Conversation

@JimTharioAmazon
Contributor

🔧 Type of changes

  • new bid adapter
  • bid adapter update
  • new feature
  • new analytics adapter
  • new module
  • module update
  • bugfix
  • documentation
  • configuration
  • dependency update
  • tech debt (test coverage, refactorings, etc.)

✨ What's the context?

This is for https://nvd.nist.gov/vuln/detail/CVE-2025-24970. netty-handler <4.1.118.Final has a high vulnerability related to SSL handling. vert.x >=4.5.13 pulls in this patched version of netty-handler, but a vert.x upgrade is a wider-reaching change. This is a pin for the fixed version of netty-handler only until a larger upgrade can be undertaken.

🧠 Rationale behind the change

This is a smaller and targeted pin for the patched version of netty-handler only versus attempting a larger upgrade to vert.x for the same CVE. No compatibility issues observed with netty-handler 4.1.118.Final.

🔎 New Bid Adapter Checklist

  • verify email contact works
  • NO fully dynamic hostnames
  • geographic host parameters are NOT required
  • direct use of HTTP is prohibited - implement an existing Bidder interface that will do all the job
  • if the ORTB is just forwarded to the endpoint, use the generic adapter - define the new adapter as the alias of the generic adapter
  • cover an adapter configuration with an integration test

🧪 Test plan

Unit tests (mvn test) and functional tests (mvn verify) pass.

🏎 Quality check

  • [y] Are your changes following our code style guidelines?
  • [n] Are there any breaking changes in your code?
  • [-] Does your test coverage exceed 90%?
  • [n] Are there any erroneous console logs, debuggers or leftover code in your changes?
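An added example, not the PR's own diff (which is not shown on this page), of how such a pin is typically expressed in a Maven pom.xml: the version is externalized into a property and forced through dependencyManagement so the transitive netty-handler pulled in by vert.x resolves to the patched release. The property name is an assumption; the coordinates are netty-handler's real ones.

```xml
<properties>
  <!-- Externalized so a single edit bumps the pin; the property name is an assumption -->
  <netty-handler.version>4.1.118.Final</netty-handler.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Pin netty-handler to the release that fixes CVE-2025-24970 (SSL handling).
         dependencyManagement overrides the transitive version vert.x would otherwise
         pull in, even though this pom never declares netty-handler directly.
         Remove once vert.x is upgraded to >= 4.5.13, which brings this version itself. -->
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-handler</artifactId>
      <version>${netty-handler.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

`mvn dependency:tree -Dincludes=io.netty:netty-handler` confirms which version actually resolves after the pin.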

Pin netty-handler used by vertx.
Fix versions.
Externalize netty-handler version.
@Net-burst Net-burst self-requested a review April 1, 2025 13:38
@Net-burst Net-burst self-assigned this Apr 1, 2025
Add comment for netty-handler dependency.
@Net-burst
Collaborator

Hi, @JimTharioAmazon. Looks like this PR will be absorbed by the bigger dependency bump: #3906
We were finally able to solve the issue with the VertX dependency bump. If we don't find performance degradation or other issues, that PR will be merged and effectively close that vulnerability.

@JimTharioAmazon
Contributor Author

Thanks for the update. Good news. Let me know if/when I should close this one.

@Net-burst
Collaborator

> Thanks for the update. Good news. Let me know if/when I should close this one.

Yeah, I'll close this PR once we are sure that major version bump didn't break anything. Let's keep this PR open just in case.

@osulzhenko
Collaborator

@Net-burst does this PR still make sense to keep open?

@Net-burst
Collaborator

> @Net-burst does this PR still make sense to keep open?

Nope. I totally forgot to close it. This was implemented in a wide-scale #3906. Closing this issue.

@Net-burst Net-burst closed this May 12, 2025