Can the upcoming 0.8.0 be released before March 2024 #107
Comments
Hello, will this library be regularly maintained? We are working with Python 3.11 in my company, and the latest official version (0.7) is a no go for us. Best Regards,
@nicostubi Are you running into any kind of bugs or problems? If yes, then please open a bug report. I'll release 0.8.0 when I have time to verify the code with 3.13.rc1. There are minimal changes between 0.7 and 0.8, mostly documentation and infrastructure improvements.
No, I am evaluating the possibility to replace lxml by defusedxml, and the viability of this project is the last question that keeps me from evaluating its usage in my current feature branch :-)
defusedxml is not a replacement for lxml. It's a wrapper on top of Python's stdlib xml modules to solve DoS vulnerabilities when parsing XML from untrusted sources. There is also a lxml wrapper with some opinionated settings.
I'm trying to find a solution to CWE-20 raised by Bandit: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b410-import-lxml
after having read this article: https://realpython.com/python-xml-parser/#defuse-the-xml-bomb-with-secure-parsers
I could use:
and keep on using lxml, or standard libraries if possible.
For this specific case what I've done is to add a #nosec inline comment, for I manually do the parsing using defusedxml afterwards.
That's exactly what I've done: I keep my feature implemented with lxml and I ensure the XML can be defused. The only difference is I do use defuse before parsing the XML with lxml, and I catch any exception to log and raise it.
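The "defuse first, then parse" pattern described in the two comments above, as an added example that is not part of this issue thread or of the defusedxml project. To stay runnable without third-party packages it uses only the stdlib: the pre-check installs the same kind of expat handlers defusedxml relies on (rejecting entity declarations and, optionally, any DOCTYPE), and the final parse goes through `xml.etree.ElementTree` where the original comment uses lxml; the exception names, `defuse_check` and `safe_parse` are assumed here, not defusedxml's API.

```python
import logging
import xml.etree.ElementTree as ET
from xml.parsers import expat

log = logging.getLogger(__name__)


class EntitiesForbidden(ValueError):
    """Document declares or references entities (entity-expansion / XXE vector)."""


class DTDForbidden(ValueError):
    """Document carries a DOCTYPE and DTDs are not allowed."""


def defuse_check(data: bytes, forbid_dtd: bool = False) -> None:
    """Scan the document with a bare expat parser whose handlers reject
    entity declarations before anything is expanded. No tree is built, so
    the scan is cheap; this mirrors the checks defusedxml installs."""
    parser = expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise EntitiesForbidden(f"entity declaration forbidden: {name!r}")

    def unparsed_entity_decl(name, base, system_id, public_id, notation):
        raise EntitiesForbidden(f"unparsed entity declaration forbidden: {name!r}")

    def external_entity_ref(context, base, system_id, public_id):
        raise EntitiesForbidden(f"external entity reference forbidden: {system_id!r}")

    def doctype_decl(name, system_id, public_id, has_internal_subset):
        if forbid_dtd:
            raise DTDForbidden(f"DOCTYPE forbidden: {name!r}")

    parser.EntityDeclHandler = entity_decl
    parser.UnparsedEntityDeclHandler = unparsed_entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartDoctypeDeclHandler = doctype_decl
    parser.Parse(data, True)  # exceptions raised in handlers propagate


def safe_parse(data: bytes, forbid_dtd: bool = False) -> ET.Element:
    """Defuse first, then hand the document to the real parser.
    Failures are logged and re-raised so the caller still sees them."""
    try:
        defuse_check(data, forbid_dtd=forbid_dtd)
    except (EntitiesForbidden, DTDForbidden, expat.ExpatError) as exc:
        log.error("refusing to parse untrusted XML: %s", exc)
        raise
    return ET.fromstring(data)  # lxml.etree.fromstring in the lxml-based setup
```

The sample below is constructed: one internal entity declaration is enough to trip the check, so the parser never reaches the expansion step.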
v0.8.0rc2 has been released on Sep 29, 2023, and I'd like to know whether 0.8.0 can be released before March 2024. Thank you.