chore(deps): update upper bound dependencies file by JoeWang1127 · Pull Request #4083 · googleapis/sdk-platform-java

JoeWang1127 · 2026-01-23T16:27:04Z

This PR contains the following updates:

Package	Update	Change
com.google.auth:google-auth-library-bom	minor	`1.41.0` -> `1.42.0`
com.google.http-client:google-http-client	minor	`2.0.3` -> `2.1.0`
io.grpc:grpc-bom	minor	`1.76.2` -> `1.78.0`

Release Notes

googleapis/google-auth-library-java (com.google.auth:google-auth-library-bom)

`v1.42.0`

Compare Source

Features

Update protobuf version to 4.33.2 (#1875) (13ddbd1)

Bug Fixes

Simplify call to directly retrieve the default service account from MDS (#1844) (6efda0b)

googleapis/google-http-java-client (com.google.http-client:google-http-client)

`v2.1.0`

Compare Source

Features

Update protobuf-java to 4.33.2 (d48c443)

grpc/grpc-java (io.grpc:grpc-bom)

`v1.78.0`

Compare Source

Bug Fixes

core: Fix shutdown failing accepted RPCs during channel startup (02e98a8). This fixes a race where RPCs could fail with "UNAVAILABLE: Channel shutdown invoked" even though they were created before channel.shutdown()
okhttp: Fix race condition overwriting MAX_CONCURRENT_STREAMS (#12548) (8d49dc1)
binder: Stop leaking this from BinderServerTransport's ctor (#12453) (89d77e0)
rls: Avoid missed config update from reentrancy (55ae1d0). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update)

Improvements

xds: gRFC A88 - Changes to XdsClient Watcher APIs (#12446) (f385add). We now have improved xDS error handling and this provides a clearer mechanism for the xDS server to report per-resource errors to the client, resulting in better error messages for debugging and faster detection of non-existent resources. This also improves the handling of all xDS-related data errors and the behavior of the xDS resource timer.
rls: Control plane channel monitor state and back off handling (#12460) (26c1c13). Resets RLS request backoff timers when the Control plane channel state transitions to READY. Also when the backoff timer expires, instead of making a RLS request immediately, it just causes a picker update to allow making rpc again to the RLS target.
core: simplify DnsNameResolver.resolveAddresses() (4843256)
netty: Run handshakeCompleteRunnable in success cases (283f103)
api,netty: Add custom header support for HTTP CONNECT proxy (bbc0aa3)
binder: Pre-factor out the guts of the BinderClientTransport handshake. (9313e87)
compiler: Add RISC-V 64-bit architecture support to compiler build configuration (725ab22)
core: Release lock before closing shared resource (cb73f21). Shared resources are internal to gRPC for sharing expensive objects across channels and servers, like threads. This reduces the chances of forming a deadlock, like seen with s2a in d50098f
Upgrade gson to 2.12.1 (6dab2ce)
Upgrade dependencies (f36defa). proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0, error-prone annotations to 2.44.0, guava to 33.5.0-android, opentelemetry to 1.56.0
compiler: Update maximum supported protobuf edition to EDITION_2024 (2f64092)
binder: Introduce server authorization strategy v2 (d971072). Adds support for android:isolatedProcess Services and moves all security checks to the handshake, making subsequent transactions more efficient.

New Features

compiler: Upgrade to C++ protobuf 33.1 (#12534) (58ae5f8).
util: Add gRFC A68 random subsetting LB (48a4288). The policy uses the name random_subsetting_experimental. If it is working for you, tell us so we can gauge marking it stable. While the xDS portions haven’t yet landed, it is possible to use with xDS with JSON-style Structs as supported by gRFC A52
xds: Support for System Root Certs (#12499) (51611ba). Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy. The xDS CertificateValidationContext message (see envoyproxy/envoy#34235) has a system_root_certs field. In the gRPC client, if this field is present and the ca_certificate_provider_instance field is unset, system root certificates will be used for validation. This implements gRFC A82.
xds: Support for GCP Authentication Filter (#12499) (51611ba). In service mesh environments, there are cases where intermediate proxies make it impossible to rely on mTLS for end-to-end authentication. These cases can be addressed instead by the use of service account identity JWT tokens. The xDS GCP Authentication filter provides a mechanism for attaching such JWT tokens as gRPC call credentials on GCP. gRPC already supports a framework for xDS HTTP filters, as described in gRFC A39. This release supports the GCP Authentication filter under this framework as described in gRFC A83.
xds: Support for xDS-based authority rewriting (#12499) (51611ba). gRPC supports getting routing configuration from an xDS server, as described in gRFCs A27 and A28. The xDS configuration can configure the client to rewrite the authority header on requests. This functionality can be useful in cases where the server is using the authority header to make decisions about how to process the request, such as when multiple hosts are handled via a reverse proxy. Note that this feature is solely about rewriting the authority header on data plane RPCs; it does not affect the authority used in the TLS handshake.
As mentioned in gRFC A29, there are use-cases for gRPC that prohibit trusting the xDS server to control security-centric configuration. The authority rewriting feature falls under the same umbrella as mTLS configuration. As a result, the authority rewriting feature will only be enabled when the bootstrap config for the xDS server has trusted_xds_server in the server_features field.
xds: xDS based SNI setting and SAN validation (#12378) (0567531). When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS. Implements gRFC A101.

Documentation

api: Document gRFC A18 TCP_USER_TIMEOUT handling for keepalive (da70387)
core: Fix AbstractClientStream Javadoc (28a6130)
examples: Document how to preserve META-INF/services in uber jars (97695d5)

Thanks to

`v1.77.1`

Compare Source

Bug Fixes

rls: Avoid missed config update from reentrancy (https://github.com/grpc/grpc-java/pull/12549). This fixes a regression since 1.75.0 triggered by CdsLb being converted to XdsDepManager. Without this fix, a second channel to the same target may hang when starting, causing DEADLINE_EXCEEDED, and unhang when the control plane delivers an update (e.g., endpoint address update)

`v1.77.0`

Compare Source

API Changes

binder: Remove experimental BinderChannelBuilder.bindAsUser() method, deprecated since 1.69 (#12401) (f96ce06)

Bug Fixes

api: Fix name resolver bridge listener handling for address resolution errors for custom name resolvers (#12441) (acbbf86). This fixes regression introduced in v1.68.1 causing a “IllegalStateException: No value present.” exception
core: Fix NullPointerException during address update with Happy Eyeballs (5e8af56). This should not impact many people as the code is disabled by default, behind two experimental environment variables
okhttp: Fix bidirectional keep-alive causing spurious GOAWAY (6fc3fd0). This fixes the grpc-okhttp server incorrectly closing the connection with GOAWAY: too_many_pings
xds: SslContext updates handling when using system root certs (#12340) (63fdaac). Since FileWatcherCertificateProvider isn't used when using system root trust store, the SslContext update for the handshake that depended on it wasn't happening. This fix creates a separate CertificateProvider for handling system root certs that doesn't rely on the FileWatcherCertificateProvider.
xds: Make cluster selection interceptor run before other filters (#12381) (82f9b8e). This is needed when there is GcpAuthenticationFilter in the filter chain to make available the cluster resource in CallOptions.
xds: Handle wildcards in DNS SAN exact matching (#12345) (5b876cc)
android: Fix UdsChannelBuilder with WiFi Proxy (349a35a)
binder: Avoid potential deadlock when canceling AsyncSecurityPolicy futures (#12283) (4725ced)
binder: Fix a BinderServerTransport crash in the rare shutdown-before-start case (#12440) (91f3f4d)

Improvements

Improve status messages by including causal error details in config parsing errors for outlier detection and xds’s wrr locality policies (86e8b56)
xds: Detect negative ref count for xds client (21696cd). A negative reference count could cause NullPointerExceptions, so when too many unrefs are detected it produces a SEVERE warning and prevents the reference count from going negative
xds: Support deprecated xDS TLS fields for Istio compat (#12435) (53cd1a2). This fixes a regression with Istio introduced in v1.73.0. This gives time for Istio’s new xDS field support to roll out
googleapis: Allow wrapping NameResolver to inject XdsClient (#12450) (27d1508). This allows googleapis to inject an xDS bootstrap to use with its channels even if one is already specified in the environment variable or system property. When the code was originally written there was a single global XdsClient, but since gRFC A71 Xds Fallback each target string has its own XdsClient and thus can have its own bootstrap
alts: Allow overriding metadata server address with env variable (9ac12ef) (498f717)
binder: Let the server know when the client fails to authorize it. (#12445) (599a0a1) This avoids the server needing to wait for the handshake timeout before realizing the handshake failed

New Features

opentelemetry: Implement otel retry metrics from gRFC A96 (#12064) (d380191)
opentelemetry: propagate baggage to server metrics for custom attributes (#12389) (155308d)
xds: Allow EC Keys in SPIFFE Bundle Map parsing (#12399) (559e3ba)
xds: Enable authority rewriting (gRFC A81), system root cert support (gRFC A82), GCP authentication filter (gRFC A83), and SNI (gRFC A101) (#12499) (246c2b1). Authority rewriting requires the control plane to be labeled trusted_xds_server in the bootstrap. System root cert support and SNI require using XdsChannelCredentials
rls: Add route lookup reason to request whether it is due to a cache miss or stale cache entry (#12442) (795ce02)

