Skip to content

Remove quick-xml RUSTSEC-2026-0194/0195 deny.toml ignores once opendal upgrades quick-xml #647

Description

@staging-devin-ai-integration

Two new advisories against `quick-xml 0.39.4` (transitive dep via `opendal` -> `opendal-core`, used by `streamkit-nodes` for the S3 object_store feature) started failing `cargo deny check advisories`:

  • RUSTSEC-2026-0194: quadratic runtime checking duplicate attribute names (CPU-exhaustion DoS)
  • RUSTSEC-2026-0195: unbounded namespace-declaration allocation in `NsReader` (memory-exhaustion DoS)

Both are fixed in `quick-xml >= 0.41.0`, but `opendal-core 0.57.0` (latest) pins `quick-xml = 0.39.3`, so no upgrade path exists yet.

Exposure is limited: opendal only parses XML from the operator-configured S3 endpoint's responses, not attacker-supplied input, so the DoS vectors require a malicious/compromised object-store endpoint.

Temporary `deny.toml` ignores were added (first flagged on #631). Remove them once an opendal release depending on `quick-xml >= 0.41` is available (`cargo update -p opendal` / bump in `crates/nodes/Cargo.toml`).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions