@renovate-bot (Contributor)

This PR contains the following updates:

Package     Change
xmltodict   ==0.13.0 -> ==1.0.0

Release Notes

martinblech/xmltodict (xmltodict)

v1.0.0

⚠ BREAKING CHANGES
  • modernize for Python 3.9+; drop legacy compat paths
Features
  • unparse: add limited XML comment round-trip; unify _emit behavior (e43537e)
  • unparse: add selective force_cdata support (bool/tuple/callable) (a497fed), closes #375
Bug Fixes
  • namespaces: attach @xmlns to declaring element when process_namespaces=True (f0322e5), closes #163
  • streaming: avoid parent accumulation at item_depth; add regression tests (220240c)
  • unparse: handle non-string #text with attributes; unify value conversion (927a025), closes #366
  • unparse: skip empty lists to keep pretty/compact outputs consistent (ab4c86f)
Reverts
  • remove initial Release Drafter config (c0b74ed)
Documentation
  • readme: add API reference for parse()/unparse() kwargs (e5039ad)
  • readme: mention types-xmltodict stub package (58ec03e)
Code Refactoring
  • modernize for Python 3.9+; drop legacy compat paths (7364427)

v0.15.1

  • Security: Further harden XML injection prevention during unparse (follow-up to
    v0.15.0). In addition to '<'/'>' rejection, now also reject element and
    attribute names (including @xmlns prefixes) that:
    • start with '?' or '!'
    • contain '/' or any whitespace
    • contain quotes (' or ") or '='
    • are non-strings (names must be str; no coercion)

v0.15.0

  • Security: Prevent XML injection (CVE-2025-9375) by rejecting '<'/'>' in
    element and attribute names (including @xmlns prefixes) during unparse.
    This limits validation to avoiding tag-context escapes; attribute values
    continue to be escaped by the SAX XMLGenerator.
    Advisory: https://fluidattacks.com/advisories/mono

v0.14.2

  • Revert "Ensure significant whitespace is not trimmed"
    • This change was backwards incompatible and caused downstream issues.

v0.14.1

v0.14.0

  • Drop old Python 2 support leftover code and apply several RUFF code health fixes.
  • Add Python 3.11, 3.12 and 3.13 support and tests.
  • Tests in gh-action.
  • Remove defusedexpat import.
  • Replace deprecated BadZipfile with BadZipFile.
  • Support indent using integer format, enable python -m unittest tests/*.py.
  • Ensure significant whitespace is not trimmed
  • added conda installation command
  • fix attributes not appearing in streaming mode
  • Fix Travis CI status badge URL
  • Update push_release.sh to use twine.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
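The v0.15.0 and v0.15.1 entries in the release notes above describe the unparse-side hardening for CVE-2025-9375: names are the only part of the output that the SAX XMLGenerator does not escape, so a dict key that reaches unparse as an element or attribute name can break out of tag context. The following Python block is an added example written for this page, not code from xmltodict. Its emit_unchecked() is a toy serializer that mirrors that one pre-0.15.0 property (values and text escaped via the stdlib SAX helpers, names written verbatim); validate_name() applies exactly the rules the two release entries list; the payload strings, the use of plain names instead of xmltodict's '@'-prefixed attribute keys, and all function names are assumptions made for the demo.

```python
"""Name-level XML injection during unparse (the CVE-2025-9375 class).

Added example; not xmltodict's own code.  emit_unchecked() is a toy serializer
that mirrors one property of xmltodict before 0.15.0: attribute values and text
are escaped, but element and attribute names are written verbatim.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr


def emit_unchecked(name, attrs, text):
    """Serialize one element; names are NOT validated (the vulnerable shape)."""
    attr_str = "".join(f" {k}={quoteattr(str(v))}" for k, v in attrs.items())
    return f"<{name}{attr_str}>{escape(str(text))}</{name}>"


def passes_0_15_0_rule(name):
    """The first fix on its own: only '<' and '>' are rejected."""
    return isinstance(name, str) and "<" not in name and ">" not in name


# Characters that the 0.15.0 ('<', '>') and 0.15.1 ('/', '=', quotes,
# whitespace) release notes reject in element and attribute names.
_BAD_CHARS = re.compile(r"""[<>/='"\s]""")


def validate_name(name):
    """Apply the combined 0.15.0/0.15.1 name rules; return the name or raise."""
    if not isinstance(name, str):            # 0.15.1: names must be str, no coercion
        raise TypeError(f"XML name must be str, got {type(name).__name__}")
    if name.startswith(("?", "!")):          # 0.15.1: would start a PI, comment or DOCTYPE
        raise ValueError(f"invalid XML name: {name!r}")
    if _BAD_CHARS.search(name):
        raise ValueError(f"invalid XML name: {name!r}")
    return name


def is_safe_name(name):
    """Boolean wrapper around validate_name()."""
    try:
        validate_name(name)
    except (TypeError, ValueError):
        return False
    return True


def emit_checked(name, attrs, text):
    """Hardened serializer: every name is validated before anything is written."""
    validate_name(name)
    for key in attrs:
        validate_name(key)
    return emit_unchecked(name, attrs, text)


# Constructed attacker-controlled dict keys (hypothetical inputs for the demo).
ELEMENT_PAYLOAD = "user><admin>true</admin><user"    # caught by the 0.15.0 rule
ATTRIBUTE_PAYLOAD = 'role="admin" note'              # passes 0.15.0, caught by 0.15.1


def demo():
    """Run the injection attempts and return what each produced."""
    out = {}
    # 1. Attribute VALUES are safe: quoteattr() keeps the embedded quotes inert,
    #    so the parser still sees a single attribute.
    out["value"] = ET.fromstring(
        emit_unchecked("user", {"role": 'x" admin="true'}, "alice")).attrib
    # 2. An element NAME containing '>' writes extra markup on both sides.
    out["element"] = emit_unchecked(ELEMENT_PAYLOAD, {}, "alice")
    # 3. An attribute NAME with a quote, '=' and a space plants a second,
    #    well-formed attribute that the parser accepts as if it were intended.
    out["attribute"] = ET.fromstring(
        emit_unchecked("user", {ATTRIBUTE_PAYLOAD: "hi"}, "alice")).attrib
    # 4. The '<'/'>' check alone lets payload 3 through; the 0.15.1 rules do not.
    out["gap"] = passes_0_15_0_rule(ATTRIBUTE_PAYLOAD)
    out["rejected"] = [is_safe_name(ELEMENT_PAYLOAD),
                       is_safe_name(ATTRIBUTE_PAYLOAD),
                       is_safe_name(123)]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The attribute-name payload is the reason the 0.15.1 follow-up exists: it contains no '<' or '>' and so survives the 0.15.0 check, yet the serialized output is well-formed XML carrying an attribute the caller never set. If any code in this repository builds the dict handed to xmltodict.unparse() from request data, the fix is to take a version at or above 0.15.1; validating keys yourself, as emit_checked() does, is defence in depth rather than a substitute.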

@renovate-bot renovate-bot requested review from a team as code owners September 12, 2025 21:43
@trusted-contributions-gcf bot added the labels kokoro:force-run (Add this label to force Kokoro to re-run the tests.) and owlbot:run (Add this label to trigger the Owlbot post processor.) on Sep 12, 2025
@product-auto-label bot added the labels samples (Issues that are directly related to samples.) and api: cloudfunctions (Issues related to the Cloud Run functions API.) on Sep 12, 2025
@gemini-code-assist bot left a comment

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the xmltodict Python library to its major version 1.0.0. This upgrade ensures the project benefits from the latest features, performance improvements, and critical security patches. Given the breaking changes introduced in xmltodict v1.0.0, particularly the modernization for Python 3.9+ and removal of legacy compatibility, careful review is advised to ensure continued compatibility with existing code.

Highlights

  • Dependency Update: The xmltodict Python library has been updated from version 0.13.0 to 1.0.0.
  • Breaking Changes: Version 1.0.0 of xmltodict introduces breaking changes, primarily modernizing the library for Python 3.9+ and dropping legacy compatibility paths. This may require adjustments if the project relies on older Python versions or specific legacy behaviors.
  • New Features and Bug Fixes: This update incorporates new features such as limited XML comment round-trip and selective force_cdata support, along with several bug fixes related to namespaces, streaming, and unparsing non-string #text.
  • Security Enhancements: Intermediate versions included in this upgrade (0.15.0, 0.15.1) introduced security fixes to prevent XML injection during unparsing by rejecting unsafe characters in element and attribute names.

@kokoro-team kokoro-team removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Sep 12, 2025
@gemini-code-assist bot left a comment

Code Review

This PR updates xmltodict to v1.0.0, which is a major version bump. The new version requires Python 3.9+, but this project seems to support Python 3.8 based on other dependencies like functions-framework. This will cause dependency conflicts and break the setup for Python 3.8 environments. I've suggested pinning xmltodict to 0.15.1, the last version to support older Python interpreters, to resolve this.

google-cloud-storage==2.9.0; python_version < '3.7'
google-cloud-storage==2.9.0; python_version > '3.6'
xmltodict==0.13.0
xmltodict==1.0.0
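Review bot: the bump on the last line drops Python 3.8 with no fallback, since the 1.0.0 notes above list the move to Python 3.9+ as a breaking change, and the google-cloud-storage lines directly above already use PEP 508 environment markers, so the same pattern keeps the CVE-2025-9375 fix on every interpreter while only 3.9+ environments take 1.0.0:
xmltodict==0.15.1; python_version < '3.9'
xmltodict==1.0.0; python_version >= '3.9'
Separately, the two google-cloud-storage==2.9.0 context lines pin the same version on both sides of their marker, so they could be collapsed into one unconditional line.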
@gemini-code-assist bot commented on the hunk above (critical):

The update to xmltodict version 1.0.0 requires Python 3.9+, as stated in the release notes. However, other dependencies in this file, such as functions-framework==3.9.2, indicate support for Python 3.8. This version mismatch will cause dependency installation to fail on Python 3.8 environments. To maintain compatibility, I recommend pinning xmltodict to the latest version that supports Python 3.8, which is 0.15.1.

xmltodict==0.15.1


Labels

  • api: cloudfunctions (Issues related to the Cloud Run functions API.)
  • owlbot:run (Add this label to trigger the Owlbot post processor.)
  • samples (Issues that are directly related to samples.)

2 participants