Skip to content

Bump justhtml from 2.2.0 to 3.1.0#25130

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/justhtml-3.1.0
Open

Bump justhtml from 2.2.0 to 3.1.0#25130
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/justhtml-3.1.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Contributor

Bumps justhtml from 2.2.0 to 3.1.0.

Release notes

Sourced from justhtml's releases.

Release v3.1.0

Changed

  • CollapseWhitespace(...) now trims leading and trailing whitespace at block-container edges by default. Pass trim_blocks=False to keep the previous html5lib-like behavior, or customize block_tags=(...) for project-specific block containers.
  • Document that DOM insertion methods adopt existing nodes, and show how to clone nodes before appending when using parsed DOMs as templates.

Fixed

  • Apply explicit UrlPolicy.allow_rules to custom URL attributes in constructor sanitization and DropUrlAttrs(...). Previously, rules such as ("el-custom", "data-url") were ignored unless the attribute name was one of JustHTML's built-in URL sinks.
  • Restore strict-mode reporting for unexpected </p> end tags after implicit paragraph closure.

Performance

  • Speed up pretty HTML serialization for direct text-only elements, repeated tag/attribute names, and common empty-attribute elements; reduce repeated selector name normalization and hot parser namespace checks; and fix the real-world profiler script when run directly.
  • Speed up parser URL sanitization for common lowercase http:// and https:// attributes.

Release v3.0.0

JustHTML 3.0.0 ships a new parser core. The old tokenizer and tree-builder are now one integrated system, which makes the parser much faster while keeping browser-style HTML5 recovery and default-safe behavior intact. In practice, this release is mainly about getting materially better performance without asking most users to change how they use the library.

The breaking part is narrow: if you do not depend on doc.errors or on the exact diagnostic details raised by strict=True, this release should behave like a faster, more robust JustHTML. If you do depend on parser diagnostics, expect different error codes, counts, locations, and ordering from the old implementation.

Changed

  • Replace the legacy tokenizer/tree-builder split with one plan-driven parser engine shared across sanitized, unsanitized, fragment, streaming, diagnostic, and source-location modes. This is a new parser architecture, not just an optimization pass: scanning, tree construction, and default-safe decisions now run as one coordinated system.
  • BREAKING: Rework parser diagnostics around a smaller, higher-value built-in error set. collect_errors=True and strict=True still surface parser problems, but callers should expect different error codes, counts, locations, and ordering than the old tokenizer/tree-builder pipeline.

Performance

  • Deliver roughly a 2x parsing speedup from the new fused engine while preserving browser-style HTML5 recovery behavior. The hot path now avoids the old tokenizer-to-treebuilder handoff, compiles default sanitizer decisions into parser tag actions, and scans projected attributes directly while parsing.

Fixed

  • Preserve HTML5 tree-construction behavior across foreign-content integration points, select/table recovery, framesets, plaintext formatting reconstruction, form-pointer handling, malformed comments, foreign attribute parsing, adoption-agency edge cases, and scope-repair bugs found through Chromium and html5lib differentials.
  • Stabilize sanitization of malformed foreign-namespace rawtext structures so trailing HTML cannot be exposed by mutation-XSS reparsing.

Breaking

  • BREAKING: Error collection is no longer a compatibility surface for the legacy parser internals. Applications that assert on the exact contents of doc.errors, or on the specific exception details raised by strict=True, must update to the new diagnostic model. Other users should not need API changes for this release.

Release v2.4.1

Fixed

  • Prevent the leading-line-feed exception for <pre>, <listing>, and <textarea> from leaking past intervening non-character tokens and removing a later newline.
  • Apply paragraph closing and leading-line-feed handling to <pre> and <listing> inside customizable <select> content.
  • Preserve U+000C FORM FEED in HTML text like browsers do, while retaining its intentional conversion to a space in XML-coercion mode.

Release v2.4.0

Fixed

  • Handle <hr> using the HTML in-body void-element rules in delegated insertion modes, preserving following content in table cells and captions, closing open paragraphs, and acknowledging self-closing syntax.

Release v2.3.0

Fixed

  • Preserve pretty-printed paragraph line breaks when sanitization is disabled and comments are present in block containers.

Performance

  • Speed up tree construction scope checks by tracking open elements for common scoped element names.

... (truncated)

Changelog

Sourced from justhtml's changelog.

[3.1.0] - 2026-07-02

Changed

  • CollapseWhitespace(...) now trims leading and trailing whitespace at block-container edges by default. Pass trim_blocks=False to keep the previous html5lib-like behavior, or customize block_tags=(...) for project-specific block containers.
  • Document that DOM insertion methods adopt existing nodes, and show how to clone nodes before appending when using parsed DOMs as templates.

