
CHK-13429: Pin Netty codec compression to 4.2.13.Final#366

Draft
Copilot wants to merge 4 commits into main from copilot/chk-13429-fix-resource-exhaustion-vulnerability

Conversation

Contributor

Copilot AI commented May 22, 2026

This PR addresses the HIGH severity resource exhaustion vulnerability in io.netty:netty-codec-compression (GHSA-mj4r-2hfc-f8p6, GitHub alert #59) by moving resolution from vulnerable 4.2.12.Final to patched 4.2.13.Final. The vulnerable artifact is pulled transitively through the library’s dependency graph and also appears on Spring-managed classpaths used in this repository.

  • Dependency constraint in openapi-validation-core

    • Added a published dependency constraint for io.netty:netty-codec-compression
    • Pinned the version strictly to 4.2.13.Final
    • Followed the existing constraint pattern already used for other security overrides
  • Repository-wide resolution override

    • Added a matching resolutionStrategy.eachDependency rule in the root build.gradle
    • Ensures Spring Boot BOM-managed/example/test classpaths also resolve the patched Netty artifact
    • Uses numeric version comparison to avoid incorrect lexicographic version checks
  • Implementation Reasoning

    • Adding a dependency constraint for io.netty:netty-codec-compression to force version 4.2.13.Final rather than upgrading the parent dependency (swagger-request-validator-core) because:
      1. The constraint approach is already established in this project (see existing constraints for commons-codec, rhino, jackson-core)
      2. It provides surgical precision to fix only the vulnerable dependency without potentially introducing other changes from a parent upgrade
      3. It's consistent with the project's security fix pattern and makes the security requirement explicit in the build configuration
```groovy
constraints {
    implementation('io.netty:netty-codec-compression') {
        version {
            strictly '4.2.13.Final'
        }
        because 'GHSA-mj4r-2hfc-f8p6: Netty Codec Compression before 4.2.13.Final is vulnerable to resource exhaustion. See https://github.com/getyourguide/openapi-validation-java/security/dependabot/59'
    }
}
```
Original prompt

Requested by: catarina.correia@getyourguide.com

Branch naming: Please prefix your branch with CHK-13429

Jira Ticket: CHK-13429
Security Alert: Github_Security_Alert - Resource Exhaustion Vulnerability

Context:
This is a security vulnerability fix for a resource exhaustion vulnerability in io.netty:netty-codec-compression used by the openapi-validation-java library.

Vulnerability Details:

  • CVE/GHSA: GHSA-mj4r-2hfc-f8p6
  • Severity: HIGH
  • Package: io.netty:netty-codec-compression
  • Vulnerable Version/Range: <= 4.2.12.Final
  • Patched Version: 4.2.13.Final

Work Needed:

  • Locate netty-codec-compression in the dependency tree (it's a transitive dependency from swagger-request-validator-core)
  • Add a dependency constraint in openapi-validation-core/build.gradle to force version 4.2.13.Final
  • Follow the existing pattern in the constraints block (similar to commons-codec and rhino constraints)
  • Verify the patched version appears in the dependency tree after the change
  • Run tests following the repository's test process (check README.md and CI workflows)

⚠️ PR Description Requirements:

  • ALWAYS include the "Implementation Reasoning" section below in the PR description on GitHub
  • This is a minor version upgrade (4.2.12.Final → 4.2.13.Final), not a major version change

Implementation Reasoning:
Adding a dependency constraint for io.netty:netty-codec-compression to force version 4.2.13.Final rather than upgrading the parent dependency (swagger-request-validator-core) because:

  1. The constraint approach is already established in this project (see existing constraints for commons-codec, rhino, jackson-core)
  2. It provides surgical precision to fix only the vulnerable dependency without potentially introducing other changes from a parent upgrade
  3. It's consistent with the project's security fix pattern and makes the security requirement explicit in the build configuration

This resolves the GHSA-mj4r-2hfc-f8p6 resource exhaustion vulnerability in Netty's Lz4FrameDecoder by upgrading to the patched version.

Security Considerations:

  • Verify io.netty:netty-codec-compression 4.2.13.Final appears in the dependency tree after the constraint is added
  • Ensure all existing tests pass with the upgraded dependency
  • Test thoroughly to ensure the resource exhaustion vulnerability is closed
  • Confirm the fix by checking that GitHub Dependabot alert #59 is resolved after merge

Acceptance Criteria:

⚠️ Security Fix: This PR addresses a HIGH severity resource exhaustion vulnerability. Please review carefully.

Ask @catarina-correia for a review.

@gyg-pr-tool gyg-pr-tool Bot changed the title from "[WIP] Fix resource exhaustion vulnerability in netty-codec-compression" to "CHK-13429: [WIP] Fix resource exhaustion vulnerability in netty-codec-compression" May 22, 2026
@gygrobot gygrobot requested a review from catarina-correia May 22, 2026 14:13
Copilot AI changed the title from "CHK-13429: [WIP] Fix resource exhaustion vulnerability in netty-codec-compression" to "CHK-13429: Pin Netty codec compression to 4.2.13.Final" May 22, 2026
Copilot AI requested a review from gygrobot May 22, 2026 14:46
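The PR description above mentions a root-level resolutionStrategy.eachDependency rule with numeric version comparison but does not show it. The following is an added example of what such a rule looks like in a root build.gradle; it is not the repository's own code and the PR's actual rule may differ. The helper name compareNumericVersions, the variable patchedNetty and the project path used in the usage note are assumptions. The point of the numeric comparison is that a plain string compare gets "4.2.9.Final" > "4.2.13.Final" wrong and would leave such a version unpinned.

```groovy
// Added example, not the project's build.gradle. Root-level override that mirrors the
// published `strictly '4.2.13.Final'` constraint in openapi-validation-core so that
// Spring Boot BOM-managed example/test classpaths in this build resolve the same artifact.

// Compare dotted versions numerically: "4.2.9.Final" < "4.2.13.Final".
// Non-numeric segments such as "Final" are ignored; missing segments count as 0.
// Helper name is an assumption for this example.
def compareNumericVersions(String a, String b) {
    List<Integer> pa = a.tokenize('.').findAll { it.isInteger() }*.toInteger()
    List<Integer> pb = b.tokenize('.').findAll { it.isInteger() }*.toInteger()
    int n = Math.max(pa.size(), pb.size())
    for (int i = 0; i < n; i++) {
        int x = i < pa.size() ? pa[i] : 0
        int y = i < pb.size() ? pb[i] : 0
        if (x != y) {
            return x <=> y
        }
    }
    return 0
}

def patchedNetty = '4.2.13.Final'   // first version not affected by GHSA-mj4r-2hfc-f8p6

allprojects {
    configurations.all {
        resolutionStrategy.eachDependency { DependencyResolveDetails details ->
            def req = details.requested
            if (req.group == 'io.netty' && req.name == 'netty-codec-compression') {
                // An empty requested version means the version is managed elsewhere
                // (for example by a BOM); treat that as needing the pin as well.
                boolean needsPin = !req.version || compareNumericVersions(req.version, patchedNetty) < 0
                if (needsPin) {
                    details.useVersion(patchedNetty)
                    details.because('GHSA-mj4r-2hfc-f8p6: netty-codec-compression before 4.2.13.Final is vulnerable to resource exhaustion')
                }
            }
        }
    }
}
```

To confirm the pin took effect on a given classpath, run `./gradlew :openapi-validation-core:dependencyInsight --dependency netty-codec-compression --configuration runtimeClasspath` (project path assumed); the report shows the selected version and, for an overridden request, the `because` reason string. Note that an eachDependency rule only governs builds of this repository. What consumers of the published library see is the dependency constraint in openapi-validation-core, which Gradle writes into the published Gradle Module Metadata; a consumer that resolves via the POM alone does not inherit a `strictly` bound and should verify its own dependency tree.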