RUSTSEC-2022-0048: xml-rs is Unmaintained

Question

RUSTSEC-2022-0048: xml-rs is Unmaintained

Opened this issue 2 years ago · 1 comments

xml-rs is Unmaintained

Details
Status	unmaintained
Package	`xml-rs`
Version	`0.8.4`
URL	https://github.com/netvl/xml-rs/issues
Date	2022-01-26

xml-rs is a XML parser has open issues around parsing including integer
overflows / panics that may or may not be an issue with untrusted data.

Together with these open issues with Unmaintained status xml-rs
may or may not be suited to parse untrusted data.

Alternatives

quick-xml

See advisory page for additional details.

Answer 1 · 2022-11-17T19:28:15.000Z

cargo tree --invert xml-rs
xml-rs v0.8.4
├── gl_generator v0.14.0
│   [build-dependencies]
│   ├── glutin_egl_sys v0.1.6
│   │   └── glutin v0.29.1
│   │       └── eframe v0.19.0
│   │           [dev-dependencies]
│   │           └── reducer v3.0.1 (/home/bruno/projects/rust/reducer)
│   └── glutin_glx_sys v0.1.8
│       └── glutin v0.29.1 (*)
└── wayland-scanner v0.29.5
    [build-dependencies]
    ├── wayland-client v0.29.5
    │   ├── glutin v0.29.1 (*)
    │   ├── smithay-client-toolkit v0.16.0
    │   │   ├── sctk-adwaita v0.4.3
    │   │   │   └── winit v0.27.5
    │   │   │       ├── eframe v0.19.0 (*)
    │   │   │       ├── egui-winit v0.19.0
    │   │   │       │   └── eframe v0.19.0 (*)
    │   │   │       └── glutin v0.29.1 (*)
    │   │   ├── smithay-clipboard v0.6.6
    │   │   │   └── egui-winit v0.19.0 (*)
    │   │   └── winit v0.27.5 (*)
    │   ├── smithay-clipboard v0.6.6 (*)
    │   ├── wayland-cursor v0.29.5
    │   │   └── smithay-client-toolkit v0.16.0 (*)
    │   ├── wayland-egl v0.29.5
    │   │   └── glutin v0.29.1 (*)
    │   ├── wayland-protocols v0.29.5
    │   │   ├── smithay-client-toolkit v0.16.0 (*)
    │   │   └── winit v0.27.5 (*)
    │   └── winit v0.27.5 (*)
    └── wayland-protocols v0.29.5 (*)