Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump lxml from 4.6.3 to 4.6.5 in /build/ci-cd/python #1096

Merged
merged 1 commit into from
Jan 24, 2022
Merged

Bump lxml from 4.6.3 to 4.6.5 in /build/ci-cd/python #1096

merged 1 commit into from
Jan 24, 2022

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 21, 2022

Bumps lxml from 4.6.3 to 4.6.5.

Changelog

Sourced from lxml's changelog.

4.6.5 (2021-12-12)

Bugs fixed

  • A vulnerability (GHSL-2021-1038) in the HTML cleaner allowed sneaking script content through SVG images (CVE-2021-43818).

  • A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed sneaking script content through CSS imports and other crafted constructs (CVE-2021-43818).

4.6.4 (2021-11-01)

Features added

  • GH#317: A new property system_url was added to DTD entities. Patch by Thirdegree.

  • GH#314: The STATIC_* variables in setup.py can now be passed via env vars. Patch by Isaac Jurado.

Commits
  • a9611ba Fix a test in Py2.
  • a3eacbc Prepare release of 4.6.5.
  • b7ea687 Update changelog.
  • 69a7473 Cleaner: cover some more cases where scripts could sneak through in specially...
  • 54d2985 Fix condition in test decorator.
  • 4b220b5 Use the non-depcrecated TextTestResult instead of _TextTestResult (GH-333)
  • d85c6de Exclude a test when using the macOS system libraries because it fails with li...
  • cd4bec9 Add macOS-M1 as wheel build platform.
  • fd0d471 Install automake and libtool in macOS build to be able to install the latest ...
  • f233023 Cleaner: Remove SVG image data URLs since they can embed script content.
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump lxml from 4.6.3 to 4.6.5 in /build/ci-cd/python
c5631f5 
Bumps [lxml](https://github.com/lxml/lxml) from 4.6.3 to 4.6.5.
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-4.6.3...lxml-4.6.5)

---
updated-dependencies:
- dependency-name: lxml
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jan 21, 2022
@aj-stein-nist aj-stein-nist self-assigned this Jan 21, 2022
@aj-stein-nist
Copy link
Contributor

I presume there will be limited changes, just need to test the updated code from the merge of #1070 and ensure it works just to be on the safe side.

@aj-stein-nist aj-stein-nist changed the base branch from main to release-1.0 January 21, 2022 22:36
aj-stein-nist
aj-stein-nist previously approved these changes Jan 22, 2022
View reviewed changes
@aj-stein-nist
Copy link
Contributor

aj-stein-nist commented Jan 22, 2022
edited
Loading

Nevermind, it seems #1070 was pointed to main not release-1.0. This dependency update didn't break anything though, so it is good to go. You ok to merge, @david-waltermire-nist?

@aj-stein-nist aj-stein-nist changed the base branch from release-1.0 to main January 22, 2022 04:03
@aj-stein-nist aj-stein-nist dismissed their stale review January 22, 2022 04:03

The base branch was changed.

@aj-stein-nist aj-stein-nist added this to the OSCAL 1.0.1 milestone Jan 24, 2022
@david-waltermire david-waltermire merged commit 26b6df1 into main Jan 24, 2022
@david-waltermire david-waltermire deleted the dependabot/pip/build/ci-cd/python/lxml-4.6.5 branch January 24, 2022 16:15
iMichaela pushed a commit to iMichaela/OSCAL that referenced this pull request Apr 7, 2022
@dependabot @iMichaela
Bump lxml from 4.6.3 to 4.6.5 in /build/ci-cd/python (usnistgov#1096)
17e2923 
Bumps [lxml](https://github.com/lxml/lxml) from 4.6.3 to 4.6.5.
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-4.6.3...lxml-4.6.5)

---
updated-dependencies:
- dependency-name: lxml
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Rene2mt pushed a commit to Rene2mt/OSCAL that referenced this pull request May 17, 2022
@dependabot @Rene2mt
Bump lxml from 4.6.3 to 4.6.5 in /build/ci-cd/python (usnistgov#1096)
84b3221 
Bumps [lxml](https://github.com/lxml/lxml) from 4.6.3 to 4.6.5.
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-4.6.3...lxml-4.6.5)

---
updated-dependencies:
- dependency-name: lxml
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aj-stein-nist aj-stein-nist aj-stein-nist approved these changes

Assignees

@aj-stein-nist aj-stein-nist

Labels
dependencies Pull requests that update a dependency file python Pull requests that update Python code
Projects
None yet
Milestone
OSCAL 1.0.1
Development

Successfully merging this pull request may close these issues.
2 participants
@aj-stein-nist @david-waltermire