Our dependency SBOM was flagged for a vulnerability in 5.4.0 - this is pinned by Plone 6.1.4 constraints and it appears to be the last minor/bug release for that version of lxml. Is updating to lxml 6.1.0 a bad idea? If the next bug version of Plone 6.1 (or even 6.2) is going to upgrade lxml that is probably sufficient for us.
Side note, are there any docs for running tests on the whole Plone environment (all zope/plone packages, not just CMFPlone)? I know there was talk of moving tests in some packages outside of the src/ section so I'm not sure this is even possible without cloning it in a dev environment.
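An added check for the first question above (this is example code, not from the thread or from Plone): scan a pip-style constraints file for an `==` pin of a package and report it if the pinned version is older than a given minimum. The constraints text is a constructed sample, and the minimum version is an assumed argument (the thread does not name the advisory or its fixed version), so substitute your project's constraints.txt and the fixed version from the SBOM finding.

```python
# Added example, not part of the original thread: find '==' pins of a package
# in a constraints file that are below a minimum version. The constraints
# text below is constructed; the minimum version passed in is an assumption.
import re

# Constructed sample in the style of a pip constraints file.
SAMPLE_CONSTRAINTS = """\
# constraints.txt (constructed sample)
lxml==5.4.0
repoze.xmliter==1.0  ; python_version >= "3.9"
plone.exportimport==1.0.0
"""

# name==version, tolerating spaces; environment markers after ';' are ignored.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def parse_pins(text):
    """Return {normalized_name: version} for every '==' pin in constraints text."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing and full-line comments
        match = PIN_RE.match(line)
        if match:
            name = match.group(1).lower().replace("_", "-")
            pins[name] = match.group(2)
    return pins


def version_key(version):
    """Numeric tuple for ordering release versions; pre-release tags are ignored."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def pinned_below(text, package, minimum):
    """Return the pinned version of `package` if older than `minimum`, else None."""
    pins = parse_pins(text)
    pinned = pins.get(package.lower().replace("_", "-"))
    if pinned is None:
        return None
    return pinned if version_key(pinned) < version_key(minimum) else None


if __name__ == "__main__":
    # Assumed minimum: the first fixed version named in your SBOM finding.
    hit = pinned_below(SAMPLE_CONSTRAINTS, "lxml", "6.1.0")
    print("lxml pinned below minimum:", hit)
```

Run it against the real constraints.txt by reading the file into `pinned_below` instead of the sample string; a non-None result means the pin, not your own requirements, is what holds the older version in place.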
I meant how to run tests on Plone itself, I think the Makefile command only runs your project's tests? I was referring to this discussion where people were considering moving tests out of the wheels Pytest test structure? - #14 by gforcada. I don't see a resolution there, but at least on a couple packages I've looked at the tests are still included in the wheels.
I have bumped lxml from 6.0.2 to 6.1.0 in Plone 6.2 today, see PR 1088.
I won't update Plone 6.1 to use any lxml 6 version. Updating 6.2 earlier this year was hard enough, see some problems mentioned in PR 1070 and the links it contains. You can try it in your own project if you want, but you at least need the latest repoze.xmliter 2.0a2 as well.
To run the tests of all Plone packages, you can use the Plone core development buildout. It has "buildout" in the name, which is correct, but nowadays you don't have to use buildout here if you don't want to. Basically:
1. Clone the repository with git and go to that directory.
2. Run make test
There are more possibilities. I am updating the readme in PR 1085.
Actually, this does not run the tests of all core Plone packages, but most of them. Notable exceptions are the packages that use pytest and that have their tests outside of their src directory, for example plone.exportimport.