xds: add use_system_root_certs to CertificateValidationContext#34235
Merged
htuch merged 2 commits intoenvoyproxy:mainfrom May 31, 2024
Merged
xds: add use_system_root_certs to CertificateValidationContext#34235htuch merged 2 commits intoenvoyproxy:mainfrom
htuch merged 2 commits intoenvoyproxy:mainfrom
Conversation
Signed-off-by: Mark D. Roth <[email protected]>
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
htuch
reviewed
May 19, 2024
| // If true, system root certs are used only if neither of the ``trusted_ca`` | ||
| // or ``ca_certificate_provider_instance`` fields are set. | ||
| // [#not-implemented-hide:] | ||
| bool use_system_root_certs = 17; |
Member
There was a problem hiding this comment.
I wonder if this should be a message (empty for now) to future proof against potentially wanting some control over system cert details. For example allow or deny listing certain inbuilt certs.
Contributor
Author
There was a problem hiding this comment.
I'm not opposed to that if you feel strongly, but I don't think it's really necessary. The real intent of this option is to tell the client to use built-in logic that knows how to find the system root certs without the control plane having to know the details. If we wanted the control plane to directly manage this, we would just use certificate providers instead.
Member
There was a problem hiding this comment.
It's not just control plane but also bootstrap in some cases. I think just a SystemRoots empty message for now. I can see folks wanting to do filtering and other stuff from orchestration logic and so on potentially.
Contributor
Author
There was a problem hiding this comment.
The bootstrap use-case is a good point. Okay, changed it to an empty message.
Signed-off-by: Mark D. Roth <[email protected]>
Contributor
|
@htuch ping |
mergify bot
added a commit
to ArcadeData/arcadedb
that referenced
this pull request
Dec 29, 2025
Bumps `grpc.version` from 1.77.0 to 1.78.0. Updates `io.grpc:grpc-netty-shaded` from 1.77.0 to 1.78.0 Release notes *Sourced from [io.grpc:grpc-netty-shaded's releases](https://github.com/grpc/grpc-java/releases).* > V1.78.0 > ------- > > ### Bug Fixes > > * core: Fix shutdown failing accepted RPCs during channel startup (02e98a806). This fixes a race where RPCs could fail with "UNAVAILABLE: Channel shutdown invoked" even though they were created before channel.shutdown() > * okhttp: Fix race condition overwriting MAX\_CONCURRENT\_STREAMS ([#12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) (8d49dc1c9) > * binder: Stop leaking `this` from BinderServerTransport's ctor ([#12453](https://redirect.github.com/grpc/grpc-java/issues/12453)) (89d77e062) > * rls: Avoid missed config update from reentrancy (55ae1d054). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE\_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) > > ### Improvements > > * xds: gRFC A88 - Changes to XdsClient Watcher APIs ([#12446](https://redirect.github.com/grpc/grpc-java/issues/12446)) (f385add31). We now have improved xDS error handling and this provides a clearer mechanism for the xDS server to report per-resource errors to the client, resulting in better error messages for debugging and faster detection of non-existent resources. This also improves the handling of all xDS-related data errors and the behavior of the xDS resource timer. > * rls: Control plane channel monitor state and back off handling ([#12460](https://redirect.github.com/grpc/grpc-java/issues/12460)) (26c1c1341). Resets RLS request backoff timers when the Control plane channel state transitions to READY. Also when the backoff timer expires, instead of making a RLS request immediately, it just causes a picker update to allow making rpc again to the RLS target. > * core: simplify DnsNameResolver.resolveAddresses() (4843256af) > * netty: Run handshakeCompleteRunnable in success cases (283f1031f) > * api,netty: Add custom header support for HTTP CONNECT proxy (bbc0aa369) > * binder: Pre-factor out the guts of the BinderClientTransport handshake. (9313e87df) > * compiler: Add RISC-V 64-bit architecture support to compiler build configuration (725ab22f3) > * core: Release lock before closing shared resource (cb73f217e). Shared resources are internal to gRPC for sharing expensive objects across channels and servers, like threads. This reduces the chances of forming a deadlock, like seen with s2a in d50098f > * Upgrade gson to 2.12.1 (6dab2ceab) > * Upgrade dependencies (f36defa2d). proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0, error-prone annotations to 2.44.0, guava to 33.5.0-android, opentelemetry to 1.56.0 > * compiler: Update maximum supported protobuf edition to EDITION\_2024 (2f64092b8) > * binder: Introduce server authorization strategy v2 (d9710725d). Adds support for `android:isolatedProcess` Services and moves all security checks to the handshake, making subsequent transactions more efficient. > > ### New Features > > * compiler: Upgrade to C++ protobuf 33.1 ([#12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) (58ae5f808). > * util: Add gRFC A68 random subsetting LB (48a42889d). The policy uses the name `random_subsetting_experimental`. If it is working for you, tell us so we can gauge marking it stable. While the xDS portions haven’t yet landed, it is possible to use with xDS with JSON-style Structs as supported by gRFC A52 > * xds: Support for System Root Certs ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy. The xDS `CertificateValidationContext` message (see [envoyproxy/envoy#34235](https://redirect.github.com/envoyproxy/envoy/pull/34235)) has a `system_root_certs` field. In the gRPC client, if this field is present and the `ca_certificate_provider_instance` field is unset, system root certificates will be used for validation. This implements [gRFC A82](https://github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md). > * xds: Support for GCP Authentication Filter ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). In service mesh environments, there are cases where intermediate proxies make it impossible to rely on mTLS for end-to-end authentication. These cases can be addressed instead by the use of service account identity JWT tokens. The xDS [GCP Authentication filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter) provides a mechanism for attaching such JWT tokens as gRPC call credentials on GCP. gRPC already supports a framework for xDS HTTP filters, as described in [gRFC A39](https://github.com/grpc/proposal/blob/master/A39-xds-http-filters.md). This release supports the GCP Authentication filter under this framework as described in [gRFC A83](https://github.com/grpc/proposal/blob/master/A83-xds-gcp-authn-filter.md). > * xds: Support for xDS-based authority rewriting ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). gRPC supports getting routing configuration from an xDS server, as described in gRFCs [A27](https://github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md) and [A28](https://github.com/grpc/proposal/blob/master/A28-xds-traffic-splitting-and-routing.md). The xDS configuration can configure the client to rewrite the authority header on requests. This functionality can be useful in cases where the server is using the authority header to make decisions about how to process the request, such as when multiple hosts are handled via a reverse proxy. Note that this feature is solely about rewriting the authority header on data plane RPCs; it does not affect the authority used in the TLS handshake. > As mentioned in [gRFC A29](https://github.com/grpc/proposal/blob/master/A29-xds-tls-security.md), there are use-cases for gRPC that prohibit trusting the xDS server to control security-centric configuration. The authority rewriting feature falls under the same umbrella as mTLS configuration. As a result, the authority rewriting feature will only be enabled when the bootstrap config for the xDS server has `trusted_xds_server` in the `server_features` field. > * xds: xDS based SNI setting and SAN validation ([#12378](https://redirect.github.com/grpc/grpc-java/issues/12378)) (0567531). When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS. Implements gRFC [A101](https://github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md). > > ### Documentation > > * api: Document gRFC A18 TCP\_USER\_TIMEOUT handling for keepalive (da7038782) > * core: Fix AbstractClientStream Javadoc (28a6130e8) > * examples: Document how to preserve META-INF/services in uber jars (97695d523) > > ### Thanks to > > * [`@panchenko`](https://github.com/panchenko) > * [`@Dayuxiaoshui`](https://github.com/Dayuxiaoshui) > * [`@becomeStar`](https://github.com/becomeStar) > * [`@kssumin`](https://github.com/kssumin) > * [`@marcindabrowski`](https://github.com/marcindabrowski) > * [`@MariusVolkhart`](https://github.com/MariusVolkhart) > * [`@Zgoda91`](https://github.com/Zgoda91) > * [`@devalkone`](https://github.com/devalkone) ... (truncated) Commits * [`8fa6000`](https://github.com/grpc/grpc-java/commit/8fa6000259958fd3b2bdba579ea7dc002ad95777) Bump version to 1.78.0 * [`87df333`](https://github.com/grpc/grpc-java/commit/87df333f8ebd23669734b19c16e2cb7a187fded3) Update README etc to reference 1.78.0 * [`283f103`](https://github.com/grpc/grpc-java/commit/283f1031f7b48ce32a2f91bb92bac93a0ca29bdd) netty: Run handshakeCompleteRunnable in success cases * [`eb8a63c`](https://github.com/grpc/grpc-java/commit/eb8a63cefb827337cc9fd4c5a3877d96a238c1d6) Introduce io.grpc.Uri. ([#12535](https://redirect.github.com/grpc/grpc-java/issues/12535)) * [`58ae5f8`](https://github.com/grpc/grpc-java/commit/58ae5f808cf8e20c5864033c9a8f485b237f9dfc) compiler: Upgrade to protobuf 33.1 ([#12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) * [`8d49dc1`](https://github.com/grpc/grpc-java/commit/8d49dc1c9129fc42c6b80584f5dbad1a543009b5) okhttp: Fix race condition overwriting MAX\_CONCURRENT\_STREAMS ([#12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) * [`b1a94a4`](https://github.com/grpc/grpc-java/commit/b1a94a410e1926fb870e9717d11c7d8f85c62cb6) xds: implement server feature fail\_on\_data\_errors ([#12544](https://redirect.github.com/grpc/grpc-java/issues/12544)) * [`55ae1d0`](https://github.com/grpc/grpc-java/commit/55ae1d0541c3482cf9fa2cadb156b1da6852deb4) rls: Avoid missed config update from reentrancy * [`53a0926`](https://github.com/grpc/grpc-java/commit/53a092646a0883c29d3bc8f05277b9f0c15a1ce6) xds: fix race in simpleFlowControl ([#12547](https://redirect.github.com/grpc/grpc-java/issues/12547)) * [`f36defa`](https://github.com/grpc/grpc-java/commit/f36defa2d3950de103d2a2dc73fc7f308d35f624) Upgrade dependencies * Additional commits viewable in [compare view](https://github.com/grpc/grpc-java/compare/v1.77.0...v1.78.0) Updates `io.grpc:grpc-protobuf` from 1.77.0 to 1.78.0 Release notes *Sourced from [io.grpc:grpc-protobuf's releases](https://github.com/grpc/grpc-java/releases).* > V1.78.0 > ------- > > ### Bug Fixes > > * core: Fix shutdown failing accepted RPCs during channel startup (02e98a806). This fixes a race where RPCs could fail with "UNAVAILABLE: Channel shutdown invoked" even though they were created before channel.shutdown() > * okhttp: Fix race condition overwriting MAX\_CONCURRENT\_STREAMS ([#12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) (8d49dc1c9) > * binder: Stop leaking `this` from BinderServerTransport's ctor ([#12453](https://redirect.github.com/grpc/grpc-java/issues/12453)) (89d77e062) > * rls: Avoid missed config update from reentrancy (55ae1d054). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE\_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) > > ### Improvements > > * xds: gRFC A88 - Changes to XdsClient Watcher APIs ([#12446](https://redirect.github.com/grpc/grpc-java/issues/12446)) (f385add31). We now have improved xDS error handling and this provides a clearer mechanism for the xDS server to report per-resource errors to the client, resulting in better error messages for debugging and faster detection of non-existent resources. This also improves the handling of all xDS-related data errors and the behavior of the xDS resource timer. > * rls: Control plane channel monitor state and back off handling ([#12460](https://redirect.github.com/grpc/grpc-java/issues/12460)) (26c1c1341). Resets RLS request backoff timers when the Control plane channel state transitions to READY. Also when the backoff timer expires, instead of making a RLS request immediately, it just causes a picker update to allow making rpc again to the RLS target. > * core: simplify DnsNameResolver.resolveAddresses() (4843256af) > * netty: Run handshakeCompleteRunnable in success cases (283f1031f) > * api,netty: Add custom header support for HTTP CONNECT proxy (bbc0aa369) > * binder: Pre-factor out the guts of the BinderClientTransport handshake. (9313e87df) > * compiler: Add RISC-V 64-bit architecture support to compiler build configuration (725ab22f3) > * core: Release lock before closing shared resource (cb73f217e). Shared resources are internal to gRPC for sharing expensive objects across channels and servers, like threads. This reduces the chances of forming a deadlock, like seen with s2a in d50098f > * Upgrade gson to 2.12.1 (6dab2ceab) > * Upgrade dependencies (f36defa2d). proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0, error-prone annotations to 2.44.0, guava to 33.5.0-android, opentelemetry to 1.56.0 > * compiler: Update maximum supported protobuf edition to EDITION\_2024 (2f64092b8) > * binder: Introduce server authorization strategy v2 (d9710725d). Adds support for `android:isolatedProcess` Services and moves all security checks to the handshake, making subsequent transactions more efficient. > > ### New Features > > * compiler: Upgrade to C++ protobuf 33.1 ([#12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) (58ae5f808). > * util: Add gRFC A68 random subsetting LB (48a42889d). The policy uses the name `random_subsetting_experimental`. If it is working for you, tell us so we can gauge marking it stable. While the xDS portions haven’t yet landed, it is possible to use with xDS with JSON-style Structs as supported by gRFC A52 > * xds: Support for System Root Certs ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy. The xDS `CertificateValidationContext` message (see [envoyproxy/envoy#34235](https://redirect.github.com/envoyproxy/envoy/pull/34235)) has a `system_root_certs` field. In the gRPC client, if this field is present and the `ca_certificate_provider_instance` field is unset, system root certificates will be used for validation. This implements [gRFC A82](https://github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md). > * xds: Support for GCP Authentication Filter ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). In service mesh environments, there are cases where intermediate proxies make it impossible to rely on mTLS for end-to-end authentication. These cases can be addressed instead by the use of service account identity JWT tokens. The xDS [GCP Authentication filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter) provides a mechanism for attaching such JWT tokens as gRPC call credentials on GCP. gRPC already supports a framework for xDS HTTP filters, as described in [gRFC A39](https://github.com/grpc/proposal/blob/master/A39-xds-http-filters.md). This release supports the GCP Authentication filter under this framework as described in [gRFC A83](https://github.com/grpc/proposal/blob/master/A83-xds-gcp-authn-filter.md). > * xds: Support for xDS-based authority rewriting ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). gRPC supports getting routing configuration from an xDS server, as described in gRFCs [A27](https://github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md) and [A28](https://github.com/grpc/proposal/blob/master/A28-xds-traffic-splitting-and-routing.md). The xDS configuration can configure the client to rewrite the authority header on requests. This functionality can be useful in cases where the server is using the authority header to make decisions about how to process the request, such as when multiple hosts are handled via a reverse proxy. Note that this feature is solely about rewriting the authority header on data plane RPCs; it does not affect the authority used in the TLS handshake. > As mentioned in [gRFC A29](https://github.com/grpc/proposal/blob/master/A29-xds-tls-security.md), there are use-cases for gRPC that prohibit trusting the xDS server to control security-centric configuration. The authority rewriting feature falls under the same umbrella as mTLS configuration. As a result, the authority rewriting feature will only be enabled when the bootstrap config for the xDS server has `trusted_xds_server` in the `server_features` field. > * xds: xDS based SNI setting and SAN validation ([#12378](https://redirect.github.com/grpc/grpc-java/issues/12378)) (0567531). When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS. Implements gRFC [A101](https://github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md). > > ### Documentation > > * api: Document gRFC A18 TCP\_USER\_TIMEOUT handling for keepalive (da7038782) > * core: Fix AbstractClientStream Javadoc (28a6130e8) > * examples: Document how to preserve META-INF/services in uber jars (97695d523) > > ### Thanks to > > * [`@panchenko`](https://github.com/panchenko) > * [`@Dayuxiaoshui`](https://github.com/Dayuxiaoshui) > * [`@becomeStar`](https://github.com/becomeStar) > * [`@kssumin`](https://github.com/kssumin) > * [`@marcindabrowski`](https://github.com/marcindabrowski) > * [`@MariusVolkhart`](https://github.com/MariusVolkhart) > * [`@Zgoda91`](https://github.com/Zgoda91) > * [`@devalkone`](https://github.com/devalkone) ... (truncated) Commits * [`8fa6000`](https://github.com/grpc/grpc-java/commit/8fa6000259958fd3b2bdba579ea7dc002ad95777) Bump version to 1.78.0 * [`87df333`](https://github.com/grpc/grpc-java/commit/87df333f8ebd23669734b19c16e2cb7a187fded3) Update README etc to reference 1.78.0 * [`283f103`](https://github.com/grpc/grpc-java/commit/283f1031f7b48ce32a2f91bb92bac93a0ca29bdd) netty: Run handshakeCompleteRunnable in success cases * [`eb8a63c`](https://github.com/grpc/grpc-java/commit/eb8a63cefb827337cc9fd4c5a3877d96a238c1d6) Introduce io.grpc.Uri. ([#12535](https://redirect.github.com/grpc/grpc-java/issues/12535)) * [`58ae5f8`](https://github.com/grpc/grpc-java/commit/58ae5f808cf8e20c5864033c9a8f485b237f9dfc) compiler: Upgrade to protobuf 33.1 ([#12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) * [`8d49dc1`](https://github.com/grpc/grpc-java/commit/8d49dc1c9129fc42c6b80584f5dbad1a543009b5) okhttp: Fix race condition overwriting MAX\_CONCURRENT\_STREAMS ([#12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) * [`b1a94a4`](https://github.com/grpc/grpc-java/commit/b1a94a410e1926fb870e9717d11c7d8f85c62cb6) xds: implement server feature fail\_on\_data\_errors ([#12544](https://redirect.github.com/grpc/grpc-java/issues/12544)) * [`55ae1d0`](https://github.com/grpc/grpc-java/commit/55ae1d0541c3482cf9fa2cadb156b1da6852deb4) rls: Avoid missed config update from reentrancy * [`53a0926`](https://github.com/grpc/grpc-java/commit/53a092646a0883c29d3bc8f05277b9f0c15a1ce6) xds: fix race in simpleFlowControl ([#12547](https://redirect.github.com/grpc/grpc-java/issues/12547)) * [`f36defa`](https://github.com/grpc/grpc-java/commit/f36defa2d3950de103d2a2dc73fc7f308d35f624) Upgrade dependencies * Additional commits viewable in [compare view](https://github.com/grpc/grpc-java/compare/v1.77.0...v1.78.0) Updates `io.grpc:grpc-stub` from 1.77.0 to 1.78.0 Release notes *Sourced from [io.grpc:grpc-stub's releases](https://github.com/grpc/grpc-java/releases).* > V1.78.0 > ------- > > ### Bug Fixes > > * core: Fix shutdown failing accepted RPCs during channel startup (02e98a806). This fixes a race where RPCs could fail with "UNAVAILABLE: Channel shutdown invoked" even though they were created before channel.shutdown() > * okhttp: Fix race condition overwriting MAX\_CONCURRENT\_STREAMS ([#12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) (8d49dc1c9) > * binder: Stop leaking `this` from BinderServerTransport's ctor ([#12453](https://redirect.github.com/grpc/grpc-java/issues/12453)) (89d77e062) > * rls: Avoid missed config update from reentrancy (55ae1d054). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE\_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) > > ### Improvements > > * xds: gRFC A88 - Changes to XdsClient Watcher APIs ([#12446](https://redirect.github.com/grpc/grpc-java/issues/12446)) (f385add31). We now have improved xDS error handling and this provides a clearer mechanism for the xDS server to report per-resource errors to the client, resulting in better error messages for debugging and faster detection of non-existent resources. This also improves the handling of all xDS-related data errors and the behavior of the xDS resource timer. > * rls: Control plane channel monitor state and back off handling ([#12460](https://redirect.github.com/grpc/grpc-java/issues/12460)) (26c1c1341). Resets RLS request backoff timers when the Control plane channel state transitions to READY. Also when the backoff timer expires, instead of making a RLS request immediately, it just causes a picker update to allow making rpc again to the RLS target. > * core: simplify DnsNameResolver.resolveAddresses() (4843256af) > * netty: Run handshakeCompleteRunnable in success cases (283f1031f) > * api,netty: Add custom header support for HTTP CONNECT proxy (bbc0aa369) > * binder: Pre-factor out the guts of the BinderClientTransport handshake. (9313e87df) > * compiler: Add RISC-V 64-bit architecture support to compiler build configuration (725ab22f3) > * core: Release lock before closing shared resource (cb73f217e). Shared resources are internal to gRPC for sharing expensive objects across channels and servers, like threads. This reduces the chances of forming a deadlock, like seen with s2a in d50098f > * Upgrade gson to 2.12.1 (6dab2ceab) > * Upgrade dependencies (f36defa2d). proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0, error-prone annotations to 2.44.0, guava to 33.5.0-android, opentelemetry to 1.56.0 > * compiler: Update maximum supported protobuf edition to EDITION\_2024 (2f64092b8) > * binder: Introduce server authorization strategy v2 (d9710725d). Adds support for `android:isolatedProcess` Services and moves all security checks to the handshake, making subsequent transactions more efficient. > > ### New Features > > * compiler: Upgrade to C++ protobuf 33.1 ([#12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) (58ae5f808). > * util: Add gRFC A68 random subsetting LB (48a42889d). The policy uses the name `random_subsetting_experimental`. If it is working for you, tell us so we can gauge marking it stable. While the xDS portions haven’t yet landed, it is possible to use with xDS with JSON-style Structs as supported by gRFC A52 > * xds: Support for System Root Certs ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy. The xDS `CertificateValidationContext` message (see [envoyproxy/envoy#34235](https://redirect.github.com/envoyproxy/envoy/pull/34235)) has a `system_root_certs` field. In the gRPC client, if this field is present and the `ca_certificate_provider_instance` field is unset, system root certificates will be used for validation. This implements [gRFC A82](https://github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md). > * xds: Support for GCP Authentication Filter ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). In service mesh environments, there are cases where intermediate proxies make it impossible to rely on mTLS for end-to-end authentication. These cases can be addressed instead by the use of service account identity JWT tokens. The xDS [GCP Authentication filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter) provides a mechanism for attaching such JWT tokens as gRPC call credentials on GCP. gRPC already supports a framework for xDS HTTP filters, as described in [gRFC A39](https://github.com/grpc/proposal/blob/master/A39-xds-http-filters.md). This release supports the GCP Authentication filter under this framework as described in [gRFC A83](https://github.com/grpc/proposal/blob/master/A83-xds-gcp-authn-filter.md). > * xds: Support for xDS-based authority rewriting ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). gRPC supports getting routing configuration from an xDS server, as described in gRFCs [A27](https://github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md) and [A28](https://github.com/grpc/proposal/blob/master/A28-xds-traffic-splitting-and-routing.md). The xDS configuration can configure the client to rewrite the authority header on requests. This functionality can be useful in cases where the server is using the authority header to make decisions about how to process the request, such as when multiple hosts are handled via a reverse proxy. Note that this feature is solely about rewriting the authority header on data plane RPCs; it does not affect the authority used in the TLS handshake. > As mentioned in [gRFC A29](https://github.com/grpc/proposal/blob/master/A29-xds-tls-security.md), there are use-cases for gRPC that prohibit trusting the xDS server to control security-centric configuration. The authority rewriting feature falls under the same umbrella as mTLS configuration. As a result, the authority rewriting feature will only be enabled when the bootstrap config for the xDS server has `trusted_xds_server` in the `server_features` field. > * xds: xDS based SNI setting and SAN validation ([#12378](https://redirect.github.com/grpc/grpc-java/issues/12378)) (0567531). When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS. Implements gRFC [A101](https://github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md). > > ### Documentation > > * api: Document gRFC A18 TCP\_USER\_TIMEOUT handling for keepalive (da7038782) > * core: Fix AbstractClientStream Javadoc (28a6130e8) > * examples: Document how to preserve META-INF/services in uber jars (97695d523) > > ### Thanks to > > * [`@panchenko`](https://github.com/panchenko) > * [`@Dayuxiaoshui`](https://github.com/Dayuxiaoshui) > * [`@becomeStar`](https://github.com/becomeStar) > * [`@kssumin`](https://github.com/kssumin) > * [`@marcindabrowski`](https://github.com/marcindabrowski) > * [`@MariusVolkhart`](https://github.com/MariusVolkhart) > * [`@Zgoda91`](https://github.com/Zgoda91) > * [`@devalkone`](https://github.com/devalkone) ... (truncated) Commits * [`8fa6000`](https://github.com/grpc/grpc-java/commit/8fa6000259958fd3b2bdba579ea7dc002ad95777) Bump version to 1.78.0 * [`87df333`](https://github.com/grpc/grpc-java/commit/87df333f8ebd23669734b19c16e2cb7a187fded3) Update README etc to reference 1.78.0 * [`283f103`](https://github.com/grpc/grpc-java/commit/283f1031f7b48ce32a2f91bb92bac93a0ca29bdd) netty: Run handshakeCompleteRunnable in success cases * [`eb8a63c`](https://github.com/grpc/grpc-java/commit/eb8a63cefb827337cc9fd4c5a3877d96a238c1d6) Introduce io.grpc.Uri. ([#12535](https://redirect.github.com/grpc/grpc-java/issues/12535)) * [`58ae5f8`](https://github.com/grpc/grpc-java/commit/58ae5f808cf8e20c5864033c9a8f485b237f9dfc) compiler: Upgrade to protobuf 33.1 ([#12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) * [`8d49dc1`](https://github.com/grpc/grpc-java/commit/8d49dc1c9129fc42c6b80584f5dbad1a543009b5) okhttp: Fix race condition overwriting MAX\_CONCURRENT\_STREAMS ([#12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) * [`b1a94a4`](https://github.com/grpc/grpc-java/commit/b1a94a410e1926fb870e9717d11c7d8f85c62cb6) xds: implement server feature fail\_on\_data\_errors ([#12544](https://redirect.github.com/grpc/grpc-java/issues/12544)) * [`55ae1d0`](https://github.com/grpc/grpc-java/commit/55ae1d0541c3482cf9fa2cadb156b1da6852deb4) rls: Avoid missed config update from reentrancy * [`53a0926`](https://github.com/grpc/grpc-java/commit/53a092646a0883c29d3bc8f05277b9f0c15a1ce6) xds: fix race in simpleFlowControl ([#12547](https://redirect.github.com/grpc/grpc-java/issues/12547)) * [`f36defa`](https://github.com/grpc/grpc-java/commit/f36defa2d3950de103d2a2dc73fc7f308d35f624) Upgrade dependencies * Additional commits viewable in [compare view](https://github.com/grpc/grpc-java/compare/v1.77.0...v1.78.0) Updates `io.grpc:grpc-services` from 1.77.0 to 1.78.0 Release notes *Sourced from [io.grpc:grpc-services's releases](https://github.com/grpc/grpc-java/releases).* > V1.78.0 > ------- > > ### Bug Fixes > > * core: Fix shutdown failing accepted RPCs during channel startup (02e98a806). This fixes a race where RPCs could fail with "UNAVAILABLE: Channel shutdown invoked" even though they were created before channel.shutdown() > * okhttp: Fix race condition overwriting MAX\_CONCURRENT\_STREAMS ([#12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) (8d49dc1c9) > * binder: Stop leaking `this` from BinderServerTransport's ctor ([#12453](https://redirect.github.com/grpc/grpc-java/issues/12453)) (89d77e062) > * rls: Avoid missed config update from reentrancy (55ae1d054). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE\_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) > > ### Improvements > > * xds: gRFC A88 - Changes to XdsClient Watcher APIs ([#12446](https://redirect.github.com/grpc/grpc-java/issues/12446)) (f385add31). We now have improved xDS error handling and this provides a clearer mechanism for the xDS server to report per-resource errors to the client, resulting in better error messages for debugging and faster detection of non-existent resources. This also improves the handling of all xDS-related data errors and the behavior of the xDS resource timer. > * rls: Control plane channel monitor state and back off handling ([#12460](https://redirect.github.com/grpc/grpc-java/issues/12460)) (26c1c1341). Resets RLS request backoff timers when the Control plane channel state transitions to READY. Also when the backoff timer expires, instead of making a RLS request immediately, it just causes a picker update to allow making rpc again to the RLS target. > * core: simplify DnsNameResolver.resolveAddresses() (4843256af) > * netty: Run handshakeCompleteRunnable in success cases (283f1031f) > * api,netty: Add custom header support for HTTP CONNECT proxy (bbc0aa369) > * binder: Pre-factor out the guts of the BinderClientTransport handshake. (9313e87df) > * compiler: Add RISC-V 64-bit architecture support to compiler build configuration (725ab22f3) > * core: Release lock before closing shared resource (cb73f217e). Shared resources are internal to gRPC for sharing expensive objects across channels and servers, like threads. This reduces the chances of forming a deadlock, like seen with s2a in d50098f > * Upgrade gson to 2.12.1 (6dab2ceab) > * Upgrade dependencies (f36defa2d). proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0, error-prone annotations to 2.44.0, guava to 33.5.0-android, opentelemetry to 1.56.0 > * compiler: Update maximum supported protobuf edition to EDITION\_2024 (2f64092b8) > * binder: Introduce server authorization strategy v2 (d9710725d). Adds support for `android:isolatedProcess` Services and moves all security checks to the handshake, making subsequent transactions more efficient. > > ### New Features > > * compiler: Upgrade to C++ protobuf 33.1 ([#12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) (58ae5f808). > * util: Add gRFC A68 random subsetting LB (48a42889d). The policy uses the name `random_subsetting_experimental`. If it is working for you, tell us so we can gauge marking it stable. While the xDS portions haven’t yet landed, it is possible to use with xDS with JSON-style Structs as supported by gRFC A52 > * xds: Support for System Root Certs ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy. The xDS `CertificateValidationContext` message (see [envoyproxy/envoy#34235](https://redirect.github.com/envoyproxy/envoy/pull/34235)) has a `system_root_certs` field. In the gRPC client, if this field is present and the `ca_certificate_provider_instance` field is unset, system root certificates will be used for validation. This implements [gRFC A82](https://github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md). > * xds: Support for GCP Authentication Filter ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). In service mesh environments, there are cases where intermediate proxies make it impossible to rely on mTLS for end-to-end authentication. These cases can be addressed instead by the use of service account identity JWT tokens. The xDS [GCP Authentication filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter) provides a mechanism for attaching such JWT tokens as gRPC call credentials on GCP. gRPC already supports a framework for xDS HTTP filters, as described in [gRFC A39](https://github.com/grpc/proposal/blob/master/A39-xds-http-filters.md). This release supports the GCP Authentication filter under this framework as described in [gRFC A83](https://github.com/grpc/proposal/blob/master/A83-xds-gcp-authn-filter.md). > * xds: Support for xDS-based authority rewriting ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). gRPC supports getting routing configuration from an xDS server, as described in gRFCs [A27](https://github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md) and [A28](https://github.com/grpc/proposal/blob/master/A28-xds-traffic-splitting-and-routing.md). The xDS configuration can configure the client to rewrite the authority header on requests. This functionality can be useful in cases where the server is using the authority header to make decisions about how to process the request, such as when multiple hosts are handled via a reverse proxy. Note that this feature is solely about rewriting the authority header on data plane RPCs; it does not affect the authority used in the TLS handshake. > As mentioned in [gRFC A29](https://github.com/grpc/proposal/blob/master/A29-xds-tls-security.md), there are use-cases for gRPC that prohibit trusting the xDS server to control security-centric configuration. The authority rewriting feature falls under the same umbrella as mTLS configuration. As a result, the authority rewriting feature will only be enabled when the bootstrap config for the xDS server has `trusted_xds_server` in the `server_features` field. > * xds: xDS based SNI setting and SAN validation ([#12378](https://redirect.github.com/grpc/grpc-java/issues/12378)) (0567531). When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS. Implements gRFC [A101](https://github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md). > > ### Documentation > > * api: Document gRFC A18 TCP\_USER\_TIMEOUT handling for keepalive (da7038782) > * core: Fix AbstractClientStream Javadoc (28a6130e8) > * examples: Document how to preserve META-INF/services in uber jars (97695d523) > > ### Thanks to > > * [`@panchenko`](https://github.com/panchenko) > * [`@Dayuxiaoshui`](https://github.com/Dayuxiaoshui) > * [`@becomeStar`](https://github.com/becomeStar) > * [`@kssumin`](https://github.com/kssumin) > * [`@marcindabrowski`](https://github.com/marcindabrowski) > * [`@MariusVolkhart`](https://github.com/MariusVolkhart) > * [`@Zgoda91`](https://github.com/Zgoda91) > * [`@devalkone`](https://github.com/devalkone) ... (truncated) Commits * [`8fa6000`](https://github.com/grpc/grpc-java/commit/8fa6000259958fd3b2bdba579ea7dc002ad95777) Bump version to 1.78.0 * [`87df333`](https://github.com/grpc/grpc-java/commit/87df333f8ebd23669734b19c16e2cb7a187fded3) Update README etc to reference 1.78.0 * [`283f103`](https://github.com/grpc/grpc-java/commit/283f1031f7b48ce32a2f91bb92bac93a0ca29bdd) netty: Run handshakeCompleteRunnable in success cases * [`eb8a63c`](https://github.com/grpc/grpc-java/commit/eb8a63cefb827337cc9fd4c5a3877d96a238c1d6) Introduce io.grpc.Uri. ([#12535](https://redirect.github.com/grpc/grpc-java/issues/12535)) * [`58ae5f8`](https://github.com/grpc/grpc-java/commit/58ae5f808cf8e20c5864033c9a8f485b237f9dfc) compiler: Upgrade to protobuf 33.1 ([#12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) * [`8d49dc1`](https://github.com/grpc/grpc-java/commit/8d49dc1c9129fc42c6b80584f5dbad1a543009b5) okhttp: Fix race condition overwriting MAX\_CONCURRENT\_STREAMS ([#12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) * [`b1a94a4`](https://github.com/grpc/grpc-java/commit/b1a94a410e1926fb870e9717d11c7d8f85c62cb6) xds: implement server feature fail\_on\_data\_errors ([#12544](https://redirect.github.com/grpc/grpc-java/issues/12544)) * [`55ae1d0`](https://github.com/grpc/grpc-java/commit/55ae1d0541c3482cf9fa2cadb156b1da6852deb4) rls: Avoid missed config update from reentrancy * [`53a0926`](https://github.com/grpc/grpc-java/commit/53a092646a0883c29d3bc8f05277b9f0c15a1ce6) xds: fix race in simpleFlowControl ([#12547](https://redirect.github.com/grpc/grpc-java/issues/12547)) * [`f36defa`](https://github.com/grpc/grpc-java/commit/f36defa2d3950de103d2a2dc73fc7f308d35f624) Upgrade dependencies * Additional commits viewable in [compare view](https://github.com/grpc/grpc-java/compare/v1.77.0...v1.78.0) Updates `io.grpc:grpc-xds` from 1.77.0 to 1.78.0 Release notes *Sourced from [io.grpc:grpc-xds's releases](https://github.com/grpc/grpc-java/releases).* > V1.78.0 > ------- > > ### Bug Fixes > > * core: Fix shutdown failing accepted RPCs during channel startup (02e98a806). This fixes a race where RPCs could fail with "UNAVAILABLE: Channel shutdown invoked" even though they were created before channel.shutdown() > * okhttp: Fix race condition overwriting MAX\_CONCURRENT\_STREAMS ([#12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) (8d49dc1c9) > * binder: Stop leaking `this` from BinderServerTransport's ctor ([#12453](https://redirect.github.com/grpc/grpc-java/issues/12453)) (89d77e062) > * rls: Avoid missed config update from reentrancy (55ae1d054). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE\_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) > > ### Improvements > > * xds: gRFC A88 - Changes to XdsClient Watcher APIs ([#12446](https://redirect.github.com/grpc/grpc-java/issues/12446)) (f385add31). We now have improved xDS error handling and this provides a clearer mechanism for the xDS server to report per-resource errors to the client, resulting in better error messages for debugging and faster detection of non-existent resources. This also improves the handling of all xDS-related data errors and the behavior of the xDS resource timer. > * rls: Control plane channel monitor state and back off handling ([#12460](https://redirect.github.com/grpc/grpc-java/issues/12460)) (26c1c1341). Resets RLS request backoff timers when the Control plane channel state transitions to READY. Also when the backoff timer expires, instead of making a RLS request immediately, it just causes a picker update to allow making rpc again to the RLS target. > * core: simplify DnsNameResolver.resolveAddresses() (4843256af) > * netty: Run handshakeCompleteRunnable in success cases (283f1031f) > * api,netty: Add custom header support for HTTP CONNECT proxy (bbc0aa369) > * binder: Pre-factor out the guts of the BinderClientTransport handshake. (9313e87df) > * compiler: Add RISC-V 64-bit architecture support to compiler build configuration (725ab22f3) > * core: Release lock before closing shared resource (cb73f217e). Shared resources are internal to gRPC for sharing expensive objects across channels and servers, like threads. This reduces the chances of forming a deadlock, like seen with s2a in d50098f > * Upgrade gson to 2.12.1 (6dab2ceab) > * Upgrade dependencies (f36defa2d). proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0, error-prone annotations to 2.44.0, guava to 33.5.0-android, opentelemetry to 1.56.0 > * compiler: Update maximum supported protobuf edition to EDITION\_2024 (2f64092b8) > * binder: Introduce server authorization strategy v2 (d9710725d). Adds support for `android:isolatedProcess` Services and moves all security checks to the handshake, making subsequent transactions more efficient. > > ### New Features > > * compiler: Upgrade to C++ protobuf 33.1 ([#12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) (58ae5f808). > * util: Add gRFC A68 random subsetting LB (48a42889d). The policy uses the name `random_subsetting_experimental`. If it is working for you, tell us so we can gauge marking it stable. While the xDS portions haven’t yet landed, it is possible to use with xDS with JSON-style Structs as supported by gRFC A52 > * xds: Support for System Root Certs ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy. The xDS `CertificateValidationContext` message (see [envoyproxy/envoy#34235](https://redirect.github.com/envoyproxy/envoy/pull/34235)) has a `system_root_certs` field. In the gRPC client, if this field is present and the `ca_certificate_provider_instance` field is unset, system root certificates will be used for validation. This implements [gRFC A82](https://github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md). > * xds: Support for GCP Authentication Filter ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). In service mesh environments, there are cases where intermediate proxies make it impossible to rely on mTLS for end-to-end authentication. These cases can be addressed instead by the use of service account identity JWT tokens. The xDS [GCP Authentication filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter) provides a mechanism for attaching such JWT tokens as gRPC call credentials on GCP. gRPC already supports a framework for xDS HTTP filters, as described in [gRFC A39](https://github.com/grpc/proposal/blob/master/A39-xds-http-filters.md). This release supports the GCP Authentication filter under this framework as described in [gRFC A83](https://github.com/grpc/proposal/blob/master/A83-xds-gcp-authn-filter.md). > * xds: Support for xDS-based authority rewriting ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). gRPC supports getting routing configuration from an xDS server, as described in gRFCs [A27](https://github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md) and [A28](https://github.com/grpc/proposal/blob/master/A28-xds-traffic-splitting-and-routing.md). The xDS configuration can configure the client to rewrite the authority header on requests. This functionality can be useful in cases where the server is using the authority header to make decisions about how to process the request, such as when multiple hosts are handled via a reverse proxy. Note that this feature is solely about rewriting the authority header on data plane RPCs; it does not affect the authority used in the TLS handshake. > As mentioned in [gRFC A29](https://github.com/grpc/proposal/blob/master/A29-xds-tls-security.md), there are use-cases for gRPC that prohibit trusting the xDS server to control security-centric configuration. The authority rewriting feature falls under the same umbrella as mTLS configuration. As a result, the authority rewriting feature will only be enabled when the bootstrap config for the xDS server has `trusted_xds_server` in the `server_features` field. > * xds: xDS based SNI setting and SAN validation ([#12378](https://redirect.github.com/grpc/grpc-java/issues/12378)) (0567531). When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS. Implements gRFC [A101](https://github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md). > > ### Documentation > > * api: Document gRFC A18 TCP\_USER\_TIMEOUT handling for keepalive (da7038782) > * core: Fix AbstractClientStream Javadoc (28a6130e8) > * examples: Document how to preserve META-INF/services in uber jars (97695d523) > > ### Thanks to > > * [`@panchenko`](https://github.com/panchenko) > * [`@Dayuxiaoshui`](https://github.com/Dayuxiaoshui) > * [`@becomeStar`](https://github.com/becomeStar) > * [`@kssumin`](https://github.com/kssumin) > * [`@marcindabrowski`](https://github.com/marcindabrowski) > * [`@MariusVolkhart`](https://github.com/MariusVolkhart) > * [`@Zgoda91`](https://github.com/Zgoda91) > * [`@devalkone`](https://github.com/devalkone) ... (truncated) Commits * [`8fa6000`](https://github.com/grpc/grpc-java/commit/8fa6000259958fd3b2bdba579ea7dc002ad95777) Bump version to 1.78.0 * [`87df333`](https://github.com/grpc/grpc-java/commit/87df333f8ebd23669734b19c16e2cb7a187fded3) Update README etc to reference 1.78.0 * [`283f103`](https://github.com/grpc/grpc-java/commit/283f1031f7b48ce32a2f91bb92bac93a0ca29bdd) netty: Run handshakeCompleteRunnable in success cases * [`eb8a63c`](https://github.com/grpc/grpc-java/commit/eb8a63cefb827337cc9fd4c5a3877d96a238c1d6) Introduce io.grpc.Uri. ([#12535](https://redirect.github.com/grpc/grpc-java/issues/12535)) * [`58ae5f8`](https://github.com/grpc/grpc-java/commit/58ae5f808cf8e20c5864033c9a8f485b237f9dfc) compiler: Upgrade to protobuf 33.1 ([#12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) * [`8d49dc1`](https://github.com/grpc/grpc-java/commit/8d49dc1c9129fc42c6b80584f5dbad1a543009b5) okhttp: Fix race condition overwriting MAX\_CONCURRENT\_STREAMS ([#12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) * [`b1a94a4`](https://github.com/grpc/grpc-java/commit/b1a94a410e1926fb870e9717d11c7d8f85c62cb6) xds: implement server feature fail\_on\_data\_errors ([#12544](https://redirect.github.com/grpc/grpc-java/issues/12544)) * [`55ae1d0`](https://github.com/grpc/grpc-java/commit/55ae1d0541c3482cf9fa2cadb156b1da6852deb4) rls: Avoid missed config update from reentrancy * [`53a0926`](https://github.com/grpc/grpc-java/commit/53a092646a0883c29d3bc8f05277b9f0c15a1ce6) xds: fix race in simpleFlowControl ([#12547](https://redirect.github.com/grpc/grpc-java/issues/12547)) * [`f36defa`](https://github.com/grpc/grpc-java/commit/f36defa2d3950de103d2a2dc73fc7f308d35f624) Upgrade dependencies * Additional commits viewable in [compare view](https://github.com/grpc/grpc-java/compare/v1.77.0...v1.78.0) Updates `io.grpc:grpc-testing` from 1.77.0 to 1.78.0 Release notes *Sourced from [io.grpc:grpc-testing's releases](https://github.com/grpc/grpc-java/releases).* > V1.78.0 > ------- > > ### Bug Fixes > > * core: Fix shutdown failing accepted RPCs during channel startup (02e98a806). This fixes a race where RPCs could fail with "UNAVAILABLE: Channel shutdown invoked" even though they were created before channel.shutdown() > * okhttp: Fix race condition overwriting MAX\_CONCURRENT\_STREAMS ([#12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) (8d49dc1c9) > * binder: Stop leaking `this` from BinderServerTransport's ctor ([#12453](https://redirect.github.com/grpc/grpc-java/issues/12453)) (89d77e062) > * rls: Avoid missed config update from reentrancy (55ae1d054). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE\_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) > > ### Improvements > > * xds: gRFC A88 - Changes to XdsClient Watcher APIs ([#12446](https://redirect.github.com/grpc/grpc-java/issues/12446)) (f385add31). We now have improved xDS error handling and this provides a clearer mechanism for the xDS server to report per-resource errors to the client, resulting in better error messages for debugging and faster detection of non-existent resources. This also improves the handling of all xDS-related data errors and the behavior of the xDS resource timer. > * rls: Control plane channel monitor state and back off handling ([#12460](https://redirect.github.com/grpc/grpc-java/issues/12460)) (26c1c1341). Resets RLS request backoff timers when the Control plane channel state transitions to READY. Also when the backoff timer expires, instead of making a RLS request immediately, it just causes a picker update to allow making rpc again to the RLS target. > * core: simplify DnsNameResolver.resolveAddresses() (4843256af) > * netty: Run handshakeCompleteRunnable in success cases (283f1031f) > * api,netty: Add custom header support for HTTP CONNECT proxy (bbc0aa369) > * binder: Pre-factor out the guts of the BinderClientTransport handshake. (9313e87df) > * compiler: Add RISC-V 64-bit architecture support to compiler build configuration (725ab22f3) > * core: Release lock before closing shared resource (cb73f217e). Shared resources are internal to gRPC for sharing expensive objects across channels and servers, like threads. This reduces the chances of forming a deadlock, like seen with s2a in d50098f > * Upgrade gson to 2.12.1 (6dab2ceab) > * Upgrade dependencies (f36defa2d). proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0, error-prone annotations to 2.44.0, guava to 33.5.0-android, opentelemetry to 1.56.0 > * compiler: Update maximum supported protobuf edition to EDITION\_2024 (2f64092b8) > * binder: Introduce server authorization strategy v2 (d9710725d). Adds support for `android:isolatedProcess` Services and moves all security checks to the handshake, making subsequent transactions more efficient. > > ### New Features > > * compiler: Upgrade to C++ protobuf 33.1 ([#12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) (58ae5f808). > * util: Add gRFC A68 random subsetting LB (48a42889d). The policy uses the name `random_subsetting_experimental`. If it is working for you, tell us so we can gauge marking it stable. While the xDS portions haven’t yet landed, it is possible to use with xDS with JSON-style Structs as supported by gRFC A52 > * xds: Support for System Root Certs ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy. The xDS `CertificateValidationContext` message (see [envoyproxy/envoy#34235](https://redirect.github.com/envoyproxy/envoy/pull/34235)) has a `system_root_certs` field. In the gRPC client, if this field is present and the `ca_certificate_provider_instance` field is unset, system root certificates will be used for validation. This implements [gRFC A82](https://github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md). > * xds: Support for GCP Authentication Filter ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). In service mesh environments, there are cases where intermediate proxies make it impossible to rely on mTLS for end-to-end authentication. These cases can be addressed instead by the use of service account identity JWT tokens. The xDS [GCP Authentication filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter) provides a mechanism for attaching such JWT tokens as gRPC call credentials on GCP. gRPC already supports a framework for xDS HTTP filters, as described in [gRFC A39](https://github.com/grpc/proposal/blob/master/A39-xds-http-filters.md). This release supports the GCP Authentication filter under this framework as described in [gRFC A83](https://github.com/grpc/proposal/blob/master/A83-xds-gcp-authn-filter.md). > * xds: Support for xDS-based authority rewriting ([#12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) (51611bad1). gRPC supports getting routing configuration from an xDS server, as described in gRFCs [A27](https://github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md) and [A28](https://github.com/grpc/proposal/blob/master/A28-xds-traffic-splitting-and-routing.md). The xDS configuration can configure the client to rewrite the authority header on requests. This functionality can be useful in cases where the server is using the authority header to make decisions about how to process the request, such as when multiple hosts are handled via a reverse proxy. Note that this feature is solely about rewriting the authority header on data plane RPCs; it does not affect the authority used in the TLS handshake. > As mentioned in [gRFC A29](https://github.com/grpc/proposal/blob/master/A29-xds-tls-security.md), there are use-cases for gRPC that prohibit trusting the xDS server to control security-centric configuration. The authority rewriting feature falls under the same umbrella as mTLS configuration. As a result, the authority rewriting feature will only be enabled when the bootstrap config for the xDS server has `trusted_xds_server` in the `server_features` field. > * xds: xDS based SNI setting and SAN validation ([#12378](https://redirect.github.com/grpc/grpc-java/issues/12378)) (0567531). When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS. Implements gRFC [A101](https://github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md). > > ### Documentation > > * api: Document gRFC A18 TCP\_USER\_TIMEOUT handling for keepalive (da7038782) > * core: Fix AbstractClientStream Javadoc (28a6130e8) > * examples: Document how to preserve META-INF/services in uber jars (97695d523) > > ### Thanks to > > * [`@panchenko`](https://github.com/panchenko) > * [`@Dayuxiaoshui`](https://github.com/Dayuxiaoshui) > * [`@becomeStar`](https://github.com/becomeStar) > * [`@kssumin`](https://github.com/kssumin) > * [`@marcindabrowski`](https://github.com/marcindabrowski) > * [`@MariusVolkhart`](https://github.com/MariusVolkhart) > * [`@Zgoda91`](https://github.com/Zgoda91) > * [`@devalkone`](https://github.com/devalkone) ... (truncated) Commits * [`8fa6000`](https://github.com/grpc/grpc-java/commit/8fa6000259958fd3b2bdba579ea7dc002ad95777) Bump version to 1.78.0 * [`87df333`](https://github.com/grpc/grpc-java/commit/87df333f8ebd23669734b19c16e2cb7a187fded3) Update README etc to reference 1.78.0 * [`283f103`](https://github.com/grpc/grpc-java/commit/283f1031f7b48ce32a2f91bb92bac93a0ca29bdd) netty: Run handshakeCompleteRunnable in success cases * [`eb8a63c`](https://github.com/grpc/grpc-java/commit/eb8a63cefb827337cc9fd4c5a3877d96a238c1d6) Introduce io.grpc.Uri. ([#12535](https://redirect.github.com/grpc/grpc-java/issues/12535)) * [`58ae5f8`](https://github.com/grpc/grpc-java/commit/58ae5f808cf8e20c5864033c9a8f485b237f9dfc) compiler: Upgrade to protobuf 33.1 ([#12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) * [`8d49dc1`](https://github.com/grpc/grpc-java/commit/8d49dc1c9129fc42c6b80584f5dbad1a543009b5) okhttp: Fix race condition overwriting MAX\_CONCURRENT\_STREAMS ([#12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) * [`b1a94a4`](https://github.com/grpc/grpc-java/commit/b1a94a410e1926fb870e9717d11c7d8f85c62cb6) xds: implement server feature fail\_on\_data\_errors ([#12544](https://redirect.github.com/grpc/grpc-java/issues/12544)) * [`55ae1d0`](https://github.com/grpc/grpc-java/commit/55ae1d0541c3482cf9fa2cadb156b1da6852deb4) rls: Avoid missed config update from reentrancy * [`53a0926`](https://github.com/grpc/grpc-java/commit/53a092646a0883c29d3bc8f05277b9f0c15a1ce6) xds: fix race in simpleFlowControl ([#12547](https://redirect.github.com/grpc/grpc-java/issues/12547)) * [`f36defa`](https://github.com/grpc/grpc-java/commit/f36defa2d3950de103d2a2dc73fc7f308d35f624) Upgrade dependencies * Additional commits viewable in [compare view](https://github.com/grpc/grpc-java/compare/v1.77.0...v1.78.0) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreat... \_Description has been truncated\_
charithe
pushed a commit
to cerbos/cerbos-sdk-java
that referenced
this pull request
Dec 29, 2025
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [io.grpc:grpc-netty-shaded](https://redirect.github.com/grpc/grpc-java) | `1.77.0` -> `1.78.0` |  |  | | [io.grpc:grpc-stub](https://redirect.github.com/grpc/grpc-java) | `1.77.0` -> `1.78.0` |  |  | | [io.grpc:grpc-protobuf](https://redirect.github.com/grpc/grpc-java) | `1.77.0` -> `1.78.0` |  |  | | [io.grpc:protoc-gen-grpc-java](https://redirect.github.com/grpc/grpc-java) | `1.77.0` -> `1.78.0` |  |  | --- ### Release Notes <details> <summary>grpc/grpc-java (io.grpc:grpc-netty-shaded)</summary> ### [`v1.78.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.78.0) ##### Bug Fixes - core: Fix shutdown failing accepted RPCs during channel startup ([`02e98a8`](https://redirect.github.com/grpc/grpc-java/commit/02e98a806)). This fixes a race where RPCs could fail with "UNAVAILABLE: Channel shutdown invoked" even though they were created before channel.shutdown() - okhttp: Fix race condition overwriting MAX\_CONCURRENT\_STREAMS ([#​12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) ([`8d49dc1`](https://redirect.github.com/grpc/grpc-java/commit/8d49dc1c9)) - binder: Stop leaking `this` from BinderServerTransport's ctor ([#​12453](https://redirect.github.com/grpc/grpc-java/issues/12453)) ([`89d77e0`](https://redirect.github.com/grpc/grpc-java/commit/89d77e062)) - rls: Avoid missed config update from reentrancy ([`55ae1d0`](https://redirect.github.com/grpc/grpc-java/commit/55ae1d054)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE\_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) ##### Improvements - xds: gRFC A88 - Changes to XdsClient Watcher APIs ([#​12446](https://redirect.github.com/grpc/grpc-java/issues/12446)) ([`f385add`](https://redirect.github.com/grpc/grpc-java/commit/f385add31)). We now have improved xDS error handling and this provides a clearer mechanism for the xDS server to report per-resource errors to the client, resulting in better error messages for debugging and faster detection of non-existent resources. This also improves the handling of all xDS-related data errors and the behavior of the xDS resource timer. - rls: Control plane channel monitor state and back off handling ([#​12460](https://redirect.github.com/grpc/grpc-java/issues/12460)) ([`26c1c13`](https://redirect.github.com/grpc/grpc-java/commit/26c1c1341)). Resets RLS request backoff timers when the Control plane channel state transitions to READY. Also when the backoff timer expires, instead of making a RLS request immediately, it just causes a picker update to allow making rpc again to the RLS target. - core: simplify DnsNameResolver.resolveAddresses() ([`4843256`](https://redirect.github.com/grpc/grpc-java/commit/4843256af)) - netty: Run handshakeCompleteRunnable in success cases ([`283f103`](https://redirect.github.com/grpc/grpc-java/commit/283f1031f)) - api,netty: Add custom header support for HTTP CONNECT proxy ([`bbc0aa3`](https://redirect.github.com/grpc/grpc-java/commit/bbc0aa369)) - binder: Pre-factor out the guts of the BinderClientTransport handshake. ([`9313e87`](https://redirect.github.com/grpc/grpc-java/commit/9313e87df)) - compiler: Add RISC-V 64-bit architecture support to compiler build configuration ([`725ab22`](https://redirect.github.com/grpc/grpc-java/commit/725ab22f3)) - core: Release lock before closing shared resource ([`cb73f21`](https://redirect.github.com/grpc/grpc-java/commit/cb73f217e)). Shared resources are internal to gRPC for sharing expensive objects across channels and servers, like threads. This reduces the chances of forming a deadlock, like seen with s2a in [`d50098f`](https://redirect.github.com/grpc/grpc-java/commit/d50098f) - Upgrade gson to 2.12.1 ([`6dab2ce`](https://redirect.github.com/grpc/grpc-java/commit/6dab2ceab)) - Upgrade dependencies ([`f36defa`](https://redirect.github.com/grpc/grpc-java/commit/f36defa2d)). proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0, error-prone annotations to 2.44.0, guava to 33.5.0-android, opentelemetry to 1.56.0 - compiler: Update maximum supported protobuf edition to EDITION\_2024 ([`2f64092`](https://redirect.github.com/grpc/grpc-java/commit/2f64092b8)) - binder: Introduce server authorization strategy v2 ([`d971072`](https://redirect.github.com/grpc/grpc-java/commit/d9710725d)). Adds support for `android:isolatedProcess` Services and moves all security checks to the handshake, making subsequent transactions more efficient. ##### New Features - compiler: Upgrade to C++ protobuf 33.1 ([#​12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) ([`58ae5f8`](https://redirect.github.com/grpc/grpc-java/commit/58ae5f808)). - util: Add gRFC A68 random subsetting LB ([`48a4288`](https://redirect.github.com/grpc/grpc-java/commit/48a42889d)). The policy uses the name `random_subsetting_experimental`. If it is working for you, tell us so we can gauge marking it stable. While the xDS portions haven’t yet landed, it is possible to use with xDS with JSON-style Structs as supported by gRFC A52 - xds: Support for System Root Certs ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy. The xDS `CertificateValidationContext` message (see [envoyproxy/envoy#34235](https://redirect.github.com/envoyproxy/envoy/pull/34235)) has a `system_root_certs` field. In the gRPC client, if this field is present and the `ca_certificate_provider_instance` field is unset, system root certificates will be used for validation. This implements [gRFC A82](https://redirect.github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md). - xds: Support for GCP Authentication Filter ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). In service mesh environments, there are cases where intermediate proxies make it impossible to rely on mTLS for end-to-end authentication. These cases can be addressed instead by the use of service account identity JWT tokens. The xDS [GCP Authentication filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter) provides a mechanism for attaching such JWT tokens as gRPC call credentials on GCP. gRPC already supports a framework for xDS HTTP filters, as described in [gRFC A39](https://redirect.github.com/grpc/proposal/blob/master/A39-xds-http-filters.md). This release supports the GCP Authentication filter under this framework as described in [gRFC A83](https://redirect.github.com/grpc/proposal/blob/master/A83-xds-gcp-authn-filter.md). - xds: Support for xDS-based authority rewriting ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). gRPC supports getting routing configuration from an xDS server, as described in gRFCs [A27](https://redirect.github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md) and [A28](https://redirect.github.com/grpc/proposal/blob/master/A28-xds-traffic-splitting-and-routing.md). The xDS configuration can configure the client to rewrite the authority header on requests. This functionality can be useful in cases where the server is using the authority header to make decisions about how to process the request, such as when multiple hosts are handled via a reverse proxy. Note that this feature is solely about rewriting the authority header on data plane RPCs; it does not affect the authority used in the TLS handshake.\ As mentioned in [gRFC A29](https://redirect.github.com/grpc/proposal/blob/master/A29-xds-tls-security.md), there are use-cases for gRPC that prohibit trusting the xDS server to control security-centric configuration. The authority rewriting feature falls under the same umbrella as mTLS configuration. As a result, the authority rewriting feature will only be enabled when the bootstrap config for the xDS server has `trusted_xds_server` in the `server_features` field. - xds: xDS based SNI setting and SAN validation ([#​12378](https://redirect.github.com/grpc/grpc-java/issues/12378)) ([`0567531`](https://redirect.github.com/grpc/grpc-java/commit/0567531)). When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS. Implements gRFC [A101](https://redirect.github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md). ##### Documentation - api: Document gRFC A18 TCP\_USER\_TIMEOUT handling for keepalive ([`da70387`](https://redirect.github.com/grpc/grpc-java/commit/da7038782)) - core: Fix AbstractClientStream Javadoc ([`28a6130`](https://redirect.github.com/grpc/grpc-java/commit/28a6130e8)) - examples: Document how to preserve META-INF/services in uber jars ([`97695d5`](https://redirect.github.com/grpc/grpc-java/commit/97695d523)) ##### Thanks to - [@​panchenko](https://redirect.github.com/panchenko) - [@​Dayuxiaoshui](https://redirect.github.com/Dayuxiaoshui) - [@​becomeStar](https://redirect.github.com/becomeStar) - [@​kssumin](https://redirect.github.com/kssumin) - [@​marcindabrowski](https://redirect.github.com/marcindabrowski) - [@​MariusVolkhart](https://redirect.github.com/MariusVolkhart) - [@​Zgoda91](https://redirect.github.com/Zgoda91) - [@​devalkone](https://redirect.github.com/devalkone) ### [`v1.77.1`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.77.1) ##### Bug Fixes - rls: Avoid missed config update from reentrancy ([#​12549](https://redirect.github.com/grpc/grpc-java/pull/12549)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE\_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) </details> --- ### Configuration 📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/cerbos/cerbos-sdk-java). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi41OS4wIiwidXBkYXRlZEluVmVyIjoiNDIuNTkuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYm90cyIsImNob3JlIl19--> Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
kodiakhq bot
pushed a commit
to cloudquery/plugin-pb-java
that referenced
this pull request
Jan 1, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [io.grpc:protoc-gen-grpc-java](https://redirect.github.com/grpc/grpc-java) | dependencies | minor | `1.77.0` -> `1.78.0` | | [io.grpc:grpc-testing](https://redirect.github.com/grpc/grpc-java) | dependencies | minor | `1.77.0` -> `1.78.0` | | [io.grpc:grpc-netty-shaded](https://redirect.github.com/grpc/grpc-java) | dependencies | minor | `1.77.0` -> `1.78.0` | | [io.grpc:grpc-stub](https://redirect.github.com/grpc/grpc-java) | dependencies | minor | `1.77.0` -> `1.78.0` | | [io.grpc:grpc-services](https://redirect.github.com/grpc/grpc-java) | dependencies | minor | `1.77.0` -> `1.78.0` | | [io.grpc:grpc-protobuf](https://redirect.github.com/grpc/grpc-java) | dependencies | minor | `1.77.0` -> `1.78.0` | --- ### Release Notes <details> <summary>grpc/grpc-java (io.grpc:protoc-gen-grpc-java)</summary> ### [`v1.78.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.78.0) ##### Bug Fixes - core: Fix shutdown failing accepted RPCs during channel startup ([`02e98a8`](https://redirect.github.com/grpc/grpc-java/commit/02e98a806)). This fixes a race where RPCs could fail with "UNAVAILABLE: Channel shutdown invoked" even though they were created before channel.shutdown() - okhttp: Fix race condition overwriting MAX_CONCURRENT_STREAMS ([#​12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) ([`8d49dc1`](https://redirect.github.com/grpc/grpc-java/commit/8d49dc1c9)) - binder: Stop leaking `this` from BinderServerTransport's ctor ([#​12453](https://redirect.github.com/grpc/grpc-java/issues/12453)) ([`89d77e0`](https://redirect.github.com/grpc/grpc-java/commit/89d77e062)) - rls: Avoid missed config update from reentrancy ([`55ae1d0`](https://redirect.github.com/grpc/grpc-java/commit/55ae1d054)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) ##### Improvements - xds: gRFC A88 - Changes to XdsClient Watcher APIs ([#​12446](https://redirect.github.com/grpc/grpc-java/issues/12446)) ([`f385add`](https://redirect.github.com/grpc/grpc-java/commit/f385add31)). We now have improved xDS error handling and this provides a clearer mechanism for the xDS server to report per-resource errors to the client, resulting in better error messages for debugging and faster detection of non-existent resources. This also improves the handling of all xDS-related data errors and the behavior of the xDS resource timer. - rls: Control plane channel monitor state and back off handling ([#​12460](https://redirect.github.com/grpc/grpc-java/issues/12460)) ([`26c1c13`](https://redirect.github.com/grpc/grpc-java/commit/26c1c1341)). Resets RLS request backoff timers when the Control plane channel state transitions to READY. Also when the backoff timer expires, instead of making a RLS request immediately, it just causes a picker update to allow making rpc again to the RLS target. - core: simplify DnsNameResolver.resolveAddresses() ([`4843256`](https://redirect.github.com/grpc/grpc-java/commit/4843256af)) - netty: Run handshakeCompleteRunnable in success cases ([`283f103`](https://redirect.github.com/grpc/grpc-java/commit/283f1031f)) - api,netty: Add custom header support for HTTP CONNECT proxy ([`bbc0aa3`](https://redirect.github.com/grpc/grpc-java/commit/bbc0aa369)) - binder: Pre-factor out the guts of the BinderClientTransport handshake. ([`9313e87`](https://redirect.github.com/grpc/grpc-java/commit/9313e87df)) - compiler: Add RISC-V 64-bit architecture support to compiler build configuration ([`725ab22`](https://redirect.github.com/grpc/grpc-java/commit/725ab22f3)) - core: Release lock before closing shared resource ([`cb73f21`](https://redirect.github.com/grpc/grpc-java/commit/cb73f217e)). Shared resources are internal to gRPC for sharing expensive objects across channels and servers, like threads. This reduces the chances of forming a deadlock, like seen with s2a in [`d50098f`](https://redirect.github.com/grpc/grpc-java/commit/d50098f) - Upgrade gson to 2.12.1 ([`6dab2ce`](https://redirect.github.com/grpc/grpc-java/commit/6dab2ceab)) - Upgrade dependencies ([`f36defa`](https://redirect.github.com/grpc/grpc-java/commit/f36defa2d)). proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0, error-prone annotations to 2.44.0, guava to 33.5.0-android, opentelemetry to 1.56.0 - compiler: Update maximum supported protobuf edition to EDITION\_2024 ([`2f64092`](https://redirect.github.com/grpc/grpc-java/commit/2f64092b8)) - binder: Introduce server authorization strategy v2 ([`d971072`](https://redirect.github.com/grpc/grpc-java/commit/d9710725d)). Adds support for `android:isolatedProcess` Services and moves all security checks to the handshake, making subsequent transactions more efficient. ##### New Features - compiler: Upgrade to C++ protobuf 33.1 ([#​12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) ([`58ae5f8`](https://redirect.github.com/grpc/grpc-java/commit/58ae5f808)). - util: Add gRFC A68 random subsetting LB ([`48a4288`](https://redirect.github.com/grpc/grpc-java/commit/48a42889d)). The policy uses the name `random_subsetting_experimental`. If it is working for you, tell us so we can gauge marking it stable. While the xDS portions haven’t yet landed, it is possible to use with xDS with JSON-style Structs as supported by gRFC A52 - xds: Support for System Root Certs ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy. The xDS `CertificateValidationContext` message (see [envoyproxy/envoy#34235](https://redirect.github.com/envoyproxy/envoy/pull/34235)) has a `system_root_certs` field. In the gRPC client, if this field is present and the `ca_certificate_provider_instance` field is unset, system root certificates will be used for validation. This implements [gRFC A82](https://redirect.github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md). - xds: Support for GCP Authentication Filter ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). In service mesh environments, there are cases where intermediate proxies make it impossible to rely on mTLS for end-to-end authentication. These cases can be addressed instead by the use of service account identity JWT tokens. The xDS [GCP Authentication filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter) provides a mechanism for attaching such JWT tokens as gRPC call credentials on GCP. gRPC already supports a framework for xDS HTTP filters, as described in [gRFC A39](https://redirect.github.com/grpc/proposal/blob/master/A39-xds-http-filters.md). This release supports the GCP Authentication filter under this framework as described in [gRFC A83](https://redirect.github.com/grpc/proposal/blob/master/A83-xds-gcp-authn-filter.md). - xds: Support for xDS-based authority rewriting ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). gRPC supports getting routing configuration from an xDS server, as described in gRFCs [A27](https://redirect.github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md) and [A28](https://redirect.github.com/grpc/proposal/blob/master/A28-xds-traffic-splitting-and-routing.md). The xDS configuration can configure the client to rewrite the authority header on requests. This functionality can be useful in cases where the server is using the authority header to make decisions about how to process the request, such as when multiple hosts are handled via a reverse proxy. Note that this feature is solely about rewriting the authority header on data plane RPCs; it does not affect the authority used in the TLS handshake.\ As mentioned in [gRFC A29](https://redirect.github.com/grpc/proposal/blob/master/A29-xds-tls-security.md), there are use-cases for gRPC that prohibit trusting the xDS server to control security-centric configuration. The authority rewriting feature falls under the same umbrella as mTLS configuration. As a result, the authority rewriting feature will only be enabled when the bootstrap config for the xDS server has `trusted_xds_server` in the `server_features` field. - xds: xDS based SNI setting and SAN validation ([#​12378](https://redirect.github.com/grpc/grpc-java/issues/12378)) ([`0567531`](https://redirect.github.com/grpc/grpc-java/commit/0567531)). When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS. Implements gRFC [A101](https://redirect.github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md). ##### Documentation - api: Document gRFC A18 TCP_USER_TIMEOUT handling for keepalive ([`da70387`](https://redirect.github.com/grpc/grpc-java/commit/da7038782)) - core: Fix AbstractClientStream Javadoc ([`28a6130`](https://redirect.github.com/grpc/grpc-java/commit/28a6130e8)) - examples: Document how to preserve META-INF/services in uber jars ([`97695d5`](https://redirect.github.com/grpc/grpc-java/commit/97695d523)) ##### Thanks to - [@​panchenko](https://redirect.github.com/panchenko) - [@​Dayuxiaoshui](https://redirect.github.com/Dayuxiaoshui) - [@​becomeStar](https://redirect.github.com/becomeStar) - [@​kssumin](https://redirect.github.com/kssumin) - [@​marcindabrowski](https://redirect.github.com/marcindabrowski) - [@​MariusVolkhart](https://redirect.github.com/MariusVolkhart) - [@​Zgoda91](https://redirect.github.com/Zgoda91) - [@​devalkone](https://redirect.github.com/devalkone) ### [`v1.77.1`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.77.1) ##### Bug Fixes - rls: Avoid missed config update from reentrancy ([https://github.com/grpc/grpc-java/pull/12549](https://redirect.github.com/grpc/grpc-java/pull/12549)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) </details> --- ### Configuration 📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC4yMi4xIiwidXBkYXRlZEluVmVyIjoiNDAuMjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYXV0b21lcmdlIl19-->
github-merge-queue bot
pushed a commit
to camunda/camunda
that referenced
this pull request
Jan 5, 2026
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [io.grpc:grpc-bom](https://redirect.github.com/grpc/grpc-java) | `1.76.0` → `1.78.0` |  |  | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>grpc/grpc-java (io.grpc:grpc-bom)</summary> ### [`v1.78.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.78.0) ##### Bug Fixes - core: Fix shutdown failing accepted RPCs during channel startup ([`02e98a8`](https://redirect.github.com/grpc/grpc-java/commit/02e98a806)). This fixes a race where RPCs could fail with "UNAVAILABLE: Channel shutdown invoked" even though they were created before channel.shutdown() - okhttp: Fix race condition overwriting MAX\_CONCURRENT\_STREAMS ([#​12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) ([`8d49dc1`](https://redirect.github.com/grpc/grpc-java/commit/8d49dc1c9)) - binder: Stop leaking `this` from BinderServerTransport's ctor ([#​12453](https://redirect.github.com/grpc/grpc-java/issues/12453)) ([`89d77e0`](https://redirect.github.com/grpc/grpc-java/commit/89d77e062)) - rls: Avoid missed config update from reentrancy ([`55ae1d0`](https://redirect.github.com/grpc/grpc-java/commit/55ae1d054)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE\_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) ##### Improvements - xds: gRFC A88 - Changes to XdsClient Watcher APIs ([#​12446](https://redirect.github.com/grpc/grpc-java/issues/12446)) ([`f385add`](https://redirect.github.com/grpc/grpc-java/commit/f385add31)). We now have improved xDS error handling and this provides a clearer mechanism for the xDS server to report per-resource errors to the client, resulting in better error messages for debugging and faster detection of non-existent resources. This also improves the handling of all xDS-related data errors and the behavior of the xDS resource timer. - rls: Control plane channel monitor state and back off handling ([#​12460](https://redirect.github.com/grpc/grpc-java/issues/12460)) ([`26c1c13`](https://redirect.github.com/grpc/grpc-java/commit/26c1c1341)). Resets RLS request backoff timers when the Control plane channel state transitions to READY. Also when the backoff timer expires, instead of making a RLS request immediately, it just causes a picker update to allow making rpc again to the RLS target. - core: simplify DnsNameResolver.resolveAddresses() ([`4843256`](https://redirect.github.com/grpc/grpc-java/commit/4843256af)) - netty: Run handshakeCompleteRunnable in success cases ([`283f103`](https://redirect.github.com/grpc/grpc-java/commit/283f1031f)) - api,netty: Add custom header support for HTTP CONNECT proxy ([`bbc0aa3`](https://redirect.github.com/grpc/grpc-java/commit/bbc0aa369)) - binder: Pre-factor out the guts of the BinderClientTransport handshake. ([`9313e87`](https://redirect.github.com/grpc/grpc-java/commit/9313e87df)) - compiler: Add RISC-V 64-bit architecture support to compiler build configuration ([`725ab22`](https://redirect.github.com/grpc/grpc-java/commit/725ab22f3)) - core: Release lock before closing shared resource ([`cb73f21`](https://redirect.github.com/grpc/grpc-java/commit/cb73f217e)). Shared resources are internal to gRPC for sharing expensive objects across channels and servers, like threads. This reduces the chances of forming a deadlock, like seen with s2a in [`d50098f`](https://redirect.github.com/grpc/grpc-java/commit/d50098f) - Upgrade gson to 2.12.1 ([`6dab2ce`](https://redirect.github.com/grpc/grpc-java/commit/6dab2ceab)) - Upgrade dependencies ([`f36defa`](https://redirect.github.com/grpc/grpc-java/commit/f36defa2d)). proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0, error-prone annotations to 2.44.0, guava to 33.5.0-android, opentelemetry to 1.56.0 - compiler: Update maximum supported protobuf edition to EDITION\_2024 ([`2f64092`](https://redirect.github.com/grpc/grpc-java/commit/2f64092b8)) - binder: Introduce server authorization strategy v2 ([`d971072`](https://redirect.github.com/grpc/grpc-java/commit/d9710725d)). Adds support for `android:isolatedProcess` Services and moves all security checks to the handshake, making subsequent transactions more efficient. ##### New Features - compiler: Upgrade to C++ protobuf 33.1 ([#​12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) ([`58ae5f8`](https://redirect.github.com/grpc/grpc-java/commit/58ae5f808)). - util: Add gRFC A68 random subsetting LB ([`48a4288`](https://redirect.github.com/grpc/grpc-java/commit/48a42889d)). The policy uses the name `random_subsetting_experimental`. If it is working for you, tell us so we can gauge marking it stable. While the xDS portions haven’t yet landed, it is possible to use with xDS with JSON-style Structs as supported by gRFC A52 - xds: Support for System Root Certs ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy. The xDS `CertificateValidationContext` message (see [envoyproxy/envoy#34235](https://redirect.github.com/envoyproxy/envoy/pull/34235)) has a `system_root_certs` field. In the gRPC client, if this field is present and the `ca_certificate_provider_instance` field is unset, system root certificates will be used for validation. This implements [gRFC A82](https://redirect.github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md). - xds: Support for GCP Authentication Filter ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). In service mesh environments, there are cases where intermediate proxies make it impossible to rely on mTLS for end-to-end authentication. These cases can be addressed instead by the use of service account identity JWT tokens. The xDS [GCP Authentication filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter) provides a mechanism for attaching such JWT tokens as gRPC call credentials on GCP. gRPC already supports a framework for xDS HTTP filters, as described in [gRFC A39](https://redirect.github.com/grpc/proposal/blob/master/A39-xds-http-filters.md). This release supports the GCP Authentication filter under this framework as described in [gRFC A83](https://redirect.github.com/grpc/proposal/blob/master/A83-xds-gcp-authn-filter.md). - xds: Support for xDS-based authority rewriting ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). gRPC supports getting routing configuration from an xDS server, as described in gRFCs [A27](https://redirect.github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md) and [A28](https://redirect.github.com/grpc/proposal/blob/master/A28-xds-traffic-splitting-and-routing.md). The xDS configuration can configure the client to rewrite the authority header on requests. This functionality can be useful in cases where the server is using the authority header to make decisions about how to process the request, such as when multiple hosts are handled via a reverse proxy. Note that this feature is solely about rewriting the authority header on data plane RPCs; it does not affect the authority used in the TLS handshake.\ As mentioned in [gRFC A29](https://redirect.github.com/grpc/proposal/blob/master/A29-xds-tls-security.md), there are use-cases for gRPC that prohibit trusting the xDS server to control security-centric configuration. The authority rewriting feature falls under the same umbrella as mTLS configuration. As a result, the authority rewriting feature will only be enabled when the bootstrap config for the xDS server has `trusted_xds_server` in the `server_features` field. - xds: xDS based SNI setting and SAN validation ([#​12378](https://redirect.github.com/grpc/grpc-java/issues/12378)) ([`0567531`](https://redirect.github.com/grpc/grpc-java/commit/0567531)). When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS. Implements gRFC [A101](https://redirect.github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md). ##### Documentation - api: Document gRFC A18 TCP\_USER\_TIMEOUT handling for keepalive ([`da70387`](https://redirect.github.com/grpc/grpc-java/commit/da7038782)) - core: Fix AbstractClientStream Javadoc ([`28a6130`](https://redirect.github.com/grpc/grpc-java/commit/28a6130e8)) - examples: Document how to preserve META-INF/services in uber jars ([`97695d5`](https://redirect.github.com/grpc/grpc-java/commit/97695d523)) ##### Thanks to - [@​panchenko](https://redirect.github.com/panchenko) - [@​Dayuxiaoshui](https://redirect.github.com/Dayuxiaoshui) - [@​becomeStar](https://redirect.github.com/becomeStar) - [@​kssumin](https://redirect.github.com/kssumin) - [@​marcindabrowski](https://redirect.github.com/marcindabrowski) - [@​MariusVolkhart](https://redirect.github.com/MariusVolkhart) - [@​Zgoda91](https://redirect.github.com/Zgoda91) - [@​devalkone](https://redirect.github.com/devalkone) ### [`v1.77.1`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.77.1) ##### Bug Fixes - rls: Avoid missed config update from reentrancy ([#​12549](https://redirect.github.com/grpc/grpc-java/pull/12549)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE\_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) ### [`v1.77.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.77.0) ##### API Changes - binder: Remove experimental `BinderChannelBuilder.bindAsUser()` method, deprecated since 1.69 ([#​12401](https://redirect.github.com/grpc/grpc-java/issues/12401)) ([`f96ce06`](https://redirect.github.com/grpc/grpc-java/commit/f96ce0670)) ##### Bug Fixes - api: Fix name resolver bridge listener handling for address resolution errors for custom name resolvers ([#​12441](https://redirect.github.com/grpc/grpc-java/issues/12441)) ([`acbbf86`](https://redirect.github.com/grpc/grpc-java/commit/acbbf869a)). This fixes regression introduced in v1.68.1 causing a “IllegalStateException: No value present.” exception - core: Fix NullPointerException during address update with Happy Eyeballs ([`5e8af56`](https://redirect.github.com/grpc/grpc-java/commit/5e8af564e)). This should not impact many people as the code is disabled by default, behind two experimental environment variables - okhttp: Fix bidirectional keep-alive causing spurious GOAWAY ([`6fc3fd0`](https://redirect.github.com/grpc/grpc-java/commit/6fc3fd046)). This fixes the grpc-okhttp server incorrectly closing the connection with `GOAWAY: too_many_pings` - xds: SslContext updates handling when using system root certs ([#​12340](https://redirect.github.com/grpc/grpc-java/issues/12340)) ([`63fdaac`](https://redirect.github.com/grpc/grpc-java/commit/63fdaaccc)). Since `FileWatcherCertificateProvider` isn't used when using system root trust store, the SslContext update for the handshake that depended on it wasn't happening. This fix creates a separate `CertificateProvider` for handling system root certs that doesn't rely on the `FileWatcherCertificateProvider.` - xds: Make cluster selection interceptor run before other filters ([#​12381](https://redirect.github.com/grpc/grpc-java/issues/12381)) ([`82f9b8e`](https://redirect.github.com/grpc/grpc-java/commit/82f9b8ec0)). This is needed when there is `GcpAuthenticationFilter` in the filter chain to make available the cluster resource in `CallOption`s. - xds: Handle wildcards in DNS SAN exact matching ([#​12345](https://redirect.github.com/grpc/grpc-java/issues/12345)) ([`5b876cc`](https://redirect.github.com/grpc/grpc-java/commit/5b876cc86)) - android: Fix UdsChannelBuilder with WiFi Proxy ([`349a35a`](https://redirect.github.com/grpc/grpc-java/commit/349a35a9b)) - binder: Avoid potential deadlock when canceling AsyncSecurityPolicy futures ([#​12283](https://redirect.github.com/grpc/grpc-java/issues/12283)) ([`4725ced`](https://redirect.github.com/grpc/grpc-java/commit/4725ced99)) - binder: Fix a BinderServerTransport crash in the rare shutdown-before-start case ([#​12440](https://redirect.github.com/grpc/grpc-java/issues/12440)) ([`91f3f4d`](https://redirect.github.com/grpc/grpc-java/commit/91f3f4dc1)) ##### Improvements - Improve status messages by including causal error details in config parsing errors for outlier detection and xds’s wrr locality policies ([`86e8b56`](https://redirect.github.com/grpc/grpc-java/commit/86e8b5617)) - xds: Detect negative ref count for xds client ([`21696cd`](https://redirect.github.com/grpc/grpc-java/commit/21696cd3d)). A negative reference count could cause NullPointerExceptions, so when too many unrefs are detected it produces a SEVERE warning and prevents the reference count from going negative - xds: Support deprecated xDS TLS fields for Istio compat ([#​12435](https://redirect.github.com/grpc/grpc-java/issues/12435)) ([`53cd1a2`](https://redirect.github.com/grpc/grpc-java/commit/53cd1a225)). This fixes a regression with Istio introduced in v1.73.0. This gives time for [Istio’s new xDS field support](https://redirect.github.com/istio/istio/pull/58257) to roll out - googleapis: Allow wrapping NameResolver to inject XdsClient ([#​12450](https://redirect.github.com/grpc/grpc-java/issues/12450)) ([`27d1508`](https://redirect.github.com/grpc/grpc-java/commit/27d150890)). This allows googleapis to inject an xDS bootstrap to use with its channels even if one is already specified in the environment variable or system property. When the code was originally written there was a single global XdsClient, but since gRFC A71 Xds Fallback each target string has its own XdsClient and thus can have its own bootstrap - alts: Allow overriding metadata server address with env variable ([`9ac12ef`](https://redirect.github.com/grpc/grpc-java/commit/9ac12ef89)) ([`498f717`](https://redirect.github.com/grpc/grpc-java/commit/498f717fc)) - binder: Let the server know when the client fails to authorize it. ([#​12445](https://redirect.github.com/grpc/grpc-java/issues/12445)) ([`599a0a1`](https://redirect.github.com/grpc/grpc-java/commit/599a0a146)) This avoids the server needing to wait for the handshake timeout before realizing the handshake failed ##### New Features - opentelemetry: Implement otel retry metrics from gRFC A96 ([#​12064](https://redirect.github.com/grpc/grpc-java/issues/12064)) ([`d380191`](https://redirect.github.com/grpc/grpc-java/commit/d380191be)) - opentelemetry: propagate baggage to server metrics for custom attributes ([#​12389](https://redirect.github.com/grpc/grpc-java/issues/12389)) ([`155308d`](https://redirect.github.com/grpc/grpc-java/commit/155308db2)) - xds: Allow EC Keys in SPIFFE Bundle Map parsing ([#​12399](https://redirect.github.com/grpc/grpc-java/issues/12399)) ([`559e3ba`](https://redirect.github.com/grpc/grpc-java/commit/559e3ba41)) - xds: Enable authority rewriting (gRFC A81), system root cert support (gRFC A82), GCP authentication filter (gRFC A83), and SNI (gRFC A101) ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`246c2b1`](https://redirect.github.com/grpc/grpc-java/commit/246c2b1ea)). Authority rewriting requires the control plane to be labeled `trusted_xds_server` in the bootstrap. System root cert support and SNI require using XdsChannelCredentials - rls: Add route lookup reason to request whether it is due to a cache miss or stale cache entry ([#​12442](https://redirect.github.com/grpc/grpc-java/issues/12442)) ([`795ce02`](https://redirect.github.com/grpc/grpc-java/commit/795ce0280)) ##### Dependencies - compiler: C++ protobuf used by codegen upgraded to 26.1 ([#​12330](https://redirect.github.com/grpc/grpc-java/issues/12330)) ([`55aefd5`](https://redirect.github.com/grpc/grpc-java/commit/55aefd5b8)) - alts: Remove dep on grpclb ([`b769f96`](https://redirect.github.com/grpc/grpc-java/commit/b769f966a)). ALTS is no longer used with grpclb, so this removes dead code - Upgrade netty to 4.1.127.Final ([`b37ee67`](https://redirect.github.com/grpc/grpc-java/commit/b37ee67cf)) ##### Thanks to [@​panchenko](https://redirect.github.com/panchenko) [@​benjaminp](https://redirect.github.com/benjaminp) [@​HyunSangHan](https://redirect.github.com/HyunSangHan) [@​becomeStar](https://redirect.github.com/becomeStar) [@​ZachChuba](https://redirect.github.com/ZachChuba) [@​oliviamariacodes](https://redirect.github.com/oliviamariacodes) [@​kssumin](https://redirect.github.com/kssumin) [@​laz-canva](https://redirect.github.com/laz-canva) ### [`v1.76.2`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.76.2) ##### Bug Fixes - rls: Avoid missed config update from reentrancy ([#​12550](https://redirect.github.com/grpc/grpc-java/pull/12550)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE\_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) ### [`v1.76.1`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.76.1) ##### Bug Fixes - core: Fix NullPointerException during address update with Happy Eyeballs ([`5e8af56`](https://redirect.github.com/grpc/grpc-java/commit/5e8af564e)). This should not impact many people as the code is disabled by default, behind two experimental environment variables </details> --- ### Configuration 📅 **Schedule**: Branch creation - At 08:00 PM through 11:59 PM and 12:00 AM through 08:59 AM, Monday through Friday ( * 20-23,0-8 * * 1-5 ), Only on Sunday and Saturday ( * * * * 0,6 ) (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/camunda/camunda). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi42Ni4xNCIsInVwZGF0ZWRJblZlciI6IjQyLjY5LjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImFyZWEvYmFja2VuZCIsImF1dG9tZXJnZSIsImRlcGVuZGVuY2llcyJdfQ==-->
renovate bot
added a commit
to mattnworb/bazel-java-example
that referenced
this pull request
Jan 21, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [grpc-java](https://redirect.github.com/grpc/grpc-java) | bazel_dep | minor | `1.75.0` → `1.78.0` | --- ### Release Notes <details> <summary>grpc/grpc-java (grpc-java)</summary> ### [`v1.78.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.78.0) ##### Bug Fixes - core: Fix shutdown failing accepted RPCs during channel startup ([`02e98a8`](https://redirect.github.com/grpc/grpc-java/commit/02e98a806)). This fixes a race where RPCs could fail with "UNAVAILABLE: Channel shutdown invoked" even though they were created before channel.shutdown() - okhttp: Fix race condition overwriting MAX\_CONCURRENT\_STREAMS ([#​12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) ([`8d49dc1`](https://redirect.github.com/grpc/grpc-java/commit/8d49dc1c9)) - binder: Stop leaking `this` from BinderServerTransport's ctor ([#​12453](https://redirect.github.com/grpc/grpc-java/issues/12453)) ([`89d77e0`](https://redirect.github.com/grpc/grpc-java/commit/89d77e062)) - rls: Avoid missed config update from reentrancy ([`55ae1d0`](https://redirect.github.com/grpc/grpc-java/commit/55ae1d054)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE\_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) ##### Improvements - xds: gRFC A88 - Changes to XdsClient Watcher APIs ([#​12446](https://redirect.github.com/grpc/grpc-java/issues/12446)) ([`f385add`](https://redirect.github.com/grpc/grpc-java/commit/f385add31)). We now have improved xDS error handling and this provides a clearer mechanism for the xDS server to report per-resource errors to the client, resulting in better error messages for debugging and faster detection of non-existent resources. This also improves the handling of all xDS-related data errors and the behavior of the xDS resource timer. - rls: Control plane channel monitor state and back off handling ([#​12460](https://redirect.github.com/grpc/grpc-java/issues/12460)) ([`26c1c13`](https://redirect.github.com/grpc/grpc-java/commit/26c1c1341)). Resets RLS request backoff timers when the Control plane channel state transitions to READY. Also when the backoff timer expires, instead of making a RLS request immediately, it just causes a picker update to allow making rpc again to the RLS target. - core: simplify DnsNameResolver.resolveAddresses() ([`4843256`](https://redirect.github.com/grpc/grpc-java/commit/4843256af)) - netty: Run handshakeCompleteRunnable in success cases ([`283f103`](https://redirect.github.com/grpc/grpc-java/commit/283f1031f)) - api,netty: Add custom header support for HTTP CONNECT proxy ([`bbc0aa3`](https://redirect.github.com/grpc/grpc-java/commit/bbc0aa369)) - binder: Pre-factor out the guts of the BinderClientTransport handshake. ([`9313e87`](https://redirect.github.com/grpc/grpc-java/commit/9313e87df)) - compiler: Add RISC-V 64-bit architecture support to compiler build configuration ([`725ab22`](https://redirect.github.com/grpc/grpc-java/commit/725ab22f3)) - core: Release lock before closing shared resource ([`cb73f21`](https://redirect.github.com/grpc/grpc-java/commit/cb73f217e)). Shared resources are internal to gRPC for sharing expensive objects across channels and servers, like threads. This reduces the chances of forming a deadlock, like seen with s2a in [`d50098f`](https://redirect.github.com/grpc/grpc-java/commit/d50098f) - Upgrade gson to 2.12.1 ([`6dab2ce`](https://redirect.github.com/grpc/grpc-java/commit/6dab2ceab)) - Upgrade dependencies ([`f36defa`](https://redirect.github.com/grpc/grpc-java/commit/f36defa2d)). proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0, error-prone annotations to 2.44.0, guava to 33.5.0-android, opentelemetry to 1.56.0 - compiler: Update maximum supported protobuf edition to EDITION\_2024 ([`2f64092`](https://redirect.github.com/grpc/grpc-java/commit/2f64092b8)) - binder: Introduce server authorization strategy v2 ([`d971072`](https://redirect.github.com/grpc/grpc-java/commit/d9710725d)). Adds support for `android:isolatedProcess` Services and moves all security checks to the handshake, making subsequent transactions more efficient. ##### New Features - compiler: Upgrade to C++ protobuf 33.1 ([#​12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) ([`58ae5f8`](https://redirect.github.com/grpc/grpc-java/commit/58ae5f808)). - util: Add gRFC A68 random subsetting LB ([`48a4288`](https://redirect.github.com/grpc/grpc-java/commit/48a42889d)). The policy uses the name `random_subsetting_experimental`. If it is working for you, tell us so we can gauge marking it stable. While the xDS portions haven’t yet landed, it is possible to use with xDS with JSON-style Structs as supported by gRFC A52 - xds: Support for System Root Certs ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy. The xDS `CertificateValidationContext` message (see [envoyproxy/envoy#34235](https://redirect.github.com/envoyproxy/envoy/pull/34235)) has a `system_root_certs` field. In the gRPC client, if this field is present and the `ca_certificate_provider_instance` field is unset, system root certificates will be used for validation. This implements [gRFC A82](https://redirect.github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md). - xds: Support for GCP Authentication Filter ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). In service mesh environments, there are cases where intermediate proxies make it impossible to rely on mTLS for end-to-end authentication. These cases can be addressed instead by the use of service account identity JWT tokens. The xDS [GCP Authentication filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter) provides a mechanism for attaching such JWT tokens as gRPC call credentials on GCP. gRPC already supports a framework for xDS HTTP filters, as described in [gRFC A39](https://redirect.github.com/grpc/proposal/blob/master/A39-xds-http-filters.md). This release supports the GCP Authentication filter under this framework as described in [gRFC A83](https://redirect.github.com/grpc/proposal/blob/master/A83-xds-gcp-authn-filter.md). - xds: Support for xDS-based authority rewriting ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). gRPC supports getting routing configuration from an xDS server, as described in gRFCs [A27](https://redirect.github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md) and [A28](https://redirect.github.com/grpc/proposal/blob/master/A28-xds-traffic-splitting-and-routing.md). The xDS configuration can configure the client to rewrite the authority header on requests. This functionality can be useful in cases where the server is using the authority header to make decisions about how to process the request, such as when multiple hosts are handled via a reverse proxy. Note that this feature is solely about rewriting the authority header on data plane RPCs; it does not affect the authority used in the TLS handshake.\ As mentioned in [gRFC A29](https://redirect.github.com/grpc/proposal/blob/master/A29-xds-tls-security.md), there are use-cases for gRPC that prohibit trusting the xDS server to control security-centric configuration. The authority rewriting feature falls under the same umbrella as mTLS configuration. As a result, the authority rewriting feature will only be enabled when the bootstrap config for the xDS server has `trusted_xds_server` in the `server_features` field. - xds: xDS based SNI setting and SAN validation ([#​12378](https://redirect.github.com/grpc/grpc-java/issues/12378)) ([`0567531`](https://redirect.github.com/grpc/grpc-java/commit/0567531)). When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS. Implements gRFC [A101](https://redirect.github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md). ##### Documentation - api: Document gRFC A18 TCP\_USER\_TIMEOUT handling for keepalive ([`da70387`](https://redirect.github.com/grpc/grpc-java/commit/da7038782)) - core: Fix AbstractClientStream Javadoc ([`28a6130`](https://redirect.github.com/grpc/grpc-java/commit/28a6130e8)) - examples: Document how to preserve META-INF/services in uber jars ([`97695d5`](https://redirect.github.com/grpc/grpc-java/commit/97695d523)) ##### Thanks to - [@​panchenko](https://redirect.github.com/panchenko) - [@​Dayuxiaoshui](https://redirect.github.com/Dayuxiaoshui) - [@​becomeStar](https://redirect.github.com/becomeStar) - [@​kssumin](https://redirect.github.com/kssumin) - [@​marcindabrowski](https://redirect.github.com/marcindabrowski) - [@​MariusVolkhart](https://redirect.github.com/MariusVolkhart) - [@​Zgoda91](https://redirect.github.com/Zgoda91) - [@​devalkone](https://redirect.github.com/devalkone) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/mattnworb/bazel-java-example). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi44NS4xIiwidXBkYXRlZEluVmVyIjoiNDIuODUuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
JoeWang1127
added a commit
to googleapis/sdk-platform-java
that referenced
this pull request
