chore(deps): bump the minor-and-patch group with 30 updates

[dependabot]

Bumps the minor-and-patch group with 30 updates:

Package	From	To
com.google.guava:guava	33.0.0-jre	33.4.0-jre
com.github.gestalt-config:gestalt-core	0.29.0	0.35.1
com.github.gestalt-config:gestalt-toml	0.29.0	0.35.1
com.fasterxml.jackson:jackson-bom	2.15.2	2.18.2
org.jctools:jctools-core	4.0.1	4.0.5
io.jsonwebtoken:jjwt-api	0.11.5	0.12.6
io.jsonwebtoken:jjwt-impl	0.11.5	0.12.6
io.jsonwebtoken:jjwt-jackson	0.11.5	0.12.6
io.vertx:vertx-auth-jwt	4.5.3	4.5.11
io.vertx:vertx-core	4.5.3	4.5.11
io.vertx:vertx-web	4.5.3	4.5.11
io.netty:netty-all	4.1.108.Final	4.1.116.Final
io.micrometer:micrometer-registry-prometheus	1.11.0	1.14.2
io.micrometer:micrometer-tracing-bom	1.1.1	1.4.1
ch.qos.logback:logback-core	1.4.12	1.5.15
ch.qos.logback:logback-classic	1.4.14	1.5.15
org.slf4j:slf4j-api	2.0.7	2.0.16
io.opentelemetry:opentelemetry-bom-alpha	1.26.0-alpha	1.45.0-alpha
io.opentelemetry:opentelemetry-bom	1.26.0	1.45.0
info.picocli:picocli	4.7.3	4.7.6
info.picocli:picocli-codegen	4.7.3	4.7.6
com.google.errorprone:error_prone_core	2.18.0	2.36.0
io.libp2p:jvm-libp2p	1.0.1-RELEASE	1.2.2-RELEASE
com.aayushatharva.brotli4j:brotli4j	1.16.0	1.18.0
org.junit.jupiter:junit-jupiter	5.9.1	5.11.4
org.junit.jupiter:junit-jupiter-engine	5.9.0	5.11.4
org.junit.platform:junit-platform-suite-api	1.9.1	1.11.4
org.junit.platform:junit-platform-suite-engine	1.9.1	1.11.4
org.junit.platform:junit-platform-reporting	1.9.1	1.11.4
com.diffplug.spotless	6.23.3	6.25.0

Updates com.google.guava:guava from 33.0.0-jre to 33.4.0-jre

Release notes

Sourced from com.google.guava:guava's releases.

33.4.0

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>33.4.0-jre</version>
  <!-- or, for Android: -->
  <version>33.4.0-android</version>
</dependency>

Jar files

• 33.4.0-jre.jar
• 33.4.0-android.jar

Guava requires one runtime dependency, which you can download here:

• failureaccess-1.0.1.jar

Javadoc

• 33.4.0-jre
• 33.4.0-android

JDiff

• 33.4.0-jre vs. 33.3.1-jre
• 33.4.0-android vs. 33.3.1-android
• 33.4.0-android vs. 33.4.0-jre

Changelog

• Exposed additional Java 8 APIs to Android users. (6082782134, 9b0109c662, 6ace8bc8ea, b650b9fe77, c6c268006c, 984f713d76, f9f3fffb87, cdc225474e)
• base: Deprecated Charsets constants in favor of StandardCharsets. We will not remove the constants, but we recommend using StandardCharsets for consistency. (45e6be2688)
• base: Added ToStringHelper.omitEmptyValues(). (f5ec2ab85c)
• collect: Added an optimized copyOf method to TreeRangeMap. (a46565dd1c)
• collect.testing: Fixed @Require annotations so that features implied by absent features are not also required to be absent. (81be061f85)
• io: Changed ByteSink and CharSink to no longer call flush() in some cases before close(). This is a no-op for well-behaved streams, which internally flush their data as part of closing. However, we have discovered some stream implementations that have overridden close() to do nothing, including not to flush some buffered data. If this change causes problems, the simplest fix is usually to change the close() override to at least call flush(). (6ace8bc8ea)
• net: Added HttpHeaders.ALT_SVC and MediaType.CBOR. (503ba429f9, 7c0bf0892d)

33.3.1

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
</tr></table> 

... (truncated)

Commits

• See full diff in compare view

Updates com.github.gestalt-config:gestalt-core from 0.29.0 to 0.35.1

Release notes

Sourced from com.github.gestalt-config:gestalt-core's releases.

v0.33.0 Annotations

What's Changed

• Feat/annotations by @​credmond-git in gestalt-config/gestalt#225

Certain annotations can be applied to a configuration using @{annotation}, this will covert the annotation to metadata that can be applied to the node. Then the metadata is used to apply the intended behaviour to the node.

For example, we can apply the temporary node feature on a node by using the annotation @{temp:1}

my.password=abcdef@{temp:1}

annotation	parameter	description
temp	(int) Number of times this temp node can be read	restrict the number of times a value can be read before it is released
encrypt	(boolean) if we should apply to this node	Encrypts the node in memory.
nocache	(boolean) if we should apply to this node	Will not cache the node. If a node is part of a object the whole object will not be cached.
secret	(boolean) if we should apply to this node	Treats the node as a secret, so it will not print it out in errors or the debug print.

Trim Whitespace

By default, white spaces before and after the annotation are trimmed. You can disable this feature using the gestalt builder and setting setAnnotationTrimWhiteSpace(false)

GestaltBuilder builder = new GestaltBuilder();
Gestalt gestalt = builder
  .addSource(MapConfigSourceBuilder.builder()
    .setCustomConfig(configs)
    .build())
  .setAnnotationTrimWhiteSpace(false)
  .build();

Full Changelog: gestalt-config/gestalt@v0.32.2...v0.33.0

v0.32.2

What's Changed

• Feat/207 node include source factories by @​credmond-git in gestalt-config/gestalt#214
  • Add additional node include sources:
    • URL Config Source
    • Env Vars
    • Kubernetes
    • System
    • S3 (AWS)
    • Blob (Azure)
    • git
    • Google Cloud Storage
• test: additional git tests. by @​credmond-git in gestalt-config/gestalt#217

Full Changelog: gestalt-config/gestalt@v0.32.1...v0.32.2

... (truncated)

Commits

• aad3846 chore: prepare release 0.35.1
• 9c3fb51 fix: module issues with RunTimeConfigNodeProcessor.
• 6f617a4 chore: update github actions.
• e341cb4 feat: prepare release v0.35.0
• 3b9719d dep: update to Kotlin 2.1.0
• 706c1cd perf: fix performance regression with cache since we added getConfigResult, a...
• ea3eb75 docs: update some details on the web page like changing the order of the anno...
• 19c23ea Update README.md
• ca3c5b5 test: add additional test for dist 100.
• b48fb58 chore: prepare release v0.34.0
• Additional commits viewable in compare view

Updates com.github.gestalt-config:gestalt-toml from 0.29.0 to 0.35.1

Release notes

Sourced from com.github.gestalt-config:gestalt-toml's releases.

v0.33.0 Annotations

What's Changed

• Feat/annotations by @​credmond-git in gestalt-config/gestalt#225

Certain annotations can be applied to a configuration using @{annotation}, this will covert the annotation to metadata that can be applied to the node. Then the metadata is used to apply the intended behaviour to the node.

For example, we can apply the temporary node feature on a node by using the annotation @{temp:1}

my.password=abcdef@{temp:1}

annotation	parameter	description
temp	(int) Number of times this temp node can be read	restrict the number of times a value can be read before it is released
encrypt	(boolean) if we should apply to this node	Encrypts the node in memory.
nocache	(boolean) if we should apply to this node	Will not cache the node. If a node is part of a object the whole object will not be cached.
secret	(boolean) if we should apply to this node	Treats the node as a secret, so it will not print it out in errors or the debug print.

