From 4d50ac3a927720db6d89315f86ef3d06e6181bfe Mon Sep 17 00:00:00 2001
From: halibobo1205 <halibobo1205@gmail.com>
Date: Thu, 2 Apr 2026 12:58:41 +0800
Subject: [PATCH 1/4] fix CVE-2026-33871

---
 build.gradle                     |  11 +
 gradle/verification-metadata.xml | 335 ++++++++++++++++---------------
 protocol/build.gradle            |   2 +-
 3 files changed, 189 insertions(+), 159 deletions(-)

diff --git a/build.gradle b/build.gradle
index 12a0622db99..1ebb3e19bf1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -144,6 +144,17 @@ subprojects {
                         details.because("Automatically replace android guava with jre version: ${requestedVersion} -> ${jreVersion}")
                     }
                 }
+                // Fix CVE-2026-33871: Netty HTTP/2 CONTINUATION Frame Flood DoS
+                // Affected: netty-codec-http2 < 4.1.132.Final
+                // https://github.com/advisories/GHSA-w9fj-cfpg-grvv
+                if (details.requested.group == 'io.netty') {
+                    def nettyVersion = details.requested.version
+                    if (nettyVersion != null && nettyVersion.startsWith('4.1.') &&
+                            nettyVersion < '4.1.132.Final') {
+                        details.useVersion('4.1.132.Final')
+                        details.because("CVE-2026-33871: force Netty >= 4.1.132.Final to fix HTTP/2 CONTINUATION frame DoS")
+                    }
+                }
             }
         }
     }
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index 4d0bf1013d6..7714e81b7c0 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -292,12 +292,12 @@
             <sha256 value="16a8688d707c8b63309a9e77cf9c5ffaaefa20b80b9c6131bb7f941e52abcc0d" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.google.api.grpc" name="proto-google-common-protos" version="2.59.2">
-         <artifact name="proto-google-common-protos-2.59.2.jar">
-            <sha256 value="9407f50aef5d1cb12675c170fa64ee216023eefca49f8f5eac45124f23a6cb29" origin="Generated by Gradle"/>
+      <component group="com.google.api.grpc" name="proto-google-common-protos" version="2.63.2">
+         <artifact name="proto-google-common-protos-2.63.2.jar">
+            <sha256 value="9a36be5b3b4736a3de22c9be2976cdc98a17700ecc19f2b679dcd0c6af703913" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="proto-google-common-protos-2.59.2.pom">
-            <sha256 value="8e4f0a02edeb8ed8ad065602e3dedc520afa6d23c2c3db1c230381cb681d82db" origin="Generated by Gradle"/>
+         <artifact name="proto-google-common-protos-2.63.2.pom">
+            <sha256 value="ebc17dc83db925b387a1546a60a4a8e272a0a185f2637de838d165fdad9607c9" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.google.code.findbugs" name="jsr305" version="1.3.9">
@@ -324,12 +324,12 @@
             <sha256 value="19889dbdf1b254b2601a5ee645b8147a974644882297684c798afe5d63d78dfe" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.google.code.gson" name="gson" version="2.11.0">
-         <artifact name="gson-2.11.0.jar">
-            <sha256 value="57928d6e5a6edeb2abd3770a8f95ba44dce45f3b23b7a9dc2b309c581552a78b" origin="Generated by Gradle"/>
+      <component group="com.google.code.gson" name="gson" version="2.12.1">
+         <artifact name="gson-2.12.1.jar">
+            <sha256 value="ebee13d5fb7477cd7f1cc010e0c356df8ca80709715248da97f79e35ccb4fbec" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="gson-2.11.0.pom">
-            <sha256 value="c0e547bea998888e6e25c5886a90e762272bc88b5275343dd2c05ded6ca2e360" origin="Generated by Gradle"/>
+         <artifact name="gson-2.12.1.pom">
+            <sha256 value="0b5735ec85f45282f1e2c769779800427b150a8163f405093a9280b71cab1978" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.google.code.gson" name="gson" version="2.8.9">
@@ -340,9 +340,9 @@
             <sha256 value="afded6e6a690fbf3ad4ae65ada397f0a90a5f630b303d1b741b9c97926fdd4de" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.google.code.gson" name="gson-parent" version="2.11.0">
-         <artifact name="gson-parent-2.11.0.pom">
-            <sha256 value="8acb1f3b72a6f026916ac0735bad9aab0293d527edb7b365327def13a9367b7a" origin="Generated by Gradle"/>
+      <component group="com.google.code.gson" name="gson-parent" version="2.12.1">
+         <artifact name="gson-parent-2.12.1.pom">
+            <sha256 value="c9e7b0b7e31be7be22684979c068001c652cb113c4e6ed894e39b643dee07fc1" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.google.code.gson" name="gson-parent" version="2.8.9">
@@ -363,12 +363,12 @@
             <sha256 value="920135797dcca5917b5a5c017642a58d340a4cd1bcd12f56f892a5663bd7bddc" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.google.errorprone" name="error_prone_annotations" version="2.30.0">
-         <artifact name="error_prone_annotations-2.30.0.jar">
-            <sha256 value="144f3aefbd6e27daec55d3753b2c6b13c1afdaf0cf04816cdb564588ed92f1bd" origin="Generated by Gradle"/>
+      <component group="com.google.errorprone" name="error_prone_annotations" version="2.45.0">
+         <artifact name="error_prone_annotations-2.45.0.jar">
+            <sha256 value="6ba61510e22944e8aec3fe970972d088d8da132a24f2bc817a43c7b70665cc2b" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="error_prone_annotations-2.30.0.pom">
-            <sha256 value="f713849c23b34953e854565dce8aa795cae0c1416611b720c21461322c795f86" origin="Generated by Gradle"/>
+         <artifact name="error_prone_annotations-2.45.0.pom">
+            <sha256 value="95be73f9a87876c95aef10dcc54938e1f1c45a2850c316c33fbdecd590f51280" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.google.errorprone" name="error_prone_parent" version="2.1.3">
@@ -381,9 +381,9 @@
             <sha256 value="47f22e99c7bf466391def16f8377985e5d3ba6f5bbcf65853644805513e15fad" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.google.errorprone" name="error_prone_parent" version="2.30.0">
-         <artifact name="error_prone_parent-2.30.0.pom">
-            <sha256 value="5e8834ccc0e5ed0c72f306c250b518e6ad10d075a9b7b910cf695cba1ee02a2d" origin="Generated by Gradle"/>
+      <component group="com.google.errorprone" name="error_prone_parent" version="2.45.0">
+         <artifact name="error_prone_parent-2.45.0.pom">
+            <sha256 value="ce008b959652d910ee54781cbc6c6c53c063d2aa083a30078f4a43fc97456668" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.google.gradle" name="osdetector-gradle-plugin" version="1.7.1">
@@ -394,12 +394,12 @@
             <sha256 value="859797e70a1bd9e422fed400d66a6602c8af8f3c667ee1c7b78f1763a25eb8e0" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.google.guava" name="failureaccess" version="1.0.2">
-         <artifact name="failureaccess-1.0.2.jar">
-            <sha256 value="8a8f81cf9b359e3f6dfa691a1e776985c061ef2f223c9b2c80753e1b458e8064" origin="Generated by Gradle"/>
+      <component group="com.google.guava" name="failureaccess" version="1.0.3">
+         <artifact name="failureaccess-1.0.3.jar">
+            <sha256 value="cbfc3906b19b8f55dd7cfd6dfe0aa4532e834250d7f080bd8d211a3e246b59cb" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="failureaccess-1.0.2.pom">
-            <sha256 value="19ebc6f4bdb4edbb3d07b6ee994f846b54ef295582a9b5634719ffa9f31d03b2" origin="Generated by Gradle"/>
+         <artifact name="failureaccess-1.0.3.pom">
+            <sha256 value="c54beff37f6d42d43e14722d54a522c9ad51ef97fc5b79277e62a3ebf882f3bb" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.google.guava" name="guava" version="19.0">
@@ -444,15 +444,15 @@
             <sha256 value="c728db6f2705ca3ea6a3cf2cf1260dbeff3a4524249a1b1b900edcfe9d72142f" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.google.guava" name="guava" version="33.3.1-jre">
-         <artifact name="guava-33.3.1-jre.jar">
-            <sha256 value="4bf0e2c5af8e4525c96e8fde17a4f7307f97f8478f11c4c8e35a0e3298ae4e90" origin="Generated by Gradle"/>
+      <component group="com.google.guava" name="guava" version="33.5.0-jre">
+         <artifact name="guava-33.5.0-jre.jar">
+            <sha256 value="1e301f0c52ac248b0b14fdc3d12283c77252d4d6f48521d572e7d8c4c2cc4ac7" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="guava-33.3.1-jre.module">
-            <sha256 value="41858c84753fd96a6b7c51122fccef39558c91cc08264e08506bcf20e0e63733" origin="Generated by Gradle"/>
+         <artifact name="guava-33.5.0-jre.module">
+            <sha256 value="77ed42c8c8b2cebbb93ac9e07543ff6418aa24bdb8517580cf5324e9a6510956" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="guava-33.3.1-jre.pom">
-            <sha256 value="313b67fc13eb3b0634eda715a1229971f5de9b8188bc280762815b83a275f193" origin="Generated by Gradle"/>
+         <artifact name="guava-33.5.0-jre.pom">
+            <sha256 value="0478fa78a908b3c31fe6d77be9978aaa621e2a181db84007e3d3b37424a2ac61" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.google.guava" name="guava-parent" version="19.0">
@@ -485,14 +485,14 @@
             <sha256 value="43ed0e36b353f41e5eb75cd756667c9e2df97cef06eb16066967158a1d034d2a" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.google.guava" name="guava-parent" version="33.3.1-android">
-         <artifact name="guava-parent-33.3.1-android.pom">
-            <sha256 value="6e11986ea7250b51f847157e2dc937f32a306804dfce0007a5e81ddb9b95c579" origin="Generated by Gradle"/>
+      <component group="com.google.guava" name="guava-parent" version="33.4.0-android">
+         <artifact name="guava-parent-33.4.0-android.pom">
+            <sha256 value="7220ede61026596fbc720ee4b93246fa2d14f328058532b59ef053de397c7d83" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.google.guava" name="guava-parent" version="33.3.1-jre">
-         <artifact name="guava-parent-33.3.1-jre.pom">
-            <sha256 value="55441db27e8869dfefe053059bdf478bdc7e95585642bf391f0023345fd56287" origin="Generated by Gradle"/>
+      <component group="com.google.guava" name="guava-parent" version="33.5.0-jre">
+         <artifact name="guava-parent-33.5.0-jre.pom">
+            <sha256 value="68719e687c6e4c9ff3e0fecbef7bd20896f0f4f7b314743ed33c72f962568215" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.google.guava" name="listenablefuture" version="9999.0-empty-to-avoid-conflict-with-guava">
@@ -516,12 +516,12 @@
             <sha256 value="37f87798b18385113c918bfa9e1276fe50735ef8fa849b5800c519d54dbf11f8" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.google.j2objc" name="j2objc-annotations" version="3.0.0">
-         <artifact name="j2objc-annotations-3.0.0.jar">
-            <sha256 value="88241573467ddca44ffd4d74aa04c2bbfd11bf7c17e0c342c94c9de7a70a7c64" origin="Generated by Gradle"/>
+      <component group="com.google.j2objc" name="j2objc-annotations" version="3.1">
+         <artifact name="j2objc-annotations-3.1.jar">
+            <sha256 value="84d3a150518485f8140ea99b8a985656749629f6433c92b80c75b36aba3b099b" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="j2objc-annotations-3.0.0.pom">
-            <sha256 value="23b3d039e168ad89dd114698e6dd7be383f4a2c577b8877d82c73a6515e74a17" origin="Generated by Gradle"/>
+         <artifact name="j2objc-annotations-3.1.pom">
+            <sha256 value="14570838500034fc1b47c8205ce1c9d6b255c1ccdd2d1afdcdcbf75e89b24a33" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.google.protobuf" name="protobuf-bom" version="3.25.8">
@@ -865,76 +865,76 @@
             <sha256 value="c169726766469a5f159f2953bbc6df67af740e9c623b17a0a2f5e80f060f0c44" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.grpc" name="grpc-api" version="1.75.0">
-         <artifact name="grpc-api-1.75.0.jar">
-            <sha256 value="7f309616691fa655d02512762049ed18bf4ab2b52ced424cab2f527d0bb8e3fc" origin="Generated by Gradle"/>
+      <component group="io.grpc" name="grpc-api" version="1.80.0">
+         <artifact name="grpc-api-1.80.0.jar">
+            <sha256 value="3af18798cf5d705fb40187d47548345d017df9a22791b9c028d9643441be9759" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="grpc-api-1.75.0.pom">
-            <sha256 value="5c77197aa561ea72e11049b2d91ce912788909c2f704e01caf77588845c25aef" origin="Generated by Gradle"/>
+         <artifact name="grpc-api-1.80.0.pom">
+            <sha256 value="e3bcbae505b3c1420b2d1b1b2ad095118507a720f4eea8d31ea5dedabcf26a37" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.grpc" name="grpc-context" version="1.75.0">
-         <artifact name="grpc-context-1.75.0.jar">
-            <sha256 value="7e1de7847ea621a9ec7cb988a8baa947748d0eaef94bfe457d04d9b57105079f" origin="Generated by Gradle"/>
+      <component group="io.grpc" name="grpc-context" version="1.80.0">
+         <artifact name="grpc-context-1.80.0.jar">
+            <sha256 value="74a6fc8e6c9fc873c3683db41bc0ab5869bfd55b733cc62ac63eb276f37b0b0a" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="grpc-context-1.75.0.pom">
-            <sha256 value="231024d1cf18212e0c5d1d89246d6f27b0d26ce0822508a03726d7808ef01881" origin="Generated by Gradle"/>
+         <artifact name="grpc-context-1.80.0.pom">
+            <sha256 value="c7846cdfcfd00f0412996c4a7af9fe5370465c5d9da7e2ff9979d7c758a73881" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.grpc" name="grpc-core" version="1.75.0">
-         <artifact name="grpc-core-1.75.0.jar">
-            <sha256 value="f10cdbe558378494e4ffc6b1bb328b8a137f3201d46c8b24f0154eb9e51191a1" origin="Generated by Gradle"/>
+      <component group="io.grpc" name="grpc-core" version="1.80.0">
+         <artifact name="grpc-core-1.80.0.jar">
+            <sha256 value="b617121f33ea79b0cfc26e2e19475e64e0c4161d28c78cf56f7db7bbb9a81fbe" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="grpc-core-1.75.0.pom">
-            <sha256 value="4599966c10c6a36d5d14e0a7e0b59daa3099114bf44aca13b1ffce396e114b17" origin="Generated by Gradle"/>
+         <artifact name="grpc-core-1.80.0.pom">
+            <sha256 value="9dacff43c32640d3caefcc4d63914e7d56797103ac12dca0bb0501eb87fbcf91" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.grpc" name="grpc-netty" version="1.75.0">
-         <artifact name="grpc-netty-1.75.0.jar">
-            <sha256 value="2563004eb1c0a6f676678edb545377f21786144c6f55331ff1b8e6be73eb6a57" origin="Generated by Gradle"/>
+      <component group="io.grpc" name="grpc-netty" version="1.80.0">
+         <artifact name="grpc-netty-1.80.0.jar">
+            <sha256 value="c5a7e03ef0d2cd0566f46872303ff30e28b7eea6a80d8b6cc8be0960982b1ee6" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="grpc-netty-1.75.0.pom">
-            <sha256 value="f3527063a77733024fa12cec9463637687c876d2cb89c04bbe6f6201b1907e4b" origin="Generated by Gradle"/>
+         <artifact name="grpc-netty-1.80.0.pom">
+            <sha256 value="7821b49129a7885a41b6f270f4e38f545f5a045bb25800847db88c00a1860d39" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.grpc" name="grpc-protobuf" version="1.75.0">
-         <artifact name="grpc-protobuf-1.75.0.jar">
-            <sha256 value="f52b53c349b0776815e437636dff3d3844e9b10cbb25be419a786bf3d6f20269" origin="Generated by Gradle"/>
+      <component group="io.grpc" name="grpc-protobuf" version="1.80.0">
+         <artifact name="grpc-protobuf-1.80.0.jar">
+            <sha256 value="663102d87c9785835f5a96da5b245210d46e581b6cf6545faf8806d50b0046da" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="grpc-protobuf-1.75.0.pom">
-            <sha256 value="921120d8e7a259a30c1a99680712d6d5918050346901554a31a5e32a8a76256f" origin="Generated by Gradle"/>
+         <artifact name="grpc-protobuf-1.80.0.pom">
+            <sha256 value="bba82108c02368239eac79fbe4087e2a526ff84eff3c43ae7b893c4a174988e8" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.grpc" name="grpc-protobuf-lite" version="1.75.0">
-         <artifact name="grpc-protobuf-lite-1.75.0.jar">
-            <sha256 value="60fafc627aa04bcab328dcc9206f0e7aa71d95f1b612774a18272dfe7dc24cf1" origin="Generated by Gradle"/>
+      <component group="io.grpc" name="grpc-protobuf-lite" version="1.80.0">
+         <artifact name="grpc-protobuf-lite-1.80.0.jar">
+            <sha256 value="0f4e591e52bee28a3645450049ead9713aff5ba55f32f534a207a015fc9b2e9c" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="grpc-protobuf-lite-1.75.0.pom">
-            <sha256 value="c5b04120e8721e9cde1b99979560080070435e52e3796d2d5ff71bd5aeda1288" origin="Generated by Gradle"/>
+         <artifact name="grpc-protobuf-lite-1.80.0.pom">
+            <sha256 value="3ad8b2792e54c9d8e700984114966c44e529ca40c35dab8062905195b3b9a533" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.grpc" name="grpc-services" version="1.75.0">
-         <artifact name="grpc-services-1.75.0.jar">
-            <sha256 value="b6b3db6fecf14220db17d085eb2143f7c68879f6072f2159692c24c607e9391f" origin="Generated by Gradle"/>
+      <component group="io.grpc" name="grpc-services" version="1.80.0">
+         <artifact name="grpc-services-1.80.0.jar">
+            <sha256 value="38d769e4c71f68579e23f86baef5953692a8b4861c2c2c75857e9d5d148ef051" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="grpc-services-1.75.0.pom">
-            <sha256 value="a5f1fd5990de11e96fd280978dfb1377294f65312605ef570eeaf2412e7ac2ad" origin="Generated by Gradle"/>
+         <artifact name="grpc-services-1.80.0.pom">
+            <sha256 value="964074aa387833138148e3837847bc0c6e839830430d0c22746cc88078ce0d0e" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.grpc" name="grpc-stub" version="1.75.0">
-         <artifact name="grpc-stub-1.75.0.jar">
-            <sha256 value="dc98fe18654206948666e6657e13fe301ad0754751f28c6c10961e1e6c457997" origin="Generated by Gradle"/>
+      <component group="io.grpc" name="grpc-stub" version="1.80.0">
+         <artifact name="grpc-stub-1.80.0.jar">
+            <sha256 value="23c04f1c29c210084182dbeca5d3091b200e0dd97cd0bcee086d72f0b9dca2c9" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="grpc-stub-1.75.0.pom">
-            <sha256 value="69c44348e963b27c4bbed1a72970ddf11d406fba9bcfe738184b7bbb63446e1c" origin="Generated by Gradle"/>
+         <artifact name="grpc-stub-1.80.0.pom">
+            <sha256 value="5f982953fa7940c7862dd6067aa933120657e223e72232553667ea0a1f394f19" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.grpc" name="grpc-util" version="1.75.0">
-         <artifact name="grpc-util-1.75.0.jar">
-            <sha256 value="92b5a1195dad4cbd7c405b01cbd9fd2dbbd548d13d4cfabf9d2d6a37bad4cb81" origin="Generated by Gradle"/>
+      <component group="io.grpc" name="grpc-util" version="1.80.0">
+         <artifact name="grpc-util-1.80.0.jar">
+            <sha256 value="8bfa179dc59e44e46cb8b8642cfd86524a0833801e7c95632d6d4dd5cc532e6e" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="grpc-util-1.75.0.pom">
-            <sha256 value="bc863446f94417677cb6ac228fb91bdc3d82af8dd2c8ea4643b5b52d7550fd73" origin="Generated by Gradle"/>
+         <artifact name="grpc-util-1.80.0.pom">
+            <sha256 value="763bd401d0023c31d4bdf2eaa38dc03e574fffab76d55144874773aec0c1e9d2" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="io.grpc" name="protoc-gen-grpc-java" version="1.60.0">
@@ -962,97 +962,97 @@
             <sha256 value="d5a8d2cf3dfaa0f04c8eabcef91ec7ae68cb516a701fbbae84236526c02f3570" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-buffer" version="4.1.124.Final">
-         <artifact name="netty-buffer-4.1.124.Final.jar">
-            <sha256 value="830580f29c425c97bf01ae8ec69e96f4ec425f6b0c6a497c3803f261d69a2647" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-buffer" version="4.1.132.Final">
+         <artifact name="netty-buffer-4.1.132.Final.jar">
+            <sha256 value="583c16c0b1e7692eb6cf2ac05bedb5fd8244998306899576d3fb585f4e41d547" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="netty-buffer-4.1.124.Final.pom">
-            <sha256 value="7ae60051d8c23e5a73e229f730c4360660d78206fbdaaffa883a1a29ba80526d" origin="Generated by Gradle"/>
+         <artifact name="netty-buffer-4.1.132.Final.pom">
+            <sha256 value="a52a3ca55037081eee45c3466f4c7d95a9480e321d2eb3e57d585c0a4742f19b" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-codec" version="4.1.124.Final">
-         <artifact name="netty-codec-4.1.124.Final.jar">
-            <sha256 value="e1f30c0e8808df84126129ac78e303dceb6a701cdf6ccd470a63ee85cb064be0" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-codec" version="4.1.132.Final">
+         <artifact name="netty-codec-4.1.132.Final.jar">
+            <sha256 value="10662499b0b6a6435de3a02979eed82b529ea9eaf7f1a54859ecc43705aa4096" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="netty-codec-4.1.124.Final.pom">
-            <sha256 value="4dc5754958b349bd35f27aa2e786b007841a41779b26ba371d6974a1671916cc" origin="Generated by Gradle"/>
+         <artifact name="netty-codec-4.1.132.Final.pom">
+            <sha256 value="5cb73b6f2d3b6ad84ccfb2cadc2095ef5aec50ab6e85cd6375d820e462ccaa39" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-codec-http" version="4.1.124.Final">
-         <artifact name="netty-codec-http-4.1.124.Final.jar">
-            <sha256 value="27bb1fe0ec96abb7aa0b8c8f9bf98a105ad788d3a9abffe7f0a07299b317ffd3" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-codec-http" version="4.1.132.Final">
+         <artifact name="netty-codec-http-4.1.132.Final.jar">
+            <sha256 value="77ecb1f5719c9fe26f990d867788e3f47c092377ca4de4fdcee6186e70224cd3" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="netty-codec-http-4.1.124.Final.pom">
-            <sha256 value="eb5fb11e52b15293214739fee6e1b29dde8169ca3905755c5b7718e227c35caa" origin="Generated by Gradle"/>
+         <artifact name="netty-codec-http-4.1.132.Final.pom">
+            <sha256 value="4bdb4f665e87d98229a1122f2786d27fcca422620283e5701d2dbf101c277af5" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-codec-http2" version="4.1.124.Final">
-         <artifact name="netty-codec-http2-4.1.124.Final.jar">
-            <sha256 value="90c25676201d9792029169a1e3198f1b9903bb8139bc40bb8b03c85b70c43d9f" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-codec-http2" version="4.1.132.Final">
+         <artifact name="netty-codec-http2-4.1.132.Final.jar">
+            <sha256 value="8ad7fb7d42f524b11ab1dfbf949269b0d7fe708631da7b5bce8c166ae40a5382" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="netty-codec-http2-4.1.124.Final.pom">
-            <sha256 value="3a13238908bf2748fae365f18771dd5b5c06a1d0db7d6995ae9bc75c4cb9ee0d" origin="Generated by Gradle"/>
+         <artifact name="netty-codec-http2-4.1.132.Final.pom">
+            <sha256 value="28e31fbc5753dc33f6fe9827bf29d8bc3c4653c7be772db4a00ad1e73f1f722c" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-codec-socks" version="4.1.124.Final">
-         <artifact name="netty-codec-socks-4.1.124.Final.jar">
-            <sha256 value="f79232858d4a8135156623b3837fbebdc6c9a533a7bfdcb5c8653892e0f567b8" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-codec-socks" version="4.1.132.Final">
+         <artifact name="netty-codec-socks-4.1.132.Final.jar">
+            <sha256 value="818cfcff52cb36e3a07b1764d21624e75b1eb1029bee65b075850d6d8c080074" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="netty-codec-socks-4.1.124.Final.pom">
-            <sha256 value="f2e1e9382090dbe0c0ef37ad4f303ec9d3a452be7425e10475f78e2733abf830" origin="Generated by Gradle"/>
+         <artifact name="netty-codec-socks-4.1.132.Final.pom">
+            <sha256 value="7711d396a27a751911139dbf0597d4e50d1e57b6dbee21ae462f8cf5996b5929" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-common" version="4.1.124.Final">
-         <artifact name="netty-common-4.1.124.Final.jar">
-            <sha256 value="0c00e34e457708252daf7ccee0a2fe6509a426ff943c8f876f901c07cbf77931" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-common" version="4.1.132.Final">
+         <artifact name="netty-common-4.1.132.Final.jar">
+            <sha256 value="97ca3b4e99fc605b6824498387102392f4c6ba9d5d3d93d507e2c9f38ab5bf10" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="netty-common-4.1.124.Final.pom">
-            <sha256 value="4e12885fcf2f9664410645eff0dbe19f6518b861b5a3419fed0211f40e875649" origin="Generated by Gradle"/>
+         <artifact name="netty-common-4.1.132.Final.pom">
+            <sha256 value="df4bf889e57a9560765935b721e7251d151091d2b70ca1f8254afcd3d2cd28c7" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-handler" version="4.1.124.Final">
-         <artifact name="netty-handler-4.1.124.Final.jar">
-            <sha256 value="8b84814d14804966bab92a91675cbef8b0e054633b0595b57f0115072a65a5c7" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-handler" version="4.1.132.Final">
+         <artifact name="netty-handler-4.1.132.Final.jar">
+            <sha256 value="6e19fe8c1a163857ef9eba9e255e133859d1b9da8fe3c7ee799381465e75cc92" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="netty-handler-4.1.124.Final.pom">
-            <sha256 value="3e1e822abe02579f63086ce54a5c1860361b15fc1862fc3360a23b8b616b76c2" origin="Generated by Gradle"/>
+         <artifact name="netty-handler-4.1.132.Final.pom">
+            <sha256 value="2f642a4e28a042be44bcd17e3084d30add3564a8980049d9560c8098b11f4123" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-handler-proxy" version="4.1.124.Final">
-         <artifact name="netty-handler-proxy-4.1.124.Final.jar">
-            <sha256 value="94311023482cf1ab84abaadad374d9ffa048788ba0996885b6aea8cabcbd9676" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-handler-proxy" version="4.1.132.Final">
+         <artifact name="netty-handler-proxy-4.1.132.Final.jar">
+            <sha256 value="134d985913b7cac9fcae2c8926d957aa1e35d74a19e6ab14349b385c43c17d67" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="netty-handler-proxy-4.1.124.Final.pom">
-            <sha256 value="3a22259cbb839f25936f480f82fe46ef29b4fe98d61dfe2526baa913dc8d152a" origin="Generated by Gradle"/>
+         <artifact name="netty-handler-proxy-4.1.132.Final.pom">
+            <sha256 value="0a1115f4bdf7eb486822fe27e714e4ead0bcfee19e76a368ec37d32900257e0a" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-parent" version="4.1.124.Final">
-         <artifact name="netty-parent-4.1.124.Final.pom">
-            <sha256 value="f6cdc97b825e84973efa400fb4aa3560ad6571991e95ba021b804a7b8f447b68" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-parent" version="4.1.132.Final">
+         <artifact name="netty-parent-4.1.132.Final.pom">
+            <sha256 value="802336455c12ccae5a7ac50c8f19e32189e377d3576d6e92fa71eddac2a9be7b" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-resolver" version="4.1.124.Final">
-         <artifact name="netty-resolver-4.1.124.Final.jar">
-            <sha256 value="7a49003fc1d4e563c0b6391c4821f4e49bc25094069aa6bae9bafcf62f9c0234" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-resolver" version="4.1.132.Final">
+         <artifact name="netty-resolver-4.1.132.Final.jar">
+            <sha256 value="1f0245b4541357aad24be113c870db0a08c75895eaa650338783397c245fa4c2" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="netty-resolver-4.1.124.Final.pom">
-            <sha256 value="f101aadb3b28840c5bdf124587b17117037e9611aee188e19e678417f4a777f5" origin="Generated by Gradle"/>
