◐ Shell
reader mode source ↗
Skip to content

gh-149017: Upgrade bundled Expat to 2.8.0#149020

Merged
StanFromIreland merged 5 commits into
python:mainfrom
StanFromIreland:expat-2.8.0
Apr 27, 2026
Merged

gh-149017: Upgrade bundled Expat to 2.8.0#149020
StanFromIreland merged 5 commits into
python:mainfrom
StanFromIreland:expat-2.8.0

Conversation

@StanFromIreland

@StanFromIreland StanFromIreland commented Apr 26, 2026
edited by bedevere-app Bot
Loading

Copy link
Copy Markdown
Member

@bedevere-app bedevere-app Bot mentioned this pull request Apr 26, 2026
Open
@hartwork

hartwork commented Apr 26, 2026

Copy link
Copy Markdown
Contributor

@StanFromIreland I think I should note that CPython defines XML_POOR_ENTROPY and passes entropy using an explicit call to XML_SetHashSalt (related to #149018). The new _pyexpat_random.c wrapper is in some conflict with that approach, I believe.

@StanFromIreland StanFromIreland marked this pull request as draft April 26, 2026 17:10
@StanFromIreland StanFromIreland marked this pull request as ready for review April 26, 2026 17:48
@StanFromIreland StanFromIreland requested a review from picnixz April 26, 2026 17:49
@StanFromIreland StanFromIreland requested a review from picnixz April 26, 2026 18:44
16 hidden items Load more…
Hide details View details @StanFromIreland StanFromIreland merged commit 005555a into python:main Apr 27, 2026
66 checks passed
@StanFromIreland StanFromIreland deleted the expat-2.8.0 branch April 27, 2026 20:22
@miss-islington-app

miss-islington-app Bot commented Apr 27, 2026

Copy link
Copy Markdown

Thanks @StanFromIreland for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10, 3.11, 3.12, 3.13, 3.14.
🐍🍒⛏🤖

@miss-islington-app

miss-islington-app Bot commented Apr 27, 2026

Copy link
Copy Markdown

Sorry, @StanFromIreland, I could not cleanly backport this to 3.14 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 005555a3f0ae20ee8154eb4ee172e1e355144c8c 3.14

@miss-islington-app

miss-islington-app Bot commented Apr 27, 2026

Copy link
Copy Markdown

Sorry, @StanFromIreland, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 005555a3f0ae20ee8154eb4ee172e1e355144c8c 3.13

@miss-islington-app

miss-islington-app Bot commented Apr 27, 2026

Copy link
Copy Markdown

Sorry, @StanFromIreland, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 005555a3f0ae20ee8154eb4ee172e1e355144c8c 3.12

@miss-islington-app

miss-islington-app Bot commented Apr 27, 2026

Copy link
Copy Markdown

Sorry, @StanFromIreland, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 005555a3f0ae20ee8154eb4ee172e1e355144c8c 3.11

@miss-islington-app

miss-islington-app Bot commented Apr 27, 2026

Copy link
Copy Markdown

Sorry, @StanFromIreland, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 005555a3f0ae20ee8154eb4ee172e1e355144c8c 3.10

@bedevere-app

bedevere-app Bot commented Apr 27, 2026

Copy link
Copy Markdown

GH-149073 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.14 bugs and security fixes label Apr 27, 2026
@StanFromIreland StanFromIreland removed needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Apr 27, 2026
@StanFromIreland

StanFromIreland commented Apr 27, 2026

Copy link
Copy Markdown
Member Author

3.12/3.13 should hopefully be the same as the 3.14 one, so moving the labels over.

@bedevere-app

bedevere-app Bot commented Apr 27, 2026

Copy link
Copy Markdown

GH-149074 is a backport of this pull request to the 3.11 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.11 only security fixes label Apr 27, 2026
@bedevere-app

bedevere-app Bot commented Apr 27, 2026

Copy link
Copy Markdown

GH-149075 is a backport of this pull request to the 3.10 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.10 only security fixes label Apr 27, 2026
hugovk pushed a commit that referenced this pull request Apr 28, 2026
@StanFromIreland
[3.14] gh-149017: Upgrade bundled Expat to 2.8.0 (GH-149020) (#149073)
c181c5f 
(cherry picked from commit 005555a)
StanFromIreland added a commit that referenced this pull request May 14, 2026
@miss-islington @StanFromIreland
[3.13] gh-149017: Upgrade bundled Expat to 2.8.0 (GH-149020) (#149099)
ae31e50 
(cherry picked from commit 005555a)

Co-authored-by: Stan Ulbrych <stan@python.org>
Yhg1s pushed a commit that referenced this pull request May 18, 2026
@miss-islington @StanFromIreland
[3.12] gh-149017: Upgrade bundled Expat to 2.8.0 (GH-149020) (GH-149073
aeb348e 
…) (#150007)

[3.14] gh-149017: Upgrade bundled Expat to 2.8.0 (GH-149020) (GH-149073)
(cherry picked from commit c181c5f)


(cherry picked from commit 005555a)

Co-authored-by: Stan Ulbrych <stan@python.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gpshead gpshead gpshead approved these changes

@sethmlarson sethmlarson

@encukou encukou Awaiting requested review from encukou

@picnixz picnixz Awaiting requested review from picnixz

+1 more reviewer

@hartwork hartwork hartwork left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@StanFromIreland StanFromIreland

Labels

release-blocker type-security A security issue

Projects

Release and Deferred blockers 🚫
Status: Done +1 more

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@StanFromIreland @hartwork @gpshead @picnixz @sethmlarson