Bump the root-gradle-deps group with 10 updates

[dependabot]

Bumps the root-gradle-deps group with 10 updates:

Package	From	To
com.google.guava:guava	32.1.3-jre	33.0.0-jre
com.amazonaws:aws-java-sdk-bom	1.12.618	1.12.625
com.fasterxml.jackson.dataformat:jackson-dataformat-yaml	2.16.0	2.16.1
io.grpc:grpc-bom	1.60.0	1.60.1
io.grpc:grpc-api	1.60.0	1.60.1
io.grpc:grpc-netty-shaded	1.60.0	1.60.1
io.zipkin.zipkin2:zipkin	2.25.0	2.25.2
io.zipkin.reporter2:zipkin-sender-okhttp3	2.16.5	2.17.1
io.zipkin.brave:brave	5.16.0	5.17.0
software.amazon.awssdk:s3	2.21.44	2.22.5

Updates com.google.guava:guava from 32.1.3-jre to 33.0.0-jre

Release notes

Sourced from com.google.guava:guava's releases.

33.0.0

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>33.0.0-jre</version>
  <!-- or, for Android: -->
  <version>33.0.0-android</version>
</dependency>

Jar files

• 33.0.0-jre.jar
• 33.0.0-android.jar

Guava requires one runtime dependency, which you can download here:

• failureaccess-1.0.1.jar

Javadoc

• 33.0.0-jre
• 33.0.0-android

JDiff

• 33.0.0-jre vs. 32.1.3-jre
• 33.0.0-android vs. 32.1.3-android
• 33.0.0-android vs. 33.0.0-jre

Changelog

• This version of guava-android contains some package-private methods whose signature includes the Java 8 Collector API. This is a test to identify any problems before we expose those methods publicly to users. Please report any problems that you encounter. (73dbf7ef26)
• Changed various classes to catch Exception instead of RuntimeException even when only RuntimeException is theoretically possible. This can help code that throws undeclared exceptions, as some bytecode rewriters (e.g., Robolectric) and languages (e.g., Kotlin) do. (c294c23760, 747924e, b2baf48)
• Added an Automatic-Module-Name to failureaccess, Guava's one strong runtime dependency. (280b5d2f60)
• reflect: In guava-android only, removed Invokable.getAnnotatedReturnType() and Parameter.getAnnotatedType(). These methods never worked in an Android VM, and to reflect that, they were born @Deprecated, @Beta, and @DoNotCall. They're now preventing us from rolling out some new Android compatibility testing. This is the only binary-incompatible change in this release, and it should have no effect in practice. Still, we bump the major version number to follow Semantic Versioning. (045cd8428f)
• util.concurrent: Changed our implementations to avoid eagerly initializing loggers during class loading. This can help performance, especially under Android. (4fe1df56bd)

Commits

• See full diff in compare view

Updates com.amazonaws:aws-java-sdk-bom from 1.12.618 to 1.12.625

Changelog

Sourced from com.amazonaws:aws-java-sdk-bom's changelog.

1.12.625 2023-12-22

AWS Glue

• Features

  • This release adds additional configurations for Query Session Context on the following APIs: GetUnfilteredTableMetadata, GetUnfilteredPartitionMetadata, GetUnfilteredPartitionsMetadata.

AWS Lake Formation

• Features

  • This release adds additional configurations on GetTemporaryGlueTableCredentials for Query Session Context.

AWS MediaConnect

• Features

  • This release adds the DescribeSourceMetadata API. This API can be used to view the stream information of the flow's source.

AWS Secrets Manager

• Features

  • Update endpoint rules and examples.

Agents for Amazon Bedrock

• Features

  • Adding Claude 2.1 support to Bedrock Agents

Amazon CloudWatch Network Monitor

• Features

  • CloudWatch Network Monitor is a new service within CloudWatch that will help network administrators and operators continuously monitor network performance metrics such as round-trip-time and packet loss between their AWS-hosted applications and their on-premises locations.

Amazon Omics

• Features

  • Provides minor corrections and an updated description of APIs.

