
deps: Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY] (stable/8.6)#2028

Open

renovate[bot] wants to merge 1 commit into stable/8.6 from renovate/stable/8.6-dependency.assertj.version

Conversation

@renovate renovate bot (Contributor) commented Jan 26, 2026

This PR contains the following updates:

Package                            Change
org.assertj:assertj-core (source)  3.25.3 -> 3.27.7   (age and confidence badges omitted)

GitHub Vulnerability Alerts

CVE-2026-24400

An XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values.

An application is vulnerable only when it uses untrusted XML input with one of the following methods:

  • isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert
  • xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter

Impact

If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:

  • Read arbitrary local files via file:// URIs (e.g., /etc/passwd, application configuration files)
  • Perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs
  • Cause Denial of Service via "Billion Laughs" entity expansion attacks

Mitigation

isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:

  1. Replace isXmlEqualTo(CharSequence) with XMLUnit, or
  2. Upgrade to version 3.27.7, or
  3. Avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted input.

XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

Severity
  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N

Configuration

📅 Schedule (UTC):

  • Branch creation: "" (none set)
  • Automerge: At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
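The advisory above attributes the XXE to a DocumentBuilderFactory left at its defaults. The following is an added illustration, not AssertJ's own code and not part of this PR, of the same default-factory pattern beside a hardened factory that rejects DOCTYPE declarations and external entities; the class and method names are hypothetical, and the sample input is constructed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical helper class (not from AssertJ) contrasting the two configurations.
public final class HardenedXmlParsing {

  // The pattern the advisory describes: a factory with default settings, so DTDs and
  // external entities in untrusted input are honoured by the parser.
  static Document parseWithDefaults(String xml) throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
  }

  // Hardened factory: forbid DOCTYPE outright (which removes entity declarations entirely),
  // and additionally switch off external entities, external DTD loading and XInclude.
  static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    f.setFeature("http://xml.org/sax/features/external-general-entities", false);
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    f.setXIncludeAware(false);
    f.setExpandEntityReferences(false);
    return f;
  }

  static Document parseHardened(String xml) throws Exception {
    DocumentBuilder b = hardenedFactory().newDocumentBuilder();
    return b.parse(new InputSource(new StringReader(xml)));
  }

  public static void main(String[] args) throws Exception {
    // Constructed samples: one plain document, one carrying a DOCTYPE with an entity.
    String plain = "<root><a>1</a></root>";
    String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY e \"x\">]><root>&e;</root>";
    System.out.println("parsed: " + parseHardened(plain).getDocumentElement().getTagName());
    try {
      parseHardened(withDoctype);
      System.out.println("unexpected: DOCTYPE was accepted");
    } catch (SAXException expected) {
      // disallow-doctype-decl makes the parser fail fast before any entity is resolved.
      System.out.println("rejected DOCTYPE: " + expected.getMessage());
    }
  }
}
```

The same feature flags apply to any JAXP parser that handles XML from fixture files or other untrusted sources, which is the scenario the advisory lists as affected.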

@renovate renovate bot added area/security Relates to security automerge labels Jan 26, 2026
@github-actions github-actions bot commented Jan 26, 2026

Test Results

            This PR    Change vs. base
Files       40         -354
Suites      40         -354
Duration    17s        -14m 24s
Tests       23         -344   (passed 23, -342; skipped 0, -2; failed 0, ±0)
Runs        184        -2 198 (passed 184, -2 190; skipped 0, -8; failed 0, ±0)

Results for commit a75d842. ± Comparison against base commit a04a4ea.

This pull request removes 344 tests.
io.camunda.zeebe.process.test.engine.EngineClientTest ‑ shouldActivateJob
io.camunda.zeebe.process.test.engine.EngineClientTest ‑ shouldBroadcastSignal
io.camunda.zeebe.process.test.engine.EngineClientTest ‑ shouldBroadcastSignalWithVariables
io.camunda.zeebe.process.test.engine.EngineClientTest ‑ shouldCancelProcessInstance
io.camunda.zeebe.process.test.engine.EngineClientTest ‑ shouldCompleteJob
io.camunda.zeebe.process.test.engine.EngineClientTest ‑ shouldCreateInstanceWithoutVariables
io.camunda.zeebe.process.test.engine.EngineClientTest ‑ shouldCreateProcessInstance
io.camunda.zeebe.process.test.engine.EngineClientTest ‑ shouldCreateProcessInstanceWithResult
io.camunda.zeebe.process.test.engine.EngineClientTest ‑ shouldDeployForm
io.camunda.zeebe.process.test.engine.EngineClientTest ‑ shouldDeployProcess
…

♻️ This comment has been updated with latest results.

@renovate renovate bot force-pushed the renovate/stable/8.6-dependency.assertj.version branch 2 times, most recently from 63bf42e to 60f5478 Compare February 6, 2026 04:20
@renovate renovate bot changed the title deps: Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY] (stable/8.6) deps: Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY] (stable/8.6) - autoclosed Feb 17, 2026
@renovate renovate bot closed this Feb 17, 2026
@renovate renovate bot deleted the renovate/stable/8.6-dependency.assertj.version branch February 17, 2026 15:23
@renovate renovate bot changed the title deps: Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY] (stable/8.6) - autoclosed deps: Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY] (stable/8.6) Feb 17, 2026
@renovate renovate bot reopened this Feb 17, 2026
@renovate renovate bot force-pushed the renovate/stable/8.6-dependency.assertj.version branch 2 times, most recently from 60f5478 to 352553b Compare February 17, 2026 15:40
@renovate renovate bot force-pushed the renovate/stable/8.6-dependency.assertj.version branch 2 times, most recently from 56aa94c to ed1f852 Compare March 9, 2026 13:04
@renovate renovate bot force-pushed the renovate/stable/8.6-dependency.assertj.version branch 2 times, most recently from f713f5e to 89463ed Compare March 26, 2026 13:31
@renovate renovate bot changed the title deps: Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY] (stable/8.6) deps: Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY] (stable/8.6) - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot changed the title deps: Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY] (stable/8.6) - autoclosed deps: Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY] (stable/8.6) Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/stable/8.6-dependency.assertj.version branch 4 times, most recently from 2549d81 to 6959a54 Compare April 2, 2026 07:21
@renovate renovate bot force-pushed the renovate/stable/8.6-dependency.assertj.version branch 2 times, most recently from dc64186 to f0579d3 Compare April 10, 2026 12:50
@renovate renovate bot changed the title deps: Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY] (stable/8.6) deps: Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY] (stable/8.6) - autoclosed Apr 15, 2026
@renovate renovate bot closed this Apr 15, 2026
@renovate renovate bot changed the title deps: Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY] (stable/8.6) - autoclosed deps: Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY] (stable/8.6) Apr 16, 2026
@renovate renovate bot reopened this Apr 16, 2026
@renovate renovate bot force-pushed the renovate/stable/8.6-dependency.assertj.version branch 2 times, most recently from f0579d3 to a75d842 Compare April 16, 2026 11:19