diff --git a/backport-lib-Relax-fix-to-CVE-2022-25236-with-regard-to-RFC-3.patch b/backport-lib-Relax-fix-to-CVE-2022-25236-with-regard-to-RFC-3.patch
deleted file mode 100644
index c6ff5a5..0000000
--- a/backport-lib-Relax-fix-to-CVE-2022-25236-with-regard-to-RFC-3.patch
+++ /dev/null
@@ -1,170 +0,0 @@
-From 2ba6c76fca21397959145e18c5ef376201209020 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping
-Date: Sun, 27 Feb 2022 16:58:08 +0100
-Subject: [PATCH] lib: Relax fix to CVE-2022-25236 with regard to RFC
- 3986 URI characters
-
----
- lib/xmlparse.c | 139 ++++++++++++++++++++++++++++++++++++++++++++++++---
- 1 file changed, 131 insertions(+), 8 deletions(-)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 59da19c..6fe2cf1 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -3705,6 +3705,117 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
- return XML_ERROR_NONE;
- }
-
-+static XML_Bool
-+is_rfc3986_uri_char(XML_Char candidate) {
-+ // For the RFC 3986 ANBF grammar see
-+ // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
-+
-+ switch (candidate) {
-+ // From rule "ALPHA" (uppercase half)
-+ case 'A':
-+ case 'B':
-+ case 'C':
-+ case 'D':
-+ case 'E':
-+ case 'F':
-+ case 'G':
-+ case 'H':
-+ case 'I':
-+ case 'J':
-+ case 'K':
-+ case 'L':
-+ case 'M':
-+ case 'N':
-+ case 'O':
-+ case 'P':
-+ case 'Q':
-+ case 'R':
-+ case 'S':
-+ case 'T':
-+ case 'U':
-+ case 'V':
-+ case 'W':
-+ case 'X':
-+ case 'Y':
-+ case 'Z':
-+
-+ // From rule "ALPHA" (lowercase half)
-+ case 'a':
-+ case 'b':
-+ case 'c':
-+ case 'd':
-+ case 'e':
-+ case 'f':
-+ case 'g':
-+ case 'h':
-+ case 'i':
-+ case 'j':
-+ case 'k':
-+ case 'l':
-+ case 'm':
-+ case 'n':
-+ case 'o':
-+ case 'p':
-+ case 'q':
-+ case 'r':
-+ case 's':
-+ case 't':
-+ case 'u':
-+ case 'v':
-+ case 'w':
-+ case 'x':
-+ case 'y':
-+ case 'z':
-+
-+ // From rule "DIGIT"
-+ case '0':
-+ case '1':
-+ case '2':
-+ case '3':
-+ case '4':
-+ case '5':
-+ case '6':
-+ case '7':
-+ case '8':
-+ case '9':
-+
-+ // From rule "pct-encoded"
-+ case '%':
-+
-+ // From rule "unreserved"
-+ case '-':
-+ case '.':
-+ case '_':
-+ case '~':
-+
-+ // From rule "gen-delims"
-+ case ':':
-+ case '/':
-+ case '?':
-+ case '#':
-+ case '[':
-+ case ']':
-+ case '@':
-+
-+ // From rule "sub-delims"
-+ case '!':
-+ case '$':
-+ case '&':
-+ case '\'':
-+ case '(':
-+ case ')':
-+ case '*':
-+ case '+':
-+ case ',':
-+ case ';':
-+ case '=':
-+ return XML_TRUE;
-+
-+ default:
-+ return XML_FALSE;
-+ }
-+}
-+
- /* addBinding() overwrites the value of prefix->binding without checking.
- Therefore one must keep track of the old value outside of addBinding().
- */
-@@ -3763,14 +3874,26 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
- && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
- isXMLNS = XML_FALSE;
-
-- // NOTE: While Expat does not validate namespace URIs against RFC 3986,
-- // we have to at least make sure that the XML processor on top of
-- // Expat (that is splitting tag names by namespace separator into
-- // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
-- // by an attacker putting additional namespace separator characters
-- // into namespace declarations. That would be ambiguous and not to
-- // be expected.
-- if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
-+ // NOTE: While Expat does not validate namespace URIs against RFC 3986
-+ // today (and is not REQUIRED to do so with regard to the XML 1.0
-+ // namespaces specification) we have to at least make sure, that
-+ // the application on top of Expat (that is likely splitting expanded
-+ // element names ("qualified names") of form
-+ // "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces
-+ // in its element handler code) cannot be confused by an attacker
-+ // putting additional namespace separator characters into namespace
-+ // declarations. That would be ambiguous and not to be expected.
-+ //
-+ // While the HTML API docs of function XML_ParserCreateNS have been
-+ // advising against use of a namespace separator character that can
-+ // appear in a URI for >20 years now, some widespread applications
-+ // are using URI characters (':' (colon) in particular) for a
-+ // namespace separator, in practice. To keep these applications
-+ // functional, we only reject namespaces URIs containing the
-+ // application-chosen namespace separator if the chosen separator
-+ // is a non-URI character with regard to RFC 3986.
-+ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)
-+ && ! is_rfc3986_uri_char(uri[len])) {
- return XML_ERROR_SYNTAX;
- }
- }
---
-1.8.3.1
-
diff --git a/backport-tests-Cover-relaxed-fix-to-CVE-2022-25236.patch b/backport-tests-Cover-relaxed-fix-to-CVE-2022-25236.patch
deleted file mode 100644
index d79b37a..0000000
--- a/backport-tests-Cover-relaxed-fix-to-CVE-2022-25236.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From e0f852db1e3b1e6d34922c68a653c3cc4b85361c Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping
-Date: Thu, 3 Mar 2022 17:29:54 +0100
-Subject: [PATCH] tests: Cover relaxed fix to CVE-2022-25236
-
----
- tests/runtests.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/tests/runtests.c b/tests/runtests.c
-index 60da868..712706c 100644
---- a/tests/runtests.c
-+++ b/tests/runtests.c
-@@ -7406,16 +7406,18 @@ START_TEST(test_ns_separator_in_uri) {
- struct test_case {
- enum XML_Status expectedStatus;
- const char *doc;
-+ XML_Char namesep;
- };
- struct test_case cases[] = {
-- {XML_STATUS_OK, ""},
-- {XML_STATUS_ERROR, ""},
-+ {XML_STATUS_OK, "", XCS('\n')},
-+ {XML_STATUS_ERROR, "", XCS('\n')},
-+ {XML_STATUS_OK, "", XCS(':')},
- };
-
- size_t i = 0;
- size_t failCount = 0;
- for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
-- XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
-+ XML_Parser parser = XML_ParserCreateNS(NULL, cases[i].namesep);
- XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
- if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
- /*isFinal*/ XML_TRUE)
---
-1.8.3.1
-
diff --git a/expat-2.4.6.tar.gz b/expat-2.4.6.tar.gz
deleted file mode 100644
index 6b4c850..0000000
Binary files a/expat-2.4.6.tar.gz and /dev/null differ
diff --git a/expat-2.4.8.tar.gz b/expat-2.4.8.tar.gz
new file mode 100644
index 0000000..2227964
Binary files /dev/null and b/expat-2.4.8.tar.gz differ
diff --git a/expat.spec b/expat.spec
index 587f306..20fb3d0 100644
--- a/expat.spec
+++ b/expat.spec
@@ -1,15 +1,12 @@
 %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
 Name: expat
-Version: 2.4.6
-Release: 2
+Version: 2.4.8
+Release: 1
 Summary: An XML parser library
 License: MIT
 URL: https://libexpat.github.io/
 Source0: https://github.com/libexpat/libexpat/releases/download/%{Rversion}/expat-%{version}.tar.gz
-Patch0: backport-lib-Relax-fix-to-CVE-2022-25236-with-regard-to-RFC-3.patch
-Patch1: backport-tests-Cover-relaxed-fix-to-CVE-2022-25236.patch
-
 BuildRequires: sed,autoconf,automake,gcc-c++,libtool,xmlto
 %description
@@ -62,6 +59,9 @@ make check
 %{_mandir}/man1/*
 %changelog
+* Fri Jul 1 2022 panxiaohe - 2.4.8-1
+- update to 2.4.8
+
 * Mon Mar 7 2022 yangzhuangzhuang - 2.4.6-2
 - Relax fix to CVE-2022-25236
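Review bot: The `%changelog` entry added in the second expat.spec hunk, `- update to 2.4.8`, does not record that `Patch0` and `Patch1` (the relaxed CVE-2022-25236 backports) are dropped in the first hunk. Removing them is only safe if the 2.4.8 source already contains the `is_rfc3986_uri_char` check in `addBinding()` and the `':'` separator case in `test_ns_separator_in_uri`; this diff does not show that, and although it is presumably true for a later upstream release, it should be confirmed before merging. I would add a changelog line such as `- remove backport patches for CVE-2022-25236, already included in 2.4.8`. The new `expat-2.4.8.tar.gz` is committed as an opaque binary, so comparing its checksum with the upstream release artifact named by `Source0` is worth doing as part of the review.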