
Conversation

Contributor

Copilot AI commented Jan 19, 2026

Forces patched transitive versions of protobuf, Netty, jdom2, jose4j, commons-lang3, and httpclient in Gradle (including buildscript classpath) to satisfy Dependabot alerts without altering application code, and documents the override rationale in the README. Unit tests were re-run to validate the dependency upgrades.

Original prompt

I want you to help me address these dependabot alerts in the transient dependencies within the android project to the best of your ability. Note that although they are rated high/moderate they should not pose any significant security impact to our app. This is mostly to make dependabot happy without breaking our codebase. Follow best practices and fix compatibility issues that could arise while you update the dependencies. Document all the findings during the upgrade process properly so that we can make further decisions on whether to retire (unused+unmaintained) dependencies entirely, etc.

protobuf-java has potential Denial of Service issue High
#30 opened 12 hours ago • Detected in com.google.protobuf:protobuf-kotlin (Maven) • settings.gradle.kts

protobuf-java has potential Denial of Service issue High
#15 opened yesterday • Detected in com.google.protobuf:protobuf-java (Maven) • settings.gradle.kts

XML External Entity (XXE) Injection in JDOM High
#25 opened yesterday • Detected in org.jdom:jdom2 (Maven) • settings.gradle.kts

Netty affected by MadeYouReset HTTP/2 DDoS vulnerability High
#22 opened yesterday • Detected in io.netty:netty-codec-http2 (Maven) • settings.gradle.kts

SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine High
#18 opened yesterday • Detected in io.netty:netty-handler (Maven) • settings.gradle.kts

netty-handler SniHandler 16MB allocation Moderate
#5 opened yesterday • Detected in io.netty:netty-handler (Maven) • settings.gradle.kts

jose4j is vulnerable to DoS via compressed JWE content High
#28 opened yesterday • Detected in org.bitbucket.b_c:jose4j (Maven) • settings.gradle.kts

io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack High
#6 opened yesterday • Detected in io.netty:netty-codec-http2 (Maven) • settings.gradle.kts

Netty's decoders vulnerable to DoS via zip bomb style attack Moderate
#23 opened yesterday • Detected in io.netty:netty-codec (Maven) • settings.gradle.kts

Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder Moderate
#27 opened yesterday • Detected in io.netty:netty-codec-http (Maven) • settings.gradle.kts

Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs Moderate
#31 opened 12 hours ago • Detected in org.apache.commons:commons-lang3 (Maven) • settings.gradle.kts

Cross-site scripting in Apache HttpClient Moderate
#29 opened 12 hours ago • Detected in org.apache.httpcomponents:httpclient (Maven) • settings.gradle.kts

Denial of Service attack on windows app using netty Moderate
#19 opened yesterday • Detected in io.netty:netty-common (Maven) • settings.gradle.kts

Denial of Service attack on windows app using Netty Moderate
#20 opened yesterday • Detected in io.netty:netty-common (Maven) • settings.gradle.kts

Netty's HttpPostRequestDecoder can OOM Moderate
#11 opened yesterday • Detected in io.netty:netty-codec-http (Maven) • settings.gradle.kts

Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions Low
#24 opened yesterday • Detected in io.netty:netty-codec-http (Maven) • settings.gradle.kts
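The PR description says the fix forces patched transitive versions in Gradle, including on the buildscript classpath, rather than touching application code. The following root `build.gradle.kts` is an added example of that pattern together with the check a reviewer would want alongside it; it is not the PR's own diff. Assumptions, all labelled in the comments: the Android module is named `app`, its unit-tested variant `prodDebug` yields a `prodDebugRuntimeClasspath` configuration, and every `<PATCHED_..._VERSION>` string is a placeholder for the fixed version named by the corresponding Dependabot alert (the page does not list them).

```kotlin
// Root build.gradle.kts, added example (not the PR's diff). Assumptions: the app module is
// ":app", the tested variant is "prodDebug", and each "<PATCHED_..._VERSION>" placeholder
// is replaced with the fixed version the matching Dependabot alert names.

// The buildscript block is evaluated before the rest of a Kotlin DSL script and cannot see
// declarations below it, so the plugin-classpath override is written out inline here.
buildscript {
    configurations.all {
        resolutionStrategy {
            force(
                "com.google.protobuf:protobuf-java:<PATCHED_PROTOBUF_VERSION>",
                "org.jdom:jdom2:<PATCHED_JDOM2_VERSION>",
                "org.apache.commons:commons-lang3:<PATCHED_COMMONS_LANG3_VERSION>",
                "org.apache.httpcomponents:httpclient:<PATCHED_HTTPCLIENT_VERSION>",
            )
            // Keep every io.netty module on one version; mixed Netty versions fail at runtime.
            eachDependency {
                if (requested.group == "io.netty") useVersion("<PATCHED_NETTY_VERSION>")
            }
        }
    }
}

// Minimum patched versions for project configurations, keyed by "group:module" (placeholders).
val forcedVersions = mapOf(
    "com.google.protobuf:protobuf-java" to "<PATCHED_PROTOBUF_VERSION>",
    "com.google.protobuf:protobuf-kotlin" to "<PATCHED_PROTOBUF_VERSION>",
    "org.jdom:jdom2" to "<PATCHED_JDOM2_VERSION>",
    "org.bitbucket.b_c:jose4j" to "<PATCHED_JOSE4J_VERSION>",
    "org.apache.commons:commons-lang3" to "<PATCHED_COMMONS_LANG3_VERSION>",
    "org.apache.httpcomponents:httpclient" to "<PATCHED_HTTPCLIENT_VERSION>",
)
val nettyVersion = "<PATCHED_NETTY_VERSION>"

allprojects {
    configurations.all {
        resolutionStrategy {
            forcedVersions.forEach { (module, version) -> force("$module:$version") }
            eachDependency {
                if (requested.group == "io.netty") {
                    useVersion(nettyVersion)
                    because("Dependabot alerts on Netty transitive dependencies")
                }
            }
        }
    }
}

// Guard against silent regressions (e.g. a later dependency bump that drops the override):
// fail if any artifact on the app's prodDebug runtime classpath resolved to a different version.
val appProject = project(":app") // assumed module name
tasks.register("verifyPatchedTransitives") {
    group = "verification"
    description = "Fails if a Dependabot-flagged transitive dependency resolves to an unpatched version"
    doLast {
        val components = appProject.configurations
            .getByName("prodDebugRuntimeClasspath") // assumed configuration name
            .incoming.resolutionResult.allComponents
        val mismatches = components.mapNotNull { component ->
            val id = component.moduleVersion ?: return@mapNotNull null
            val expected = forcedVersions["${id.group}:${id.name}"]
                ?: nettyVersion.takeIf { id.group == "io.netty" }
                ?: return@mapNotNull null
            if (id.version != expected) {
                "${id.group}:${id.name} resolved ${id.version}, expected $expected"
            } else null
        }
        if (mismatches.isNotEmpty()) {
            throw GradleException("Unpatched transitive dependencies:\n" + mismatches.joinToString("\n"))
        }
    }
}
```

Run `./gradlew verifyPatchedTransitives` in CI next to the unit tests, and `./gradlew :app:dependencies --configuration prodDebugRuntimeClasspath` to see which direct dependency pulls each flagged artifact in; that output is the evidence for the README's retire-or-keep decision on unused or unmaintained dependencies. A forced version is an override, not an upgrade of the consumer that requested the old one, so the check matters precisely because a future bump of that consumer can reintroduce the vulnerable version without any visible change to application code.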



@MinecraftFuns
Contributor

@copilot please continue your work of upgrading dependencies to address Dependabot alerts. Help me address the Dependabot alerts properly by upgrading to the latest versions and address any incompatibilities if they should arise. Follow best practices in coding and ensure the correctness, efficiency, and security of the code.

Copilot AI and others added 3 commits January 19, 2026 18:49
Co-authored-by: MinecraftFuns <25814618+MinecraftFuns@users.noreply.github.com>
Co-authored-by: MinecraftFuns <25814618+MinecraftFuns@users.noreply.github.com>
Co-authored-by: MinecraftFuns <25814618+MinecraftFuns@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 19, 2026

@copilot please continue your work of upgrading dependencies to address Dependabot alerts. help me address the Dependabot alerts properly by upgrading to the latest versions and address any incompatib...

Upgraded the flagged transitive dependencies by forcing patched versions in Gradle and documented the override rationale, with prodDebug unit tests passing. Commit: b320043.

Copilot AI changed the title [WIP] Update dependent libraries to address Dependabot alerts Update transitive dependencies to address Dependabot alerts Jan 19, 2026
@MinecraftFuns MinecraftFuns marked this pull request as ready for review January 20, 2026 04:09
@MinecraftFuns MinecraftFuns merged commit aa47552 into main Jan 20, 2026
5 checks passed