Background
In #3730, we added dependencies to cargo-deny that can be removed once we update the xml dependency in our lockfile.
The quick-xml DoS advisories are fixed in quick-xml >= 0.41.0. The dependency gets pulled in via `pprof -> inferno` and via nearcore's `rust-s3/object_store/aws-creds` (S3/AWS API responses).
None of these code paths parse attacker-controlled XML, so the vulnerable code paths are unreachable in our usage. This should be revisited once upstream releases depend on quick-xml >= 0.41.0.
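A lockfile check for the bump described above, added here as an example (not code from this issue or from nearcore): it fails while any copy of quick-xml in Cargo.lock is still below 0.41.0, which is the condition for keeping the cargo-deny ignore. The lockfile contents and versions it uses are constructed.

```shell
# Added example, not from the issue or nearcore: fail when any quick-xml copy in
# a Cargo.lock is below 0.41.0, the fix version the issue cites. The lockfile
# contents and versions used below are constructed for the demo.
MIN_QUICK_XML="0.41.0"

# version_ge A B: succeed when dotted version A >= B (pre-release tags dropped).
version_ge() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}; a3=${a3%%[!0-9]*}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}; b3=${b3%%[!0-9]*}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "${a3:-0}" -ge "${b3:-0}" ]
}

# Print every quick-xml version in the lockfile: Cargo.lock may hold several
# copies, and bumping one dependency path does not prove the others moved.
quick_xml_versions() {
    awk '/^\[\[package\]\]/ { hit = 0 }
         /^name = "quick-xml"$/ { hit = 1 }
         hit && /^version = / { gsub(/"/, "", $3); print $3; hit = 0 }' "$1"
}

# Exit 0 only when every copy is at or above the fix, i.e. when the cargo-deny
# ignore added in #3730 can be dropped; a lockfile without quick-xml also passes.
check_quick_xml() {
    rc=0
    for v in $(quick_xml_versions "$1"); do
        version_ge "$v" "$MIN_QUICK_XML" && continue
        echo "stale: quick-xml $v < $MIN_QUICK_XML (keep the cargo-deny ignore)"
        rc=1
    done
    return $rc
}

# Write a constructed lockfile containing the given quick-xml versions.
sample_lock() {
    f=$(mktemp)
    for v in "$@"; do
        printf '[[package]]\nname = "quick-xml"\nversion = "%s"\n\n' "$v" >> "$f"
    done
    echo "$f"
}

# Demo: one copy bumped, one still lagging, so the check must still fail.
lock=$(sample_lock 0.41.0 0.37.2)
check_quick_xml "$lock" || echo "bump before removing the ignore"
rm -f "$lock"
```

Run it against the real lockfile with `check_quick_xml Cargo.lock` once the bump lands; a zero exit is the signal that the #3730 entries can go.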
User Story
As a dev, I like not having dependencies that are vulnerable to attacks
Acceptance Criteria
Bump xml dependency version
Resources & Additional Notes
No response