MdcHook is greatly reduced and renamed to StairwayLoggingHook: it now only logs at notable state transitions.

    I learned that Spring Boot Dependency Manager pulls in opentelemetry-bom as a dependency.
    For our Spring Boot version 3.1.2, opentelemetry-bom has version 1.25.0.
    Using the BOM (bill of materials) to manage OTEL dependencies is preferred to managing them individually: the BOM makes sure that they remain compatible with one another.
    The only OTEL dependencies that BPM needs to define directly are:
    1. opentelemetry-api so that we can construct OpenTelemetry objects (versioned by the BOM, which is itself versioned by Spring Boot dependency manager)
    2. opentelemetry-instrumentation-annotations so that we can use the @WithSpan annotation

    terra-common-lib defines the OTEL deps it needs, they are available as runtime dependencies so we don't need to redefine them.
    But it does not use the BOM to version them, or Spring Boot dependency manager.  It versions them directly at 1.34.1.

I found when removing the OTEL deps that BPM didn't need, I also needed to instruct our Spring Boot dependency manager to pin opentelemetry-bom at a higher version compatible with TCL's OTEL dependencies.

TCL 1.1.1 introduces a common StairwayLoggingHook for reuse, so I deleted BPM's.

Spring Boot 3.2.3 addresses a number of reported vulnerabilities.

Given the extent of dependency modifications I made, I appreciated having a way to check locally that I was both addressing vulnerabilities, and not pulling in any new ones.

Some other teams also run SourceClear as part of their CI build process, but I am not making that change at this time.