build(deps): bump grpc-bom from 1.21.1 to 1.48.0

[dependabot]

Bumps grpc-bom from 1.21.1 to 1.48.0.

Release notes

Sourced from grpc-bom's releases.

v1.47.0

Bug Fixes

• api: Ignore ClassCastExceptions for hard-coded providers on Android (#9174). This avoids ServiceConfigurationError in certain cases when an “SDK” includes a copy of gRPC that was renamed with Proguard-like tools that do precise class name rewriting (versus something like Maven Shade Plugin which uses coarse pattern matching)
• binder: respect requested message limits when provide received messages to listener (#9163)
• binder: Avoid an ISE from asAndroidAppUri() (#9169)
• okhttp: Use the user-provided ScheduledExecutorService for keepalive if provided. Previously the user-provided executor was used for deadlines, but not keepalive. Keepalive always used the default executor (#9073)
• bom: Reverted “bom: Removed protoc-gen-grpc-java from the BOM” in v1.46.0. There was a way to use it with Gradle (#9154)
• build: fix grpc-java build against protobuf 3.21 (#9218)
• grpclb: Adds missing META-INF resources to libgrpclb.jar produced by bazel //grpclb:grpclb target (#9156)
• xds: Protect xdstp processing with federation env var. If the xds server uses xdstp:// resource names it was possible for federation code paths to be entered even without enabling the experimental federation support. This is now fixed and it is safe for xds servers to use xdstp:// resource names. (#9190)
• xds: fix bugs in ring-hash load balancer picking subchannel behavior per gRFC. The bug may cause connection not failing over from TRANSIENT_FAILURE status. (#9085)
• xds: NACK EDS resources with duplicate localities in the same priority (#9119)

New Features

• api: Add connection management APIs to ServerBuilder (#9176). This includes methods for keepalive, max connection age, and max connection idle. These APIs have been available on NettyServerBuilder since v1.4.0
• api: allow NameResolver to influence which transport to use (#9076)
• api: New API in ServerCall to expose SecurityLevel on server-side (#8943)
• netty: Add NameResolver for unix: scheme, as defined in gRPC Name Resolution (#9113)
• binder: add allOf security policy, which allows access iff ALL given security policies allow access. (#9125)
• binder: add anyOf security policy, which allows access if ANY given security policy allows access. (#9147)
• binder: add hasPermissions security policy, which checks that a caller has all of the given package permissions. (#9117)
• build: Add Bazel build support for xds, googleapis, rls, and services. grpc-services previously had partial bazel support, but some parts were missing. These artifacts are now configured via IO_GRPC_GRPC_JAVA_OVERRIDE_TARGETS so maven_install will not use the artifacts from Maven Central (#9172)
• xds: New ability to configure custom load balancer implementations via the xDS Cluster.load_balancing_policy field. This implements gRFC A52: gRPC xDS Custom Load Balancer Configuration. (#9141)
• xds, orca: add support for custom backend metrics reporting: allow setting metrics at gRPC server and consuming metrics reports from a custom load balancing policy at the client. This implements gRFC A51: Custom Backend Metrics Support.
• xds: include node ID in RPC failure status messages from the XdsClient (#9099)
• xds: support for the is_optional logic in Cluster Specifier Plugins: if an unsupported Cluster Specifier Plugin is optional, don't NACK, and skip any routes that point to it. (#9168)

Behavior Changes

• xds: Allow unspecified listener traffic direction, to match other languages and to work with Istio (#9173)
• xds: change priority load balancer failover time behavior and ring_hash LB aggregation rule to better handle transient_failure channel status (#9084, #9093)

Dependencies

• Bump GSON to 2.9.0. Earlier versions of GSON are affected by CVE-2022-25647. gRPC was not impacted by the vulnerability. (#9215)
• gcp-observability: add grpc-census as a dependency and update opencensus version (#9140)

Acknowledgements

@​caseyduquettesc @​cfredri4 @​jvolkman @​mirlord @​ovidiutirla

v1.46.0

Bug Fixes

• netty: Fixed incompatibility with Netty 4.1.75.Final that caused COMPRESSION_ERROR (#9004)
• xds: Fix LBs blindly propagating control plane errors (#9012). This change forces the use of UNAVAILABLE for any xDS communication failures, which otherwise could greatly confuse an application. This is essentially a continuation of the fix in 1.45.0 for XdsNameResolver, but for other similar cases
• xds: Fix ring_hash reconnecting behavior. Previously a TRANSIENT_FAILURE subchannel would remain failed forever
• xds: Fix ring_hash defeating priority’s failover connection timeout. grpc/proposal#296
• binder: Work around an Android Intent bug for consistent AndroidComponentAndress hashCode() and equals() (#9061)
• binder: Fix deadlock when using process-local Binder (#8987). Process-local binder has a different threading model than normal FLAG_ONEWAY, so this case is now detected and the FLAG_ONEWAY threading model is emulated

... (truncated)

Commits

• ed58a2c Bump version to 1.48.0
• 6ffba86 Update README etc to reference 1.48.0
• 3f47a6e buildscripts: Fix kube contexts in the xds LB tests (#9389)
• 826a7c9 Revert "Fix for ipv6 link local with scope (#9326)"
• 5991239 interop-testing: Hack runtimeOnly deps to be available at runtime (1.48.x bac...
• fb2d5cf xds: implement ignore_resource_deletion server feature (#9339)
• bdc27cd Service config parse failures should be UNAVAILABLE
• 258ac60 Bump Bazel deps missed in fb314d3
• 97b6a65 Bump versions for assorted dependencies
• 0b3a0b4 Fix for ipv6 link local with scope (#9326)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[viezly]

Pull request by bot. No need to analyze

[dependabot]

Superseded by #250.