chore(deps): Bump quick-xml from 0.39.2 to 0.39.4 in /components/core

[dependabot]

Bumps quick-xml from 0.39.2 to 0.39.4.

Release notes

Sourced from quick-xml's releases.

v0.39.4 - Fix another panics when parse malformed DTD

Bug Fixes

• #957: Fix slice-index panic when reading malformed DTD whose unknown markup is split across BufReader chunks. As with #950, the returned Event::DocType may contain the malformed DTD; this fix only ensures that the parser does not panic.
• #960: Fix sibling slice-index panic when a single chunk delivers < followed by 9+ bytes of unknown markup inside a DTD internal subset. Same disposition as #957 / #950: parser must not panic; DTD validity reporting is a future improvement.

#950: tafia/quick-xml#950 #957: tafia/quick-xml#957 #960: tafia/quick-xml#960

Full Changelog: tafia/quick-xml@v0.39.3...v0.39.4

v0.39.3 - Fix panic when parse malformed DTD

Bug Fixes

• #950: Fix subtraction with overflow when parse malformed DTD in some cases. Note, that currently we do not check the validity of DTD, so the returned Event::DocType may contain the malformed DTD.

Full Changelog: tafia/quick-xml@v0.39.2...v0.39.3

Changelog

Sourced from quick-xml's changelog.

0.39.4 -- 2026-05-08

Bug Fixes

• #957: Fix slice-index panic when reading malformed DTD whose unknown markup is split across BufReader chunks. As with #950, the returned Event::DocType may contain the malformed DTD; this fix only ensures that the parser does not panic.
• #960: Fix sibling slice-index panic when a single chunk delivers < followed by 9+ bytes of unknown markup inside a DTD internal subset. Same disposition as #957 / #950: parser must not panic; DTD validity reporting is a future improvement.

#950: tafia/quick-xml#950 #957: tafia/quick-xml#957 #960: tafia/quick-xml#960

0.39.3 -- 2026-05-04

Bug Fixes

• #950: Fix subtraction with overflow when parse malformed DTD in some cases. Note, that currently we do not check the validity of DTD, so the returned Event::DocType may contain the malformed DTD.

#950: tafia/quick-xml#950

Commits

• f72e8b3 Release 0.39.4
• b8b3bbe Fix slice-index panic in DtdParser on long single-chunk unknown markup (#960)
• fd5b908 Fix slice-index panic in DtdParser on chunked unknown markup (#957)
• e156b0b Release 0.39.3
• fa0f8c8 Update xml5ever & markup5even: 0.37 -> 0.38; rxml: 0.13 -> 0.14
• 9ebd88d Add some explanation comments and fix misprints
• b3800c8 Fix subtraction with overflow
• 93865dc Add regression test for #950 - err
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: automated, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.