build(crypto,rpc,http,event): bump bundled libs for security fixes

[halibobo1205]

Upgrade bundled libraries in crypto, RPC, HTTP, and event/plugin-related components to newer patched versions to address known security vulnerabilities.

Changes:

• bump bcprov-jdk18on from 1.79 to 1.84 to address CVE-2026-5598
• bump jetty from 9.4.57 to 9.4.58 to address CVE-2025-5115
• bump pf4j from 3.10.0 to 3.14.1 to address CVE-2025-70952
• bump grpc-java from 1.75 to 1.81 to address CVE-2026-33871

Impact:

• picks up upstream security patches in bundled dependencies
• reduces exposure to known vulnerable library versions
• no intended behavior changes beyond dependency upgrades

[waynercheung]

LGTM

[yanghang8612]

LGTM

[0xbigapple]

Thanks for the upgrade. One concern worth flagging:

9.4.58.v20250814 is the last Jetty line that still supports JDK 8, and it is a sponsored release for an End of Life version of Jetty — the 9.4.x branch is officially EOL. After this bump, the following CVEs remain unpatched on 9.4.x:

• CVE-2026-2332 — High, HTTP Request Smuggling
• CVE-2025-11143 — Low, URI parsing differential
• CVE-2024-6763 — Low, HttpURI parsing (officially fixed only in jetty-http 12.0.12)

Future Jetty CVEs will keep landing in the same state. Worth opening a separate discussion to evaluate a longer-term replacement path. No objection to merging this PR — it still closes CVE-2025-5115.

[halibobo1205]

@0xbigapple Regarding the JDK upgrade, the current state is that x86_64 is still limited to JDK 8, while arm64 already supports JDK 17. It may therefore be worth prioritizing JDK 17 compatibility on x86_64 as a separate step. Doing so would reduce cross-platform divergence and lower the risk of future upgrades, including any eventual move away from Jetty 9.