From 95d16d85c84b7bc587adaa349fa58c8fa80e1503 Mon Sep 17 00:00:00 2001
From: Eric Anderson <ejona@google.com>
Date: Wed, 13 Aug 2025 12:59:57 -0700
Subject: [PATCH] Upgrade to Netty 4.1.124.Final

This implicitly disables NettyAdaptiveCumulator (#11284), which can have a
performance impact. We delayed upgrading Netty to give time to rework
the optimization, but we've gone too long already without upgrading
which causes problems for vulnerability tracking.
---
 MODULE.bazel                                  | 24 +++++++++----------
 SECURITY.md                                   |  3 ++-
 gradle/libs.versions.toml                     |  4 ++--
 .../io/grpc/netty/NettyClientHandlerTest.java |  3 +--
 repositories.bzl                              | 24 +++++++++----------
 5 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/MODULE.bazel b/MODULE.bazel
index 5a731723c3..7d49c4e4b4 100644
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -23,20 +23,20 @@ IO_GRPC_GRPC_JAVA_ARTIFACTS = [
     "com.google.truth:truth:1.4.2",
     "com.squareup.okhttp:okhttp:2.7.5",
     "com.squareup.okio:okio:2.10.0",  # 3.0+ needs swapping to -jvm; need work to avoid flag-day
-    "io.netty:netty-buffer:4.1.110.Final",
-    "io.netty:netty-codec-http2:4.1.110.Final",
-    "io.netty:netty-codec-http:4.1.110.Final",
-    "io.netty:netty-codec-socks:4.1.110.Final",
-    "io.netty:netty-codec:4.1.110.Final",
-    "io.netty:netty-common:4.1.110.Final",
-    "io.netty:netty-handler-proxy:4.1.110.Final",
-    "io.netty:netty-handler:4.1.110.Final",
-    "io.netty:netty-resolver:4.1.110.Final",
+    "io.netty:netty-buffer:4.1.124.Final",
+    "io.netty:netty-codec-http2:4.1.124.Final",
+    "io.netty:netty-codec-http:4.1.124.Final",
+    "io.netty:netty-codec-socks:4.1.124.Final",
+    "io.netty:netty-codec:4.1.124.Final",
+    "io.netty:netty-common:4.1.124.Final",
+    "io.netty:netty-handler-proxy:4.1.124.Final",
+    "io.netty:netty-handler:4.1.124.Final",
+    "io.netty:netty-resolver:4.1.124.Final",
     "io.netty:netty-tcnative-boringssl-static:2.0.70.Final",
     "io.netty:netty-tcnative-classes:2.0.70.Final",
-    "io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.110.Final",
-    "io.netty:netty-transport-native-unix-common:4.1.110.Final",
-    "io.netty:netty-transport:4.1.110.Final",
+    "io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.124.Final",
+    "io.netty:netty-transport-native-unix-common:4.1.124.Final",
+    "io.netty:netty-transport:4.1.124.Final",
     "io.opencensus:opencensus-api:0.31.0",
     "io.opencensus:opencensus-contrib-grpc-metrics:0.31.0",
     "io.perfmark:perfmark-api:0.27.0",
diff --git a/SECURITY.md b/SECURITY.md
index 48d6e0919a..cd02fbe3e1 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -400,7 +400,8 @@ grpc-netty version | netty-handler version | netty-tcnative-boringssl-static ver
 1.59.x             | 4.1.97.Final          | 2.0.61.Final
 1.60.x-1.66.x      | 4.1.100.Final         | 2.0.61.Final
 1.67.x-1.70.x      | 4.1.110.Final         | 2.0.65.Final
-1.71.x-            | 4.1.110.Final         | 2.0.70.Final
+1.71.x-1.74.x      | 4.1.110.Final         | 2.0.70.Final
+1.75.x-            | 4.1.124.Final         | 2.0.72.Final
 
 _(grpc-netty-shaded avoids issues with keeping these versions in sync.)_
 
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 9407b2a877..540657b9dd 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -1,8 +1,8 @@
 [versions]
-netty = '4.1.110.Final'
+netty = '4.1.124.Final'
 # Keep the following references of tcnative version in sync whenever it's updated:
 #   SECURITY.md
-nettytcnative = '2.0.70.Final'
+nettytcnative = '2.0.72.Final'
 opencensus = "0.31.1"
 # Not upgrading to 4.x as it is not yet ABI compatible.
 # https://github.com/protocolbuffers/protobuf/issues/17247
diff --git a/netty/src/test/java/io/grpc/netty/NettyClientHandlerTest.java b/netty/src/test/java/io/grpc/netty/NettyClientHandlerTest.java
index 5a2605eea5..c5289296ed 100644
--- a/netty/src/test/java/io/grpc/netty/NettyClientHandlerTest.java
+++ b/netty/src/test/java/io/grpc/netty/NettyClientHandlerTest.java
@@ -28,7 +28,6 @@ import static io.grpc.netty.Utils.HTTP_METHOD;
 import static io.grpc.netty.Utils.STATUS_OK;
 import static io.grpc.netty.Utils.TE_HEADER;
 import static io.grpc.netty.Utils.TE_TRAILERS;
-import static io.netty.handler.codec.http2.Http2CodecUtil.DEFAULT_PRIORITY_WEIGHT;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
@@ -276,7 +275,7 @@ public class NettyClientHandlerTest extends NettyHandlerTestBase<NettyClientHand
   public void createStreamShouldSucceed() throws Exception {
     createStream();
     verifyWrite().writeHeaders(eq(ctx()), eq(STREAM_ID), eq(grpcHeaders), eq(0),
-        eq(DEFAULT_PRIORITY_WEIGHT), eq(false), eq(0), eq(false), any(ChannelPromise.class));
+        eq(false), any(ChannelPromise.class));
   }
 
   @Test
diff --git a/repositories.bzl b/repositories.bzl
index 5a760be5a4..47609ae767 100644
--- a/repositories.bzl
+++ b/repositories.bzl
@@ -27,20 +27,20 @@ IO_GRPC_GRPC_JAVA_ARTIFACTS = [
     "com.google.truth:truth:1.4.2",
     "com.squareup.okhttp:okhttp:2.7.5",
     "com.squareup.okio:okio:2.10.0",  # 3.0+ needs swapping to -jvm; need work to avoid flag-day
-    "io.netty:netty-buffer:4.1.110.Final",
-    "io.netty:netty-codec-http2:4.1.110.Final",
-    "io.netty:netty-codec-http:4.1.110.Final",
-    "io.netty:netty-codec-socks:4.1.110.Final",
-    "io.netty:netty-codec:4.1.110.Final",
-    "io.netty:netty-common:4.1.110.Final",
-    "io.netty:netty-handler-proxy:4.1.110.Final",
-    "io.netty:netty-handler:4.1.110.Final",
-    "io.netty:netty-resolver:4.1.110.Final",
+    "io.netty:netty-buffer:4.1.124.Final",
+    "io.netty:netty-codec-http2:4.1.124.Final",
+    "io.netty:netty-codec-http:4.1.124.Final",
+    "io.netty:netty-codec-socks:4.1.124.Final",
+    "io.netty:netty-codec:4.1.124.Final",
+    "io.netty:netty-common:4.1.124.Final",
+    "io.netty:netty-handler-proxy:4.1.124.Final",
+    "io.netty:netty-handler:4.1.124.Final",
+    "io.netty:netty-resolver:4.1.124.Final",
     "io.netty:netty-tcnative-boringssl-static:2.0.70.Final",
     "io.netty:netty-tcnative-classes:2.0.70.Final",
-    "io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.110.Final",
-    "io.netty:netty-transport-native-unix-common:4.1.110.Final",
-    "io.netty:netty-transport:4.1.110.Final",
+    "io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.124.Final",
+    "io.netty:netty-transport-native-unix-common:4.1.124.Final",
+    "io.netty:netty-transport:4.1.124.Final",
     "io.opencensus:opencensus-api:0.31.0",
     "io.opencensus:opencensus-contrib-grpc-metrics:0.31.0",
     "io.perfmark:perfmark-api:0.27.0",