If you want to upgrade your Bazel dependencies using pinned semver constraints and a lockfile, I've made this [0] for you.
It supersedes http_archive and falls back to git_repository if needed. Just run `bazel sync`. See it working at [1].
Note: there's an open (and somewhat long-standing) issue WRT Bazel fetching from GitLab.