Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.assertj:assertj-core (source)	3.26.3 → 3.27.7

GitHub Vulnerability Alerts

CVE-2026-24400

An XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values.

An application is vulnerable only when it uses untrusted XML input with one of the following methods:

• isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert
• xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter

Impact

If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:

• Read arbitrary local files via file:// URIs (e.g., /etc/passwd, application configuration files)
• Perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs
• Cause Denial of Service via "Billion Laughs" entity expansion attacks

Mitigation

isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:

1. Replace isXmlEqualTo(CharSequence) with XMLUnit, or
2. Upgrade to version 3.27.7, or
3. Avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted input.

XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

References

• CWE-611: Improper Restriction of XML External Entity Reference
• OWASP XXE Prevention Cheat Sheet

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 46.45%. Comparing base (b47170d) to head (a6d2fbf).

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #2416      +/-   ##
============================================
+ Coverage     43.76%   46.45%   +2.69%     
============================================
  Files           275       34     -241     
  Lines         13243     4107    -9136     
  Branches       1328        0    -1328     
============================================
- Hits           5796     1908    -3888     
+ Misses         6857     2000    -4857     
+ Partials        590      199     -391     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.