Show HN: Xmloxide – an agent-made Rust replacement for libxml2
61 points | jawiggins | 22 hours ago | github.com
- Cursor attempted to make a browser from scratch: https://cursor.com/blog/scaling-agents
- Anthropic attempted to make a C Compiler: https://www.anthropic.com/engineering/building-c-compiler
I have been wondering if there are software packages that can be easily reproduced by taking the available test suites and tasking agents to work on projects until the existing test suites pass.
After playing with this concept by having Claude Code reproduce redis and sqlite, I began looking for software packages where an agent-made reproduction might actually be useful.
I found libxml2, a widely used, open-source C library for parsing, creating, and manipulating XML and HTML documents. Three months ago it became unmaintained with the update: "This project is unmaintained and has [known security issues](https://gitlab.gnome.org/GNOME/libxml2/-/issues/346). It is foolish to use this software to process untrusted data."
With a few days of work, I was able to create xmloxide, a memory-safe Rust replacement for libxml2 which passes the compatibility suite as well as the W3C XML Conformance Test Suite. Performance is similar on most parsing operations and better on serialization. It comes with a C API so that it can be a drop-in replacement for existing uses of libxml2.
- crates.io: https://crates.io/crates/xmloxide
- GitHub release: https://github.com/jonwiggins/xmloxide/releases/tag/v0.1.0
While I don't expect people to cut over to this new and unproven package, I do think there is something interesting to consider here in how coding agents like Claude Code can quickly iterate given a test suite. It's possible the legacy-code problem that COBOL and other systems present will go away as rewrites become easier. If so, ongoing maintenance, fixing CVEs and updating to later package versions, becomes a larger share of software package management work.
wooptoo|20 hours ago
nwellnhof|11 hours ago
It should also be noted that the remaining security issues in the core parser have to do with algorithmic complexity, not memory safety. Many other parts of libxml2 aren't security-critical at all.
[1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/976
[2] https://codeberg.org/nwellnhof/libxml2-ee
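To make the algorithmic-complexity class of issue concrete: the classic "billion laughs" entity-expansion attack (a well-known XML problem, not specific to libxml2) makes a few hundred bytes of XML expand to gigabytes without any memory-safety bug. A minimal sketch of just the growth arithmetic:

```rust
fn main() {
    // "Billion laughs": entity &lolN; expands to 10 copies of &lol(N-1);.
    // With 9 nesting levels, a document of a few hundred bytes expands to
    // 10^9 copies of the base string -- an algorithmic blowup, not a memory bug.
    let base = "lol"; // 3 bytes per innermost entity
    let levels: u32 = 9;
    let copies_per_level: u64 = 10;
    let expanded_copies = copies_per_level.pow(levels); // 10^9
    let expanded_bytes = expanded_copies * base.len() as u64; // ~3 GB
    println!(
        "{} copies, ~{:.0} GB expanded",
        expanded_copies,
        expanded_bytes as f64 / 1e9
    );
}
```

Memory-safe parsers are just as vulnerable to this class of issue unless they cap entity expansion depth or total expanded size.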
jawiggins|20 hours ago
I know a few companies have programs where engineers can designate specific projects as important and give them funds, but it doesn't happen enough to support all the projects that currently need work. Maybe AI coding tools will lower the cost of maintenance enough to improve this.
I do think there are two possible approaches that policy makers could consider.
1) There could probably be tax credits or deductions for SWEs who 'volunteer' their time to work on these projects.
2) Many governments have tried to create cyber reserve corps. I bet they could designate people as maintainers of key projects they rely on, maintaining both the projects themselves and a pool of people skilled with the tools they deem important.
socalgal2|14 hours ago
redhat, apple, samsung, huawei, google, etc...
ddlsmurf|17 hours ago
da_chicken|18 hours ago
black_13|20 hours ago
[deleted]
kburman|21 hours ago
As a side note, and this isn't a knock on your project specifically: I think the community needs to normalize disclaimers for "vibe-coded" packages. Consumers really need to understand upfront the potential risks of relying on agent-generated code.
nine_k|17 hours ago
Unlike the development work of old (pre-2025), work with high-end models incurs a very direct monetary cost: you burn tokens that cost money, and you can't run anything comparably powerful locally (even if you happen to have a Mac Pro Ultra with RAM maxed out).
Some of my friends burned through hundreds of dollars a day while doing large amounts of (allegedly efficient) work with Claude Code.
jawiggins|20 hours ago
As for the workflow, the best advice I can give is to set up as many guardrails and tools as possible, so Claude can do as many iterations as possible before needing any intervention. In this case I set up pre-commit hooks for linting and formatting, gave it access to the full test suite, and let it rip. The majority of the work was done in a single thinking loop that lasted ~3 hours, where Claude ran the tests, saw what failed, and iterated until they all passed. From there, there were still many iterations to add features, clean up, test, and improve performance, but letting Claude iterate quickly on its own without my involvement was crucial.
socalgal2|14 hours ago
This feels like if you want to know if the code is good or bad, read the code and check the tests. Assuming human = good, LLM = bad does not make much sense given the amount of bad human code I've seen.
Sure, if the code is from a reputable company or creator then I'd take that as a strong signal of quality over an LLM, but I wouldn't take a random human programmer as a strong signal over generated code.
hrtla|17 hours ago
blegge|21 hours ago
Why "in the public API"? Does this imply it's using unsafe under the hood? If so, what for?
gpm|19 hours ago
The only usages of unsafe are in src/ffi, which is only compiled when the ffi feature is enabled. ffi is fundamentally unsafe ("unsafe" meaning "the compiler can't automatically verify this code won't result in undefined behavior") so using it there is reasonable, and the rest of the crate is properly free of unsafe.
fulafel|19 hours ago
DetroitThrow|20 hours ago
alexhans|20 hours ago
This is a point I've tried to advocate for a while, especially to empower non-coders and make them see that we CAN approach automation with control.
Some aspects will be the classic unit or integration tests for validation. Others will be AI evals [1], which to me could be the common language for product design across families/disciplines that don't quite understand how to collaborate with each other.
The amount of progress in a short time is amazing to see.
- [1] https://ai-evals.io/
koakuma-chan|19 hours ago
yobbo|14 hours ago
It could be doing double checks in both the tokeniser and the parser, and things like that.
Actually looks like a good starting point and reference for someone working on xml parsers in rust.
mkj|17 hours ago
agentifysh|15 hours ago
libxml2 has always been one of those libraries I had trouble with on different platforms.
I think it's great that more and more OSS projects are getting attention now with AI coding agents.
nicoburns|21 hours ago
jawiggins|20 hours ago
fourthark|21 hours ago
jawiggins|20 hours ago
blegge|21 hours ago
Doesn't seem to have shut down or even be unmaintained. Perhaps it was briefly, and has now been resurrected?
notpushkin|20 hours ago
Imustaskforhelp|13 hours ago
benatkin|19 hours ago
dmitrygr|14 hours ago
mdavid626|16 hours ago
It’s time to make this mandatory.
Nothing against AI - just to inform people about the quality, maintainability, and future of this library. No human has a mental model of the code, so don't waste your time building one - the original author didn't either.
agentifysh|15 hours ago
none of your arguments make sense here
lynxbot2026|18 hours ago
[deleted]
jawiggins|18 hours ago
1. fuzz_xml_parse: throws arbitrary bytes at the XML parser in both strict and recovery mode
2. fuzz_html_parse: throws arbitrary bytes at the HTML parser
3. fuzz_xpath: throws arbitrary XPath expressions at the evaluator
4. fuzz_roundtrip: parse → serialize → re-parse, checking that the pipeline never panics
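The fourth target checks a useful general property: after one parse → serialize pass, a second pass should be a fixed point (and must never panic). A self-contained sketch of that idempotence check, using lossy UTF-8 decoding as a stand-in for the real parser (the actual fuzz target would call the crate's parse and serialize functions instead):

```rust
// Stand-in "parse -> serialize": lossy UTF-8 decode then re-encode.
// Like a recovering parser, it accepts arbitrary bytes and emits
// normalized output (invalid sequences become U+FFFD).
fn roundtrip(bytes: &[u8]) -> Vec<u8> {
    String::from_utf8_lossy(bytes).into_owned().into_bytes()
}

fn main() {
    // Arbitrary inputs, including invalid UTF-8 (0xFF, 0xFE) and empty input.
    let inputs: [&[u8]; 3] = [b"<a>hi</a>", b"\xff\xfe<broken", b""];
    for input in inputs {
        let once = roundtrip(input);
        let twice = roundtrip(&once);
        // Idempotence: a second pass must not change the output.
        assert_eq!(once, twice);
    }
    println!("roundtrip stable on all inputs");
}
```

Under cargo-fuzz, the same body would sit inside a `fuzz_target!` macro so libFuzzer supplies the input bytes instead of a fixed list.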
Because this project uses memory-safe Rust, there isn't really a need to find the memory bugs that made up the majority of libxml2's CVEs.
There is a valid point about logic bugs or infinite loops, which I suppose could be present in any software package, and which I'm not sure how to totally rule out here.
man4|21 hours ago
[deleted]