chore(deps): update dependency lxml to v6

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
lxml (source, changelog)	==5.2.1 → ==6.0.2

---

Release Notes

lxml/lxml (lxml)

v6.0.2

Compare Source

==================

Bugs fixed

• LP#2125278: Compilation with libxml2 2.15.0 failed.
  Original patch by Xi Ruoyao.

• Setting decompress=True in the parser had no effect in libxml2 2.15.

• Binary wheels on Linux and macOS use the library version libxml2 2.14.6.
  See https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.6

• Test failures in libxml2 2.15.0 were fixed.

Other changes

• Binary wheels for Py3.9-3.11 on the riscv64 architecture were added.

• Error constants were updated to match libxml2 2.15.0.

• Built using Cython 3.1.4.

v6.0.1

Compare Source

==================

Bugs fixed

• LP#2116333: lxml.sax._getNsTag() could fail with an exception on malformed input.

• GH#467: Some test adaptations were made for libxml2 2.15.
  Patch by Nick Wellnhofer.

• LP2119510, GH#473: A Python compatibility test was fixed for Python 3.14+.
  Patch by Lumír Balhar.

• GH#471: Wheels for "riscv64" on recent Python versions were added.
  Patch by ffgan.

• GH#469: The wheel build no longer requires the wheel package unconditionally.
  Patch by Miro Hrončok.

• Binary wheels use the library version libxml2 2.14.5.
  See https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.5

• Windows binary wheels continue to use a security patched library version libxml2 2.11.9.

v6.0.0

Compare Source

==================

Features added

• GH#463: lxml.html.diff is faster and provides structurally better diffs.
  Original patch by Steven Fernandez.

• GH#405: The factories Element and ElementTree can now be used in type hints.

• GH#448: Parsing from memoryview and other buffers is supported to allow zero-copy parsing.

• GH#437: lxml.html.builder was missing several HTML5 tag names.
  Patch by Nick Tarleton.

• GH#458: CDATA can now be written into the incremental xmlfile() writer.
  Original patch by Lane Shaw.

• A new parser option decompress=False was added that controls the automatic
  input decompression when using libxml2 2.15.0 or later. Disabling this option
  by default will effectively prevent decompression bombs when handling untrusted
  input. Code that depends on automatic decompression must enable this option.
  Note that libxml2 2.15.0 was not released yet, so this option currently has no
  effect but can already be used.

• The set of compile time / runtime supported libxml2 feature names is available as
  etree.LIBXML_COMPILED_FEATURES and etree.LIBXML_FEATURES.
  This currently includes
  catalog, ftp, html, http, iconv, icu,
  lzma, regexp, schematron, xmlschema, xpath, zlib.

Bugs fixed

• GH#353: Predicates in .find*() could mishandle tag indices if a default namespace is provided.
  Original patch by Luise K.

• GH#272: The head and body properties of lxml.html elements failed if no such element
  was found. They now return None instead.
  Original patch by FVolral.

• Tag names provided by code (API, not data) that are longer than INT_MAX
  could be truncated or mishandled in other ways.

• .text_content() on lxml.html elements accidentally returned a "smart string"
  without additional information. It now returns a plain string.

• LP#2109931: When building lxml with coverage reporting, it now disables the sys.monitoring
  support due to the lack of support in nedbat/coveragepy#1790

Other changes

• Support for Python < 3.8 was removed.

• Parsing directly from zlib (or lzma) compressed data is now considered an optional
  feature in lxml. It may get removed from libxml2 at some point for security reasons
  (compression bombs) and is therefore no longer guaranteed to be available in lxml.

  As of this release, zlib support is still normally available in the binary wheels
  but may get disabled or removed in later (x.y.0) releases. To test the availability,
  use "zlib" in etree.LIBXML_FEATURES.

• The Schematron class is deprecated and will become non-functional in a future lxml version.
  The feature will soon be removed from libxml2 and stop being available.

• GH#438: Wheels include the arm7l target.

• GH#465: Windows wheels include the arm64 target.
  Patch by Finn Womack.

• Binary wheels use the library versions libxml2 2.14.4 and libxslt 1.1.43.
  Note that this disables direct HTTP and FTP support for parsing from URLs.
  Use Python URL request tools instead (which usually also support HTTPS).
  To test the availability, use "http" in etree.LIBXML_FEATURES.

