Update Samples dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
gradle (source)		patch	8.14.2 -> 8.14.3
org.jetbrains.kotlinx:kotlinx-rpc-krpc-ktor-server	dependencies	minor	0.9.1 -> 0.10.0-grpc-127
org.jetbrains.kotlinx:kotlinx-rpc-krpc-ktor-client	dependencies	minor	0.9.1 -> 0.10.0-grpc-127
org.jetbrains.kotlinx:kotlinx-rpc-krpc-serialization-json	dependencies	minor	0.9.1 -> 0.10.0-grpc-127
org.jetbrains.kotlinx:kotlinx-rpc-krpc-server	dependencies	minor	0.9.1 -> 0.10.0-grpc-127
org.jetbrains.kotlinx:kotlinx-rpc-krpc-client	dependencies	minor	0.9.1 -> 0.10.0-grpc-127
io.grpc:grpc-kotlin-stub	dependencies	patch	1.4.1 -> 1.4.3
io.grpc:grpc-netty	dependencies	minor	1.73.0 -> 1.75.0
org.jetbrains.kotlinx.rpc.plugin	plugin	minor	0.9.1 -> 0.10.0-grpc-127
org.jetbrains.kotlinx:kotlinx-rpc-core	dependencies	minor	0.9.1 -> 0.10.0-grpc-127
org.jetbrains.kotlinx:kotlinx-rpc-grpc-core	dependencies	patch	0.10.0-grpc-121 -> 0.10.0-grpc-127
org.jetbrains.kotlinx:kotlinx-serialization-core	dependencies	minor	1.8.1 -> 1.9.0
org.jetbrains.kotlinx:kotlinx-serialization-json	dependencies	minor	1.8.1 -> 1.9.0
io.ktor.plugin	plugin	minor	3.2.1 -> 3.3.0-eap-115
io.ktor:ktor-client-js	dependencies	patch	3.2.1 -> 3.2.3
io.ktor:ktor-client-cio	dependencies	patch	3.2.1 -> 3.2.3
io.ktor:ktor-client-websockets	dependencies	patch	3.2.1 -> 3.2.3
io.ktor:ktor-client-core	dependencies	patch	3.2.1 -> 3.2.3
io.ktor:ktor-server-test-host	dependencies	patch	3.2.1 -> 3.2.3
io.ktor:ktor-server-host-common-jvm	dependencies	patch	3.2.1 -> 3.2.3
io.ktor:ktor-server-websockets-jvm	dependencies	patch	3.2.1 -> 3.2.3
io.ktor:ktor-server-cors-jvm	dependencies	patch	3.2.1 -> 3.2.3
io.ktor:ktor-server-netty-jvm	dependencies	patch	3.2.1 -> 3.2.3
io.ktor:ktor-server-core-jvm	dependencies	patch	3.2.1 -> 3.2.3
io.ktor:ktor-serialization-kotlinx-json	dependencies	patch	3.2.1 -> 3.2.3
io.ktor:ktor-client-serialization	dependencies	patch	3.2.1 -> 3.2.3
io.ktor:ktor-client-content-negotiation	dependencies	patch	3.2.1 -> 3.2.3
io.ktor:ktor-client-okhttp	dependencies	patch	3.2.1 -> 3.2.3
io.ktor:ktor-client-websockets-js	dependencies	patch	3.2.1 -> 3.2.3
io.ktor:ktor-server-cio	dependencies	patch	3.2.1 -> 3.2.3
androidx.compose.ui:ui-tooling-preview (source)	dependencies	minor	1.8.3 -> 1.9.0
androidx.compose.ui:ui-tooling (source)	dependencies	minor	1.8.3 -> 1.9.0
androidx.compose:compose-bom	dependencies	minor	2025.06.01 -> 2025.08.01
androidx.test.ext:junit	dependencies	minor	1.2.1 -> 1.3.0
com.google.android.material:material	dependencies	minor	1.12.0 -> 1.13.0
androidx.test.espresso:espresso-core	dependencies	minor	3.6.1 -> 3.7.0
androidx.core:core-ktx (source)	dependencies	minor	1.16.0 -> 1.17.0
org.jetbrains.kotlinx.rpc.plugin	plugin	patch	0.10.0-grpc-121 -> 0.10.0-grpc-127
androidx.compose.foundation:foundation (source)	dependencies	minor	1.8.3 -> 1.9.0
androidx.compose.ui:ui-test-junit4 (source)	dependencies	minor	1.8.3 -> 1.9.0
androidx.compose.ui:ui-test-manifest (source)	dependencies	minor	1.8.3 -> 1.9.0
androidx.compose.ui:ui-graphics (source)	dependencies	minor	1.8.3 -> 1.9.0
androidx.compose.ui:ui (source)	dependencies	minor	1.8.3 -> 1.9.0
org.jetbrains.kotlin-wrappers:kotlin-wrappers-bom	dependencies	minor	2025.6.11 -> 2025.9.2
com.android.library (source)	plugin	minor	8.11.0 -> 8.13.0
com.android.application (source)	plugin	minor	8.11.0 -> 8.13.0
com.android.application (source)	plugin	minor	8.11.0-alpha07 -> 8.13.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

