Dependabot flagged io.grpc:grpc-netty-shaded:1.68.1 (high-severity GHSA, affects < 1.75.0) on the krill server runtime classpath. The coordinate was not a direct krill dependency — it arrived transitively through com.krillforge:krill-pi4j:0.0.3.
grpc-netty-shaded is a fat/shaded JAR: its Netty classes are repackaged (relocated) under an io.grpc.netty.shaded prefix. Those relocated classes are not a separate Maven coordinate, so Gradle’s dependency resolution never sees them and cannot override them; a standard force or constraints block in krill’s build.gradle.kts has nothing to act on. The only fix is to upgrade the artifact that ships the shaded copy — in this case krill-pi4j.
krill-oss: bumped grpc = "1.68.1" → "1.75.0" in pi4j-ktx-service/gradle/libs.versions.toml and set version = "0.0.4" in the krill-pi4j publication block (krill-oss PR #128, closes krill-oss#127).

krill: bumped krill-pi4j = "0.0.3" → "0.0.4" in gradle/libs.versions.toml (this PR).

-shaded, -all, shadow plugin JARs).

krill-oss added GrpcVersionGuardTest that asserts grpc >= 1.75.0 in the version catalog, catching any future accidental downgrade at CI time rather than at Dependabot scan time.

The Publish Pi4J Maven.yml workflow in krill centralises publishing, so a new krill-pi4j version can be released from main without touching krill-oss CI secrets directly.
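Two checks from the notes above, written out as an added example (this is illustrative code, not krill's or krill-oss's GrpcVersionGuardTest, which is Kotlin): a version-catalog guard that reads the grpc entry from a libs.versions.toml and fails closed if it is missing or below 1.75.0, and a JAR scan that lists class entries under the io.grpc.netty.shaded relocation prefix, which is the evidence that a copy of Netty is hiding where Gradle's resolution cannot reach it. The catalog text, the JAR contents and the class names inside it are constructed samples; the catalog key name grpc and the threshold 1.75.0 come from the page.

```python
import io
import re
import zipfile

# Minimum safe grpc version: the advisory affects < 1.75.0.
MIN_GRPC_VERSION = "1.75.0"
# Relocation prefix used by grpc-netty-shaded (zip-entry form of io.grpc.netty.shaded).
SHADED_PREFIX = "io/grpc/netty/shaded/"


def parse_versions_table(catalog_text: str) -> dict:
    """Return key -> version from the [versions] table of a Gradle libs.versions.toml.
    Minimal parser: only `key = "x.y.z"` lines inside [versions] are considered."""
    versions = {}
    in_versions = False
    for raw in catalog_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):
            in_versions = line == "[versions]"
            continue
        if in_versions:
            m = re.match(r'^([\w.-]+)\s*=\s*"([^"]+)"$', line)
            if m:
                versions[m.group(1)] = m.group(2)
    return versions


def version_tuple(v: str) -> tuple:
    """'1.75.0' -> (1, 75, 0); any pre-release suffix after '-' is ignored."""
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def grpc_version_ok(catalog_text: str, key: str = "grpc",
                    minimum: str = MIN_GRPC_VERSION) -> bool:
    """True only if the catalog pins `key` at or above `minimum`.
    A missing key fails closed: an unpinned grpc is not a pass."""
    versions = parse_versions_table(catalog_text)
    if key not in versions:
        return False
    return version_tuple(versions[key]) >= version_tuple(minimum)


def shaded_entries(jar_bytes: bytes, prefix: str = SHADED_PREFIX) -> list:
    """List .class entries under the shaded relocation prefix in a JAR.
    A non-empty result means the JAR carries its own relocated Netty copy."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist()
                if n.startswith(prefix) and n.endswith(".class")]


def build_sample_jar(entries) -> bytes:
    """Constructed stand-in for a shaded JAR: entry names only, empty bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")  # placeholder, not real bytecode
    return buf.getvalue()


# Constructed sample catalog before and after the bump described above.
SAMPLE_CATALOG_OLD = """[versions]
grpc = "1.68.1"

[libraries]
grpc-netty-shaded = { module = "io.grpc:grpc-netty-shaded", version.ref = "grpc" }
"""
SAMPLE_CATALOG_NEW = SAMPLE_CATALOG_OLD.replace('"1.68.1"', '"1.75.0"')

# Constructed JAR listing: one relocated Netty class, one ordinary grpc class.
SAMPLE_SHADED_JAR = build_sample_jar([
    "META-INF/MANIFEST.MF",
    "io/grpc/netty/shaded/io/netty/handler/codec/http2/Http2Frame.class",
    "io/grpc/netty/NettyChannelBuilder.class",
])

if __name__ == "__main__":
    print("old catalog passes guard:", grpc_version_ok(SAMPLE_CATALOG_OLD))
    print("new catalog passes guard:", grpc_version_ok(SAMPLE_CATALOG_NEW))
    print("relocated entries:", shaded_entries(SAMPLE_SHADED_JAR))
```

Run the guard against the version catalog in CI and point shaded_entries at the resolved runtime classpath (for example the JARs Gradle copies into a distribution); the guard catches a downgrade of the pinned grpc version, while the JAR scan catches the case the catalog cannot express: a shaded copy arriving inside some other artifact.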