Symptom

Dependabot reported ~99 open security alerts against the repo. Triaged, they fell into three buckets: shippable server-runtime Maven deps (the bulk being a large netty cluster plus jackson-core), the Kotlin/JS wasm build toolchain (kotlin-js-store/yarn.lock, autogenerated, build-time only), and Gradle plugin-classpath Maven deps (jose4j, log4j-core, bouncycastle, opentelemetry, jdom2, plexus-utils — none on any runtime classpath, so not shipped).

Root cause

The shippable runtime CVEs were all transitive:

• netty arrived on two majors at once — the AWS SDK’s netty-nio-client requested 4.1.132 while ktor’s ktor-server-netty pulled 4.2.12. Gradle conflict-resolution unifies the server classpath onto the higher (4.2.x) line, so AWS’s HTTP client already runs on ktor’s netty. Both the requested 4.1.x range and the selected 4.2.x range were below their patched floors.
• jackson-core 2.21.0 came in via kandy-lets-plot → arrow → jackson-bom, one patch below the GHSA fix (2.21.1).
• grpc-netty-shaded 1.68.1 came from krill-pi4j — a krill-oss artifact, so it cannot be fixed here.

Fix

All in gradle/libs.versions.toml + server/build.gradle.kts:

• AWS bom 2.44.0 → 2.46.5 (moves the netty 4.1.x line to 4.1.135.Final).
• ktor 3.4.3 → 3.5.0 (moves the netty 4.2.x line to 4.2.13.Final).
• Added a netty-bom 4.2.15.Final platform in server jvmMain to align the unified 4.2.x line to the first release clearing the netty-handler GHSA (<= 4.2.14.Final).
• Added a jackson-bom 2.21.1 platform to force jackson-core off 2.21.0.
• The two BOM platforms use project.dependencies.platform(...) because the bare platform() helper inside a KMP sourceSet dependencies {} block resolves to a -Werror-deprecated overload (KT-58759). The shadowJar / ProGuard netty-merge + gRPC ServiceLoader verification (issue #164) still passes — only patch-level netty versions moved, the dual-origin structure is unchanged.

Prevention

• DependencyVersionGuardTest (server jvmTest) reads the netty and jackson versions baked into their own jars on the classpath and asserts each is at or above its patched floor. If a future edit drops ktor, removes a BOM platform, or otherwise regresses one below the floor, the test fails before it can ship. It is environment-independent (no filesystem / network / clock), so it is safe on the CI runner.
• When a transitive CVE spans two majors of the same library (the netty case), fix it by bumping the roots (the BOMs/libraries that request it) and then, if a residual remains, align the unified line with a single *-bom platform — do not force individual artifacts, which risks intra-library version skew and the #164 shadowJar breakage.
• Before chasing a Dependabot alert, check which classpath the coordinate is actually on (./gradlew :<module>:dependencies --configuration <cfg> + dependencyInsight). Plugin-classpath and autogenerated-lockfile alerts are not shipped attack surface and should not be fixed by churning runtime deps.