[Bug 2060811] Re: FFe updating lxml to the 5.2.1 release

Graham Inggs 2060811 at bugs.launchpad.net
Wed Apr 10 14:01:21 UTC 2024


package split and bugfixes seem fine to me
FFe granted, please go ahead

** Also affects: pandas (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: readability (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: lxml (Ubuntu)
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to lxml in Ubuntu.
https://bugs.launchpad.net/bugs/2060811

Title:
  FFe updating lxml to the 5.2.1 release

Status in lxml package in Ubuntu:
  Triaged
Status in pandas package in Ubuntu:
  New
Status in readability package in Ubuntu:
  New

Bug description:
  updating lxml to the 5.2.1 release allows us to get rid of the
  lxml-html-clean module into a separate package lxml-html-clean (already
  in noble), and demote it to universe. This module is responsible for
  almost all CVEs in lxml in the past years.

  Changes in 5.2.1 compared to 5.1.0:

  5.2.1 (2024-04-02)
  ==================

  Bugs fixed
  ----------

  * LP#2059910: The minimum CPU architecture for the Linux x86 binary wheels was set back to
    "core2", but with SSE 4.2 enabled.

  * LP#2059977: ``Element.iterfind("//absolute_path")`` failed with a ``SyntaxError``
    where it should have issued a warning.

  * GH#416: The documentation build was using the non-standard ``which`` command.
    Patch by Michał Górny.

  
  5.2.0 (2024-03-30)
  ==================

  Other changes
  -------------

  * LP#1958539: The ``lxml.html.clean`` implementation suffered from several (only if used)
    security issues in the past and was now extracted into a separate library:

    https://github.com/fedora-python/lxml_html_clean

    Projects that use lxml without "lxml.html.clean" will not notice any difference,
    except that they won't have potentially vulnerable code installed.
    The module is available as an "extra" setuptools dependency "lxml[html_clean]",
    so that Projects that need "lxml.html.clean" will need to switch their requirements
    from "lxml" to "lxml[html_clean]", or install the new library themselves.

  * The minimum CPU architecture for the Linux x86 binary wheels was upgraded to
    "sandybridge" (launched 2011), and glibc 2.28 / gcc 12 (manylinux_2_28) wheels were added.

  * Built with Cython 3.0.10.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxml/+bug/2060811/+subscriptions
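
The requirement switch described in the 5.2.0 changelog entry above can be checked mechanically. The following is an added example, not part of the bug report or of lxml: it flags Python files that import lxml.html.clean when the requirements list neither "lxml[html_clean]" nor the separate library. The function names and sample inputs are constructed for illustration, and the example assumes the library's distribution name matches its repository name (lxml_html_clean).

```python
import ast
import re

# Leading distribution name plus optional [extras] of one requirement line.
_REQ = re.compile(r"^([A-Za-z0-9._-]+)\s*(?:\[([^\]]*)\])?")
TARGET = "lxml.html.clean"

def _norm(name):
    # Package-name normalization: runs of "-", "_", "." compare equal.
    return re.sub(r"[-_.]+", "-", name.strip()).lower()

def uses_html_clean(source):
    """True if the Python source imports lxml.html.clean in any form."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            mod = node.module or ""
            # "from lxml.html import clean" names the module as an alias.
            names = [mod] + [f"{mod}.{a.name}" for a in node.names]
        else:
            continue
        if any(n == TARGET or n.startswith(TARGET + ".") for n in names):
            return True
    return False

def declares_html_clean(requirements):
    """True if the requirements text pulls in the extracted cleaner."""
    for raw in requirements.splitlines():
        m = _REQ.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        name = _norm(m.group(1))
        extras = {_norm(e) for e in (m.group(2) or "").split(",")}
        # Assumption: the separate library is published as lxml_html_clean.
        if name == "lxml-html-clean" or (name == "lxml" and "html-clean" in extras):
            return True
    return False

def audit(sources, requirements):
    """Files that import the cleaner while the requirements do not provide it."""
    if declares_html_clean(requirements):
        return []
    return sorted(p for p, src in sources.items() if uses_html_clean(src))

# Constructed sample project: one file uses the cleaner, one does not.
SAMPLE = {"app.py": "from lxml.html.clean import Cleaner\n",
          "parse.py": "from lxml import etree\n"}
print(audit(SAMPLE, "lxml>=5.2.1\n"))
```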