Amazon Simple Storage Service

• Features

  • Added additional examples for some operations.

1.12.624 2023-12-21

AWS CodeCommit

• Features

  • AWS CodeCommit now supports customer managed keys from AWS Key Management Service. UpdateRepositoryEncryptionKey is added for updating the key configuration. CreateRepository, GetRepository, BatchGetRepositories are updated with new input or output parameters.

AWS Elemental MediaLive

• Features

  • MediaLive now supports the ability to configure the audio that an AWS Elemental Link UHD device produces, when the device is configured as the source for a flow in AWS Elemental MediaConnect.

AWS RDS DataService

• Features

  • This release adds support for using RDS Data API with Aurora PostgreSQL Serverless v2 and provisioned DB clusters.

Agents for Amazon Bedrock

• Features

  • This release introduces Amazon Aurora as a vector store on Knowledge Bases for Amazon Bedrock

... (truncated)

Commits

• 984da2f AWS SDK for Java 1.12.625
• 12d1079 Update GitHub version number to 1.12.625-SNAPSHOT
• c2987a9 AWS SDK for Java 1.12.624
• 21d2fa1 Update GitHub version number to 1.12.624-SNAPSHOT
• 30b1009 AWS SDK for Java 1.12.623
• 73e41cf Update GitHub version number to 1.12.623-SNAPSHOT
• 5b894bc AWS SDK for Java 1.12.622
• 78b3d91 Update GitHub version number to 1.12.622-SNAPSHOT
• 63d0d92 AWS SDK for Java 1.12.621
• 5d37c21 Update GitHub version number to 1.12.621-SNAPSHOT
• Additional commits viewable in compare view

Updates com.fasterxml.jackson.dataformat:jackson-dataformat-yaml from 2.16.0 to 2.16.1

Commits

• 370682e [maven-release-plugin] prepare release jackson-dataformats-text-2.16.1
• 124d9b3 Prepare for 2.16.1 release
• 0b7087b Update release notes wrt backport #445 fix
• 18108a4 Fixes for issue #445: Wraps unexpected NullPointerException (#446)
• 8e47f98 Warnings removal
• f4c2cf2 Back to snapshot dep
• b1c7177 [maven-release-plugin] prepare for next development iteration
• See full diff in compare view

Updates io.grpc:grpc-bom from 1.60.0 to 1.60.1

Release notes

Sourced from io.grpc:grpc-bom's releases.

v1.60.1

Bug Fixes

• util: Fix NPE when multiple addresses in an address group for petiole load balancer policies (#10770)

Commits

• cd7ae8b Bump version to 1.60.1
• ef29460 missed step
• 8b24759 Bump version to 1.60.2-SNAPSHOT
• 09952f1 Bump version to 1.60.2-SNAPSHOT
• 661dbe3 Update README etc to reference 1.60.1
• 121f23f Add increment as identified in #10768 (#10769) (#10770)
• b758702 buildscripts: Use the Kokoro shared install lib from the new repo (#10757) (#...
• 1f99df9 Bump version to 1.60.1-SNAPSHOT
• See full diff in compare view

Updates io.grpc:grpc-api from 1.60.0 to 1.60.1

Release notes

Sourced from io.grpc:grpc-api's releases.

v1.60.1

Bug Fixes

• util: Fix NPE when multiple addresses in an address group for petiole load balancer policies (#10770)

Commits

• cd7ae8b Bump version to 1.60.1
• ef29460 missed step
• 8b24759 Bump version to 1.60.2-SNAPSHOT
• 09952f1 Bump version to 1.60.2-SNAPSHOT
• 661dbe3 Update README etc to reference 1.60.1
• 121f23f Add increment as identified in #10768 (#10769) (#10770)
• b758702 buildscripts: Use the Kokoro shared install lib from the new repo (#10757) (#...
• 1f99df9 Bump version to 1.60.1-SNAPSHOT
• See full diff in compare view

Updates io.grpc:grpc-netty-shaded from 1.60.0 to 1.60.1

Release notes

Sourced from io.grpc:grpc-netty-shaded's releases.

