Update expat to be based on 2.7.0

Update expat third party library to be based on expat 2.7.0. The minimal external expat version is now 2.6.3, to avoid being effected by vulnerabilities.

requested review from @ben.boeckel

assigned to @spiros.tsalikis

added area:third-party label

mentioned in issue #18013

added 4 commits

• a77f774a - expat: update.sh to 2.7.0
• 318274d8 - Add changelog
• cbca02e4 - expat 2025-03-14 (7716461f)
• aeb51531 - Merge branch 'upstream-expat' into update-expat-2.7.0

Compare with previous version

changed the description

added 85 commits

• aeb51531...6f4157c6 - 81 commits from branch vtk:master
• 5fca0606 - expat: update.sh to 2.7.0
• 9779fe43 - Add changelog
• 6441b800 - expat 2025-03-17 (f5ddda22)
• 0639ea34 - Merge branch 'upstream-expat' into update-expat-2.7.0

Compare with previous version

resolved all threads

+2

Do: merge

mentioned in commit 03550f3e

merged manually

mentioned in commit louis.gombert/paraview@f93b4958

mentioned in merge request paraview/paraview!7230 (merged)

Corresponding update for ParaView: paraview/common-superbuild!698 (merged)

This broke my builds.

 Could NOT find EXPAT: Found unsuitable version "2.5.0", but required is at least "2.6.3" (found
 /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/lib/libexpat.tbd)

The expat that's shipped in macOS is labelled version 2.5, but it's pretty common for security fixes to be cherry picked and backported, and thus the version doesn't really increment.

macOS patched libexpat recently for example: https://support.apple.com/en-us/121839

Does this version check have to be there?

https://formulae.brew.sh/formula/expat

What of it?

That would solve your compilation problem. We can’t assume that a package manager would fix a bug. We just go by versions otherwise it would be a zoo of checks. I hope that makes sense.

What about restoring the minimum but adding a warning for < 2.6.3 versions like we do for old Pythons?

You mean the following?

# Check deprecated versions of Python
if (NOT VTK_LEGACY_SILENT AND vtk_python_version VERSION_LESS vtk_python_version_support)
  message(DEPRECATION
    "Python ${vtk_python_version} support is deprecated, use Python ${vtk_python_version_support}+")
endif ()

The fact is, your check is not checking what you think it is.

As I said, it is extremely common, not just on Apple, but on Ubuntu and many others too, for security fixes to get backported. That's how you get version numbers like "libexpat 2.4.7-1ubuntu0.5". It's 2.4.7 with various security fixes backported.

So failing your version check does not mean the library version has any unfixed security issues.

Our app has always dynamically linked to the expat that's bundled with macOS. That's one less thing for me to build, update, etc. This harsh check now makes that impossible as even the very newest macOS is at 2.5 (+ patches).

What would be the problem of using the internal expat and not your system's one?

What would be the problem of using the internal expat and not your system's one?

Why, are you going to remove VTK_MODULE_USE_EXTERNAL_VTK_expat too? :)

It's just one less thing to build, one less thing to include in our binary, one less thing to document (medical software requires documentation for 3rd party software). Offloading it to just being part of the OS is a nice simplification.

What would be the problem of downgrading the version check to a warning?

There would be no problem, that's why i asked @ben.boeckel if that's the check that he meant.

Nonetheless, if there is a solution that does not require code changes, i think it should be considered.

Yes, that looks like the thing to do. You can probably skip the VTK_LEGACY_* bits as we really don't need to add more usages.