Jan 23, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [com.google.auth:google-auth-library-bom](https://togithub.com/googleapis/google-auth-library-java) | minor | `1.41.0` -> `1.42.0` | | [com.google.http-client:google-http-client](https://togithub.com/googleapis/google-http-java-client) | minor | `2.0.3` -> `2.1.0` | | [io.grpc:grpc-bom](https://togithub.com/grpc/grpc-java) | minor | `1.76.2` -> `1.78.0` | --- ### Release Notes <details> <summary>googleapis/google-auth-library-java (com.google.auth:google-auth-library-bom)</summary> ### [`v1.42.0`](https://togithub.com/googleapis/google-auth-library-java/blob/HEAD/CHANGELOG.md#1420-2026-01-23) [Compare Source](https://togithub.com/googleapis/google-auth-library-java/compare/v1.41.0...v1.42.0) ##### Features - Update protobuf version to 4.33.2 ([#​1875](https://togithub.com/googleapis/google-auth-library-java/issues/1875)) ([13ddbd1](https://togithub.com/googleapis/google-auth-library-java/commit/13ddbd1744fb908fb51e8866e5aac291f0e9bada)) ##### Bug Fixes - Simplify call to directly retrieve the default service account from MDS ([#​1844](https://togithub.com/googleapis/google-auth-library-java/issues/1844)) ([6efda0b](https://togithub.com/googleapis/google-auth-library-java/commit/6efda0bc2063b1d1b30de43785d08ec86da1791c)) </details> <details> <summary>googleapis/google-http-java-client (com.google.http-client:google-http-client)</summary> ### [`v2.1.0`](https://togithub.com/googleapis/google-http-java-client/blob/HEAD/CHANGELOG.md#210-2026-01-23) [Compare Source](https://togithub.com/googleapis/google-http-java-client/compare/v2.0.3...v2.1.0) ##### Features - Update protobuf-java to 4.33.2 ([d48c443](https://togithub.com/googleapis/google-http-java-client/commit/d48c443cf9b872be4872ed6801c4edf70d5be7ac)) </details> <details> <summary>grpc/grpc-java (io.grpc:grpc-bom)</summary> ### [`v1.78.0`](https://togithub.com/grpc/grpc-java/releases/tag/v1.78.0) [Compare Source](https://togithub.com/grpc/grpc-java/compare/v1.77.1...v1.78.0) ##### Bug Fixes - core: Fix shutdown failing accepted RPCs during channel startup ([`02e98a8`](https://togithub.com/grpc/grpc-java/commit/02e98a806)). This fixes a race where RPCs could fail with "UNAVAILABLE: Channel shutdown invoked" even though they were created before channel.shutdown() - okhttp: Fix race condition overwriting MAX_CONCURRENT_STREAMS ([#​12548](https://togithub.com/grpc/grpc-java/issues/12548)) ([`8d49dc1`](https://togithub.com/grpc/grpc-java/commit/8d49dc1c9)) - binder: Stop leaking `this` from BinderServerTransport's ctor ([#​12453](https://togithub.com/grpc/grpc-java/issues/12453)) ([`89d77e0`](https://togithub.com/grpc/grpc-java/commit/89d77e062)) - rls: Avoid missed config update from reentrancy ([`55ae1d0`](https://togithub.com/grpc/grpc-java/commit/55ae1d054)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) ##### Improvements - xds: gRFC A88 - Changes to XdsClient Watcher APIs ([#​12446](https://togithub.com/grpc/grpc-java/issues/12446)) ([`f385add`](https://togithub.com/grpc/grpc-java/commit/f385add31)). We now have improved xDS error handling and this provides a clearer mechanism for the xDS server to report per-resource errors to the client, resulting in better error messages for debugging and faster detection of non-existent resources. This also improves the handling of all xDS-related data errors and the behavior of the xDS resource timer. - rls: Control plane channel monitor state and back off handling ([#​12460](https://togithub.com/grpc/grpc-java/issues/12460)) ([`26c1c13`](https://togithub.com/grpc/grpc-java/commit/26c1c1341)). Resets RLS request backoff timers when the Control plane channel state transitions to READY. Also when the backoff timer expires, instead of making a RLS request immediately, it just causes a picker update to allow making rpc again to the RLS target. - core: simplify DnsNameResolver.resolveAddresses() ([`4843256`](https://togithub.com/grpc/grpc-java/commit/4843256af)) - netty: Run handshakeCompleteRunnable in success cases ([`283f103`](https://togithub.com/grpc/grpc-java/commit/283f1031f)) - api,netty: Add custom header support for HTTP CONNECT proxy ([`bbc0aa3`](https://togithub.com/grpc/grpc-java/commit/bbc0aa369)) - binder: Pre-factor out the guts of the BinderClientTransport handshake. ([`9313e87`](https://togithub.com/grpc/grpc-java/commit/9313e87df)) - compiler: Add RISC-V 64-bit architecture support to compiler build configuration ([`725ab22`](https://togithub.com/grpc/grpc-java/commit/725ab22f3)) - core: Release lock before closing shared resource ([`cb73f21`](https://togithub.com/grpc/grpc-java/commit/cb73f217e)). Shared resources are internal to gRPC for sharing expensive objects across channels and servers, like threads. This reduces the chances of forming a deadlock, like seen with s2a in [`d50098f`](https://togithub.com/grpc/grpc-java/commit/d50098f) - Upgrade gson to 2.12.1 ([`6dab2ce`](https://togithub.com/grpc/grpc-java/commit/6dab2ceab)) - Upgrade dependencies ([`f36defa`](https://togithub.com/grpc/grpc-java/commit/f36defa2d)). proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0, error-prone annotations to 2.44.0, guava to 33.5.0-android, opentelemetry to 1.56.0 - compiler: Update maximum supported protobuf edition to EDITION\_2024 ([`2f64092`](https://togithub.com/grpc/grpc-java/commit/2f64092b8)) - binder: Introduce server authorization strategy v2 ([`d971072`](https://togithub.com/grpc/grpc-java/commit/d9710725d)). Adds support for `android:isolatedProcess` Services and moves all security checks to the handshake, making subsequent transactions more efficient. ##### New Features - compiler: Upgrade to C++ protobuf 33.1 ([#​12534](https://togithub.com/grpc/grpc-java/issues/12534)) ([`58ae5f8`](https://togithub.com/grpc/grpc-java/commit/58ae5f808)). - util: Add gRFC A68 random subsetting LB ([`48a4288`](https://togithub.com/grpc/grpc-java/commit/48a42889d)). The policy uses the name `random_subsetting_experimental`. If it is working for you, tell us so we can gauge marking it stable. While the xDS portions haven’t yet landed, it is possible to use with xDS with JSON-style Structs as supported by gRFC A52 - xds: Support for System Root Certs ([#​12499](https://togithub.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://togithub.com/grpc/grpc-java/commit/51611bad1)). Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy. The xDS `CertificateValidationContext` message (see [envoyproxy/envoy#34235](https://togithub.com/envoyproxy/envoy/pull/34235)) has a `system_root_certs` field. In the gRPC client, if this field is present and the `ca_certificate_provider_instance` field is unset, system root certificates will be used for validation. This implements [gRFC A82](https://togithub.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md). - xds: Support for GCP Authentication Filter ([#​12499](https://togithub.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://togithub.com/grpc/grpc-java/commit/51611bad1)). In service mesh environments, there are cases where intermediate proxies make it impossible to rely on mTLS for end-to-end authentication. These cases can be addressed instead by the use of service account identity JWT tokens. The xDS [GCP Authentication filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter) provides a mechanism for attaching such JWT tokens as gRPC call credentials on GCP. gRPC already supports a framework for xDS HTTP filters, as described in [gRFC A39](https://togithub.com/grpc/proposal/blob/master/A39-xds-http-filters.md). This release supports the GCP Authentication filter under this framework as described in [gRFC A83](https://togithub.com/grpc/proposal/blob/master/A83-xds-gcp-authn-filter.md). - xds: Support for xDS-based authority rewriting ([#​12499](https://togithub.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://togithub.com/grpc/grpc-java/commit/51611bad1)). gRPC supports getting routing configuration from an xDS server, as described in gRFCs [A27](https://togithub.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md) and [A28](https://togithub.com/grpc/proposal/blob/master/A28-xds-traffic-splitting-and-routing.md). The xDS configuration can configure the client to rewrite the authority header on requests. This functionality can be useful in cases where the server is using the authority header to make decisions about how to process the request, such as when multiple hosts are handled via a reverse proxy. Note that this feature is solely about rewriting the authority header on data plane RPCs; it does not affect the authority used in the TLS handshake.\ As mentioned in [gRFC A29](https://togithub.com/grpc/proposal/blob/master/A29-xds-tls-security.md), there are use-cases for gRPC that prohibit trusting the xDS server to control security-centric configuration. The authority rewriting feature falls under the same umbrella as mTLS configuration. As a result, the authority rewriting feature will only be enabled when the bootstrap config for the xDS server has `trusted_xds_server` in the `server_features` field. - xds: xDS based SNI setting and SAN validation ([#​12378](https://togithub.com/grpc/grpc-java/issues/12378)) ([`0567531`](https://togithub.com/grpc/grpc-java/commit/0567531)). When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS. Implements gRFC [A101](https://togithub.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md). ##### Documentation - api: Document gRFC A18 TCP_USER_TIMEOUT handling for keepalive ([`da70387`](https://togithub.com/grpc/grpc-java/commit/da7038782)) - core: Fix AbstractClientStream Javadoc ([`28a6130`](https://togithub.com/grpc/grpc-java/commit/28a6130e8)) - examples: Document how to preserve META-INF/services in uber jars ([`97695d5`](https://togithub.com/grpc/grpc-java/commit/97695d523)) ##### Thanks to - [@​panchenko](https://togithub.com/panchenko) - [@​Dayuxiaoshui](https://togithub.com/Dayuxiaoshui) - [@​becomeStar](https://togithub.com/becomeStar) - [@​kssumin](https://togithub.com/kssumin) - [@​marcindabrowski](https://togithub.com/marcindabrowski) - [@​MariusVolkhart](https://togithub.com/MariusVolkhart) - [@​Zgoda91](https://togithub.com/Zgoda91) - [@​devalkone](https://togithub.com/devalkone) ### [`v1.77.1`](https://togithub.com/grpc/grpc-java/releases/tag/v1.77.1) [Compare Source](https://togithub.com/grpc/grpc-java/compare/v1.77.0...v1.77.1) ##### Bug Fixes - rls: Avoid missed config update from reentrancy ([https://github.com/grpc/grpc-java/pull/12549](https://togithub.com/grpc/grpc-java/pull/12549)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) ### [`v1.77.0`](https://togithub.com/grpc/grpc-java/releases/tag/v1.77.0) [Compare Source](https://togithub.com/grpc/grpc-java/compare/v1.76.2...v1.77.0) ##### API Changes - binder: Remove experimental `BinderChannelBuilder.bindAsUser()` method, deprecated since 1.69 ([#​12401](https://togithub.com/grpc/grpc-java/issues/12401)) ([`f96ce06`](https://togithub.com/grpc/grpc-java/commit/f96ce0670)) ##### Bug Fixes - api: Fix name resolver bridge listener handling for address resolution errors for custom name resolvers ([#​12441](https://togithub.com/grpc/grpc-java/issues/12441)) ([`acbbf86`](https://togithub.com/grpc/grpc-java/commit/acbbf869a)). This fixes regression introduced in v1.68.1 causing a “IllegalStateException: No value present.” exception - core: Fix NullPointerException during address update with Happy Eyeballs ([`5e8af56`](https://togithub.com/grpc/grpc-java/commit/5e8af564e)). This should not impact many people as the code is disabled by default, behind two experimental environment variables - okhttp: Fix bidirectional keep-alive causing spurious GOAWAY ([`6fc3fd0`](https://togithub.com/grpc/grpc-java/commit/6fc3fd046)). This fixes the grpc-okhttp server incorrectly closing the connection with `GOAWAY: too_many_pings` - xds: SslContext updates handling when using system root certs ([#​12340](https://togithub.com/grpc/grpc-java/issues/12340)) ([`63fdaac`](https://togithub.com/grpc/grpc-java/commit/63fdaaccc)). Since `FileWatcherCertificateProvider` isn't used when using system root trust store, the SslContext update for the handshake that depended on it wasn't happening. This fix creates a separate `CertificateProvider` for handling system root certs that doesn't rely on the `FileWatcherCertificateProvider.` - xds: Make cluster selection interceptor run before other filters ([#​12381](https://togithub.com/grpc/grpc-java/issues/12381)) ([`82f9b8e`](https://togithub.com/grpc/grpc-java/commit/82f9b8ec0)). This is needed when there is `GcpAuthenticationFilter` in the filter chain to make available the cluster resource in `CallOption`s. - xds: Handle wildcards in DNS SAN exact matching ([#​12345](https://togithub.com/grpc/grpc-java/issues/12345)) ([`5b876cc`](https://togithub.com/grpc/grpc-java/commit/5b876cc86)) - android: Fix UdsChannelBuilder with WiFi Proxy ([`349a35a`](https://togithub.com/grpc/grpc-java/commit/349a35a9b)) - binder: Avoid potential deadlock when canceling AsyncSecurityPolicy futures ([#​12283](https://togithub.com/grpc/grpc-java/issues/12283)) ([`4725ced`](https://togithub.com/grpc/grpc-java/commit/4725ced99)) - binder: Fix a BinderServerTransport crash in the rare shutdown-before-start case ([#​12440](https://togithub.com/grpc/grpc-java/issues/12440)) ([`91f3f4d`](https://togithub.com/grpc/grpc-java/commit/91f3f4dc1)) ##### Improvements - Improve status messages by including causal error details in config parsing errors for outlier detection and xds’s wrr locality policies ([`86e8b56`](https://togithub.com/grpc/grpc-java/commit/86e8b5617)) - xds: Detect negative ref count for xds client ([`21696cd`](https://togithub.com/grpc/grpc-java/commit/21696cd3d)). A negative reference count could cause NullPointerExceptions, so when too many unrefs are detected it produces a SEVERE warning and prevents the reference count from going negative - xds: Support deprecated xDS TLS fields for Istio compat ([#​12435](https://togithub.com/grpc/grpc-java/issues/12435)) ([`53cd1a2`](https://togithub.com/grpc/grpc-java/commit/53cd1a225)). This fixes a regression with Istio introduced in v1.73.0. This gives time for [Istio’s new xDS field support](https://togithub.com/istio/istio/pull/58257) to roll out - googleapis: Allow wrapping NameResolver to inject XdsClient ([#​12450](https://togithub.com/grpc/grpc-java/issues/12450)) ([`27d1508`](https://togithub.com/grpc/grpc-java/commit/27d150890)). This allows googleapis to inject an xDS bootstrap to use with its channels even if one is already specified in the environment variable or system property. When the code was originally written there was a single global XdsClient, but since gRFC A71 Xds Fallback each target string has its own XdsClient and thus can have its own bootstrap - alts: Allow overriding metadata server address with env variable ([`9ac12ef`](https://togithub.com/grpc/grpc-java/commit/9ac12ef89)) ([`498f717`](https://togithub.com/grpc/grpc-java/commit/498f717fc)) - binder: Let the server know when the client fails to authorize it. ([#​12445](https://togithub.com/grpc/grpc-java/issues/12445)) ([`599a0a1`](https://togithub.com/grpc/grpc-java/commit/599a0a146)) This avoids the server needing to wait for the handshake timeout before realizing the handshake failed ##### New Features - opentelemetry: Implement otel retry metrics from gRFC A96 ([#​12064](https://togithub.com/grpc/grpc-java/issues/12064)) ([`d380191`](https://togithub.com/grpc/grpc-java/commit/d380191be)) - opentelemetry: propagate baggage to server metrics for custom attributes ([#​12389](https://togithub.com/grpc/grpc-java/issues/12389)) ([`155308d`](https://togithub.com/grpc/grpc-java/commit/155308db2)) - xds: Allow EC Keys in SPIFFE Bundle Map parsing ([#​12399](https://togithub.com/grpc/grpc-java/issues/12399)) ([`559e3ba`](https://togithub.com/grpc/grpc-java/commit/559e3ba41)) - xds: Enable authority rewriting (gRFC A81), system root cert support (gRFC A82), GCP authentication filter (gRFC A83), and SNI (gRFC A101) ([#​12499](https://togithub.com/grpc/grpc-java/issues/12499)) ([`246c2b1`](https://togithub.com/grpc/grpc-java/commit/246c2b1ea)). Authority rewriting requires the control plane to be labeled `trusted_xds_server` in the bootstrap. System root cert support and SNI require using XdsChannelCredentials - rls: Add route lookup reason to request whether it is due to a cache miss or stale cache entry ([#​12442](https://togithub.com/grpc/grpc-java/issues/12442)) ([`795ce02`](https://togithub.com/grpc/grpc-java/commit/795ce0280)) ##### Dependencies - compiler: C++ protobuf used by codegen upgraded to 26.1 ([#​12330](https://togithub.com/grpc/grpc-java/issues/12330)) ([`55aefd5`](https://togithub.com/grpc/grpc-java/commit/55aefd5b8)) - alts: Remove dep on grpclb ([`b769f96`](https://togithub.com/grpc/grpc-java/commit/b769f966a)). ALTS is no longer used with grpclb, so this removes dead code - Upgrade netty to 4.1.127.Final ([`b37ee67`](https://togithub.com/grpc/grpc-java/commit/b37ee67cf)) ##### Thanks to [@​panchenko](https://togithub.com/panchenko) [@​benjaminp](https://togithub.com/benjaminp) [@​HyunSangHan](https://togithub.com/HyunSangHan) [@​becomeStar](https://togithub.com/becomeStar) [@​ZachChuba](https://togithub.com/ZachChuba) [@​oliviamariacodes](https://togithub.com/oliviamariacodes) [@​kssumin](https://togithub.com/kssumin) [@​laz-canva](https://togithub.com/laz-canva) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: Renovate Bot <[email protected]>
kodiakhq bot
pushed a commit
to cloudquery/plugin-sdk-java
that referenced
this pull request
Feb 1, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [io.grpc:grpc-inprocess](https://redirect.github.com/grpc/grpc-java) | dependencies | minor | `1.76.0` -> `1.78.0` | | [io.grpc:grpc-testing](https://redirect.github.com/grpc/grpc-java) | dependencies | minor | `1.76.0` -> `1.78.0` | | [io.grpc:grpc-services](https://redirect.github.com/grpc/grpc-java) | dependencies | minor | `1.76.0` -> `1.78.0` | | [io.grpc:grpc-stub](https://redirect.github.com/grpc/grpc-java) | dependencies | minor | `1.76.0` -> `1.78.0` | | [io.grpc:grpc-protobuf](https://redirect.github.com/grpc/grpc-java) | dependencies | minor | `1.76.0` -> `1.78.0` | --- ### Release Notes <details> <summary>grpc/grpc-java (io.grpc:grpc-inprocess)</summary> ### [`v1.78.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.78.0) ##### Bug Fixes - core: Fix shutdown failing accepted RPCs during channel startup ([`02e98a8`](https://redirect.github.com/grpc/grpc-java/commit/02e98a806)). This fixes a race where RPCs could fail with "UNAVAILABLE: Channel shutdown invoked" even though they were created before channel.shutdown() - okhttp: Fix race condition overwriting MAX_CONCURRENT_STREAMS ([#​12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) ([`8d49dc1`](https://redirect.github.com/grpc/grpc-java/commit/8d49dc1c9)) - binder: Stop leaking `this` from BinderServerTransport's ctor ([#​12453](https://redirect.github.com/grpc/grpc-java/issues/12453)) ([`89d77e0`](https://redirect.github.com/grpc/grpc-java/commit/89d77e062)) - rls: Avoid missed config update from reentrancy ([`55ae1d0`](https://redirect.github.com/grpc/grpc-java/commit/55ae1d054)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) ##### Improvements - xds: gRFC A88 - Changes to XdsClient Watcher APIs ([#​12446](https://redirect.github.com/grpc/grpc-java/issues/12446)) ([`f385add`](https://redirect.github.com/grpc/grpc-java/commit/f385add31)). We now have improved xDS error handling and this provides a clearer mechanism for the xDS server to report per-resource errors to the client, resulting in better error messages for debugging and faster detection of non-existent resources. This also improves the handling of all xDS-related data errors and the behavior of the xDS resource timer. - rls: Control plane channel monitor state and back off handling ([#​12460](https://redirect.github.com/grpc/grpc-java/issues/12460)) ([`26c1c13`](https://redirect.github.com/grpc/grpc-java/commit/26c1c1341)). Resets RLS request backoff timers when the Control plane channel state transitions to READY. Also when the backoff timer expires, instead of making a RLS request immediately, it just causes a picker update to allow making rpc again to the RLS target. - core: simplify DnsNameResolver.resolveAddresses() ([`4843256`](https://redirect.github.com/grpc/grpc-java/commit/4843256af)) - netty: Run handshakeCompleteRunnable in success cases ([`283f103`](https://redirect.github.com/grpc/grpc-java/commit/283f1031f)) - api,netty: Add custom header support for HTTP CONNECT proxy ([`bbc0aa3`](https://redirect.github.com/grpc/grpc-java/commit/bbc0aa369)) - binder: Pre-factor out the guts of the BinderClientTransport handshake. ([`9313e87`](https://redirect.github.com/grpc/grpc-java/commit/9313e87df)) - compiler: Add RISC-V 64-bit architecture support to compiler build configuration ([`725ab22`](https://redirect.github.com/grpc/grpc-java/commit/725ab22f3)) - core: Release lock before closing shared resource ([`cb73f21`](https://redirect.github.com/grpc/grpc-java/commit/cb73f217e)). Shared resources are internal to gRPC for sharing expensive objects across channels and servers, like threads. This reduces the chances of forming a deadlock, like seen with s2a in [`d50098f`](https://redirect.github.com/grpc/grpc-java/commit/d50098f) - Upgrade gson to 2.12.1 ([`6dab2ce`](https://redirect.github.com/grpc/grpc-java/commit/6dab2ceab)) - Upgrade dependencies ([`f36defa`](https://redirect.github.com/grpc/grpc-java/commit/f36defa2d)). proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0, error-prone annotations to 2.44.0, guava to 33.5.0-android, opentelemetry to 1.56.0 - compiler: Update maximum supported protobuf edition to EDITION\_2024 ([`2f64092`](https://redirect.github.com/grpc/grpc-java/commit/2f64092b8)) - binder: Introduce server authorization strategy v2 ([`d971072`](https://redirect.github.com/grpc/grpc-java/commit/d9710725d)). Adds support for `android:isolatedProcess` Services and moves all security checks to the handshake, making subsequent transactions more efficient. ##### New Features - compiler: Upgrade to C++ protobuf 33.1 ([#​12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) ([`58ae5f8`](https://redirect.github.com/grpc/grpc-java/commit/58ae5f808)). - util: Add gRFC A68 random subsetting LB ([`48a4288`](https://redirect.github.com/grpc/grpc-java/commit/48a42889d)). The policy uses the name `random_subsetting_experimental`. If it is working for you, tell us so we can gauge marking it stable. While the xDS portions haven’t yet landed, it is possible to use with xDS with JSON-style Structs as supported by gRFC A52 - xds: Support for System Root Certs ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy. The xDS `CertificateValidationContext` message (see [envoyproxy/envoy#34235](https://redirect.github.com/envoyproxy/envoy/pull/34235)) has a `system_root_certs` field. In the gRPC client, if this field is present and the `ca_certificate_provider_instance` field is unset, system root certificates will be used for validation. This implements [gRFC A82](https://redirect.github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md). - xds: Support for GCP Authentication Filter ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). In service mesh environments, there are cases where intermediate proxies make it impossible to rely on mTLS for end-to-end authentication. These cases can be addressed instead by the use of service account identity JWT tokens. The xDS [GCP Authentication filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter) provides a mechanism for attaching such JWT tokens as gRPC call credentials on GCP. gRPC already supports a framework for xDS HTTP filters, as described in [gRFC A39](https://redirect.github.com/grpc/proposal/blob/master/A39-xds-http-filters.md). This release supports the GCP Authentication filter under this framework as described in [gRFC A83](https://redirect.github.com/grpc/proposal/blob/master/A83-xds-gcp-authn-filter.md). - xds: Support for xDS-based authority rewriting ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). gRPC supports getting routing configuration from an xDS server, as described in gRFCs [A27](https://redirect.github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md) and [A28](https://redirect.github.com/grpc/proposal/blob/master/A28-xds-traffic-splitting-and-routing.md). The xDS configuration can configure the client to rewrite the authority header on requests. This functionality can be useful in cases where the server is using the authority header to make decisions about how to process the request, such as when multiple hosts are handled via a reverse proxy. Note that this feature is solely about rewriting the authority header on data plane RPCs; it does not affect the authority used in the TLS handshake.\ As mentioned in [gRFC A29](https://redirect.github.com/grpc/proposal/blob/master/A29-xds-tls-security.md), there are use-cases for gRPC that prohibit trusting the xDS server to control security-centric configuration. The authority rewriting feature falls under the same umbrella as mTLS configuration. As a result, the authority rewriting feature will only be enabled when the bootstrap config for the xDS server has `trusted_xds_server` in the `server_features` field. - xds: xDS based SNI setting and SAN validation ([#​12378](https://redirect.github.com/grpc/grpc-java/issues/12378)) ([`0567531`](https://redirect.github.com/grpc/grpc-java/commit/0567531)). When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS. Implements gRFC [A101](https://redirect.github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md). ##### Documentation - api: Document gRFC A18 TCP_USER_TIMEOUT handling for keepalive ([`da70387`](https://redirect.github.com/grpc/grpc-java/commit/da7038782)) - core: Fix AbstractClientStream Javadoc ([`28a6130`](https://redirect.github.com/grpc/grpc-java/commit/28a6130e8)) - examples: Document how to preserve META-INF/services in uber jars ([`97695d5`](https://redirect.github.com/grpc/grpc-java/commit/97695d523)) ##### Thanks to - [@​panchenko](https://redirect.github.com/panchenko) - [@​Dayuxiaoshui](https://redirect.github.com/Dayuxiaoshui) - [@​becomeStar](https://redirect.github.com/becomeStar) - [@​kssumin](https://redirect.github.com/kssumin) - [@​marcindabrowski](https://redirect.github.com/marcindabrowski) - [@​MariusVolkhart](https://redirect.github.com/MariusVolkhart) - [@​Zgoda91](https://redirect.github.com/Zgoda91) - [@​devalkone](https://redirect.github.com/devalkone) ### [`v1.77.1`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.77.1) ##### Bug Fixes - rls: Avoid missed config update from reentrancy ([https://github.com/grpc/grpc-java/pull/12549](https://redirect.github.com/grpc/grpc-java/pull/12549)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) ### [`v1.77.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.77.0) ##### API Changes - binder: Remove experimental `BinderChannelBuilder.bindAsUser()` method, deprecated since 1.69 ([#​12401](https://redirect.github.com/grpc/grpc-java/issues/12401)) ([`f96ce06`](https://redirect.github.com/grpc/grpc-java/commit/f96ce0670)) ##### Bug Fixes - api: Fix name resolver bridge listener handling for address resolution errors for custom name resolvers ([#​12441](https://redirect.github.com/grpc/grpc-java/issues/12441)) ([`acbbf86`](https://redirect.github.com/grpc/grpc-java/commit/acbbf869a)). This fixes regression introduced in v1.68.1 causing a “IllegalStateException: No value present.” exception - core: Fix NullPointerException during address update with Happy Eyeballs ([`5e8af56`](https://redirect.github.com/grpc/grpc-java/commit/5e8af564e)). This should not impact many people as the code is disabled by default, behind two experimental environment variables - okhttp: Fix bidirectional keep-alive causing spurious GOAWAY ([`6fc3fd0`](https://redirect.github.com/grpc/grpc-java/commit/6fc3fd046)). This fixes the grpc-okhttp server incorrectly closing the connection with `GOAWAY: too_many_pings` - xds: SslContext updates handling when using system root certs ([#​12340](https://redirect.github.com/grpc/grpc-java/issues/12340)) ([`63fdaac`](https://redirect.github.com/grpc/grpc-java/commit/63fdaaccc)). Since `FileWatcherCertificateProvider` isn't used when using system root trust store, the SslContext update for the handshake that depended on it wasn't happening. This fix creates a separate `CertificateProvider` for handling system root certs that doesn't rely on the `FileWatcherCertificateProvider.` - xds: Make cluster selection interceptor run before other filters ([#​12381](https://redirect.github.com/grpc/grpc-java/issues/12381)) ([`82f9b8e`](https://redirect.github.com/grpc/grpc-java/commit/82f9b8ec0)). This is needed when there is `GcpAuthenticationFilter` in the filter chain to make available the cluster resource in `CallOption`s. - xds: Handle wildcards in DNS SAN exact matching ([#​12345](https://redirect.github.com/grpc/grpc-java/issues/12345)) ([`5b876cc`](https://redirect.github.com/grpc/grpc-java/commit/5b876cc86)) - android: Fix UdsChannelBuilder with WiFi Proxy ([`349a35a`](https://redirect.github.com/grpc/grpc-java/commit/349a35a9b)) - binder: Avoid potential deadlock when canceling AsyncSecurityPolicy futures ([#​12283](https://redirect.github.com/grpc/grpc-java/issues/12283)) ([`4725ced`](https://redirect.github.com/grpc/grpc-java/commit/4725ced99)) - binder: Fix a BinderServerTransport crash in the rare shutdown-before-start case ([#​12440](https://redirect.github.com/grpc/grpc-java/issues/12440)) ([`91f3f4d`](https://redirect.github.com/grpc/grpc-java/commit/91f3f4dc1)) ##### Improvements - Improve status messages by including causal error details in config parsing errors for outlier detection and xds’s wrr locality policies ([`86e8b56`](https://redirect.github.com/grpc/grpc-java/commit/86e8b5617)) - xds: Detect negative ref count for xds client ([`21696cd`](https://redirect.github.com/grpc/grpc-java/commit/21696cd3d)). A negative reference count could cause NullPointerExceptions, so when too many unrefs are detected it produces a SEVERE warning and prevents the reference count from going negative - xds: Support deprecated xDS TLS fields for Istio compat ([#​12435](https://redirect.github.com/grpc/grpc-java/issues/12435)) ([`53cd1a2`](https://redirect.github.com/grpc/grpc-java/commit/53cd1a225)). This fixes a regression with Istio introduced in v1.73.0. This gives time for [Istio’s new xDS field support](https://redirect.github.com/istio/istio/pull/58257) to roll out - googleapis: Allow wrapping NameResolver to inject XdsClient ([#​12450](https://redirect.github.com/grpc/grpc-java/issues/12450)) ([`27d1508`](https://redirect.github.com/grpc/grpc-java/commit/27d150890)). This allows googleapis to inject an xDS bootstrap to use with its channels even if one is already specified in the environment variable or system property. When the code was originally written there was a single global XdsClient, but since gRFC A71 Xds Fallback each target string has its own XdsClient and thus can have its own bootstrap - alts: Allow overriding metadata server address with env variable ([`9ac12ef`](https://redirect.github.com/grpc/grpc-java/commit/9ac12ef89)) ([`498f717`](https://redirect.github.com/grpc/grpc-java/commit/498f717fc)) - binder: Let the server know when the client fails to authorize it. ([#​12445](https://redirect.github.com/grpc/grpc-java/issues/12445)) ([`599a0a1`](https://redirect.github.com/grpc/grpc-java/commit/599a0a146)) This avoids the server needing to wait for the handshake timeout before realizing the handshake failed ##### New Features - opentelemetry: Implement otel retry metrics from gRFC A96 ([#​12064](https://redirect.github.com/grpc/grpc-java/issues/12064)) ([`d380191`](https://redirect.github.com/grpc/grpc-java/commit/d380191be)) - opentelemetry: propagate baggage to server metrics for custom attributes ([#​12389](https://redirect.github.com/grpc/grpc-java/issues/12389)) ([`155308d`](https://redirect.github.com/grpc/grpc-java/commit/155308db2)) - xds: Allow EC Keys in SPIFFE Bundle Map parsing ([#​12399](https://redirect.github.com/grpc/grpc-java/issues/12399)) ([`559e3ba`](https://redirect.github.com/grpc/grpc-java/commit/559e3ba41)) - xds: Enable authority rewriting (gRFC A81), system root cert support (gRFC A82), GCP authentication filter (gRFC A83), and SNI (gRFC A101) ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`246c2b1`](https://redirect.github.com/grpc/grpc-java/commit/246c2b1ea)). Authority rewriting requires the control plane to be labeled `trusted_xds_server` in the bootstrap. System root cert support and SNI require using XdsChannelCredentials - rls: Add route lookup reason to request whether it is due to a cache miss or stale cache entry ([#​12442](https://redirect.github.com/grpc/grpc-java/issues/12442)) ([`795ce02`](https://redirect.github.com/grpc/grpc-java/commit/795ce0280)) ##### Dependencies - compiler: C++ protobuf used by codegen upgraded to 26.1 ([#​12330](https://redirect.github.com/grpc/grpc-java/issues/12330)) ([`55aefd5`](https://redirect.github.com/grpc/grpc-java/commit/55aefd5b8)) - alts: Remove dep on grpclb ([`b769f96`](https://redirect.github.com/grpc/grpc-java/commit/b769f966a)). ALTS is no longer used with grpclb, so this removes dead code - Upgrade netty to 4.1.127.Final ([`b37ee67`](https://redirect.github.com/grpc/grpc-java/commit/b37ee67cf)) ##### Thanks to [@​panchenko](https://redirect.github.com/panchenko) [@​benjaminp](https://redirect.github.com/benjaminp) [@​HyunSangHan](https://redirect.github.com/HyunSangHan) [@​becomeStar](https://redirect.github.com/becomeStar) [@​ZachChuba](https://redirect.github.com/ZachChuba) [@​oliviamariacodes](https://redirect.github.com/oliviamariacodes) [@​kssumin](https://redirect.github.com/kssumin) [@​laz-canva](https://redirect.github.com/laz-canva) ### [`v1.76.3`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.76.3) ##### Dependencies - Downgrade OpenTelemetry to 1.51.0 to make it easier for people dealing with the OkHttp 4.x → 5.x upgrade of some OpenTelemetry modules ([`354d8b4`](https://redirect.github.com/grpc/grpc-java/commit/354d8b451)). gRPC is not using the impacted OpenTelemetry modules. Users are still free to upgrade to newer versions of OpenTelemetry of their choosing. ### [`v1.76.2`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.76.2) ##### Bug Fixes - rls: Avoid missed config update from reentrancy ([https://github.com/grpc/grpc-java/pull/12550](https://redirect.github.com/grpc/grpc-java/pull/12550)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) ### [`v1.76.1`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.76.1) ##### Bug Fixes - core: Fix NullPointerException during address update with Happy Eyeballs ([`5e8af56`](https://redirect.github.com/grpc/grpc-java/commit/5e8af564e)). This should not impact many people as the code is disabled by default, behind two experimental environment variables </details> --- ### Configuration 📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC4yMi4xIiwidXBkYXRlZEluVmVyIjoiNDAuMjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYXV0b21lcmdlIl19-->
kodiakhq bot
pushed a commit
to cloudquery/cloudquery
that referenced
this pull request
Feb 2, 2026
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [io.grpc:grpc-testing](https://redirect.github.com/grpc/grpc-java) | dependencies | minor | `1.69.0` -> `1.78.0` |
| [io.grpc:grpc-services](https://redirect.github.com/grpc/grpc-java) | dependencies | minor | `1.69.0` -> `1.78.0` |
| [io.grpc:grpc-stub](https://redirect.github.com/grpc/grpc-java) | dependencies | minor | `1.69.0` -> `1.78.0` |
| [io.grpc:grpc-protobuf](https://redirect.github.com/grpc/grpc-java) | dependencies | minor | `1.69.0` -> `1.78.0` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
---
### Release Notes
<details>
<summary>grpc/grpc-java (io.grpc:grpc-testing)</summary>
### [`v1.78.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.78.0)
##### Bug Fixes
- core: Fix shutdown failing accepted RPCs during channel startup ([`02e98a8`](https://redirect.github.com/grpc/grpc-java/commit/02e98a806)). This fixes a race where RPCs could fail with "UNAVAILABLE: Channel shutdown invoked" even though they were created before channel.shutdown()
- okhttp: Fix race condition overwriting MAX_CONCURRENT_STREAMS ([#​12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) ([`8d49dc1`](https://redirect.github.com/grpc/grpc-java/commit/8d49dc1c9))
- binder: Stop leaking `this` from BinderServerTransport's ctor ([#​12453](https://redirect.github.com/grpc/grpc-java/issues/12453)) ([`89d77e0`](https://redirect.github.com/grpc/grpc-java/commit/89d77e062))
- rls: Avoid missed config update from reentrancy ([`55ae1d0`](https://redirect.github.com/grpc/grpc-java/commit/55ae1d054)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update)
##### Improvements
- xds: gRFC A88 - Changes to XdsClient Watcher APIs ([#​12446](https://redirect.github.com/grpc/grpc-java/issues/12446)) ([`f385add`](https://redirect.github.com/grpc/grpc-java/commit/f385add31)). We now have improved xDS error handling and this provides a clearer mechanism for the xDS server to report per-resource errors to the client, resulting in better error messages for debugging and faster detection of non-existent resources. This also improves the handling of all xDS-related data errors and the behavior of the xDS resource timer.
