@dependabot dependabot bot commented on behalf of github Sep 5, 2025

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


Bumps the python-packages group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| beautifulsoup4 | 4.7.1 | 4.13.5 |
| lxml | 6.0.0 | 6.0.1 |
| xmltodict | 0.11.0 | 0.15.0 |
| pyinstaller | 6.14.2 | 6.15.0 |
| pymupdf | 1.26.3 | 1.26.4 |
| markdown | 3.8.2 | 3.9 |

Updates beautifulsoup4 from 4.7.1 to 4.13.5

Updates lxml from 6.0.0 to 6.0.1

Changelog

Sourced from lxml's changelog.

6.0.1 (2025-08-22)

Bugs fixed

  • LP#2116333: lxml.sax._getNsTag() could fail with an exception on malformed input.

  • GH#467: Some test adaptations were made for libxml2 2.15. Patch by Nick Wellnhofer.

  • LP2119510, GH#473: A Python compatibility test was fixed for Python 3.14+. Patch by Lumír Balhar.

  • GH#471: Wheels for "riscv64" on recent Python versions were added. Patch by ffgan.

  • GH#469: The wheel build no longer requires the wheel package unconditionally. Patch by Miro Hrončok.

  • Binary wheels use the library version libxml2 2.14.5.

  • Windows binary wheels continue to use a security patched library version libxml2 2.11.9.

Commits
  • 5aca07d Prepare release of lxml 6.0.1.
  • f0e555a Build: Add Py3.14 also to tox.ini.
  • afc745a Update changelog.
  • 25242c6 Build: Add "riscv64" wheels for Py3.12+.
  • 457c564 Build: Mark Py3.14 as officially supported.
  • 66a3cc3 Remove Py2 test code.
  • 6e88838 CI: Fix version usage in cache keys.
  • fe5df46 Build: bump the github-actions group across 1 directory with 3 updates (#476)
  • 9177121 CI: Configure library versions centrally in pyproject.toml to prevent build t...
  • 525c6b9 Build: Separate libs cache by CPU architecture.
  • Additional commits viewable in compare view

Updates xmltodict from 0.11.0 to 0.15.0

Changelog

Sourced from xmltodict's changelog.

v0.15.0

  • Security: Prevent XML injection (CVE-2025-9375) by rejecting '<'/'>' in element and attribute names (including @xmlns prefixes) during unparse. This limits validation to avoiding tag-context escapes; attribute values continue to be escaped by the SAX XMLGenerator. Advisory: https://fluidattacks.com/advisories/mono

v0.14.2

  • Revert "Ensure significant whitespace is not trimmed"
    • This change was backwards incompatible and caused downstream issues.

v0.14.1

v0.14.0

  • Drop old Python 2 support leftover code and apply several RUFF code health fixes.
  • Add Python 3.11, 3.12 and 3.13 support and tests.
  • Tests in gh-action.
  • Remove defusedexpat import.
  • Replace deprecated BadZipfile with BadZipFile.
  • Support indent using integer format, enable python -m unittest tests/*.py.
  • Ensure significant whitespace is not trimmed
  • added conda installation command
  • fix attributes not appearing in streaming mode
  • Fix Travis CI status badge URL
  • Update push_release.sh to use twine.

v0.13.0

... (truncated)

Commits
  • af02d26 Bump version and update CHANGELOG
  • ecd456a Prevent XML injection: reject '<'/'>' in element/attr names (incl. @xmlns)
  • 9b076cc Add CVE note to README
  • 0952f38 Bump version and update CHANGELOG.
  • 13068aa Revert "Ensure significant whitespace is not trimmed"
  • 34759c3 Bump version and update CHANGELOG.
  • e3f7161 Drop Python 3.4 and 3.5
  • cc54376 Fix misspellings found by codespell
  • 01cea1e Apply ruff/Pyflakes rule F841
  • 48b47c9 Bump version and update CHANGELOG.
  • Additional commits viewable in compare view

Updates pyinstaller from 6.14.2 to 6.15.0

Release notes

Sourced from pyinstaller's releases.

v6.15.0

Please see the v6.15.0 section of the changelog for a list of the changes since v6.14.2.

Changelog

Sourced from pyinstaller's changelog.

6.15.0 (2025-08-03)

Features


* Add Python 3.14 support. (:issue:`9192`)

Bugfix


* (non-Windows) Ensure that binary dependency analysis creates symbolic
  links in top-level application directory for shared libraries that are
  not resolvable during binary dependency analysis but are nevertheless
  collected due to being explicitly collected by a hook or by the user.
  (:issue:`9186`)
* Attempt to mitigate the issue with module exclusion when a top-level
  package hook excludes its own subpackage to prevent its collection
  in the absence of any external references; such exclusion rule would
  prevent collection of modules from such subpackage even when it is
  supposed to be collected due to an external reference (for example, an
  explicit import from the user's program). (:issue:`9193`)
* Fix a bug in module exclusion part of analysis codepath that would cause
  certain types of relative imports to be misinterpreted and thus fail to
  exclude them. (:issue:`9197`)

Commits
  • 7c5dcd9 Release v6.15.0. [skip ci]
  • 7c6eca9 bootloader: fix compile errors when building for 32-bit with MSVC
  • 31da65c analysis: account for hook-excluded but externally-referenced subpackages
  • d258b14 tests: add more subpackage exclusion tests
  • 42dd458 analysis: module exclusion: fix module name construction for relative imports
  • 39caee9 tests: add test for subpackage exclusion from top-level package hook
  • a194f0d tests: run the module exclusion tests only in onedir mode
  • f2c42a3 ci: enable CI with python 3.14-dev and 3.14t-dev
  • 42528d9 bootloader: implement string conversion to UTF-8 for PEP 741 codepath
  • 0352806 bootloader: implement UTF8-naive PEP 741 configuration
  • Additional commits viewable in compare view

Updates pymupdf from 1.26.3 to 1.26.4

Release notes

Sourced from pymupdf's releases.

PyMuPDF-1.26.4 released

Wheels for Windows, Linux and MacOS, and the sdist, are available on pypi.org and can be installed in the usual way, for example:

python -m pip install --upgrade pymupdf

[Linux-aarch64 wheels will be built and uploaded later.]

Changes in version 1.26.4

  • Use MuPDF-1.26.7.

  • Fixed issues:

  • Other:

    • Check that #4392 Segfault when running with pytest and -Werror is fixed if PyMuPDF is built with swig>=4.4.
    • Add Page.clip_to_rect().
    • Improved search for Tesseract data.
    • Retrospectively mark #4496 as fixed in 1.26.1.
    • Retrospectively mark #4503 as fixed in 1.26.3.
    • Added experimental support for Graal.

Changelog

Sourced from pymupdf's changelog.

Change Log

Changes in version 1.26.5

  • Fixed issues:

  • Other:

    • Partially address [2883](https://github.com/pymupdf/PyMuPDF/issues/2883): Improve the Python type annotations for fitz_new

      We now define all class methods explicitly instead of with dynamic assignment.

    • Removed pymupdf.utils.Shape class, was duplicate of pymupdf.Shape.

    • Allow use of cibuildwheel to build and test on Pyodide.

    • In documentation, added section about Linux wheels and glibc compatibility.

    • Retrospectively mark #4544 as fixed in 1.26.4.

Changes in version 1.26.4

  • Use MuPDF-1.26.7.

  • Fixed issues:

    • Fixed [3806](https://github.com/pymupdf/PyMuPDF/issues/3806): pdf to image rendering ignore optional content offs
    • Fixed [4388](https://github.com/pymupdf/PyMuPDF/issues/4388): Incorrect PixMap from page due to cached data from other PDF
    • Fixed [4457](https://github.com/pymupdf/PyMuPDF/issues/4457): Wrong characters displayed after font subsetting (w/ native method)
    • Fixed [4462](https://github.com/pymupdf/PyMuPDF/issues/4462): delete_pages() does not accept a single int
    • Fixed [4533](https://github.com/pymupdf/PyMuPDF/issues/4533): Open PDF error segmentation fault
    • Fixed [4565](https://github.com/pymupdf/PyMuPDF/issues/4565): MacOS uses Tesseract and not Tesseract-OCR
    • Fixed [4571](https://github.com/pymupdf/PyMuPDF/issues/4571): Broken merged pdfs.
    • Fixed [4590](https://github.com/pymupdf/PyMuPDF/issues/4590): TypeError in utils.py scrub(): annot.update_file(buffer=...) is invalid
    • Fixed [4614](https://github.com/pymupdf/PyMuPDF/issues/4614): Intercept bad widgets when inserting to another PDF
    • Fixed [4639](https://github.com/pymupdf/PyMuPDF/issues/4639): pymupdf.mupdf.FzErrorGeneric: code=1: Director error: <class 'AttributeError'>: 'JM_new_bbox_device_Device' object has no attribute 'layer_name'
    • Fixed [4544](https://github.com/pymupdf/PyMuPDF/issues/4544): About pdf_clip_page
  • Other:

    • Check that #4392 Segfault when running with pytest and -Werror is fixed if PyMuPDF is built with swig>=4.4.
    • Add Page.clip_to_rect().
    • Improved search for Tesseract data.
    • Retrospectively mark #4496 as fixed in 1.26.1.
    • Retrospectively mark #4503 as fixed in 1.26.3.
    • Added experimental support for Graal.

... (truncated)

Commits
  • 530af52 tests/test_general.py:test_4392(): fix expectations on manylinux.
  • fb457a2 .github/ISSUE_TEMPLATE/bug_report.yml: add 1.26.4 to list of pymupdf versions.
  • 1882b75 changes.txt: fix mupdf version.
  • 77e9746 setup.py: update to pymupdf version 1.26.4 and mupdf version 1.26.7.
  • 719ec6c Updates docs to include section for converting files.
  • 5796732 Amends description for pno parameter for insert_page & new_page.
  • 392eb1a Fixes docs indentation for argument.
  • e81498e changes.txt: updated to match behaviour with latest mupdf-1.26.x.
  • c883330 tests/test_general.py: test_2596(): update expectations with latest mupdf 1.2...
  • bfe0781 tests/test_font.py: test_4457(): update to match updated mupdf 1.26.x.
  • Additional commits viewable in compare view

Updates markdown from 3.8.2 to 3.9

Release notes

Sourced from markdown's releases.

Release 3.9.0

Changed

  • Footnotes are now ordered by the occurrence of their references in the document. A new configuration option for the footnotes extension, USE_DEFINITION_ORDER, has been added to support restoring the previous behavior of ordering footnotes by the occurrence of definitions (#1367).

Fixed

  • Ensure inline processing iterates through elements in document order (#1546).
  • Fix handling of incomplete HTML tags in code spans in Python 3.14 (#1547).

Changelog

Sourced from markdown's changelog.

Python-Markdown Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to the Python Version Specification. See the Contributing Guide for details.

[3.9.0] - 2025-09-04

Changed

  • Footnotes are now ordered by the occurrence of their references in the document. A new configuration option for the footnotes extension, USE_DEFINITION_ORDER, has been added to support restoring the previous behavior of ordering footnotes by the occurrence of definitions (#1367).

Fixed

  • Ensure inline processing iterates through elements in document order (#1546).
  • Fix handling of incomplete HTML tags in code spans in Python 3.14 (#1547).

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the python-packages group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [beautifulsoup4](https://www.crummy.com/software/BeautifulSoup/bs4/) | `4.7.1` | `4.13.5` |
| [lxml](https://github.com/lxml/lxml) | `6.0.0` | `6.0.1` |
| [xmltodict](https://github.com/martinblech/xmltodict) | `0.11.0` | `0.15.0` |
| [pyinstaller](https://github.com/pyinstaller/pyinstaller) | `6.14.2` | `6.15.0` |
| [pymupdf](https://github.com/pymupdf/pymupdf) | `1.26.3` | `1.26.4` |
| [markdown](https://github.com/Python-Markdown/markdown) | `3.8.2` | `3.9` |



Updates `beautifulsoup4` from 4.7.1 to 4.13.5

Updates `lxml` from 6.0.0 to 6.0.1
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-6.0.0...lxml-6.0.1)

Updates `xmltodict` from 0.11.0 to 0.15.0
- [Changelog](https://github.com/martinblech/xmltodict/blob/master/CHANGELOG.md)
- [Commits](martinblech/xmltodict@v0.11.0...v0.15.0)

Updates `pyinstaller` from 6.14.2 to 6.15.0
- [Release notes](https://github.com/pyinstaller/pyinstaller/releases)
- [Changelog](https://github.com/pyinstaller/pyinstaller/blob/develop/doc/CHANGES.rst)
- [Commits](pyinstaller/pyinstaller@v6.14.2...v6.15.0)

Updates `pymupdf` from 1.26.3 to 1.26.4
- [Release notes](https://github.com/pymupdf/pymupdf/releases)
- [Changelog](https://github.com/pymupdf/PyMuPDF/blob/main/changes.txt)
- [Commits](pymupdf/PyMuPDF@1.26.3...1.26.4)

Updates `markdown` from 3.8.2 to 3.9
- [Release notes](https://github.com/Python-Markdown/markdown/releases)
- [Changelog](https://github.com/Python-Markdown/markdown/blob/master/docs/changelog.md)
- [Commits](Python-Markdown/markdown@3.8.2...3.9.0)

---
updated-dependencies:
- dependency-name: beautifulsoup4
  dependency-version: 4.13.5
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-packages
- dependency-name: lxml
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-packages
- dependency-name: xmltodict
  dependency-version: 0.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-packages
- dependency-name: pyinstaller
  dependency-version: 6.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-packages
- dependency-name: pymupdf
  dependency-version: 1.26.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-packages
- dependency-name: markdown
  dependency-version: '3.9'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-packages
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the `dependencies` and `python` labels Sep 5, 2025
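
The rule stated in the xmltodict v0.15.0 changelog entry above (reject '<'/'>' in element and attribute names, including @xmlns prefixes), written as an added example that is not xmltodict's own code and not part of this PR: a pre-flight walk over a dict before it is passed to unparse, useful wherever dict keys come from untrusted input. It assumes xmltodict's default `@` attribute prefix and `#text` key; `find_unsafe_names`, `require_safe_names` and the sample dicts are constructed for illustration.

```python
ATTR_PREFIX = "@"    # xmltodict's default attribute prefix (assumed unchanged)
CDATA_KEY = "#text"  # xmltodict's default text key (assumed unchanged)
FORBIDDEN = ("<", ">")


def _bad(name):
    """True when a name would break out of the tag context."""
    return any(ch in str(name) for ch in FORBIDDEN)


def find_unsafe_names(node, path=""):
    """Return the paths of element/attribute names containing '<' or '>'."""
    hits = []
    if isinstance(node, list):
        for i, item in enumerate(node):
            hits += find_unsafe_names(item, f"{path}[{i}]")
        return hits
    if not isinstance(node, dict):
        return hits  # scalars are text or attribute values, which are escaped
    for key, value in node.items():
        name = str(key)
        here = f"{path}/{name}"
        if name == CDATA_KEY:
            continue  # text content, not a name
        if _bad(name):
            hits.append(here)
        if name == ATTR_PREFIX + "xmlns" and isinstance(value, dict):
            # each prefix becomes part of an attribute name (xmlns:prefix)
            hits += [f"{here}/{p}" for p in value if _bad(p)]
        elif not name.startswith(ATTR_PREFIX):
            hits += find_unsafe_names(value, here)  # child elements
    return hits


def require_safe_names(data):
    """Raise ValueError before serialization if any name is unsafe."""
    hits = find_unsafe_names(data)
    if hits:
        raise ValueError("unsafe XML names: " + ", ".join(hits))
    return data


# Constructed samples: '<' in text content is fine, '<'/'>' in names is not.
CLEAN = {"order": {"@id": "42", "item": [{"#text": "a < b"}, "c"]}}
TAINTED = {"order": {"@id": "42",
                     "@xmlns": {"p>q": "urn:example"},
                     "item": [{"name><extra": "x"}],
                     "@a<b": "y"}}

if __name__ == "__main__":
    print(find_unsafe_names(CLEAN))
    print(find_unsafe_names(TAINTED))
```

Calling `require_safe_names(data)` immediately before `xmltodict.unparse(data)` gives the same fail-closed behaviour on versions older than 0.15.0.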
dependabot bot commented on behalf of github Sep 15, 2025

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.

dependabot bot commented on behalf of github Nov 17, 2025

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.
