
fix: keep dependabot remediation compatible with minSdk 23#286

Merged
jonathannorris merged 1 commit into main from fix/dependabot-alerts-minsdk-23 on Mar 19, 2026

Conversation

@jonathannorris
Member

Summary

  • keep the dependabot/security remediation from "chore: fix dependabot security alerts and upgrade AGP" (#285) without raising minSdk
  • pin jackson-module-kotlin to 2.19.1 using a strict version so jackson-bom doesn't upgrade it to a build that requires API 26
  • keep the remaining Jackson modules on 2.21.1 and retain the forced patched build-time transitive dependencies from the AGP upgrade

This PR

The main blocker for staying on API 23 is jackson-module-kotlin 2.21+, which uses MethodHandle.invokeExact and effectively requires minSdk 26.

I think it probably makes sense to keep jackson-core / jackson-databind / jackson-datatype-json-org on the patched versions, while holding only jackson-module-kotlin back to 2.19.1 until we intentionally raise the Android floor.

Verification

  • ./gradlew :android-client-sdk:dependencies --configuration releaseRuntimeClasspath
  • ./gradlew buildEnvironment

./gradlew test requires a local Android SDK and couldn't run in this environment.

Related Issues
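The pinning strategy the PR describes, shown as an added example in the Gradle Groovy DSL (this is not the repository's own build.gradle): the patched Jackson modules are declared at 2.21.1, jackson-module-kotlin is held at 2.19.1 with a `strictly` constraint so BOM alignment cannot raise it, and a small task re-runs the resolution the PR's verification command performs and fails the build if the pin ever drifts. The plugin block, compileSdk value, task name and the forced transitive coordinates are assumptions or labelled placeholders; the page names neither the transitive artifacts nor their patched versions.

```groovy
// Added example, not the project's own build script. Assumes an Android library module
// that consumes the Jackson artifacts named in the PR. Values marked PLACEHOLDER are not
// taken from the page and must be replaced with the real coordinates.

plugins {
    id 'com.android.library'            // assumption: module is an Android library
    id 'org.jetbrains.kotlin.android'
}

android {
    compileSdk 35                       // assumption: any current compileSdk works here
    defaultConfig {
        minSdk 23                       // the floor this PR preserves
    }
}

// Mirrors the root-level force rules the PR mentions for patched build-time transitives.
// `force` overrides every other constraint in the graph, so reserve it for transitive
// artifacts you cannot declare directly.
configurations.all {
    resolutionStrategy {
        force 'PLACEHOLDER_GROUP:PLACEHOLDER_ARTIFACT:PLACEHOLDER_PATCHED_VERSION'
    }
}

dependencies {
    // Remediated Jackson modules move to the patched release.
    implementation 'com.fasterxml.jackson.core:jackson-core:2.21.1'
    implementation 'com.fasterxml.jackson.core:jackson-databind:2.21.1'
    implementation 'com.fasterxml.jackson.datatype:jackson-datatype-json-org:2.21.1'

    // jackson-module-kotlin 2.21+ uses MethodHandle.invokeExact and needs API 26.
    // A plain version string is a "preferred" constraint that jackson-bom's platform
    // alignment would raise to 2.21.x; `strictly` makes any competing constraint fail
    // resolution instead of silently upgrading the module past the minSdk 23 floor.
    implementation('com.fasterxml.jackson.module:jackson-module-kotlin') {
        version {
            strictly '2.19.1'
        }
    }
}

// Guard rail (assumed task name): resolve the release runtime classpath, exactly as
// `./gradlew :android-client-sdk:dependencies --configuration releaseRuntimeClasspath`
// does by hand, and fail if jackson-module-kotlin is no longer on the pinned version.
tasks.register('checkJacksonKotlinPin') {
    group = 'verification'
    description = 'Fails if jackson-module-kotlin resolves to anything other than the minSdk 23 pin'
    doLast {
        def pinned = '2.19.1'
        def artifact = configurations.getByName('releaseRuntimeClasspath')
            .resolvedConfiguration
            .resolvedArtifacts
            .find { a ->
                a.moduleVersion.id.group == 'com.fasterxml.jackson.module' &&
                a.moduleVersion.id.name == 'jackson-module-kotlin'
            }
        if (artifact == null) {
            throw new GradleException('jackson-module-kotlin is not on releaseRuntimeClasspath')
        }
        def resolved = artifact.moduleVersion.id.version
        if (resolved != pinned) {
            throw new GradleException(
                "jackson-module-kotlin resolved to ${resolved}, expected ${pinned} " +
                '(2.21+ requires API 26; see minSdk 23 floor)')
        }
        logger.lifecycle("jackson-module-kotlin pinned at ${resolved}")
    }
}
```

Wiring `checkJacksonKotlinPin` into `check` (`tasks.named('check') { dependsOn 'checkJacksonKotlinPin' }`) turns the manual dependency-tree inspection into a CI gate, so a later Dependabot bump that re-enables BOM alignment is caught at build time rather than as a runtime NoSuchMethodError on API 23 to 25 devices.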

@jonathannorris jonathannorris requested a review from a team as a code owner March 17, 2026 20:57
Copilot AI review requested due to automatic review settings March 17, 2026 20:57
Contributor

Copilot AI left a comment


Pull request overview

This PR keeps the Android Client SDK compatible with minSdk 23 while retaining prior security/dependency remediation work by selectively pinning jackson-module-kotlin to an API-23-compatible version and updating build tooling.

Changes:

  • Upgrade build tooling: Gradle wrapper to 8.13 and Android Gradle Plugin to 8.13.2, plus add repository-wide forced patches for vulnerable transitive deps.
  • Keep Jackson remediation without raising minSdk by holding jackson-module-kotlin to 2.19.1 (strict), while moving other Jackson modules to 2.21.1.
  • Update README requirements line to clarify min supported Android release.

Reviewed changes

Copilot reviewed 3 out of 7 changed files in this pull request and generated 3 comments.

Summary per file:

  • build.gradle: Bumps AGP and introduces global resolutionStrategy.force rules for patched transitive dependencies.
  • gradle/wrapper/gradle-wrapper.properties: Updates the root Gradle wrapper distribution to 8.13.
  • android-client-sdk/build.gradle: Updates Jackson versions and strictly pins jackson-module-kotlin to avoid raising minSdk.
  • README.md: Clarifies the min API requirement with Android version/date context.
  • openfeature-example/build.gradle: Minor wrapper task hunk touched (closing brace), but still defines a per-module wrapper version.
  • kotlin-example/build.gradle: Minor wrapper task hunk touched (closing brace), but still defines a per-module wrapper version.
  • java-example/build.gradle: Minor wrapper task hunk touched (closing brace), but still defines a per-module wrapper version.


@jonathannorris jonathannorris force-pushed the fix/dependabot-alerts-minsdk-23 branch from 822d089 to 46891d7 Compare March 19, 2026 14:46
@jonathannorris jonathannorris merged commit dac5dfc into main Mar 19, 2026
6 checks passed
@jonathannorris jonathannorris deleted the fix/dependabot-alerts-minsdk-23 branch March 19, 2026 19:10