
[improve][build] Remove kotlin-stdlib override; upgrade okhttp3 5.3.2 and okio 3.17.0#25855

Merged
lhotari merged 1 commit into apache:master from lhotari:lh-improve-remove-kotlin-stdlib-override on May 22, 2026

Conversation

@lhotari
Member

@lhotari lhotari commented May 22, 2026

Closes #25763

Motivation

The explicit kotlin-stdlib version override was added in PR #13065 to mitigate CVE-2020-29582, which only affects Kotlin < 1.4.21. With the recent upgrade to okhttp3 5.x and okio 3.x, the transitive kotlin-stdlib is already on a modern major (2.x), so the override is no longer necessary. Worse, pinning to 1.8.20 was downgrading a transitive resolution that would naturally land on 2.2.21, and 1.8.20 is itself out of support.

While here, this also resolves a transitive version split: opentelemetry-exporter-sender-okhttp:1.62.0 was bringing in okhttp:5.3.2, but the okhttp-bom:5.3.1 constraint forced it back down to 5.3.1. Aligning the BOM to 5.3.2 removes the mismatch.

org.jetbrains:annotations is no longer pinned in the catalog either — it now resolves naturally to 13.0 as requested by kotlin-stdlib 2.2.21 (not forced).

Modifications

  • gradle/libs.versions.toml
    • okhttp3: 5.3.1 -> 5.3.2
    • okio: 3.16.3 -> 3.17.0
    • Remove kotlin-stdlib = "1.8.20" version and catalog entry — resolves transitively to 2.2.21 via okio/okhttp.
    • Remove jetbrains-annotations = "13.0" — was unused outside the explicit dist declaration; resolves naturally to 13.0 via kotlin-stdlib.
  • distribution/server/build.gradle.kts
    • Remove explicit distLib entries for kotlin-stdlib, kotlin-stdlib-common, and org.jetbrains:annotations. These now flow in transitively. (kotlin-stdlib-common is no longer published as a separate JVM artifact in Kotlin 2.x — it is bundled into kotlin-stdlib.)
  • distribution/server/src/assemble/LICENSE.bin.txt
    • Update version numbers for okhttp3-*, okio-jvm, and kotlin-stdlib.
    • Drop the kotlin-stdlib-common entry (no longer in the distribution).

Affected transitive consumers verified compatible:

  • io.kubernetes:client-java:23.0.0 (Pulsar Functions kubernetes runtime)
  • io.opentelemetry:opentelemetry-exporter-sender-okhttp:1.62.0
  • pulsar-broker-auth-oidc (direct usage)
  • Tests in pulsar-broker and pulsar-proxy

The contents of the built apache-pulsar-*-bin.tar.gz were inspected to confirm the new versions land in lib/:

lib/com.squareup.okhttp3-logging-interceptor-5.3.2.jar
lib/com.squareup.okhttp3-okhttp-jvm-5.3.2.jar
lib/com.squareup.okio-okio-jvm-3.17.0.jar
lib/org.jetbrains.kotlin-kotlin-stdlib-2.2.21.jar
lib/org.jetbrains-annotations-13.0.jar

Verifying this change

  • Make sure that the change passes the CI checks.

This change is a trivial rework / code cleanup without any test coverage.

Local verification performed:

  • ./gradlew :distribution:pulsar-server-distribution:checkBinaryLicense — passes
  • ./gradlew :distribution:pulsar-shell-distribution:checkBinaryLicense — passes
  • ./gradlew spotlessCheck — passes
  • Inspected resolved dependency tree to confirm kotlin-stdlib is no longer forced to 1.8.20 and that okhttp3/okio resolve to the aligned versions.

Does this pull request potentially affect one of the following parts:

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • no-need-doc
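A check in the spirit of the lib/ inspection and the checkBinaryLicense runs described above, written here as an added example and not Pulsar's own build code: it parses the shipped jar names, compares them with the LICENSE.bin.txt entries, and flags stale or mismatched versions as well as any artifact below a known fix level (1.4.21 for kotlin-stdlib, the CVE-2020-29582 boundary named in the PR). The lib/ listing is the one quoted in the PR; the LICENSE.bin.txt line format and the stale kotlin-stdlib-common entry are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed inputs: the lib/ listing as reported in the PR, and a LICENSE.bin.txt
# fragment (line format assumed) that still carries a stale kotlin-stdlib-common entry.
LIB_LISTING = """\
lib/com.squareup.okhttp3-logging-interceptor-5.3.2.jar
lib/com.squareup.okhttp3-okhttp-jvm-5.3.2.jar
lib/com.squareup.okio-okio-jvm-3.17.0.jar
lib/org.jetbrains.kotlin-kotlin-stdlib-2.2.21.jar
lib/org.jetbrains-annotations-13.0.jar
"""
LICENSE_FRAGMENT = """\
 - com.squareup.okhttp3-logging-interceptor-5.3.2.jar
 - com.squareup.okhttp3-okhttp-jvm-5.3.2.jar
 - com.squareup.okio-okio-jvm-3.17.0.jar
 - org.jetbrains.kotlin-kotlin-stdlib-2.2.21.jar
 - org.jetbrains.kotlin-kotlin-stdlib-common-1.8.20.jar
 - org.jetbrains-annotations-13.0.jar
"""
# Version floors: 1.4.21 is the first kotlin-stdlib release not affected by CVE-2020-29582.
MIN_VERSIONS = {"org.jetbrains.kotlin:kotlin-stdlib": "1.4.21"}
# Jar names are group-artifact-version.jar: the group carries no hyphen, the artifact may,
# and the version starts with a digit, so the split happens at the last "-<digit>".
JAR_RE = re.compile(r"^([^-/\s]+)-(.+)-(\d[^-\s]*)\.jar$")

def parse_jar(line: str) -> Optional[Tuple[str, str]]:
    # Accepts both "lib/<jar>" listing lines and " - <jar>" license lines.
    name = line.strip().lstrip("-").strip()
    if name.startswith("lib/"):
        name = name[len("lib/"):]
    m = JAR_RE.match(name)
    if not m:
        return None
    group, artifact, version = m.groups()
    return f"{group}:{artifact}", version

def version_key(v: str) -> Tuple[int, ...]:
    # Numeric dotted-version comparison; non-numeric parts compare as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def audit(lib_listing: str, license_text: str, min_versions: Dict[str, str]) -> List[str]:
    shipped = dict(filter(None, map(parse_jar, lib_listing.splitlines())))
    declared = dict(filter(None, map(parse_jar, license_text.splitlines())))
    findings = [f"undeclared: {c} {shipped[c]}" for c in sorted(shipped.keys() - declared.keys())]
    findings += [f"stale license entry: {c} {declared[c]}" for c in sorted(declared.keys() - shipped.keys())]
    findings += [f"version mismatch: {c} lib={shipped[c]} license={declared[c]}"
                 for c in sorted(shipped.keys() & declared.keys()) if shipped[c] != declared[c]]
    findings += [f"below minimum: {c} {shipped[c]} < {floor}" for c, floor in min_versions.items()
                 if c in shipped and version_key(shipped[c]) < version_key(floor)]
    return findings
```

Running `audit(LIB_LISTING, LICENSE_FRAGMENT, MIN_VERSIONS)` on the constructed inputs reports only the stale kotlin-stdlib-common license line, which is exactly the entry this PR drops.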

…p3 5.3.2 and okio 3.17.0

Closes apache#25763

The explicit kotlin-stdlib 1.8.20 override was added in PR apache#13065 to
mitigate CVE-2020-29582, which only affects Kotlin < 1.4.21. With
okhttp3 5.x and okio 3.x, the transitive kotlin-stdlib is already on
a modern major (2.x), so the override is no longer needed and was
pinning kotlin-stdlib to a version that is end-of-life.

- okhttp3: 5.3.1 -> 5.3.2 (also resolves a 5.3.1/5.3.2 split where
  OpenTelemetry's opentelemetry-exporter-sender-okhttp 1.62.0 was
  bringing 5.3.2 transitively while the BOM forced 5.3.1)
- okio: 3.16.3 -> 3.17.0
- Remove kotlin-stdlib version pin (now resolves to 2.2.21 via
  okio/okhttp transitive deps)
- Remove jetbrains-annotations version pin (resolves naturally to 13.0
  via kotlin-stdlib; not forced)
- Drop explicit distLib declarations for kotlin-stdlib,
  kotlin-stdlib-common, and annotations in the server distribution
  build; they now flow in transitively. kotlin-stdlib-common is no
  longer published as a separate artifact in Kotlin 2.x.
- Update LICENSE.bin.txt to reflect the new versions
@lhotari lhotari merged commit 842785e into apache:master May 22, 2026
43 checks passed
@lhotari lhotari added this to the 5.0.0-M1 milestone May 22, 2026
lhotari added a commit that referenced this pull request May 22, 2026
lhotari added a commit that referenced this pull request May 22, 2026


Development

Successfully merging this pull request may close these issues.

Explicit Kotlin version needs to be removed from Pulsar 4.0 or needs to be upgraded to 2.3.21
