Bump com.google.firebase:firebase-perf from 21.0.1 to 22.0.5

[dependabot]

Bumps com.google.firebase:firebase-perf from 21.0.1 to 22.0.5.

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[claude]

🔍 Dependency Analysis Summary

Package	Old	New	Type
com.google.firebase:firebase-perf	21.0.1	22.0.5	MAJOR

Overall risk: LOW — despite the major version bump, the breaking changes do not affect this project (minSdk already 23, AGP/Gradle/perf-plugin already meet requirements, and the project never used the deprecated firebase-perf-ktx artifact).

📋 Detailed Changelog Review

Package: com.google.firebase:firebase-perf (21.0.1 → 22.0.5)

Notable releases across the range:

• 21.0.2 — Fixed IllegalStateException when starting traces before Firebase initialization. Updated protobuf to 3.25.5 (CVE-2024-7254).
• 21.0.4 / 21.0.5 — Performance fix for Remote Config-driven SharedPreferences writes; protolite-well-known-types bumped to 18.0.1.
• 22.0.0 (Jul 2025) — MAJOR:
  • minSdkVersion raised to API 23 (Android 6.0).
  • Deprecated Kotlin extensions (KTX) module discontinued; KTX APIs collapsed into the main firebase-perf artifact.
• 22.0.1 — Fixed ANR on app launch.
• 22.0.2 — Fixed AppStartTrace behavior on API 34+ devices.
• 22.0.3 — Internal OkHttp bumped 3.12.13 → 4.12.0.
• 22.0.4 — Fixed StrictMode DiskReadViolation in AppStartTrace setup.
• 22.0.5 — Internal dependency bumps.

Breaking changes: minSdk 23 (we already require 23 — see app/build.gradle:283); KTX module removal (not used here — see below).

Security fixes: CVE-2024-7254 (protobuf) picked up via 21.0.2.

Migration notes: None required for this project.

⚠️ Impact Assessment

Breaking changes affecting CommCare: No.

Verification:

• minSdkVersion 23 already set (app/build.gradle:283) — satisfies the 22.0.0 minSdk requirement.
• compileSdk 36, targetSdkVersion 35 — well above requirements.
• AGP 8.13.2 and perf-plugin 2.0.2 already in place (build.gradle:10, build.gradle:16) — both exceed the 22.0.0 floor (AGP 7.0+, Gradle 7.3.3+, perf-plugin 2.0.0+).
• Kotlin 2.2.20, OkHttp 4.11.0 — compatible with firebase-perf 22.0.3's internal OkHttp 4.12.0 bump (same major line).
• No com.google.firebase.perf.ktx.* imports anywhere in the codebase, so the KTX collapse is a non-issue.

Affected files (usage only — no changes needed):

• app/src/org/commcare/CommCareApplication.java — FirebasePerformance.getInstance().setPerformanceCollectionEnabled(true)
• app/src/org/commcare/google/services/analytics/CCPerfMonitoring.kt — FirebasePerformance.getInstance().newTrace(...)
• app/src/org/commcare/gis/EntityMapActivity.java, EntityLoaderTask.java, SaveToDiskTask.java, DataPullTask.java, FormLoaderTask.java, EntityStringFilterer.java, DeviceReportWriter.java, EncryptionIO.java, HybridFileBackedSqlStorage.java — all use com.google.firebase.perf.metrics.Trace, which is unchanged in 22.x.

Test impact: None expected.

Configuration changes: None required. The FirebasePerformance { ... } Gradle block and firebase_performance_collection_enabled manifest meta-data continue to work unchanged.

Side note (not blocking): firebase-analytics:20.1.2 is now quite stale (current 22.x line). Worth a follow-up bump, but outside the scope of this PR.

🛠️ Recommendations

• Action Required: None beyond standard merge verification.
• Testing Focus:
  • App-start cold launch (verify no ANR — 22.0.1 specifically addressed an ANR regression).
  • Existing custom traces in EntityLoaderTask, FormLoaderTask, DataPullTask, SaveToDiskTask, EntityStringFilterer — confirm they still report to the Firebase console after a release build.
  • Confirm StrictMode logs are clean on app start (22.0.4 fix area).
• Follow-up Tasks: Consider opening a separate PR to bring firebase-analytics to a current version.
• Merge Recommendation: APPROVE ✅

📚 Useful Links

• Firebase Android release notes
• firebase-perf CHANGELOG
• firebase-android-sdk releases