Comment # 2 on bug 1232608 from Dave Plater

@kill_it
Konstantin this CVE refers to the VST addon, there's no mention of xpat in the
audacity sources.
find . -iname "*xpat*"
./cmake-proxies/cmake-modules/dependencies/expat.cmake
./vst3sdk-3.7.12_build_20/vstgui4/vstgui/uidescription/expat
./vst3sdk-3.7.12_build_20/vstgui4/vstgui/uidescription/expat/expat.h
./vst3sdk-3.7.12_build_20/vstgui4/vstgui/uidescription/expat/expat_external.h

Can you fix it or should we remove it from the build? Either an updated xpat
without the vulnerability or a patch should do.