p5-Mojolicious: update to 9.48.
9.48 2026-07-14
- Fixed a security issue where CSRF tokens were vulnerable to BREACH attacks. Tokens are now masked with a fresh
random value on every request, instead of being reused for the whole lifetime of a session.
9.47 2026-07-05
- Added support for the QUERY HTTP request method from RFC 10008.
- Added query and query_p methods to Mojo::UserAgent.
- Added query method to Mojolicious::Routes::Route.
- Added query method to Mojolicious::Lite.
- Added query_ok method to Test::Mojo.
- Fixed a security issue where the pure-Perl implementation of Mojo::JSON could exhaust all available memory when
decoding deeply nested data. Decoding is now limited to 512 levels of nesting, to match the default of
Cpanel::JSON::XS.
- Fixed a memory leak in Morbo. (heikojansen)
- Fixed Mojo::File::list_tree to no longer follow symbolic links to directories.
9.46 2026-06-04
[16 lines not shown]
p5-DBI: update to 1.651.
1.651 - 2026-07-14, H.Merijn Brand & Robert Rothenberg
* Fix inverted comparisons for strings in DBI::SQL::Nano (CVE-2026-15043)
* Document that IS NULL matches empty strings in DBI::SQL::Nano
* Fix DBD::File to ensure that the table is not a symlink outside of f_dir (CVE-2026-15392)
* Fix an out-of-bounds error when a statement handle has no fields but the source row is not empty (CVE-2026-60082)
* Add an overridable upper bound $MAX_PATH_DEPTH for DBI::ProfileData (CVE-2026-60081)
* *** WARNING: Next release will require perl-5.12 ***
toxic: update to 0.16.3
## Features
- Added a run option (`-N`) that allows the use of custom DHT
bootstrap lists
- The Python API now supports groupchat commands
## Bug Fixes
- The Python API /run command no longer segfaults and can now only be
invoked on .py files
- Fixed out of bounds pointer arithmetic in Python API
- Python API registered scripts no longer segfault
- Fixed some memory/file descriptor leaks in Python API
## Maintenance
- Python API now builds with newer versions of Python3
- Various improvements to Python API docs
kew: update to 4.2.2
- Clickable songs/folders.
- Current not supported in pkgsrc
- Scrollbar on lists.
- Faster seek on long files.
- Switched mp4 lib from minimp4 to libmp4 because Fedora doesn't accept the minimp4 license.
- .Mp4 file support.
- Always logs errors to ~/.local/state/kew/logs/error.log.
- Fixed two bugs on windows, small images and resize crash.
- Non-square covers are now correctly displayed.
- Fixed regression bug that affected gapless playback introduced in 4.1.8.
- Starts playing directories faster for people with big folders with unsorted files.
Now that bad144 handling is isolated to the places that care about it,
garbage-collect it from all of the various machine-dependent files that
have been cargo-culting it around needlessly for 20+ years.
Version bump to 11.99.7 because this changes the size of struct cpu_disklabel
on some platforms, and that structure is exposed in the module ABI.
py-urwid: updated to 4.0.4
Urwid 4.0.4
New features
* urwid.Colmns: re-calculate column_widths only if pack widgets changed
Bug fixes
* Fix IndexError in decompose_tagmarkup when a nested sublist is empty
Documentation
* Typing: partially annotate examples and fix annotations
* urwid.WidgetContainerMixin: return use protocol base class
py-svglib: updated to 2.0.2
2.0.2 (2026-06-18)
Supply-chain hygiene release — no code changes.
The 2.0.1 PyPI attestation was generated by a manual `workflow_dispatch` run
from `refs/heads/main` that raced ahead of the release event. As a result the
Sigstore certificate embedded in the PEP 740 attestation identified
`refs/heads/main` as the source rather than `refs/tags/v2.0.1`, making it
impossible to verify the package against the tagged commit. This release is
published exclusively via the `release: [published]` trigger so the attestation
identity is `refs/tags/v2.0.2`.
2.0.1 (2026-06-17)
Supply-chain hygiene release — no code changes.
This release replaces 2.0.0, which was published directly with `uv publish`
[26 lines not shown]
rumdl: update to 0.2.33.
0.2.33
Fixed
md044: stop flagging proper names inside bare URLs (5e9b51a)
md040: recognize file-extension fence labels as known languages (686ba20)
cli: replace unhelpful panic message with an actionable one (#717) (37ac880)
reflow: re-search cached inline-math after a dollar sign (a30a4f9)
reflow: support multiple backticks and optimize code span parsing (81944c5)
md013: stop reflow from starting lines with block markers (eebd18b)
Performance
reflow: implement cached match lookups to prevent quadratic suffix scanning (1cc8d2b)
0.2.32
[11 lines not shown]
textproc/xan: update to 0.60.0
Breaking
Renaming xan from --path to --root.
Renaming xan separate -T/--txt to -L/--lines.
Features
Adding xan count -c/--check-alignment & -H/--human-readable.
Adding xan sort -e -z/--compress.
Adding xan sample -g -S/--sorted.
Adding xan from -f=(json|ndjson) --model.
Adding xan cat rows -I/--intersection & -U/--union.
Adding xan top -g -S/--sorted.
Adding the sort, dedup, flatten & flat_map moonblade function.
Adding support for list & map columns when using xan from -f=parquet.
Fixes
[16 lines not shown]
misc/tui-journal: update to 0.17.0
Added
Provide Linux ARM64 release binaries
Changed
Return focus to the entries list when pressing Escape in the editor's normal mode
Improve JSON backend performance when assigning entry IDs and priorities
Rename misspelled theme cursor keys while retaining compatibility with existing themes
Use unique temporary files when opening entries in an external editor
Add operation and path context to backend I/O errors
Increase the minimum supported Rust version to 1.92.0
Switch release automation to tag-based releases and remove Aeruginous changelog tooling
Stop publishing Intel macOS release binaries
Fixed
Preserve an entry's original ID when undoing its deletion
net/xfr: update to 0.9.21
What's Changed
fix(tcp): resume partial regular writes and zero-copy sends from correct offset by @lance0 in #113
fix(server): clean up active test entry and metrics on abort/cancel/error by @lance0 in #114
fix(server,stats,diff): aggregate final TCP info, round RTT averages, flag zero-baseline regressions by @lance0 in #115
fix(output,ci,install): harden output and release paths by @lance0 in #116
fix(auth,serve,cli): LAN-158 + LAN-171 security hardening by @lance0 in #117
fix(protocol,probe,net): LAN-167 + LAN-168 protocol/probe validation by @lance0 in #118
fix(tui,config,main): LAN-163 + LAN-173 TUI/preset polish by @lance0 in #119
fix(misc): LAN-172 low-risk cleanups batch by @lance0 in #120
fix(protocol,tcp): harden version and receive teardown by @lance0 in #121
chore(tests): clean stale rate-limit timeout comment by @lance0 in #122
Bump actions/checkout from 6 to 7 by @dependabot[bot] in #109
Bump actions/cache from 5 to 6 by @dependabot[bot] in #111
Bump the rust-dependencies group across 1 directory with 6 updates by @dependabot[bot] in #112
fix: address post-release review regressions by @lance0 in #123
fix: LAN-161 pause channel closure busy-loop and unawaited QUIC tasks by @lance0 in #124
[7 lines not shown]
net/ttl: update to 0.21.0
v0.21.0
What's Changed
ci: harden workflow coverage and automation by @lance0 in #120
feat(update): allow disabling the update check (#110) by @lance0 in #122
v0.20.2
What's Changed
Bump docker/setup-buildx-action from 3 to 4 by @dependabot[bot] in #86
Bump docker/metadata-action from 5 to 6 by @dependabot[bot] in #87
Bump docker/setup-qemu-action from 3 to 4 by @dependabot[bot] in #88
Bump docker/login-action from 3 to 4 by @dependabot[bot] in #89
Bump docker/build-push-action from 6 to 7 by @dependabot[bot] in #90
fix: PMTUD correlation, lock ordering, and enrichment dedup by @lance0 in #104
fix: harden unsafe socket code against alignment UB and bad cmsg by @lance0 in #102
fix: harden CLI validation against panics and port overflow by @lance0 in #99
[17 lines not shown]
net/piratebay: update to 0.4.1
v0.4.1
No Changelog provided.
v0.4.0
What's Changed
feat: add ratatui TUI with search, categories, download and magnet copy by @tsirysndr in #21
v0.3.0
What's Changed
feat: add pure-rust torrent download with streaming by @tsirysndr in #18