Migrating from ply library

[Jungorend]

Currently rule-engine uses ply as a dependency. According to its README, as of December of 2025, it will no longer be updated in any capacity.

A vulnerability was also recently discovered in sly that allows for remote code execution:
CVE-2025-56005

While rule-engine doesn't seem to use the offending parameter (pickle in the yacc function) and so is not currently vulnerable, it may be worth moving to a parser/lexer which is actively maintained in case of other vulnerabilities being discovered.

[zeroSteiner]

The last time I vaguely looked into migrating away from Ply led me to believe it would be a large effort. The parser of the project is just about the most complicated component. I just can't justify the investment of time to make this change because something might happen in a project that I'm not really relying on as much these days. The attack surface of Ply isn't that large, so I'm willing to take that chance. It'll become a problem when I need to shift the supported versions of Python, but I haven't even released a major version bump to drop 3.6, 3.7 and 3.8.

If someone else would like to look into this, I'd be happy to help with testing and merge the changes but to set realistic expectations, I'm not sinking my personal time into a massive rewrite at this time.