of entropy
+          (depending on the size of type <code>unsigned long</code>) while the SipHash
+          implementation used by Expat can leverage up to 16 bytes of entropy — at least
+          twice as much. Function <code><a href=
+          "#XML_SetHashSalt16Bytes">XML_SetHashSalt16Bytes</a></code> of Expat &gt;=2.8.0
+          (and where backported) matches the amount of entropy supported by SipHash.
+        </p>
+
         <p>
           <b>Note:</b> This call is optional, as the parser will auto-generate a new
-          random salt value if no value has been set at the start of parsing.
+          random salt value internally if no value has been set by the start of parsing.
         </p>
 
         <p>
@@ -3475,6 +3492,34 @@ XML_SetHashSalt(XML_Parser p,
         </p>
       </div>
 
+      <h4 id="XML_SetHashSalt16Bytes">
+        XML_SetHashSalt16Bytes
+      </h4>
+
+      <pre class="fcndec">
+/* Added in Expat 2.8.0. */
+XML_Bool XMLCALL
+XML_SetHashSalt16Bytes(XML_Parser parser,
+                       const uint8_t entropy[16]);
+</pre>
+      <div class="fcndef">
+        Sets the hash salt to use for internal hash calculations. Helps in preventing DoS
+        attacks based on predicting hash function behavior. In order to have an effect
+        this must be called before parsing has started. Returns <code>XML_TRUE</code> if
+        successful, <code>XML_FALSE</code> when called after <code>XML_Parse</code> or
+        <code>XML_ParseBuffer</code> or when <code>parser</code> is <code>NULL</code>.
+        <p>
+          <b>Note:</b> Setting a salt that is <em>not</em> from a source of high quality
+          entropy (like <code>getentropy(3)</code>) will make the parser vulnerable to
+          hash flooding attacks.
+        </p>
+
+        <p>
+          <b>Note:</b> This call is optional, as the parser will auto-generate a new
+          random salt value internally if no value has been set by the start of parsing.
+        </p>
+      </div>
+
       <h4 id="XML_UseForeignDTD">
         XML_UseForeignDTD
       </h4>
diff --git a/contrib/expat/doc/xmlwf.1 b/contrib/expat/doc/xmlwf.1
index 75318fccc856..0736f110e3c1 100644
--- a/contrib/expat/doc/xmlwf.1
+++ b/contrib/expat/doc/xmlwf.1
@@ -5,7 +5,7 @@
 \\$2 \(la\\$1\(ra\\$3
 ..
 .if \n(.g .mso www.tmac
-.TH XMLWF 1 "March 17, 2026" "" ""
+.TH XMLWF 1 "April 24, 2026" "" ""
 .SH NAME
 xmlwf \- Determines if an XML document is well-formed
 .SH SYNOPSIS
diff --git a/contrib/expat/doc/xmlwf.xml b/contrib/expat/doc/xmlwf.xml
index c4fe92d44fb4..3a3897750cb1 100644
--- a/contrib/expat/doc/xmlwf.xml
+++ b/contrib/expat/doc/xmlwf.xml
@@ -21,7 +21,7 @@
           "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
   <!ENTITY dhfirstname "<firstname>Scott</firstname>">
   <!ENTITY dhsurname   "<surname>Bronson</surname>">
-  <!ENTITY dhdate      "<date>March 17, 2026</date>">
+  <!ENTITY dhdate      "<date>April 24, 2026</date>">
   <!-- Please adjust this^^ date whenever cutting a new release. -->
   <!ENTITY dhsection   "<manvolnum>1</manvolnum>">
   <!ENTITY dhemail     "<email>bronson@rinspin.com</email>">
diff --git a/contrib/expat/examples/element_declarations.c b/contrib/expat/examples/element_declarations.c
index d644b2ffa5ea..d864cf70a2f7 100644
--- a/contrib/expat/examples/element_declarations.c
+++ b/contrib/expat/examples/element_declarations.c
@@ -16,6 +16,7 @@
    Copyright (c) 2017      Rhodri James <rhodri@wildebeest.org.uk>
    Copyright (c) 2019      Zhongyuan Zhou <zhouzhongyuan@huawei.com>
    Copyright (c) 2024      Hanno Böck <hanno@gentoo.org>
+   Copyright (c) 2026      Matthew Fernandez <matthew.fernandez@gmail.com>
    Licensed under the MIT license:
 
    Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -82,7 +83,7 @@ stackPopFree(Stack *stackTop) {
   return newStackTop;
 }
 
-static char *
+static const char *
 contentTypeName(enum XML_Content_Type contentType) {
   switch (contentType) {
   case XML_CTYPE_EMPTY:
@@ -102,7 +103,7 @@ contentTypeName(enum XML_Content_Type contentType) {
   }
 }
 
-static char *
+static const char *
 contentQuantName(enum XML_Content_Quant contentQuant) {
   switch (contentQuant) {
   case XML_CQUANT_NONE:
diff --git a/contrib/expat/expat_config.h.in b/contrib/expat/expat_config.h.in
index 7541bf6005e6..4d7d732e8052 100644
--- a/contrib/expat/expat_config.h.in
+++ b/contrib/expat/expat_config.h.in
@@ -24,6 +24,9 @@
 /* Define to 1 if you have the <fcntl.h> header file. */
 #undef HAVE_FCNTL_H
 
+/* Define to 1 if you have the `getentropy' function. */
+#undef HAVE_GETENTROPY
+
 /* Define to 1 if you have the 'getpagesize' function. */
 #undef HAVE_GETPAGESIZE
 
diff --git a/contrib/expat/lib/Makefile.am b/contrib/expat/lib/Makefile.am
index 493077231c57..27bf2ab64769 100644
--- a/contrib/expat/lib/Makefile.am
+++ b/contrib/expat/lib/Makefile.am
@@ -55,6 +55,42 @@ libexpat_la_SOURCES = \
     xmltok.c \
     xmlrole.c
 
+if WITH_ARC4RANDOM
+    libexpat_la_SOURCES += \
+        random_arc4random.c \
+        random_arc4random.h
+endif
+
+if WITH_ARC4RANDOM_BUF
+    libexpat_la_SOURCES += \
+        random_arc4random_buf.c \
+        random_arc4random_buf.h
+endif
+
+if ! MINGW
+    libexpat_la_SOURCES += \
+        random_dev_urandom.c \
+        random_dev_urandom.h
+endif
+
+if WITH_GETENTROPY
+    libexpat_la_SOURCES += \
+        random_getentropy.c \
+        random_getentropy.h
+endif
+
+if WITH_EITHER_GETRANDOM
+    libexpat_la_SOURCES += \
+        random_getrandom.c \
+        random_getrandom.h
+endif
+
+if MINGW
+    libexpat_la_SOURCES += \
+        random_rand_s.c \
+        random_rand_s.h
+endif
+
 if WITH_TESTS
 libtestpat_la_CPPFLAGS = -DXML_TESTING
 
diff --git a/contrib/expat/lib/Makefile.in b/contrib/expat/lib/Makefile.in
index d8e4fd59e117..4cd6fcfc6088 100644
--- a/contrib/expat/lib/Makefile.in
+++ b/contrib/expat/lib/Makefile.in
@@ -126,6 +126,30 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 @HAVE_VSCRIPT_TRUE@am__append_1 = $(VSCRIPT_LDFLAGS),@builddir@/libexpat.map
+@WITH_ARC4RANDOM_TRUE@am__append_2 = \
+@WITH_ARC4RANDOM_TRUE@        random_arc4random.c \
+@WITH_ARC4RANDOM_TRUE@        random_arc4random.h
+
+@WITH_ARC4RANDOM_BUF_TRUE@am__append_3 = \
+@WITH_ARC4RANDOM_BUF_TRUE@        random_arc4random_buf.c \
+@WITH_ARC4RANDOM_BUF_TRUE@        random_arc4random_buf.h
+
+@MINGW_FALSE@am__append_4 = \
+@MINGW_FALSE@        random_dev_urandom.c \
+@MINGW_FALSE@        random_dev_urandom.h
+
+@WITH_GETENTROPY_TRUE@am__append_5 = \
+@WITH_GETENTROPY_TRUE@        random_getentropy.c \
+@WITH_GETENTROPY_TRUE@        random_getentropy.h
+
+@WITH_EITHER_GETRANDOM_TRUE@am__append_6 = \
+@WITH_EITHER_GETRANDOM_TRUE@        random_getrandom.c \
+@WITH_EITHER_GETRANDOM_TRUE@        random_getrandom.h
+
+@MINGW_TRUE@am__append_7 = \
+@MINGW_TRUE@        random_rand_s.c \
+@MINGW_TRUE@        random_rand_s.h
+
 subdir = lib
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
@@ -180,7 +204,21 @@ am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(docdir)" \
 	"$(DESTDIR)$(includedir)"
 LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES)
 libexpat_la_LIBADD =
-am_libexpat_la_OBJECTS = xmlparse.lo xmltok.lo xmlrole.lo
+am__libexpat_la_SOURCES_DIST = xmlparse.c xmltok.c xmlrole.c \
+	random_arc4random.c random_arc4random.h \
+	random_arc4random_buf.c random_arc4random_buf.h \
+	random_dev_urandom.c random_dev_urandom.h random_getentropy.c \
+	random_getentropy.h random_getrandom.c random_getrandom.h \
+	random_rand_s.c random_rand_s.h
+@WITH_ARC4RANDOM_TRUE@am__objects_1 = random_arc4random.lo
+@WITH_ARC4RANDOM_BUF_TRUE@am__objects_2 = random_arc4random_buf.lo
+@MINGW_FALSE@am__objects_3 = random_dev_urandom.lo
+@WITH_GETENTROPY_TRUE@am__objects_4 = random_getentropy.lo
+@WITH_EITHER_GETRANDOM_TRUE@am__objects_5 = random_getrandom.lo
+@MINGW_TRUE@am__objects_6 = random_rand_s.lo
+am_libexpat_la_OBJECTS = xmlparse.lo xmltok.lo xmlrole.lo \
+	$(am__objects_1) $(am__objects_2) $(am__objects_3) \
+	$(am__objects_4) $(am__objects_5) $(am__objects_6)
 libexpat_la_OBJECTS = $(am_libexpat_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -190,10 +228,26 @@ libexpat_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libexpat_la_LDFLAGS) $(LDFLAGS) -o $@
 libtestpat_la_LIBADD =
-am__libtestpat_la_SOURCES_DIST = xmlparse.c xmltok.c xmlrole.c
-am__objects_1 = libtestpat_la-xmlparse.lo libtestpat_la-xmltok.lo \
-	libtestpat_la-xmlrole.lo
-@WITH_TESTS_TRUE@am_libtestpat_la_OBJECTS = $(am__objects_1)
+am__libtestpat_la_SOURCES_DIST = xmlparse.c xmltok.c xmlrole.c \
+	random_arc4random.c random_arc4random.h \
+	random_arc4random_buf.c random_arc4random_buf.h \
+	random_dev_urandom.c random_dev_urandom.h random_getentropy.c \
+	random_getentropy.h random_getrandom.c random_getrandom.h \
+	random_rand_s.c random_rand_s.h
+@WITH_ARC4RANDOM_TRUE@am__objects_7 =  \
+@WITH_ARC4RANDOM_TRUE@	libtestpat_la-random_arc4random.lo
+@WITH_ARC4RANDOM_BUF_TRUE@am__objects_8 = libtestpat_la-random_arc4random_buf.lo
+@MINGW_FALSE@am__objects_9 = libtestpat_la-random_dev_urandom.lo
+@WITH_GETENTROPY_TRUE@am__objects_10 =  \
+@WITH_GETENTROPY_TRUE@	libtestpat_la-random_getentropy.lo
+@WITH_EITHER_GETRANDOM_TRUE@am__objects_11 =  \
+@WITH_EITHER_GETRANDOM_TRUE@	libtestpat_la-random_getrandom.lo
+@MINGW_TRUE@am__objects_12 = libtestpat_la-random_rand_s.lo
+am__objects_13 = libtestpat_la-xmlparse.lo libtestpat_la-xmltok.lo \
+	libtestpat_la-xmlrole.lo $(am__objects_7) $(am__objects_8) \
+	$(am__objects_9) $(am__objects_10) $(am__objects_11) \
