
Conversation

@alzimmermsft (Member)

Description

This PR is upgrading Reactor dependencies from 3.4.41 to 3.7.1 and Reactor Netty from 1.0.48 to 1.2.1. This is being done as the previous Reactor and Reactor Netty minor versions, 3.4.x and 1.0.x respectively, are end of life and no longer receiving updates.

The Azure SDKs will continue to perform version validation tests using Reactor versions 3.4.15, 3.5.0, and 3.6.0 and Reactor Netty versions 1.0.0 and 1.1.0 to ensure a baseline compatibility with common ecosystems such as Spring which leverage Reactor as well.

Looking forward into the future, eventually validation for Reactor 3.4.15 and Reactor Netty 1.0.0 can be dropped once Spring Framework 5.3 and Spring Boot 2.7 reach end of life for commercial support.

And possibly other versions could be dropped as well depending on ecosystem support for them in maintained versions.

All SDK Contribution checklist:

  • The pull request does not introduce [breaking changes]
  • CHANGELOG is updated for new features, bug fixes or other significant changes.
  • I have read the contribution guidelines.

General Guidelines and Best Practices

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes.

@alzimmermsft alzimmermsft requested a review from a team as a code owner June 24, 2025 12:39
@alzimmermsft (Member Author)

/azp run java - core

@alzimmermsft (Member Author)

/azp run java - spring

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).


@alzimmermsft (Member Author)

/azp run java - spring - tests

@alzimmermsft (Member Author)

/azp run java - cosmos - tests

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).


@weidongxu-microsoft (Member)

I assume the upgrade is to be merged after BOM release?

@thomasstoermer

Hi,
will the update happen? Azure SDK introduces vulnerabilities caused by the old dependency version io.projectreactor.netty:reactor-netty-http.

@Donnerbart

Yes, please pick this up again and bump Netty Reactor to the fixed version.
https://www.cve.org/CVERecord?id=CVE-2025-22227
reactor/reactor-netty#3838
https://github.com/reactor/reactor-netty/releases/tag/v1.2.8

Looking at this PR and the current version being 1.0.48 I see no way to fix this from the outside with a version constraint. This needs to be fixed in the Azure SDK.

@nehapawar9

reactor-netty-http upgrade to 1.2.8 is breaking the webclient calls. It is working till 1.2.7.
error - "text":"Failed to initialize a channel. Closing: [id: 0x8cbd0444]","details":null},"thread":"reactor-http-nio-3","pid":"24124","correlation-id":"","trace":"","errorcode":"",
"stacktrace":"<#693c1b68> j.l.NoSuchMethodError: 'void io.netty.handler.codec.http.HttpContentDecompressor.(boolean,

@violetagg

@nehapawar9 You need also to update Netty to at least version 4.1.122.Final

@Donnerbart

Donnerbart commented Jul 23, 2025

> @nehapawar9 You need also to update Netty to at least version 4.1.122.Final

Yes, there were CVEs reported for some of the older 4.1 versions.
Updating to the latest available 4.1 version would be much appreciated.

Just a heads up: Netty 4.2 changed some defaults, e.g. for the hostname verification.
Staying on Netty 4.1 should be fine from the CVE perspective (we are on 4.1.223.Final and have no detected security issues right now).
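The two checks raised in this thread, the reactor-netty-http floor for CVE-2025-22227 (the linked 1.2.8 release) and the Netty 4.1.122.Final minimum that 1.2.8 needs before the NoSuchMethodError goes away, can be automated over `mvn dependency:tree` output. This is an added example written for this page, not code from the PR or the Azure SDK; the dependency tree below is a constructed sample and the two thresholds are taken from the comments above.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not taken from the PR); it
# reproduces the mismatch reported above: reactor-netty-http 1.2.8 over Netty 4.1.118.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- io.projectreactor.netty:reactor-netty-http:jar:1.2.8:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.118.Final:compile
[INFO] |  +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.118.Final:compile
[INFO] |  \\- io.netty:netty-tcnative-boringssl-static:jar:2.0.70.Final:compile
"""

# Thresholds as stated in this thread: 1.2.8 is the reactor-netty release linked
# for CVE-2025-22227, and it requires Netty 4.1.122.Final or later.
REACTOR_NETTY_FIXED = (1, 2, 8)
NETTY_MIN = (4, 1, 122)

# group:artifact:jar[:classifier]:version:scope; the version must start with a digit
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:(?:[\w\-]+:)?(\d[\w.\-]*):")

def parse_version(v):
    """'4.1.122.Final' -> (4, 1, 122); qualifiers such as 'Final' are dropped."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def resolved_versions(tree):
    """Map 'group:artifact' -> version string for every dependency line in the tree."""
    deps = {}
    for line in tree.splitlines():
        m = DEP_RE.search(line)
        if m:
            deps[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    return deps

def check_reactor_netty(tree):
    """Return a list of findings; an empty list means nothing was flagged."""
    deps = resolved_versions(tree)
    rn = deps.get("io.projectreactor.netty:reactor-netty-http")
    if rn is None:
        return []
    if parse_version(rn) < REACTOR_NETTY_FIXED:
        return [f"reactor-netty-http {rn} is older than the 1.2.8 CVE-2025-22227 fix release"]
    # netty-tcnative follows its own 2.x version line, so it is not held to the 4.1 floor.
    netty = {v for k, v in deps.items()
             if k.startswith("io.netty:netty-") and "tcnative" not in k}
    return [f"Netty {v} is below the 4.1.122.Final required by reactor-netty-http {rn}; "
            f"expect NoSuchMethodError at channel initialization"
            for v in sorted(netty) if parse_version(v) < NETTY_MIN]
```

Run it against the real tree with `mvn dependency:tree` piped into `check_reactor_netty`; an empty result means both floors from this thread are satisfied.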

@ruiarodrigues

Hi! There's a fix version 1.0.49 but it seems it's only available in the spring commercial license. Is there a way to update and use that one?
check here

@Donnerbart

Can this be closed in favor of the already merged #46207?

@alzimmermsft (Member Author)

Closing as this work was done in #46207

@alzimmermsft alzimmermsft deleted the AzDependency_UpdateReactor branch September 22, 2025 14:45

Labels: Azure.Core (azure-core), Azure.Identity, common (common module used by all azure SDKs, e.g. client, Mgmt), Communication - Common, Cosmos, Do Not Merge, Event Hubs, Mgmt (this issue is related to a management-plane library), OpenTelemetry (OpenTelemetry instrumentation)
