fix(security): bump quick-xml 0.37→0.41 (RUSTSEC-2026-0194/0195)#660
Merged
Conversation
…026-0195)
quick-xml 0.37.5 carries two advisories, both fixed in >=0.41.0:
- RUSTSEC-2026-0194: quadratic run time when checking a start tag for duplicate attribute names.
- RUSTSEC-2026-0195: unbounded namespace-declaration allocation in NsReader enabling a memory-exhaustion DoS.
Both are reachable through reqif import of untrusted XML. The advisories were failing the Security Audit gate on every PR.
The 0.37→0.41 API shift touched one consumer, rivet-core/src/junit.rs:
- BytesText::unescape() was removed → decode() + escape::unescape().
- Attribute::unescape_value() deprecated → normalized_value(Implicit1_0) (spec-compliant XML-1.0 attribute-value normalization).
reqif.rs reads via serde (quick-xml `serialize`), so it was unaffected.
Behavior preserved: rivet-core lib suite (1168) incl. junit (25) + reqif module tests, the CLI reqif roundtrip integration test (4), and cargo clippy --all-targets -- -D warnings on both crates are all green.
Trace: skip
📐 Rivet artifact delta: No artifact changes in this PR. Code-only changes (renderer, CLI wiring, tests) don't touch the artifact graph.
⚠️ Performance Alert ⚠️
Possible performance regression was detected for benchmark 'Rivet Criterion Benchmarks'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.20.
| Benchmark suite | Current: b71895a | Previous: 68de65c | Ratio |
|---|---|---|---|
| traceability_matrix/1000 | 58144 ns/iter (± 404) | 43888 ns/iter (± 403) | 1.32 |
| query/10000 | 334499 ns/iter (± 2826) | 251668 ns/iter (± 7507) | 1.33 |
| document_parse/100 | 173961 ns/iter (± 493) | 143906 ns/iter (± 1186) | 1.21 |
This comment was automatically generated by workflow using github-action-benchmark.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Security bump
quick-xml 0.37.5 carries two advisories, both fixed in >=0.41.0:
- RUSTSEC-2026-0194: quadratic run time when checking a start tag for duplicate attribute names.
- RUSTSEC-2026-0195: unbounded namespace-declaration allocation in NsReader → memory-exhaustion DoS.
Both are reachable through reqif import of untrusted XML, and they were failing the Security Audit (RustSec) gate on every PR.
API adaptation
The 0.37→0.41 shift touched one consumer, rivet-core/src/junit.rs:
- BytesText::unescape() was removed → decode() + escape::unescape() (decode bytes, then resolve entities; JUnit failure bodies carry `<`/`&`).
- Attribute::unescape_value() deprecated → normalized_value(XmlVersion::Implicit1_0) (spec-compliant XML-1.0 attribute-value normalization).
reqif.rs reads via serde (`serialize` feature), so it was unaffected.
Verification (behavior preserved)
- rivet-core lib suite (1168) incl. junit (25) + reqif module tests
- CLI reqif roundtrip integration tests (4; reqif_export_has_specification_and_roundtrips_via_cli, etc.)
- cargo clippy --all-targets -- -D warnings exit 0 on both crates; cargo fmt clean
Trace: skip — dependency security maintenance; maps to no rivet requirement.
🤖 Generated with Claude Code
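The junit.rs migration splits text handling into two steps (decode bytes, then resolve entities) and moves attribute values onto XML 1.0 attribute-value normalization. The stand-alone Rust below is an added example, not code from this PR or from quick-xml: it is a hand-written resolver modelled on XML 1.0 §3.3.3 that a reviewer could use as an oracle when checking the "behavior preserved" claim on JUnit input. It shows the one place the two paths legitimately differ: a literal newline or tab inside an attribute value becomes a space under normalization, while a `&#10;` character reference stays a newline, and plain unescaping leaves literal whitespace alone (that the deprecated path did no whitespace normalization is an assumption drawn from the PR's "spec-compliant" remark). The error enum, function names and sample strings are this example's own.

```rust
/// Errors from the hand-written decode / unescape / normalize oracle below
/// (names are this example's own, not quick-xml's).
#[derive(Debug, PartialEq)]
pub enum XmlTextError {
    InvalidUtf8,
    UnterminatedReference,
    UnknownEntity(String),
    BadCharRef(String),
}

/// Resolve one reference name (the text between `&` and `;`): the five
/// predefined entities plus decimal and hex character references.
fn resolve_reference(name: &str) -> Result<char, XmlTextError> {
    let ch = match name {
        "lt" => '<',
        "gt" => '>',
        "amp" => '&',
        "quot" => '"',
        "apos" => '\'',
        _ if name.starts_with("#x") => u32::from_str_radix(&name[2..], 16)
            .ok()
            .and_then(char::from_u32)
            .ok_or_else(|| XmlTextError::BadCharRef(name.to_string()))?,
        _ if name.starts_with('#') => name[1..]
            .parse::<u32>()
            .ok()
            .and_then(char::from_u32)
            .ok_or_else(|| XmlTextError::BadCharRef(name.to_string()))?,
        _ => return Err(XmlTextError::UnknownEntity(name.to_string())),
    };
    Ok(ch)
}

/// Append a run of literal (non-reference) text. In attribute mode, XML 1.0
/// §3.3.3 maps each literal #x20, #x9, #xA, #xD to a single #x20.
fn push_literal(out: &mut String, s: &str, normalize_ws: bool) {
    if normalize_ws {
        out.extend(s.chars().map(|c| if matches!(c, ' ' | '\t' | '\n' | '\r') { ' ' } else { c }));
    } else {
        out.push_str(s);
    }
}

/// Shared walker: literal runs go through `push_literal`, references are
/// resolved and appended verbatim. Because the whitespace rule is applied to
/// literal runs only, `&#10;` survives as a newline even in attribute mode.
fn process(raw: &str, normalize_ws: bool) -> Result<String, XmlTextError> {
    let mut out = String::with_capacity(raw.len());
    let mut rest = raw;
    while let Some(amp) = rest.find('&') {
        push_literal(&mut out, &rest[..amp], normalize_ws);
        let after = &rest[amp + 1..];
        let semi = after.find(';').ok_or(XmlTextError::UnterminatedReference)?;
        out.push(resolve_reference(&after[..semi])?);
        rest = &after[semi + 1..];
    }
    push_literal(&mut out, rest, normalize_ws);
    Ok(out)
}

/// Text-content path: the role that `decode()` + `escape::unescape()` play in the PR.
pub fn unescape(raw: &str) -> Result<String, XmlTextError> {
    process(raw, false)
}

/// Same path starting from the raw bytes a reader hands over: decode first, then unescape.
pub fn unescape_bytes(raw: &[u8]) -> Result<String, XmlTextError> {
    let text = std::str::from_utf8(raw).map_err(|_| XmlTextError::InvalidUtf8)?;
    unescape(text)
}

/// Attribute path: the role of `normalized_value(XmlVersion::Implicit1_0)` in the PR.
/// With no DTD every attribute is CDATA, so only the whitespace rule applies.
pub fn normalize_attribute_value(raw: &str) -> Result<String, XmlTextError> {
    process(raw, true)
}

fn main() {
    // Constructed samples shaped like a JUnit <failure> body and a message attribute.
    let body = b"expected &lt;1&gt; but was &lt;2&gt; &amp; more";
    println!("{}", unescape_bytes(body).unwrap());
    let attr = "line one&#10;line two\n\tindented";
    println!("{:?} vs {:?}", unescape(attr).unwrap(), normalize_attribute_value(attr).unwrap());
}
```

Feeding the same raw bytes through this oracle and through the migrated junit.rs on a corpus of real JUnit reports is a cheap way to confirm that the only observable change is the attribute whitespace rule, which is the change the PR intends.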