should we go for 2.2.5 or 2.2.6? the latter is marked yellow and we'll have to modify its ebuild to build for our architecture...

https://packages.gentoo.org/packages/dev-libs/expat

go with whichever version makes sense for us.  don't look too strongly at the stable/unstable status in Gentoo.

i see, either one has the fixed required and 2.2.6 will probably outdate by the time we uprev again. so let's go with 2.2.5 to be consistent with upstream gentoo.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/c49c38f4d1c8c8baa9f3669c1f87301ed08073d1

commit c49c38f4d1c8c8baa9f3669c1f87301ed08073d1
Author: Xiaochu Liu <xiaochu@chromium.org>
Date: Fri Dec 07 06:06:52 2018

expat: uprev to 2.2.5

Latest upstream version is 2.2.6 while the latest stable is 2.2.5.

BUG= chromium:912356 
TEST=emerge-kefka expat

Change-Id: Ie5b6a49899f57c634c563c0f3c45dd6541c8127c
Reviewed-on: https://chromium-review.googlesource.com/1363346
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Xiaochu Liu <xiaochu@chromium.org>
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[delete] https://crrev.com/0cad4f37d84c1f813d016f9d14b0d57316b66513/dev-libs/expat/expat-2.1.1-r2.ebuild
[delete] https://crrev.com/0cad4f37d84c1f813d016f9d14b0d57316b66513/dev-libs/expat/files/expat-2.1.1-CVE-2015-1283-refix.patch
[delete] https://crrev.com/0cad4f37d84c1f813d016f9d14b0d57316b66513/dev-libs/expat/files/expat-2.1.1-CVE-2016-0718-v2-2-1.patch
[modify] https://crrev.com/c49c38f4d1c8c8baa9f3669c1f87301ed08073d1/dev-libs/expat/Manifest
[modify] https://crrev.com/c49c38f4d1c8c8baa9f3669c1f87301ed08073d1/dev-libs/expat/metadata.xml
[add] https://crrev.com/c49c38f4d1c8c8baa9f3669c1f87301ed08073d1/dev-libs/expat/expat-2.2.5.ebuild
[delete] https://crrev.com/0cad4f37d84c1f813d016f9d14b0d57316b66513/dev-libs/expat/files/expat-2.1.1-CVE-2012-6702-plus-CVE-2016-5300-v1.patch