googleapis / env-tests-logging

Apache License 2.0

fix(deps): update module google.golang.org/grpc to v1.53.0 [security] - autoclosed #102

Closed renovate-bot closed 1 year ago

renovate-bot commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| google.golang.org/grpc | require | minor | v1.48.0 -> v1.53.0 |

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-32731

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/32309


Release Notes

grpc/grpc-go (google.golang.org/grpc)

### [`v1.53.0`](https://togithub.com/grpc/grpc-go/releases/tag/v1.53.0): Release 1.53.0

[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.52.3...v1.53.0)

### API Changes

- balancer: support injection of per-call metadata from LB policies ([#5853](https://togithub.com/grpc/grpc-go/issues/5853))
- resolver: remove deprecated field `resolver.Target.Endpoint` and replace with `resolver.Target.Endpoint()` ([#5852](https://togithub.com/grpc/grpc-go/issues/5852))
  - Special Thanks: [@kylejb](https://togithub.com/kylejb)

### New Features

- xds/ringhash: introduce `GRPC_RING_HASH_CAP` environment variable to override the maximum ring size. ([#5884](https://togithub.com/grpc/grpc-go/issues/5884))
- rls: propagate headers received in RLS response to backends ([#5883](https://togithub.com/grpc/grpc-go/issues/5883))

### Bug Fixes

- transport: drain client transport when streamID approaches MaxStreamID ([#5889](https://togithub.com/grpc/grpc-go/issues/5889))
- server: after GracefulStop, ensure connections are closed when final RPC completes ([#5968](https://togithub.com/grpc/grpc-go/issues/5968))
- server: fix a few issues where grpc server uses RST_STREAM for non-HTTP/2 errors ([#5893](https://togithub.com/grpc/grpc-go/issues/5893))
- xdsclient: fix race which can happen when multiple load reporting calls are made at the same time. ([#5927](https://togithub.com/grpc/grpc-go/issues/5927))
- rls: fix a data race involving the LRU cache ([#5925](https://togithub.com/grpc/grpc-go/issues/5925))
- xds: fix panic involving double close of channel in xDS transport ([#5959](https://togithub.com/grpc/grpc-go/issues/5959))
- gcp/observability: update method name validation ([#5951](https://togithub.com/grpc/grpc-go/issues/5951))

### Documentation

- credentials/oauth: mark `NewOauthAccess` as deprecated ([#5882](https://togithub.com/grpc/grpc-go/issues/5882))
  - Special Thanks: [@buzzsurfr](https://togithub.com/buzzsurfr)

### [`v1.52.3`](https://togithub.com/grpc/grpc-go/releases/tag/v1.52.3): Release 1.52.3

[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.52.1...v1.52.3)

### Bug Fixes

- Fix user-agent version

### [`v1.52.1`](https://togithub.com/grpc/grpc-go/releases/tag/v1.52.1): Release 1.52.1

[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.52.0...v1.52.1)

### Bug Fixes

- grpclb: rename grpclbstate package back to state ([#5963](https://togithub.com/grpc/grpc-go/issues/5963))

### [`v1.52.0`](https://togithub.com/grpc/grpc-go/releases/tag/v1.52.0): Release 1.52.0

[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.51.0...v1.52.0)

### New Features

- xdsclient: log node ID with verbosity INFO ([#5860](https://togithub.com/grpc/grpc-go/issues/5860))
- ringhash: impose cap on `max_ring_size` to reduce possibility of OOMs ([#5801](https://togithub.com/grpc/grpc-go/issues/5801))

### Behavior Changes

- client: return an error from `Dial` if an empty target is passed and no custom dialer is present; the ClientConn would otherwise be unable to connect and perform RPCs ([#5732](https://togithub.com/grpc/grpc-go/issues/5732))
  - Special Thanks: [@huangchong94](https://togithub.com/huangchong94)

### Bug Fixes

- transport (net/http server handler): respond to bad HTTP requests with status 400 (Bad Request) instead of 500 (Internal Server Error). ([#5804](https://togithub.com/grpc/grpc-go/issues/5804))
  - Special Thanks: [@sjbarag](https://togithub.com/sjbarag)
- transport: Fixed closing a closed channel panic in handlePing ([#5854](https://togithub.com/grpc/grpc-go/issues/5854))
- server: fix ChainUnaryInterceptor and ChainStreamInterceptor to allow retrying handlers ([#5666](https://togithub.com/grpc/grpc-go/issues/5666))
  - Special Thanks: [@yiminc](https://togithub.com/yiminc)
- transport: ensure value of `:authority` header matches server name used in TLS handshake when the latter is overridden by the name resolver ([#5748](https://togithub.com/grpc/grpc-go/issues/5748))
  - Special Thanks: [@holdno](https://togithub.com/holdno)

### Documentation

- examples: add an example to illustrate the usage of stats handler ([#5657](https://togithub.com/grpc/grpc-go/issues/5657))
  - Special Thanks: [@Yash-Handa](https://togithub.com/Yash-Handa)
- examples: add new example to show updating metadata in interceptors ([#5788](https://togithub.com/grpc/grpc-go/issues/5788))
  - Special Thanks: [@richzw](https://togithub.com/richzw)

