build(deps): bump io.opentelemetry.javaagent:opentelemetry-javaagent from 2.26.1 to 2.27.0

[dependabot]

Bumps io.opentelemetry.javaagent:opentelemetry-javaagent from 2.26.1 to 2.27.0.

Release notes

Sourced from io.opentelemetry.javaagent:opentelemetry-javaagent's releases.

Version 2.27.0

This release targets the OpenTelemetry SDK 1.61.0.

Note that many artifacts have the -alpha suffix attached to their version number, reflecting that they will continue to have breaking changes. Please see VERSIONING.md for more details.

⚠️ Breaking changes to non-stable APIs

• Make AbstractKtorServerTelemetryBuilder.isOpenTelemetryInitialized() protected (previously public). (#17509)
• Replace ExperimentalInstrumentationModule.injectClasses(ClassInjector) with exposedClassNames() for exposing helper classes to the application class loader. (#17765)
• Moved WebApplicationContextInstrumentation from the spring-web instrumentation module to spring-webmvc; users who disabled it via otel.instrumentation.spring-web.enabled=false must now use otel.instrumentation.spring-webmvc.enabled=false. (#17856)

🚫 Deprecations

• Deprecated KafkaTelemetryBuilder.setMessagingReceiveInstrumentationEnabled(boolean) in favor of setMessagingReceiveTelemetryEnabled(boolean). (#17092)
• Deprecated GraphQL builder methods setSanitizeQuery() and setAddOperationNameToSpanName(), and deprecated config key otel.instrumentation.graphql.add-operation-name-to-span-name.enabled in favor of setQuerySanitizationEnabled(), setOperationNameInSpanNameEnabled(), and otel.instrumentation.graphql.operation-name-in-span-name.enabled. (#17093)
• Deprecate Experimental.setEnableSqlCommenter() in JDBC and R2DBC instrumentation in favor of Experimental.setSqlCommenterEnabled(). (#17094)
• Rename otel.instrumentation.servlet.capture-request-parameters to otel.instrumentation.servlet.experimental.capture-request-parameters and otel.instrumentation.servlet.add-trace-id-request-attribute to otel.instrumentation.servlet.experimental.trace-id-request-attribute.enabled; old property names are deprecated. (#17113)
• Deprecated the declarative config name statement_sanitizer in favor of query_sanitization, and the declarative config group common.database in favor of common.db. (#17116)
• Deprecated the GraphQL declarative config name query_sanitizer in favor of query_sanitization. (#17455)
• Deprecated the DB query sanitization system property names otel.instrumentation.common.db-statement-sanitizer.enabled, otel.instrumentation.jdbc.statement-sanitizer.enabled, otel.instrumentation.mongo.statement-sanitizer.enabled, and otel.instrumentation.r2dbc.statement-sanitizer.enabled in favor of the corresponding *.query-sanitization.enabled names, deprecated otel.instrumentation.common.experimental.db-sqlcommenter.enabled in favor of otel.instrumentation.common.db.experimental.sqlcommenter.enabled, and deprecated otel.instrumentation.graphql.query-sanitizer.enabled in favor of otel.instrumentation.graphql.query-sanitization.enabled. (#17464)
• Deprecate InstrumentationModule.isIndyModule(); indy mode is now determined by the agent distribution configuration instead of per-module overrides. (#17713)

📈 Enhancements

• Remove log4j.map_message. prefix from MapMessage attributes when otel.instrumentation.common.v3-preview is enabled. (#13871)
• Stop normalizing messaging header names (dash to underscore) when otel.instrumentation.common.v3-preview is enabled, so captured header attribute keys now preserve the original header name. (#14554)
• Add db.system.name attribute to Vertx SQL client instrumentation when stable database semantic conventions are enabled (otel.semconv-stability.opt-in=database). (#16254)
• JDBC instrumentation now supports the db.system.name attribute with stable semantic convention values (e.g., postgresql, oracle.db, ibm.db2, sap.hana) when stable database semantic conventions are enabled (otel.semconv-stability.opt-in=database). (#16277)
• Add otel.instrumentation.common.v3-preview flag that enables upcoming 3.0 breaking changes early. (#16459)
• Optimized log event MDC attribute mapping in jboss-logmanager, log4j, and logback appenders by pre-computing attribute keys at initialization. (#16765)
• Add messaging.kafka.bootstrap.servers attribute to Kafka producer spans when otel.instrumentation.kafka.experimental-span-attributes is enabled. (#17065)
• Disable servlet trace-id request attribute by default when otel.instrumentation.common.v3-preview is enabled. (#17173)
• Disable thread details span processor (otel.javaagent.add-thread-details) by default when otel.instrumentation.common.v3-preview is enabled. (#17215)
• Improved javaagent startup optimization by decomposing disjunction matchers, allowing more transformations to be skipped during class loading. (#17227)
• Add stable messaging.kafka.offset attribute to Kafka instrumentation, gated behind otel.semconv-stability.preview=messaging. (#17785)
• Preserve original casing of servlet request parameter names in attribute keys when otel.instrumentation.common.v3-preview is enabled. (#17822)
• Replace reflective mutation of Byte Buddy's AgentBuilder.Default.transformations with a ClassFileTransformer hook, avoiding a JDK 26 JEP 500 warning about writing to a final field via reflection. (#17824)
• Add javaagent bridging support for OpenTelemetry API 1.61 stable methods including Tracer.isEnabled(), metric instrument isEnabled(), and Logger.setBody(Body). (#17849)

🛠️ Bug fixes

• Fix WebClientBeanPostProcessor and RestClientBeanPostProcessor to avoid replacing user-customized builder beans when the OpenTelemetry tracing filter/interceptor is already registered. (#15546)
• Fix memory leak where bridged observable metric callbacks were never closed when the application-side instrument was garbage collected. (#16219)
• Fix Ktor server instrumentation leaking scope across requests due to restoreThreadContext not always being called by Ktor coroutine machinery. (#16487)
• Add missing schemaUrl to servlet response instrumenter. (#16560)
• Fix OpenTelemetryContextDataProvider calling GlobalOpenTelemetry.get() during class initialization, which could interfere with SDK setup ordering. (#16638)
• Fix ZIO instrumentation destroying caller thread context on fiber suspend, which caused spans created after unsafe.run to lose their parent. (#16647)
• Fix Spring Boot starter adding a duplicate OpenTelemetry logback appender when the appender is nested inside another appender. (#16697)
• Fix bridging of VALUE-type attributes set via AttributeKey.valueKey() on spans and log records through the javaagent API bridge. (#16750)
• Fix unsafe deserialization in RMI instrumentation that could lead to remote code execution (CVE-2026-33701, #16986, also released in 2.26.1)

... (truncated)

Changelog

Sourced from io.opentelemetry.javaagent:opentelemetry-javaagent's changelog.

Version 2.27.0 (2026-04-21)

This release targets the OpenTelemetry SDK 1.61.0.

Note that many artifacts have the -alpha suffix attached to their version number, reflecting that they will continue to have breaking changes. Please see VERSIONING.md for more details.

⚠️ Breaking changes to non-stable APIs

• Make AbstractKtorServerTelemetryBuilder.isOpenTelemetryInitialized() protected (previously public). (#17509)
• Replace ExperimentalInstrumentationModule.injectClasses(ClassInjector) with exposedClassNames() for exposing helper classes to the application class loader. (#17765)
• Moved WebApplicationContextInstrumentation from the spring-web instrumentation module to spring-webmvc; users who disabled it via otel.instrumentation.spring-web.enabled=false must now use otel.instrumentation.spring-webmvc.enabled=false. (#17856)

🚫 Deprecations

• Deprecated KafkaTelemetryBuilder.setMessagingReceiveInstrumentationEnabled(boolean) in favor of setMessagingReceiveTelemetryEnabled(boolean). (#17092)
• Deprecated GraphQL builder methods setSanitizeQuery() and setAddOperationNameToSpanName(), and deprecated config key otel.instrumentation.graphql.add-operation-name-to-span-name.enabled in favor of setQuerySanitizationEnabled(), setOperationNameInSpanNameEnabled(), and otel.instrumentation.graphql.operation-name-in-span-name.enabled. (#17093)
• Deprecate Experimental.setEnableSqlCommenter() in JDBC and R2DBC instrumentation in favor of Experimental.setSqlCommenterEnabled(). (#17094)
• Rename otel.instrumentation.servlet.capture-request-parameters to otel.instrumentation.servlet.experimental.capture-request-parameters and otel.instrumentation.servlet.add-trace-id-request-attribute to otel.instrumentation.servlet.experimental.trace-id-request-attribute.enabled; old property names are deprecated. (#17113)
• Deprecated the declarative config name statement_sanitizer in favor of query_sanitization, and the declarative config group common.database in favor of common.db. (#17116)
• Deprecated the GraphQL declarative config name query_sanitizer in favor of query_sanitization. (#17455)
• Deprecated the DB query sanitization system property names otel.instrumentation.common.db-statement-sanitizer.enabled, otel.instrumentation.jdbc.statement-sanitizer.enabled, otel.instrumentation.mongo.statement-sanitizer.enabled, and

... (truncated)

Commits

• f1973d4 [release/v2.27.x] Prepare release 2.27.0 (#18116)
• 5449673 Review fixes for async-http-client-common-1.8:javaagent (#18102)
• 4a62aff Update changelog for upcoming release (#18105)
• e2190ed Rename JAX-RS 2.0 RESTEasy shared javaagent module to `jaxrs-2.0-resteasy-com...
• afcf274 chore: update instrumentation list [automated] (#18109)
• bf241bf Split runtime telemetry JFR config from experimental metrics (#18110)
• 64d55bf fix(deps): update gradle develocity packages to v4.4.1 (#18107)
• 41393cc fix(deps): update all patch versions to v2.0.5 (#18106)
• 38914f1 chore(deps): update actions/setup-node action to v6.4.0 (#18108)
• dfbf501 v3_preview applied for lowercase normalization for <name> in servlet.… (#17822)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)