From 84a825a0b42c206d58fd5393b9e4fc4660031b8e Mon Sep 17 00:00:00 2001
From: vasiliadi <9432426+vasiliadi@users.noreply.github.com>
Date: Fri, 15 Nov 2024 20:08:01 -0600
Subject: [PATCH 1/2] fix: possible XML bombs and other exploits by replacing xml.etree.ElementTree with defusedxml.ElementTree
---
 youtube_transcript_api/_transcripts.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/youtube_transcript_api/_transcripts.py b/youtube_transcript_api/_transcripts.py
index f93f717..0c42258 100644
--- a/youtube_transcript_api/_transcripts.py
+++ b/youtube_transcript_api/_transcripts.py
@@ -8,7 +8,7 @@ import json
-from xml.etree import ElementTree
+from defusedxml import ElementTree
 import re
From b473e696d647c7f9331bce433cdefd726238167b Mon Sep 17 00:00:00 2001
From: vasiliadi <9432426+vasiliadi@users.noreply.github.com>
Date: Fri, 15 Nov 2024 20:08:43 -0600
Subject: [PATCH 2/2] build: added defusedxml package
---
 poetry.lock | 15 +++++++++++++--
 pyproject.toml | 1 +
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/poetry.lock b/poetry.lock
index 5906f03..c2754ec 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.8.4 and should not be changed by hand.
 [[package]]
 name = "certifi"
@@ -220,6 +220,17 @@ files = [
 [package.extras]
 toml = ["tomli"]
+[[package]]
+name = "defusedxml"
+version = "0.7.1"
+description = "XML bomb protection for Python stdlib modules"
+optional = false
+python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*"
+files = [
+    {file = "defusedxml-0.7.1-py2.py3-none-any.whl", hash = "sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61"},
+    {file = "defusedxml-0.7.1.tar.gz", hash = "sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69"},
+]
 [[package]]
 name = "exceptiongroup"
 version = "1.2.2"
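Review bot: Any `except ElementTree.ParseError` handler elsewhere in _transcripts.py will no longer catch the rejections this import is meant to introduce, because defusedxml reports forbidden constructs (entity declarations, external references, DTDs when forbidden) with `DefusedXmlException` subclasses that derive from `ValueError`, not from `ParseError`; the parse call sites lie outside this hunk, so they should be checked and, where the library wraps parse failures in its own error type, the defused exceptions mapped the same way so callers see a consistent failure. `defusedxml.ElementTree` also re-exports only the parsing entry points (`fromstring`, `parse`, `iterparse`, `XML`, `ParseError`) and not element construction helpers such as `Element` or `SubElement`, so the rest of the module should be confirmed to use nothing beyond those. Since transcript XML never carries a DOCTYPE, the call site could additionally pass `forbid_dtd=True` (off by default) to reject any DTD outright rather than only entity expansion.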
@@ -412,4 +423,4 @@ zstd = ["zstandard (>=0.18.0)"]
 [metadata]
 lock-version = "2.0"
 python-versions = ">=3.8,<3.14"
-content-hash = "370c5c5f94f6000e0fdb76190a3aabd5acadf804802ca70dba41787d306799b4"
+content-hash = "9688fe60ffcd776c6ed6da0a9cedf875f97aefcd72fdc817495978b68afc381b"
diff --git a/pyproject.toml b/pyproject.toml
index ad6de10..ed73331 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -49,6 +49,7 @@ precommit.shell = "poe format && poe lint && poe coverage"
 [tool.poetry.dependencies]
 python = ">=3.8,<3.14"
 requests = "*"
+defusedxml = "^0.7.1"
 [tool.poetry.group.test]
 optional = true
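Review bot: The dependency declaration lands one commit after the import that needs it (PATCH 1/2 switches _transcripts.py to defusedxml, PATCH 2/2 adds `defusedxml = "^0.7.1"` here), so the tree at the first commit cannot import the package unless defusedxml happens to be installed some other way; squashing the two, or reordering so this hunk comes first, keeps every commit installable and bisectable. The caret constraint resolves to `>=0.7.1,<0.8.0` under Poetry, which is appropriate for a 0.x package, and the lock entry pins both artifact hashes, so nothing further is needed in the declaration itself.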