+         <artifact name="netty-resolver-4.1.132.Final.pom">
+            <sha256 value="fdccc7dd6612872e05f23e90917bff872032c6402c4d1678930a471709f0abd6" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-transport" version="4.1.124.Final">
-         <artifact name="netty-transport-4.1.124.Final.jar">
-            <sha256 value="065c5aa6de5e8305dc1a25fb079b5dd041057ee19bd027ba24420316bf2e71b2" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-transport" version="4.1.132.Final">
+         <artifact name="netty-transport-4.1.132.Final.jar">
+            <sha256 value="70da7db7fba9bfcbed030747ca25e9a6a3a53694c3c69b353c4851e9db08f60a" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="netty-transport-4.1.124.Final.pom">
-            <sha256 value="22b49f09ab47f5bc6a6d1a572692b373f0647236877b1030f0eb52e8ee678258" origin="Generated by Gradle"/>
+         <artifact name="netty-transport-4.1.132.Final.pom">
+            <sha256 value="22fd2fc0fed65046a054908e15bd957a725a70edaa58f97bf71187b86d1262fd" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-transport-native-unix-common" version="4.1.124.Final">
-         <artifact name="netty-transport-native-unix-common-4.1.124.Final.jar">
-            <sha256 value="5b824b485345d3eb4f29bd96005fe71d4bdcda3e4453a834fd58f7e113346115" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-transport-native-unix-common" version="4.1.132.Final">
+         <artifact name="netty-transport-native-unix-common-4.1.132.Final.jar">
+            <sha256 value="542d554e9bb57b57282cb42db7e05d2128d402d32584e5600daa2aef9d1980d1" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="netty-transport-native-unix-common-4.1.124.Final.pom">
-            <sha256 value="2bc4dda980f564cf1cb58ad23ced0a5d148ff0f1f88ed8977ec408fbcdcc1528" origin="Generated by Gradle"/>
+         <artifact name="netty-transport-native-unix-common-4.1.132.Final.pom">
+            <sha256 value="e6f759ff378eb52ce686ffc65cfe359ab00cd8235b90e8f7d2eb0465e6906573" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="io.perfmark" name="perfmark-api" version="0.27.0">
@@ -1676,12 +1676,12 @@
             <sha256 value="1879f19a05991e3ed95910b96689333396b0c467a215dc4d1f90018404b72a26" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.codehaus.mojo" name="animal-sniffer-annotations" version="1.24">
-         <artifact name="animal-sniffer-annotations-1.24.jar">
-            <sha256 value="c720e6e5bcbe6b2f48ded75a47bccdb763eede79d14330102e0d352e3d89ed92" origin="Generated by Gradle"/>
+      <component group="org.codehaus.mojo" name="animal-sniffer-annotations" version="1.26">
+         <artifact name="animal-sniffer-annotations-1.26.jar">
+            <sha256 value="342f4d815eae69bb980620d0a622862709be37d38f47577675b42c739a962da9" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="animal-sniffer-annotations-1.24.pom">
-            <sha256 value="88484f60a6ad4238a97febacf2b333e9e08c178b8f180a05a3edbff4a38a836e" origin="Generated by Gradle"/>
+         <artifact name="animal-sniffer-annotations-1.26.pom">
+            <sha256 value="c3998d00e7826ef837fe20049aa42078e4f9afc3e09a960056b9d55b7f25e394" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="org.codehaus.mojo" name="animal-sniffer-parent" version="1.14">
@@ -1689,9 +1689,9 @@
             <sha256 value="f51550a06b1410bd4962cb0e71df0b921a60a7ef47bfa9c4825a14be72316eea" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.codehaus.mojo" name="animal-sniffer-parent" version="1.24">
-         <artifact name="animal-sniffer-parent-1.24.pom">
-            <sha256 value="49ddab43c8361dc2ef0c1ff87cb590fa7231702ab9f62e26d512dc18a1f1cd04" origin="Generated by Gradle"/>
+      <component group="org.codehaus.mojo" name="animal-sniffer-parent" version="1.26">
+         <artifact name="animal-sniffer-parent-1.26.pom">
+            <sha256 value="f5e6c307308f277d39eeec90d66d851fa5157ff3e7df032cdf4a6342012f1381" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="org.codehaus.mojo" name="mojo-parent" version="34">
@@ -1699,9 +1699,9 @@
             <sha256 value="3e395d6fbc43c09a3774cac8694ce527398305ea3fd5492d80e25af27d382a9c" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.codehaus.mojo" name="mojo-parent" version="84">
-         <artifact name="mojo-parent-84.pom">
-            <sha256 value="2fe510618b2f60fcd5f2fb82bc4b2c2c344048d74f30be719fcb86829ee8ac30" origin="Generated by Gradle"/>
+      <component group="org.codehaus.mojo" name="mojo-parent" version="94">
+         <artifact name="mojo-parent-94.pom">
+            <sha256 value="d7e1a553ddc8746158dc3e4a0639bf4ac27f0d3685997e8ec95948cb2a69e134" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="org.codehaus.plexus" name="plexus" version="8">
@@ -1989,6 +1989,17 @@
             <sha256 value="98d561914ff908ec21d8b46bef89fb7af824d416dfd32b1ba71fa5d4a4f4c7a0" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.jspecify" name="jspecify" version="1.0.0">
+         <artifact name="jspecify-1.0.0.jar">
+            <sha256 value="1fad6e6be7557781e4d33729d49ae1cdc8fdda6fe477bb0cc68ce351eafdfbab" origin="Generated by Gradle"/>
+         </artifact>
+         <artifact name="jspecify-1.0.0.module">
+            <sha256 value="d307ca77a54e18ac1ef1aaed4e5bbe014bd2f49f29e1d2f813e47c278283195b" origin="Generated by Gradle"/>
+         </artifact>
+         <artifact name="jspecify-1.0.0.pom">
+            <sha256 value="cdab929a3b95211f43d2090c5e2d0dfe8465960e378bc32b35841dab324433a6" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.junit" name="junit-bom" version="5.10.2">
          <artifact name="junit-bom-5.10.2.module">
             <sha256 value="de23b114b3e4119a8fe6eb17bed5a3852816698bace67071579d6d927ebb080a" origin="Generated by Gradle"/>
@@ -2021,6 +2032,14 @@
             <sha256 value="fa68451ea830572ed43ffe51d75b6a05f7a5e665a602a51f49d6be02063a65f3" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.junit" name="junit-bom" version="5.14.0">
+         <artifact name="junit-bom-5.14.0.module">
+            <sha256 value="7ad3ddb2d74e6a77d65ae89aca45d468c97bf9915b6bc52f449d675e4e6f9b35" origin="Generated by Gradle"/>
+         </artifact>
+         <artifact name="junit-bom-5.14.0.pom">
+            <sha256 value="f5aa47b366483e8d1f9bef10e67a0c66f66afc0f331c9f966b1310bad60d0f6f" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.junit" name="junit-bom" version="5.7.2">
          <artifact name="junit-bom-5.7.2.module">
             <sha256 value="f3bceb1c59dd4f6993f4304dffa580172b8df65a76cd36fa4fd92c0578d28ad8" origin="Generated by Gradle"/>
diff --git a/protocol/build.gradle b/protocol/build.gradle
index 789d27b6360..b3c0c9a8269 100644
--- a/protocol/build.gradle
+++ b/protocol/build.gradle
@@ -1,7 +1,7 @@
 apply plugin: 'com.google.protobuf'
 
 def protobufVersion = '3.25.8'
-def grpcVersion = '1.75.0'
+def grpcVersion = '1.80.0'
 
 dependencies {
     api group: 'com.google.protobuf', name: 'protobuf-java', version: protobufVersion

From a29254e4d8951dbc309e90f4501916104def3e68 Mon Sep 17 00:00:00 2001
From: halibobo1205 <halibobo1205@gmail.com>
Date: Thu, 2 Apr 2026 16:08:23 +0800
Subject: [PATCH 2/4] fix GHSA-72hv-8253-57qq

---
 common/build.gradle              |  2 +-
 gradle/verification-metadata.xml | 74 ++++++++++++++++++--------------
 2 files changed, 42 insertions(+), 34 deletions(-)

diff --git a/common/build.gradle b/common/build.gradle
index 98fc3257190..acde43a1ea9 100644
--- a/common/build.gradle
+++ b/common/build.gradle
@@ -8,7 +8,7 @@ sourceCompatibility = 1.8
 
 
 dependencies {
-    api group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.18.3' // https://github.com/FasterXML/jackson-databind/issues/3627
+    api group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.18.6' // https://github.com/FasterXML/jackson-databind/issues/3627
     api "com.cedarsoftware:java-util:3.2.0"
     api group: 'org.apache.httpcomponents', name: 'httpasyncclient', version: '4.1.1'
     api group: 'commons-codec', name: 'commons-codec', version: '1.11'
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index 7714e81b7c0..50cb085b7ba 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -164,9 +164,9 @@
             <sha256 value="c83f8f45dfdca8d0b6b3661c60b3f84780f671b12e06f91ad5d1c1a1d1f966e8" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.fasterxml" name="oss-parent" version="61">
-         <artifact name="oss-parent-61.pom">
-            <sha256 value="3649513cf597e9186da0855986a8c543e12bdbd805edeef9c124db56dd036544" origin="Generated by Gradle"/>
+      <component group="com.fasterxml" name="oss-parent" version="69">
+         <artifact name="oss-parent-69.pom">
+            <sha256 value="3856d584aaa1c8e33ce94c67244f71f6f70538a259ffe8e781761b9faaad875f" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.fasterxml.jackson" name="jackson-base" version="2.10.2">
@@ -174,9 +174,9 @@
             <sha256 value="7e3ef56ce1edbb723f7fc3712f6c8689f4bc06f564125c75a6d658d023bdec56" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.fasterxml.jackson" name="jackson-base" version="2.18.3">
-         <artifact name="jackson-base-2.18.3.pom">
-            <sha256 value="d5bbfd3c8445230e498b6092de809afd65cf504d013932dab7b3dfd6e9f3a4fd" origin="Generated by Gradle"/>
+      <component group="com.fasterxml.jackson" name="jackson-base" version="2.18.6">
+         <artifact name="jackson-base-2.18.6.pom">
+            <sha256 value="61d86ef235fca52e6bd11af1de251b95eb069e716fdc4600a5f182091fc9162a" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.fasterxml.jackson" name="jackson-bom" version="2.10.2">
@@ -184,9 +184,9 @@
             <sha256 value="a250e4a602054dfaf9ee9655afb7d603539226c97327bf237ecd8b3e172eb90f" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.fasterxml.jackson" name="jackson-bom" version="2.18.3">
-         <artifact name="jackson-bom-2.18.3.pom">
-            <sha256 value="f1d4c6aeb32118650c805fe9bbc5ee940fa8f2cd7d0f04fa4360551e9a27b290" origin="Generated by Gradle"/>
+      <component group="com.fasterxml.jackson" name="jackson-bom" version="2.18.6">
+         <artifact name="jackson-bom-2.18.6.pom">
+            <sha256 value="7dbb3b94217cd701dc1befbb05724a276f917721da572ea7e9f3e7985727c8ab" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.fasterxml.jackson" name="jackson-parent" version="2.10">
@@ -194,9 +194,9 @@
             <sha256 value="a50db80829c4f897c6d0e7e95472cbb43b0ebece135a68e39c27b8a6fe33e481" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.fasterxml.jackson" name="jackson-parent" version="2.18.1">
-         <artifact name="jackson-parent-2.18.1.pom">
-            <sha256 value="d0822fac1a0226844b8ad445c920c49a4f619169d09b1010a7dfeed19910998c" origin="Generated by Gradle"/>
+      <component group="com.fasterxml.jackson" name="jackson-parent" version="2.18.4">
+         <artifact name="jackson-parent-2.18.4.pom">
+            <sha256 value="916e9bbf43fc0994292f3fde2d385764bd21060c60dffe9c695c091978087d00" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.fasterxml.jackson.core" name="jackson-annotations" version="2.10.2">
@@ -204,15 +204,15 @@
             <sha256 value="7f64965efd25dbc10791e90735b6636deb787cd718d302e0906e54aa7adec3ea" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.fasterxml.jackson.core" name="jackson-annotations" version="2.18.3">
-         <artifact name="jackson-annotations-2.18.3.jar">
-            <sha256 value="8aa5740d80b5a5025508b41bbadbaa1fb3772267c628b2e30681a4f45f8b8931" origin="Generated by Gradle"/>
+      <component group="com.fasterxml.jackson.core" name="jackson-annotations" version="2.18.6">
+         <artifact name="jackson-annotations-2.18.6.jar">
+            <sha256 value="face5c37bee1f0768f5f198d077fc29d163becca95de9e0f13962c84d1047662" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="jackson-annotations-2.18.3.module">
-            <sha256 value="464585db21f48ab159e8ef579cd7e8e6d307a04761199651c3ecc17f4e72745d" origin="Generated by Gradle"/>
+         <artifact name="jackson-annotations-2.18.6.module">
+            <sha256 value="ac6198bd28b0fddf1d64ca7bf4f7c4c420ff5f73c753304751c72f4c52193433" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="jackson-annotations-2.18.3.pom">
-            <sha256 value="b9c98ba9e29ea61b693d4c8c801968feaae220b2b2002364a7bcec524998384b" origin="Generated by Gradle"/>
+         <artifact name="jackson-annotations-2.18.6.pom">
+            <sha256 value="76a0101fecf99fcf3d0920e692c1d263ef32e3dad014dc3ba9f2c769e553d852" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.fasterxml.jackson.core" name="jackson-core" version="2.10.2">
@@ -220,15 +220,15 @@
             <sha256 value="325a3c94d924af0f6ceacca40e9e887a188864c153f9fc34ce9c4f013da8828e" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.fasterxml.jackson.core" name="jackson-core" version="2.18.3">
-         <artifact name="jackson-core-2.18.3.jar">
-            <sha256 value="056bc4d3e5e53ce821450fa97b3f9e0f8dde125cf6da6884353bb1f09582e1d9" origin="Generated by Gradle"/>
+      <component group="com.fasterxml.jackson.core" name="jackson-core" version="2.18.6">
+         <artifact name="jackson-core-2.18.6.jar">
+            <sha256 value="e7e1bfa50f0a79db37e6aa37db111cf03aebf4a484b359d21127ab43ab2398c6" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="jackson-core-2.18.3.module">
-            <sha256 value="9836d5a7f21b6bc54d7f26de87c8b305dde0e4f184b2ac8950e9a1b1df47c340" origin="Generated by Gradle"/>
+         <artifact name="jackson-core-2.18.6.module">
+            <sha256 value="2a7b48354b51251077955e67a8ea01f9049e60e153db9d8a8e348c45ccd5acc2" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="jackson-core-2.18.3.pom">
-            <sha256 value="37dc6b8f6391a4709ac215ca98fa2341c6dd65613c2277d96a4fd82a2f50e3c9" origin="Generated by Gradle"/>
+         <artifact name="jackson-core-2.18.6.pom">
+            <sha256 value="58232cda77c9d6ff66d173aa261fe717e59ff59d241dea913adcaabdcc3c9b05" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.fasterxml.jackson.core" name="jackson-databind" version="2.10.2">
@@ -236,15 +236,15 @@
             <sha256 value="64f8800dfe5b9b608ed47a74df73c4c2445a8916ba6bfa2cfbb70181f2130178" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.fasterxml.jackson.core" name="jackson-databind" version="2.18.3">
-         <artifact name="jackson-databind-2.18.3.jar">
-            <sha256 value="510bdda75a7a6186c5bf33b851239488a1450906ae5757121f2e1cc48a7e108f" origin="Generated by Gradle"/>
+      <component group="com.fasterxml.jackson.core" name="jackson-databind" version="2.18.6">
+         <artifact name="jackson-databind-2.18.6.jar">
+            <sha256 value="45d124736ea29dc374171fc1a8a9958e0f44407c1e0aae0297d8eee267fb592e" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="jackson-databind-2.18.3.module">
-            <sha256 value="642aa080f85b20057789facf2ac6a26e147835b5033e27520ecb697bc443fcba" origin="Generated by Gradle"/>
+         <artifact name="jackson-databind-2.18.6.module">
+            <sha256 value="97c90be3efa29b30abb6a27817eee16728bd3413275242ca81c6d7136a5cb0ba" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="jackson-databind-2.18.3.pom">
-            <sha256 value="e58f48ac14e4dbd48595d69e20bad35019ec1281514ef7ef155e18072ada617f" origin="Generated by Gradle"/>
+         <artifact name="jackson-databind-2.18.6.pom">
+            <sha256 value="e313176ad23828499be8ad12141c72ff1337dca476b2209a6c2eefff96d59ffd" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.github.briandilley.jsonrpc4j" name="jsonrpc4j" version="1.6">
@@ -2024,6 +2024,14 @@
             <sha256 value="f48e88538aac145eb3ae0345a9ebd055b28f329a35dce8d1e9281325ca9b0ea2" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.junit" name="junit-bom" version="5.11.4">
+         <artifact name="junit-bom-5.11.4.module">
+            <sha256 value="a9a4f27be94e99b9d570162d246a80f686d277d5d31aeb5481047cf51daf46e4" origin="Generated by Gradle"/>
+         </artifact>
+         <artifact name="junit-bom-5.11.4.pom">
+            <sha256 value="19d4b747b204805325b6334553296f986562277a4ac1cb5e593a5e4c4f5e4115" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.junit" name="junit-bom" version="5.13.1">
          <artifact name="junit-bom-5.13.1.module">
             <sha256 value="33c07ab9724790a6e5859ba07d69117ac530439724545a81c4179e3272c75de8" origin="Generated by Gradle"/>

