Merge pull request #8349 from govuk-one-login/BAU/constrain-netty-handler-proxy-to-4.1.133

alhcomer · web-flow · commit 2616b660d5f5 · 2026-05-18T15:04:21.000Z
BAU: Constrain netty-handler-proxy to 4.1.133.Final to fix CVE-2026-42578
diff --git a/build.gradle b/build.gradle
@@ -77,6 +77,10 @@ subprojects {
                     because 'CVE-2025-58057 is fixed in io.netty:netty-codec:4.1.125.Final and higher'
                 }
 
+                classpath('io.netty:netty-handler-proxy:[4.1.133.Final,4.2.0)') {
+                    because 'CVE-2026-42578 is fixed in io.netty:netty-handler-proxy:4.1.133.Final and higher'
+                }
+
                 // Apache Commons constraints
                 classpath('commons-beanutils:commons-beanutils:[1.11.0,)') {
                     because 'CVE-2025-48734 is fixed in commons-beanutils:commons-beanutils:1.11.0 and higher'
@@ -154,6 +158,10 @@ subprojects {
                         because 'CVE-2026-42577 is fixed in io.netty:netty-transport-native-epoll:4.2.13.Final and higher'
                     }
 
+                    add(conf.name, 'io.netty:netty-handler-proxy:[4.1.133.Final,4.2.0)') {
+                        because 'CVE-2026-42578 is fixed in io.netty:netty-handler-proxy:4.1.133.Final and higher'
+                    }
+
                     // Jetty constraints
                     add(conf.name, 'org.eclipse.jetty.http2:jetty-http2-common:[12.0.25,12.1.0)') {
                         because 'CVE-2025-5115 is fixed in org.eclipse.jetty.http2:jetty-http2-common:12.0.25 and higher'
