MODULE.bazel depends on a bad protobuf version (for Java)
ejona86 opened this issue · 3 comments
MODULE.bazel is using protobuf 27.0-rc2 and disagrees with bazel/repository_locations.bzl which uses 21.5. For starters, why use an RC version?
Protobuf versions after 23.x start a new major version in Java to 4.x. However, the ecosystem is blocked on protocolbuffers/protobuf#17247 before they can upgrade. Yes, you build from source with Bazel, but Bazel in Java still pulls many things from Maven Central (via maven_install) and so could have been compiled with older versions of protobuf, and thus be incompatible with 27.0-rc2.
In grpc-java we were trying to swap to xds from BCR, but noticed the newer protobuf, which means we can't upgrade as it is simply too dangerous/confusing to users. I'm happy to see #96, but it seems the versions should become somewhat aligned with repository_locations.bzl and protobuf downgraded to 21.7.
I looked through the transitive dependencies, and didn't see any that used such a new protobuf version. But I didn't actually try a build to verify.
I think I had to use that version because of various other broken things. We could try to downgrade but I guess it depends on other common transitives and their versions really. grpc depends on 26 so realistically we have to go at least that high?
grpc 1.56.3.bcr.1 (in the MODULE.bazel) depends on protobuf 3.19.2. grpc 1.59.1 (in repository_locations.bzl) isn't available on BCR, but yeah, the next version in BCR 1.62.1 does depend on protobuf 26. But grpc itself at 1.62.2 depended on protobuf 25. So that is just a BCR "bug."
I don't see this repository needing to depend on a newer version of grpc than 1.56, as downstream users can upgrade to later grpc themselves. I may also talk to the grpc repo folks and suggest they downgrade protobuf. Many users will be prohibited from upgrading until this is resolved.
I think in my testing while working on this I was trying to integrate it with more downstream deps like envoyproxy/envoy#34355, and the old versions of protobuf didn't work. I think until 27.x there were a lot of protobuf issues with bzlmod, so I think we'd probably hit some if we were trying to downgrade. I didn't try to bring along the WORKSPACE versions as long as they could co-exist.
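An added example, not part of the original thread or the project's code: a small CI-style check that reports prerelease versions in MODULE.bazel and drift against the WORKSPACE-side pins, the two problems raised in this issue. The file text is constructed, and the function names and the pin dictionary are assumptions; only the version strings come from the thread.

```python
import re

# Constructed MODULE.bazel text; the two versions are the ones quoted in the thread.
MODULE_BAZEL = '''
bazel_dep(name = "protobuf", version = "27.0-rc2")
bazel_dep(
    version = "1.56.3.bcr.1",
    name = "grpc",
)
# bazel_dep(name = "ignored", version = "0.0.1")
'''

# WORKSPACE-side pins as quoted in the thread for repository_locations.bzl.
WORKSPACE_PINS = {"protobuf": "21.5", "grpc": "1.59.1"}

CALL = re.compile(r'bazel_dep\s*\((.*?)\)', re.S)
KWARG = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
PRERELEASE = re.compile(r'-(rc|alpha|beta|pre)', re.I)

def parse_bazel_deps(text):
    """Return {module name: version} for every bazel_dep() call, skipping comments."""
    code = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    deps = {}
    for call in CALL.finditer(code):
        kwargs = dict(KWARG.findall(call.group(1)))  # keyword order does not matter
        if "name" in kwargs and "version" in kwargs:
            deps[kwargs["name"]] = kwargs["version"]
    return deps

def leading_numbers(version):
    """'27.0-rc2' -> (27, 0); '1.56.3.bcr.1' -> (1, 56, 3); no leading digits -> ()."""
    m = re.match(r'\d+(?:\.\d+)*', version)
    return tuple(int(n) for n in m.group(0).split(".")) if m else ()

def audit(module_text, pins):
    """Return sorted (module, finding) pairs for prereleases and major.minor pin drift."""
    findings = []
    for name, version in parse_bazel_deps(module_text).items():
        if PRERELEASE.search(version):
            findings.append((name, "prerelease " + version))
        pin = pins.get(name)
        if pin and leading_numbers(version)[:2] != leading_numbers(pin)[:2]:
            findings.append((name, "drift %s vs %s" % (version, pin)))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(MODULE_BAZEL, WORKSPACE_PINS):
        print(name + ": " + finding)
```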