libffi: updated to 3.7.0
3.7.0 adds three new public interfaces (ffi_call_plan_alloc,
ffi_call_plan_invoke, ffi_call_plan_free) additively, with no
existing interface removed or changed. Per the libtool rules:
increment current, reset revision, increment age (11:1:3 -> 12:0:4).
This keeps the change ABI backward-compatible; the soname stays
libffi.so.8 (current - age = 8).
py-testfixtures: updated to 12.3.0
12.3.0 (8 Jul 2026)
- Added :doc:`pydantic <pydantic>` support: a :func:`comparer <testfixtures.pydantic.compare_basemodel>`
for :class:`~pydantic.BaseModel` is automatically registered, and the ``testfixtures[pydantic]``
extra installs a compatible version.
- Added :class:`ReprComparison` and :func:`repr_like` for asserting an object's type along with its
:func:`repr`.
- Added :class:`StrComparison` and :func:`str_like` for asserting an object's type along with its
:class:`str`.
- Added :func:`mapping`, the typed helper for :class:`MappingComparison`.
- :func:`like` now accepts a regular expression, as a string or a compiled :class:`re.Pattern`,
returning a :class:`TextComparison` typed as a :class:`str`. :class:`TextComparison` can also
now be built directly from a compiled :class:`re.Pattern`.
[9 lines not shown]
py-flask-caching: updated to 2.4.1
2.4.1
- Use ``pallets_sphinx_themes`` for the documentation.
- Type ``CachedResponse.__init__`` so it doesn't trigger mypy ``[no-untyped-call]``
in strict downstream codebases. :issue:`628`
- Docs: clarify that ``@memoize`` uses ``repr(obj)``
(or ``__caching_id__``) for the ``self``/``cls`` identity, not Python's
:func:`id`. :issue:`555`
- Fix test failure with pytest 9.1. :issue:`651`
py-asn1: updated to 0.6.4
0.6.4, released 08-07-2026
- CVE-2026-59885 (GHSA-8ppf-4f7h-5ppj): Fixed quadratic time
complexity in the OBJECT IDENTIFIER and RELATIVE-OID decoders.
A small crafted substrate encoding many arcs could consume
excessive CPU. Arcs are now accumulated in linear time; decoded
values are unchanged (thanks for reporting, tynus2)
- CVE-2026-59884 (GHSA-m4p7-r5rc-7g4j): Limited BER long-form tag
IDs to 20 octets (140 bits), matching the OID arc limit introduced
in 0.6.2. Unbounded tag IDs allowed a crafted substrate to consume
excessive CPU and memory; longer tag IDs are now rejected with
PyAsn1Error. Also fixed Tag and TagSet repr() failing on huge tag
(thanks for reporting, mikeappsec)
IDs due to the integer-to-string conversion limit (Python 3.11+)
- CVE-2026-59886 (GHSA-hm4w-wwcw-mr6r): Fixed excessive memory and
CPU consumption in Real.__float__() for values with large base-10
exponents. Conversion no longer materializes huge intermediate
[7 lines not shown]