[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#1031701: python3-pandas: Pandas requires version '2.0.1' or newer of 'xlrd'

I don't consider the lack of .xls in pandas worth a freeze exception, but consider it reasonable for others to disagree with that.

As noted in the bug, there are some (possibly not-technically-valid) .xlsx files that xlrd 1 can open but openpyxl can't - _pandas_ won't be able to open those either way, but allowing other applications to do so is still worth something.

There also may be applications that could switch to openpyxl but simply haven't. I don't know how much effort switching is / whether it would be reasonably possible for us to do it.

However, I wasn't aware of the security issues in xlrd 1 when I wrote that, and they may well be a reason to go to xlrd 2 and accept this breakage. Are they the long-standing "denial of service via excessive XML entity expansion" or is there now (also) a risk of something worse?

Reply to: