deps: updates to latest versions (#216)

Signed-off-by: Adrian Cole <[email protected]>

build-bin/docker/docker_args

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright 2016-2023 The OpenZipkin Authors
+# Copyright 2016-2024 The OpenZipkin Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
 # in compliance with the License. You may obtain a copy of the License at
@@ -46,7 +46,7 @@ if [ -n "${DOCKER_TARGET}" ]; then
 fi
 
 # When non-empty, becomes the base layer including tag appropriate for the image being built.
-# e.g. ghcr.io/openzipkin/java:21.0.1_p12-jre
+# e.g. ghcr.io/openzipkin/java:21.0.2_p13-jre
 #
 # This is not required to be a base (FROM scratch) image like ghcr.io/openzipkin/alpine:3.12.3
 # See https://docs.docker.com/glossary/#parent-image
@@ -60,7 +60,7 @@ if [ -n "${ALPINE_VERSION}" ]; then
   docker_args="${docker_args} --build-arg alpine_version=${ALPINE_VERSION}"
 fi
 
-# When non-empty, becomes the build-arg java_version. e.g. "21.0.1_p12"
+# When non-empty, becomes the build-arg java_version. e.g. "21.0.2_p13"
 # Used to align base layers from https://github.com/orgs/openzipkin/packages/container/package/java
 if [ -n "${JAVA_VERSION}" ]; then
   docker_args="${docker_args} --build-arg java_version=${JAVA_VERSION}"

docker/Dockerfile

@@ -13,14 +13,14 @@
 #
 
 # zipkin version should match zipkin.version in /pom.xml
-ARG zipkin_version=3.0.3
+ARG zipkin_version=3.0.5
 
 # java_version is used during the installation process to build or download the module jar.
 #
 # Use latest version here: https://github.com/orgs/openzipkin/packages/container/package/java
 # This is defined in many places because Docker has no "env" script functionality unless you use
 # docker-compose: When updating, update everywhere.
-ARG java_version=21.0.1_p12
+ARG java_version=21.0.2_p13
 
 # We copy files from the context into a scratch container first to avoid a problem where docker and
 # docker-compose don't share layer hashes https://github.com/docker/compose/issues/883 normally.

module/pom.xml

@@ -51,18 +51,6 @@
       <groupId>com.google.auth</groupId>
       <artifactId>google-auth-library-oauth2-http</artifactId>
       <version>${google-auth-library-oauth2-http.version}</version>
-      <exclusions>
-        <exclusion>
-          <groupId>commons-codec</groupId>
-          <artifactId>commons-codec</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
-    <!-- avoid CVE in ^^ transient deps -->
-    <dependency>
-      <groupId>commons-codec</groupId>
-      <artifactId>commons-codec</artifactId>
-      <version>${commons-codec.version}</version>
     </dependency>
     <!-- google-auth-library-oauth2-http strictly depends on...
             google-http-java-client, which strictly depends on...

pom.xml

@@ -74,9 +74,9 @@
     <!-- matching armeria/grpc/zipkin -->
     <zipkin.groupId>io.zipkin.zipkin2</zipkin.groupId>
     <!-- when updating, update docker/Dockerfile and storage/src/test/java/zipkin2/storage/kafka/IT* -->
-    <zipkin.version>3.0.3</zipkin.version>
+    <zipkin.version>3.0.5</zipkin.version>
     <zipkin-reporter.version>3.2.1</zipkin-reporter.version>
-    <spring-boot.version>3.2.1</spring-boot.version>
+    <spring-boot.version>3.2.2</spring-boot.version>
     <!-- armeria.groupId allows you to test feature branches with jitpack -->
     <armeria.groupId>com.linecorp.armeria</armeria.groupId>
     <armeria.version>1.26.4</armeria.version>
@@ -88,28 +88,26 @@
     <brave.groupId>io.zipkin.brave</brave.groupId>
     <brave.version>6.0.0</brave.version>
 
-    <!-- from armeria-grpc -->
-    <grpc.version>1.58.0</grpc.version>
+    <!-- from armeria-grpc or grpc-google-cloud-trace-v1 whichever is higher -->
+    <grpc.version>1.60.0</grpc.version>
     <!-- from grpc-protobuf -->
     <protobuf.version>3.24.0</protobuf.version>
     <guava.version>32.0.1-android</guava.version>
 
     <!-- stackdriver deps -->
-    <google-auth-library-oauth2-http.version>1.20.0</google-auth-library-oauth2-http.version>
-    <!-- avoid CVE in ^^ transient deps -->
-    <commons-codec.version>1.16.0</commons-codec.version>
-    <proto-google-common-protos.version>2.29.0</proto-google-common-protos.version>
+    <google-auth-library-oauth2-http.version>1.22.0</google-auth-library-oauth2-http.version>
+    <proto-google-common-protos.version>2.31.0</proto-google-common-protos.version>
     <!-- only used for stackdriver protos, we could possibly obviate this if a problem -->
-    <grpc-google-cloud-trace.version>2.32.0</grpc-google-cloud-trace.version>
+    <grpc-google-cloud-trace.version>2.34.0</grpc-google-cloud-trace.version>
 
     <!-- pubsub deps -->
-    <google-cloud-pubsub.version>1.125.13</google-cloud-pubsub.version>
-    <grpc-google-cloud-pubsub-v1.version>1.107.13</grpc-google-cloud-pubsub-v1.version>
+    <google-cloud-pubsub.version>1.126.0</google-cloud-pubsub.version>
+    <grpc-google-cloud-pubsub-v1.version>1.108.0</grpc-google-cloud-pubsub-v1.version>
 
     <assertj.version>3.25.1</assertj.version>
     <awaitility.version>4.2.0</awaitility.version>
     <junit-jupiter.version>5.10.1</junit-jupiter.version>
-    <mockito.version>5.8.0</mockito.version>
+    <mockito.version>5.9.0</mockito.version>
 
     <!-- override to set exclusions per-project -->
     <errorprone.args />

sender-stackdriver/pom.xml

@@ -97,20 +97,6 @@
       <groupId>com.google.auth</groupId>
       <artifactId>google-auth-library-oauth2-http</artifactId>
       <version>${google-auth-library-oauth2-http.version}</version>
-      <exclusions>
-        <exclusion>
-          <groupId>commons-codec</groupId>
-          <artifactId>commons-codec</artifactId>
-        </exclusion>
-      </exclusions>
-      <scope>test</scope>
-    </dependency>
-    <!-- avoid CVE in ^^ transient deps -->
-    <dependency>
-      <groupId>commons-codec</groupId>
-      <artifactId>commons-codec</artifactId>
-      <version>${commons-codec.version}</version>
-      <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.awaitility</groupId>