
Update dependency io.grpc:grpc-protobuf - abandoned #605

Open

wants to merge 1 commit into base: master
Conversation

@mend-for-github-com (mend-for-github-com bot) commented May 5, 2022

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| io.grpc:grpc-protobuf | minor | 1.31.1 -> 1.35.0 |
| io.grpc:grpc-protobuf | minor | 1.5.0 -> 1.21.0 |

By merging this PR, the below issues will be automatically resolved and closed:

| Severity | CVSS Score | CVE | GitHub Issue |
|---|---|---|---|
| Medium | 5.5 | CVE-2021-22569 | #479 |
| Low | 3.3 | CVE-2020-8908 | #91 |

By merging this PR, the below issues will be automatically resolved and closed:

| Severity | CVSS Score | CVE | GitHub Issue |
|---|---|---|---|
| High | 8.8 | CVE-2015-5237 | #109 |
| High | 7.7 | WS-2021-0419 | #462 |
| High | 7.5 | CVE-2022-25647 | #618 |

Release Notes

grpc/grpc-java

v1.35.0

Bug Fixes

  • core: Fix CompositeChannelCredentials to no longer use CallCredentials for OOB channels. OOB channels are available for load balancing policies to use to communicate with an LB server. It is mainly used by gRPC-LB. This resolves the incompatibility of the 1.34.0 release with googleapis.com.
  • alts: Limit number of concurrent handshakes to 32. ALTS uses blocking RPCs for handshakes. If the handshake server has a limit to number of concurrent handshakes this can produce a deadlock. Limiting to 32 should work around the problem for the majority of the cases. A later fix will allow handshake RPCs to be asynchronous.
  • xds: Fix missed class relocations for generated code. grpc-xds previously exposed generated code for multiple 3rd-party protobuf generated code classes outside of the io.grpc package. They are now shaded to avoid colliding with other users of the classes.
  • xds: Fix a user visible stack trace showing java.util.NoSuchElementException when the environment variable GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT was set and the application contains an xDS configured gRPC server. The exception was benign and was seen when the connection was dropped before an SslContextProvider was available.
  • xds: Decouple xds channel creation and bootstrapping. This fixes the bug caused by the lifecycle mismatch between XdsClient and its channel to the xDS server. Creating a new XdsClient (previous one shutdown due to no Channel using it) would create and use a new xDS channel.
  • xds: Fix races between creating subchannels and Channel shutdown caused by delaying address/config propagation between LB policies. An exception will be thrown if Channel's shutdown() has been called and an EDS update is received while the Channel has not completely shut down.

Dependencies

  • Guava updated to 30.0-android
  • Animal Sniffer annotations updated to 1.19
  • Error Prone annotations updated to 2.4.0
  • Perfmark updated to 0.23.0
  • compiler: Linux artifacts now built using CentOS 7. Previously CentOS 6 was used, but that distribution is discontinued and no longer available in our build infrastructure
  • netty: Upgrade to Netty 4.1.52 and tcnative 2.0.34. Note that this Netty release enables TLSv1.3 support. mTLS failures with TLSv1.3 will have different error messages than in TLSv1.2.
  • auth,alts: google-auth-library-java updated to 0.22.2
  • census: OpenCensus updated to 0.28.0
  • protobuf: googleapis common protos updated to 2.0.1
  • okhttp: Okio updated to 1.17.5
  • xds: re2j updated to 1.5
  • xds: bouncycastle updated to 1.67
  • gradle: bumped protobuf-gradle-plugin version to 0.8.14
  • android, cronet: upgraded the latest supported Android version to 29

Acknowledgments

@​amnox
@​horizonzy
@​wanyingd1996

v1.34.1

Bug Fixes

  • core: Fix CompositeChannelCredentials to no longer use CallCredentials for OOB channels. OOB channels are available for load balancing policies to use to communicate with an LB server. It is mainly used by gRPC-LB. This resolves the incompatibility of the 1.34.0 release with googleapis.com.
  • alts: Limit number of concurrent handshakes to 32. ALTS uses blocking RPCs for handshakes. If the handshake server has a limit to number of concurrent handshakes this can produce a deadlock. Limiting to 32 should work around the problem for the majority of the cases. A later fix will allow handshake RPCs to be asynchronous.
  • xds: Relocate (shade) all generated code; a few classes had previously been missed
  • xds: Fixed an issue when GRPC_XDS_EXPERIMENTAL_NEW_SERVER_API=true where gRPC would request non-existent resources

v1.34.0

This release has a severe bug when using CompositeChannelCredentials that predominantly impacts googleapis.com (#​7643). You may be impacted in the future even if not impacted today. If you contact googleapis.com, please use 1.34.1 instead.

API Changes

  • api: added io.grpc.ForwardingServerBuilder (#​7633)

New Features

  • Added ChannelCredentials and ServerCredentials. They are safe for production but are Experimental APIs to resolve issues discovered as they see usage. The rationale and description of the new API can be found in gRFC L74. In short, these APIs are intended to “replace” the implicit security defaults of channels/servers as well as the usePlaintext() and useTransportSecurity() methods on the channel and server builders. The previous APIs are stable so will not be removed, but are expected to be deprecated in the future. Since these new APIs will be widely used, we encourage users to try the APIs out and report any problems experienced so they can be corrected before the APIs become stable (#​7294, #​7601)
  • As part of ChannelCredentials and ServerCredentials there are now XdsChannelCredentials and XdsServerCredentials added that can be used to enable use of XDS provided credentials on the channel and server. A File-watcher certificate provider has been implemented to support these Xds Credentials. The example in example-xds has been enhanced to be a full xDS example with XdsChannelCredentials and XdsServerCredentials to illustrate their usage. (#​7497, #​7636)
  • xds: added support for setting bootstrap file with java system property (#​7620)

Bug Fixes

  • netty: abrupt GOAWAY should not cause INTERNAL status. It is now UNAVAILABLE. This was a regression introduced in v1.33.0. The error was in the form StatusRuntimeException: INTERNAL: http2 exception with a cause similar to Http2Exception$StreamException: Cannot create stream 222691 greater than Last-Stream-ID 222689 from GOAWAY. This was mainly observed when a C core-based gRPC server shut down. (#​7501)
  • core, netty, okhttp, cronet: fixed builders ABI backward compatibility broken in v1.33.0 (#​7552). For details, see v1.33.1 release note.
  • core: round robin should ignore name resolution error for channel state change when there are READY subchannels (#​7595). Previously the round_robin load balancing policy put the Channel into TRANSIENT_FAILURE when it encountered name resolution failures, even if it had received usable addresses.
  • core: fixed floating-point number formatting Locale in error messages (#​7473)
  • android: make Channel always enterIdle() upon network recover (#​7611). This is for AndroidChannelBuilder. It avoids failing new RPCs prematurely when the device detects the network has recovered while resuming connections.
  • xds: only reschedule time for unresolved resources upon ADS stream restarts (#​7582). The management server can choose not to send resources it has previously sent when the RPC stream is recreated. So the client will keep using resources it has saved previously.
  • alts: create handshaker RPC lazily (#​7630). Previously the handshake RPCs start before the TCP connection is established, which might be leaked forever if the connection is never established.

Documentation

  • api: added implementation note regarding server interceptors and thread locals (#​7482)
  • api: clarify expectations regarding ServerCall#close (#​7580)

Behavior Changes

  • netty: differentiate GOAWAY closure status descriptions (#​7502). Previously many different GOAWAY-related errors all produced the same status description. Now they each should use their own specific description which should allow distinguishing between issues like weak server GOAWAY behavior, MAX_CONCURRENT_STREAMS interfering with eager transport selection, and local races. We now also use UNAVAILABLE in more cases, although the cases that benefit should be rare.
  • xds: added support for case-insensitive path matching (#​7506). The xDS traffic splitting now supports the case-insensitive option for path matching.
  • alts: add a timeout to AltsHandshakerStub. A default of 20 seconds is used (#​7589)

Dependencies

  • all: bumped google auth libraries to version 0.22.0 (#​6652)

Acknowledgements

@​attila123
@​erikjoh
@​jbdeboer
@​ST-DDT
@​sullis
@​susinmotion

v1.33.1

Bug Fixes

  • Fix builders ABI backward compatibility broken in v1.33.0, see #​7552
    • netty: The class io.grpc.netty.NettyServerBuilder reverted to extend internal class io.grpc.internal.AbstractServerImplBuilder
    • netty: The class io.grpc.netty.NettyChannelBuilder reverted to extend internal class io.grpc.internal.AbstractManagedChannelImplBuilder
    • okhttp: The class io.grpc.okhttp.OkhttpChannelBuilder reverted to extend internal class io.grpc.internal.AbstractManagedChannelImplBuilder
    • core: The class io.grpc.inprocess.InProcessChannelBuilder reverted to extend internal class io.grpc.internal.AbstractManagedChannelImplBuilder
    • cronet: The class io.grpc.cronet.CronetChannelBuilder reverted to extend internal class io.grpc.internal.AbstractManagedChannelImplBuilder
  • api: ForwardingServerBuilder reverted until the permanent fix of the issue with ABI compatibility of delegating classes
  • okhttp: exclude Internal* from javadoc
  • netty: Abrupt GOAWAY should not cause INTERNAL status. It is now UNAVAILABLE. This was a regression introduced in v1.33.0. The error was in the form StatusRuntimeException: INTERNAL: http2 exception with a cause similar to Http2Exception$StreamException: Cannot create stream 222691 greater than Last-Stream-ID 222689 from GOAWAY. This was mainly observed when a C core-based gRPC server shut down.
  • core: fix floating-point number formatting Locale

v1.33.0

This release broke ABI in a non-planned way for NettyServerBuilder, NettyChannelBuilder, and similar. See https://github.com/grpc/grpc-java/issues/7552. If you are impacted, please use an earlier version until v1.33.1 is available. A future ABI breakage may be necessary, but will be communicated explicitly at that time.

API Changes

  • netty: The class io.grpc.netty.NettyServerBuilder is no longer a subclass of the internal class io.grpc.internal.AbstractServerImplBuilder
  • netty: The class io.grpc.netty.NettyChannelBuilder is no longer a subclass of the internal class io.grpc.internal.AbstractManagedChannelImplBuilder
  • okhttp: The class io.grpc.okhttp.OkhttpChannelBuilder is no longer a subclass of the internal class io.grpc.internal.AbstractManagedChannelImplBuilder
  • core: The class io.grpc.inprocess.InProcessChannelBuilder is no longer a subclass of the internal class io.grpc.internal.AbstractManagedChannelImplBuilder
  • cronet: The class io.grpc.cronet.CronetChannelBuilder is no longer a subclass of the internal class io.grpc.internal.AbstractManagedChannelImplBuilder
  • api: Add ForwardingServerBuilder: a ServerBuilder that delegates to another builder by default
  • core: Add accessor for bare method name in MethodDescriptor (#​7339)
  • stub: On server-side when an RPC is cancelled, only throw StatusRuntimeException: CANCELLED from onNext() for streaming responses. Previously the exception was also thrown from onNext() for unary responses and from onComplete(), which didn’t help the server avoid unnecessary processing
  • okhttp: OkHttpChannelBuilder made final and can no longer be anonymous
  • api, core: delete io.grpc.LoadBalancer.loadBalancingConfig attribute (#​7440). The attribute was deprecated in v1.27.0, now it is completely deleted.

New Features

  • netty: Add support for IBMJSSE2 (#​7422)

Documentation

  • API documentation (Javadoc) for Server and Channel builders now correctly displays inherited methods and the class hierarchy

Bug Fixes

  • core: Reverted "delay sending cancel request on client-side when deadline expires" which introduced a memory leak (#​7105). It could also cause messages to arrive after the call was reported closed (e.g., onMessage() after onClose())
  • grpclb: Fixed a bug that RPC might be hanging when using grpclb balancer as a child balancer in a hierarchical load balancer tree (#​7434)
  • netty: TCP close during TLS handshake should be UNAVAILABLE, not UNKNOWN
  • netty: BDP ping accounting should occur after flow control. This resolves an incompatibility issue introduced in v1.30.0 and could be worked around via GRPC_EXPERIMENTAL_AUTOFLOWCONTROL=false introduced later. The symptom was a GOAWAY with “too_many_pings” without an aggressive keepalive configured. The environment variable is still available, but will be removed in the future.

Behavior Changes

  • xds: Xds server channel credential option will be required in the xDS bootstrap file. Use {"type":"insecure"} for plaintext (#​7396)

Dependencies

  • benchmarks: Removed -javaagent jvm option in CreateStartScripts, to allow running the benchmarks without building from source
  • Upgrade Conscrypt to 2.5.1
  • bazel: Remove Maven repositories from repositories.bzl, in favor of maven_install. v1.27.0 introduced support for maven_install and encouraged users to migrate. See examples/WORKSPACE for an example. maven_install dramatically reduces the boilerplate for maven dependencies and properly handles transitive dependencies and version selection. gRPC is not yet using the @maven workspace, so it is still possible to use other dependency tools.
  • Update protobuf gradle plugin version to 0.8.13 (#​7355)

Acknowledgements

@​codeblooded Benjamin Reed
@​kiwi1969 Russell Shaw
@​pkern Philipp Kern

v1.32.3

Bug Fixes

  • xds: Fixed JSON number types in internally generated service config for header matching (more specifically, range matching for numerical headers) (#​7880).

v1.32.2

Bug Fixes

  • netty: TCP close during TLS handshake should be UNAVAILABLE, not UNKNOWN
  • netty: BDP ping accounting should occur after flow control. This resolves an incompatibility issue introduced in v1.30.0 and could be worked around via GRPC_EXPERIMENTAL_AUTOFLOWCONTROL=false introduced later. The symptom was a GOAWAY with “too_many_pings” without an aggressive keepalive configured. The environment variable is still available, but will be removed in the future.
  • alts: Reverted workaround for Conscrypt cipher performance. Conscrypt 2.5.0 has significantly improved performance and the workaround now decreases performance. Note that grpc-alts itself still depends on Conscrypt 2.2.1 to remain stable for this bug fix release, but users are encouraged to use a newer version of Conscrypt. The gains from Conscrypt 2.5.0 are significantly greater than what the workaround provided.

v1.32.1

API Changes

  • api: Removed deprecated method ChannelBuilder.blockingExecutor() (#​7242). There should not be any users as it was deprecated the first release it was available and was renamed offloadExecutor().
  • grpclb: Make ATTR_LB_ADDRS public (#​7230). This is necessary to configure grpclb from a custom NameResolver

New Features

  • xds: perform header matching on concatenated multi-valued headers (#​7215)
  • xds: add header matching special cases for hiding/exposing some gRPC headers (#​7224). The only gRPC header available for header matching is “content-type”.
  • xds: support load reporting all clusters option and fix actual report interval measurement (#​7209). If the LRS response enables send_all_clusters, the client side will report loads for all clusters it is currently using.

Bug Fixes

  • core, alts, cronet: Fix ByteBuffer covariant method usages (#​7349). When built with Java 9+, internal usages of ByteBuffer APIs may cause runtime breakage for dependent applications running with Java 8. This is fixed now.
  • core: Fixed a bug that RPC may hang when hedging is enabled with a throttling configuration (#​7337)
  • netty: The environment variable GRPC_EXPERIMENTAL_AUTOFLOWCONTROL=false will now disable the BDP monitoring introduced in v1.30.0. This is intended to help diagnose a “too_many_pings” compatibility issue and will be removed once it is resolved. If you need to use the variable, please file an issue.
  • benchmarks: Use correct classpath for scripts (the ones in the bin/ folder of the tar/zip), fixing NoClassDefFoundErrors. The classpath was probably broken starting in v1.30.
  • xds: routing policy should immediately update a picker that selects based on updated config (#​7233)

Dependencies

  • netty: Upgrade to Netty 4.1.51 and tcnative 2.0.31
  • android, cronet: Drop support for android SDK versions older than 16 (#​7253). The minimum supported Android SDK version is 16.

Acknowledgements

@​susinmotion
@​trustin
@​wanyingd1996

v1.31.2

Bug Fixes

  • xds: Fixed JSON number types in internally generated service config for header matching (more specifically, range matching for numerical headers) (#​7884).

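The ChannelCredentials / ServerCredentials API described in the v1.34.0 notes, as an added example that is not part of this PR or of grpc-java's own code: the pre-1.34 builder flags next to explicit credential objects (plaintext, TLS, mutual TLS), a minimal CallCredentials that attaches a bearer token, and CompositeChannelCredentials, the class the v1.34.1 / v1.35.0 OOB-channel fix concerns. It assumes grpc-java 1.35.0 (the version this PR targets) with grpc-netty-shaded on the classpath as the transport; the certificate paths, port and token are placeholders.

```java
import io.grpc.CallCredentials;
import io.grpc.ChannelCredentials;
import io.grpc.CompositeChannelCredentials;
import io.grpc.Grpc;
import io.grpc.InsecureChannelCredentials;
import io.grpc.InsecureServerCredentials;
import io.grpc.ManagedChannel;
import io.grpc.ManagedChannelBuilder;
import io.grpc.Metadata;
import io.grpc.Server;
import io.grpc.ServerCredentials;
import io.grpc.TlsChannelCredentials;
import io.grpc.TlsServerCredentials;
import java.io.File;
import java.io.IOException;
import java.util.concurrent.Executor;
import java.util.concurrent.TimeUnit;

/** Added example (not grpc-java code): builder flags next to the credentials API introduced in v1.34.0. */
public final class CredentialsExample {

  enum Mode { PLAINTEXT, TLS, MTLS }

  /** Pre-1.34 style: transport security is a flag on the builder (still supported, expected to be deprecated). */
  static ManagedChannel legacyChannel(String target, boolean plaintext) {
    ManagedChannelBuilder<?> b = ManagedChannelBuilder.forTarget(target);
    if (plaintext) {
      b.usePlaintext();           // explicit opt-out of TLS
    } else {
      b.useTransportSecurity();   // TLS, server verified against the JVM default trust store
    }
    return b.build();
  }

  /** 1.34+ style: the credential is a required argument, so "no TLS" has to be spelled out. */
  static ChannelCredentials channelCreds(Mode mode, File caCert, File clientCert, File clientKey)
      throws IOException {
    switch (mode) {
      case PLAINTEXT:
        return InsecureChannelCredentials.create();
      case TLS:
        return TlsChannelCredentials.create();   // default trust store, no client identity
      case MTLS:
        return TlsChannelCredentials.newBuilder()
            .trustManager(caCert)                // CA that signed the server certificate
            .keyManager(clientCert, clientKey)   // client identity presented to the server
            .build();
      default:
        throw new IllegalArgumentException("unknown mode " + mode);
    }
  }

  /** Server side: plaintext without a cert, TLS with one, mutual TLS when a client CA is also given. */
  static ServerCredentials serverCreds(File certChain, File privateKey, File clientCa)
      throws IOException {
    if (certChain == null) {
      return InsecureServerCredentials.create();
    }
    TlsServerCredentials.Builder b = TlsServerCredentials.newBuilder().keyManager(certChain, privateKey);
    if (clientCa != null) {
      b.trustManager(clientCa).clientAuth(TlsServerCredentials.ClientAuth.REQUIRE);
    }
    return b.build();
  }

  /** Per-call credential that adds a bearer token to every RPC (placeholder for a real token source). */
  static final class BearerToken extends CallCredentials {
    private static final Metadata.Key<String> AUTHORIZATION =
        Metadata.Key.of("authorization", Metadata.ASCII_STRING_MARSHALLER);
    private final String token;

    BearerToken(String token) { this.token = token; }

    @Override
    public void applyRequestMetadata(RequestInfo info, Executor appExecutor, MetadataApplier applier) {
      Metadata headers = new Metadata();
      headers.put(AUTHORIZATION, "Bearer " + token);
      applier.apply(headers);
    }

    @Override
    public void thisUsesUnstableApi() {}
  }

  public static void main(String[] args) throws Exception {
    // Placeholder paths, port and token: assumptions for the example, not values from the page.
    File ca = new File("certs/ca.pem");
    File serverCert = new File("certs/server.pem");
    File serverKey = new File("certs/server-key.pem");
    File clientCert = new File("certs/client.pem");
    File clientKey = new File("certs/client-key.pem");

    Server server = Grpc.newServerBuilderForPort(8443, serverCreds(serverCert, serverKey, ca))
        .build().start();

    // Transport credentials combined with per-call credentials. Until 1.34.1 the CallCredentials
    // part was also applied to the load balancer's out-of-band channel (the fix noted above).
    ChannelCredentials creds = CompositeChannelCredentials.create(
        channelCreds(Mode.MTLS, ca, clientCert, clientKey), new BearerToken("placeholder-token"));
    ManagedChannel channel = Grpc.newChannelBuilder("localhost:8443", creds).build();

    channel.shutdownNow().awaitTermination(5, TimeUnit.SECONDS);
    server.shutdownNow().awaitTermination(5, TimeUnit.SECONDS);
  }
}
```

The file-based credential builders read the PEM files when the credentials are built, so the placeholder paths must exist before `main` runs. The point of the new API is that a channel or server cannot be created without naming its credentials: `InsecureChannelCredentials` has to be written down, which is easier to spot in review than a missing `useTransportSecurity()` call.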

mend-for-github-com bot added the "security fix" label (Security fix generated by WhiteSource) on May 5, 2022
mend-for-github-com bot changed the title from "Update dependency io.grpc:grpc-protobuf" to "Update dependency io.grpc:grpc-protobuf - abandoned" on Jun 20, 2023
@mend-for-github-com (author) commented:

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.