+	$(am__objects_12)
+@WITH_TESTS_TRUE@am_libtestpat_la_OBJECTS = $(am__objects_13)
 libtestpat_la_OBJECTS = $(am_libtestpat_la_OBJECTS)
 @WITH_TESTS_TRUE@am_libtestpat_la_rpath =
 AM_V_P = $(am__v_P_@AM_V@)
@@ -211,10 +265,22 @@ am__v_at_1 =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/conftools/depcomp
 am__maybe_remake_depfiles = depfiles
-am__depfiles_remade = ./$(DEPDIR)/libtestpat_la-xmlparse.Plo \
+am__depfiles_remade = ./$(DEPDIR)/libtestpat_la-random_arc4random.Plo \
+	./$(DEPDIR)/libtestpat_la-random_arc4random_buf.Plo \
+	./$(DEPDIR)/libtestpat_la-random_dev_urandom.Plo \
+	./$(DEPDIR)/libtestpat_la-random_getentropy.Plo \
+	./$(DEPDIR)/libtestpat_la-random_getrandom.Plo \
+	./$(DEPDIR)/libtestpat_la-random_rand_s.Plo \
+	./$(DEPDIR)/libtestpat_la-xmlparse.Plo \
 	./$(DEPDIR)/libtestpat_la-xmlrole.Plo \
-	./$(DEPDIR)/libtestpat_la-xmltok.Plo ./$(DEPDIR)/xmlparse.Plo \
-	./$(DEPDIR)/xmlrole.Plo ./$(DEPDIR)/xmltok.Plo
+	./$(DEPDIR)/libtestpat_la-xmltok.Plo \
+	./$(DEPDIR)/random_arc4random.Plo \
+	./$(DEPDIR)/random_arc4random_buf.Plo \
+	./$(DEPDIR)/random_dev_urandom.Plo \
+	./$(DEPDIR)/random_getentropy.Plo \
+	./$(DEPDIR)/random_getrandom.Plo ./$(DEPDIR)/random_rand_s.Plo \
+	./$(DEPDIR)/xmlparse.Plo ./$(DEPDIR)/xmlrole.Plo \
+	./$(DEPDIR)/xmltok.Plo
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@@ -235,7 +301,7 @@ am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
 SOURCES = $(libexpat_la_SOURCES) $(libtestpat_la_SOURCES)
-DIST_SOURCES = $(libexpat_la_SOURCES) \
+DIST_SOURCES = $(am__libexpat_la_SOURCES_DIST) \
 	$(am__libtestpat_la_SOURCES_DIST)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
@@ -428,11 +494,9 @@ lib_LTLIBRARIES = libexpat.la
 @WITH_TESTS_TRUE@noinst_LTLIBRARIES = libtestpat.la
 libexpat_la_LDFLAGS = @AM_LDFLAGS@ @LIBM@ -no-undefined -version-info \
 	@LIBCURRENT@:@LIBREVISION@:@LIBAGE@ $(am__append_1)
-libexpat_la_SOURCES = \
-    xmlparse.c \
-    xmltok.c \
-    xmlrole.c
-
+libexpat_la_SOURCES = xmlparse.c xmltok.c xmlrole.c $(am__append_2) \
+	$(am__append_3) $(am__append_4) $(am__append_5) \
+	$(am__append_6) $(am__append_7)
 @WITH_TESTS_TRUE@libtestpat_la_CPPFLAGS = -DXML_TESTING
 @WITH_TESTS_TRUE@libtestpat_la_SOURCES = $(libexpat_la_SOURCES)
 doc_DATA = \
@@ -548,9 +612,21 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtestpat_la-random_arc4random.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtestpat_la-random_arc4random_buf.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtestpat_la-random_dev_urandom.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtestpat_la-random_getentropy.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtestpat_la-random_getrandom.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtestpat_la-random_rand_s.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtestpat_la-xmlparse.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtestpat_la-xmlrole.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtestpat_la-xmltok.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random_arc4random.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random_arc4random_buf.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random_dev_urandom.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random_getentropy.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random_getrandom.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random_rand_s.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xmlparse.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xmlrole.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xmltok.Plo@am__quote@ # am--include-marker
@@ -603,6 +679,48 @@ libtestpat_la-xmlrole.lo: xmlrole.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libtestpat_la-xmlrole.lo `test -f 'xmlrole.c' || echo '$(srcdir)/'`xmlrole.c
 
+libtestpat_la-random_arc4random.lo: random_arc4random.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libtestpat_la-random_arc4random.lo -MD -MP -MF $(DEPDIR)/libtestpat_la-random_arc4random.Tpo -c -o libtestpat_la-random_arc4random.lo `test -f 'random_arc4random.c' || echo '$(srcdir)/'`random_arc4random.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libtestpat_la-random_arc4random.Tpo $(DEPDIR)/libtestpat_la-random_arc4random.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='random_arc4random.c' object='libtestpat_la-random_arc4random.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libtestpat_la-random_arc4random.lo `test -f 'random_arc4random.c' || echo '$(srcdir)/'`random_arc4random.c
+
+libtestpat_la-random_arc4random_buf.lo: random_arc4random_buf.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libtestpat_la-random_arc4random_buf.lo -MD -MP -MF $(DEPDIR)/libtestpat_la-random_arc4random_buf.Tpo -c -o libtestpat_la-random_arc4random_buf.lo `test -f 'random_arc4random_buf.c' || echo '$(srcdir)/'`random_arc4random_buf.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libtestpat_la-random_arc4random_buf.Tpo $(DEPDIR)/libtestpat_la-random_arc4random_buf.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='random_arc4random_buf.c' object='libtestpat_la-random_arc4random_buf.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libtestpat_la-random_arc4random_buf.lo `test -f 'random_arc4random_buf.c' || echo '$(srcdir)/'`random_arc4random_buf.c
+
+libtestpat_la-random_dev_urandom.lo: random_dev_urandom.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libtestpat_la-random_dev_urandom.lo -MD -MP -MF $(DEPDIR)/libtestpat_la-random_dev_urandom.Tpo -c -o libtestpat_la-random_dev_urandom.lo `test -f 'random_dev_urandom.c' || echo '$(srcdir)/'`random_dev_urandom.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libtestpat_la-random_dev_urandom.Tpo $(DEPDIR)/libtestpat_la-random_dev_urandom.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='random_dev_urandom.c' object='libtestpat_la-random_dev_urandom.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libtestpat_la-random_dev_urandom.lo `test -f 'random_dev_urandom.c' || echo '$(srcdir)/'`random_dev_urandom.c
+
+libtestpat_la-random_getentropy.lo: random_getentropy.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libtestpat_la-random_getentropy.lo -MD -MP -MF $(DEPDIR)/libtestpat_la-random_getentropy.Tpo -c -o libtestpat_la-random_getentropy.lo `test -f 'random_getentropy.c' || echo '$(srcdir)/'`random_getentropy.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libtestpat_la-random_getentropy.Tpo $(DEPDIR)/libtestpat_la-random_getentropy.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='random_getentropy.c' object='libtestpat_la-random_getentropy.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libtestpat_la-random_getentropy.lo `test -f 'random_getentropy.c' || echo '$(srcdir)/'`random_getentropy.c
+
+libtestpat_la-random_getrandom.lo: random_getrandom.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libtestpat_la-random_getrandom.lo -MD -MP -MF $(DEPDIR)/libtestpat_la-random_getrandom.Tpo -c -o libtestpat_la-random_getrandom.lo `test -f 'random_getrandom.c' || echo '$(srcdir)/'`random_getrandom.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libtestpat_la-random_getrandom.Tpo $(DEPDIR)/libtestpat_la-random_getrandom.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='random_getrandom.c' object='libtestpat_la-random_getrandom.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libtestpat_la-random_getrandom.lo `test -f 'random_getrandom.c' || echo '$(srcdir)/'`random_getrandom.c
+
+libtestpat_la-random_rand_s.lo: random_rand_s.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libtestpat_la-random_rand_s.lo -MD -MP -MF $(DEPDIR)/libtestpat_la-random_rand_s.Tpo -c -o libtestpat_la-random_rand_s.lo `test -f 'random_rand_s.c' || echo '$(srcdir)/'`random_rand_s.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libtestpat_la-random_rand_s.Tpo $(DEPDIR)/libtestpat_la-random_rand_s.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='random_rand_s.c' object='libtestpat_la-random_rand_s.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libtestpat_la-random_rand_s.lo `test -f 'random_rand_s.c' || echo '$(srcdir)/'`random_rand_s.c
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -779,9 +897,21 @@ clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \
 	clean-noinstLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
+	-rm -f ./$(DEPDIR)/libtestpat_la-random_arc4random.Plo
+	-rm -f ./$(DEPDIR)/libtestpat_la-random_arc4random_buf.Plo
+	-rm -f ./$(DEPDIR)/libtestpat_la-random_dev_urandom.Plo
+	-rm -f ./$(DEPDIR)/libtestpat_la-random_getentropy.Plo
+	-rm -f ./$(DEPDIR)/libtestpat_la-random_getrandom.Plo
+	-rm -f ./$(DEPDIR)/libtestpat_la-random_rand_s.Plo
 	-rm -f ./$(DEPDIR)/libtestpat_la-xmlparse.Plo
 	-rm -f ./$(DEPDIR)/libtestpat_la-xmlrole.Plo
 	-rm -f ./$(DEPDIR)/libtestpat_la-xmltok.Plo
+	-rm -f ./$(DEPDIR)/random_arc4random.Plo
+	-rm -f ./$(DEPDIR)/random_arc4random_buf.Plo
+	-rm -f ./$(DEPDIR)/random_dev_urandom.Plo
+	-rm -f ./$(DEPDIR)/random_getentropy.Plo
+	-rm -f ./$(DEPDIR)/random_getrandom.Plo
+	-rm -f ./$(DEPDIR)/random_rand_s.Plo
 	-rm -f ./$(DEPDIR)/xmlparse.Plo
 	-rm -f ./$(DEPDIR)/xmlrole.Plo
 	-rm -f ./$(DEPDIR)/xmltok.Plo
@@ -831,9 +961,21 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
+	-rm -f ./$(DEPDIR)/libtestpat_la-random_arc4random.Plo
+	-rm -f ./$(DEPDIR)/libtestpat_la-random_arc4random_buf.Plo
+	-rm -f ./$(DEPDIR)/libtestpat_la-random_dev_urandom.Plo
+	-rm -f ./$(DEPDIR)/libtestpat_la-random_getentropy.Plo
+	-rm -f ./$(DEPDIR)/libtestpat_la-random_getrandom.Plo
+	-rm -f ./$(DEPDIR)/libtestpat_la-random_rand_s.Plo
 	-rm -f ./$(DEPDIR)/libtestpat_la-xmlparse.Plo
 	-rm -f ./$(DEPDIR)/libtestpat_la-xmlrole.Plo
 	-rm -f ./$(DEPDIR)/libtestpat_la-xmltok.Plo
+	-rm -f ./$(DEPDIR)/random_arc4random.Plo
+	-rm -f ./$(DEPDIR)/random_arc4random_buf.Plo
+	-rm -f ./$(DEPDIR)/random_dev_urandom.Plo
+	-rm -f ./$(DEPDIR)/random_getentropy.Plo
+	-rm -f ./$(DEPDIR)/random_getrandom.Plo
+	-rm -f ./$(DEPDIR)/random_rand_s.Plo
 	-rm -f ./$(DEPDIR)/xmlparse.Plo
 	-rm -f ./$(DEPDIR)/xmlrole.Plo
 	-rm -f ./$(DEPDIR)/xmltok.Plo
diff --git a/contrib/expat/lib/expat.h b/contrib/expat/lib/expat.h
index 18dbaebde293..79c609f19aa4 100644
--- a/contrib/expat/lib/expat.h
+++ b/contrib/expat/lib/expat.h
@@ -45,6 +45,7 @@
 #ifndef Expat_INCLUDED
 #  define Expat_INCLUDED 1
 
+#  include <stdint.h> // for uint8_t
 #  include <stdlib.h>
 #  include "expat_external.h"
 
@@ -917,10 +918,21 @@ XML_SetParamEntityParsing(XML_Parser parser,
    function behavior. This must be called before parsing is started.
    Returns 1 if successful, 0 when called after parsing has started.
    Note: If parser == NULL, the function will do nothing and return 0.
+   DEPRECATED since Expat 2.8.0.
 */
 XMLPARSEAPI(int)
 XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt);
 
+/* Sets the hash salt to use for internal hash calculations.
+   Helps in preventing DoS attacks based on predicting hash function behavior.
+   This must be called before parsing is started.
+   Returns XML_TRUE if successful, XML_FALSE when called after parsing has
+   started or when parser is NULL.
+   Added in Expat 2.8.0.
+*/
+XMLPARSEAPI(XML_Bool)
+XML_SetHashSalt16Bytes(XML_Parser parser, const uint8_t entropy[16]);
+
 /* If XML_Parse or XML_ParseBuffer have returned XML_STATUS_ERROR, then
    XML_GetErrorCode returns information about the error.
 */
@@ -1081,8 +1093,8 @@ XML_SetReparseDeferralEnabled(XML_Parser parser, XML_Bool enabled);
    See https://semver.org
 */
 #  define XML_MAJOR_VERSION 2
-#  define XML_MINOR_VERSION 7
-#  define XML_MICRO_VERSION 5
+#  define XML_MINOR_VERSION 8
+#  define XML_MICRO_VERSION 0
 
 #  ifdef __cplusplus
 }
diff --git a/contrib/expat/lib/expat_external.h b/contrib/expat/lib/expat_external.h
index d9ddeb612f6d..7f5c4c3aae4d 100644
--- a/contrib/expat/lib/expat_external.h
+++ b/contrib/expat/lib/expat_external.h
@@ -12,9 +12,10 @@
    Copyright (c) 2001-2002 Greg Stein <gstein@users.sourceforge.net>
    Copyright (c) 2002-2006 Karl Waclawek <karl@waclawek.net>
    Copyright (c) 2016      Cristian Rodríguez <crrodriguez@opensuse.org>
-   Copyright (c) 2016-2026 Sebastian Pipping <sebastian@pipping.org>
+   Copyright (c) 2016-2025 Sebastian Pipping <sebastian@pipping.org>
    Copyright (c) 2017      Rhodri James <rhodri@wildebeest.org.uk>
    Copyright (c) 2018      Yury Gribov <tetra2005@gmail.com>
+   Copyright (c) 2026      Matthew Fernandez <matthew.fernandez@gmail.com>
    Licensed under the MIT license:
 
    Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -45,7 +46,7 @@
 /* Expat tries very hard to make the API boundary very specifically
    defined.  There are two macros defined to control this boundary;
    each of these can be defined before including this header to
-   achieve some different behavior, but doing so it not recommended or
+   achieve some different behavior, but doing so is not recommended or
    tested frequently.
 
    XMLCALL    - The calling convention to use for all calls across the
diff --git a/contrib/expat/lib/internal.h b/contrib/expat/lib/internal.h
index 61266ebb7723..420d4217a569 100644
--- a/contrib/expat/lib/internal.h
+++ b/contrib/expat/lib/internal.h
@@ -28,7 +28,7 @@
    Copyright (c) 2002-2003 Fred L. Drake, Jr. <fdrake@users.sourceforge.net>
    Copyright (c) 2002-2006 Karl Waclawek <karl@waclawek.net>
    Copyright (c) 2003      Greg Stein <gstein@users.sourceforge.net>
-   Copyright (c) 2016-2025 Sebastian Pipping <sebastian@pipping.org>
+   Copyright (c) 2016-2026 Sebastian Pipping <sebastian@pipping.org>
    Copyright (c) 2018      Yury Gribov <tetra2005@gmail.com>
    Copyright (c) 2019      David Loffredo <loffredo@steptools.com>
    Copyright (c) 2023-2024 Sony Corporation / Snild Dolkow <snild@sony.com>
@@ -113,6 +113,7 @@
 #if defined(_WIN32)                                                            \
     && (! defined(__USE_MINGW_ANSI_STDIO)                                      \
         || (1 - __USE_MINGW_ANSI_STDIO - 1 == 0))
+#  define EXPAT_FMT_LLX(midpart) "%" midpart "I64x"
 #  define EXPAT_FMT_ULL(midpart) "%" midpart "I64u"
 #  if defined(_WIN64) // Note: modifiers "td" and "zu" do not work for MinGW
 #    define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d"
@@ -122,6 +123,7 @@
 #    define EXPAT_FMT_SIZE_T(midpart) "%" midpart "u"
 #  endif
 #else
+#  define EXPAT_FMT_LLX(midpart) "%" midpart "llx"
 #  define EXPAT_FMT_ULL(midpart) "%" midpart "llu"
 #  if ! defined(ULONG_MAX)
 #    error Compiler did not define ULONG_MAX for us
diff --git a/contrib/expat/lib/libexpat.map.in b/contrib/expat/lib/libexpat.map.in
index 52e59ed3d931..71a6758fd746 100644
--- a/contrib/expat/lib/libexpat.map.in
+++ b/contrib/expat/lib/libexpat.map.in
@@ -117,3 +117,8 @@ LIBEXPAT_2.7.2 {
 @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerActivationThreshold;
 @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerMaximumAmplification;
 } LIBEXPAT_2.6.0;
+
+LIBEXPAT_2.8.0 {
+ global:
+  XML_SetHashSalt16Bytes;
+} LIBEXPAT_2.7.2;
diff --git a/contrib/expat/lib/random_arc4random.c b/contrib/expat/lib/random_arc4random.c
new file mode 100644
index 000000000000..243fbbc82fda
--- /dev/null
+++ b/contrib/expat/lib/random_arc4random.c
@@ -0,0 +1,56 @@
+/*
+                            __  __            _
+                         ___\ \/ /_ __   __ _| |_
+                        / _ \\  /| '_ \ / _` | __|
+                       |  __//  \| |_) | (_| | |_
+                        \___/_/\_\ .__/ \__,_|\__|
+                                 |_| XML parser
+
+   Copyright (c) 2017-2026 Sebastian Pipping <sebastian@pipping.org>
+   Copyright (c) 2026      Matthew Fernandez <matthew.fernandez@gmail.com>
+   Licensed under the MIT license:
+
+   Permission is  hereby granted,  free of charge,  to any  person obtaining
+   a  copy  of  this  software   and  associated  documentation  files  (the
+   "Software"),  to  deal in  the  Software  without restriction,  including
+   without  limitation the  rights  to use,  copy,  modify, merge,  publish,
+   distribute, sublicense, and/or sell copies of the Software, and to permit
+   persons  to whom  the Software  is  furnished to  do so,  subject to  the
+   following conditions:
+
+   The above copyright  notice and this permission notice  shall be included
+   in all copies or substantial portions of the Software.
+
+   THE  SOFTWARE  IS  PROVIDED  "AS  IS",  WITHOUT  WARRANTY  OF  ANY  KIND,
+   EXPRESS  OR IMPLIED,  INCLUDING  BUT  NOT LIMITED  TO  THE WARRANTIES  OF
+   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+   NO EVENT SHALL THE AUTHORS OR  COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+   DAMAGES OR  OTHER LIABILITY, WHETHER  IN AN  ACTION OF CONTRACT,  TORT OR
+   OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+   USE OR OTHER DEALINGS IN THE SOFTWARE.
+*/
+
+#include "random_arc4random.h"
+
+#if ! defined(_DEFAULT_SOURCE)
+#  define _DEFAULT_SOURCE 1 /* for glibc */
+#endif
+
+#include <stdint.h> // for uint32_t
+#include <stdlib.h> // for arc4random
*** 2045 LINES SKIPPED ***