chore(deps): update upper bound dependencies file #4146

Open
lqiu96 wants to merge 1 commit into main from renovate/upper-bound-dependencies-file

@lqiu96 lqiu96 commented Mar 16, 2026

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| com.fasterxml.jackson:jackson-bom | patch | 2.21.0 -> 2.21.1 |
| com.google.api-client:google-api-client | minor | 2.8.1 -> 2.9.0 |
| com.google.errorprone:error_prone_annotations (source) | minor | 2.47.0 -> 2.48.0 |
| com.google.protobuf:protobuf-java (source) | minor | 4.33.5 -> 4.34.0 |
| dev.cel:cel | minor | 0.11.1 -> 0.12.0 |
| io.opentelemetry.semconv:opentelemetry-semconv | minor | 1.39.0 -> 1.40.0 |
| io.opentelemetry:opentelemetry-bom | minor | 1.59.0 -> 1.60.1 |
| org.apache.httpcomponents.core5:httpcore5 | patch | 5.4.1 -> 5.4.2 |

Release Notes

googleapis/google-api-java-client (com.google.api-client:google-api-client)

v2.9.0

Features
Bug Fixes
  • sec: Warn users of unsafe credential generation methods (#​2604) (d4c0a33)
  • Use Cloud RAD in deprecation link in GoogleCredential class (#​2606) (f238d59)
google/error-prone (com.google.errorprone:error_prone_annotations)

v2.48.0: Error Prone 2.48.0

Changes:

New checks:

Closed issues: #​5529, #​5537, #​5522, #​5521

Full changelog: google/error-prone@v2.47.0...v2.48.0

google/cel-java (dev.cel:cel)

v0.12.0

Features

  • Introduced the Program Planner (Experimental) to eventually back the CEL runtime. The planner allows evaluation of parsed-only expressions (https://github.com/google/cel-java/issues/276), and is designed to improve evaluation speed when planned programs are cached.
  • InliningOptimizer has been added to allow inlining variables within an AST. It replaces variable references with their corresponding expressions, automatically rewrites presence tests (e.g., has() macros), and supports recursive inlining based on variable dependency ordering.
  • Added support for Protobuf json_name field options. When enableJsonFieldNames option is enabled, the compiler will exclusively accept the json_name and no longer recognize the original protobuf field name. To maintain backwards compatibility, the runtime continues to support both the original name and the json_name when resolving fields.
  • Expanded the CEL Environment YAML import/export capabilities to include shared feature flags and common limits (https://github.com/google/cel-java/pull/970) (https://github.com/google/cel-java/pull/971).

Breaking Changes

  • PR #​820 Enables evaluateCanonicalTypesToNativeValues by default. See previous release for details.
  • PR #​943 removes StringConversion, StringConcatenation, and ListConcatenation from CelOptions in favor of standard library subsetting via CelStandardDeclarations and CelStandardFunctions.
  • PR #​875 removes null assignability to function arguments for Protobuf messages.

Bug fixes

  • Fixed a regression reported in https://github.com/google/cel-java/issues/890 for Protobuf timestamp/duration field values to reside outside RFC3339 range in #​893.
  • Prevent non-foldable functions from being folded in comprehensions in #​937
  • Fixed context propagation in AsyncProgramImpl to preserve resolved attributes in #​913.
  • Fixed type-checker to search local scopes for identifiers before container resolution in #​910.
  • Fixed type-checker and runtime to properly resolve global escaped identifiers in #​917.
  • Fixed argument matching to validate all args for non-strict functions in #​855.
  • Fixed source locations in error messages for maps, comprehensions, and missing attributes in #​921 and #​962.
  • Fixed null assignment to fields in #​979.

What's Changed

Environment & Policy Compiler
  • Add support for container aliases to CelEnvironment in #​900
  • Add a shorthand for declaring policy variables in #​944
Optimizations & Internals
  • Accumulate unknowns into a set to avoid intermediate duplication in #​864
  • Support constant folding in chained SELECT expressions in #​886
  • Optimize list.distinct() in #​902
  • Use mutable expressions for AST rewrites during type-check in #​936
  • Invert the nesting level sequencing when mangling comprehension identifiers in #​942
  • Remove unnecessary synchronization on dispatcher by making it immutable in #​851
  • Persist lazily bound variables in the correct scoped resolver in #​881
Miscellaneous
  • Add conformance tests for planner in #​973
  • Migrate to new GeneratorNames library for java codegen naming in #​882
  • Properly establish cross dependencies across maven artifacts in #​954
  • Add isolated artifact tests for dev.cel:compiler and dev.cel:runtime in #​959
  • OSS Fix for Bazel 9 in #​924
  • Upgrade GitHub Actions for Node 24 compatibility by @​salmanmkc in #​896

New Contributors

Full Changelog: google/cel-java@v0.11.1...v0.12.0

open-telemetry/semantic-conventions-java (io.opentelemetry.semconv:opentelemetry-semconv)

v1.40.0

  • Bump to semconv v1.40.0
    (#​418)
open-telemetry/opentelemetry-java (io.opentelemetry:opentelemetry-bom)

v1.60.1

SDK
Extensions
  • Autoconfigure: fix warning always emitted
    (#​8157)

v1.60.0

API
  • Support W3C trace context random flag
    (#​8012)
  • Clarify that SpanBuilder.setAttribute allows null values
    (#​8072)
Incubating
  • Implement environment variable context propagation carriers
    (#​8074)
  • Deprecate ExtendedAttributes, ExtendedAttributeKey, ExtendedAttributeType,
    ExtendedAttributesBuilder
    (#​8060)
  • Deprecate peerServiceMapping accessor from InstrumentationConfigUtil
    (#​8088)
SDK
Traces
  • Disable warning when using TraceIdRatioBasedSampler as root sampler
    (#​8065)
  • User-supplied attributes take precedence over exception-derived attributes
    (#​7993)
  • Exclude META-INF/maven from traces SDK shaded dependencies
    (#​8096)
  • Fix inverted condition in LegacySpanProcessorInstrumentation#finishSpans
    (#​8145)
Metrics
  • Split out cumulative vs. delta storage
    (#​8015)
  • Add metrics for PeriodicMetricReader
    (#​8038)
  • Allow configuring min/max in histograms
    (#​8095)
  • Remove deprecated otel.experimental.metrics.cardinality.limit property
    (#​8124)
  • BREAKING bug fix: GlobUtil and IncludePatternMatching, used in views and declarative
    config matching, previously were inconsistent in case sensitivity. If a glob char (* or ?) was
    present, it was evaluated with case sensitivity. If no glob chars were present, it was evaluated
    with case insensitivity. Now, all are consistently evaluated with case sensitivity.
    (#​8152)
Logs
  • Stabilize LogRecordBuilder.setException
    (#​8089)
  • Clarify setTimestamp javadoc for event timestamp behavior
    (#​8104)
Exporters
  • OTLP: Fix marshaling for empty string attributes
    (#​8014)
  • Prometheus: Update Prometheus client to 1.5.0
    (#​8080)
  • OTLP: Serialize exponential histogram sum as optional double
    (#​8107)
  • OTLP: Use KeyManagerFactory.getDefaultAlgorithm() in TlsUtil.keyManager()
    (#​8122)
  • OTLP: Ensure proto serializer idCache is cleared when exception is thrown
    (#​8147)
Extensions
  • Autoconfigure: Decode plus sign in resource attributes
    (#​8059)
  • Declarative config: update to 1.0 schema
    (#​8123)
  • Declarative config: add support for setting schema URL
    (#​8028)
  • Declarative config: add version mismatch warning
    (#​8069)
  • Declarative config: cache component providers in DeclarativeConfigContext
    (#​8070)
  • Declarative config: add system property substitution
    (#​8073)
  • Declarative config: add exporter customizers
    (#​8081)
  • Declarative config: add support for setting internal telemetry version
    (#​8045)
  • Deprecate View File Configuration mechanism
    (#​8133)
  • Autoconfigure: add property to allow autoconfiguration of SDK telemetry version
    (#​8037)
  • Jaeger remote sampler: refactor to leverage senders
    (#​8046)
  • Declarative config: document ObjectMapper config
    (#​8075)
  • Declarative config: Remove unchecked warning
    (#​8090)
Project tooling
  • Add architecture test to detect usage of shared internal code
    (#​6978)
  • Replace Xlint deprecation check with custom error-prone check
    (#​8061)
  • Enable error-prone's UnnecessarilyFullyQualified check
    (#​8078)
  • Small refactoring to make safety clearer
    (#​8083)
  • Rework span record benchmark and publish results
    (#​8031)
  • Add LogRecordBenchmark
    (#​8106,
    #​8117)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@product-auto-label product-auto-label bot added the size: s Pull request size is small. label Mar 16, 2026
@gemini-code-assist
Summary of Changes

Hello, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request systematically updates several key Java dependencies, encompassing both minor version bumps and patch releases. The updates introduce new features, performance enhancements, and critical bug fixes across various components, including Google API client libraries, error-prone annotations, Protocol Buffers, CEL expression language, OpenTelemetry, and Jackson. This ensures the project benefits from the latest improvements and maintains compatibility with evolving ecosystems.

Highlights

  • Dependency Updates: Updated com.fasterxml.jackson:jackson-bom from 2.21.0 to 2.21.1.
  • Google API Client Update: Updated com.google.api-client:google-api-client from 2.8.1 to 2.9.0, which includes security warnings for unsafe credential generation methods and other features.
  • Error Prone Annotations Update: Updated com.google.errorprone:error_prone_annotations from 2.47.0 to 2.48.0, introducing new checks like AvoidValueSetter and UnnecessarySemicolon.
  • Protobuf Java Update: Updated com.google.protobuf:protobuf-java from 4.33.5 to 4.34.0.
  • CEL Expression Language Update: Updated dev.cel:cel from 0.11.1 to 0.12.0, featuring an experimental Program Planner, InliningOptimizer, support for Protobuf json_name field options, and several breaking changes and bug fixes.
  • OpenTelemetry Semantic Conventions Update: Updated io.opentelemetry.semconv:opentelemetry-semconv from 1.39.0 to 1.40.0.
  • OpenTelemetry BOM Update: Updated io.opentelemetry:opentelemetry-bom from 1.59.0 to 1.60.1, bringing various API, SDK, Traces, Metrics, Logs, and Exporter improvements, including a breaking change in GlobUtil case sensitivity.
  • Apache HttpCore5 Update: Updated org.apache.httpcomponents.core5:httpcore5 from 5.4.1 to 5.4.2.
Changelog
  • dependencies.txt
    • Updated com.fasterxml.jackson:jackson-bom from 2.21.0 to 2.21.1.
    • Updated com.google.api-client:google-api-client from 2.8.1 to 2.9.0.
    • Updated com.google.errorprone:error_prone_annotations from 2.47.0 to 2.48.0.
    • Updated com.google.protobuf:protobuf-java from 4.33.5 to 4.34.0.
    • Updated dev.cel:cel from 0.11.1 to 0.12.0.
    • Updated io.opentelemetry.semconv:opentelemetry-semconv from 1.39.0 to 1.40.0.
    • Updated io.opentelemetry:opentelemetry-bom from 1.59.0 to 1.60.1.
    • Updated org.apache.httpcomponents.core5:httpcore5 from 5.4.1 to 5.4.2.
Activity
  • This pull request was automatically generated by Renovate Bot to update upper bound dependencies.
  • The bot provided detailed release notes for major dependency updates.
  • Automerge is currently disabled, requiring manual merging.
Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates several dependency versions in dependencies.txt. While most updates are minor or patch versions, it's important to note that dev.cel:cel (v0.12.0) and io.opentelemetry:opentelemetry-bom (v1.60.0) introduce breaking changes. These changes should be thoroughly reviewed to ensure compatibility with the existing codebase and to adhere to the repository's dependency management guidelines, which advise against bumping versions without a strong justification like a CVE or critical bug fix.

com.google.flogger:flogger,flogger=0.9
org.apache.arrow:arrow-memory-core,arrow=18.3.0
dev.cel:cel,dev.cel=0.11.1
dev.cel:cel,dev.cel=0.12.0
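
Review bot: The dev.cel bump on the last line of this hunk crosses a release with listed breaking changes, and nothing in the change records why the upper bound has to move. The 0.12.0 notes in the PR description name three: #820 turns on evaluateCanonicalTypesToNativeValues by default, #943 removes StringConversion, StringConcatenation and ListConcatenation from CelOptions, and #875 removes null assignability to function arguments for Protobuf messages. Suggest either splitting dev.cel into its own PR with a note on which of these were checked against current usage, or holding this line at 0.11.1 until that check is written down.
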
high

The update to dev.cel:cel from 0.11.1 to 0.12.0 includes explicit "Breaking Changes" as detailed in its release notes. According to the repository's dependency management guidelines, external dependency versions should ideally not be bumped unless there is a known CVE or a critical bug fix (Repository Style Guide, line 137). Please confirm that these breaking changes have been thoroughly evaluated and addressed, or that they do not impact our current usage.

References
  1. Try not to bump any external dependency version unless there is a known CVE (security or vulnerability issue) or a critical bug fix.

io.opentelemetry:opentelemetry-bom,opentelemetry=1.59.0
com.google.errorprone:error_prone_annotations,errorprone=2.47.0
com.google.protobuf:protobuf-java,protobuf=4.34.0
io.opentelemetry:opentelemetry-bom,opentelemetry=1.60.1
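
Review bot: The opentelemetry-bom line jumps from 1.59.0 to 1.60.1 and so takes in the 1.60.0 change marked BREAKING in the release notes, which this PR does not call out as assessed. Per those notes, GlobUtil and IncludePatternMatching previously matched names without glob characters case-insensitively and now match everything case-sensitively, so a view or declarative config pattern that relied on a case mismatch stops matching without an error. Suggest confirming that any such patterns in use match the exact case of the instrument names before raising the bound, and noting the result in the PR.
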
high

The update to io.opentelemetry:opentelemetry-bom from 1.59.0 to 1.60.1 includes a "BREAKING bug fix" in version 1.60.0 related to case sensitivity in GlobUtil and IncludePatternMatching. This could potentially alter behavior in parts of the codebase that rely on the previous case-insensitivity. Please confirm that the impact of this breaking change has been assessed and mitigated if necessary, aligning with the repository's dependency management principles (Repository Style Guide, line 137).

References
  1. Try not to bump any external dependency version unless there is a known CVE (security or vulnerability issue) or a critical bug fix.

@lqiu96 lqiu96 closed this Mar 16, 2026
@lqiu96 lqiu96 reopened this Mar 16, 2026
@sonarqubecloud

Quality Gate passed for 'java_showcase_integration_tests'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code
