build(deps): bump lxml from 6.0.2 to 6.0.4 #20825

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/lxml-6.0.4

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 21, 2026

Bumps lxml from 6.0.2 to 6.0.4.

Changelog

Sourced from lxml's changelog.

6.0.4 (2026-04-12)

Bugs fixed

  • LP#2148019: Spurious MemoryError during namespace cleanup.

6.0.3 (2026-04-09)

Bugs fixed

  • Several out of memory error cases now raise MemoryError that were not handled before.

  • Slicing with large step values (outside of +/- sys.maxsize) could trigger undefined C behaviour.

  • LP#2125399: Some failing tests were fixed or disabled in PyPy.

  • LP#2138421: Memory leak in error cases when setting the public_id or system_url of a document.

  • Memory leak in case of a memory allocation failure when copying document subtrees.

  • When mapping an XPath result to Python failed, the result memory could leak.

  • When preparing an XSLT transform failed, the XSLT parameter memory could leak.

Other changes

  • Built using Cython 3.2.4.

  • Binary wheels use zlib 1.3.2.

Commits
  • 1fd1d6b Fix release date.
  • 5154859 CI: Include all library versions in libs cache key to asssure updated on vers...
  • 6a606f3 Add "doesn't crash" tests for LP#2148019.
  • f488f16 Prepare release of 6.0.4.
  • 1255d98 LP#2148019: Prevent spurious MemoryError during namespace cleanup.
  • 03b0c4a Remove dead type check.
  • a6f833c Fix release date.
  • 973d059 Update changelog.
  • 9044a52 Build: Downgrade libiconv to 1.18 since 1.19 does not build reliably.
  • a34dfdd Build: Upgrade libiconv to 1.19.
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency refresh limited to the optional dev extra; primary impact is potential CI/dev-environment breakage from new wheels/behavior changes in lxml.

Overview
Updates the optional dev dependency on lxml from 6.0.2 to 6.0.4 by tightening the constraint in pyproject.toml.

Regenerates poetry.lock to pull in lxml 6.0.4 artifacts (new wheel hashes and updated lock content-hash).

Reviewed by Cursor Bugbot for commit a0622cb. Bugbot is set up for automated code reviews on this repo.

Bumps [lxml](https://github.com/lxml/lxml) from 6.0.2 to 6.0.4.
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-6.0.2...lxml-6.0.4)

---
updated-dependencies:
- dependency-name: lxml
  dependency-version: 6.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code) on Apr 21, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 21, 2026 20:29

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Comment thread on pyproject.toml
types-pyyaml = { version = ">=6.0.12.20240917", optional = true }
types-setuptools = { version = ">=75.5.0.20241122", optional = true }
lxml = { version = ">=5.2.2", optional = true }
lxml = { version = ">=6.0.4", optional = true }
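Review bot: the lower bound for lxml in this hunk jumps from >=5.2.2 to >=6.0.4, which changes the declared constraint rather than refreshing the lock for a patch release; unless the JUnit parsing in chia/_tests/process_junit.py needs something that only exists in 6.0.x, keep `lxml = { version = ">=5.2.2", optional = true }` (or raise it only to the lowest version the tests actually require) and let poetry.lock carry the 6.0.4 pin, so dev-extra installs that still run lxml 5.x are not forced to upgrade.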

Minimum lxml version raised too aggressively from 5.2.2

Medium Severity

The minimum version constraint for lxml was changed from >=5.2.2 to >=6.0.4. For a patch-level dependency bump (6.0.2 → 6.0.4), this unnecessarily raises the floor by an entire major version. Anyone installing the dev optional dependency who previously relied on lxml 5.x compatibility will now be forced to upgrade to 6.0.4+, which is a breaking change in the dependency specification that likely wasn't intended.


@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff: Updated
Package: pypi/lxml@6.0.2 ⏵ 6.0.4
Supply Chain Security: 98
Vulnerability: 100
Quality: 100
Maintenance: 100
License: 100


@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying how lxml is declared in the project for an accurate review.

Verdict: benign

Why this looks safe

  • Package identity: lxml is the standard XML/HTML stack for Python; the bump is 6.0.2 → 6.0.4 (patch), with a normal changelog (memory/leak fixes, namespace cleanup, build notes). No typosquatting.

  • What actually changes in your repo: A Dependabot PR should only touch manifest + lock (e.g. pyproject.toml / poetry.lock). It does not ship arbitrary upstream source into your tree. Your pyproject.toml already allows lxml with version = ">=6.0.4" as an optional dependency and lists it under dev (lines 102 and 111).

  • Malware scanner (aligned with benign)

    • Unicode / confusable / IOC: all 0 — no GlassWorm-style or exfiltration signals from the scan.
    • Heuristics: the six items are expected noise on a real library: subprocess in upstream buildlibxml.py (normal for building libxml), “path-touch” on .github/workflows/ because the upstream diff between tags touched CI (not a red flag for your app’s lockfile bump), and “ghost version” / “maintainer drift” are metadata heuristics (tag/registry resolution), not proof of a compromised wheel. The scanner’s warn status here does not contradict a benign conclusion when the substantive categories are empty.
  • Checklist (short)

    • No evidence of obfuscation, unexpected network URLs, persistence writes, or credential exfiltration in the dependency update story you described.
    • Process/spawn hits apply to upstream build tooling, not a typical runtime install path when using PyPI wheels.
    • No npm lifecycle scripts (Python package).
    • Lockfile entries should remain PyPI wheel hashes for lxml-6.0.4-* (verify in PR diff that only lxml / expected lock metadata moved).

Actionable note: If anything in the PR diff is not lockfile + version constraint lines (e.g. random scripts or unrelated packages), re-check that specific diff — but for a standard Dependabot lxml patch bump with empty IOC/unicode findings, approve from a supply-chain perspective.

Compatibility Analysis

Searching the codebase for lxml usage and reviewing how it's declared in project config.

1) Where lxml appears

Location and role:

  • pyproject.toml: Optional dependency lxml = { version = ">=6.0.4", optional = true } and listed under [project.optional-dependencies] dev.
  • chia/_tests/process_junit.py: Only application usage found: lxml.etree.parse(...), getroot(), findall / find on JUnit XML, attribute access.

Everything else under .upstream-dependency/ is the vendored upstream lxml tree for review tooling, not Chia runtime code.

2) Overlap with 6.0.3 / 6.0.4 changes

Upstream notes are bug fixes and memory-safety: spurious MemoryError on namespace cleanup, leak fixes on error paths (DTD public_id / system_url, subtree copy, XPath→Python mapping, XSLT param prep), slicing with extreme step, clearer MemoryError on real OOM, PyPy test fixes, wheel build (Cython/zlib/libiconv).

Chia’s usage is plain etree parse + tree walk on JUnit XML. It does not use XSLT, custom XPath-to-Python mapping, DTD mutation, or exotic slicing. So there is no meaningful intersection with the areas called out in the changelog/commits.

3) Risks / unknowns

  • OOM behavior: 6.0.3 may raise MemoryError more often when allocation actually fails; for normal JUnit sizes this is negligible.
  • Install surface: Still optional dev; production installs that omit dev never pull lxml. Dev/CI that install dev get wheels on common platforms; source builds remain platform/toolchain-dependent (generic risk for any lxml bump, not specific to this patch).
  • Malware-scan heuristics (ghost_version_or_missing_tag, etc.) on a fresh 6.0.4 are noise for judging this bump; rely on PyPI hashes in poetry.lock and CI.

4) Recommendation

Merge — patch-level release, fixes align with safer behavior; the only in-repo consumer uses a small, stable subset of lxml.etree unrelated to the changed internals. No need to hold unless CI fails on an unusual platform (then treat as environment/build, not API).


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 9
  • Resolution strategy: commit_list
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved refs: from=n/a to=n/a
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 6

Top findings

  • buildlibxml.py:518 shell_process_spawn :: import subprocess
  • buildlibxml.py:522 shell_process_spawn :: returncode = subprocess.call(cmd, **kw)
  • .github/workflows/ci.yml:0 workflow_path_touch :: path-touch
  • .github/workflows/wheels.yml:0 workflow_path_touch :: path-touch
  • lxml:0 ghost_version_or_missing_tag :: 6.0.4
  • lxml:0 maintainer_drift :: 6.0.2->6.0.4

@coveralls-official

Coverage Report for CI Build 24744816552

Coverage decreased (-0.02%) to 91.154%

Details

  • Coverage decreased (-0.02%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 30 coverage regressions across 7 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

30 previously-covered lines in 7 files lost coverage.

File (lines losing coverage, resulting coverage):

  • chia/server/node_discovery.py: 8 lines, 79.86%
  • chia/server/address_manager.py: 7 lines, 92.83%
  • chia/server/server.py: 7 lines, 85.56%
  • chia/full_node/full_node_api.py: 3 lines, 86.41%
  • chia/data_layer/data_layer.py: 2 lines, 85.68%
  • chia/_tests/core/test_farmer_harvester_rpc.py: 2 lines, 98.06%
  • chia/_tests/core/util/test_file_keyring_synchronization.py: 1 line, 96.88%

Coverage Stats

Coverage Status
Relevant Lines: 117497
Covered Lines: 107269
Line Coverage: 91.3%
Relevant Branches: 11720
Covered Branches: 10518
Branch Coverage: 89.74%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls
