lxml < 6.1.0 has a high severity vulnerability.

[johanneswuerbach]

lxml < 6.1.0 has a high severity vulnerability GHSA-vfmq-68hx-4jfw and lxml is currently pinned to lxml>=4.6.5,<=6.0.2 here.

Based on 356583b I understand there was a particular parsing bug in lxml v6, but I'm not sure why the range wasn't set to lxml>=4.6.5,<7.0.0 as lxml seems to follow semver.

Would you support changing the range to lxml>=4.6.5,<7.0.0 or are there any other blockers?

[luancaius]

I'm having the same issue. I tried to bypass it by doing:

[tool.uv]
override-dependencies = [
    "lxml==6.1.0",
]

and it worked for the build, but security checks complained.

[zhatiayua]

Same here, need the fix for this issue

[kgniza-splunk]

Same here, marked as SECURITY_HIGH vulnerability, and we have to update it to v6.1.0

[TomTomoki]

There is a PR for this, but I'm not sure if it'll be included in the next release: #275