switch to grpc-netty-shaded #21470

Draft
wants to merge 2 commits into
base: main
remyhaemmerle-da
Collaborator

@remyhaemmerle-da remyhaemmerle-da requested a review from a team as a code owner July 4, 2025 06:57
@adrien-piquerez-da
Contributor

adrien-piquerez-da commented Jul 8, 2025

What's the motivation for this? Do we have any conflict at the moment or is this a quality of life improvement?

Also, do we know how big grpc-netty-shaded is compared to grpc-netty?

@remyhaemmerle-da
Collaborator Author

remyhaemmerle-da commented Jul 9, 2025

This switch to grpc-netty-shaded is a proactive quality-of-life improvement to prevent dependency conflicts. It isolates the version of Netty that gRPC uses, avoiding potential clashes with other versions that might exist on the classpath. This prevents hard-to-debug runtime issues.

Concerning the size, we're swapping a group of smaller Netty jars for a single, larger, self-contained one, so there should be no impact.

@adrien-piquerez-da
Contributor

> Concerning the size, we're swapping a group of smaller Netty jars for a single, larger, self-contained one, so there should be no impact.

Not for us, but it has an impact for those users that use Netty, as they now need to download it twice.

@remyhaemmerle-da
Collaborator Author

remyhaemmerle-da commented Jul 10, 2025

> Not for us, but it has an impact for those users that use Netty, as they now need to download it twice.

You're right, this will impact clients that use Netty directly together with our gRPC libraries or the Java code generated.

Together with @rgugliel-da and @soren-da, we judged this trade-off was acceptable. The decision was based on two key factors:

  • It's the recommended approach.
  • This change allows clients to use a different version of Netty than the one gRPC uses. This is critical for addressing vulnerabilities. The recent CVE-2025-24970 Netty vulnerability is a perfect example. While gRPC's specific use of Netty is not affected, the client's direct use of it could be. This change empowers the client to update its own Netty dependency immediately, without being blocked waiting for a gRPC release that uses a non-vulnerable version of Netty.

@remyhaemmerle-da remyhaemmerle-da marked this pull request as draft July 10, 2025 11:33
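
An added example (not code from this pull request or the project): a Python classpath audit that tells unrelocated `io.netty` classes apart from the copy relocated under `io.grpc.netty.shaded`, which is the isolation discussed above. The jar names and version strings are constructed placeholders, and reading the version from Maven `pom.properties` is an assumption about how the jars were built.

```python
import os, tempfile, zipfile
from collections import defaultdict

UNSHADED = "io/netty/"
SHADED = "io/grpc/netty/shaded/io/netty/"  # relocation prefix of grpc-netty-shaded

def classify_jar(path):
    """Return (has_unshaded, has_shaded, versions) for one jar file."""
    unshaded, shaded, versions = False, False, set()
    with zipfile.ZipFile(path) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                shaded |= name.startswith(SHADED)
                unshaded |= name.startswith(UNSHADED)
            elif name.startswith("META-INF/maven/io.netty/") and name.endswith("/pom.properties"):
                for line in jar.read(name).decode().splitlines():
                    if line.startswith("version="):
                        versions.add(line.split("=", 1)[1].strip())
    return unshaded, shaded, versions

def audit_classpath(jars):
    """Group jars by how they put Netty classes on the classpath."""
    by_version, shaded_jars = defaultdict(list), []
    for path in jars:
        unshaded, shaded, versions = classify_jar(path)
        if shaded:
            shaded_jars.append(os.path.basename(path))
        if unshaded:
            for version in sorted(versions) or ["unknown"]:
                by_version[version].append(os.path.basename(path))
    # More than one unrelocated Netty version is the clash shading avoids.
    return {"unshaded": dict(by_version), "shaded": shaded_jars, "conflict": len(by_version) > 1}

def make_jar(directory, name, entries):
    path = os.path.join(directory, name)  # constructed jar: a zip with the given entries
    with zipfile.ZipFile(path, "w") as jar:
        for entry, data in entries.items():
            jar.writestr(entry, data)
    return path

def demo():
    """Constructed classpaths: before (grpc-netty) and after (grpc-netty-shaded)."""
    pom = "META-INF/maven/io.netty/netty-handler/pom.properties"
    cls = "io/netty/handler/ssl/SslHandler.class"
    with tempfile.TemporaryDirectory() as d:
        client = make_jar(d, "client-netty-handler.jar", {cls: b"", pom: "version=CLIENT-VERSION\n"})
        grpc_dep = make_jar(d, "grpc-transitive-netty-handler.jar", {cls: b"", pom: "version=GRPC-VERSION\n"})
        shaded = make_jar(d, "grpc-netty-shaded.jar", {SHADED + "handler/ssl/SslHandler.class": b""})
        return audit_classpath([client, grpc_dep]), audit_classpath([client, shaded])
```

On a real build, pass the resolved runtime classpath jars to `audit_classpath`; the only unrelocated Netty version reported after the switch should be the one the client declares itself.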