From 39f34445afa77a573a9ef4625b69ca0b42d63dae Mon Sep 17 00:00:00 2001
From: 40handz
Date: Mon, 26 Jan 2026 15:39:23 -0500
Subject: [PATCH 1/2] fix: upgrade Netty to 4.1.129.Final to address security vulnerabilities

Force transitive Netty dependency upgrade to resolve:
- CVE-2025-24970 (HIGH 7.5): SslHandler validation flaw causing native crash
- CVE-2025-25193 (MEDIUM 5.5): DoS via null-byte in BoundedInputStream
- CVE-2025-55163 (HIGH 7.5): HTTP/2 "MadeYouReset" DDoS attack
- CVE-2025-58056 (HIGH 7.5): HTTP request smuggling via LF parsing
- CVE-2025-58057 (HIGH 7.5): BrotliDecoder DoS (zip bomb)
- CVE-2025-67735 (MEDIUM 6.5): CRLF injection / request smuggling

Co-Authored-By: Claude Opus 4.5
---
build.gradle | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)

diff --git a/build.gradle b/build.gradle
index d424e2b..2fcc4bd 100644
--- a/build.gradle
+++ b/build.gradle
@@ -27,6 +27,12 @@ group = "com.pusher"
 version = "1.3.4"
 description = "Pusher HTTP Client"
 
+// Netty version override to address CVE-2025-24970, CVE-2025-25193, CVE-2025-55163,
+// CVE-2025-58056, CVE-2025-58057, CVE-2025-67735
+ext {
+ nettyVersion = '4.1.129.Final'
+}
+
 java {
 sourceCompatibility = JavaVersion.VERSION_11
 targetCompatibility = JavaVersion.VERSION_11
@@ -38,6 +44,10 @@ dependencies {
 implementation 'org.apache.httpcomponents:httpclient:4.5.13'
 implementation 'org.asynchttpclient:async-http-client:3.0.1'
 implementation 'com.google.code.gson:gson:2.8.9'
+
+ // Force Netty upgrade to resolve CVEs
+ implementation platform("io.netty:netty-bom:${nettyVersion}")
+
 testImplementation 'org.apache.httpcomponents:httpclient:4.5.13'
 testImplementation 'org.hamcrest:hamcrest-all:1.3'
 testImplementation 'org.jmock:jmock-junit5:2.12.0'
@@ -45,6 +55,15 @@ dependencies {
 testImplementation 'org.junit.jupiter:junit-jupiter:5.7.1'
 }
 
+configurations.all {
+ resolutionStrategy.eachDependency { details ->
+ if (details.requested.group == 'io.netty') {
+ details.useVersion nettyVersion
+ details.because 'CVE-2025-24970, CVE-2025-25193, CVE-2025-55163, CVE-2025-58056, CVE-2025-58057, CVE-2025-67735'
+ }
+ }
+}
+
 processResources {
 filter(ReplaceTokens, tokens: [
 version: project.version

From afc042a998e9076026c8ac11caba0f753bf82a05 Mon Sep 17 00:00:00 2001
From: 40handz
Date: Mon, 26 Jan 2026 15:45:19 -0500
Subject: [PATCH 2/2] fix: update async-http-client to 3.0.6 and change dependency scopes to api

- Update async-http-client from 3.0.1 to 3.0.6 (addresses Issue #79)
- Change httpclient, async-http-client, and gson from 'implementation' to 'api' scope since they appear in public method signatures (Issue #78)

Closes #78
Closes #79

Co-Authored-By: Claude Opus 4.5
---
build.gradle | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/build.gradle b/build.gradle
index 2fcc4bd..396267d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -41,9 +41,10 @@ java {
 }
 
 dependencies {
- implementation 'org.apache.httpcomponents:httpclient:4.5.13'
- implementation 'org.asynchttpclient:async-http-client:3.0.1'
- implementation 'com.google.code.gson:gson:2.8.9'
+ // These are 'api' because they appear in public method signatures (Issue #78)
+ api 'org.apache.httpcomponents:httpclient:4.5.13'
+ api 'org.asynchttpclient:async-http-client:3.0.6' // Updated from 3.0.1 (Issue #79)
+ api 'com.google.code.gson:gson:2.8.9'
 
 // Force Netty upgrade to resolve CVEs
 implementation platform("io.netty:netty-bom:${nettyVersion}")
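Review bot: The `details.requested.group == 'io.netty'` test in the new `configurations.all` rule forces every artifact in that group to `nettyVersion`, but `io.netty:netty-tcnative-*` (the OpenSSL/BoringSSL bindings) is versioned on its own 2.0.x line, so if any dependency ever pulls it in transitively the forced `4.1.129.Final` coordinate will not exist and resolution fails instead of upgrading. Narrow the match, e.g. `if (details.requested.group == 'io.netty' && !details.requested.name.startsWith('netty-tcnative'))`, or drop the rule and rely on the `implementation platform("io.netty:netty-bom:${nettyVersion}")` constraint added in the previous hunk, which already raises the transitive Netty modules to the BOM version through Gradle's highest-version conflict resolution (and, I believe, carries tcnative at its matching version). Note also that `useVersion` pins downward as well as upward: a later `async-http-client` bump that needs a newer Netty would be silently downgraded to `nettyVersion`, so the pin has to be revisited on every AHC update and that expectation is worth stating in the comment above `ext`.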
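Review bot: The `api` configuration only exists when the `java-library` plugin is applied; if this build applies only `java` (the `plugins` block is outside this hunk), `api 'org.apache.httpcomponents:httpclient:4.5.13'` and the two `api` lines after it fail with "Could not find method api()". Confirm `java-library` is applied, or add it in the same change as the scope switch. Since `async-http-client` is now exposed as `api` while `implementation platform("io.netty:netty-bom:${nettyVersion}")` stays `implementation`, it is worth checking the generated POM/module metadata to see whether consumers inherit the Netty version constraint along with the AHC dependency; if they do not, `api platform(...)` would let the CVE floor travel with the public dependency. The `dependencies` block closes outside the hunk.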