Upgrade grpc to 1.75.0 to fix CVE-2025-55163 and CVE-2025-24970 (#2763)

yiminc · claude · tconley1428 · web-flow · commit 9fae229e9059 · 2026-01-26T11:17:55.000-08:00
* Upgrade grpc to 1.75.0 to fix CVE-2025-55163 and CVE-2025-24970 - Update grpcVersion from 1.58.1 to 1.75.0 - Add grpc-protobuf dependency to temporal-serviceclient (no longer transitively included by grpc-services in 1.75.0) - Suppress deprecation warning for Guava Throwables.propagateIfPossible (deprecated in Guava 33.x brought in by grpc 1.75.0) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * Update build.gradle * Revert "Update build.gradle" This reverts commit 100caaa. --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: tconley1428 <tconley1428@gmail.com> Co-authored-by: Tim Conley <timothy.conley@temporal.io>
diff --git a/build.gradle b/build.gradle
@@ -28,7 +28,7 @@ allprojects {
 
 ext {
     // Platforms
-    grpcVersion = '1.58.1' // [1.38.0,) Needed for io.grpc.protobuf.services.HealthStatusManager
+    grpcVersion = '1.75.0' // [1.38.0,) Needed for io.grpc.protobuf.services.HealthStatusManager
     jacksonVersion = '2.15.4' // [2.9.0,)
     nexusVersion = '0.4.0-alpha'
     // we don't upgrade to 1.10.x because it requires kotlin 1.6. Users may use 1.10.x in their environments though.
diff --git a/temporal-serviceclient/build.gradle b/temporal-serviceclient/build.gradle
@@ -12,6 +12,7 @@ dependencies {
     api ("io.grpc:grpc-api") //Classes like io.grpc.Metadata are used as a part of our API
     api "io.grpc:grpc-stub" //Part of WorkflowServiceStubs API
     api "io.grpc:grpc-netty-shaded" //Part of WorkflowServiceStubs API, specifically SslContext
+    api "io.grpc:grpc-protobuf" //For io.grpc.protobuf.StatusProto and ProtoUtils used by generated stubs
     api "io.grpc:grpc-services" //Standard gRPC HealthCheck Response class
     api "io.grpc:grpc-inprocess" //For the in-process time skipping test server
     api "com.google.protobuf:protobuf-java-util:$protoVersion" //proto request and response objects are a part of this module's API
diff --git a/temporal-testing/src/main/java/io/temporal/testing/internal/SDKTestWorkflowRule.java b/temporal-testing/src/main/java/io/temporal/testing/internal/SDKTestWorkflowRule.java
@@ -456,6 +456,7 @@ public <R> void addWorkflowImplementationFactory(
         .registerWorkflowImplementationFactory(factoryImpl, factoryFunc);
   }
 
+  @SuppressWarnings("deprecation")
   public void regenerateHistoryForReplay(String workflowId, String fileName) {
     if (REGENERATE_JSON_FILES) {
       String json = getExecutionHistory(workflowId).toJson(true);

Original file line number	Diff line number	Diff line change
`@@ -456,6 +456,7 @@ public <R> void addWorkflowImplementationFactory(`
`456`	`456`	`.registerWorkflowImplementationFactory(factoryImpl, factoryFunc);`
`457`	`457`	`}`
`458`	`458`
	`459`	`+ @SuppressWarnings("deprecation")`
`459`	`460`	`public void regenerateHistoryForReplay(String workflowId, String fileName) {`
`460`	`461`	`if (REGENERATE_JSON_FILES) {`
`461`	`462`	`String json = getExecutionHistory(workflowId).toJson(true);`