Update all non-major dependencies #90

Merged
renovate[bot] merged 1 commit into main from renovate/all-minor-patch
Apr 22, 2026

Conversation

@renovate renovate Bot (Contributor) commented Dec 22, 2025

This PR contains the following updates:

Package                                                  Change
org.sonatype.central:central-publishing-maven-plugin     0.9.0 → 0.10.0
org.jetbrains.dokka:dokka-maven-plugin                   2.1.0 → 2.2.0
org.codehaus.mojo:exec-maven-plugin                      3.6.2 → 3.6.3
org.apache.maven.plugins:maven-surefire-plugin           3.5.4 → 3.5.5
org.apache.maven.plugins:maven-compiler-plugin           3.14.1 → 3.15.0
org.apache.maven.plugins:maven-resources-plugin          3.4.0 → 3.5.0
org.assertj:assertj-core                                 3.27.6 → 3.27.7

AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion

CVE-2026-24400 / GHSA-rqfh-9r24-8c9r

Details

An XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values.

An application is vulnerable only when it uses untrusted XML input with one of the following methods:

  • isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert
  • xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter
Impact

If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:

  • Read arbitrary local files via file:// URIs (e.g., /etc/passwd, application configuration files)
  • Perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs
  • Cause Denial of Service via "Billion Laughs" entity expansion attacks
Mitigation

isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:

  1. Replace isXmlEqualTo(CharSequence) with XMLUnit, or
  2. Upgrade to version 3.27.7, or
  3. Avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted input.

XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

References

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

Kotlin/dokka (org.jetbrains.dokka:dokka-maven-plugin)

v2.2.0: 2.2.0


Dokka Gradle Plugin

Starting from Dokka 2.1.0, the new Dokka Gradle Plugin is enabled by default. The documentation on kotlinlang.org has been updated accordingly:

Dokka 2.2.0 introduces multiple improvements and fixes:

Note: most of the following changes affect only the new Dokka Gradle Plugin, enabled by default since Dokka 2.1.0

Analysis improvements

Starting from Dokka 2.1.0, the K2 analysis is enabled by default. K2 analysis is now stable, enabled by default, and fully migrated to the new shared Analysis API. This includes the migration to the new KDoc resolution API within the Analysis API.

Dokka 2.2.0 introduces multiple improvements and fixes:

Note: most of the following changes affect only Dokka's K2 analysis, enabled by default since Dokka 2.1.0

  • Allow actual declarations to automatically inherit their documentation from expect counterparts in multiplatform projects (#2493, #4245, #4351)
  • Link resolution improvements:
    • Support references to declarations with quoted names (#3356)
    • Support resolution of links to extensions with type parameters according to KEEP#385 (#3555)
    • Improve handling of ambiguous KDoc links according to KEEP#389 (#3451, #3179, #3632, #4327, #3604)
      • Note: those changes are currently available only under the experimental org.jetbrains.dokka.analysis.enableExperimentalKDocResolution system property
  • K2/K1 compatibility improvements:
    • Fix "Multiple pages associated with key" (#4300)
    • Fix inconsistent constructor rendering for expect/actual annotation (#4055)
    • Fix missing abstract modifier for abstract interface method with redundant open modifier (#4144)
    • Fix working with intersected and overridden fake functions/properties (#3857)
    • Fix rendering of links in @see block (#3680)
    • Fix redundant ? on properties with a type of typealias to nullable type (#4337)
    • Fix the missing default parameter value for inherited (not overridden) members (#4320)
    • Fix duplicate source links for function overloads and properties (#4049, #4338)
    • Fix resolution of links in the second line of KDoc tags (#4332, KT-75215, KT-79783)
  • Improve DRI handling for varargs and properties (#3558, #4347)
  • Context parameters improvements:
    • Fix KDoc links to context parameters (#4389)
    • Support context parameters documentation via @param tag (#4065)
  • Java/Javadoc related improvements:
    • Use language-java class for <pre> and <code> tags generated from Java sources (#4346)
    • Add new Mark DocTag, TextStyle.Highlight and support for <mark> javadoc HTML tag (#4376)
    • Fix source links to accessors in the KotlinAsJava plugin (#4396)
    • Fix incorrect links to Javadoc's functions with type parameters (#3502)
    • Fix links to Java fields (#4360)
    • Fix documentation on extension properties not being propagated to the generated extension getters (#3752)
    • Fix generated getter for property in kotlin-as-java not inheriting the KDoc description (#3369)

Kotlin playground runnable samples extracted into a separate plugin

Starting with Dokka 2.2.0, Kotlin Playground–based rendering of @sample KDoc references is disabled by default. Samples are now rendered as non-runnable code blocks.

Support for interactive, runnable samples has been extracted into a separate plugin with configurable options, including custom Playground scripts and server URLs. See the plugin README.md for setup instructions.

Other changes and bugfixes

  • Fix unnecessary logging for unresolved links in module documentation (#4413)
  • Fix CLI runner to force use of the latest stdlib (#4324)
  • Use the shadowed stdlib in the Dokka Maven Plugin (#4229)

Changes from 2.2.0-Beta

  • Fix DGP reading all Gradle properties, which causes unnecessary CC invalidation (#4467)
  • Detect and handle intersected source roots in Android multi-variant projects (#4473)

Feedback

We would appreciate your feedback!

mojohaus/exec-maven-plugin (org.codehaus.mojo:exec-maven-plugin)

v3.6.3


📝 Documentation updates

👻 Maintenance

📦 Dependency updates


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



This PR was generated by Mend Renovate. View the repository job log.
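The advisory above describes the vulnerable pattern (a DocumentBuilderFactory left at its JAXP defaults, so a DOCTYPE with a SYSTEM entity is resolved) without showing it. The following is an added example written for this page, not AssertJ's code and not the exact patch shipped in 3.27.7: it parses a constructed malicious "expected XML" once with a default factory and once with a factory hardened along the usual OWASP JAXP guidance, and shows that the default parser hands back the contents of a local file while the hardened one rejects the document at the DOCTYPE. The class name XxeDemo, the temp file and the XML string are all constructed for the demo; it assumes Java 11 or later (Files.writeString).

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public final class XxeDemo {

    // The pattern the advisory describes: a DocumentBuilderFactory at its
    // defaults. DTDs are honoured and SYSTEM entities are fetched, so
    // file://, http:// and nested-entity payloads all work. Illustrative
    // reconstruction, not AssertJ's actual source.
    static Document parseWithDefaults(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    // Hardened variant (standard JAXP hardening; an assumption about what a
    // fix should look like, not a copy of the 3.27.7 change).
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Refusing any DOCTYPE closes the file-read, SSRF and entity-expansion
        // vectors in one step; this is the setting that matters most.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that must accept a DOCTYPE for some reason.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture standing in for a config file on the test runner.
        Path secret = Files.createTempFile("xxe-demo", ".properties");
        Files.writeString(secret, "db.password=hunter2");

        // Constructed malicious "expected" XML: the entity points at that file,
        // the same shape an attacker would put in an untrusted fixture.
        String malicious = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE config [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<config>&xxe;</config>";

        try {
            Document doc = parseWithDefaults(malicious);
            // The default parser resolves the entity and returns the file body.
            System.out.println("default factory: text content = "
                + doc.getDocumentElement().getTextContent());

            try {
                parseHardened(malicious);
                System.out.println("hardened factory: accepted (unexpected)");
            } catch (SAXParseException e) {
                // Expected: the DOCTYPE itself is rejected before any entity is touched.
                System.out.println("hardened factory: rejected, " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Two practical caveats. First, the advisory's preferred remedy is to stop using isXmlEqualTo(CharSequence) and move to XMLUnit; the hardening above only shows why the parser configuration is the root cause. Second, recent JDKs cap entity expansion at 64,000 by default (the jdk.xml.entityExpansionLimit property), which blunts the "Billion Laughs" vector but does nothing against the file:// and SSRF vectors, so the CVSS vector's AV:L/PR:L (an attacker who can get a fixture onto the machine running the tests) is the realistic threat model. To confirm which assertj-core version a Maven build actually resolves after this PR, run `mvn dependency:tree -Dincludes=org.assertj:assertj-core` and check that 3.27.7 or later appears in every module.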

@renovate renovate Bot requested a review from ALRubinger as a code owner December 22, 2025 00:39
@codecov

codecov Bot commented Dec 22, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

@@            Coverage Diff            @@
##              main       #90   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines            4         4           
=========================================
  Hits             4         4           
Components Coverage Δ
api ∅ <ø> (∅)
spi ∅ <ø> (∅)
impl 100.00% <ø> (ø)

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from aa219af to 2ceda76 on January 8, 2026 00:31
@renovate renovate Bot changed the title from "Update dependency org.codehaus.mojo:exec-maven-plugin to v3.6.3" to "Update all non-major dependencies" on Jan 8, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 2ceda76 to 407a9d8 on January 24, 2026 21:05
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 407a9d8 to dd42d14 on February 1, 2026 20:34
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from dd42d14 to 0bf3f2f on February 21, 2026 12:51
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 9 times, most recently from d744b14 to 8c37e46 on March 12, 2026 05:01
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 10 times, most recently from 84222f6 to 769772f on March 19, 2026 13:25
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from fbe8046 to 733cda6 on March 21, 2026 12:56
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 11 times, most recently from 2030bc3 to cc9c306 on March 26, 2026 21:52
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from cc9c306 to 64dc068 on March 30, 2026 09:33
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 64dc068 to e57a20e on April 22, 2026 03:02
@renovate renovate Bot merged commit ca9e15f into main Apr 22, 2026
14 checks passed
@renovate renovate Bot deleted the renovate/all-minor-patch branch April 22, 2026 05:53
