Closed pinkforest closed 2 years ago
RReverser
commented
2 years ago Good question, I haven't seen those xml-rs updates. xml-rs was pretty essential to this crate (as reflected in the name), but I suppose we could theoretically switch to something else... Depends how much interest there is and whether there are similar alternatives.
RReverser
commented
2 years ago quick-xml seems promising, but it has its own Serde support already. Maybe we should just redirect users to them... https://github.com/tafia/quick-xml
pinkforest
commented
2 years ago Yeah maybe just wait and see - there is supposed to be a new maintainer sometime in the next three months on xml-rs.
Would be good to continue to have an alternative like serde-xml-rs still around so thanks for caring -
Closing as serde-xml-rs cannot really do much re: upstream deps and the maintainer is around :)
Hi @RReverser @punkstarman
xml-rs is of unmaintained status -
https://github.com/netvl/xml-rs/issues/219 https://github.com/netvl/xml-rs/issues/210 https://github.com/netvl/xml-rs/issues/204
There are concerns that the xml-rs crate may have issues parsing untrusted data as it is both unmaintained and has parsing issues that include integer overflows / panic etc.
I wonder if people should be using this crate which depends on xml-rs - e.g. if this crate is maintained or would it be preferable / should we nudge people about it ?
Thanks!