### [`v1.51.0`](https://togithub.com/grpc/grpc-go/releases/tag/v1.51.0): Release 1.51.0

[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.50.1...v1.51.0)

### Behavior Changes

- xds: NACK EDS resources with duplicate addresses in accordance with a recent spec change ([#5715](https://togithub.com/grpc/grpc-go/issues/5715))
  - Special Thanks: [@erni27](https://togithub.com/erni27)
- grpc: restrict status codes that can be generated by the control plane (gRFC A54) ([#5653](https://togithub.com/grpc/grpc-go/issues/5653))

### New Features

- client: set grpc-accept-encoding header with all registered compressors ([#5541](https://togithub.com/grpc/grpc-go/issues/5541))
  - Special Thanks: [@jronak](https://togithub.com/jronak)
- xds/weightedtarget: return a more meaningful error when all child policies are in `TRANSIENT_FAILURE` ([#5711](https://togithub.com/grpc/grpc-go/issues/5711))
- gcp/observability: add "started rpcs" metric ([#5768](https://togithub.com/grpc/grpc-go/issues/5768))
- xds: de-experimentalize the google-c2p-resolver ([#5707](https://togithub.com/grpc/grpc-go/issues/5707))
- balancer: add experimental Producer types and methods ([#5669](https://togithub.com/grpc/grpc-go/issues/5669))
- orca: provide a way for LB policies to receive OOB load reports ([#5669](https://togithub.com/grpc/grpc-go/issues/5669))

### Bug Fixes

- go.mod: upgrade x/text dependency to address [CVE 2022-32149](https://www.cve.org/CVERecord?id=CVE-2022-32149) ([#5769](https://togithub.com/grpc/grpc-go/issues/5769))
- client: fix race that could lead to an incorrect connection state if it was closed immediately after the server's HTTP/2 preface was received ([#5714](https://togithub.com/grpc/grpc-go/issues/5714))
  - Special Thanks: [@fuweid](https://togithub.com/fuweid)
- xds: ensure sum of the weights of all EDS localities at the same priority level does not exceed uint32 max ([#5703](https://togithub.com/grpc/grpc-go/issues/5703))
  - Special Thanks: [@erni27](https://togithub.com/erni27)
- client: fix binary logging bug which logs a server header on a trailers-only response ([#5763](https://togithub.com/grpc/grpc-go/issues/5763))
- balancer/priority: fix a bug where unreleased references to removed child policies (and associated state) was causing a memory leak ([#5682](https://togithub.com/grpc/grpc-go/issues/5682))
- xds/google-c2p: validate URI schema for no authorities ([#5756](https://togithub.com/grpc/grpc-go/issues/5756))

### [`v1.50.1`](https://togithub.com/grpc/grpc-go/releases/tag/v1.50.1): Release 1.50.1

[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.50.0...v1.50.1)

### New Features

- gcp/observability: support new configuration defined in public preview user guide

### [`v1.50.0`](https://togithub.com/grpc/grpc-go/releases/tag/v1.50.0): Release 1.50.0

[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.49.0...v1.50.0)

### Behavior Changes

- client: use proper "@" semantics for connecting to abstract unix sockets. ([#5678](https://togithub.com/grpc/grpc-go/issues/5678))
  - This is technically a bug fix; the result is that the address was including a trailing NULL byte, which it should not have. This may break users creating the socket in Go by prefixing a NULL instead of an "@", though, so calling it out as a behavior change.
  - Special Thanks: [@jachor](https://togithub.com/jachor)

### New Features

- metadata: add experimental `ValueFromIncomingContext` to more efficiently retrieve a single value ([#5596](https://togithub.com/grpc/grpc-go/issues/5596))
  - Special Thanks: [@horpto](https://togithub.com/horpto)
- stats: provide peer information in `HandleConn` context ([#5589](https://togithub.com/grpc/grpc-go/issues/5589))
  - Special Thanks: [@feihu-stripe](https://togithub.com/feihu-stripe)
- xds: add support for Outlier Detection, enabled by default ([#5435](https://togithub.com/grpc/grpc-go/issues/5435), [#5673](https://togithub.com/grpc/grpc-go/issues/5673))

### Bug Fixes

- client: fix deadlock in transport caused by GOAWAY racing with stream creation ([#5652](https://togithub.com/grpc/grpc-go/issues/5652))
  - This should only occur with an HTTP/2 server that does not follow best practices of an advisory GOAWAY (not a grpc-go server).
- xds/xdsclient: fix a bug which was causing routes with `cluster_specifier_plugin` set to be NACKed when GRPC_EXPERIMENTAL_XDS_RLS_LB was off ([#5670](https://togithub.com/grpc/grpc-go/issues/5670))
- xds/xdsclient: NACK cluster resource if `config_source_specifier` in `lrs_server` is not `self` ([#5613](https://togithub.com/grpc/grpc-go/issues/5613))
- xds/ringhash: fix a bug which sometimes prevents the LB policy from retrying connection attempts ([#5601](https://togithub.com/grpc/grpc-go/issues/5601))
- xds/ringhash: do nothing when asked to exit `IDLE` instead of falling back on the default channel behavior of connecting to all addresses ([#5614](https://togithub.com/grpc/grpc-go/issues/5614))
- xds/rls: fix a bug which was causing the channel to be stuck in `IDLE` ([#5656](https://togithub.com/grpc/grpc-go/issues/5656))
- alts: fix a bug which was setting `WaitForReady` on handshaker service RPCs, thereby delaying fallback when required ([#5620](https://togithub.com/grpc/grpc-go/issues/5620))
- gcp/observability: fix End() to cleanup global state correctly ([#5623](https://togithub.com/grpc/grpc-go/issues/5623))

