Hi everyone, I would like to volunteer to upgrade the Beam vendored grpc, as requested by the GitHub Issue [1]. The last update was in Apr 2023 [2]. There have been vulnerabilities in its dependencies as well as potential oom issues found since then (see [1]), and also to include grpc-alts [2].
My plan is to follow the release process [3, 4], which involves preparing for the release, building a candidate, voting and finalizing the release. Then the vendored artifact is targeted to be integrated by Beam v2.54.0 onwards (cut date Jan 24, 2024). Please let me know if you have any comments/objections/questions. Thanks, Yi [1] https://github.com/apache/beam/issues/29861 [2] https://github.com/apache/beam/issues/25746 [3] https://github.com/apache/beam/tree/master/vendor [4] https://docs.google.com/document/d/1ztEoyGkqq9ie5riQxRtMuBu3vb6BUO91mSMn1PU0pDA/edit#heading=h.vhcuqlttpnog -- Yi Hu, (he/him/his) Software Engineer
