Upgrade netty to 4.1.127.Final

And netty-tcnative to 2.0.74.Final. Removes CVE-2025-58057 from security reports.

Author: ZachChuba

MODULE.bazel

@@ -23,20 +23,20 @@ IO_GRPC_GRPC_JAVA_ARTIFACTS = [
     "com.google.truth:truth:1.4.2",
     "com.squareup.okhttp:okhttp:2.7.5",
     "com.squareup.okio:okio:2.10.0",  # 3.0+ needs swapping to -jvm; need work to avoid flag-day
-    "io.netty:netty-buffer:4.1.124.Final",
-    "io.netty:netty-codec-http2:4.1.124.Final",
-    "io.netty:netty-codec-http:4.1.124.Final",
-    "io.netty:netty-codec-socks:4.1.124.Final",
-    "io.netty:netty-codec:4.1.124.Final",
-    "io.netty:netty-common:4.1.124.Final",
-    "io.netty:netty-handler-proxy:4.1.124.Final",
-    "io.netty:netty-handler:4.1.124.Final",
-    "io.netty:netty-resolver:4.1.124.Final",
-    "io.netty:netty-tcnative-boringssl-static:2.0.70.Final",
-    "io.netty:netty-tcnative-classes:2.0.70.Final",
-    "io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.124.Final",
-    "io.netty:netty-transport-native-unix-common:4.1.124.Final",
-    "io.netty:netty-transport:4.1.124.Final",
+    "io.netty:netty-buffer:4.1.127.Final",
+    "io.netty:netty-codec-http2:4.1.127.Final",
+    "io.netty:netty-codec-http:4.1.127.Final",
+    "io.netty:netty-codec-socks:4.1.127.Final",
+    "io.netty:netty-codec:4.1.127.Final",
+    "io.netty:netty-common:4.1.127.Final",
+    "io.netty:netty-handler-proxy:4.1.127.Final",
+    "io.netty:netty-handler:4.1.127.Final",
+    "io.netty:netty-resolver:4.1.127.Final",
+    "io.netty:netty-tcnative-boringssl-static:2.0.74.Final",
+    "io.netty:netty-tcnative-classes:2.0.74.Final",
+    "io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.127.Final",
+    "io.netty:netty-transport-native-unix-common:4.1.127.Final",
+    "io.netty:netty-transport:4.1.127.Final",
     "io.opencensus:opencensus-api:0.31.0",
     "io.opencensus:opencensus-contrib-grpc-metrics:0.31.0",
     "io.perfmark:perfmark-api:0.27.0",

SECURITY.md

@@ -397,7 +397,8 @@ grpc-netty version | netty-handler version | netty-tcnative-boringssl-static ver
 1.60.x-1.66.x      | 4.1.100.Final         | 2.0.61.Final
 1.67.x-1.70.x      | 4.1.110.Final         | 2.0.65.Final
 1.71.x-1.74.x      | 4.1.110.Final         | 2.0.70.Final
-1.75.x-            | 4.1.124.Final         | 2.0.72.Final
+1.75.x-1.76.x      | 4.1.124.Final         | 2.0.72.Final
+1.77.x-            | 4.1.127.Final         | 2.0.74.Final
 
 _(grpc-netty-shaded avoids issues with keeping these versions in sync.)_
 

gradle/libs.versions.toml

@@ -1,8 +1,8 @@
 [versions]
-netty = '4.1.124.Final'
+netty = '4.1.127.Final'
 # Keep the following references of tcnative version in sync whenever it's updated:
 #   SECURITY.md
-nettytcnative = '2.0.72.Final'
+nettytcnative = '2.0.74.Final'
 opencensus = "0.31.1"
 # Not upgrading to 4.x as it is not yet ABI compatible.
 # https://github.com/protocolbuffers/protobuf/issues/17247

repositories.bzl

@@ -27,20 +27,20 @@ IO_GRPC_GRPC_JAVA_ARTIFACTS = [
     "com.google.truth:truth:1.4.2",
     "com.squareup.okhttp:okhttp:2.7.5",
     "com.squareup.okio:okio:2.10.0",  # 3.0+ needs swapping to -jvm; need work to avoid flag-day
-    "io.netty:netty-buffer:4.1.124.Final",
-    "io.netty:netty-codec-http2:4.1.124.Final",
-    "io.netty:netty-codec-http:4.1.124.Final",
-    "io.netty:netty-codec-socks:4.1.124.Final",
-    "io.netty:netty-codec:4.1.124.Final",
-    "io.netty:netty-common:4.1.124.Final",
-    "io.netty:netty-handler-proxy:4.1.124.Final",
-    "io.netty:netty-handler:4.1.124.Final",
-    "io.netty:netty-resolver:4.1.124.Final",
-    "io.netty:netty-tcnative-boringssl-static:2.0.70.Final",
-    "io.netty:netty-tcnative-classes:2.0.70.Final",
-    "io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.124.Final",
-    "io.netty:netty-transport-native-unix-common:4.1.124.Final",
-    "io.netty:netty-transport:4.1.124.Final",
+    "io.netty:netty-buffer:4.1.127.Final",
+    "io.netty:netty-codec-http2:4.1.127.Final",
+    "io.netty:netty-codec-http:4.1.127.Final",
+    "io.netty:netty-codec-socks:4.1.127.Final",
+    "io.netty:netty-codec:4.1.127.Final",
+    "io.netty:netty-common:4.1.127.Final",
+    "io.netty:netty-handler-proxy:4.1.127.Final",
+    "io.netty:netty-handler:4.1.127.Final",
+    "io.netty:netty-resolver:4.1.127.Final",
+    "io.netty:netty-tcnative-boringssl-static:2.0.74.Final",
+    "io.netty:netty-tcnative-classes:2.0.74.Final",
+    "io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.127.Final",
+    "io.netty:netty-transport-native-unix-common:4.1.127.Final",
+    "io.netty:netty-transport:4.1.127.Final",
     "io.opencensus:opencensus-api:0.31.0",
     "io.opencensus:opencensus-contrib-grpc-metrics:0.31.0",
     "io.perfmark:perfmark-api:0.27.0",