Skip to content

Update dependency io.rest-assured:rest-assured to v6#987

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/io.rest-assured-rest-assured-6.x
Open

Update dependency io.rest-assured:rest-assured to v6#987
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/io.rest-assured-rest-assured-6.x

Conversation

@renovate

@renovate renovate Bot commented Mar 10, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
io.rest-assured:rest-assured (source) 5.5.76.0.1 age confidence

Release Notes

rest-assured/rest-assured (io.rest-assured:rest-assured)

v6.0.1

  • Fix a JsonPath denial-of-service where oversized numeric literals in untrusted JSON were parsed into arbitrarily large BigIntegers, an O(n^2) CPU and heap cost. JSON number tokens are now capped at 1000 characters by default, configurable via JsonPathConfig.numberLengthLimit and JsonConfig.numberLengthLimit (a negative value disables the check). Thanks to Brian Lee (PhD security researcher, Georgia Tech SSLab) for the private report.
  • Use custom Jackson 3 object mapper in JsonPath (#​1858) (thanks to gkiel for PR)
  • Fix Spring MockMvc cookie handling with Jakarta-only servlet APIs (fixes #​1853)
  • Use Jackson 3 mapper in JsonPath deserialization when Jackson 3 is the only Jackson on the classpath (#​1865) (thanks to dickerpulli for PR)
  • Add JsonPath.using(Jackson3ObjectMapperFactory) overload (#​1861) (thanks to Anusha-7254 for PR)
  • Fix typo in duplicate-finder-maven-plugin phase property (#​1866) (thanks to metacosm for PR)
  • Fix incorrect serialization of enum constants declared with a body when used as query/path parameters (#​1799)
  • The spring-mock-mvc and spring-web-test-client modules now target Spring Framework 7 and no longer expose their own Spring version as a transitive dependency (the Spring dependencies are declared optional), so they no longer drag Spring 5 onto a Spring Boot 4 / Spring Framework 7 classpath. This removes the need for manual Spring exclusions on Spring Boot 4 (fixes #​1853, #​1868). Thanks to spencerarq for the detailed investigation.

v6.0.0

  • Fix a JsonPath denial-of-service where oversized numeric literals in untrusted JSON were parsed into arbitrarily large BigIntegers, an O(n^2) CPU and heap cost. JSON number tokens are now capped at 1000 characters by default, configurable via JsonPathConfig.numberLengthLimit and JsonConfig.numberLengthLimit (a negative value disables the check). Thanks to Brian Lee (PhD security researcher, Georgia Tech SSLab) for the private report.
  • Use custom Jackson 3 object mapper in JsonPath (#​1858) (thanks to gkiel for PR)
  • Fix Spring MockMvc cookie handling with Jakarta-only servlet APIs (fixes #​1853)
  • Use Jackson 3 mapper in JsonPath deserialization when Jackson 3 is the only Jackson on the classpath (#​1865) (thanks to dickerpulli for PR)
  • Add JsonPath.using(Jackson3ObjectMapperFactory) overload (#​1861) (thanks to Anusha-7254 for PR)
  • Fix typo in duplicate-finder-maven-plugin phase property (#​1866) (thanks to metacosm for PR)
  • Fix incorrect serialization of enum constants declared with a body when used as query/path parameters (#​1799)
  • The spring-mock-mvc and spring-web-test-client modules now target Spring Framework 7 and no longer expose their own Spring version as a transitive dependency (the Spring dependencies are declared optional), so they no longer drag Spring 5 onto a Spring Boot 4 / Spring Framework 7 classpath. This removes the need for manual Spring exclusions on Spring Boot 4 (fixes #​1853, #​1868). Thanks to spencerarq for the detailed investigation.

Configuration

📅 Schedule: (in timezone Europe/London)

  • Branch creation
    • "after 7am and before 11am every weekday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Mar 10, 2026
@renovate renovate Bot enabled auto-merge (squash) March 10, 2026 10:01
@renovate renovate Bot force-pushed the renovate/io.rest-assured-rest-assured-6.x branch from 172b59a to ab8e7b3 Compare March 10, 2026 14:07
@renovate renovate Bot force-pushed the renovate/io.rest-assured-rest-assured-6.x branch from ab8e7b3 to 21bcfb0 Compare March 25, 2026 10:49
@renovate renovate Bot force-pushed the renovate/io.rest-assured-rest-assured-6.x branch from 21bcfb0 to b001442 Compare April 1, 2026 11:20
@renovate renovate Bot force-pushed the renovate/io.rest-assured-rest-assured-6.x branch from b001442 to be6b344 Compare April 2, 2026 15:03
@renovate renovate Bot force-pushed the renovate/io.rest-assured-rest-assured-6.x branch from be6b344 to 27ec29f Compare April 7, 2026 09:19
@renovate renovate Bot force-pushed the renovate/io.rest-assured-rest-assured-6.x branch from 27ec29f to 4a3f8c0 Compare April 14, 2026 13:00
@renovate renovate Bot force-pushed the renovate/io.rest-assured-rest-assured-6.x branch from 4a3f8c0 to 3fa1e86 Compare May 18, 2026 14:09
@renovate renovate Bot force-pushed the renovate/io.rest-assured-rest-assured-6.x branch from 3fa1e86 to ac32220 Compare July 10, 2026 17:38
@hmcts-jenkins-d-to-i hmcts-jenkins-d-to-i Bot requested a deployment to preview July 10, 2026 17:44 Abandoned
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file ns:fact prd:fact rel:fact-api-pr-987

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants