Upgrade protobuf3 & async-http-client to address CVE-2024-7254 & CVE-2024-53990 (#11)

* Upgrade protobuf3 to 3.25.5 to address CVE-2024-7254

* Include async-http-client with updated version to fix vulnerable transitive dependency.

* Add explanation comment and scope.

---------

Co-authored-by: ganesh-ctds <[email protected]>

Author: nikhil-ctds

pom.xml

@@ -59,7 +59,8 @@
     <commons-compress.version>1.26.0</commons-compress.version>
     <log4j.version>2.17.1</log4j.version>
     <json-smart.version>2.4.9</json-smart.version>
-    <protobuf3.version>3.19.6</protobuf3.version>
+    <protobuf3.version>3.25.5</protobuf3.version>
+    <asynchttpclient.version>2.12.4</asynchttpclient.version>
     <protoc3.version>${protobuf3.version}</protoc3.version>
     <grpc.version>1.42.1</grpc.version>
     <protoc-gen-grpc-java.version>${grpc.version}</protoc-gen-grpc-java.version>
@@ -168,6 +169,13 @@
           </exclusion>
         </exclusions>
       </dependency>
+      <!-- Override transitive dependency version to fix vulnerability -->
+      <dependency>
+        <groupId>org.asynchttpclient</groupId>
+        <artifactId>async-http-client</artifactId>
+        <version>${asynchttpclient.version}</version>
+        <scope>runtime</scope>
+      </dependency>
       <dependency>
         <groupId>com.google.protobuf</groupId>
         <artifactId>protobuf-bom</artifactId>