chore(deps): update vulnerable dependencies (Netty 4.1.93.Final, protobuf-java 3.22.3)

[gregoriodelasheras]

Hello @jonz94

We are currently using the this library in a project, and during a security scan using BlackDuck, we identified several vulnerabilities related to outdated dependencies. Specifically, the following dependencies are flagged:

Netty Project v. 4.1.93.Final:

io.netty:netty-transport-native-unix-common:4.1.93.Final
io.netty:netty-buffer:4.1.93.Final
io.netty:netty-codec-http2:4.1.93.Final
io.netty:netty-codec:4.1.93.Final
io.netty:netty-handler-proxy:4.1.93.Final
io.netty:netty-common:4.1.93.Final
io.netty:netty-handler:4.1.93.Final
io.netty:netty-resolver:4.1.93.Final
io.netty:netty-transport:4.1.93.Final

protobuf-java v. 3.22.3:

com.google.protobuf:protobuf-java:3.22.3

These vulnerabilities are reported in the following dependency paths in the project:

Netty Project:

- android:jonz94-capacitor-azure-notification-hubs:unspecified:node_modules/@jonz94/capacitor-azure-notification-hubs/android:-gradle/com.android.tools.utp:android-test-plugin-result-listener-gradle:31.5.0/io.grpc:grpc-netty:1.57.0/io.netty:netty-transport-native-unix-common:4.1.93.Final/io.netty:netty-buffer:4.1.93.Final

- android:jonz94-capacitor-azure-notification-hubs:unspecified:node_modules/@jonz94/capacitor-azure-notification-hubs/android:-gradle/com.android.tools.utp:android-test-plugin-result-listener-gradle:31.5.0/io.grpc:grpc-netty:1.57.0/io.netty:netty-codec-http2:4.1.93.Final/io.netty:netty-codec:4.1.93.Final

- android:jonz94-capacitor-azure-notification-hubs:unspecified:node_modules/@jonz94/capacitor-azure-notification-hubs/android:-gradle/com.android.tools.utp:android-test-plugin-result-listener-gradle:31.5.0/io.grpc:grpc-netty:1.57.0/io.netty:netty-codec-http2:4.1.93.Final

- android:jonz94-capacitor-azure-notification-hubs:unspecified:node_modules/@jonz94/capacitor-azure-notification-hubs/android:-gradle/com.android.tools.utp:android-test-plugin-result-listener-gradle:31.5.0/io.grpc:grpc-netty:1.57.0/io.netty:netty-codec-http2:4.1.93.Final/io.netty:netty-codec-http:4.1.93.Final

- android:jonz94-capacitor-azure-notification-hubs:unspecified:node_modules/@jonz94/capacitor-azure-notification-hubs/android:-gradle/com.android.tools.utp:android-test-plugin-result-listener-gradle:31.5.0/io.grpc:grpc-netty:1.57.0/io.netty:netty-handler-proxy:4.1.93.Final/io.netty:netty-codec-socks:4.1.93.Final

- android:jonz94-capacitor-azure-notification-hubs:unspecified:node_modules/@jonz94/capacitor-azure-notification-hubs/android:-gradle/com.android.tools.utp:android-test-plugin-result-listener-gradle:31.5.0/io.grpc:grpc-netty:1.57.0/io.netty:netty-transport-native-unix-common:4.1.93.Final/io.netty:netty-common:4.1.93.Final

- android:jonz94-capacitor-azure-notification-hubs:unspecified:node_modules/@jonz94/capacitor-azure-notification-hubs/android:-gradle/com.android.tools.utp:android-test-plugin-result-listener-gradle:31.5.0/io.grpc:grpc-netty:1.57.0/io.netty:netty-codec-http2:4.1.93.Final/io.netty:netty-handler:4.1.93.Final

- android:jonz94-capacitor-azure-notification-hubs:unspecified:node_modules/@jonz94/capacitor-azure-notification-hubs/android:-gradle/com.android.tools.utp:android-test-plugin-result-listener-gradle:31.5.0/io.grpc:grpc-netty:1.57.0/io.netty:netty-handler-proxy:4.1.93.Final

- android:jonz94-capacitor-azure-notification-hubs:unspecified:node_modules/@jonz94/capacitor-azure-notification-hubs/android:-gradle/com.android.tools.utp:android-test-plugin-result-listener-gradle:31.5.0/io.grpc:grpc-netty:1.57.0/io.netty:netty-transport-native-unix-common:4.1.93.Final/io.netty:netty-transport:4.1.93.Final/io.netty:netty-resolver:4.1.93.Final

- android:jonz94-capacitor-azure-notification-hubs:unspecified:node_modules/@jonz94/capacitor-azure-notification-hubs/android:-gradle/com.android.tools.utp:android-test-plugin-result-listener-gradle:31.5.0/io.grpc:grpc-netty:1.57.0/io.netty:netty-transport-native-unix-common:4.1.93.Final/io.netty:netty-transport:4.1.93.Final

protobuf-java:

- com.google.protobuf:protobuf-java:3.22.3/com.android.tools.utp:android-test-plugin-host-apk-installer:31.5.0/android:jonz94-capacitor-azure-notification-hubs:unspecified:node_modules/@jonz94/capacitor-azure-notification-hubs/android:-gradle

Request:

Would it be possible for the mentioned dependencies to be upgraded to their latest, non-vulnerable versions? I and my team would be very grateful. For example:

• Netty Project: Update to 4.1.112.Final or newer (https://mvnrepository.com/artifact/io.netty)

• protobuf-java: Update to 3.25.4 or newer https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java

This will help ensure that applications using this library remain secure and free from known vulnerabilities.

Thank you for your attention to this matter. Please let me know if I can assist in any way to facilitate these updates.

Best regards, Francisco Gregorio de las Heras

[rumaisaknaz]

We have the same issue, please resolve the above security risks in the project.