You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The rules-proto_grpc module (specifically rules_proto_grpc_java) has a maven.install() clause which governs which versions of grpc and protobuf java libraries are installed on the classpath.
Couple of issues I've seen:
5.0.1 is the latest github release, but this has not been propagated to bazel registry for whatever reason. - 5.0.0 is the latest bazel registry version so I will base the rest of this discussion on this:
the grpc and protobuf libraries are both out of date, protobuf 4.27.2 is from June, and has an active vulnerability which feeds all the way to x.28.0.
io.grpc:grpc-protobuf for some bizzare reason depends on version 3.25.3 of protobuf
While there's probably nothing that can be done about the old protobuf dependency in the grpc-protobuf library, is there anything stopping the rules_proto_grpc team from staying on top of protobuf and grpc upgrades as shown in the MODULE.bazel file?
Is looks like it might be a more involved process to upgrade these dependencies, I see renovate is switched on so it's not a lack of visibility of dependency upgrades?
Is there a document anywhere showing how to go about upgrading these dependencies in a 'turnkey' fashion?
PS I am happy to raise a PR, I'm just want to be sure there isn't anything precluding this e.g. "Yes we'd like to do that too, but we're blocked on xyz", or "it's more involved than just bumping the version"
The text was updated successfully, but these errors were encountered:
Description
The rules-proto_grpc module (specifically rules_proto_grpc_java) has a maven.install() clause which governs which versions of grpc and protobuf java libraries are installed on the classpath.
Couple of issues I've seen:
but this has not been propagated to bazel registry for whatever reason.- 5.0.0 is the latest bazel registry version so I will base the rest of this discussion on this:Version 5.0.1 uses the following dependencies:
3.25.3of protobufWhile there's probably nothing that can be done about the old protobuf dependency in the grpc-protobuf library, is there anything stopping the rules_proto_grpc team from staying on top of protobuf and grpc upgrades as shown in the MODULE.bazel file?
Is looks like it might be a more involved process to upgrade these dependencies, I see renovate is switched on so it's not a lack of visibility of dependency upgrades?
Is there a document anywhere showing how to go about upgrading these dependencies in a 'turnkey' fashion?
PS I am happy to raise a PR, I'm just want to be sure there isn't anything precluding this e.g. "Yes we'd like to do that too, but we're blocked on xyz", or "it's more involved than just bumping the version"
The text was updated successfully, but these errors were encountered: