py-traitlets: updated to 5.15.0
5.15.0
Enhancements made
- Moved definitions of K and V outside of TYPE_CHECKING condition
- Accept integer-valued numbers for Integer
- Update `__new__` method to use Self type for improved type hinting
- Fix whitespace formatting in CLI help.
Bugs fixed
- Fix `traitlets.__all__`
- The --config option with absolute paths will be loaded only once.
- Avoid using `return t.cast` which can prevent attribute access during process teardown
- Suppress exceptions when closing handlers during `__del__`
py-bidi: updated to 0.6.9
0.6.9
* Rust extension declares ``gil_used = false`` so it runs under free-threaded (no-GIL) Python [Meir Kriheli]
* Added concurrent stress test for ``get_display`` under free-threaded builds [Meir Kriheli]
* CI: optional cp313t/cp314t wheel builds when setup-python provides those interpreters; free-threaded test job prefers 3.14t with 3.13t fallback [Meir Kriheli]
* CI: Intel macOS wheels now built on macOS 15 (replacing macOS 13) [Meir Kriheli]
* Use ``uv`` for nox virtualenvs; add ``uv.lock`` and document uv-based dev setup in README and CONTRIBUTING [Meir Kriheli]
* Set ``requires-python = ">=3.9"`` explicitly in ``pyproject.toml`` [Meir Kriheli]
0.6.8
* Added missing 3.14 build for Linux
rsync: updated to 3.4.2
rsync 3.4.2 (28 Apr 2026)
Changes in this version:
SECURITY RELATED:
Several security-relevant defects were reported and fixed since 3.4.1. None were assigned a CVE — rsync's fork-per-connection design scopes the impact of each of these to the attacker's own connection, which is equivalent to the client closing the socket itself — but they are fixed here as a matter of hygiene and to reduce the chances of a future exploitable combination. Many thanks to the external researchers who reported these issues.
Fixed a signed integer overflow in the PROXY protocol v2 header parser: a negative len field could bypass the size check and cause a stack buffer overflow in read_buf(). Reported by John Walker of ZeroPath.
Fixed an invalid access to the files array. Reported by Calum Hutton of Rapid7.
Reject negative token values in the compressed-stream token decoder; a negative value could cause callers to misinterpret a missing data pointer as literal data. Reported by Will Sergeant.
Fixed the element count passed to the xattr qsort() (see https://www.openwall.com/lists/oss-security/2026/04/16/2).
Fixed a buffer underflow in clean_fname(), and added a regression test.
[60 lines not shown]
rclone: updated to 1.74.1
v1.74.1 - 2026-05-08
Bug Fixes
bisync: Fix retryable without --resync error message when --resync has a critical failure (Gustavo V. F.)
build
Fix multiple CVEs by upgrading to go1.26.3 (Nick Craig-Wood)
CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum database
CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters
CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL byte on Windows
CVE-2026-42499: net/mail: quadratic string concatenation in consumePhrase
CVE-2026-39820: net/mail: quadratic string concatentation in consumeComment
CVE-2026-39819: cmd/go: "go bug" follows symlinks in predictable temporary filenames
CVE-2026-39817: cmd/go: "go tool pack" does not sanitize output paths
CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE
CVE-2026-39826: html/template: escaper bypass leads to XSS
CVE-2026-33811: net: crash when handling long CNAME response
CVE-2026-39823: html/template: bypass of meta content URL escaping causes XSS
[14 lines not shown]
timescaledb-tune: updated to 0.19.0
0.19.0
ci: derive TMPDIR from config path in integration tests
Bump work_mem recommendation and drop Windows-specific tuning
Add PG19 support to timescaledb-tune
py-textile: updated to 4.0.4
4.0.4
* Update supported python versions to include 3.13, and 3.14. Minimum support for pypy has increased to pypy3.11.
* Bugfixes:
** Allow text blocks with spaces around first and last newlines
py-coverage: updated to 7.14.0
Version 7.14.0 — 2026-05-10
- Feature: now when running one of the reporting commands, if there are
parallel data files that need combining, they will be implicitly combined
before creating the report. There is no option to avoid the combination; let
us know if you have a use case that requires it. Thanks, `Tim Hatch
<pull 2162_>`_. Closes `issue 1781`_.
- Fix: the output from ``combine`` was too verbose, listing each file
considered. Now it shows a single line with the counts of files combined,
files skipped, and files with errors. The ``-q`` flag suppresses this line.
The old detailed lines are available with the new ``--debug=combine`` option.
- Fix: running a Python file through a symlink now sets the sys.path correctly,
matching regular Python behavior. Fixes `issue 2157`_.
- Fix: ``Collector.flush_data`` could fail with "RuntimeError: Set changed
[10 lines not shown]
py-hypothesis: updated to 6.152.5
6.152.5 - 2026-05-10
This patch improves the Phase.explain phase so that simple cases like assert n1 == n2 no longer get a misleading # or any other generated value comment. Before falling back to random sampling, we now also try borrowing values from each other arg slice with matching shape.
6.152.4 - 2026-04-27
This patch fixes a rare internal error during Phase.explain introduced in version 6.149.0 for certain strategies.
6.152.3 - 2026-04-26
The hypothesis-urandom backend now reads from /dev/urandom with buffering disabled, which improves the control of those hooking /dev/urandom to change or read Hypothesis’s random decisions.
py-idna: updated to 3.14
3.14 (2026-05-10)
- Removed opportunity to process long inputs into quadratic
time by rejecting oversize inputs up-front. Closes a bypass
of the CVE-2024-3651 mitigation. [GHSA-65pc-fj4g-8rjx]
py-requests-cache: updated to 1.3.2
1.3.2
Update CachedResponse for compatibility with requests 2.34
If a request contains a header that is in both ignored_parameters and Vary (for example, Authorization + Vary: Authorization), always consider it a cache miss
Ignore + redact some additional common authentication headers + params by default
py-uv py-uv-build: updated to 0.11.13
0.11.13
Bug fixes
Include data files in editable builds
Respect --require-hashes when installing from pylock.toml files
Python
Add CPython 3.14.5
py-gobject3*: move pygobject-types.h to -common package
The header is included by pygobject.h, which is already
installed by the -common package.
Bump PKGREVISION.
