From f0a722346105c12e9bd8347f4d9813594fadb03f Mon Sep 17 00:00:00 2001 From: sean wibisono Date: Tue, 9 Jun 2026 14:03:48 +1000 Subject: [PATCH] UID2-7251: bump netty to 4.1.135.Final to fix 4 HIGH CVEs PR #614 bumped netty to 4.1.133.Final, but the 4 HIGH netty CVEs flagged by Trivy in the operator publish are only fixed in 4.1.135.Final: io.netty:netty-handler CVE-2026-44249, CVE-2026-45416 io.netty:netty-resolver-dns CVE-2026-45674, CVE-2026-47691 Bumping here keeps uid2-shared aligned with the operator's netty pin. Note: uid2-operator pins netty independently, so this change alone does not affect the operator until uid2-shared is released and the operator's uid2-shared.version is bumped. Co-Authored-By: Claude Opus 4.8 (1M context) --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 1c06f4df..7f3471ac 100644 --- a/pom.xml +++ b/pom.xml @@ -63,7 +63,7 @@ 4.5.21 1.12.2 - 4.1.133.Final + 4.1.135.Final ${project.version}
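Review bot: In the pom.xml hunk at @@ -63,7 +63,7 @@, the only changed line is one version value (4.1.133.Final to 4.1.135.Final), and the visible context does not show which netty artifacts that value governs. The commit message names io.netty:netty-handler and io.netty:netty-resolver-dns as the flagged modules, so please confirm that both resolve to 4.1.135.Final after this change, for example by attaching the output of mvn dependency:tree -Dincludes=io.netty to the PR, and that no transitive dependency still pulls an older netty module. The message also says PR #614 stopped at 4.1.133.Final while Trivy was still flagging these CVEs, so a Trivy run against this repository's build would catch a short bump here rather than at operator publish. Finally, since the message states that this change alone does not affect the operator until uid2-shared is released and the operator's uid2-shared.version is bumped, link the follow-up operator change so the fix is not considered complete at merge.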