chore(wecom): make defusedxml dep acquireable and tolerant of absence

Follow-up on top of @TheOnlyMika's #32155 cherry-pick. The defusedxml hardening import was unconditional, which would break the gateway for anyone running a WeComCallback adapter without the (transitive-only) defusedxml present. - Wrap the import in the same try/except pattern as aiohttp/httpx in the same file. Sets DEFUSEDXML_AVAILABLE flag. - Extend check_wecom_callback_requirements() to gate on the flag, so the gateway logs the actual missing dep and skips the adapter instead of crashing. - Add [wecom] extra to pyproject.toml with defusedxml==0.7.1. - Register platform.wecom_callback in tools/lazy_deps.py so users get prompted to install it on first WeComCallback configuration, same pattern as discord/slack/matrix. defusedxml is still the right call for pre-auth XML parsing — this commit just makes the dep declarative and recoverable instead of a hard import-time crash.
2026-05-29 06:31:32 +00:00 · 2026-05-25 23:22:00 -07:00 · 2026-05-25 23:22:00 -07:00 · 31c8d5ff5f
commit 31c8d5ff5f
parent 5744b17579
5 changed files with 24 additions and 4 deletions
--- a/gateway/platforms/wecom_callback.py
+++ b/gateway/platforms/wecom_callback.py
@ -21,7 +21,13 @@ from typing import Any, Dict, List, Optional
 # defusedxml to block billion-laughs / entity-expansion (and XXE) DoS. The
 # parsing API (fromstring) is a drop-in for the stdlib calls used below;
 # response-building XML lives in wecom_crypto.py and is not parsed here.
-import defusedxml.ElementTree as ET
+try:
+    import defusedxml.ElementTree as ET
+
+    DEFUSEDXML_AVAILABLE = True
+except ImportError:
+    ET = None  # type: ignore[assignment]
+    DEFUSEDXML_AVAILABLE = False

 try:
    from aiohttp import web
@ -53,7 +59,7 @@ MESSAGE_DEDUP_TTL_SECONDS = 300


 def check_wecom_callback_requirements() -> bool:
-    return AIOHTTP_AVAILABLE and HTTPX_AVAILABLE
+    return AIOHTTP_AVAILABLE and HTTPX_AVAILABLE and DEFUSEDXML_AVAILABLE


 class WecomCallbackAdapter(BasePlatformAdapter):
--- a/gateway/run.py
+++ b/gateway/run.py
@ -6294,7 +6294,7 @@ class GatewayRunner:
                check_wecom_callback_requirements,
            )
            if not check_wecom_callback_requirements():
-                logger.warning("WeComCallback: aiohttp/httpx not installed")
+                logger.warning("WeComCallback: aiohttp/httpx/defusedxml not installed")
                return None
            return WecomCallbackAdapter(config)