Issue #10510 has been updated by Luis Lavena.


What about gem-ification of rexml and allow patches be distributed as gems that can be updated?

(like default gems: json, psych, etc)

I think the introduction of default gem for rexml falls into minor version changes and will allow faster responses and alternate upgrade/mitigation paths.


----------------------------------------
Feature #10510: Remove REXML instead of patching it
https://bugs.ruby-lang.org/issues/10510#change-49971

* Author: Michael Grosser
* Status: Open
* Priority: Normal
* Assignee: 
* Category: 
* Target version: 
----------------------------------------
 There have been at least 3 rexml vulerabilities to date,
 having to patch ruby just to make sure it's not being used is taking a lot
 of time/effort.
 
 Afaik most people do not use xml anyway (and especially not rexml), just
 for comparison: it would make much more sense to have json included, but
 it's not.
 
 So let's just drop it & make it a gem.



-- 
https://bugs.ruby-lang.org/