Update dependency lxml to v4.9.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
lxml (source, changelog)	==4.6.2 -> ==4.9.0

---

Release Notes

lxml/lxml

v4.9.0

Compare Source

==================

Bugs fixed

• GH#​341: The mixin inheritance order in lxml.html was corrected.
  Patch by xmo-odoo.

Other changes

• Built with Cython 0.29.30 to adapt to changes in Python 3.11 and 3.12.

• Wheels include zlib 1.2.12, libxml2 2.9.14 and libxslt 1.1.35
  (libxml2 2.9.12+ and libxslt 1.1.34 on Windows).

• GH#​343: Windows-AArch64 build support in Visual Studio.
  Patch by Steve Dower.

v4.8.0

Compare Source

==================

Features added

• GH#​337: Path-like objects are now supported throughout the API instead of just strings.
  Patch by Henning Janssen.

• The ElementMaker now supports QName values as tags, which always override
  the default namespace of the factory.

Bugs fixed

• GH#​338: In lxml.objectify, the XSI float annotation "nan" and "inf" were spelled in
  lower case, whereas XML Schema datatypes define them as "NaN" and "INF" respectively.
  Patch by Tobias Deiminger.

Other changes

• Built with Cython 0.29.28.

v4.7.1

Compare Source

==================

Features added

• Chunked Unicode string parsing via parser.feed() now encodes the input data
  to the native UTF-8 encoding directly, instead of going through Py_UNICODE /
  wchar_t encoding first, which previously required duplicate recoding in most cases.

Bugs fixed

• The standard namespace prefixes were mishandled during "C14N2" serialisation on Python 3.
  See https://mail.python.org/archives/list/[email protected]/thread/6ZFBHFOVHOS5GFDOAMPCT6HM5HZPWQ4Q/

• lxml.objectify previously accepted non-XML numbers with underscores (like "1_000")
  as integers or float values in Python 3.6 and later. It now adheres to the number
  format of the XML spec again.

• LP#​1939031: Static wheels of lxml now contain the header files of zlib and libiconv
  (in addition to the already provided headers of libxml2/libxslt/libexslt).

Other changes

• Wheels include libxml2 2.9.12+ and libxslt 1.1.34 (also on Windows).

v4.7.0

Compare Source

==================

• Release retracted due to missing files in lxml/includes/.

v4.6.5

Compare Source

==================

Bugs fixed

• A vulnerability (GHSL-2021-1038) in the HTML cleaner allowed sneaking script
  content through SVG images (CVE-2021-43818).

• A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed sneaking script
  content through CSS imports and other crafted constructs (CVE-2021-43818).

v4.6.4

Compare Source

==================

Features added

• GH#​317: A new property system_url was added to DTD entities.
  Patch by Thirdegree.

• GH#​314: The STATIC_* variables in setup.py can now be passed via env vars.
  Patch by Isaac Jurado.

v4.6.3

Compare Source

==================

Bugs fixed

• A vulnerability (CVE-2021-28957) was discovered in the HTML Cleaner by Kevin Chung,
  which allowed JavaScript to pass through. The cleaner now removes the HTML5
  formaction attribute.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by Mend Renovate. View repository job log here.