Dependencies

compiler: C++ protobuf used by codegen upgraded to 26.1 (#12330) (55aefd5)
alts: Remove dep on grpclb (b769f96). ALTS is no longer used with grpclb, so this removes dead code
Upgrade netty to 4.1.127.Final (b37ee67)

Thanks to

@panchenko
@benjaminp
@HyunSangHan
@becomeStar
@ZachChuba
@oliviamariacodes
@kssumin
@laz-canva

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

gemini-code-assist · 2026-01-23T16:27:22Z

Summary of Changes

Hello @JoeWang1127, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs routine maintenance by updating several core Java library dependencies to their latest minor versions. These updates ensure the project benefits from the newest features, performance enhancements, and critical bug fixes provided by the google-auth-library-bom, google-http-client, and grpc-bom libraries, maintaining compatibility and improving overall stability.

Highlights

Dependency Update: google-auth-library-bom: The com.google.auth:google-auth-library-bom dependency has been updated from version 1.41.0 to 1.42.0. This update includes a protobuf version bump to 4.33.2 and a simplification in how the default service account is retrieved from MDS.
Dependency Update: google-http-client: The com.google.http-client:google-http-client dependency has been updated from version 2.0.3 to 2.1.0. This primarily involves an internal update to its protobuf-java dependency to version 4.33.2.
Dependency Update: grpc-bom: The io.grpc:grpc-bom dependency has been updated from version 1.76.2 to 1.78.0. This is a significant update bringing numerous bug fixes (e.g., fixing shutdown issues, race conditions in OkHttp, and RLS config updates), various improvements (like enhanced xDS error handling, control plane channel monitoring, and dependency upgrades), and several new features including xDS-based SNI setting, GCP Authentication Filter support, and a new random subsetting load balancer.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	`/gemini review`	Performs a code review for the current pull request in its current state.
Pull Request Summary	`/gemini summary`	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	`/gemini help`	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

gemini-code-assist

Code Review

This pull request updates the upper bound versions for grpc-bom, google-auth-library-bom, and google-http-client in the dependencies.txt file. After reviewing the changes and the context of the surrounding files, the updates appear correct and align with the documented purpose of this file, which is to track upper bounds for compatibility testing. No issues were found.

sonarqubecloud · 2026-01-23T16:36:00Z

Quality Gate passed for 'gapic-generator-java-root'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud · 2026-01-23T16:39:45Z

Quality Gate passed for 'java_showcase_integration_tests'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

chore(deps): update upper bound dependencies file

9f5db75

product-auto-label bot added the size: xs Pull request size is extra small. label Jan 23, 2026

gemini-code-assist bot reviewed Jan 23, 2026

View reviewed changes

JoeWang1127 enabled auto-merge (squash) January 23, 2026 16:44

blakeli0 approved these changes Jan 23, 2026

View reviewed changes

JoeWang1127 merged commit 7934c24 into main Jan 23, 2026
58 of 62 checks passed

JoeWang1127 deleted the renovate/upper-bound-dependencies-file branch January 23, 2026 16:55

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update upper bound dependencies file#4083

chore(deps): update upper bound dependencies file#4083
JoeWang1127 merged 1 commit intomainfrom
renovate/upper-bound-dependencies-file

JoeWang1127 commented Jan 23, 2026

Uh oh!

gemini-code-assist bot commented Jan 23, 2026

Uh oh!

gemini-code-assist bot left a comment

Uh oh!

sonarqubecloud bot commented Jan 23, 2026

Uh oh!

sonarqubecloud bot commented Jan 23, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

JoeWang1127 commented Jan 23, 2026

Release Notes

v1.42.0

Features

Bug Fixes

v2.1.0

Features

v1.78.0

Bug Fixes

Improvements

New Features

Documentation

Thanks to

v1.77.1

Bug Fixes

v1.77.0

API Changes

Bug Fixes

Improvements

New Features

Dependencies

Thanks to

Configuration

Uh oh!

gemini-code-assist bot commented Jan 23, 2026

Summary of Changes

Highlights

Footnotes

Uh oh!

gemini-code-assist bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

sonarqubecloud bot commented Jan 23, 2026

Quality Gate passed for 'gapic-generator-java-root'

Uh oh!

sonarqubecloud bot commented Jan 23, 2026

Quality Gate passed for 'java_showcase_integration_tests'

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

`v1.42.0`

`v2.1.0`

`v1.78.0`

`v1.77.1`

`v1.77.0`