From 9b89ca5bb7f7ca734fc110225129e94509cac879 Mon Sep 17 00:00:00 2001
From: Patrick Boos
Date: Tue, 10 Feb 2026 10:51:21 +0100
Subject: [PATCH] Fix dependabot alert 30: upgrade netty-codec-http to 4.2.8.Final

Override transitive io.netty:netty-codec-http version to 4.2.8.Final via dependency constraint to fix CVE-2025-67735 (CRLF injection in HttpRequestEncoder).
---
 build.gradle | 8 ++++++++
 gradle/libs.versions.toml | 1 +
 2 files changed, 9 insertions(+)

diff --git a/build.gradle b/build.gradle
index 365d62e..21c385d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -64,6 +64,14 @@ subprojects {
 annotationProcessor(libs.lombok)
 testCompileOnly(libs.lombok)
 testAnnotationProcessor(libs.lombok)
+
+ // Security: override transitive netty-codec-http to fix CVE-2025-67735 (CRLF injection)
+ constraints {
+ implementation('io.netty:netty-codec-http') {
+ version { require libs.versions.netty.get() }
+ because 'CVE-2025-67735: CRLF injection in HttpRequestEncoder'
+ }
+ }
 }
 
 checkstyle {
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index e8a30c9..527cc69 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -11,6 +11,7 @@ lombok = "1.18.42"
 commons-codec = "1.20.0"
 find-bugs = "3.0.2"
 gradle-nexus-publish-plugin = "2.0.0"
+netty = "4.2.8.Final"
 datadog-statsd = "4.4.5"
 # Verify
 checkstyle = "8.44"
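Review bot: The constraint in the build.gradle hunk raises only `io.netty:netty-codec-http` to 4.2.8.Final while every other netty module (netty-common, netty-buffer, netty-handler, netty-codec, …) keeps whatever version the transitive dependency brought in, and netty modules are generally expected to be version-aligned, so this may produce a mixed netty set that fails at runtime rather than at build time. Consider aligning the whole family instead, e.g. `implementation(platform("io.netty:netty-bom:${libs.versions.netty.get()}"))` alongside or in place of the single-artifact constraint, which also keeps the new `netty` catalog version as the single source of truth. The `require` semantics are appropriate for a security floor (a higher version requested elsewhere still wins), but the result should be confirmed with `./gradlew dependencyInsight --dependency netty-codec-http` on the affected subprojects, since the enclosing block (presumably `dependencies`) starts outside the hunk and it is not visible here which configurations actually pull netty in.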