- rls: Control plane channel monitor state and back off handling ([#​12460](https://redirect.github.com/grpc/grpc-java/issues/12460)) ([`26c1c13`](https://redirect.github.com/grpc/grpc-java/commit/26c1c1341)). Resets RLS request backoff timers when the Control plane channel state transitions to READY. Also when the backoff timer expires, instead of making a RLS request immediately, it just causes a picker update to allow making rpc again to the RLS target.
- core: simplify DnsNameResolver.resolveAddresses() ([`4843256`](https://redirect.github.com/grpc/grpc-java/commit/4843256af))
- netty: Run handshakeCompleteRunnable in success cases ([`283f103`](https://redirect.github.com/grpc/grpc-java/commit/283f1031f))
- api,netty: Add custom header support for HTTP CONNECT proxy ([`bbc0aa3`](https://redirect.github.com/grpc/grpc-java/commit/bbc0aa369))
- binder: Pre-factor out the guts of the BinderClientTransport handshake. ([`9313e87`](https://redirect.github.com/grpc/grpc-java/commit/9313e87df))
- compiler: Add RISC-V 64-bit architecture support to compiler build configuration ([`725ab22`](https://redirect.github.com/grpc/grpc-java/commit/725ab22f3))
- core: Release lock before closing shared resource ([`cb73f21`](https://redirect.github.com/grpc/grpc-java/commit/cb73f217e)). Shared resources are internal to gRPC for sharing expensive objects across channels and servers, like threads. This reduces the chances of forming a deadlock, like seen with s2a in [`d50098f`](https://redirect.github.com/grpc/grpc-java/commit/d50098f)
- Upgrade gson to 2.12.1 ([`6dab2ce`](https://redirect.github.com/grpc/grpc-java/commit/6dab2ceab))
- Upgrade dependencies ([`f36defa`](https://redirect.github.com/grpc/grpc-java/commit/f36defa2d)). proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0, error-prone annotations to 2.44.0, guava to 33.5.0-android, opentelemetry to 1.56.0
- compiler: Update maximum supported protobuf edition to EDITION\_2024 ([`2f64092`](https://redirect.github.com/grpc/grpc-java/commit/2f64092b8))
- binder: Introduce server authorization strategy v2 ([`d971072`](https://redirect.github.com/grpc/grpc-java/commit/d9710725d)). Adds support for `android:isolatedProcess` Services and moves all security checks to the handshake, making subsequent transactions more efficient.
##### New Features
- compiler: Upgrade to C++ protobuf 33.1 ([#​12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) ([`58ae5f8`](https://redirect.github.com/grpc/grpc-java/commit/58ae5f808)).
- util: Add gRFC A68 random subsetting LB ([`48a4288`](https://redirect.github.com/grpc/grpc-java/commit/48a42889d)). The policy uses the name `random_subsetting_experimental`. If it is working for you, tell us so we can gauge marking it stable. While the xDS portions haven’t yet landed, it is possible to use with xDS with JSON-style Structs as supported by gRFC A52
- xds: Support for System Root Certs ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy. The xDS `CertificateValidationContext` message (see [envoyproxy/envoy#34235](https://redirect.github.com/envoyproxy/envoy/pull/34235)) has a `system_root_certs` field. In the gRPC client, if this field is present and the `ca_certificate_provider_instance` field is unset, system root certificates will be used for validation. This implements [gRFC A82](https://redirect.github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md).
- xds: Support for GCP Authentication Filter ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). In service mesh environments, there are cases where intermediate proxies make it impossible to rely on mTLS for end-to-end authentication. These cases can be addressed instead by the use of service account identity JWT tokens. The xDS [GCP Authentication filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter) provides a mechanism for attaching such JWT tokens as gRPC call credentials on GCP. gRPC already supports a framework for xDS HTTP filters, as described in [gRFC A39](https://redirect.github.com/grpc/proposal/blob/master/A39-xds-http-filters.md). This release supports the GCP Authentication filter under this framework as described in [gRFC A83](https://redirect.github.com/grpc/proposal/blob/master/A83-xds-gcp-authn-filter.md).
- xds: Support for xDS-based authority rewriting ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). gRPC supports getting routing configuration from an xDS server, as described in gRFCs [A27](https://redirect.github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md) and [A28](https://redirect.github.com/grpc/proposal/blob/master/A28-xds-traffic-splitting-and-routing.md). The xDS configuration can configure the client to rewrite the authority header on requests. This functionality can be useful in cases where the server is using the authority header to make decisions about how to process the request, such as when multiple hosts are handled via a reverse proxy. Note that this feature is solely about rewriting the authority header on data plane RPCs; it does not affect the authority used in the TLS handshake.\
As mentioned in [gRFC A29](https://redirect.github.com/grpc/proposal/blob/master/A29-xds-tls-security.md), there are use-cases for gRPC that prohibit trusting the xDS server to control security-centric configuration. The authority rewriting feature falls under the same umbrella as mTLS configuration. As a result, the authority rewriting feature will only be enabled when the bootstrap config for the xDS server has `trusted_xds_server` in the `server_features` field.
- xds: xDS based SNI setting and SAN validation ([#​12378](https://redirect.github.com/grpc/grpc-java/issues/12378)) ([`0567531`](https://redirect.github.com/grpc/grpc-java/commit/0567531)). When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS. Implements gRFC [A101](https://redirect.github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md).
##### Documentation
- api: Document gRFC A18 TCP_USER_TIMEOUT handling for keepalive ([`da70387`](https://redirect.github.com/grpc/grpc-java/commit/da7038782))
- core: Fix AbstractClientStream Javadoc ([`28a6130`](https://redirect.github.com/grpc/grpc-java/commit/28a6130e8))
- examples: Document how to preserve META-INF/services in uber jars ([`97695d5`](https://redirect.github.com/grpc/grpc-java/commit/97695d523))
##### Thanks to
- [@​panchenko](https://redirect.github.com/panchenko)
- [@​Dayuxiaoshui](https://redirect.github.com/Dayuxiaoshui)
- [@​becomeStar](https://redirect.github.com/becomeStar)
- [@​kssumin](https://redirect.github.com/kssumin)
- [@​marcindabrowski](https://redirect.github.com/marcindabrowski)
- [@​MariusVolkhart](https://redirect.github.com/MariusVolkhart)
- [@​Zgoda91](https://redirect.github.com/Zgoda91)
- [@​devalkone](https://redirect.github.com/devalkone)
### [`v1.77.1`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.77.1)
##### Bug Fixes
- rls: Avoid missed config update from reentrancy ([https://github.com/grpc/grpc-java/pull/12549](https://redirect.github.com/grpc/grpc-java/pull/12549)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update)
### [`v1.77.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.77.0)
##### API Changes
- binder: Remove experimental `BinderChannelBuilder.bindAsUser()` method, deprecated since 1.69 ([#​12401](https://redirect.github.com/grpc/grpc-java/issues/12401)) ([`f96ce06`](https://redirect.github.com/grpc/grpc-java/commit/f96ce0670))
##### Bug Fixes
- api: Fix name resolver bridge listener handling for address resolution errors for custom name resolvers ([#​12441](https://redirect.github.com/grpc/grpc-java/issues/12441)) ([`acbbf86`](https://redirect.github.com/grpc/grpc-java/commit/acbbf869a)). This fixes regression introduced in v1.68.1 causing a “IllegalStateException: No value present.” exception
- core: Fix NullPointerException during address update with Happy Eyeballs ([`5e8af56`](https://redirect.github.com/grpc/grpc-java/commit/5e8af564e)). This should not impact many people as the code is disabled by default, behind two experimental environment variables
- okhttp: Fix bidirectional keep-alive causing spurious GOAWAY ([`6fc3fd0`](https://redirect.github.com/grpc/grpc-java/commit/6fc3fd046)). This fixes the grpc-okhttp server incorrectly closing the connection with `GOAWAY: too_many_pings`
- xds: SslContext updates handling when using system root certs ([#​12340](https://redirect.github.com/grpc/grpc-java/issues/12340)) ([`63fdaac`](https://redirect.github.com/grpc/grpc-java/commit/63fdaaccc)). Since `FileWatcherCertificateProvider` isn't used when using system root trust store, the SslContext update for the handshake that depended on it wasn't happening. This fix creates a separate `CertificateProvider` for handling system root certs that doesn't rely on the `FileWatcherCertificateProvider.`
- xds: Make cluster selection interceptor run before other filters ([#​12381](https://redirect.github.com/grpc/grpc-java/issues/12381)) ([`82f9b8e`](https://redirect.github.com/grpc/grpc-java/commit/82f9b8ec0)). This is needed when there is `GcpAuthenticationFilter` in the filter chain to make available the cluster resource in `CallOption`s.
- xds: Handle wildcards in DNS SAN exact matching ([#​12345](https://redirect.github.com/grpc/grpc-java/issues/12345)) ([`5b876cc`](https://redirect.github.com/grpc/grpc-java/commit/5b876cc86))
- android: Fix UdsChannelBuilder with WiFi Proxy ([`349a35a`](https://redirect.github.com/grpc/grpc-java/commit/349a35a9b))
- binder: Avoid potential deadlock when canceling AsyncSecurityPolicy futures ([#​12283](https://redirect.github.com/grpc/grpc-java/issues/12283)) ([`4725ced`](https://redirect.github.com/grpc/grpc-java/commit/4725ced99))
- binder: Fix a BinderServerTransport crash in the rare shutdown-before-start case ([#​12440](https://redirect.github.com/grpc/grpc-java/issues/12440)) ([`91f3f4d`](https://redirect.github.com/grpc/grpc-java/commit/91f3f4dc1))
##### Improvements
- Improve status messages by including causal error details in config parsing errors for outlier detection and xds’s wrr locality policies ([`86e8b56`](https://redirect.github.com/grpc/grpc-java/commit/86e8b5617))
- xds: Detect negative ref count for xds client ([`21696cd`](https://redirect.github.com/grpc/grpc-java/commit/21696cd3d)). A negative reference count could cause NullPointerExceptions, so when too many unrefs are detected it produces a SEVERE warning and prevents the reference count from going negative
- xds: Support deprecated xDS TLS fields for Istio compat ([#​12435](https://redirect.github.com/grpc/grpc-java/issues/12435)) ([`53cd1a2`](https://redirect.github.com/grpc/grpc-java/commit/53cd1a225)). This fixes a regression with Istio introduced in v1.73.0. This gives time for [Istio’s new xDS field support](https://redirect.github.com/istio/istio/pull/58257) to roll out
- googleapis: Allow wrapping NameResolver to inject XdsClient ([#​12450](https://redirect.github.com/grpc/grpc-java/issues/12450)) ([`27d1508`](https://redirect.github.com/grpc/grpc-java/commit/27d150890)). This allows googleapis to inject an xDS bootstrap to use with its channels even if one is already specified in the environment variable or system property. When the code was originally written there was a single global XdsClient, but since gRFC A71 Xds Fallback each target string has its own XdsClient and thus can have its own bootstrap
- alts: Allow overriding metadata server address with env variable ([`9ac12ef`](https://redirect.github.com/grpc/grpc-java/commit/9ac12ef89)) ([`498f717`](https://redirect.github.com/grpc/grpc-java/commit/498f717fc))
- binder: Let the server know when the client fails to authorize it. ([#​12445](https://redirect.github.com/grpc/grpc-java/issues/12445)) ([`599a0a1`](https://redirect.github.com/grpc/grpc-java/commit/599a0a146)) This avoids the server needing to wait for the handshake timeout before realizing the handshake failed
##### New Features
- opentelemetry: Implement otel retry metrics from gRFC A96 ([#​12064](https://redirect.github.com/grpc/grpc-java/issues/12064)) ([`d380191`](https://redirect.github.com/grpc/grpc-java/commit/d380191be))
- opentelemetry: propagate baggage to server metrics for custom attributes ([#​12389](https://redirect.github.com/grpc/grpc-java/issues/12389)) ([`155308d`](https://redirect.github.com/grpc/grpc-java/commit/155308db2))
- xds: Allow EC Keys in SPIFFE Bundle Map parsing ([#​12399](https://redirect.github.com/grpc/grpc-java/issues/12399)) ([`559e3ba`](https://redirect.github.com/grpc/grpc-java/commit/559e3ba41))
- xds: Enable authority rewriting (gRFC A81), system root cert support (gRFC A82), GCP authentication filter (gRFC A83), and SNI (gRFC A101) ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`246c2b1`](https://redirect.github.com/grpc/grpc-java/commit/246c2b1ea)). Authority rewriting requires the control plane to be labeled `trusted_xds_server` in the bootstrap. System root cert support and SNI require using XdsChannelCredentials
- rls: Add route lookup reason to request whether it is due to a cache miss or stale cache entry ([#​12442](https://redirect.github.com/grpc/grpc-java/issues/12442)) ([`795ce02`](https://redirect.github.com/grpc/grpc-java/commit/795ce0280))
##### Dependencies
- compiler: C++ protobuf used by codegen upgraded to 26.1 ([#​12330](https://redirect.github.com/grpc/grpc-java/issues/12330)) ([`55aefd5`](https://redirect.github.com/grpc/grpc-java/commit/55aefd5b8))
- alts: Remove dep on grpclb ([`b769f96`](https://redirect.github.com/grpc/grpc-java/commit/b769f966a)). ALTS is no longer used with grpclb, so this removes dead code
- Upgrade netty to 4.1.127.Final ([`b37ee67`](https://redirect.github.com/grpc/grpc-java/commit/b37ee67cf))
##### Thanks to
[@​panchenko](https://redirect.github.com/panchenko)
[@​benjaminp](https://redirect.github.com/benjaminp)
[@​HyunSangHan](https://redirect.github.com/HyunSangHan)
[@​becomeStar](https://redirect.github.com/becomeStar)
[@​ZachChuba](https://redirect.github.com/ZachChuba)
[@​oliviamariacodes](https://redirect.github.com/oliviamariacodes)
[@​kssumin](https://redirect.github.com/kssumin)
[@​laz-canva](https://redirect.github.com/laz-canva)
### [`v1.76.3`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.76.3)
##### Dependencies
- Downgrade OpenTelemetry to 1.51.0 to make it easier for people dealing with the OkHttp 4.x → 5.x upgrade of some OpenTelemetry modules ([`354d8b4`](https://redirect.github.com/grpc/grpc-java/commit/354d8b451)). gRPC is not using the impacted OpenTelemetry modules. Users are still free to upgrade to newer versions of OpenTelemetry of their choosing.
### [`v1.76.2`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.76.2)
##### Bug Fixes
- rls: Avoid missed config update from reentrancy ([https://github.com/grpc/grpc-java/pull/12550](https://redirect.github.com/grpc/grpc-java/pull/12550)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update)
### [`v1.76.1`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.76.1)
##### Bug Fixes
- core: Fix NullPointerException during address update with Happy Eyeballs ([`5e8af56`](https://redirect.github.com/grpc/grpc-java/commit/5e8af564e)). This should not impact many people as the code is disabled by default, behind two experimental environment variables
### [`v1.76.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.76.0)
##### Bug Fixes
- **xds:** ClusterResolverLb has been converted to use XdsDepManager, which finishes the changes for [gRFC A74 xDS Config Tears](https://redirect.github.com/grpc/proposal/blob/master/A74-xds-config-tears.md). This change should resolve some unnecessary reconnections introduced in v1.75.0 when using weighted_round_robin and maybe other policies.
- **netty:** Remove Netty version detection since grpc-netty-shaded can't reliably determine its Netty version when multiple copies of Netty are present (even when shaded). This fixes the resurfacing of the Netty 4.1.111 corruption fixed in 1.65.0. That version fixed grpc-netty, but v1.75.0 upgraded grpc-netty-shaded to Netty 4.1.111 and exposed the Netty version detection problem. This fixes corruption, so the error messages range wildly, but one of them is "RESOURCE_EXHAUSTED: gRPC message exceeds maximum size"
- **compiler:** A fix has been implemented for the blockingV2 stub to mangle generated method names that conflict with java.lang.Object methods.
- **servlet:** A race condition in AsyncServletOutputStreamWriter has been fixed to prevent threads from getting stuck.
- **servlet:** An issue where AsyncContext.complete() was called multiple times, causing an IllegalStateException, has been resolved.
- **binder:** The REMOTE_UID is now required to hold the exact UID passed to the SecurityPolicy.
- **binder:** The server will now only accept post-setup transactions from the authorized server UID.
- **util:** AdvancedTlsX509TrustManager now errors with a message to say that files don’t exist instead of the previous “Files were unmodified before their initial update. Probably a bug.”
- **android:** A fix has been implemented for network change handling on API levels below 24.
##### Improvements
- **api:** Allocations of Attributes.Builder have been reduced. This mostly benefits attributes.toBuilder(), but that’s not expected to be visible in regular workloads.
- **api:** An empty array allocation in LoadBalancer.CreateSubchannelArgs.Builder has been avoided. It is a small optimization and is not expected to have any performance impact.
- **servlet:** A configurable methodNameResolver has been added to configure the mapping from servlet request paths to gRPC method name
- **servlet:** Avoid a race by increasing the AsyncContext timeout by 5 seconds. The gRPC Context timeout should trigger first
- **xds:** Pretty-print envoy.service.discovery.v3.Resource in debug logs
- **bazel:** The java/proto rules from rules_java/rules_proto are now used instead of native rules.
- **bazel:** Unnecessary direct build dependencies were removed from some targets
- **netty:** Support for the BCJSSE provider has been added in GrpcSslContexts.
- **netty:** Huffman coding in server response headers has been disabled; it was already disabled for client request headers
- **netty:** Include allow header for HTTP response code 405
- **okhttp:** Include allow header for HTTP response code 405
- **binder:** Error descriptions for ServiceConnection callbacks have been improved
- **binder:** Apps can now call SecurityPolicy.checkAuthorization() by PeerUid.
##### New Features
- **stub:** Trailers are now propagated in StatusException when thrown by BlockingClientCall.
- **compiler:** Support for macOS aarch64 with a universal binary has been added.
- **opentelemetry:** grpc.subchannel.\* metrics as described in [gRFC A94 OTel metrics for Subchannels](https://redirect.github.com/grpc/proposal/blob/master/A94-subchannel-otel-metrics.md) have been added. grpc.disconnect_error will show as “unknown” until transports implement support
- **binder:** A NameResolver for Android's intent: URIs has been introduced.
- **binder:** A basic SocketStats with just the local and remote addresses has been added for channelz.
##### Documentation
- **SECURITY.md:** The documentation now describes how to use gcompat with LD_PRELOAD for Alpine.
- **examples:** The documentation now explains Bazel BCR releases and the git_override option.
##### Dependencies
- Upgraded Guava version to 33.4.8.
- The org.apache.tomcat:annotations-api dependency has been removed from the examples.
##### Thanks to
@​[JoeCqupt](https://redirect.github.com/JoeCqupt)
@​[Sangamesh1997](https://redirect.github.com/Sangamesh1997)
@​[benjaminp](https://redirect.github.com/benjaminp)
@​[camelcc](https://redirect.github.com/camelcc)
@​[dmytroreutov](https://redirect.github.com/dmytroreutov)
@​[duckladydinh](https://redirect.github.com/duckladydinh)
@​[jirkafm](https://redirect.github.com/jirkafm)
@​[kilink](https://redirect.github.com/kilink)
@​[panchenko](https://redirect.github.com/panchenko)
@​[umairk79](https://redirect.github.com/umairk79)
@​[vimanikag](https://redirect.github.com/vimanikag)
@​[werkt](https://redirect.github.com/werkt)
@​[xuhongxu96](https://redirect.github.com/xuhongxu96)
@​[zrlw](https://redirect.github.com/zrlw)
### [`v1.75.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.75.0)
##### Behavior Changes
- binder: Introduce server pre-authorization ([#​12127](https://redirect.github.com/grpc/grpc-java/issues/12127)). grpc-binder clients authorize servers by checking the UID of the sender of the SETUP_TRANSPORT Binder transaction against some SecurityPolicy. But merely binding to an unauthorized server to learn its UID can enable "keep-alive" and "background activity launch" abuse, even if security policy ultimately causes the grpc connection to fail. Pre-authorization mitigates this kind of abuse by resolving addresses and authorizing a candidate server Application's UID before binding to it. Pre-auth is especially important when the server's address is not fixed in advance but discovered by PackageManager lookup.
##### Bug Fixes
- core: `grpc-timeout` should always be positive ([#​12201](https://redirect.github.com/grpc/grpc-java/issues/12201)) ([`6dfa03c`](https://redirect.github.com/grpc/grpc-java/commit/6dfa03c51)). There is a local race between when the deadline is checked before sending the RPC and when the timeout is calculated to put on-the-wire. The code replaced negative timeouts with 0 nanoseconds. gRPC’s PROTOCOL-HTTP2 spec states that timeouts should be positive, so now non-positive values are replaced with 1 nanosecond
- core: Improved DEADLINE_EXCEEDED message for delayed calls ([`6ff8eca`](https://redirect.github.com/grpc/grpc-java/commit/6ff8ecac0)). Delayed calls are the first calls on a Channel before name resolution has resolved addresses. Previously you could see confusing errors saying the deadline “will be exceeded in” X time. The message tense was simply wrong, and now will be correct: deadline “was exceeded after” X time.
- xds: PriorityLB now only uses the failOverTimer to start additional priorities, not fail RPCs ([`c4256ad`](https://redirect.github.com/grpc/grpc-java/commit/c4256add4)). You should no longer see “Connection timeout for priority” errors.
##### Improvements
- netty: Count sent RST_STREAMs against `NettyServerBuilder.maxRstFramesPerWindow()` limit ([#​12288](https://redirect.github.com/grpc/grpc-java/issues/12288)). This extends the Rapid Reset tool to also cover MadeYouReset. the reset stream count will cause a 420 "Enhance your calm response" to be sent. This depends on Netty 4.1.124 for a bug fix to actually call the encoder by the frame writer.
- xds: Convert CdsLb to `XdsDepManager` ([`297ab05`](https://redirect.github.com/grpc/grpc-java/commit/297ab05ef)). This is part of gRFC A74 to have atomic xDS config updates. This is an internal change, but does change the error description seen in certain cases, especially DEADLINE_EXCEEDED on a brand-new channel.
- census: APIs for stats and tracing ([#​12050](https://redirect.github.com/grpc/grpc-java/issues/12050)) ([`9193701`](https://redirect.github.com/grpc/grpc-java/commit/919370172)). Client channel and server builders with interceptors and factories respectively for stats and tracing.
- stub: simplify `BlockingClientCall` infinite blocking ([#​12217](https://redirect.github.com/grpc/grpc-java/issues/12217)) ([`ba0a732`](https://redirect.github.com/grpc/grpc-java/commit/ba0a7329d)). Move deadline computation into overloads with finite timeouts. Blocking calls without timeouts now do not have to read the clock.
- xds: Do RLS fallback policy eagar start ([#​12211](https://redirect.github.com/grpc/grpc-java/issues/12211)) ([`42e1829`](https://redirect.github.com/grpc/grpc-java/commit/42e1829b3)). In gRPC-Java, the xDS clusters were lazily subscribed, which meant the fallback target which is returned in the RLS config wasn’t subscribed until a RPC actually falls back to it. The delayed resource subscription process in gRPC Java made it more susceptible to the effects of the INITIAL_RESOURCE_FETCH_TIMEOUT compared to other programming languages. It also had impact beyond the RLS cache expiration case, for example, when the first time the client initialized the channel, we couldn't fallback when the intended target times out, because of the lazy subscription. This change starts the fallback LB policy for the default target at the start of RLS policy instead of only when falling back to the default target, which fixes the above mentioned problems.
