
Bump software.amazon.awssdk:netty-nio-client to resolve security vulnerability CVE-2025-6735 #4529

@mssowjuv

Description


Describe the bug
Through the software.amazon.awssdk:netty-nio-client dependency, any project using our current AWS SDK stack (e.g., software.amazon.awssdk:sts) transitively pulls in io.netty:netty-codec-http. The version of netty-codec-http dragged in by netty-nio-client today is still below the fixed 4.1.129.Final release, so every service that depends on this AWS client inherits CVE-2025-6735, which vulnerability scanners are already flagging. Amazon hasn't yet cut a new SDK release with a patched Netty, but the Netty project has already shipped 4.1.130.Final, which contains the fix. I'm raising this issue to ask that we bump the AWS Netty transport, or the Netty overrides we apply in our build, to 4.1.130.Final and publish a new minor version so downstream apps can consume the patched dependency.
Client Version
25.0.0

Kubernetes Version
e.g. 1.19.3

Java Version
e.g. Java 8

To Reproduce
Steps to reproduce the behavior:

Expected behavior
A clear and concise description of what you expected to happen.

KubeConfig
If applicable, add a KubeConfig file with secrets redacted.

Server (please complete the following information):

  • OS: [e.g. Linux]
  • Environment [e.g. container]
  • Cloud [e.g. Azure]

Additional context
Add any other context about the problem here.
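A downstream consumer who overrides the Netty version in their own build while waiting for a release wants two checks: that the resolved netty-codec-http is at or above the release the issue names as fixed, and that the override did not leave the other io.netty artifacts behind at the old version (Netty artifacts are expected to be kept at one version, and a partial override is a common mistake). The script below runs both checks over `mvn dependency:tree` output. It is an added example for this issue, not code from the kubernetes client, the AWS SDK or Netty; it assumes the plain (non-verbose) dependency:tree line format, takes the fixed version from the issue text without verifying it, and the sample trees and version numbers in it are constructed for illustration, not a claim about what any real netty-nio-client release pulls in.

```python
"""Scan `mvn dependency:tree` output for Netty artifacts older than the fixed release.

Added example for this issue; not part of the kubernetes client, the AWS SDK or Netty.
The sample trees below are constructed, and their version numbers are illustrative only.
"""
import sys
from typing import Dict, List, NamedTuple, Tuple

# First Netty release the issue text names as containing the fix for CVE-2025-6735.
FIXED_NETTY = "4.1.129.Final"


class Dep(NamedTuple):
    group: str
    artifact: str
    version: str


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version, e.g. '4.1.129.Final' -> (4, 1, 129).

    Netty 4.1.x releases all carry the same '.Final' qualifier, so comparing the
    numeric components is sufficient here (an assumption made by this example).
    """
    parts: List[int] = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def parse_tree(text: str) -> List[Dep]:
    """Extract coordinates from each `[INFO]` line of `mvn dependency:tree`.

    Coordinates are groupId:artifactId:type[:classifier]:version[:scope]; the
    tree-drawing characters in front of them are discarded. Verbose-mode lines
    that report an omitted duplicate are skipped because they are not resolved.
    """
    deps: List[Dep] = []
    for line in text.splitlines():
        if not line.startswith("[INFO]") or "omitted for" in line:
            continue
        fields = line.split()[-1].split(":")
        if len(fields) < 4:
            continue  # plugin banners, progress messages, etc.
        # 4 fields: root g:a:type:version; 5: plus scope; 6: plus classifier and scope
        version = fields[4] if len(fields) == 6 else fields[3]
        deps.append(Dep(fields[0], fields[1], version))
    return deps


def netty_findings(text: str, fixed: str = FIXED_NETTY) -> Dict[str, object]:
    """Report netty-codec-http below `fixed` and any io.netty version skew.

    Overriding only netty-codec-http satisfies a scanner but leaves the other
    io.netty artifacts at the old version, which is the caveat a practitioner
    checks after applying an override.
    """
    netty = [d for d in parse_tree(text) if d.group == "io.netty"]
    below = [d for d in netty
             if d.artifact == "netty-codec-http"
             and version_key(d.version) < version_key(fixed)]
    versions = sorted({d.version for d in netty}, key=version_key)
    return {
        "codec_http_below_fix": [f"{d.artifact}:{d.version}" for d in below],
        "netty_versions": versions,
        "version_skew": len(versions) > 1,
    }


# Constructed sample: an app pulling Netty in through the STS client, no override yet.
SAMPLE_BEFORE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] \\- software.amazon.awssdk:sts:jar:2.29.0:compile
[INFO]    \\- software.amazon.awssdk:netty-nio-client:jar:2.29.0:compile
[INFO]       +- io.netty:netty-codec-http:jar:4.1.118.Final:compile
[INFO]       +- io.netty:netty-codec-http2:jar:4.1.118.Final:compile
[INFO]       +- io.netty:netty-handler:jar:4.1.118.Final:compile
[INFO]       \\- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.118.Final:compile
"""

# Constructed sample: only netty-codec-http was pinned, leaving the rest behind (skew).
SAMPLE_PARTIAL_OVERRIDE = SAMPLE_BEFORE.replace(
    "netty-codec-http:jar:4.1.118.Final", "netty-codec-http:jar:4.1.130.Final")


if __name__ == "__main__":
    # Usage: mvn dependency:tree -Dincludes=io.netty > tree.txt; python check.py tree.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(netty_findings(fh.read()))
    else:
        print("before override:", netty_findings(SAMPLE_BEFORE))
        print("partial override:", netty_findings(SAMPLE_PARTIAL_OVERRIDE))
```

Run it against `mvn dependency:tree -Dincludes=io.netty` from the consuming project; an empty `codec_http_below_fix` together with `version_skew` false is the state to aim for. When the override is applied in Maven dependencyManagement or Gradle constraints, pin every io.netty artifact the transport pulls in to the same release, not just netty-codec-http, or the skew finding will remain.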
