py-dulwich: updated to 1.2.11
1.2.11 2026-07-16
* Let porcelain functions that consult the environment take an ``env``
argument overriding ``os.environ``. As a side effect ``tag_create`` now
honours ``GIT_COMMITTER_NAME``/``GIT_COMMITTER_EMAIL`` for the tagger line
and ``merge``/``revert`` honour ``GIT_AUTHOR_NAME``/``GIT_AUTHOR_EMAIL``,
matching git. (Jelmer Vernooij)
* Honour the ``core.worktree`` configuration option, so the working tree can
live somewhere other than the parent of the control directory. Relative
paths are resolved against the control directory, and ``core.bare`` and
``core.worktree`` are now rejected as incompatible. (Jelmer Vernooij)
* Clear ``core.bare`` when setting up a submodule's working tree.
``submodule_update`` cloned the submodule bare and then set
``core.worktree`` on it, leaving a configuration git considers invalid.
(Jelmer Vernooij)
[61 lines not shown]
py-ruff: updated to 0.15.22
0.15.22
Preview features
[pycodestyle] Add an autofix for E402
[refurb] Allow subclassing builtins in stub files (FURB189)
[ruff] Add rule to replace noqa comments with ruff:ignore (RUF105)
[ruff] Add rule to use human-readable names in ruff:ignore comments (RUF106)
[ruff] Add rule to use human-readable names in configuration selectors (RUF201)
Bug fixes
[flake8-pyi] Fix false positive in __all__ (PYI053)
Rule changes
[pylint] Ignore mutable type updates in redefined-loop-name (PLW2901)
[14 lines not shown]
p5-YAML-Syck: update to 1.47.
1.47 Jul 13 2026
[Security]
- Fix four libsyck memory-safety CVEs reachable from the default
YAML::Syck::Load() path on untrusted input with no special flags
(reported by Paul Johnson via CPANSec, PR #213):
- CVE-2026-57075 (CWE-125): out-of-bounds read in the base64 decoder
caused by signed-char indexing of the decode table on !!binary input
- CVE-2026-57076 (CWE-416): use-after-free of an anchor key string
shared between the node and the anchors table
- CVE-2026-57077 (CWE-125): one-byte out-of-bounds read in the lexer
newline scan during block-scalar parsing (incomplete-fix follow-on
to CVE-2025-11683)
- CVE-2026-13713 (CWE-416/CWE-415): use-after-free / double-free of an
anchor node on anchor redefinition, a remote-crash DoS from a
7-byte input
- Harden syck_base64dec() to bounds-check each read so it cannot run past
[32 lines not shown]
sysutils/dua-cli: update to 2.38.0
New Features
notify after interactive work when unfocused
Interactive scans, refreshes, deletion, and trash operations can take long
enough that users leave the terminal, but dua previously had no way to signal
completion without exiting the TUI.
Track terminal focus events and emit sanitized OSC 777 notifications only when
the terminal is unfocused. Include concise entry, byte, duration, and error
statistics, and add a notifications config section whose scan_finished and
delete_finished switches default to true.
shells/oh-my-posh: update to 29.31.1
v29.31.1
Bug Fixes
init: isolate strict init scripts (439202c)
zsh: keep the prompt on multi-line loop headers (4bda0c3)
v29.31.0
Features
segment: add Uno Platform support (de6ce37)
shell: add on-demand prompt repaint for zsh and pwsh (971e150), closes #7427
v29.30.0
Features
palette: support templates as color values (dc94c11), closes #7572
template: add .Executed global property (ede9d54), closes #7679
[27 lines not shown]
devel/gitpane: update to 0.9.1
[0.9.1] - 2026-07-14
Added
Custom keybindings. Define [[keybindings]] blocks in the config to bind a single key to a shell command that runs against the selected repository or worktree. Each binding takes a key, a command where {path} expands to the target directory, an optional placement that reuses the [open] vocabulary (command, inline, ask, split-window, new-window), and an optional desc shown in the ? help overlay. Keys already claimed by the built-in global actions stay reserved, a key a panel uses for navigation can be bound but then stops navigating that panel, and gitpane diagnostic lists the bindings that were loaded so a key that does not fire is easy to trace.
CI status on GitHub pull request rows. Each PR in the GitHub panel now shows its rolled-up checks result, fetched through gh's statusCheckRollup: a green ✓ when checks passed, a red ✗ when any failed, and a yellow ● while checks are still running. A PR with no checks shows nothing, and issues are unaffected. Failure takes precedence over a still-running or passing check, matching how GitHub itself summarizes a mixed run.
Right-click graph commits for quick actions including copying commit hashes, opening changed files, search, branch collapse, and graph filters. Filters can include or exclude branches, authors, refs, and first-parent view settings with visible all/none/invert controls and mouse or keyboard navigation.
[0.9.0] - 2026-07-09
Added
A GitHub panel that shows the selected repository's open issues and pull requests, fetched through the gh CLI so it reuses gh's authentication and needs no token of its own. It appears as an optional fourth panel only when the selected repository has a github.com origin with open items, and stays out of the way otherwise; press p to force it open on any repository, and turn it off entirely with [github] enabled = false. Select an item and press Enter to preview its body and comment thread, and for a pull request its file changes, then Enter again to open it in the browser. c cycles the list between open, all, and closed items, and the panel resizes by dragging its border like the others. When gh is missing, the origin is not on github.com, or the network is down, gitpane keeps its usual three panels with a clear message.
Changed
Darkened the selected-row background across the repository, changes, and GitHub panels so a selected row's title and dimmed metadata stay legible.
Updated crossbeam-epoch to 0.9.20 to clear RUSTSEC-2026-0204, an invalid pointer dereference advisory pulled in transitively through the directory walker.
Updated ratatui to 0.30.2 and the ignore crate to 0.4.27.
devel/cargo-edit: update to 0.13.13
v0.13.13 - 2026-07-15
Fixes
- (upgrade) Point single---verbose users to --verbose --verbose when more dependencies are hidden
v0.13.12 - 2026-07-14
Fixes
- (set-version) Error on -p invalid package names