- xds: Aggregate cluster fixes (A75) ([#​12186](https://redirect.github.com/grpc/grpc-java/issues/12186)) ([`7e982e4`](https://redirect.github.com/grpc/grpc-java/commit/7e982e48a)). The earlier implementation of aggregate clusters concatenated the priorities from the underlying clusters into a single list, so that it could use a single LB policy defined at the aggregate cluster layer to choose a priority from that combined list. However, it turns out that aggregate clusters don't actually define the LB policy in the aggregate cluster; instead, the aggregate cluster uses a special cluster-provided LB policy that first chooses the underlying cluster and then delegates to the LB policy of the underlying cluster. This change implements that.
- api: set size correctly for sets and maps in handling `Metadata` values to be exchanged during a call ([#​12229](https://redirect.github.com/grpc/grpc-java/issues/12229)) ([`8021727`](https://redirect.github.com/grpc/grpc-java/commit/80217275d))
- xds: xdsClient cache transient error for new watchers ([#​12291](https://redirect.github.com/grpc/grpc-java/issues/12291)). When a resource update is NACKed, cache the error and update new watchers that get added with that error instead of making them hang.
- xds: Avoid PriorityLb re-enabling timer on duplicate CONNECTING ([#​12289](https://redirect.github.com/grpc/grpc-java/issues/12289)). If a LB policy gives extraneous updates with state CONNECTING, then it was possible to re-create `failOverTimer` which would then wait the 10 seconds for the child to finish CONNECTING. We only want to give the child one opportunity after transitioning out of READY/IDLE.
- xds: Use a different log name for `XdsClientImpl` and `ControlPlaneClient` ([#​12287](https://redirect.github.com/grpc/grpc-java/issues/12287)). `ControlPlaneClient` uses "xds-cp-client" now instead of "xds-client" while logging.
##### Dependencies Changes
- Upgrade to Netty 4.1.124.Final ([#​12286](https://redirect.github.com/grpc/grpc-java/issues/12286)). This implicitly disables `NettyAdaptiveCumulator` ([#​11284](https://redirect.github.com/grpc/grpc-java/issues/11284)), which can have a performance impact. We delayed upgrading Netty to give time to rework the optimization, but we've gone too long already without upgrading which causes problems for vulnerability tracking.
- bazel: Use `jar_jar` to avoid xds deps ([#​12243](https://redirect.github.com/grpc/grpc-java/issues/12243)) ([`8f09b96`](https://redirect.github.com/grpc/grpc-java/commit/8f09b9689)). The //xds and //xds:orca targets now use `jar_jar` to shade the protobuf generated code. This allows them to use their own private copy of the protos and drop direct Bazel dependencies on cel-spec, grpc, rules_go, com_github_cncf_xds, envoy_api, com_envoyproxy_protoc_gen_validate, and opencensus_proto. This mirrors the shading of protobuf messages done for grpc-xds provided on Maven Central and should simplify dependency management
- Protobuf upgraded to 3.25.8
- proto-google-common-protos upgraded to 2.59.2
- s2a-proto upgraded to 1.1.2
- google-cloud-logging upgraded to 3.23.1 (used by gcp-observability)
- OpenTelemetry upgraded to 1.52.0
##### Documentation
- Clarify requirements for creating a cross-user Channel. ([#​12181](https://redirect.github.com/grpc/grpc-java/issues/12181)). The `@SystemApi` runtime visibility requirement isn't really new. It has always been implicit in the required INTERACT_ACROSS_USERS permission, which can only be held by system apps in production. Now deprecated `BinderChannelBuilder#bindAsUser` has always required SDK_INT >= 30. This change just copies that requirement forward to its replacement APIs in `AndroidComponentAddress` and the TARGET_ANDROID_USER `NameResolver.Args`.
- api: Add more Javadoc for `NameResolver.Listener2` interface ([#​12220](https://redirect.github.com/grpc/grpc-java/issues/12220)) ([`d352540`](https://redirect.github.com/grpc/grpc-java/commit/d352540a0))
##### Thanks to
[@​benjaminp](https://redirect.github.com/benjaminp)
[@​werkt](https://redirect.github.com/werkt)
[@​kilink](https://redirect.github.com/kilink)
[@​vimanikag](https://redirect.github.com/vimanikag)
### [`v1.74.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.74.0)
##### Behavior Changes
- compiler: Default to `@generated=omit` ([`f8700a1`](https://redirect.github.com/grpc/grpc-java/commit/f8700a13a)). This omits `javax.annotation.Generated` from the generated code and makes the `org.apache.tomcat:annotations-api` compile-only dependency unnecessary (README and examples changes forthcoming; we delayed those changes until the release landed). You can use the option `@generated=javax` for the previous behavior, but please also file an issue so we can develop alternatives
- compiler: generate blocking v2 unary calls that throw StatusException ([#​12126](https://redirect.github.com/grpc/grpc-java/issues/12126)) ([`a16d655`](https://redirect.github.com/grpc/grpc-java/commit/a16d65591)). Previously, the new blocking stub API was identical to the older blocking stub for unary RPCs and used the unchecked `StatusRuntimeException`. However, feedback demonstrated it was confusing to mix that with the checked `StatusException` in `BlockingClientCall`. Now the new blocking stub uses StatusException throughout. grpc-java continues to support the old generated code, but the version of protoc-gen-grpc-java will dictate which API you see. If you support multiple generated code versions, you can use the older blocking v1 stub for unary RPCs
##### Bug Fixes
- netty: Fix a race that caused RPCs to hang on start when a GOAWAY was received while the RPCs’ headers were being written to the OS ([`b04c673`](https://redirect.github.com/grpc/grpc-java/commit/b04c673fd), [`15c7573`](https://redirect.github.com/grpc/grpc-java/commit/15c757398)). This was a very old race, not a recent regression. All streams should now properly fail instead of hanging, although in some cases they may be transparently retried
- util: OutlierDetection should use nanoTime, not currentTimeMillis ([#​12110](https://redirect.github.com/grpc/grpc-java/issues/12110)) ([`1c43098`](https://redirect.github.com/grpc/grpc-java/commit/1c4309899)). Previously, changes in the wall time would impact its accounting
- xds: Don't allow hostnames in address field in EDS ([#​12123](https://redirect.github.com/grpc/grpc-java/issues/12123)) ([`482dc5c`](https://redirect.github.com/grpc/grpc-java/commit/482dc5c1c)). Only IP addresses were handled properly, and only IP addresses should be handled per gRFC A27
- xds: In resource handling, call onError() for RDS and EDS NACKs ([#​12122](https://redirect.github.com/grpc/grpc-java/issues/12122)) ([`efe9ccc`](https://redirect.github.com/grpc/grpc-java/commit/efe9ccc22)). Previously the resource was NACKed, but gRPC would continue waiting for the resource until a timeout was reached and claim the control plane didn’t send the resource. Now it will fail quickly with an informative error
- xds: Implement equals in RingHashConfig ([`a5eaa66`](https://redirect.github.com/grpc/grpc-java/commit/a5eaa66cc)). Previously all configuration refreshes were considered a new config, which had the potential for causing unexpected inefficiency problems. This was noticed by new code for gRFC A74 xDS Config Tears that is not yet enabled, so there are no known problems that this caused
- LBs should avoid calling LBs after lb.shutdown() ([`1df2a33`](https://redirect.github.com/grpc/grpc-java/commit/1df2a3305)). This fixed pick_first and ring_hash behavior that could cause rare and “random” races in parent load balancers like a `NullPointerException` in `ClusterImplLoadBalancer.createSubchannel()`, which had a ring_hash child. This is most likely to help xDS, as it heavily uses hierarchical LB policies
##### Improvements
- util: Deliver addresses in a random order to shuffle connection creation ordering ([`f07eb47`](https://redirect.github.com/grpc/grpc-java/commit/f07eb47ca)). Previously, connections were created in-order (but non-blocking), so in a fast network the first address could be more likely to connect first given a "microsecond" headstart. That first connection then receives all the buffered RPCs, which could cause temporary, but repeated, load imbalances of the same backend when all clients receive the same list of addresses in the same order. This has been seen in practice, but it is unclear how often it happens. Shuffling has the potential to improve load distribution of new clients when using round_robin, weighted_round_robin, and least_request, which connect simultaneously to multiple addresses
- core: Use lazy message formatting in checkState ([#​12144](https://redirect.github.com/grpc/grpc-java/issues/12144)) ([`26bd0ee`](https://redirect.github.com/grpc/grpc-java/commit/26bd0eee4)). This avoids the potential of unnecessarily formatting an exception as a string when a subchannel fails to connect
- bazel: Migrate java_grpc_library to use DefaultInfo ([#​12148](https://redirect.github.com/grpc/grpc-java/issues/12148)) ([`6f69363`](https://redirect.github.com/grpc/grpc-java/commit/6f69363d9)). This adds compatibility for `--incompatible_disable_target_default_provider_fields`
- binder: Rationalize [@​ThreadSafe-ty](https://redirect.github.com/ThreadSafe-ty) inside BinderTransport ([#​12130](https://redirect.github.com/grpc/grpc-java/issues/12130)) ([`c206428`](https://redirect.github.com/grpc/grpc-java/commit/c20642874))
- binder: Cancel checkAuthorization() request if still pending upon termination ([#​12167](https://redirect.github.com/grpc/grpc-java/issues/12167)) ([`30d40a6`](https://redirect.github.com/grpc/grpc-java/commit/30d40a617))
##### Dependencies
- compiler: Upgrade Protobuf C++ to 22.5 ([#​11961](https://redirect.github.com/grpc/grpc-java/issues/11961)) ([`46485c8`](https://redirect.github.com/grpc/grpc-java/commit/46485c8b6)). This is used by the pre-built protoc-gen-grpc-java plugin on Maven Central. This should have no visible benefit, but gets us closer to upgrading to Protobuf 27 which added edition 2023 support
- release: Migrate artifacts publishing changed from legacy OSSRH to Central Portal ([#​12156](https://redirect.github.com/grpc/grpc-java/issues/12156)) ([`f99b2aa`](https://redirect.github.com/grpc/grpc-java/commit/f99b2aaef)). We aren’t aware of any visible changes to the results on Maven Central
### [`v1.73.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.73.0)
##### API Changes
xds: Enable least request by default ([#​12062](https://redirect.github.com/grpc/grpc-java/issues/12062))
core: Delete the long-deprecated GRPC_PROXY_EXP env variable ([#​11988](https://redirect.github.com/grpc/grpc-java/issues/11988)) ([`908f9f1`](https://redirect.github.com/grpc/grpc-java/commit/908f9f19c)). This was experimental and has been warning when used since v1.8.0. Use the Java-standard -Dhttps.proxyHost and -Dhttps.proxyPort instead
api: Remove deprecated SubchannelPicker.requestConnection() ([`f79ab2f`](https://redirect.github.com/grpc/grpc-java/commit/f79ab2f16)). This API was replaced by LoadBalancer.requestConnection() in v1.22.0
##### Bug Fixes
config: prevents global stats config freeze in ConfiguratorRegistry.getConfigurators() ([#​11991](https://redirect.github.com/grpc/grpc-java/issues/11991)) ([`d4c46a7`](https://redirect.github.com/grpc/grpc-java/commit/d4c46a7f1))
xds: XdsDepManager should ignore updates after shutdown ([`25199e9`](https://redirect.github.com/grpc/grpc-java/commit/25199e9df)). This fixes a source of java.lang.NullPointerException: Cannot invoke "io.grpc.xds.XdsDependencyManager$RdsUpdateSupplier.getRdsUpdate()" because "routeSource" is null regression introduced in v1.72.0
##### Improvements
xds: listener type validation ([#​11933](https://redirect.github.com/grpc/grpc-java/issues/11933)) ([`c8d1e6e`](https://redirect.github.com/grpc/grpc-java/commit/c8d1e6e39))
xds: add the missing xds.authority metric defined in [gRFC A78](https://redirect.github.com/grpc/proposal/blob/master/A78-grpc-metrics-wrr-pf-xds.md#xdsclient) ([#​12018](https://redirect.github.com/grpc/grpc-java/issues/12018)) ([`6cd007d`](https://redirect.github.com/grpc/grpc-java/commit/6cd007d0d))
##### New Features
xds: float LRU cache across interceptors ([#​11992](https://redirect.github.com/grpc/grpc-java/issues/11992)) ([`7a08fdb`](https://redirect.github.com/grpc/grpc-java/commit/7a08fdb7f))
xds: propagate audience from cluster resource in gcp auth filter. This completes the gRFC A83, implementation of GCP Authentication Filter. ([#​11972](https://redirect.github.com/grpc/grpc-java/issues/11972)) ([`84c7713`](https://redirect.github.com/grpc/grpc-java/commit/84c7713b2))
opentelemetry: Implement grpc.lb.backend_service optional label ([`9619453`](https://redirect.github.com/grpc/grpc-java/commit/961945379)). This completes the [gRFC A89](https://redirect.github.com/grpc/proposal/blob/master/A89-backend-service-metric-label.md) implementation, which is enabled when requesting the new label
##### Documentation
api: Remove mention of "epoch" from Ticker.nanoTime() javadocs ([`84bd014`](https://redirect.github.com/grpc/grpc-java/commit/84bd01454))
### [`v1.72.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.72.0)
##### API Changes
- util: Remove deprecated method GracefulSwitchLb.switchTo() ([`f207be3`](https://redirect.github.com/grpc/grpc-java/commit/f207be39a)). It is rarely used outside of gRPC itself. The configuration is passed as lb policy configuration instead
- xds: Add support for custom per-target credentials on the transport ([#​11951](https://redirect.github.com/grpc/grpc-java/issues/11951)) ([`1958e42`](https://redirect.github.com/grpc/grpc-java/commit/1958e4237))
- xds: Explicitly set request hash key for the ring hash LB policy ([`892144d`](https://redirect.github.com/grpc/grpc-java/commit/892144dca))
##### Bug Fixes
- core: Apply ManagedChannelImpl's updateBalancingState() immediately ([`ca4819a`](https://redirect.github.com/grpc/grpc-java/commit/ca4819ac6))
- xds: Fix cluster selection races when updating config selector ([`d82613a`](https://redirect.github.com/grpc/grpc-java/commit/d82613a74))
- otel: Fix span names as per the A72 gRFC changes ([#​11974](https://redirect.github.com/grpc/grpc-java/issues/11974)) ([`94f8e93`](https://redirect.github.com/grpc/grpc-java/commit/94f8e9369))
- xds: ClusterResolverLoadBalancer handle update for both resolved addresses and errors via ResolutionResult ([#​11997](https://redirect.github.com/grpc/grpc-java/issues/11997)) ([`8681786`](https://redirect.github.com/grpc/grpc-java/commit/868178651))
##### Improvements
- netty: Avoid allocating an exception on transport shutdown. This reduces allocation rate for connection-heavy workloads/load testing ([`a57c14a`](https://redirect.github.com/grpc/grpc-java/commit/a57c14a51))
- servlet: Set an explicit description for CANCELLED status ([#​11927](https://redirect.github.com/grpc/grpc-java/issues/11927)) ([`fca1d3c`](https://redirect.github.com/grpc/grpc-java/commit/fca1d3cf4))
- xds: [gRFC A74 xDS Config Tears](https://redirect.github.com/grpc/proposal/blob/master/A74-xds-config-tears.md) implementation in the XdsNameResolver ([`e80c197`](https://redirect.github.com/grpc/grpc-java/commit/e80c19745)). While there is more remaining, users may already see reduced latency when resources are replaced. For example, if changing a route from one backend service to another, RPCs may see less latency during the transition
- core: Log any exception during channel panic because of exception ([`3961a92`](https://redirect.github.com/grpc/grpc-java/commit/3961a923a)). This prevents the exception from propagating up the stack on an arbitrary thread. Such exceptions are rarely interesting. Instead, the exception that caused the channel panic is the important one, and RPCs will still fail with its details
- util: Graceful switch to new LB when leaving CONNECTING ([`2e260a4`](https://redirect.github.com/grpc/grpc-java/commit/2e260a4bb)). Previously when using xDS and the configuration changes the LB policy, the old LB policy is used until the new one is READY. Now the old LB policy is used until the new policy becomes READY, TRANSIENT_FAILURE, or IDLE
- core: Use java.time.Time.getNano directly in InstantTimeProvider. Previously reflection was used which would confuse R8 full mode ([#​11977](https://redirect.github.com/grpc/grpc-java/issues/11977)) ([`7507a9e`](https://redirect.github.com/grpc/grpc-java/commit/7507a9ec0))
- core: Avoid cancellation exceptions when notifying watchers that already have their connections cancelled ([#​11934](https://redirect.github.com/grpc/grpc-java/issues/11934)) ([`350f90e`](https://redirect.github.com/grpc/grpc-java/commit/350f90e1a))
- rls: allow maxAge in RLS config to exceed 5 minutes if staleAge is set. Previously, the limit was 5 minutes, which isn't enough for some gRPC clients ([#​11931](https://redirect.github.com/grpc/grpc-java/issues/11931)) ([`c340f4a`](https://redirect.github.com/grpc/grpc-java/commit/c340f4a2f))
- xds: avoid unnecessary dns lookup for CIDR addresses ([#​11932](https://redirect.github.com/grpc/grpc-java/issues/11932)) ([`602aece`](https://redirect.github.com/grpc/grpc-java/commit/602aece08))
- netty: Swap to UniformStreamByteDistributor ([#​11954](https://redirect.github.com/grpc/grpc-java/issues/11954)) ([`2f52a00`](https://redirect.github.com/grpc/grpc-java/commit/2f52a0036)). gRPC will no longer observe the HTTP/2 priorities, which were not used directly by gRPC and deprecated in RFC 9113
- core: Avoid Set.removeAll() when passing a possibly-large List ([#​11994](https://redirect.github.com/grpc/grpc-java/issues/11994)) ([`666136b`](https://redirect.github.com/grpc/grpc-java/commit/666136b4b))
- stub: trailersFromThrowable() metadata should be copied ([#​11979](https://redirect.github.com/grpc/grpc-java/issues/11979)) ([`a6e1c1f`](https://redirect.github.com/grpc/grpc-java/commit/a6e1c1f09))
##### New Features
- xds: xDS-based HTTP CONNECT configuration ([#​11861](https://redirect.github.com/grpc/grpc-java/issues/11861)) ([`1219706`](https://redirect.github.com/grpc/grpc-java/commit/12197065f))
- netty: Per-rpc authority verification against peer cert subject names. Overriding transport authority at rpc time is only allowed when using TlsChannelCredentials. The per-rpc authority verification feature is guarded by the environment variable GRPC_ENABLE_PER_RPC_AUTHORITY_CHECK in this release. When this is false or not set, the rpc will not fail when the authority verification fails but a warning will be logged. In a subsequent release the usage of this environment variable will be removed and RPCs will start failing if the authority doesn't match the peer certificate names. The environment variable is temporary; if you are depending on the existing insecure behavior, please file an issue ([#​11724](https://redirect.github.com/grpc/grpc-java/issues/11724)) ([`cdab410`](https://redirect.github.com/grpc/grpc-java/commit/cdab410b8))
##### Thanks to
[@​panchenko](https://redirect.github.com/panchenko)
[@​emmanuel-ferdman](https://redirect.github.com/emmanuel-ferdman)
[@​JoeCqupt](https://redirect.github.com/JoeCqupt)
### [`v1.71.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.71.0)
##### API Changes
- xds: Enable Xds Client Fallback by default. This allows having a backup xDS server as described in gRFC [A71-xds-fallback.md](https://redirect.github.com/grpc/proposal/blob/master/A71-xds-fallback.md) ([#​11817](https://redirect.github.com/grpc/grpc-java/issues/11817)) ([`176f3ee`](https://redirect.github.com/grpc/grpc-java/commit/176f3eed1))
- protobuf: Experimental API marshallerWithRecursionLimit in `ProtoUtils` is now stabilized ([#​11884](https://redirect.github.com/grpc/grpc-java/issues/11884)) ([`90b1c4f`](https://redirect.github.com/grpc/grpc-java/commit/90b1c4fe9))
##### Bug Fixes
- xds: Cluster weights should be uint32 ([`199a7ea`](https://redirect.github.com/grpc/grpc-java/commit/199a7ea3e)). They were previously processed as int32, although the sum of weights was checked to be positive. So this would have caused a very large weight to never be selected and to reduce the chances of immediately-following clusters to be selected. There have been no reports of control planes using such large weights
- xds: Fix an unlikely infinite loop triggered by route update ([`199a7ea`](https://redirect.github.com/grpc/grpc-java/commit/199a7ea3e)). Triggering required the old cluster to no longer be used, an RPC processing when the update arrived, and for a RPC to not match any route in the new config. There have been no reports of this actually happening
- core: Release data frame if it is received before the headers ([`dc316f7`](https://redirect.github.com/grpc/grpc-java/commit/dc316f7fd))
##### Improvements
- Replace jsr305's `CheckReturnValue` with Error Prone's ([#​11811](https://redirect.github.com/grpc/grpc-java/issues/11811)) ([`7b5d069`](https://redirect.github.com/grpc/grpc-java/commit/7b5d0692c))
- core: optimize number of buffer allocations for message sizes larger than 1 MB ([#​11879](https://redirect.github.com/grpc/grpc-java/issues/11879)) ([`5a7f350`](https://redirect.github.com/grpc/grpc-java/commit/5a7f35053))
- core: Update the retry backoff range from \[0, 1] to \[0.8, 1.2] as per the A6 redefinition ([#​11858](https://redirect.github.com/grpc/grpc-java/issues/11858)) ([`44e92e2`](https://redirect.github.com/grpc/grpc-java/commit/44e92e2c2))
- core: include last pick status in status message when wait-for-ready RPC’s deadline expires ([#​11851](https://redirect.github.com/grpc/grpc-java/issues/11851)) ([`7585b16`](https://redirect.github.com/grpc/grpc-java/commit/7585b1607)). This makes it much easier to debug connectivity issues when using wait-for-ready RPCs
- xds: Include max concurrent request limit in the error status for concurrent connections limit exceeded ([#​11845](https://redirect.github.com/grpc/grpc-java/issues/11845)) ([`0f5503e`](https://redirect.github.com/grpc/grpc-java/commit/0f5503ebb))
- netty, servlet: Remove 4096 min write buffer size because `MessageFramer`.flush() is being called between every message, so messages are never combined and the larger allocation just wastes memory. ([`4a10a38`](https://redirect.github.com/grpc/grpc-java/commit/4a10a3816), [`7153ff8`](https://redirect.github.com/grpc/grpc-java/commit/7153ff852))
- core: When `ClientStreamObserver` closes the response observer log the error message if this operation fails ([#​11880](https://redirect.github.com/grpc/grpc-java/issues/11880)) ([`302342c`](https://redirect.github.com/grpc/grpc-java/commit/302342cfc))
- bom: use gradle java-platform to build pom instead of custom xml generation ([#​11875](https://redirect.github.com/grpc/grpc-java/issues/11875)) ([`3142928`](https://redirect.github.com/grpc/grpc-java/commit/3142928fa))
- xds: Reuse filter interceptors on client-side across RPCs ([`c506190`](https://redirect.github.com/grpc/grpc-java/commit/c506190b0), [`b3db8c2`](https://redirect.github.com/grpc/grpc-java/commit/b3db8c248)). This was an internal refactor that should have no user-visible change
- alts: Enhance `AltsContextUtil` to allow getting the `AltsContext` on client-side ([`b1bc0a9`](https://redirect.github.com/grpc/grpc-java/commit/b1bc0a9d2))
- xds: Envoy proto sync to 2024-11-11 ([#​11816](https://redirect.github.com/grpc/grpc-java/issues/11816)) ([`b44ebce`](https://redirect.github.com/grpc/grpc-java/commit/b44ebce45))
##### Documentation
- examples: Update `HelloWorldServer` to use Executor ([#​11850](https://redirect.github.com/grpc/grpc-java/issues/11850)) ([`16edf7a`](https://redirect.github.com/grpc/grpc-java/commit/16edf7ac4))
- examples: Add README for all examples lacking it ([#​11676](https://redirect.github.com/grpc/grpc-java/issues/11676)) ([`9e86299`](https://redirect.github.com/grpc/grpc-java/commit/9e8629914))
##### Dependencies
- Version upgrades ([#​11874](https://redirect.github.com/grpc/grpc-java/issues/11874)) ([`fc8571a`](https://redirect.github.com/grpc/grpc-java/commit/fc8571a0e))
- Upgrade netty-tcnative to 2.0.70 ([`122b683`](https://redirect.github.com/grpc/grpc-java/commit/122b68371))
##### Thanks to
[@​benjamin](https://redirect.github.com/benjamin)
[@​panchenko](https://redirect.github.com/panchenko)
[@​harshagoo94](https://redirect.github.com/harshagoo94)
[@​NaveenPrasannaV](https://redirect.github.com/NaveenPrasannaV)
### [`v1.70.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.70.0)
##### **Bug Fixes**
- Re-enable animalsniffer, fixing most violations ([`8ea3629`](https://redirect.github.com/grpc/grpc-java/commit/8ea362937)). Violations would only have triggered on API level 23 and earlier, and the violations fixed here were highly unlikely to be triggered
- api: Fix Android API level 23 and earlier compatibility for StatusRuntimeException without stacktrace ([#​11072](https://redirect.github.com/grpc/grpc-java/issues/11072)) ([`ebe2b48`](https://redirect.github.com/grpc/grpc-java/commit/ebe2b4867)). This fixes a regression introduced in 1.64.0. The regression should have caused failures on API level 23 and earlier when a StatusRuntimeException or StatusException was created. However, for unknown reasons tests on old devices didn’t notice issues
- okhttp: Improve certificate handling by rejecting non-ASCII subject alternative names and hostnames as seen in CVE-2021-0341 ([#​11749](https://redirect.github.com/grpc/grpc-java/issues/11749)) ([`a0982ca`](https://redirect.github.com/grpc/grpc-java/commit/a0982ca0a)). Hostnames are considered trusted and CAs are required to use punycode for non-ASCII hostnames, so this is expected to provide defense-in-depth. See also the [related GoSecure blog post](https://gosecure.ai/blog/2020/10/27/weakness-in-java-tls-host-verification/) and the [AOSP fix](https://android.googlesource.com/platform/external/okhttp/+/ddc934efe3ed06ce34f3724d41cfbdcd7e7358fc)
- okhttp: Fix for ipv6 link local with scope ([#​11725](https://redirect.github.com/grpc/grpc-java/issues/11725)) ([`65b32e6`](https://redirect.github.com/grpc/grpc-java/commit/65b32e60e))
- xds: Preserve nonce when unsubscribing last watcher of a particular type so that new discovery requests of that type are handled correctly ([`1cf1927`](https://redirect.github.com/grpc/grpc-java/commit/1cf1927d1)). This (along with [`6c12c2b`](https://redirect.github.com/grpc/grpc-java/commit/6c12c2bd2)) fixes a nonce-handling regression introduced in 1.66.0 that could cause resources to appear to not exist until re-creating the ADS stream. Triggering the behavior required specific config changes. It is easiest to trigger when clusters use EDS and routes are changed from one cluster to another. The error “found 0 leaf (logical DNS or EDS) clusters for root cluster” might then be seen
- xds: Remember nonces for unknown types ([`6c12c2b`](https://redirect.github.com/grpc/grpc-java/commit/6c12c2bd2))
- xds: Unexpected types in the bootstrap’s server_features should be ignored ([`e8ff6da`](https://redirect.github.com/grpc/grpc-java/commit/e8ff6da2c)). They were previously required to be strings
- xds: Remove xds authority label from metric registration ([#​11760](https://redirect.github.com/grpc/grpc-java/issues/11760)) ([`6516c73`](https://redirect.github.com/grpc/grpc-java/commit/6516c7387)). This fixes the error “Incorrect number of required labels provided. Expected: 4” introduced in 1.69.0
- xds: Fixed unsupported unsigned 32 bits issue for circuit breaker ([#​11735](https://redirect.github.com/grpc/grpc-java/issues/11735)) ([`f8f6139`](https://redirect.github.com/grpc/grpc-java/commit/f8f613984)). This fixes clients treating large max_requests as “no requests” and failing all requests
##### **Improvements**
- api: Introduce custom NameResolver.Args ([#​11669](https://redirect.github.com/grpc/grpc-java/issues/11669)) ([`0b2d440`](https://redirect.github.com/grpc/grpc-java/commit/0b2d44098))
- stub: Introduce new API: BlockingStubV2 which supports Bidi streaming, Client streaming, a cleaner Server streaming and Unary RPCs ([#​10318](https://redirect.github.com/grpc/grpc-java/issues/10318)) ([`ea8c31c`](https://redirect.github.com/grpc/grpc-java/commit/ea8c31c30))
- bazel: Remove workaround for DoNotCall fixed in Bazel 3.4 ([`805cad3`](https://redirect.github.com/grpc/grpc-java/commit/805cad378))
- binder: A standard API for pointing resolvers at a different Android User. ([#​11775](https://redirect.github.com/grpc/grpc-java/issues/11775)) ([`1126a8e`](https://redirect.github.com/grpc/grpc-java/commit/1126a8e30))
- xds: Fix XDS control plane client retry timer backoff duration when connection closes after results are received ([#​11766](https://redirect.github.com/grpc/grpc-java/issues/11766)) ([`ef7c2d5`](https://redirect.github.com/grpc/grpc-java/commit/ef7c2d59c))
- xds: Parsing xDS Cluster Metadata ([#​11741](https://redirect.github.com/grpc/grpc-java/issues/11741)) ([`1edc4d8`](https://redirect.github.com/grpc/grpc-java/commit/1edc4d84d)). Not used actively, but this adds validation. The validation is unlikely to fail but may reject invalid resources.
