Skip to content

build(deps-dev): bump unstructured from 0.18.14 to 0.24.1 in /backend#3404

Open
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/pip/backend/unstructured-0.24.0
Open

build(deps-dev): bump unstructured from 0.18.14 to 0.24.1 in /backend#3404
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/pip/backend/unstructured-0.24.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown

Bumps unstructured from 0.18.14 to 0.24.1.

Release notes

Sourced from unstructured's releases.

0.24.1

What's Changed

Full Changelog: Unstructured-IO/unstructured@0.24.0...0.24.1

0.24.0

What's Changed

New Contributors

Full Changelog: Unstructured-IO/unstructured@0.23.1...0.24.0

0.23.1

What's Changed

Full Changelog: Unstructured-IO/unstructured@0.23.0...0.23.1

0.23.0

What's Changed

Full Changelog: Unstructured-IO/unstructured@0.22.32...0.23.0

0.22.32

What's Changed

Full Changelog: Unstructured-IO/unstructured@0.22.31...0.22.32

0.22.31

What's Changed

Full Changelog: Unstructured-IO/unstructured@0.22.30...0.22.31

0.22.30

What's Changed

... (truncated)

Changelog

Sourced from unstructured's changelog.

0.24.1

Fixes

  • Fix stored XSS in v2 (ontology) HTML output (GHSA-v5mq-3xhg-98m9): partition_html(html_parser_version="v2"), elements_to_html(), and metadata.text_as_html previously emitted untrusted document markup without output encoding, allowing attacker-controlled content (on* handlers, javascript: links, tag/attribute breakout) to execute when the HTML was viewed. Output is now sanitized — text and attribute values are HTML-escaped, event-handler attributes are dropped, tags/attributes are allowlisted, and URL schemes are filtered (http/https/mailto/tel/relative preserved; data: limited to raster image MIME types on img[src]). Legitimate formatting is unaffected.

0.24.0

Enhancements

  • Centralize outbound URL fetching: partition, partition_html, and partition_md now route url= fetches through a single shared helper (unstructured/safe_http.py) instead of ad-hoc requests.get calls. The helper applies an http/https scheme allowlist, a hostname denylist with IDNA normalization, address validation performed at connect time, manual redirect handling with per-hop re-validation (dropping credential material on cross-origin hops), refusal of proxied requests, and a default (connect, read) timeout. Behavior change: fetches that resolve to non-routable, loopback, or link-local addresses are now rejected by default. Set UNSTRUCTURED_ALLOW_PRIVATE_URL=1 (or pass allow_private=True) to opt out for controlled local usage.

0.23.3

Fixes

  • Stabilize the partition-runtime benchmark CI check: the gate compared each run against a single all-time-minimum runtime, which a one-off fast runner could poison into an unbeatable floor (a frozen ~81s baseline vs a real ~130s fleet), failing every PR. It now compares against a rolling median of recent main runs with a warm-up period, so runner-speed variance can't block unrelated PRs. CI/tooling only; no library behavior changes.

0.23.2

Enhancements

  • v2 (ontology) HTML parser derives category_depth from heading level: partition_html(html_parser_version="v2") now sets category_depth from a heading's HTML level (h1→0, h2→1, …) via a shared helper reused by the v1 parser, instead of DOM nesting depth. Depth no longer changes from multi-column layout alone, and parent_id chains subsections under their enclosing heading. Layout structure and text_as_html are preserved.

Fixes

  • unstructured_elements_to_ontology handles empty and malformed input: returns an empty Document for empty input (instead of raising IndexError), and a layout container whose parent_id matches no open container now nests in the current container rather than popping to the document root and mis-nesting subsequent content.

0.23.1

Enhancements

  • Extract filled AcroForm field values as text: values typed into fillable PDF form fields live in widget annotations rather than the page content stream, so pdfminer's text pass missed them. They are now recovered for both the fast and hi_res strategies and emitted as elements alongside the content-stream text.

Fixes

  • Fix inferred/extracted layout merge skipping subregion removal for single-region pages: the rule that removes an inferred box overlapping an extracted region was gated on any(extracted_to_keep), which evaluated False when the only kept extracted region was at index 0. On single-region pages (e.g. a PDF whose only text is one filled form field) this left a duplicate element; the guard now checks the array size.

0.23.0

Enhancements

  • Add enrichment_origins metadata field for per-attribute model provenance: ElementMetadata gains a serialized enrichment_origins field mapping a written attribute name (e.g. text, text_as_html, embeddings) to a list of records {"type", "provider", "model"}, in application order. Enrichment producers stamp which model wrote (or contributed to) each attribute; authoring enrichments overwrite the list while additive ones append, preserving the prior author. A new ConsolidationStrategy.DICT_LIST_UNIQUE merges these dicts across elements during chunking (union keys, concatenate then dedupe records, preserving first-seen order).

0.22.34

Fixes

  • Keep extracted text aligned with rotated PDF page images in hi_res: when unstructured-inference rotates a rendered page image to make its text upright, the same rotation is now mirrored onto the pdfminer-extracted coordinates so the extracted-text layer and the object-detection layer share one coordinate frame and merge correctly. Previously the two layers could be off by the page's /Rotate, scattering extracted text in the merged output.

... (truncated)

Commits
  • cda16b3 fix: sanitize v2 HTML output to prevent stored XSS (GHSA-v5mq-3xhg-98m9) (#4394)
  • 445c957 refactor: centralize URL fetching with host validation and default timeouts (...
  • f6eea75 fix(ci): stabilize partition benchmark with a rolling-median baseline (#4375)
  • 37635f7 feat: derive category_depth from heading level in the v2 (ontology) HTML pars...
  • 5ead69a feat: extract filled AcroForm field text in PDF partitioning (#4372)
  • dacae2c feat: add enrichment origins metadata field (#4370)
  • dedf144 fix: keep extracted text aligned with rotated PDF page images in hi_res (#4367)
  • 19857c1 fix: stop decimating embedded text on dense PDF pages (#4368)
  • 620cde7 fix(hi_res): recover text inside PDF figure overlays (#4363)
  • 7c8f675 fix: rename isolate_tables chunking option to isolate_table (#4355)
  • Additional commits viewable in compare view

@dependabot @github

dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Bumps [unstructured](https://github.com/Unstructured-IO/unstructured) from 0.18.14 to 0.24.1.
- [Release notes](https://github.com/Unstructured-IO/unstructured/releases)
- [Changelog](https://github.com/Unstructured-IO/unstructured/blob/main/CHANGELOG.md)
- [Commits](Unstructured-IO/unstructured@unstructured_0.18.14...0.24.1)

---
updated-dependencies:
- dependency-name: unstructured
  dependency-version: 0.24.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/backend/unstructured-0.24.0 branch from 54c539f to 657f599 Compare July 14, 2026 03:14
@dependabot dependabot Bot changed the base branch from main to develop July 14, 2026 03:14
@dependabot dependabot Bot changed the title chore(deps-dev): bump unstructured from 0.18.14 to 0.24.0 in /backend build(deps-dev): bump unstructured from 0.18.14 to 0.24.1 in /backend Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants