Skip to content

fix(deps): bump quick-xml 0.37 → 0.41 (RUSTSEC-2026-0194/0195)#2866

Closed
kvag0 wants to merge 1 commit into
rtk-ai:developfrom
kvag0:fix/quick-xml-rustsec
Closed

fix(deps): bump quick-xml 0.37 → 0.41 (RUSTSEC-2026-0194/0195)#2866
kvag0 wants to merge 1 commit into
rtk-ai:developfrom
kvag0:fix/quick-xml-rustsec

Conversation

@kvag0

@kvag0 kvag0 commented Jul 7, 2026

Copy link
Copy Markdown

What

Bumps quick-xml from 0.37.5 → 0.41.0 to clear two RustSec advisories flagged by osv-scanner:

  • RUSTSEC-2026-0194
  • RUSTSEC-2026-0195

Both advisories are against quick-xml 0.37.5 (a direct dependency); 0.41.0 is the first release that clears them.

API migration

quick-xml 0.41 reworked text/attribute decoding. quick-xml is used in exactly two dotnet call sites, both required small, mechanical changes:

File Before (0.37) After (0.41) Notes
src/cmds/dotnet/dotnet_cmd.rs BytesText::unescape() BytesText::decode() unescape() was removed. The call reads the MTP <UseTestingPlatformRunner>true</…> boolean text node — no entity resolution needed, so decode() is the correct equivalent.
src/cmds/dotnet/dotnet_trx.rs Attribute::decode_and_unescape_value(decoder) Attribute::decoded_and_normalized_value(XmlVersion::default(), decoder) The old method is deprecated (compiled under -D warnings). XmlVersion::default() is XML 1.0, matching TRX files. Normalization is a no-op for the simple attribute values parsed (testName, outcome, counter integers, timestamps).

Note: the TRX Event::Text/Event::CData handlers already consumed raw bytes via String::from_utf8_lossy, so they were unaffected by the entity-handling redesign.

Validation

  • cargo build — clean
  • cargo build --release — clean
  • cargo clippy --all-targets — no issues
  • dotnet test suite (116 tests) — pass

The one unrelated failure in tests/grep_compress_test.rs::small_grep_not_worse_than_plain is pre-existing on develop (verified by stashing this change) and does not involve quick-xml or the dotnet modules.

Risk

Low. Two localized, mechanical call-site migrations behind a green dotnet test suite. No behavior change for realistic inputs.

🤖 Generated with Claude Code

Resolves two RustSec advisories (RUSTSEC-2026-0194, RUSTSEC-2026-0195)
reported by osv-scanner against quick-xml 0.37.5.

quick-xml 0.41 reworked text/attribute decoding, so two dotnet call
sites needed mechanical migration:

- dotnet_cmd.rs: BytesText::unescape() was removed; use decode() to
  read the MTP boolean text node (no entity resolution needed here).
- dotnet_trx.rs: Attribute::decode_and_unescape_value() is deprecated
  in favor of decoded_and_normalized_value(version, decoder). Pass
  XmlVersion::default() (XML 1.0) which matches TRX files; normalization
  is a no-op for the simple attribute values parsed (testName, outcome,
  counters, timestamps).

Validation: cargo build, cargo build --release, and cargo clippy
--all-targets all clean; dotnet test suite (116 tests) passes.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@kvag0

kvag0 commented Jul 7, 2026

Copy link
Copy Markdown
Author

Closing — should target our own fork, not upstream. Reopening on kvag0/rtk.

@kvag0 kvag0 closed this Jul 7, 2026
@kvag0 kvag0 deleted the fix/quick-xml-rustsec branch July 7, 2026 16:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant