We added XML (Akoma Ntoso) support for our REST PUT endpoint in #873 but there's some confusion over whether we actually need defusedxml or not, to guard against certain types of attacks. See e.g. #868 (comment) for more details.