chore(deps): bump io.netty:netty-codec-http from 4.2.5.Final to 4.2.13.Final

[dependabot]

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

---

Bumps io.netty:netty-codec-http from 4.2.5.Final to 4.2.13.Final.

Release notes

Sourced from io.netty:netty-codec-http's releases.

netty-4.2.13.Final

CVEs Fixed

• CVE-2026-42586 (netty-codec-redis)
• CVE-2026-42578 (netty-handler-proxy)
• CVE-2026-42577 (netty-transport-native-epoll)
• CVE-2026-42587 (netty-codec-http, netty-codec-http2)
• CVE-2026-41417 (netty-codec-http)
• CVE-2026-42581 (netty-codec-http)
• CVE-2026-42580 (netty-codec-http)
• CVE-2026-42585 (netty-codec-http)
• CVE-2026-42579 (netty-codec-dns)
• CVE-2026-42582 (netty-codec-http3)
• CVE-2026-42583 (netty-codec, netty-codec-compression)
• CVE-2026-42584 (netty-codec-http)
• CVE-2026-44248 (netty-codec-mqtt)

Breaking Changes

The patch for CVE-2026-42581 prohibits HTTP/1.1 requests containing both the Transfer-Encoding and Content-Length headers, in line with RFC 9112. Previous versions of HTTP/1.1 (RFC 7230) permitted this combination. You can restore the old behavior with the -Dio.netty.handler.codec.http.rfc9112TransferEncoding=false system property or with HttpDecoderConfig. Note that disabling this check may lead to request smuggling vulnerabilities.

What's Changed

• Kqueue: sendfile EINTR doesn't advance offset — data duplication by @​normanmaurer in netty/netty#16544
• Replace usage of strerror with thread-safe alternative by @​normanmaurer in netty/netty#16547
• Fix implementation of strerror_r_xsi for GNU by @​normanmaurer in netty/netty#16546
• Lazy init ArrayList in DefaultHeaders.getAll by @​doom369 in netty/netty#16526
• Less logging in AWS-LC build by @​chrisvest in netty/netty#16565
• Ensure the CRYPTO_BUFFER_POOL is also freed when we fail creating the SSLContext by @​normanmaurer in netty/netty#16545
• Auto-port 4.2: Fix IndexOutOfBoundsException in StompSubframeDecoder on heartbeat by @​netty-project-bot in netty/netty#16543
• Avoid leak in PemReader on OutOfDirectMemoryError by @​raipc in netty/netty#16551
• IoUring: Disable test while we debug to unblock other builds by @​normanmaurer in netty/netty#16581
• Include user properties and subscription IDs in MqttProperties#isEmpty by @​ShadowySpirits in netty/netty#16575
• Native DNS resolver: Guard against malloc failures by @​normanmaurer in netty/netty#16559
• Auto-port 4.2: Increase timeouts for QuicChannelConnectTest by @​netty-project-bot in netty/netty#16578
• Fix parsing HTTP chunks with multiple extensions by @​chrisvest in netty/netty#16579
• Bump org.codehaus.plexus:plexus-utils from 3.4.2 to 4.0.3 in /codec-native-quic by @​dependabot[bot] in netty/netty#16572
• Revert to PR build to Ubuntu 22.04 by @​chrisvest in netty/netty#16595
• Native transports: Correctly create pipe when pipe2 is not supported by @​normanmaurer in netty/netty#16592
• Epoll: Cleanup code to always return negative value on failure by @​normanmaurer in netty/netty#16591
• Fix component search fast path by @​yawkat in netty/netty#16548
• Stabilize read-only toStringMultipleThreads1 by @​chrisvest in netty/netty#16608
• Stabilize more AbstractByteBufTests by @​chrisvest in netty/netty#16611
• Remove note about needing 256-bit for PQC by @​chrisvest in netty/netty#16605
• Stabilize testSessionInvalidate for Conscrypt by @​chrisvest in netty/netty#16615
• Quic: Correctly handle SSL_CTX_new failures by @​normanmaurer in netty/netty#16622
• Make LocalIoHandle public by @​rdicroce in netty/netty#16621
• Quic: Fix shadowing of variable which leads to incorrectly handling errors by @​normanmaurer in netty/netty#16623
• Auto-port 4.2: Use stream error for maxContentLength exceeded in InboundHttp2ToHttpAdapter by @​netty-project-bot in netty/netty#16629
• Fix shutdownInput bug in kqueue for empty recv buffer by @​chrisvest in netty/netty#16630
• fix FFM address semantics in directBufferAddress by @​dreamlike-ocean in netty/netty#16603
• HTTP2: Ensure HTTP2 preface is always send as first message by @​normanmaurer in netty/netty#16636

... (truncated)

Commits

• b3844c8 [maven-release-plugin] prepare release netty-4.2.13.Final
• 82f47fa Merge commit from fork
• ada0999 Merge commit from fork
• b4051e2 Fix BrotliDecoder not forwarding all decompressed chunks
• 67207c1 Merge commit from fork
• 541ca7c Merge commit from fork
• 943edb3 Fix codec-dns tests
• 6459a28 Merge commit from fork
• b4ba61b Fix checkstyle in HttpObjectDecoder
• 977661f Merge commit from fork
• Additional commits viewable in compare view

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[nficano]

Superseded: the maven-dependencies group bump (#73) pinned all netty artifacts at 4.2.15.Final on main, which covers this update.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.