fix(deps): override Micronaut's netty-codec-http to 4.2.11.Final

Resolves CVE-2026-33870 (HTTP/1.1 request smuggling) and CVE-2026-33871
(HTTP/2 CONTINUATION frame DoS). Micronaut platform BOM 4.10.10 pins
netty-codec-http* at 4.2.9.Final, overriding the parent pom's
netty-bom 4.2.11. Re-importing netty-bom as the first BOM in the cli
and server dependencyManagement blocks restores 4.2.11 via Maven's
first-declaration-wins rule for BOM imports.

Author: fhussonnois

cli/pom.xml

@@ -47,6 +47,16 @@
 
     <dependencyManagement>
         <dependencies>
+            <!-- Netty BOM must be imported BEFORE Micronaut so its 4.2.11 pins win
+                 (Maven first-declaration-wins). Micronaut platform 4.10.10 otherwise
+                 pulls in netty-codec-http* 4.2.9 (CVE-2026-33870, CVE-2026-33871). -->
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-bom</artifactId>
+                <version>${netty.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
             <!-- Micronaut -->
             <dependency>
                 <groupId>io.micronaut.platform</groupId>

server/jikkou-api-server/pom.xml

@@ -171,6 +171,16 @@
     </dependencies>
     <dependencyManagement>
         <dependencies>
+            <!-- Netty BOM must be imported BEFORE Micronaut so its 4.2.11 pins win
+                 (Maven first-declaration-wins). Micronaut platform 4.10.10 otherwise
+                 pulls in netty-codec-http* 4.2.9 (CVE-2026-33870, CVE-2026-33871). -->
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-bom</artifactId>
+                <version>${netty.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
             <dependency>
                 <groupId>io.micronaut.platform</groupId>
                 <artifactId>micronaut-parent</artifactId>