Two new advisories against `quick-xml 0.39.4` (transitive dep via `opendal` -> `opendal-core`, used by `streamkit-nodes` for the S3 object_store feature) started failing `cargo deny check advisories`:
- RUSTSEC-2026-0194: quadratic runtime checking duplicate attribute names (CPU-exhaustion DoS)
- RUSTSEC-2026-0195: unbounded namespace-declaration allocation in `NsReader` (memory-exhaustion DoS)
Both are fixed in `quick-xml >= 0.41.0`, but `opendal-core 0.57.0` (latest) pins `quick-xml = 0.39.3`, so no upgrade path exists yet.
Exposure is limited: opendal only parses XML from the operator-configured S3 endpoint's responses, not attacker-supplied input, so the DoS vectors require a malicious/compromised object-store endpoint.
Temporary `deny.toml` ignores were added (first flagged on #631). Remove them once an opendal release depending on `quick-xml >= 0.41` is available (`cargo update -p opendal` / bump in `crates/nodes/Cargo.toml`).
Two new advisories against `quick-xml 0.39.4` (transitive dep via `opendal` -> `opendal-core`, used by `streamkit-nodes` for the S3 object_store feature) started failing `cargo deny check advisories`:
Both are fixed in `quick-xml >= 0.41.0`, but `opendal-core 0.57.0` (latest) pins `quick-xml = 0.39.3`, so no upgrade path exists yet.
Exposure is limited: opendal only parses XML from the operator-configured S3 endpoint's responses, not attacker-supplied input, so the DoS vectors require a malicious/compromised object-store endpoint.
Temporary `deny.toml` ignores were added (first flagged on #631). Remove them once an opendal release depending on `quick-xml >= 0.41` is available (`cargo update -p opendal` / bump in `crates/nodes/Cargo.toml`).