deps: older version and syntax usage of github.com/prometheus/common blocks patching cosign CVE

[lucasrod16]

Describe the bug
Not sure I would classify this as a bug or feature, but it's related to an older dependency version that is affecting us from patching a CVE in our codebase.

Usage of expfmt.FmtText from an older version of the github.com/prometheus/common dependency. The FmtText constant has been made private since v0.48.0.

https://github.com/prometheus/common/blob/c1b9b7252566d10e2ef16a827f454810c7f7fa56/expfmt/expfmt.go#L24-L53
https://github.com/prometheus/common/releases/tag/v0.48.0
prometheus/common#576

To Reproduce
Steps to reproduce the behavior:

1. Clone the zarf repository
2. Checkout the renovate/go-github.com/sigstore/cosign/v2-vulnerability branch from this PR that patches a cosign vulnerability
3. From the root of the repo, run make to build the zarf binary

You can also view the error here in our CI without cloning the repo and manually reproducing:

https://github.com/defenseunicorns/zarf/actions/runs/8696598566/job/23850223859?pr=2437#step:4:91

Expected behavior
Our build succeeds

Screenshots

Versions (please complete the following information):

• OS: M1 Mac
• Popeye: v0.11.2
• K8s: N/A

[lucasrod16]

popeye/pkg/popeye.go

Line 425 in d09ec25

pusher = pusher.Format(expfmt.FmtText)

[schristoff]

Hey @derailed - any way we could get an update on this, seems like the associated PR should fix this pretty ez :)