Skip to content

chore(deps): bump bleach from 6.1.0 to 6.4.0 in /bindings/pydeck#10390

Open
dependabot[bot] wants to merge 2 commits into
masterfrom
dependabot/uv/bindings/pydeck/bleach-6.4.0
Open

chore(deps): bump bleach from 6.1.0 to 6.4.0 in /bindings/pydeck#10390
dependabot[bot] wants to merge 2 commits into
masterfrom
dependabot/uv/bindings/pydeck/bleach-6.4.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 20, 2026
edited by cursor Bot
Loading

Copy link
Copy Markdown
Contributor

Warning

Dependabot will stop supporting python v3.9!

Please upgrade to one of the following versions: v3.9, v3.10, v3.11, v3.12, v3.13, or v3.14.

Bumps bleach from 6.1.0 to 6.4.0.

Changelog

Sourced from bleach's changelog.

Version 6.4.0 (June 5th, 2026)

NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future releases including for security issues. See issue: <https://github.com/mozilla/bleach/issues/698>__

Backwards incompatible changes

  • Dropped support for pypy 3.10. (#764)

Security fixes

  • Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.

    Fix XSS issue with sanitize_uri_value where disallowed schemes with Unicode invisible characters wouldn't be rejected.

    For example::

    import bleach payload1 = 'Click' result1 = bleach.clean(payload1) print(repr(result1))

    outputs::

    'Click'

    See the advisory for details.

  • Fix GHSA-gj48-438w-jh9v.

    Fix issue where URI sanitization wasn't happening in formaction attributes.

    See the advisory for details.

Bug fixes

  • Add support for pypy 3.11. (#764)

  • Drop version max in tinycss2 pin. (#772)

    This removes one of the things we had to keep checking and updating. Users now own the responsibility for correctness with the version of tinycss2 they're using.

Version 6.3.0 (October 27th, 2025)

... (truncated)

Commits
  • f0355a7 fix: fix last release date in CHANGES
  • ae4e8a2 chore: bleach 6.4.0 and final release
  • 970df58 fix: uri-sanitization in formaction attributes
  • 7c4867c fix: xss bypass in allowed protocol test using unicode invisible characters
  • 913ab75 fix: reduce redundancy in workflow jobs
  • 218c15a fix: rework pip caching
  • 4f0b097 fix: fix tox platform restrictions
  • e95a79d chore: update pytest
  • 91539d4 Bump actions/cache from 5.0.3 to 5.0.4
  • cd47b4c fix: handle left-angle-bracket that's not a tag (#733)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Dev/Jupyter lockfile-only changes with a security patch for HTML sanitization; runtime pydeck library behavior is unaffected unless you rely on the old <3.10 notebook/nbconvert pins.

Overview
Updates bindings/pydeck/uv.lock so bleach moves from 6.1.0 to 6.4.0 on the Python ≥3.10 path (used transitively by nbconvert with the css extra). That release includes XSS fixes in URI/formaction sanitization.

The lock refresh also deduplicates several packages (single anyio, bleach, jsonpointer, etc.) and tightens many dependency markers to python_full_version >= '3.10'. For Python <3.10, resolution now pins older stacks—notably nbconvert 4.3.0, notebook 6.4.8 (drops nbclassic), and adds entrypoints—rather than the previous 6.x/7.x Jupyter pieces on those markers.

Reviewed by Cursor Bugbot for commit 85e056e. Bugbot is set up for automated code reviews on this repo. Configure here.

@dependabot
chore(deps): bump bleach from 6.1.0 to 6.4.0 in /bindings/pydeck
e0f60dd 
Bumps [bleach](https://github.com/mozilla/bleach) from 6.1.0 to 6.4.0.
- [Changelog](https://github.com/mozilla/bleach/blob/main/CHANGES)
- [Commits](mozilla/bleach@v6.1.0...v6.4.0)

---
updated-dependencies:
- dependency-name: bleach
  dependency-version: 6.4.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 20, 2026
@coveralls

coveralls commented Jun 20, 2026
edited
Loading

Copy link
Copy Markdown

Coverage Status

coverage: 83.109% (-0.004%) from 83.113% — dependabot/uv/bindings/pydeck/bleach-6.4.0 into master

cursor[bot]
cursor Bot reviewed Jun 29, 2026
View reviewed changes

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 85e056e. Configure here.

Comment thread bindings/pydeck/uv.lock
sdist = { url = "https://files.pythonhosted.org/packages/cb/4e/b4088742e3f8c47ed708b094a3ae98732d6b1f1b532d12d18fe06b544c12/nbconvert-4.3.0.tar.gz", hash = "sha256:d967ec588ffd1ad7336163f1ac8957a348b5c4bce4465632db4cf684ffe4b718", size = 377486, upload-time = "2016-12-14T00:48:12.257Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/cc/9a/cd673b2f773a12c992f41309ef81b99da1690426bd2f96957a7ade0d3ed7/nbconvert-7.16.6-py3-none-any.whl", hash = "sha256:1375a7b67e0c2883678c48e506dc320febb57685e5ee67faa51b18a90f3a712b", size = 258525, upload-time = "2025-01-28T09:29:12.551Z" },
{ url = "https://files.pythonhosted.org/packages/3a/35/fdd3aff03237027f6ed7c1692b1ca7c839e504ae19a5709ea63da2ae1c3a/nbconvert-4.3.0-py2.py3-none-any.whl", hash = "sha256:9428b7995d3fb418749a5356e368eae756a695b88f062770b067b777742146f8", size = 353859, upload-time = "2016-12-14T00:48:09.292Z" },

@cursor cursor Bot Jun 29, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Python 3.9 Jupyter stack downgraded

High Severity

After pinning bleach 6.4.0 for Python 3.10+, the lock resolves nbconvert 4.3.0 and notebook 6.4.8 for Python below 3.10 (including 3.9), instead of the prior 7.x stack. requires-python is still >=3.8, so 3.9 installs lose modern Jupyter/bleach sanitization and the security fixes this bump intended.

Additional Locations (2)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 85e056e. Configure here.

@chrisgervang chrisgervang added this to the pydeck 0.9.3 milestone Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments
@chrisgervang chrisgervang chrisgervang approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

pydeck 0.9.3

Development

Successfully merging this pull request may close these issues.

2 participants

@coveralls @chrisgervang