Skip to content

deps(deps): bump quick-xml from 0.40.1 to 0.41.0 in /src-tauri#10

Merged
codeandbrain merged 1 commit into
mainfrom
dependabot/cargo/src-tauri/quick-xml-0.41.0
Jul 7, 2026
Merged

deps(deps): bump quick-xml from 0.40.1 to 0.41.0 in /src-tauri#10
codeandbrain merged 1 commit into
mainfrom
dependabot/cargo/src-tauri/quick-xml-0.41.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


Bumps quick-xml from 0.40.1 to 0.41.0.

Release notes

Sourced from quick-xml's releases.

v0.41.0 - Secuirity fixes

What's Changed

New Features

  • #970: Add NsReader::resolver_mut() and NamespaceResolver::{max_declarations_per_element, set_max_declarations_per_element}.

Bug Fixes

  • #969: Attributes (and anything that iterates BytesStart::attributes() with the default with_checks(true)) no longer takes O(N²) time on a start tag with a large number of attributes. Small tags keep the previous linear scan; larger ones switch to a 64-bit hash pre-filter, so the whole tag is O(N). The exact AttrError::Duplicated(new, prev) positions are unchanged.
  • #970: NamespaceResolver::push (and hence every NsReader Start/Empty event) now rejects a start tag that declares more than DEFAULT_MAX_DECLARATIONS_PER_ELEMENT (256) xmlns / xmlns:* namespace bindings, returning the new NamespaceError::TooManyDeclarations. Previously push allocated one NamespaceBinding per declaration with no upper bound, before the event was returned to the caller, so an NsReader consumer could not bound its memory exposure on untrusted input. The limit is configurable via NamespaceResolver::set_max_declarations_per_element (use usize::MAX to disable).

#969: tafia/quick-xml#969 #970: tafia/quick-xml#970

New Contributors

Full Changelog: tafia/quick-xml@v0.40.1...v0.41.0

Changelog

Sourced from quick-xml's changelog.

0.41.0 -- 2026-06-29

New Features

  • #970: Add NsReader::resolver_mut() and NamespaceResolver::{max_declarations_per_element, set_max_declarations_per_element}.

Bug Fixes

  • #969: Attributes (and anything that iterates BytesStart::attributes() with the default with_checks(true)) no longer takes O(N²) time on a start tag with a large number of attributes. Small tags keep the previous linear scan; larger ones switch to a 64-bit hash pre-filter, so the whole tag is O(N). The exact AttrError::Duplicated(new, prev) positions are unchanged.
  • #970: NamespaceResolver::push (and hence every NsReader Start/Empty event) now rejects a start tag that declares more than DEFAULT_MAX_DECLARATIONS_PER_ELEMENT (256) xmlns / xmlns:* namespace bindings, returning the new NamespaceError::TooManyDeclarations. Previously push allocated one NamespaceBinding per declaration with no upper bound, before the event was returned to the caller, so an NsReader consumer could not bound its memory exposure on untrusted input. The limit is configurable via NamespaceResolver::set_max_declarations_per_element (use usize::MAX to disable).

#969: tafia/quick-xml#969 #970: tafia/quick-xml#970

Commits
  • 4deda08 Release 0.41.0
  • 1b3b73b Remove unused argument to check!
  • 07f3db8 Fix O(N²) duplicate-attribute check in Attributes iterator
  • 7ca2526 Cap namespace declarations per element in NamespaceResolver::push
  • See full diff in compare view

@dependabot @github

dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Bumps [quick-xml](https://github.com/tafia/quick-xml) from 0.40.1 to 0.41.0.
- [Release notes](https://github.com/tafia/quick-xml/releases)
- [Changelog](https://github.com/tafia/quick-xml/blob/master/Changelog.md)
- [Commits](tafia/quick-xml@v0.40.1...v0.41.0)

---
updated-dependencies:
- dependency-name: quick-xml
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/cargo/src-tauri/quick-xml-0.41.0 branch from 0a5a3cb to 34fb551 Compare July 7, 2026 07:09
@codeandbrain codeandbrain merged commit 0222181 into main Jul 7, 2026
2 of 4 checks passed
@codeandbrain codeandbrain deleted the dependabot/cargo/src-tauri/quick-xml-0.41.0 branch July 7, 2026 07:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant