←back to thread

77 points ksec | 1 comments | | HN request time: 0.2s | source
Show context
captn3m0 ◴[] No.42170994[source]
It seems to have an in-tree libxml 2.11 for XPath support, which was released in 2023-04. Almost every second libxml release comes with a CVE, so I'm curious if there's plans to upgrade the libxml version, since it doesn't use the system libxml (same as nokogiri).

One of the reasons I still use nokogiri is because it puts a lot of effort into keeping libxml updated: https://github.com/sparklemotion/nokogiri/releases

replies(1): >>42172117 #
alyandon ◴[] No.42172117[source]
I once had to remediate security vulns in a gigantic C++ project and came across an ancient vendored version of libxml.

To my knowledge, the project didn't use XML for anything so I started digging into why they vendored it to begin with. Turns out, they vendored the entirety of libxml so it could parse the ~5 line config file for the project that was written in XML instead of literally anything else. The config file format was simple key/value pairs.

I hate working in this field sometimes. :-/

replies(3): >>42172279 #>>42172307 #>>42172355 #
1. ◴[] No.42172307[source]