Skip to content

Python: Bump bleach from 6.3.0 to 6.4.0 in /python#14089

Merged
moonbox3 merged 2 commits into
mainfrom
dependabot/uv/python/bleach-6.4.0
Jun 17, 2026
Merged

Python: Bump bleach from 6.3.0 to 6.4.0 in /python#14089
moonbox3 merged 2 commits into
mainfrom
dependabot/uv/python/bleach-6.4.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 17, 2026

Copy link
Copy Markdown
Contributor

Bumps bleach from 6.3.0 to 6.4.0.

Changelog

Sourced from bleach's changelog.

Version 6.4.0 (June 5th, 2026)

NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future releases including for security issues. See issue: <https://github.com/mozilla/bleach/issues/698>__

Backwards incompatible changes

  • Dropped support for pypy 3.10. (#764)

Security fixes

  • Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.

    Fix XSS issue with sanitize_uri_value where disallowed schemes with Unicode invisible characters wouldn't be rejected.

    For example::

    import bleach payload1 = 'Click' result1 = bleach.clean(payload1) print(repr(result1))

    outputs::

    'Click'

    See the advisory for details.

  • Fix GHSA-gj48-438w-jh9v.

    Fix issue where URI sanitization wasn't happening in formaction attributes.

    See the advisory for details.

Bug fixes

  • Add support for pypy 3.11. (#764)

  • Drop version max in tinycss2 pin. (#772)

    This removes one of the things we had to keep checking and updating. Users now own the responsibility for correctness with the version of tinycss2 they're using.

Commits
  • f0355a7 fix: fix last release date in CHANGES
  • ae4e8a2 chore: bleach 6.4.0 and final release
  • 970df58 fix: uri-sanitization in formaction attributes
  • 7c4867c fix: xss bypass in allowed protocol test using unicode invisible characters
  • 913ab75 fix: reduce redundancy in workflow jobs
  • 218c15a fix: rework pip caching
  • 4f0b097 fix: fix tox platform restrictions
  • e95a79d chore: update pytest
  • 91539d4 Bump actions/cache from 5.0.3 to 5.0.4
  • cd47b4c fix: handle left-angle-bracket that's not a tag (#733)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump bleach from 6.3.0 to 6.4.0 in /python
a64bb46 
Bumps [bleach](https://github.com/mozilla/bleach) from 6.3.0 to 6.4.0.
- [Changelog](https://github.com/mozilla/bleach/blob/main/CHANGES)
- [Commits](mozilla/bleach@v6.3.0...v6.4.0)

---
updated-dependencies:
- dependency-name: bleach
  dependency-version: 6.4.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file. Used by Dependabot. python:uv Pull requests that update python:uv code labels Jun 17, 2026
Copilot AI review requested due to automatic review settings June 17, 2026 00:59
@dependabot dependabot Bot requested a review from a team as a code owner June 17, 2026 00:59
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file. Used by Dependabot. python:uv Pull requests that update python:uv code labels Jun 17, 2026
Copilot AI reviewed Jun 17, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@moonbox3 moonbox3 added the python Pull requests for the Python Semantic Kernel label Jun 17, 2026
@github-actions github-actions Bot changed the title Bump bleach from 6.3.0 to 6.4.0 in /python Python: Bump bleach from 6.3.0 to 6.4.0 in /python Jun 17, 2026
github-actions[bot]
github-actions Bot reviewed Jun 17, 2026
View reviewed changes

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated Code Review

Reviewers: 5 | Confidence: 59% | Result: All clear

Reviewed: Correctness, Security Reliability, Test Coverage, Failure Modes, Design Approach

Automated review by dependabot[bot]'s agents

@moonbox3

moonbox3 commented Jun 17, 2026

Copy link
Copy Markdown
Collaborator

@copilot: fix the CI/CD failures

Python: fix test_crud_operations_pandas CI failure on Windows Python …
a7a8887 
…3.10

Add dedicated async fixture for pandas vector store tests to avoid
pytest-asyncio 0.26.0 wrap_in_sync bug where asyncio.get_event_loop()
raises RuntimeError after set_event_loop(None) on Python 3.10 Windows.

Copilot AI commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

@copilot: fix the CI/CD failures

Fixed in commit b4e14d8.

Root cause: test_crud_operations_pandas[definition_pandas] was failing on Windows Python 3.10 due to a pytest-asyncio 0.26.0 bug. When indirect=True parametrization is used for async tests, pytest-asyncio's wrap_in_sync calls asyncio.get_event_loop() internally. After a previous test caused pytest-asyncio to call asyncio.set_event_loop(None) during teardown of an unclosed ProactorEventLoop, Python 3.10's get_event_loop() raises RuntimeError: There is no current event loop (because _set_called=True prevents auto-creation).

Fix: Added a dedicated pandas_vector_store_record_collection async fixture in conftest.py and updated test_crud_operations_pandas and test_crud_batch_operations_pandas to use it directly — removing the indirect=True parametrization. With an async fixture, pytest-asyncio establishes the event loop before the fixture runs, bypassing the wrap_in_sync code path entirely.

Copilot AI requested a review from moonbox3 June 17, 2026 05:45
@moonbox3 moonbox3 requested a review from eavanvalkenburg June 17, 2026 11:46
@moonbox3 moonbox3 enabled auto-merge June 17, 2026 11:46
@moonbox3 moonbox3 added this pull request to the merge queue Jun 17, 2026
Merged via the queue into main with commit 91efa21 Jun 17, 2026
32 checks passed
@moonbox3 moonbox3 deleted the dependabot/uv/python/bleach-6.4.0 branch June 17, 2026 12:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments
Copilot code review Copilot Copilot left review comments
@eavanvalkenburg eavanvalkenburg eavanvalkenburg approved these changes
@moonbox3 moonbox3 moonbox3 approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file. Used by Dependabot. python:uv Pull requests that update python:uv code python Pull requests for the Python Semantic Kernel

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@moonbox3 @eavanvalkenburg