
@guptas6est

What is the purpose of the change?

This PR upgrades Netty 4, Apache Commons-Lang3, gRPC, and Spring Security 6 versions across the Dubbo build to remediate multiple security vulnerabilities detected by Trivy and OWASP Dependency-Check.

The new versions align Dubbo with the minimum fixed versions published in the CVE advisories and ensure the framework is not affected by reported DoS, Path Traversal, Recursion, and HTTP/2 attack vectors.

Summary of CVEs remediated

Netty / gRPC related

Apache Commons-Lang3

  • CVE-2025-48924 – Apache Commons-Lang3 uncontrolled recursion vulnerability

Spring Security

Checklist

  • Make sure there is a GitHub_issue field for the change.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Write the necessary unit tests to verify your logic correction. If a new feature or significant change is committed, please remember to add a sample in the dubbo samples project.
  • Make sure GitHub Actions can pass. Why is the workflow failing and how can it be fixed?
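One way to check, before opening a PR like this one, whether the versions pinned in a Maven BOM already meet the minimum fixed versions published in the advisories: an added Python example, not code from Dubbo or from this PR. The pom fragment, the artifact coordinates and every minimum version below are constructed placeholders (the PR names only CVE-2025-48924, and the fixed versions it relies on are not on this page), so the advisory table must be filled from the real advisories before use.

```python
"""Compare versions pinned in a Maven BOM against advisory minimum fixed versions.

Added example for this PR discussion; not part of Dubbo or of the PR itself.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP_REF = re.compile(r"\$\{([^}]+)\}")
RELEASE_QUALIFIERS = {"", "final", "ga", "release"}

# Constructed pom.xml fragment in BOM style: versions live in <properties>
# and are referenced from <dependencyManagement>. Values are made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>example-bom</artifactId><version>1.0.0</version>
  <properties>
    <netty_version>4.1.90.Final</netty_version>
    <commons_lang3_version>3.17.0</commons_lang3_version>
    <grpc_version>1.60.0</grpc_version>
    <spring_security_version>6.3.3</spring_security_version>
  </properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>io.netty</groupId><artifactId>netty-codec-http2</artifactId>
      <version>${netty_version}</version></dependency>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId>
      <version>${commons_lang3_version}</version></dependency>
    <dependency><groupId>io.grpc</groupId><artifactId>grpc-core</artifactId>
      <version>${grpc_version}</version></dependency>
    <dependency><groupId>org.springframework.security</groupId>
      <artifactId>spring-security-core</artifactId>
      <version>${spring_security_version}</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

# Constructed advisory table: (groupId, artifactId) -> (minimum fixed version, note).
# The minimum versions are PLACEHOLDERS, not values taken from any advisory;
# only the CVE id for commons-lang3 comes from the PR description.
MIN_FIXED = {
    ("io.netty", "netty-codec-http2"): ("4.1.118.Final", "placeholder minimum"),
    ("org.apache.commons", "commons-lang3"): ("3.18.0", "CVE-2025-48924, placeholder minimum"),
    ("io.grpc", "grpc-core"): ("1.60.0", "placeholder minimum"),
    ("org.springframework.security", "spring-security-core"): ("6.3.4", "placeholder minimum"),
}


def version_key(version):
    """Turn a Maven-style version into a comparable tuple.

    Numeric tokens compare as integers (so 4.1.118 > 4.1.90); release-style
    qualifiers such as ".Final" are ignored, while pre-release qualifiers
    (alpha, beta, rc, SNAPSHOT, M1, ...) rank below the plain release.
    """
    nums, prerelease = [], False
    for tok in re.split(r"[.\-]", version.strip()):
        if tok.isdigit():
            nums.append(int(tok))
        elif tok.lower() not in RELEASE_QUALIFIERS:
            prerelease = True
    nums += [0] * (4 - len(nums))  # pad so 3.18 and 3.18.0 compare equal
    return tuple(nums) + (0 if prerelease else 1,)


def is_at_least(actual, minimum):
    return version_key(actual) >= version_key(minimum)


def load_managed_versions(pom_xml):
    """Return {(groupId, artifactId): resolved version} from dependencyManagement."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find("m:properties", POM_NS)
    if props_el is not None:
        for p in props_el:
            props[p.tag.split("}")[-1]] = (p.text or "").strip()

    def resolve(value):
        # Substitute ${property} references; unknown names are left verbatim.
        return PROP_REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)

    managed = {}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", POM_NS):
        gid = dep.findtext("m:groupId", "", POM_NS).strip()
        aid = dep.findtext("m:artifactId", "", POM_NS).strip()
        managed[(gid, aid)] = resolve(dep.findtext("m:version", "", POM_NS).strip())
    return managed


def find_outdated(pom_xml, advisories=MIN_FIXED):
    """Return {(groupId, artifactId): (pinned, minimum, note)} for pins below the minimum."""
    managed = load_managed_versions(pom_xml)
    outdated = {}
    for coord, (minimum, note) in advisories.items():
        pinned = managed.get(coord)
        if pinned is not None and not is_at_least(pinned, minimum):
            outdated[coord] = (pinned, minimum, note)
    return outdated


if __name__ == "__main__":
    for (gid, aid), (pinned, minimum, note) in find_outdated(SAMPLE_POM).items():
        print(f"{gid}:{aid} pinned {pinned} is below {minimum}  [{note}]")
```

The check deliberately resolves `${property}` indirection, since BOM-style builds such as Dubbo's pin versions in properties rather than inline, and a grep for the artifact id alone would miss the actual number; scanners like Trivy and OWASP Dependency-Check do the same resolution against the effective pom.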

@codecov-commenter

codecov-commenter commented Nov 27, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.77%. Comparing base (04a620e) to head (e74477b).

Additional details and impacted files
@@            Coverage Diff            @@
##                3.3   #15809   +/-   ##
=========================================
  Coverage     60.77%   60.77%           
- Complexity    11693    11696    +3     
=========================================
  Files          1938     1938           
  Lines         88679    88679           
  Branches      13386    13386           
=========================================
  Hits          53895    53895           
+ Misses        29252    29251    -1     
- Partials       5532     5533    +1     
Flag                       Coverage   Patch   Δ
integration-tests-java21   32.44%     ø       +0.13% ⬆️
integration-tests-java8    32.50%     ø       +0.07% ⬆️
samples-tests-java21       32.00%     ø       +<0.01% ⬆️
samples-tests-java8        29.62%     ø       -0.04% ⬇️
unit-tests-java11          59.06%     ø       -0.02% ⬇️
unit-tests-java17          58.55%     ø       -0.01% ⬇️
unit-tests-java21          58.53%     ø       -0.04% ⬇️
unit-tests-java25          58.49%     ø       -0.01% ⬇️
unit-tests-java8           59.03%     ø       -0.02% ⬇️


@guptas6est guptas6est requested a review from RainYuY November 28, 2025 14:43

@RainYuY RainYuY left a comment


LGTM. But I think we needn't more PRs like this. We have a bot.

