Skip to content

[Dependabot]: Update lxml requirement from <7.0,>=6.1 to >=6.1.1,<7.0#91

Open
dependabot[bot] wants to merge 2 commits into
devfrom
dependabot/pip/dev/lxml-gte-6.1.0-and-lt-7.0
Open

[Dependabot]: Update lxml requirement from <7.0,>=6.1 to >=6.1.1,<7.0#91
dependabot[bot] wants to merge 2 commits into
devfrom
dependabot/pip/dev/lxml-gte-6.1.0-and-lt-7.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Copy link
Copy Markdown
Contributor

Updates the requirements on lxml to permit the latest version.

Changelog

Sourced from lxml's changelog.

6.1.1 (2026-05-18)

Bugs fixed

6.1.0 (2026-04-17)

This release fixes a possible external entity injection (XXE) vulnerability in iterparse() and the ETCompatXMLParser.

Features added

  • GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes in lxml.html.defs. This allows lxml_html_clean to pass them through. Patch by oomsveta.

  • The default chunk size for reading from file-likes in iterparse() is now configurable with a new chunk_size argument.

Bugs fixed

  • LP#2146291: The resolve_entities option was still set to True for iterparse and ETCompatXMLParser, allowing for external entity injection (XXE) when using these parsers without setting this option explicitly. The default was now changed to 'internal' only (as for the normal XML and HTML parsers since lxml 5.0). Issue found by Sihao Qiu as CVE-2026-41066.

6.0.4 (2026-04-12)

Bugs fixed

  • LP#2148019: Spurious MemoryError during namespace cleanup.

... (truncated)

Commits
  • b4a4c59 Build: Fix build in Py3.8.
  • a116dcb Fix typo: type annotions -> type annotations in PEP 560 comments (GH-504)
  • 7287a75 Prepare release of 6.1.1.
  • 5927a6d Add missing "xlink:href" to the known HTML link attributes.
  • 23efeb4 Build: Fix build in Py3.8.
  • 2c0563b Build: Add bug patch for libxslt 1.1.43 and apply it during the static librar...
  • 8a35fcc Fix doctest in PyPy3.9.
  • See full diff in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot requested a review from Paebbels as a code owner April 27, 2026 22:14
@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric Results
Complexity 0
Duplication 0

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@Paebbels Paebbels force-pushed the dev branch 6 times, most recently from 146df87 to 2b86090 Compare May 15, 2026 23:42
@Paebbels

Paebbels commented Jul 5, 2026

Copy link
Copy Markdown
Member

@dependabot recreate

@dependabot dependabot Bot changed the title [Dependabot]: Update lxml requirement from <7.0,>=5.4 to >=6.1.0,<7.0 [Dependabot]: Update lxml requirement from <7.0,>=6.1 to >=6.1.1,<7.0 Jul 5, 2026
Updates the requirements on [lxml](https://github.com/lxml/lxml) to permit the latest version.
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-6.1.0...lxml-6.1.1)

---
updated-dependencies:
- dependency-name: lxml
  dependency-version: 6.1.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/dev/lxml-gte-6.1.0-and-lt-7.0 branch from 257dbce to 8d2b5fd Compare July 5, 2026 15:18
@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

A newer version of lxml exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant