Bump patch/minor dependencies for 1.2.0

[kirich1409]

Summary

Verified patch/minor dependency bump based on current develop branch. Supersedes #227 (which was based on v1.0.0 with all CI checks failing).

Bump table

Key in catalog	Old	New
kotlinx-coroutines	1.10.2	1.11.0
androidx-core	1.18.0	1.19.0
mockk	1.14.9	1.14.11
firebaseBom	34.11.0	34.14.1
asm	9.7	9.10.1
spotless	8.4.0	8.6.0
material	1.13.0	1.14.0
skie	0.10.10	0.10.12
composeHotReload	1.0.0	1.1.1
kotlin	2.3.10	2.3.21

CVE status (issue #224 — 33 advisories, 13 high)

OSV database scan of bumped artifacts via maven-mcp returned no CVEs for the versions being bumped to. The Dependabot alerts on the default branch reference transitive dependencies not directly declared in libs.versions.toml; bumping the direct deps above reduces transitive exposure but does not eliminate all advisories. Remaining CVEs require either:

• AGP bump (deferred, see below), or
• investigation of specific transitive graphs per advisory.

Deferred (out of scope for conservative 1.2.0 cycle)

Item	Reason
agp (9.1.0)	Major bump; requires coordinated AGP/lint/r8 update
lint (32.1.0)	Locked to agp + 23.0.0; must move with AGP
r8 (9.1.31)	Locked to AGP release train
composeMultiplatform (1.10.3)	Latest in 1.10.x for Kotlin 2.3.x; 1.11.x requires Kotlin 2.4.x

Verification

• ./gradlew :core:jvmTest :featured-gradle-plugin:test :featured-debug-ui:jvmTest — BUILD SUCCESSFUL (1m 4s)
• ./gradlew spotlessCheck — BUILD SUCCESSFUL

Refs #224

🤖 Generated with Claude Code

[qodo-code-review]

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

[cubic-dev-ai]

No issues found across 1 file

_{Re-trigger cubic}