chore(deps): bump io.github.ascopes:protobuf-maven-plugin from 4.1.3 to 5.0.2

[dependabot]

Bumps io.github.ascopes:protobuf-maven-plugin from 4.1.3 to 5.0.2.

Release notes

Sourced from io.github.ascopes:protobuf-maven-plugin's releases.

v5.0.2

Bugfixes:

• Reimplement artifact resolution to handle additional edge cases that may previously have bled into other code and caused spurious/unhelpful/vague exceptions during dependency resolution.
  • Specifically, this handles a case where passing a non-existent classifier on a published dependency could result in an ArrayIndexOutOfBoundsException being raised at runtime. Other edge cases should also be handled more sensibly moving forwards.

Other changes:

• Dependency resolution now explicitly ensures additional configuration overrides within the Maven/Aether transports are propagated and used correctly with respect to things like proxies and custom authenticators.
• New examples by @​sleepkqq for building Kotlin gRPC projects in the documentation.
• Build on Maven 3.9.13 in addition to 3.9.6 and 4.0.0-rc-5, now that the former has been released.

v5.0.1 release notes

• Implemented partial workaround for GH-596 where users may experience OutOfMemoryExceptions being raised by Eclipse Aether during dependency resolution. - The plugin now follows similar behaviour to Maven Core by not recursing into transitive test dependencies and fat artifact dependencies, which was considered to be surprising and undefined behaviour.
  • Users depending on the old behaviour should explicitly declare their dependencies following standard Maven conventions.
  • This is not deemed a breaking change since the old behaviour is undefined and does not follow Maven default behaviour.
• Reverted offloading project dependency resolution to Maven to address GH-939.
  • This previously manifested as various Maven reactor failures when resolving sibling dependencies in a Maven multi-module project.
  • Users can now disable dependency resolution for the main project dependencies correctly by setting <ignoreProjectDependencies>true</ignoreProjectDependencies> and only specify their protobuf dependencies via the plugin itself.
• Reduced default concurrency multiplier used for various internal tasks after several JFR profiling sessions showed a general lack of utilisation of the thread pool.
  • This should reduce idle resources slightly in builds.
• Various Aether internals are now cached for the duration of the plugin goal rather than recreated numerous times during dependency resolution.
  • This should reduce resource usage slightly in builds.
• Updated plugin to use protobuf-java:4.34.0for various descriptor file-related activities.
• Updated project and integration test dependencies to verify plugin compatibility across various component matrices.

v5.0.0

New major version that removes some old tech debt introduced for backwards API compatibility with minor versions on v4.x and older. This allows extending this plugin with new features moving forwards by removing some limitations around the old way of configuring a couple of aspects.

The changes are fairly minor, but migration details have been added below.

[!TIP] Users with concerns about making changes across many projects due to being pinned to an older version of this plugin can first upgrade their parent projects to point at v4.1.3 of this plugin while they perform migration steps incrementally.

If there are any concerns or queries, please add a comment to the discussion.

Protoc plugin declarations

We have removed deprecated legacy protoc plugin parameters from GH-877 -- users must use the plugins parameter instead now. - binaryMavenPlugins is removed, use plugins with kind="binary-maven" instead. - binaryPathPlugins is removed, use plugins with kind="path" instead. - binaryUrlPlugins is removed, use plugins with kind="url" instead. - jvmMavenPlugins is removed, use plugins with kind jvm-maven instead.

See https://ascopes.github.io/protobuf-maven-plugin/using-protoc-plugins.html for full usage details and examples, but effectively the change that users will want to make is the following:

Old usage:

</tr></table> 

... (truncated)

Commits

• 7d80b0e [maven-release-plugin] prepare release v5.0.2
• b7ba3a4 Merge pull request #955 from ascopes/dependabot/maven/main/org.apache.maven-m...
• 11bbb92 Merge pull request #956 from ascopes/dependabot/maven/main/org.apache.maven.p...
• e7ca48e Merge pull request #957 from ascopes/dependabot/maven/main/org.apache.maven-m...
• aa8bfc1 Merge pull request #958 from ascopes/dependabot/maven/protobuf-maven-plugin/s...
• 5d53f85 Bump net.alchim31.maven:scala-maven-plugin
• 261f7b0 Bump org.apache.maven:maven-core from 3.9.12 to 3.9.13
• 883c348 Bump org.apache.maven.plugins:maven-resources-plugin from 3.4.0 to 3.5.0
• c9b37cb Bump org.apache.maven:maven-plugin-api from 3.9.12 to 3.9.13
• 7586ac0 Merge pull request #954 from ascopes/bugfix/GH-951
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[mergify]

🧪 CI Insights

Here's what we observed from your CI run for 4fb8b46.

🟢 All jobs passed!

But CI Insights is watching 👀

[robfrank]

@dependabot rebase

[robfrank]

@dependabot rebase

[robfrank]

@dependabot rebase