UNCLASSIFIED - NO CUI

Skip to content

Update dependency xmltodict to v0.15.1

POPs Triggerrequested to merge
renovate/xmltodict-0.x into development

This MR contains the following updates:

Package Type Update Change
xmltodict ironbank-pypi minor 0.14.1 -> 0.15.1

Release Notes

martinblech/xmltodict (xmltodict)

v0.15.1

Compare Source

  • Security: Further harden XML injection prevention during unparse (follow-up to v0.15.0). In addition to '<'/'>' rejection, now also reject element and attribute names (including @xmlns prefixes) that:
    • start with '?' or '!'
    • contain '/' or any whitespace
    • contain quotes (' or ") or '='
    • are non-strings (names must be str; no coercion)

v0.15.0

Compare Source

  • Security: Prevent XML injection (CVE-2025-9375) by rejecting '<'/'>' in element and attribute names (including @xmlns prefixes) during unparse. This limits validation to avoiding tag-context escapes; attribute values continue to be escaped by the SAX XMLGenerator. Advisory: https://fluidattacks.com/advisories/mono

v0.14.2

Compare Source

  • Revert "Ensure significant whitespace is not trimmed"
    • This changed was backwards incompatible and caused downstream issues.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Edited by POPs Trigger

Merge request reports

UNCLASSIFIED - NO CUI