77 points by ksec | 1 comments

captn3m0 No.42170994
It seems to have an in-tree libxml 2.11 for XPath support, which was released in 2023-04. Almost every second libxml release comes with a CVE, so I'm curious if there are plans to upgrade the libxml version, since it doesn't use the system libxml (same as nokogiri).

One of the reasons I still use nokogiri is because it puts a lot of effort into keeping libxml updated: https://github.com/sparklemotion/nokogiri/releases

replies(1): >>42172117 #
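The comment above is about a project carrying its own copy of libxml2 rather than using the system one, so fixes only arrive when someone bumps the vendored tree. A quick way to keep that honest in CI is to read the version the vendored headers declare and fail the build when it drops below an agreed baseline. The script below is an added example written for this thread, not code from the project being discussed or from nokogiri; it assumes the vendored tree ships libxml2's `xmlversion.h` with the `LIBXML_DOTTED_VERSION` macro (the real header does define it), the header text here is a constructed sample, and the `2.12.0` baseline is an arbitrary placeholder you would replace with your own policy floor.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample of the relevant lines from a vendored libxml2
# include/libxml/xmlversion.h (the real file has many more macros).
SAMPLE_XMLVERSION_H = """
/* constructed sample, not the real header */
#define LIBXML_DOTTED_VERSION "2.11.0"
#define LIBXML_VERSION 21100
#define LIBXML_VERSION_STRING "21100"
"""

# Placeholder policy floor: the oldest libxml2 you are willing to ship.
# Assumption for this example only; pick your own baseline.
MINIMUM_LIBXML: Version = (2, 12, 0)

_DOTTED_RE = re.compile(
    r'^\s*#\s*define\s+LIBXML_DOTTED_VERSION\s+"(\d+)\.(\d+)\.(\d+)"',
    re.MULTILINE,
)


def parse_libxml_version(header_text: str) -> Optional[Version]:
    """Extract (major, minor, micro) from LIBXML_DOTTED_VERSION, or None if absent."""
    match = _DOTTED_RE.search(header_text)
    if match is None:
        return None
    major, minor, micro = (int(part) for part in match.groups())
    return (major, minor, micro)


def audit_vendored_libxml(header_text: str, minimum: Version = MINIMUM_LIBXML):
    """Return (status, found_version).

    status is "ok" when the vendored version meets the baseline, "outdated"
    when it is older, and "unknown" when no version macro could be found
    (treat "unknown" as a failure too: an unidentifiable vendored copy
    cannot be matched against advisories).
    """
    found = parse_libxml_version(header_text)
    if found is None:
        return ("unknown", None)
    # Tuple comparison is lexicographic, so (2, 11, 0) < (2, 12, 0).
    status = "ok" if found >= minimum else "outdated"
    return (status, found)


def version_str(v: Optional[Version]) -> str:
    return "unknown" if v is None else ".".join(str(p) for p in v)


if __name__ == "__main__":
    status, found = audit_vendored_libxml(SAMPLE_XMLVERSION_H)
    print(f"vendored libxml2 {version_str(found)}: {status} "
          f"(baseline {version_str(MINIMUM_LIBXML)})")
    # Non-zero exit makes a CI job fail on an outdated or unidentifiable copy.
    raise SystemExit(0 if status == "ok" else 1)
```

In a real pipeline you would point `audit_vendored_libxml` at the actual `xmlversion.h` in the vendored directory and keep the baseline in one place alongside the rest of the dependency policy, so a libxml2 bump is a deliberate, reviewed change rather than something discovered during an incident.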
alyandon No.42172117
I once had to remediate security vulns in a gigantic C++ project and came across an ancient vendored version of libxml.

To my knowledge, the project didn't use XML for anything so I started digging into why they vendored it to begin with. Turns out, they vendored the entirety of libxml so it could parse the ~5 line config file for the project that was written in XML instead of literally anything else. The config file format was simple key/value pairs.

I hate working in this field sometimes. :-/

replies(3): >>42172279 #>>42172307 #>>42172355 #
andai No.42172279
I've heard it called swatting a fly with a plasma TV.