build(deps): bump grpc from 1.76.0 to 1.77.0

[dependabot]

Bumps grpc from 1.76.0 to 1.77.0.
Updates io.grpc:grpc-core from 1.76.0 to 1.77.0

Release notes

Sourced from io.grpc:grpc-core's releases.

v1.77.0

API Changes

• binder: Remove experimental BinderChannelBuilder.bindAsUser() method, deprecated since 1.69 (#12401) (f96ce0670)

Bug Fixes

• api: Fix name resolver bridge listener handling for address resolution errors for custom name resolvers (#12441) (acbbf869a). This fixes regression introduced in v1.68.1 causing a “IllegalStateException: No value present.” exception
• core: Fix NullPointerException during address update with Happy Eyeballs (5e8af564e). This should not impact many people as the code is disabled by default, behind two experimental environment variables
• okhttp: Fix bidirectional keep-alive causing spurious GOAWAY (6fc3fd046). This fixes the grpc-okhttp server incorrectly closing the connection with GOAWAY: too_many_pings
• xds: SslContext updates handling when using system root certs (#12340) (63fdaaccc). Since FileWatcherCertificateProvider isn't used when using system root trust store, the SslContext update for the handshake that depended on it wasn't happening. This fix creates a separate CertificateProvider for handling system root certs that doesn't rely on the FileWatcherCertificateProvider.
• xds: Make cluster selection interceptor run before other filters (#12381) (82f9b8ec0). This is needed when there is GcpAuthenticationFilter in the filter chain to make available the cluster resource in CallOptions.
• xds: Handle wildcards in DNS SAN exact matching (#12345) (5b876cc86)
• android: Fix UdsChannelBuilder with WiFi Proxy (349a35a9b)
• binder: Avoid potential deadlock when canceling AsyncSecurityPolicy futures (#12283) (4725ced99)
• binder: Fix a BinderServerTransport crash in the rare shutdown-before-start case (#12440) (91f3f4dc1)

Improvements

• Improve status messages by including causal error details in config parsing errors for outlier detection and xds’s wrr locality policies (86e8b5617)
• xds: Detect negative ref count for xds client (21696cd3d). A negative reference count could cause NullPointerExceptions, so when too many unrefs are detected it produces a SEVERE warning and prevents the reference count from going negative
• xds: Support deprecated xDS TLS fields for Istio compat (#12435) (53cd1a225). This fixes a regression with Istio introduced in v1.73.0. This gives time for Istio’s new xDS field support to roll out
• googleapis: Allow wrapping NameResolver to inject XdsClient (#12450) (27d150890). This allows googleapis to inject an xDS bootstrap to use with its channels even if one is already specified in the environment variable or system property. When the code was originally written there was a single global XdsClient, but since gRFC A71 Xds Fallback each target string has its own XdsClient and thus can have its own bootstrap
• alts: Allow overriding metadata server address with env variable (9ac12ef89) (498f717fc)
• binder: Let the server know when the client fails to authorize it. (#12445) (599a0a146) This avoids the server needing to wait for the handshake timeout before realizing the handshake failed

New Features

• opentelemetry: Implement otel retry metrics from gRFC A96 (#12064) (d380191be)
• opentelemetry: propagate baggage to server metrics for custom attributes (#12389) (155308db2)
• xds: Allow EC Keys in SPIFFE Bundle Map parsing (#12399) (559e3ba41)
• xds: Enable authority rewriting (gRFC A81), system root cert support (gRFC A82), GCP authentication filter (gRFC A83), and SNI (gRFC A101) (#12499) (246c2b1ea). Authority rewriting requires the control plane to be labeled trusted_xds_server in the bootstrap. System root cert support and SNI require using XdsChannelCredentials
• rls: Add route lookup reason to request whether it is due to a cache miss or stale cache entry (#12442) (795ce0280)

Dependencies

• compiler: C++ protobuf used by codegen upgraded to 26.1 (#12330) (55aefd5b8)
• alts: Remove dep on grpclb (b769f966a). ALTS is no longer used with grpclb, so this removes dead code
• Upgrade netty to 4.1.127.Final (b37ee67cf)

Thanks to

@​panchenko @​benjaminp @​HyunSangHan @​becomeStar @​ZachChuba @​oliviamariacodes @​kssumin @​laz-canva

... (truncated)

Commits

• 251dfbb Bump version to 1.77.0
• 5de8e93 Update README etc to reference 1.77.0
• 155308d opentelemetry: propagate baggage to metrics for custom attributes, helps with...
• efef0dd servlet: Ignore timeoutOnSleepingServer for Tomcat
• 53cd1a2 xds: Support deprecated xDS TLS fields for Istio compat (#12435)
• 6fc3fd0 okhttp: Fix bidirectional keep-alive causing spurious GO_AWAY
• 498f717 alts: Metadata server address modification to account for default port
• 9ac12ef alts: Override metadata server address with env variable
• 246c2b1 xds: Enable flags for CSM Cloud run gRPC Java (#12499)
• 5e8af56 core: Fix NPE during address update with Happy Eyeballs
• Additional commits viewable in compare view

Updates io.grpc:grpc-netty from 1.76.0 to 1.77.0

Release notes

Sourced from io.grpc:grpc-netty's releases.

v1.77.0

API Changes

• binder: Remove experimental BinderChannelBuilder.bindAsUser() method, deprecated since 1.69 (#12401) (f96ce0670)

Bug Fixes

• api: Fix name resolver bridge listener handling for address resolution errors for custom name resolvers (#12441) (acbbf869a). This fixes regression introduced in v1.68.1 causing a “IllegalStateException: No value present.” exception
• core: Fix NullPointerException during address update with Happy Eyeballs (5e8af564e). This should not impact many people as the code is disabled by default, behind two experimental environment variables
• okhttp: Fix bidirectional keep-alive causing spurious GOAWAY (6fc3fd046). This fixes the grpc-okhttp server incorrectly closing the connection with GOAWAY: too_many_pings
• xds: SslContext updates handling when using system root certs (#12340) (63fdaaccc). Since FileWatcherCertificateProvider isn't used when using system root trust store, the SslContext update for the handshake that depended on it wasn't happening. This fix creates a separate CertificateProvider for handling system root certs that doesn't rely on the FileWatcherCertificateProvider.
• xds: Make cluster selection interceptor run before other filters (#12381) (82f9b8ec0). This is needed when there is GcpAuthenticationFilter in the filter chain to make available the cluster resource in CallOptions.
• xds: Handle wildcards in DNS SAN exact matching (#12345) (5b876cc86)
• android: Fix UdsChannelBuilder with WiFi Proxy (349a35a9b)
• binder: Avoid potential deadlock when canceling AsyncSecurityPolicy futures (#12283) (4725ced99)
• binder: Fix a BinderServerTransport crash in the rare shutdown-before-start case (#12440) (91f3f4dc1)

Improvements

• Improve status messages by including causal error details in config parsing errors for outlier detection and xds’s wrr locality policies (86e8b5617)
• xds: Detect negative ref count for xds client (21696cd3d). A negative reference count could cause NullPointerExceptions, so when too many unrefs are detected it produces a SEVERE warning and prevents the reference count from going negative
• xds: Support deprecated xDS TLS fields for Istio compat (#12435) (53cd1a225). This fixes a regression with Istio introduced in v1.73.0. This gives time for Istio’s new xDS field support to roll out
• googleapis: Allow wrapping NameResolver to inject XdsClient (#12450) (27d150890). This allows googleapis to inject an xDS bootstrap to use with its channels even if one is already specified in the environment variable or system property. When the code was originally written there was a single global XdsClient, but since gRFC A71 Xds Fallback each target string has its own XdsClient and thus can have its own bootstrap
• alts: Allow overriding metadata server address with env variable (9ac12ef89) (498f717fc)
• binder: Let the server know when the client fails to authorize it. (#12445) (599a0a146) This avoids the server needing to wait for the handshake timeout before realizing the handshake failed

New Features

• opentelemetry: Implement otel retry metrics from gRFC A96 (#12064) (d380191be)
• opentelemetry: propagate baggage to server metrics for custom attributes (#12389) (155308db2)
• xds: Allow EC Keys in SPIFFE Bundle Map parsing (#12399) (559e3ba41)
• xds: Enable authority rewriting (gRFC A81), system root cert support (gRFC A82), GCP authentication filter (gRFC A83), and SNI (gRFC A101) (#12499) (246c2b1ea). Authority rewriting requires the control plane to be labeled trusted_xds_server in the bootstrap. System root cert support and SNI require using XdsChannelCredentials
• rls: Add route lookup reason to request whether it is due to a cache miss or stale cache entry (#12442) (795ce0280)

Dependencies

• compiler: C++ protobuf used by codegen upgraded to 26.1 (#12330) (55aefd5b8)
• alts: Remove dep on grpclb (b769f966a). ALTS is no longer used with grpclb, so this removes dead code
• Upgrade netty to 4.1.127.Final (b37ee67cf)

Thanks to

@​panchenko @​benjaminp @​HyunSangHan @​becomeStar @​ZachChuba @​oliviamariacodes @​kssumin @​laz-canva

... (truncated)

Commits

• 251dfbb Bump version to 1.77.0
• 5de8e93 Update README etc to reference 1.77.0
• 155308d opentelemetry: propagate baggage to metrics for custom attributes, helps with...
• efef0dd servlet: Ignore timeoutOnSleepingServer for Tomcat
• 53cd1a2 xds: Support deprecated xDS TLS fields for Istio compat (#12435)
• 6fc3fd0 okhttp: Fix bidirectional keep-alive causing spurious GO_AWAY
• 498f717 alts: Metadata server address modification to account for default port
• 9ac12ef alts: Override metadata server address with env variable
• 246c2b1 xds: Enable flags for CSM Cloud run gRPC Java (#12499)
• 5e8af56 core: Fix NPE during address update with Happy Eyeballs
• Additional commits viewable in compare view

Updates io.grpc:grpc-protobuf from 1.76.0 to 1.77.0

Release notes

Sourced from io.grpc:grpc-protobuf's releases.

v1.77.0

API Changes

• binder: Remove experimental BinderChannelBuilder.bindAsUser() method, deprecated since 1.69 (#12401) (f96ce0670)

Bug Fixes

• api: Fix name resolver bridge listener handling for address resolution errors for custom name resolvers (#12441) (acbbf869a). This fixes regression introduced in v1.68.1 causing a “IllegalStateException: No value present.” exception
• core: Fix NullPointerException during address update with Happy Eyeballs (5e8af564e). This should not impact many people as the code is disabled by default, behind two experimental environment variables
• okhttp: Fix bidirectional keep-alive causing spurious GOAWAY (6fc3fd046). This fixes the grpc-okhttp server incorrectly closing the connection with GOAWAY: too_many_pings
• xds: SslContext updates handling when using system root certs (#12340) (63fdaaccc). Since FileWatcherCertificateProvider isn't used when using system root trust store, the SslContext update for the handshake that depended on it wasn't happening. This fix creates a separate CertificateProvider for handling system root certs that doesn't rely on the FileWatcherCertificateProvider.
• xds: Make cluster selection interceptor run before other filters (#12381) (82f9b8ec0). This is needed when there is GcpAuthenticationFilter in the filter chain to make available the cluster resource in CallOptions.
• xds: Handle wildcards in DNS SAN exact matching (#12345) (5b876cc86)
• android: Fix UdsChannelBuilder with WiFi Proxy (349a35a9b)
• binder: Avoid potential deadlock when canceling AsyncSecurityPolicy futures (#12283) (4725ced99)
• binder: Fix a BinderServerTransport crash in the rare shutdown-before-start case (#12440) (91f3f4dc1)

Improvements

• Improve status messages by including causal error details in config parsing errors for outlier detection and xds’s wrr locality policies (86e8b5617)
• xds: Detect negative ref count for xds client (21696cd3d). A negative reference count could cause NullPointerExceptions, so when too many unrefs are detected it produces a SEVERE warning and prevents the reference count from going negative
• xds: Support deprecated xDS TLS fields for Istio compat (#12435) (53cd1a225). This fixes a regression with Istio introduced in v1.73.0. This gives time for Istio’s new xDS field support to roll out
• googleapis: Allow wrapping NameResolver to inject XdsClient (#12450) (27d150890). This allows googleapis to inject an xDS bootstrap to use with its channels even if one is already specified in the environment variable or system property. When the code was originally written there was a single global XdsClient, but since gRFC A71 Xds Fallback each target string has its own XdsClient and thus can have its own bootstrap
• alts: Allow overriding metadata server address with env variable (9ac12ef89) (498f717fc)
• binder: Let the server know when the client fails to authorize it. (#12445) (599a0a146) This avoids the server needing to wait for the handshake timeout before realizing the handshake failed

New Features

• opentelemetry: Implement otel retry metrics from gRFC A96 (#12064) (d380191be)
• opentelemetry: propagate baggage to server metrics for custom attributes (#12389) (155308db2)
• xds: Allow EC Keys in SPIFFE Bundle Map parsing (#12399) (559e3ba41)
• xds: Enable authority rewriting (gRFC A81), system root cert support (gRFC A82), GCP authentication filter (gRFC A83), and SNI (gRFC A101) (#12499) (246c2b1ea). Authority rewriting requires the control plane to be labeled trusted_xds_server in the bootstrap. System root cert support and SNI require using XdsChannelCredentials
• rls: Add route lookup reason to request whether it is due to a cache miss or stale cache entry (#12442) (795ce0280)

Dependencies

• compiler: C++ protobuf used by codegen upgraded to 26.1 (#12330) (55aefd5b8)
• alts: Remove dep on grpclb (b769f966a). ALTS is no longer used with grpclb, so this removes dead code
• Upgrade netty to 4.1.127.Final (b37ee67cf)

Thanks to

@​panchenko @​benjaminp @​HyunSangHan @​becomeStar @​ZachChuba @​oliviamariacodes @​kssumin @​laz-canva

... (truncated)

Commits

• 251dfbb Bump version to 1.77.0
• 5de8e93 Update README etc to reference 1.77.0
• 155308d opentelemetry: propagate baggage to metrics for custom attributes, helps with...
• efef0dd servlet: Ignore timeoutOnSleepingServer for Tomcat
• 53cd1a2 xds: Support deprecated xDS TLS fields for Istio compat (#12435)
• 6fc3fd0 okhttp: Fix bidirectional keep-alive causing spurious GO_AWAY
• 498f717 alts: Metadata server address modification to account for default port
• 9ac12ef alts: Override metadata server address with env variable
• 246c2b1 xds: Enable flags for CSM Cloud run gRPC Java (#12499)
• 5e8af56 core: Fix NPE during address update with Happy Eyeballs
• Additional commits viewable in compare view

Updates io.grpc:grpc-stub from 1.76.0 to 1.77.0

Release notes

Sourced from io.grpc:grpc-stub's releases.

v1.77.0

API Changes

• binder: Remove experimental BinderChannelBuilder.bindAsUser() method, deprecated since 1.69 (#12401) (f96ce0670)

Bug Fixes

• api: Fix name resolver bridge listener handling for address resolution errors for custom name resolvers (#12441) (acbbf869a). This fixes regression introduced in v1.68.1 causing a “IllegalStateException: No value present.” exception
• core: Fix NullPointerException during address update with Happy Eyeballs (5e8af564e). This should not impact many people as the code is disabled by default, behind two experimental environment variables
• okhttp: Fix bidirectional keep-alive causing spurious GOAWAY (6fc3fd046). This fixes the grpc-okhttp server incorrectly closing the connection with GOAWAY: too_many_pings
• xds: SslContext updates handling when using system root certs (#12340) (63fdaaccc). Since FileWatcherCertificateProvider isn't used when using system root trust store, the SslContext update for the handshake that depended on it wasn't happening. This fix creates a separate CertificateProvider for handling system root certs that doesn't rely on the FileWatcherCertificateProvider.
• xds: Make cluster selection interceptor run before other filters (#12381) (82f9b8ec0). This is needed when there is GcpAuthenticationFilter in the filter chain to make available the cluster resource in CallOptions.
• xds: Handle wildcards in DNS SAN exact matching (#12345) (5b876cc86)
• android: Fix UdsChannelBuilder with WiFi Proxy (349a35a9b)
• binder: Avoid potential deadlock when canceling AsyncSecurityPolicy futures (#12283) (4725ced99)
• binder: Fix a BinderServerTransport crash in the rare shutdown-before-start case (#12440) (91f3f4dc1)

Improvements

• Improve status messages by including causal error details in config parsing errors for outlier detection and xds’s wrr locality policies (86e8b5617)
• xds: Detect negative ref count for xds client (21696cd3d). A negative reference count could cause NullPointerExceptions, so when too many unrefs are detected it produces a SEVERE warning and prevents the reference count from going negative
• xds: Support deprecated xDS TLS fields for Istio compat (#12435) (53cd1a225). This fixes a regression with Istio introduced in v1.73.0. This gives time for Istio’s new xDS field support to roll out
• googleapis: Allow wrapping NameResolver to inject XdsClient (#12450) (27d150890). This allows googleapis to inject an xDS bootstrap to use with its channels even if one is already specified in the environment variable or system property. When the code was originally written there was a single global XdsClient, but since gRFC A71 Xds Fallback each target string has its own XdsClient and thus can have its own bootstrap
• alts: Allow overriding metadata server address with env variable (9ac12ef89) (498f717fc)
• binder: Let the server know when the client fails to authorize it. (#12445) (599a0a146) This avoids the server needing to wait for the handshake timeout before realizing the handshake failed

New Features

• opentelemetry: Implement otel retry metrics from gRFC A96 (#12064) (d380191be)
• opentelemetry: propagate baggage to server metrics for custom attributes (#12389) (155308db2)
• xds: Allow EC Keys in SPIFFE Bundle Map parsing (#12399) (559e3ba41)
• xds: Enable authority rewriting (gRFC A81), system root cert support (gRFC A82), GCP authentication filter (gRFC A83), and SNI (gRFC A101) (#12499) (246c2b1ea). Authority rewriting requires the control plane to be labeled trusted_xds_server in the bootstrap. System root cert support and SNI require using XdsChannelCredentials
• rls: Add route lookup reason to request whether it is due to a cache miss or stale cache entry (#12442) (795ce0280)

Dependencies

• compiler: C++ protobuf used by codegen upgraded to 26.1 (#12330) (55aefd5b8)
• alts: Remove dep on grpclb (b769f966a). ALTS is no longer used with grpclb, so this removes dead code
• Upgrade netty to 4.1.127.Final (b37ee67cf)

Thanks to

@​panchenko @​benjaminp @​HyunSangHan @​becomeStar @​ZachChuba @​oliviamariacodes @​kssumin @​laz-canva

... (truncated)

Commits

• 251dfbb Bump version to 1.77.0
• 5de8e93 Update README etc to reference 1.77.0
• 155308d opentelemetry: propagate baggage to metrics for custom attributes, helps with...
• efef0dd servlet: Ignore timeoutOnSleepingServer for Tomcat
• 53cd1a2 xds: Support deprecated xDS TLS fields for Istio compat (#12435)
• 6fc3fd0 okhttp: Fix bidirectional keep-alive causing spurious GO_AWAY
• 498f717 alts: Metadata server address modification to account for default port
• 9ac12ef alts: Override metadata server address with env variable
• 246c2b1 xds: Enable flags for CSM Cloud run gRPC Java (#12499)
• 5e8af56 core: Fix NPE during address update with Happy Eyeballs
• Additional commits viewable in compare view

Updates io.grpc:grpc-inprocess from 1.76.0 to 1.77.0

Release notes

Sourced from io.grpc:grpc-inprocess's releases.

v1.77.0

API Changes

• binder: Remove experimental BinderChannelBuilder.bindAsUser() method, deprecated since 1.69 (#12401) (f96ce0670)

Bug Fixes

• api: Fix name resolver bridge listener handling for address resolution errors for custom name resolvers (#12441) (acbbf869a). This fixes regression introduced in v1.68.1 causing a “IllegalStateException: No value present.” exception
• core: Fix NullPointerException during address update with Happy Eyeballs (5e8af564e). This should not impact many people as the code is disabled by default, behind two experimental environment variables
• okhttp: Fix bidirectional keep-alive causing spurious GOAWAY (6fc3fd046). This fixes the grpc-okhttp server incorrectly closing the connection with GOAWAY: too_many_pings
• xds: SslContext updates handling when using system root certs (#12340) (63fdaaccc). Since FileWatcherCertificateProvider isn't used when using system root trust store, the SslContext update for the handshake that depended on it wasn't happening. This fix creates a separate CertificateProvider for handling system root certs that doesn't rely on the FileWatcherCertificateProvider.
• xds: Make cluster selection interceptor run before other filters (#12381) (82f9b8ec0). This is needed when there is GcpAuthenticationFilter in the filter chain to make available the cluster resource in CallOptions.
• xds: Handle wildcards in DNS SAN exact matching (#12345) (5b876cc86)
• android: Fix UdsChannelBuilder with WiFi Proxy (349a35a9b)
• binder: Avoid potential deadlock when canceling AsyncSecurityPolicy futures (#12283) (4725ced99)
• binder: Fix a BinderServerTransport crash in the rare shutdown-before-start case (#12440) (91f3f4dc1)

