Bump bleach from 6.3.0 to 6.4.0

[dependabot]

Bumps bleach from 6.3.0 to 6.4.0.

Changelog

Sourced from bleach's changelog.

Version 6.4.0 (June 5th, 2026)

NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future releases including for security issues. See issue: <https://github.com/mozilla/bleach/issues/698>__

Backwards incompatible changes

• Dropped support for pypy 3.10. (#764)

Security fixes

• Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.

  Fix XSS issue with sanitize_uri_value where disallowed schemes with Unicode invisible characters wouldn't be rejected.

  For example::

  import bleach payload1 = 'Click' result1 = bleach.clean(payload1) print(repr(result1))

  outputs::

  'Click'

  See the advisory for details.

• Fix GHSA-gj48-438w-jh9v.

  Fix issue where URI sanitization wasn't happening in formaction attributes.

  See the advisory for details.

Bug fixes

• Add support for pypy 3.11. (#764)

• Drop version max in tinycss2 pin. (#772)

  This removes one of the things we had to keep checking and updating. Users now own the responsibility for correctness with the version of tinycss2 they're using.

Commits

• f0355a7 fix: fix last release date in CHANGES
• ae4e8a2 chore: bleach 6.4.0 and final release
• 970df58 fix: uri-sanitization in formaction attributes
• 7c4867c fix: xss bypass in allowed protocol test using unicode invisible characters
• 913ab75 fix: reduce redundancy in workflow jobs
• 218c15a fix: rework pip caching
• 4f0b097 fix: fix tox platform restrictions
• e95a79d chore: update pytest
• 91539d4 Bump actions/cache from 5.0.3 to 5.0.4
• cd47b4c fix: handle left-angle-bracket that's not a tag (#733)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

Thank you for your contribution @dependabot[bot] 🚀! Your github-pages is ready for download 👉 here 👈!
_{(The artifact expires on 2026-06-23T22:19:09Z. You can re-generate it by re-running the workflow here.)}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.62%. Comparing base (1189239) to head (22f1d45).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #840   +/-   ##
=======================================
  Coverage   98.62%   98.62%           
=======================================
  Files          56       56           
  Lines        2178     2178           
=======================================
  Hits         2148     2148           
  Misses         30       30           

Flag	Coverage Δ
unittests	98.62% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.