Override assertj-core to 3.27.7 for security fix #484
Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com>
Pull request overview
This PR addresses a security vulnerability in the transitive dependency org.assertj:assertj-core by adding a version override in the root pom.xml. The project uses Hamcrest for assertions rather than AssertJ, but AssertJ is pulled in transitively through spring-boot-starter-test dependencies used across multiple modules (xapi-model, xapi-client, and samples).
Changes:
- Added org.assertj:assertj-core version override (3.27.7) in the root pom.xml <dependencyManagement> section to patch a security vulnerability
@copilot does this even override the assertj-core version used by Spring Boot?
Yes, it does override the Spring Boot version. You can verify with
Description
Overrides org.assertj:assertj-core to version 3.27.7 in the root pom.xml to address security advisory https://github.com/BerryCloud/xapi-java/security/dependabot/703. Spring Boot 4.0.2 transitively pulls in assertj-core 3.27.6. The override in dependencyManagement forces all modules to use the patched version.

Changes:
- assertj.version property (3.27.7) in the <properties> section for consistency with project conventions
- org.assertj:assertj-core version override using ${assertj.version} in root pom.xml <dependencyManagement> section
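The override described above, written out as an added pom.xml example; this is not the project's own pom, and the groupId, artifactId and the BOM import are assumptions. Maven keeps the first declaration it finds for a given groupId:artifactId in dependencyManagement, so when the Spring Boot BOM is imported with scope import (rather than spring-boot-starter-parent being the parent, where setting the assertj.version property alone is enough) the explicit assertj-core entry has to come before the import for the override to win.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Assumed coordinates: the real root pom's groupId/artifactId are not on the page -->
  <groupId>example</groupId>
  <artifactId>example-parent</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Patched version from the advisory; Spring Boot 4.0.2 would otherwise manage 3.27.6 -->
    <assertj.version>3.27.7</assertj.version>
    <spring-boot.version>4.0.2</spring-boot.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Explicit override, listed BEFORE the imported BOM: Maven resolves the first
           managed entry it sees for org.assertj:assertj-core -->
      <dependency>
        <groupId>org.assertj</groupId>
        <artifactId>assertj-core</artifactId>
        <version>${assertj.version}</version>
      </dependency>
      <!-- Assumed: Spring Boot's managed versions pulled in as an imported BOM -->
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>${spring-boot.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <modules>
    <!-- Module names from the review comment; each child pom must declare this pom as its parent,
         otherwise the managed version does not reach it -->
    <module>xapi-model</module>
    <module>xapi-client</module>
  </modules>
</project>
```

Running `mvn dependency:tree -Dincludes=org.assertj:assertj-core` from the root shows which assertj-core version each module actually resolves, which is the check that confirms the override took effect.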