Skip to content

Bump quick-xml to 0.41.0 for RustSec advisories #787

Description

@alamb

The arrow-rs audit workflow is currently failing on two quick-xml advisories pulled in transitively through object_store:

Both advisories report a fix in quick-xml >=0.41.0.

Current release state:

  • arrow-rs depends on object_store 0.13.2, which resolves quick-xml 0.39.4
  • object_store 0.14.0 is published, but its manifest still depends on quick-xml 0.40.1, so it is not sufficient for these advisories
  • object_store main appears to have quick-xml = 0.41.0 already

It would be helpful to cut an object_store release containing the quick-xml >=0.41.0 bump so downstream projects can remove temporary cargo-audit ignores.

Downstream arrow-rs temporary ignore PR: apache/arrow-rs#10267

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions