fix(deps): update dependency org.assertj:assertj-core to v3.27.7 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.assertj:assertj-core (source)	3.26.3 → 3.27.7

---

AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion

CVE-2026-24400 / GHSA-rqfh-9r24-8c9r

More information

Details

An XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values.

An application is vulnerable only when it uses untrusted XML input with one of the following methods:

• isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert
• xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter

Impact

If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:

• Read arbitrary local files via file:// URIs (e.g., /etc/passwd, application configuration files)
• Perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs
• Cause Denial of Service via "Billion Laughs" entity expansion attacks

Mitigation

isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:

1. Replace isXmlEqualTo(CharSequence) with XMLUnit, or
2. Upgrade to version 3.27.7, or
3. Avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted input.

XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

References

• CWE-611: Improper Restriction of XML External Entity Reference
• OWASP XXE Prevention Cheat Sheet

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N

References

• https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r
• https://nvd.nist.gov/vuln/detail/CVE-2026-24400
• https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a
• https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
• https://github.com/assertj/assertj
• https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.73%. Comparing base (2e18f1c) to head (e36b3fd).

Additional details and impacted files

@@             Coverage Diff              @@
##               main     #234      +/-   ##
============================================
+ Coverage     67.92%   69.73%   +1.81%     
  Complexity       47       47              
============================================
  Files             4        4              
  Lines           159      152       -7     
  Branches         28       28              
============================================
- Hits            108      106       -2     
+ Misses           33       28       -5     
  Partials         18       18              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.