GNU bug report logs - #78727
diffoscope.comparators.xml: Vulnerable version of pyexpat detected; disabling comparison of XML documents. Install defusedxml or upgrade your pyexpat.


Package: guix;

Reported by: "nomike (they/them)" <nomike <at> nomike.com>

Date: Mon, 9 Jun 2025 04:16:02 UTC

Severity: normal

To reply to this bug, email your comments to 78727 AT debbugs.gnu.org.



Report forwarded to bug-guix <at> gnu.org:
bug#78727; Package guix. (Mon, 09 Jun 2025 04:16:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "nomike (they/them)" <nomike <at> nomike.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 09 Jun 2025 04:16:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: "nomike (they/them)" <nomike <at> nomike.com>
To: bug-guix <at> gnu.org
Subject: diffoscope.comparators.xml: Vulnerable version of pyexpat detected; disabling comparison of XML documents. Install defusedxml or upgrade your pyexpat.
Date: Mon, 9 Jun 2025 06:15:21 +0200

Hi!

When running `diffoscope` it complains about the version of pyexpat being vulnerable.

I wasn't able to find any package named 'pyexpat' or 'python-expat' in guix; there is also nothing related to expat in the package inputs of 'diffoscope'. 'diffoscope' is at the latest available version.

There is the package 'expat' of course, which is at version 2.5.0 and could in theory be upgraded to version 2.7.1, but that would trigger 28379 rebuilds, so it's nothing which could be done easily. And I'm not even sure if this would fix the vulnerability after all. And maybe this has been dealt with via grafts ¯\_(ツ)_/¯?

Thanks

nomike
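The report above cannot locate a 'pyexpat' package because pyexpat is not a separate package: it is CPython's standard-library binding to libexpat, so the version diffoscope complains about is whatever libexpat the Python interpreter itself was built against. The following added diagnostic (not code from diffoscope, Guix or the reporter) shows how to read that linked version from the running interpreter, compare it against a cut-off, and check whether defusedxml is importable as the alternative the warning suggests. The cut-off `MINIMUM_EXPAT` is an assumed value for this demonstration, taken from the 2.7.1 figure in the report, not diffoscope's own threshold.

```python
"""Diagnose which libexpat the running Python's pyexpat is linked against,
and whether defusedxml is available as the alternative parser."""
import importlib.util
import pyexpat  # stdlib binding to libexpat; reports the linked library's version

# Assumed cut-off for this demonstration (the upgrade target named in the
# report), not the threshold diffoscope itself applies.
MINIMUM_EXPAT = (2, 7, 1)


def parse_expat_version(version_string):
    """Turn a string such as 'expat_2.5.0' or '2.5.0' into an int tuple.

    pyexpat.EXPAT_VERSION carries an 'expat_' prefix; a bare version string
    from a package list does not, so both forms are accepted.
    """
    core = version_string.split("_", 1)[-1]
    return tuple(int(part) for part in core.split("."))


def is_at_least(actual, minimum):
    """True when the actual version tuple is >= minimum (tuple comparison)."""
    return tuple(actual) >= tuple(minimum)


def defusedxml_available():
    """True when defusedxml can be imported in this interpreter."""
    return importlib.util.find_spec("defusedxml") is not None


def expat_report(minimum=MINIMUM_EXPAT):
    """Summarise the interpreter's expat state as a dict of plain values."""
    info = tuple(pyexpat.version_info)
    return {
        "expat_version": pyexpat.EXPAT_VERSION,
        "version_info": info,
        "meets_minimum": is_at_least(info, minimum),
        "defusedxml": defusedxml_available(),
    }


if __name__ == "__main__":
    # Run with the same 'python' that diffoscope uses, e.g. inside the
    # Guix profile or environment where the warning appeared.
    for key, value in expat_report().items():
        print(f"{key}: {value}")
```

Running this with the interpreter that diffoscope uses (rather than a host Python) tells you which of the two remedies in the warning applies: if `meets_minimum` is false the fix lies in the expat that Python was built against, independent of the diffoscope package's inputs; if `defusedxml` is false, adding that module to the same environment is the lighter-weight route.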

