chore(deps): update upper bound dependencies file

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
com.fasterxml.jackson:jackson-bom	2.21.1 → 2.21.2
com.google.crypto.tink:tink	1.20.0 → 1.21.0
com.google.protobuf:protobuf-java (source)	4.34.0 → 4.34.1
io.grpc:grpc-bom	1.79.0 → 1.80.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

tink-crypto/tink-java (com.google.crypto.tink:tink)

v1.21.0: Tink Java v1.21.0

Tink is a multi-language, cross-platform library that provides simple and misuse-proof APIs for common cryptographic tasks.

This is Tink Java 1.21.0

The complete list of changes since 1.20.0 can be found here.

• Added methods addAnnotations to KeysetHandle.Builder and getAnnotationsOrNull to KeysetHandle. This allows attaching arbitrary information to a KeysetHandle, which can be useful when one has deep stacks.
• A set of accessor methods in RawJwt has been made public.
• Added general support for ML-DSA-87.
• SignaturePemKeysetReader now supports ML-DSA-65, ML-DSA-87 and Ed25519.
• Added buildPublicKeysetHandle method to SignaturePemKeysetReader.Builder, which replaces the deprecated build method.

Maven:

<dependency>
    <groupId>com.google.crypto.tink</groupId>
    <artifactId>tink</artifactId>
    <version>1.21.0</version>
</dependency>

Gradle:

dependencies {
  implementation 'com.google.crypto.tink:tink-android:1.21.0'
}

Bazel:

Using bzlmod

bazel_dep(name = "tink_java")

git_override(
    module_name = "tink_java",
    remote = "https://github.com/tink-crypto/tink-java",
    tag = "v1.21.0",
)

grpc/grpc-java (io.grpc:grpc-bom)

v1.80.0

Compare Source

API Changes

• core: Added PickResult.copyWithSubchannel() and PickResult.copyWithStreamTracerFactory() to simplify updating PickResult while preserving metadata. Load balancing policies should now ensure ForwardingSubchannel decorators are unwrapped before being returned in a pick result. (#​12658) (eae16b2)

Bug Fixes

• core: Fixed the retry backoff jitter range to [0.8, 1.2] to align with the gRPC A6 specification. Retries will now occur more consistently around the calculated backoff interval. (#​12639) (024fdd0)
  core: Fixed a race condition in RetriableStream where inFlightSubStreams counting could become inconsistent during concurrent retry and deadline events. This ensures that client calls (such as blockingUnaryCall) do not hang indefinitely and correctly receive a close signal. (#​12649) (73abb48)

Improvements

• api: Trigger R8's ServiceLoader optimization to reduce necessary configuration when using R8 Full Mode (470219f). This allows gRPC to avoid reflection, and the need to specify -keeps for various class’s constructors.
  Upgrade to protobuf 33.4 (#​12615) (50c18f1)
• cronet: Introduced CRONET_READ_BUFFER_SIZE_KEY to allow customizing the read buffer size per-stream via CallOptions. Increasing the buffer size from the 4KB default can significantly improve performance for large messages by reducing JNI and context-switching overhead. (31fdb6c)
• api: Moved FlagResetRule to api/testFixtures and updated ManagedChannelRegistry to honor the GRPC_ENABLE_RFC3986_URIS feature flag. This ensures that target parsing is consistent across the library when the new URI parser is enabled. (#​12608)
• api: Updated NameResolverRegistry to natively support io.grpc.Uri. This is a foundational change that allows gRPC's name resolution system to handle URIs parsed with the new RFC 3986-compliant parser, ensuring more robust target handling. (#​12609) (9903488)
• xds: Removed the GRPC_EXPERIMENTAL_XDS_SNI feature flag. SNI determination via xDS is now always enabled and follows gRFC A101, where SNI is derived from xDS configurations like auto_host_sni or UpstreamTlsContext.sni. This ensures that no SNI is sent if not explicitly configured, unless the legacy channel authority fallback is enabled. (#​12625) (ac44e96)

New Features

• core: pick_first shuffling now a weighted shuffle and observes weights from EDS (34dd290). This finishes the gRFC A113 pick_first: Weighted Random Shuffling support
• netty: Added RFC 3986 support to the unix: name resolver. This enables proper parsing of Unix domain socket URIs, including correct handling of query and fragment components in both hierarchical (e.g., unix:///path) and opaque (e.g., unix:/path) formats. (#​12659)

Thanks to

• @​becomeStar
• @​aymanm-google
• @​PetitBaguette
• @​stagegrowth
• @​wcchoi
• @​Gyuhyeok99

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[gemini-code-assist]

Code Review

This pull request updates several dependency versions in sdk-platform-java/dependencies.txt, including grpc-bom, protobuf-java, jackson-bom, and tink. A review comment highlights a potential version mismatch where protobuf-java is updated to a version ahead of the one bundled with the new grpc-bom release, which could lead to binary compatibility issues.

[gemini-code-assist]

The io.grpc:grpc-bom update to version 1.80.0 (line 12) includes an upgrade to Protobuf 33.4 (which corresponds to Protobuf Java 4.33.4). However, this line updates protobuf-java to 4.34.1. While this is an upper-bound file, using a version of Protobuf that is ahead of the one gRPC was built with can occasionally lead to binary compatibility issues or unexpected behavior in generated code. It is generally recommended to keep these versions aligned with the gRPC release unless there is a specific need for a newer Protobuf runtime.