Move dependencyManagement to parent pom to fix CVE-2025-48924 in uber jar (#1294)

## Summary
- The `dependencyManagement` overrides for `commons-lang3` and `gson`
were only in `jdbc-core/pom.xml`, not inherited by `assembly-uber`
- The uber jar was bundling `commons-lang3:3.14.0` (from
`commons-configuration2` transitive dep) instead of `3.18.0`
- Moved overrides to parent `pom.xml` so all modules resolve safe
versions

Fixes #1293

## Test plan
- [x] `mvn dependency:tree -pl jdbc-core` shows `commons-lang3:3.18.0`
- [x] `mvn dependency:tree -pl assembly-uber` shows
`commons-lang3:3.18.0`
- [ ] CI unit tests pass

NO_CHANGELOG=true

Signed-off-by: Oleksandr Shevchenko <oleksandr.shevchenko@datarobot.com>
Co-authored-by: Samikshya Chand <148681192+samikshya-db@users.noreply.github.com>

Author: o-shevchenko

jdbc-core/pom.xml

@@ -43,22 +43,6 @@
       <url>file://${project.build.directory}/local-repo</url>
     </repository>
   </distributionManagement>
-  <dependencyManagement>
-    <!-- Force safe version of commons-lang3 https://nvd.nist.gov/vuln/detail/CVE-2025-48924 -->
-    <dependencies>
-      <dependency>
-        <groupId>org.apache.commons</groupId>
-        <artifactId>commons-lang3</artifactId>
-        <version>${commons-lang3.version}</version>
-      </dependency>
-      <!-- Force safe version of Gson to fix CVE-2025-53864 -->
-      <dependency>
-        <groupId>com.google.code.gson</groupId>
-        <artifactId>gson</artifactId>
-        <version>${gson.version}</version>
-      </dependency>
-    </dependencies>
-  </dependencyManagement>
   <dependencies>
     <dependency>
       <groupId>com.databricks</groupId>

pom.xml

@@ -102,6 +102,25 @@
     <maven.deploy.skip>true</maven.deploy.skip>
   </properties>
 
+  <dependencyManagement>
+    <dependencies>
+      <!-- Force safe version of commons-lang3 across all modules (including uber jar)
+           to resolve CVE-2025-48924. Without this, assembly-uber resolves the older
+           transitive version from commons-configuration2. -->
+      <dependency>
+        <groupId>org.apache.commons</groupId>
+        <artifactId>commons-lang3</artifactId>
+        <version>${commons-lang3.version}</version>
+      </dependency>
+      <!-- Force safe version of Gson across all modules to fix CVE-2025-53864 -->
+      <dependency>
+        <groupId>com.google.code.gson</groupId>
+        <artifactId>gson</artifactId>
+        <version>${gson.version}</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
   <build>
     <pluginManagement>
       <plugins>