Hi, Python embeds a copy of the expat library which already got two major security vulnerabilities: "CVE-2016-0718: expat bug #537" http://python-security.readthedocs.io/vuln/cve-2016-0718_expat_bug_537.html "Issue #26556: Expat 2.1.1" http://python-security.readthedocs.io/vuln/issue_26556_expat_2.1.1.html Would it be possible to maintain this dependency on an external repository which would be easier to maintain? Like http://svn.python.org/projects/external/ used to build Python on Windows. I expect that all Linux distributions build Python using --with-system-expat. It may become the default? What about macOS and other operating systems? By the way, Zachary Ware is working on converting this repository to Git. I don't know his progress: - https://github.com/python/cpython-bin-deps - https://github.com/python/cpython-source-deps Victor