
[FLINK-39139] Update lz4-java to 1.10.3 #27645

Merged: 1996fanrui merged 1 commit into apache:release-2.1 from Nordix:bump-lz4-2.1 on Feb 25, 2026

eschcam (Contributor) commented Feb 23, 2026

What is the purpose of the change

lz4-java 1.8.0 has the following CVEs:

It has also been relocated to at.yawk.lz4

This is a backport of #27535

Brief change log

  • Update lz4-java to 1.10.3

Verifying this change

Passes local tests

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): yes
  • The public API, i.e., is any changed class annotated with @Public(Evolving): no
  • The serializers: no
  • The runtime per-record code paths (performance sensitive): no
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
  • The S3 file system connector: no

Documentation

  • Does this pull request introduce a new feature? no
  • If yes, how is the feature documented? not applicable

flinkbot (Collaborator) commented Feb 23, 2026

CI report:

Bot commands

The @flinkbot bot supports the following commands:
  • @flinkbot run azure: re-run the last Azure build

eschcam changed the title from "[Hotfix] Update lz4-java to 1.10.3" to "[FLINK-39139] Update lz4-java to 1.10.3" on Feb 23, 2026
1996fanrui merged commit 7beaca7 into apache:release-2.1 on Feb 25, 2026
eschcam deleted the bump-lz4-2.1 branch on February 26, 2026 10:01

Abacn commented Jun 17, 2026

It's causing module conflicts if org.lz4:lz4-java also exists in the dependency tree, which is common (used by kafka-client):

> Could not resolve org.lz4:lz4-java:1.8.0.
         > Module 'org.lz4:lz4-java' has been rejected:
              Cannot select module with conflict on capability 'org.lz4:lz4-java:1.8.0' also provided by [at.yawk.lz4:lz4-java:1.10.3(runtimeElements)]
      > Could not resolve at.yawk.lz4:lz4-java:1.10.3.
         > Module 'at.yawk.lz4:lz4-java' has been rejected:
              Cannot select module with conflict on capability 'org.lz4:lz4-java:1.10.3' also provided by [org.lz4:lz4-java:1.8.0(runtime)]

As a result, one needs to exclude one of them or use a dependencyResolution; however, downstream could still be breaking. See apache/beam#38961 (comment) for details.
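
The two workarounds mentioned in the comment above, sketched for a consuming Gradle build. This is an added example, not part of the comment or of the Flink or Beam build files. It assumes a Groovy DSL `build.gradle`, that both coordinates arrive transitively on `runtimeClasspath` as in the error output, and that the consumer wants the 1.10.3 artifact to win.

```groovy
// build.gradle of the consuming project (Groovy DSL). Added example.
// Assumption: org.lz4:lz4-java:1.8.0 and at.yawk.lz4:lz4-java:1.10.3 both
// reach the same configuration transitively, as in the error shown above.

// Option A: resolve the capability conflict in favour of the higher version,
// so the 1.8.0 jar that this PR replaces is not the one that ships.
configurations.configureEach {
    resolutionStrategy.capabilitiesResolution.withCapability('org.lz4:lz4-java') {
        selectHighestVersion()
        because 'org.lz4:lz4-java 1.8.0 and at.yawk.lz4:lz4-java 1.10.3 provide the same capability'
    }
}

// Option B: exclude the old coordinates everywhere instead.
// Use A or B, not both.
// configurations.configureEach {
//     exclude group: 'org.lz4', module: 'lz4-java'
// }

// Check which artifact actually ends up on the classpath:
//   ./gradlew dependencyInsight --dependency lz4-java --configuration runtimeClasspath
```

Excluding `at.yawk.lz4:lz4-java` instead would leave 1.8.0 on the classpath, which is the version this PR upgrades away from.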
