The project currently brings in protobuf-java 4.x as a transitive dependency:
```
--- io.micrometer:micrometer-registry-prometheus -> 1.14.8
     +--- io.micrometer:micrometer-core:1.14.8 (*)
     +--- io.prometheus:prometheus-metrics-core:1.3.8
     |    +--- io.prometheus:prometheus-metrics-model:1.3.8
     |    \--- io.prometheus:prometheus-metrics-config:1.3.8
     +--- io.prometheus:prometheus-metrics-tracer-common:1.3.8
     \--- io.prometheus:prometheus-metrics-exposition-formats:1.3.8
          \--- io.prometheus:prometheus-metrics-exposition-formats-no-protobuf:1.3.8
               +--- io.prometheus:prometheus-metrics-exposition-textformats:1.3.8
               |    +--- io.prometheus:prometheus-metrics-model:1.3.8
               |    \--- io.prometheus:prometheus-metrics-config:1.3.8
               \--- com.google.protobuf:protobuf-java:4.31.0
```
Since many projects rely on protobuf-java 3.x, pulling in version 4.x at runtime can lead to compatibility issues and unexpected behavior.
To mitigate this risk, we should consider shading and relocating the protobuf dependency to isolate it from downstream consumers.
Otherwise, a small dependency increment such as 1.14.7 -> 1.14.8 can introduce unexpected breaking changes due to our transitive dependencies.
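One way to do the shading and relocation described above, as an added Gradle example that is not the project's actual build script. The shadow plugin id and version, the `shaded` configuration name, the `io.micrometer.shaded` relocation prefix and the verification task are all assumptions:

```groovy
// build.gradle (Groovy DSL): hypothetical module that bundles protobuf-java
// under a private package so consumers keep their own protobuf 3.x.
plugins {
    id 'java-library'
    id 'com.gradleup.shadow' version '8.3.6'   // plugin version is an assumption
}

configurations {
    // Everything in 'shaded' is bundled into the jar and rewritten by shadowJar;
    // because it is not part of api/implementation it never reaches the published POM.
    shaded
    compileOnly.extendsFrom shaded
    testRuntimeOnly.extendsFrom shaded
}

dependencies {
    // Any library whose classes reference com.google.protobuf.* must be shaded
    // together with protobuf-java; otherwise its bytecode still points at the
    // original package and resolves against the consumer's 3.x copy at runtime.
    shaded 'io.prometheus:prometheus-metrics-exposition-formats:1.3.8'
    shaded 'com.google.protobuf:protobuf-java:4.31.0'
}

jar { archiveClassifier = 'plain' }   // keep the unshaded jar out of the way

shadowJar {
    configurations = [project.configurations.shaded]
    archiveClassifier = ''            // the shaded jar becomes the main artifact
    relocate 'com.google.protobuf', 'io.micrometer.shaded.com.google.protobuf'
}

// Fail the build if any protobuf class survived under its original package,
// which is the symptom of a forgotten dependency in the 'shaded' set.
tasks.register('verifyProtobufRelocation') {
    dependsOn shadowJar
    doLast {
        def jar = new java.util.zip.ZipFile(shadowJar.archiveFile.get().asFile)
        def leaked = jar.entries().toList()
                .collect { it.name }
                .findAll { it.startsWith('com/google/protobuf/') }
        jar.close()
        if (leaked) {
            throw new GradleException("Unrelocated protobuf classes in jar: ${leaked.take(5)}")
        }
    }
}
tasks.named('check') { dependsOn 'verifyProtobufRelocation' }
```

Running `gradle check` then guards the relocation on every build, and `gradle dependencyInsight --dependency protobuf-java` on a consumer project should no longer show 4.x coming from this module.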