
chore(deps): bump justhtml from 0.40.0 to 1.10.0 #24

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/justhtml-1.10.0


@dependabot dependabot bot commented on behalf of github Mar 17, 2026

Bumps justhtml from 0.40.0 to 1.10.0.

Release notes

Sourced from justhtml's releases.

Release v1.10.0

Security

  • (Severity: Low) Harden JustHTML against denial-of-service from attacker-controlled deeply nested HTML. Parsing post-processing, deep cloning, pretty HTML serialization, and Markdown rendering now use iterative traversal instead of recursion, preventing RecursionError crashes on pathological nesting.

Release v1.9.1

Fixed

  • Serialization: Preserve literal text inside script and style elements during HTML serialization so round-trips do not turn raw text content like > or & into entity text.

Release v1.9.0

Added

  • Builder: Add justhtml.builder with explicit element(), text(), comment(), and doctype() factories for programmatic HTML construction.
  • Parser: Allow JustHTML(...) to accept built nodes directly and normalize them through the existing HTML5 parser.
  • Docs: Add a dedicated Building HTML guide and expand the API/README documentation around programmatic HTML generation.

Changed

  • Sanitization: Preserve doctypes by default in document mode.
  • Sanitization: Add <caption> to the default allowed tag set.
  • Typing: Normalize SanitizationPolicy.allowed_tags to frozenset[str], improving type safety when composing policies.

Fixed

  • Builder & Serialization: Preserve arbitrary doctype names and identifiers across build/serialize/parse round-trips.
  • Builder: Reject unsupported namespaces up front; builder namespaces are limited to HTML, SVG, and MathML.

Release v1.8.0

Added

  • CLI: Add --strict flag to fail with exit code 2 and print an error message on any parse error.

Release v1.7.0

Added

  • Selectors: Add query_one() on JustHTML and Node for retrieving the first match (or None).

Fixed

  • Packaging: Include py.typed in wheels for PEP 561 type hinting support.

Changed

  • Performance: ~9% faster JustHTML(...).to_html(pretty=False) than 1.6.0 on the web100k justhtml_to_html benchmark (200 files x 3 iterations): 7.244s -> 6.571s (median).
  • Performance: Multiple internal speedups in serializer, tokenizer, tree builder, and transforms for lower per-document overhead.

Docs

  • Expand API and selector documentation (including performance notes).

Release v1.6.0

Added

  • Text extraction: Add separator_blocks_only to to_text() (and CLI --separator-blocks-only) to only apply separator between block-level elements.

Changed

  • Transforms: Improve performance of URL attribute handling and comment sanitization when applying DOM transforms.

Release v1.5.0

Added

... (truncated)

Changelog

Sourced from justhtml's changelog.

[1.10.0] - 2026-03-15

Security

  • (Severity: Low) Harden JustHTML against denial-of-service from attacker-controlled deeply nested HTML. Parsing post-processing, deep cloning, pretty HTML serialization, and Markdown rendering now use iterative traversal instead of recursion, preventing RecursionError crashes on pathological nesting.

[1.9.1] - 2026-03-10

Fixed

  • Serialization: Preserve literal text inside script and style elements during HTML serialization so round-trips do not turn raw text content like > or & into entity text.

[1.9.0] - 2026-03-08

Added

  • Builder: Add justhtml.builder with explicit element(), text(), comment(), and doctype() factories for programmatic HTML construction.
  • Parser: Allow JustHTML(...) to accept built nodes directly and normalize them through the existing HTML5 parser.
  • Docs: Add a dedicated Building HTML guide and expand the API/README documentation around programmatic HTML generation.

Changed

  • Sanitization: Preserve doctypes by default in document mode.
  • Sanitization: Add <caption> to the default allowed tag set.
  • Typing: Normalize SanitizationPolicy.allowed_tags to frozenset[str], improving type safety when composing policies.

Fixed

  • Builder & Serialization: Preserve arbitrary doctype names and identifiers across build/serialize/parse round-trips.
  • Builder: Reject unsupported namespaces up front; builder namespaces are limited to HTML, SVG, and MathML.

[1.8.0] - 2026-03-05

Added

  • CLI: Add --strict flag to fail with exit code 2 and print an error message on any parse error.

[1.7.0] - 2026-02-08

Added

  • Selectors: Add query_one() on JustHTML and Node for retrieving the first match (or None).

Fixed

  • Packaging: Include py.typed in wheels for PEP 561 type hinting support.

Changed

  • Performance: ~9% faster JustHTML(...).to_html(pretty=False) than 1.6.0 on the web100k justhtml_to_html benchmark (200 files x 3 iterations): 7.244s -> 6.571s (median).
  • Performance: Multiple internal speedups in serializer, tokenizer, tree builder, and transforms for lower per-document overhead.

Docs

  • Expand API and selector documentation (including performance notes).

[1.6.0] - 2026-02-06

Added

  • Text extraction: Add separator_blocks_only to to_text() (and CLI --separator-blocks-only) to only apply separator between block-level elements.

... (truncated)

Commits
  • 5095a05 Release v1.10.0
  • fd2abec security: Document iterative traversal implementation to prevent denial-of-se...
  • 9226fd0 security: Implement non-recursive handling for deeply nested nodes in seriali...
  • a60467d security: implement iterative cloning for deep trees in Node and Document cla...
  • a866b60 Release v1.9.1
  • 3384b8f fix: update CHANGELOG for version 1.9.1 to document serialization fix for <sc...
  • 7b43ce7 feat: enhance text serialization for <script> and <style> elements to preserv...
  • 66897e3 Release v1.9.0
  • 8567f10 chore: update CHANGELOG for version 1.9.0 with new features, changes, and fixes
  • 7347c18 docs: update README to enhance clarity and add new features overview
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.
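
The v1.10.0 security entry quoted above replaces recursive tree traversal with iterative traversal so that deeply nested input cannot raise RecursionError. The sketch below is an added example, not code from justhtml or from this PR: `Node`, `build_nested` and both serializers are hypothetical stand-ins, and the nested tree is constructed input.

```python
# Added illustration; Node and both serializers are hypothetical, not justhtml's API.
import sys

DEPTH = sys.getrecursionlimit() * 4  # constructed nesting depth, well past the limit


class Node:
    def __init__(self, tag, text=""):
        self.tag = tag
        self.text = text
        self.children = []


def build_nested(depth):
    """Constructed input: <div> nested `depth` levels around one text leaf."""
    root = current = Node("div")
    for _ in range(depth - 1):
        child = Node("div")
        current.children.append(child)
        current = child
    current.text = "x"
    return root


def serialize_recursive(node):
    # One Python frame per nesting level, so depth is capped by the recursion limit.
    inner = node.text + "".join(serialize_recursive(c) for c in node.children)
    return f"<{node.tag}>{inner}</{node.tag}>"


def serialize_iterative(root):
    # Explicit heap-allocated stack, so depth is bounded only by available memory.
    out = []
    stack = [(root, False)]
    while stack:
        node, closing = stack.pop()
        if closing:
            out.append(f"</{node.tag}>")
            continue
        out.append(f"<{node.tag}>{node.text}")
        stack.append((node, True))  # emit the end tag after all children
        stack.extend((c, False) for c in reversed(node.children))  # document order
    return "".join(out)


def recursive_crashes(depth):
    """True if the recursive serializer raises RecursionError at this depth."""
    try:
        serialize_recursive(build_nested(depth))
    except RecursionError:
        return True
    return False
```
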

Bumps [justhtml](https://github.com/emilstenstrom/justhtml) from 0.40.0 to 1.10.0.
- [Release notes](https://github.com/emilstenstrom/justhtml/releases)
- [Changelog](https://github.com/EmilStenstrom/justhtml/blob/main/CHANGELOG.md)
- [Commits](EmilStenstrom/justhtml@v0.40.0...v1.10.0)

---
updated-dependencies:
- dependency-name: justhtml
  dependency-version: 1.10.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Dependency updates) and python (Python ecosystem updates) labels Mar 17, 2026
dependabot bot commented on behalf of github Mar 18, 2026

Superseded by #25.

@dependabot dependabot bot closed this Mar 18, 2026
@dependabot dependabot bot deleted the dependabot/uv/justhtml-1.10.0 branch March 18, 2026 20:31