deps: update upper bound dependencies file

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
com.fasterxml.jackson:jackson-bom	2.19.2 -> 2.20.0
com.google.auth:google-auth-library-bom	1.37.1 -> 1.40.0
com.google.cloud:grpc-gcp (source)	1.6.1 -> 1.7.0
com.google.code.gson:gson	2.13.1 -> 2.13.2
com.google.errorprone:error_prone_annotations (source)	2.41.0 -> 2.42.0
dev.cel:cel	0.10.1 -> 0.11.0
io.opencensus:opencensus-api	0.31.0 -> 0.31.1
io.opentelemetry.semconv:opentelemetry-semconv	1.34.0 -> 1.37.0
io.opentelemetry:opentelemetry-bom	1.52.0 -> 1.55.0
org.apache.httpcomponents.client5:httpclient5 (source)	5.5 -> 5.5.1
org.apache.httpcomponents.core5:httpcore5 (source)	5.3.4 -> 5.3.6

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

googleapis/google-auth-library-java (com.google.auth:google-auth-library-bom)

v1.40.0

Compare Source

Features

• Add projectId getter to GoogleCredentials (#​1813) (c3d9ee0)
• Support user defined or json defined scopes for impersonated token (#​1815) (84fc566)

Dependencies

• Bump guava to v33.5.0 (#​1825) (79f0a35)

v1.39.1

Compare Source

Documentation

• Additional information for deprecated fromStream() methods. (#​1802) (a0d873d)

v1.39.0

Compare Source

Features

• Add Credential Information to GoogleCredential classes (#​1791) (5511913)

Bug Fixes

• Indicate non-validated external credentials in generic methods (e7d4380)

Dependencies

• Add com.google.api:api-commons dependency (e7d4380)
• Update com.google.errorprone:error_prone_annotations dependency to 2.38.0 (e7d4380)

v1.38.0

Compare Source

Features

• Next release from main branch is 1.38.0 (#​1786) (1669dc8)

Bug Fixes

• Override toBuilder() for ExternalAccountCredential and subclasses (#​1793) (a9c3de6)

Documentation

• Update README with X.509 feature details (#​1790) (7b51cb3)

GoogleCloudPlatform/grpc-gcp-java (com.google.cloud:grpc-gcp)

v1.7.0

Compare Source

Features

• Dynamic channel pool scaling (#​194)

google/error-prone (com.google.errorprone:error_prone_annotations)

v2.42.0: Error Prone 2.42.0

Compare Source

New checks:

• ExplicitArrayForVarargs: discourage unnecessary explicit construction of an array to provide varargs.
• FloggerPerWithoutRateLimit: discourage Flogger's perUnique without rate limiting
• StringJoin: Ban String.join(CharSequence) and String.join(CharSequence, CharSequence)
• ThreadBuilderNameWithPlaceholder: Do not allow placeholders in Thread.Builder.name(String) or name(String, int).

Changes:

• The return type of ASTHelpers.asFlagSet has changed. The previous type was EnumSet<Flags.Flag>, where Flags.Flag is an enum in the javac class Flags. A recent JDK change has replaced that enum with a new top-level enum called FlagsEnum. It is not possible to change ASTHelpers.asFlagSet in a way that would be type-safe and compatible with the enums from JDKs both before and after the change. Instead, the method now returns ImmutableSet<String>, where the strings come from the toString() of the enum constants. That means they are "native", "abstract", etc.
• Flag IO.print[ln]() in SystemOut.

Full changelog: google/error-prone@v2.41.0...v2.42.0

google/cel-java (dev.cel:cel)

v0.11.0

Compare Source

Features

• Introduced a new extension library for Two-variable comprehensions support
  • (example: <list>.all(indexVar, valueVar, <predicate>) -> bool)
• Added support for type name Aliasing and Abbreviations to perform name resolution across multiple namespaces.
• CEL Policy Compiler now supports the imports keyword to abbreviate type names.
• Added the capability to export a CEL environment, including its standard libraries and extensions, into YAML.
• Expanded the lists extension library with new functions: slice, distinct, reverse, sort, and sortBy.

Breaking Changes

• PR #​769 removes setContainer(String) method on the Cel, CelCompiler, and CelChecker builders. Callers must use setContainer(CelContainer) instead, which supports aliasing and abbreviations in addition to existing container resolution. For a migration that preserves existing behavior, simply provide CelContainer.ofName(string).

• PR #​789 changes the internal representation of CEL's null and bytes literals (e.g., b'foo') to their CEL-native Java type equivalents (dev.cel.common.Values.NullValue and dev.cel.common.values.CelByteString) instead of their Protobuf counterparts (com.google.protobuf.NullValue and com.google.protobuf.ByteString). This is currently a breaking change only if your codebase references these literals through the CelConstant AST node. There are no observable changes in evaluation behavior, as this is currently controlled by a feature flag. We plan on enabling this by default in a future release.

Bug fixes

• Fixed the filter/map macro to be linear in time and space complexity in #​746.
• Fixed unknown merging to be linear in space complexity when referenced in binds in #​770.
• Prevented comprehension identifiers from being mangled if the AST was not optimized in #​792.
• Fixed replaceSubtree to properly populate source info for the three-argument map macro in #​794.
• Corrected CelContainer.toBuilder() to properly copy aliases in #​775.
• Excluded protobuf-javalite from the public artifacts for CEL in #​777.

What's Changed

Aliasing and Abbreviations

• Add aliasing support to type-checker in #​757
• Add abbreviation support to type-checker in #​760

CEL Policy Compiler

• Optimize composed policies using Constant Folding and Common Subexpression Elimination in #​793
• Add display_name field to CelPolicy.Variable element in #​741
• Adding description and display name at Cel Policy level in #​744
• Support for typename import aliases in policy compiler in #​771

CEL Environment

• Add support for stdlib subsetting via CelEnvironment in #​736
• Add support for macro inclusion/exclusion to CelEnvironmentExporter in #​756
• Add support for extension versions in #​739
• Implement CelEnvironmentExporter in #​753
• Update the "encoders" extension to be compatible with CelEnvironmentExporter in #​763
• Update the "protos" extension to be compatible with CelEnvironmentExporter in #​764
• Update the "regex" extension to be compatible with CelEnvironmentExporter in #​765
• Update the "sets" extension to be compatible with CelEnvironmentExporter in #​766
• Update the "strings" extension to be compatible with CelEnvironmentExporter in #​767
• Update "bindings" extension to be compatible with CelEnvironmentExporter in #​762
• Add versions to the 'optional' library to gradually expose new functions in #​747
• Refactor CelExtensionLibrary to centralize version definitions in #​761

Extensions

• Checker and parser changes to support comprehensionsV2 in #​778
• Checker and parser changes to support two variable comprehensions for remaining Macros in #​796
• Introduce 'list' extension functions: 'slice', 'distinct', 'reverse', 'sort', 'sortBy' in #​740
• AST changes to support two variable comprehensions in #​772
• Adding runtime support for two variable comprehensions in #​799
• Adding transformMap and transformMapEntry macros in #​800
• Updating the README.md with CelComprehensionsExtensions docs in #​801

Miscellaneous

• Internally accumulate unknowns to a mutable list in #​750
• Migrate to Bzlmod in #​328
• Support triggering runner library programmatically in #​725
• Run conformance tests against published maven JARs in #​788
• Add missing entries to REVERSE_OPERATORS in #​798
• Remove cel.bind option from SubexpressionOptimizer in #​795

Full Changelog: google/cel-java@v0.10.1...v0.11.0

census-instrumentation/opencensus-java (io.opencensus:opencensus-api)

v0.31.1: Release 0.31.1

Compare Source

What's Changed

• [v0.31.x] Fix retry stat measures to match those in grpc-java exactly (#​2097) by @​mackenziestarr in #​2102

Full Changelog: census-instrumentation/opencensus-java@v0.31.0...v0.31.1

open-telemetry/semantic-conventions-java (io.opentelemetry.semconv:opentelemetry-semconv)

v1.37.0

Compare Source

• Bump to semconv v1.37.0
  (#​288)

v1.36.0

Compare Source

Note: there was no v1.35.0 release
(see details).

• Bump to semconv v1.36.0
  (#​253)

open-telemetry/opentelemetry-java (io.opentelemetry:opentelemetry-bom)

v1.55.0

Compare Source

API

Common

• Improve GraalVM native image compatibility
  (#​7160)

Traces

• Fix TraceState key validation limits to match W3C specification
  (#​7575)

Incubator

• Add ExtendedOpenTelemetry API
  (#​7496)
• Add incubator implementation of composite sampling specification
  (#​7626)

SDK

Traces

• Proactively avoid Unsafe on Java 23+ to avoid triggering JVM warning message
  (#​7691)

Metrics

• Add setMeterConfigurator() support to MeterProvider (incubating API)
  (#​7346)

Exporters

• OTLP: Configure metric exporter to use SDK's MeterProvider for internal metrics
  (#​7541)
• OTLP: Suppress logging of InterruptedException from managed OkHttp threads
  (#​7565)
• OTLP: Update dependency from okhttp-jvm back to okhttp for Gradle users,
  preserving okhttp-jvm for Maven users
  (#​7681)
• Prometheus: Remove separate otel_scope_info metric and always add scope labels to data points
  (#​7398)
• Prometheus: Update exporter dependencies to use protobuf-free formats
  (#​7664)

Profiling

• Update profiles exporter to support proto v1.8.0-alpha changes
  (#​7638)
• Add abstractions to assist with dictionary table assembly
  (#​7717)
• Add abstractions to assist with sample composition
  (#​7727)

Extensions

• Autoconfigure: Improve exception logging when running in Maven
  (#​7336)
• Declarative configuration: Return Resource
  (#​7639)
• Declarative configuration: Invoke auto-configure listeners
  (#​7654)
• Declarative configuration: Add logging when incompatible types are found
  (#​7693)

Shims

OpenTracing Shim

• Improve log levels in error scenarios
  (#​6832)

Project tooling

• Respect testJavaVersion property when running JMH benchmarks
  (#​7697)

v1.54.1

Compare Source

SDK

Exporters

• Prometheus: Fix regression in protobuf format export
  (#​7664)

v1.54.0

Compare Source

API

Baggage

• Fix guard against ArrayIndexOutOfBoundsException in BaggageCodec
  (#​7239)

SDK

Metrics

• Fix MetricData.getDoubleSumData() ClassCastException with custom implementations
  (#​7597)

Exporters

• Fix HttpExporterBuilder.copy() and GrpcExporterBuilder.copy() to preserve component loader
  (#​7596)

Extensions

• Autoconfigure: Remove support for old EnvironmentResourceProvider package name
  (#​7622)
• Declarative config: Add DeclarativeConfigurationProvider SPI
  (#​7472)
• Declarative config: Pass meter provider to avoid using the global OpenTelemetry instance
  (#​7475)

Project tooling

• Update to Gradle v9
  (#​7590)

v1.53.0

Compare Source

SDK

• File based config will log the wrong file format, when applicable.
  (#​7498)

Exporters

• Change okhttp dependency to okhttp-jvm, which fixes missing class failures in
  transitive dependencies.
  (#​7517)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

BEGIN_COMMIT_OVERRIDE
chore: update upper bound dependencies file
END_COMMIT_OVERRIDE

[gemini-code-assist]

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request systematically updates a range of core Java dependencies to their latest stable versions. The primary goal is to ensure the project remains current with the ecosystem, benefiting from critical bug fixes, performance enhancements, and new features across various libraries, including Google authentication, gRPC, JSON processing, code quality tools, and OpenTelemetry. This proactive maintenance helps improve overall stability, security, and developer experience.

Highlights

• Dependency Updates: Updated com.fasterxml.jackson:jackson-bom from 2.19.2 to 2.20.0, com.google.code.gson:gson from 2.13.1 to 2.13.2, org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.5.1, and org.apache.httpcomponents.core5:httpcore5 from 5.3.4 to 5.3.6.
• Google Authentication Library Enhancements: Updated com.google.auth:google-auth-library-bom from 1.37.1 to 1.40.0, introducing a projectId getter and support for user or JSON-defined scopes for impersonated tokens.
• gRPC GCP Dynamic Channel Pooling: Updated com.google.cloud:grpc-gcp from 1.6.1 to 1.7.0, which now includes dynamic channel pool scaling.
• Error Prone Annotations: Updated com.google.errorprone:error_prone_annotations from 2.41.0 to 2.42.0, adding new checks such as ExplicitArrayForVarargs, FloggerPerWithoutRateLimit, StringJoin, and ThreadBuilderNameWithPlaceholder.
• CEL Expression Language Features: Updated dev.cel:cel from 0.10.1 to 0.11.0, introducing two-variable comprehensions, type name aliasing and abbreviations, environment export to YAML, and new list extension functions like slice, distinct, reverse, sort, and sortBy. This update also includes breaking changes related to the setContainer method and internal representation of null and bytes literals.
• OpenCensus and OpenTelemetry Updates: Updated io.opencensus:opencensus-api from 0.31.0 to 0.31.1 with a fix for retry stat measures. Also updated io.opentelemetry.semconv:opentelemetry-semconv from 1.34.0 to 1.37.0 and io.opentelemetry:opentelemetry-bom from 1.52.0 to 1.55.0, which improves GraalVM native image compatibility and fixes TraceState key validation.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This PR updates several dependency upper bounds in dependencies.txt. My review focuses on the significant drift this creates between the versions in this file and those specified in the project's pom.xml files. I've added a comment highlighting these inconsistencies and recommending that the pom.xml files be updated to ensure proper compatibility testing, particularly for dev.cel, which has breaking changes in the new version.

[gemini-code-assist]

This update, along with others in this file, creates a significant divergence from the versions defined in the project's pom.xml files. While dependencies.txt is meant to track upper bounds, a large drift can complicate maintenance and compatibility testing.

Notable discrepancies include:

• google-auth-library-bom: 1.40.0 here vs. 1.39.1 in gapic-generator-java-pom-parent/pom.xml.
• opentelemetry-bom: 1.55.0 here vs. 1.47.0 in gapic-generator-java-pom-parent/pom.xml.
• grpc-gcp: 1.7.0 here vs. 1.6.1 in java-shared-dependencies/first-party-dependencies/pom.xml.
• dev.cel: 0.11.0 here vs. 0.6.0 in java-shared-dependencies/third-party-dependencies/pom.xml.

It is recommended to update the pom.xml files to align with these new versions. The update for dev.cel to 0.11.0 is particularly important to address, as this version introduces breaking changes according to its release notes.

[lqiu96]

/gcbrun