Skip to content

Bump quick-xml to 0.41#96

Closed
mdorman wants to merge 1 commit into
rust-syndication:masterfrom
jaunder-org:quick-xml-0.41
Closed

Bump quick-xml to 0.41#96
mdorman wants to merge 1 commit into
rust-syndication:masterfrom
jaunder-org:quick-xml-0.41

Conversation

@mdorman

@mdorman mdorman commented Jul 2, 2026

Copy link
Copy Markdown

Bump quick-xml to 0.41

quick-xml < 0.41 is affected by two RustSec advisories (both DoS on crafted XML,
reachable through atom_syndication parsing):

  • RUSTSEC-2026-0194O(N²) duplicate-attribute check in BytesStart::attributes()
  • RUSTSEC-2026-0195 — unbounded namespace-declaration allocation in NsReader

Both are fixed in quick-xml >= 0.41.0.

Change

Raise the quick-xml dependency from 0.39 to 0.41 (keeping features = ["encoding"]).

The public quick-xml API used by this crate is unchanged across 0.39 → 0.41
(Reader, Writer, events::*, Attributes) — the crate uses the plain Reader,
not NsReader, and wraps quick-xml errors rather than matching the enum exhaustively, so
the new variants don't affect it. The full test suite passes unmodified.

Attribute::decode_and_unescape_value is deprecated in 0.40 in favour of
decoded_and_normalized_value but retains identical behaviour, so it's left as-is here
to keep this change minimal; migrating it (it now takes an XmlVersion) can be a
separate follow-up if you'd prefer.

Clears RUSTSEC-2026-0194 (O(N^2) duplicate-attribute check) and
RUSTSEC-2026-0195 (unbounded namespace-declaration allocation), DoS
advisories against quick-xml < 0.41.

The public quick-xml API used here is unchanged across 0.39 -> 0.41 and the
full test suite passes. Attribute::decode_and_unescape_value is deprecated in
0.40 in favour of decoded_and_normalized_value but retains identical
behaviour, so it is left unchanged to keep this bump minimal.
@codecov

codecov Bot commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.50%. Comparing base (4a43f77) to head (2462e37).
⚠️ Report is 4 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master      #96      +/-   ##
==========================================
- Coverage   83.67%   83.50%   -0.18%     
==========================================
  Files          14       14              
  Lines        1011      964      -47     
==========================================
- Hits          846      805      -41     
+ Misses        165      159       -6     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@DCjanus

DCjanus commented Jul 2, 2026

Copy link
Copy Markdown
Member

Thanks for the quick-xml update, and sorry for the overlap. We ended up merging the earlier PR #95, which covers the same dependency upgrade and includes the 0.12.9 release prep.

Closing this one to avoid duplicate work.

@DCjanus DCjanus closed this Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants