devel/ruby-simplecov: update to 1.0.2
1.0.0 (2026-07-12)
Changes are too many to write here, please refer:
<https://github.com/simplecov-ruby/simplecov/releases/tag/v1.0.0> in detail.
1.0.1 (2026-07-14)
* Code coverage for Ruby with a powerful configuration library and
* automatic merging of coverage across test suites.
1.0.2 (2026-07-18)
* Bump ruby/setup-ruby from 1.315.0 to 1.316.0 by @dependabot[bot] in #1229
* Bump step-security/harden-runner from 2.19.4 to 2.20.0 by @dependabot[bot]
in #1230
devel/ruby-io-event: upddate to 1.19.2
1.19.2 (2026-07-12)
* Use rb_process_status_for when available to construct URing process_wait
results directly from waitid, avoiding the extra reap syscall previously
needed to build a Process::Status.
devel/ruby-bindata: update to 3.0.0
3.0.0 (2026-07-13)
* Ruby 2.x now has its own separate branch.
* Namespacing now uses Ruby modules, rather than prefixes.
* Added class names to dynamically generated ints and bits.
* Forward keyword arguments. Thanks to Simon Coffey.
Update to nabud-1.4.2. Upstream changes:
- Return ENOENT, not EIO, for NHACP's LIST-DIR on an empty directory.
- Fix an assertion in the storage extension layer when attempting to
open a file / URL that does not exist.
devel/anonymous_loader: add version 0.1.3
This package is required by ruby-oauth-tty 1.0.13.
AnonymousLoader
AnonymousLoader evaluates Ruby source files inside fresh anonymous modules.
It is useful when a tool needs to inspect or reuse code that declares
constants whose top-level names may collide with the host process.
The loaded source keeps its normal constant nesting, but that nesting starts
inside the returned anonymous namespace. For example, source that declares
Auth::Sanitizer becomes namespace::Auth::Sanitizer, and does not create
Object::Auth.
AnonymousLoader can load explicitly named files, or resolve a file using
RubyGems metadata with a $LOAD_PATH fallback. The fallback is intended for
Bundler standalone and similar environments where code is loadable but a gem
is not visible through Gem.loaded_specs or the normal RubyGems index.
geography/proj-doc: Work around upstream CM problems
Upstream seems to replace the documentation pdf, even though it is at
a URL which should be stable. Work around this by uploading the pdf
to ftp.n.o and using that to fetch from.
No PKGREVISION, as the package is unchanged for those who had the bits
specified by hash in distinfo. It's just that now others get those
bits.
lang/ruby33: update to 3.3.12
pkgsrc change: stop installing obsolete ChangeLog.
Note: erb's security problem was already fixed with ruby33-3.3.11nb2.
3.3.12 (2026-07-16)
What's Changed
This release includes the following security fixes.
* CVE-2026-41316: ERB @_init deserialization guard bypass via def_module /
def_method / def_class
This release updates the default gem erb to 4.0.3.1 and the bundled gem
net-imap to 0.4.25. The net-imap update fixes CVE-2026-42245,
CVE-2026-42246, CVE-2026-42256, CVE-2026-42257, CVE-2026-42258,
[3 lines not shown]
lang/ruby40: update to 4.0.6
pkgsrc change: stop installing obsolete ChangeLog.
4.0.6 (2026-07-14)
What's Changed
* Bug #22070: Thread.each_caller_location(1, 1) segfaults when called from a
cfunc
* Bug #22075: heap-use-after-free in rb_vm_ci_lookup under parallel Ractors
* Bug #22076: defined? returns nil for protected methods defined in a module
even when callable
* Bug #22072: [BUG] should have cvar cache entry
* Bug #22074: YJIT misaligns locals when there are > 256 local variables
* Bug #22064: GC compaction breaks compare-by-identity sets
* Bug #22084: invokesuper from define_method in Ractor can call wrong super
method or crash
[37 lines not shown]
www/php-ja-wordpress: update to 6.9.5
6.9.5 (2026-7-17)
This is security release fixes these
* A facilitated SQL injection issue reported as a team by TF1T, dtro, and
haongo. (CVE-2026-60137 / GHSA-fpp7-x2x2-2mjf)
* A REST API batch-route confusion and SQL injection issue leading to Remote
Code. (CVE-2026-63030 / GHSA-ff9f-jf42-662q)
www/wordpress: update to 6.9.5
6.9.5 (2026-7-17)
This is security release fixes these
* A facilitated SQL injection issue reported as a team by TF1T, dtro, and
haongo. (CVE-2026-60137 / GHSA-fpp7-x2x2-2mjf)
* A REST API batch-route confusion and SQL injection issue leading to Remote
Code. (CVE-2026-63030 / GHSA-ff9f-jf42-662q)