
fix(security): bump quick-xml 0.37→0.41 (RUSTSEC-2026-0194/0195)#660

Merged
avrabe merged 1 commit into
mainfrom
fix/quick-xml-rustsec-2026-0194-0195
Jul 2, 2026

Conversation

@avrabe

@avrabe avrabe commented Jul 2, 2026

Contributor

Security bump

quick-xml 0.37.5 carries two advisories, both fixed in >=0.41.0:

  • RUSTSEC-2026-0194 — quadratic run time when checking a start tag for duplicate attribute names.
  • RUSTSEC-2026-0195 — unbounded namespace-declaration allocation in NsReader → memory-exhaustion DoS.

Both are reachable through reqif import of untrusted XML, and they were failing the Security Audit (RustSec) gate on every PR.

API adaptation

The 0.37→0.41 shift touched one consumer, rivet-core/src/junit.rs:

  • BytesText::unescape() was removed → decode() + escape::unescape() (decode bytes, then resolve entities — JUnit failure bodies carry </&).
  • Attribute::unescape_value() deprecated → normalized_value(XmlVersion::Implicit1_0) (spec-compliant XML-1.0 attribute-value normalization).
  • reqif.rs reads via serde (serialize feature), so it was unaffected.

Verification (behavior preserved)

  • rivet-core lib suite 1168 incl. junit 25 + reqif module tests
  • CLI reqif roundtrip integration test 4/4 (reqif_export_has_specification_and_roundtrips_via_cli, etc.)
  • cargo clippy --all-targets -- -D warnings exit 0 on both crates; cargo fmt clean
  • Lockfile carries only quick-xml 0.41.0 (no transitive 0.37)

Trace: skip — dependency security maintenance; maps to no rivet requirement.

🤖 Generated with Claude Code

…026-0195)

quick-xml 0.37.5 carries two advisories, both fixed in >=0.41.0:
- RUSTSEC-2026-0194: quadratic run time when checking a start tag for
  duplicate attribute names.
- RUSTSEC-2026-0195: unbounded namespace-declaration allocation in
  NsReader enabling a memory-exhaustion DoS.
Both are reachable through reqif import of untrusted XML. The advisories
were failing the Security Audit gate on every PR.

The 0.37→0.41 API shift touched one consumer, rivet-core/src/junit.rs:
- BytesText::unescape() was removed → decode() + escape::unescape().
- Attribute::unescape_value() deprecated → normalized_value(Implicit1_0)
  (spec-compliant XML-1.0 attribute-value normalization).
reqif.rs reads via serde (quick-xml `serialize`), so it was unaffected.

Behavior preserved: rivet-core lib suite (1168) incl. junit (25) + reqif
module tests, the CLI reqif roundtrip integration test (4), and
cargo clippy --all-targets -- -D warnings on both crates are all green.

Trace: skip
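The two replacement steps named under "API adaptation" (resolving entity references in already-decoded text, and XML 1.0 attribute-value normalization), as an added, dependency-free Rust model written for this page; it is neither quick-xml's implementation nor code from this PR, and it assumes the CDATA-typed attribute rules of XML 1.0 section 3.3.3. The malformed-reference and `&#10;` cases show why decoding precedes unescaping and why normalization must not flatten character references.

```rust
/// Resolve the body of one reference (the text between '&' and ';'):
/// the five predefined entities or a decimal/hex character reference.
fn resolve_entity(name: &str) -> Option<String> {
    let code = match name {
        "lt" => return Some("<".into()),
        "gt" => return Some(">".into()),
        "amp" => return Some("&".into()),
        "quot" => return Some("\"".into()),
        "apos" => return Some("'".into()),
        n if n.starts_with("#x") => u32::from_str_radix(&n[2..], 16).ok()?,
        n if n.starts_with('#') => n[1..].parse::<u32>().ok()?,
        _ => return None,
    };
    char::from_u32(code).map(String::from)
}

/// Replace references in already-decoded text (the step that follows
/// decode()). An unterminated or unknown reference is an error, not
/// something passed through silently into a JUnit failure message.
pub fn unescape(raw: &str) -> Result<String, String> {
    let mut out = String::with_capacity(raw.len());
    let mut rest = raw;
    while let Some(i) = rest.find('&') {
        out.push_str(&rest[..i]);
        let after = &rest[i + 1..];
        let end = after.find(';').ok_or("unterminated reference")?;
        let name = &after[..end];
        out.push_str(&resolve_entity(name).ok_or_else(|| format!("unknown reference &{name};"))?);
        rest = &after[end + 1..];
    }
    out.push_str(rest);
    Ok(out)
}

/// Model of XML 1.0 attribute-value normalization (section 3.3.3, CDATA type):
/// line ends are unified, literal tab/CR/LF become spaces, and references are
/// resolved last, so a &#10; written by the producer still yields a newline.
pub fn normalize_attr_value(raw: &str) -> Result<String, String> {
    let spaced: String = raw.replace("\r\n", "\n").chars()
        .map(|c| if matches!(c, '\t' | '\n' | '\r') { ' ' } else { c }).collect();
    unescape(&spaced)
}

/// Decode-then-unescape order: bytes become a str first, then references are resolved.
pub fn text_from_bytes(raw: &[u8]) -> Result<String, String> {
    let decoded = std::str::from_utf8(raw).map_err(|e| e.to_string())?;
    unescape(decoded)
}
```

Inputs such as `b"expected a &lt; b &amp;&amp; c"` are constructed for illustration, not taken from a real JUnit report.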
@github-actions

github-actions Bot commented Jul 2, 2026


📐 Rivet artifact delta

No artifact changes in this PR. Code-only changes (renderer, CLI wiring, tests) don't touch the artifact graph.

@avrabe avrabe merged commit c7a59b3 into main Jul 2, 2026
26 of 27 checks passed
@avrabe avrabe deleted the fix/quick-xml-rustsec-2026-0194-0195 branch July 2, 2026 15:04

@github-actions github-actions Bot left a comment


⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'Rivet Criterion Benchmarks'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.20.

| Benchmark suite | Current: b71895a | Previous: 68de65c | Ratio |
|---|---|---|---|
| traceability_matrix/1000 | 58144 ns/iter (± 404) | 43888 ns/iter (± 403) | 1.32 |
| query/10000 | 334499 ns/iter (± 2826) | 251668 ns/iter (± 7507) | 1.33 |
| document_parse/100 | 173961 ns/iter (± 493) | 143906 ns/iter (± 1186) | 1.21 |

This comment was automatically generated by workflow using github-action-benchmark.

@codecov

codecov Bot commented Jul 2, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
