
chore(deps): bump justhtml from 0.40.0 to 1.12.0 #25

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/justhtml-1.12.0

Conversation

dependabot[bot] (Contributor) commented on behalf of github on Mar 18, 2026

Bumps justhtml from 0.40.0 to 1.12.0.

Release notes

Sourced from justhtml's releases.

Release v1.12.0

Security

  • (Severity: High) Markdown output now HTML-escapes text-node content before applying Markdown escaping, preventing attacker-controlled text such as <script> from turning into raw HTML when to_markdown() output is rendered.
  • (Severity: Moderate) Sanitization now hardens script and style raw-text content by neutralizing embedded closing-tag sequences and dropping non-text children, preventing sanitized DOM trees from serializing into breakout HTML.

Release v1.11.0

Added

  • Sanitization: Add SanitizationPolicy.strip_invisible_unicode to strip invisible Unicode used for obfuscation from text and attribute values before other sanitizer checks run.

Changed

  • Sanitization: strip_invisible_unicode is enabled by default and covers variation selectors, zero-width/bidi controls, and private-use characters.

Security

  • (Severity: Low) Harden sanitization against invisible-Unicode obfuscation in text, attributes, and URL-like values such as disguised javascript: schemes.

Release v1.10.0

Security

  • (Severity: Low) Harden JustHTML against denial-of-service from attacker-controlled deeply nested HTML. Parsing post-processing, deep cloning, pretty HTML serialization, and Markdown rendering now use iterative traversal instead of recursion, preventing RecursionError crashes on pathological nesting.

Release v1.9.1

Fixed

  • Serialization: Preserve literal text inside script and style elements during HTML serialization so round-trips do not turn raw text content like > or & into entity text.

Release v1.9.0

Added

  • Builder: Add justhtml.builder with explicit element(), text(), comment(), and doctype() factories for programmatic HTML construction.
  • Parser: Allow JustHTML(...) to accept built nodes directly and normalize them through the existing HTML5 parser.
  • Docs: Add a dedicated Building HTML guide and expand the API/README documentation around programmatic HTML generation.

Changed

  • Sanitization: Preserve doctypes by default in document mode.
  • Sanitization: Add <caption> to the default allowed tag set.
  • Typing: Normalize SanitizationPolicy.allowed_tags to frozenset[str], improving type safety when composing policies.

Fixed

  • Builder & Serialization: Preserve arbitrary doctype names and identifiers across build/serialize/parse round-trips.
  • Builder: Reject unsupported namespaces up front; builder namespaces are limited to HTML, SVG, and MathML.

Release v1.8.0

Added

  • CLI: Add --strict flag to fail with exit code 2 and print an error message on any parse error.

Release v1.7.0

Added

  • Selectors: Add query_one() on JustHTML and Node for retrieving the first match (or None).

Fixed

  • Packaging: Include py.typed in wheels for PEP 561 type hinting support.

Changed

... (truncated)

Changelog

Sourced from justhtml's changelog.

[1.12.0] - 2026-03-17

Security

  • (Severity: High) Markdown output now HTML-escapes text-node content before applying Markdown escaping, preventing attacker-controlled text such as <script> from turning into raw HTML when to_markdown() output is rendered.
  • (Severity: Moderate) Sanitization now hardens script and style raw-text content by neutralizing embedded closing-tag sequences and dropping non-text children, preventing sanitized DOM trees from serializing into breakout HTML.

[1.11.0] - 2026-03-15

Added

  • Sanitization: Add SanitizationPolicy.strip_invisible_unicode to strip invisible Unicode used for obfuscation from text and attribute values before other sanitizer checks run.

Changed

  • Sanitization: strip_invisible_unicode is enabled by default and covers variation selectors, zero-width/bidi controls, and private-use characters.

Security

  • (Severity: Low) Harden sanitization against invisible-Unicode obfuscation in text, attributes, and URL-like values such as disguised javascript: schemes.

[1.10.0] - 2026-03-15

Security

  • (Severity: Low) Harden JustHTML against denial-of-service from attacker-controlled deeply nested HTML. Parsing post-processing, deep cloning, pretty HTML serialization, and Markdown rendering now use iterative traversal instead of recursion, preventing RecursionError crashes on pathological nesting.

[1.9.1] - 2026-03-10

Fixed

  • Serialization: Preserve literal text inside script and style elements during HTML serialization so round-trips do not turn raw text content like > or & into entity text.

[1.9.0] - 2026-03-08

Added

  • Builder: Add justhtml.builder with explicit element(), text(), comment(), and doctype() factories for programmatic HTML construction.
  • Parser: Allow JustHTML(...) to accept built nodes directly and normalize them through the existing HTML5 parser.
  • Docs: Add a dedicated Building HTML guide and expand the API/README documentation around programmatic HTML generation.

Changed

  • Sanitization: Preserve doctypes by default in document mode.
  • Sanitization: Add <caption> to the default allowed tag set.
  • Typing: Normalize SanitizationPolicy.allowed_tags to frozenset[str], improving type safety when composing policies.

Fixed

  • Builder & Serialization: Preserve arbitrary doctype names and identifiers across build/serialize/parse round-trips.
  • Builder: Reject unsupported namespaces up front; builder namespaces are limited to HTML, SVG, and MathML.

[1.8.0] - 2026-03-05

Added

  • CLI: Add --strict flag to fail with exit code 2 and print an error message on any parse error.

[1.7.0] - 2026-02-08

... (truncated)

Commits
  • c518565 Release v1.12.0
  • 1786471 chore: Update changelog for version 1.12.0 with new security enhancements
  • bd2ddd9 security: Enhance sanitization to neutralize raw text end tag sequences and d...
  • 23c1882 security: to_markdown() does not HTML-escape text-node content, so text that ...
  • 1604105 Release v1.11.0
  • 4107f3d chore: Update changelog for version 1.11.0 with new sanitization features and...
  • 014c62a feat: Add support for stripping invisible Unicode to prevent obfuscation in s...
  • 5095a05 Release v1.10.0
  • fd2abec security: Document iterative traversal implementation to prevent denial-of-se...
  • 9226fd0 security: Implement non-recursive handling for deeply nested nodes in seriali...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [justhtml](https://github.com/emilstenstrom/justhtml) from 0.40.0 to 1.12.0.
- [Release notes](https://github.com/emilstenstrom/justhtml/releases)
- [Changelog](https://github.com/EmilStenstrom/justhtml/blob/main/CHANGELOG.md)
- [Commits](EmilStenstrom/justhtml@v0.40.0...v1.12.0)

---
updated-dependencies:
- dependency-name: justhtml
  dependency-version: 1.12.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
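To see what the two 1.12.0 security entries guard against, here is a toy model of both bugs, added as an example and not justhtml's own code. The Node class, the *_vulnerable/*_hardened functions, the sample inputs and the `<\/` neutralization strategy are this example's assumptions (the release notes do not say how justhtml itself neutralizes the end-tag sequence); the only real APIs used are html.escape and html.parser from the standard library, whose re-parse stands in for what a browser, or a Markdown renderer passing raw inline HTML through, would see.

```python
"""Toy model of the two serialization fixes in justhtml 1.12.0 (added example,
not justhtml code). Only html.escape and html.parser are real library APIs;
everything else is constructed here."""
from __future__ import annotations

import html
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

RAW_TEXT_ELEMENTS = frozenset({"script", "style"})


@dataclass
class Node:
    name: str | None                    # None marks a text node
    text: str = ""
    children: list = field(default_factory=list)


# --- 1. to_markdown(): text nodes need HTML escaping, not only Markdown escaping.
_MD_SPECIAL = re.compile(r"([\\`*_\[\]#])")


def md_escape(text: str) -> str:
    """Backslash-escape Markdown metacharacters; '<' and '>' are left alone."""
    return _MD_SPECIAL.sub(r"\\\1", text)


def to_markdown_vulnerable(node: Node) -> str:
    if node.name is None:
        return md_escape(node.text)         # '<script>' survives verbatim
    return "".join(to_markdown_vulnerable(c) for c in node.children)


def to_markdown_hardened(node: Node) -> str:
    # HTML-escape the text first, then Markdown-escape it. CommonMark renderers
    # pass raw inline HTML through, so an unescaped '<' becomes live markup.
    if node.name is None:
        return md_escape(html.escape(node.text, quote=False))
    return "".join(to_markdown_hardened(c) for c in node.children)


# --- 2. <script>/<style> raw text: an embedded '</style' ends the element early.
def serialize_vulnerable(node: Node) -> str:
    if node.name is None:
        return html.escape(node.text, quote=False)
    if node.name in RAW_TEXT_ELEMENTS:
        # Raw text is emitted literally (no entity escaping, cf. 1.9.1), and
        # non-text children are serialized into it as if they were markup.
        inner = "".join(c.text if c.name is None else serialize_vulnerable(c)
                        for c in node.children)
    else:
        inner = "".join(serialize_vulnerable(c) for c in node.children)
    return f"<{node.name}>{inner}</{node.name}>"


def neutralize_end_tag(text: str, name: str) -> str:
    """Break every '</name' sequence (any case) so no tokenizer sees an end tag.
    Assumed strategy: '<\\/' is a valid escape inside JS and CSS strings."""
    return re.sub(rf"</(?={re.escape(name)})", r"<\\/", text, flags=re.IGNORECASE)


def serialize_hardened(node: Node) -> str:
    if node.name is None:
        return html.escape(node.text, quote=False)
    if node.name in RAW_TEXT_ELEMENTS:
        # Keep only text children, then neutralize embedded closing-tag sequences.
        raw = "".join(c.text for c in node.children if c.name is None)
        inner = neutralize_end_tag(raw, node.name)
    else:
        inner = "".join(serialize_hardened(c) for c in node.children)
    return f"<{node.name}>{inner}</{node.name}>"


# --- Check: re-parse the output as a browser would and list the start tags.
class _StartTags(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def start_tags(markup: str) -> list[str]:
    p = _StartTags()
    p.feed(markup)
    p.close()
    return p.tags


# Constructed attacker-controlled inputs (not taken from the release notes).
MD_DOC = Node("p", children=[Node(None, "<script>alert(1)</script> *hi*")])
STYLE_DOC = Node("div", children=[Node("style", children=[
    Node(None, "a{color:red}</STYLE><script>alert(1)</script>"),
    Node("b", children=[Node(None, "smuggled element")]),
])])

if __name__ == "__main__":
    for label, fn, doc in [("markdown, vulnerable", to_markdown_vulnerable, MD_DOC),
                           ("markdown, hardened", to_markdown_hardened, MD_DOC),
                           ("html, vulnerable", serialize_vulnerable, STYLE_DOC),
                           ("html, hardened", serialize_hardened, STYLE_DOC)]:
        out = fn(doc)
        print(f"{label}: {out!r}\n  start tags after re-parse: {start_tags(out)}")
```

The vulnerable Markdown path emits `<script>` as-is, and the vulnerable serializer lets an embedded `</STYLE>` (end tags are case-insensitive) close the element early, so the re-parse reports a `script` start tag in both cases and none for the hardened outputs. When reviewing this bump, the call sites that matter are any that hand to_markdown() output to a Markdown renderer, and any sanitization policy that allows script or style through.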
@dependabot dependabot bot added dependencies Dependency updates python Python ecosystem updates labels Mar 18, 2026
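The 1.11.0 entry (invisible-Unicode obfuscation, including disguised javascript: schemes), as an added example that is not justhtml code: the categories and ranges treated as invisible, the scheme allow-list, the check order and the sample values are this example's assumptions, chosen to match the changelog's list (variation selectors, zero-width/bidi controls, private-use characters).

```python
"""Strip invisible Unicode before a URL scheme check, modelling the 1.11.0
strip_invisible_unicode behaviour. Added example, not justhtml code: the
category/range choices, the scheme allow-list and the inputs are assumptions."""
from __future__ import annotations

import re
import unicodedata

SAFE_SCHEMES = frozenset({"http", "https", "mailto"})
# A URL scheme per the WHATWG URL standard: ASCII letter, then letters/digits/+-.
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def is_invisible(ch: str) -> bool:
    """Zero-width/bidi controls (Cf), private-use (Co) and variation selectors
    (category Mn, but in fixed ranges) render as nothing and defeat string checks."""
    cp = ord(ch)
    return (unicodedata.category(ch) in ("Cf", "Co")
            or 0xFE00 <= cp <= 0xFE0F          # variation selectors
            or 0xE0100 <= cp <= 0xE01EF        # variation selector supplement
            or 0x180B <= cp <= 0x180D)         # Mongolian free variation selectors


def strip_invisible(value: str) -> str:
    return "".join(ch for ch in value if not is_invisible(ch))


def url_scheme(value: str) -> str | None:
    """Return the lower-cased scheme, or None when the value parses as relative.
    Leading C0/space is trimmed and ASCII tab/newline removed, as browsers do."""
    v = value.lstrip(" \t\n\r\f").translate({9: None, 10: None, 13: None})
    m = _SCHEME.match(v)
    return m.group(0)[:-1].lower() if m else None


def classify_href(value: str, strip: bool = True) -> str:
    """'allowed' or 'rejected'. With strip=False the check sees 'java<ZWSP>script:'
    as scheme-less (relative) and lets it through; stripping first exposes it."""
    if strip:
        value = strip_invisible(value)      # must run before any other check
    scheme = url_scheme(value)
    if scheme is None or scheme in SAFE_SCHEMES:
        return "allowed"
    return "rejected"


# Constructed samples: (description, attribute value). All but the last are
# javascript: URLs in disguise.
SAMPLES = [
    ("plain", "javascript:alert(1)"),
    ("zero-width space", "java\u200bscript:alert(1)"),
    ("bidi override + ZWJ", "\u202ejava\u200dscript:alert(1)"),
    ("variation selector", "javas\ufe0fcript:alert(1)"),
    ("private use", "java\U000f0000script:alert(1)"),
    ("benign", "https://example.com/?q=a\u200bb"),
]

if __name__ == "__main__":
    for desc, value in SAMPLES:
        print(f"{desc:22} naive={classify_href(value, strip=False):8} "
              f"stripped={classify_href(value):8} -> {strip_invisible(value)!r}")
```

The naive check never finds a scheme in `java<U+200B>script:` and classifies the value as a relative URL, which is exactly how a scheme allow-list passes it; the same value with the zero-width space removed is rejected. Running the strip before the other checks means the scheme check, deny-lists and allow-lists all see the same cleaned string, so a value cannot pass here as "no scheme" and read as javascript: to a later consumer that normalizes differently.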
dependabot[bot] (Contributor, Author) commented on behalf of github on Mar 24, 2026

Superseded by #27.

@dependabot dependabot bot closed this Mar 24, 2026
@dependabot dependabot bot deleted the dependabot/uv/justhtml-1.12.0 branch March 24, 2026 19:23
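The 1.10.0 entry (denial of service through attacker-controlled nesting depth) as an added example that is not justhtml code: a recursive serializer beside the iterative one the changelog describes, run over a constructed document nested deeper than the interpreter's frame limit. Node, nested(), both serializers and DEEP_DEPTH are this example's assumptions.

```python
"""Recursive versus iterative traversal on attacker-chosen nesting depth,
modelling the 1.10.0 denial-of-service hardening. Added example, not justhtml
code: Node, nested() and the serializers are constructed here."""
from __future__ import annotations

import sys
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    children: list = field(default_factory=list)


def nested(depth: int) -> Node:
    """Constructed input: <div> nested `depth` levels deep, one child per level."""
    root = cur = Node("div")
    for _ in range(depth - 1):
        cur.children.append(Node("div"))
        cur = cur.children[0]
    return root


def serialize_recursive(node: Node) -> str:
    """One Python frame per level (two, counting the generator): depth beyond
    sys.getrecursionlimit() raises RecursionError and takes the request down."""
    inner = "".join(serialize_recursive(c) for c in node.children)
    return f"<{node.name}>{inner}</{node.name}>"


def serialize_iterative(node: Node) -> str:
    """Explicit stack of (node, closing) pairs: memory grows with depth, the
    call stack does not. Children are pushed reversed so output order is kept."""
    out, stack = [], [(node, False)]
    while stack:
        n, closing = stack.pop()
        if closing:
            out.append(f"</{n.name}>")
            continue
        out.append(f"<{n.name}>")
        stack.append((n, True))
        stack.extend((c, False) for c in reversed(n.children))
    return "".join(out)


def _output_length(fn, doc: Node) -> int | None:
    """Length of fn(doc), or None when the traversal blew the frame limit."""
    try:
        return len(fn(doc))
    except RecursionError:
        return None


def compare(depth: int) -> tuple[int | None, int | None]:
    """(recursive result length, iterative result length) for a document
    of the given depth; None marks a RecursionError."""
    doc = nested(depth)
    return _output_length(serialize_recursive, doc), _output_length(serialize_iterative, doc)


DEEP_DEPTH = sys.getrecursionlimit() + 500    # comfortably past the frame limit

if __name__ == "__main__":
    print("depth 3:", compare(3))
    print(f"depth {DEEP_DEPTH}:", compare(DEEP_DEPTH))
```

Recursion turns a size the attacker controls (nesting depth) into interpreter frames, and the resulting RecursionError surfaces as a failed request or a dead worker; the explicit stack turns the same input into ordinary heap growth that request-size limits already bound. The change has to be made in every traversal, which is why the changelog lists parsing post-processing, deep cloning, pretty serialization and Markdown rendering together: one recursive path left behind is the one that gets hit.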