An open index of dependabot pull requests across open source projects.

chore(deps): bump the gradle-dependencies group across 1 directory with 8 updates

Number: #53
Type: Pull Request
State: Closed
Author: dependabot[bot]
Association: Unknown
Comments: 1
Created: May 08, 2026 at 01:11 AM UTC (about 1 month ago)
Updated: May 11, 2026 at 01:16 AM UTC (30 days ago)
Closed: May 11, 2026 at 01:16 AM UTC (30 days ago)
Time to Close: 3 days
Labels: dependencies, java
Description:

Bumps the gradle-dependencies group with 4 updates in the / directory: com.android.tools.build:gradle, io.netty:netty-codec-http, com.google.firebase:firebase-bom and androidx.compose:compose-bom.

Updates com.android.tools.build:gradle from 9.2.0 to 9.2.1

Updates io.netty:netty-codec-http from 4.2.12.Final to 4.2.13.Final

Release notes

Sourced from io.netty:netty-codec-http's releases.

netty-4.2.13.Final

CVEs Fixed

What's Changed

... (truncated)

Commits
  • b3844c8 [maven-release-plugin] prepare release netty-4.2.13.Final
  • 82f47fa Merge commit from fork
  • ada0999 Merge commit from fork
  • b4051e2 Fix BrotliDecoder not forwarding all decompressed chunks
  • 67207c1 Merge commit from fork
  • 541ca7c Merge commit from fork
  • 943edb3 Fix codec-dns tests
  • 6459a28 Merge commit from fork
  • b4ba61b Fix checkstyle in HttpObjectDecoder
  • 977661f Merge commit from fork
  • Additional commits viewable in compare view

Updates io.netty:netty-codec-http2 from 4.2.12.Final to 4.2.13.Final

Updates io.netty:netty-handler from 4.2.12.Final to 4.2.13.Final

Updates io.netty:netty-codec from 4.2.12.Final to 4.2.13.Final

Updates io.netty:netty-common from 4.2.12.Final to 4.2.13.Final

Updates com.google.firebase:firebase-bom from 34.12.0 to 34.13.0

Updates androidx.compose:compose-bom from 2026.04.01 to 2026.05.00

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Package Dependencies

  • Ecosystem: maven; Version Change: 4.2.12.Final → 4.2.13.Final; Update Type: Patch
  • Ecosystem: maven; Version Change: 4.2.12.Final → 4.2.13.Final; Update Type: Patch
  • Ecosystem: maven; Version Change: 2026.04.01 → 2026.05.00; Update Type: Minor
  • Ecosystem: maven; Version Change: 4.2.12.Final → 4.2.13.Final; Update Type: Patch
  • Ecosystem: maven; Version Change: 4.2.12.Final → 4.2.13.Final; Update Type: Patch
  • Ecosystem: maven; Version Change: 9.2.0 → 9.2.1; Update Type: Patch
  • Ecosystem: maven; Version Change: 34.12.0 → 34.13.0; Update Type: Minor
  • Ecosystem: maven; Version Change: 4.2.12.Final → 4.2.13.Final; Update Type: Patch

Security Advisories

sjcl is missing point-on-curve validation in sjcl.ecc.basicKey.publicKey
GHSA-2w8x-224x-785m CVE-2026-4258 HIGH
All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(). An attacker can recove...

Netty: Start-Line Injection in DefaultHttpRequest.setUri() Allows HTTP Request Smuggling and RTSP Request Injection
GHSA-v8h7-rr48-vmmv CVE-2026-41417 MODERATE
Summary: Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructo...

Netty epoll transport denial of service via RST on half-closed TCP connection
GHSA-rwm7-x88c-3g2p CVE-2026-42577 HIGH
Summary: Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths...

Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS
GHSA-f6hv-jmp6-3vwv CVE-2026-42587 HIGH
Summary: `HttpContentDecompressor` accepts a `maxAllocation` parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and de...

Netty Redis Codec Encoder has a CRLF Injection Issue
GHSA-rgrr-p7gp-5xj7 CVE-2026-42586 MODERATE
Security Vulnerability Report: CRLF Injection in Netty Redis Codec Encoder. 1. Vulnerability Summary. Product: Netty. Version: 4.2.12.Final (...

Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding
GHSA-38f8-5428-x5cv CVE-2026-42585 MODERATE
Summary: Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. Details: Netty incorrectly marks a request as chunked when malformed "Transfer-Encoding: ch...

Netty has HttpClientCodec response desynchronization
GHSA-57rv-r2g8-2cj3 CVE-2026-42584 HIGH
Summary: If HttpClientCodec is configured, there are use cases when a response body from one request can be parsed as another's. Details: HttpClientCodec pairs each inbound response with a...

Netty Lz4FrameDecoder is vulnerable to resource exhaustion
GHSA-mj4r-2hfc-f8p6 CVE-2026-42583 HIGH
Summary: Lz4FrameDecoder allocates a ByteBuf of size `decompressedLength` (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus `compressedLength` payload bytes - 22 b...

Netty HTTP/3 QPACK literal unbounded allocation
GHSA-2c5c-chwr-9hqw CVE-2026-42582 HIGH
Summary: When Netty decodes HTTP/3 headers, it sometimes runs `new byte[length]` using a length from the wire before checking that many bytes are really there. A small malicious header can claim...

Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization
GHSA-xxqh-mfjm-7mv9 CVE-2026-42581 MODERATE
NETTY HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization. Library: `io.netty:netty-codec-http`. Component: `codec-http` — `HttpObjectD...

Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing
GHSA-m4cv-j2px-7723 CVE-2026-42580 MODERATE
Summary: Netty's chunk size parser silently overflows int, enabling request smuggling attacks. Details: io.netty.handler.codec.http.HttpObjectDecoder#getChunkSize silently overflows int. Th...

Netty has a DNS Codec Input Validation Bypass (Encoder + Decoder)
GHSA-cm33-6792-r9fm CVE-2026-42579 HIGH
Security Vulnerability Report: DNS Codec Input Validation Bypass in Netty (Encoder + Decoder). 1. Vulnerability Summary. Product: Netty. Version...

Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735)
GHSA-45q3-82m4-75jr CVE-2026-42578 LOW
Security Vulnerability Report: HTTP Header Injection via HttpProxyHandler Disabled Validation in Netty. 1. Vulnerability Summary. Product: Netty. ...

Netty MQTT: Resource exhaustion in MqttDecoder
GHSA-jfg9-48mv-9qgx CVE-2026-44248 MODERATE
Impact: The MQTT 5 header Properties section is parsed and buffered _before_ any message size limit is applied. Specifically, in `MqttDecoder`, the `decodeVariableHeader()` method is called bef...

Technical Details
ID: 15743337
UUID: 4403012111
Node ID: PR_kwDOQ9mKCc7ZW723
Host: GitHub
Repository: AndroidIRCx/NULVEX