fix: batch simple dependency bumps

[lfarrel6]

Pins the following Netty and BouncyCastle artifacts via the existing allprojects resolutionStrategy.force() block in build.gradle.kts, and regenerates the five Gradle lockfiles accordingly. All three deps are build-time transitives only (AGP Unified Test Platform / Kotlin compiler toolchain) and are never bundled into any shipped AAR/APK.

CVE-2026-33870 (HIGH, CVSS 7.5) — io.netty:netty-codec-http
4.1.129.Final -> 4.1.132.Final
HTTP/1.1 chunked encoding request smuggling.
https://github.com/evervault/evervault-android/security/dependabot/28

CVE-2026-33871 (HIGH) — io.netty:netty-codec-http2
4.1.93.Final / 4.1.110.Final -> 4.1.132.Final
Unbounded HTTP/2 CONTINUATION frames CPU DoS.
https://github.com/evervault/evervault-android/security/dependabot/29

CVE-2026-3505 (HIGH) — org.bouncycastle:{bcpg,bcpkix,bcprov,bcutil}-jdk18on
1.80 -> 1.84
Unbounded PGP AEAD chunk size in bcpg-jdk18on.
https://github.com/evervault/evervault-android/security/dependabot/33

Linear: COM-176

[changeset-bot]

⚠️ No Changeset found

Latest commit: 45d382c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	maven/​io.netty/​netty-codec-http2@​4.1.93.Final ⏵ 4.1.132.Final	-4	+25
	maven/​org.bouncycastle/​bcpkix-jdk18on@​1.80 ⏵ 1.84		+2
	maven/​org.bouncycastle/​bcpg-jdk18on@​1.80 ⏵ 1.84	-4	+16

View full report