tiran/defusedxml

Source: GitHub · 1 watcher · Open source

Last release: 2023-09-29

defusedxml is a Python-focused library for safely parsing XML by “defusing” common XML bomb and exploit patterns such as exponential entity expansion, quadratic blowup, and external entity expansion (including remote fetching and local file access). It’s useful when you need to protect applications that process untrusted XML from attacks that can consume large amounts of CPU or memory or trigger unintended network/file access.

Project status

  • Maintenance status: Tagged updates in the provided history stop at v0.8.0rc2 (2023-09-29), and the next visible tags are much older (2021-03-08 and earlier). The only newer evidence is an upstream push on 2024-09-03, so overall the project looks quiet and, as of 2026-06-09, is not clearly under active maintenance as measured by published updates.
  • Update cadence: Based on the provided version/tag timestamps, there is a long gap of roughly 2.75 years between the last listed tagged update (2023-09) and today (2026-06). The 2024-09 upstream push suggests some intermittent activity, but the evidence does not show a steady release/update cadence.

AI summary generated 2026-06-09

AI-generated from public sources. May be inaccurate.

Recent updates

  • v0.8.0rc2

    2023-09-29

    v0.8.0rc2 has no publisher-provided release notes in the provided data. The code diff shows a small runtime behavior change in defusedxml.defuse_stdlib (DeprecationWarning suppression), plus CI workflow refactoring, documentation updates, and additional test coverage for DTD and XSD schema includes.

  • v0.8.0rc1

    2023-09-26

    No publisher release notes were provided for v0.8.0rc1. The code diff shows a major shift toward Python 3-only support, a refactor of the ElementTree facade implementation, and an added batching API (fromstringlist), alongside CI packaging and lint workflow changes.

    Tags: Features

  • v0.7.1

    2021-03-08

    This is a small patch release that restores `defusedxml.ElementTree.ParseError` compatibility with the standard library `xml.etree.ElementTree.ParseError`. Most of the visible changes are changelog/version updates and a targeted runtime fix that patches the pure-Python ElementTree shim so both modules share the same exception class.

  • v0.7.0

    2021-03-04

    Release 0.7.0 is mostly a finalization of the 0.7.0rc2 line. The published notes describe deprecations and a patching fix, but the actual v0.7.0 diff contains no runtime code changes beyond a version bump and updated changelog/README entries.

    Tags: Features

  • v0.7.0.rc1

    2021-01-12

    This release adds Python 3.9 support and explicitly handles the removal of `xml.etree.cElementTree` in that interpreter. It also begins deprecating Python 2 ahead of its planned removal in 0.8.0, while updating docs, CI, and package metadata to reflect the new support matrix.

    Tags: Breaking, Features

  • v0.7.0rc2

    2021-01-12

    defusedxml 0.7.0rc2 is primarily a compatibility and cleanup release: it reintroduces `defusedxml.cElementTree` as a deprecated module, fixes `xml.etree` state restoration after patching, and moves CI from Travis to GitHub Actions. The codebase and test matrix were also updated for newer Python versions and coverage reporting.

    Tags: Features

  • v0.6.0

    2019-05-26

    Release 0.6.0 updates compatibility and input-handling behavior for the defusedxml parsers. It drops support for Python 3.4, changes how the deprecated XMLParse “html” argument is handled, and makes defusedxml fail early if the stdlib pyexpat module is missing or broken.

    Tags: Breaking

  • v0.5.0

    2019-05-26

    This release finalizes 0.5.0, documenting Python 3.6 compatibility, dropping support for older Python versions, and fixing an lxml test issue. The actual code diff from rc1 to final contains no functional code changes, only a version string update and a changelog entry.

    Tags: Breaking, Features

  • v0.5.0.rc1

    2017-01-28

    This release adds compatibility with Python 3.6 and removes support for several older Python versions. It also includes a fix related to lxml tests involving an XMLSyntaxError (entity reference loop).

    Tags: Breaking, Features