build(deps): bump io.netty:netty-handler from 4.2.12.Final to 4.2.13.Final in /sdk/java/grpc

[dependabot]

Bumps io.netty:netty-handler from 4.2.12.Final to 4.2.13.Final.

Release notes

Sourced from io.netty:netty-handler's releases.

netty-4.2.13.Final

CVEs Fixed

• CVE-2026-42586 (netty-codec-redis)
• CVE-2026-42578 (netty-handler-proxy)
• CVE-2026-42577 (netty-transport-native-epoll)
• CVE-2026-42587 (netty-codec-http, netty-codec-http2)
• CVE-2026-41417 (netty-codec-http)
• CVE-2026-42581 (netty-codec-http)
• CVE-2026-42580 (netty-codec-http)
• CVE-2026-42585 (netty-codec-http)
• CVE-2026-42579 (netty-codec-dns)
• CVE-2026-42582 (netty-codec-http3)
• CVE-2026-42583 (netty-codec, netty-codec-compression)
• CVE-2026-42584 (netty-codec-http)
• CVE-2026-44248 (netty-codec-mqtt)

Breaking Changes

The patch for CVE-2026-42581 prohibits HTTP/1.1 requests containing both the Transfer-Encoding and Content-Length headers, in line with RFC 9112. Previous versions of HTTP/1.1 (RFC 7230) permitted this combination. You can restore the old behavior with the -Dio.netty.handler.codec.http.rfc9112TransferEncoding=false system property or with HttpDecoderConfig. Note that disabling this check may lead to request smuggling vulnerabilities.

What's Changed

• Kqueue: sendfile EINTR doesn't advance offset — data duplication by @​normanmaurer in netty/netty#16544
• Replace usage of strerror with thread-safe alternative by @​normanmaurer in netty/netty#16547
• Fix implementation of strerror_r_xsi for GNU by @​normanmaurer in netty/netty#16546
• Lazy init ArrayList in DefaultHeaders.getAll by @​doom369 in netty/netty#16526
• Less logging in AWS-LC build by @​chrisvest in netty/netty#16565
• Ensure the CRYPTO_BUFFER_POOL is also freed when we fail creating the SSLContext by @​normanmaurer in netty/netty#16545
• Auto-port 4.2: Fix IndexOutOfBoundsException in StompSubframeDecoder on heartbeat by @​netty-project-bot in netty/netty#16543
• Avoid leak in PemReader on OutOfDirectMemoryError by @​raipc in netty/netty#16551
• IoUring: Disable test while we debug to unblock other builds by @​normanmaurer in netty/netty#16581
• Include user properties and subscription IDs in MqttProperties#isEmpty by @​ShadowySpirits in netty/netty#16575
• Native DNS resolver: Guard against malloc failures by @​normanmaurer in netty/netty#16559
• Auto-port 4.2: Increase timeouts for QuicChannelConnectTest by @​netty-project-bot in netty/netty#16578
• Fix parsing HTTP chunks with multiple extensions by @​chrisvest in netty/netty#16579
• Bump org.codehaus.plexus:plexus-utils from 3.4.2 to 4.0.3 in /codec-native-quic by @​dependabot[bot] in netty/netty#16572
• Revert to PR build to Ubuntu 22.04 by @​chrisvest in netty/netty#16595
• Native transports: Correctly create pipe when pipe2 is not supported by @​normanmaurer in netty/netty#16592
• Epoll: Cleanup code to always return negative value on failure by @​normanmaurer in netty/netty#16591
• Fix component search fast path by @​yawkat in netty/netty#16548
• Stabilize read-only toStringMultipleThreads1 by @​chrisvest in netty/netty#16608
• Stabilize more AbstractByteBufTests by @​chrisvest in netty/netty#16611
• Remove note about needing 256-bit for PQC by @​chrisvest in netty/netty#16605
• Stabilize testSessionInvalidate for Conscrypt by @​chrisvest in netty/netty#16615
• Quic: Correctly handle SSL_CTX_new failures by @​normanmaurer in netty/netty#16622
• Make LocalIoHandle public by @​rdicroce in netty/netty#16621
• Quic: Fix shadowing of variable which leads to incorrectly handling errors by @​normanmaurer in netty/netty#16623
• Auto-port 4.2: Use stream error for maxContentLength exceeded in InboundHttp2ToHttpAdapter by @​netty-project-bot in netty/netty#16629
• Fix shutdownInput bug in kqueue for empty recv buffer by @​chrisvest in netty/netty#16630
• fix FFM address semantics in directBufferAddress by @​dreamlike-ocean in netty/netty#16603
• HTTP2: Ensure HTTP2 preface is always send as first message by @​normanmaurer in netty/netty#16636

... (truncated)

Commits

• b3844c8 [maven-release-plugin] prepare release netty-4.2.13.Final
• 82f47fa Merge commit from fork
• ada0999 Merge commit from fork
• b4051e2 Fix BrotliDecoder not forwarding all decompressed chunks
• 67207c1 Merge commit from fork
• 541ca7c Merge commit from fork
• 943edb3 Fix codec-dns tests
• 6459a28 Merge commit from fork
• b4ba61b Fix checkstyle in HttpObjectDecoder
• 977661f Merge commit from fork
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)