
fix: address quick-xml security advisories #30941

Merged
bolinfest merged 1 commit into main from pr30941 on Jul 2, 2026

Conversation

@bolinfest bolinfest commented Jul 2, 2026

Collaborator

Why

The cargo-deny job on main began failing after RUSTSEC-2026-0194 and RUSTSEC-2026-0195 flagged the workspace's quick-xml 0.38.4. Both denial-of-service issues are fixed in quick-xml 0.41.0.

A quick-xml 0.39.4 copy must temporarily remain because the latest plist and wayland-scanner releases have not adopted 0.41 yet. Neither retained path accepts attacker-controlled XML at runtime: plist does not exercise the affected APIs, and wayland-scanner parses trusted protocol definitions at build time. Compatible upstream bumps are already open in rust-plist#191 and wayland-rs#938.

What changed

  • Upgrade the workspace quick-xml dependency used by codex-protocol to 0.41.0.
  • Refresh Cargo.lock and MODULE.bazel.lock; this also updates plist to 1.9.0 and wayland-scanner to 0.31.10.
  • Add synchronized, temporary cargo-deny and cargo-audit exceptions for the trusted quick-xml 0.39.4 paths, with both upstream releases recorded as the removal condition.

Testing

  • cargo deny check
  • just test -p codex-protocol (238 tests)
  • just bazel-lock-check

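The "synchronized, temporary" exception described in the PR can be expressed in cargo-deny's `deny.toml` roughly as follows. This is an added illustration, not the project's actual configuration: the advisory IDs and upstream PR references are the ones named in the description, while the `reason` wording and the `[bans]` duplicate-version skip are assumptions about how such an exception would be written.

```toml
# deny.toml (illustrative; not the project's file)

[advisories]
# Temporary exceptions for the quick-xml 0.39.4 copy that is reached only
# through plist and wayland-scanner, neither of which feeds attacker-controlled
# XML to the affected APIs at runtime. The reason field records the removal
# condition so the exception does not outlive the upstream bumps
# (rust-plist#191 and wayland-rs#938); the wording is assumed.
ignore = [
  { id = "RUSTSEC-2026-0194", reason = "only quick-xml 0.39.4 via plist/wayland-scanner; drop once rust-plist#191 and wayland-rs#938 ship" },
  { id = "RUSTSEC-2026-0195", reason = "same scope and removal condition as RUSTSEC-2026-0194" },
]

[bans]
# The workspace now carries quick-xml 0.41.0 next to the transitive 0.39.4.
# Allow that one specific duplicate instead of disabling duplicate-version
# checking for the whole graph (assumed: the project enforces multiple-versions).
multiple-versions = "deny"
skip = [
  { name = "quick-xml", version = "=0.39.4" },
]
```

The cargo-audit counterpart lives in `.cargo/audit.toml` as `[advisories]` with `ignore = ["RUSTSEC-2026-0194", "RUSTSEC-2026-0195"]`; the two lists need to be edited together, which is what "synchronized" refers to. Before accepting the exception, `cargo tree -i quick-xml@0.39.4` shows the reverse dependencies of the old copy, which is the concrete check that only plist and wayland-scanner still pull it in.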
@bolinfest bolinfest marked this pull request as ready for review July 2, 2026 17:56
@bolinfest bolinfest merged commit 0ccb676 into main Jul 2, 2026
43 checks passed
@bolinfest bolinfest deleted the pr30941 branch July 2, 2026 17:59
@github-actions github-actions Bot locked and limited conversation to collaborators Jul 2, 2026