aws-observability · lukeina2z · Sep 19, 2025 · Sep 19, 2025 · Sep 19, 2025 · Oct 1, 2025
@@ -18,4 +18,6 @@ If your change does not need a CHANGELOG entry, add the "skip changelog" label t
 - Support X-Ray Trace Id extraction from Lambda Context object, and respect user-configured OTEL_PROPAGATORS in AWS Lamdba instrumentation
   ([#1191](https://github.com/aws-observability/aws-otel-java-instrumentation/pull/1191)) ([#1218](https://github.com/aws-observability/aws-otel-java-instrumentation/pull/1218))
 - Adaptive Sampling improvements: Ensure propagation of sampling rule across services and AWS accounts. Remove unnecessary B3 propagator.
-  ([#1201](https://github.com/aws-observability/aws-otel-java-instrumentation/pull/1201))
+  ([#1201](https://github.com/aws-observability/aws-otel-java-instrumentation/pull/1201))
+- fix: Remove Netty as an agent dependency
+  ([#1206](https://github.com/aws-observability/aws-otel-java-instrumentation/pull/1206))
@@ -52,8 +52,8 @@ dependencies {
   testImplementation("org.testcontainers:junit-jupiter")
   testImplementation("io.opentelemetry.contrib:opentelemetry-aws-xray")
   testImplementation("org.testcontainers:localstack")
-  testImplementation("software.amazon.awssdk:s3")
-  testImplementation("software.amazon.awssdk:sts")
+  testImplementation("software.amazon.awssdk:s3:2.33.11")
+  testImplementation("software.amazon.awssdk:sts:2.33.11")
   testImplementation(kotlin("test"))
   implementation(project(":appsignals-tests:images:grpc:grpc-base"))
   testImplementation("org.testcontainers:kafka:1.21.3")

@@ -50,7 +50,6 @@ dependencies {
   compileOnly("io.opentelemetry:opentelemetry-exporter-otlp-common")
 
   // For OtlpAwsExporter SigV4 Authentication
-  runtimeOnly("software.amazon.awssdk:sts")
   implementation("software.amazon.awssdk:auth")
   implementation("software.amazon.awssdk:http-auth-aws")
 

@@ -40,16 +40,11 @@ val dependencyBoms = listOf(
   "com.google.protobuf:protobuf-bom:3.25.1",
   "com.linecorp.armeria:armeria-bom:1.26.4",
   "io.grpc:grpc-bom:1.59.1",
-  // netty-bom is a fix for CVE-2025-58056 (https://github.com/advisories/GHSA-fghv-69vj-qj49).
-  // Remove once https://github.com/aws/aws-sdk-java-v2/pull/6398 and https://github.com/aws/aws-sdk-java/pull/3192
-  // are both merged and released, and we update the corresponding dependencies.
-  "io.netty:netty-bom:4.1.126.Final",
   "io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha:$otelAlphaVersion",
   "org.apache.logging.log4j:log4j-bom:2.21.1",
   "org.junit:junit-bom:5.10.1",
   "org.springframework.boot:spring-boot-dependencies:2.7.17",
   "org.testcontainers:testcontainers-bom:1.19.3",
-  "software.amazon.awssdk:bom:2.30.17",
 )
 
 val dependencySets = listOf(
@@ -103,6 +98,9 @@ dependencies {
     for (dependency in dependencyLists) {
       api(dependency)
     }
+
+    api("software.amazon.awssdk:auth:2.33.11")
+    api("software.amazon.awssdk:aws-core:2.33.11")
   }
 }
 

@@ -15,8 +15,8 @@ dependencies {
   implementation("com.squareup.okhttp3:okhttp")
   implementation("io.opentelemetry:opentelemetry-api")
   implementation("org.apache.logging.log4j:log4j-core")
-  implementation("software.amazon.awssdk:s3")
-  implementation("software.amazon.awssdk:sts")
+  implementation("software.amazon.awssdk:s3:2.33.11")
+  implementation("software.amazon.awssdk:sts:2.33.11")
 
   runtimeOnly("org.apache.logging.log4j:log4j-slf4j-impl")
 }

@@ -10,8 +10,8 @@ dependencies {
   implementation("org.springframework.boot:spring-boot-starter-web")
   implementation("org.springframework.boot:spring-boot-starter")
   implementation("com.squareup.okhttp3:okhttp")
-  implementation("software.amazon.awssdk:s3")
-  implementation("software.amazon.awssdk:sts")
+  implementation("software.amazon.awssdk:s3:2.33.11")
+  implementation("software.amazon.awssdk:sts:2.33.11")
   implementation("io.opentelemetry:opentelemetry-api")
 }