We're getting Okio transitively from Moshi (at minimum). Based on release dates (latest version of Moshi released on 5/12/23, and Okio version 3.4.0 was released on 7/7/23), I think it's possible that the latest version of Moshi may not have the recommended Okio version, so we upgrade any instance of transitive Okio dependencies via a constraints block.
Bumping to Moshi 1.14.0, since this version doesn't contain Kotlin 1.8 yet (some downstream consumers are not able to take dependencies with Kotlin 1.8 yet).
Summary
This PR addresses a CVE related to Okio: