Flurry of dependencies and conflicts brought in with latest protobuf bazel module

[daniel-b2c2]

I've just upgraded to bazelmod from 28.3 to 29.0 for protobuf and I'm getting these warnings:

    com.google.guava:guava has multiple versions 33.3.1-jre, 32.0.1-jre
    org.mockito:mockito-core has multiple versions 5.14.2, 4.3.1
    info.picocli:picocli has multiple versions 4.7.6, 4.6.3

These dependencies are somehow being brought in via the protobuf module.

The concerns I have:

• What is mockito-core doing on a production classpath? This is used for testing normally.
• What are these new entries biz.aQute.bnd
  • Are you enabling this to be used in an osgi context or have you accidentally added build tooling to the dependency set?
• Why is a CLI library like picocli required for protobufs module?
• Why are all these dependencies so far behind?
• How can I avoid all this? Am I doing something wrong?

Filed as a bug as I cannot really see why all these non-production dependencies or deps that seem unrelated to the task at hand, that are so far behind, would be exposed besides some sort of error during release... almost feels like something test related has leaked into prod by mistake.

I really hope I'm "holding it wrong" and there's a quick fix.

What version of protobuf and what language are you using?

    "com.google.protobuf:protobuf-java:4.29.0",
    "com.google.protobuf:protobuf-java-util:4.29.0",
   bazel_dep(name = "protobuf", version = "29.0")
    "io.grpc:grpc-api:1.68.2",
    "io.grpc:grpc-context:1.68.2",
    "io.grpc:grpc-core:1.68.2",
    "io.grpc:grpc-netty:1.68.2",
    "io.grpc:grpc-protobuf:1.68.2",
    "io.grpc:grpc-services:1.68.2",
    "io.grpc:grpc-stub:1.68.2",
    "io.grpc:grpc-testing:1.68.2",

Java

What operating system (Linux, Windows, ...) and version?
Linux/Mac OS M1

What runtime / compiler are you using (e.g., python version or gcc version)

bazel 7 Java 21

As a precaution, I've rolled back to 28.3 but I have no idea what the impact will be. There are so many separate bazel modules required to work with protobufs and grpc that it's often hard to tell exactly what each module is providing.

[shs96c]

Looking at the module definition, it seems as if this should have been fixed in this PR, which should be in the latest release.

[daniel-b2c2]

I can see 29.0 came out 5 days ago, presumably that would contain the fix which was from October? Yet I still see the issue in 29.0..

[daniel-b2c2]

Ah, I see, @shs96c 29.0 did come out 5 days ago, but it's not the very latest, unless I'm misunderstanding github, it's missing 800 or so commits amongst which the fix you mention: v29.0...main
(load additional commits)

[zhangskz]

This should be patched in the v29.1 patch -- please reopen if you are still hitting this!