Comparing changes

🤖 I have created a release *beep* *boop* --- <details><summary>2.53.1-SNAPSHOT</summary> ### Updating meta-information for bleeding-edge SNAPSHOT release. </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>

removed line from [WORKSPACE](https://github.com/googleapis/googleapis/blob/d383e2fe6661b29ea0def03c3900080ba953dd26/WORKSPACE#L292-L304) a while ago.

Discovered as part of CI error in googleapis/google-cloud-java#11426 ``` Error: Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.5.0:enforce (enforce) on project google-cloud-notification: Error: Rule 2: org.apache.maven.enforcer.rules.dependency.RequireUpperBoundDeps failed with message: Error: Failed while enforcing RequireUpperBoundDeps. The error(s) are [ Error: Require upper bound dependencies error for io.opentelemetry.semconv:opentelemetry-semconv:1.26.0-alpha paths to dependency are: Error: +-com.google.cloud:google-cloud-notification:0.176.0-beta-SNAPSHOT Error: +-com.google.cloud:google-cloud-storage:2.48.1 Error: +-io.opentelemetry.semconv:opentelemetry-semconv:1.26.0-alpha (managed) <-- io.opentelemetry.semconv:opentelemetry-semconv:1.27.0-alpha Error: ] ```

This manual update is to sync grpc versions with google-http-java-client before cutting LTS release

Changes to introduce client logging debug feature to Gax. Guide on usage will be added separately to README file. - Brings in `slf4j-api` as optional dependency to gax-java - `LoggingUtils`, `LogData` and `LoggerProvider` are public because access are needed from gax-grpc and gax-httpjson packages - `LoggingUtils` handles logic to enable/disable from env var, and contains shared utility methods for record data for logging and record logs (abstracting away any need for SLF4J classes). - `Slf4jUtils` any logic interacting with SLF4J classes. - `LoggerProvider` provides the SLF4J Logger. This is so that Logger interceptor classes do not declare Logger directly. - This feature is guarded by env var GOOGLE_SDK_JAVA_LOGGING, only turned on if true. - By default it is off, user app should act as before (usual tests behaves as usual) __Tests added:__ - Unit tests in Gax that need either GOOGLE_SDK_JAVA_LOGGING unset, or do not depend on env var - LoggingEnabledTest: test for logger correctly setups when GOOGLE_SDK_JAVA_LOGGING = true. This is added to existing `envVarTest` profile - Showcase tests: - ITLoggingDisabled: test no logging event should record when env var is turned off. - ITLogging: test logging event with slf4j2.x+logback - ITLogging1x: test logging event with slf4j1.x+logback These tests may not compile depending on the logging dependency brought in. Set up profiles to control test compile and run: - Slf4j2_logback, slf4j1_logback, disabledLogging: brings in logging dependencies and setup compile config exclusions - Do not include `it/logging` folder for compile by default, or `enable-golden-tests`. `native` is also excluded for now. __Notable changes since last reviewed:__ - Changes related to get slf4j-api deps as optional - Logics to switch logging behavior based on slf4j major version - Moved helper methods into Gax - Revamped test setup - use Protobuf utils to serialize message __Context:__ [go/java-client-logging-design](http://goto.google.com/java-client-logging-design) TODO: - add rules for renovate bot to bypass some versions for testing

@rockspore

…3651) @rockspore pointed out that the credential should be created from scratch because when using [toBuilder](https://github.com/googleapis/google-auth-library-java/blob/main/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java#L648) the underlying [access token is copied](https://github.com/googleapis/google-auth-library-java/blob/37d228410e99799e4a7be8650fe472ea712c9b4d/oauth2_http/java/com/google/auth/oauth2/OAuth2Credentials.java#L657). This was confirmed to be a bug with local testing which: - deployed a GAE app, the app performs the below two actions sequentially - create Google API client ( `allowedHardBoundAccessTokens` empty in GrpcProvider) and then ping the API, logs show the bearer token is used, obtained from making call to MDS - create a Google API client ( `allowedHardBoundAccessTokens` contains `MTLS_S2A` in GrpcProvider) and then ping the API, logs show the bearer token is used. A call to MDS is **not** made. This is likely because the credential and channel have different lifetimes.

…ity] (#3654) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [ch.qos.logback:logback-core](http://logback.qos.ch) ([source](https://redirect.github.com/qos-ch/logback), [changelog](https://logback.qos.ch/news.html)) | `1.2.13` -> `1.3.15` | [![age](https://developer.mend.io/api/mc/badges/age/maven/ch.qos.logback:logback-core/1.3.15?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/ch.qos.logback:logback-core/1.3.15?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/ch.qos.logback:logback-core/1.2.13/1.3.15?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/ch.qos.logback:logback-core/1.2.13/1.3.15?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [CVE-2024-12798](https://nvd.nist.gov/vuln/detail/CVE-2024-12798) ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 1.5.12 in Java applications allows attackers to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. #### [CVE-2024-12801](https://nvd.nist.gov/vuln/detail/CVE-2024-12801) Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML configuration files. --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/googleapis/sdk-platform-java).

…onfig to v1.14.4 (#3655) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [com.google.cloud:google-cloud-shared-config](https://redirect.github.com/googleapis/java-shared-config) | `1.14.2` -> `1.14.4` | [![age](https://developer.mend.io/api/mc/badges/age/maven/com.google.cloud:google-cloud-shared-config/1.14.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/com.google.cloud:google-cloud-shared-config/1.14.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/com.google.cloud:google-cloud-shared-config/1.14.2/1.14.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/com.google.cloud:google-cloud-shared-config/1.14.2/1.14.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>googleapis/java-shared-config (com.google.cloud:google-cloud-shared-config)</summary> ### [`v1.14.4`](https://redirect.github.com/googleapis/java-shared-config/blob/HEAD/CHANGELOG.md#1144-2025-02-24) [Compare Source](https://redirect.github.com/googleapis/java-shared-config/compare/v1.14.3...v1.14.4) ##### Dependencies - Update dependency org.graalvm.buildtools:native-maven-plugin to v0.10.5 ([#979](https://redirect.github.com/googleapis/java-shared-config/issues/979)) ([06c8547](https://redirect.github.com/googleapis/java-shared-config/commit/06c854718c39e658cdead0584cfb1cc698143ffd)) ### [`v1.14.3`](https://redirect.github.com/googleapis/java-shared-config/blob/HEAD/CHANGELOG.md#1143-2025-02-18) [Compare Source](https://redirect.github.com/googleapis/java-shared-config/compare/v1.14.2...v1.14.3) ##### Bug Fixes - Introducing "flatten" profile to use the plugin ([#984](https://redirect.github.com/googleapis/java-shared-config/issues/984)) ([436aa7c](https://redirect.github.com/googleapis/java-shared-config/commit/436aa7c9e9914a830e3172ae0ee93131bb641e07)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/googleapis/sdk-platform-java).

In this PR: - Update link in showcase readme.

this should have gone with PR #3641 --------- Co-authored-by: cloud-java-bot <cloud-java-bot@google.com> Co-authored-by: JoeWang1127 <joewa@google.com>

chore: update googleapis commit at Tue Feb 25 21:56:14 UTC 2025

🤖 I have created a release *beep* *boop* --- <details><summary>2.54.0</summary> ## [2.54.0](v2.53.0...v2.54.0) (2025-02-25) ### Features * add client side logging with slf4j ([#3403](#3403)) ([fe002fa](fe002fa)) ### Bug Fixes * S2A gRPC flow creates ComputeEngineCredentials via newBuilder. ([#3651](#3651)) ([29c061e](29c061e)) ### Dependencies * update dependency ch.qos.logback:logback-core to v1.3.15 [security] ([#3654](#3654)) ([093d867](093d867)) * update google api dependencies ([#3631](#3631)) ([48db2a1](48db2a1)) * update google auth library dependencies to v1.33.1 ([#3656](#3656)) ([f7877a5](f7877a5)) * update google http client dependencies to v1.46.3 ([#3657](#3657)) ([9d5b3b5](9d5b3b5)) * update grpc to 1.70.0 ([#3641](#3641)) ([ad26cf9](ad26cf9)) * update grpc to 1.70.0 (missed update) ([#3658](#3658)) ([6ca0599](6ca0599)) * Update opentelemetry-semconv to v1.29.0-alpha ([#3635](#3635)) ([49ac09d](49ac09d)) ### Documentation * update showcase readme ([#3659](#3659)) ([0ddf073](0ddf073)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Joe Wang <joewa@google.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Comparing changes

Open a pull request

Commits on Feb 10, 2025

Commits on Feb 11, 2025

Commits on Feb 14, 2025

Commits on Feb 18, 2025

Commits on Feb 24, 2025

Commits on Feb 25, 2025

This comparison is taking too long to generate.

Uh oh!