Bump the trace-java-client-gradle-deps group in /trace-java-client with 6 updates

[dependabot]

Bumps the trace-java-client-gradle-deps group in /trace-java-client with 6 updates:

Package	From	To
com.google.code.gson:gson	2.10.1	2.11.0
io.opentracing.brave:brave-opentracing	1.0.0	1.0.1
org.apache.commons:commons-lang3	3.14.0	3.17.0
io.zipkin.zipkin2:zipkin	2.25.2	3.4.1
io.zipkin.reporter2:zipkin-sender-okhttp3	2.17.1	3.4.2
io.zipkin.brave:brave	5.17.0	6.0.3

Updates com.google.code.gson:gson from 2.10.1 to 2.11.0

Release notes

Sourced from com.google.code.gson:gson's releases.

Gson 2.11.0

Most important changes

• Added default ProGuard / R8 rules (@​Marcono1234, #2397, #2420; @​sgjesse, #2448; @​sfreilich)
  If you are using ProGuard or R8 (for example for Android projects) you might not need any special Gson configuration anymore if your classes have a no-args constructor and use @SerializedName for their fields.
• On Android, Gson now requires API level 21 or newer
• Added new Strictness API (@​marten-voorberg & fellow students, #2437)
  Some of Gson's API is still lenient by default, but you can now use the newly added methods GsonBuilder#setStrictness, JsonReader#setStrictness and JsonWriter#setStrictness with Strictness.STRICT to override this behavior and to instead strictly adhere to the JSON specification when parsing.
• New FormattingStyle class to allow configuring line breaks in JSON output (@​mihnita, #2231)
  Can be set using GsonBuilder#setFormattingStyle and JsonWriter#setFormattingStyle.
• TypeToken can no longer capture type variables by default (@​Marcono1234, #2376)
  This was previously a common source of issues. The newly thrown exception refers to a Troubleshooting Guide article which explains this in more detail and provides suggestions for updating affected code.
• Added serialization support for anonymous and local classes with a custom adapter (@​Marcono1234, #2498)
  This affects for example List implementations returned by libraries such as Guava which are implemented as anonymous class, which were previously serialized as null. Anonymous and local classes without custom adapter will still be serialized as null.
• Added dependency on com.google.errorprone:error_prone_annotations
  Your project can use Maven or Gradle dependency exclusions to remove the transitive error_prone_annotations dependency from Gson. Or if you are manually maintaining dependencies as JARs in your project you can omit error_prone_annotations. And it should still work correctly.
  But Gson itself does declare it as a required dependency, and if you don't perform any custom configuration, then Maven or Gradle will by default try to download and use it.
• Many exception messages now refer to the Troubleshooting Guide (@​Marcono1234, #2357)
  Feedback regarding the Troubleshooting Guide is appreciated!
• Officially documented that JVM languages other than Java might not be fully supported, see the README.
• Guarantee that JsonElement#toString produces JSON output (@​Marcono1234, #2659)

Other changes

Bug fixes

• Fixed incorrect JsonPrimitive#equals results for large BigInteger values (@​MaicolAntali, #2311)
• Fixed incorrect JsonPrimitive#equals results for large BigDecimal values (@​MaicolAntali, #2364)
• Fixed JsonReader throwing NumberFormatException instead of MalformedJsonException for malformed Unicode escape sequences (@​MaicolAntali, #2337)
• Fixed TypeToken#getParameterized returning bogus ParameterizedType for non-generic types (@​Marcono1234, #2447)
• Fixed Java Record adapter not working for GraalVM Native Image (@​eamonnmcmanus, #2465)
• Fixed JsonWriter#name not throwing exception when no JSON object is currently being written (@​shivam-sehgal, #2475; @​Marcono1234, #2476)
• Fixed Gson#getDelegateAdapter not working properly for @JsonAdapter (@​Marcono1234, #2435)
  Note that null is now not allowed as skipPast value anymore, which was previously allowed but undocumented.
• Fixed GsonBuilder not rejecting type adapters for Object and JsonElement, whose default adapters cannot be overridden (@​sachinp97; #2479)
• Fixed no limits being enforced when deserializing BigDecimal and BigInteger (@​Marcono1234, #2510)
  The new limits prevent potential performance problems when user code uses the deserialized numbers. Gson itself was and is not affected by these performance problems. The limits should be high enough to not cause issues for most use cases, but feedback is appreciated.
• Fixed GsonBuilder#setDateFormat not rejecting invalid date formats (@​Carpe-Wang, #2538)
• Fixed GsonBuilder#setDateFormat not rejecting invalid date styles (@​Marcono1234, #2545)
• Fixed GsonBuilder#setDateFormat ignoring partial DEFAULT style (@​Marcono1234, #2556)
• Fixed TypeToken#isAssignableFrom throwing AssertionError in some cases (@​Marcono1234, #2544)
• Fixed date adapters not restoring time zone after parsing (@​Carpe-Wang, #2549)
• Fixed TypeToken#equals erroneously returning false for equal generic type parameters in some cases (@​d-william, #2599)
• Fixed incorrect inherited URLs in pom.xml (@​Marcono1234, #2351)

