[pkg-go] Bug#1138247: Upgrade to Prometheus 3.12.0
siretart at debian.org
Sat May 30 01:47:07 BST 2026
Package: src:prometheus
Severity: important
X-Debbugs-Cc: tina at debian.org, dswarbrick at debian.org, kanashiro at debian.org, pkg-go-maintainers at lists.alioth.debian.org
Hi Martina, Daniel, Lucas, and the pkg-golang team,
Now with Trixie released, we need to think about our upgrading strategy for Prometheus. I haven't heard of such plans yet; please provide me with links so that I can catch up in case I missed anything.
In the meantime, I've been looking into the current RC issues affecting the 2.53.x series in Unstable, and the situation is becoming increasingly difficult to manage on the 2.x branch:
**1. Unpatched Security Vulnerabilities (Grave)**
Two high-severity CVEs were published in May 2026 (Bug #1135999):
* **CVE-2026-42151:** Plaintext exposure of the Azure AD `client_secret` via the `/-/config` endpoint.
* **CVE-2026-42154:** DoS (memory exhaustion) via the `/api/v1/read` endpoint when handling snappy-compressed requests.
Upstream has fixed these in the 3.x line (v3.5.3 LTS and v3.12.0). However, because the 2.53 LTS branch officially reached its End-of-Life in July 2025, upstream has **not** backported these fixes to 2.x, and no future 2.5x releases are planned.
**2. Go 1.26 FTBFS Regression (Serious)**
We are seeing an FTBFS in archive rebuilds (Bugs #1137403, #1114942) with the error `parse error: unexpected character inside braces: '0'`. This is a regression tied to the Go 1.26 toolchain/libraries and stricter PromQL label validation. This is also unlikely to be addressed upstream in the EOL 2.x branch.
**Transition to 3.x**
What do we need for upgrading to 3.x? Is the old UI still available and can we somehow avoid introducing all those nodejs dependencies? Is packaging the UI separately an option?
-rt