build(deps): bump the opentelemetry-deps-java group across 1 directory with 2 updates

[dependabot]

Bumps the opentelemetry-deps-java group with 2 updates in the /java directory: io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha and io.opentelemetry.javaagent:opentelemetry-javaagent.

Updates io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha from 2.26.1-alpha to 2.27.0-alpha

Release notes

Sourced from io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha's releases.

Version 2.26.1

This is a patch release on the previous 2.26.0 release, fixing the issue(s) below.

🔒 Security fixes

• Fix unsafe deserialization in RMI instrumentation that could lead to remote code execution (CVE-2026-33701, #16979)

Changelog

Sourced from io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha's changelog.

Changelog

Unreleased

⚠️ Breaking changes to non-stable APIs

• Removed previously deprecated SqlQueryAnalyzer.analyze(String) and SqlQueryAnalyzer.analyzeWithSummary(String); use the overloads that take a SqlDialect.
• Removed the unused DbClientAttributesGetter.getDbResponseStatusCode() default method.
• Removed previously deprecated KafkaTelemetryBuilder.setMessagingReceiveInstrumentationEnabled(boolean); use setMessagingReceiveTelemetryEnabled(boolean).
• Removed previously deprecated OpenTelemetryAppender.Builder.captureCodeAttributes(boolean) in the log4j-appender-2.17 module; use setCaptureCodeAttributes(boolean).
• Removed previously deprecated Experimental.setEnableSqlCommenter() in the JDBC and R2DBC instrumentations; use Experimental.setSqlCommenterEnabled().
• Removed previously deprecated Experimental.addTraceIdRequestAttribute() and Experimental.setCapturedRequestParameters() in the servlet-3.0 and servlet-5.0 instrumentations; use setTraceIdRequestAttributeEnabled() and setCaptureRequestParameters() respectively.
• Removed the opentelemetry-runtime-telemetry-java8 and opentelemetry-runtime-telemetry-java17 library artifacts (deprecated aliases); use opentelemetry-runtime-telemetry instead.
• Removed previously deprecated experimental config property otel.instrumentation.servlet.experimental.add-trace-id-request-attribute; use otel.instrumentation.servlet.experimental.trace-id-request-attribute.enabled instead.
• Removed the previously deprecated captureEventName library builder setting from the logback-appender-1.0 and log4j-appender-2.17 OpenTelemetryAppender, and the corresponding otel.instrumentation.{logback-appender,log4j-appender,jboss-logmanager}.experimental.capture-event-name javaagent properties. Use the otel.event.name key in MDC / context data / key-value pairs / Logstash markers / structured arguments instead.
• Removed previously deprecated experimental config property otel.instrumentation.http.client.experimental.redact-query-parameters; use otel.instrumentation.sanitization.url.experimental.sensitive-query-parameters instead.
• Removed previously deprecated experimental config property otel.instrumentation.common.experimental.db-sqlcommenter.enabled; use otel.instrumentation.common.db.experimental.sqlcommenter.enabled instead.

Version 2.27.0 (2026-04-21)

This release targets the OpenTelemetry SDK 1.61.0.

Note that many artifacts have the -alpha suffix attached to their version number, reflecting that they will continue to have breaking changes. Please see VERSIONING.md for more details.

⚠️ Breaking changes to non-stable APIs

• Make AbstractKtorServerTelemetryBuilder.isOpenTelemetryInitialized() protected (previously public). (#17509)

... (truncated)

Commits

• See full diff in compare view

Updates io.opentelemetry.javaagent:opentelemetry-javaagent from 2.26.1 to 2.27.0

Release notes

Sourced from io.opentelemetry.javaagent:opentelemetry-javaagent's releases.

Version 2.27.0

This release targets the OpenTelemetry SDK 1.61.0.

Note that many artifacts have the -alpha suffix attached to their version number, reflecting that they will continue to have breaking changes. Please see VERSIONING.md for more details.