- xds: Use "#server" as dataplane target value for xDS enabled gRPC servers ([#​11715](https://redirect.github.com/grpc/grpc-java/issues/11715)) ([`ebb43a6`](https://redirect.github.com/grpc/grpc-java/commit/ebb43a69e)). This only imp
</details>
---
### Configuration
📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).
lqiu96
pushed a commit
to googleapis/sdk-platform-java
that referenced
this pull request
Feb 12, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [com.google.auth:google-auth-library-bom](https://togithub.com/googleapis/google-auth-library-java) | minor | `1.41.0` -> `1.42.0` | | [com.google.http-client:google-http-client](https://togithub.com/googleapis/google-http-java-client) | minor | `2.0.3` -> `2.1.0` | | [io.grpc:grpc-bom](https://togithub.com/grpc/grpc-java) | minor | `1.76.2` -> `1.78.0` | --- ### Release Notes <details> <summary>googleapis/google-auth-library-java (com.google.auth:google-auth-library-bom)</summary> ### [`v1.42.0`](https://togithub.com/googleapis/google-auth-library-java/blob/HEAD/CHANGELOG.md#1420-2026-01-23) [Compare Source](https://togithub.com/googleapis/google-auth-library-java/compare/v1.41.0...v1.42.0) ##### Features - Update protobuf version to 4.33.2 ([#​1875](https://togithub.com/googleapis/google-auth-library-java/issues/1875)) ([13ddbd1](https://togithub.com/googleapis/google-auth-library-java/commit/13ddbd1744fb908fb51e8866e5aac291f0e9bada)) ##### Bug Fixes - Simplify call to directly retrieve the default service account from MDS ([#​1844](https://togithub.com/googleapis/google-auth-library-java/issues/1844)) ([6efda0b](https://togithub.com/googleapis/google-auth-library-java/commit/6efda0bc2063b1d1b30de43785d08ec86da1791c)) </details> <details> <summary>googleapis/google-http-java-client (com.google.http-client:google-http-client)</summary> ### [`v2.1.0`](https://togithub.com/googleapis/google-http-java-client/blob/HEAD/CHANGELOG.md#210-2026-01-23) [Compare Source](https://togithub.com/googleapis/google-http-java-client/compare/v2.0.3...v2.1.0) ##### Features - Update protobuf-java to 4.33.2 ([d48c443](https://togithub.com/googleapis/google-http-java-client/commit/d48c443cf9b872be4872ed6801c4edf70d5be7ac)) </details> <details> <summary>grpc/grpc-java (io.grpc:grpc-bom)</summary> ### [`v1.78.0`](https://togithub.com/grpc/grpc-java/releases/tag/v1.78.0) [Compare Source](https://togithub.com/grpc/grpc-java/compare/v1.77.1...v1.78.0) ##### Bug Fixes - core: Fix shutdown failing accepted RPCs during channel startup ([`02e98a8`](https://togithub.com/grpc/grpc-java/commit/02e98a806)). This fixes a race where RPCs could fail with "UNAVAILABLE: Channel shutdown invoked" even though they were created before channel.shutdown() - okhttp: Fix race condition overwriting MAX_CONCURRENT_STREAMS ([#​12548](https://togithub.com/grpc/grpc-java/issues/12548)) ([`8d49dc1`](https://togithub.com/grpc/grpc-java/commit/8d49dc1c9)) - binder: Stop leaking `this` from BinderServerTransport's ctor ([#​12453](https://togithub.com/grpc/grpc-java/issues/12453)) ([`89d77e0`](https://togithub.com/grpc/grpc-java/commit/89d77e062)) - rls: Avoid missed config update from reentrancy ([`55ae1d0`](https://togithub.com/grpc/grpc-java/commit/55ae1d054)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) ##### Improvements - xds: gRFC A88 - Changes to XdsClient Watcher APIs ([#​12446](https://togithub.com/grpc/grpc-java/issues/12446)) ([`f385add`](https://togithub.com/grpc/grpc-java/commit/f385add31)). We now have improved xDS error handling and this provides a clearer mechanism for the xDS server to report per-resource errors to the client, resulting in better error messages for debugging and faster detection of non-existent resources. This also improves the handling of all xDS-related data errors and the behavior of the xDS resource timer. - rls: Control plane channel monitor state and back off handling ([#​12460](https://togithub.com/grpc/grpc-java/issues/12460)) ([`26c1c13`](https://togithub.com/grpc/grpc-java/commit/26c1c1341)). Resets RLS request backoff timers when the Control plane channel state transitions to READY. Also when the backoff timer expires, instead of making a RLS request immediately, it just causes a picker update to allow making rpc again to the RLS target. - core: simplify DnsNameResolver.resolveAddresses() ([`4843256`](https://togithub.com/grpc/grpc-java/commit/4843256af)) - netty: Run handshakeCompleteRunnable in success cases ([`283f103`](https://togithub.com/grpc/grpc-java/commit/283f1031f)) - api,netty: Add custom header support for HTTP CONNECT proxy ([`bbc0aa3`](https://togithub.com/grpc/grpc-java/commit/bbc0aa369)) - binder: Pre-factor out the guts of the BinderClientTransport handshake. ([`9313e87`](https://togithub.com/grpc/grpc-java/commit/9313e87df)) - compiler: Add RISC-V 64-bit architecture support to compiler build configuration ([`725ab22`](https://togithub.com/grpc/grpc-java/commit/725ab22f3)) - core: Release lock before closing shared resource ([`cb73f21`](https://togithub.com/grpc/grpc-java/commit/cb73f217e)). Shared resources are internal to gRPC for sharing expensive objects across channels and servers, like threads. This reduces the chances of forming a deadlock, like seen with s2a in [`d50098f`](https://togithub.com/grpc/grpc-java/commit/d50098f) - Upgrade gson to 2.12.1 ([`6dab2ce`](https://togithub.com/grpc/grpc-java/commit/6dab2ceab)) - Upgrade dependencies ([`f36defa`](https://togithub.com/grpc/grpc-java/commit/f36defa2d)). proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0, error-prone annotations to 2.44.0, guava to 33.5.0-android, opentelemetry to 1.56.0 - compiler: Update maximum supported protobuf edition to EDITION\_2024 ([`2f64092`](https://togithub.com/grpc/grpc-java/commit/2f64092b8)) - binder: Introduce server authorization strategy v2 ([`d971072`](https://togithub.com/grpc/grpc-java/commit/d9710725d)). Adds support for `android:isolatedProcess` Services and moves all security checks to the handshake, making subsequent transactions more efficient. ##### New Features - compiler: Upgrade to C++ protobuf 33.1 ([#​12534](https://togithub.com/grpc/grpc-java/issues/12534)) ([`58ae5f8`](https://togithub.com/grpc/grpc-java/commit/58ae5f808)). - util: Add gRFC A68 random subsetting LB ([`48a4288`](https://togithub.com/grpc/grpc-java/commit/48a42889d)). The policy uses the name `random_subsetting_experimental`. If it is working for you, tell us so we can gauge marking it stable. While the xDS portions haven’t yet landed, it is possible to use with xDS with JSON-style Structs as supported by gRFC A52 - xds: Support for System Root Certs ([#​12499](https://togithub.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://togithub.com/grpc/grpc-java/commit/51611bad1)). Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy. The xDS `CertificateValidationContext` message (see [envoyproxy/envoy#34235](https://togithub.com/envoyproxy/envoy/pull/34235)) has a `system_root_certs` field. In the gRPC client, if this field is present and the `ca_certificate_provider_instance` field is unset, system root certificates will be used for validation. This implements [gRFC A82](https://togithub.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md). - xds: Support for GCP Authentication Filter ([#​12499](https://togithub.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://togithub.com/grpc/grpc-java/commit/51611bad1)). In service mesh environments, there are cases where intermediate proxies make it impossible to rely on mTLS for end-to-end authentication. These cases can be addressed instead by the use of service account identity JWT tokens. The xDS [GCP Authentication filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter) provides a mechanism for attaching such JWT tokens as gRPC call credentials on GCP. gRPC already supports a framework for xDS HTTP filters, as described in [gRFC A39](https://togithub.com/grpc/proposal/blob/master/A39-xds-http-filters.md). This release supports the GCP Authentication filter under this framework as described in [gRFC A83](https://togithub.com/grpc/proposal/blob/master/A83-xds-gcp-authn-filter.md). - xds: Support for xDS-based authority rewriting ([#​12499](https://togithub.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://togithub.com/grpc/grpc-java/commit/51611bad1)). gRPC supports getting routing configuration from an xDS server, as described in gRFCs [A27](https://togithub.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md) and [A28](https://togithub.com/grpc/proposal/blob/master/A28-xds-traffic-splitting-and-routing.md). The xDS configuration can configure the client to rewrite the authority header on requests. This functionality can be useful in cases where the server is using the authority header to make decisions about how to process the request, such as when multiple hosts are handled via a reverse proxy. Note that this feature is solely about rewriting the authority header on data plane RPCs; it does not affect the authority used in the TLS handshake.\ As mentioned in [gRFC A29](https://togithub.com/grpc/proposal/blob/master/A29-xds-tls-security.md), there are use-cases for gRPC that prohibit trusting the xDS server to control security-centric configuration. The authority rewriting feature falls under the same umbrella as mTLS configuration. As a result, the authority rewriting feature will only be enabled when the bootstrap config for the xDS server has `trusted_xds_server` in the `server_features` field. - xds: xDS based SNI setting and SAN validation ([#​12378](https://togithub.com/grpc/grpc-java/issues/12378)) ([`0567531`](https://togithub.com/grpc/grpc-java/commit/0567531)). When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS. Implements gRFC [A101](https://togithub.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md). ##### Documentation - api: Document gRFC A18 TCP_USER_TIMEOUT handling for keepalive ([`da70387`](https://togithub.com/grpc/grpc-java/commit/da7038782)) - core: Fix AbstractClientStream Javadoc ([`28a6130`](https://togithub.com/grpc/grpc-java/commit/28a6130e8)) - examples: Document how to preserve META-INF/services in uber jars ([`97695d5`](https://togithub.com/grpc/grpc-java/commit/97695d523)) ##### Thanks to - [@​panchenko](https://togithub.com/panchenko) - [@​Dayuxiaoshui](https://togithub.com/Dayuxiaoshui) - [@​becomeStar](https://togithub.com/becomeStar) - [@​kssumin](https://togithub.com/kssumin) - [@​marcindabrowski](https://togithub.com/marcindabrowski) - [@​MariusVolkhart](https://togithub.com/MariusVolkhart) - [@​Zgoda91](https://togithub.com/Zgoda91) - [@​devalkone](https://togithub.com/devalkone) ### [`v1.77.1`](https://togithub.com/grpc/grpc-java/releases/tag/v1.77.1) [Compare Source](https://togithub.com/grpc/grpc-java/compare/v1.77.0...v1.77.1) ##### Bug Fixes - rls: Avoid missed config update from reentrancy ([https://github.com/grpc/grpc-java/pull/12549](https://togithub.com/grpc/grpc-java/pull/12549)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) ### [`v1.77.0`](https://togithub.com/grpc/grpc-java/releases/tag/v1.77.0) [Compare Source](https://togithub.com/grpc/grpc-java/compare/v1.76.2...v1.77.0) ##### API Changes - binder: Remove experimental `BinderChannelBuilder.bindAsUser()` method, deprecated since 1.69 ([#​12401](https://togithub.com/grpc/grpc-java/issues/12401)) ([`f96ce06`](https://togithub.com/grpc/grpc-java/commit/f96ce0670)) ##### Bug Fixes - api: Fix name resolver bridge listener handling for address resolution errors for custom name resolvers ([#​12441](https://togithub.com/grpc/grpc-java/issues/12441)) ([`acbbf86`](https://togithub.com/grpc/grpc-java/commit/acbbf869a)). This fixes regression introduced in v1.68.1 causing a “IllegalStateException: No value present.” exception - core: Fix NullPointerException during address update with Happy Eyeballs ([`5e8af56`](https://togithub.com/grpc/grpc-java/commit/5e8af564e)). This should not impact many people as the code is disabled by default, behind two experimental environment variables - okhttp: Fix bidirectional keep-alive causing spurious GOAWAY ([`6fc3fd0`](https://togithub.com/grpc/grpc-java/commit/6fc3fd046)). This fixes the grpc-okhttp server incorrectly closing the connection with `GOAWAY: too_many_pings` - xds: SslContext updates handling when using system root certs ([#​12340](https://togithub.com/grpc/grpc-java/issues/12340)) ([`63fdaac`](https://togithub.com/grpc/grpc-java/commit/63fdaaccc)). Since `FileWatcherCertificateProvider` isn't used when using system root trust store, the SslContext update for the handshake that depended on it wasn't happening. This fix creates a separate `CertificateProvider` for handling system root certs that doesn't rely on the `FileWatcherCertificateProvider.` - xds: Make cluster selection interceptor run before other filters ([#​12381](https://togithub.com/grpc/grpc-java/issues/12381)) ([`82f9b8e`](https://togithub.com/grpc/grpc-java/commit/82f9b8ec0)). This is needed when there is `GcpAuthenticationFilter` in the filter chain to make available the cluster resource in `CallOption`s. - xds: Handle wildcards in DNS SAN exact matching ([#​12345](https://togithub.com/grpc/grpc-java/issues/12345)) ([`5b876cc`](https://togithub.com/grpc/grpc-java/commit/5b876cc86)) - android: Fix UdsChannelBuilder with WiFi Proxy ([`349a35a`](https://togithub.com/grpc/grpc-java/commit/349a35a9b)) - binder: Avoid potential deadlock when canceling AsyncSecurityPolicy futures ([#​12283](https://togithub.com/grpc/grpc-java/issues/12283)) ([`4725ced`](https://togithub.com/grpc/grpc-java/commit/4725ced99)) - binder: Fix a BinderServerTransport crash in the rare shutdown-before-start case ([#​12440](https://togithub.com/grpc/grpc-java/issues/12440)) ([`91f3f4d`](https://togithub.com/grpc/grpc-java/commit/91f3f4dc1)) ##### Improvements - Improve status messages by including causal error details in config parsing errors for outlier detection and xds’s wrr locality policies ([`86e8b56`](https://togithub.com/grpc/grpc-java/commit/86e8b5617)) - xds: Detect negative ref count for xds client ([`21696cd`](https://togithub.com/grpc/grpc-java/commit/21696cd3d)). A negative reference count could cause NullPointerExceptions, so when too many unrefs are detected it produces a SEVERE warning and prevents the reference count from going negative - xds: Support deprecated xDS TLS fields for Istio compat ([#​12435](https://togithub.com/grpc/grpc-java/issues/12435)) ([`53cd1a2`](https://togithub.com/grpc/grpc-java/commit/53cd1a225)). This fixes a regression with Istio introduced in v1.73.0. This gives time for [Istio’s new xDS field support](https://togithub.com/istio/istio/pull/58257) to roll out - googleapis: Allow wrapping NameResolver to inject XdsClient ([#​12450](https://togithub.com/grpc/grpc-java/issues/12450)) ([`27d1508`](https://togithub.com/grpc/grpc-java/commit/27d150890)). This allows googleapis to inject an xDS bootstrap to use with its channels even if one is already specified in the environment variable or system property. When the code was originally written there was a single global XdsClient, but since gRFC A71 Xds Fallback each target string has its own XdsClient and thus can have its own bootstrap - alts: Allow overriding metadata server address with env variable ([`9ac12ef`](https://togithub.com/grpc/grpc-java/commit/9ac12ef89)) ([`498f717`](https://togithub.com/grpc/grpc-java/commit/498f717fc)) - binder: Let the server know when the client fails to authorize it. ([#​12445](https://togithub.com/grpc/grpc-java/issues/12445)) ([`599a0a1`](https://togithub.com/grpc/grpc-java/commit/599a0a146)) This avoids the server needing to wait for the handshake timeout before realizing the handshake failed ##### New Features - opentelemetry: Implement otel retry metrics from gRFC A96 ([#​12064](https://togithub.com/grpc/grpc-java/issues/12064)) ([`d380191`](https://togithub.com/grpc/grpc-java/commit/d380191be)) - opentelemetry: propagate baggage to server metrics for custom attributes ([#​12389](https://togithub.com/grpc/grpc-java/issues/12389)) ([`155308d`](https://togithub.com/grpc/grpc-java/commit/155308db2)) - xds: Allow EC Keys in SPIFFE Bundle Map parsing ([#​12399](https://togithub.com/grpc/grpc-java/issues/12399)) ([`559e3ba`](https://togithub.com/grpc/grpc-java/commit/559e3ba41)) - xds: Enable authority rewriting (gRFC A81), system root cert support (gRFC A82), GCP authentication filter (gRFC A83), and SNI (gRFC A101) ([#​12499](https://togithub.com/grpc/grpc-java/issues/12499)) ([`246c2b1`](https://togithub.com/grpc/grpc-java/commit/246c2b1ea)). Authority rewriting requires the control plane to be labeled `trusted_xds_server` in the bootstrap. System root cert support and SNI require using XdsChannelCredentials - rls: Add route lookup reason to request whether it is due to a cache miss or stale cache entry ([#​12442](https://togithub.com/grpc/grpc-java/issues/12442)) ([`795ce02`](https://togithub.com/grpc/grpc-java/commit/795ce0280)) ##### Dependencies - compiler: C++ protobuf used by codegen upgraded to 26.1 ([#​12330](https://togithub.com/grpc/grpc-java/issues/12330)) ([`55aefd5`](https://togithub.com/grpc/grpc-java/commit/55aefd5b8)) - alts: Remove dep on grpclb ([`b769f96`](https://togithub.com/grpc/grpc-java/commit/b769f966a)). ALTS is no longer used with grpclb, so this removes dead code - Upgrade netty to 4.1.127.Final ([`b37ee67`](https://togithub.com/grpc/grpc-java/commit/b37ee67cf)) ##### Thanks to [@​panchenko](https://togithub.com/panchenko) [@​benjaminp](https://togithub.com/benjaminp) [@​HyunSangHan](https://togithub.com/HyunSangHan) [@​becomeStar](https://togithub.com/becomeStar) [@​ZachChuba](https://togithub.com/ZachChuba) [@​oliviamariacodes](https://togithub.com/oliviamariacodes) [@​kssumin](https://togithub.com/kssumin) [@​laz-canva](https://togithub.com/laz-canva) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: Renovate Bot <[email protected]>
github-merge-queue bot
pushed a commit
to borkfork/spicedb-embedded
that referenced
this pull request
Feb 23, 2026
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [org.apache.maven.plugins:maven-source-plugin](https://maven.apache.org/plugins/) ([source](https://redirect.github.com/apache/maven-source-plugin)) | `3.2.1` → `3.4.0` |  |  | | [org.apache.maven.plugins:maven-deploy-plugin](https://maven.apache.org/plugins/) ([source](https://redirect.github.com/apache/maven-deploy-plugin)) | `3.1.2` → `3.1.4` |  |  | | [org.codehaus.mojo:build-helper-maven-plugin](https://www.mojohaus.org/build-helper-maven-plugin/) ([source](https://redirect.github.com/mojohaus/build-helper-maven-plugin)) | `3.5.0` → `3.6.1` |  |  | | [org.apache.maven.plugins:maven-antrun-plugin](https://maven.apache.org/plugins/) ([source](https://redirect.github.com/apache/maven-antrun-plugin)) | `3.1.0` → `3.2.0` |  |  | | [org.sonatype.central:central-publishing-maven-plugin](https://central.sonatype.org) ([source](https://redirect.github.com/sonatype/central-publishing-maven-plugin)) | `0.5.0` → `0.10.0` |  |  | | [org.apache.maven.plugins:maven-release-plugin](https://maven.apache.org/) ([source](https://redirect.github.com/apache/maven-release)) | `3.1.1` → `3.3.1` |  |  | | [org.apache.maven.plugins:maven-gpg-plugin](https://maven.apache.org/plugins/) ([source](https://redirect.github.com/apache/maven-gpg-plugin)) | `3.2.4` → `3.2.8` |  |  | | [org.apache.maven.plugins:maven-javadoc-plugin](https://maven.apache.org/plugins/) ([source](https://redirect.github.com/apache/maven-javadoc-plugin)) | `3.7.0` → `3.12.0` |  |  | | [org.apache.maven.plugins:maven-source-plugin](https://maven.apache.org/plugins/) ([source](https://redirect.github.com/apache/maven-source-plugin)) | `3.3.0` → `3.4.0` |  |  | | [com.diffplug.spotless:spotless-maven-plugin](https://redirect.github.com/diffplug/spotless) | `2.43.0` → `2.46.1` |  |  | | [org.apache.maven.plugins:maven-surefire-plugin](https://maven.apache.org/surefire/) ([source](https://redirect.github.com/apache/maven-surefire)) | `3.2.5` → `3.5.5` |  |  | | [org.apache.maven.plugins:maven-compiler-plugin](https://maven.apache.org/plugins/) ([source](https://redirect.github.com/apache/maven-compiler-plugin)) | `3.12.1` → `3.15.0` |  |  | | [ch.qos.logback:logback-classic](http://logback.qos.ch) ([source](https://redirect.github.com/qos-ch/logback), [changelog](https://logback.qos.ch/news.html)) | `1.5.6` → `1.5.32` |  |  | | [org.junit.jupiter:junit-jupiter](https://junit.org/) ([source](https://redirect.github.com/junit-team/junit-framework)) | `5.10.2` → `5.14.3` |  |  | | [com.google.code.gson:gson](https://redirect.github.com/google/gson) | `2.10.1` → `2.13.2` |  |  | | [io.netty:netty-transport-native-kqueue](https://netty.io/) ([source](https://redirect.github.com/netty/netty)) | `4.1.115.Final` → `4.2.10.Final` |  |  | | [io.netty:netty-transport-native-epoll](https://netty.io/) ([source](https://redirect.github.com/netty/netty)) | `4.1.115.Final` → `4.2.10.Final` |  |  | | [io.grpc:grpc-netty](https://redirect.github.com/grpc/grpc-java) | `1.75.0` → `1.79.0` |  |  | | [io.grpc:grpc-stub](https://redirect.github.com/grpc/grpc-java) | `1.75.0` → `1.79.0` |  |  | | [net.java.dev.jna:jna](https://redirect.github.com/java-native-access/jna) | `5.14.0` → `5.18.1` |  |  | --- ### Release Notes <details> <summary>mojohaus/build-helper-maven-plugin (org.codehaus.mojo:build-helper-maven-plugin)</summary> ### [`v3.6.1`](https://redirect.github.com/mojohaus/build-helper-maven-plugin/releases/tag/3.6.1) [Compare Source](https://redirect.github.com/mojohaus/build-helper-maven-plugin/compare/3.6.0...3.6.1) <!-- Optional: add a release summary here --> ##### 📝 Documentation updates - Rename Goals to Plugin Documentation in the site menu ([#​229](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/229)) [@​slawekjaranowski](https://redirect.github.com/slawekjaranowski) - update the documentation for adding more resource directories ([#​213](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/213)) [@​mjj042](https://redirect.github.com/mjj042) ##### 👻 Maintenance - Use common release-drafter configuration ([#​230](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/230)) [@​slawekjaranowski](https://redirect.github.com/slawekjaranowski) ##### 📦 Dependency updates - Bump org.codehaus.mojo:mojo-parent from 87 to 91 ([#​228](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/228)) @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) - Bump org.apache.maven.shared:file-management from 3.1.0 to 3.2.0 ([#​222](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/222)) @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) - Bump org.codehaus.mojo:mojo-parent from 86 to 87 ([#​221](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/221)) @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) - Bump org.codehaus.mojo:mojo-parent from 85 to 86 ([#​219](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/219)) @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) - Bump org.codehaus.plexus:plexus-utils from 4.0.1 to 4.0.2 ([#​220](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/220)) @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) - Bump org.codehaus.mojo:mojo-parent from 84 to 85 ([#​217](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/217)) @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) - Bump org.codehaus.mojo:mojo-parent from 82 to 84 ([#​214](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/214)) @​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ### [`v3.6.0`](https://redirect.github.com/mojohaus/build-helper-maven-plugin/releases/tag/3.6.0) [Compare Source](https://redirect.github.com/mojohaus/build-helper-maven-plugin/compare/3.5.0...3.6.0) #### Changes #### 🚀 New features and improvements - Deprecate remove-project-artifact goal ([#​205](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/205)) [@​slawekjaranowski](https://redirect.github.com/slawekjaranowski) - Parallel execution of uptodate-properties ([#​201](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/201)) [@​mkarg](https://redirect.github.com/mkarg) #### 📦 Dependency updates - Bump org.codehaus.mojo:mojo-parent from 81 to 82 ([#​206](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/206)) [@​dependabot](https://redirect.github.com/dependabot) - Bump org.codehaus.mojo:mojo-parent from 78 to 81 ([#​204](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/204)) [@​dependabot](https://redirect.github.com/dependabot) - Bump org.codehaus.plexus:plexus-utils from 4.0.0 to 4.0.1 ([#​202](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/202)) [@​dependabot](https://redirect.github.com/dependabot) - Bump apache/maven-gh-actions-shared from 3 to 4 ([#​200](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/200)) [@​dependabot](https://redirect.github.com/dependabot) - Bump release-drafter/release-drafter from 5 to 6 ([#​195](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/195)) [@​dependabot](https://redirect.github.com/dependabot) - Bump org.codehaus.mojo:mojo-parent from 77 to 78 ([#​193](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/193)) [@​dependabot](https://redirect.github.com/dependabot) #### 👻 Maintenance - Delete link to remove-project-artifact as is deprecated ([#​210](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/210)) [@​slawekjaranowski](https://redirect.github.com/slawekjaranowski) - Cleanups dependencies ([#​209](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/209)) [@​slawekjaranowski](https://redirect.github.com/slawekjaranowski) - Remove public modifiers from JUnit 5 tests ([#​208](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/208)) [@​slawekjaranowski](https://redirect.github.com/slawekjaranowski) - Delete example about remove-project-artifact as is deprecated ([#​207](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/207)) [@​slawekjaranowski](https://redirect.github.com/slawekjaranowski) - Fix goal in usage add-test-resource example ([#​199](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/199)) [@​mfussenegger](https://redirect.github.com/mfussenegger) #### 🔧 Build - Use shared action for release drafter ([#​203](https://redirect.github.com/mojohaus/build-helper-maven-plugin/pull/203)) [@​slawekjaranowski](https://redirect.github.com/slawekjaranowski) </details> <details> <summary>diffplug/spotless (com.diffplug.spotless:spotless-maven-plugin)</summary> ### [`v2.45.0`](https://redirect.github.com/diffplug/spotless/blob/HEAD/CHANGES.md#2450---2024-01-23) ##### Added - Support for `gofmt` ([#​2001](https://redirect.github.com/diffplug/spotless/pull/2001)) - Support for formatting Java Docs for the Palantir formatter ([#​2009](https://redirect.github.com/diffplug/spotless/pull/2009)) ### [`v2.44.0`](https://redirect.github.com/diffplug/spotless/blob/HEAD/CHANGES.md#2440---2024-01-15) ##### Added - New static method to `DiffMessageFormatter` which allows to retrieve diffs with their line numbers ([#​1960](https://redirect.github.com/diffplug/spotless/issues/1960)) - Gradle - Support for formatting shell scripts via [shfmt](https://redirect.github.com/mvdan/sh). ([#​1994](https://redirect.github.com/diffplug/spotless/pull/1994)) ##### Fixed - Fix empty files with biome >= 1.5.0 when formatting files that are in the ignore list of the biome configuration file. ([#​1989](https://redirect.github.com/diffplug/spotless/pull/1989) fixes [#​1987](https://redirect.github.com/diffplug/spotless/issues/1987)) - Fix a regression in BufStep where the same arguments were being provided to every `buf` invocation. ([#​1976](https://redirect.github.com/diffplug/spotless/issues/1976)) ##### Changed - Use palantir-java-format 2.39.0 on Java 21. ([#​1948](https://redirect.github.com/diffplug/spotless/pull/1948)) - Bump default `ktlint` version to latest `1.0.1` -> `1.1.1`. ([#​1973](https://redirect.github.com/diffplug/spotless/pull/1973)) - Bump default `googleJavaFormat` version to latest `1.18.1` -> `1.19.2`. ([#​1971](https://redirect.github.com/diffplug/spotless/pull/1971)) - Bump default `diktat` version to latest `1.2.5` -> `2.0.0`. ([#​1972](https://redirect.github.com/diffplug/spotless/pull/1972)) </details> <details> <summary>grpc/grpc-java (io.grpc:grpc-netty)</summary> ### [`v1.79.