps.sh script

Secondly you'll want to sign the CLA to contribute - https://cla.developers.google.com/clas

Let me know if you're blocked on those things and I can bump this dependency for you.

It looks like the string InstrumentHandler appears only in vendor/github.com/prometheus/client_golang/prometheus/promhttp, not in any other code in Knative -- we use raw prometheus.Gauge in queue-proxy.

(I was misled by VSCode in my initial search)

/ok-to-test

Thanks for the hint @dprotaso . As a side note, the update-deps.sh uses a go get which is deprecated on go v1.17, so the script didn't work immediately(depending on ur go version). Where could I open an issue for this?

/assign @dprotaso

@evankanderson thanks for the information. My rational on this PR was that for tooling such as Whitesource(OS security tool), a vulnerability will be raised when using this project as a dependency, due to the indirect one to the prometheus/client_golang. Therefore I thought it would not hurt to propose the bump here.

Codecov Report

Merging #12653 (089ee52) into main (c1aaaf6) will decrease coverage by 0.04%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main   #12653      +/-   ##
==========================================
- Coverage   87.52%   87.47%   -0.05%     
==========================================
  Files         195      195              
  Lines        9712     9712              
==========================================
- Hits         8500     8496       -4     
- Misses        929      931       +2     
- Partials      283      285       +2     

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c1aaaf6...089ee52. Read the comment docs.

I think it's fine to propose the bump. It was flagged as a Knative vulnerability, and I wanted to be clear that it was a false-positive.

/retest

/lgtm
/approve

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, qu1queee

The full list of commands accepted by this bot can be found here.

The pull request process is described here

thanks @qu1queee

re: the warning - yeah I believe it's a known issue

Made an issue about favouring go install knative/test-infra#3113

known flake
/retest