Trim Whitespace

By default, white spaces before and after the annotation are trimmed. You can disable this feature using the gestalt builder and setting setAnnotationTrimWhiteSpace(false)

GestaltBuilder builder = new GestaltBuilder();
Gestalt gestalt = builder
  .addSource(MapConfigSourceBuilder.builder()
    .setCustomConfig(configs)
    .build())
  .setAnnotationTrimWhiteSpace(false)
  .build();

Full Changelog: gestalt-config/gestalt@v0.32.2...v0.33.0

v0.32.2

What's Changed

• Feat/207 node include source factories by @​credmond-git in gestalt-config/gestalt#214
  • Add additional node include sources:
    • URL Config Source
    • Env Vars
    • Kubernetes
    • System
    • S3 (AWS)
    • Blob (Azure)
    • git
    • Google Cloud Storage
• test: additional git tests. by @​credmond-git in gestalt-config/gestalt#217

Full Changelog: gestalt-config/gestalt@v0.32.1...v0.32.2

... (truncated)

Commits

• aad3846 chore: prepare release 0.35.1
• 9c3fb51 fix: module issues with RunTimeConfigNodeProcessor.
• 6f617a4 chore: update github actions.
• e341cb4 feat: prepare release v0.35.0
• 3b9719d dep: update to Kotlin 2.1.0
• 706c1cd perf: fix performance regression with cache since we added getConfigResult, a...
• ea3eb75 docs: update some details on the web page like changing the order of the anno...
• 19c23ea Update README.md
• ca3c5b5 test: add additional test for dist 100.
• b48fb58 chore: prepare release v0.34.0
• Additional commits viewable in compare view

Updates com.fasterxml.jackson:jackson-bom from 2.15.2 to 2.18.2

Commits

• 55ff098 [maven-release-plugin] prepare release jackson-bom-2.18.2
• 84a6fe4 Prep for 2.18.2 release
• 88591c6 Merge branch '2.17' into 2.18
• bc1206e Back to snapshot dep
• 1021173 [maven-release-plugin] prepare for next development iteration
• e3fd468 [maven-release-plugin] prepare release jackson-bom-2.17.3
• ef13a7a Start 2.17.3 release
• 1ed3d25 Back to snapshot deps
• fac9a3b [maven-release-plugin] prepare for next development iteration
• ef33ac7 [maven-release-plugin] prepare release jackson-bom-2.18.1
• Additional commits viewable in compare view

Updates org.jctools:jctools-core from 4.0.1 to 4.0.5

Release notes

Sourced from org.jctools:jctools-core's releases.

Fix bytecode version and add unpadded atomic queues

No release notes provided.

Minor Release 4.0.2

Same code, new bundling post #370

Commits

• a17b56f Update development version to 4.0.5-SNAPSHOT
• 173423c Addressing Nitsan's comment
• 4b7d2ac Adding Atomic Unpadded queues
• 5c1b88b Update development version to 4.0.4-SNAPSHOT
• 0dae71c Update development version to 4.0.3-SNAPSHOT
• f36b00f Fix #384, ## in javadoc instead of #
• 463181b Add module descriptor to jctools-core
• 3e54465 Add CodeQL workflow for GitHub code scanning
• 25c1a28 Adding benchmark for thread-local object pool use case
• 9c39910 Update RELEASE-NOTES.md post 4.0.1 release
• Additional commits viewable in compare view

Updates io.jsonwebtoken:jjwt-api from 0.11.5 to 0.12.6

Release notes

Sourced from io.jsonwebtoken:jjwt-api's releases.

0.12.6

This patch release:

• Ensures that after successful JWS signature verification, an application-configured Base64Url Decoder output is used to construct a Jws instance (instead of JJWT's default decoder). See jwtk/jjwt#947.
• Fixes a decompression memory leak in concurrent/multi-threaded environments introduced in 0.12.0 when decompressing JWTs with a zip header of GZIP. See jwtk/jjwt#949.
• Upgrades BouncyCastle to 1.78 via jwtk/jjwt#941
• Usees Acsiidoc as README format by @​bdemers in jwtk/jjwt#777
• Allows using GenericSecret for HmacSHA* algorithms by @​mnylen in jwtk/jjwt#935
• Enables JWE arbitrary content compression by @​mnylen in jwtk/jjwt#937

