
[Crawler] Bump httpclient5 to 5.5.1 to resolve CVE-2025-8671 (httpcore5-h2 HTTP/2 DoS)#442

Open
Jan-Kazlouski-elastic wants to merge 1 commit into main from jan-kazlouski/cve-fixes

Conversation

@Jan-Kazlouski-elastic


Part of https://github.com/elastic/search-team/issues/13738

Bumps org.apache.httpcomponents.client5:httpclient5 from 5.1 to 5.5.1, which pulls in httpcore5/httpcore5-h2 5.3.6 (>= 5.3.5) and resolves the HTTP/2 stream-reset Denial of Service vulnerability CVE-2025-8671 in httpcore5-h2 < 5.3.5.

The newer DnsResolver interface adds a default resolve(String, int) overload returning List<InetSocketAddress>, which httpclient5 5.3+ now invokes from the connection manager. FilteringDnsResolver and the http_client_spec DNS stub are updated to implement both overloads while preserving the existing private-address filtering.

Jars.lock and vendor/jars/ were regenerated with the pinned toolchain via make clean install (not hand-edited). commons-codec is updated 1.15 → 1.17.1 as a transitive result; all Base64 usage in the codebase is Ruby stdlib, not the Java library.

Checklists

Pre-Review Checklist

  • This PR does NOT contain credentials of any kind, such as API keys or username/passwords (double check crawler.yml.example and elasticsearch.yml.example)
  • This PR has a meaningful title
  • This PR links to all relevant GitHub issues that it fixes or partially addresses
    • If there is no GitHub issue, please create it. Each PR should have a link to an issue
  • this PR has a thorough description
  • Covered the changes with automated tests
  • Tested the changes locally
  • Added a label for each target release version (example: v0.1.0)
  • Considered corresponding documentation changes
  • Contributed any configuration settings changes to the configuration reference
  • Ran make notice if any dependencies have been added (N/A — version bump only; vendored jars are not tracked in NOTICE.txt)

Changes Requiring Extra Attention

  • Security-related changes (encryption, TLS, SSRF, etc) — CVE remediation; touches the HTTP client's DNS resolver (which enforces SSRF/private-address filtering)

Related Pull Requests

Release Note

Upgrade Apache HttpClient (httpclient5 5.5.1 / httpcore5 5.3.6) to remediate CVE-2025-8671, an HTTP/2 stream-reset Denial of Service vulnerability in httpcore5-h2.

Bumps org.apache.httpcomponents.client5:httpclient5 from 5.1 to 5.5.1,
which pulls in httpcore5/httpcore5-h2 5.3.6 (>= 5.3.5) and resolves the
HTTP/2 stream-reset Denial of Service vulnerability CVE-2025-8671 in
httpcore5-h2 < 5.3.5.

The newer DnsResolver interface adds a default resolve(String, int)
overload returning List<InetSocketAddress>, which httpclient5 5.3+ now
invokes from the connection manager. FilteringDnsResolver and the
http_client_spec DNS stub are updated to implement both overloads while
preserving the existing private-address filtering.

Co-authored-by: Cursor <cursoragent@cursor.com>
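The overload point above is the security-relevant part of this bump: the connection manager now reaches the resolver through a second entry point, and if that path skipped the private-address filter the SSRF guard would be bypassable regardless of what the original resolve(String) does. The block below is an added illustration, not the crawler's code. The crawler's real FilteringDnsResolver implements the Java DnsResolver interface from JRuby; this is a pure-Ruby model of the same contract, with an assumed block list, a constructed DNS stub (in the spirit of the http_client_spec stub, using TEST-NET-3 as a stand-in for a public address), and a hypothetical resolve_with_port method standing in for the List<InetSocketAddress> overload.

```ruby
require 'ipaddr'
require 'resolv'

# Added example, not the crawler's code. Pure-Ruby model of a filtering DNS
# resolver: every entry point the connection manager can call (host-only, and
# the newer host+port overload) must run the same private-address filter.
class FilteringDnsResolver
  class BlockedAddressError < StandardError; end

  # Assumed block list: unspecified, RFC 1918, CGNAT, loopback, link-local
  # (covers the 169.254.169.254 metadata endpoint), IPv6 unspecified,
  # loopback, ULA and link-local.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # upstream: callable taking a hostname and returning an Array of IP strings.
  # Default is the system resolver; specs inject a stub instead.
  def initialize(upstream = ->(host) { Resolv.getaddresses(host) })
    @upstream = upstream
  end

  # Mirrors DnsResolver#resolve(String) -> InetAddress[].
  # Fails closed: one blocked answer rejects the whole host, so a mixed
  # public/private answer set cannot slip a private target through.
  def resolve(host)
    addresses = @upstream.call(host).map { |a| IPAddr.new(a) }
    raise Resolv::ResolvError, "no address for #{host}" if addresses.empty?
    blocked = addresses.select { |ip| self.class.blocked?(ip) }
    unless blocked.empty?
      raise BlockedAddressError,
            "#{host} resolves to blocked address(es): #{blocked.map(&:to_s).join(', ')}"
    end
    addresses
  end

  # Mirrors the newer DnsResolver#resolve(String, int) -> List<InetSocketAddress>
  # (hypothetical Ruby name). Delegating to #resolve is what keeps the filter
  # on this path too.
  def resolve_with_port(host, port)
    resolve(host).map { |ip| [ip, port] }
  end

  def self.blocked?(ip)
    # ::ffff:127.0.0.1 is loopback; compare it as IPv4 so the v6 spelling
    # cannot be used to dodge the IPv4 ranges.
    ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
    BLOCKED_RANGES.any? { |range| range.include?(ip) }
  end
end

# Constructed DNS stub, no network. 203.0.113.0/24 (TEST-NET-3) stands in
# for a public address here.
STUB_DNS = {
  'books.toscrape.com' => ['203.0.113.10'],
  'metadata.internal'  => ['169.254.169.254'],
  'mixed.example'      => ['203.0.113.20', '10.0.0.5'],
  'mapped.example'     => ['::ffff:127.0.0.1'],
}.freeze

STUB_RESOLVER = FilteringDnsResolver.new(->(host) { STUB_DNS.fetch(host, []) })

# Returns :allowed or :blocked for a host/port pair via the port-taking path.
def classify(host, port = 443)
  STUB_RESOLVER.resolve_with_port(host, port)
  :allowed
rescue FilteringDnsResolver::BlockedAddressError
  :blocked
end

if $PROGRAM_NAME == __FILE__
  STUB_DNS.each_key { |host| puts "#{host}: #{classify(host)}" }
end
```

The check a reviewer would want for the real change is the same shape: a spec that drives the resolver through the port-taking overload with a host that answers with a private address and asserts the connection is refused, alongside the existing single-argument test.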
@artem-shelkovnikov

Member

Looks good! Have you had a chance to test crawler out against a random website with this change?

@Jan-Kazlouski-elastic

Author

> Looks good! Have you had a chance to test crawler out against a random website with this change?

Hi @artem-shelkovnikov

Yes, a live crawl of https://books.toscrape.com (public scraping sandbox) using the image built from this branch with the file sink. Result: 15 pages fetched (all HTTP 200, plus the expected 404 for the missing robots.txt) and 15 valid docs written with extracted title/body/links.
