
Update netty.version to 4.2.11.Final #155

Open

sanjomo wants to merge 1 commit into main from sanjomo-patch-1

Conversation

@sanjomo (Member) commented Mar 27, 2026

Updated netty.version from 4.2.9.Final to 4.2.11.Final

Description

Brief description of the changes in this PR.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Code refactoring
  • Test improvements
  • Build/tooling changes

Related Issue

Closes #(issue number)

Changes Made

Testing

  • All existing tests pass
  • New tests added for new functionality
  • Tests pass locally with mvn test
  • Integration tests pass (if applicable)

Checklist

  • Code follows project coding standards
  • Self-review completed
  • Code is commented where necessary
  • Documentation updated (if needed)
  • Commit messages follow conventional format
  • No merge conflicts
  • All CI checks pass

Additional Notes

Any additional information, screenshots, or context that reviewers should know.

Summary by CodeRabbit

  • Chores
    • Updated Netty dependency from 4.2.9.Final to 4.2.11.Final.

Updated netty.version from 4.2.9.Final to 4.2.11.Final
@coderabbitai bot (Contributor) commented Mar 27, 2026

Walkthrough

Updated Maven property controlling Netty dependency versions from 4.2.9.Final to 4.2.11.Final. This change affects all direct dependency management entries and profile-specific native transport dependencies (epoll, io_uring, kqueue) that reference the netty.version property, plus test dependencies.

Changes

Cohort / File(s): Netty Version Update (pom.xml)
Summary: Updated netty.version property from 4.2.9.Final to 4.2.11.Final, affecting all Netty artifact dependencies and platform-specific native transports.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

  • NeatGuyCoding

Poem

🐰 A whisker twitch and a hop so light,
Netty jumps to version bright!
From 4.2.9 to .11 it leaps,
Keeping dependencies in ordered heaps. ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Description check: ❓ Inconclusive. The description uses the required template but most sections are incomplete with placeholder text, empty bullet points, and unchecked checkboxes. Only the initial summary is filled in. Resolution: complete the description by selecting the appropriate Type of Change, adding an issue reference if applicable, listing the actual changes made, confirming testing status, and checking the relevant checklist items.

✅ Passed checks (2 passed)

Title check: ✅ Passed. The title 'Update netty.version to 4.2.11.Final' clearly and concisely summarizes the main change in the pull request: updating the Netty dependency version from 4.2.9.Final to 4.2.11.Final.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai bot (Contributor) left a review

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pom.xml`:
- Line 68: The PR updates the Netty version property
(<netty.version>4.2.11.Final</netty.version>) but the description lacks the
security rationale; update the PR description to state that this is a
patch-level upgrade from 4.2.9.Final to 4.2.11.Final and explicitly list the two
security fixes (CVE-2026-33871 and CVE-2026-33870) plus the related bugfixes
(epoll, IoUring, HTTP/3, OpenSSL) so reviewers understand the motivation and
that the change is safe because it’s propagated via the netty.version property.

ℹ️ Review info

Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 4082f822-c3d2-4997-8058-0c35b93262a3

📥 Commits: reviewing files that changed from the base of the PR and between fddd5d1 and e2fc601.

📒 Files selected for processing (1): pom.xml

<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<testcontainers.version>2.0.3</testcontainers.version>
<netty.version>4.2.9.Final</netty.version>
<netty.version>4.2.11.Final</netty.version>
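Review bot: the new value only reaches artifacts whose version resolves through ${netty.version}, so before merge confirm that nothing in pom.xml still carries a literal 4.2.9.Final; the walkthrough says the epoll, io_uring and kqueue profile dependencies and the test dependencies all reference the property, and `mvn dependency:tree -Dincludes=io.netty` run under each native-transport profile will show whether any io.netty artifact is left on the version that predates the CVE-2026-33871 and CVE-2026-33870 fixes. The PR description's Type of Change, Testing and Checklist sections are still the unfilled template; the rationale for this one-line change belongs there.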

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify Netty 4.2.11.Final exists on Maven Central and check for security advisories

# Check if the version exists on Maven Central
echo "=== Checking Maven Central for netty-common 4.2.11.Final ==="
curl -s "https://repo1.maven.org/maven2/io/netty/netty-common/4.2.11.Final/netty-common-4.2.11.Final.pom" | head -20

# Check for security vulnerabilities using GitHub advisory database
echo ""
echo "=== Checking GitHub Security Advisories for Netty ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: MAVEN, package: "io.netty:netty-common") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: socketio4j/netty-socketio

Length of output: 1087


🌐 Web query:

Netty 4.2.11.Final release notes security fixes

💡 Result:

Netty 4.2.11.Final was released on March 24 or 25, 2026. It includes security fixes for two vulnerabilities: - CVE-2026-33871: HTTP/2 CONTINUATION Frame Flood Denial of Service (GHSA-w9fj-cfpg-grvv) - CVE-2026-33870: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing (GHSA-pwqr-wmgm-9rr8) These are listed under the "Security" section of the release notes on GitHub and newreleases.io. The release also contains various bug fixes and improvements, such as updates to JDK 26 EA, HTTP/3 support enhancements, fixes for epoll and IoUring issues, OpenSSL improvements, and more. Full changelog is available at netty/netty@netty-4.2.10.Final...netty-4.2.11.Final. No dedicated release notes page on netty.io/news/ for this version was found; recent announcements appear to be on GitHub tags and third-party release trackers.

🌐 Web query:

Netty 4.2.10.Final 4.2.11.Final changelog changes

💡 Result:

Netty 4.2.11.Final was released on March 24-25, 2026. There is no dedicated release announcement on netty.io/news for this version (unlike 4.2.10.Final on Feb 5, 2026). The changes from 4.2.10.Final to 4.2.11.Final are detailed in the GitHub release changelog. Key changes include: Security: CVE-2026-33871 (HTTP/2 CONTINUATION Frame Flood DoS), CVE-2026-33870 (HTTP Request Smuggling). Notable fixes and improvements: - Update to latest JDK 26 EA (#16230) - HTTP3: non-standard settings support (#16171) - Epoll: Fix CPU usage when channel registered but no I/O (#162xx) - Avoid allocation in HttpObjectEncoder (#16241) - HTTP2: padding in decompress (#16264) - AdaptivePoolingAllocator fixes (#164xx, #165xx) - Enforce maxDirectMemory on all Java versions (#16489) - Limit Continuation frames in HTTP/2 Headers (#16536, auto-port) - IoUring, Kqueue, native transport fixes - OpenSSL, QUIC, DNS resolver improvements - Various cleanups, benchmarks, new contributors Full list in GitHub changelog: netty-4.2.10.Final...netty-4.2.11.Final. For 4.2.10.Final release notes (prior version): Bug-fix release fixing regression from 4.2.9.Final. Key changes: IORING_OP_SENDMSG_ZC reimplement (#16130), DNS MX RDATA decompress (#16040), adaptive allocator enhancements (#16053, #15741), NioDatagramChannel fix (#16044), QUIC limits (#16117), SslHandler resume fix (#16144), etc.

🌐 Web query:

Netty CVE security advisory 4.2.9 4.2.10 4.2.11

💡 Result:

Netty versions 4.2.9.Final, 4.2.10.Final, and 4.2.11.Final (assuming sequential release) are recent bug-fix releases with no directly assigned CVEs fixed in their release notes. However, they follow security fixes in prior versions: - 4.2.8.Final (Dec 2025): Fixes CVE-2025-67735 (CRLF injection in HttpRequestEncoder leading to request smuggling; affects <4.2.8.Final. GHSA-84h7-rjj3-6jx4, CVSS 6.5 Medium). - 4.2.7.Final (Oct 2025): Fixes CVE-2025-59419 (SMTP command injection). - 4.2.5.Final (Sep 2025): Fixes request smuggling via chunk extensions (CVE-2025-58056, GHSA-fghv-69vj-qj49). - Earlier: CVE-2025-55163 (HTTP/2 MadeYouReset DDoS, fixed in 4.2.4.Final). These versions inherit all prior security fixes and address regressions/bugs, but no new CVEs are explicitly mentioned for 4.2.9-4.2.11. Upgrade to latest (4.2.10.Final as of Feb 2026) for security. Official advisories: https://github.com/netty/netty/security.


Upgrade to 4.2.11.Final is justified: include the security fixes in the PR description.

Version 4.2.11.Final exists and includes two important security fixes:

  • CVE-2026-33871: HTTP/2 CONTINUATION Frame Flood Denial of Service (GHSA-w9fj-cfpg-grvv)
  • CVE-2026-33870: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing (GHSA-pwqr-wmgm-9rr8)

Along with bug fixes for epoll, IoUring, HTTP/3, and OpenSSL, this justifies the upgrade from 4.2.9.Final. The patch-level update maintains backward compatibility while propagating fixes to all Netty artifacts via the ${netty.version} property.

Document these security fixes in the PR description to clarify the upgrade motivation for reviewers.

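The review above rests on one assumption: that every io.netty artifact in pom.xml takes its version from the netty.version property, so a one-line bump moves all of them past the release carrying the CVE-2026-33871 and CVE-2026-33870 fixes. The script below is an added example, not code from netty-socketio or from CodeRabbit, that checks exactly that assumption against a pom: it reads the property, compares it with a minimum patched version (defaulting to the 4.2.11.Final named in this PR), and flags any io.netty dependency, in dependencyManagement, in a profile, or in test scope, whose version is pinned literally instead of via ${netty.version}, which is the case a property-only bump would silently leave behind. The embedded pom is constructed for the example and deliberately contains one such stale pin; the only real-world assumption is the standard Maven POM 4.0.0 namespace.

```python
"""Audit a Maven pom.xml for io.netty dependencies that would not follow a
netty.version property bump, and check the property against a minimum
patched version. Added example for this PR discussion; it is not part of
netty-socketio, and the sample pom below is constructed, not the real one."""
import re
import sys
import xml.etree.ElementTree as ET

# Maven POM namespace; findtext/iterfind need it to match elements.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM (not the project's pom.xml). It mirrors the shape the
# review describes: a netty.version property, a managed dependency, a
# profile-specific native transport, plus one deliberately hard-coded version
# that a property-only bump would leave at 4.2.9.Final.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>sample</artifactId>
  <version>1.0</version>
  <properties>
    <netty.version>4.2.11.Final</netty.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-common</artifactId>
        <version>${netty.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <profiles>
    <profile>
      <id>linux</id>
      <dependencies>
        <dependency>
          <groupId>io.netty</groupId>
          <artifactId>netty-transport-native-epoll</artifactId>
          <version>${netty.version}</version>
          <classifier>linux-x86_64</classifier>
        </dependency>
        <dependency>
          <groupId>io.netty</groupId>
          <artifactId>netty-codec-http2</artifactId>
          <version>4.2.9.Final</version>
        </dependency>
      </dependencies>
    </profile>
  </profiles>
</project>
"""


def parse_version(version):
    """Turn a Netty version string such as '4.2.11.Final' into a tuple of
    integers, so that 4.2.11 compares greater than 4.2.9 (string comparison
    would get this wrong)."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def netty_dependencies(pom_xml):
    """Return (artifactId, version text as written) for every io.netty
    dependency anywhere in the pom: plain dependencies, dependencyManagement,
    and every profile."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iterfind(".//m:dependency", NS):
        if dep.findtext("m:groupId", default="", namespaces=NS) != "io.netty":
            continue
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = dep.findtext("m:version", default="", namespaces=NS)
        found.append((artifact, version))
    return found


def audit_netty(pom_xml, min_fixed="4.2.11.Final"):
    """Return (netty.version value, list of problems). A problem is a missing
    or too-old property, or an io.netty artifact pinned to a literal version
    instead of ${netty.version}, which a property bump would not touch."""
    root = ET.fromstring(pom_xml)
    prop = root.findtext("m:properties/m:netty.version", namespaces=NS)
    problems = []
    if prop is None:
        problems.append("netty.version property is missing")
    elif parse_version(prop) < parse_version(min_fixed):
        problems.append(f"netty.version {prop} is below {min_fixed}")
    for artifact, version in netty_dependencies(pom_xml):
        if version != "${netty.version}":
            problems.append(
                f"{artifact} pins '{version}' instead of ${{netty.version}}")
    return prop, problems


if __name__ == "__main__":
    # Usage: python audit_netty.py [path/to/pom.xml]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_POM
    value, issues = audit_netty(xml_text)
    print(f"netty.version = {value}")
    for issue in issues:
        print(f"  problem: {issue}")
    sys.exit(1 if issues else 0)
```

Run against the sample it exits non-zero with one finding, the literal 4.2.9.Final on netty-codec-http2; pointed at a real pom it is a cheap CI gate for the "propagated via the property" claim that dependency:tree output would otherwise have to be read by eye. It inspects only the pom text, not resolved transitive versions, so a Netty artifact pulled in by another library at an older version is still a job for the dependency tree.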
