ppl preview #7476
Open
ppl preview #7476
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Migrating to a version of AGP that supports API Level 35. See https://developer.android.com/build/releases/past-releases/agp-8-6-0-release-notes
The return value from Builders can safely be ignored dependending as they only enable chaining. This change fixes a warning thrown by errorprone. (internal) See b/424298831
The `unused` vars were added to address a warning raised by errorprone about ignoring returned types. (internal) See b/424298831
Some methods are currently marked with `@VisibleForTestingOnly` but are being used directly within the SDK code. This annotation is intended to restrict usage to tests, and its presence causes errors when integrating the SDK into internal systems via copybara. Internal Tracking: b/429425834
… bespoke implementations (#7109)
API Proposal: [go/fal-grounding-api](https://goto.google.com/fal-grounding-api) (internal) - Added `GoogleSearch` tool and `Tool.googleSearch()` static initializer - Added fields to `GroundingMetadata` to support responses with grounded results: `GroundingChunk`, `WebGroundingChunk`, `GroundingSupport`, `SearchEntrypoint` - Labelled `GroundingAttributions` as deprecated, recommending users to use `GroundingSupport` instead
Merged `sessions-sharedrepo` into `main` This merge brings in the new sessions shared repo implementation, which facilitates the Perf+AQS integration. This also includes improvements that will benefit Crashlytics e.g. providing sessions for early crashes All individual commits on the `sessions-sharedrepo` branch were reviewed and approved in their respective pull requests --------- Co-authored-by: themiswang <themisw@google.com>
Jump to the kotlin 2.x badgawon. Beyond updating the stdlib, related dependencies are bumped to the latest version they released that also depends on 2.0.x
The test is using the `internal` constructor instead of relying on the public factory method which caused it fail with the new grounding functionality.
This should resolve #6990 --------- Co-authored-by: Rodrigo Lazo Paz <rlazo@google.com>
Bump the Sessions SDK major version Also bump the Crashlytics NDK major version to keep aligned with the SDK
This PR removes all the KTX libraries and the docs associated with them. KTX libraries were deprecated a long time ago and now we are removing these as a part of our breaking change release. --------- Co-authored-by: Rodrigo Lazo Paz <rlazo@google.com> Co-authored-by: Rodrigo Lazo <rlazo@users.noreply.github.com>
This is a breaking change. See context in google-gemini/deprecated-generative-ai-android#116 --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
All ktx related functionality has been merged to the main libraries, and the KTX-only code removed. See #7106
Major bump all versions to reflect the infra + ktx changes
Excluding interop causes the test-app to fail to run. Internal b/430569929
The dependency on com.google.firebase:firebase-installations-interop twice, and once with the wrong version
The new wording points to the FAQ for more information around the ktx deprecation/removal.
Due to issues in higher version, robolectric should remain in 4.12 for now.
Co-authored-by: Vinay Guthal <vguthal@google.com> Co-authored-by: Rodrigo Lazo Paz <rlazo@google.com> Co-authored-by: Rodrigo Lazo <rlazo@users.noreply.github.com>
We use `EnricoMi/publish-unit-test-result-action`, and we are reconfiguring it to stop publishing comments, and comparing between runs since the numbers it report are not correct in our case.
….4 to 2.2.1 (#7516) Bumps androidx.constraintlayout:constraintlayout from 2.1.4 to 2.2.1. [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Rodrigo Lazo <rlazo@users.noreply.github.com>
Bumps `truth` from 1.4.4 to 1.4.5. Updates `com.google.truth:truth` from 1.4.4 to 1.4.5 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/google/truth/releases">com.google.truth:truth's releases</a>.</em></p> <blockquote> <h2>1.4.5</h2> <ul> <li>Changed assertions like <code>assertThat(nullMap).isEmpty()</code> to fail with a useful failure message instead of throwing <code>NullPointerException</code> (and similarly for other "bogus" values, such as negative sizes). (da5d6e96f)</li> <li>Made Kotlin's <code>isInstanceOf(Int::class.java)</code> (and Java's <code>isInstanceOf(int.class)</code>) a valid way to check for <code>Int</code>/<code>Integer</code> instances. (974ef195b)</li> <li>Improved <code>isWithin</code> to pretty-print numbers in its failure messages. (de785536d, 07318c23e)</li> <li>Improved some assertions that print class names to print simpler names (e.g., <code>Integer</code> instead of <code>java.lang.Integer</code>). (0ba72d60fdb384aa97da03e2403a6757f63bf129)</li> <li>Changed <code>ExpectFailure</code> to never generate "value of" lines based on bytecode. This slightly simplifies writing new tests with <code>ExpectFailure</code> and prevents future behavior changes in some <code>ExpectFailure</code> tests that already exist. However, it may also require changes to other existing <code>ExpectFailure</code> tests to remove or change any assertions about the "value of" line. (3caa0e845)</li> <li>Our Android <code>minSdkVersion</code> is now 23 (Marshmallow). This follows the minimum of Google's foundational Android libraries, and we expect it to have no practical impact on users. (c85c75cf4)</li> <li>Changed our GWT/J2CL artifact to omit usages of <code>@NullMarked</code>. This was making all our types non-null in those environments, since we don't yet use <code>@nullable</code> in the GWT/J2CL artifact. (6392d37e7)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/google/truth/commit/0c43ea072f7e8d9a6644db3229cfd3bbc359aaaf"><code>0c43ea0</code></a> Set version number for truth-parent to 1.4.5.</li> <li><a href="https://github.com/google/truth/commit/24b5a310fd899b5554ded8287f33c826f5d7778b"><code>24b5a31</code></a> Fix TODO style.</li> <li><a href="https://github.com/google/truth/commit/7261f72093756a8abcc96882e49273b9b6a063be"><code>7261f72</code></a> Make <code>ActualValueInference</code> see through casts and also recognize some of Kotl...</li> <li><a href="https://github.com/google/truth/commit/3caa0e845575c2c6f17ee62716f7064584b79efb"><code>3caa0e8</code></a> In <code>ExpectFailure</code>, never generate "value of" lines based on bytecode.</li> <li><a href="https://github.com/google/truth/commit/a29e1b252c20e794fae5078dbe9db80157f56c44"><code>a29e1b2</code></a> Attempt to fix Javadoc snapshots:</li> <li><a href="https://github.com/google/truth/commit/3a0cf9a12060323fac2b52db79d929b67cea24e4"><code>3a0cf9a</code></a> Bump the github-actions group with 2 updates</li> <li><a href="https://github.com/google/truth/commit/3053945de044b75dd84159848f17554d370f5aee"><code>3053945</code></a> Use the standard parameter name ("<code>expected</code>") in <code>MultimapSubject.isEqualTo</code>.</li> <li><a href="https://github.com/google/truth/commit/079b919abcdf2e63ff6bd40402008a92d1d00d09"><code>079b919</code></a> Add a TODO to <code>containsNoDuplicates</code>.</li> <li><a href="https://github.com/google/truth/commit/b515e7107e487365c7671c11b832d906eb7ec93c"><code>b515e71</code></a> Show only the duplicate keys in the exception message, not all keys.</li> <li><a href="https://github.com/google/truth/commit/534518e1e82221cf0dda5e505f3a088d595577e9"><code>534518e</code></a> Don't bother to explicitly set [<code>publishingServerId</code>](<a href="https://central.sonatyp">https://central.sonatyp</a>...</li> <li>Additional commits viewable in <a href="https://github.com/google/truth/compare/v1.4.4...v1.4.5">compare view</a></li> </ul> </details> <br /> Updates `com.google.truth.extensions:truth-liteproto-extension` from 1.4.4 to 1.4.5 Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Rodrigo Lazo <rlazo@users.noreply.github.com>
The chat history in streaming mode reconstructs the parts from their contents, rather than storing the parts themselves. This causes non-visible elements, like `thoughtSignature` to get lost.
* this will filter all non-stable versions out of the BoM, not just alpha and beta --------- Co-authored-by: David Motsonashvili <davidmotson@google.com>
#7567) Added unit tests to `GenerativeModelTesting.kt` to verify that: 1. Using `HarmBlockMethod` with `GoogleAI` backend throws `InvalidStateException`. 2. Using `HarmBlockMethod` with `VertexAI` backend does not throw `InvalidStateException`. This covers an edge case where `HarmBlockMethod` is only supported by VertexAI. --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
wu-hui
force-pushed
the
feat/pipeline/public-preview
branch
from
7e0aa28 to
3352260
Compare
Auto-generated PR for cleaning up release m173 NO_RELEASE_CHANGE --------- Co-authored-by: emilypgoogle <110422458+emilypgoogle@users.noreply.github.com>
includes requested fixes to the Firebase AI documentation including: * Removing all uses of "e. g." * Adding backticks to code in @deprecated tags * Better details on `sendTextRealtime` --------- Co-authored-by: David Motsonashvili <davidmotson@google.com> Co-authored-by: rachelsaunders <52258509+rachelsaunders@users.noreply.github.com>
This PR adds a callback function `audioHandler` which would apply the necessary configurations or modifications to the `AudioTrack` and the `AudioRecord` objects used by the `startAudioCoversation` function. This PR also adds a new configuration class called conversation config which could be sent to the `startAudioConversation` function which allows users to specify different aspects of the conversation.
…androidTest/backend/functions/functions (#7572) Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.3.1 to 1.3.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md">node-forge's changelog</a>.</em></p> <blockquote> <h2>1.3.2 - 2025-11-25</h2> <h3>Security</h3> <ul> <li><strong>HIGH</strong>: ASN.1 Validator Desynchronization <ul> <li>An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.</li> <li>Reported by Hunter Wodzenski.</li> <li>CVE ID: <a href="https://www.cve.org/CVERecord?id=CVE-2025-12816">CVE-2025-12816</a></li> <li>GHSA ID: <a href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-5gfm-wpxj-wjgq">GHSA-5gfm-wpxj-wjgq</a></li> </ul> </li> <li><strong>HIGH</strong>: ASN.1 Unbounded Recursion <ul> <li>An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.</li> <li>Reported by Hunter Wodzenski.</li> <li>CVE ID: <a href="https://www.cve.org/CVERecord?id=CVE-2025-66031">CVE-2025-66031</a></li> <li>GHSA ID: <a href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-554w-wpv2-vw27">GHSA-554w-wpv2-vw27</a></li> </ul> </li> <li><strong>MODERATE</strong>: ASN.1 OID Integer Truncation <ul> <li>An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.</li> <li>Reported by Hunter Wodzenski.</li> <li>CVE ID: <a href="https://www.cve.org/CVERecord?id=CVE-2025-66030">CVE-2025-66030</a></li> <li>GHSA ID: <a href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-65ch-62r8-g69g">GHSA-65ch-62r8-g69g</a></li> </ul> </li> </ul> <h3>Fixed</h3> <ul> <li>[asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC verification bypass due to missing macData enforcement and improper asn1.validate routine.</li> <li>[asn1] Add <code>fromDer()</code> max recursion depth check. <ul> <li>Add a <code>asn1.maxDepth</code> global configurable maximum depth of 256.</li> <li>Add a <code>asn1.fromDer()</code> per-call <code>maxDepth</code> option.</li> <li><strong>NOTE</strong>: The default maximum is assumed to be higher than needed for valid data. If this assumption is false then this could be a breaking change. Please file an issue if there are use cases that need a higher maximum.</li> <li><strong>NOTE</strong>: The per-call <code>maxDepth</code> parameter has not been exposed up through all of the API stack due to the complexities involved. Please file an issue if there are use cases that require this instead of changing the default maximum.</li> </ul> </li> <li>[asn1] Improve OID handling. <ul> <li>Error on parsed OID values larger than <code>2**32 - 1</code>.</li> <li>Error on DER OID values larger than <code>2**53 - 1 </code>.</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/digitalbazaar/forge/commit/235ad3e70e4fdfdca4fdeb662dfba6588e2c38bd"><code>235ad3e</code></a> Release 1.3.2.</li> <li><a href="https://github.com/digitalbazaar/forge/commit/25982441171dc9815c87d3d886c5c8a1d092b334"><code>2598244</code></a> Update changelog.