In 2ada4ad, defusedxml has been added as a dependency to the package to resolve some security warnings from bandit.
According to the docs, defusedxml should not be required anymore with recent Python versions and the recommendation for defusedxml has been removed from the official Python docs after some discussions:
According to the table at https://github.com/tiran/defusedxml?tab=readme-ov-file#python-xml-libraries, the usual attacks should not be possible with modern Python anymore.
One special case is the XInclude support, but this requires an explicit processing call, so fpdf2 is not vulnerable to this attack either: https://docs.python.org/3/library/xml.etree.elementtree.html#xinclude-support
Is the dependency still required here?
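As an added example (not code from fpdf2 or from the issue author), this shows the XInclude point with the standard library alone: `ET.fromstring` leaves an `xi:include` element in place as ordinary data, inclusion happens only when `ElementInclude.include()` is called explicitly, and a small guard can reject such documents before that step. The SVG fragment, the placeholder href and the recording loader are constructed for the example.

```python
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude

XI_NS = "http://www.w3.org/2001/XInclude"
XI_INCLUDE = f"{{{XI_NS}}}include"

# Constructed sample, not a real fpdf2 input: an SVG fragment carrying an
# XInclude directive. The href is a placeholder and is never read from disk.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="placeholder-local-file.txt" parse="text"/>
  <rect width="10" height="10"/>
</svg>"""


def find_xinclude_elements(root: ET.Element) -> list:
    """Every XInclude directive in the tree, in document order."""
    return [el for el in root.iter() if el.tag == XI_INCLUDE]


def parse_plain(data: str) -> ET.Element:
    """Stdlib parse only: xi:include stays in the tree as an ordinary element."""
    return ET.fromstring(data)


def parse_rejecting_xinclude(data: str) -> ET.Element:
    """Defensive wrapper: parse, then refuse any document carrying XInclude."""
    root = ET.fromstring(data)
    if find_xinclude_elements(root):
        raise ValueError("XInclude directives are not accepted")
    return root


def accepts_document(data: str) -> bool:
    """True when parse_rejecting_xinclude() accepts the document."""
    try:
        parse_rejecting_xinclude(data)
    except ValueError:
        return False
    return True


def include_with_recording_loader(data: str):
    """Run the explicit ElementInclude.include() step with a hypothetical loader
    that records requested hrefs and returns constructed text instead of
    touching disk. Returns (root, list of requested hrefs)."""
    requested = []

    def loader(href, parse, encoding=None):
        requested.append(href)
        return "constructed-content"  # stands in for the included text

    root = ET.fromstring(data)
    ElementInclude.include(root, loader=loader)  # nothing is included before this call
    return root, requested
```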