fix(deps): update dependency io.minio:minio to v8.6.0 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
io.minio:minio	compile	minor	8.5.17 -> 8.6.0

GitHub Vulnerability Alerts

CVE-2025-59952

Description

In minio-java versions prior to 8.6.0, XML tag values containing references to system properties or environment variables were automatically substituted with their actual values during processing. This unintended behavior could lead to the exposure of sensitive information, including credentials, file paths, or system configuration details, if such references were present in XML content from untrusted sources.

Affected Versions

• minio-java < 8.6.0

All applications utilizing affected versions of minio-java for parsing XML with potentially untrusted input are vulnerable.

Impact

This vulnerability poses a high risk of information disclosure. Attackers could craft malicious XML inputs to extract sensitive data from the system's properties or environment variables, potentially compromising security in applications relying on minio-java for object storage operations.

Patches

The issue is resolved in minio-java version 8.6.0 and later. In these versions, automatic substitution of XML tag values with system properties or environment variables has been disabled.

Users are strongly advised to upgrade to minio-java 8.6.0 or a newer release to mitigate the vulnerability.

Workarounds

No full workarounds exist without upgrading the library. As interim measures:

• Refrain from processing XML data from untrusted or external sources.
• Implement input sanitization or validation to detect and remove references to
  system properties or environment variables in XML content.

---

Release Notes

minio/minio-java (io.minio:minio)

v8.6.0: Bugfix release 8.6.0

Compare Source

What's Changed

• Add missing fields as per S3 specification by @​balamurugana in #​1618
• Add new APIs by @​balamurugana in #​1619
• MinioAdminClient: add missing fields to listServiceAccount API by @​jongmin-chung in #​1624
• upgrade gradle and dependencies by @​balamurugana in #​1622
• build: use jreleaser for making release by @​balamurugana in #​1635
• Upgrade dependencies by @​balamurugana in #​1657
• Upgrade commons-compress for CVE-2025-48924 by @​inuyasha82 in #​1662
• xml: disable property/environment variable substitution by @​balamurugana in #​1667
• jreleaser: move to MavenCentral deployer by @​balamurugana in #​1668

New Contributors

• @​jongmin-chung made their first contribution in #​1624

Full Changelog: minio/minio-java@8.5.17...8.6.0

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}