fix(deps): update module google.golang.org/grpc to v1.53.0 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
google.golang.org/grpc	require	minor	v1.42.0 -> v1.53.0

GitHub Vulnerability Alerts

CVE-2023-32731

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in  https://github.com/grpc/grpc/pull/32309

---

Release Notes

grpc/grpc-go (google.golang.org/grpc)

v1.53.0: Release 1.53.0

Compare Source

API Changes

• balancer: support injection of per-call metadata from LB policies (#​5853)
• resolver: remove deprecated field resolver.Target.Endpoint and replace with resolver.Target.Endpoint() (#​5852)
  • Special Thanks: @​kylejb

New Features

• xds/ringhash: introduce GRPC_RING_HASH_CAP environment variable to override the maximum ring size. (#​5884)
• rls: propagate headers received in RLS response to backends (#​5883)

Bug Fixes

• transport: drain client transport when streamID approaches MaxStreamID (#​5889)
• server: after GracefulStop, ensure connections are closed when final RPC completes (#​5968)
• server: fix a few issues where grpc server uses RST_STREAM for non-HTTP/2 errors (#​5893)
• xdsclient: fix race which can happen when multiple load reporting calls are made at the same time. (#​5927)
• rls: fix a data race involving the LRU cache (#​5925)
• xds: fix panic involving double close of channel in xDS transport (#​5959)
• gcp/observability: update method name validation (#​5951)

Documentation

• credentials/oauth: mark NewOauthAccess as deprecated (#​5882)
  • Special Thanks: @​buzzsurfr

v1.52.3: Release 1.52.3

Compare Source

Bug Fixes

• Fix user-agent version

v1.52.1: Release 1.52.1

Compare Source

Bug Fixes

• grpclb: rename grpclbstate package back to state (#​5963)

v1.52.0: Release 1.52.0

Compare Source

New Features

• xdsclient: log node ID with verbosity INFO (#​5860)
• ringhash: impose cap on max_ring_size to reduce possibility of OOMs (#​5801)

Behavior Changes

• client: return an error from Dial if an empty target is passed and no custom dialer is present; the ClientConn would otherwise be unable to connect and perform RPCs (#​5732)
  • Special Thanks: @​huangchong94

Bug Fixes

• transport (net/http server handler): respond to bad HTTP requests with status 400 (Bad Request) instead of 500 (Internal Server Error). (#​5804)
  • Special Thanks: @​sjbarag
• transport: Fixed closing a closed channel panic in handlePing (#​5854)
• server: fix ChainUnaryInterceptor and ChainStreamInterceptor to allow retrying handlers (#​5666)
  • Special Thanks: @​yiminc
• transport: ensure value of :authority header matches server name used in TLS handshake when the latter is overridden by the name resolver (#​5748)
  • Special Thanks: @​holdno

Documentation

• examples: add an example to illustrate the usage of stats handler (#​5657)
  • Special Thanks: @​Yash-Handa
• examples: add new example to show updating metadata in interceptors (#​5788)
  • Special Thanks: @​richzw

v1.51.0: Release 1.51.0

Compare Source

Behavior Changes

• xds: NACK EDS resources with duplicate addresses in accordance with a recent spec change (#​5715)
  • Special Thanks: @​erni27
• grpc: restrict status codes that can be generated by the control plane (gRFC A54) (#​5653)

New Features

• client: set grpc-accept-encoding header with all registered compressors (#​5541)
  • Special Thanks: @​jronak
• xds/weightedtarget: return a more meaningful error when all child policies are in TRANSIENT_FAILURE (#​5711)
• gcp/observability: add "started rpcs" metric (#​5768)
• xds: de-experimentalize the google-c2p-resolver (#​5707)
• balancer: add experimental Producer types and methods (#​5669)
• orca: provide a way for LB policies to receive OOB load reports (#​5669)

Bug Fixes

• go.mod: upgrade x/text dependency to address CVE 2022-32149 (#​5769)
• client: fix race that could lead to an incorrect connection state if it was closed immediately after the server's HTTP/2 preface was received (#​5714)
  • Special Thanks: @​fuweid
• xds: ensure sum of the weights of all EDS localities at the same priority level does not exceed uint32 max (#​5703)
  • Special Thanks: @​erni27
• client: fix binary logging bug which logs a server header on a trailers-only response (#​5763)
• balancer/priority: fix a bug where unreleased references to removed child policies (and associated state) was causing a memory leak (#​5682)
• xds/google-c2p: validate URI schema for no authorities (#​5756)

v1.50.1: Release 1.50.1

Compare Source

New Features

• gcp/observability: support new configuration defined in public preview user guide

v1.50.0: Release 1.50.0

Compare Source

Behavior Changes

• client: use proper "@​" semantics for connecting to abstract unix sockets. (#​5678)

  • This is technically a bug fix; the result is that the address was including a trailing NULL byte, which it should not have. This may break users creating the socket in Go by prefixing a NULL instead of an "@​", though, so calling it out as a behavior change.
  • Special Thanks: @​jachor

New Features

• metadata: add experimental ValueFromIncomingContext to more efficiently retrieve a single value (#​5596)
  • Special Thanks: @​horpto
• stats: provide peer information in HandleConn context (#​5589)
  • Special Thanks: @​feihu-stripe
• xds: add support for Outlier Detection, enabled by default (#​5435, #​5673)

Bug Fixes

• client: fix deadlock in transport caused by GOAWAY racing with stream creation (#​5652)
  • This should only occur with an HTTP/2 server that does not follow best practices of an advisory GOAWAY (not a grpc-go server).
• xds/xdsclient: fix a bug which was causing routes with cluster_specifier_plugin set to be NACKed when GRPC_EXPERIMENTAL_XDS_RLS_LB was off (#​5670)
• xds/xdsclient: NACK cluster resource if config_source_specifier in lrs_server is not self (#​5613)
• xds/ringhash: fix a bug which sometimes prevents the LB policy from retrying connection attempts (#​5601)
• xds/ringhash: do nothing when asked to exit IDLE instead of falling back on the default channel behavior of connecting to all addresses (#​5614)
• xds/rls: fix a bug which was causing the channel to be stuck in IDLE (#​5656)
• alts: fix a bug which was setting WaitForReady on handshaker service RPCs, thereby delaying fallback when required (#​5620)
• gcp/observability: fix End() to cleanup global state correctly (#​5623)

v1.49.0: Release 1.49.0

Compare Source

New Features

• gcp/observability: add support for Environment Variable GRPC_CONFIG_OBSERVABILITY_JSON (#​5525)
• gcp/observability: add support for custom tags (#​5565)

Behavior Changes

• server: reduce log level from Warning to Info for early connection establishment errors (#​5524)
  • Special Thanks: @​jpkrohling

Bug Fixes

• client: fix race in flow control that could lead to unexpected EOF errors (#​5494)
• client: fix a race that could cause RPCs to time out instead of failing more quickly with UNAVAILABLE (#​5503)
• client & server: fix a panic caused by passing a nil stats handler to grpc.WithStatsHandler or grpc.StatsHandler (#​5543)
• transport/server: fix a race that could cause a stray header to be sent (#​5513)
• balancer: give precedence to IDLE over TRANSIENT_FAILURE when aggregating connectivity state (#​5473)
• xds/xdsclient: request correct resource name when user specifies a new style resource name with empty authority (#​5488)
• xds/xdsclient: NACK endpoint resources with zero weight (#​5560)
• xds/xdsclient: fix bug that would reset resource version information after ADS stream restart (#​5422)
• xds/xdsclient: fix goroutine leaks when load reporting is enabled (#​5505)
• xds/ringhash: fix config update processing to recreate ring and picker when min/max ring size changes (#​5557)
• xds/ringhash: avoid recreating subChannels when update doesn't change address weight information (#​5431)
• xds/priority: fix bug which could cause priority LB to block all traffic after a config update (#​5549)
• xds: fix bug when environment variable GRPC_EXPERIMENTAL_ENABLE_OUTLIER_DETECTION is set to true (#​5537)

v1.48.0: Release 1.48.0

Compare Source

Bug Fixes

• xds/priority: fix bug that could prevent higher priorities from receiving config updates (#​5417)
• RLS load balancer: don't propagate the status code returned on control plane RPCs to data plane RPCs (#​5400)

New Features

• stats: add support for multiple stats handlers in a single client or server (#​5347)
• gcp/observability: add experimental OpenCensus tracing/metrics support (#​5372)
• xds: enable aggregate and logical DNS clusters by default (#​5380)
• credentials/google (for xds): support xdstp C2P cluster names (#​5399)

v1.47.0: Release 1.47.0

Compare Source

New Features

• xds: add support for RBAC metadata invert matchers (#​5345)

Bug Fixes

• client: fix a context leaked if a connection to an address is lost before it is fully established (#​5337)
  • Special Thanks: @​carzil
• client: fix potential panic during RPC retries (#​5323)
• xds/client: fix a potential concurrent map read/write in load reporting (#​5331)
• client/SubConn: do not recreate addrConn if UpdateAddresses is called with the same addresses (#​5373)
• xds/eds: resources containing duplicate localities with the same priority will be rejected (#​5303)
• server: return Canceled or DeadlineExceeded status code when writing headers to a stream that is already closed (#​5292)
  • Special Thanks: @​idiamond-stripe

