File `subprojects/expat.wrap` references vulnerable version of Expat?

[hartwork]

Hi!

It has come to my attention that there is hardcoding of a vulnerable version of Expat in here:

exiv2/subprojects/expat.wrap

Lines 2 to 10 in c9cea75

	directory = expat-2.7.1
	source_url = https://github.com/libexpat/libexpat/releases/download/R_2_7_1/expat-2.7.1.tar.xz
	source_filename = expat-2.7.1.tar.bz2
	source_hash = 354552544b8f99012e5062f7d570ec77f14b412a3ff5c7d8d0dae62c0d217c30
	patch_filename = expat_2.7.1-1_patch.zip
	patch_url = https://wrapdb.mesonbuild.com/v2/expat_2.7.1-1/get_patch
	patch_hash = fe28cbbc427a7c9787d08b969ad54d19f59d8dd18294b4a18651cecfc789d4ef
	source_fallback_url = https://github.com/mesonbuild/wrapdb/releases/download/expat_2.7.1-1/expat-2.7.1.tar.bz2
	wrapdb_version = 2.7.1-1

I haven't checked whether or how that's actually used by exiv2, but want to be sure, it gets a chance at being updated.

Thank you!

PS: The latest version of Expat upstream is 2.7.3.

[kevinbackhouse]

@neheb : this directory is only used by meson, and not by cmake, right?

[neheb]

Correct.