From effe1724825b6348d7d6c9a32938d6369f2a3ce7 Mon Sep 17 00:00:00 2001
From: halibobo1205 <halibobo1205@gmail.com>
Date: Thu, 2 Apr 2026 16:23:36 +0800
Subject: [PATCH 3/4] fix CVE-2025-70952

---
 framework/build.gradle           |  2 +-
 gradle/verification-metadata.xml | 26 +++++++++++++-------------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/framework/build.gradle b/framework/build.gradle
index d884b6a7c49..ef2b71a38fd 100644
--- a/framework/build.gradle
+++ b/framework/build.gradle
@@ -53,7 +53,7 @@ dependencies {
     // https://mvnrepository.com/artifact/javax.portlet/portlet-api
     compileOnly group: 'javax.portlet', name: 'portlet-api', version: '3.0.1'
 
-    implementation (group: 'org.pf4j', name: 'pf4j', version: '3.10.0') {
+    implementation (group: 'org.pf4j', name: 'pf4j', version: '3.14.1') {
         exclude group: "org.slf4j", module: "slf4j-api"
     }
 
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index 50cb085b7ba..1cb5ade1d04 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -266,12 +266,12 @@
             <sha256 value="19d24f4ec51ec7e3bf34552abf5e10749df2e25ba4dfccbf233870d8072e5989" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.github.zafarkhaja" name="java-semver" version="0.9.0">
-         <artifact name="java-semver-0.9.0.jar">
-            <sha256 value="2218c73b40f9af98b570d084420c1b4a81332297bd7fc27ddd552e903be8e93c" origin="Generated by Gradle"/>
+      <component group="com.github.zafarkhaja" name="java-semver" version="0.10.2">
+         <artifact name="java-semver-0.10.2.jar">
+            <sha256 value="a8e32e17575d0188c1f3e2e57bb95db09793883c8853fde828b63ecb1f99a63a" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="java-semver-0.9.0.pom">
-            <sha256 value="74da05b3ca50a8158101b7e12fbfbf902e011340f14bf31c1776cb51f96147f3" origin="Generated by Gradle"/>
+         <artifact name="java-semver-0.10.2.pom">
+            <sha256 value="7f005ff3f900e86955f5a534b5a9aa8ea54bb5d60bb60ac23759550a36676835" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.google" name="google" version="5">
@@ -2172,17 +2172,17 @@
             <sha256 value="a34ea1e3e4128c01038db43c6976e88c779cf5af84b0505da266dfe6965668ec" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.pf4j" name="pf4j" version="3.10.0">
-         <artifact name="pf4j-3.10.0.jar">
-            <sha256 value="17adf2de728d85c2bf89d6972cc5299e57c910ff463b938350d5a9fcea8a4365" origin="Generated by Gradle"/>
+      <component group="org.pf4j" name="pf4j" version="3.14.1">
+         <artifact name="pf4j-3.14.1.jar">
+            <sha256 value="c1b18f9be5b275c11f274447ee7a89d09be00cdd42dce475e708b54ffcf15630" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="pf4j-3.10.0.pom">
-            <sha256 value="65551b0290be606dce0b48dcd69f4dd0bd802f4786e9338cecf636b38e9e2a46" origin="Generated by Gradle"/>
+         <artifact name="pf4j-3.14.1.pom">
+            <sha256 value="95c5843942717af5cdfe5188b98dec0034439e80978be0ef67637ea684154818" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.pf4j" name="pf4j-parent" version="3.10.0">
-         <artifact name="pf4j-parent-3.10.0.pom">
-            <sha256 value="bc970dc489b11a0f385be7af432f897c3aa373d767f237c02a0465fac0447580" origin="Generated by Gradle"/>
+      <component group="org.pf4j" name="pf4j-parent" version="3.14.1">
+         <artifact name="pf4j-parent-3.14.1.pom">
+            <sha256 value="7e0d598e2e54c4286b48874f8af6f3e0773153bbec6eec89a0880d067f491263" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="org.projectlombok" name="lombok" version="1.18.34">

From d1757611b84f384d3261323b98147f154c59936a Mon Sep 17 00:00:00 2001
From: halibobo1205 <halibobo1205@gmail.com>
Date: Thu, 2 Apr 2026 16:33:44 +0800
Subject: [PATCH 4/4] fix CVE-2025-5115

---
 framework/build.gradle           |  4 +-
 gradle/verification-metadata.xml | 76 ++++++++++++++++----------------
 2 files changed, 40 insertions(+), 40 deletions(-)

diff --git a/framework/build.gradle b/framework/build.gradle
index ef2b71a38fd..1aa266da3cd 100644
--- a/framework/build.gradle
+++ b/framework/build.gradle
@@ -42,8 +42,8 @@ dependencies {
     implementation group: 'io.dropwizard.metrics', name: 'metrics-core', version: '3.1.2'
     implementation group: 'com.github.davidb', name: 'metrics-influxdb', version: '0.8.2'
     // http
-    implementation 'org.eclipse.jetty:jetty-server:9.4.57.v20241219'
-    implementation 'org.eclipse.jetty:jetty-servlet:9.4.57.v20241219'
+    implementation 'org.eclipse.jetty:jetty-server:9.4.58.v20250814'
+    implementation 'org.eclipse.jetty:jetty-servlet:9.4.58.v20250814'
     implementation 'com.alibaba:fastjson:1.2.83'
     // end http
 
