@dependabot dependabot bot commented on behalf of github Oct 21, 2025

Bumps grpc from 1.72.0 to 1.76.0.
Updates io.grpc:grpc-netty from 1.72.0 to 1.76.0

Release notes

Sourced from io.grpc:grpc-netty's releases.

v1.76.0

Bug Fixes

  • xds: ClusterResolverLb has been converted to use XdsDepManager, which finishes the changes for gRFC A74 xDS Config Tears. This change should resolve some unnecessary reconnections introduced in v1.75.0 when using weighted_round_robin and maybe other policies.
  • compiler: A fix has been implemented for the blockingV2 stub to mangle generated method names that conflict with java.lang.Object methods.
  • servlet: A race condition in AsyncServletOutputStreamWriter has been fixed to prevent threads from getting stuck.
  • servlet: An issue where AsyncContext.complete() was called multiple times, causing an IllegalStateException, has been resolved.
  • binder: The REMOTE_UID is now required to hold the exact UID passed to the SecurityPolicy.
  • binder: The server will now only accept post-setup transactions from the authorized server UID.
  • util: AdvancedTlsX509TrustManager now errors with a message to say that files don’t exist instead of the previous “Files were unmodified before their initial update. Probably a bug.”
  • android: A fix has been implemented for network change handling on API levels below 24.

Improvements

  • api: Allocations of Attributes.Builder have been reduced. This mostly benefits attributes.toBuilder(), but that’s not expected to be visible in regular workloads.
  • api: An empty array allocation in LoadBalancer.CreateSubchannelArgs.Builder has been avoided. It is a small optimization and is not expected to have any performance impact.
  • servlet: A configurable methodNameResolver has been added to configure the mapping from servlet request paths to gRPC method name
  • servlet: Avoid a race by increasing the AsyncContext timeout by 5 seconds. The gRPC Context timeout should trigger first
  • xds: Pretty-print envoy.service.discovery.v3.Resource in debug logs
  • bazel: The java/proto rules from rules_java/rules_proto are now used instead of native rules.
  • bazel: Unnecessary direct build dependencies were removed from some targets
  • netty: Support for the BCJSSE provider has been added in GrpcSslContexts.
  • netty: Huffman coding in server response headers has been disabled; it was already disabled for client request headers
  • netty: Include allow header for HTTP response code 405
  • okhttp: Include allow header for HTTP response code 405
  • binder: Error descriptions for ServiceConnection callbacks have been improved
  • binder: Apps can now call SecurityPolicy.checkAuthorization() by PeerUid.

New Features

  • stub: Trailers are now propagated in StatusException when thrown by BlockingClientCall.
  • compiler: Support for macOS aarch64 with a universal binary has been added.
  • opentelemetry: grpc.subchannel.* metrics as described in gRFC A94 OTel metrics for Subchannels have been added. grpc.disconnect_error will show as “unknown” until transports implement support
  • binder: A NameResolver for Android's intent: URIs has been introduced.
  • binder: A basic SocketStats with just the local and remote addresses has been added for channelz.

Documentation

  • SECURITY.md: The documentation now describes how to use gcompat with LD_PRELOAD for Alpine.
  • examples: The documentation now explains Bazel BCR releases and the git_override option.

Dependencies

  • Upgraded Guava version to 33.4.8.
  • The org.apache.tomcat:annotations-api dependency has been removed from the examples.

Thanks to

@JoeCqupt @Sangamesh1997

... (truncated)

Commits
  • d0db129 Bump version to 1.76.0
  • aa672ca Update README etc to reference 1.76.0
  • 70b7249 netty: Unconditionally disable adaptive cumulator (#12390)
  • f89d1d8 api: remove nullable from StatusOr value methods (#12338)
  • 040665f examples: Explain Bazel BCR releases and git_override option
  • 4995700 xds: Remove verify TODO for onResult2 error status
  • afe7222 SECURITY.md: Mention gcompat for Alpine (#12365)
  • 1a7042a android: fix network change handling on API levels < 24
  • 8f0db07 api: Avoid allocating empty array in LoadBalancer (#12337)
  • 0c179e3 xds: Convert ClusterResolverLb to XdsDepManager
  • Additional commits viewable in compare view

Updates io.grpc:grpc-protobuf from 1.72.0 to 1.76.0

Updates io.grpc:grpc-stub from 1.72.0 to 1.76.0

Updates io.grpc:grpc-netty-shaded from 1.72.0 to 1.76.0

Updates io.grpc:protoc-gen-grpc-java from 1.72.0 to 1.76.0

Bumps `grpc` from 1.72.0 to 1.76.0.

Updates `io.grpc:grpc-netty` from 1.72.0 to 1.76.0
- [Release notes](https://github.com/grpc/grpc-java/releases)
- [Commits](grpc/grpc-java@v1.72.0...v1.76.0)

Updates `io.grpc:grpc-protobuf` from 1.72.0 to 1.76.0
- [Release notes](https://github.com/grpc/grpc-java/releases)
- [Commits](grpc/grpc-java@v1.72.0...v1.76.0)

Updates `io.grpc:grpc-stub` from 1.72.0 to 1.76.0
- [Release notes](https://github.com/grpc/grpc-java/releases)
- [Commits](grpc/grpc-java@v1.72.0...v1.76.0)

Updates `io.grpc:grpc-netty-shaded` from 1.72.0 to 1.76.0
- [Release notes](https://github.com/grpc/grpc-java/releases)
- [Commits](grpc/grpc-java@v1.72.0...v1.76.0)

Updates `io.grpc:protoc-gen-grpc-java` from 1.72.0 to 1.76.0
- [Release notes](https://github.com/grpc/grpc-java/releases)
- [Commits](grpc/grpc-java@v1.72.0...v1.76.0)

---
updated-dependencies:
- dependency-name: io.grpc:grpc-netty
  dependency-version: 1.76.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: io.grpc:grpc-protobuf
  dependency-version: 1.76.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: io.grpc:grpc-stub
  dependency-version: 1.76.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: io.grpc:grpc-netty-shaded
  dependency-version: 1.76.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: io.grpc:protoc-gen-grpc-java
  dependency-version: 1.76.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file Java Pull requests that update Java code labels Oct 21, 2025
@dependabot dependabot bot requested a review from a team as a code owner October 21, 2025 22:14
@dependabot dependabot bot requested a review from andrewb1269hg October 21, 2025 22:14
@lfdt-bot

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
|--------|---------|----------|------|--------|-----|-----------|
|        | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
