chore(deps): update upper bound dependencies file (#4083)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
|
[com.google.auth:google-auth-library-bom](https://togithub.com/googleapis/google-auth-library-java)
| minor | `1.41.0` -> `1.42.0` |
|
[com.google.http-client:google-http-client](https://togithub.com/googleapis/google-http-java-client)
| minor | `2.0.3` -> `2.1.0` |
| [io.grpc:grpc-bom](https://togithub.com/grpc/grpc-java) | minor |
`1.76.2` -> `1.78.0` |

---

### Release Notes

<details>
<summary>googleapis/google-auth-library-java
(com.google.auth:google-auth-library-bom)</summary>

###
[`v1.42.0`](https://togithub.com/googleapis/google-auth-library-java/blob/HEAD/CHANGELOG.md#1420-2026-01-23)

[Compare
Source](https://togithub.com/googleapis/google-auth-library-java/compare/v1.41.0...v1.42.0)

##### Features

- Update protobuf version to 4.33.2
([#&#8203;1875](https://togithub.com/googleapis/google-auth-library-java/issues/1875))
([13ddbd1](https://togithub.com/googleapis/google-auth-library-java/commit/13ddbd1744fb908fb51e8866e5aac291f0e9bada))

##### Bug Fixes

- Simplify call to directly retrieve the default service account from
MDS
([#&#8203;1844](https://togithub.com/googleapis/google-auth-library-java/issues/1844))
([6efda0b](https://togithub.com/googleapis/google-auth-library-java/commit/6efda0bc2063b1d1b30de43785d08ec86da1791c))

</details>

<details>
<summary>googleapis/google-http-java-client
(com.google.http-client:google-http-client)</summary>

###
[`v2.1.0`](https://togithub.com/googleapis/google-http-java-client/blob/HEAD/CHANGELOG.md#210-2026-01-23)

[Compare
Source](https://togithub.com/googleapis/google-http-java-client/compare/v2.0.3...v2.1.0)

##### Features

- Update protobuf-java to 4.33.2
([d48c443](https://togithub.com/googleapis/google-http-java-client/commit/d48c443cf9b872be4872ed6801c4edf70d5be7ac))

</details>

<details>
<summary>grpc/grpc-java (io.grpc:grpc-bom)</summary>

###
[`v1.78.0`](https://togithub.com/grpc/grpc-java/releases/tag/v1.78.0)

[Compare
Source](https://togithub.com/grpc/grpc-java/compare/v1.77.1...v1.78.0)

##### Bug Fixes

- core: Fix shutdown failing accepted RPCs during channel startup
([`02e98a8`](https://togithub.com/grpc/grpc-java/commit/02e98a806)).
This fixes a race where RPCs could fail with "UNAVAILABLE: Channel
shutdown invoked" even though they were created before
channel.shutdown()
- okhttp: Fix race condition overwriting MAX_CONCURRENT_STREAMS
([#&#8203;12548](https://togithub.com/grpc/grpc-java/issues/12548))
([`8d49dc1`](https://togithub.com/grpc/grpc-java/commit/8d49dc1c9))
- binder: Stop leaking `this` from BinderServerTransport's ctor
([#&#8203;12453](https://togithub.com/grpc/grpc-java/issues/12453))
([`89d77e0`](https://togithub.com/grpc/grpc-java/commit/89d77e062))
- rls: Avoid missed config update from reentrancy
([`55ae1d0`](https://togithub.com/grpc/grpc-java/commit/55ae1d054)).
This fixes a regression since 1.75.0 triggered by CdsLb being converted
to XdsDepManager. Without this fix, a second channel to the same target
may hang when starting, causing DEADLINE_EXCEEDED, and unhang when the
control plane delivers an update (e.g., endpoint address update)

##### Improvements

- xds: gRFC A88 - Changes to XdsClient Watcher APIs
([#&#8203;12446](https://togithub.com/grpc/grpc-java/issues/12446))
([`f385add`](https://togithub.com/grpc/grpc-java/commit/f385add31)). We
now have improved xDS error handling and this provides a clearer
mechanism for the xDS server to report per-resource errors to the
client, resulting in better error messages for debugging and faster
detection of non-existent resources. This also improves the handling of
all xDS-related data errors and the behavior of the xDS resource timer.
- rls: Control plane channel monitor state and back off handling
([#&#8203;12460](https://togithub.com/grpc/grpc-java/issues/12460))
([`26c1c13`](https://togithub.com/grpc/grpc-java/commit/26c1c1341)).
Resets RLS request backoff timers when the Control plane channel state
transitions to READY. Also when the backoff timer expires, instead of
making a RLS request immediately, it just causes a picker update to
allow making rpc again to the RLS target.
- core: simplify DnsNameResolver.resolveAddresses()
([`4843256`](https://togithub.com/grpc/grpc-java/commit/4843256af))
- netty: Run handshakeCompleteRunnable in success cases
([`283f103`](https://togithub.com/grpc/grpc-java/commit/283f1031f))
- api,netty: Add custom header support for HTTP CONNECT proxy
([`bbc0aa3`](https://togithub.com/grpc/grpc-java/commit/bbc0aa369))
- binder: Pre-factor out the guts of the BinderClientTransport
handshake.
([`9313e87`](https://togithub.com/grpc/grpc-java/commit/9313e87df))
- compiler: Add RISC-V 64-bit architecture support to compiler build
configuration
([`725ab22`](https://togithub.com/grpc/grpc-java/commit/725ab22f3))
- core: Release lock before closing shared resource
([`cb73f21`](https://togithub.com/grpc/grpc-java/commit/cb73f217e)).
Shared resources are internal to gRPC for sharing expensive objects
across channels and servers, like threads. This reduces the chances of
forming a deadlock, like seen with s2a in
[`d50098f`](https://togithub.com/grpc/grpc-java/commit/d50098f)
- Upgrade gson to 2.12.1
([`6dab2ce`](https://togithub.com/grpc/grpc-java/commit/6dab2ceab))
- Upgrade dependencies
([`f36defa`](https://togithub.com/grpc/grpc-java/commit/f36defa2d)).
proto-google-common-protos to 2.63.1, google-auth-library to 1.40.0,
error-prone annotations to 2.44.0, guava to 33.5.0-android,
opentelemetry to 1.56.0
- compiler: Update maximum supported protobuf edition to EDITION\_2024
([`2f64092`](https://togithub.com/grpc/grpc-java/commit/2f64092b8))
- binder: Introduce server authorization strategy v2
([`d971072`](https://togithub.com/grpc/grpc-java/commit/d9710725d)).
Adds support for `android:isolatedProcess` Services and moves all
security checks to the handshake, making subsequent transactions more
efficient.

##### New Features

- compiler: Upgrade to C++ protobuf 33.1
([#&#8203;12534](https://togithub.com/grpc/grpc-java/issues/12534))
([`58ae5f8`](https://togithub.com/grpc/grpc-java/commit/58ae5f808)).
- util: Add gRFC A68 random subsetting LB
([`48a4288`](https://togithub.com/grpc/grpc-java/commit/48a42889d)). The
policy uses the name `random_subsetting_experimental`. If it is working
for you, tell us so we can gauge marking it stable. While the xDS
portions haven’t yet landed, it is possible to use with xDS with
JSON-style Structs as supported by gRFC A52
- xds: Support for System Root Certs
([#&#8203;12499](https://togithub.com/grpc/grpc-java/issues/12499))
([`51611ba`](https://togithub.com/grpc/grpc-java/commit/51611bad1)).
Most service mesh workloads use mTLS, as described in gRFC A29. However,
there are cases where it is useful for applications to use normal TLS
rather than using certificates for workload identity, such as when a
mesh wants to move some workloads behind a reverse proxy. The xDS
`CertificateValidationContext` message (see
[envoyproxy/envoy#34235](https://togithub.com/envoyproxy/envoy/pull/34235))
has a `system_root_certs` field. In the gRPC client, if this field is
present and the `ca_certificate_provider_instance` field is unset,
system root certificates will be used for validation. This implements
[gRFC
A82](https://togithub.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md).
- xds: Support for GCP Authentication Filter
([#&#8203;12499](https://togithub.com/grpc/grpc-java/issues/12499))
([`51611ba`](https://togithub.com/grpc/grpc-java/commit/51611bad1)). In
service mesh environments, there are cases where intermediate proxies
make it impossible to rely on mTLS for end-to-end authentication. These
cases can be addressed instead by the use of service account identity
JWT tokens. The xDS [GCP Authentication
filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gcp_authn_filter)
provides a mechanism for attaching such JWT tokens as gRPC call
credentials on GCP. gRPC already supports a framework for xDS HTTP
filters, as described in [gRFC
A39](https://togithub.com/grpc/proposal/blob/master/A39-xds-http-filters.md).
This release supports the GCP Authentication filter under this framework
as described in [gRFC
A83](https://togithub.com/grpc/proposal/blob/master/A83-xds-gcp-authn-filter.md).
- xds: Support for xDS-based authority rewriting
([#&#8203;12499](https://togithub.com/grpc/grpc-java/issues/12499))
([`51611ba`](https://togithub.com/grpc/grpc-java/commit/51611bad1)).
gRPC supports getting routing configuration from an xDS server, as
described in gRFCs
[A27](https://togithub.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md)
and
[A28](https://togithub.com/grpc/proposal/blob/master/A28-xds-traffic-splitting-and-routing.md).
The xDS configuration can configure the client to rewrite the authority
header on requests. This functionality can be useful in cases where the
server is using the authority header to make decisions about how to
process the request, such as when multiple hosts are handled via a
reverse proxy. Note that this feature is solely about rewriting the
authority header on data plane RPCs; it does not affect the authority
used in the TLS handshake.\
As mentioned in [gRFC
A29](https://togithub.com/grpc/proposal/blob/master/A29-xds-tls-security.md),
there are use-cases for gRPC that prohibit trusting the xDS server to
control security-centric configuration. The authority rewriting feature
falls under the same umbrella as mTLS configuration. As a result, the
authority rewriting feature will only be enabled when the bootstrap
config for the xDS server has `trusted_xds_server` in the
`server_features` field.
- xds: xDS based SNI setting and SAN validation
([#&#8203;12378](https://togithub.com/grpc/grpc-java/issues/12378))
([`0567531`](https://togithub.com/grpc/grpc-java/commit/0567531)). When
using xDS credentials make SNI for the Tls handshake to be configured
via xDS, rather than use the channel authority as the SNI, and make SAN
validation to be able to use the SNI sent when so instructed via xDS.
Implements gRFC
[A101](https://togithub.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md).

##### Documentation

- api: Document gRFC A18 TCP_USER_TIMEOUT handling for keepalive
([`da70387`](https://togithub.com/grpc/grpc-java/commit/da7038782))
- core: Fix AbstractClientStream Javadoc
([`28a6130`](https://togithub.com/grpc/grpc-java/commit/28a6130e8))
- examples: Document how to preserve META-INF/services in uber jars
([`97695d5`](https://togithub.com/grpc/grpc-java/commit/97695d523))

##### Thanks to

-   [@&#8203;panchenko](https://togithub.com/panchenko)
-   [@&#8203;Dayuxiaoshui](https://togithub.com/Dayuxiaoshui)
-   [@&#8203;becomeStar](https://togithub.com/becomeStar)
-   [@&#8203;kssumin](https://togithub.com/kssumin)
-   [@&#8203;marcindabrowski](https://togithub.com/marcindabrowski)
-   [@&#8203;MariusVolkhart](https://togithub.com/MariusVolkhart)
-   [@&#8203;Zgoda91](https://togithub.com/Zgoda91)
-   [@&#8203;devalkone](https://togithub.com/devalkone)

###
[`v1.77.1`](https://togithub.com/grpc/grpc-java/releases/tag/v1.77.1)

[Compare
Source](https://togithub.com/grpc/grpc-java/compare/v1.77.0...v1.77.1)

##### Bug Fixes

- rls: Avoid missed config update from reentrancy
([https://github.com/grpc/grpc-java/pull/12549](https://togithub.com/grpc/grpc-java/pull/12549)).
This fixes a regression since 1.75.0 triggered by CdsLb being converted
to XdsDepManager. Without this fix, a second channel to the same target
may hang when starting, causing DEADLINE_EXCEEDED, and unhang when the
control plane delivers an update (e.g., endpoint address update)

###
[`v1.77.0`](https://togithub.com/grpc/grpc-java/releases/tag/v1.77.0)

[Compare
Source](https://togithub.com/grpc/grpc-java/compare/v1.76.2...v1.77.0)

##### API Changes

- binder: Remove experimental `BinderChannelBuilder.bindAsUser()`
method, deprecated since 1.69
([#&#8203;12401](https://togithub.com/grpc/grpc-java/issues/12401))
([`f96ce06`](https://togithub.com/grpc/grpc-java/commit/f96ce0670))

##### Bug Fixes

- api: Fix name resolver bridge listener handling for address resolution
errors for custom name resolvers
([#&#8203;12441](https://togithub.com/grpc/grpc-java/issues/12441))
([`acbbf86`](https://togithub.com/grpc/grpc-java/commit/acbbf869a)).
This fixes regression introduced in v1.68.1 causing a
“IllegalStateException: No value present.” exception
- core: Fix NullPointerException during address update with Happy
Eyeballs
([`5e8af56`](https://togithub.com/grpc/grpc-java/commit/5e8af564e)).
This should not impact many people as the code is disabled by default,
behind two experimental environment variables
- okhttp: Fix bidirectional keep-alive causing spurious GOAWAY
([`6fc3fd0`](https://togithub.com/grpc/grpc-java/commit/6fc3fd046)).
This fixes the grpc-okhttp server incorrectly closing the connection
with `GOAWAY: too_many_pings`
- xds: SslContext updates handling when using system root certs
([#&#8203;12340](https://togithub.com/grpc/grpc-java/issues/12340))
([`63fdaac`](https://togithub.com/grpc/grpc-java/commit/63fdaaccc)).
Since `FileWatcherCertificateProvider` isn't used when using system root
trust store, the SslContext update for the handshake that depended on it
wasn't happening. This fix creates a separate `CertificateProvider` for
handling system root certs that doesn't rely on the
`FileWatcherCertificateProvider.`
- xds: Make cluster selection interceptor run before other filters
([#&#8203;12381](https://togithub.com/grpc/grpc-java/issues/12381))
([`82f9b8e`](https://togithub.com/grpc/grpc-java/commit/82f9b8ec0)).
This is needed when there is `GcpAuthenticationFilter` in the filter
chain to make available the cluster resource in `CallOption`s.
- xds: Handle wildcards in DNS SAN exact matching
([#&#8203;12345](https://togithub.com/grpc/grpc-java/issues/12345))
([`5b876cc`](https://togithub.com/grpc/grpc-java/commit/5b876cc86))
- android: Fix UdsChannelBuilder with WiFi Proxy
([`349a35a`](https://togithub.com/grpc/grpc-java/commit/349a35a9b))
- binder: Avoid potential deadlock when canceling AsyncSecurityPolicy
futures
([#&#8203;12283](https://togithub.com/grpc/grpc-java/issues/12283))
([`4725ced`](https://togithub.com/grpc/grpc-java/commit/4725ced99))
- binder: Fix a BinderServerTransport crash in the rare
shutdown-before-start case
([#&#8203;12440](https://togithub.com/grpc/grpc-java/issues/12440))
([`91f3f4d`](https://togithub.com/grpc/grpc-java/commit/91f3f4dc1))

##### Improvements

- Improve status messages by including causal error details in config
parsing errors for outlier detection and xds’s wrr locality policies
([`86e8b56`](https://togithub.com/grpc/grpc-java/commit/86e8b5617))
- xds: Detect negative ref count for xds client
([`21696cd`](https://togithub.com/grpc/grpc-java/commit/21696cd3d)). A
negative reference count could cause NullPointerExceptions, so when too
many unrefs are detected it produces a SEVERE warning and prevents the
reference count from going negative
- xds: Support deprecated xDS TLS fields for Istio compat
([#&#8203;12435](https://togithub.com/grpc/grpc-java/issues/12435))
([`53cd1a2`](https://togithub.com/grpc/grpc-java/commit/53cd1a225)).
This fixes a regression with Istio introduced in v1.73.0. This gives
time for [Istio’s new xDS field
support](https://togithub.com/istio/istio/pull/58257) to roll out
- googleapis: Allow wrapping NameResolver to inject XdsClient
([#&#8203;12450](https://togithub.com/grpc/grpc-java/issues/12450))
([`27d1508`](https://togithub.com/grpc/grpc-java/commit/27d150890)).
This allows googleapis to inject an xDS bootstrap to use with its
channels even if one is already specified in the environment variable or
system property. When the code was originally written there was a single
global XdsClient, but since gRFC A71 Xds Fallback each target string has
its own XdsClient and thus can have its own bootstrap
- alts: Allow overriding metadata server address with env variable
([`9ac12ef`](https://togithub.com/grpc/grpc-java/commit/9ac12ef89))
([`498f717`](https://togithub.com/grpc/grpc-java/commit/498f717fc))
- binder: Let the server know when the client fails to authorize it.
([#&#8203;12445](https://togithub.com/grpc/grpc-java/issues/12445))
([`599a0a1`](https://togithub.com/grpc/grpc-java/commit/599a0a146)) This
avoids the server needing to wait for the handshake timeout before
realizing the handshake failed

##### New Features

- opentelemetry: Implement otel retry metrics from gRFC A96
([#&#8203;12064](https://togithub.com/grpc/grpc-java/issues/12064))
([`d380191`](https://togithub.com/grpc/grpc-java/commit/d380191be))
- opentelemetry: propagate baggage to server metrics for custom
attributes
([#&#8203;12389](https://togithub.com/grpc/grpc-java/issues/12389))
([`155308d`](https://togithub.com/grpc/grpc-java/commit/155308db2))
- xds: Allow EC Keys in SPIFFE Bundle Map parsing
([#&#8203;12399](https://togithub.com/grpc/grpc-java/issues/12399))
([`559e3ba`](https://togithub.com/grpc/grpc-java/commit/559e3ba41))
- xds: Enable authority rewriting (gRFC A81), system root cert support
(gRFC A82), GCP authentication filter (gRFC A83), and SNI (gRFC A101)
([#&#8203;12499](https://togithub.com/grpc/grpc-java/issues/12499))
([`246c2b1`](https://togithub.com/grpc/grpc-java/commit/246c2b1ea)).
Authority rewriting requires the control plane to be labeled
`trusted_xds_server` in the bootstrap. System root cert support and SNI
require using XdsChannelCredentials
- rls: Add route lookup reason to request whether it is due to a cache
miss or stale cache entry
([#&#8203;12442](https://togithub.com/grpc/grpc-java/issues/12442))
([`795ce02`](https://togithub.com/grpc/grpc-java/commit/795ce0280))

##### Dependencies

- compiler: C++ protobuf used by codegen upgraded to 26.1
([#&#8203;12330](https://togithub.com/grpc/grpc-java/issues/12330))
([`55aefd5`](https://togithub.com/grpc/grpc-java/commit/55aefd5b8))
- alts: Remove dep on grpclb
([`b769f96`](https://togithub.com/grpc/grpc-java/commit/b769f966a)).
ALTS is no longer used with grpclb, so this removes dead code
- Upgrade netty to 4.1.127.Final
([`b37ee67`](https://togithub.com/grpc/grpc-java/commit/b37ee67cf))

##### Thanks to

[@&#8203;panchenko](https://togithub.com/panchenko)
[@&#8203;benjaminp](https://togithub.com/benjaminp)
[@&#8203;HyunSangHan](https://togithub.com/HyunSangHan)
[@&#8203;becomeStar](https://togithub.com/becomeStar)
[@&#8203;ZachChuba](https://togithub.com/ZachChuba)
[@&#8203;oliviamariacodes](https://togithub.com/oliviamariacodes)
[@&#8203;kssumin](https://togithub.com/kssumin)
[@&#8203;laz-canva](https://togithub.com/laz-canva)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://togithub.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: Renovate Bot <renovate@whitesourcesoftware.com>

Author: JoeWang1127

dependencies.txt

@@ -9,9 +9,9 @@
 # Pom-Parent Dependencies
 # These dependencies are declared: https://github.com/googleapis/sdk-platform-java/blob/main/gapic-generator-java-pom-parent/pom.xml
 javax.annotation:javax.annotation-api,javax.annotation-api=1.3.2
-io.grpc:grpc-bom,grpc=1.76.2
-com.google.auth:google-auth-library-bom,google.auth=1.41.0
-com.google.http-client:google-http-client,google.http-client=2.0.3
+io.grpc:grpc-bom,grpc=1.78.0
+com.google.auth:google-auth-library-bom,google.auth=1.42.0
+com.google.http-client:google-http-client,google.http-client=2.1.0
 com.google.code.gson:gson,gson=2.13.2
 com.google.guava:guava,guava=33.5.0-jre
 com.google.protobuf:protobuf-java,protobuf=4.33.4