
Dependency with XML parser

Open somilia opened this issue 1 year ago • 1 comment

The code implementing the MIVOT feature (PR #497) uses lxml.etree. The data model handling requires running XML operations: parsing and XPath queries.

However, lxml is not part of the PyVO dependencies, and it is considered insecure, as is the native xml package (see the xml documentation), which is the reason why we have been reluctant to use them.

The two possibilities are:

  • use defusedxml, which will also add a new dependency;
  • add the needed fragment of defusedxml to PyVO (defusedxml is under the Python Software Foundation License).

What would you recommend?

somilia, Nov 20 '23 10:11

Either of them ends up as a dependency, so it will need to be an optional dependency, e.g. imports need to be done inside conditionals, tests should be skipped when the dependency is missing, etc. For examples see e.g. the case of regions in astroquery.

bsipocz, Nov 20 '23 10:11
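One way to implement the optional-dependency pattern suggested above, as an added example that is not pyvo's code: defusedxml is imported inside a try/except and used when present, tests that need it are skipped otherwise, and the fallback path refuses any document carrying a DTD before handing it to the stdlib parser. The function and constant names, and the minimal VOTable sample, are constructed for this example.

```python
import re
import unittest
import xml.etree.ElementTree as ET

# Optional dependency: use defusedxml when installed, else a conservative stdlib
# fallback. Names here are hypothetical, not pyvo's.
try:
    import defusedxml.ElementTree as defused_ET
    from defusedxml import DefusedXmlException
    HAS_DEFUSEDXML = True
except ImportError:
    defused_ET, DefusedXmlException, HAS_DEFUSEDXML = None, (), False

# Tests needing defusedxml-specific behaviour are skipped when it is absent.
requires_defusedxml = unittest.skipUnless(HAS_DEFUSEDXML, "defusedxml not installed")

_DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

class UnsafeXmlError(ValueError):
    """Document could trigger entity expansion or an external entity fetch."""

def parse_xml_safely(data: bytes) -> ET.Element:
    """Parse untrusted XML bytes, refusing DTDs and entity declarations."""
    if HAS_DEFUSEDXML:
        try:
            return defused_ET.fromstring(data, forbid_dtd=True,
                                         forbid_entities=True, forbid_external=True)
        except DefusedXmlException as exc:
            raise UnsafeXmlError(str(exc)) from exc
    # Fallback: every entity-based attack (billion laughs, XXE) needs a DTD,
    # so refusing any document that declares one closes the stdlib parser's gap.
    if _DTD_RE.search(data):
        raise UnsafeXmlError("DTD or entity declaration present; refusing to parse")
    return ET.fromstring(data)

def field_names(votable: bytes) -> list:
    """FIELD names of a VOTable via ElementTree's limited XPath support."""
    ns = {"vo": "http://www.ivoa.net/xml/VOTable/v1.3"}
    return [f.get("name") for f in parse_xml_safely(votable).findall(".//vo:FIELD", ns)]

def rejects(data: bytes) -> bool:
    """True when parse_xml_safely refuses the document, False when it parses."""
    try:
        parse_xml_safely(data)
    except UnsafeXmlError:
        return True
    return False

# Constructed sample: a minimal VOTable with two FIELDs (not real service output).
SAMPLE_VOTABLE = (b'<VOTABLE xmlns="http://www.ivoa.net/xml/VOTable/v1.3" version="1.3">'
                  b'<RESOURCE><TABLE><FIELD name="ra" datatype="double"/>'
                  b'<FIELD name="dec" datatype="double"/></TABLE></RESOURCE></VOTABLE>')
```

Whichever branch is taken, callers see the same `UnsafeXmlError`, so test suites can assert on one exception type regardless of whether defusedxml is installed.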