Security vulnerability in `async-http-client:2.12.3`

[coffius]

According to aquasec and NIST there is a critical security vulnerability in async-http-client:2.12.3 which is currently used as a dependency in 3.10.1 and 4.0.0-M20 versions of async-http-client-backend in sttp.

This vulnerability is fixed in async-http-client:2.12.4

Links:

• https://avd.aquasec.com/nvd/2024/cve-2024-53990/
• PR with the fix: [CookieStore] Only set Cookies if they are not already set AsyncHttpClient/async-http-client#2033

[adamw]

AHC is removed completely from the next 4.0.0-Mx releases.