Skip to content

deps: bump lxml from 4.9.3 to 6.0.2#29

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/lxml-6.0.2
Closed

deps: bump lxml from 4.9.3 to 6.0.2#29
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/lxml-6.0.2

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Mar 25, 2026

Bumps lxml from 4.9.3 to 6.0.2.

Release notes

Sourced from lxml's releases.

lxml-6.0.2

No release notes provided.

lxml-6.0.1

No release notes provided.

lxml-6.0.0

No release notes provided.

lxml-5.4.0

5.4.0 (2025-04-22)

Bugs fixed

  • LP#2107279: Binary wheels use libxml2 2.13.8 and libxslt 1.1.43 to resolve several CVEs. (Binary wheels for Windows continue to use a patched libxml2 2.11.9 and libxslt 1.1.39.) Issue found by Anatoly Katyushin, see https://bugs.launchpad.net/lxml/+bug/2107279

lxml-5.3.2

No release notes provided.

lxml-5.3.1

No release notes provided.

lxml-5.3.0

No release notes provided.

lxml-5.2.2

5.2.2 (2024-05-12)

Bugs fixed

  • GH#417: The test_feed_parser test could fail if lxml_html_clean was not installed. It is now skipped in that case.

  • LP#2059910: The minimum CPU architecture for the Linux x86 binary wheels was set back to "core2", without SSE 4.2.

  • If libxml2 uses iconv, the compile time version is available as etree.ICONV_COMPILED_VERSION.

lxml-5.2.1

No release notes provided.

lxml-5.2.0

No release notes provided.

... (truncated)

Changelog

Sourced from lxml's changelog.

6.0.2 (2025-09-21)

Bugs fixed

  • LP#2125278: Compilation with libxml2 2.15.0 failed. Original patch by Xi Ruoyao.

  • Setting decompress=True in the parser had no effect in libxml2 2.15.

  • Binary wheels on Linux and macOS use the library version libxml2 2.14.6. See https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.6

  • Test failures in libxml2 2.15.0 were fixed.

Other changes

  • Binary wheels for Py3.9-3.11 on the riscv64 architecture were added.

  • Error constants were updated to match libxml2 2.15.0.

  • Built using Cython 3.1.4.

6.0.1 (2025-08-22)

Bugs fixed

  • LP#2116333: lxml.sax._getNsTag() could fail with an exception on malformed input.

  • GH#467: Some test adaptations were made for libxml2 2.15. Patch by Nick Wellnhofer.

  • LP2119510, GH#473: A Python compatibility test was fixed for Python 3.14+. Patch by Lumír Balhar.

  • GH#471: Wheels for "riscv64" on recent Python versions were added. Patch by ffgan.

  • GH#469: The wheel build no longer requires the wheel package unconditionally. Patch by Miro Hrončok.

  • Binary wheels use the library version libxml2 2.14.5. See https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.5

  • Windows binary wheels continue to use a security patched library version libxml2 2.11.9.

... (truncated)

Commits
  • 283d02e Build: Minor readability cleanup.
  • 52cf97c Revert "Build: Avoid redundant manylinux2014 builds across newer jobs."
  • a21e474 Build: Avoid redundant manylinux2014 builds across newer jobs.
  • 58d4d2b Build: Upgrade libxml2 to 2.14.6.
  • e5d80da Build: Clean up and simplify target selection and environment setup in pyproj...
  • e913380 Build: Limit optimised wheel builds to AMD64 and Arm64 to save time and resou...
  • d22f6a1 Build: bump actions/setup-python in the github-actions group (GH-479)
  • f8fa76d Build: Prevent redundant branch wheel builds for pull requests.
  • b3e9372 Build: bump pypa/cibuildwheel in the github-actions group (GH-478)
  • a7ec229 Prepare release of lxml 6.0.2.
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
deps: bump lxml from 4.9.3 to 6.0.2
fb60180 
Bumps [lxml](https://github.com/lxml/lxml) from 4.9.3 to 6.0.2.
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-4.9.3...lxml-6.0.2)

---
updated-dependencies:
- dependency-name: lxml
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Mar 25, 2026

Labels

The following labels could not be found: security. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Mar 25, 2026
sebastienrousseau added a commit that referenced this pull request Mar 30, 2026
@sebastienrousseau
deps: update lxml to 6.0.2 and refresh poetry.lock
ae81b56 
Remove upper bound on lxml (>=4.9.3) and run poetry update to pull in
latest compatible versions of all dependencies. All 399 tests pass.

Supersedes #26, #27, #28, #29, #30, #31, #33
@sebastienrousseau
Copy link
Copy Markdown
Owner

sebastienrousseau commented Mar 30, 2026

Superseded by dependency refresh in feat/v0.0.4 (commit ae81b56). All deps updated via poetry update and all 399 tests pass.

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Mar 30, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/pip/lxml-6.0.2 branch March 30, 2026 23:39
@sebastienrousseau sebastienrousseau mentioned this pull request Mar 31, 2026
Merged
11 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sebastienrousseau