
tiran/defusedxml

GitHub · 1 watcher · Open source

Last release: 3/8/2021

defusedxml is a Python-focused library for safely parsing XML by “defusing” common XML bomb and exploit patterns such as exponential entity expansion, quadratic blowup, and external entity expansion (including remote fetching and local file access). It’s useful when you need to protect applications that process untrusted XML from attacks that can consume large amounts of CPU or memory or trigger unintended network/file access.

Project status

  • Maintenance status: Upstream shows activity as of 2024-09-03, but the most recent listed release is v0.7.1 from 2021-03, so it is unclear whether the project is actively maintained beyond that later push.
  • Update cadence (apparent): Documented updates appear infrequent and clustered around early 2021 (v0.7.0rc1, v0.7.0rc2, v0.7.0, then v0.7.1), with much older updates in 2019 and 2017.

AI summary generated 2 weeks ago

AI-generated from public sources. May be inaccurate.

Recent updates

  • v0.7.1

    3/8/2021

    This is a small patch release that restores `defusedxml.ElementTree.ParseError` compatibility with the standard library `xml.etree.ElementTree.ParseError`. Most of the visible changes are changelog/version updates and a targeted runtime fix that patches the pure-Python ElementTree shim so both modules share the same exception class.

  • v0.7.0

    3/4/2021

    Release 0.7.0 is mostly a finalization of the 0.7.0rc2 line. The published notes describe deprecations and a patching fix, but the actual v0.7.0 diff contains no runtime code changes beyond a version bump and updated changelog/README entries.

    Features

  • v0.7.0.rc1

    1/12/2021

    This release adds Python 3.9 support and explicitly handles the removal of `xml.etree.cElementTree` in that interpreter. It also begins deprecating Python 2 ahead of its planned removal in 0.8.0, while updating docs, CI, and package metadata to reflect the new support matrix.

    Breaking, Features

  • v0.7.0rc2

    1/12/2021

    defusedxml 0.7.0rc2 is primarily a compatibility and cleanup release: it reintroduces `defusedxml.cElementTree` as a deprecated module, fixes `xml.etree` state restoration after patching, and moves CI from Travis to GitHub Actions. The codebase and test matrix were also updated for newer Python versions and coverage reporting.

    Features

  • v0.6.0

    5/26/2019

    Release 0.6.0 updates compatibility and input-handling behavior for the defusedxml parsers. It drops support for Python 3.4, changes how the deprecated XMLParse “html” argument is handled, and makes defusedxml fail early if the stdlib pyexpat module is missing or broken.

    Breaking

  • v0.5.0

    5/26/2019

    This release finalizes 0.5.0, documenting Python 3.6 compatibility, dropping support for older Python versions, and fixing an lxml test issue. The actual code diff from rc1 to final contains no functional code changes, only a version string update and a changelog entry.

    Breaking, Features

  • v0.5.0.rc1

    1/28/2017

    This release adds compatibility with Python 3.6 and removes support for several older Python versions. It also includes a fix related to lxml tests involving an XMLSyntaxError (entity reference loop).

    Breaking, Features