New Contributors

• @​mnylen made their first contribution in jwtk/jjwt#935

Full Changelog: jwtk/jjwt@0.12.5...0.12.6

0.12.5

This release fixes issue #916 and ensures that builders' NestedCollection changes are applied to the collection immediately as mutation methods are called, no longer requiring application developers to call .and() to 'commit' or apply a change. For example, prior to this release, the following code did not apply changes:

JwtBuilder builder = Jwts.builder();
builder.audience().add("an-audience"); // no .and() call
builder.compact(); // would not keep 'an-audience'

Now this code works as expected and all other NestedCollection instances like it apply changes immediately (e.g. when calling .add(value)).

However, standard fluent builder chains are still recommended for readability when feasible, e.g.

Jwts.builder()
    .audience().add("an-audience").and() // allows fluent chaining
    .subject("Joe")
    // etc...
    .compact()

These same notes are repeated in the CHANGELOG, and as always, project documentation is in the README.

Please allow 30 minutes from the time this announcement is published for the release to be available in Maven Central.

0.12.4

This is patch release completes 10 issues, with two especially noteworthy changes, and a number of other smaller bug fixes and enhancements.

1. The default Jackson deserializer will now reject duplicate JSON members by default in an attempt to be a little more strict at rejecting potentially malicious or malformed JSON. This is a default and can be overridden with a custom ObjectMapper if desired.
2. Password-based JWE encryption key algorithms (PBES2_HS256_A128KW, PBES2_HS384_A192KW and PBES2_HS512_A256KW) now enforce an upper bound (maximum) number of iterations allowed during decryption to mitigate against potential DoS attacks. Many thanks to Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab for their work on this!

A number of other issues fixed: thread-safe ServiceLoader usage for dynamic JSON processor lookup, Android enhancements for JSON Reader APIs, fixed Elliptic Curve field element padding, and more. Please read the 0.12.4 CHANGELOG for full details of all of these changes, and as always, project documentation is in the 0.12.4 README.

Please allow 30 minutes from the time this announcement is published for the release to be available in Maven Central.

... (truncated)

Changelog

Sourced from io.jsonwebtoken:jjwt-api's changelog.

0.12.6

This patch release:

• Ensures that after successful JWS signature verification, an application-configured Base64Url Decoder output is used to construct a Jws instance (instead of JJWT's default decoder). See Issue 947.
• Fixes a decompression memory leak in concurrent/multi-threaded environments introduced in 0.12.0 when decompressing JWTs with a zip header of GZIP. See Issue 949.
• Upgrades BouncyCastle to 1.78 via PR 941.

0.12.5

This patch release:

• Ensures that builders' NestedCollection changes are applied to the collection immediately as mutation methods are called, no longer requiring application developers to call .and() to 'commit' or apply a change. For example, prior to this release, the following code did not apply changes:

  JwtBuilder builder = Jwts.builder();
  builder.audience().add("an-audience"); // no .and() call
  builder.compact(); // would not keep 'an-audience'

  Now this code works as expected and all other NestedCollection instances like it apply changes immediately (e.g. when calling .add(value)).

  However, standard fluent builder chains are still recommended for readability when feasible, e.g.

  Jwts.builder()
      .audience().add("an-audience").and() // allows fluent chaining
      .subject("Joe")
      // etc...
      .compact()

  See Issue 916.

0.12.4

This patch release includes various changes listed below.

Jackson Default Parsing Behavior

This release makes two behavioral changes to JJWT's default Jackson ObjectMapper parsing settings:

1. In the interest of having stronger standards to reject potentially malformed/malicious/accidental JSON that could have undesirable effects on an application, JJWT's default ObjectMapper is now configured to explicitly reject/fail parsing JSON (JWT headers and/or Claims) if/when that JSON contains duplicate JSON member names.