Fixed

  • Apply explicit UrlPolicy.allow_rules to custom URL attributes in constructor sanitization and DropUrlAttrs(...). Previously, rules such as ("el-custom", "data-url") were ignored unless the attribute name was one of JustHTML's built-in URL sinks.
  • Restore strict-mode reporting for unexpected </p> end tags after implicit paragraph closure.

Performance

  • Speed up pretty HTML serialization for direct text-only elements, repeated tag/attribute names, and common empty-attribute elements; reduce repeated selector name normalization and hot parser namespace checks; and fix the real-world profiler script when run directly.
  • Speed up parser URL sanitization for common lowercase http:// and https:// attributes.

[3.0.0] - 2026-06-21

JustHTML 3.0.0 ships a new parser core. The old tokenizer and tree-builder are now one integrated system, which makes the parser much faster while keeping browser-style HTML5 recovery and default-safe behavior intact. In practice, this release is mainly about getting materially better performance without asking most users to change how they use the library.

The breaking part is narrow: if you do not depend on doc.errors or on the exact diagnostic details raised by strict=True, this release should behave like a faster, more robust JustHTML. If you do depend on parser diagnostics, expect different error codes, counts, locations, and ordering from the old implementation.

Changed

  • Replace the legacy tokenizer/tree-builder split with one plan-driven parser engine shared across sanitized, unsanitized, fragment, streaming, diagnostic, and source-location modes. This is a new parser architecture, not just an optimization pass: scanning, tree construction, and default-safe decisions now run as one coordinated system.
  • BREAKING: Rework parser diagnostics around a smaller, higher-value built-in error set. collect_errors=True and strict=True still surface parser problems, but callers should expect different error codes, counts, locations, and ordering than the old tokenizer/tree-builder pipeline.

Performance

  • Deliver roughly a 2x parsing speedup from the new fused engine while preserving browser-style HTML5 recovery behavior. The hot path now avoids the old tokenizer-to-treebuilder handoff, compiles default sanitizer decisions into parser tag actions, and scans projected attributes directly while parsing.

Fixed

  • Preserve HTML5 tree-construction behavior across foreign-content integration points, select/table recovery, framesets, plaintext formatting reconstruction, form-pointer handling, malformed comments, foreign attribute parsing, adoption-agency edge cases, and scope-repair bugs found through Chromium and html5lib differentials.
  • Stabilize sanitization of malformed foreign-namespace rawtext structures so trailing HTML cannot be exposed by mutation-XSS reparsing.

Breaking

  • BREAKING: Error collection is no longer a compatibility surface for the legacy parser internals. Applications that assert on the exact contents of doc.errors, or on the specific exception details raised by strict=True, must update to the new diagnostic model. Other users should not need API changes for this release.

[2.4.1] - 2026-06-21

Fixed

  • Prevent the leading-line-feed exception for <pre>, <listing>, and <textarea> from leaking past intervening non-character tokens and removing a later newline.
  • Apply paragraph closing and leading-line-feed handling to <pre> and <listing> inside customizable <select> content.
  • Preserve U+000C FORM FEED in HTML text like browsers do, while retaining its intentional conversion to a space in XML-coercion mode.

[2.4.0] - 2026-06-20

Fixed

  • Handle <hr> using the HTML in-body void-element rules in delegated insertion modes, preserving following content in table cells and captions, closing open paragraphs, and acknowledging self-closing syntax.

[2.3.0] - 2026-06-12

Fixed

  • Preserve pretty-printed paragraph line breaks when sanitization is disabled and comments are present in block containers.

... (truncated)

Commits
  • e264ed2 Release v3.1.0
  • 2bf6892 docs: Update API and building documentation to clarify node handling and cloning
  • 0780c83 feat: Implement custom attribute URL rules in sanitization and transformation...
  • d468a89 feat: Enhance CollapseWhitespace transform with block edge trimming and custo...
  • fd2c59f bug: Add error reporting for nested paragraph handling in strict mode
  • 81a9b3a perf: Improve URL validation by ensuring printable characters in HTTP/HTTPS s...
  • 0a9f228 perf: Improve URL sanitization for common HTTP/HTTPS schemes
  • 3a23bdf chore: Enhance argument parsing and add support for multiple HTML processing ...
  • d23d091 chore: Update changelog and improve HTML serialization for void elements with...
  • 66cd5a9 perf: Enhance performance by optimizing HTML serialization and improving sele...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [justhtml](https://github.com/emilstenstrom/justhtml) from 2.2.0 to 3.1.0.
- [Release notes](https://github.com/emilstenstrom/justhtml/releases)
- [Changelog](https://github.com/EmilStenstrom/justhtml/blob/main/CHANGELOG.md)
- [Commits](EmilStenstrom/justhtml@v2.2.0...v3.1.0)

---
updated-dependencies:
- dependency-name: justhtml
  dependency-version: 3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants