Update lxml to 6.1.0

[pyup-bot]

This PR updates lxml from 6.0.2 to 6.1.0.

Changelog

6.1.0

==================

This release fixes a possible external entity injection (XXE) vulnerability in
``iterparse()`` and the ``ETCompatXMLParser``.

Features added
--------------

* GH486: The HTML ARIA accessibility attributes were added to the set of safe attributes
in ``lxml.html.defs``.  This allows ``lxml_html_clean`` to pass them through.
Patch by oomsveta.

* The default chunk size for reading from file-likes in ``iterparse()`` is now configurable
with a new ``chunk_size`` argument.

Bugs fixed
----------

* LP2146291: The ``resolve_entities`` option was still set to ``True`` for
``iterparse`` and ``ETCompatXMLParser``, allowing for external entity injection (XXE)
when using these parsers without setting this option explicitly.
The default was now changed to ``'internal'`` only (as for the normal XML and HTML parsers
since lxml 5.0).
Issue found by Sihao Qiu as CVE-2026-41066.

6.0.4

==================

Bugs fixed
----------

* LP2148019: Spurious MemoryError during namespace cleanup.

6.0.3

==================

Bugs fixed
----------

* Several out of memory error cases now raise ``MemoryError`` that were not handled before.

* Slicing with large step values (outside of ``+/- sys.maxsize``) could trigger undefined C behaviour.

* LP2125399: Some failing tests were fixed or disabled in PyPy.

* LP2138421: Memory leak in error cases when setting the ``public_id`` or ``system_url`` of a document.

* Memory leak in case of a memory allocation failure when copying document subtrees.

* When mapping an XPath result to Python failed, the result memory could leak.

* When preparing an XSLT transform failed, the XSLT parameter memory could leak.

Other changes
-------------

* Built using Cython 3.2.4.

* Binary wheels use zlib 1.3.2.

Links

• PyPI: https://pypi.org/project/lxml
• Changelog: https://data.safetycli.com/changelogs/lxml/
• Homepage: https://lxml.de/