Consider shading` protobuf-java` to avoid conflicts

[yeikel]

The project currently brings in protobuf-java 4.x as a transitive dependency:

--- io.micrometer:micrometer-registry-prometheus -> 1.14.8
     +--- io.micrometer:micrometer-core:1.14.8 (*)
     +--- io.prometheus:prometheus-metrics-core:1.3.8
     |    +--- io.prometheus:prometheus-metrics-model:1.3.8
     |    \--- io.prometheus:prometheus-metrics-config:1.3.8
     +--- io.prometheus:prometheus-metrics-tracer-common:1.3.8
     \--- io.prometheus:prometheus-metrics-exposition-formats:1.3.8
          \--- io.prometheus:prometheus-metrics-exposition-formats-no-protobuf:1.3.8
               +--- io.prometheus:prometheus-metrics-exposition-textformats:1.3.8
               |    +--- io.prometheus:prometheus-metrics-model:1.3.8
               |    \--- io.prometheus:prometheus-metrics-config:1.3.8
               \--- com.google.protobuf:protobuf-java:4.31.0

Since many projects rely on protobuf-java 3.x, pulling in version 4.x at runtime can lead to compatibility issues and unexpected behavior.

To mitigate this risk, we should consider shading and relocating the protobuf dependency to isolate it from downstream consumers.

Otherwise, a small dependency increment such as 1.14.7 -> 1.14.8 can introduce unexpected breaking changes due to our transitive dependencies

[lenoch7]

I have same problem. It was (probably) caused by 1293. I already shortly discussed it (see my comment). I was asked to create issue, but now I see that issue already exists ;)

I attached simple example (shaded-protobuf.zip), where dependency tree can be done (and compared) for version 1.3.6 and 1.3.8.

Version 1.3.8 ("no shaded" protobuf dependency is included via prometheus-metrics-exposition-formats-no-protobuf defined as dependency of prometheus-metrics-exposition-formats)

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ shaded-protobuf ---
[INFO] test:shaded-protobuf:jar:0.0.1-SNAPSHOT
[INFO] +- io.prometheus:prometheus-metrics-core:jar:1.3.8:compile
[INFO] |  +- io.prometheus:prometheus-metrics-model:jar:1.3.8:compile
[INFO] |  +- io.prometheus:prometheus-metrics-config:jar:1.3.8:compile
[INFO] |  \- io.prometheus:prometheus-metrics-tracer-initializer:jar:1.3.8:compile
[INFO] |     +- io.prometheus:prometheus-metrics-tracer-common:jar:1.3.8:compile
[INFO] |     +- io.prometheus:prometheus-metrics-tracer-otel:jar:1.3.8:compile
[INFO] |     \- io.prometheus:prometheus-metrics-tracer-otel-agent:jar:1.3.8:compile
[INFO] +- io.prometheus:prometheus-metrics-instrumentation-jvm:jar:1.3.8:compile
[INFO] \- io.prometheus:prometheus-metrics-exporter-httpserver:jar:1.3.8:compile
[INFO]    \- io.prometheus:prometheus-metrics-exporter-common:jar:1.3.8:compile
[INFO]       +- io.prometheus:prometheus-metrics-exposition-textformats:jar:1.3.8:compile
[INFO]       \- io.prometheus:prometheus-metrics-exposition-formats:jar:1.3.8:runtime
[INFO]          \- io.prometheus:prometheus-metrics-exposition-formats-no-protobuf:jar:1.3.8:runtime
[INFO]             \- com.google.protobuf:protobuf-java:jar:4.31.0:runtime

Version 1.3.6 (where "shaded" protobuf is part of prometheus-metrics-exposition-formats dependency)

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ shaded-protobuf ---
[INFO] test:shaded-protobuf:jar:0.0.1-SNAPSHOT
[INFO] +- io.prometheus:prometheus-metrics-core:jar:1.3.6:compile
[INFO] |  +- io.prometheus:prometheus-metrics-model:jar:1.3.6:compile
[INFO] |  +- io.prometheus:prometheus-metrics-config:jar:1.3.6:compile
[INFO] |  \- io.prometheus:prometheus-metrics-tracer-initializer:jar:1.3.6:compile
[INFO] |     +- io.prometheus:prometheus-metrics-tracer-common:jar:1.3.6:compile
[INFO] |     +- io.prometheus:prometheus-metrics-tracer-otel:jar:1.3.6:compile
[INFO] |     \- io.prometheus:prometheus-metrics-tracer-otel-agent:jar:1.3.6:compile
[INFO] +- io.prometheus:prometheus-metrics-instrumentation-jvm:jar:1.3.6:compile
[INFO] \- io.prometheus:prometheus-metrics-exporter-httpserver:jar:1.3.6:compile
[INFO]    \- io.prometheus:prometheus-metrics-exporter-common:jar:1.3.6:compile
[INFO]       +- io.prometheus:prometheus-metrics-exposition-textformats:jar:1.3.6:compile
[INFO]       \- io.prometheus:prometheus-metrics-exposition-formats:jar:1.3.6:runtime

[zeitlinger]

Protobuf is still shaded here: https://mvnrepository.com/artifact/io.prometheus/prometheus-metrics-exposition-formats/1.3.8 - you can see from download the jar

I hope this answers the question.

[breun]

io.prometheus:prometheus-metrics-exposition-formats 1.3.6 does not have a transitive dependency on com.google.protobuf:protobuf-java:

io.prometheus:prometheus-metrics-exposition-formats
\- io.prometheus:prometheus-metrics-exposition-textformats
   +- io.prometheus:prometheus-metrics-model
   \- io.prometheus:prometheus-metrics-config

io.prometheus:prometheus-metrics-exposition-formats 1.3.7 and 1.3.8 do have have a transitive dependency on com.google.protobuf:protobuf-java, via the new dependency on io.prometheus:prometheus-metrics-exposition-formats-no-protobuf:

io.prometheus:prometheus-metrics-exposition-formats
\- io.prometheus:prometheus-metrics-exposition-formats-no-protobuf
   +- com.google.protobuf:protobuf-java
   \- io.prometheus:prometheus-metrics-exposition-textformats
      +- io.prometheus:prometheus-metrics-model
      \- io.prometheus:prometheus-metrics-config

This is also causing issues in our projects, due to the version of protobuf-java clashing with the version of Protobuf that's used/assumed elsewhere.

[zeitlinger]

Thanks for the great explanation @breun - I was just looking at the wrong place. Now I created #1433 to fix this issue.