gradle/gradle (gradle)

v8.14.3: 8.14.3

Compare Source

The Gradle team is excited to announce Gradle 8.14.3.

This is a patch release for 8.14. We recommend using 8.14.3 instead of 8.14.

Here are the highlights of this release:

• Java 24 support
• GraalVM Native Image toolchain selection
• Enhancements to test reporting
• Build Authoring improvements

Read the Release Notes

We would like to thank the following community members for their contributions to this release of Gradle:
Aurimas,
Ben Bader,
Björn Kautler,
chandre92,
Daniel Hammer,
Danish Nawab,
Florian Dreier,
Ivy Chen,
Jendrik Johannes,
jimmy1995-gu,
Madalin Valceleanu,
Na Minhyeok.

Upgrade instructions

Switch your build to use Gradle 8.14.3 by updating your wrapper:

./gradlew wrapper --gradle-version=8.14.3 && ./gradlew wrapper

See the Gradle 8.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.

For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.

Reporting problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines.
If you're not sure you're encountering a bug, please use the forum.

We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.

grpc/grpc-java (io.grpc:grpc-netty)

v1.75.0

Behavior Changes

• binder: Introduce server pre-authorization (#​12127). grpc-binder clients authorize servers by checking the UID of the sender of the SETUP_TRANSPORT Binder transaction against some SecurityPolicy. But merely binding to an unauthorized server to learn its UID can enable "keep-alive" and "background activity launch" abuse, even if security policy ultimately causes the grpc connection to fail. Pre-authorization mitigates this kind of abuse by resolving addresses and authorizing a candidate server Application's UID before binding to it. Pre-auth is especially important when the server's address is not fixed in advance but discovered by PackageManager lookup.

Bug Fixes

• core: grpc-timeout should always be positive (#​12201) (6dfa03c). There is a local race between when the deadline is checked before sending the RPC and when the timeout is calculated to put on-the-wire. The code replaced negative timeouts with 0 nanoseconds. gRPC’s PROTOCOL-HTTP2 spec states that timeouts should be positive, so now non-positive values are replaced with 1 nanosecond

• core: Improved DEADLINE_EXCEEDED message for delayed calls (6ff8eca). Delayed calls are the first calls on a Channel before name resolution has resolved addresses. Previously you could see confusing errors saying the deadline “will be exceeded in” X time. The message tense was simply wrong, and now will be correct: deadline “was exceeded after” X time.

• xds: PriorityLB now only uses the failOverTimer to start additional priorities, not fail RPCs (c4256ad). You should no longer see “Connection timeout for priority” errors.

Improvements

• netty: Count sent RST_STREAMs against NettyServerBuilder.maxRstFramesPerWindow() limit (#​12288). This extends the Rapid Reset tool to also cover MadeYouReset. the reset stream count will cause a 420 "Enhance your calm response" to be sent. This depends on Netty 4.1.124 for a bug fix to actually call the encoder by the frame writer.

• xds: Convert CdsLb to XdsDepManager (297ab05). This is part of gRFC A74 to have atomic xDS config updates. This is an internal change, but does change the error description seen in certain cases, especially DEADLINE_EXCEEDED on a brand-new channel.

• census: APIs for stats and tracing (#​12050) (9193701). Client channel and server builders with interceptors and factories respectively for stats and tracing.

• stub: simplify BlockingClientCall infinite blocking (#​12217) (ba0a732). Move deadline computation into overloads with finite timeouts. Blocking calls without timeouts now do not have to read the clock.

• xds: Do RLS fallback policy eagar start (#​12211) (42e1829). In gRPC-Java, the xDS clusters were lazily subscribed, which meant the fallback target which is returned in the RLS config wasn’t subscribed until a RPC actually falls back to it. The delayed resource subscription process in gRPC Java made it more susceptible to the effects of the INITIAL_RESOURCE_FETCH_TIMEOUT compared to other programming languages. It also had impact beyond the RLS cache expiration case, for example, when the first time the client initialized the channel, we couldn't fallback when the intended target times out, because of the lazy subscription. This change starts the fallback LB policy for the default target at the start of RLS policy instead of only when falling back to the default target, which fixes the above mentioned problems.

• xds: Aggregate cluster fixes (A75) (#​12186) (7e982e4). The earlier implementation of aggregate clusters concatenated the priorities from the underlying clusters into a single list, so that it could use a single LB policy defined at the aggregate cluster layer to choose a priority from that combined list. However, it turns out that aggregate clusters don't actually define the LB policy in the aggregate cluster; instead, the aggregate cluster uses a special cluster-provided LB policy that first chooses the underlying cluster and then delegates to the LB policy of the underlying cluster. This change implements that.

• api: set size correctly for sets and maps in handling Metadata values to be exchanged during a call (#​12229) (8021727)

• xds: xdsClient cache transient error for new watchers (#​12291). When a resource update is NACKed, cache the error and update new watchers that get added with that error instead of making them hang.

• xds: Avoid PriorityLb re-enabling timer on duplicate CONNECTING (#​12289). If a LB policy gives extraneous updates with state CONNECTING, then it was possible to re-create failOverTimer which would then wait the 10 seconds for the child to finish CONNECTING. We only want to give the child one opportunity after transitioning out of READY/IDLE.

• xds: Use a different log name for XdsClientImpl and ControlPlaneClient (#​12287). ControlPlaneClient uses "xds-cp-client" now instead of "xds-client" while logging.

Dependencies Changes

• Upgrade to Netty 4.1.124.Final (#​12286). This implicitly disables NettyAdaptiveCumulator (#​11284), which can have a performance impact. We delayed upgrading Netty to give time to rework the optimization, but we've gone too long already without upgrading which causes problems for vulnerability tracking.

• bazel: Use jar_jar to avoid xds deps (#​12243) (8f09b96). The //xds and //xds:orca targets now use jar_jar to shade the protobuf generated code. This allows them to use their own private copy of the protos and drop direct Bazel dependencies on cel-spec, grpc, rules_go, com_github_cncf_xds, envoy_api, com_envoyproxy_protoc_gen_validate, and opencensus_proto. This mirrors the shading of protobuf messages done for grpc-xds provided on Maven Central and should simplify dependency management

Documentation

• Clarify requirements for creating a cross-user Channel. (#​12181). The @SystemApi runtime visibility requirement isn't really new. It has always been implicit in the required INTERACT_ACROSS_USERS permission, which can only be held by system apps in production. Now deprecated BinderChannelBuilder#bindAsUser has always required SDK_INT >= 30. This change just copies that requirement forward to its replacement APIs in AndroidComponentAddress and the TARGET_ANDROID_USER NameResolver.Args.

• api: Add more Javadoc for NameResolver.Listener2 interface (#​12220) (d352540)

Thanks to

@​benjaminp
@​werkt
@​kilink
@​vimanikag

v1.74.0

Behavior Changes

• compiler: Default to @generated=omit (f8700a1). This omits javax.annotation.Generated from the generated code and makes the org.apache.tomcat:annotations-api compile-only dependency unnecessary (README and examples changes forthcoming; we delayed those changes until the release landed). You can use the option @generated=javax for the previous behavior, but please also file an issue so we can develop alternatives
• compiler: generate blocking v2 unary calls that throw StatusException (#​12126) (a16d655). Previously, the new blocking stub API was identical to the older blocking stub for unary RPCs and used the unchecked StatusRuntimeException. However, feedback demonstrated it was confusing to mix that with the checked StatusException in BlockingClientCall. Now the new blocking stub uses StatusException throughout. grpc-java continues to support the old generated code, but the version of protoc-gen-grpc-java will dictate which API you see. If you support multiple generated code versions, you can use the older blocking v1 stub for unary RPCs

Bug Fixes

• netty: Fix a race that caused RPCs to hang on start when a GOAWAY was received while the RPCs’ headers were being written to the OS (b04c673, 15c7573). This was a very old race, not a recent regression. All streams should now properly fail instead of hanging, although in some cases they may be transparently retried
• util: OutlierDetection should use nanoTime, not currentTimeMillis (#​12110) (1c43098). Previously, changes in the wall time would impact its accounting
• xds: Don't allow hostnames in address field in EDS (#​12123) (482dc5c). Only IP addresses were handled properly, and only IP addresses should be handled per gRFC A27
• xds: In resource handling, call onError() for RDS and EDS NACKs (#​12122) (efe9ccc). Previously the resource was NACKed, but gRPC would continue waiting for the resource until a timeout was reached and claim the control plane didn’t send the resource. Now it will fail quickly with an informative error
• xds: Implement equals in RingHashConfig (a5eaa66). Previously all configuration refreshes were considered a new config, which had the potential for causing unexpected inefficiency problems. This was noticed by new code for gRFC A74 xDS Config Tears that is not yet enabled, so there are no known problems that this caused
• LBs should avoid calling LBs after lb.shutdown() (1df2a33). This fixed pick_first and ring_hash behavior that could cause rare and “random” races in parent load balancers like a NullPointerException in ClusterImplLoadBalancer.createSubchannel(), which had a ring_hash child. This is most likely to help xDS, as it heavily uses hierarchical LB policies

Improvements

• util: Deliver addresses in a random order to shuffle connection creation ordering (f07eb47). Previously, connections were created in-order (but non-blocking), so in a fast network the first address could be more likely to connect first given a "microsecond" headstart. That first connection then receives all the buffered RPCs, which could cause temporary, but repeated, load imbalances of the same backend when all clients receive the same list of addresses in the same order. This has been seen in practice, but it is unclear how often it happens. Shuffling has the potential to improve load distribution of new clients when using round_robin, weighted_round_robin, and least_request, which connect simultaneously to multiple addresses
• core: Use lazy message formatting in checkState (#​12144) (26bd0ee). This avoids the potential of unnecessarily formatting an exception as a string when a subchannel fails to connect
• bazel: Migrate java_grpc_library to use DefaultInfo (#​12148) (6f69363). This adds compatibility for --incompatible_disable_target_default_provider_fields
• binder: Rationalize @​ThreadSafe-ty inside BinderTransport (#​12130) (c206428)
• binder: Cancel checkAuthorization() request if still pending upon termination (#​12167) (30d40a6)

Dependencies

• compiler: Upgrade Protobuf C++ to 22.5 (#​11961) (46485c8). This is used by the pre-built protoc-gen-grpc-java plugin on Maven Central. This should have no visible benefit, but gets us closer to upgrading to Protobuf 27 which added edition 2023 support
• release: Migrate artifacts publishing changed from legacy OSSRH to Central Portal (#​12156) (f99b2aa). We aren’t aware of any visible changes to the results on Maven Central

Kotlin/kotlinx.serialization (org.jetbrains.kotlinx:kotlinx-serialization-core)

v1.9.0

==================

This release updates Kotlin version to 2.2.0, includes several bugfixes and provides serializers for kotlin.time.Instant.

Add kotlin.time.Instant serializers

Instant class was moved from kotlinx-datetime library to Kotlin standard library.
As a result, kotlinx-datetime 0.7.0 no longer has serializers for the Instant class.
To use new kotlin.time.Instant class in your @​Serializable classes,
you can use this 1.9.0 kotlinx-serialization version (Kotlin 2.2 is required).
You can choose between default InstantSerializer which uses its string representation,
or specify InstantComponentSerializer that represents instant as its components.
See details in the PR.

Other bugfixes

• Fix resize in JsonPath (#​2995)
• Fixed proguard rules for obfuscation to work correctly (#​2983)

ktorio/ktor (io.ktor:ktor-client-js)

v3.2.3

Published 29 July 2025

Improvements

• Server only accepts yaml as the configuration file suffix (KTOR-8712)
• JS / WASM error when process global is undefined (KTOR-8686)
• DI async duplicate resolution (KTOR-8681)

Bugfixes

• CIO: Expect 100-continue response is missing a final \r\n (KTOR-8687)
• Intermittent "ParserException: No colon in HTTP header" when parsing multipart request (KTOR-8523)
• Infinite loop in ByteReadChannel.readFully (KTOR-8682)
• ShutDownUrl: The server cannot shut down since 3.2.0 (KTOR-8674)

v3.2.2

Published 14 July 2025

Improvements

• SSE: Change the order of SSE field serialization: put event before data (KTOR-8627)

Bugfixes

• CORS: server replies with the 405 status code on a preflight request when the plugin is installed in a route (KTOR-4499)
• Darwin: The Content-Encoding header is removed since 3.0.3 (KTOR-8526)
• JS/WASM: response doesn't contain the Content-Length header in a browser (KTOR-8377)
• StatusPages: response headers of OutgoingContent aren't available in the status handlers (KTOR-8232)
• testApplication: The client.sse() acts like a REST call and not a stream in test environment (KTOR-7910)
• Config deserialization - default properties problem (KTOR-8654)
• kotlinx.datetime is not available transitively in 3.2.1 (KTOR-8656)
• Request builder block overrides HTTP method in specific request builders (get, post, etc) (KTOR-8636)

material-components/material-components-android (com.google.android.material:material)

v1.13.0

Compare Source

New in 1.13.0!

• DockedToolbarLayout (source, doc, spec)
• FloatingToolbarLayout (source, doc, spec)
• LoadingIndicator (source, doc, spec)
• MaterialSplitButton (source, doc, spec)
• MaterialButtonGroup (source, doc, spec)

Important

• Required minSdkVersion is now 21 or higher, for Material and AndroidX.
• Now built with compileSdkVersion 35, Android Gradle Plugin (AGP) 8.7.3, Gradle 8.9, and android.nonTransitiveRClass=true.
  • This means that R classes are no longer transitive and resources must be fully qualified with their library path when used programmatically (see the Getting Started guide for more info).
• Material 3 Expressive has moved to the 1.14.0 versions of the library. To get a sneak peak, update to version 1.14.0-alpha04 and use the Material3Expressive themes/styles in conjunction with new components mentioned above.

Dependency Updates

Dependency	Previous version	New version
androidx.appcompat:appcompat	1.6.1	1.7.0
androidx.constraintlayout:constraintlayout	2.0.1	2.1.0
androidx.dynamicanimation:dynamicanimation	1.0.0	1.1.0
androidx.graphics:graphics-shapes	N/A	1.0.1
com.android.tools.build:gradle	7.4.2	8.7.3

Library Updates

• A11y
  • Include "hour" and "minute" in announcements. For example: "Not checked, Hour - 11'0 clock. double tap to select Hour". (960bb4c)
  • Move responsibility of disabling hide on scroll to HideViewOnScrollBehavior and BottomAppBar (9c33476)
  • Prevent hide on scroll when Talkback is on (d560705)
  • Add missing 'button' mention to Talkback output for close icon. (79bd7d7)
• BottomNavigationView
  • Update catalog demo to demonstrate adaptive bottom navigation bar (76936c4)
  • Fix early return in setItemGravity() (8a4d3c6)
• BottomSheet
  • Prevent ACTION_DOWN events on the BottomSheetHandleDragView from setting touchingScrollChild to true. (af7f254)
  • Fix keyboard animation on Android 14 (a0b4dfa)
  • Fixed main catalog demo cutting off content when screen size is too small. (005687d)
  • Remove disruptive announcement "Drag handle double tapped"for BottomSheetDragHandleView. (95025c6)
• Carousel
  • Recyclerview children do not inherit layout direction (ca0b870)
  • Update keyline state if necessary if item size changes (52228c1)
  • Update multi-browse strategy to always have at least 1 medium item (916e908)
  • Recalculate keyline state if it doesn't match the current container size (d0f5d72)
• Checkbox
  • Update translations. (7711191)
• Chip
  • Get default minTouchTargetSize from material attributes (436437a)
  • Add a show all Chip for a11y (8e33421)
  • Updated flow layout to correctly layout padding when in RTL. (1eaf483)
  • Fix close icon focus ripple (a7ff8c9)
• CollapsingToolbarLayout
  • Added multiple subtitle support. (57297ae)
  • Fixed incorrect title and subtitle positioning. (8598aa6)
• Color
  • Updated to only draw surface color under the button's stroke when the buttons are actually overlapped. (7ae12b5)
  • ColorResourcesTableCreator: Fix length encoding for utf8 strings (7c62429)
  • ColorResourcesTableCreator: Fix resource entry names (443eaa5)
  • Added M3 colors in M3 ThemeOverlay. (ede0713)
• Dialog
  • Add m3 styles for floating toolbar and docked toolbar for dialog (1b58f5f)
  • Fixed issue with child views overflowing from the alert dialog. (1ee9a86)
• DockedToolbar
  • Include IME in insets (834ce09)
  • Fix typo in DockedToolbar doc (0c83f50)
  • Add new demo to show fewer items (68a79d7)
  • Add docs (08a8893)
  • Adding inset padding attributes (1fd228b)
  • Create DockedToolbarLayout (51873bb)
• FloatingActionButton
  • Fix the width calculation in the wrap_content extend strategy (1e06f7c)
  • Added medium FAB and s/m/l extended FABs to Material3. (870ace3)
  • Restored public jumpDrawablesToCurrentState method (6f41625)
  • Fixed wrong elevation per state. (f513914)
  • Improved readability. (949b057)
  • Fixed wrong elevation per state. (db7fe20)
  • Merged FABImpl and FABImplLollipop classes, since no pre-lollipop is supported. ([da442be](https://redirect.github.com/material-components/material-components-android/commit/

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.