fix(deps): bump quick-xml 0.37 → 0.41 (RUSTSEC-2026-0194/0195)#2866
Closed
kvag0 wants to merge 1 commit into
Closed
fix(deps): bump quick-xml 0.37 → 0.41 (RUSTSEC-2026-0194/0195)#2866kvag0 wants to merge 1 commit into
kvag0 wants to merge 1 commit into
Conversation
Resolves two RustSec advisories (RUSTSEC-2026-0194, RUSTSEC-2026-0195) reported by osv-scanner against quick-xml 0.37.5. quick-xml 0.41 reworked text/attribute decoding, so two dotnet call sites needed mechanical migration: - dotnet_cmd.rs: BytesText::unescape() was removed; use decode() to read the MTP boolean text node (no entity resolution needed here). - dotnet_trx.rs: Attribute::decode_and_unescape_value() is deprecated in favor of decoded_and_normalized_value(version, decoder). Pass XmlVersion::default() (XML 1.0) which matches TRX files; normalization is a no-op for the simple attribute values parsed (testName, outcome, counters, timestamps). Validation: cargo build, cargo build --release, and cargo clippy --all-targets all clean; dotnet test suite (116 tests) passes. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Author
|
Closing — should target our own fork, not upstream. Reopening on kvag0/rtk. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Bumps
quick-xmlfrom 0.37.5 → 0.41.0 to clear two RustSec advisories flagged byosv-scanner:Both advisories are against
quick-xml 0.37.5(a direct dependency); 0.41.0 is the first release that clears them.API migration
quick-xml 0.41 reworked text/attribute decoding.
quick-xmlis used in exactly two dotnet call sites, both required small, mechanical changes:src/cmds/dotnet/dotnet_cmd.rsBytesText::unescape()BytesText::decode()unescape()was removed. The call reads the MTP<UseTestingPlatformRunner>true</…>boolean text node — no entity resolution needed, sodecode()is the correct equivalent.src/cmds/dotnet/dotnet_trx.rsAttribute::decode_and_unescape_value(decoder)Attribute::decoded_and_normalized_value(XmlVersion::default(), decoder)-D warnings).XmlVersion::default()is XML 1.0, matching TRX files. Normalization is a no-op for the simple attribute values parsed (testName,outcome, counter integers, timestamps).Note: the TRX
Event::Text/Event::CDatahandlers already consumed raw bytes viaString::from_utf8_lossy, so they were unaffected by the entity-handling redesign.Validation
cargo build— cleancargo build --release— cleancargo clippy --all-targets— no issuesThe one unrelated failure in
tests/grep_compress_test.rs::small_grep_not_worse_than_plainis pre-existing ondevelop(verified by stashing this change) and does not involve quick-xml or the dotnet modules.Risk
Low. Two localized, mechanical call-site migrations behind a green dotnet test suite. No behavior change for realistic inputs.
🤖 Generated with Claude Code