Improvements

• Improve status messages by including causal error details in config parsing errors for outlier detection and xds’s wrr locality policies (86e8b5617)
• xds: Detect negative ref count for xds client (21696cd3d). A negative reference count could cause NullPointerExceptions, so when too many unrefs are detected it produces a SEVERE warning and prevents the reference count from going negative
• xds: Support deprecated xDS TLS fields for Istio compat (#12435) (53cd1a225). This fixes a regression with Istio introduced in v1.73.0. This gives time for Istio’s new xDS field support to roll out
• googleapis: Allow wrapping NameResolver to inject XdsClient (#12450) (27d150890). This allows googleapis to inject an xDS bootstrap to use with its channels even if one is already specified in the environment variable or system property. When the code was originally written there was a single global XdsClient, but since gRFC A71 Xds Fallback each target string has its own XdsClient and thus can have its own bootstrap
• alts: Allow overriding metadata server address with env variable (9ac12ef89) (498f717fc)
• binder: Let the server know when the client fails to authorize it. (#12445) (599a0a146) This avoids the server needing to wait for the handshake timeout before realizing the handshake failed

New Features

• opentelemetry: Implement otel retry metrics from gRFC A96 (#12064) (d380191be)
• opentelemetry: propagate baggage to server metrics for custom attributes (#12389) (155308db2)
• xds: Allow EC Keys in SPIFFE Bundle Map parsing (#12399) (559e3ba41)
• xds: Enable authority rewriting (gRFC A81), system root cert support (gRFC A82), GCP authentication filter (gRFC A83), and SNI (gRFC A101) (#12499) (246c2b1ea). Authority rewriting requires the control plane to be labeled trusted_xds_server in the bootstrap. System root cert support and SNI require using XdsChannelCredentials
• rls: Add route lookup reason to request whether it is due to a cache miss or stale cache entry (#12442) (795ce0280)

Dependencies

• compiler: C++ protobuf used by codegen upgraded to 26.1 (#12330) (55aefd5b8)
• alts: Remove dep on grpclb (b769f966a). ALTS is no longer used with grpclb, so this removes dead code
• Upgrade netty to 4.1.127.Final (b37ee67cf)

Thanks to

@​panchenko @​benjaminp @​HyunSangHan @​becomeStar @​ZachChuba @​oliviamariacodes @​kssumin @​laz-canva

... (truncated)

Commits

• 251dfbb Bump version to 1.77.0
• 5de8e93 Update README etc to reference 1.77.0
• 155308d opentelemetry: propagate baggage to metrics for custom attributes, helps with...
• efef0dd servlet: Ignore timeoutOnSleepingServer for Tomcat
• 53cd1a2 xds: Support deprecated xDS TLS fields for Istio compat (#12435)
• 6fc3fd0 okhttp: Fix bidirectional keep-alive causing spurious GO_AWAY
• 498f717 alts: Metadata server address modification to account for default port
• 9ac12ef alts: Override metadata server address with env variable
• 246c2b1 xds: Enable flags for CSM Cloud run gRPC Java (#12499)
• 5e8af56 core: Fix NPE during address update with Happy Eyeballs
• Additional commits viewable in compare view

Updates io.grpc:grpc-util from 1.76.0 to 1.77.0

Release notes

Sourced from io.grpc:grpc-util's releases.

v1.77.0

API Changes

• binder: Remove experimental BinderChannelBuilder.bindAsUser() method, deprecated since 1.69 (#12401) (f96ce0670)

