Update dependency grpcio to v1.53.2 [SECURITY] - autoclosed #570

Closed

Conversation

renovate[bot]

@renovate renovate bot commented Jul 30, 2024

This PR contains the following updates:

Package            Change
grpcio (source)    ==1.43.0 -> ==1.53.2
grpcio (source)    ==1.42.0 -> ==1.53.2
grpcio (source)    ==1.32.0 -> ==1.53.2

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-33953

gRPC contains a vulnerability in which HPACK table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DoS attacks:

  • Unbounded memory buffering in the HPACK parser
  • Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:

  • The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
  • HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse.
  • gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering:
    • HEADERS: containing a: 1
    • CONTINUATION: containing a: 2
    • CONTINUATION: containing a: 3
    • etc…
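The three buffering problems listed above map onto three concrete checks in a header decoder. The block below is an added example written for this page, not gRPC's code: it implements the RFC 7541 integer and string wire formats with a bound on continuation bytes (so a run of 0x80 padding bytes ends the parse instead of being read to exhaustion), compares a declared string length against the limit before any payload is read, and applies the header-block size limit to the running total across HEADERS and CONTINUATION frames rather than per frame. `MAX_CONTINUATION_BYTES`, `MAX_INT_VALUE`, the 16384-byte limits, the helper names and every sample input are assumptions constructed for the illustration.

```python
"""
Bounded HPACK decoding and cumulative header-block accounting.

Added example, not gRPC's code. Wire formats follow RFC 7541 sections 5.1
(integers) and 5.2 (string literals); the limits and all inputs are
constructed for this illustration.
"""


class HpackError(ValueError):
    """Decoder bound violated; a real implementation would drop the connection."""


# Assumed limits (not RFC constants): a 32-bit value never needs more than five
# 7-bit continuation bytes, so anything longer is zero padding or an overflow.
MAX_CONTINUATION_BYTES = 5
MAX_INT_VALUE = (1 << 32) - 1


def encode_integer(value: int, prefix_bits: int, flags: int = 0) -> bytes:
    """RFC 7541 section 5.1 encoder, used here only to build sample inputs."""
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([flags | value])
    out = bytearray([flags | mask])
    value -= mask
    while value >= 0x80:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_integer(data: bytes, offset: int, prefix_bits: int) -> tuple:
    """Decode an integer at data[offset]; returns (value, next_offset).

    Each continuation byte adds (byte & 0x7F) << shift. A 0x80 byte adds zero
    but keeps the "more" bit set, so without the byte-count bound a peer could
    prepend an unbounded run of 0x80 bytes and keep the loop running.
    """
    if offset >= len(data):
        raise HpackError("truncated integer")
    mask = (1 << prefix_bits) - 1
    value = data[offset] & mask
    offset += 1
    if value < mask:
        return value, offset
    shift = 0
    consumed = 0
    while True:
        if consumed >= MAX_CONTINUATION_BYTES:
            raise HpackError("integer has too many continuation bytes")
        if offset >= len(data):
            raise HpackError("truncated integer")
        byte = data[offset]
        offset += 1
        consumed += 1
        value += (byte & 0x7F) << shift
        if value > MAX_INT_VALUE:
            raise HpackError("integer overflow")
        if not byte & 0x80:
            return value, offset
        shift += 7


def decode_string(data: bytes, offset: int, max_len: int) -> tuple:
    """Decode a section 5.2 string literal (raw, non-Huffman only).

    The declared length is checked against max_len before the payload is
    touched, so a declared multi-gigabyte string is rejected at its length
    field rather than buffered first and rejected afterwards.
    """
    if offset >= len(data):
        raise HpackError("truncated string")
    huffman = bool(data[offset] & 0x80)
    length, offset = decode_integer(data, offset, 7)
    if length > max_len:
        raise HpackError(f"declared string length {length} exceeds limit {max_len}")
    if huffman:
        raise HpackError("Huffman strings are outside this example")
    if offset + length > len(data):
        raise HpackError("truncated string")
    return bytes(data[offset:offset + length]), offset + length


class HeaderBlockAccumulator:
    """Collect a HEADERS frame and its CONTINUATION frames under one budget.

    The limit applies to the running total, so a HEADERS / CONTINUATION /
    CONTINUATION ... sequence cannot grow unbounded by staying small per frame.
    """

    def __init__(self, max_header_block_size: int):
        self.limit = max_header_block_size
        self.buffer = bytearray()
        self.complete = False

    def add_fragment(self, fragment: bytes, end_headers: bool) -> bool:
        """Append one frame's fragment; returns True once END_HEADERS is seen."""
        if self.complete:
            raise HpackError("fragment after END_HEADERS")
        if len(self.buffer) + len(fragment) > self.limit:
            self.buffer.clear()
            raise HpackError(f"header block exceeds {self.limit} bytes across frames")
        self.buffer += fragment
        self.complete = end_headers
        return self.complete


def try_decode_integer(data: bytes, prefix_bits: int):
    """Decoded value, or None when the bounded decoder rejects the input."""
    try:
        return decode_integer(data, 0, prefix_bits)[0]
    except HpackError:
        return None


def try_decode_string(data: bytes, max_len: int):
    """Decoded payload, or None when the length check or decoder rejects it."""
    try:
        return decode_string(data, 0, max_len)[0]
    except HpackError:
        return None


def check_frames(fragments, max_header_block_size: int) -> str:
    """Feed (fragment, end_headers) pairs; return 'accepted', 'incomplete' or the rejection."""
    acc = HeaderBlockAccumulator(max_header_block_size)
    try:
        for fragment, end_headers in fragments:
            acc.add_fragment(fragment, end_headers)
    except HpackError as exc:
        return f"rejected: {exc}"
    return "accepted" if acc.complete else "incomplete"


if __name__ == "__main__":
    # Constructed inputs.
    print(try_decode_integer(b"\x1f\x9a\x0a", 5))                         # 1337 (RFC 7541 C.1.2)
    print(try_decode_integer(b"\x1f\x80\x80\x00", 5))                     # 31: short 0x80 padding is harmless
    print(try_decode_integer(b"\x1f" + b"\x80" * 40 + b"\x00", 5))        # None: padding run rejected
    print(try_decode_string(encode_integer(100_000, 7) + b"x", 16_384))   # None: rejected at the length field
    print(check_frames([(b"a" * 4000, False)] * 5, 16_384))               # rejected across CONTINUATION frames
```

The order of the checks is the point: the length and byte-count bounds run before any allocation or copy, and the header-block budget is consumed cumulatively, so each of the three vectors is stopped at the first byte that exceeds the limit.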

Release Notes

grpc/grpc (grpcio)

v1.53.2

This is release gRPC Core 1.53.2 (glockenspiel).

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes.

v1.53.1

This is release gRPC Core 1.53.1 (glockenspiel).

This release contains refinements, improvements, and bug fixes.

v1.53.0

This is release 1.53.0 (glockenspiel) of gRPC Core.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • xDS: fix crash when removing the last endpoint from the last locality in weighted_target. (#32592)
  • filter stack: pass peer name up via recv_initial_metadata batch. (#31933)
  • [EventEngine] Add advice against blocking work in callbacks. (#32397)
  • [http2] Don't drop connections on metadata limit exceeded. (#32309)
  • xDS: reject aggregate cluster with empty cluster list. (#32238)
  • Fix Python epoll1 Fork Support. (#32196)
  • server: introduce ServerMetricRecorder API and move per-call reporting from a C++ interceptor to a C-core filter. (#32106)
  • [EventEngine] Add invalid handle types to the public API. (#32202)
  • [EventEngine] Refactoring the EventEngine Test Suite: Part 1. (#32127)
  • xDS: fix WeightedClusters total weight handling. (#32134)

C++

  • Update minimum MSVC version to 2019. (#32615)
  • Use CMake variables for paths in pkg-config files. (#31671)

C#

  • Grpc.Tools: Use x86 protoc binaries on arm64 Windows. (#32017)

Ruby

  • [ruby]: add pre-compiled binaries for ruby 3.2; drop them for ruby 2.6. (#32089)

v1.52.0

This is release 1.52.0 (gribkoff) of gRPC Core.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • [༺ EventEngine ༻] Specify requirements for Run* immediate execution. (#32028)
  • Tracing: Add annotations for when call is removed from resolver result queue and lb pick queue. (#31913)
  • ring_hash LB: cap ring size to 4096 with channel arg to override. (#31692)

C++

  • Cmake add separate export for plugin targets. (#31525)

C#

  • Add internal documentation for Grpc.Tools MSBuild integration. (#31784)

Python

  • Change Aio abort() function return type to NoReturn. (#31984)
  • Change the annotated return type of UnaryStreamCall and StreamStreamCall from AsyncIterable to AsyncIterator. (#31906)
  • Build native MacOS arm64 artifacts (universal2). (#31747)
  • Respect CC variable in grpcio python build. (#26480)
  • Revert "Build with System OpenSSL on Mac OS arm64 (#31096)". (#31741)

Ruby

  • Backport "[ruby]: add pre-compiled binaries for ruby 3.2; drop them for ruby 2.6 #32089" to v1.52.x. (#32157)
  • remove some default allocators. (#30434)
  • Fix Ruby build errors in 3.2.0 on Apple M1. (#31997)
  • [Ruby] build: make exported symbol files platform-specific. (#31970)

v1.51.3

This is release gRPC Core 1.51.3 (galaxy).

This release is a Python-only patch to release universal2 Mac OS artifacts compatible with both x86 and arm64.

Python

  • Backport of #31747 to v1.51.x (Build native MacOS arm64 artifacts (universal2)). (#32424)

v1.51.1

This is release gRPC Core 1.51.1 (galaxy).

This release contains refinements, improvements, and bug fixes.

v1.51.0

This is release gRPC Core 1.51.0 (galaxy).

This release contains refinements, improvements, and bug fixes.

Core

  • Bump core version 2022110. (#31585)
  • c-ares DNS resolver: fix logical race between resolution timeout/cancellation and fd readability. (#31443)
  • [log] Longer space for filenames. (#31432)
  • c-ares DNS resolver: remove unnecessary code in SRV callback. (#31426)
  • Correct the domain-socket client address read out from the ServerContext. (#31108)
  • outlier detection: remove env var protection. (#31251)
  • EventEngineFactoryReset - remove custom factory and reset default engine. (#30554)
  • [tls] Remove support for pthread tls. (#31040)

C++

  • Added version macros to gRPC C++. (#31033)
  • OpenCensus: Move measures, views and CensusContext to include file. (#31341)
  • GcpObservability: Add experimental public target. (#31339)

C#

  • Fix msbuild failing when '@' is present in path (2nd attempt). (#31527)
  • Revert "Fix msbuild failing when '@' is present in path". (#31464)
  • Fix msbuild failing when '@' is present in path. (#31133)

Python

  • Fix lack of cooldown between poll attempts. (#31550)
  • Build with System OpenSSL on Mac OS arm64. (#31096)
  • Remove enum and future. (#31381)
  • [Remove Six] Remove dependency on six. (#31340)
  • Update xds-protos package to pull in protobuf 4.X. (#31113)

v1.50.0

This is release gRPC Core 1.50.0 (galley).

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • Derive EventEngine from std::enable_shared_from_this. (#31060)
  • Revert "Revert "[chttp2] fix stream leak with queued flow control update and absence of writes (#30907)" (#30991)". (#30992)
  • [chttp2] fix stream leak with queued flow control update and absence of writes. (#30907)
  • Remove gpr_codegen. (#30899)
  • client_channel: allow LB policy to communicate update errors to resolver. (#30809)
  • FaultInjection: Fix random number generation. (#30623)

C++

  • OpenCensus Plugin: Add measure and views for started RPCs. (#31034)

v1.49.1

This is release 1.49.1 (gamma) of gRPC Core.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

All

  • Update protobuf to v21.6 on 1.49.x. (#31028)

v1.49.0

This is release 1.49.0 (gamma) of gRPC Core.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • Backport: "stabilize the C2P resolver URI scheme" to v1.49.x. (#30654)
  • Bump core version. (#30588)
  • Update OpenCensus to HEAD. (#30567)
  • Update protobuf submodule to 3.21.5. (#30548)
  • Update third_party/protobuf to 3.21.4. (#30377)
  • [core] Remove GRPC_INITIAL_METADATA_CORKED flag. (#30443)
  • HTTP2: Fix keepalive time throttling. (#30164)
  • Use AnyInvocable in EventEngine APIs. (#30220)

v1.48.2

This is release 1.48.2 (garum) of gRPC Core.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

All

  • Update protobuf to v3.19.5 on v1.48.x. (#31029)

v1.48.1

This is release 1.48.1 (garum) of gRPC Core.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • Backport EventEngine Forkables. (#30605)

v1.48.0

This is release 1.48.0 (garum) of gRPC Core.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • Upgrade Abseil to LTS 2022062.0. (#30155)
  • Call: Send cancel op down the stack even when no ops are sent. (#30004)
  • FreeBSD system roots implementation. (#29436)
  • xDS: Workaround to get gRPC clients working with istio. (#29841)

Python

  • Set Correct Platform Tag in Wheels on Mac OS with Python 3.10. (#29857)
  • [Aio] Ensure Core channel closes when deallocated. (#29797)
  • [Aio] Fix the wait_for_termination return value. (#29795)

Ruby

  • Make the gem build on TruffleRuby. (#27660)
  • Support for prebuilt Ruby binary on x64-mingw-ucrt platform. (#29684)
  • [Ruby] Add ruby_abi_version to exported symbols. (#28976)

Objective-C

First developer preview of XCFramework binary distribution via Cocoapod (#28749).

This brings in significant speed up to local compile time and includes support for Apple Silicon build.

  • The following binary pods are made available for ObjC V1 & V2 API
    • gRPC-XCFramework (source pod gRPC)
    • gRPC-ProtoRPC-XCFramework (source pod gRPC-ProtoRPC)
  • The following platforms and architectures are included
    • ios: armv7, arm64 for device. arm64, i386, x86_64 for simulator
    • macos: x86_64 (Intel), arm64 (Apple Silicon)

v1.47.5

This is release 1.47.5 (gridman) of gRPC Core.

This release is a Python-only patch to release universal2 Mac OS artifacts compatible with both x86 and arm64.

Python

  • Backport of #31747 to v1.47.x (Build native MacOS arm64 artifacts (universal2)). (#32446)

v1.47.2

This is release 1.47.2 (gridman) of gRPC Core.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

All

  • Update protobuf to v3.19.5 on v1.47.x. (#31031)

v1.47.0

This is release 1.47.0 (gridman) of gRPC Core.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Announcement

gRPC C++ 1.47.0 is the first release requiring C++14 (proposal). For those who cannot upgrade to C++14 right now, you can use gRPC C++ 1.46.x in the meantime; gRPC C++ 1.46.x will be maintained with fixes for critical bugs (P0) and security fixes until 2023-06-01.

Core

  • xDS: Workaround to get gRPC clients working with istio (#29841). (#29850)
  • Bump core version to 25.0.0 for upcoming release. (#29775)
  • Initial support for Haiku. (#27793)
  • Add NetBSD support (Community-supported). (#29542)
  • server: per-rpc backend metric reporting. (#29621)
  • Remove C# implementation (individual packages will continue to be maintained through v2.46.x patches or moved to grpc-dotnet). (#29225)

C++

  • Expose NoOpCertificateVerifier to C++. (#29322)
  • RouteGuide example: Abort if database file not found. (#29398)

C#

  • C#: Suppress CS8981 in generated source. (#29708)

Python

  • Set Correct Platform Tag in Wheels on Mac OS with Python 3.10 (#29857). (#30026)
  • Removed manylinux2010 python artifacts. (#29734)
  • Allow grpcio to be built against system abseil-cpp. (#27550)
  • [Python] Add an UDS example. (#29592)

Ruby

  • Backport "Support for prebuilt Ruby binary on x64-mingw-ucrt platform (#29684)" to 1.47.x. (#29868)
  • Upgrade ruby rake-compiler-dock images (and stop building ruby gem artifacts on mac, in favor of rake-compile-dock darwin builds). (#29304)

Other

  • Downgrade io_bazel_rules_go to v0.27.0 to restore Bazel 3.x support. (#29596)

v1.46.5

This is release 1.46.5 (golazo) of gRPC Core.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

All

  • Update protobuf to v3.19.5 on v1.46.x. (#31032)

Core

  • Backport to 1.46.x: priority and ring_hash LBs: fix interactions when using ring_hash under priority (#29332). (#30253)
  • Backport to v1.46.x: ring hash: fix picker propagation bug in xds_cluster_manager policy (#29959). (#30254)

C#

  • Fix client resource leaks (issues 8451 and 28153). (#30290)

v1.46.3

This is release gRPC Core 1.46.3 (golazo).

This release contains refinements, improvements, and bug fixes.

Core

  • backport: xds: use federation env var to guard new-style resource name parsing (#29725). (#29727)

v1.46.1

This is release gRPC Core 1.46.1 (golazo).

This release contains refinements, improvements, and bug fixes.

v1.46.0

This is release 1.46.0 (golazo) of gRPC Core.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Announcement

gRPC C++ 1.46 will be the last release supporting C++11; future releases will require C++ >= 14. We plan to backport critical (P0) bugs and security fixes to this release for a year, that is, until 2023-06-01. This change won't bump the major version of gRPC since this doesn't introduce API changes. Hence, the next version requiring C++14 will be 1.47 (context).

Core

  • Ignore Connection Aborted errors on accept. (#29318)
  • Filter content-length metadata from the application. (#29295)
  • RetryFilter: Cleanup pending byte stream. (#29245)
  • HTTP Proxy: Ignore empty entry in no_proxy list. (#29217)
  • Adding http/1.1 support in httpcli. (#29238)
  • HTTP2: Initiate write for acknowledging SETTINGS frame. (#29218)
  • Change the unsupported polling strategy log for forking to GPR_INFO. (#29232)
  • Handle SSL_ERROR_WANT_WRITE error. (#29176)
  • TCP Async Connect: Fix Heap use-after-free. (#29209)
  • HTTP2: Add graceful goaway. (#29050)
  • Remove epollex poller. (#29160)
  • TlsCredentials: Comparator implementation. (#28940)
  • Decrease verbosity of alts handshaker logs which can happen during cancellation. (#29058)
  • HTTP2: Should not run cancelling logic on servers when receiving GOAWAY. (#29067)
  • HTTP2: Don't throttle pings from the server. (#29053)
  • Include ADS stream error in XDS error updates. (#29014)
  • Remove idempotent/cacheable requests. (#28922)

C++

  • Add bazel cpp distribtest for grpc_cc_library. (#29175)

C#

  • Add support for grpc-dotnet in GKE benchmarks. (#28975)
  • Sync unary call after shutdown: Add a repro and fix for #19090. (#23003)
  • Remove C# Legacy (a.k.a. "Classic") csproj example. (#29102)

Python

  • Add Python GCF Distribtest. (#29303)
  • Add Python Reflection Client. (#29085)
  • Revert "Fix prefork handler register's default behavior". (#29229)
  • Fix prefork handler register's default behavior. (#29103)
  • Fix fetching CXX variable in setup.py. (#28873)

Ruby

  • Support pre-built binaries for Ruby 3.1. (#29000)
  • Make sure to always receive initial metadata in ruby. (#29155)

v1.45.0

This is release 1.45.0 (gravity) of gRPC Core.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • Backport "Include ADS stream error in XDS error updates (#29014)" to 1.45.x. (#29121)
  • Bump core version to 23.0.0 for upcoming release. (#29026)
  • Fix memory leak in HTTP request security handshake cancellation. (#28971)
  • CompositeChannelCredentials: Comparator implementation. (#28902)
  • Delete custom iomgr. (#28816)
  • Implement transparent retries. (#28548)
  • Uniquify channel args keys. (#28799)
  • Set trailing_metadata_available for recv_initial_metadata ops when generating a fake status. (#28827)
  • Eliminate gRPC insecure build. (#25586)
  • Fix for a racy WorkSerializer shutdown. (#28769)
  • InsecureCredentials: singleton object. (#28777)
  • Add http cancel api. (#28354)
  • Memory leak fix on windows in grpc_tcp_create(). (#27457)
  • xDS: Rbac filter updates. (#28568)

C++

  • Bump the minimum gcc to 5. (#28786)
  • Add experimental API for CRL checking support to gRPC C++ TlsCredentials. (#28407)

C#

  • [C#] Add cancellation token overloads to streaming interfaces. (#27886)
  • [C#] Grpc.Core.Api nullable fixes. (#28616)

Objective-C

  • Patch GRPCCallOptions to use nonatomic properties. (#28972)

Python

  • Reimplement Gevent Integration. (#28276)
  • Support musllinux binary wheels on x64 and x86. (#28092)
  • Increase the Python protobuf requirement to >=3.12.0. (#28604)

v1.44.0

This is release 1.44.0 (great) of gRPC Core.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • xDS: Rbac filter updates (#28568). (#28608)
  • Fix xDS client for multiple watchers. (#28521)
  • bump C-core version for upcoming release. (#28527)
  • Add a trace to list which filters are contained in a channel stack. (#28530)
  • Remove grpc_httpcli_context. (#27867)
  • xDS: Add support for RBAC HTTP filter. (#28309)
  • API to cancel grpc_resolve_address. (#27883)
  • Replace work serializer with a mutex in c-ares resolver. (#27858)
  • xDS: Add graceful shutdown for old connections on listener resource update. (#28154)

C++

  • Promote ClientContext::set_wait_for_ready to be non-experimental. (#28247)

C#

  • Only apply "singleplatform" nuget suffix when actually needed. (#28677)
  • [C#] Add ConfigureAwait to AsyncUnaryCall and AsyncClientStreamingCall. (#28235)

Python

  • Add python async example for hellostreamingworld using generator. (#27343)
  • Disable __wrap_memcpy hack for Python builds. (#28410)
  • Bump Bazel Python Cython dependency to 0.29.26. (#28398)
  • Fix libatomic linking on Raspberry Pi OS Bullseye. (#28041)
  • Allow generated proto sources in remote repositories for py_proto_library. (#28103)

Ruby

  • Remove ruby 2.4 support. (#28522)
  • Add an env var to override make parallelism in ruby build. (#28250)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update dependency grpcio to v1.53.2 [SECURITY] Update dependency grpcio to v1.53.2 [SECURITY] - autoclosed Aug 6, 2024
@renovate renovate bot closed this Aug 6, 2024
@renovate renovate bot deleted the renovate/pypi-grpcio-vulnerability branch August 6, 2024 09:47