The following vulnerability was published for expat.
CVE-2022-25235[0]:
| xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain
| validation of encoding, such as checks for whether a UTF-8 character
| is valid in a certain context.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.