False Positive: CVE-2019-3826 should not apply to Golang package
Hi there,
regardless of the changes themselves which might need a rework, I believe this vulnerability should be double-checked and eventually marked as FP.
CVE-2019-3826 (nvd) should apply to the Prometheus product rather than the Golang package.
If for some reason it should apply to the Golang package the proper version should be used: the latest (not retracted) for this Golang package is v0.48.0 (ref: https://pkg.go.dev/github.com/prometheus/prometheus?tab=versions)