chore(deps): bump lxml from 5.1.0 to 6.1.0#310
Merged
Conversation
There was a problem hiding this comment.
Major version bump for lxml (5.x → 6.x); the breaking changes (iterparse/ETCompatXMLParser entity-resolution defaults) don't touch the APIs used here (lxml.html.fromstring, lxml.etree), but a human should confirm CI is green before merging.
Extended reasoning...
Overview\nThis is a Dependabot dependency bump for lxml from 5.1.0 to 6.1.0, modifying only uv.lock (revision also bumped 2 → 3). The pyproject.toml constraint (lxml>=4.6.3) is unchanged and already permits 6.x. Codebase usage is limited to lxml.html.fromstring in eyecite/clean.py and from lxml import etree in eyecite/utils.py.\n\n### Security risks\nNo new security surface introduced by this PR itself. lxml 6.1.0 actually fixes CVE-2026-41066 (XXE in iterparse/ETCompatXMLParser via resolve_entities default), though this project doesn't use those parsers, so the security upside is incidental rather than load-bearing here.\n\n### Level of scrutiny\nLow-to-moderate. Lock-file-only Dependabot updates are usually trivial to approve, but this is a major version bump for an XML parsing library that the project uses in its HTML cleanup and citation extraction paths. Major version bumps warrant a quick CI-pass confirmation by a human even when the API surfaces touched look stable.\n\n### Other factors\nNo bugs were flagged by the bug hunting system. The lxml 6.x release notes don't list breaking changes that affect html.fromstring or the etree import surface used here. CI should catch any binary-wheel or behavioral regressions. Deferring rather than auto-approving because the major version jump combined with use in core parsing code is exactly the kind of low-probability-but-nonzero-risk change that benefits from a human glance at the CI status before merge.
dependabot
Bot
force-pushed
the
dependabot/uv/lxml-6.1.0
branch
2 times, most recently
from
June 22, 2026 18:57
f2a9c5c to
5b146ff
Compare
Bumps [lxml](https://github.com/lxml/lxml) from 5.1.0 to 6.1.0. - [Release notes](https://github.com/lxml/lxml/releases) - [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt) - [Commits](lxml/lxml@lxml-5.1.0...lxml-6.1.0) --- updated-dependencies: - dependency-name: lxml dependency-version: 6.1.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/uv/lxml-6.1.0
branch
from
June 22, 2026 19:05
5b146ff to
199bfb9
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps lxml from 5.1.0 to 6.1.0.
Release notes
Sourced from lxml's releases.
... (truncated)
Changelog
Sourced from lxml's changelog.
... (truncated)
Commits
43722f4Update changelog.8747040Name version of option change in docstring.6c36e6cFix pypistats URL in download statistics script.c7d76d6Change security policy to point to Github security advisories.378ccf8Update project income report.315270bDocs: Reduce TOC depth of package pages and move module contents first.6dbba7fDocs: Show current year in copyright line.e4385bfUpdate project income report.5bed1e1Validate file hashes in release download script.c13ee10Prepare release of 6.1.0.