Merge pull request #246 from contentstack/development

DX| 05-01-2026 | Release

Author: reeshika-h

.github/workflows/unit-testing.yml

@@ -0,0 +1,102 @@
+name: Java SDK - Coverage Check
+
+on:
+  pull_request:
+    branches:
+      - development
+      - staging
+      - master
+
+jobs:
+  coverage:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: 🧾 Checkout repository
+        uses: actions/checkout@v4
+
+      - name: ☕ Set up JDK 8 (Temurin)
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: 8
+          cache: maven
+
+      - name: 🧩 Ensure tests are enabled in pom.xml
+        run: |
+          echo "🔧 Ensuring tests are enabled in pom.xml..."
+          sed -i 's/<skipTests>true<\/skipTests>/<skipTests>false<\/skipTests>/g' pom.xml || true
+
+      - name: 🧪 Run tests and generate JaCoCo report
+        run: mvn clean test -Dtest='Test*' jacoco:report -Dgpg.skip=true
+
+      - name: 📊 Extract coverage from JaCoCo HTML report
+        id: extract_coverage
+        run: |
+          echo "📊 Extracting coverage summary from JaCoCo HTML report..."
+
+          REPORT="target/site/jacoco/index.html"
+
+          if [ ! -f "$REPORT" ]; then
+            echo "❌ JaCoCo HTML report not found!"
+            exit 1
+          fi
+
+          # Extract the <tfoot> Total row and clean it up
+          TOTAL_ROW=$(grep -A2 "<td>Total</td>" "$REPORT" | tr -d '\n')
+
+          # Extract numeric percentages in order (Instruction first, Branch second)
+          PERCENTAGES=($(echo "$TOTAL_ROW" | grep -oE '[0-9]+%' | sed 's/%//g'))
+
+          INSTRUCTION=${PERCENTAGES[0]:-0}
+          BRANCH=${PERCENTAGES[1]:-0}
+
+          echo "📘 Instruction Coverage: ${INSTRUCTION}%"
+          echo "🌿 Branch Coverage: ${BRANCH}%"
+
+          echo "instruction=${INSTRUCTION}" >> $GITHUB_OUTPUT
+          echo "branch=${BRANCH}" >> $GITHUB_OUTPUT
+
+      - name: 🚦 Enforce coverage threshold
+        run: |
+          MIN_INSTRUCTION=90
+          MIN_BRANCH=80
+
+          INSTRUCTION=${{ steps.extract_coverage.outputs.instruction }}
+          BRANCH=${{ steps.extract_coverage.outputs.branch }}
+
+          echo "🧾 Required minimums:"
+          echo "   • Instruction: ${MIN_INSTRUCTION}%"
+          echo "   • Branch: ${MIN_BRANCH}%"
+          echo ""
+          echo "📈 Actual coverage:"
+          echo "   • Instruction: ${INSTRUCTION}%"
+          echo "   • Branch: ${BRANCH}%"
+
+          if [ "$INSTRUCTION" -lt "$MIN_INSTRUCTION" ]; then
+            echo "❌ Instruction coverage (${INSTRUCTION}%) is below the threshold (${MIN_INSTRUCTION}%)"
+            exit 1
+          fi
+
+          if [ "$BRANCH" -lt "$MIN_BRANCH" ]; then
+            echo "❌ Branch coverage (${BRANCH}%) is below the threshold (${MIN_BRANCH}%)"
+            exit 1
+          fi
+
+          echo "✅ Coverage thresholds met!"
+
+      - name: 💬 Post coverage summary as PR comment
+        uses: marocchino/sticky-pull-request-comment@v2
+        with:
+          header: 🧪 JaCoCo Coverage Report
+          message: |
+            **Coverage Summary**
+            - 📘 Instruction Coverage: `${{ steps.extract_coverage.outputs.instruction }}%`
+            - 🌿 Branch Coverage: `${{ steps.extract_coverage.outputs.branch }}%`
+
+      - name: 📦 Upload JaCoCo HTML report as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: jacoco-report
+          path: target/site/jacoco/
+          if-no-files-found: warn

.gitignore

@@ -272,3 +272,5 @@ src/main/resources/
 /src/main/java/com/contentstack/sdk/models/
 /.vscode/
 /.vscode/
+/docs/
+INTEGRATION-TESTS-GUIDE.md

CHANGELOG.md

@@ -1,5 +1,10 @@
 # CHANGELOG
 
+## v2.3.2
+
+### Jan 05, 2026
+- Snyk Fixes
+
 ## v2.3.1
 
 ### Date: 03-Nov-2025

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2012 - 2025 Contentstack
+Copyright (c) 2012 - 2026 Contentstack
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pom.xml

@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.contentstack.sdk</groupId>
     <artifactId>java</artifactId>
-    <version>2.3.1</version>
+    <version>2.3.2</version>
     <packaging>jar</packaging>
     <name>contentstack-java</name>
     <description>Java SDK for Contentstack Content Delivery API</description>
@@ -20,8 +20,8 @@
         <maven-source-plugin.version>3.3.1</maven-source-plugin.version>
         <maven-javadoc-plugin.version>3.4.1</maven-javadoc-plugin.version>
         <dotenv-source.version>3.0.0</dotenv-source.version>
-        <rxjava-source.version>3.1.10</rxjava-source.version>
-        <retrofit-source.version>2.11.0</retrofit-source.version>
+        <rxjava-source.version>3.1.11</rxjava-source.version>
+        <retrofit-source.version>3.0.0</retrofit-source.version>
         <loggin.version>5.1.0</loggin.version>
         <jococo-plugin.version>0.8.5</jococo-plugin.version>
         <lombok-source.version>1.18.36</lombok-source.version>
@@ -172,12 +172,19 @@
             <artifactId>json-simple</artifactId>
             <version>${json-simple-version}</version>
             <scope>compile</scope>
+            <!-- Exclude junit - it was incorrectly included as compile dep in json-simple -->
+            <exclusions>
+                <exclusion>
+                    <groupId>junit</groupId>
+                    <artifactId>junit</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
 
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>2.18.2</version>
+            <version>2.19.2</version>
         </dependency>
         <dependency>
             <groupId>com.slack.api</groupId>
@@ -187,7 +194,7 @@
         <dependency>
             <groupId>org.jetbrains</groupId>
             <artifactId>annotations</artifactId>
-            <version>24.0.1</version>
+            <version>26.0.2</version>
         </dependency>
         <dependency>
             <groupId>com.squareup.okhttp3</groupId>
@@ -215,6 +222,34 @@
                 <artifactId>kotlin-stdlib</artifactId>
                 <version>2.1.0</version> 
             </dependency>
+            <!-- Fix CVE-2025-48924: Uncontrolled Recursion in commons-lang3 -->
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-lang3</artifactId>
+                <version>3.18.0</version>
+            </dependency>
+            <!-- Fix Spring vulnerabilities from contentstack-utils transitive deps -->
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-core</artifactId>
+                <version>6.2.11</version>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-beans</artifactId>
+                <version>6.2.11</version>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-web</artifactId>
+                <version>6.2.11</version>
+            </dependency>
+            <!-- Fix CVE-2020-15250: junit pulled by json-simple -->
+            <dependency>
+                <groupId>junit</groupId>
+                <artifactId>junit</artifactId>
+                <version>4.13.2</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
     <build>
@@ -271,14 +306,44 @@
                 </executions>
             </plugin>
 
+            <!-- Surefire Plugin for API Tests -->
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
                 <version>2.22.2</version>
                 <configuration>
+                    <!-- Tests are skipped by default; use -Dtest to specify which tests to run -->
+                    <!-- Example: -Dtest='*IT' for integration tests, -Dtest='Test*' for unit tests -->
                     <skipTests>true</skipTests>
+                    <!-- OPTIMIZED: Parallel execution with controlled concurrency -->
+                    <parallel>classes</parallel>
+                    <threadCount>4</threadCount>
+                    <perCoreThreadCount>false</perCoreThreadCount>
+                    <useUnlimitedThreads>false</useUnlimitedThreads>
+                    <!-- Reuse forks for better performance -->
+                    <reuseForks>true</reuseForks>
+                    <forkCount>2</forkCount>
+                    <!-- Increase timeout for slow tests -->
+                    <forkedProcessTimeoutInSeconds>500</forkedProcessTimeoutInSeconds>
+                    <!-- Better memory management -->
+                    <!-- @{argLine} allows JaCoCo to inject its agent -->
+                    <argLine>@{argLine} -Xmx2048m -XX:MaxMetaspaceSize=512m</argLine>
                 </configuration>
             </plugin>
+            
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-report-plugin</artifactId>
+                <version>2.22.2</version>
+                <executions>
+                    <execution>
+                        <phase>test</phase>
+                        <goals>
+                            <goal>report-only</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
 
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
@@ -377,7 +442,7 @@
                         </goals>
                         <configuration>
                             <dataFile>target/jacoco.exec</dataFile>
-                            <outputDirectory>target/jacoco-ut</outputDirectory>
+                            <!-- outputDirectory removed - uses default: target/site/jacoco/ -->
                         </configuration>
                     </execution>
                 </executions>

send-report.sh

@@ -42,7 +42,7 @@ echo "📄 Generating Surefire HTML report..."
 mvn surefire-report:report-only
 
 echo "📤 Sending test report to Slack..."
-mvn compile exec:java -Dexec.mainClass="com.contentstack.sdk.SanityReport"
+mvn test-compile exec:java -Dexec.mainClass="com.contentstack.sdk.SanityReport" -Dexec.classpathScope=test
 
 # Restore pom.xml and clean up
 restore_pom