
build(deps): bump the opentelemetry-deps-java group across 1 directory with 3 updates #71

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/gradle/java/opentelemetry-deps-java-32ed3a05c7



dependabot[bot] commented on behalf of github on May 4, 2026

Bumps the opentelemetry-deps-java group with 3 updates in the /java directory: io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha, io.opentelemetry.javaagent:opentelemetry-javaagent and io.opentelemetry.contrib:opentelemetry-aws-resources.

Updates io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha from 2.26.1-alpha to 2.27.0-alpha

Release notes

Sourced from io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha's releases.

Version 2.26.1

This is a patch release on the previous 2.26.0 release, fixing the issue(s) below.

🔒 Security fixes

  • Fix unsafe deserialization in RMI instrumentation that could lead to remote code execution (CVE-2026-33701, #16979)

Changelog

Sourced from io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha's changelog.

Changelog

Unreleased

⚠️ Breaking changes to non-stable APIs

  • Reshaped the ktor Experimental helper from a class with a companion object to a top-level object. Kotlin source callers (Experimental.emitExperimentalTelemetry(...)) are unaffected, but pre-compiled consumers must be recompiled against the new artifact. (#18343)
  • Removed previously deprecated SqlQueryAnalyzer.analyze(String) and SqlQueryAnalyzer.analyzeWithSummary(String); use the overloads that take a SqlDialect.
  • Removed the unused DbClientAttributesGetter.getDbResponseStatusCode() default method.
  • Removed previously deprecated KafkaTelemetryBuilder.setMessagingReceiveInstrumentationEnabled(boolean); use setMessagingReceiveTelemetryEnabled(boolean).
  • Removed previously deprecated OpenTelemetryAppender.Builder.captureCodeAttributes(boolean) in the log4j-appender-2.17 module; use setCaptureCodeAttributes(boolean).
  • Removed previously deprecated Experimental.setEnableSqlCommenter() in the JDBC and R2DBC instrumentations; use Experimental.setSqlCommenterEnabled().
  • Removed previously deprecated Experimental.addTraceIdRequestAttribute() and Experimental.setCapturedRequestParameters() in the servlet-3.0 and servlet-5.0 instrumentations; use setTraceIdRequestAttributeEnabled() and setCaptureRequestParameters() respectively.
  • Removed the opentelemetry-runtime-telemetry-java8 and opentelemetry-runtime-telemetry-java17 library artifacts (deprecated aliases); use opentelemetry-runtime-telemetry instead.
  • Removed previously deprecated experimental config property otel.instrumentation.servlet.experimental.add-trace-id-request-attribute; use otel.instrumentation.servlet.experimental.trace-id-request-attribute.enabled instead.
  • Removed the previously deprecated captureEventName library builder setting from the logback-appender-1.0 and log4j-appender-2.17 OpenTelemetryAppender, and the corresponding otel.instrumentation.{logback-appender,log4j-appender,jboss-logmanager}.experimental.capture-event-name javaagent properties. Use the otel.event.name key in MDC / context data / key-value pairs / Logstash markers / structured arguments instead.
  • Removed previously deprecated experimental config property otel.instrumentation.http.client.experimental.redact-query-parameters; use otel.instrumentation.sanitization.url.experimental.sensitive-query-parameters instead.
  • Removed previously deprecated experimental config property otel.instrumentation.common.experimental.db-sqlcommenter.enabled; use otel.instrumentation.common.db.experimental.sqlcommenter.enabled instead.

Version 2.27.0 (2026-04-21)

This release targets the OpenTelemetry SDK 1.61.0.

Note that many artifacts have the -alpha suffix attached to their version number, reflecting that they will continue to have breaking changes. Please see VERSIONING.md for more details.

⚠️ Breaking changes to non-stable APIs

... (truncated)


Updates io.opentelemetry.javaagent:opentelemetry-javaagent from 2.26.1 to 2.27.0

Release notes

Sourced from io.opentelemetry.javaagent:opentelemetry-javaagent's releases.

Version 2.27.0

This release targets the OpenTelemetry SDK 1.61.0.

Note that many artifacts have the -alpha suffix attached to their version number, reflecting that they will continue to have breaking changes. Please see VERSIONING.md for more details.

⚠️ Breaking changes to non-stable APIs

  • Make AbstractKtorServerTelemetryBuilder.isOpenTelemetryInitialized() protected (previously public). (#17509)
  • Replace ExperimentalInstrumentationModule.injectClasses(ClassInjector) with exposedClassNames() for exposing helper classes to the application class loader. (#17765)
  • Moved WebApplicationContextInstrumentation from the spring-web instrumentation module to spring-webmvc; users who disabled it via otel.instrumentation.spring-web.enabled=false must now use otel.instrumentation.spring-webmvc.enabled=false. (#17856)

🚫 Deprecations

  • Deprecated KafkaTelemetryBuilder.setMessagingReceiveInstrumentationEnabled(boolean) in favor of setMessagingReceiveTelemetryEnabled(boolean). (#17092)
  • Deprecated GraphQL builder methods setSanitizeQuery() and setAddOperationNameToSpanName(), and deprecated config key otel.instrumentation.graphql.add-operation-name-to-span-name.enabled in favor of setQuerySanitizationEnabled(), setOperationNameInSpanNameEnabled(), and otel.instrumentation.graphql.operation-name-in-span-name.enabled. (#17093)
  • Deprecate Experimental.setEnableSqlCommenter() in JDBC and R2DBC instrumentation in favor of Experimental.setSqlCommenterEnabled(). (#17094)
  • Rename otel.instrumentation.servlet.capture-request-parameters to otel.instrumentation.servlet.experimental.capture-request-parameters and otel.instrumentation.servlet.add-trace-id-request-attribute to otel.instrumentation.servlet.experimental.trace-id-request-attribute.enabled; old property names are deprecated. (#17113)
  • Deprecated the declarative config name statement_sanitizer in favor of query_sanitization, and the declarative config group common.database in favor of common.db. (#17116)
  • Deprecated the GraphQL declarative config name query_sanitizer in favor of query_sanitization. (#17455)
  • Deprecated the DB query sanitization system property names otel.instrumentation.common.db-statement-sanitizer.enabled, otel.instrumentation.jdbc.statement-sanitizer.enabled, otel.instrumentation.mongo.statement-sanitizer.enabled, and otel.instrumentation.r2dbc.statement-sanitizer.enabled in favor of the corresponding *.query-sanitization.enabled names, deprecated otel.instrumentation.common.experimental.db-sqlcommenter.enabled in favor of otel.instrumentation.common.db.experimental.sqlcommenter.enabled, and deprecated otel.instrumentation.graphql.query-sanitizer.enabled in favor of otel.instrumentation.graphql.query-sanitization.enabled. (#17464)
  • Deprecate InstrumentationModule.isIndyModule(); indy mode is now determined by the agent distribution configuration instead of per-module overrides. (#17713)

📈 Enhancements

  • Remove log4j.map_message. prefix from MapMessage attributes when otel.instrumentation.common.v3-preview is enabled. (#13871)
  • Stop normalizing messaging header names (dash to underscore) when otel.instrumentation.common.v3-preview is enabled, so captured header attribute keys now preserve the original header name. (#14554)
  • Add db.system.name attribute to Vertx SQL client instrumentation when stable database semantic conventions are enabled (otel.semconv-stability.opt-in=database). (#16254)
  • JDBC instrumentation now supports the db.system.name attribute with stable semantic convention values (e.g., postgresql, oracle.db, ibm.db2, sap.hana) when stable database semantic conventions are enabled (otel.semconv-stability.opt-in=database). (#16277)
  • Add otel.instrumentation.common.v3-preview flag that enables upcoming 3.0 breaking changes early. (#16459)
  • Optimized log event MDC attribute mapping in jboss-logmanager, log4j, and logback appenders by pre-computing attribute keys at initialization. (#16765)
  • Add messaging.kafka.bootstrap.servers attribute to Kafka producer spans when otel.instrumentation.kafka.experimental-span-attributes is enabled. (#17065)
  • Disable servlet trace-id request attribute by default when otel.instrumentation.common.v3-preview is enabled. (#17173)
  • Disable thread details span processor (otel.javaagent.add-thread-details) by default when otel.instrumentation.common.v3-preview is enabled. (#17215)
  • Improved javaagent startup optimization by decomposing disjunction matchers, allowing more transformations to be skipped during class loading. (#17227)
  • Add stable messaging.kafka.offset attribute to Kafka instrumentation, gated behind otel.semconv-stability.preview=messaging. (#17785)
  • Preserve original casing of servlet request parameter names in attribute keys when otel.instrumentation.common.v3-preview is enabled. (#17822)
  • Replace reflective mutation of Byte Buddy's AgentBuilder.Default.transformations with a ClassFileTransformer hook, avoiding a JDK 26 JEP 500 warning about writing to a final field via reflection. (#17824)
  • Add javaagent bridging support for OpenTelemetry API 1.61 stable methods including Tracer.isEnabled(), metric instrument isEnabled(), and Logger.setBody(Body). (#17849)

🛠️ Bug fixes

  • Fix WebClientBeanPostProcessor and RestClientBeanPostProcessor to avoid replacing user-customized builder beans when the OpenTelemetry tracing filter/interceptor is already registered. (#15546)
  • Fix memory leak where bridged observable metric callbacks were never closed when the application-side instrument was garbage collected. (#16219)
  • Fix Ktor server instrumentation leaking scope across requests due to restoreThreadContext not always being called by Ktor coroutine machinery. (#16487)
  • Add missing schemaUrl to servlet response instrumenter. (#16560)
  • Fix OpenTelemetryContextDataProvider calling GlobalOpenTelemetry.get() during class initialization, which could interfere with SDK setup ordering. (#16638)
  • Fix ZIO instrumentation destroying caller thread context on fiber suspend, which caused spans created after unsafe.run to lose their parent. (#16647)
  • Fix Spring Boot starter adding a duplicate OpenTelemetry logback appender when the appender is nested inside another appender. (#16697)
  • Fix bridging of VALUE-type attributes set via AttributeKey.valueKey() on spans and log records through the javaagent API bridge. (#16750)
  • Fix unsafe deserialization in RMI instrumentation that could lead to remote code execution (CVE-2026-33701, #16986, also released in 2.26.1)

... (truncated)


Commits
  • f1973d4 [release/v2.27.x] Prepare release 2.27.0 (#18116)
  • 5449673 Review fixes for async-http-client-common-1.8:javaagent (#18102)
  • 4a62aff Update changelog for upcoming release (#18105)
  • e2190ed Rename JAX-RS 2.0 RESTEasy shared javaagent module to `jaxrs-2.0-resteasy-com...
  • afcf274 chore: update instrumentation list [automated] (#18109)
  • bf241bf Split runtime telemetry JFR config from experimental metrics (#18110)
  • 64d55bf fix(deps): update gradle develocity packages to v4.4.1 (#18107)
  • 41393cc fix(deps): update all patch versions to v2.0.5 (#18106)
  • 38914f1 chore(deps): update actions/setup-node action to v6.4.0 (#18108)
  • dfbf501 v3_preview applied for lowercase normalization for <name> in servlet.… (#17822)
  • Additional commits viewable in compare view

Updates io.opentelemetry.contrib:opentelemetry-aws-resources from 1.55.0-alpha to 1.56.0-alpha

Release notes

Sourced from io.opentelemetry.contrib:opentelemetry-aws-resources's releases.

Version 1.55.0

This release targets the OpenTelemetry Java Instrumentation 2.26.1.

Disk buffering

  • Add configuration option for explicit removal in the disk buffering iterator (#2560)
  • Replace CompletableFuture with CompletableResultCode (#2670)
  • Replace IllegalStateException with EOFException in readRawVarint32 (#2687)
  • Apply upstream fixes to the disk buffering implementation (#2694)

Dynamic control

  • Add trace sampling-rate implementer (#2634)
  • Add json and keyvalue parsing and mapping (#2655)
  • Move away from JSON requirement (#2652)
  • Refactor trace sampling into specific subpackage (#2698)
  • Add jsonkeyvalue source (#2702)
  • Step 1 in transition to simpler validation (#2703)
  • Move to using SourceWrapper, simplifying parsing (#2708)
  • Complete the jsonkeyvalue and simpler validation migration (#2715)
  • Refactor TYPE to POLICY_TYPE for clarity (#2720)
  • Add SourceKind as sources are a known list (#2722)
  • Add policy store (#2721)

Build

  • Replace NVD with Sonatype OSS Index (#2689)
  • Fix OSS Index Audit again (#2706)
  • Fix release workflow (#2639)

JMX scraper

  • Document ActiveMQ metrics from instrumentation (#2666)
  • Document Kafka Connect support (#2688)

🙇 Thank you

This release was possible thanks to the following contributors who shared their brilliant ideas and awesome pull requests:

@​atoulme @​bencehornak @​bidetofevil @​breedx-splk @​cyrille-leclerc @​DmytroBorysovSpotOn @​jackshirazi @​jaydeluca @​laurit @​LikeTheSalad @​OxxxyAction

... (truncated)

Changelog

Sourced from io.opentelemetry.contrib:opentelemetry-aws-resources's changelog.

Changelog

Unreleased

Version 1.56.0 (2026-04-28)

Dynamic control

  • Add SourceFormat string to enum conversion (#2737)
  • Add policy config model classes (record-style structure) (#2736)
  • Add config parsing for both JSON and YAML (#2738)
  • Add OpampPolicyProvider for the policy pipeline (#2748)
  • Create providers from SourceKind (#2749)
  • Use composable samplers and add sampler initialization (#2752)
  • Add PolicyTypeInitializer interface for better readability (#2754)

GCP resources

  • Unify gcp resource detector (#2747)

JMX scraper

OpAMP client

  • Improve error handling (#2778)

Processors

  • Add FilteringSpanExporter with composable SpanFilter and TraceFilter interfaces (#2745)

Version 1.55.0 (2026-03-31)

Disk buffering

  • Add configuration option for explicit removal in the disk buffering iterator (#2560)
  • Replace CompletableFuture with CompletableResultCode

... (truncated)


dependabot[bot] added the dependencies (Pull requests that update a dependency file) and java (Pull requests that update java code) labels on May 4, 2026
dependabot[bot] requested a review from a team on May 4, 2026 11:22
dependabot[bot] force-pushed the dependabot/gradle/java/opentelemetry-deps-java-32ed3a05c7 branch from cbb448f to 26d8c3b on May 11, 2026 13:50
…y with 3 updates

Bumps the opentelemetry-deps-java group with 3 updates in the /java directory: [io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha](https://github.com/open-telemetry/opentelemetry-java-instrumentation), [io.opentelemetry.javaagent:opentelemetry-javaagent](https://github.com/open-telemetry/opentelemetry-java-instrumentation) and [io.opentelemetry.contrib:opentelemetry-aws-resources](https://github.com/open-telemetry/opentelemetry-java-contrib).


Updates `io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha` from 2.26.1-alpha to 2.27.0-alpha
- [Release notes](https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-java-instrumentation/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-java-instrumentation/commits)

Updates `io.opentelemetry.javaagent:opentelemetry-javaagent` from 2.26.1 to 2.27.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-java-instrumentation/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-java-instrumentation@v2.26.1...v2.27.0)

Updates `io.opentelemetry.contrib:opentelemetry-aws-resources` from 1.55.0-alpha to 1.56.0-alpha
- [Release notes](https://github.com/open-telemetry/opentelemetry-java-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-java-contrib/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-java-contrib/commits)

---
updated-dependencies:
- dependency-name: io.opentelemetry.contrib:opentelemetry-aws-resources
  dependency-version: 1.56.0-alpha
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: opentelemetry-deps-java
- dependency-name: io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha
  dependency-version: 2.27.0-alpha
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: opentelemetry-deps-java
- dependency-name: io.opentelemetry.javaagent:opentelemetry-javaagent
  dependency-version: 2.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: opentelemetry-deps-java
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/gradle/java/opentelemetry-deps-java-32ed3a05c7 branch from 26d8c3b to b6782c8 on May 18, 2026 17:38