firefox140: update to 140.10.1
Mozilla Foundation Security Advisory 2026-36
Security Vulnerabilities fixed in Firefox ESR 140.10.1
Announced
April 28, 2026
Impact
high
Products
Firefox ESR
Fixed in
Firefox ESR 140.10.1
CVE-2026-7320: Information disclosure due to incorrect boundary conditions in the Audio/Video component
Reporter
Xuehao Guo
[45 lines not shown]
dasel: update to 3.8.1.
install man pages and shell completion
## [v3.8.1] - 2026-04-30
- `dasel man` now generates a reproducible manpage based on [SOURCE_DATE_EPOCH](https://reproducible-builds.org/specs/source-date-epoch).
sysutils/upower: update to 1.91.2
# upstream changes (since 1.90.9)
Version 1.91.2
--------------
Released: 2026-04-01
- Feature: Skip the systemd inhibitor when performing CriticalPowerAction (!309)
- Feature: Introduce "Auto" CriticalPowerAction using systemd-logind Sleep() (!309)
- Fix: Test CanPowerOff() availability before calling PowerOff() (!311)
- Fix: Add charge limit support for systems providing only charge_control_end_threshold (!310, #342, #285)
Version 1.91.1
--------------
Released: 2026-02-10
- Fix: a resource leak (!294)
- Fix: a NULL exception caused by a Non-NULL GError pointer (!295, #331)
[31 lines not shown]
glib2: avoid false g_module_symbol() failures on NetBSD
On NetBSD, do not turn a non-NULL dlsym() result into a
g_module_symbol() failure only because dlerror() has a non-NULL value.
POSIX specifies that it is implementation-defined whether dlerror()
is thread-safe:
https://pubs.opengroup.org/onlinepubs/9799919799/functions/dlerror.html
as already noted in gmodule-dl.c comments.
On NetBSD, dlerror(3) state is process-global and not thread-safe,
so a non-NULL dlerror() value is not a reliable reason to reject
a non-NULL dlsym() result. Marking dlerror() as not thread-safe
in GLib by DLERROR_IS_THREADSAFE=0 would only serialize GLib's
own dynamic linker calls and would not protect against dynamic
linker calls made outside GLib.
POSIX also specifies that dlsym() returns a null pointer if the
symbol cannot be found. However, glibc documents cases where
[8 lines not shown]
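The failure mode described in the glib2 message above, as an added example (not GLib's code and not the pkgsrc patch): a strict check that rejects a valid dlsym() result because an unrelated lookup left a dlerror() message pending, beside a tolerant check that trusts the non-NULL pointer. All function names are hypothetical, and the interfering call is simulated in a single thread with a constructed symbol name.

```c
/* Added illustration; not GLib or pkgsrc code. All names are hypothetical. */
#include <dlfcn.h>
#include <stddef.h>

/* Stands in for a failed lookup made by another thread or library between
 * our dlsym() and our dlerror() call; it leaves an error message pending. */
static void unrelated_failed_lookup(void *handle)
{
    (void)dlsym(handle, "constructed_missing_symbol_for_demo");
}

/* Strict policy: any pending dlerror() message turns the lookup into a failure. */
static void *lookup_strict(void *handle, const char *name, void (*interleave)(void *))
{
    (void)dlerror();                      /* clear older error state */
    void *sym = dlsym(handle, name);
    if (interleave)
        interleave(handle);               /* simulated concurrent linker call */
    return dlerror() != NULL ? NULL : sym;
}

/* Tolerant policy: a non-NULL dlsym() result is accepted as success;
 * dlerror() is drained, but only a NULL result counts as failure. */
static void *lookup_tolerant(void *handle, const char *name, void (*interleave)(void *))
{
    (void)dlerror();
    void *sym = dlsym(handle, name);
    if (interleave)
        interleave(handle);
    (void)dlerror();                      /* message may belong to someone else */
    return sym;
}

/* Bit 0: strict, no interference; bit 1: strict, with interference;
 * bit 2: tolerant, with interference; bit 3: tolerant, missing symbol. */
int demo(void)
{
    void *self = dlopen(NULL, RTLD_NOW);  /* main program and its dependencies */
    if (self == NULL) return -1;
    int r = 0;
    r |= (lookup_strict(self, "malloc", NULL) != NULL) << 0;
    r |= (lookup_strict(self, "malloc", unrelated_failed_lookup) != NULL) << 1;
    r |= (lookup_tolerant(self, "malloc", unrelated_failed_lookup) != NULL) << 2;
    r |= (lookup_tolerant(self, "constructed_missing_symbol_for_demo", NULL) != NULL) << 3;
    dlclose(self);
    return r;
}

int main(void) { return demo() == 5 ? 0 : 1; }
```

On older glibc the program needs `-ldl` at link time.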
graphics/lcms2: Explain upstream's (very unclear) cmake status
I asked upstream a bunch of questions just now. For now, avoid
jumping to cmake because 1) upstream hasn't said it's baked and 2)
usually new cmake systems have regressions and this one hasn't been
tested.
py-test-order: updated to 1.4.0
1.4.0
Allows the plugin to run after `--failed-first` and similar options.
Changes
* removed official support for Python 3.7-3.9 (EOL), added Python 3.13 and 3.14
New features
* added option `--order-after-ff`, which allows running `pytest-order` after built-in hooks
like the `--failed-first` option
Infrastructure
* use trusted publisher for release (see https://docs.pypi.org/trusted-publishers/)
* use `pyproject.toml` for project setup
Documentation
* use a theme for documentation supporting dark mode
* added use case for ordering test modules
* fixed documentation for `--indulgent-ordering` option
py-test-codspeed: updated to 4.5.0
4.5.0
Internals
Pre-build macos binary
Bump instrument-hooks submodule to use int32_t as pid
Add macos integration test
graphics/lcms: Drop MAINTAINERship
(Note that this is lcms-1, last released in 2009. It is a deletion
candidate, but there are multiple (surely unmaintained) packages
depending on it.)
mimalloc: updated to 3.3.2
3.3.2
various bug and security fixes through LLM audit (by @Zoxc). Only increase
minimal purge size automatically if allow_thp is set to 2. Enable large OS
alignment on all platforms (fixing OS large pages on Windows). Fix accounting
of committed memory on Linux/macOS. Update MSVC atomics implementation when
using C mode. Upstream Emscripten fixes. Proper atomic do-once implementation.
buf: updated to 1.69.0
1.69.0
- Increase check plugin WASM memory limits to 1GiB.
- Fix LSP stale diagnostics persisting after a file is closed or deleted.
- Fix handling of unprefixed newlines in block comments.
- Add LSP code lenses for `buf.gen.yaml` files: "Run buf generate" and "Check for plugin updates".
- Add LSP warnings for `lint.ignore` and `breaking.ignore` paths in `buf.yaml` that do not match any file in the workspace.
py-pip: updated to 26.1
26.1 (2026-04-26)
Deprecations and Removals
- Drop support for Python 3.9.
Features
- Add experimental support to read requirements from standardized pylock.toml files (``-r pylock.toml``).
- Allow ``--uploaded-prior-to`` to accept a duration in days (e.g., ``P3D`` for 3 days ago).
Enhancements
- Speed up dependency resolution when there are complex conflicts.
- Reduce memory usage when resolving large dependency trees.
- Emit a deprecation warning when pip imports an unexpected module after
installation of a distribution has started.
[30 lines not shown]
ham/hamlib: Update to 4.7.1
Upstream NEWS, less bugfixes and minor improvements:
Version 4.7.1
* 2026-04-15
* Add power off capability to Flrig backend. (TNX Philip Rose)
* New simplecat backend. Supports Bunzee Labs DDX. (TNX Dhiru Kholia)
* Add new rig model Harris PRC-138. (TNX Antonio Regazzoni)
textproc/rucula: update to 0.9.0
Release Notes
Added an additional configuration option that allows users to freely customize the columns shown in the select screen and their headers.
This also adds the new, optional columns 'Score' and 'LastModified' (and technically 'Shuffle', which doesn't show anything).
Also added the option to manually sort by score after another sorting option had been chosen with an active filter.
The tag list is now also navigable with the arrow keys.
PageUp and PageDown can now be used to move by 10 lines in the select screen and the tag list.
Replaced several icons that used to require an installed Nerd font with their unicode counterparts to increase readability.
Updated several dependencies to fix security issues.
Updated dependencies to allow configuration files to use newer TOML versions.
Fixed a bug that caused the vault path to not get corrected when a malformed config file was detected, thus crashing the program instead of displaying an error message.
Rucola now detects when $EDITOR or the editor configuration option are set to the empty string and ignores them in this case.
When falling back to the open crate, rucola now uses the first command (xdg-open) instead of the last command (kde-open).
This should reduce the amount of users for whom rucola will crash when running with neither editor nor $EDITOR set.
Added a nix flake for direct installation on NixOS as well as installation instructions.