</li> <li><a href="https://github.com/digitalbazaar/forge/commit/0032dd0be8b6fb1b1092ef754d1dde91c10a95ad"><code>0032dd0</code></a> Fix typos.</li> <li><a href="https://github.com/digitalbazaar/forge/commit/d75e08d255559ae401d9368346cacefde306e6df"><code>d75e08d</code></a> Run new security test.</li> <li><a href="https://github.com/digitalbazaar/forge/commit/a5ce91d03df4dcfc025b74a5b7f50389942d49c9"><code>a5ce91d</code></a> Update changelog formatting.</li> <li><a href="https://github.com/digitalbazaar/forge/commit/4652de6ddd833392e52d99b37abbbda76817c0b7"><code>4652de6</code></a> Cleanups.</li> <li><a href="https://github.com/digitalbazaar/forge/commit/eb932d94fbd88655f46ac7a94a8e13e7ed8597f7"><code>eb932d9</code></a> Fix typo.</li> <li><a href="https://github.com/digitalbazaar/forge/commit/db6954ba4b4440831a5112dea5d37ef68a28b878"><code>db6954b</code></a> Fix style.</li> <li><a href="https://github.com/digitalbazaar/forge/commit/afbf7d8e0812014da134caa5a064cf55d1f61847"><code>afbf7d8</code></a> Align error message style.</li> <li><a href="https://github.com/digitalbazaar/forge/commit/6607445859637442cf586eaa7fa06e99a2a8ae0b"><code>6607445</code></a> Revert minor changes.</li> <li>Additional commits viewable in <a href="https://github.com/digitalbazaar/forge/compare/v1.3.1...v1.3.2">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/firebase/firebase-android-sdk/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Rodrigo Lazo <rlazo@users.noreply.github.com>
…ndroidTest/backend/functions/functions (#7570) Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 3.14.1 to 3.14.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md">js-yaml's changelog</a>.</em></p> <blockquote> <h2>[3.14.2] - 2025-11-15</h2> <h3>Security</h3> <ul> <li>Backported v4.1.1 fix to v3</li> </ul> <h2>[4.1.1] - 2025-11-12</h2> <h3>Security</h3> <ul> <li>Fix prototype pollution issue in yaml merge (<<) operator.</li> </ul> <h2>[4.1.0] - 2021-04-15</h2> <h3>Added</h3> <ul> <li>Types are now exported as <code>yaml.types.XXX</code>.</li> <li>Every type now has <code>options</code> property with original arguments kept as they were (see <code>yaml.types.int.options</code> as an example).</li> </ul> <h3>Changed</h3> <ul> <li><code>Schema.extend()</code> now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as <code>abcd</code> instead of <code>cbad</code>).</li> </ul> <h2>[4.0.0] - 2021-01-03</h2> <h3>Changed</h3> <ul> <li>Check <a href="https://github.com/nodeca/js-yaml/blob/master/migrate_v3_to_v4.md">migration guide</a> to see details for all breaking changes.</li> <li>Breaking: "unsafe" tags <code>!!js/function</code>, <code>!!js/regexp</code>, <code>!!js/undefined</code> are moved to <a href="https://github.com/nodeca/js-yaml-js-types">js-yaml-js-types</a> package.</li> <li>Breaking: removed <code>safe*</code> functions. Use <code>load</code>, <code>loadAll</code>, <code>dump</code> instead which are all now safe by default.</li> <li><code>yaml.DEFAULT_SAFE_SCHEMA</code> and <code>yaml.DEFAULT_FULL_SCHEMA</code> are removed, use <code>yaml.DEFAULT_SCHEMA</code> instead.</li> <li><code>yaml.Schema.create(schema, tags)</code> is removed, use <code>schema.extend(tags)</code> instead.</li> <li><code>!!binary</code> now always mapped to <code>Uint8Array</code> on load.</li> <li>Reduced nesting of <code>/lib</code> folder.</li> <li>Parse numbers according to YAML 1.2 instead of YAML 1.1 (<code>01234</code> is now decimal, <code>0o1234</code> is octal, <code>1:23</code> is parsed as string instead of base60).</li> <li><code>dump()</code> no longer quotes <code>:</code>, <code>[</code>, <code>]</code>, <code>(</code>, <code>)</code> except when necessary, <a href="https://redirect.github.com/nodeca/js-yaml/issues/470">#470</a>, <a href="https://redirect.github.com/nodeca/js-yaml/issues/557">#557</a>.</li> <li>Line and column in exceptions are now formatted as <code>(X:Y)</code> instead of <code>at line X, column Y</code> (also present in compact format), <a href="https://redirect.github.com/nodeca/js-yaml/issues/332">#332</a>.</li> <li>Code snippet created in exceptions now contains multiple lines with line numbers.</li> <li><code>dump()</code> now serializes <code>undefined</code> as <code>null</code> in collections and removes keys with <code>undefined</code> in mappings, <a href="https://redirect.github.com/nodeca/js-yaml/issues/571">#571</a>.