   For example, now the following JSON, if parsed, would fail (be rejected) by default:

... (truncated)

Commits

• 0df9756 [maven-release-plugin] prepare release 0.12.6
• aacdfdc - Updated README.adoc :project-version: to be 0.12.6.
• d14f27b Bump org.bouncycastle:bcprov-jdk18on from 1.76 to 1.78 (#941)
• 0c2d96c Fixes #949 (#950)
• a7de554 Fixes #947 (#948)
• 7543248 Bump org.bouncycastle:bcpkix-jdk18on from 1.76 to 1.78 (#943)
• 3489fdb JWE arbitrary content compression (#937)
• 23d9a33 Allow using GenericSecret for HmacSHA* (#935)
• c673b76 Update SECURITY.md
• 2694861 Use Acsiidoc as README format (#777)
• Additional commits viewable in compare view

Updates io.jsonwebtoken:jjwt-impl from 0.11.5 to 0.12.6

Release notes

Sourced from io.jsonwebtoken:jjwt-impl's releases.

0.12.6

This patch release:

• Ensures that after successful JWS signature verification, an application-configured Base64Url Decoder output is used to construct a Jws instance (instead of JJWT's default decoder). See jwtk/jjwt#947.
• Fixes a decompression memory leak in concurrent/multi-threaded environments introduced in 0.12.0 when decompressing JWTs with a zip header of GZIP. See jwtk/jjwt#949.
• Upgrades BouncyCastle to 1.78 via jwtk/jjwt#941
• Usees Acsiidoc as README format by @​bdemers in jwtk/jjwt#777
• Allows using GenericSecret for HmacSHA* algorithms by @​mnylen in jwtk/jjwt#935
• Enables JWE arbitrary content compression by @​mnylen in jwtk/jjwt#937

New Contributors

• @​mnylen made their first contribution in jwtk/jjwt#935

Full Changelog: jwtk/jjwt@0.12.5...0.12.6

0.12.5

This release fixes issue #916 and ensures that builders' NestedCollection changes are applied to the collection immediately as mutation methods are called, no longer requiring application developers to call .and() to 'commit' or apply a change. For example, prior to this release, the following code did not apply changes:

JwtBuilder builder = Jwts.builder();
builder.audience().add("an-audience"); // no .and() call
builder.compact(); // would not keep 'an-audience'

Now this code works as expected and all other NestedCollection instances like it apply changes immediately (e.g. when calling .add(value)).

However, standard fluent builder chains are still recommended for readability when feasible, e.g.

Jwts.builder()
    .audience().add("an-audience").and() // allows fluent chaining
    .subject("Joe")
    // etc...
    .compact()

These same notes are repeated in the CHANGELOG, and as always, project documentation is in the README.

Please allow 30 minutes from the time this announcement is published for the release to be available in Maven Central.

0.12.4

This is patch release completes 10 issues, with two especially noteworthy changes, and a number of other smaller bug fixes and enhancements.

1. The default Jackson deserializer will now reject duplicate JSON members by default in an attempt to be a little more strict at rejecting potentially malicious or malformed JSON. This is a default and can be overridden with a custom ObjectMapper if desired.
2. Password-based JWE encryption key algorithms (PBES2_HS256_A128KW, PBES2_HS384_A192KW and PBES2_HS512_A256KW) now enforce an upper bound (maximum) number of iterations allowed during decryption to mitigate against potential DoS attacks. Many thanks to Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab for their work on this!

A number of other issues fixed: thread-safe ServiceLoader usage for dynamic JSON processor lookup, Android enhancements for JSON Reader APIs, fixed Elliptic Curve field element padding, and more. Please read the 0.12.4 CHANGELOG for full details of all of these changes, and as always, project documentation is in the 0.12.4 README.

Please allow 30 minutes from the time this announcement is published for the release to be available in Maven Central.

... (truncated)

Changelog

Sourced from io.jsonwebtoken:jjwt-impl's changelog.

0.12.6

This patch release:

• Ensures that after successful JWS signature verification, an application-configured Base64Url Decoder output is used to construct a Jws instance (instead of JJWT's default decoder). See Issue 947.
• Fixes a decompression memory leak in concurrent/multi-threaded environments introduced in 0.12.0 when decompressing JWTs with a zip header of GZIP. See Issue 949.
• Upgrades BouncyCastle to 1.78 via PR 941.

0.12.5

This patch release:

• Ensures that builders' NestedCollection changes are applied to the collection immediately as mutation methods are called, no longer requiring application developers to call .and() to 'commit' or apply a change. For example, prior to this release, the following code did not apply changes:

  JwtBuilder builder = Jwts.builder();
  builder.audience().add("an-audience"); // no .and() call
  builder.compact(); // would not keep 'an-audience'

  Now this code works as expected and all other NestedCollection instances like it apply changes immediately (e.g. when calling .add(value)).

  However, standard fluent builder chains are still recommended for readability when feasible, e.g.

  Jwts.builder()
      .audience().add("an-audience").and() // allows fluent chaining
      .subject("Joe")
      // etc...
      .compact()

  See Issue 916.

0.12.4

This patch release includes various changes listed below.

Jackson Default Parsing Behavior

This release makes two behavioral changes to JJWT's default Jackson ObjectMapper parsing settings:

1. In the interest of having stronger standards to reject potentially malformed/malicious/accidental JSON that could have undesirable effects on an application, JJWT's default ObjectMapper is now configured to explicitly reject/fail parsing JSON (JWT headers and/or Claims) if/when that JSON contains duplicate JSON member names.

   For example, now the following JSON, if parsed, would fail (be rejected) by default:

... (truncated)

Commits

• 0df9756 [maven-release-plugin] prepare release 0.12.6
• aacdfdc - Updated README.adoc :project-version: to be 0.12.6.
• d14f27b Bump org.bouncycastle:bcprov-jdk18on from 1.76 to 1.78 (#941)
• 0c2d96c Fixes #949 (#950)
• a7de554 Fixes #947 (#948)
• 7543248 Bump org.bouncycastle:bcpkix-jdk18on from 1.76 to 1.78 (#943)
• 3489fdb JWE arbitrary content compression (#937)
• 23d9a33 Allow using GenericSecret for HmacSHA* (#935)
• c673b76 Update SECURITY.md
• 2694861 Use Acsiidoc as README format (#777)
• Additional commits viewable in compare view

Updates io.jsonwebtoken:jjwt-jackson from 0.11.5 to 0.12.6

Updates io.vertx:vertx-auth-jwt from 4.5.3 to 4.5.11

Updates io.vertx:vertx-core from 4.5.3 to 4.5.11

Commits

• 27e674d Releasing 4.5.11
• e87837f Decouple the handshake part ServerWebSocket API.
• fcfc661 Redefine what a context closed means.
• a87afd2 Future.await should interrupt the current thread when the worker executor is ...
• ccca2b8 Merge pull request #5316 from franz1981/4.x_unified_allocator_fix_ssl
• a7c2ba5 Provide opportunity to create a client WebSocket with a given vertx context t...
• 032de2b Add peer host and port info for server SslHandler
• 3600204 Save recursive locks on websocket writeFrame
• 775d945 Execute blocking operations and context worker tasks should be concurrent.
• a3393ac Adding new end 2 end test
• Additional commits viewable in compare view

Updates io.vertx:vertx-web from 4.5.3 to 4.5.11

Updates io.netty:netty-all from 4.1.108.Final to 4.1.116.Final

Commits

• 2a58b07 [maven-release-plugin] prepare release netty-4.1.116.Final
• a739efa Adaptive: Add assert to guard against bugs related to chunk pooling (#14590)
• 22cb4ec Fix race and leaks introduced in tests by a16f8aaf2ff101567a526916b46… (#14588)
• ad104c6 Correctly gard aginst failure when running on systems with 1 core
• a16f8aa Allow PcapWriteHandler to output PCAP files larger than 2GB (#14478)
• dccfcc8 Adapt: Ensure Chunks from the central Queue are re-used even if there… (#14586)
• fdc10c4 chore: use readRetainedSlice to avoid copy in SpdyFrameDecoder (#14573)
• 46b11cc Adapt: Don't fail when we run on a host with 1 core (#14582) (#14584)
• 6138a5a Adapt: Only add Chunk to central Queue if unused (#14580) (#14583)
• 6c3041f Adaptive: Correctly restore allocatedBytes value on failure (#14577) (#14578)
• Additional commits viewable in compare view

Updates io.micrometer:micrometer-registry-prometheus from 1.11.0 to 1.14.2

Release notes

Sourced from io.micrometer:micrometer-registry-prometheus's releases.

