
Conversation

@meotch

@meotch meotch commented Feb 10, 2026

Summary of Changes

Resolve the following CVEs

  • Uncontrolled Recursion [High Severity] (https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-10734078) in org.apache.commons:commons-lang3@3.17.0
  • Improper Validation of Certificate with Host Mismatch [Medium Severity] (https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782) in org.apache.logging.log4j:log4j-core@2.24.3
  • XML External Entity (XXE) Injection [Medium Severity] (https://security.snyk.io/vuln/SNYK-JAVA-ORGASSERTJ-15102413) in org.assertj:assertj-core@3.27.6

Fixes MC-9655

Public API Additions/Changes

None

Downstream Consumer Impact

None

How Has This Been Tested?

Verified project building and tests passing in pipeline

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works

@mattnichols
Collaborator

I think we need to fix this with constraints defined in common.

You can add the constraints here:
https://github.com/mxenabled/path-core/blob/master/build.gradle#L75

The only modification is that you need to specify strictly.

Like this:

        dependencies {
          constraints {
            api("org.apache.commons:commons-lang3") {
              version { strictly "3.18.0" } // strictly overrides any transitive request for another version
              because("SNYK-JAVA-ORGAPACHECOMMONS-10734078")
            }
          }
        }

If you publish this, and pull the new version into a project like path-facilities and run --write-locks you should see the constraint honored. That should propagate down to all including projects.
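One way to confirm that the strictly constraint was actually honoured after running --write-locks in a consuming project such as path-facilities, as an added example that is not part of path-core or this PR: the script below parses the gradle.lockfile format Gradle writes (one `group:artifact:version=config,config` line per resolved dependency) and reports every configuration where a pinned coordinate resolved to a version other than the pinned one. The lockfile contents are constructed for the example; only the commons-lang3 pin (3.18.0) comes from the thread, and the log4j-core and assertj-core pins are left to be added once their fixed versions are chosen.

```python
"""Verify that a Gradle lockfile honours `strictly` version constraints.

Added example, not part of path-core. Reads the gradle.lockfile format
produced by `./gradlew dependencies --write-locks` and checks that every
pinned coordinate resolved to exactly the pinned version in each
configuration where it appears.
"""
from __future__ import annotations

import sys

# Coordinates pinned with `strictly` in the common build (path-core).
# Only the commons-lang3 pin is taken from the thread; the log4j-core and
# assertj-core pins are added the same way with their chosen fixed versions.
PINNED = {
    "org.apache.commons:commons-lang3": "3.18.0",
}

# Constructed sample lockfile (assumed content, not a real path-facilities lockfile).
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
org.apache.commons:commons-lang3:3.18.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
org.apache.logging.log4j:log4j-api:2.24.3=compileClasspath,runtimeClasspath
org.apache.logging.log4j:log4j-core:2.24.3=runtimeClasspath
org.assertj:assertj-core:3.27.6=testCompileClasspath,testRuntimeClasspath
empty=annotationProcessor
"""


def parse_lockfile(text: str) -> dict[str, dict[str, str]]:
    """Return {"group:artifact": {configuration: resolved version}}."""
    resolved: dict[str, dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        coord, _, configs = line.partition("=")
        if coord == "empty":  # lists configurations that resolved nothing
            continue
        group, artifact, version = coord.split(":", 2)
        key = f"{group}:{artifact}"
        for cfg in filter(None, configs.split(",")):
            resolved.setdefault(key, {})[cfg] = version
    return resolved


def check_pins(lock_text: str, pinned: dict[str, str]) -> list[str]:
    """Return one message per configuration that violates a pin.

    A coordinate absent from the lockfile is not a violation: a constraint
    only takes effect when something in the graph actually depends on it.
    """
    resolved = parse_lockfile(lock_text)
    problems: list[str] = []
    for coord, wanted in pinned.items():
        for cfg, got in sorted(resolved.get(coord, {}).items()):
            if got != wanted:
                problems.append(
                    f"{coord}: {cfg} resolved {got}, expected strictly {wanted}"
                )
    return problems


if __name__ == "__main__":
    # Pass a real gradle.lockfile path to check it; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    violations = check_pins(text, PINNED)
    for v in violations:
        print(v)
    sys.exit(1 if violations else 0)
```

Run it against each consuming project's gradle.lockfile after `--write-locks`; a non-zero exit means a transitive path is still resolving an unpatched version and the constraint is not being propagated (for example because the project has not yet picked up the published path-core version). `./gradlew dependencyInsight --dependency commons-lang3` then shows which path requested it.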

@stevecl5
Contributor

I think we should try the change to path-core that @mattnichols suggested. That would be much cleaner than having to update every project with dependency overrides.



4 participants