gam: update to 7.40.00 and take maintainership
Take maintainership.
Changes since 7.38.00:
7.40.00
Updated gam print|show businessprofileaccounts (client access) to gam <UserTypeEntity> print|show businessprofileaccounts (service account access). You'll need to run gam user user at domain.com update serviceaccount and select 2) Business Account Management API.
7.39.08
Fixed bug in gam oauth create that caused a trap when 0) Business Account Management API was selected.
Upgraded to Python 3.14.4 on macOS and Windows; Linux is still 3.14.3.
7.39.07
Upgraded to OpenSSL 3.6.2.
[58 lines not shown]
sdl12-compat: updated to 1.2.76
1.2.76
This is a stable bugfix release, with the following changes:
Fixed Sacred Gold crash during initial loading screen, requires SDL 3.4.4
Fixed perl language binding test failures
rust: Avoid bootstrap sanity checks on SunOS.
This is untested due to gnulib fallout, but should fix issue where the illumos
bootstrap kit conflicts with the checks for m68k-netbsd, and avoids a patch.
buf: updated to 1.67.0
1.67.0
Fix LSP not skipping buf.build/docs links for lint rules from check plugins and policies.
Fix buf dep graph --format json silently dropping dependencies when a dependency was already seen.
Add support for --rbs_out as a protoc_builtin plugin (requires protoc v34.0+).
Add relevant links from CEL LSP hover documentation to either <celbyexample.com> or <protovalidate.com>
Add OpenBSD and FreeBSD release binaries for amd64 and arm64.
Skip writing unchanged output files in buf generate to preserve modification times
Update buf beta registry plugin delete to prompt the user for deletion, matching the UX of the other deletion commands. Use --force to restore the old behavior.
rclone: updated to 1.73.4
v1.73.4 - 2026-04-08
- Bug Fixes
- build
- Update to go 1.25.9 to fix multiple CVEs (Nick Craig-Wood)
- CVE-2026-32282: os: Root.Chmod can follow symlinks out of the root on Linux
- CVE-2026-32289: html/template: JS template literal context incorrectly tracked
- CVE-2026-33810: crypto/x509: excluded DNS constraints not properly applied to wildcard domains
- CVE-2026-27144: cmd/compile: no-op interface conversion bypasses overlap checking
- CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination
- CVE-2026-32288: archive/tar: unbounded allocation when parsing old format GNU sparse map
- CVE-2026-32283: crypto/tls: multiple key update handshake messages can cause connection to deadlock
- CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG
- CVE-2026-32280: crypto/x509: unexpected work during chain building
- CVE-2026-32281: crypto/x509: inefficient policy validation
- Fix Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder (dependabot[bot])
- Update golang.org/x/image to 0.38.0 to fix CVE-2026-33809 (dependabot[bot])
[7 lines not shown]
shfmt: updated to 3.13.1
3.13.1
- **cmd/shfmt**
- Add support for `[[zsh]]` in EditorConfig files
- Detect the shell variant from filenames like `.zshrc` and `.bash_profile`
- Fix `--apply-ignore` when used with explicit args
- **syntax**
- Revert an accidental change to how array subscripts are formatted
- Never join `;;` with the previous line when formatting
- Fix a bug where `$1[foo]` was parsed as a subscript in Zsh
- Correctly parse `$!` in double quotes in Zsh
- Allow indexing into special parameters in Zsh
- Allow parameter expansions with empty names in Zsh
- **interp**
- Test against Bash 5.3 and fix three new discrepancies
- Fix a few bugs related to `nameref` variables
- Avoid panics when user input encounters unimplemented features
python314 py314-html-docs: updated to 3.14.4
Python 3.14.4
Security
gh-145986: xml.parsers.expat: Fixed a crash caused by unbounded C recursion when converting deeply nested XML content models with ElementDeclHandler(). This addresses CVE 2026-4224.
gh-145599: Reject control characters in http.cookies.Morsel update() and js_output(). This addresses CVE 2026-3644.
gh-145506: Fixes CVE 2026-2297 by ensuring that SourcelessFileLoader uses io.open_code() when opening .pyc files.
gh-144370: Disallow usage of control characters in status in wsgiref.handlers to prevent HTTP header injections. Patch by Benedikt Johannes.
gh-143930: Reject leading dashes in URLs passed to webbrowser.open().
Core and Builtins
gh-148157: Fix an unlikely crash when parsing an invalid type comments for function parameters. Found by OSS Fuzz in 492782951.
gh-148144: Initialize _PyInterpreterFrame.visited when copying interpreter frames so incremental GC does not read an uninitialized byte from generator and frame-object copies.
gh-146615: Fix a crash in __get__() for METH_METHOD descriptors when an invalid (non-type) object is passed as the second argument. Patch by Steven Sun.
[188 lines not shown]
python313 py313-html-docs: updated to 3.13.13
Python 3.13.13
macOS
gh-144551: Update macOS installer to use OpenSSL 3.0.19.
gh-137586: Invoke osascript with absolute path in webbrowser and turtledemo.
Windows
gh-144551: Updated bundled version of OpenSSL to 3.0.19.
gh-140131: Fix REPL cursor position on Windows when module completion suggestion line hits console width.
Tests
gh-144418: The Android testbed’s emulator RAM has been increased from 2 GB to 4 GB.
gh-146202: Fix a race condition in regrtest: make sure that the temporary directory is created in the worker process. Previously, temp_cwd() could fail on Windows if the “build” directory was not created. Patch by Victor Stinner.
gh-144739: When Python was compiled with system expat older then 2.7.2 but tests run with newer expat, still skip test.test_pyexpat.MemoryProtectionTest.
[128 lines not shown]
hdf5: add mpi option
While here:
- ignore a file for shell checking because it's a bash script
- comment out unwrap SUBST block because it fails to do anything here