</li> <li><code>dump()</code> with <code>skipInvalid=true</code> now serializes invalid items in collections as null.</li> <li>Custom tags starting with <code>!</code> are now dumped as <code>!tag</code> instead of <code>!<!tag></code>, <a href="https://redirect.github.com/nodeca/js-yaml/issues/576">#576</a>.</li> <li>Custom tags starting with <code>tag:yaml.org,2002:</code> are now shorthanded using <code>!!</code>, <a href="https://redirect.github.com/nodeca/js-yaml/issues/258">#258</a>.</li> </ul> <h3>Added</h3> <ul> <li>Added <code>.mjs</code> (es modules) support.</li> <li>Added <code>quotingType</code> and <code>forceQuotes</code> options for dumper to configure string literal style, <a href="https://redirect.github.com/nodeca/js-yaml/issues/290">#290</a>, <a href="https://redirect.github.com/nodeca/js-yaml/issues/529">#529</a>.</li> <li>Added <code>styles: { '!!null': 'empty' }</code> option for dumper (serializes <code>{ foo: null }</code> as "<code>foo: </code>"), <a href="https://redirect.github.com/nodeca/js-yaml/issues/570">#570</a>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodeca/js-yaml/commit/9963d366dfbde0c69722452bcd40b41e7e4160a0"><code>9963d36</code></a> 3.14.2 released</li> <li><a href="https://github.com/nodeca/js-yaml/commit/10d3c8e70a6888543f5cdb656bb39f73e0ea77c1"><code>10d3c8e</code></a> dist rebuild</li> <li><a href="https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266"><code>5278870</code></a> fix prototype pollution in merge (<<) (<a href="https://redirect.github.com/nodeca/js-yaml/issues/731">#731</a>)</li> <li>See full diff in <a href="https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/firebase/firebase-android-sdk/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Rodrigo Lazo <rlazo@users.noreply.github.com>
In context of class not found exception: #7296 This PR restore a previously deleted service as no operational The user reported a crash after upgrading to BoM 34.1.0 only for some Samsung and Oppo devices in Android 14/15. https://firebase.google.com/support/release-notes/android There was a major refactor on the way of monitoring application lifecycle events and determining when/if a new session should be generated. Which was the main purpose for `SessionLifecycleService`. [Firebase Session](https://github.com/firebase/firebase-android-sdk/blob/main/firebase-sessions/README.md) is used by Crashlytics and Performance internally to measure sessions [The refactor](https://github.com/firebase/firebase-android-sdk/pull/7039/files#diff-ea2eb8012abccd4cb5dccba37ec109f0eaa2a82fe6be852b5be7c32ed8de2b45) proposes the elimination of the service `SessionLifecycleService` in favor of `SharedSessionRepository`. This refactor was released on version `releases/m167` ([see commit here](c9a4a3d)). See diff of m167 with m166 [here](releases/m166...releases/m167). Looking for `SessionLifecycleService` usages into the SDK I found just a leftover reference in an Android Test Manifest. So I can conclude this is not production code. Reviewing the original `SessionLifecycleService` class I found out this service contains a `Binder` implementation It sounds like the Android system on those specific devices (Samsung/Oppo on Android 14/15) might be trying to recreate the `SessionLifecycleService` based on a cached manifest from the previous version of the host app, even though the service class itself is no longer present in the new version. This leads to the `ClassNotFoundException`. **Conclusions:** A) Stale Service Connections (I see this as the root cause, I’d like to review g3 code to confirm there is not source code having references to the removed service): If any component within the host app (or the SDK itself) was bound to `SessionLifecycleService` and the `ServiceConnection` wasn't properly released or unbound before the app update (or if the system is trying to restore a previous binding state), the system will attempt to call `onBind` on the service. When it tries to instantiate `SessionLifecycleService` to do this and finds the class missing, it results in the `ClassNotFoundException`. The git diff showed `android:exported="false"` for the service, which is good as it means only the SDK could bind to it. Why this still leads to `ClassNotFoundException` on update: Even if the new code doesn't try to bind to the removed service anymore, the Android system might still attempt to re-establish connections that it considers active or pending from the previous app session, especially if the app process didn't terminate cleanly or if the system is trying to restore the app's state after an update. If a `ServiceConnection` was active when the app was last running the old version, the system might try to call `onServiceConnected` for that connection, which requires instantiating the service. tl; dr: B) Android /System Caching/State Retention: The Android Package Manager or Activity Manager on certain devices/OS versions might retain information about previously registered services. If the service was started in a "sticky" way, the system will try to restart it after it's killed or after an app update if it believes the service should still be running. When it tries to do so with the updated app that lacks the service class, it crashes. C) Stale System State: Sometimes, especially with certain OEM customizations or newer Android versions, the system's package manager or activity manager might not perfectly clear all references to components from an old app version immediately upon an update. For users experiencing this: The most reliable fix is often a clean reinstall. D) OEM Customizations: Samsung and Oppo devices have their own modifications to Android, which can sometimes lead to different behaviors in how app updates and service lifecycles are handled. **Proposed workaround:** Future Service Removals (Refined Mitigation Strategy for Bound Services): **Version N+1** (Graceful Shutdown & Deprecation): Return the service class in the codebase, modify its onBind(Intent intent) method to return null immediately. This signals to any clients attempting to bind that the service is not available or is shutting down. Crucially, mark the service as `android:enabled="false"` in the AndroidManifest.xml. **This explicitly tells the system the service should not be started or bound**. **Version N+2** (Full Removal): Now that clients have had a version where the service gracefully refuses bindings and is disabled, it's safer to remove the service class and its manifest entry.
Currently based off of `ep/unit-test-report`, cannot be merged until that PR is.
wu-hui
force-pushed
the
feat/pipeline/public-preview
branch
from
3352260 to
1239582
Compare
wu-hui
force-pushed
the
feat/pipeline/public-preview
branch
from
1239582 to
5c6d908
Compare
This fixes a `NoSuchMethodError: No virtual method buildOrThrow()` error introduced when the Truth library was upgraded from 1.4.4 to 1.4.5 in PR #7497. Here is the full stack trace: ``` java.lang.NoSuchMethodError: No virtual method buildOrThrow()Lcom/google/common/collect/ImmutableMap; in class Lcom/google/common/collect/ImmutableMap$Builder; or its super classes (declaration of 'com.google.common.collect.ImmutableMap$Builder' appears in /data/app/com.google.firebase.testing.fireperf-UwnD88IA3xxKNmt0idI3uA==/base.apk!classes7.dex) at com.google.common.truth.Subject.<clinit>(Subject.java:1282) at com.google.common.truth.ComparableSubject.comparables(ComparableSubject.java:182) at com.google.common.truth.StandardSubjectBuilder.that(StandardSubjectBuilder.java:110) at com.google.common.truth.Truth.assertThat(Truth.java:153) at com.google.firebase.testing.fireperf.FirebasePerformanceFragmentScreenTracesTest.scrollAndCycleThroughAllFragments(FirebasePerformanceFragmentScreenTracesTest.java:56) ``` This bug was solved with help from Gemini, which gave this insight: ``` I am getting the crash below in an Android integration tests. Did Guava remove the ImmutableMap.buildOrThrow() method or something?? ``` Links: * https://github.com/firebase/firebase-android-sdk/actions/runs/20035701928/job/57464321738?pr=7585 * https://firebase.corp.google.com/project/fireescape-c4819/testlab/histories/bh.588330bbc5b76933/matrices/6849433697466807925/executions/bs.356271b0dcb89e85/testcases/1 No, Guava did not remove the method. In fact, the situation is the exact opposite: **buildOrThrow() is a newer method** that was added in Guava **31.0**. The error NoSuchMethodError is happening because there is a **dependency conflict** in your project. * **The Cause:** Your test library (Google Truth) was compiled against a **newer** version of Guava (31.0+) and expects buildOrThrow() to exist. However, another library