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.79.0) **API Changes** - core: Delete the never-used io.grpc.internal.ReadableBuffer.readBytes(ByteBuffer) ([#​12580](https://redirect.github.com/grpc/grpc-java/issues/12580)) ([`738782f`](https://redirect.github.com/grpc/grpc-java/commit/738782fb0)). This is deeply internal and not accessible, so shouldn’t impact anything. However, Apache Arrow Java [uses reflection to access private fields](https://redirect.github.com/apache/arrow-java/blob/96156ccc2bf933c75c852ca7c04418a61f87defd/flight/flight-core/src/main/java/org/apache/arrow/flight/grpc/GetReadableBuffer.java#L44-L45); [GH-939: Remove reflection for gRPC buffers](https://redirect.github.com/apache/arrow-java/pull/954) is swapping to gRPC’s public zero-copy APIs - opentelemetry: Add target attribute filter for metrics ([#​12587](https://redirect.github.com/grpc/grpc-java/issues/12587)). Introduce an optional Predicate targetAttributeFilter to control how grpc.target is recorded in OpenTelemetry client metrics. When a filter is provided, targets rejected by the predicate are normalized to "other" to reduce grpc.target metric cardinality, while accepted targets are recorded as-is. If no filter is set, existing behavior is preserved. This change adds a new Builder API on GrpcOpenTelemetry to allow applications to configure the filter. **Behavior Changes** - core: Convert AutoConfiguredLB to an actual LB ([`4bbf8ee`](https://redirect.github.com/grpc/grpc-java/commit/4bbf8eee5)). This is an internal refactoring, but it does improve how errors are handled for broken binaries. Previously, not being able to load pick\_first would result in a channel panic. Now it is handled as a regular load balancing error - okhttp: Assert no pending streams before transport READY ([#​12566](https://redirect.github.com/grpc/grpc-java/issues/12566)) ([`ed6d175`](https://redirect.github.com/grpc/grpc-java/commit/ed6d175fc)). No pending streams should exist when the transport transitions to READY. This PR adds an assertion to help verify this invariant. **Bug Fixes** - core: PickFirstLB should not return a subchannel during CONNECTING ([`228fc8e`](https://redirect.github.com/grpc/grpc-java/commit/228fc8ecd)). Pick-first in grpc-java has behaved this way since it was created, and it was of no consequence. However, now there are some load balancing policies (mainly RLS) that will do a pick() and hope the result to be reasonably accurate for metrics. **Improvements** - core: Improve DEADLINE\_EXCEEDED message for CallCreds delays ([`ead532b`](https://redirect.github.com/grpc/grpc-java/commit/ead532b39)). Previously the error message contained “buffered\_nanos” and “waiting\_for\_connection” for connection delays. However, we discovered the same strings were also used if waiting on CallCredentials. Now you’ll see details like “connecting\_and\_lb\_delay”, “call\_credentials\_delay”, and “was\_still\_waiting”. - opentelemetry: Add Android API checking ([`a9f73f4`](https://redirect.github.com/grpc/grpc-java/commit/a9f73f4c0)). Previously we assumed OpenTelemetry support would not be used on Android. It did happen to be compatible with Android, but since OpenTelemetry does have some Android support, we now have a check that it remains compatible - core: Catch Errors when calling complex config parsing code ([`a535ed7`](https://redirect.github.com/grpc/grpc-java/commit/a535ed799)). Error (and any other Throwable) is now caught and handled when parsing configuration (e.g., service config, xds). This will cause such failures to be handled gracefully instead of panicking the channel - core: Implement LoadBalancer.Helper.createOobChannel() with the internals of createResolvingOobChannel() ([`3915d02`](https://redirect.github.com/grpc/grpc-java/commit/3915d029c)). This API is only expected to be relevant to the gRPC-LB lookaside load balancer, and is not believed to have behavior changes. Out-of-band channel had been implemented with its own stripped-down Channel without load balancing. Reimplementing using the resolving oob channel makes it a full-fledged channel and reduces the burden when integrating new features and allows us to have a ManagedChannelBuilder to use with efforts like [gRFC A110: Child Channel Options](https://redirect.github.com/grpc/proposal/pull/529). - xds: Implement the proactive connection logic in RingHashLoadBalancer as outlined in gRFC A61 ([#​12596](https://redirect.github.com/grpc/grpc-java/issues/12596)). Previously, the Java implementation only initialized child balancers when a ring-chosen endpoint was in TRANSIENT\_FAILURE during a picker's pickSubchannel call. This PR adds the missing logic: when a child balancer reports TRANSIENT\_FAILURE, the LoadBalancer now proactively initializes the first available IDLE child if no other children are currently connecting or ready. This ensures a backup subchannel starts warming up immediately outside the RPC flow, reducing failover latency and improving overall resilience. This behavior was previously present but was inadvertently lost after [#​10610](https://redirect.github.com/grpc/grpc-java/pull/10610). - api: Add RFC 3986 support to DnsNameResolverProvider ([#​12602](https://redirect.github.com/grpc/grpc-java/issues/12602)) ([`f65127c`](https://redirect.github.com/grpc/grpc-java/commit/f65127cf7)) Experimental RFC 3986 target URI parsing mode (disabled by default) **New Features** - opentelemetry: Actual reason for the disconnects in subchannel metrics([`6b2f758`](https://redirect.github.com/grpc/grpc-java/commit/6b2f7580c)), completing the remaining work in [gRFC A96: OTel metrics for Subchannels](https://redirect.github.com/grpc/proposal/pull/485/files) **Dependencies** - protobuf: Upgrade Bazel protobuf to 33.1 ([#​12553](https://redirect.github.com/grpc/grpc-java/issues/12553)) ([`b61a8f4`](https://redirect.github.com/grpc/grpc-java/commit/b61a8f49c)) and load java\_proto\_library from the protobuf repo ([`c7f3cdb`](https://redirect.github.com/grpc/grpc-java/commit/c7f3cdbc3)) - protobuf: Fix build with Bazel 9 by upgrading bazel\_jar\_jar and grpc-proto versions ([#​12569](https://redirect.github.com/grpc/grpc-java/issues/12569)) - Upgrade dependencies ([#​12588](https://redirect.github.com/grpc/grpc-java/issues/12588)) ([`6422092`](https://redirect.github.com/grpc/grpc-java/commit/6422092e3)) Netty to 4.1.130, error-prone annotations to 2.45.0, google-auth-library to 1.41.0, tomcat-embed-core9 to 9.0.113, tomcat-embed-core to 10.1.50, opentelemetry to 1.57.0, jetty-ee10-servlet to 12.1.5, jetty-http2-server to 12.1.5, google-cloud-logging to 3.23.9, google-auth to 1.41.0, proto-google-common-protos to 2.63.2. **Thanks to** - [@​benjaminp](https://redirect.github.com/benjaminp) - [@​becomeStar](https://redirect.github.com/becomeStar) - [@​meteorcloudy](https://redirect.github.com/meteorcloudy) ### [`v1.78.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.78.0) ##### Bug Fixes - core: Fix shutdown failing accepted RPCs during channel startup ([`02e98a8`](https://redirect.github.com/grpc/grpc-java/commit/02e98a806)). This fixes a race where RPCs could fail with "UNAVAILABLE: Channel shutdown invoked" even though they were created before channel.shutdown() - okhttp: Fix race condition overwriting MAX\_CONCURRENT\_STREAMS ([#​12548](https://redirect.github.com/grpc/grpc-java/issues/12548)) ([`8d49dc1`](https://redirect.github.com/grpc/grpc-java/commit/8d49dc1c9)) - binder: Stop leaking `this` from BinderServerTransport's ctor ([#​12453](https://redirect.github.com/grpc/grpc-java/issues/12453)) ([`89d77e0`](https://redirect.github.com/grpc/grpc-java/commit/89d77e062)) - rls: Avoid missed config update from reentrancy ([`55ae1d0`](https://redirect.github.com/grpc/grpc-java/commit/55ae1d054)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE\_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) ##### Improvements - xds: gRFC A88 - Changes to XdsClient Watcher APIs ([#​12446](https://redirect.github.com/grpc/grpc-java/issues/12446)) ([`f385add`](https://redirect.github.com/grpc/grpc-java/commit/f385add31)). We now have improved xDS error handling and this provides a clearer mechanism for the xDS server to report per-resource errors to the client, resulting in better error messages for debugging and faster detection of non-existent resources. This also improves the handling of all xDS-related data errors and the behavior of the xDS resource timer. - rls: Control plane channel monitor state and back off handling ([#​12460](https://redirect.github.com/grpc/grpc-java/issues/12460)) ([`26c1c13`](https://redirect.github.com/grpc/grpc-java/commit/26c1c1341)). Resets RLS request backoff timers when the Control plane channel state transitions to READY. Also when the backoff timer expires, instead of making a RLS request immediately, it just causes a picker update to allow making rpc again to the RLS target. - core: simplify DnsNameResolver.resolveAddresses() ([`4843256`](https://redirect.github.com/grpc/grpc-java/commit/4843256af)) - netty: Run handshakeCompleteRunnable in success cases ([`283f103`](https://redirect.github.com/grpc/grpc-java/commit/283f1031f)) - api,netty: Add custom header support for HTTP CONNECT proxy ([`bbc0aa3`](https://redirect.github.com/grpc/grpc-java/commit/bbc0aa369)) - binder: Pre-factor out the guts of the BinderClientTransport handshake. ([`9313e87`](https://redirect.github.com/grpc/grpc-java/commit/9313e87df)) - compiler: Add RISC-V 64-bit architecture support to compiler build configuration ([`725ab22`](https://redirect.github.com/grpc/grpc-java/commit/725ab22f3)) - core: Release lock before closing shared resource ([`cb73f21`](https://redirect.github.com/grpc/grpc-java/commit/cb73f217e)). Shared resources are internal to gRPC for sharing expensive objects across channels and servers, like threads. This reduces the chances of forming a deadlock, like seen with s2a in [`d50098f`](https://redirect.github.com/grpc/grpc-java/commit/d50098f) - Upgrade gson to 2.12.1 ([`6dab2ce`](https://redirect.github.com/grpc/grpc-java/commit/6dab2ceab)) - Upgrade dependencies ([`f36defa`](https://redirect.github.com/grpc/grpc-java/commit/f36defa2d)). proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0, error-prone annotations to 2.44.0, guava to 33.5.0-android, opentelemetry to 1.56.0 - compiler: Update maximum supported protobuf edition to EDITION\_2024 ([`2f64092`](https://redirect.github.com/grpc/grpc-java/commit/2f64092b8)) - binder: Introduce server authorization strategy v2 ([`d971072`](https://redirect.github.com/grpc/grpc-java/commit/d9710725d)). Adds support for `android:isolatedProcess` Services and moves all security checks to the handshake, making subsequent transactions more efficient. ##### New Features - compiler: Upgrade to C++ protobuf 33.1 ([#​12534](https://redirect.github.com/grpc/grpc-java/issues/12534)) ([`58ae5f8`](https://redirect.github.com/grpc/grpc-java/commit/58ae5f808)). - util: Add gRFC A68 random subsetting LB ([`48a4288`](https://redirect.github.com/grpc/grpc-java/commit/48a42889d)). The policy uses the name `random_subsetting_experimental`. If it is working for you, tell us so we can gauge marking it stable. While the xDS portions haven’t yet landed, it is possible to use with xDS with JSON-style Structs as supported by gRFC A52 - xds: Support for System Root Certs ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy. The xDS `CertificateValidationContext` message (see [envoyproxy/envoy#34235](https://redirect.github.com/envoyproxy/envoy/pull/34235)) has a `system_root_certs` field. In the gRPC client, if this field is present and the `ca_certificate_provider_instance` field is unset, system root certificates will be used for validation. This implements [gRFC A82](https://redirect.github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md). - xds: Support for GCP Authentication Filter ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). In service mesh environments, there are cases where intermediate proxies make it impossible to rely on mTLS for end-to-end authentication. These cases can be addressed instead by the use of service account identity JWT tokens. The xDS [GCP Authentication filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter) provides a mechanism for attaching such JWT tokens as gRPC call credentials on GCP. gRPC already supports a framework for xDS HTTP filters, as described in [gRFC A39](https://redirect.github.com/grpc/proposal/blob/master/A39-xds-http-filters.md). This release supports the GCP Authentication filter under this framework as described in [gRFC A83](https://redirect.github.com/grpc/proposal/blob/master/A83-xds-gcp-authn-filter.md). - xds: Support for xDS-based authority rewriting ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`51611ba`](https://redirect.github.com/grpc/grpc-java/commit/51611bad1)). gRPC supports getting routing configuration from an xDS server, as described in gRFCs [A27](https://redirect.github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md) and [A28](https://redirect.github.com/grpc/proposal/blob/master/A28-xds-traffic-splitting-and-routing.md). The xDS configuration can configure the client to rewrite the authority header on requests. This functionality can be useful in cases where the server is using the authority header to make decisions about how to process the request, such as when multiple hosts are handled via a reverse proxy. Note that this feature is solely about rewriting the authority header on data plane RPCs; it does not affect the authority used in the TLS handshake.\ As mentioned in [gRFC A29](https://redirect.github.com/grpc/proposal/blob/master/A29-xds-tls-security.md), there are use-cases for gRPC that prohibit trusting the xDS server to control security-centric configuration. The authority rewriting feature falls under the same umbrella as mTLS configuration. As a result, the authority rewriting feature will only be enabled when the bootstrap config for the xDS server has `trusted_xds_server` in the `server_features` field. - xds: xDS based SNI setting and SAN validation ([#​12378](https://redirect.github.com/grpc/grpc-java/issues/12378)) ([`0567531`](https://redirect.github.com/grpc/grpc-java/commit/0567531)). When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS. Implements gRFC [A101](https://redirect.github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md). ##### Documentation - api: Document gRFC A18 TCP\_USER\_TIMEOUT handling for keepalive ([`da70387`](https://redirect.github.com/grpc/grpc-java/commit/da7038782)) - core: Fix AbstractClientStream Javadoc ([`28a6130`](https://redirect.github.com/grpc/grpc-java/commit/28a6130e8)) - examples: Document how to preserve META-INF/services in uber jars ([`97695d5`](https://redirect.github.com/grpc/grpc-java/commit/97695d523)) ##### Thanks to - [@​panchenko](https://redirect.github.com/panchenko) - [@​Dayuxiaoshui](https://redirect.github.com/Dayuxiaoshui) - [@​becomeStar](https://redirect.github.com/becomeStar) - [@​kssumin](https://redirect.github.com/kssumin) - [@​marcindabrowski](https://redirect.github.com/marcindabrowski) - [@​MariusVolkhart](https://redirect.github.com/MariusVolkhart) - [@​Zgoda91](https://redirect.github.com/Zgoda91) - [@​devalkone](https://redirect.github.com/devalkone) ### [`v1.77.1`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.77.1) ##### Bug Fixes - rls: Avoid missed config update from reentrancy ([#​12549](https://redirect.github.com/grpc/grpc-java/pull/12549)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE\_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) ### [`v1.77.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.77.0) ##### API Changes - binder: Remove experimental `BinderChannelBuilder.bindAsUser()` method, deprecated since 1.69 ([#​12401](https://redirect.github.com/grpc/grpc-java/issues/12401)) ([`f96ce06`](https://redirect.github.com/grpc/grpc-java/commit/f96ce0670)) ##### Bug Fixes - api: Fix name resolver bridge listener handling for address resolution errors for custom name resolvers ([#​12441](https://redirect.github.com/grpc/grpc-java/issues/12441)) ([`acbbf86`](https://redirect.github.com/grpc/grpc-java/commit/acbbf869a)). This fixes regression introduced in v1.68.1 causing a “IllegalStateException: No value present.” exception - core: Fix NullPointerException during address update with Happy Eyeballs ([`5e8af56`](https://redirect.github.com/grpc/grpc-java/commit/5e8af564e)). This should not impact many people as the code is disabled by default, behind two experimental environment variables - okhttp: Fix bidirectional keep-alive causing spurious GOAWAY ([`6fc3fd0`](https://redirect.github.com/grpc/grpc-java/commit/6fc3fd046)). This fixes the grpc-okhttp server incorrectly closing the connection with `GOAWAY: too_many_pings` - xds: SslContext updates handling when using system root certs ([#​12340](https://redirect.github.com/grpc/grpc-java/issues/12340)) ([`63fdaac`](https://redirect.github.com/grpc/grpc-java/commit/63fdaaccc)). Since `FileWatcherCertificateProvider` isn't used when using system root trust store, the SslContext update for the handshake that depended on it wasn't happening. This fix creates a separate `CertificateProvider` for handling system root certs that doesn't rely on the `FileWatcherCertificateProvider.` - xds: Make cluster selection interceptor run before other filters ([#​12381](https://redirect.github.com/grpc/grpc-java/issues/12381)) ([`82f9b8e`](https://redirect.github.com/grpc/grpc-java/commit/82f9b8ec0)). This is needed when there is `GcpAuthenticationFilter` in the filter chain to make available the cluster resource in `CallOption`s. - xds: Handle wildcards in DNS SAN exact matching ([#​12345](https://redirect.github.com/grpc/grpc-java/issues/12345)) ([`5b876cc`](https://redirect.github.com/grpc/grpc-java/commit/5b876cc86)) - android: Fix UdsChannelBuilder with WiFi Proxy ([`349a35a`](https://redirect.github.com/grpc/grpc-java/commit/349a35a9b)) - binder: Avoid potential deadlock when canceling AsyncSecurityPolicy futures ([#​12283](https://redirect.github.com/grpc/grpc-java/issues/12283)) ([`4725ced`](https://redirect.github.com/grpc/grpc-java/commit/4725ced99)) - binder: Fix a BinderServerTransport crash in the rare shutdown-before-start case ([#​12440](https://redirect.github.com/grpc/grpc-java/issues/12440)) ([`91f3f4d`](https://redirect.github.com/grpc/grpc-java/commit/91f3f4dc1)) ##### Improvements - Improve status messages by including causal error details in config parsing errors for outlier detection and xds’s wrr locality policies ([`86e8b56`](https://redirect.github.com/grpc/grpc-java/commit/86e8b5617)) - xds: Detect negative ref count for xds client ([`21696cd`](https://redirect.github.com/grpc/grpc-java/commit/21696cd3d)). A negative reference count could cause NullPointerExceptions, so when too many unrefs are detected it produces a SEVERE warning and prevents the reference count from going negative - xds: Support deprecated xDS TLS fields for Istio compat ([#​12435](https://redirect.github.com/grpc/grpc-java/issues/12435)) ([`53cd1a2`](https://redirect.github.com/grpc/grpc-java/commit/53cd1a225)). This fixes a regression with Istio introduced in v1.73.0. This gives time for [Istio’s new xDS field support](https://redirect.github.com/istio/istio/pull/58257) to roll out - googleapis: Allow wrapping NameResolver to inject XdsClient ([#​12450](https://redirect.github.com/grpc/grpc-java/issues/12450)) ([`27d1508`](https://redirect.github.com/grpc/grpc-java/commit/27d150890)). This allows googleapis to inject an xDS bootstrap to use with its channels even if one is already specified in the environment variable or system property. When the code was originally written there was a single global XdsClient, but since gRFC A71 Xds Fallback each target string has its own XdsClient and thus can have its own bootstrap - alts: Allow overriding metadata server address with env variable ([`9ac12ef`](https://redirect.github.com/grpc/grpc-java/commit/9ac12ef89)) ([`498f717`](https://redirect.github.com/grpc/grpc-java/commit/498f717fc)) - binder: Let the server know when the client fails to authorize it. ([#​12445](https://redirect.github.com/grpc/grpc-java/issues/12445)) ([`599a0a1`](https://redirect.github.com/grpc/grpc-java/commit/599a0a146)) This avoids the server needing to wait for the handshake timeout before realizing the handshake failed ##### New Features - opentelemetry: Implement otel retry metrics from gRFC A96 ([#​12064](https://redirect.github.com/grpc/grpc-java/issues/12064)) ([`d380191`](https://redirect.github.com/grpc/grpc-java/commit/d380191be)) - opentelemetry: propagate baggage to server metrics for custom attributes ([#​12389](https://redirect.github.com/grpc/grpc-java/issues/12389)) ([`155308d`](https://redirect.github.com/grpc/grpc-java/commit/155308db2)) - xds: Allow EC Keys in SPIFFE Bundle Map parsing ([#​12399](https://redirect.github.com/grpc/grpc-java/issues/12399)) ([`559e3ba`](https://redirect.github.com/grpc/grpc-java/commit/559e3ba41)) - xds: Enable authority rewriting (gRFC A81), system root cert support (gRFC A82), GCP authentication filter (gRFC A83), and SNI (gRFC A101) ([#​12499](https://redirect.github.com/grpc/grpc-java/issues/12499)) ([`246c2b1`](https://redirect.github.com/grpc/grpc-java/commit/246c2b1ea)). Authority rewriting requires the control plane to be labeled `trusted_xds_server` in the bootstrap. System root cert support and SNI require using XdsChannelCredentials - rls: Add route lookup reason to request whether it is due to a cache miss or stale cache entry ([#​12442](https://redirect.github.com/grpc/grpc-java/issues/12442)) ([`795ce02`](https://redirect.github.com/grpc/grpc-java/commit/795ce0280)) ##### Dependencies - compiler: C++ protobuf used by codegen upgraded to 26.1 ([#​12330](https://redirect.github.com/grpc/grpc-java/issues/12330)) ([`55aefd5`](https://redirect.github.com/grpc/grpc-java/commit/55aefd5b8)) - alts: Remove dep on grpclb ([`b769f96`](https://redirect.github.com/grpc/grpc-java/commit/b769f966a)). ALTS is no longer used with grpclb, so this removes dead code - Upgrade netty to 4.1.127.Final ([`b37ee67`](https://redirect.github.com/grpc/grpc-java/commit/b37ee67cf)) ##### Thanks to [@​panchenko](https://redirect.github.com/panchenko) [@​benjaminp](https://redirect.github.com/benjaminp) [@​HyunSangHan](https://redirect.github.com/HyunSangHan) [@​becomeStar](https://redirect.github.com/becomeStar) [@​ZachChuba](https://redirect.github.com/ZachChuba) [@​oliviamariacodes](https://redirect.github.com/oliviamariacodes) [@​kssumin](https://redirect.github.com/kssumin) [@​laz-canva](https://redirect.github.com/laz-canva) ### [`v1.76.3`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.76.3) #### Dependencies - Downgrade OpenTelemetry to 1.51.0 to make it easier for people dealing with the OkHttp 4.x → 5.x upgrade of some OpenTelemetry modules ([`354d8b4`](https://redirect.github.com/grpc/grpc-java/commit/354d8b451)). gRPC is not using the impacted OpenTelemetry modules. Users are still free to upgrade to newer versions of OpenTelemetry of their choosing. ### [`v1.76.2`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.76.2) ##### Bug Fixes - rls: Avoid missed config update from reentrancy ([#​12550](https://redirect.github.com/grpc/grpc-java/pull/12550)). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE\_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update) ### [`v1.76.1`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.76.1) ##### Bug Fixes - core: Fix NullPointerException during address update with Happy Eyeballs ([`5e8af56`](https://redirect.github.com/grpc/grpc-java/commit/5e8af564e)). This should not impact many people as the code is disabled by default, behind two experimental environment variables ### [`v1.76.0`](https://redirect.github.com/grpc/grpc-java/releases/tag/v1.76.0) ##### Bug Fixes - **xds:** ClusterResolverLb has been converted to use XdsDepManager, which finishes the changes for [gRFC A74 xDS Config Tears](https://redirect.github.com/grpc/proposal/blob/master/A74-xds-config-tears.md). This change should resolve some unnecessary reconnections introduced in v1.75.0 when using weighted\_round\_robin and maybe other policies. - **netty:** Remove Netty version detection since grpc-netty-shaded can't reliably determine its Netty version when multiple copies of Netty are present (even when shaded). This fixes the resurfacing of the Netty 4.1.111 corruption fixed in 1.65.0. That version fixed grpc-netty, but v1.75.0 upgraded grpc-netty-shaded to Netty 4.1.111 and exposed the Netty version detection problem. This fixes corruption, so the error messages range wildly, but one of them is "RESOURCE\_EXHAUSTED: gRPC message exceeds maximum size" - **compiler:** A fix has been implemented for the blockingV2 stub to mangle generated method names that conflict with java.lang.Object methods. - **servlet:** A race condition in AsyncServletOutputStreamWriter has been fixed to prevent threads from getting stuck. - **servlet:** An issue where AsyncContext.complete() was called multiple times, causing an IllegalStateException, has been resolved. - **binder:** The REMOTE\_UID is now required to hold the exact UID passed to the SecurityPolicy. - **binder:** The server will now only accept post-setup transactions from the authorized server UID. - **util:** AdvancedTlsX509TrustManager now errors with a message to say that files don’t exist instead of the previous “Files were unmodified before their initial update. Probably a bug.” - **android:** A fix has been implemented for network change handling on API levels below 24. ##### Improvements - **api:** Allocations of Attributes.Builder have been reduced. This mostly benefits attributes.toBuilder(), but that’s not expected to be visible in regular workloads. - **api:** An empty array allocation in LoadBalancer.CreateSubchannelArgs.Builder has been avoided. It is a small optimization and is not expected to have any performance impact. - **servlet:** A configurable methodNameResolver has been added to configure the mapping from servlet request paths to gRPC method name - **servlet:** Avoid a race by increasing the AsyncContext timeout by 5 seconds. The gRPC Context timeout should trigger first - **xds:** Pretty-print envoy.service.discovery.v3.Resource in debug logs - **bazel:** The java/proto rules from rules\_java/rules\_proto are now used instead of native rules. - **bazel:** Unnecessary direct build dependencies were removed from some targets - **netty:** Support for the BCJSSE provider has been added in GrpcSslContexts. - **netty:** Huffman coding in server response headers has been disabled; it was already disabled for client request headers - **netty:** Include allow header for HTTP response code 405 - **okhttp:** Include allow header for HTTP response code 405 - **binder:** Error descriptions for ServiceConnection callbacks have been improved - **binder:** Apps can now call SecurityPolicy.checkAuthorization() by PeerUid. ##### New Features - **stub:** Trailers are now propagated in StatusException when thrown by BlockingClientCall. - **compiler:** Support for macOS aarch64 with a universal binary has been added. - **opentelemetry:** grpc.subchannel.\* metrics as described in [gRFC A94 OTel metrics for Subchannels](https://redirect.github.com/grpc/proposal/blob/master/A94-subchannel-otel-metrics.md) have been added. grpc.disconnect\_error will show as “unknown” until transports implement support - **binder:** A NameResolver for Android's intent: URIs has been introduced. - **binder:** A basic SocketStats with just the local and remote addresses has been added for channelz. ##### Documentation - **SECURITY.md:** The documentation now describes how to use gcompat with LD\_PRELOAD for Alpine. - **examples:** The documentation now explains Bazel BCR releases and the git\_override option. ##### Dependencies - Upgraded Guava version to 33.4.8. - The org.apache.tomcat:annotations-api dependency has been removed from the examples. ##### Thanks to @​[JoeCqupt](https://redirect.github.com/JoeCqupt) @​[Sangamesh1997](https://redirect.github.com/Sangamesh1997) @​[benjaminp](https://redirect.github.com/benjaminp) @​[camelcc](https://redirect.github.com/camelcc) @​[dmytroreutov](https://redirect.github.com/dmytroreutov) @​[duckladydinh](https://redirect.github.com/duckladydinh) @​[jirkafm](https://redirect.github.com/jirkafm) @​[kilink](https://redirect.github.com/kilink) @​[panchenko](https://redirect.github.com/panchenko) @​[umairk79](https://redirect.github.com/umairk79) @​[vimanikag](https://redirect.github.com/vimanikag) @​[werkt](https://redirect.github.com/werkt) @​[xuhongxu96](https://redirect.github.com/xuhongxu96) @​[zrlw](https://redirect.github.com/zrlw) </details> <details> <summary>java-native-access/jna (net.java.dev.jna:jna)</summary> ### [`v5.18.1`](https://redirect.github.com/java-native-access/jna/blob/HEAD/CHANGES.md#Release-5181) [Compare Source](https://redirect.github.com/java-native-access/jna/compare/5.18.0...5.18.1) \============== ## Bug Fixes - [#​1686](https://redirect.github.com/java-native-access/jna/issues/1686): Fix `sortFields` race condition while getting fields - [@​bendk](https://redirect.github.com/bendk). ### [`v5.18.0`](https://redirect.github.com/java-native-access/jna/blob/HEAD/CHANGES.md#Release-5180) [Compare Source](https://redirect.github.com/java-native-access/jna/compare/5.17.0...5.18.0) \============== ## Features - [#​1671](https://redirect.github.com/java-native-access/jna/pull/1671): Add `isRISCV` to `c.s.j.Platform` - [@​Glavo](https://redirect.github.com/Glavo). - [#​1672](https://redirect.github.com/java-native-access/jna/pull/1672): Add `CFLocale`, `CFLocaleCopyCurrent`, `CFCFDateFormatter`, `CFDateFormatterStyle`, `CFDateFormatterCreate` and `CFDateFormatterGetFormat` to `c.s.j.p.mac.CoreFoundation` - [@​dbwiddis](https://redirect.github.com/dbwiddis). - [#​1669](https://redirect.github.com/java-native-access/jna/pull/1669): Document requirement for running on JDK 24+ - [@​matthiasblaesing](https://redirect.github.com/matthiasblaesing). ## Bug Fixes - [#​1681](https://redirect.github.com/java-native-access/jna/issues/1681): Fix deadlock in Structure constructor introduced in 5.16.0 - [@​brettwooldridge](https://redirect.github.com/brettwooldridge). - [#​1683](https://redirect.github.com/java-native-access/jna/pull/1683): Fix native build error on Xcode 16.3 / Apple Clang 17 - [@​brettwooldridge](https://redirect.github.com/brettwooldridge). ### [`v5.17.0`](https://redirect.github.com/java-native-access/jna/blob/HEAD/CHANGES.md#Release-5170) [Compare Source](https://redirect.github.com/java-native-access/jna/compare/5.16.0...5.17.0) \============== ## Features - [#​1658](https://redirect.github.com/java-native-access/jna/pull/1658): Add win32 power event constants, types, and functions - [@​eranl](https://redirect.github.com/eranl). ## Bug Fixes - [#​1647](https://redirect.github.com/java-native-access/jna/issues/1647): Fix calls to jnidispatch on Android with 16KB page size (part 2) - [@​BugsBeGone](https://redirect.github.com/BugsBeGone). ### [`v5.16.0`](https://redirect.github.com/java-native-access/jna/blob/HEAD/CHANGES.md#Release-5160) [Compare Source](https://redirect.github.com/java-native-access/jna/compare/5.15.0...5.16.0) \============== ## Features - [#​1626](https://redirect.github.com/java-native-access/jna/pull/1626): Add caching of field list and field validation in `Structure` along with more efficient reentrant read-write locking instead of synchronized() blocks - [@​BrettWooldridge](https://redirect.github.com/brettwooldridge) ## Bug Fixes - [#​1618](https://redirect.github.com/java-native-access/jna/issues/1618): Fix calls to jnidispatch on Android with 16KB page size - [@​Thomyrock](https://redirect.github.com/Thomyrock) ### [`v5.15.0`](https://redirect.github.com/java-native-access/jna/blob/HEAD/CHANGES.md#Release-5150) [Compare Source](https://redirect.github.com/java-native-access/jna/compare/5.14.0...5.15.0) \============== ## Features - [#​1578](https://redirect.github.com/java-native-access/jna/pull/1578): Add support for FreeBSD aarch64 - [@​alexdupre](https://redirect.github.com/alexdupre). - [#​1593](https://redirect.github.com/java-native-access/jna/pull/1593): Add support for DragonFly BSD x86-64 - [@​liweitianux](https://redirect.github.com/liweitianux). - [#​1595](https://redirect.github.com/java-native-access/jna/pull/1595): Add `IsProcessorFeaturePresent` to `c.s.j.p.win32.Kernel32` - [@​dbwiddis](https://redirect.github.com/dbwiddis). - [#​1602](https://redirect.github.com/java-native-access/jna/pull/1602): Add `XMoveWindow`, `XResizeWindow`, `XMoveResizeWindow`, `XRaiseWindow`, `XLowerWindow` X11 calls to `c.s.j.p.unix.X11` - [@​vinceh121](https://redirect.github.com/vinceh121). - [#​1613](https://redirect.github.com/java-native-access/jna/issues/1613): Added static helper method \`Native#getNativeLibrary' for getting the underlying NativeLibrary instance from a Library interface instance or from a "registered" class - [@​matthiasblaesing](https://redirect.github.com/matthiasblaesing). - [#​1624](https://redirect.github.com/java-native-access/jna/pull/1624): Enable linker build-id for android builds - [@​mstyura](https://redirect.github.com/mstyura). ## Bug Fixes - [#​1579](https://redirect.github.com/java-native-access/jna/issues/1579): Fix analysis of ELF binary on arm systems running with a java ELF binary without section table headers (java8 on armv7 NAS) - [@​matthiasblaesing](https://redirect.github.com/matthiasblaesing). - [#​1586](https://redirect.github.com/java-native-access/jna/issues/1586): Fix free\_callback JNI weak reference leak - [@​xiezhaokun](https://redirect.github.com/xiezhaokun). - [6486c90d913a413f247eef84742ce3c474738933](https://redirect.github.com/java-native-access/jna/commit/6486c90d913a413f247eef84742ce3c474738933): Check CallbackReference#cbstruct for null when checking existing Reference - [@​matthiasblaesing](https://redirect.github.com/matthiasblaesing). - [#​1622](https://redirect.github.com/java-native-access/jna/issues/1622): Add "linux-riscv64" entry to OSGI Bundle-NativeCode header in MANIFEST.MF - [@​matthiasblaesing](https://redirect.github.com/matthiasblaesing). </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on monday" in timezone UTC, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/borkfork/spicedb-embedded). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNi41IiwidXBkYXRlZEluVmVyIjoiNDMuMjYuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Matt Alexander <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Commit Message: xds: add use_system_root_certs to CertificateValidationContext
Additional Description: This allows using system root certs in gRPC. For details, see grpc/proposal#436.
Risk Level: Low
Testing: N/A
Docs Changes: Included in PR
Release Notes: N/A
Platform Specific Features: N/A