### [`v1.49.0`](https://togithub.com/grpc/grpc-go/releases/tag/v1.49.0): Release 1.49.0

[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.48.0...v1.49.0)

### New Features

- gcp/observability: add support for Environment Variable `GRPC_CONFIG_OBSERVABILITY_JSON` ([#5525](https://togithub.com/grpc/grpc-go/issues/5525))
- gcp/observability: add support for custom tags ([#5565](https://togithub.com/grpc/grpc-go/issues/5565))

### Behavior Changes

- server: reduce log level from Warning to Info for early connection establishment errors ([#5524](https://togithub.com/grpc/grpc-go/issues/5524))
  - Special Thanks: [@jpkrohling](https://togithub.com/jpkrohling)

### Bug Fixes

- client: fix race in flow control that could lead to unexpected EOF errors ([#5494](https://togithub.com/grpc/grpc-go/issues/5494))
- client: fix a race that could cause RPCs to time out instead of failing more quickly with UNAVAILABLE ([#5503](https://togithub.com/grpc/grpc-go/issues/5503))
- client & server: fix a panic caused by passing a `nil` stats handler to `grpc.WithStatsHandler` or `grpc.StatsHandler` ([#5543](https://togithub.com/grpc/grpc-go/issues/5543))
- transport/server: fix a race that could cause a stray header to be sent ([#5513](https://togithub.com/grpc/grpc-go/issues/5513))
- balancer: give precedence to `IDLE` over `TRANSIENT_FAILURE` when aggregating connectivity state ([#5473](https://togithub.com/grpc/grpc-go/issues/5473))
- xds/xdsclient: request correct resource name when user specifies a new style resource name with empty authority ([#5488](https://togithub.com/grpc/grpc-go/issues/5488))
- xds/xdsclient: NACK endpoint resources with zero weight ([#5560](https://togithub.com/grpc/grpc-go/issues/5560))
- xds/xdsclient: fix bug that would reset resource version information after ADS stream restart ([#5422](https://togithub.com/grpc/grpc-go/issues/5422))
- xds/xdsclient: fix goroutine leaks when load reporting is enabled ([#5505](https://togithub.com/grpc/grpc-go/issues/5505))
- xds/ringhash: fix config update processing to recreate ring and picker when min/max ring size changes ([#5557](https://togithub.com/grpc/grpc-go/issues/5557))
- xds/ringhash: avoid recreating subChannels when update doesn't change address weight information ([#5431](https://togithub.com/grpc/grpc-go/issues/5431))
- xds/priority: fix bug which could cause priority LB to block all traffic after a config update ([#5549](https://togithub.com/grpc/grpc-go/issues/5549))
- xds: fix bug when environment variable `GRPC_EXPERIMENTAL_ENABLE_OUTLIER_DETECTION` is set to true ([#5537](https://togithub.com/grpc/grpc-go/issues/5537))

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

forking-renovate[bot] commented 1 year ago

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: deployable/go/go.sum
Command failed: docker run --rm --name=renovate_a_sidecar --label=renovate_a_child -v "/tmp/worker/334b71/405f12/repos/github/googleapis/env-tests-logging":"/tmp/worker/334b71/405f12/repos/github/googleapis/env-tests-logging" -v "/tmp/worker/334b71/405f12/cache":"/tmp/worker/334b71/405f12/cache" -e GOPATH -e GOPROXY -e GOSUMDB -e GOFLAGS -e CGO_ENABLED -e GIT_CONFIG_KEY_0 -e GIT_CONFIG_VALUE_0 -e GIT_CONFIG_KEY_1 -e GIT_CONFIG_VALUE_1 -e GIT_CONFIG_KEY_2 -e GIT_CONFIG_VALUE_2 -e GIT_CONFIG_COUNT -e BUILDPACK_CACHE_DIR -e CONTAINERBASE_CACHE_DIR -w "/tmp/worker/334b71/405f12/repos/github/googleapis/env-tests-logging/deployable/go" ghcr.io/containerbase/sidecar bash -l -c "install-tool golang 1.20.5 && go get -d -t ./..."
go: cloud.google.com/go/logging@v1.4.0 (replaced by ./logging): reading logging/go.mod: open /tmp/worker/334b71/405f12/repos/github/googleapis/env-tests-logging/deployable/go/logging/go.mod: no such file or directory