
chore(deps): bump justhtml from 0.40.0 to 1.13.0#27

Merged
pankaj28843 merged 1 commit into main from dependabot/uv/justhtml-1.13.0 on Mar 25, 2026

Conversation


@dependabot dependabot bot commented on behalf of github Mar 24, 2026

Bumps justhtml from 0.40.0 to 1.13.0.

Release notes

Sourced from justhtml's releases.

Release v1.13.0

Security

  • (Severity: High): Harden fenced code generation in to_markdown() by choosing backtick delimiters longer than any run inside <pre> content, preventing attacker-controlled backticks from breaking out of code blocks and exposing raw HTML to downstream Markdown renderers.
  • (Severity: Low): Treat text that starts at the beginning of a rendered Markdown line as text, not block syntax, by escaping line-leading headings, blockquotes, list markers, thematic breaks, setext underlines, and fenced-code delimiters from untrusted HTML content.

Release v1.12.0

Security

  • (Severity: High) Markdown output now HTML-escapes text-node content before applying Markdown escaping, preventing attacker-controlled text such as <script> from turning into raw HTML when to_markdown() output is rendered.
  • (Severity: Moderate) Sanitization now hardens script and style raw-text content by neutralizing embedded closing-tag sequences and dropping non-text children, preventing sanitized DOM trees from serializing into breakout HTML.

Release v1.11.0

Added

  • Sanitization: Add SanitizationPolicy.strip_invisible_unicode to strip invisible Unicode used for obfuscation from text and attribute values before other sanitizer checks run.

Changed

  • Sanitization: strip_invisible_unicode is enabled by default and covers variation selectors, zero-width/bidi controls, and private-use characters.

Security

  • (Severity: Low) Harden sanitization against invisible-Unicode obfuscation in text, attributes, and URL-like values such as disguised javascript: schemes.

Release v1.10.0

Security

  • (Severity: Low) Harden JustHTML against denial-of-service from attacker-controlled deeply nested HTML. Parsing post-processing, deep cloning, pretty HTML serialization, and Markdown rendering now use iterative traversal instead of recursion, preventing RecursionError crashes on pathological nesting.

Release v1.9.1

Fixed

  • Serialization: Preserve literal text inside script and style elements during HTML serialization so round-trips do not turn raw text content like > or & into entity text.

Release v1.9.0

Added

  • Builder: Add justhtml.builder with explicit element(), text(), comment(), and doctype() factories for programmatic HTML construction.
  • Parser: Allow JustHTML(...) to accept built nodes directly and normalize them through the existing HTML5 parser.
  • Docs: Add a dedicated Building HTML guide and expand the API/README documentation around programmatic HTML generation.

Changed

  • Sanitization: Preserve doctypes by default in document mode.
  • Sanitization: Add <caption> to the default allowed tag set.
  • Typing: Normalize SanitizationPolicy.allowed_tags to frozenset[str], improving type safety when composing policies.

Fixed

  • Builder & Serialization: Preserve arbitrary doctype names and identifiers across build/serialize/parse round-trips.
  • Builder: Reject unsupported namespaces up front; builder namespaces are limited to HTML, SVG, and MathML.

Release v1.8.0

Added

  • CLI: Add --strict flag to fail with exit code 2 and print an error message on any parse error.

Release v1.7.0

Added

  • Selectors: Add query_one() on JustHTML and Node for retrieving the first match (or None).

... (truncated)

Changelog

Sourced from justhtml's changelog.

[1.13.0] - 2026-03-21

Security

  • (Severity: High): Harden fenced code generation in to_markdown() by choosing backtick delimiters longer than any run inside <pre> content, preventing attacker-controlled backticks from breaking out of code blocks and exposing raw HTML to downstream Markdown renderers.
  • (Severity: Low): Treat text that starts at the beginning of a rendered Markdown line as text, not block syntax, by escaping line-leading headings, blockquotes, list markers, thematic breaks, setext underlines, and fenced-code delimiters from untrusted HTML content.

[1.12.0] - 2026-03-17

Security

  • (Severity: High) Markdown output now HTML-escapes text-node content before applying Markdown escaping, preventing attacker-controlled text such as <script> from turning into raw HTML when to_markdown() output is rendered.
  • (Severity: Moderate) Sanitization now hardens script and style raw-text content by neutralizing embedded closing-tag sequences and dropping non-text children, preventing sanitized DOM trees from serializing into breakout HTML.

[1.11.0] - 2026-03-15

Added

  • Sanitization: Add SanitizationPolicy.strip_invisible_unicode to strip invisible Unicode used for obfuscation from text and attribute values before other sanitizer checks run.

Changed

  • Sanitization: strip_invisible_unicode is enabled by default and covers variation selectors, zero-width/bidi controls, and private-use characters.

Security

  • (Severity: Low) Harden sanitization against invisible-Unicode obfuscation in text, attributes, and URL-like values such as disguised javascript: schemes.

[1.10.0] - 2026-03-15

Security

  • (Severity: Low) Harden JustHTML against denial-of-service from attacker-controlled deeply nested HTML. Parsing post-processing, deep cloning, pretty HTML serialization, and Markdown rendering now use iterative traversal instead of recursion, preventing RecursionError crashes on pathological nesting.

[1.9.1] - 2026-03-10

Fixed

  • Serialization: Preserve literal text inside script and style elements during HTML serialization so round-trips do not turn raw text content like > or & into entity text.

[1.9.0] - 2026-03-08

Added

  • Builder: Add justhtml.builder with explicit element(), text(), comment(), and doctype() factories for programmatic HTML construction.
  • Parser: Allow JustHTML(...) to accept built nodes directly and normalize them through the existing HTML5 parser.
  • Docs: Add a dedicated Building HTML guide and expand the API/README documentation around programmatic HTML generation.

Changed

  • Sanitization: Preserve doctypes by default in document mode.
  • Sanitization: Add <caption> to the default allowed tag set.
  • Typing: Normalize SanitizationPolicy.allowed_tags to frozenset[str], improving type safety when composing policies.

Fixed

  • Builder & Serialization: Preserve arbitrary doctype names and identifiers across build/serialize/parse round-trips.
  • Builder: Reject unsupported namespaces up front; builder namespaces are limited to HTML, SVG, and MathML.

[1.8.0] - 2026-03-05

... (truncated)

Commits
  • 044fb58 Release v1.13.0
  • 59b5691 chore: Update changelog for version 1.13.0 with new security enhancements
  • 7f038d9 security: Treat HTML with embedded markdown as text, not markdown.
  • f35f8f7 security: Improve markdown code span and backtick fence handling
  • c518565 Release v1.12.0
  • 1786471 chore: Update changelog for version 1.12.0 with new security enhancements
  • bd2ddd9 security: Enhance sanitization to neutralize raw text end tag sequences and d...
  • 23c1882 security: to_markdown() does not HTML-escape text-node content, so text that ...
  • 1604105 Release v1.11.0
  • 4107f3d chore: Update changelog for version 1.11.0 with new sanitization features and...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.
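The v1.12.0 and v1.13.0 to_markdown() hardenings quoted in the release notes above, re-implemented on plain strings as an added example (this is not justhtml's code; the function names, regexes and the naive "before" renderer are assumptions for illustration):

```python
import html
import re

# Characters CommonMark treats specially anywhere inside a line.
_INLINE_SPECIALS = re.compile(r"([\\`*_\[\]])")
# Block syntax that only bites at line start (up to 3 spaces of indent):
# ATX headings, list markers, thematic breaks / setext underlines, ~~~ fences.
_LINE_LEADING = re.compile(r"^( {0,3})(#|[-+=~]|\d{1,9}[.)])", re.MULTILINE)

def _escape_leader(m: re.Match) -> str:
    indent, marker = m.group(1), m.group(2)
    if marker[0].isdigit():  # "1." -> "1\." (digits cannot be backslash-escaped)
        return f"{indent}{marker[:-1]}\\{marker[-1]}"
    return f"{indent}\\{marker}"

def escape_text(text: str) -> str:
    """v1.12.0 order: HTML-escape first so '<script>' can never reach the renderer
    as a tag, then neutralise inline and line-leading Markdown syntax."""
    out = html.escape(text, quote=False)
    out = _INLINE_SPECIALS.sub(r"\\\1", out)
    return _LINE_LEADING.sub(_escape_leader, out)

def fence_for(code: str) -> str:
    """v1.13.0 rule: pick a fence strictly longer than any backtick run in the
    content. CommonMark closes a fence only on a run at least as long as the
    opener, so the content can then never terminate the block early."""
    longest = max((len(r) for r in re.findall(r"`+", code)), default=0)
    return "`" * max(3, longest + 1)

def render_pre_naive(code: str) -> str:
    # Pre-1.13.0 behaviour, kept for comparison: a fixed ``` fence regardless of content.
    return "```\n" + code.rstrip("\n") + "\n```\n"

def render_pre(code: str) -> str:
    fence = fence_for(code)
    return fence + "\n" + code.rstrip("\n") + "\n" + fence + "\n"

def body_can_close_fence(rendered: str) -> bool:
    """Does any body line of a rendered block form a closing fence, i.e. a
    backtick run at least as long as the opener with nothing else on the line?"""
    lines = rendered.splitlines()
    fence_len = len(lines[0])
    for line in lines[1:-1]:
        s = line.lstrip(" ")
        run = len(s) - len(s.lstrip("`"))
        if run >= fence_len and not s[run:].strip():
            return True
    return False
```

Running body_can_close_fence over both renderers on the same <pre> content shows why the fixed fence was rated High: the naive output can be terminated by its own body, the length-adaptive one cannot.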

@dependabot dependabot bot added dependencies Dependency updates python Python ecosystem updates labels Mar 24, 2026
@pankaj28843 pankaj28843 force-pushed the dependabot/uv/justhtml-1.13.0 branch from b162e1d to 8d59222 Compare March 25, 2026 09:20

codecov bot commented Mar 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.61%. Comparing base (85153e5) to head (8479f61).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #27   +/-   ##
=======================================
  Coverage   99.61%   99.61%           
=======================================
  Files          31       31           
  Lines        3637     3637           
  Branches      509      509           
=======================================
  Hits         3623     3623           
  Misses          6        6           
  Partials        8        8           


Bumps [justhtml](https://github.com/emilstenstrom/justhtml) from 0.40.0 to 1.13.0.
- [Release notes](https://github.com/emilstenstrom/justhtml/releases)
- [Changelog](https://github.com/EmilStenstrom/justhtml/blob/main/CHANGELOG.md)
- [Commits](EmilStenstrom/justhtml@v0.40.0...v1.13.0)

---
updated-dependencies:
- dependency-name: justhtml
  dependency-version: 1.13.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@pankaj28843 pankaj28843 force-pushed the dependabot/uv/justhtml-1.13.0 branch from 8d59222 to 8479f61 Compare March 25, 2026 09:27
@pankaj28843 pankaj28843 merged commit 30ceec5 into main Mar 25, 2026
18 checks passed
@pankaj28843 pankaj28843 deleted the dependabot/uv/justhtml-1.13.0 branch March 25, 2026 09:29