
fix(deps): update dependency xmlsec to <1.3.18#211

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/xmlsec-1.x

Conversation


@renovate renovate Bot commented Mar 22, 2025

This PR contains the following updates:

Package            | Change             | Age | Confidence
xmlsec (changelog) | <1.3.15 -> <1.3.18 | age | confidence

Release Notes

mehcode/python-xmlsec (xmlsec)

v1.3.17

Compare Source

Release Date: 2025-11-11
Version: 1.3.17


Compatibility and Wheel Support

This release provides binary wheels that are fully compatible with lxml v6.0.2. The compatibility is ensured by using the same underlying libxml2 version in both python-xmlsec and lxml.

Because of this strict requirement, the wheels cannot be used with versions of lxml lower than 6.0.2. Mixing versions will lead to runtime errors.

Common Error

If you see the following message:

lxml & xmlsec libxml2 library version mismatch

it indicates that the version of libxml2 used to build lxml does not match the version used to build python-xmlsec.

Recommended Solutions
  • Upgrade lxml to v6.0.2, or
  • Build both lxml and python-xmlsec manually from source using the same libxml2 version
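As an added example (not code from python-xmlsec, lxml or this PR), the following pre-flight check models the compatibility rule described in these notes: it compares the libxml2 version each extension was compiled against and checks an lxml version against the wheel floors stated in the v1.3.17 and v1.3.16 release notes (6.0.2 and 6.0.0). It assumes `lxml.etree.LIBXML_COMPILED_VERSION` and `xmlsec.get_libxml_compiled_version()` for the live probe; the pure functions run without either package installed.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Minimum lxml each xmlsec wheel accepts, per the v1.3.17 and v1.3.16 release
# notes in this PR. Unlisted xmlsec releases have no documented floor here.
MIN_LXML_FOR_XMLSEC: Dict[Version, Version] = {
    (1, 3, 16): (6, 0, 0),
    (1, 3, 17): (6, 0, 2),
}


def parse_version(text: str) -> Version:
    """'2.14.6' -> (2, 14, 6); build suffixes such as '2.11.9-3' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def libxml2_match(lxml_compiled: Version, xmlsec_compiled: Version) -> bool:
    """Both extensions must have been compiled against the same libxml2 release."""
    return lxml_compiled[:3] == xmlsec_compiled[:3]


def wheel_lxml_requirement_ok(xmlsec_version: Version, lxml_version: Version) -> bool:
    """Does this lxml satisfy the documented floor for the given xmlsec wheel?"""
    floor = MIN_LXML_FOR_XMLSEC.get(xmlsec_version[:3])
    return floor is None or lxml_version[:3] >= floor


def diagnose(lxml_compiled: Version, xmlsec_compiled: Version) -> str:
    """Verdict text modelled on the error quoted in the release notes."""
    fmt = lambda v: ".".join(map(str, v))  # noqa: E731 (short local formatter)
    if libxml2_match(lxml_compiled, xmlsec_compiled):
        return f"ok: both built against libxml2 {fmt(lxml_compiled)}"
    return (f"lxml & xmlsec libxml2 library version mismatch: lxml={fmt(lxml_compiled)} "
            f"xmlsec={fmt(xmlsec_compiled)}; upgrade lxml or rebuild both from source "
            f"against one libxml2")


def probe_installed() -> Optional[Dict[str, Version]]:
    """Read the compiled libxml2 version from each installed extension (assumed
    attribute names, see lead-in); None when either package is absent."""
    try:
        import lxml.etree as etree
        import xmlsec
    except ImportError:
        return None
    return {"lxml": tuple(etree.LIBXML_COMPILED_VERSION),
            "xmlsec": tuple(xmlsec.get_libxml_compiled_version())}
```

In an environment with both packages installed, feed the result of `probe_installed()` to `diagnose()` to get the same verdict the notes describe before any SAML code runs.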

Wheel Build Configuration

Linux and macOS Wheels

These wheels are built against the following versions, which match those used in lxml v6.0.2:

  • libxml2 v2.14.6
  • libxslt v1.1.43
  • xmlsec1 v1.3.9
  • zlib v1.3.1
  • libiconv v1.18
  • openssl v3.6.0
Windows Binary Wheels

The Windows binary wheels were compiled using Visual Studio 2022 and include the following libraries:

  • iconv v1.18-1
  • libxml2 v2.11.9-3
  • libxslt v1.1.39
  • openssl v3.0.16.pl1
  • xmlsec v1.3.7
  • zlib v1.3.1

These versions are compatible with those used in lxml v6.0.2.


Noticeable changes

  • Supporting new wheels
    • Windows ARM
    • RISC-V 64
    • Python 3.14

Acknowledgements

Special thanks to

New Contributors

Full Changelog: xmlsec/python-xmlsec@1.3.16...1.3.17

v1.3.16

Compare Source

Release Date: 2025-07-10
Version: 1.3.16


Compatibility and Wheel Support

This release provides binary wheels that are fully compatible with lxml v6.0.0. The compatibility is ensured by using the same underlying libxml2 version in both python-xmlsec and lxml.

Because of this strict requirement, the wheels cannot be used with versions of lxml lower than 6.0.0. Mixing versions will lead to runtime errors.

Common Error

If you see the following message:

lxml & xmlsec libxml2 library version mismatch

it indicates that the version of libxml2 used to build lxml does not match the version used to build python-xmlsec.

Recommended Solutions
  • Upgrade lxml to v6.0.0, or
  • Build both lxml and python-xmlsec manually from source using the same libxml2 version

Wheel Build Configuration

Linux and macOS Wheels

These wheels are built against the following versions, which match those used in lxml v6.0.0:

  • libxml2 v2.14.4
  • libxslt v1.1.43
  • xmlsec1 v1.3.7
Windows Binary Wheels

The Windows binary wheels were compiled using Visual Studio 2022 and include the following libraries:

  • iconv v1.18-1
  • libxml2 v2.11.9-3
  • libxslt v1.1.39
  • openssl v3.0.16.pl1
  • xmlsec v1.3.7
  • zlib v1.3.1

These versions are compatible with those used in lxml v6.0.0.


Acknowledgements

Special thanks to @TomiBelan for helping with the creation of binary wheels for this release.

v1.3.15

Compare Source

What's Changed

New Contributors

Full Changelog: xmlsec/python-xmlsec@1.3.14...1.3.15


Configuration

📅 Schedule: Branch creation - "every weekend" in timezone US/Eastern, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/xmlsec-1.x branch 14 times, most recently from 6e07d1a to 355f277 Compare April 2, 2025 17:12
@renovate renovate Bot force-pushed the renovate/xmlsec-1.x branch 9 times, most recently from a49fb8a to d720587 Compare April 10, 2025 05:23
@renovate renovate Bot force-pushed the renovate/xmlsec-1.x branch 5 times, most recently from 724954f to 1070b52 Compare April 18, 2025 22:17
@renovate renovate Bot force-pushed the renovate/xmlsec-1.x branch 2 times, most recently from dd1fea8 to 68098e6 Compare April 23, 2025 12:55
@renovate renovate Bot force-pushed the renovate/xmlsec-1.x branch 2 times, most recently from 19f31e1 to 0e375f5 Compare May 10, 2025 12:39
@renovate renovate Bot force-pushed the renovate/xmlsec-1.x branch 12 times, most recently from b888aef to 59b62af Compare May 24, 2025 08:49
@renovate renovate Bot force-pushed the renovate/xmlsec-1.x branch 11 times, most recently from 43323a6 to 61fdcc8 Compare May 31, 2025 11:13
@renovate renovate Bot force-pushed the renovate/xmlsec-1.x branch 2 times, most recently from 0417a29 to f88cf8c Compare May 31, 2025 19:25
touchstone = [
'python3-saml>=1.10.1; python_version < "3.13"',
'xmlsec<1.3.15; python_version < "3.13"',
'xmlsec<1.3.18; python_version < "3.13"',
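Review bot: the hunk only raises the xmlsec ceiling from `<1.3.15` to `<1.3.18` in the `touchstone` extra and adds no matching lxml constraint, yet the release notes quoted in this PR state that the 1.3.16 and 1.3.17 wheels require lxml 6.0.0 and 6.0.2 respectively and otherwise fail at runtime with `lxml & xmlsec libxml2 library version mismatch`. Suggest pairing the change with `'lxml>=6.0.2; python_version < "3.13"'` in the same group, or holding the ceiling at `<1.3.16` until lxml is bumped alongside it.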

Bug: The xmlsec upgrade conflicts with the pinned lxml version, which will break SAML authentication for deployments using the optional touchstone dependency.
Severity: HIGH

Suggested Fix

Update the lxml constraint in the root pyproject.toml to allow a version compatible with the new xmlsec requirement, such as lxml>=6.0.2. Alternatively, revert the xmlsec upgrade.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: src/authentication/pyproject.toml#L23

Potential issue: The upgrade of `xmlsec` to version `1.3.17` introduces a requirement
for `lxml >= 6.0.2`. However, the root `pyproject.toml` file pins `lxml` to version
`<=5.3.2`. This creates a dependency conflict. While `xmlsec` is part of an optional
dependency group (`touchstone`), any deployment that installs this group to enable SAML
authentication will experience a runtime failure. The conflict will break SAML
functionality when the code attempts to use both libraries together.


touchstone = [
'python3-saml>=1.10.1; python_version < "3.13"',
'xmlsec<1.3.15; python_version < "3.13"',
'xmlsec<1.3.18; python_version < "3.13"',

Bug: The updated xmlsec<1.3.18 constraint allows xmlsec==1.3.17, which is incompatible with lxml<6.0.2. The package doesn't enforce a compatible lxml version, risking runtime errors for consumers.
Severity: HIGH

Suggested Fix

Add a corresponding lxml>=6.0.2 constraint to the same optional dependency group (touchstone) where xmlsec<1.3.18 is specified. This ensures that any environment installing the touchstone extra will have compatible versions of both xmlsec and lxml.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: src/authentication/pyproject.toml#L23

Potential issue: The optional dependency `xmlsec` is updated to `<1.3.18`, which allows
version `1.3.17`. According to its release notes, `xmlsec==1.3.17` binary wheels are
incompatible with `lxml<6.0.2`. However, the `pyproject.toml` for
`mitol-django-authentication` does not enforce a minimum `lxml` version. Downstream
consumers installing the `touchstone` extra could resolve `xmlsec==1.3.17` alongside an
older, incompatible version of `lxml` (e.g., `5.x`), leading to a runtime crash with an
`lxml & xmlsec libxml2 library version mismatch` error when SAML authentication is used.
