Bundles vulnerable copy of Expat - please update to 2.2.2

[hartwork]

Hi!

This repository bundles an outdated vulnerable copy of Expat 1.95.8. Please update your copy to version 2.2.2 with the latest security fixes. A change log with details is available at https://github.com/libexpat/libexpat/blob/master/expat/Changes . Thank you!

Best

 
Sebastian

[Naatan]

Thanks for reporting.

[mitchell-as]

After internal discussion, the action item is to switch from cElementTree (which bundles the old version of expat in question) to the Python stdlib's cElementTree, which should have more security updates.

[hartwork]

Wouldn't that bundle Expat as well? Or is this about a new no-bundle dependency? Also, Python itself still needs to update their bundle of Expat. I'd be curious about more details.

[mitchell-as]

Yes, but we off-load the maintenance duty to Python since Python includes the cElementTree module (which houses the out-dated expat you found) in its stdlib.

Komodo pre-dates Python 2.5, so it had to bundle an external, 3rd-party, C-based XML parser. Python 2.5 started including that parser in its standard library, but Komodo never shifted to using Python's version. This dependency is unnecessary.

[hartwork]

I see. As long as you keep the Python bundle up to date, I'm happy :)

[mitchell-as]

Komodo uses Python 2.7, which has updated their version of Expat (see https://bugs.python.org/issue30694). As mentioned previously in this ticket, the original reference to the old Expat you found is no longer used -- it's there as a legacy reference.

Closing ticket.