
chore: fix dependabot security alerts and upgrade AGP #285

Closed
jonathannorris wants to merge 6 commits into main from fix/dependabot-alerts

Conversation

@jonathannorris (Member) commented Mar 13, 2026

Summary

  • Update all Jackson dependencies from 2.19.1 to 2.21.1 to fix CVE in jackson-core async parser (high severity DoS)
  • Raise minSdk from 23 to 26 (Android 8.0 Oreo, released August 2017) to support jackson-module-kotlin 2.21+ which uses MethodHandle.invokeExact
  • Upgrade AGP from 8.10.1 to 8.13.2 and Gradle from 8.11.1 to 8.13
  • Add resolutionStrategy force directives for vulnerable transitive build-time dependencies that AGP still pulls in (netty, jose4j, jdom2, protobuf, commons-compress)
  • Modernize build settings for minSdk 26

Details

The Jackson update is a direct dependency bump. The remaining vulnerable packages are transitive build-time dependencies from AGP's internal tooling (gRPC, lint, analytics) — they don't ship with the published SDK artifact. The AGP upgrade alone doesn't bump these transitive deps, so resolutionStrategy force directives are still needed.

minSdk raised from 23 (Android 6.0, October 2015) to 26 (Android 8.0, August 2017) to allow aligning all Jackson modules to 2.21.1. API 26+ covers >95% of active Android devices. The 2.21+ jackson-module-kotlin uses MethodHandle.invokeExact which requires API 26+.

Package               Old Version     Patched Version   Severity
jackson-core          2.19.1          2.21.1            high
netty-*               4.1.110.Final   4.1.129.Final     low–high
jose4j                0.9.5           0.9.6             high
jdom2                 2.0.6           2.0.6.1           high
protobuf-java/kotlin  3.24.4          3.25.5            high
commons-compress      1.21            1.26.0            medium

minSdk 26 modernization

  • Remove dead Build.VERSION.SDK_INT checks that are always true at API 26+ (DevCycleLogger.kt, PopulatedUser.kt)
  • Remove android.enableJetifier=true — all dependencies are already AndroidX-native
  • Raise JVM target from 1.8 to 11 across all modules
  • Remove unnecessary java.nio.file.Path ProGuard keep rule (class is always available at API 26+)
  • Update stale openfeature-example dependencies (core-ktx, appcompat, material)
  • Update README to reflect new minimum API version
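The resolutionStrategy force directives described in the summary, written out as an added example; this is not the PR's own build.gradle. It applies the same pins to the buildscript classpath and to every subproject configuration, which is what the PR describes. The patched versions are the ones in the table above; the Maven coordinates (io.netty, org.bitbucket.b_c:jose4j, org.jdom:jdom2, com.google.protobuf:protobuf-java and protobuf-kotlin, org.apache.commons:commons-compress) are assumed from the public artifacts, and the helper name pinVulnerableTransitives is invented here.

```groovy
// Added example, not the project's build.gradle. Pins patched versions of
// vulnerable transitive build-time dependencies on both the buildscript
// classpath and all subproject configurations.
buildscript {
    // Patched versions from the PR's table. Coordinates are assumed from the
    // public artifacts (assumption, not taken from the project's build files).
    ext.pinnedArtifacts = [
        'org.bitbucket.b_c:jose4j:0.9.6',
        'org.jdom:jdom2:2.0.6.1',
        'com.google.protobuf:protobuf-java:3.25.5',
        'com.google.protobuf:protobuf-kotlin:3.25.5',
        'org.apache.commons:commons-compress:1.26.0',
    ]
    ext.nettyVersion = '4.1.129.Final'

    // Hypothetical helper: one closure applied to the buildscript classpath
    // here and to every subproject configuration below, so both sides resolve
    // the same patched versions.
    ext.pinVulnerableTransitives = { ResolutionStrategy strategy ->
        strategy.force(*pinnedArtifacts)
        // netty is published as many modules (netty-codec, netty-handler, ...),
        // so match on the group instead of listing every artifact.
        strategy.eachDependency { DependencyResolveDetails details ->
            if (details.requested.group == 'io.netty') {
                details.useVersion(nettyVersion)
                details.because('Dependabot alert: pin netty to a patched release')
            }
        }
    }

    // The AGP toolchain's own transitive dependencies live on this classpath.
    pinVulnerableTransitives(configurations.classpath.resolutionStrategy)
}

allprojects {
    // Same pins for every configuration in every module (compile, runtime,
    // lint, test), so a transitive pulled in by a plugin cannot slip back.
    configurations.all {
        pinVulnerableTransitives(resolutionStrategy)
    }
}
```

Two checks worth running after a change like this: `./gradlew buildEnvironment` prints the resolved buildscript classpath, which is where the AGP-side transitives (netty, jose4j, jdom2, protobuf, commons-compress) should now show the forced versions, and `./gradlew :android-client-sdk:dependencyInsight --configuration releaseRuntimeClasspath --dependency io.netty` confirms the claim in the description that these artifacts are not in the published SDK's runtime graph at all. Note that `force` is unconditional: it also overrides any future request for a newer version until someone removes the pin, so the pins should be revisited on each AGP bump rather than left in place indefinitely.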

Copilot AI (Contributor) left a comment

Pull request overview

Updates dependency versions and Gradle resolution rules to address Dependabot security alerts affecting both runtime (Jackson) and build-time transitive dependencies (AGP toolchain).

Changes:

  • Bump Jackson-related versions used by android-client-sdk to 2.21.1.
  • Add resolutionStrategy.force overrides for several vulnerable transitive dependencies (netty, jose4j, jdom2, protobuf, commons-compress) in the root build.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File                             Description
build.gradle                     Adds forced dependency versions via resolutionStrategy for the buildscript classpath and all subproject configurations.
android-client-sdk/build.gradle  Updates Jackson version variables used by SDK dependencies.


@jonathannorris jonathannorris force-pushed the fix/dependabot-alerts branch from 6106ba4 to dc1ec8b Compare March 14, 2026 00:40
@jonathannorris jonathannorris changed the title chore: fix dependabot security alerts for vulnerable dependencies chore: fix dependabot security alerts and upgrade AGP Mar 14, 2026
Copilot AI review requested due to automatic review settings March 15, 2026 02:37
Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the Android build tooling and key dependencies to address Dependabot security alerts, primarily by upgrading Jackson and the Android Gradle Plugin/Gradle, and by forcing patched versions of vulnerable transitive build dependencies.

Changes:

  • Upgraded Gradle wrapper to 8.13 and Android Gradle Plugin (AGP) to 8.13.2.
  • Bumped Jackson versions used by the SDK, including moving core-related artifacts to 2.21.1.
  • Added resolutionStrategy.force rules to pin patched versions of several vulnerable transitive dependencies (netty, jose4j, jdom2, protobuf, commons-compress).

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File                                      Description
gradle/wrapper/gradle-wrapper.properties  Updates Gradle wrapper distribution to 8.13.
build.gradle                              Upgrades AGP and adds global dependency forcing for vulnerable transitive deps.
android-client-sdk/build.gradle           Updates Jackson versions used by the Android client SDK (with an exception for jackson-module-kotlin).


Copilot AI review requested due to automatic review settings March 17, 2026 17:46
Copilot AI (Contributor) left a comment

Pull request overview

This PR focuses on addressing Dependabot security alerts in the Android build by upgrading build tooling/dependencies (AGP, Gradle, Jackson) and enforcing patched versions for vulnerable transitive build-time artifacts.

Changes:

  • Upgrade Android Gradle Plugin to 8.13.2 and Gradle wrapper to 8.13.
  • Bump Jackson versions in android-client-sdk from 2.19.1 to 2.21.1.
  • Add Gradle resolutionStrategy.force rules for several vulnerable transitive dependencies (Netty, jose4j, jdom2, protobuf, commons-compress), and raise minSdk from 23 to 26 across modules.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 4 comments.

File                                      Description
build.gradle                              Bumps AGP and adds forced resolution strategy overrides for vulnerable transitives in buildscript + subprojects.
gradle/wrapper/gradle-wrapper.properties  Updates Gradle wrapper distribution to 8.13.
android-client-sdk/build.gradle           Updates Jackson versions and raises library minSdk to 26.
java-example/build.gradle                 Raises example app minSdk to 26.
kotlin-example/build.gradle               Raises example app minSdk to 26.
openfeature-example/build.gradle          Raises example app minSdk to 26.


Copilot AI (Contributor) left a comment

Pull request overview

Updates Android build/tooling and dependency versions to address Dependabot security alerts, including upgrading Jackson and Android build infrastructure, and raising minSdk to support newer Jackson Kotlin module requirements.

Changes:

  • Bump Jackson dependencies to 2.21.1 and raise minSdk from 23 → 26 across SDK + example apps.
  • Upgrade Android Gradle Plugin to 8.13.2 and Gradle wrapper to 8.13.
  • Add Gradle resolutionStrategy.force overrides to pin patched versions of vulnerable transitive build-time dependencies; update README requirement.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated no comments.

File                                      Description
openfeature-example/build.gradle          Raises example app minSdk to 26 to match SDK requirements.
kotlin-example/build.gradle               Raises example app minSdk to 26 to match SDK requirements.
java-example/build.gradle                 Raises example app minSdk to 26 to match SDK requirements.
gradle/wrapper/gradle-wrapper.properties  Upgrades Gradle wrapper distribution to 8.13.
build.gradle                              Upgrades AGP and adds dependency forcing for vulnerable transitive build deps.
android-client-sdk/build.gradle           Raises SDK minSdk to 26 and bumps Jackson versions to 2.21.1.
README.md                                 Documents the new minimum supported Android API level (26).



3 participants