Skip to content

Update lxml to 4.9.2 #252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update lxml to 4.9.2 #252

wants to merge 1 commit into from

Conversation

@pyup-bot
Copy link
Contributor

@pyup-bot pyup-bot commented Dec 14, 2022

This PR updates lxml from 4.6.2 to 4.9.2.

Changelog

4.9.2

==================

Bugs fixed
----------

* CVE-2022-2309: A Bug in libxml2 2.9.1[0-4] could let namespace declarations
from a failed parser run leak into later parser runs.  This bug was worked around
in lxml and resolved in libxml2 2.10.0.
https://gitlab.gnome.org/GNOME/libxml2/-/issues/378

Other changes
-------------

* LP1981760: ``Element.attrib`` now registers as ``collections.abc.MutableMapping``.

* lxml now has a static build setup for macOS on ARM64 machines (not used for building wheels).
Patch by Quentin Leffray.

4.9.1

==================

Bugs fixed
----------

* A crash was resolved when using ``iterwalk()`` (or ``canonicalize()``)
after parsing certain incorrect input.  Note that ``iterwalk()`` can crash
on *valid* input parsed with the same parser *after* failing to parse the
incorrect input.

4.9.0

==================

Bugs fixed
----------

* GH341: The mixin inheritance order in ``lxml.html`` was corrected.
Patch by xmo-odoo.

Other changes
-------------

* Built with Cython 0.29.30 to adapt to changes in Python 3.11 and 3.12.

* Wheels include zlib 1.2.12, libxml2 2.9.14 and libxslt 1.1.35
(libxml2 2.9.12+ and libxslt 1.1.34 on Windows).

* GH343: Windows-AArch64 build support in Visual Studio.
Patch by Steve Dower.

4.8.0

==================

Features added
--------------

* GH337: Path-like objects are now supported throughout the API instead of just strings.
Patch by Henning Janssen.

* The ``ElementMaker`` now supports ``QName`` values as tags, which always override
the default namespace of the factory.

Bugs fixed
----------

* GH338: In lxml.objectify, the XSI float annotation "nan" and "inf" were spelled in
lower case, whereas XML Schema datatypes define them as "NaN" and "INF" respectively.
Patch by Tobias Deiminger.

Other changes
-------------

* Built with Cython 0.29.28.

4.7.1

==================

Features added
--------------

* Chunked Unicode string parsing via ``parser.feed()`` now encodes the input data
to the native UTF-8 encoding directly, instead of going through ``Py_UNICODE`` /
``wchar_t`` encoding first, which previously required duplicate recoding in most cases.

Bugs fixed
----------

* The standard namespace prefixes were mishandled during "C14N2" serialisation on Python 3.
See https://mail.python.org/archives/list/lxmlpython.org/thread/6ZFBHFOVHOS5GFDOAMPCT6HM5HZPWQ4Q/

* ``lxml.objectify`` previously accepted non-XML numbers with underscores (like "1_000")
as integers or float values in Python 3.6 and later. It now adheres to the number
format of the XML spec again.

* LP1939031: Static wheels of lxml now contain the header files of zlib and libiconv
(in addition to the already provided headers of libxml2/libxslt/libexslt).

Other changes
-------------

* Wheels include libxml2 2.9.12+ and libxslt 1.1.34 (also on Windows).

4.7.0

==================

* Release retracted due to missing files in lxml/includes/.

4.6.5

==================

Bugs fixed
----------

* A vulnerability (GHSL-2021-1038) in the HTML cleaner allowed sneaking script
content through SVG images (CVE-2021-43818).

* A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed sneaking script
content through CSS imports and other crafted constructs (CVE-2021-43818).

4.6.4

==================

Features added
--------------

* GH317: A new property ``system_url`` was added to DTD entities.
Patch by Thirdegree.

* GH314: The ``STATIC_*`` variables in ``setup.py`` can now be passed via env vars.
Patch by Isaac Jurado.

4.6.3

==================

Bugs fixed
----------

* A vulnerability (CVE-2021-28957) was discovered in the HTML Cleaner by Kevin Chung,
which allowed JavaScript to pass through.  The cleaner now removes the HTML5
``formaction`` attribute.
Links

@pyup-bot pyup-bot mentioned this pull request Dec 14, 2022
Closed
@codecov
Copy link

codecov bot commented Dec 14, 2022

Codecov Report

Merging #252 (97ad6e1) into master (2060130) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #252   +/-   ##
=======================================
  Coverage   98.06%   98.06%           
=======================================
  Files          27       27           
  Lines        1293     1293           
=======================================
  Hits         1268     1268           
  Misses         25       25

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pyup-bot