Hi all,

I would like to volunteer to upgrade the Beam vendored grpc, as requested by the GitHub Issue [1]. I checked the project history and saw that we did four upgrades in the last 2 years (1.26->1.36->1.43->1.48) and the last time was in Aug 2022 [2]. There have been vulnerabilities in its dependencies found since then (see [1]).

My plan is to follow the release process [3, 4], which involves preparing for the release, building a candidate, voting and finalizing the release. Then the vendored artifact is targeted to be integrated by Beam v2.48.0 onwards (cut date May 17, 2023).

Please let me know if you have any comments/objections/questions.

Thanks,
Yi

[1] https://github.com/apache/beam/issues/25746
[2] https://github.com/apache/beam/pull/22628
[3] https://github.com/apache/beam/tree/master/vendor
[4] https://docs.google.com/document/d/1ztEoyGkqq9ie5riQxRtMuBu3vb6BUO91mSMn1PU0pDA/edit#heading=h.vhcuqlttpnog

--
Yi Hu, (he/him/his)
Software Engineer