Kraken’s nightly dependency-CVE scan reported open Dependabot alerts for io.netty:netty-common < 4.1.118.Final (GHSA-389x-839f-4rhx) and <= 4.1.114.Final (GHSA-xq3w-v528-46rv). The proposed fix was to resolutionStrategy.force("io.netty:netty-common:4.1.118.Final") in allprojects.
The alerts were stale / false positives given the current resolution. Two netty-common paths exist in the project:

- Server: software.amazon.awssdk:netty-nio-client:2.46.5 requests 4.1.135.Final; the netty-bom:4.2.15.Final platform import forces it to 4.2.15.Final via conflict resolution. Well above both thresholds.
- Lambda (:aws:apigw-server-logging-lambda): no BOM, so the AWS SDK resolves 4.1.135.Final directly. 4.1.135 > 4.1.118 > 4.1.115, also above both thresholds.

The proposed force("4.1.118.Final") would have DOWNGRADED the Lambda from 4.1.135 to 4.1.118, which is the wrong direction and could break AWS SDK compatibility.
Added a conditional eachDependency floor in build.gradle.kts (following the guava/httpclient/gson pattern) that only fires when a 4.1.x version below 4.1.118 is requested:
- gradle/libs.versions.toml: added nettySecurityFloor = "4.1.118.Final" with CVE comments. Named without a hyphen to avoid a namespace collision with the existing netty key (hyphens create a sub-accessor hierarchy in Gradle version catalogs).
- build.gradle.kts: added an allprojects resolutionStrategy.eachDependency rule for io.netty:netty-common that checks ver.startsWith("4.1.") and patch < 118 before applying the floor.

No resolved versions changed (server stays at 4.2.15, Lambda stays at 4.1.135).
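The floor rule as it could be written in build.gradle.kts, as an added example rather than the project's actual file: the catalog key nettySecurityFloor, the 4.1.x / patch < 118 check and the affected coordinates come from the notes above; the patch-number parsing and the because() text are assumptions.

```kotlin
// build.gradle.kts (root). Assumes gradle/libs.versions.toml carries
//   nettySecurityFloor = "4.1.118.Final"
// alongside the existing `netty` key, so `libs.versions.nettySecurityFloor` is generated.
val nettySecurityFloor: String = libs.versions.nettySecurityFloor.get()

allprojects {
    configurations.all {
        resolutionStrategy.eachDependency {
            if (requested.group == "io.netty" && requested.name == "netty-common") {
                // Dependencies without an explicit version (e.g. BOM-managed) are left alone.
                val ver = requested.version ?: return@eachDependency

                // Guard rail only: act on the 4.1.x line, never touch 4.2.x (server BOM).
                if (ver.startsWith("4.1.")) {
                    // "4.1.135.Final" -> "135.Final" -> "135"; non-numeric patch => no action.
                    val patch = ver.removePrefix("4.1.").substringBefore(".").toIntOrNull()
                    if (patch != null && patch < 118) {
                        // Raise only versions below the floor; 4.1.135 (Lambda) is untouched,
                        // so the rule can never downgrade a module the way force() would.
                        useVersion(nettySecurityFloor)
                        because("GHSA-389x-839f-4rhx / GHSA-xq3w-v528-46rv: netty-common < 4.1.118.Final")
                    }
                }
            }
        }
    }
}
```

Verify with ./gradlew :module:dependencyInsight --dependency io.netty:netty-common on both the server and Lambda modules; the rule should appear in the output only when a sub-4.1.118 version was actually requested.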
- Run ./gradlew :module:dependencyInsight --dependency <pkg> before implementing the fix. A resolutionStrategy.force to a patched version can downgrade a module that already resolves higher.
- Prefer eachDependency floors (check the version range before useVersion) over an unconditional force, so the rule only acts as a guard rail and never causes a downgrade.
- A catalog key foo-bar = "..." creates an accessor libs.versions.foo.bar.get(), which conflicts with an existing standalone foo = "..." key. Use camelCase (no separator) for floor versions that share a prefix with an existing key.