• Windows binary wheels use the library versions libxml2 2.11.9, libxslt 1.1.39 and libiconv 1.17.
  They are now based on VS-2022.

• Built using Cython 3.1.2.

• The debug methods MemDebug.dump() and MemDebug.show() were removed completely.
  libxml2 2.13.0 discarded this feature.

v5.4.0

Compare Source

==================

Bugs fixed

• LP#2107279: Binary wheels use libxml2 2.13.8 and libxslt 1.1.43 to resolve several CVEs.
  (Binary wheels for Windows continue to use a patched libxml2 2.11.9 and libxslt 1.1.39.)
  Issue found by Anatoly Katyushin.

v5.3.2

Compare Source

==================

This release resolves CVE-2025-24928 as described in
https://gitlab.gnome.org/GNOME/libxml2/-/issues/847

Bugs fixed

• Binary wheels use libxml2 2.12.10 and libxslt 1.1.42.

• Binary wheels for Windows use a patched libxml2 2.11.9 and libxslt 1.1.39.

v5.3.1

Compare Source

==================

Bugs fixed

• GH#440: Some tests were adapted for libxml2 2.14.0.
  Patch by Nick Wellnhofer.

• LP#2097175: DTD(external_id="…") erroneously required a byte string as ID value.

• GH#450: iterparse() internally triggered the `DeprecationWarning`` added in lxml 5.3.0 when parsing HTML.

Other changes

• GH#442: Binary wheels for macOS no longer use the linker flag -flat_namespace.

v5.3.0

Compare Source

==================

Bugs fixed

• GH#440: Some tests were adapted for libxml2 2.14.0.
  Patch by Nick Wellnhofer.

• LP#2097175: DTD(external_id="…") erroneously required a byte string as ID value.

• GH#450: iterparse() internally triggered the `DeprecationWarning`` added in lxml 5.3.0 when parsing HTML.

Other changes

• GH#442: Binary wheels for macOS no longer use the linker flag -flat_namespace.

v5.2.2

Compare Source

==================

Bugs fixed

• GH#417: The test_feed_parser test could fail if lxml_html_clean was not installed.
  It is now skipped in that case.

• LP#2059910: The minimum CPU architecture for the Linux x86 binary wheels was set back to
  "core2", without SSE 4.2.

• If libxml2 uses iconv, the compile time version is available as etree.ICONV_COMPILED_VERSION.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the lxml Python library to its latest major version, 6.0.2. This update brings significant changes, including dropping support for older Python versions, introducing new parsing and HTML manipulation features, and incorporating various bug fixes and security patches across several minor and patch releases. The change ensures the project benefits from the latest improvements and maintains compatibility with current library standards.

Highlights

• Dependency Update: Updated the lxml dependency from version 5.2.1 to 6.0.2 in requirements.txt.
• Major Version Upgrade: Incorporated the lxml v6.0.0 release, which includes dropping support for Python versions older than 3.8, introducing new features like faster HTML diffing, improved type hinting, and zero-copy parsing from memoryview.
• Bug Fixes and Enhancements: Included numerous bug fixes and minor enhancements from lxml versions 5.3.x, 5.4.x, 6.0.1, and 6.0.2, addressing issues with libxml2 compatibility, SAX parsing, and improvements to binary wheel builds.

Changelog

• cloud-media-livestream/keypublisher/requirements.txt
  • Updated lxml from 5.2.1 to 6.0.2.

Activity

• This pull request was automatically generated by Renovate Bot to update the lxml dependency.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates lxml from version 5.2.1 to 6.0.2. This is a major version upgrade that includes several breaking changes. I've added a comment highlighting a significant change regarding network access during parsing which could affect XML processing in this project, especially since it seems to involve CPIX and signxml. Please ensure this breaking change is handled correctly before merging.

[gemini-code-assist]

This is a major version update for lxml which introduces some significant breaking changes. According to the release notes for v6.0.0, binary wheels now disable direct HTTP and FTP support for parsing from URLs. This can break code that relies on lxml to automatically fetch external resources like DTDs or schemas.

Given that this project uses signxml and likely processes CPIX XML documents, please verify that the application's XML processing logic does not rely on this feature. If it does, you will need to update the code to fetch external resources manually using a library like requests before passing them to the parser.