Performance improvements

• Slightly reduce memory usage for reflection-based adapter (@​sembseth, #2325; @​Marcono1234, #2440)
• Improved parsing speed of ToNumberPolicy#LONG_OR_DOUBLE (@​ctasada, #2674)

... (truncated)

Commits

• 828a97b [maven-release-plugin] prepare release gson-parent-2.11.0
• 93bc0f2 Skip signing graal-native-test module. (#2675)
• b153ca1 [maven-release-plugin] rollback the release of gson-parent-2.11.0
• 0e3d2aa [maven-release-plugin] prepare for next development iteration
• 545b802 [maven-release-plugin] prepare release gson-parent-2.11.0
• 8bfdbb4 Guarantee that JsonElement.toString() produces JSON (#2659)
• 9008b09 Extend Troubleshooting Guide with some ProGuard / R8 information (#2656)
• 05652c3 Document that other JVM languages are not fully supported (#2666)
• 454a491 Improved Long-Double Number Policy (#2674)
• 570d911 Bump the github-actions group with 4 updates (#2671)
• Additional commits viewable in compare view

Updates io.opentracing.brave:brave-opentracing from 1.0.0 to 1.0.1

Commits

• See full diff in compare view

Updates org.apache.commons:commons-lang3 from 3.14.0 to 3.17.0

Updates io.zipkin.zipkin2:zipkin from 2.25.2 to 3.4.1

Release notes

Sourced from io.zipkin.zipkin2:zipkin's releases.

Zipkin 3.4.1 is a maintenance release, updating dependency versions to prevent problems such as bugs or CVEs.

Notable library updates:

• Spring Boot 3.3.0 -> 3.3.2
• Armeria 1.28.4 -> 1.29.4

Notable Docker image updates:

• Alpine 3.20.0 -> 3.20.2
• JRE 21.0.3_p9 -> 21.0.4_p7

Thanks also @​ceddy4395 for improving our CI setup.

For fine grained details, see the changes since 3.4.0.

Zipkin 3.4 adds support for OpenSearch v2 using the same ES_ prefixed environment variables used for Elasticsearch. Thanks a lot to @​reta for all the engineering that results in this being simple to use!

Note: Zipkin Dependencies 3.2 is the corresponding first release of the dependencies job that supports OpenSearch v2.

Zipkin 3.3.1 is a maintenance release that notably updates to Spring Boot 3.3 and Alpine Linux 3.20.

This also adds the test docker image ghcr.io/openzipkin/zipkin-opensearch2, which is used to test the upcoming Zipkin 3.4 release which will support OpenSearch 2 in addition to existing storage backends.

Notable thanks to @​reta on this release!

Zipkin 3.3 is maintenance only with no new features since the last release.

Notably, this raises the floor JRE version of libraries except core from 11 to 17. The only reason we had 11 in the past was due to Spark limitations that affected zipkin-dependencies. This was resolved by Spark 3.4, which we were recently able to upgrade to once libraries we used all became compatible with it.

Also, we now run Trivy security and misconfiguration scanner on every commit, in support of our new security policy. This policy was designed around the norms of our maintenance community, which is currently 100pct volunteers with no dedicated paid time for the project.

We appreciate Trivy adjusting the open source code for the somewhat unique needs of tracing projects: it requires running tests on old library versions. Their open mindedness in classification policy was critical in coming up with a policy at all. We need to focus the small amount of time we have available to the most important alerts, and not the noise: now we can.

Zipkin 3.2.1 fixes a regression where libraries that improve network performance (netty-tcnative) were not included in the main zipkin jar, resulting in unpublished Docker images.

Zipkin 3.2 improves accessibility blindness and language controls.

Before, there was no way to control "dark mode". Also, the color scheme lacked contrast and other features to support vision accessibility. @​giaroc's first commit to zipkin knocked this out of the park, resulting in an easier to read and control UI.

before:

after:

Full Changelog: https://github.com/openzipkin/zipkin/compare/3.1.1..3.2.0

Zipkin 3.1.1 is a hardening release, notably polishing out some UI glitches and experience problems for Cassandra users. Thanks a lot for all the feedback and patience, as we delayed this patch until we felt confident glitches were handled in a way that would be easy to diagnose in the future!

