deps: updates main deps except armeria and amqp (#3615)

This updates all main dependencies except armeria (handled #3614) and
amqp (driver is incompatible so needs a new PR).

Signed-off-by: Adrian Cole <[email protected]>

pom.xml

@@ -46,7 +46,7 @@
 
     <!-- override to set exclusions per-project -->
     <errorprone.args />
-    <errorprone.version>2.4.0</errorprone.version>
+    <errorprone.version>2.23.0</errorprone.version>
 
     <zipkin-proto3.version>1.0.0</zipkin-proto3.version>
 
@@ -57,32 +57,28 @@
     <netty.version>4.1.95.Final</netty.version>
 
     <!-- It's easy for Jackson dependencies to get misaligned, so we manage it ourselves. -->
-    <jackson.version>2.15.0</jackson.version>
+    <jackson.version>2.16.0</jackson.version>
 
     <java-driver.version>4.17.0</java-driver.version>
-    <micrometer.version>1.9.3</micrometer.version>
-
-    <snappy.version>1.1.10.3</snappy.version>
+    <micrometer.version>1.12.0</micrometer.version>
 
     <!-- Used for Generated annotations -->
     <javax-annotation-api.version>1.3.1</javax-annotation-api.version>
 
     <!-- update together -->
-    <spring-boot.version>2.7.14</spring-boot.version>
-    <spring.version>5.3.29</spring.version>
-    <!-- override spring dependency version, CVE-2022-25857, CVE-2022-1471 -->
-    <snakeyaml.version>2.0</snakeyaml.version>
+    <spring-boot.version>2.7.18</spring-boot.version>
+    <spring.version>5.3.31</spring.version>
 
     <!-- MySQL connector is GPL, even if it has an OSS exception.
          https://www.mysql.com/about/legal/licensing/foss-exception/
 
          MariaDB has a friendlier license, LGPL, which is less scary in audits.
     -->
-    <mariadb-java-client.version>2.7.1</mariadb-java-client.version>
-    <HikariCP.version>3.4.5</HikariCP.version>
+    <mariadb-java-client.version>2.7.11</mariadb-java-client.version>
+    <HikariCP.version>5.1.0</HikariCP.version>
     <slf4j.version>1.7.36</slf4j.version>
-    <auto-value.version>1.7.4</auto-value.version>
-    <git-commit-id.version>4.0.3</git-commit-id.version>
+    <auto-value.version>1.10.4</auto-value.version>
+    <git-commit-id.version>4.9.10</git-commit-id.version>
 
     <!-- Test only dependencies -->
     <junit.version>4.13.2</junit.version>

zipkin-collector/activemq/pom.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright 2015-2021 The OpenZipkin Authors
+    Copyright 2015-2023 The OpenZipkin Authors
 
     Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
     in compliance with the License. You may obtain a copy of the License at
@@ -29,7 +29,7 @@
 
   <properties>
     <main.basedir>${project.basedir}/../..</main.basedir>
-    <activemq.version>5.16.3</activemq.version>
+    <activemq.version>5.18.3</activemq.version>
   </properties>
 
   <dependencies>

zipkin-collector/kafka/pom.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright 2015-2021 The OpenZipkin Authors
+    Copyright 2015-2023 The OpenZipkin Authors
 
     Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
     in compliance with the License. You may obtain a copy of the License at
@@ -28,7 +28,7 @@
 
   <properties>
     <main.basedir>${project.basedir}/../..</main.basedir>
-    <kafka.version>3.4.0</kafka.version>
+    <kafka.version>3.6.0</kafka.version>
   </properties>
 
   <dependencies>

zipkin-collector/rabbitmq/pom.xml

@@ -29,6 +29,7 @@
 
   <properties>
     <main.basedir>${project.basedir}/../..</main.basedir>
+    <!-- TODO: this version is abandoned: we have to rewrite for 5.x to avoid CVEs -->
     <amqp-client.version>4.12.0</amqp-client.version>
   </properties>
 

zipkin-server/pom.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright 2015-2022 The OpenZipkin Authors
+    Copyright 2015-2023 The OpenZipkin Authors
 
     Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
     in compliance with the License. You may obtain a copy of the License at
@@ -32,8 +32,11 @@
     <main.signature.artifact>java18</main.signature.artifact>
 
     <!-- Sometimes we need to override Armeria's Brave version -->
-    <brave.version>5.13.2</brave.version>
-    <log4j2.version>2.17.1</log4j2.version>
+    <brave.version>5.16.0</brave.version>
+    <!-- Version overrides to avoid CVEs due to out-of-date Spring deps -->
+    <log4j2.version>2.22.0</log4j2.version>
+    <snappy.version>1.1.10.5</snappy.version>
+    <snakeyaml.version>2.2</snakeyaml.version>
     <proto.generatedSourceDirectory>${project.build.directory}/generated-test-sources/wire</proto.generatedSourceDirectory>
   </properties>
 
@@ -103,21 +106,21 @@
       </exclusions>
     </dependency>
 
-    <!-- Override Spring dependency to avoid CVE-2022-25857 -->
+    <!-- Override Spring dependency to avoid CVEs -->
     <dependency>
       <groupId>org.yaml</groupId>
       <artifactId>snakeyaml</artifactId>
       <version>${snakeyaml.version}</version>
     </dependency>
 
-    <!-- Override to avoid CVE-2023-34455 -->
+    <!-- Override Spring dependency to avoid CVEs -->
     <dependency>
       <groupId>org.xerial.snappy</groupId>
       <artifactId>snappy-java</artifactId>
       <version>${snappy.version}</version>
     </dependency>
 
-    <!-- Override log4j 2 version to avoid CVE-2021-44228 -->
+    <!-- Override Spring dependency to avoid CVEs -->
     <dependency>
       <groupId>org.apache.logging.log4j</groupId>
       <artifactId>log4j-api</artifactId>
@@ -191,7 +194,7 @@
     <dependency>
       <groupId>com.netflix.concurrency-limits</groupId>
       <artifactId>concurrency-limits-core</artifactId>
-      <version>0.3.6</version>
+      <version>0.4.0</version>
     </dependency>
     <dependency>
       <groupId>io.micrometer</groupId>
@@ -491,7 +494,7 @@
       <plugin>
         <groupId>org.codehaus.mojo</groupId>
         <artifactId>build-helper-maven-plugin</artifactId>
-        <version>3.2.0</version>
+        <version>3.5.0</version>
         <executions>
           <execution>
             <id>add-test-source</id>

zipkin-storage/mysql-v1/pom.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright 2015-2021 The OpenZipkin Authors
+    Copyright 2015-2023 The OpenZipkin Authors
 
     Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
     in compliance with the License. You may obtain a copy of the License at
@@ -29,7 +29,9 @@
   <properties>
     <main.basedir>${project.basedir}/../..</main.basedir>
 
-    <jooq.version>3.14.4</jooq.version>
+    <!-- TODO: upgrade when we make floor JDK 11 or 17
+         3.16 is the last to compile with JDK <17; 3.14 last for Java 8 -->
+    <jooq.version>3.14.16</jooq.version>
 
     <!-- jOOQ doesn't add the Generated annotation, so we have to explicitly disable rules -->
     <errorprone.args>-Xep:InconsistentCapitalization:OFF</errorprone.args>

zipkin/pom.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright 2015-2021 The OpenZipkin Authors
+    Copyright 2015-2023 The OpenZipkin Authors
 
     Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
     in compliance with the License. You may obtain a copy of the License at