shells/brush-shell: Update to v0.4.0
Some key highlights:
A meaningful step forward in bash compatibility.
Major bash language features are now implemented or substantially expanded,
e.g.: set -e, set -u, pipefail, failglob, the ERR trap, coprocesses, and a great deal more.
Improved robustness across edge cases.
Closed pipes, broken stdout, unusual file-descriptor states, non-UTF8 history files,
and platform corner cases are now handled gracefully.
A systematic audit also removed an entire class of avoidable failure modes.
Broader platform support. Using brush as a login shell on macOS is now supported,
Windows path handling is overhauled, FreeBSD, Android and 32-bit targets build cleanly again,
and wasm32-wasip2 is now exercised in CI.
A more capable interactive shell. Optional TOML config,
zsh-style preexec/precmd hooks, experimental terminal integration,
expanded readline-macro support, and many completion improvements.
API improvements and foundations for what's next. Scaffolding for
a winnow-based parser, a generic Shell<Extensions> for embedders,
[4 lines not shown]
gdal-lib: Enable support for reading GeoPDF
gdal-lib could previously write GeoPDF, but could not read it. bl3 on
poppler, as upstream's preferred choice of the possibities that are
already in pkgsrc. This make's gdal-lib's dependencies a bit heavier,
but it's not a large fractional increase.
Tested in that opening a GeoPDF in qgis did not crash or have other
bad behavior. While georeferencing was off, it's not clear if that is
a write-side issue.
audio/vorbis-tools: Update to 1.4.3
1.4.3 -- 2025-04-13
* Made sure utf8_decode() prototype is found by newer GCC.
* Plugged memleak when using vorbiscomment -c (#2328)
* Plugged memory leak in vorbiscomment param parsing.
* Added simple self test check.
* Updated ogg123 http transport to avoid depricated
CURLOPT_PROGRESSFUNCTION.
* Code cleanup and avoiding some reserved names breaking MSVC build.
* Introduced new configure option --enable-gcc-sanitazion for more
checks.
* Updated translation files and added initial Norwegian BokmAYl
translation.
* Changed oggenc to no longer assume output path ends in a file name
(CVE-2023-43361).
* Adjusted build rules to avoi link error on MacOSX.
* Dropped version number from documenation install path.
* Adjusted ogg123 to handle disappearing audio device more
[2 lines not shown]
net/ipv6calc: Update to version 4.4.0
General:
internal databases: update
IP2Location 8.7.0 related (relates to https://github.com/chrislim2888/IP2Location-C-Library/releases/tag/8.7.0
which has unfortunatly incompatible API changes)
ipv6calcweb/ipv6calcweb.cgi.in: add support for new fields in DB26 with 8.7.0
add support for additional data in DB26 usable with IP2Location >= 8.7.0
check IP2Location > 8.6.1 related compatibility/fallback
Extensions:
add option --has-feature <NAME>
py-pip-audit: updated to 2.10.1
2.10.1
Fixed a KeyError crash when an OSV vulnerability record contains an
affected entry that omits the optional ranges field
py-bleach: updated to 6.4.0
Version 6.4.0 (June 5th, 2026)
**NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future
releases including for security issues.**
See issue: `<https://github.com/mozilla/bleach/issues/698>`__
**Backwards incompatible changes**
* Dropped support for pypy 3.10.
**Security fixes**
* Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.
Fix XSS issue with sanitize_uri_value where disallowed schemes with
Unicode invisible characters wouldn't be rejected.
[28 lines not shown]
py-daphne: updated to 4.2.2
4.2.2 (2026-06-03)
* Fixed a denial of service vulnerability via unbounded WebSocket message sizes.
Daphne previously passed no message or frame size limits to autobahn,
whose defaults are unbounded. This allowed an unauthenticated client
to exhaust server memory by sending a very large WebSocket
messages/frames (CVE-2026-44545).
Both limits now default to 1 MiB and can be configured via the new
``--websocket-max-message-size`` and ``--websocket-max-frame-size`` CLI
flags (or the matching ``Server`` constructor arguments). Pass ``0`` to
restore the previous unlimited behaviour.
Thanks to ParkHyunWoo for the report.
* Fixed a header injection vulnerability on the WebSocket upgrade path
(CVE-2026-44546).
[12 lines not shown]
ldns: updated to 1.9.2
1.9.2 2026-06-10
* Fix to set VERSION_INFO to create .so.3 instead of .so.11 which will
be reserved for a future 1.10.0 release
1.9.1 2026-06-10
* Bugfix: Insufficient verification that responses belong to a
query (CVE-2026-10846). Thanks Pablo Ruiz from 'codecome.ai'