UI Fixes

... (truncated)

Commits

• 1dc238c [maven-release-plugin] prepare release 3.4.1
• 4d4d648 ci: updates to latest ubuntu-24.04 macos-14 (#3777)
• fcaa2cf deps: updates all main and test java library versions (#3774)
• 42e870d lens: updates to latest node and fix CVEs (#3776)
• 2cf1850 Updates to latest docker images, aligning maven version (#3775)
• 2f0a26f Fix potential github action smells (#3770)
• 0cae9f4 [maven-release-plugin] prepare for next development iteration
• 61e65dc [maven-release-plugin] prepare release 3.4.0
• fb8d8b9 bumps dependencies prior to 3.4 release (#3772)
• ed594e7 Supports OpenSearch V2 through ES_* environment variables (#3765)
• Additional commits viewable in compare view

Updates io.zipkin.reporter2:zipkin-sender-okhttp3 from 2.17.1 to 3.4.2

Release notes

Sourced from io.zipkin.reporter2:zipkin-sender-okhttp3's releases.

Zipkin Reporter 3.4 deprecates AsyncReporter/SpanHandler queuedMaxBytes and disables it by default.

When introduced, AsyncReporter had three ways to trigger a queue flush:

• queuedMaxSpans - when the number of spans in the queue exceeds a threshold
• queuedMaxBytes - when the size of the spans in the queue exceeds a threshold
• messageTimeout - when a span has been in the queue longer than a threshold

queuedMaxBytes was deprecated because requires time in the critical path, to calculate the size of a span to make sure it doesn't breach the threshold. This is problematic in tools that check for pinning, like Virtual Threads.

Thanks a lot to @​reta for sorting this out!

Full Changelog: https://github.com/openzipkin/zipkin-reporter-java/compare/3.3.0..3.4.1

Zipkin Reporter 3.3 adds a BaseHttpSender type, which eases http library integration. It also adds HttpEndpointSupplier which supports dynamic endpoint discovery such as from Eureka, as well utilities to create constants or rate-limit suppliers. Finally, brave users get a native PROTO3 encoder through the new MutableSpanBytesEncoder type.

These features were made in support of spring-boot, but available to any user with no new dependencies. For example, the PROTO encoder adds no library dependency, even if it increases the size of zipkin-reporter-brave by a couple dozen KB. A lion's share of thanks goes to @​reta and @​anuraaga who were on design and review duty for several days leading to this.

Here's an example of pulling most of these things together, integrating a sender with spring-cloud-loadbalancer (a client-side loadbalancer library).

This endpoint supplier will get the configuration endpoint value and look up the next target to use with the loadBalancerClient. The rate limiter will ensure a gap of 30 seconds between queries. While below is hard-coded, it covers some routine advanced features formerly only available in spring-cloud-sleuth. Now, anyone can use them!

@Configuration(proxyBeanMethods = false)
public class ZipkinDiscoveryConfiguration {
  @Bean HttpEndpointSupplier.Factory loadbalancerEndpoints(LoadBalancerClient loadBalancerClient) {
    LoadBalancerHttpEndpointSupplier.Factory httpEndpointSupplierFactory =
        new LoadBalancerHttpEndpointSupplier.Factory(loadBalancerClient);
    // don't ask more than 30 seconds (just to show)
    return HttpEndpointSuppliers.newRateLimitedFactory(httpEndpointSupplierFactory, 30);
  }
record LoadBalancerHttpEndpointSupplier(LoadBalancerClient loadBalancerClient, URI virtualURL)
implements HttpEndpointSupplier {
record Factory(LoadBalancerClient loadBalancerClient) implements HttpEndpointSupplier.Factory {
  @Override public HttpEndpointSupplier create(String endpoint) {
    return new LoadBalancerHttpEndpointSupplier(loadBalancerClient, URI.create(endpoint));
  }
}
@Override public String get() {
ServiceInstance instance = loadBalancerClient.choose(virtualURL.getHost());
if (instance != null) {
return instance.getUri() + virtualURL.getPath();
}
throw new IllegalArgumentException(virtualURL.getHost() + " is not registered");
}
@Override public void close() {
}

</tr></table>

... (truncated)

Commits

• bbe4d01 [maven-release-plugin] prepare release 3.4.2
• 128fa2c [maven-release-plugin] prepare for next development iteration
• 151238b [maven-release-plugin] prepare release 3.4.1
• ad5b40f Routine dependency updates (#271)
• 302b54c Avoid encoding list of spans twice in BaseHttpSender (#270)
• 5191332 Adds SECURITY.md and scanning workflow (#267)
• 3af6593 [maven-release-plugin] prepare for next development iteration
• 0af48b8 [maven-release-plugin] prepare release 3.4.0
• 22b6727 Adds spring-beans context test and defaults to Spring 5 (#265)
• fcc67bb Deprecates AsyncReporter/SpanHandler queuedMaxBytes (#264)
• Additional commits viewable in compare view

Updates io.zipkin.brave:brave from 5.17.0 to 6.0.3

Release notes

Sourced from io.zipkin.brave:brave's releases.

Brave 6.0.3 including the following minor changes. Thanks very much to @​reta and @​anuraaga for review support!

• fixes bug that allowed setting local or remote service names to the empty string ("")
• fixed thread safety issue when using Tag.tag
• ports brave-instrumentation-mongodb to work on the new org.mongodb:mongodb-driver-core v5
  • Note: the floor JRE of this instrumentation is now 1.7, where it formerly was 1.6
• changes license headers to SPDX style, as used in zipkin and zipkin-reporter

Full Changelog: https://github.com/openzipkin/brave/compare/6.0.2..6.0.3

Brave 6.0.2 fixes a propagation glitch on kafka streams processors using context.forward(). Tons of thanks to @​frosiere for the help on this! We also changed how dependencies are managed so that less false-positives show up due to our backwards compatability testing. We appreciate your continued use and feedback!

Full Changelog: https://github.com/openzipkin/brave/compare/6.0.1..6.0.2

Brave 6.0.1 simplifies internals of the json encoder and kafka-streams instrumentation. It also fixes a bug where a Tag<Throwable> passed to MutableSpanBytesEncoder.zipkinJsonV2 always used the key "error" even when set to something else. Finally @​reta fixed a flakey JMS integration test which was plaguing our CI builds!

Full Changelog: https://github.com/openzipkin/brave/compare/6.0.0..6.0.1

Brave 6 removes all modules and functions deprecated in Brave 5.x. It no longer has any dependency on io.zipkin.zipkin2:zipkin. Special thanks to @​reta and @​anuraaga for a lot of review support leading to this release!

No more deprecated functions

The final release of Brave 5 with deprecated functions was 5.18.1. Removing these functions was the only way to decouple Brave from zipkin's core library (io.zipkin.zipkin2:zipkin). However, this does not change Brave's floor Java 6 support. We still integration test this via the brave-example repository.

Here's an example of a working Java 6 and Spring 2.5 application, which is 280KB smaller due to use of the lean combination of Brave 6 and Zipkin Reporter 3.x:

# brave 5.18.1
3860    target/brave-example-webmvc25-1.0-SNAPSHOT.war
# brave 6.0.0
3580    target/brave-example-webmvc25-1.0-SNAPSHOT.war

No more io.zipkin.reporter2:zipkin-reporter or io.zipkin.zipkin2:zipkin dependencies

io.zipkin.brave:brave-bom used to manage zipkin-reporter dependencies. Since Brave no longer has dependencies on zipkin, it no longer manages them.

This impact is that users will need to manage their own versions for zipkin-reporter, likely via io.zipkin.reporter2:zipkin-reporter-bom described in the zipkin-reporter README.

To fully remove a zipkin core library dependency from your traced applications, use io.zipkin.reporter2:zipkin-reporter-brave 3.x AsyncZipkinSpanHandler. This is described in the zipkin-reporter README. You can expect currently maintained frameworks to do this on your behalf.

Thanks for your patience with the major upgrade. Things like this allow easier maintenance and a longer life for Brave, particularly as zipkin-server moves ahead with later Java versions.

Full Changelog: https://github.com/openzipkin/brave/compare/5.17.1..5.18.1

Brave 5.18 prepares for Brave 6 by deprecating instrumentation for libraries not released in 1.5-3.5 years including:

• context/rxjava2 - last released Feb 2021
  • replaced by RxJava3, but unlikely this module will be ported as it wasn't used widely.
• instrumentation/dubbo-rpc - (alibaba) last released Dec 2021

... (truncated)

Commits

• 95ae4c2 [maven-release-plugin] prepare release 6.0.3
• 08e8e39 Fixes thread safety issue in Tag.tag (#1434)
• 57f27e2 license: removes copyright year and uses SPDX ID (#1433)
• 170c79f Speeds up dubbo tests, aligns conventions and bumps deps (#1432)
• ef6fbbd Adds support for org.mongodb:mongodb-driver-core v5 (#1431)
• fe3c8b4 fixes bug setting service names to empty (#1428)
• 69e30f3 Adds BaggagePropagation benchmarks for decorate (#1425)
• b7ece7b Consolidates notes on "extra" data (#1424)
• d8dc495 benchmarks: moves dependency scope to test (#1422)
• 5552507 [maven-release-plugin] prepare for next development iteration
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Superseded by #1685.