security: pin lxml >=6.1.0 to fix CVE-2026-41066 #2218

Merged
MikaKerman merged 1 commit into master from fix/pin-lxml-minimum-version
Apr 27, 2026

Conversation

@MikaKerman (Contributor) commented Apr 27, 2026

Summary

  • Pin lxml >= 6.1.0 to resolve the last remaining high-severity Dependabot alert (CVE-2026-41066 — XXE via default iterparse() / ETCompatXMLParser() config)
  • Follow-up to security: fix 7 high/critical Dependabot alerts #2216 which cleared 6 of 7 alerts by removing dbt-fabricspark/dbt-vertica; this one needed an explicit pin since Dependabot still resolved lxml to a vulnerable version

Test plan

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Added lxml as a project dependency.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions (Contributor) commented

👋 @MikaKerman
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in this pull request.

@coderabbitai Bot commented Apr 27, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits: reviewing files that changed from the base of the PR and between 9d9b61e and 442e053.

📒 Files selected for processing (1)
  • pyproject.toml

📝 Walkthrough

The pull request adds lxml as a project dependency with a minimum version constraint of >=6.1.0 in the pyproject.toml file, expanding the Poetry dependency configuration.

Changes

Cohort / File(s)                      Summary
Dependency Addition (pyproject.toml)  Added lxml >=6.1.0 to the Poetry dependencies in [tool.poetry.dependencies].

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 Whiskers twitch with glee so bright,
A dependency now added just right!
LXML joins our merry crew,
Version six-point-one will do!
Our project grows with every hop! 🌱

🚥 Pre-merge checks: ✅ 5 passed
  • Description Check (Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (Passed): The title clearly and concisely summarizes the main change: pinning lxml to version >=6.1.0 to address a specific security vulnerability (CVE-2026-41066).
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.

@MikaKerman MikaKerman merged commit 046fb47 into master Apr 27, 2026
13 of 27 checks passed
@MikaKerman MikaKerman deleted the fix/pin-lxml-minimum-version branch April 27, 2026 07:54