Summary

Fixes the high-severity netty vulnerability GHSA-3qp7-7mw8-wx86 / CVE-2026-44249 (IPv6 subnet filter bypass in io.netty:netty-handler, CVSS 8.1, patched in 4.1.135.Final) — see dependabot alert #190.

This is an alternative to #7209, which only bumps the direct io.netty:netty-handler pin in nf-azure to 4.1.135.Final. That approach is incomplete:

1. It leaves the other five netty modules in nf-azure (netty-common, netty-handler-proxy, netty-codec-http, netty-codec-http2, netty-codec-dns) pinned at 4.1.133.Final, causing netty version skew.
2. It does not address nf-amazon and nf-codecommit, which carry no direct netty pins and instead inherit vulnerable netty 4.1.133.Final transitively from the AWS SDK 2.44.3 (netty-nio-client). Those plugins remain vulnerable after chore: update dependency io.netty:netty-handler to v4.1.135.final [security] #7209.

Changes

Fix the vulnerability at the source of the transitive dependency rather than pinning individual netty modules:

• nf-amazon, nf-codecommit: bump AWS SDK 2.44.3 → 2.46.8. The 2.46.8 SDK declares netty.version = 4.1.135.Final, so patched netty is pulled in transitively.
• nf-azure: replace the six direct io.netty:*:4.1.133.Final pins with a single pin on com.azure:azure-core-http-netty:1.16.5, whose POM aligns every netty module to 4.1.135.Final.

Verification

Resolved runtimeClasspath for all subprojects audited. After the change, every netty module in nf-amazon, nf-azure, and nf-codecommit resolves to 4.1.135.Final with no version skew. nf-google uses grpc-netty-shaded (relocated, not the affected coordinate) and nf-tower only imports netty-bom (no netty artifact on the classpath) — neither is affected.

Unit tests pass for all three modified plugins (:plugins:nf-amazon:test, :plugins:nf-azure:test, :plugins:nf-codecommit:test).