update xml dep #3732

Description

@kevindeforth

Background

In #3730, we added dependencies to cargo-deny that can be removed once we update the xml dependency in our lockfile.

quick-xml DoS advisories are fixed in quick-xml >= 0.41.0. The dependency gets pulled in via pprof -> inferno and nearcore rust-s3/object_store/aws-creds (S3/AWS API responses).

None of these code paths parse attacker-controlled XML, so the vulnerable code paths are unreachable in our usage. This should be revisited once upstream releases depend on quick-xml >= 0.41.0.

User Story

As a dev, I like not having dependencies that are vulnerable to attacks

Acceptance Criteria

Bump xml dependency version

Resources & Additional Notes

No response
