[BUG] Bump libexpat in Skia deps to ≥2.7.2 (CVE-2025-59375)

[pkedalag]

Description

https://nvd.nist.gov/vuln/detail/CVE-2025-59375 affects libexpat < 2.7.2 . Request to update third_party/libexpat to R_2_7_2 (libexpat 2.7.2+) and rebuild Skia so downstream native assets like SkiaSharp do not contain the vulnerable expat.

Code

.

Expected Behavior

No response

Actual Behavior

No response

Version of SkiaSharp

3.116.0 (Current)

Last Known Good Version of SkiaSharp

2.88.9 (Previous)

IDE / Editor

Visual Studio Code (Windows)

Platform / Operating System

Windows

Platform / Operating System Version

No response

Devices

No response

Relevant Screenshots

No response

Relevant Log Output

Code of Conduct

• I agree to follow this project's Code of Conduct

[github-actions]

Triage Summary

Labels will be applied to indicate compatibility concerns with SkiaSharp and specify the affected platform (Windows Classic) as well as the specific area related to native dependencies.

This issue is not a regression, but rather a matter of maintaining compatibility due to a security vulnerability in a library.

Additional remarks:

• The focus of this issue is on ensuring safety through dependency updates, rather than performance or reliability issues. No labels were applied for specific backends, as the issue is central to the library update.

Detailed Summary and Actions

Summary of the triage:

• The issue involves updating a library in SkiaSharp due to a security vulnerability.
• It relates to ensuring compatibility with various versions that utilize SkiaSharp.
• The development environment in question is Visual Studio Code on Windows Classic.
• The focus is particularly on the native dependencies of SkiaSharp, especially regarding libexpat and dependency management.
• This is a compatibility issue and does not indicate any regression or performance impact.

Summary of the actions that will be performed:

Action	Item	Description
Apply Label	tenet/compatibility	The issue involves updating a library in SkiaSharp due to a security vulnerability affecting compatibility.
Apply Label	os/Windows-Classic	The issue specifies that the behavior is related to the IDE used, which is Visual Studio Code on Windows.
Apply Label	area/libSkiaSharp.native	The issue pertains to the native dependencies of SkiaSharp, particularly the vulnerability in libexpat.

This entire triage process was automated by AI and mistakes may have been made. Please let us know so we can continue to improve.