From cc479ab3c26930373ac4e1d67eabc8b672f9e955 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Tue, 9 Jun 2026 11:42:26 +1000 Subject: [PATCH] UID2-7251: upgrade netty to 4.1.133.Final Bump the netty-bom import (netty.version property) from 4.1.132.Final to 4.1.133.Final to resolve 4 HIGH-severity Trivy findings in the netty codec modules: - CVE-2026-42583 (io.netty:netty-codec) - CVE-2026-42579 (io.netty:netty-codec-dns) - CVE-2026-42584 (io.netty:netty-codec-http) - CVE-2026-42587 (io.netty:netty-codec-http / netty-codec-http2) All four are fixed in 4.1.133.Final. netty is transitive via vertx and azure-core-http-netty; the BOM bump pins every codec module. mvn test: 476 tests, 0 failures. Co-Authored-By: Claude Opus 4.8 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 918e21de..1c06f4df 100644 --- a/pom.xml +++ b/pom.xml @@ -63,7 +63,7 @@ 4.5.21 1.12.2 - 4.1.132.Final + 4.1.133.Final ${project.version}
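Review bot: The version change in the pom.xml hunk (`4.1.132.Final` to `4.1.133.Final`) has no comment saying why netty is pinned, and the diff does not show that the transitive codec modules actually resolve to the new version. The commit message states that netty arrives through vertx and azure-core-http-netty and that the BOM import pins every codec module. That holds only if the netty-bom import takes precedence over any other BOM in `dependencyManagement` that also manages `io.netty` artifacts, and the hunk's context lines do not show the import order. Please attach the output of `mvn dependency:tree -Dincludes=io.netty` (or a re-run of the Trivy scan) to the PR, confirming that netty-codec, netty-codec-dns, netty-codec-http and netty-codec-http2 are all at 4.1.133.Final. Consider adding a short XML comment beside the property that references UID2-7251, so that a later vertx or azure-core upgrade does not silently drop or downgrade the pin.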