in your project (likely a transitive dependency) is forcing an **older** version of Guava (older than 31.0) onto your classpath at runtime. * **The Victim:** com.google.common.truth.Subject is trying to call this method, but the older Guava JAR loaded by Android doesn't have it yet. You need to force your project to use a newer version of Guava that includes this method. Add (or update) the Guava dependency explicitly in your module's build.gradle file within the dependencies block. Make sure to use the \-android flavor: Groovy dependencies { // Force a newer version of Guava (31.0 or higher) for your tests androidTestImplementation 'com.google.guava:guava:33.3.1-android' } **Note:** If you are using implementation or api for Guava elsewhere, ensure those versions are also consistent (31.0+) so you don't get runtime crashes in your production app as well. You likely upgraded com.google.truth:truth recently. * **Truth 1.1.4 and newer** started using ImmutableMap.buildOrThrow() internally. * If your project pulls in an older library (like an older version of the Android tools or Firebase SDKs) that depends on Guava 28.x or 20.0, Gradle's conflict resolution might be downgrading Guava to that older version, breaking Truth. To confirm which old library is "poisoning" your dependency tree, you can run the following command in your terminal: Bash ./gradlew app:dependencies \--configuration androidTestCompileClasspath *(Replace app with your module name)*. Look for com.google.guava:guava in the output. You will likely see something like 33.3.1-android \-\> 28.1-android, indicating a downgrade happened. Adding the explicit dependency above fixes this by telling Gradle "I really mean it, use the new one."
… and firebase-tools to 14.27.0 (was 14.18.0) (#7585)
…ns/functions (#7580) Bumps and [jws](https://github.com/brianloveswords/node-jws). These dependencies needed to be updated together. Updates `jws` from 3.2.2 to 3.2.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/brianloveswords/node-jws/releases">jws's releases</a>.</em></p> <blockquote> <h2>v3.2.3</h2> <h3>Changed</h3> <ul> <li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.</li> <li>Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/auth0/node-jws/blob/master/CHANGELOG.md">jws's changelog</a>.</em></p> <blockquote> <h2>[3.2.3]</h2> <h3>Changed</h3> <ul> <li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.</li> <li>Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.</li> </ul> <h2>[3.0.0]</h2> <h3>Changed</h3> <ul> <li><strong>BREAKING</strong>: <code>jwt.verify</code> now requires an <code>algorithm</code> parameter, and <code>jws.createVerify</code> requires an <code>algorithm</code> option. The <code>"alg"</code> field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by <code>jwt.verify</code>. See <a href="https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/">https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/</a> for details.</li> </ul> <h2><a href="https://github.com/brianloveswords/node-jws/compare/v1.0.1...v2.0.0">2.0.0</a> - 2015-01-30</h2> <h3>Changed</h3> <ul> <li> <p><strong>BREAKING</strong>: Default payload encoding changed from <code>binary</code> to <code>utf8</code>. <code>utf8</code> is a is a more sensible default than <code>binary</code> because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. (<!-- raw HTML omitted --><a href="https://github.com/brianloveswords/node-jws/commit/6b6de48">6b6de48</a><!-- raw HTML omitted -->)</p> </li> <li> <p>Code reorganization, thanks <a href="https://github.com/fearphage"><code>@fearphage</code></a>! (<!-- raw HTML omitted --><a href="https://github.com/brianloveswords/node-jws/commit/7880050">7880050</a><!-- raw HTML omitted -->)</p> </li> </ul> <h3>Added</h3> <ul> <li>Option in all relevant methods for <code>encoding</code>. For those few users that might be depending on a <code>binary</code> encoding of the messages, this is for them. (<!-- raw HTML omitted --><a href="https://github.com/brianloveswords/node-jws/commit/6b6de48">6b6de48</a><!