fix: upgrade io.netty:netty-codec-http to 4.2.13.Final (GHSA-57rv-r2g8-2cj3)

Copilot · gygrobot · web-flow · commit 0a26b2979ee9 · 2026-05-22T14:29:42.000Z
Add resolutionStrategy.eachDependency constraint to force io.netty:netty-codec-http to 4.2.13.Final to address HttpClientCodec response desynchronization vulnerability. Related: CHK-13428, GHSA-57rv-r2g8-2cj3, GitHub alert #60 Agent-Logs-Url: https://github.com/getyourguide/openapi-validation-java/sessions/9949f828-0f32-4b78-be7b-ae7303b39bb2 Co-authored-by: gygrobot <19344429+gygrobot@users.noreply.github.com>
diff --git a/build.gradle b/build.gradle
@@ -35,6 +35,11 @@ subprojects {
                 useVersion('11.0.21')
                 because('GHSA-rv64-5gf8-9qq8 / GHSA-x4m4-345f-5h5g / GHSA-24j9-x2wg-9qv6: Apache Tomcat < 11.0.21 vulnerabilities')
             }
+            if (requested.group == 'io.netty' && requested.name == 'netty-codec-http'
+                    && requested.version != null && requested.version < '4.2.13.Final') {
+                useVersion('4.2.13.Final')
+                because('GHSA-57rv-r2g8-2cj3: Netty HttpClientCodec response desynchronization vulnerability')
+            }
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,11 @@ subprojects {`
`35`	`35`	`useVersion('11.0.21')`
`36`	`36`	`because('GHSA-rv64-5gf8-9qq8 / GHSA-x4m4-345f-5h5g / GHSA-24j9-x2wg-9qv6: Apache Tomcat < 11.0.21 vulnerabilities')`
`37`	`37`	`}`
	`38`	`+ if (requested.group == 'io.netty' && requested.name == 'netty-codec-http'`
	`39`	`+ && requested.version != null && requested.version < '4.2.13.Final') {`
	`40`	`+ useVersion('4.2.13.Final')`
	`41`	`+ because('GHSA-57rv-r2g8-2cj3: Netty HttpClientCodec response desynchronization vulnerability')`
	`42`	`+ }`
`38`	`43`	`}`
`39`	`44`	`}`
`40`	`45`