Description
Hi!
Our organization is large: we have a few thousand Maven projects plus a Bazel repo, all importing an internal BOM which in turn imports Google's libraries-bom. Many libraries of course depend on error-prone-annotations, and we also have a few internal checks that import -core.
The latest error-prone 2.38.0 upgraded to Guava 33.4.6, part of a series of releases that introduce a few problems. In practice, the changes with modularization and nullability checks means that many projects don't build with the upgrade and require some time to fix.
We had a very similar situation a few months ago where error-prone upgraded protobuf to a release that is known to introduce complicated breaking changes that can take a long time to fix.
Since in Maven, transitive dependencies are intended as minimum requirements, and in fact to avoid problems we run the enforcer-plugin with the requireUpperBounds check, when a widely used tool like error-prone upgrades to very recent and problematic releases of libraries like protobuf and guava, large organizations especially can have problems.
Specifically for Guava in this case, was this upgrade really necessary or could it be reverted? Maybe error-prone could have a policy to be very conservative in the transitive dependencies that it introduces to relieve such problems? That would help a lot, thank you!
As a side note, is there an expectation that an organization uses all the different error-prone libraries (-annotations, -core, etc) at the same version - and in that case, could you consider an internal BOM to facilitate that? Or instead do you see them more as separate, where general usage of the annotations should only depend on the latest error-prone-annotations (which doesn't pull anything transitively), and only custom defined checks should pull the other libraries, including their more problematic transitive dependencies? Thanks again!