-- raw HTML omitted -->)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/auth0/node-jws/commit/4f6e73f24df42f07d632dec6431ade8eda8d11a6"><code>4f6e73f</code></a> Merge commit from fork</li> <li><a href="https://github.com/auth0/node-jws/commit/bd0fea57f35a97b6749a632b19ae5100d6d35729"><code>bd0fea5</code></a> version 3.2.3</li> <li><a href="https://github.com/auth0/node-jws/commit/7c3b4b411004c206af8901fa3f8e644127bbf8d9"><code>7c3b4b4</code></a> Enhance tests for HMAC streaming sign and verify</li> <li><a href="https://github.com/auth0/node-jws/commit/a9b8ed999de8f8fff486ac9167514577a0fae323"><code>a9b8ed9</code></a> Improve secretOrKey initialization in VerifyStream</li> <li><a href="https://github.com/auth0/node-jws/commit/6707fde62cbae465a7f11e52760fb994dbc0e0dc"><code>6707fde</code></a> Improve secret handling in SignStream</li> <li>See full diff in <a href="https://github.com/brianloveswords/node-jws/compare/v3.2.2...v3.2.3">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~julien.wollscheid">julien.wollscheid</a>, a new releaser for jws since your current version.</p> </details> <br /> Updates `jws` from 4.0.0 to 4.0.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/brianloveswords/node-jws/releases">jws's releases</a>.</em></p> <blockquote> <h2>v3.2.3</h2> <h3>Changed</h3> <ul> <li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.</li> <li>Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/auth0/node-jws/blob/master/CHANGELOG.md">jws's changelog</a>.</em></p> <blockquote> <h2>[3.2.3]</h2> <h3>Changed</h3> <ul> <li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.</li> <li>Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.</li> </ul> <h2>[3.0.0]</h2> <h3>Changed</h3> <ul> <li><strong>BREAKING</strong>: <code>jwt.verify</code> now requires an <code>algorithm</code> parameter, and <code>jws.createVerify</code> requires an <code>algorithm</code> option. The <code>"alg"</code> field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by <code>jwt.verify</code>. See <a href="https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/">https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/</a> for details.</li> </ul> <h2><a href="https://github.com/brianloveswords/node-jws/compare/v1.0.1...v2.0.0">2.0.0</a> - 2015-01-30</h2> <h3>Changed</h3> <ul> <li> <p><strong>BREAKING</strong>: Default payload encoding changed from <code>binary</code> to <code>utf8</code>. <code>utf8</code> is a is a more sensible default than <code>binary</code> because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. (<!-- raw HTML omitted --><a href="https://github.com/brianloveswords/node-jws/commit/6b6de48">6b6de48</a><!-- raw HTML omitted -->)</p> </li> <li> <p>Code reorganization, thanks <a href="https://github.com/fearphage"><code>@fearphage</code></a>! (<!-- raw HTML omitted --><a href="https://github.com/brianloveswords/node-jws/commit/7880050">7880050</a><!-- raw HTML omitted -->)</p> </li> </ul> <h3>Added</h3> <ul> <li>Option in all relevant methods for <code>encoding</code>. For those few users that might be depending on a <code>binary</code> encoding of the messages, this is for them. (<!-- raw HTML omitted --><a href="https://github.com/brianloveswords/node-jws/commit/6b6de48">6b6de48</a><!-- raw HTML omitted -->)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/auth0/node-jws/commit/4f6e73f24df42f07d632dec6431ade8eda8d11a6"><code>4f6e73f</code></a> Merge commit from fork</li> <li><a href="https://github.com/auth0/node-jws/commit/bd0fea57f35a97b6749a632b19ae5100d6d35729"><code>bd0fea5</code></a> version 3.2.3</li> <li><a href="https://github.com/auth0/node-jws/commit/7c3b4b411004c206af8901fa3f8e644127bbf8d9"><code>7c3b4b4</code></a> Enhance tests for HMAC streaming sign and verify</li> <li><a href="https://github.com/auth0/node-jws/commit/a9b8ed999de8f8fff486ac9167514577a0fae323"><code>a9b8ed9</code></a> Improve secretOrKey initialization in VerifyStream</li> <li><a href="https://github.com/auth0/node-jws/commit/6707fde62cbae465a7f11e52760fb994dbc0e0dc"><code>6707fde</code></a> Improve secret handling in SignStream</li> <li>See full diff in <a href="https://github.com/brianloveswords/node-jws/compare/v3.2.2...v3.2.3">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~julien.wollscheid">julien.wollscheid</a>, a new releaser for jws since your current version.</p> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/firebase/firebase-android-sdk/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Rodrigo Lazo <rlazo@users.noreply.github.com>
wu-hui
force-pushed
the
feat/pipeline/public-preview
branch
from
0283543 to
3f07dab
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.