Mend ensures you have the greatest risk reduction ("Recommended Fix"-highlighted in green) by removing as many vulnerabilities as possible. Click to see how we calculate risk reduction.
Release Notes
lxml/lxml (lxml)
### [`v4.9.4`](https://togithub.com/lxml/lxml/blob/HEAD/CHANGES.txt#494-2023-12-19)
[Compare Source](https://togithub.com/lxml/lxml/compare/lxml-4.9.3...lxml-4.9.4)
\==================
## Bugs fixed
- [LP#2046398](https://togithub.com/LP/lxml/issues/2046398): Inserting/replacing an ancestor into a node's children could loop indefinitely.
- [LP#1980767](https://togithub.com/LP/lxml/issues/1980767), [GH#379](https://togithub.com/GH/lxml/issues/379): `TreeBuilder.close()` could fail with a `TypeError` after
parsing incorrect input. Original patch by Enrico Minack.
- [LP#1522052](https://togithub.com/LP/lxml/issues/1522052): A file-system specific test is now optional and should no longer fail
on systems that don't support it.
## Other changes
- Wheels include zlib 1.3, libxml2 2.10.3 and libxslt 1.1.39
(zlib 1.2.12, libxml2 2.10.3 and libxslt 1.1.37 on Windows).
- Built with Cython 0.29.37.
### [`v4.9.3`](https://togithub.com/lxml/lxml/blob/HEAD/CHANGES.txt#493-2023-07-05)
[Compare Source](https://togithub.com/lxml/lxml/compare/lxml-4.9.2...lxml-4.9.3)
\==================
## Bugs fixed
- [LP#2008911](https://togithub.com/LP/lxml/issues/2008911): `lxml.objectify` accepted non-decimal numbers like `²²²` as integers.
- A memory leak in `lxml.html.clean` was resolved by switching to Cython 0.29.34+.
- [GH#348](https://togithub.com/GH/lxml/issues/348): URL checking in the HTML cleaner was improved.
Patch by Tim McCormack.
- [GH#371](https://togithub.com/GH/lxml/issues/371), [GH#373](https://togithub.com/GH/lxml/issues/373): Some regex strings were changed to raw strings to fix Python warnings.
Patches by Jakub Wilk and Anthony Sottile.
## Other changes
- Wheels include zlib 1.2.13, libxml2 2.10.3 and libxslt 1.1.38
(zlib 1.2.12, libxml2 2.10.3 and libxslt 1.1.37 on Windows).
- Built with Cython 0.29.36 to adapt to changes in Python 3.12.
### [`v4.9.2`](https://togithub.com/lxml/lxml/blob/HEAD/CHANGES.txt#492-2022-12-13)
[Compare Source](https://togithub.com/lxml/lxml/compare/lxml-4.9.1...lxml-4.9.2)
\==================
## Bugs fixed
- CVE-2022-2309: A Bug in libxml2 2.9.1\[0-4] could let namespace declarations
from a failed parser run leak into later parser runs. This bug was worked around
in lxml and resolved in libxml2 2.10.0.
https://gitlab.gnome.org/GNOME/libxml2/-/issues/378
## Other changes
- [LP#1981760](https://togithub.com/LP/lxml/issues/1981760): `Element.attrib` now registers as `collections.abc.MutableMapping`.
- lxml now has a static build setup for macOS on ARM64 machines (not used for building wheels).
Patch by Quentin Leffray.
### [`v4.9.1`](https://togithub.com/lxml/lxml/blob/HEAD/CHANGES.txt#491-2022-07-01)
[Compare Source](https://togithub.com/lxml/lxml/compare/lxml-4.9.0...lxml-4.9.1)
\==================
## Bugs fixed
- A crash was resolved when using `iterwalk()` (or `canonicalize()`)
after parsing certain incorrect input. Note that `iterwalk()` can crash
on *valid* input parsed with the same parser *after* failing to parse the
incorrect input.
### [`v4.9.0`](https://togithub.com/lxml/lxml/blob/HEAD/CHANGES.txt#490-2022-06-01)
[Compare Source](https://togithub.com/lxml/lxml/compare/lxml-4.8.0...lxml-4.9.0)
\==================
## Bugs fixed
- [GH#341](https://togithub.com/GH/lxml/issues/341): The mixin inheritance order in `lxml.html` was corrected.
Patch by xmo-odoo.
## Other changes
- Built with Cython 0.29.30 to adapt to changes in Python 3.11 and 3.12.
- Wheels include zlib 1.2.12, libxml2 2.9.14 and libxslt 1.1.35
(libxml2 2.9.12+ and libxslt 1.1.34 on Windows).
- [GH#343](https://togithub.com/GH/lxml/issues/343): Windows-AArch64 build support in Visual Studio.
Patch by Steve Dower.
### [`v4.8.0`](https://togithub.com/lxml/lxml/blob/HEAD/CHANGES.txt#480-2022-02-17)
[Compare Source](https://togithub.com/lxml/lxml/compare/lxml-4.7.1...lxml-4.8.0)
\==================
## Features added
- [GH#337](https://togithub.com/GH/lxml/issues/337): Path-like objects are now supported throughout the API instead of just strings.
Patch by Henning Janssen.
- The `ElementMaker` now supports `QName` values as tags, which always override
the default namespace of the factory.
## Bugs fixed
- [GH#338](https://togithub.com/GH/lxml/issues/338): In lxml.objectify, the XSI float annotation "nan" and "inf" were spelled in
lower case, whereas XML Schema datatypes define them as "NaN" and "INF" respectively.
Patch by Tobias Deiminger.
## Other changes
- Built with Cython 0.29.28.
### [`v4.7.1`](https://togithub.com/lxml/lxml/blob/HEAD/CHANGES.txt#471-2021-12-13)
[Compare Source](https://togithub.com/lxml/lxml/compare/lxml-4.6.5...lxml-4.7.1)
\==================
## Features added
- Chunked Unicode string parsing via `parser.feed()` now encodes the input data
to the native UTF-8 encoding directly, instead of going through `Py_UNICODE` /
`wchar_t` encoding first, which previously required duplicate recoding in most cases.
## Bugs fixed
- The standard namespace prefixes were mishandled during "C14N2" serialisation on Python 3.
See https://mail.python.org/archives/list/lxml@python.org/thread/6ZFBHFOVHOS5GFDOAMPCT6HM5HZPWQ4Q/
- `lxml.objectify` previously accepted non-XML numbers with underscores (like "1\_000")
as integers or float values in Python 3.6 and later. It now adheres to the number
format of the XML spec again.
- [LP#1939031](https://togithub.com/LP/lxml/issues/1939031): Static wheels of lxml now contain the header files of zlib and libiconv
(in addition to the already provided headers of libxml2/libxslt/libexslt).
## Other changes
- Wheels include libxml2 2.9.12+ and libxslt 1.1.34 (also on Windows).
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
==4.6.5->==4.9.4This PR resolves the vulnerabilities described in Issue #5
Version 4.6.5
| Risk ChangeVersion 4.9.4
| Risk ChangeMend ensures you have the greatest risk reduction ("Recommended Fix"-highlighted in green) by removing as many vulnerabilities as possible. Click to see how we calculate risk reduction.
Release Notes
lxml/lxml (lxml)
### [`v4.9.4`](https://togithub.com/lxml/lxml/blob/HEAD/CHANGES.txt#494-2023-12-19) [Compare Source](https://togithub.com/lxml/lxml/compare/lxml-4.9.3...lxml-4.9.4) \================== ## Bugs fixed - [LP#2046398](https://togithub.com/LP/lxml/issues/2046398): Inserting/replacing an ancestor into a node's children could loop indefinitely. - [LP#1980767](https://togithub.com/LP/lxml/issues/1980767), [GH#379](https://togithub.com/GH/lxml/issues/379): `TreeBuilder.close()` could fail with a `TypeError` after parsing incorrect input. Original patch by Enrico Minack. - [LP#1522052](https://togithub.com/LP/lxml/issues/1522052): A file-system specific test is now optional and should no longer fail on systems that don't support it. ## Other changes - Wheels include zlib 1.3, libxml2 2.10.3 and libxslt 1.1.39 (zlib 1.2.12, libxml2 2.10.3 and libxslt 1.1.37 on Windows). - Built with Cython 0.29.37. ### [`v4.9.3`](https://togithub.com/lxml/lxml/blob/HEAD/CHANGES.txt#493-2023-07-05) [Compare Source](https://togithub.com/lxml/lxml/compare/lxml-4.9.2...lxml-4.9.3) \================== ## Bugs fixed - [LP#2008911](https://togithub.com/LP/lxml/issues/2008911): `lxml.objectify` accepted non-decimal numbers like `²²²` as integers. - A memory leak in `lxml.html.clean` was resolved by switching to Cython 0.29.34+. - [GH#348](https://togithub.com/GH/lxml/issues/348): URL checking in the HTML cleaner was improved. Patch by Tim McCormack. - [GH#371](https://togithub.com/GH/lxml/issues/371), [GH#373](https://togithub.com/GH/lxml/issues/373): Some regex strings were changed to raw strings to fix Python warnings. Patches by Jakub Wilk and Anthony Sottile. ## Other changes - Wheels include zlib 1.2.13, libxml2 2.10.3 and libxslt 1.1.38 (zlib 1.2.12, libxml2 2.10.3 and libxslt 1.1.37 on Windows). - Built with Cython 0.29.36 to adapt to changes in Python 3.12. ### [`v4.9.2`](https://togithub.com/lxml/lxml/blob/HEAD/CHANGES.txt#492-2022-12-13) [Compare Source](https://togithub.com/lxml/lxml/compare/lxml-4.9.1...lxml-4.9.2) \================== ## Bugs fixed - CVE-2022-2309: A Bug in libxml2 2.9.1\[0-4] could let namespace declarations from a failed parser run leak into later parser runs. This bug was worked around in lxml and resolved in libxml2 2.10.0. https://gitlab.gnome.org/GNOME/libxml2/-/issues/378 ## Other changes - [LP#1981760](https://togithub.com/LP/lxml/issues/1981760): `Element.attrib` now registers as `collections.abc.MutableMapping`. - lxml now has a static build setup for macOS on ARM64 machines (not used for building wheels). Patch by Quentin Leffray. ### [`v4.9.1`](https://togithub.com/lxml/lxml/blob/HEAD/CHANGES.txt#491-2022-07-01) [Compare Source](https://togithub.com/lxml/lxml/compare/lxml-4.9.0...lxml-4.9.1) \================== ## Bugs fixed - A crash was resolved when using `iterwalk()` (or `canonicalize()`) after parsing certain incorrect input. Note that `iterwalk()` can crash on *valid* input parsed with the same parser *after* failing to parse the incorrect input. ### [`v4.9.0`](https://togithub.com/lxml/lxml/blob/HEAD/CHANGES.txt#490-2022-06-01) [Compare Source](https://togithub.com/lxml/lxml/compare/lxml-4.8.0...lxml-4.9.0) \================== ## Bugs fixed - [GH#341](https://togithub.com/GH/lxml/issues/341): The mixin inheritance order in `lxml.html` was corrected. Patch by xmo-odoo. ## Other changes - Built with Cython 0.29.30 to adapt to changes in Python 3.11 and 3.12. - Wheels include zlib 1.2.12, libxml2 2.9.14 and libxslt 1.1.35 (libxml2 2.9.12+ and libxslt 1.1.34 on Windows). - [GH#343](https://togithub.com/GH/lxml/issues/343): Windows-AArch64 build support in Visual Studio. Patch by Steve Dower. ### [`v4.8.0`](https://togithub.com/lxml/lxml/blob/HEAD/CHANGES.txt#480-2022-02-17) [Compare Source](https://togithub.com/lxml/lxml/compare/lxml-4.7.1...lxml-4.8.0) \================== ## Features added - [GH#337](https://togithub.com/GH/lxml/issues/337): Path-like objects are now supported throughout the API instead of just strings. Patch by Henning Janssen. - The `ElementMaker` now supports `QName` values as tags, which always override the default namespace of the factory. ## Bugs fixed - [GH#338](https://togithub.com/GH/lxml/issues/338): In lxml.objectify, the XSI float annotation "nan" and "inf" were spelled in lower case, whereas XML Schema datatypes define them as "NaN" and "INF" respectively. Patch by Tobias Deiminger. ## Other changes - Built with Cython 0.29.28. ### [`v4.7.1`](https://togithub.com/lxml/lxml/blob/HEAD/CHANGES.txt#471-2021-12-13) [Compare Source](https://togithub.com/lxml/lxml/compare/lxml-4.6.5...lxml-4.7.1) \================== ## Features added - Chunked Unicode string parsing via `parser.feed()` now encodes the input data to the native UTF-8 encoding directly, instead of going through `Py_UNICODE` / `wchar_t` encoding first, which previously required duplicate recoding in most cases. ## Bugs fixed - The standard namespace prefixes were mishandled during "C14N2" serialisation on Python 3. See https://mail.python.org/archives/list/lxml@python.org/thread/6ZFBHFOVHOS5GFDOAMPCT6HM5HZPWQ4Q/ - `lxml.objectify` previously accepted non-XML numbers with underscores (like "1\_000") as integers or float values in Python 3.6 and later. It now adheres to the number format of the XML spec again. - [LP#1939031](https://togithub.com/LP/lxml/issues/1939031): Static wheels of lxml now contain the header files of zlib and libiconv (in addition to the already provided headers of libxml2/libxslt/libexslt). ## Other changes - Wheels include libxml2 2.9.12+ and libxslt 1.1.34 (also on Windows).