yt-dlp: update to 2026.2.21.
Security: [CVE-2026-26331] Arbitrary command injection with the --netrc-cmd option
The argument passed to the command in --netrc-cmd is now limited to a safe subset of characters
Changelog
Core changes
cookies: Ignore cookies with control characters (#15862) by bashonly, syphyr
jsinterp
Fix bitwise operations (#15985) by bashonly
Stringify bracket notation keys in object access (#15989) by bashonly
Support string concatenation with + and += (#15990) by bashonly
Extractor changes
Add browser impersonation support to more extractors (#16029) by bashonly
Limit netrc_machine parameter to shell-safe characters by Grub4K
[42 lines not shown]
Update devel/objfw to 1.5
Legend:
* Changes of existing features or bug fixes
+ New features
ObjFW 1.4.4 -> ObjFW 1.5, 2026-02-22
+ Adds OFColorSpace and adds support for color spaces to OFColor. Supports
sRGB, linear sRGB, BT.709, Display-P3, linear Display-P3, BT.2020, linear
BT.2020, Adobe RGB and linear Adobe RGB.
+ Adds OFImage to store an image in various pixel formats and color spaces.
+ Adds OFCanvas to create (draw) images, including bilinear image scaling and
alpha blending in linear color space and pixel format and color space
transformations when source and destination use a different pixel format
and/or color space.
+ Adds OFImageFormatHandler as a generic interface to handle image formats
including a registry for image formats so that it can be extended by 3rd
parties.
+ Adds an OFImageFormatHandler for BMP and QOI images.
[66 lines not shown]
libgcrypt: updated to 1.12.1
Noteworthy changes in version 1.12.1 (2026-02-20)
* Bug fixes:
- Fix for aSmartOS (Solaris) build problem due to AVX2 changes.
- Fix a regression in gcry_mpi_ec_curve_point.
- Make sure to have MPI limbs pre-allocated in ECC and fix
Weierstrass curve use with PUBKEY_FLAG_PARAM.
* Other:
- Add MPI configuration for NetBSD m68k.
Appease clang not liking ","+len:
error: adding 'size_t' (aka 'unsigned long') to a string does not append
to the string [-Werror,-Wstring-plus-int]
note: use array indexing to silence this warning
doc/pkg-vulnerabilities: add rails eol and clean up
* Tweak package names for older Ruby on Rails pacakges.
* Add eol for Ruby on Rails packages 7.0 and 7.1.
* Add php81* with eol.
slumber: update to 5.1.0.
## [5.1.0] - 2026-02-20
### Added
- Add `mime_overrides` config field to modify response `Content-Type` [#721](https://github.com/LucasPickering/slumber/issues/721)
### Changed
- Upgrade to Rust 1.90
- Sidebar now only closes with the toggle keybind (`s`)
- Pressing `Enter`/`Esc` on the Profile/History sidebars will revert to the Recipe sidebar
### Fixed
- Fix request being persisted incorrectly when changing collections while in-flight
- Fix Exchange pane fullscreening as the Profile pane if the Profile list was the last opened sidebar
py-werkzeug: update to 3.1.6.
Version 3.1.6
-------------
Released 2026-02-19
- ``safe_join`` on Windows does not allow special devices names in
multi-segment paths. :ghsa:`29vq-49wr-vm6x`
py-textual: update to 8.0.0.
The major version change is due to changing Select.BLANK to Select.NULL, to avoid an unfortunate name clash.
[8.0.0] - 2026-02-16
Added
Added mode argument to push_screen and push_screen_wait to enable pushing a screen to a non-active mode #6362
Added App.mode_change_signal and App.screen_change_signal #6362
Added Tabs.get_tab #6362
Added Catppuccin Frappe and Macchiato themes #6335
Changed
It is no longer a NOOP and warning to dismiss a non-active screen. The dismiss will still work, but the screen may not update if the current mode is not active. #6362
Added 50ms delay when switching screens to allow state to udpate and prevent janky flash of old content #6362
Breaking change: Changed Select.BLANK to Select.NULL to avoid clash with newer Widget.BLANK Classvar #6374
py-ruff: update to 0.15.2.
Preview features
Expand the default rule set (#23385)
In preview, Ruff now enables a significantly expanded default rule set of 412 rules, up from the stable default set of 59 rules. The new rules are mostly a superset of the stable defaults, with the exception of these rules, which are removed from the preview defaults:
multiple-imports-on-one-line (E401)
module-import-not-at-top-of-file (E402)
module-import-not-at-top-of-file (E701)
multiple-statements-on-one-line-semicolon (E702)
useless-semicolon (E703)
none-comparison (E711)
true-false-comparison (E712)
not-in-test (E713)
not-is-test (E714)
type-comparison (E721)
lambda-assignment (E731)
ambiguous-variable-name (E741)
[50 lines not shown]
py-pylint: update to 4.0.5.
False Positives Fixed
---------------------
- Fix possibly-used-before-assignment false positive when using self.fail() in tests.
- Fixed false positive for ``logging-unsupported-format`` when no arguments are provided to logging functions.
According to Python's logging documentation, no formatting is performed when no arguments are supplied, so strings like ``logging.error("%test")`` are valid.
- Fix a false positive for ``invalid-name`` where a dataclass field typed with ``Final``
was evaluated against the ``class_const`` regex instead of the ``class_attribute`` regex.
- Avoid emitting `unspecified-encoding` (W1514) when `py-version` is 3.15+.
Other Bug Fixes
---------------
[5 lines not shown]
py-puremagic: update to 2.0.0.
Version 2.0.0
-------------
- Adding deep scan for improved accuracy #102 #94 #85 #70 #69 #12 #3
- Changing to full semantic versioning to be able to denote bugfixes vs minor features
- Changing to use uv instead of requirements
- Removing support for python 3.7, 3.8, 3.9, 3.10 and 3.11 please stick to 1.x release chain to support older versions
