RUSTSEC-2024-0437: Update protobuf dependency #2769

Closed
wer1st opened this issue Mar 7, 2025 · 6 comments · Fixed by #2920

Comments

wer1st commented Mar 7, 2025

Now cargo audit has found a vulnerability in protobuf.
Please update your protobuf dependency to the current v3.

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 741 security advisories (from /home/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (528 crate dependencies)
Crate:     protobuf
Version:   2.28.0
Title:     Crash due to uncontrolled recursion in protobuf crate
Date:      2024-12-12
ID:        RUSTSEC-2024-0437
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0437
Solution:  No fixed upgrade is available!
Dependency tree:
protobuf 2.28.0
├── prometheus 0.13.4
│   ├── opentelemetry-prometheus 0.28.0
│   │   └── app 0.1.0
│   └── app 0.1.0
└── opentelemetry-prometheus 0.28.0

error: 1 vulnerability found!
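
The dependency tree in the cargo audit output above is the actionable part of the report: it names the direct dependencies (prometheus and opentelemetry-prometheus) through which the unpatched protobuf 2.28.0 reaches the application. The script below is an added example, not part of this issue or of the project's own code, that reconstructs those reverse-dependency chains from a Cargo.lock so the same check can be run offline without cargo. The embedded Cargo.lock content is constructed to mirror the tree above, and the function names are the example's own.

```python
"""Reverse-dependency chains for one crate from a Cargo.lock (added example).

Given the name of a crate flagged by an advisory, list every chain of
packages through which it reaches the workspace root, and the root's direct
dependencies responsible for pulling it in. Works on the Cargo.lock text
alone, so it needs no network access and no cargo binary.
"""
from collections import defaultdict

# Constructed Cargo.lock content mirroring the tree reported in the issue
# (protobuf 2.28.0 reached via prometheus and opentelemetry-prometheus).
# One entry uses the fully qualified "name version (source)" form that
# cargo writes when a name is ambiguous, to exercise the parser.
SAMPLE_LOCK = """\
version = 3

[[package]]
name = "app"
version = "0.1.0"
dependencies = [
 "opentelemetry-prometheus",
 "prometheus",
]

[[package]]
name = "opentelemetry-prometheus"
version = "0.28.0"
dependencies = [
 "prometheus",
 "protobuf 2.28.0 (registry+https://github.com/rust-lang/crates.io-index)",
]

[[package]]
name = "prometheus"
version = "0.13.4"
dependencies = [
 "protobuf",
]

[[package]]
name = "protobuf"
version = "2.28.0"
"""


def parse_lock(text):
    """Parse the [[package]] tables of a Cargo.lock into {name: (version, [deps])}.

    Only the subset cargo actually writes (name, version, multi-line
    dependencies list) is handled. Packages are keyed by name, so a lock
    file carrying two versions of the same crate keeps only the last one.
    """
    pkgs = {}
    name = version = None
    deps = []
    in_deps = False

    def flush():
        if name is not None:
            pkgs[name] = (version, deps)

    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            flush()
            name = version = None
            deps = []
            in_deps = False
        elif in_deps:
            if line.startswith("]"):
                in_deps = False
            elif line:
                # entries are "name", "name version" or "name version (source)"
                deps.append(line.strip('",').split()[0])
        elif line.startswith("name ="):
            name = line.split("=", 1)[1].strip().strip('"')
        elif line.startswith("version =") and name is not None:
            version = line.split("=", 1)[1].strip().strip('"')
        elif line.startswith("dependencies = ["):
            in_deps = True
    flush()
    return pkgs


def reverse_edges(pkgs):
    """Map each crate to the crates that depend on it directly."""
    rdeps = defaultdict(list)
    for name, (_, deps) in pkgs.items():
        for dep in deps:
            rdeps[dep].append(name)
    return rdeps


def dependency_paths(pkgs, target):
    """All chains target -> ... -> root, a root being a package nothing depends on."""
    rdeps = reverse_edges(pkgs)
    paths = []

    def walk(node, path):
        parents = sorted(rdeps.get(node, []))
        if not parents:
            paths.append(path)
            return
        for parent in parents:
            if parent in path:  # defensive: a lock file should be acyclic
                continue
            walk(parent, path + [parent])

    walk(target, [target])
    return paths


def direct_culprits(paths, root):
    """Root's direct dependencies through which the target is pulled in."""
    return sorted({p[-2] for p in paths if p[-1] == root and len(p) >= 2})


def render(paths):
    """One line per chain, read from the flagged crate up to the root."""
    return "\n".join(" <- ".join(p) for p in paths)


if __name__ == "__main__":
    packages = parse_lock(SAMPLE_LOCK)
    version, _ = packages["protobuf"]
    chains = dependency_paths(packages, "protobuf")
    print(f"protobuf {version} is reached through:")
    print(render(chains))
    print("direct dependencies to act on:", ", ".join(direct_culprits(chains, "app")))
```

Run against a real lock file by reading it into `parse_lock` instead of `SAMPLE_LOCK`; the "direct dependencies to act on" line is the list of crates whose own upgrade or replacement would have to happen before the flagged crate can drop out of the tree.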

@andrewmcgivery

Per @abernix in tikv/rust-prometheus#538

Upgrading to 3 is not going to fix it. 3 is also vulnerable to the same thing. Per the text in the advisory, there is no patched version of protobuf.

This needs to be patched in protobuf, or we need to move to an alternative crate like prost.

gruebel (Member) commented Mar 10, 2025

I took a brief look into opentelemetry-prometheus and the protobuf version has to be bumped in the prometheus crate first, because there are a couple of breaking changes.

@cijothomas (Member)

Maybe #2451 needs more discussion. We have not been investing energy into prometheus exporter for a while anyway.

wer1st (Author) commented Mar 19, 2025

> protobuf version has to be bumped in the prometheus crate first

It is in master now, by PR tikv/rust-prometheus#541.

gruebel (Member) commented Mar 19, 2025

As of #2831 the opentelemetry-prometheus crate will be discontinued and eventually removed, so there won't be any fix for it. Or should we still put in the effort of upgrading it, @cijothomas?

@cijothomas (Member)

My opinion is not to continue investing in a dedicated Prometheus exporter now. We are still struggling to hit 1.0, so we want to keep focus by reducing anything non-critical.