⚠️ Breaking changes to non-stable APIs

• Make AbstractKtorServerTelemetryBuilder.isOpenTelemetryInitialized() protected (previously public). (#17509)
• Replace ExperimentalInstrumentationModule.injectClasses(ClassInjector) with exposedClassNames() for exposing helper classes to the application class loader. (#17765)
• Moved WebApplicationContextInstrumentation from the spring-web instrumentation module to spring-webmvc; users who disabled it via otel.instrumentation.spring-web.enabled=false must now use otel.instrumentation.spring-webmvc.enabled=false. (#17856)

🚫 Deprecations

• Deprecated KafkaTelemetryBuilder.setMessagingReceiveInstrumentationEnabled(boolean) in favor of setMessagingReceiveTelemetryEnabled(boolean). (#17092)
• Deprecated GraphQL builder methods setSanitizeQuery() and setAddOperationNameToSpanName(), and deprecated config key otel.instrumentation.graphql.add-operation-name-to-span-name.enabled in favor of setQuerySanitizationEnabled(), setOperationNameInSpanNameEnabled(), and otel.instrumentation.graphql.operation-name-in-span-name.enabled. (#17093)
• Deprecate Experimental.setEnableSqlCommenter() in JDBC and R2DBC instrumentation in favor of Experimental.setSqlCommenterEnabled(). (#17094)
• Rename otel.instrumentation.servlet.capture-request-parameters to otel.instrumentation.servlet.experimental.capture-request-parameters and otel.instrumentation.servlet.add-trace-id-request-attribute to otel.instrumentation.servlet.experimental.trace-id-request-attribute.enabled; old property names are deprecated. (#17113)
• Deprecated the declarative config name statement_sanitizer in favor of query_sanitization, and the declarative config group common.database in favor of common.db. (#17116)
• Deprecated the GraphQL declarative config name query_sanitizer in favor of query_sanitization. (#17455)
• Deprecated the DB query sanitization system property names otel.instrumentation.common.db-statement-sanitizer.enabled, otel.instrumentation.jdbc.statement-sanitizer.enabled, otel.instrumentation.mongo.statement-sanitizer.enabled, and otel.instrumentation.r2dbc.statement-sanitizer.enabled in favor of the corresponding *.query-sanitization.enabled names, deprecated otel.instrumentation.common.experimental.db-sqlcommenter.enabled in favor of otel.instrumentation.common.db.experimental.sqlcommenter.enabled, and deprecated otel.instrumentation.graphql.query-sanitizer.enabled in favor of otel.instrumentation.graphql.query-sanitization.enabled. (#17464)
• Deprecate InstrumentationModule.isIndyModule(); indy mode is now determined by the agent distribution configuration instead of per-module overrides. (#17713)

📈 Enhancements

• Remove log4j.map_message. prefix from MapMessage attributes when otel.instrumentation.common.v3-preview is enabled. (#13871)
• Stop normalizing messaging header names (dash to underscore) when otel.instrumentation.common.v3-preview is enabled, so captured header attribute keys now preserve the original header name. (#14554)
• Add db.system.name attribute to Vertx SQL client instrumentation when stable database semantic conventions are enabled (otel.semconv-stability.opt-in=database). (#16254)
• JDBC instrumentation now supports the db.system.name attribute with stable semantic convention values (e.g., postgresql, oracle.db, ibm.db2, sap.hana) when stable database semantic conventions are enabled (otel.semconv-stability.opt-in=database). (#16277)
• Add otel.instrumentation.common.v3-preview flag that enables upcoming 3.0 breaking changes early. (#16459)
• Optimized log event MDC attribute mapping in jboss-logmanager, log4j, and logback appenders by pre-computing attribute keys at initialization. (#16765)
• Add messaging.kafka.bootstrap.servers attribute to Kafka producer spans when otel.instrumentation.kafka.experimental-span-attributes is enabled. (#17065)
• Disable servlet trace-id request attribute by default when otel.instrumentation.common.v3-preview is enabled. (#17173)
• Disable thread details span processor (otel.javaagent.add-thread-details) by default when otel.instrumentation.common.v3-preview is enabled. (#17215)
• Improved javaagent startup optimization by decomposing disjunction matchers, allowing more transformations to be skipped during class loading. (#17227)
• Add stable messaging.kafka.offset attribute to Kafka instrumentation, gated behind otel.semconv-stability.preview=messaging. (#17785)
• Preserve original casing of servlet request parameter names in attribute keys when otel.instrumentation.common.v3-preview is enabled. (#17822)
• Replace reflective mutation of Byte Buddy's AgentBuilder.Default.transformations with a ClassFileTransformer hook, avoiding a JDK 26 JEP 500 warning about writing to a final field via reflection. (#17824)
• Add javaagent bridging support for OpenTelemetry API 1.61 stable methods including Tracer.isEnabled(), metric instrument isEnabled(), and Logger.setBody(Body). (#17849)

