Prometheus related vulnerability show up even if the project does not use it as a dependency

Hi community,
we have a gateway project which uses KrakenD-CE, which only has two plugins with only one having a single dependency, nowhere in the project there is a dependency on prometheus, even go vuln tool doesn’t show any vulnerability but until the project goes into build and crowdstrike scan reports us the built image has CVE-2019-3826 vulnerability, can someone give , me an idea where other than in project the prometheus could have been involved?