Pin bouncycastle to 1.84 to fix CVE-2026-0636, CVE-2026-5588, CVE-2026-5598 (open-telemetry#2783)

trask · web-flow · commit 4247cd3c53e1 · 2026-04-27T06:49:02.000Z
diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
@@ -50,6 +50,8 @@ dependencies {
     api("org.assertj:assertj-core:3.27.7")
     api("org.awaitility:awaitility:4.3.0")
     api("org.bouncycastle:bcpkix-jdk15on:1.70")
+    api("org.bouncycastle:bcpkix-jdk18on:1.84")
+    api("org.bouncycastle:bcprov-jdk18on:1.84")
     api("org.junit-pioneer:junit-pioneer:1.9.1")
     api("org.skyscreamer:jsonassert:1.5.3")
     api("org.apache.kafka:kafka-clients:4.2.0")
diff --git a/jmx-scraper/build.gradle.kts b/jmx-scraper/build.gradle.kts
@@ -39,8 +39,8 @@ testing {
         implementation("com.linecorp.armeria:armeria-junit5")
         implementation("com.linecorp.armeria:armeria-grpc")
         implementation("io.opentelemetry.proto:opentelemetry-proto:1.10.0-alpha")
-        implementation("org.bouncycastle:bcprov-jdk18on:1.84")
-        implementation("org.bouncycastle:bcpkix-jdk18on:1.84")
+        implementation("org.bouncycastle:bcprov-jdk18on")
+        implementation("org.bouncycastle:bcpkix-jdk18on")
       }
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -39,8 +39,8 @@ testing {`
`39`	`39`	`implementation("com.linecorp.armeria:armeria-junit5")`
`40`	`40`	`implementation("com.linecorp.armeria:armeria-grpc")`
`41`	`41`	`implementation("io.opentelemetry.proto:opentelemetry-proto:1.10.0-alpha")`
`42`		`- implementation("org.bouncycastle:bcprov-jdk18on:1.84")`
`43`		`- implementation("org.bouncycastle:bcpkix-jdk18on:1.84")`
	`42`	`+ implementation("org.bouncycastle:bcprov-jdk18on")`
	`43`	`+ implementation("org.bouncycastle:bcpkix-jdk18on")`
`44`	`44`	`}`
`45`	`45`	`}`
`46`	`46`	`}`