fix: upgrade dependencies to address critical CVEs #1706

Merged
cicoyle merged 3 commits into dapr:master from javier-aliaga:fix/upgrade-jackson-cve-2025-52999
Mar 31, 2026

Conversation

@javier-aliaga (Contributor) commented Mar 31, 2026

Description

  • Upgrade jackson-bom from 2.16.2 to 2.18.6 to fix CVE-2025-52999 (CVSS 8.7 — DoS via deeply nested JSON in async parser)
  • Add netty-bom 4.1.132.Final to override transitive Netty 4.1.124 from gRPC, fixing CVE-2026-33871 (CVSS 8.7 — HTTP/2 CONTINUATION flood DoS) and CVE-2026-33870 (CVSS 7.5 — HTTP request smuggling)
  • Bump spring-boot from 3.4.9 to 3.4.10, which ships Tomcat 10.1.46, fixing CVE-2025-55754 (CVSS 9.6 — ANSI escape injection in logs) and CVE-2025-55752 (CVSS 7.5 — path traversal with RCE potential)
  • Align springframework.version 6.2.7 → 6.2.11 with Spring Boot 3.4.10
  • Bump springboot4.version from 4.0.2 to 4.0.5 across all 6 modules, which ships tools.jackson.core:jackson-core 3.1.0, fixing GHSA-72hv-8253-57qq (CVSS 6.9 — async parser bypasses maxNumberLength)
  • Reorder BOM imports so netty-bom and jackson-bom take precedence over Spring Boot's managed versions

CVEs addressed

| CVE | CVSS (severity) | Dependency | Fixed by |
|---|---|---|---|
| CVE-2025-55754 | 9.6 Critical | tomcat-embed-core 10.1.44 | Spring Boot 3.4.10 (Tomcat 10.1.46) |
| CVE-2025-52999 | 8.7 High | jackson-core 2.18.4 | jackson-bom 2.18.6 |
| CVE-2026-33871 | 8.7 High | netty-transport 4.1.124 | netty-bom 4.1.132.Final |
| CVE-2025-55752 | 7.5 High | tomcat-embed-core 10.1.44 | Spring Boot 3.4.10 (Tomcat 10.1.46) |
| CVE-2026-33870 | 7.5 High | netty-codec-http 4.1.124 | netty-bom 4.1.132.Final |
| GHSA-72hv-8253-57qq | 6.9 Moderate | jackson-core 3.0.4 | Spring Boot 4.0.5 (jackson 3.1.0) |

Notes

  • The netty-bom override is temporary — gRPC 1.80.0 still ships Netty 4.1.130. A TODO comment marks it for removal once gRPC bundles >= 4.1.132.
  • No code changes — dependency version bumps only.

Issue reference

We strive to have all PR being opened based on an issue, where the problem or feature have been discussed prior to implementation.

Please reference the issue this PR will close: #[issue number]

Checklist

Please make sure you've completed the relevant tasks for this PR, out of the following list:

  • Code compiles correctly
  • Created/updated tests
  • Extended the documentation
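Maven takes a managed version from the first imported BOM that declares it, which is why the description above moves netty-bom and jackson-bom ahead of Spring Boot's BOM; the only proof that the override actually won against the transitive Netty from gRPC is the resolved dependency graph. The script below is an added example for this discussion, not code from the dapr/java-sdk project or from this PR: it parses `mvn dependency:tree` text output, extracts the resolved version of each watched artifact, and fails when one sits below the floors listed in the CVE table. The two sample trees are constructed (the root coordinates `com.example:service` are made up), and the version ordering is a deliberate simplification of Maven's algorithm, stated as such in the code.

```python
"""Post-upgrade gate: fail if any resolved artifact is below its CVE floor.

Added example for this PR discussion; not code from the dapr/java-sdk project.
Reads text produced by `mvn dependency:tree` and compares the resolved version
of each watched artifact against the floor the PR establishes.
"""
import re
from typing import Dict, List, Tuple

# Floors taken from the PR's "CVEs addressed" table (group:artifact -> minimum safe version).
FLOORS: Dict[str, str] = {
    "io.netty:netty-transport": "4.1.132.Final",
    "io.netty:netty-codec-http": "4.1.132.Final",
    "com.fasterxml.jackson.core:jackson-core": "2.18.6",
    "org.apache.tomcat.embed:tomcat-embed-core": "10.1.46",
}

# One node of `mvn dependency:tree` output looks like
#   [INFO] +- io.netty:netty-transport:jar:4.1.132.Final:compile
# i.e. groupId:artifactId:type[:classifier]:version:scope. The root project
# line has no scope and therefore does not match.
_NODE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+(?::[\w.\-]+)?"
    r":(?P<version>[\w.\-]+):(?P<scope>\w+)"
)

# Constructed sample: the graph after the BOM reorder, with netty-bom winning
# over the Netty that io.grpc:grpc-netty pulls in transitively.
TREE_AFTER_FIX = """\
[INFO] com.example:service:jar:1.0.0
[INFO] +- io.grpc:grpc-netty:jar:1.80.0:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.132.Final:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.132.Final:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.18.6:compile
[INFO] +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.46:compile
"""

# Constructed sample of the failure mode the PR's note warns about: the
# netty-bom override not taking effect, so gRPC's own Netty (4.1.130) resolves.
TREE_GRPC_LEAK = TREE_AFTER_FIX.replace("4.1.132.Final", "4.1.130.Final")


def version_key(version: str) -> Tuple[int, ...]:
    """Simplified Maven ordering (an assumption, not Maven's full algorithm):
    numeric segments compared left to right; Final/RELEASE/GA are no-ops;
    any other qualifier (SNAPSHOT, RC1, alpha) sorts below the plain release."""
    key: List[int] = []
    prerelease = False
    for segment in re.split(r"[.\-]", version):
        if segment.isdigit():
            key.append(int(segment))
        elif segment.upper() in {"FINAL", "RELEASE", "GA", ""}:
            continue
        else:
            prerelease = True
            break
    # Trailing marker so that 4.1.132-SNAPSHOT sorts below 4.1.132(.Final).
    key.append(-1 if prerelease else 0)
    return tuple(key)


def resolved_versions(tree_output: str) -> Dict[str, str]:
    """Map group:artifact -> the resolved version seen in the tree.
    Lines marked 'omitted' (verbose mode) describe losers of conflict
    resolution, not what ends up on the classpath, so they are skipped."""
    resolved: Dict[str, str] = {}
    for line in tree_output.splitlines():
        if "omitted" in line:
            continue
        match = _NODE.search(line)
        if match:
            resolved.setdefault(f"{match['group']}:{match['artifact']}", match["version"])
    return resolved


def check_floors(tree_output: str, floors: Dict[str, str] = FLOORS) -> List[str]:
    """Return one message per artifact resolved below its floor; empty means clean.
    Artifacts absent from the tree are not on the classpath and are not reported."""
    resolved = resolved_versions(tree_output)
    problems: List[str] = []
    for coordinate, floor in floors.items():
        actual = resolved.get(coordinate)
        if actual is not None and version_key(actual) < version_key(floor):
            problems.append(f"{coordinate} resolved to {actual}, needs >= {floor}")
    return problems


if __name__ == "__main__":
    import sys
    # Usage in CI: mvn dependency:tree | python check_floors.py
    # Without piped input the constructed leak sample is checked instead.
    tree = sys.stdin.read() if not sys.stdin.isatty() else TREE_GRPC_LEAK
    findings = check_floors(tree)
    for finding in findings:
        print("VULNERABLE:", finding)
    sys.exit(1 if findings else 0)
```

Wire it into the build after the upgrade lands and again when the netty-bom override is removed per the TODO, so that a later gRPC bump that still bundles a Netty below 4.1.132 fails the pipeline instead of silently reintroducing CVE-2026-33871 and CVE-2026-33870.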

Upgrade jackson-bom 2.16.2 → 2.18.6 (CVE-2025-52999, CVSS 8.7 DoS),
add netty-bom 4.1.132.Final (CVE-2026-33871 CVSS 8.7, CVE-2026-33870
CVSS 7.5), and bump Spring Boot 3.4.9 → 3.4.10 which pulls Tomcat
10.1.46 (CVE-2025-55754 CVSS 9.6, CVE-2025-55752 CVSS 7.5).

Reorder BOM imports so netty-bom and jackson-bom take precedence over
Spring Boot's managed versions. Align springframework.version 6.2.11
with Spring Boot 3.4.10.

Signed-off-by: Javier Aliaga <javier@diagrid.io>
Signed-off-by: Javier Aliaga <javier@diagrid.io>
…SA-72hv-8253-57qq)

Spring Boot 4.0.4+ ships with jackson 3.1.0, fixing the async JSON
parser DoS vulnerability in jackson-core 3.0.4. Upgrade all 6 modules
that pin springboot4.version from 4.0.2 to 4.0.5 (latest patch).

No jackson-bom override needed — Spring Boot 4.0.5 manages it natively.

Signed-off-by: Javier Aliaga <javier@diagrid.io>
@javier-aliaga javier-aliaga marked this pull request as ready for review March 31, 2026 10:31
@javier-aliaga javier-aliaga requested review from a team as code owners March 31, 2026 10:32
@cicoyle cicoyle merged commit d6b25cb into dapr:master Mar 31, 2026
16 of 18 checks passed
dapr-bot pushed a commit that referenced this pull request Mar 31, 2026
* fix: upgrade dependencies to address critical CVEs

Upgrade jackson-bom 2.16.2 → 2.18.6 (CVE-2025-52999, CVSS 8.7 DoS),
add netty-bom 4.1.132.Final (CVE-2026-33871 CVSS 8.7, CVE-2026-33870
CVSS 7.5), and bump Spring Boot 3.4.9 → 3.4.10 which pulls Tomcat
10.1.46 (CVE-2025-55754 CVSS 9.6, CVE-2025-55752 CVSS 7.5).

Reorder BOM imports so netty-bom and jackson-bom take precedence over
Spring Boot's managed versions. Align springframework.version 6.2.11
with Spring Boot 3.4.10.

Signed-off-by: Javier Aliaga <javier@diagrid.io>

* chore: add TODO to remove netty-bom once gRPC bundles >= 4.1.132

Signed-off-by: Javier Aliaga <javier@diagrid.io>

* fix: upgrade Spring Boot 4.0.2 to 4.0.5 to fix jackson-core 3.0.4 (GHSA-72hv-8253-57qq)

Spring Boot 4.0.4+ ships with jackson 3.1.0, fixing the async JSON
parser DoS vulnerability in jackson-core 3.0.4. Upgrade all 6 modules
that pin springboot4.version from 4.0.2 to 4.0.5 (latest patch).

No jackson-bom override needed — Spring Boot 4.0.5 manages it natively.

Signed-off-by: Javier Aliaga <javier@diagrid.io>

---------

Signed-off-by: Javier Aliaga <javier@diagrid.io>
(cherry picked from commit d6b25cb)
@dapr-bot (Collaborator)
The backport to release-1.16 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-release-1.16 release-1.16
# Navigate to the new working tree
cd .worktrees/backport-release-1.16
# Create a new branch
git switch --create backport-1706-to-release-1.16
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d6b25cb17d90911e44f3119fe0c6bb6169703fc0
# Push it to GitHub
git push --set-upstream origin backport-1706-to-release-1.16
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-release-1.16

Then, create a pull request where the base branch is release-1.16 and the compare/head branch is backport-1706-to-release-1.16.

@codecov (codecov bot) commented Mar 31, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.54%. Comparing base (12d8c7a) to head (77fa2c3).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff            @@
##             master    #1706   +/-   ##
=========================================
  Coverage     79.54%   79.54%           
  Complexity     2196     2196           
=========================================
  Files           238      238           
  Lines          6591     6591           
  Branches        732      732           
=========================================
  Hits           5243     5243           
  Misses          990      990           
  Partials        358      358           


javier-aliaga added a commit that referenced this pull request Mar 31, 2026
(cherry picked from commit d6b25cb)

Signed-off-by: Javier Aliaga <javier@diagrid.io>
Co-authored-by: Javier Aliaga <javier@diagrid.io>
3 participants