yeah seriously, I was looking at this like "I remember patching and documenting XXE bugs in FreeBSD packages like 10 years ago, how is this still a thing? Shouldn't everything be hardened against this by default because of all the SOAP exploits everyone was screaming about around 2010?"

This design by committee shit is inexcusable.

Also, personally, I think it's inexcusable to leave libraries vulnerable by default because of being afraid of breaking backwards compatibility, which I assume is the reasoning here.
