@dependabot-preview
Contributor

Bumps grpc.version from 1.18.0 to 1.24.0.

Updates grpc-netty from 1.18.0 to 1.24.0

Release notes

Sourced from grpc-netty's releases.

v1.24.0

Dependencies

  • core: Migrate to new OpenCensus method & status tags (#5996)

Bug Fixes

  • core: handle removing partially-closed resources for throwing on close. Fixes #6002. (#6044)
  • auth: fix builder invocation for converting Google service account to Jwt access credential (#6106)
  • netty: a hang that a netty client using an http proxy may have experienced is fixed (#6159). This issue was introduced in 1.22.0.
  • bazel: Fix java path separator bug on Windows (#6054)
  • grpclb: fix pick_first mode shutdown without subchannels. (#6072)

API Changes

  • The deprecated API ManagedChannelBuilder.usePlaintext(boolean skipNegotiation) will be removed in the next release. If you are still using it, please plan a migration (#1772)
  • android: final stabilization of AndroidChannelBuilder (#6097). AndroidChannelBuilder is stabilized. Deprecated APIs are deleted. fromBuilder(...) is deprecated with replacement of usingBuilder(...).
  • core: allow setting custom Deadline.Ticker to InProcessServerBuilder (#6034)

New Features

  • bazel: Added //netty:shaded_maven target, similar to netty-shaded. It is only intended as a dependency for pre-compiled JARs
  • bazel: Added IO_GRPC_GRPC_JAVA_OVERRIDE_TARGETS for use with maven_install. See repositories.bzl for how to use
  • cronet: add grpc-cronet artifact publishing configurations (#6130). grpc-cronet is published as a standalone artifact in maven central.

Documentation

  • doc: explicitly mention that Deadline might saturate (#6085)

Acknowledgements

v1.23.0

This release resolves the DoS vulnerability CVE-2019-9515 (SETTINGS flood). Users using the grpc-netty server with untrusted clients should upgrade.

Dependencies

  • Bump netty to 4.1.38
  • Bump PerfMark to 0.17.0
  • Bump protobuf to 3.9.0

Bug Fixes

  • netty: Limit number of frames a client can cause the server to enqueue (#6056). Addresses CVE-2019-9515 (Settings flood). While grpc-java was not vulnerable to CVE-2019-9512 (Ping flood) nor CVE-2019-9514 (Reset flood), the fix provides protections against these attacks as well
  • alts: Fix server hang (#5900)
  • context: Fix race between CancellableContext and Context (#5981)
  • stub: Avoid race in onHalfClose server StreamObserver (#5991)
  • core: Avoid using partially-closed resources that threw during close in SharedResourceHolder (#6048). This avoids a permanent hang when using google-cloud-java. See googleapis/google-cloud-java#5810 and googleapis/google-cloud-java#5801

API Changes

... (truncated)
Commits
  • 99793cf Bump version to 1.24.0
  • 5ac69cc Update README etc to reference 1.24.0
  • a7985aa auth: Avoid com.auth0:java-jwt dependency in test (#6180)
  • d268d88 Revert "Start 1.25.0 development cycle (#6141)" (#6189)
  • 7222e37 cronet: update README for using published grpc-cronet with play service Crone...
  • 45f5008 netty: converts Proxy handler into new protocol negotiation style backport of...
  • fa8f89a Start 1.25.0 development cycle (#6141)
  • 415212f alts: fix typo (#6113)
  • 252ca2a auth: verify information in decoded JWT token instead of comparing hashing va...
  • e866d35 buildscripts: add config for building grpc-cronet artifact (#6134)
  • Additional commits viewable in compare view

Updates grpc-protobuf from 1.18.0 to 1.24.0


Updates grpc-stub from 1.18.0 to 1.24.0


Updates grpc-core from 1.18.0 to 1.24.0


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



Bumps `grpc.version` from 1.18.0 to 1.24.0.

Updates `grpc-netty` from 1.18.0 to 1.24.0
- [Release notes](https://github.com/grpc/grpc-java/releases)
- [Commits](grpc/grpc-java@v1.18.0...v1.24.0)

Updates `grpc-protobuf` from 1.18.0 to 1.24.0
- [Release notes](https://github.com/grpc/grpc-java/releases)
- [Commits](grpc/grpc-java@v1.18.0...v1.24.0)

Updates `grpc-stub` from 1.18.0 to 1.24.0
- [Release notes](https://github.com/grpc/grpc-java/releases)
- [Commits](grpc/grpc-java@v1.18.0...v1.24.0)

Updates `grpc-core` from 1.18.0 to 1.24.0
- [Release notes](https://github.com/grpc/grpc-java/releases)
- [Commits](grpc/grpc-java@v1.18.0...v1.24.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview
Contributor Author

Superseded by #125.

@dependabot-preview dependabot-preview bot deleted the dependabot/maven/grpc.version-1.24.0 branch October 24, 2019 09:12