
Bump bleach from 6.1.0 to 6.4.0 in /tools/workload/benchmark_velox/analysis #12328

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/tools/workload/benchmark_velox/analysis/bleach-6.4.0

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Contributor

Bumps bleach from 6.1.0 to 6.4.0.

Changelog

Sourced from bleach's changelog.

Version 6.4.0 (June 5th, 2026)

NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future releases, including for security issues. See issue: https://github.com/mozilla/bleach/issues/698

Backwards incompatible changes

  • Dropped support for pypy 3.10. (#764)

Security fixes

  • Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.

    Fix XSS issue with sanitize_uri_value where disallowed schemes with Unicode invisible characters wouldn't be rejected.

    For example::

        import bleach

        payload1 = 'Click'
        result1 = bleach.clean(payload1)
        print(repr(result1))

    outputs::

        'Click'

    See the advisory for details.

  • Fix GHSA-gj48-438w-jh9v.

    Fix issue where URI sanitization wasn't happening in formaction attributes.

    See the advisory for details.
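As an added illustration of the two fixes just described (written for this page, not bleach's own code; the allow-lists and sample values are constructed here): a scheme check that strips Unicode format and control characters before matching the allow-list, shown beside the naive pattern that lets them slip past, and an attribute filter that applies the check to formaction as well as href and src.

```python
import re
import unicodedata

# Allow-lists constructed for this example (not bleach's defaults).
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})
URI_ATTRIBUTES = frozenset({"href", "src", "action", "formaction"})
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def naive_uri_is_allowed(uri):
    """Sketch of the failure mode (not bleach's code): match a scheme on the
    raw string and treat anything that does not parse as a scheme as a
    harmless relative reference. A format character such as U+200B inside
    the scheme spoils the match, so a disallowed scheme is waved through."""
    m = SCHEME_RE.match(uri)
    return m is None or m.group(1).lower() in ALLOWED_SCHEMES


def strip_invisible(text):
    """Remove every code point in the Unicode 'Other' (Cc, Cf, Cs, Co, Cn)
    and 'Separator' (Zs, Zl, Zp) classes, none of which a scheme can
    legitimately contain, before the scheme is examined."""
    return "".join(ch for ch in text if unicodedata.category(ch)[0] not in "CZ")


def extract_scheme(uri):
    """Lower-cased scheme of the cleaned URI, or None for a relative
    reference (no ':' before the first '/', '?' or '#')."""
    cleaned = strip_invisible(uri)
    for i, ch in enumerate(cleaned):
        if ch == ":":
            return cleaned[:i].lower()
        if ch in "/?#":
            break
    return None


def uri_is_allowed(uri):
    """Hardened check: relative references pass; otherwise the scheme must
    be on the allow-list once the invisible characters are gone."""
    scheme = extract_scheme(uri)
    return scheme is None or scheme in ALLOWED_SCHEMES


def sanitize_attributes(attrs):
    """Drop every URI-bearing attribute whose value fails the check. The set
    includes formaction, the attribute the second fix brings under URI
    sanitization."""
    return {name: value for name, value in attrs.items()
            if name.lower() not in URI_ATTRIBUTES or uri_is_allowed(value)}
```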

Bug fixes

  • Add support for pypy 3.11. (#764)

  • Drop version max in tinycss2 pin. (#772)

    This removes one of the things we had to keep checking and updating. Users now own the responsibility for correctness with the version of tinycss2 they're using.

Version 6.3.0 (October 27th, 2025)

... (truncated)

Commits
  • f0355a7 fix: fix last release date in CHANGES
  • ae4e8a2 chore: bleach 6.4.0 and final release
  • 970df58 fix: uri-sanitization in formaction attributes
  • 7c4867c fix: xss bypass in allowed protocol test using unicode invisible characters
  • 913ab75 fix: reduce redundancy in workflow jobs
  • 218c15a fix: rework pip caching
  • 4f0b097 fix: fix tox platform restrictions
  • e95a79d chore: update pytest
  • 91539d4 Bump actions/cache from 5.0.3 to 5.0.4
  • cd47b4c fix: handle left-angle-bracket that's not a tag (#733)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [bleach](https://github.com/mozilla/bleach) from 6.1.0 to 6.4.0.
- [Changelog](https://github.com/mozilla/bleach/blob/main/CHANGES)
- [Commits](mozilla/bleach@v6.1.0...v6.4.0)

---
updated-dependencies:
- dependency-name: bleach
  dependency-version: 6.4.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jun 22, 2026
@github-actions github-actions Bot added the TOOLS label Jun 22, 2026
@lisanping09-bit


Bumps bleach from 6.1.0 to 6.4.0.

Changelog
Sourced from bleach's changelog.

Version 6.4.0 (June 5th, 2026)

NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future releases, including for security issues.
See issue: https://github.com/mozilla/bleach/issues/698
Backwards incompatible changes

  • Dropped support for PyPy 3.10. (#764)

Security fixes

  • Fix bug 2023812 / GHSA-8rfp-98v4-mmr6
    Fix XSS issue with sanitize_uri_value where disallowed schemes containing Unicode invisible characters would not be rejected.
    For example::
        import bleach
        payload1 = 'Click'
        result1 = bleach.clean(payload1)
        print(repr(result1))
    outputs::
        '点击'
    See the advisory for details.
  • Fix GHSA-gj48-438w-jh9v
    Fixed an issue where URI sanitization was not applied to formaction attributes.
    See the advisory for details.

Bug fixes

  • Add support for PyPy 3.11. (#764)
  • Drop the version upper bound in the tinycss2 pin. (#772)
    This removes one of the things we had to keep checking and updating. Users are now responsible for the correctness of the tinycss2 version they use.

Version 6.3.0 (October 27th, 2025)

(truncated)

Commits

  • f0355a7 fix: fix last release date in CHANGES
  • ae4e8a2 chore: bleach 6.4.0 and final release
  • 970df58 fix: URI sanitization in formaction attributes
  • 7c4867c fix: XSS bypass in allowed protocol test using Unicode invisible characters
  • 913ab75 fix: reduce redundancy in workflow jobs
  • 218c15a fix: rework pip caching
  • 4f0b097 fix: fix tox platform restrictions
  • e95a79d chore: update pytest
  • 91539d4 Bump actions/cache from 5.0.3 to 5.0.4
  • cd47b4c fix: handle left-angle-bracket that's not a tag (#733)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