v1.60.1

Bug Fixes

• util: Fix NPE when multiple addresses in an address group for petiole load balancer policies (#10770)

Commits

• cd7ae8b Bump version to 1.60.1
• ef29460 missed step
• 8b24759 Bump version to 1.60.2-SNAPSHOT
• 09952f1 Bump version to 1.60.2-SNAPSHOT
• 661dbe3 Update README etc to reference 1.60.1
• 121f23f Add increment as identified in #10768 (#10769) (#10770)
• b758702 buildscripts: Use the Kokoro shared install lib from the new repo (#10757) (#...
• 1f99df9 Bump version to 1.60.1-SNAPSHOT
• See full diff in compare view

Updates io.zipkin.zipkin2:zipkin from 2.25.0 to 2.25.2

Release notes

Sourced from io.zipkin.zipkin2:zipkin's releases.

Zipkin 2.25.2 adds the ppc64le architecture to our production zipkin and zipkin-slim images. It also fixes a couple docker crashes when run on Apple Silicon. Finally, we documented how to run the Elasticsearch Service Depedencies graph job ad-hoc, as it has been frequently asked about.

Special thanks to @​NishikantThorat from Knative for the help progressing ppc64le, as well @​anuraaga for lots of review support.

Full Changelog: openzipkin/zipkin@2.25.1...2.25.2

Zipkin 2.25.1 sets a milestone where a trivy scan of our openzipkin/zipkin:2.25.1 docker image came clear of all vulnerabilities:

$ trivy image openzipkin/zipkin:2.25.1
2023-12-14T21:38:42.716+0700	INFO	Vulnerability scanning is enabled
2023-12-14T21:38:42.717+0700	INFO	Secret scanning is enabled
2023-12-14T21:38:42.717+0700	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-14T21:38:42.717+0700	INFO	Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2023-12-14T21:38:47.299+0700	INFO	Detected OS: alpine
2023-12-14T21:38:47.299+0700	WARN	This OS version is not on the EOL list: alpine 3.19
2023-12-14T21:38:47.299+0700	INFO	Detecting Alpine vulnerabilities...
2023-12-14T21:38:47.301+0700	INFO	Number of language-specific files: 1
2023-12-14T21:38:47.301+0700	INFO	Detecting jar vulnerabilities...
openzipkin/zipkin:2.25.1 (alpine 3.19.0)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

There was a lot of PR review support and again we have @​anuraaga to thank for being so available to keep things moving. We'd also like to thank @​tacigar for progress on renovating the Lens UI, resulting in a significant drop in NPM vulnerabilities as well.

Full Changelog: openzipkin/zipkin@2.25.0...2.25.1

Commits

• 11e3b27 [maven-release-plugin] prepare release 2.25.2
• ced6a9c lens: reduces cves for top-level deps (#3657)
• 6e79b6d docker: documents how to use master version in examples (#3656)
• 8b2b331 ci: test building of javadoc (#3655)
• aed6d92 docker: adds ppc64le architecture to zipkin and zipkin-slim images (#3653)
• c40a50b docker: uses health check in examples and documents dependencies job (#3652)
• e21beed docker: updates Elasticsearch 7.x image to Elastic licensed 7.17.16 (#3654)
• 0092696 cassandra: moves to Apache Driver and fixes Apple Silicon docker crash (#3651)
• a78c162 deps: temporarily update boringssl ahead of netty to fix M1 docker crash (#3650)
• 9244952 [maven-release-plugin] prepare for next development iteration
• Additional commits viewable in compare view

Updates io.zipkin.reporter2:zipkin-sender-okhttp3 from 2.16.5 to 2.17.1

Release notes

Sourced from io.zipkin.reporter2:zipkin-sender-okhttp3's releases.

Zipkin Reporter 2.17.0

Zipkin Reporter v2.17.0 updates default versions of dependencies so that CVE scanners like trivy pass by default. Details below for the interested.

For example, trivy is now clean.

$ trivy -q --skip-files "**/src/it/*/pom.xml" repo https://github.com/openzipkin/zipkin-reporter-java

In order to do this, and based on user demand, we had to change some default practice in our senders (the transport plug-in for sending spans to a zipkin compatible endpoint). Here is a summary of each and how versions are handled.

• activemq-client - Note that the recently released 6.x version is not compatible with 5.x due to package import change from javax.jms to jakarta.jms. Raise an issue if you need a later client as it will require a copy of the entire module to resolve.
• amqp-client (rabbitmq) - The 4.x version is no longer maintained, so we set a 5.x version and test the old one.
• kafka - the kafka-clients driver has not had any known compatibility problems, so we've left it as-is.
• libthrift (scribe) - libthrift (used for the deprecated scribe transport) has never released a 1.0 version, so occasionally causes revlocks. @​zhfeng noticed this in apache camel, as updating past the 4 year old 0.13 was impossible to work around. Luckily versions after that seem compatible with each other.
• okhttp3 - The 3.x version is no longer maintained, so we set a 4.x version and test the old one. Thanks @​evantorrie for explaining why this is important and @​shakuzen for helping in the discussion.

While not end-user affecting, we have also migrated from JUnit 4 to JUnit 5, thanks to OpenRewrite recipes from @​TeamModerne. Also, we use docker images to test all messaging transports. This ensures compatibility with upstream in transparent ways, and also removes classpath conflicts from java-based messaging transports such as ActiveMQ and Kafka.

Thanks a lot to @​anuraaga for copious support work on this release, as well.

Full Changelog: openzipkin/zipkin-reporter-java@2.16.5...2.17.0

Note: To pass Trivy at the moment, we have to skip old versions used only for compatibility testing. There is a discussion about making this default.

Changelog

Sourced from io.zipkin.reporter2:zipkin-sender-okhttp3's changelog.

OpenZipkin Release Process

This repo uses semantic versions. Please keep this in mind when choosing version numbers.

1. Alert others you are releasing

   There should be no commits made to master while the release is in progress (about 10 minutes). Before you start a release, alert others on gitter so that they don't accidentally merge anything. If they do, and the build fails because of that, you'll have to recreate the release tag described below.

2. Push a git tag

   The trigger format is release-MAJOR.MINOR.PATCH, ex git tag release-1.18.1 && git push origin release-1.18.1.

3. Wait for CI

   The release-MAJOR.MINOR.PATCH tag triggers https://github.com/openzipkin/zipkin-reporter-java/blob/master/build-bin/maven/maven_release, which creates commits, MAJOR.MINOR.PATCH tag, and increments the version (maven-release-plugin).

   The MAJOR.MINOR.PATCH tag triggers https://github.com/openzipkin/zipkin-reporter-java/blob/master/build-bin/deploy, which does the following:

   • Publishes jars to https://oss.sonatype.org/content/repositories/releases https://github.com/openzipkin/zipkin-reporter-java/blob/master/build-bin/maven/maven_deploy
     • Later, the same jars synchronize to Maven Central

   Notes:

   • https://search.maven.org/ index will take longer than direct links like https://repo1.maven.org/maven2/io/zipkin

Credentials

The release process uses various credentials. If you notice something failing due to unauthorized, look at the notes in [.github/workflows/deploy.yml] and check the org secrets.

Troubleshooting invalid credentials

If you receive a '401 unauthorized' failure from OSSRH, it is likely SONATYPE_USER or SONATYPE_PASSWORD entries are invalid, or possibly the user associated with them does not have rights to upload.

The least destructive test is to try to publish a snapshot manually. By passing the values CI would use, you can kick off a snapshot from your laptop. This is a good way to validate that your unencrypted credentials are authorized.

Here's an example of a snapshot deploy with specified credentials.

$ export GPG_TTY=$(tty) && GPG_PASSPHRASE=whackamole SONATYPE_USER=adrianmole SONATYPE_PASSWORD=ed6f20bde9123bbb2312b221 build-bin/build-bin/maven/maven_deploy

First release of the year

The license plugin verifies license headers of files include a copyright notice indicating the years a file was affected. This information is taken from git history. There's a once-a-year problem with files that include version numbers (pom.xml).

... (truncated)

Commits

• 692bb3d [maven-release-plugin] prepare release 2.17.1
• a2060be ci: adds action to test javadoc (#230)
• 66060b3 deps: updates to zipkin 2.25.2 (#229)
• 4e886ea build: fixes animal-sniffer phase and runs on all JDKs (#231)
• e635df8 [maven-release-plugin] prepare for next development iteration
• d21c18e [maven-release-plugin] prepare release 2.17.0
• e8f2052 deps: bumps to zipkin 2.25.1 (#227)
• 555bdc4 benchmarks: replace kafka-unit with docker (#226)
• 077737c amqp-client: moves to latest version and tests prior (#225)
• 8e86704 updates integration tests and benchmarks to use log4j (#224)
• Additional commits viewable in compare view

Updates io.zipkin.brave:brave from 5.16.0 to 5.17.0

Changelog

Sourced from io.zipkin.brave:brave's changelog.

OpenZipkin Release Process

This repo uses semantic versions. Please keep this in mind when choosing version numbers.

1. Alert others you are releasing

   There should be no commits made to master while the release is in progress (about 10 minutes). Before you start a release, alert others on gitter so that they don't accidentally merge anything. If they do, and the build fails because of that, you'll have to recreate the release tag described below.

2. Push a git tag

   The trigger format is release-MAJOR.MINOR.PATCH, ex git tag release-1.18.1 && git push origin release-1.18.1.

3. Wait for CI

   The release-MAJOR.MINOR.PATCH tag triggers https://github.com/openzipkin/brave/blob/master/build-bin/maven/maven_release, which creates commits, MAJOR.MINOR.PATCH tag, and increments the version (maven-release-plugin).

   The MAJOR.MINOR.PATCH tag triggers https://github.com/openzipkin/brave/blob/master/build-bin/deploy, which does the following:

   • Publishes jars to https://oss.sonatype.org/content/repositories/releases https://github.com/openzipkin/brave/blob/master/build-bin/maven/maven_deploy
     • Later, the same jars synchronize to Maven Central
   • Publishes Javadoc to https://zipkin.io/brave into a versioned subdirectory

   Notes:

   • https://search.maven.org/ index will take longer than direct links like https://repo1.maven.org/maven2/io/zipkin

Credentials

The release process uses various credentials. If you notice something failing due to unauthorized, look at the notes in [.github/workflows/deploy.yml] and check the org secrets.

Troubleshooting invalid credentials

If you receive a '401 unauthorized' failure from OSSRH, it is likely SONATYPE_USER or SONATYPE_PASSWORD entries are invalid, or possibly the user associated with them does not have rights to upload.

The least destructive test is to try to publish a snapshot manually. By passing the values CI would use, you can kick off a snapshot from your laptop. This is a good way to validate that your unencrypted credentials are authorized.

Here's an example of a snapshot deploy with specified credentials.

$ export GPG_TTY=$(tty) && GPG_PASSPHRASE=whackamole SONATYPE_USER=adrianmole SONATYPE_PASSWORD=ed6f20bde9123bbb2312b221 build-bin/build-bin/maven/maven_deploy

First release of the year

The license plugin verifies license headers of files include a copyright notice indicating the years a file was affected.

... (truncated)

Commits

• d55db97 [maven-release-plugin] prepare release 5.17.0
• 053e743 deps: updates to zipkin-reporter 2.17.1 (#1390)
• 90537d6 build: fixes animal-sniffer phase and runs on all JDKs (#1389)
• 677244a fix compiler
• 2bde4fe [maven-release-plugin] prepare for next development iteration
• c204053 [maven-release-plugin] prepare release 5.17.0
• 20692fe deps: bumps all main versions that compile (#1388)
• b0ad9aa Migrates all tests and fixtures from JUnit 4.x to Jupiter (#1387)
• 902e560 dubbo: updates dependencies to latest versions (#1386)
• eac0ffa build: updates to build and test with LTS JDKs (#1385)
• Additional commits viewable in compare view

Updates software.amazon.awssdk:s3 from 2.21.44 to 2.22.5

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.