Skip to content

chore(deps): bump lxml from 6.0.2 to 6.1.1#1100

Merged
canihavesomecoffee merged 1 commit into
masterfrom
dependabot/pip/lxml-6.1.0
May 31, 2026
Merged

chore(deps): bump lxml from 6.0.2 to 6.1.1#1100
canihavesomecoffee merged 1 commit into
masterfrom
dependabot/pip/lxml-6.1.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026
edited
Loading

Bumps lxml from 6.0.2 to 6.1.1.

Changelog

Sourced from lxml's changelog.

6.1.1 (2026-05-18)

Bugs fixed

6.1.0 (2026-04-17)

This release fixes a possible external entity injection (XXE) vulnerability in iterparse() and the ETCompatXMLParser.

Features added

  • GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes in lxml.html.defs. This allows lxml_html_clean to pass them through. Patch by oomsveta.

  • The default chunk size for reading from file-likes in iterparse() is now configurable with a new chunk_size argument.

Bugs fixed

  • LP#2146291: The resolve_entities option was still set to True for iterparse and ETCompatXMLParser, allowing for external entity injection (XXE) when using these parsers without setting this option explicitly. The default was now changed to 'internal' only (as for the normal XML and HTML parsers since lxml 5.0). Issue found by Sihao Qiu as CVE-2026-41066.

6.0.4 (2026-04-12)

Bugs fixed

  • LP#2148019: Spurious MemoryError during namespace cleanup.

... (truncated)

Commits
  • b4a4c59 Build: Fix build in Py3.8.
  • a116dcb Fix typo: type annotions -> type annotations in PEP 560 comments (GH-504)
  • 7287a75 Prepare release of 6.1.1.
  • 5927a6d Add missing "xlink:href" to the known HTML link attributes.
  • 23efeb4 Build: Fix build in Py3.8.
  • 2c0563b Build: Add bug patch for libxslt 1.1.43 and apply it during the static librar...
  • 8a35fcc Fix doctest in PyPy3.9.
  • 43722f4 Update changelog.
  • 8747040 Name version of option change in docstring.
  • 6c36e6c Fix pypistats URL in download statistics script.
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Apr 20, 2026
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Apr 20, 2026
@dependabot dependabot Bot mentioned this pull request Apr 20, 2026
Closed
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 20, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@canihavesomecoffee
Copy link
Copy Markdown
Member

canihavesomecoffee commented May 31, 2026

@dependabot rebase

@dependabot
chore(deps): bump lxml from 6.0.2 to 6.1.1
32827c1 
Bumps [lxml](https://github.com/lxml/lxml) from 6.0.2 to 6.1.1.
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-6.0.2...lxml-6.1.1)

---
updated-dependencies:
- dependency-name: lxml
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump lxml from 6.0.2 to 6.1.0 chore(deps): bump lxml from 6.0.2 to 6.1.1 May 31, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/lxml-6.1.0 branch from 88f178f to 32827c1 Compare May 31, 2026 07:46
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 31, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@canihavesomecoffee canihavesomecoffee merged commit a93359b into master May 31, 2026
6 checks passed
@dependabot dependabot Bot deleted the dependabot/pip/lxml-6.1.0 branch May 31, 2026 07:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@canihavesomecoffee canihavesomecoffee canihavesomecoffee approved these changes

@thealphadollar thealphadollar Awaiting requested review from thealphadollar thealphadollar is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@canihavesomecoffee