fix(deps): update all dependencies#304

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/all

Conversation

@renovate renovate bot commented Nov 15, 2024

This PR contains the following updates:

Package | Change
org.apache.maven.plugins:maven-surefire-plugin (source) | 3.5.0 -> 3.5.5
org.apache.maven.plugins:maven-source-plugin (source) | 3.3.1 -> 3.4.0
org.apache.maven.plugins:maven-javadoc-plugin (source) | 3.10.0 -> 3.12.0
org.apache.maven.plugins:maven-gpg-plugin (source) | 3.2.5 -> 3.2.8
com.spotify.fmt:fmt-maven-plugin | 2.24 -> 2.29
org.apache.maven.plugins:maven-compiler-plugin (source) | 3.13.0 -> 3.15.0
org.jacoco:jacoco-maven-plugin (source) | 0.8.12 -> 0.8.14
org.reflections:reflections | 0.9.12 -> 0.10.2
org.junit.jupiter:junit-jupiter-engine (source) | 5.11.0 -> 5.14.3
org.junit.jupiter:junit-jupiter-api (source) | 5.11.0 -> 5.14.3
com.fasterxml.jackson.module:jackson-module-parameter-names | 2.17.2 -> 2.21.2
com.fasterxml.jackson.datatype:jackson-datatype-jsr310 | 2.17.2 -> 2.21.2
com.fasterxml.jackson.core:jackson-databind (source) | 2.17.2 -> 2.21.2
com.fasterxml.jackson.core:jackson-annotations (source) | 2.17.2 -> 2.21
com.google.guava:guava | 33.3.0-jre -> 33.6.0-jre
com.revinate:assertj-json | 1.1.0 -> 1.2.0
org.assertj:assertj-core (source) | 3.26.3 -> 3.27.7

GitHub Vulnerability Alerts

CVE-2026-24400

An XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values.

An application is vulnerable only when it uses untrusted XML input with one of the following methods:

  • isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert
  • xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter

Impact

If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:

  • Read arbitrary local files via file:// URIs (e.g., /etc/passwd, application configuration files)
  • Perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs
  • Cause Denial of Service via "Billion Laughs" entity expansion attacks

Mitigation

isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:

  1. Replace isXmlEqualTo(CharSequence) with XMLUnit, or
  2. Upgrade to version 3.27.7, or
  3. Avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted input.

XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

Severity
  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N

Release Notes

spotify/fmt-maven-plugin (com.spotify.fmt:fmt-maven-plugin)

v2.29

Compare Source

v2.28

Compare Source

v2.27

Compare Source

v2.25

Compare Source

What's Changed

Full Changelog: spotify/fmt-maven-plugin@2.24...2.25

jacoco/jacoco (org.jacoco:jacoco-maven-plugin)

v0.8.14: 0.8.14

Compare Source

New Features

  • JaCoCo now officially supports Java 25 (GitHub #​1950).
  • Experimental support for Java 26 class files (GitHub #​1870).
  • Branches added by the Kotlin compiler for default argument number 33 or higher are filtered out during generation of report (GitHub #​1655).
  • Part of bytecode generated by the Kotlin compiler for elvis operator that follows safe call operator is filtered out during generation of report (GitHub #​1814, #​1954).
  • Part of bytecode generated by the Kotlin compiler for more cases of chained safe call operators is filtered out during generation of report (GitHub #​1956).
  • Part of bytecode generated by the Kotlin compiler for invocations of suspendCoroutineUninterceptedOrReturn intrinsic is filtered out during generation of report (GitHub #​1929).
  • Part of bytecode generated by the Kotlin compiler for suspending lambdas with parameters is filtered out during generation of report (GitHub #​1945).
  • Part of bytecode generated by the Kotlin compiler for suspending functions and lambdas with suspension points that return inline value class is filtered out during generation of report (GitHub #​1871).
  • Part of bytecode generated by the Kotlin Compose compiler plugin for pausable composition is filtered out during generation of report (GitHub #​1911).
  • Methods generated by the Kotlin serialization compiler plugin are filtered out (GitHub #​1885, #​1970, #​1971).

Fixed bugs

  • Fixed handling of implicit else clause of when with String subject in Kotlin (GitHub #​1813, #​1940).
  • Fixed handling of implicit default clause of switch by String in Java when compiled by ECJ (GitHub #​1813, #​1940).
  • Fixed handling of exceptions in chains of safe call operators in Kotlin (GitHub #​1819).

Non-functional Changes

  • JaCoCo now depends on ASM 9.9 (GitHub #​1965).

v0.8.13: 0.8.13

Compare Source

New Features

  • JaCoCo now officially supports Java 23 and Java 24 (GitHub #​1757, #​1631, #​1867).
  • Experimental support for Java 25 class files (GitHub #​1807).
  • Calculation of line coverage for Kotlin inline functions (GitHub #​1670).
  • Calculation of line coverage for Kotlin inline functions with reified type parameter (GitHub #​1670, #​1700).
  • Calculation of coverage for Kotlin JvmSynthetic functions (GitHub #​1700).
  • Part of bytecode generated by the Kotlin Compose compiler plugin is filtered out during generation of report (GitHub #​1616).
  • Part of bytecode generated by the Kotlin compiler for inline value classes is filtered out during generation of report (GitHub #​1475).
  • Part of bytecode generated by the Kotlin compiler for suspending lambdas without suspension points is filtered out during generation of report (GitHub #​1283).
  • Part of bytecode generated by the Kotlin compiler for when expressions and statements with nullable enum subject is filtered out during generation of report (GitHub #​1774).
  • Part of bytecode generated by the Kotlin compiler for when expressions and statements with nullable String subject is filtered out during generation of report (GitHub #​1769).
  • Part of bytecode generated by the Kotlin compiler for chains of safe call operators is filtered out during generation of report (GitHub #​1810, #​1818).
  • Method getEntries generated by the Kotlin compiler for enum classes is filtered out during generation of report (GitHub #​1625).
  • Methods generated by the Kotlin compiler for constructors and functions with JvmOverloads annotation are filtered out (GitHub #​1768).

Fixed bugs

  • Fixed interpretation of Kotlin SMAP (GitHub #​1525).
  • File extensions are preserved in HTML report in case of clashes of normalized file names (GitHub #​1660).

Non-functional Changes

  • JaCoCo build now uses Maven Wrapper and requires at least Maven 3.9.9 (GitHub #​1708, #​1707, #​1681).
  • JaCoCo now depends on ASM 9.8 (GitHub #​1862).
  • More context information when IllegalArgumentException occurs during reading of zip file (GitHub #​1833).

ronmamo/reflections (org.reflections:reflections)

v0.10.2

Compare Source

reflections-0.10.2

v0.10.1

Compare Source

reflections-0.10.1

  • 0.10.1 - fix exception in JavassistHelper.getParametersAnnotations, docs
  • ci: Setup GitHub actions for basic PR CI (#​333)
  • Make the path format to be platform-compatible (#​299)
  • enable Dependabot v2 (#​319)
  • Enable automatic module name (#​308)

known issue #​351: deprecated scanners are using wrong index name :( which results in empty query results. will be solved in next release. workaround/solution: migrate to the new Scanners

v0.10

Compare Source

reflections-0.10 refactor

known issue #​337: annotation not marked with Retention(RUNTIME) will be excluded because of an exception

revinate/assertj-json (com.revinate:assertj-json)

v1.2.0

Compare Source

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Nov 15, 2024
@renovate renovate bot changed the title chore(deps): update all dependencies fix(deps): update all dependencies Dec 11, 2024
@renovate renovate bot force-pushed the renovate/all branch 2 times, most recently from 03e92ba to 034f88a Compare January 5, 2025 08:56
@renovate renovate bot force-pushed the renovate/all branch 2 times, most recently from d8bfff0 to 1936ab1 Compare March 21, 2025 07:50
@renovate renovate bot force-pushed the renovate/all branch 2 times, most recently from 643977d to 532f5e8 Compare April 1, 2025 04:08
@renovate renovate bot force-pushed the renovate/all branch 2 times, most recently from 123b142 to 6158c52 Compare April 17, 2025 00:16
@renovate renovate bot force-pushed the renovate/all branch from 61a4d5e to ae69d7e Compare May 10, 2025 03:30
@renovate renovate bot force-pushed the renovate/all branch 2 times, most recently from 05c60f3 to 5b40e2b Compare June 1, 2025 07:08
@renovate renovate bot force-pushed the renovate/all branch 2 times, most recently from 0b420b0 to 00b5836 Compare June 14, 2025 07:53
@renovate renovate bot force-pushed the renovate/all branch 3 times, most recently from 69dfe18 to bfe1522 Compare July 4, 2025 18:37
@renovate renovate bot force-pushed the renovate/all branch 4 times, most recently from 73b1042 to 0b8d42b Compare September 18, 2025 01:56
@renovate renovate bot force-pushed the renovate/all branch 4 times, most recently from e1bd484 to 9dd9e0d Compare September 22, 2025 22:15
@renovate renovate bot force-pushed the renovate/all branch 2 times, most recently from 720fdbf to 317d974 Compare January 24, 2026 20:28
@renovate renovate bot added the security Pull requests that address a security vulnerability label Jan 26, 2026
@renovate renovate bot force-pushed the renovate/all branch 2 times, most recently from 8006bef to 8213c0a Compare February 21, 2026 12:49
@renovate renovate bot added security Pull requests that address a security vulnerability and removed security Pull requests that address a security vulnerability labels Mar 27, 2026

Labels

dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability
