Bump google.golang.org/grpc from 1.76.0 to 1.77.0 #252

Merged
github-actions[bot] merged 1 commit into main from dependabot/go_modules/google.golang.org/grpc-1.77.0
Nov 18, 2025

@dependabot dependabot bot commented on behalf of github Nov 18, 2025

Bumps google.golang.org/grpc from 1.76.0 to 1.77.0.

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.77.0

API Changes

  • mem: Replace the Reader interface with a struct for better performance and maintainability. (#8669)

Behavior Changes

  • balancer/pickfirst: Remove support for the old pick_first LB policy via the environment variable GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST=false. The new pick_first has been the default since v1.71.0. (#8672)

Bug Fixes

  • xdsclient: Fix a race condition in the ADS stream implementation that could result in resource-not-found errors, causing the gRPC client channel to move to TransientFailure. (#8605)
  • client: Ignore HTTP status header for gRPC streams. (#8548)
  • client: Set a read deadline when closing a transport to prevent it from blocking indefinitely on a broken connection. (#8534)
  • client: Fix a bug where default port 443 was not automatically added to addresses without a specified port when sent to a proxy.
    • Setting environment variable GRPC_EXPERIMENTAL_ENABLE_DEFAULT_PORT_FOR_PROXY_TARGET=false disables this change; please file a bug if any problems are encountered as we will remove this option soon. (#8613)
  • balancer/pickfirst: Fix a bug where duplicate addresses were not being ignored as intended. (#8611)
  • server: Fix a bug that caused overcounting of channelz metrics for successful and failed streams. (#8573)
  • balancer/pickfirst: When configured, shuffle addresses in resolver updates that lack endpoints. Since gRPC automatically adds endpoints to resolver updates, this bug only affects custom LB policies that delegate to pick_first but don't set endpoints. (#8610)
  • mem: Clear large buffers before re-using. (#8670)

Performance Improvements

  • transport: Reduce heap allocations to reduce time spent in garbage collection. (#8624, #8630, #8639, #8668)
  • transport: Avoid copies when reading and writing Data frames. (#8657, #8667)
  • mem: Avoid clearing newly allocated buffers. (#8670)

New Features

  • outlierdetection: Add metrics specified in gRFC A91. (#8644)
  • stats/opentelemetry: Add support for optional label grpc.lb.backend_service in per-call metrics (#8637)
  • xds: Add support for JWT Call Credentials as specified in gRFC A97. Set environment variable GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS=true to enable this feature. (#8536)
  • experimental/stats: Add support for up/down counters. (#8581)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.76.0 to 1.77.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.76.0...v1.77.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.77.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Nov 18, 2025
@dependabot dependabot bot requested a review from a team as a code owner November 18, 2025 22:07

@senzingdevops senzingdevops left a comment

Automated: approving this pull request because it includes a minor update

@github-actions github-actions bot enabled auto-merge (squash) November 18, 2025 22:07

🤖 Claude Code Review

PR Code Review

Code Quality

✅ Code follows style guide

Status: N/A - This PR contains only dependency updates in go.mod and go.sum files. No code changes to review against style guide.

✅ No commented-out code

Status: PASS - No code files modified, only dependency manifest files.

✅ Meaningful variable names

Status: N/A - No variables added or modified.

✅ DRY principle followed

Status: N/A - No code duplication possible in dependency files.

✅ Identify Defects

Status: PASS - This is a straightforward dependency bump:

  • google.golang.org/grpc: v1.76.0 → v1.77.0 (minor version bump)
  • Associated transitive dependencies updated:
    • golang.org/x/net: v0.46.0 → v0.46.1-0.20251013234738-63d1a5100f82
    • OpenTelemetry packages: v1.37.0 → v1.38.0

No logic errors, race conditions, or security vulnerabilities introduced by these automated dependency updates.


Testing

❌ Unit tests for new functions

Status: N/A - No new functions added. However, existing tests should be run to ensure compatibility with updated dependencies.

Recommendation: Verify that all 7 test files pass with the new gRPC v1.77.0:

  • go.mod:14 (updated to v1.77.0)

❌ Integration tests for new endpoints

Status: N/A - No new endpoints added.

❌ Edge cases covered

Status: N/A for this change type, but existing test coverage should validate compatibility.

❓ Test coverage > 80%

Status: UNKNOWN - No test coverage information provided. This PR should not change coverage since no code was modified.


Documentation

❌ Readme updated if needed

Status: FAIL - README.md likely does not need updates for a minor dependency bump, unless it documents specific gRPC version requirements.

File: README.md exists but was not checked for version-specific documentation.

✅ API docs updated

Status: N/A - No API changes.

✅ Inline comments for complex logic

Status: N/A - No code logic added.

❌ CHANGELOG.md updated

Status: FAIL - CHANGELOG.md:8-10 shows ## [Unreleased] section with just a dash placeholder. This PR should add an entry:

## [Unreleased]

- Update dependencies
  - Bump google.golang.org/grpc from 1.76.0 to 1.77.0
  - Update OpenTelemetry packages to v1.38.0

Critical: Following the pattern from previous releases (CHANGELOG.md:12-35), dependency updates should be documented.


Security

✅ No hardcoded credentials

Status: PASS - No credentials in go.mod or go.sum.

✅ Input validation implemented

Status: N/A - No input handling code added.

✅ Proper error handling

Status: N/A - No error handling code added.

✅ No sensitive data in logs

Status: N/A - No logging code added.

🔴 CRITICAL: License files (.lic) check

Status: ⚠️ WARNING - A license file exists at testdata/senzing-license/g2.lic but:

  • It was NOT modified in this PR (good)
  • It does NOT contain the AQAAAD pattern (checked - pattern not found)
  • This appears to be a test fixture in testdata/ directory

Conclusion: No security concerns with license files in this PR.


Summary

Overall Assessment: APPROVE with minor changes

Required Changes:

  1. Update CHANGELOG.md - Add entry under [Unreleased] section documenting the dependency updates

Recommended Actions:

  1. Run full test suite to verify compatibility with gRPC v1.77.0
  2. Verify no breaking changes in gRPC release notes

What This PR Does Well:

  • Clean, focused dependency update
  • Follows Go module best practices
  • Updates related transitive dependencies appropriately
  • No code changes that could introduce bugs

Risk Level: LOW

Minor version bump of gRPC with associated transitive dependency updates. Standard maintenance PR.

Automated code review analyzing defects and coding standards

@github-actions github-actions bot merged commit 0a63428 into main Nov 18, 2025
37 checks passed
@github-actions github-actions bot deleted the dependabot/go_modules/google.golang.org/grpc-1.77.0 branch November 18, 2025 22:23