Accepting request 1319931 from devel:languages:python

OBS-URL: https://build.opensuse.org/request/show/1319931
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-xmltodict?expand=0&rev=13

python-xmltodict.changes

@@ -1,3 +1,64 @@
+-------------------------------------------------------------------
+Mon Nov 24 09:03:54 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 1.0.2
+  * allow DOCTYPE with disable_entities=True (default)
+- from version 1.0.1
+  * fail closed when entities disabled
+  * validate XML comments
+  * add SECURITY.md
+  * clarify behavior for empty lists
+  * clarify process_comments docs
+  * clarify strip whitespace comment behavior
+  * create AGENTS.md for coding agents
+  * replace travis with actions badge
+  * update CONTRIBUTING.md
+- Drop skip-tests-expat-245.patch, no longer required
+
+-------------------------------------------------------------------
+Fri Sep 12 19:34:16 UTC 2025 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 1.0.0
+  BREAKING CHANGES
+  * modernize for Python 3.9+; drop legacy compat paths.
+  Features
+  * unparse: add limited XML comment round-trip; unify _emit
+    behavior (e43537e).
+  * unparse: add selective force_cdata support
+    (bool/tuple/callable) (a497fed), closes #375.
+  Bug Fixes
+  * namespaces: attach [@xmlns](https://github.com/xmlns) to
+    declaring element when process_namespaces=True.
+  * streaming: avoid parent accumulation at item_depth; add
+    regression tests (220240c).
+  * unparse: handle non-string #text with attributes; unify
+    value conversion (927a025).
+  * unparse: skip empty lists to keep pretty/compact outputs
+    consistent (ab4c86f).
+  Reverts
+  * remove initial Release Drafter config (c0b74ed).
+
+-------------------------------------------------------------------
+Tue Sep  9 07:46:33 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 0.15.1
+  * Security: Further harden XML injection prevention during unparse (follow-up
+    to v0.15.0). In addition to '<'/'>' rejection, now also reject element and
+    attribute names (including `@xmlns` prefixes) that:
+    - start with '?' or '!'
+    - contain '/' or any whitespace
+    - contain quotes (' or ") or '='
+    - are non-strings (names must be `str`; no coercion)
+
+-------------------------------------------------------------------
+Mon Sep  8 11:26:39 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 0.15.0
+  * Security: Prevent XML injection (CVE-2025-9375) by rejecting '<'/'>' in
+    element and attribute names (including `@xmlns` prefixes) during unparse.
+    This limits validation to avoiding tag-context escapes; attribute values
+    continue to be escaped by the SAX `XMLGenerator`. (bsc#1249036, CVE-2025-9375)
+
 -------------------------------------------------------------------
 Tue Oct 29 16:11:13 UTC 2024 - Martin Hauke <mardnh@gmx.de>
 

python-xmltodict.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-xmltodict
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,13 +18,12 @@
 
 %{?sle15_python_module_pythons}
 Name:           python-xmltodict
-Version:        0.14.2
+Version:        1.0.2
 Release:        0
 Summary:        Module to make XML working resemble JSON
 License:        MIT
 URL:            https://github.com/martinblech/xmltodict
 Source:         https://files.pythonhosted.org/packages/source/x/xmltodict/xmltodict-%{version}.tar.gz
-Patch0:         skip-tests-expat-245.patch
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module pytest}
 BuildRequires:  %{python_module setuptools}

skip-tests-expat-245.patch

@@ -1,28 +0,0 @@
-Index: xmltodict-0.12.0/tests/test_xmltodict.py
-===================================================================
---- xmltodict-0.12.0.orig/tests/test_xmltodict.py
-+++ xmltodict-0.12.0/tests/test_xmltodict.py
-@@ -8,6 +8,7 @@ except ImportError:
- 
- from xml.parsers.expat import ParserCreate
- from xml.parsers import expat
-+import pyexpat
- 
- 
- def _encode(s):
-@@ -167,6 +168,7 @@ class XMLToDictTestCase(unittest.TestCas
-         self.assertEqual(parse(xml),
-                          parse(xml.encode('utf-8')))
- 
-+    @unittest.skipIf(pyexpat.version_info >= (2, 4, 5), reason="Makes no sense with current Expat")
-     def test_namespace_support(self):
-         xml = """
-         <root xmlns="http://defaultns.com/"
-@@ -195,6 +197,7 @@ class XMLToDictTestCase(unittest.TestCas
-         res = parse(xml, process_namespaces=True)
-         self.assertEqual(res, d)
- 
-+    @unittest.skipIf(pyexpat.version_info >= (2, 4, 5), reason="Makes no sense with current Expat")
-     def test_namespace_collapse(self):
-         xml = """
-         <root xmlns="http://defaultns.com/"

xmltodict-1.0.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:54306780b7c2175a3967cad1db92f218207e5bc1aba697d887807c0fb68b7649
+size 25725