Consider switching gopkg.in/yaml.* to github.com/goccy/go-yaml #49
Description
Looks like the gopkg.in/yaml.* project seems to be deprecated. Also, v2 is EOL.
https://github.com/goccy/go-yaml is being recommended, also by the author of gopkg.in/yaml. I checked briefly and it looks healthy and even more capable, especially around YAML marshal/unmarshal customizations.
An additional argument for doing this is that this creates friction for client_golang users due to broken vuln scanners. client_golang doesn't use YAML marshal/unmarshal directly, I believe, but we use common, so we are impacted by scanners.
NOTE: This will stop impacting client_golang if we stop importing common, if that's even possible.
Anyway, even if not for client_golang users with broken scanners, it would be nice to upgrade the Prometheus ecosystem going forward, assuming it's possible (PoC needed).
Kudos to @kakkoyun who surfaced this earlier on client_golang.