From 3d755a4d780dd05fef2574538bbe6c2b3958b22d Mon Sep 17 00:00:00 2001 From: Chris Jones Date: Mon, 4 May 2026 12:56:13 -0400 Subject: [PATCH] fix: raise lxml upper bound to <7.0.0 lxml 6.0 support was already validated (see TestLxmlCurlyBraceCompatibility). lxml 6.1 introduces no breaking changes for this package: all lxml usage goes through BeautifulSoup4, which abstracts the parser API, and none of the deprecated/removed lxml 6.x APIs (setElementClassLookup, apply, evaluate, MemDebug, text_content smart strings) are called directly. Bumping the cap from <=6.0.2 to <7.0.0 unblocks downstream users who need lxml 6.1.0+ to address CVE-2026-41066. --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index f5faa63..12d4502 100644 --- a/requirements.txt +++ b/requirements.txt @@ -3,7 +3,7 @@ pytz>=2020.1 beautifulsoup4>=4.13.5,<5.0.0 boto3>=1.42.22,<2.0.0 requests>=2.23.0,<3.0.0 -lxml>=4.6.5,<=6.0.2 +lxml>=4.6.5,<7.0.0 botocore>=1.12.201,<2.0.0 packaging setuptools
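Review bot: On the changed line `lxml>=4.6.5,<7.0.0` in requirements.txt, only the upper bound moves, so the floor still admits every release from 4.6.5 up and an install can keep resolving to a version older than the 6.1.0 that the commit message names as needed for CVE-2026-41066. If the intent is only to unblock downstream pins, state that in the changelog so users know they must pin lxml themselves; if the package should not run on the affected versions, raise the floor as well (for example `lxml>=6.1.0,<7.0.0`) and note the dropped versions. The patch touches only requirements.txt, so support for 6.1 rests on the existing 6.0 test (TestLxmlCurlyBraceCompatibility) and on the reasoning about BeautifulSoup4 in the commit message; a CI job pinned to lxml 6.1.x would back the wider `<7.0.0` range, which also admits any later 6.x release.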