Contributor

@marcprux marcprux commented Jan 6, 2026

Following on from a discussion at swiftlang/swift-docker#488 (comment), this PR updates the following dependencies for main, 6.3, next, and rebranch:

  • libcurl from 8.9.1 (Jul 31, 2024) to 8.17.0 (Nov 5, 2025)
  • libxml2 from 2.11.5 (Feb 4, 2024) to 2.15.1 (Oct 16, 2025)

Given that both of these libraries process untrusted input, keeping up with the latest releases is probably a good idea. libxml2, in particular, has had some serious CVEs addressed since 8.9.1.

@compnerd, you did the last bump in #75717 and #75868, where you did Windows at the same time. Should I tack the Windows update onto this PR or do it separately?

Contributor Author

marcprux commented Jan 6, 2026

CC: @etcwilde

Contributor Author

marcprux commented Jan 6, 2026

@swift-ci please test

@MaxDesiatov MaxDesiatov changed the title from "[utils] Update dependencies libcurl to 8.17.0 and libxml2 to 2.15.1" to "update-checkout: bump libcurl to 8.17.0 and libxml2 to 2.15.1" Jan 6, 2026
Contributor Author

marcprux commented Jan 6, 2026

What's up with this wasm build error on Linux I wonder?

13:40:50  FAILED: CMakeFiles/LibXml2.dir/xmlIO.c.obj 
13:40:50  /home/build-user/swift-nightly-install/usr/bin/clang --target=wasm32-unknown-wasip1 --sysroot=/home/build-user/build/buildbot_linux/wasi-sysroot/wasm32-wasip1  -I/home/build-user/build/buildbot_linux/wasmswiftsdk-linux-x86_64/libxml2/wasm32-unknown-wasip1 -I/home/build-user/libxml2/include -resource-dir /home/build-user/build/buildbot_linux/wasmswiftsdk-linux-x86_64/Toolchains/wasm32-unknown-wasip1/usr/lib/swift_static/clang -pedantic -Wall -Wextra -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wno-format-extra-args -Wno-array-bounds -O3 -DNDEBUG -std=gnu11 -fPIC -MD -MT CMakeFiles/LibXml2.dir/xmlIO.c.obj -MF CMakeFiles/LibXml2.dir/xmlIO.c.obj.d -o CMakeFiles/LibXml2.dir/xmlIO.c.obj -c /home/build-user/libxml2/xmlIO.c
13:40:50  /home/build-user/libxml2/xmlIO.c:1230:12: error: call to undeclared function 'dup'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
13:40:50   1230 |     copy = dup(fd);
13:40:50        |            ^

Member

@compnerd compnerd left a comment

Windows should be done at the same time; the libxml2 update is invalid - that breaks ABI and is not compatible with Foundation. I could not get Foundation to work with the new ABI as the behaviour of some of the parsing changed, see swiftlang/swift-corelibs-foundation#5082 for some of the initial work to support that.

Contributor Author

marcprux commented Jan 7, 2026

> the libxml2 update is invalid - that breaks ABI and is not compatible with Foundation

I'm confused — we are building libxml2 from source and only linking to it from FoundationXML. Why is ABI compatibility a concern? Do you mean that the API changed in some incompatible way? If so, then that is indeed a problem, but one that we will need to address eventually if we ever want to move forward with libxml2 updates (and the attendant security fixes).

Regardless, I don't think that is the source of the error I cited, which is a build failure with libxml2 itself.

In any case, this might be a bigger task than I had anticipated, so perhaps I should split up the libcurl and libxml2 updates into two separate PRs (especially since I am mostly interested in the libcurl upgrade for the SSDK4A)…

Member

compnerd commented Jan 7, 2026

The semantics of the API have changed, not the shape of the API. So while source compatible (i.e. the code will build), it behaves differently. I was clumping it under ABI compatibility, but, yes, it could be deemed an API break.

Splitting up the updates makes sense to me - and is generally better IMO.

@marcprux marcprux changed the title from "update-checkout: bump libcurl to 8.17.0 and libxml2 to 2.15.1" to "update-checkout: bump libcurl to 8.17.0" Jan 7, 2026
Contributor Author

marcprux commented Jan 7, 2026

OK, scaling back my ambitions and making this just bump libcurl.

@swift-ci please test

Contributor Author

marcprux commented Jan 7, 2026

The libcurl version seems to no longer be hardcoded in build.ps1. Do you know where it is coming from, @compnerd? Is it possible that it is getting it from update-checkout-config.json (in which case we'd only need this one change)?

swift/utils/build.ps1

Lines 2646 to 2649 in 0709a78

Build-CMakeProject `
-Src $SourceCache\curl `
-Bin "$BinaryCache\$($Platform.Triple)\curl" `
-InstallTo "$BinaryCache\$($Platform.Triple)\usr" `

@marcprux marcprux requested a review from compnerd January 7, 2026 16:09
Member

@compnerd compnerd left a comment

Yeah, updating update-checkout-config.json should update the version that Windows uses to build as well.

Contributor Author

marcprux commented Jan 8, 2026

@swift-ci please test macOS platform

@marcprux marcprux marked this pull request as ready for review January 8, 2026 19:12
@marcprux marcprux requested a review from shahmishal as a code owner January 8, 2026 19:12
@marcprux
Contributor Author

CC: @swiftlang/android-workgroup (as mentioned at the meeting today)

@marcprux marcprux moved this to In Progress in Swift on Android Jan 14, 2026
@finagolfin
Member

Merging since this version is only used on Windows and the Android SDK, for which all the relevant parties have signed off, whereas the static linux SDK downloads curl separately.

@finagolfin finagolfin merged commit 1eaa52e into swiftlang:main Jan 15, 2026
5 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Swift on Android Jan 15, 2026