Skip to content

chore(deps): bump lxml from 5.1.0 to 6.1.0#310

Merged
mlissner merged 1 commit into
mainfrom
dependabot/uv/lxml-6.1.0
Jun 22, 2026
Merged

chore(deps): bump lxml from 5.1.0 to 6.1.0#310
mlissner merged 1 commit into
mainfrom
dependabot/uv/lxml-6.1.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps lxml from 5.1.0 to 6.1.0.

Release notes

Sourced from lxml's releases.

lxml-6.1.0

No release notes provided.

lxml-6.0.4

No release notes provided.

lxml-6.0.3

No release notes provided.

lxml-6.0.2

No release notes provided.

lxml-6.0.1

No release notes provided.

lxml-6.0.0

No release notes provided.

lxml-5.4.0

5.4.0 (2025-04-22)

Bugs fixed

  • LP#2107279: Binary wheels use libxml2 2.13.8 and libxslt 1.1.43 to resolve several CVEs. (Binary wheels for Windows continue to use a patched libxml2 2.11.9 and libxslt 1.1.39.) Issue found by Anatoly Katyushin, see https://bugs.launchpad.net/lxml/+bug/2107279

lxml-5.3.2

No release notes provided.

lxml-5.3.1

No release notes provided.

lxml-5.3.0

No release notes provided.

lxml-5.2.2

5.2.2 (2024-05-12)

Bugs fixed

  • GH#417: The test_feed_parser test could fail if lxml_html_clean was not installed. It is now skipped in that case.

  • LP#2059910: The minimum CPU architecture for the Linux x86 binary wheels was set back to "core2", without SSE 4.2.

... (truncated)

Changelog

Sourced from lxml's changelog.

6.1.0 (2026-04-17)

This release fixes a possible external entity injection (XXE) vulnerability in iterparse() and the ETCompatXMLParser.

Features added

  • GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes in lxml.html.defs. This allows lxml_html_clean to pass them through. Patch by oomsveta.

  • The default chunk size for reading from file-likes in iterparse() is now configurable with a new chunk_size argument.

Bugs fixed

  • LP#2146291: The resolve_entities option was still set to True for iterparse and ETCompatXMLParser, allowing for external entity injection (XXE) when using these parsers without setting this option explicitly. The default was now changed to 'internal' only (as for the normal XML and HTML parsers since lxml 5.0). Issue found by Sihao Qiu as CVE-2026-41066.

6.0.4 (2026-04-12)

Bugs fixed

  • LP#2148019: Spurious MemoryError during namespace cleanup.

6.0.3 (2026-04-09)

Bugs fixed

  • Several out of memory error cases now raise MemoryError that were not handled before.

  • Slicing with large step values (outside of +/- sys.maxsize) could trigger undefined C behaviour.

  • LP#2125399: Some failing tests were fixed or disabled in PyPy.

  • LP#2138421: Memory leak in error cases when setting the public_id or system_url of a document.

... (truncated)

Commits
  • 43722f4 Update changelog.
  • 8747040 Name version of option change in docstring.
  • 6c36e6c Fix pypistats URL in download statistics script.
  • c7d76d6 Change security policy to point to Github security advisories.
  • 378ccf8 Update project income report.
  • 315270b Docs: Reduce TOC depth of package pages and move module contents first.
  • 6dbba7f Docs: Show current year in copyright line.
  • e4385bf Update project income report.
  • 5bed1e1 Validate file hashes in release download script.
  • c13ee10 Prepare release of 6.1.0.
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 22, 2026

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Major version bump for lxml (5.x → 6.x); the breaking changes (iterparse/ETCompatXMLParser entity-resolution defaults) don't touch the APIs used here (lxml.html.fromstring, lxml.etree), but a human should confirm CI is green before merging.

Extended reasoning...

Overview\nThis is a Dependabot dependency bump for lxml from 5.1.0 to 6.1.0, modifying only uv.lock (revision also bumped 2 → 3). The pyproject.toml constraint (lxml>=4.6.3) is unchanged and already permits 6.x. Codebase usage is limited to lxml.html.fromstring in eyecite/clean.py and from lxml import etree in eyecite/utils.py.\n\n### Security risks\nNo new security surface introduced by this PR itself. lxml 6.1.0 actually fixes CVE-2026-41066 (XXE in iterparse/ETCompatXMLParser via resolve_entities default), though this project doesn't use those parsers, so the security upside is incidental rather than load-bearing here.\n\n### Level of scrutiny\nLow-to-moderate. Lock-file-only Dependabot updates are usually trivial to approve, but this is a major version bump for an XML parsing library that the project uses in its HTML cleanup and citation extraction paths. Major version bumps warrant a quick CI-pass confirmation by a human even when the API surfaces touched look stable.\n\n### Other factors\nNo bugs were flagged by the bug hunting system. The lxml 6.x release notes don't list breaking changes that affect html.fromstring or the etree import surface used here. CI should catch any binary-wheel or behavioral regressions. Deferring rather than auto-approving because the major version jump combined with use in core parsing code is exactly the kind of low-probability-but-nonzero-risk change that benefits from a human glance at the CI status before merge.

@dependabot
dependabot Bot force-pushed the dependabot/uv/lxml-6.1.0 branch 2 times, most recently from f2a9c5c to 5b146ff Compare June 22, 2026 18:57
Bumps [lxml](https://github.com/lxml/lxml) from 5.1.0 to 6.1.0.
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-5.1.0...lxml-6.1.0)

---
updated-dependencies:
- dependency-name: lxml
  dependency-version: 6.1.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/uv/lxml-6.1.0 branch from 5b146ff to 199bfb9 Compare June 22, 2026 19:05
@mlissner
mlissner merged commit 01c1342 into main Jun 22, 2026
6 of 8 checks passed
@mlissner
mlissner deleted the dependabot/uv/lxml-6.1.0 branch June 22, 2026 19:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant