[BUG] Bump libexpat in Skia deps to ≥2.6.4 (CVE-2024-50602)

[pkedalag]

Description

https://nvd.nist.gov/vuln/detail/CVE-2024-50602 affects libexpat < 2.6.4 . Request to update third_party/libexpat to 2.6.4+ and rebuild Skia so downstream native assets like SkiaSharp do not contain the vulnerable expat.

Code

.

Expected Behavior

No response

Actual Behavior

No response

Version of SkiaSharp

2.88.9 (Previous)

Last Known Good Version of SkiaSharp

Other (Please indicate in the description)

IDE / Editor

Visual Studio Code (Windows)

Platform / Operating System

tvOS, Windows

Platform / Operating System Version

No response

Devices

No response

Relevant Screenshots

No response

Relevant Log Output

Code of Conduct

• I agree to follow this project's Code of Conduct

[github-actions]

Triage Summary

Labels will be applied to indicate the affected components (SkiaSharp, tvOS, and Windows-Classic) regarding the security vulnerability from a dependency update.

This issue is not categorized as a regression, as it pertains to a security vulnerability instead of functionality changes or performance problems.

Additional remarks:

• The focus is primarily on updating a dependency due to a security concern.
• There are no relevant labels available to further specify the issue's context regarding backend categories.

Detailed Summary and Actions

Summary of the triage:

• The issue involves updating a dependency (libexpat) affecting Skia and its C# bindings, specifically related to a security vulnerability.
• The issue is relevant to the tvOS platform as it has been specifically mentioned.
• Development is being conducted in a Windows environment using Visual Studio Code, which corresponds to the Windows-Classic label.
• This is not a regression and does not affect performance, reliability, or compatibility.

Summary of the actions that will be performed:

Action	Item	Description
Apply Label	area/libSkiaSharp.native	The issue relates to updating a dependency (libexpat) affecting Skia and its C# bindings due to security.
Apply Label	os/tvOS	The issue specifically mentions impact on the tvOS platform.
Apply Label	os/Windows-Classic	The issue is being developed and addressed in a Windows environment using Visual Studio Code.

This entire triage process was automated by AI and mistakes may have been made. Please let us know so we can continue to improve.