Bump quick-xml to 0.41#190
Merged
Merged
Conversation
Clears RUSTSEC-2026-0194 (O(N^2) duplicate-attribute check) and RUSTSEC-2026-0195 (unbounded namespace-declaration allocation), DoS advisories against quick-xml < 0.41. The public quick-xml API used here is unchanged across 0.39 -> 0.41 and the full --all-features test suite passes. Attribute::decode_and_unescape_value is deprecated in 0.40 in favour of decoded_and_normalized_value but retains identical behaviour, so it is left unchanged to keep this bump minimal.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #190 +/- ##
=======================================
Coverage 80.98% 80.98%
=======================================
Files 23 23
Lines 1530 1530
=======================================
Hits 1239 1239
Misses 291 291 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Member
|
Thanks for the quick-xml update! This has been merged and included in the upcoming 2.1.0 release (#192). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bump quick-xml to 0.41
quick-xml
< 0.41is affected by two RustSec advisories (both DoS on crafted XML,reachable through RSS/atom parsing):
O(N²)duplicate-attribute check inBytesStart::attributes()NsReaderBoth are fixed in quick-xml
>= 0.41.0.Change
Raise the
quick-xmldependency from0.39to0.41(keepingfeatures = ["encoding"]).The public quick-xml API used by this crate is unchanged across
0.39 → 0.41(
Reader,Writer,events::*,Attributes,escape::resolve_predefined_entity) —the crate uses the plain
Reader, notNsReader, and wraps quick-xml errors rather thanmatching the enum exhaustively. The full
--all-featurestest suite passes unmodified.Attribute::decode_and_unescape_valueis deprecated in 0.40 in favour ofdecoded_and_normalized_valuebut retains identical behaviour, so it's left as-is hereto keep this change minimal.
Note on
atom_syndicationWith the
atomfeature enabled, this crate depends onatom_syndication, which stillpins quick-xml
^0.39. A companion PR raisingatom_syndicationto quick-xml 0.41 isopen at rust-syndication/atom#96; merging/releasing that first avoids a transient
quick-xml version split for
rssbuilds using theatomfeature.