Bug Fixes

• api: Fix name resolver bridge listener handling for address resolution errors for custom name resolvers (#12441) (acbbf869a). This fixes regression introduced in v1.68.1 causing a “IllegalStateException: No value present.” exception
• core: Fix NullPointerException during address update with Happy Eyeballs (5e8af564e). This should not impact many people as the code is disabled by default, behind two experimental environment variables
• okhttp: Fix bidirectional keep-alive causing spurious GOAWAY (6fc3fd046). This fixes the grpc-okhttp server incorrectly closing the connection with GOAWAY: too_many_pings
• xds: SslContext updates handling when using system root certs (#12340) (63fdaaccc). Since FileWatcherCertificateProvider isn't used when using system root trust store, the SslContext update for the handshake that depended on it wasn't happening. This fix creates a separate CertificateProvider for handling system root certs that doesn't rely on the FileWatcherCertificateProvider.
• xds: Make cluster selection interceptor run before other filters (#12381) (82f9b8ec0). This is needed when there is GcpAuthenticationFilter in the filter chain to make available the cluster resource in CallOptions.
• xds: Handle wildcards in DNS SAN exact matching (#12345) (5b876cc86)
• android: Fix UdsChannelBuilder with WiFi Proxy (349a35a9b)
• binder: Avoid potential deadlock when canceling AsyncSecurityPolicy futures (#12283) (4725ced99)
• binder: Fix a BinderServerTransport crash in the rare shutdown-before-start case (#12440) (91f3f4dc1)

Improvements

• Improve status messages by including causal error details in config parsing errors for outlier detection and xds’s wrr locality policies (86e8b5617)
• xds: Detect negative ref count for xds client (21696cd3d). A negative reference count could cause NullPointerExceptions, so when too many unrefs are detected it produces a SEVERE warning and prevents the reference count from going negative
• xds: Support deprecated xDS TLS fields for Istio compat (#12435) (53cd1a225). This fixes a regression with Istio introduced in v1.73.0. This gives time for Istio’s new xDS field support to roll out
• googleapis: Allow wrapping NameResolver to inject XdsClient (#12450) (27d150890). This allows googleapis to inject an xDS bootstrap to use with its channels even if one is already specified in the environment variable or system property. When the code was originally written there was a single global XdsClient, but since gRFC A71 Xds Fallback each target string has its own XdsClient and thus can have its own bootstrap
• alts: Allow overriding metadata server address with env variable (9ac12ef89) (498f717fc)
• binder: Let the server know when the client fails to authorize it. (#12445) (599a0a146) This avoids the server needing to wait for the handshake timeout before realizing the handshake failed

New Features

• opentelemetry: Implement otel retry metrics from gRFC A96 (#12064) (d380191be)
• opentelemetry: propagate baggage to server metrics for custom attributes (#12389) (155308db2)
• xds: Allow EC Keys in SPIFFE Bundle Map parsing (#12399) (559e3ba41)
• xds: Enable authority rewriting (gRFC A81), system root cert support (gRFC A82), GCP authentication filter (gRFC A83), and SNI (gRFC A101) (#12499) (246c2b1ea). Authority rewriting requires the control plane to be labeled trusted_xds_server in the bootstrap. System root cert support and SNI require using XdsChannelCredentials
• rls: Add route lookup reason to request whether it is due to a cache miss or stale cache entry (#12442) (795ce0280)

Dependencies

• compiler: C++ protobuf used by codegen upgraded to 26.1 (#12330) (55aefd5b8)
• alts: Remove dep on grpclb (b769f966a). ALTS is no longer used with grpclb, so this removes dead code
• Upgrade netty to 4.1.127.Final (b37ee67cf)

Thanks to

@​panchenko @​benjaminp @​HyunSangHan @​becomeStar @​ZachChuba @​oliviamariacodes @​kssumin @​laz-canva

... (truncated)

Commits

• 251dfbb Bump version to 1.77.0
• 5de8e93 Update README etc to reference 1.77.0
• 155308d opentelemetry: propagate baggage to metrics for custom attributes, helps with...
• efef0dd servlet: Ignore timeoutOnSleepingServer for Tomcat
• 53cd1a2 xds: Support deprecated xDS TLS fields for Istio compat (#12435)
• 6fc3fd0 okhttp: Fix bidirectional keep-alive causing spurious GO_AWAY
• 498f717 alts: Metadata server address modification to account for default port
• 9ac12ef alts: Override metadata server address with env variable
• 246c2b1 xds: Enable flags for CSM Cloud run gRPC Java (#12499)
• 5e8af56 core: Fix NPE during address update with Happy Eyeballs
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign lburgazzoli for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment