@marcprux
Contributor

@marcprux marcprux commented Jan 6, 2026

Following on from a discussion at swiftlang/swift-docker#488 (comment), this PR updates the following dependencies for main, 6.3, next, and rebranch:

  • libcurl from 8.9.1 (Jul 31, 2024) to 8.17.0 (Nov 5, 2025)
  • libxml2 from 2.11.5 (Feb 4, 2024) to 2.15.1 (Oct 16, 2025)

Given that both of these libraries process untrusted input, keeping up with the latest releases is probably a good idea. libxml2, in particular, has had some serious CVEs addressed since 8.9.1.

@compnerd, you did the last bump in #75717 and #75868, where you did Windows at the same time. Should I tack the Windows update onto this PR or do it separately?

@marcprux
Contributor Author

marcprux commented Jan 6, 2026

CC: @etcwilde

@marcprux
Contributor Author

marcprux commented Jan 6, 2026

@swift-ci please test

@MaxDesiatov changed the title from "[utils] Update dependencies libcurl to 8.17.0 and libxml2 to 2.15.1" to "update-checkout: bump libcurl to 8.17.0 and libxml2 to 2.15.1" on Jan 6, 2026
@marcprux
Contributor Author

marcprux commented Jan 6, 2026

What's up with this wasm build error on Linux I wonder?

13:40:50  FAILED: CMakeFiles/LibXml2.dir/xmlIO.c.obj 
13:40:50  /home/build-user/swift-nightly-install/usr/bin/clang --target=wasm32-unknown-wasip1 --sysroot=/home/build-user/build/buildbot_linux/wasi-sysroot/wasm32-wasip1  -I/home/build-user/build/buildbot_linux/wasmswiftsdk-linux-x86_64/libxml2/wasm32-unknown-wasip1 -I/home/build-user/libxml2/include -resource-dir /home/build-user/build/buildbot_linux/wasmswiftsdk-linux-x86_64/Toolchains/wasm32-unknown-wasip1/usr/lib/swift_static/clang -pedantic -Wall -Wextra -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wno-format-extra-args -Wno-array-bounds -O3 -DNDEBUG -std=gnu11 -fPIC -MD -MT CMakeFiles/LibXml2.dir/xmlIO.c.obj -MF CMakeFiles/LibXml2.dir/xmlIO.c.obj.d -o CMakeFiles/LibXml2.dir/xmlIO.c.obj -c /home/build-user/libxml2/xmlIO.c
13:40:50  /home/build-user/libxml2/xmlIO.c:1230:12: error: call to undeclared function 'dup'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
13:40:50   1230 |     copy = dup(fd);
13:40:50        |            ^

Member

@compnerd compnerd left a comment

Windows should be done at the same time; the libxml2 update is invalid - that breaks ABI and is not compatible with Foundation. I could not get Foundation to work with the new ABI as the behaviour of some of the parsing changed, see swiftlang/swift-corelibs-foundation#5082 for some of the initial work to support that.

@marcprux
Contributor Author

marcprux commented Jan 7, 2026

> the libxml2 update is invalid - that breaks ABI and is not compatible with Foundation

I'm confused — we are building libxml2 from source and only linking to it from FoundationXML. Why is ABI compatibility a concern? Do you mean that the API changed in some incompatible way? If so, then that is indeed a problem, but one that we will need to address eventually if we ever want to move forward with libxml2 updates (and the attendant security fixes).

Regardless, I don't think that is the source of the error I cited, which is a build failure with libxml2 itself.

In any case, this might be a bigger task than I had anticipated, so perhaps I should split up the libcurl and libxml2 updates into two separate PRs (especially since I am mostly interested in the libcurl upgrade for the SSDK4A)…

@compnerd
Member

compnerd commented Jan 7, 2026

The semantics of the API have changed, not the shape of the API. So while source compatible (i.e. the code will build), it behaves differently. I was clumping it under ABI compatibility, but, yes, it could be deemed an API break.

Splitting up the updates makes sense to me - and is generally better IMO.

@marcprux changed the title from "update-checkout: bump libcurl to 8.17.0 and libxml2 to 2.15.1" to "update-checkout: bump libcurl to 8.17.0" on Jan 7, 2026
@marcprux
Contributor Author

marcprux commented Jan 7, 2026

OK, scaling back my ambitions and making this just bump libcurl.

@swift-ci please test

@marcprux
Contributor Author

marcprux commented Jan 7, 2026

The libcurl version seems to no longer be hardcoded in build.ps1. Do you know where it is coming from, @compnerd? Is it possible that it is getting it from update-checkout-config.json (in which case we'd only need this one change)?

swift/utils/build.ps1

Lines 2646 to 2649 in 0709a78

Build-CMakeProject `
-Src $SourceCache\curl `
-Bin "$BinaryCache\$($Platform.Triple)\curl" `
-InstallTo "$BinaryCache\$($Platform.Triple)\usr" `

@marcprux marcprux requested a review from compnerd January 7, 2026 16:09
Member

@compnerd compnerd left a comment

Yeah, updating update-checkout-config.json should update the version that Windows uses to build as well.

@marcprux
Contributor Author

marcprux commented Jan 8, 2026

@swift-ci please test macOS platform

@marcprux marcprux marked this pull request as ready for review January 8, 2026 19:12
@marcprux marcprux requested a review from shahmishal as a code owner January 8, 2026 19:12
@marcprux
Contributor Author

CC: @swiftlang/android-workgroup (as mentioned at the meeting today)

@marcprux marcprux moved this to In Progress in Swift on Android Jan 14, 2026
@finagolfin
Member

Merging since this version is only used on Windows and the Android SDK, for which all the relevant parties have signed off, whereas the static linux SDK downloads curl separately.

@finagolfin finagolfin merged commit 1eaa52e into swiftlang:main Jan 15, 2026
5 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Swift on Android Jan 15, 2026
compnerd added a commit to compnerd/apple-swift that referenced this pull request Jan 24, 2026
This reverts commit 1eaa52e.

build.ps1 was not synchronised with the CURL configuration changes. This
silently changes what is exactly specified to build (options were
renamed/replaced/removed/added).
rintaro added a commit that referenced this pull request Jan 24, 2026
Revert "update-checkout: bump libcurl to 8.17.0 (#86321)"
@rintaro
Member

rintaro commented Jan 24, 2026

@marcprux FYI we reverted this in #86762 🙏

@marcprux
Contributor Author

I hadn't anticipated that this would cause such a large issue. Was it resulting in test failures somewhere that I hadn't seen?

I do think it is important to move forward on modernizing these dependencies. What might we need to do to lay the groundwork?

@finagolfin
Member

Here's the kind of failure it was causing on the Windows CI yesterday, alongside that pull Saleem added to change the flags passed to Curl. Looks like bumping the version alone here isn't enough; work will also need to be done to adjust the Curl build flags passed in for Windows and Android, the only two platforms that use this Curl version from update-checkout.
