GNU bug report logs - #78727
diffoscope.comparators.xml: Vulnerable version of pyexpat detected; disabling comparison of XML documents. Install defusedxml or upgrade your pyexpat.


Package: guix;

Reported by: "nomike (they/them)" <nomike <at> nomike.com>

Date: Mon, 9 Jun 2025 04:16:02 UTC

Severity: normal


From: "nomike (they/them)" <nomike <at> nomike.com>
To: 78727 <at> debbugs.gnu.org
Subject: bug#78727: diffoscope.comparators.xml: Vulnerable version of pyexpat detected; disabling comparison of XML documents. Install defusedxml or upgrade your pyexpat.
Date: Mon, 9 Jun 2025 06:15:21 +0200
Hi!

When running `diffoscope` it complains about the version of pyexpat 
being vulnerable.
I wasn't able to find any package named 'pyexpat' or 'python-expat' in 
Guix; there is also nothing related to expat in the package inputs of 
'diffoscope'.
'diffoscope' is at the latest available version.

There is the package 'expat' of course, which is at version 2.5.0 and 
could in theory be upgraded to version 2.7.1, but that would trigger 
28379 rebuilds, so it's nothing which could be done easily. And I'm not 
even sure if this would fix the vulnerability after all.
And maybe this has been dealt with via grafts ¯\_(ツ)_/¯?

Thanks

nomike
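As an added illustration (not part of the report above, and not diffoscope's own check), the following script shows two things a Guix user can verify from inside the interpreter: which expat library the running Python actually links, since `pyexpat` is part of the Python package itself rather than a separate package and a graft would change the linked library without a rebuild; and a cheap pre-screen that refuses XML declaring entities, the input class defusedxml guards against, before the document reaches a parser that would expand them. The sample document is constructed for the demonstration.

```python
"""Inspect the expat this Python links and pre-screen XML for entity declarations."""
import pyexpat
import xml.parsers.expat

def expat_version():
    """Version tuple of the expat library linked into the running interpreter."""
    return tuple(pyexpat.version_info)

def defusedxml_available():
    """True if defusedxml imports (the alternative the diffoscope warning suggests)."""
    try:
        import defusedxml  # noqa: F401
    except ImportError:
        return False
    return True

class _DoctypeDone(Exception):
    """Raised from a handler to stop expat once the DOCTYPE has been read."""

def entity_declarations(data):
    """Count entity declarations without expanding them: parsing is aborted
    when the DOCTYPE closes, so the document body is never processed."""
    count = 0
    parser = xml.parsers.expat.ParserCreate()

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        nonlocal count
        count += 1

    def on_end_doctype():
        raise _DoctypeDone

    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_end_doctype
    try:
        parser.Parse(data, True)
    except _DoctypeDone:
        pass  # DOCTYPE fully read; stop before any entity is expanded
    return count

# Constructed sample: a two-level entity-expansion document, harmless at this size.
BOMB = ('<?xml version="1.0"?>\n<!DOCTYPE x [\n  <!ENTITY a "aaaa">\n'
        '  <!ENTITY b "&a;&a;&a;&a;">\n]>\n<x>&b;</x>\n')
PLAIN = '<?xml version="1.0"?><x><y>ok</y></x>'

if __name__ == "__main__":
    print("expat:", pyexpat.EXPAT_VERSION, "defusedxml:", defusedxml_available())
    print("entities declared:", entity_declarations(BOMB), entity_declarations(PLAIN))
```

Run it with the same `python` that diffoscope uses (for example `guix shell python diffoscope -- python3 check.py`); `EXPAT_VERSION` is the value to compare against the expat release that fixed the issue, regardless of what `guix show expat` reports.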