[1.16] Fix/bump deps CVE 1.16

[javier-aliaga]

Description

Upgrade dependencies to address critical and high CVEs on the release-1.16 branch, and consolidate BOM management in the parent pom.

Dependency upgrades (parent pom)

• jackson: 2.18.6 → 2.21.2 (fixes CVE-2023-35116 in transitive deps)
• assertj: 3.27.3 → 3.27.7 (fixes CVE-2026-24400, test-scope)
• tomcat-embed: override to 10.1.52 (fixes CVE-2025-66614 critical, CVE-2026-24734 high)
• logback: override to 1.5.25
• commons-compress: override to 1.26.0 (fixes CVE-2024-25710, CVE-2024-26308)
• commons-codec: override to 1.17.2
• netty-bom: override to 4.1.132.Final (mitigates CVE-2026-33871, CVE-2026-33870 for non-shaded usage)

BOM consolidation

• Moved jackson-bom, spring-framework-bom, and spring-boot-dependencies imports to the parent pom
• Removed duplicate BOM imports from sdk-springboot, dapr-spring, sdk-tests, and spring-boot-examples
• This ensures parent-level security overrides (e.g., netty-bom) are not shadowed by child modules re-importing the Spring Boot BOM

CVE scan results after this PR

CVE	Severity	CVSS	Artifact	Notes
CVE-2020-29582	MEDIUM	5.3	kotlin-stdlib-jdk7:1.9.25	examples only, not shipped
CVE-2025-68161	MEDIUM	4.8	log4j-api:2.24.3	Transitive from Spring Boot BOM
CVE-2023-35116	MEDIUM	4.7	jackson-databind:2.15.1	sdk module only, disputed CVE

Not addressable in this PR

• log4j-api:2.24.3 — pulled in by Spring Boot BOM, no patch available yet

Test plan

• mvn clean install -DskipTests passes on all modules
• OWASP dependency-check scan: 0 CRITICAL, 0 HIGH, 3 MEDIUM (down from 11 total)
• CI build and integration tests pass
• Verify no dependency resolution changes in published artifacts (sdk, sdk-actors, sdk-workflows, sdk-springboot)

Test plan

• CI unit tests pass
• Integration tests pass
• snyk test --all-projects returns only grpc-netty-shaded and actuator CVEs

Issue reference

We strive to have all PR being opened based on an issue, where the problem or feature have been discussed prior to implementation.

Please reference the issue this PR will close: #[issue number]

Checklist

Please make sure you've completed the relevant tasks for this PR, out of the following list:

• Code compiles correctly
• Created/updated tests
• Extended the documentation

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (release-1.16@7fa6e6a). Learn more about missing BASE report.

Additional details and impacted files

@@               Coverage Diff               @@
##             release-1.16    #1717   +/-   ##
===============================================
  Coverage                ?   79.59%           
  Complexity              ?     2090           
===============================================
  Files                   ?      256           
  Lines                   ?     6386           
  Branches                ?      662           
===============================================
  Hits                    ?     5083           
  Misses                  ?      959           
  Partials                ?      344           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.