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index 1cb5ade1d04..8b89745c1a9 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -1728,65 +1728,65 @@
             <sha256 value="cdc9c49f59d230d4271771bb764aa7097d6acbcdc2500149e4d2c951df5cac30" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.eclipse.jetty" name="jetty-http" version="9.4.57.v20241219">
-         <artifact name="jetty-http-9.4.57.v20241219.jar">
-            <sha256 value="02c6514977f0051dfdecf8d0799acf7a88fd8008a5fd9320a92f2e5db45d297b" origin="Generated by Gradle"/>
+      <component group="org.eclipse.jetty" name="jetty-http" version="9.4.58.v20250814">
+         <artifact name="jetty-http-9.4.58.v20250814.jar">
+            <sha256 value="8f49b8583fc8dbbfe3a0ba80a04c97df64ebabca2981b56ee403c989aba9d4da" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="jetty-http-9.4.57.v20241219.pom">
-            <sha256 value="90d4ff2a77097b31ca1bc2720de53c0554c7dcc3b327dd95b909cf5eb50d4a8d" origin="Generated by Gradle"/>
+         <artifact name="jetty-http-9.4.58.v20250814.pom">
+            <sha256 value="f64d6da0aeeb994b1efa31fac44b08ba0c56bf75d923ac01354955c015ac1868" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.eclipse.jetty" name="jetty-io" version="9.4.57.v20241219">
-         <artifact name="jetty-io-9.4.57.v20241219.jar">
-            <sha256 value="f6246a2cf0abcee7f0971217c0ce4cd30d8ce15a91530363457113907ab38690" origin="Generated by Gradle"/>
+      <component group="org.eclipse.jetty" name="jetty-io" version="9.4.58.v20250814">
+         <artifact name="jetty-io-9.4.58.v20250814.jar">
+            <sha256 value="f55b2cc7c05244fd7b1773e99979b740002b0186e45b8a688243d89c7006fe21" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="jetty-io-9.4.57.v20241219.pom">
-            <sha256 value="1edfa0486d6a4717426590d03f6bf327b854f1a8e7ac46c0b97f593148551093" origin="Generated by Gradle"/>
+         <artifact name="jetty-io-9.4.58.v20250814.pom">
+            <sha256 value="8a7c6cfe62b82fcabce21e93964915d0323ec4617b578de996c9d86d2854db8d" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.eclipse.jetty" name="jetty-project" version="9.4.57.v20241219">
-         <artifact name="jetty-project-9.4.57.v20241219.pom">
-            <sha256 value="ba9c9bf64fae535dc6fa8a34f8d552f884ff7811b09f94b2c18963cbed52a21d" origin="Generated by Gradle"/>
+      <component group="org.eclipse.jetty" name="jetty-project" version="9.4.58.v20250814">
+         <artifact name="jetty-project-9.4.58.v20250814.pom">
+            <sha256 value="57fb1ce6a8debbdae7e8226ad3e9e5d576c86bc2ec5cdcc0122dd2aa1dccd44c" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.eclipse.jetty" name="jetty-security" version="9.4.57.v20241219">
-         <artifact name="jetty-security-9.4.57.v20241219.jar">
-            <sha256 value="af923d4f395a73bf8ddcb754f42d7617c6b7055e37e5a6b625ed894f73107ae9" origin="Generated by Gradle"/>
+      <component group="org.eclipse.jetty" name="jetty-security" version="9.4.58.v20250814">
+         <artifact name="jetty-security-9.4.58.v20250814.jar">
+            <sha256 value="301548ebf008551a3a4312b04df0ea0468acc2780f863b83cc9cf0d668e62252" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="jetty-security-9.4.57.v20241219.pom">
-            <sha256 value="d82252b3117c2d5f98a0e1a881df6f09a43097f23ea80d39059955ce6877ad9d" origin="Generated by Gradle"/>
+         <artifact name="jetty-security-9.4.58.v20250814.pom">
+            <sha256 value="be1b66c55f9c7516308329706f8a4e0ab168651434686d8e802103eb8c2359b6" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.eclipse.jetty" name="jetty-server" version="9.4.57.v20241219">
-         <artifact name="jetty-server-9.4.57.v20241219.jar">
-            <sha256 value="ba957ae07da647023cfa52c923732aea1c67f5273a594cee1863365dfebb9a02" origin="Generated by Gradle"/>
+      <component group="org.eclipse.jetty" name="jetty-server" version="9.4.58.v20250814">
+         <artifact name="jetty-server-9.4.58.v20250814.jar">
+            <sha256 value="608dbd3e1c4184374f02c70704e5d1c9daaded45e6a31d07824f40dac6083ba9" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="jetty-server-9.4.57.v20241219.pom">
-            <sha256 value="4d0f558c516dfae1671545ed71a1f4ea88d38dee521f849dfdd79dd5aa6ca38a" origin="Generated by Gradle"/>
+         <artifact name="jetty-server-9.4.58.v20250814.pom">
+            <sha256 value="b750ef1eb4b10d00700ace9675c17619c04017cd0e757748848b894662fe5c3c" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.eclipse.jetty" name="jetty-servlet" version="9.4.57.v20241219">
-         <artifact name="jetty-servlet-9.4.57.v20241219.jar">
-            <sha256 value="c5e9517974dec9e4606b2d810f4995ea81091b1e24bd9640cb45d8b2aefd722c" origin="Generated by Gradle"/>
+      <component group="org.eclipse.jetty" name="jetty-servlet" version="9.4.58.v20250814">
+         <artifact name="jetty-servlet-9.4.58.v20250814.jar">
+            <sha256 value="1c6bb17326147e642c8a41e4657b32bca5057c8958db4da770d09c0904aefcff" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="jetty-servlet-9.4.57.v20241219.pom">
-            <sha256 value="d92c3f3eb4a37e310e8c411dea481b77bf0a2f04a8bde9858c49ac5f250000c4" origin="Generated by Gradle"/>
+         <artifact name="jetty-servlet-9.4.58.v20250814.pom">
+            <sha256 value="92b861dbc3c0b64866a8c4edf2393de558d810299c539e8b43414837cc6c1036" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.eclipse.jetty" name="jetty-util" version="9.4.57.v20241219">
-         <artifact name="jetty-util-9.4.57.v20241219.jar">
-            <sha256 value="6ccbf678716778e316cc097d8aada4fe2a2e16c0bbfd8a1763204d6724b423f4" origin="Generated by Gradle"/>
+      <component group="org.eclipse.jetty" name="jetty-util" version="9.4.58.v20250814">
+         <artifact name="jetty-util-9.4.58.v20250814.jar">
+            <sha256 value="8d591679d318d20c8fb2b1e83900562b3c4571ff7a189696be700293e0204146" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="jetty-util-9.4.57.v20241219.pom">
-            <sha256 value="307af307bf9faf8e9d4786b0c235d6f030136dd7def86df5d58b6c90a9913322" origin="Generated by Gradle"/>
+         <artifact name="jetty-util-9.4.58.v20250814.pom">
+            <sha256 value="74d463a2ea02233728ae70131374d6b1e194f77d223c0554f44f476f40c032c5" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.eclipse.jetty" name="jetty-util-ajax" version="9.4.57.v20241219">
-         <artifact name="jetty-util-ajax-9.4.57.v20241219.jar">
-            <sha256 value="67af50dd7714803b1bcdfabac181dd8b279d0ba6ba7fd27ea80c5b2099016542" origin="Generated by Gradle"/>
+      <component group="org.eclipse.jetty" name="jetty-util-ajax" version="9.4.58.v20250814">
+         <artifact name="jetty-util-ajax-9.4.58.v20250814.jar">
+            <sha256 value="185430a2eafcdffba18204dbf51cb18436ab4ca09b74d97c1dc13abbadd9704b" origin="Generated by Gradle"/>
          </artifact>
-         <artifact name="jetty-util-ajax-9.4.57.v20241219.pom">
-            <sha256 value="84de57bb5a3a9174cf9159ad3dd67c3f061641dcb7854e10c0eeeb6aab29f3df" origin="Generated by Gradle"/>
+         <artifact name="jetty-util-ajax-9.4.58.v20250814.pom">
+            <sha256 value="9fb635f45ce3121b7d8bb40eaff2f64cf2cca3ffd0f7d8933f0a5abc05cc122a" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="org.fusesource" name="fusesource-pom" version="1.11">