Summary
pingora-core declares prometheus = "0.13" as a hard (non-optional) dependency, which transitively pulls in protobuf v2.28.0. This version of protobuf has a known vulnerability (RUSTSEC-2024-0437 — stack overflow via uncontrolled recursion on untrusted input).
Problem
prometheus is only used in a single module: pingora-core/src/apps/prometheus_http_app.rs (the PrometheusServer / prometheus_http_service() app). Users who don't need the built-in Prometheus HTTP endpoint still get prometheus + protobuf in their dependency tree, inheriting the RUSTSEC-2024-0437 advisory.
The same applies to pingora-proxy, which also declares prometheus = "0" as a hard dependency.
Proposal
Make prometheus an optional dependency behind a feature flag (e.g., prometheus), and gate prometheus_http_app.rs behind #[cfg(feature = "prometheus")].
# pingora-core/Cargo.toml
[features]
prometheus = ["dep:prometheus"]
[dependencies]
prometheus = { version = "0.13", optional = true }
This lets users opt out of the protobuf v2 transitive dependency when they don't use Pingora's built-in Prometheus metrics endpoint.
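What the Rust side of this proposal would look like, as an added example that is not Pingora's own code: the module declaration is gated on the feature, and the rest of the crate keeps compiling whichever way the feature is set. The module and function names come from the issue; the bodies are stand-ins, and the Cargo fragment in the comment assumes the usual Cargo feature-forwarding syntax so that `pingora-proxy`'s feature turns on `pingora-core`'s.

```rust
// Added example: the cfg gate the proposal asks for. Not Pingora's real code;
// the module/function names are taken from the issue, the bodies are stubs.
//
// Suggested Cargo.toml for the dependent crate (pingora-proxy), so that
// enabling its `prometheus` feature also enables the one in pingora-core:
//
//   [features]
//   prometheus = ["dep:prometheus", "pingora-core/prometheus"]
//   [dependencies]
//   prometheus = { version = "0", optional = true }

/// Built-in Prometheus HTTP endpoint. Compiled only with `--features prometheus`;
/// in the real crate this is the only place that pulls in `prometheus` (and
/// therefore `protobuf` v2).
#[cfg(feature = "prometheus")]
pub mod prometheus_http_app {
    // Real code would `use prometheus::{Encoder, TextEncoder};` here. Stand-in.
    pub struct PrometheusServer;

    pub fn prometheus_http_service() -> PrometheusServer {
        PrometheusServer
    }
}

/// Reports whether this build carries the Prometheus endpoint, and with it the
/// `prometheus -> protobuf` dependency chain covered by RUSTSEC-2024-0437.
pub fn prometheus_endpoint_compiled_in() -> bool {
    cfg!(feature = "prometheus")
}

/// Caller-side code that must keep working with the feature on or off:
/// register the metrics app when it exists, otherwise say so.
#[cfg(feature = "prometheus")]
pub fn describe_build() -> &'static str {
    let _server = prometheus_http_app::prometheus_http_service();
    "metrics endpoint available (prometheus + protobuf v2 linked)"
}

#[cfg(not(feature = "prometheus"))]
pub fn describe_build() -> &'static str {
    "metrics endpoint not compiled in (no prometheus/protobuf in the tree)"
}

fn main() {
    println!("{}", describe_build());
}
```

Built without the feature (the default once `prometheus` is optional), `cargo tree -i protobuf` should report that the crate is no longer in the graph, which is the check to run before dropping the `cargo deny` ignore entry.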
Context
Discovered while integrating Pingora 0.7 into an API gateway project. cargo deny check flags RUSTSEC-2024-0437 as a hard error. The workaround is to ignore the advisory, but it would be cleaner to not compile the unused dependency at all.