mariadb1011: Update to 10.6.27
This update fixes various stability and security issues.
Verified to build on NetBSD, FreeBSD, macOS, and Linux, with the
exception of mariadb1011-embedded (quite messy).
yt-dlp: updated to 2026.6.9
yt-dlp 2026.06.09
Important changes
The minimum supported versions of Deno, Node, and Bun have been raised.
The minimum required version of Deno is now v2.3.0; supported Node versions are v22 and up; Bun support has been deprecated and limited to versions 1.2.11 through 1.3.14.
Security
Usage of vulnerable conversions (e.g. %()s) with the --exec option is an all-too-common pitfall. To remedy this, --exec now only allows safe conversions in its command templates.
Most users can simply replace %(...)s with %(...)q in their --exec argument(s). Numeric conversions are unaffected by this change. Using unsafe conversions with --exec poses a significant security risk. Read more
[CVE-2026-50019] File Downloader cookie leak with curl
Impact is limited to users of --downloader curl; cookies are now properly passed to curl so that it respects their scope
[CVE-2026-50023] Dangerous file type creation via insufficient filename sanitization
Writing files with the extensions .desktop, .url, or .webloc is now only allowed in the context of --write-link functionality
[CVE-2026-50574] Arbitrary code execution via manifest downloads with aria2c
Impact is limited to users of --downloader aria2c
Support for downloading HLS and DASH formats with aria2c has been removed. Users affected by this change should migrate to use -N for concurrent fragment downloads via the native downloader
libtorrent-rasterbar: updated to 2.0.13
2.0.13
stricter basic auth handling for web seed
fix bug in tracker announcements involving i2p trackers
improve performance of disk job pool
fix race when removing an auto managed torrent
fix bug in post_download_queue() when a torrent complete
in create_torrent, store symbolic links according to BEP 47
strengthen peer encryption (obfuscation)
improve HTTP response parsing
optimize sanitization of symlinks when loading torrents
stricter checking of tracker URLs
fixed piece-picker accounting issue for filtered pieces
add setting for NAT-PMP lease duration
optimize v2 request sizes
fix socks5 issues
fix issue in loading v2 resume data merkle trees
chat/py-xmpppy: Update to 0.7.4
2026-06-09 0.7.4
================
- Fixed ``UnicodeDecodeError`` while logging large stanzas by using ``backslashreplace`` handler.
Thanks, @vthriller and @normanr.
- Improved compatibility with Python 2. Thanks, @vbontchev.
(math/R-dplyr) Updated 1.1.4 to 1.2.1, fix build against R 4.6.0
# dplyr 1.2.1
* dplyr is now fully compliant with the R C API (#7819).
# dplyr 1.2.0
## New features
* New `filter_out()` companion to `filter()`.
* Use `filter()` when specifying rows to _keep_.
* Use `filter_out()` when specifying rows to _drop_.
`filter_out()` simplifies cases where you would have previously used
a `filter()` to drop rows. It is particularly useful when missing
values are involved. For example, to drop rows where the `count` is
[376 lines not shown]
(math/R-reshape2) Updated 1.4.4 to 1.4.5
(pkgsrc)
- Fix build against R 4.6.0 by adding files/Makevar
(upstream)
# reshape2 1.4.5
* No longer uses non-API entry points (@kevinushey, #106).
* Other various fixes for `R CMD check` issues.
