A crash was resolved when using iterwalk() (or canonicalize())
after parsing certain incorrect input. Note that iterwalk() can crash
on valid input parsed with the same parser after failing to parse the
incorrect input.
4.9.0 (2022-06-01)
Bugs fixed
GH#341: The mixin inheritance order in lxml.html was corrected.
Patch by xmo-odoo.
Other changes
Built with Cython 0.29.30 to adapt to changes in Python 3.11 and 3.12.
Wheels include zlib 1.2.12, libxml2 2.9.14 and libxslt 1.1.35
(libxml2 2.9.12+ and libxslt 1.1.34 on Windows).
GH#343: Windows-AArch64 build support in Visual Studio.
Patch by Steve Dower.
4.8.0 (2022-02-17)
Features added
GH#337: Path-like objects are now supported throughout the API instead of just strings.
Patch by Henning Janssen.
The ElementMaker now supports QName values as tags, which always override
the default namespace of the factory.
Bugs fixed
GH#338: In lxml.objectify, the XSI float annotation "nan" and "inf" were spelled in
lower case, whereas XML Schema datatypes define them as "NaN" and "INF" respectively.
... (truncated)
Commits
d01872c Prevent parse failure in new test from leaking into later test runs.
Relaxed the restriction introduced in 2.6.2 so that the Proxy-Authentication header can again be set explicitly in certain cases, restoring compatibility with scrapy-zyte-smartproxy 2.1.0 and older
- ``scrapy.utils.iterators.xmliter`` is now deprecated in favor of
:func:`~scrapy.utils.iterators.xmliter_lxml`, which
:class:`~scrapy.spiders.XMLFeedSpider` now uses.
To minimize the impact of this change on existing code,
:func:`~scrapy.utils.iterators.xmliter_lxml` now supports indicating
the node namespace with a prefix in the node name, and big files with
highly nested trees when using libxml2 2.7+.
- Fixed regular expressions in the implementation of the
:func:`~scrapy.utils.response.open_in_browser` function.
Please, see the `cc65-xxvf-f7r9 security advisory`_ for more information.
.. _ReDoS vulnerabilities: https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
.. _cc65-xxvf-f7r9 security advisory: https://github.com/scrapy/scrapy/security/advisories/GHSA-cc65-xxvf-f7r9
:setting:DOWNLOAD_MAXSIZE and :setting:DOWNLOAD_WARNSIZE now also apply
to the decompressed response body. Please, see the 7j7m-v7m3-jqm7 security advisory_ for more information.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/scrapinghub/shublang/network/alerts).
Bumps the pip group with 4 updates in the / directory: certifi, lxml, py and scrapy.
Updates
certifi
from 2019.9.11 to 2023.7.22Commits
8fb96ed
2023.07.22afe7722
Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)2038739
Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)44df761
Hash pin Actions and enable dependabot (#228)8b3d7ba
2023.05.0753da240
ci: Add Python 3.12-dev to the testing (#224)c2fc3b1
Create a Security Policy (#222)c211ef4
Set up permissions to github workflows (#218)2087de5
Don't let deprecation warning fail CI (#219)e0b9fc5
remove paragraphs about 1024-bit roots from READMEUpdates
lxml
from 4.4.1 to 4.9.1Changelog
Sourced from lxml's changelog.
... (truncated)
Commits
d01872c
Prevent parse failure in new test from leaking into later test runs.d65e632
Prepare release of lxml 4.9.1.86368e9
Fix a crash when incorrect parser input occurs together with usages of iterwa...50c2764
Delete unused Travis CI config and reference in docs (GH-345)8f0bf2d
Try to speed up the musllinux AArch64 build by splitting the different CPytho...b9f7074
Remove debug print from test.b224e0f
Try to install 'xz' in wheel builds, if available, since it's now needed to e...897ebfa
Update macOS deployment target version from 10.14 to 10.15 since 10.14 starts...853c9e9
Prepare release of 4.9.0.d3f77e6
Add a test for https://bugs.launchpad.net/lxml/+bug/1965070 leaving out the a...Updates
py
from 1.10.0 to 1.11.0Changelog
Sourced from py's changelog.
Commits
447bac5
Update CHANGELOG.rst6d003d9
Update CHANGELOG.rst9cf613f
Declare support for Python 3.8-3.10d831150
Update python_requires: Python 3.4 was already droppede68532e
Update CHANGELOG for 1.11.02f03e5a
Merge pull request #258 from blueyed/NO_COLORe116b2b
Merge pull request #275 from pytest-dev/upgrade-vendor-libsf3a1a59
remove build pin againf6cbf28
try to use pipx tox3fe9ad7
try to use preinstalled toxUpdates
scrapy
from 1.8.1 to 2.11.1Release notes
Sourced from scrapy's releases.
... (truncated)
Changelog
Sourced from scrapy's changelog.
... (truncated)
Commits
2f1d345
Solve test issues502addc
Bump version: 2.11.0 → 2.11.16b88b33
Set the release date of versions 2.11.1 and 1.8.4479619b
Merge branch '2.11-redos' into 2.11809bfac
Merge branch '2.11-compression-bomb' into 2.115bcb8fd
Merge branch '2.11-authorization' into 2.11a55e933
Release notes for 2.11.1 (#6150)5e5a920
Remove slow leftovers810aaa6
Undo an unintended changec5dad41
Speed up tests, remove comments without regexpsDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show