From 2462e3798295047ba35078b9634bcd129e887ffe Mon Sep 17 00:00:00 2001 From: Michael Alan Dorman Date: Thu, 2 Jul 2026 09:39:32 -0400 Subject: [PATCH] Bump quick-xml to 0.41 Clears RUSTSEC-2026-0194 (O(N^2) duplicate-attribute check) and RUSTSEC-2026-0195 (unbounded namespace-declaration allocation), DoS advisories against quick-xml < 0.41. The public quick-xml API used here is unchanged across 0.39 -> 0.41 and the full test suite passes. Attribute::decode_and_unescape_value is deprecated in 0.40 in favour of decoded_and_normalized_value but retains identical behaviour, so it is left unchanged to keep this bump minimal. --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 9f34ec9..d19f365 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -14,7 +14,7 @@ rust-version = "1.83" [dependencies] diligent-date-parser = "0.1.3" -quick-xml = { version = "0.39", features = ["encoding"] } +quick-xml = { version = "0.41", features = ["encoding"] } chrono = { version = "0.4", default-features = false, features = ["alloc"] } derive_builder = { version = "0.20", optional = true } serde = { version = "1.0", optional = true, features = ["derive"] }