
Black recommends replacing lxml with defusedxml #19

Open
CommanderStorm opened this issue Jan 28, 2021 · 2 comments
Labels
enhancement New feature or request

Comments

@CommanderStorm
Member

CommanderStorm commented Jan 28, 2021

Even though we kind of trust the stuwerk, it is better to be safe than sorry.

```text
Issue: [B410:blacklist] Using html to parse untrusted XML data is known to be vulnerable to XML attacks. Replace html with the equivalent defusedxml package.
   Severity: Low   Confidence: High
   Location: src/menu_parser.py:19
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b410-import-lxml
18      import requests
19      from lxml import html
```

COM8 added the enhancement (New feature or request) label Jan 29, 2021
@Philipp000

Is this still relevant?
I looked into it a bit and noticed that the lxml package of defusedxml (as recommended in the comment) is deprecated. https://pypi.org/project/defusedxml/#defusedxml-lxml

So as far as I see it, a replacement would require rewriting the parser?
Or is there another option?

@CommanderStorm
Member Author

tiran/defusedxml#38 states that the package is no longer necessary, but will be available until a real fix is found, so it is probably still worth staying subscribed to this issue.

The lxml FAQ has some recommendations on how to avert the size/compute-blowup vulnerabilities, but does not seem to be specific on how to secure the HTML parsing ability we use from this library.
https://lxml.de/FAQ.html#how-do-i-use-lxml-safely-as-a-web-service-endpoint

I have not researched whether the HTML parsing of lxml is also vulnerable to these kinds of attacks.