🛠️ Bug fixes

• Fix WebClientBeanPostProcessor and RestClientBeanPostProcessor to avoid replacing user-customized builder beans when the OpenTelemetry tracing filter/interceptor is already registered. (#15546)
• Fix memory leak where bridged observable metric callbacks were never closed when the application-side instrument was garbage collected. (#16219)
• Fix Ktor server instrumentation leaking scope across requests due to restoreThreadContext not always being called by Ktor coroutine machinery. (#16487)
• Add missing schemaUrl to servlet response instrumenter. (#16560)
• Fix OpenTelemetryContextDataProvider calling GlobalOpenTelemetry.get() during class initialization, which could interfere with SDK setup ordering. (#16638)
• Fix ZIO instrumentation destroying caller thread context on fiber suspend, which caused spans created after unsafe.run to lose their parent. (#16647)
• Fix Spring Boot starter adding a duplicate OpenTelemetry logback appender when the appender is nested inside another appender. (#16697)
• Fix bridging of VALUE-type attributes set via AttributeKey.valueKey() on spans and log records through the javaagent API bridge. (#16750)
• Fix unsafe deserialization in RMI instrumentation that could lead to remote code execution (CVE-2026-33701, #16986, also released in 2.26.1)

... (truncated)

Changelog

Sourced from io.opentelemetry.javaagent:opentelemetry-javaagent's changelog.

Version 2.27.0 (2026-04-21)

This release targets the OpenTelemetry SDK 1.61.0.

Note that many artifacts have the -alpha suffix attached to their version number, reflecting that they will continue to have breaking changes. Please see VERSIONING.md for more details.

⚠️ Breaking changes to non-stable APIs

• Make AbstractKtorServerTelemetryBuilder.isOpenTelemetryInitialized() protected (previously public). (#17509)
• Replace ExperimentalInstrumentationModule.injectClasses(ClassInjector) with exposedClassNames() for exposing helper classes to the application class loader. (#17765)
• Moved WebApplicationContextInstrumentation from the spring-web instrumentation module to spring-webmvc; users who disabled it via otel.instrumentation.spring-web.enabled=false must now use otel.instrumentation.spring-webmvc.enabled=false. (#17856)

🚫 Deprecations

• Deprecated KafkaTelemetryBuilder.setMessagingReceiveInstrumentationEnabled(boolean) in favor of setMessagingReceiveTelemetryEnabled(boolean). (#17092)
• Deprecated GraphQL builder methods setSanitizeQuery() and setAddOperationNameToSpanName(), and deprecated config key otel.instrumentation.graphql.add-operation-name-to-span-name.enabled in favor of setQuerySanitizationEnabled(), setOperationNameInSpanNameEnabled(), and otel.instrumentation.graphql.operation-name-in-span-name.enabled. (#17093)
• Deprecate Experimental.setEnableSqlCommenter() in JDBC and R2DBC instrumentation in favor of Experimental.setSqlCommenterEnabled(). (#17094)
• Rename otel.instrumentation.servlet.capture-request-parameters to otel.instrumentation.servlet.experimental.capture-request-parameters and otel.instrumentation.servlet.add-trace-id-request-attribute to otel.instrumentation.servlet.experimental.trace-id-request-attribute.enabled; old property names are deprecated. (#17113)
• Deprecated the declarative config name statement_sanitizer in favor of query_sanitization, and the declarative config group common.database in favor of common.db. (#17116)
• Deprecated the GraphQL declarative config name query_sanitizer in favor of query_sanitization. (#17455)
• Deprecated the DB query sanitization system property names otel.instrumentation.common.db-statement-sanitizer.enabled, otel.instrumentation.jdbc.statement-sanitizer.enabled, otel.instrumentation.mongo.statement-sanitizer.enabled, and

... (truncated)

Commits

• f1973d4 [release/v2.27.x] Prepare release 2.27.0 (#18116)
• 5449673 Review fixes for async-http-client-common-1.8:javaagent (#18102)
• 4a62aff Update changelog for upcoming release (#18105)
• e2190ed Rename JAX-RS 2.0 RESTEasy shared javaagent module to `jaxrs-2.0-resteasy-com...
• afcf274 chore: update instrumentation list [automated] (#18109)
• bf241bf Split runtime telemetry JFR config from experimental metrics (#18110)
• 64d55bf fix(deps): update gradle develocity packages to v4.4.1 (#18107)
• 41393cc fix(deps): update all patch versions to v2.0.5 (#18106)
• 38914f1 chore(deps): update actions/setup-node action to v6.4.0 (#18108)
• dfbf501 v3_preview applied for lowercase normalization for <name> in servlet.… (#17822)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions