The LiveKit Server SDK depends on OkHttp 3.x, which contains known security vulnerabilities flagged by security scanners (e.g., Aikido, Snyk).
When attempting to upgrade OkHttp to 4.x (the recommended secure version), the application fails at runtime with:

java.lang.NoSuchFieldError: Companion
    at okhttp3.internal.Util.<clinit>(Util.kt:70)

This indicates that the SDK relies on internal APIs from OkHttp 3.x that are not present in OkHttp 4.x, making it impossible to upgrade or override the dependency safely.

Therefore, applications using the LiveKit Java/Kotlin Server SDK are forced to ship with vulnerable OkHttp 3.x versions.

Steps to reproduce the behavior:

1. Create a Spring Boot / JVM application using LiveKit Server SDK.
2. Add a dependency override to use com.squareup.okhttp3:okhttp:4.9.2 (or any 4.x version).
3. Start the application.
4. The application crashes on startup with NoSuchFieldError: Companion, thrown from LiveKit’s OkHttp client initialization.

Expected behavior:
I expect the SDK to use the current stable OkHttp major version (4.x), or at least avoid relying on internal, non-public OkHttp 3.x APIs.
This would allow upgrading to secure versions and eliminate CVE warnings.

Applications should be able to use the latest OkHttp version without causing runtime errors in the LiveKit client.

Device Info:
Java Version: 17
LiveKit Server SDK Version: 0.10.1
Build Tool: Maven
OS: Linux (AWS EC2)

Additional context:
Security scanning tools (Aikido, Snyk, etc.) flag the following dependency in the SDK:
com.squareup.okhttp3:okhttp:3.14.x
This version is end-of-life and contains known vulnerabilities.
Because the SDK uses internal OkHttp 3.x APIs, it is not currently possible to upgrade to OkHttp 4.x without breaking the SDK.

Please consider upgrading the SDK to use OkHttp 4.x, or update internal usage so that OkHttp can be safely overridden without causing runtime failures.

This would allow applications to remain secure and compliant with modern dependency standards.