Bug
Resolution: Unresolved
Minor
FileTimerPersistence doesn't handle CWE-611 (Improper Restriction of XML External Entity Reference, https://cwe.mitre.org/data/definitions/611.html) properly.
Even in a trusted environment with trusted sources, it's recommended that you use both external access restrictions and resolvers to minimize dependencies on external sources.
The 'external access restrictions' bit is handled by never calling XMLInputFactory.createXMLStreamReader without first calling XMLInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false) on the factory.
The 'resolvers' bit is handled by setting an XMLResolver (via XMLInputFactory.setXMLResolver) whose resolveEntity method always returns "".
The files it's reading are our own files, so fixing this is just a matter of hardening against the weakness.
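The two measures described above, as an added example (not FileTimerPersistence's own code): a StAX factory configured with external entities disabled, DTD support disabled as an extra layer, and a resolver that expands any entity the parser still asks about to the empty string. The sample document with a file-backed external entity is constructed for the demonstration. Note that whether a StAX implementation silently drops the entity or rejects the document with an XMLStreamException under these settings is implementation-defined, so the code handles both outcomes; either way no file content reaches the caller.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class HardenedStaxReader {

    // Constructed sample: a document that declares an external entity backed by a
    // local file and references it in element content. An unhardened parser would
    // expand &xxe; to the file's contents.
    private static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE timers [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n" +
        "<timers><timer>&xxe;</timer></timers>";

    // 'Before': a factory with whatever defaults the StAX implementation ships.
    // Whether external entities are expanded here is implementation-defined.
    public static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newInstance();
    }

    // 'After': the hardened factory the report asks for. External entity support is
    // switched off before any createXMLStreamReader call, and a resolver that returns
    // "" is installed so nothing external is ever fetched.
    public static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Extra layer beyond what the report lists: with no DTD processing there is
        // nowhere to declare an external entity in the first place.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setXMLResolver(new XMLResolver() {
            @Override
            public Object resolveEntity(String publicID, String systemID,
                                        String baseURI, String namespace) {
                // Every entity resolves to the empty string, never to a file or URL.
                return "";
            }
        });
        return factory;
    }

    // Parse with the given factory and return the concatenated character content.
    // Throws if the implementation rejects the document outright (for example because
    // DTD support is disabled and a DOCTYPE is present).
    public static String readText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return text.toString();
    }

    private static void demo(String label, XMLInputFactory factory) {
        try {
            String text = readText(factory, SAMPLE_XML);
            System.out.println(label + ": parsed, text content = [" + text + "]");
        } catch (XMLStreamException e) {
            System.out.println(label + ": parser rejected the document: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        demo("default factory ", defaultFactory());
        demo("hardened factory", hardenedFactory());
    }
}
```

With the hardened factory the text content is either empty or the parse fails early; with the default factory the outcome depends on the StAX implementation on the classpath, which is exactly why the properties must be set explicitly rather than relying on defaults.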