Handling your first CVE is exciting! It seems like XML entity expansion is supposed to be a "feature", and I feel like gson would have removed the option if it was inherently vulnerable. Is it one of those things--like building SQL without prepared statement parameters--that you should only use if you trust the input?

Yes. It was a definite rookie mistake (mine). Was good to test out the GitHub security vulnerability process, and the researcher was a very nice chap. As with all these things... It was a one line change to fix.. and most of the 6hour timespan was waiting for things to happen in the background, which is a bit of a win I suppose 🙃