On 19.06.25 03:41, Bruce Momjian wrote: > This blog post explains the serious problems the single libxml2 author > is having in maintaining the library: > > > https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports > > There are few learnings from this: > > * libxml2 is even less production-ready than we thought > * many projects don't have the resources we do >
That's even worse than I thought. Especially this disclaimer consideration: “This is open-source software written by hobbyists, maintained by a single volunteer, badly tested, written in a memory-unsafe language and full of security bugs. It is foolish to use this software to process untrusted data.” No wonder other major databases opt for writing their own XML processing engines. Sadly, despite these issues, there doesn't seem to be a decent alternative to libxml2 :( -- Jim