1.14.2

🐞 Bug Fixes

• Protect against concurrent reads/writes to Context keyvalues #5739
• Null stacktrace in InvalidObservationException using Virtual Threads #5702
• Deprecate AggregationTemporality#toOtlpAggregationTemporality #5733
• Warn about gauge re-registration #5688
• executor.queued metrics of ForkJoinPool does not include queued submissions #5650
• Default ObservationConventions for Grpc do not always use a consistent set of keyvalues #5609

🔨 Dependency Upgrades

• Bump software.amazon.awssdk:cloudwatch from 2.29.14 to 2.29.23 #5724
• Bump io.prometheus:prometheus-metrics-bom from 1.3.3 to 1.3.4 #5723
• Bump dropwizard-metrics from 4.2.28 to 4.2.29 #5721

📔 Documentation

• Remove duplicated contextpropagation.adoc #5693
• Polish "Grafana Dashboard" section #5662
• Use BOM for Micrometer dependency examples in reference docs #5652

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​izeye

1.14.1

📔 Documentation

• Gauges may be silently ignored when MeterFilters drop or transform tags #5616

🔨 Dependency Upgrades

• Bump com.netflix.spectator:spectator-reg-atlas from 1.8.1 to 1.8.2 #5685
• Bump software.amazon.awssdk:cloudwatch from 2.29.7 to 2.29.14 #5669
• Bump shaded netty to 4.1.115.Final in micrometer-registry-statsd to address CVE-2024-47535 #5660

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​izeye

1.14.0

Micrometer 1.14.0 is the GA version of a new feature release. See our support policy for support timelines.

Below are the combined release notes of all the pre-release milestones and release candidate preceding this GA release.

... (truncated)

Commits

• 4f534a7 Protect against concurrent reads/writes to Context keyvalues (#5739)
• 4a44430 Merge branch '1.13.x' into 1.14.x
• 157a7e5 Merge branch '1.12.x' into 1.13.x
• 23cd63b Configure context at right place
• 877d5ca Use shared context for deploy secrets
• a7d7488 Merge branch '1.13.x' into 1.14.x
• 8cd92d9 Merge branch '1.12.x' into 1.13.x
• c5514c1 Include queued submissions in executor.queued
• c95db08 Bump com.fasterxml.jackson.core:jackson-databind from 2.18.1 to 2.18.2 (#5722)
• de00aa3 Bump testcontainers from 1.20.3 to 1.20.4 (#5720)
• Additional commits viewable in compare view

Updates io.micrometer:micrometer-tracing-bom from 1.1.1 to 1.4.1

Release notes

Sourced from io.micrometer:micrometer-tracing-bom's releases.

1.4.1

🐞 Bug Fixes

• OTel Span is not set to status "ok" when ends successfully #890

🔨 Dependency Upgrades

• Upgrade to Micrometer 1.14.2 #908
• Bump io.zipkin.reporter2:zipkin-reporter-bom from 3.4.2 to 3.4.3 #903

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​GFriedrich

1.4.0

⚠️ Noteworthy

• OTel dependency convergence issue #819

⭐ New Features

• Support list values in tags in Span and SpanCustomizer #817
• Make OtelSpan public instead of package-private #808
• Add @Nullable annotations #744
• Propagating values from Observation.Context to Trace's Baggage #455

🔨 Dependency Upgrades

• Upgrade to Micrometer 1.14.0 #886
• Bump io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha to 2.9.0-alpha #876 (micrometer-metrics/tracing#876) (Brings in io.opentelemetry:opentelemetry-bom:1.43.0)
• Bump io.zipkin.reporter2:zipkin-reporter-bom to 3.4.2 #846

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Jasz, @​chemicL, @​ThomasVitale, @​m15o

1.4.0-RC1

This is a pre-release milestone for early testing purposes. See https://github.com/micrometer-metrics/tracing?tab=readme-ov-file#milestone-releases

⭐ New Features

• Support list values in tags in Span and SpanCustomizer #817
• Make OtelSpan public instead of package-private #808

🔨 Dependency Upgrades

... (truncated)

Commits

• 81e3387 Upgrade to Micrometer 1.14.2
• 67b8941 Merge branch '1.3.x' into 1.4.x
• 06acfac Upgrade to Micrometer 1.13.9
• 391d116 Bump io.micrometer:micrometer-bom from 1.14.0 to 1.14.1 (#904)
• 58b57d3 Bump org.apache.logging.log4j:log4j-core from 2.24.1 to 2.24.2 (#906)
• 734a668 Bump testcontainers from 1.20.3 to 1.20.4 (#905)
• 88cfadb Merge branch '1.3.x' into 1.4.x
• 916821e Bump io.zipkin.reporter2:zipkin-reporter-bom from 3.4.2 to 3.4.3 (#903)
• f0bbf8e Merge branch '1.3.x' into 1.4.x
• e830428 Merge branch '1.2.x' into 1.3.x
• Additional commits viewable in compare view

Updates ch.qos.logback:logback-core from 1.4.12 to 1.5.15

Commits

• c32c92a prepare release 1.5.15
• 402fc67 check that logback-classic and logback-core are identical
• 020610a name is optional in EventEvaluator, add ExceptionMatchEvaluator with a test
• 11a3951 start work on 1.5.15-SNAPSHOT
• 3ddf27b prepare release 1.5.14
• d4804f9 fix incompatibile change, Spring-Boot issue 885
• 3492bc8 start work on 1.5.14-SNAPSHOT
• 32638aa prepare release 1.5.13
• 0056a9c CORE_POOL_SIZE set to 4
• 2cb6d52 remove JaninoEventEvaluator
• Additional commits viewable in compare view

Updates ch.qos.logback:logback-classic from 1.4.14 to 1.5.15

Commits

• c32c92a prepare release 1.5.15
• 402fc67 check that logback-classic and logback-core are identical
• 020610a name is optional in EventEvaluator, add ExceptionMatchEvaluator with a test
• 11a3951 start work on 1.5.15-SNAPSHOT
• 3ddf27b prepare release 1.5.14
• d4804f9 fix incompatibile change, Spring-Boot issue 885
• 3492bc8 start work on 1.5.14-SNAPSHOT
• 32638aa prepare release 1.5.13
• 0056a9c CORE_POOL_SIZE set to 4
• 2cb6d52 remove JaninoEventEvaluator
• Additional commits viewable in compare view

Updates org.slf4j:slf4j-api from 2.0.7 to 2.0.16

Updates io.opentelemetry:opentelemetry-bom-alpha from 1.26.0-alpha to 1.45.0-alpha

Release notes

Sourced from io.opentelemetry:opentelemetry-bom-alpha's releases.

Version 1.44.1

This is a patch release on the previous 1.44.0 release, fixing the issue(s) below.

SDK

Traces

• Fix regression in event attributes (#6865)

Version 1.44.0

API

• Fix ConfigUtil#getString ConcurrentModificationException (#6841)

SDK

Traces

• Stabilize ExceptionEventData (#6795)

Metrics

• Stabilize metric cardinality limits (#6794)
• Refactor metrics internals to remove MeterSharedState (#6845)

Exporters

• Add memory mode option to stdout exporters (#6774)
• Log a warning if OTLP endpoint port is likely incorrect given the protocol (#6813)
• Fix OTLP gRPC retry mechanism for unsuccessful HTTP responses (#6829)
• Add ByteBuffer field type marshaling support (#6686)
• Fix stdout exporter format by adding newline after each export (

[dependabot]

Looks like these dependencies are no longer updatable, so this is no longer needed.