Bump quick-xml to 0.41#96
Closed
mdorman wants to merge 1 commit into
Closed
Conversation
Clears RUSTSEC-2026-0194 (O(N^2) duplicate-attribute check) and RUSTSEC-2026-0195 (unbounded namespace-declaration allocation), DoS advisories against quick-xml < 0.41. The public quick-xml API used here is unchanged across 0.39 -> 0.41 and the full test suite passes. Attribute::decode_and_unescape_value is deprecated in 0.40 in favour of decoded_and_normalized_value but retains identical behaviour, so it is left unchanged to keep this bump minimal.
This was referenced Jul 2, 2026
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #96 +/- ##
==========================================
- Coverage 83.67% 83.50% -0.18%
==========================================
Files 14 14
Lines 1011 964 -47
==========================================
- Hits 846 805 -41
+ Misses 165 159 -6 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Member
|
Thanks for the quick-xml update, and sorry for the overlap. We ended up merging the earlier PR #95, which covers the same dependency upgrade and includes the 0.12.9 release prep. Closing this one to avoid duplicate work. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bump quick-xml to 0.41
quick-xml
< 0.41is affected by two RustSec advisories (both DoS on crafted XML,reachable through
atom_syndicationparsing):O(N²)duplicate-attribute check inBytesStart::attributes()NsReaderBoth are fixed in quick-xml
>= 0.41.0.Change
Raise the
quick-xmldependency from0.39to0.41(keepingfeatures = ["encoding"]).The public quick-xml API used by this crate is unchanged across
0.39 → 0.41(
Reader,Writer,events::*,Attributes) — the crate uses the plainReader,not
NsReader, and wraps quick-xml errors rather than matching the enum exhaustively, sothe new variants don't affect it. The full test suite passes unmodified.
Attribute::decode_and_unescape_valueis deprecated in 0.40 in favour ofdecoded_and_normalized_valuebut retains identical behaviour, so it's left as-is hereto keep this change minimal; migrating it (it now takes an
XmlVersion) can be aseparate follow-up if you'd prefer.