From f96ac331edb3a1592fc2e37c7dfbee3e92cf1149 Mon Sep 17 00:00:00 2001
From: Markus Heiser <markus.heiser@darmarIT.de>
Date: Wed, 29 Apr 2026 07:11:13 +0200
Subject: [PATCH] [upd] pypi: Bump lxml from 6.0.4 to 6.1.0 (#6036)

Release 6.1.0 fixes a possible external entity injection (XXE) vulnerability in
``iterparse()`` and the ``ETCompatXMLParser``.

https://github.com/lxml/lxml/blob/64ed06c1a0c1833bfac99f209f16c3bdfddfde79/CHANGES.txt#L42-L66

- Closes https://github.com/searxng/searxng/issues/6025

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 52f7b1acb..dba9ad157 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,7 +3,7 @@ babel==2.18.0
 flask-babel==4.0.0
 flask==3.1.3
 jinja2==3.1.6
-lxml==6.0.4
+lxml==6.1.0
 pygments==2.20.0
 python-dateutil==2.9.0.post0
 pyyaml==6.0.3