Behavior Changes

• xds/priority: start the init timer when a child switches to Connecting from non-failure states (#​5334)
• server: respond with HTTP Status 405 and gRPC status INTERNAL if the method sent to server is not POST (#​5364)

Documentation

• server: clarify documentation around setting and sending headers and ServerStream errors (#​5302)

v1.46.2

Compare Source

Bug Fixes

• client: fix potential panic during RPC retries (#​5323)
• xds: fix leak of deleted CDS resources from CSDS view (#​5339)

v1.46.1

Compare Source

v1.46.0: Release 1.46.0

Compare Source

New Features

• server: Support setting TCP_USER_TIMEOUT on grpc.Server connections using keepalive.ServerParameters.Time (#​5219)
  • Special Thanks: @​bonnefoa
• client: perform graceful switching of LB policies in the ClientConn by default (#​5285)
• all: improve logging by including channelz identifier in log messages (#​5192)

API Changes

• grpc: delete WithBalancerName() API, deprecated over 4 years ago in #​1697 (#​5232)
• balancer: change BuildOptions.ChannelzParentID to an opaque identifier instead of int (#​5192)
  • Note: the balancer package is labeled as EXPERIMENTAL, and we don't believe users were using this field.

Behavior Changes

• client: change connectivity state to TransientFailure in pick_first LB policy when all addresses are removed (#​5274)
  • This is a minor change that brings grpc-go's behavior in line with the intended behavior and how C and Java behave.
• metadata: add client-side validation of HTTP-invalid metadata before attempting to send (#​4886)
  • Special Thanks: @​Patrick0308

Bug Fixes

• metadata: make a copy of the value slices in FromContext() functions so that modifications won't be made to the original copy (#​5267)
• client: handle invalid service configs by applying the default, if applicable (#​5238)
• xds: the xds client will now apply a 1 second backoff before recreating ADS or LRS streams (#​5280)

Dependencies

• Upgrade security/authorization module dependencies to https://github.com/google/cel-go v0.10.1 and others (#​5243)
  • Special Thanks: @​TristonianJones

v1.45.0: Release 1.45.0

Compare Source

Bug Fixes

• xds/clusterresolver: pass cluster name to DNS child policy to be used in creds handshake (#​5119)
• reflection: support dynamic messages (#​5180)
  • Special Thanks: @​codebutler

Performance Improvements

• wrr: improve randomWRR performance (#​5067)
  • Special Thanks: @​huangchong94

Behavior Changes

• server: convert context errors returned by service handlers to status with the correct status code (Canceled or DeadlineExceeded), instead of Unknown (#​5156)

New Features

• reflection: add NewServer(ServerOptions) for creating a reflection server with advanced customizations (#​5197)
• xds: support federation (#​5128)
• xds/resource: accept Self as LDS's RDS config source and CDS's EDS config source (#​5152)
• xds/bootstrap: add plugin system for credentials specified in bootstrap file (#​5136)

v1.44.0: Release 1.44.0

Compare Source

New Features

• balancer: add RLS load balancing policy (#​5046)
• xds: add RLS Cluster Specifier Plugin (#​5004)
• insecure: remove experimental notice (#​5069)

Bug Fixes

• internal/balancergroup: eliminate race in exitIdle (#​5012)
• authz: fix regex expression match (#​5035)

Documentation

• grpc: minor improvement on WithInsecure() document (#​5068)
  • Special Thanks: @​shitian-ni
• attributes: document that some value types (e.g. maps) must implement Equal (#​5109)
• dialoptions.go: Fix WithBlock godoc (#​5073)
  • Special Thanks: @​sgreene570
• grpclog.DepthLoggerV2: Correct comment: formats like fmt.Println (#​5038)
  • Special Thanks: @​evanj

v1.43.0: Release 1.43.0

Compare Source

API Changes

• grpc: stabilize WithConnectParams DialOption (#​4915)
  • Special Thanks: @​hypnoglow

Behavior Changes

• status: support wrapped errors in FromContextError (#​4977)
  • Special Thanks: @​bestbeforetoday
• config: remove the environment variable to disable retry support (#​4922)

New Features

• balancer: new field Authority in BuildOptions for server name to use in the authentication handshake with a remote load balancer (#​4969)

Bug Fixes

• xds/resolver: fix possible ClientConn leak upon resolver initialization failure (#​4900)
• client: fix nil panic in rare race conditions with the pick first LB policy (#​4971)
• xds: improve RPC error messages when xDS connection errors occur (#​5032, #​5054)
• transport: do not create stream object in the face of illegal stream IDs (#​4873)
  • Special Thanks: @​uds5501

Documentation

• client: clarify errors to indicate whether compressed or uncompressed messages exceeded size limits (#​4918)
  • Special Thanks: @​uds5501

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.