fix: use resolutionStrategy to enforce minimum versions for vulnerabilities

Replaces dependency constraints with resolutionStrategy.eachDependency to
correctly rewrite transitive dependency versions in the submitted dependency
graph, fixing stale versions showing in GitHub Insights. Also adds
netty-codec-http2 and netty-codec-http3 to the netty upgrade rule.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: catarina-correia

build.gradle

@@ -23,6 +23,26 @@ allprojects {
 }
 
 subprojects {
+    configurations.configureEach {
+        resolutionStrategy.eachDependency {
+            if (requested.group == 'tools.jackson.core' && requested.name == 'jackson-core'
+                    && requested.version != null && requested.version < '3.1.1') {
+                useVersion('3.1.1')
+                because('GHSA-2m67-wjpj-xhg9: Jackson Core 3.0.0-3.1.0 maxDocumentLength bypass')
+            }
+            if (requested.group == 'org.apache.tomcat.embed' && requested.name == 'tomcat-embed-core'
+                    && requested.version != null && requested.version < '11.0.22') {
+                useVersion('11.0.22')
+                because('GHSA-rv64-5gf8-9qq8 / GHSA-x4m4-345f-5h5g / GHSA-24j9-x2wg-9qv6 / GHSA-gx5v-xp9w-j4cg: Apache Tomcat < 11.0.22 vulnerabilities')
+            }
+            if (requested.group == 'io.netty' && requested.name in ['netty-codec-http', 'netty-codec-http2', 'netty-codec-http3']
+                    && requested.version != null && requested.version < '4.2.13.Final') {
+                useVersion('4.2.13.Final')
+                because('GHSA-38f8-5428-x5cv: HTTP Request Smuggling in io.netty:netty-codec-http via malformed Transfer-Encoding headers')
+            }
+        }
+    }
+
     if(it.parent.name == 'examples') {
         apply plugin: 'java'
     } else {
@@ -59,28 +79,6 @@ subprojects {
     apply plugin: 'pmd'
 
     dependencies {
-        constraints {
-            add('implementation', 'tools.jackson.core:jackson-core') {
-                version {
-                    require '[3.1.1,)'
-                }
-                because('GHSA-2m67-wjpj-xhg9: Jackson Core 3.0.0-3.1.0 maxDocumentLength bypass')
-            }
-            add('implementation', 'org.apache.tomcat.embed:tomcat-embed-core') {
-                version {
-                    require '[11.0.22,)'
-                }
-                because('GHSA-rv64-5gf8-9qq8 / GHSA-x4m4-345f-5h5g / GHSA-24j9-x2wg-9qv6 / GHSA-gx5v-xp9w-j4cg: Apache Tomcat < 11.0.22 vulnerabilities')
-            }
-            add('implementation', 'io.netty:netty-codec-http') {
-                version {
-                    require '[4.2.13.Final,)'
-                    prefer '4.2.14.Final'
-                }
-                because('GHSA-38f8-5428-x5cv: HTTP Request Smuggling in io.netty:netty-codec-http via malformed Transfer-Encoding headers')
-            }
-        }
-
         // Lombok annotations to reduce boilerplate code
         compileOnly(libs.lombok)
         annotationProcessor(libs.lombok)