Exclude CVE-2025-27820 versions of httpclient5 from dependency resolution

This addresses CVE-2025-27820:

>A bug in PSL validation logic in Apache HttpClient 5.4.x disables
>domain checks, affecting cookie management and host name
>verification. Discovered by the Apache HttpClient team. Fixed in the
>5.4.3 release

Sources:

- https://nvd.nist.gov/vuln/detail/CVE-2025-27820
- GHSA-73m2-qfq3-56cx
- https://ossindex.sonatype.org/vulnerability/CVE-2025-27820

Author: emlun

NEWS

@@ -11,6 +11,12 @@ New features:
  ** NOTE: Experimental features may receive breaking changes without a major
     version increase.
 
+Fixes:
+
+* Excluded CVE-2025-27820 vulnerable versions of Apache httpclient5 from
+  dependency resolution. Note that this might only affect consumers using Gradle
+  module metadata.
+
 
 == Version 2.6.0 ==
 

settings.gradle.kts

@@ -16,7 +16,10 @@ dependencyResolutionManagement {
         create("constraintLibs") {
             library("cbor", "com.upokecenter:cbor:[4.5.1,5)")
             library("guava", "com.google.guava:guava:[24.1.1,33)")
-            library("httpclient5", "org.apache.httpcomponents.client5:httpclient5:[5.0.0,6)")
+            library("httpclient5", "org.apache.httpcomponents.client5", "httpclient5").version {
+              strictly("[5.0.0,6)")
+              reject("[5.4-alpha1,5.4.3)")
+            }
             library("slf4j", "org.slf4j:slf4j-api:[1.7.25,3)")
 
             val jacksonVer = version("jackson", "[2.13.2.1,3)")