chore(deps): bump the maven group across 8 directories with 2 updates

[dependabot]

Bumps the maven group with 1 update in the /component-runtime-testing/component-runtime-http-junit directory: io.netty:netty-codec-http.
Bumps the maven group with 1 update in the /component-starter-server directory: org.apache.tomcat:tomcat-catalina.
Bumps the maven group with 1 update in the /component-tools directory: org.apache.tomcat:tomcat-catalina.
Bumps the maven group with 1 update in the /component-tools-webapp directory: org.apache.tomcat:tomcat-catalina.
Bumps the maven group with 1 update in the /documentation directory: org.apache.tomcat:tomcat-catalina.
Bumps the maven group with 1 update in the /reporting directory: org.apache.tomcat:tomcat-catalina.
Bumps the maven group with 1 update in the /talend-component-maven-plugin directory: org.apache.tomcat:tomcat-catalina.
Bumps the maven group with 1 update in the /vault-client directory: org.apache.tomcat:tomcat-catalina.

Updates io.netty:netty-codec-http from 4.1.132.Final to 4.1.133.Final

Release notes

Sourced from io.netty:netty-codec-http's releases.

netty-4.1.133.Final

CVEs Fixed

• CVE-2026-42586 (netty-codec-redis)
• CVE-2026-42578 (netty-handler-proxy)
• CVE-2026-42587 (netty-codec-http, netty-codec-http2)
• CVE-2026-41417 (netty-codec-http)
• CVE-2026-42581 (netty-codec-http)
• CVE-2026-42580 (netty-codec-http)
• CVE-2026-42585 (netty-codec-http)
• CVE-2026-42579 (netty-codec-dns)
• CVE-2026-42582 (netty-codec-http3)
• CVE-2026-42583 (netty-codec, netty-codec-compression)
• CVE-2026-42584 (netty-codec-http)
• CVE-2026-44248 (netty-codec-mqtt)

What's Changed

• Fix IndexOutOfBoundsException in StompSubframeDecoder on heartbeat by @​daguimu in netty/netty#16539
• Auto-port 4.1: Fix implementation of strerror_r_xsi for GNU by @​netty-project-bot in netty/netty#16561
• Auto-port 4.1: Replace usage of strerror with thread-safe alternative by @​netty-project-bot in netty/netty#16555
• Auto-port 4.1: Kqueue: sendfile EINTR doesn't advance offset — data duplication by @​netty-project-bot in netty/netty#16554
• Auto-port 4.1: Avoid leak in PemReader on OutOfDirectMemoryError by @​netty-project-bot in netty/netty#16576
• Auto-port 4.1: Native DNS resolver: Guard against malloc failures by @​netty-project-bot in netty/netty#16584
• Auto-port 4.1: Include user properties and subscription IDs in MqttProperties#isEmpty by @​netty-project-bot in netty/netty#16582
• Auto-port 4.1: Fix parsing HTTP chunks with multiple extensions by @​netty-project-bot in netty/netty#16588
• Auto-port 4.1: Stabilize read-only toStringMultipleThreads1 by @​netty-project-bot in netty/netty#16610
• Auto-port 4.1: Epoll: Cleanup code to always return negative value on failure by @​netty-project-bot in netty/netty#16601
• Auto-port 4.1: Stabilize more AbstractByteBufTests by @​netty-project-bot in netty/netty#16613
• Auto-port 4.1: Stabilize testSessionInvalidate for Conscrypt by @​netty-project-bot in netty/netty#16616
• Auto-port 4.1: Native transports: Correctly create pipe when pipe2 is not supported by @​netty-project-bot in netty/netty#16598
• Use stream error for maxContentLength exceeded in InboundHttp2ToHttpAdapter by @​daguimu in netty/netty#16558
• Fix shutdownInput bug in kqueue for empty recv buffer (#16630) by @​normanmaurer in netty/netty#16638
• Auto-port 4.1: Kqueue: Fix usage of LOCAL_PEERPID by @​netty-project-bot in netty/netty#16646
• Auto-port 4.1: HTTP2: Ensure HTTP2 preface is always send as first message by @​netty-project-bot in netty/netty#16642
• Auto-port 4.1: Propagate exceptions from inner threads in buffer tests by @​netty-project-bot in netty/netty#16652
• Auto-port 4.1: Add maxFrameLength support to ProtobufVarint32FrameDecoder by @​netty-project-bot in netty/netty#16658
• Auto-port 4.1: Bump up netty-tcnative to 2.0.76.Final by @​netty-project-bot in netty/netty#16672
• HTTP2: Ensure HTTP2 preface is always send as first message (also on … by @​chrisvest in netty/netty#16675
• Improve flaky NioSocketChannelTest (#16679) by @​normanmaurer in netty/netty#16681
• Deprecate ObjectCleaner and remove usage (#16685) by @​chrisvest in netty/netty#16694
• Auto-port 4.1: Update to netty-tcnative 2.0.77.Final by @​netty-project-bot in netty/netty#16695
• Avoid NPE in JdkSslServerContext when TrustManagerFactory returns null by @​daguimu in netty/netty#16691
• Avoid NPE in JdkSslClientContext when TrustManagerFactory returns null by @​daguimu in netty/netty#16690
• Auto-port 4.1: Avoid TCPFastOpen in KQueueCompositeBufferGatheringWriteTest by @​netty-project-bot in netty/netty#16699
• Auto-port 4.1: SCTP: Correctly handle SO_BACKLOG by @​netty-project-bot in netty/netty#16715
• Fix DiscardClient hang under -Dssl by using a client SSL context by @​daguimu in netty/netty#16717
• Auto-port 4.1: Consolidate fake exceptions in HTTP/2 tests into Http2TestUtil by @​netty-project-bot in netty/netty#16725
• Auto-port 4.1: Activate noPrintGC by default by @​netty-project-bot in netty/netty#16735
• Merge commit from fork by @​normanmaurer in netty/netty#16742

New Contributors

... (truncated)

Commits

• fb13125 [maven-release-plugin] prepare release netty-4.1.133.Final
• 815f71a Fix compilation after multiple backports
• 1986c38 Merge commit from fork
• 6f69dc9 Merge commit from fork
• bf78040 Fix BrotliDecoder not forwarding all decompressed chunks
• 387bbd0 Merge commit from fork
• 417ebaa Fix codec-dns tests
• 3c091ab Merge commit from fork
• 5d60b87 Fix checkstyle in HttpObjectDecoder
• 485f11d Merge commit from fork
• Additional commits viewable in compare view

Updates org.apache.tomcat:tomcat-catalina from 9.0.117 to 9.0.118

Updates org.apache.tomcat:tomcat-catalina from 9.0.117 to 9.0.118

Updates org.apache.tomcat:tomcat-catalina from 9.0.117 to 9.0.118

Updates org.apache.tomcat:tomcat-catalina from 9.0.117 to 9.0.118

Updates org.apache.tomcat:tomcat-catalina from 9.0.117 to 9.0.118

Updates org.apache.tomcat:tomcat-catalina from 9.0.117 to 9.0.118

Updates org.apache.tomcat:tomcat-catalina from 9.0.117 to 9.0.118

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[sonar-rnd]

Quality Gate passed

Issues

• 0 New Issues
• 0 Fixed Issues
• 0 Accepted Issues

Measures

• 0 Security Hotspots
• No data about coverage (0.00% Estimated after merge)
• 0.00% Duplicated Code (1.40% Estimated after merge)

Project ID: org.talend.sdk.component:component-runtime

View in SonarQube