nodejs: updated to 25.8.0
25.8.0
Notable Changes
- build, doc: use new api doc tooling (flakey5)
- (SEMVER-MINOR) sqlite: add limits property to DatabaseSync (Mert Can Altin)
- (SEMVER-MINOR) src: add C++ support for diagnostics channels (RafaelGSS)
- (SEMVER-MINOR) src,permission: add --permission-audit (RafaelGSS)
- (SEMVER-MINOR) test_runner: expose worker ID for concurrent test execution (Ali Hassan)
python310 py310-html-docs: updated to 3.10.20
Python 3.10.20
Security
gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650).
gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs.
gh-143925: Reject control characters in data: URL media types.
gh-143919: Reject control characters in http.cookies.Morsel fields and values.
gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters.
gh-142145: Remove quadratic behavior in xml.minidom node ID cache clearing. In order to do this without breaking existing users, we also add the ownerDocument attribute to xml.dom.minidom elements and attributes created by directly instantiating the Element or Attr class. Note that this way of creating nodes is not supported; creator functions like xml.dom.Document.documentElement() should be used instead.
gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser.
gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran.
gh-136065: Fix quadratic complexity in os.path.expandvars().
gh-119451: Fix a potential memory denial of service in the http.client module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.
gh-119452: Fix a potential memory denial of service in the http.server module. When a malicious user is connected to the CGI server on Windows, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.
gh-119342: Fix a potential memory denial of service in the plistlib module. When reading a Plist file received from an untrusted source, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.
[10 lines not shown]
python311 py311-html-docs: updated to 3.11.15
Python 3.11.15
Security
gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650).
gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs.
gh-143925: Reject control characters in data: URL media types.
gh-143919: Reject control characters in http.cookies.Morsel fields and values.
gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters.
gh-142145: Remove quadratic behavior in xml.minidom node ID cache clearing. In order to do this without breaking existing users, we also add the ownerDocument attribute to xml.dom.minidom elements and attributes created by directly instantiating the Element or Attr class. Note that this way of creating nodes is not supported; creator functions like xml.dom.Document.documentElement() should be used instead.
gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser.
gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran.
gh-136065: Fix quadratic complexity in os.path.expandvars().
gh-119451: Fix a potential memory denial of service in the http.client module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.
gh-119452: Fix a potential memory denial of service in the http.server module. When a malicious user is connected to the CGI server on Windows, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.
gh-119342: Fix a potential memory denial of service in the plistlib module. When reading a Plist file received from an untrusted source, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.
[10 lines not shown]
python312 py312-html-docs: updated to 3.12.13
Python 3.12.13
Security
gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650).
gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs.
gh-143925: Reject control characters in data: URL media types.
gh-143919: Reject control characters in http.cookies.Morsel fields and values.
gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters.
gh-142145: Remove quadratic behavior in xml.minidom node ID cache clearing. In order to do this without breaking existing users, we also add the ownerDocument attribute to xml.dom.minidom elements and attributes created by directly instantiating the Element or Attr class. Note that this way of creating nodes is not supported; creator functions like xml.dom.Document.documentElement() should be used instead.
gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser.
gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran.
gh-136065: Fix quadratic complexity in os.path.expandvars().
gh-119451: Fix a potential memory denial of service in the http.client module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.
gh-119452: Fix a potential memory denial of service in the http.server module. When a malicious user is connected to the CGI server on Windows, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.
gh-119342: Fix a potential memory denial of service in the plistlib module. When reading a Plist file received from an untrusted source, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.
[5 lines not shown]
nginx nginx-devel: updated to 1.28.2 and 1.29.5
nginx-1.28.2 stable and nginx-1.29.5 mainline versions have been released, with
a fix for the SSL upstream injection vulnerability (CVE-2026-1642).
py-sqlalchemy: updated to 2.0.48
2.0.48
engine
[engine] [bug]
Fixed a critical issue in Engine where connections created in conjunction with the DialectEvents.do_connect() event listeners would receive shared, mutable collections for the connection arguments, leading to a variety of potential issues including unlimited growth of the argument list as well as elements within the parameter dictionary being shared among concurrent connection calls. In particular this could impact do_connect routines making use of complex mutable authentication structures.
py-tifffile: updated to 2026.3.3
2026.3.3
- Pass 5137 tests.
- Do not convert TVIPS pixel sizes to m.
- Support writing packed integers with imagecodecs > 2026.1.14.
- Support reading ccitt compressed images with imagecodecs > 2026.1.14.
flameshot: update to 13.3.0
New in version 13:
Package maintainers can compile out the update checker using -DDISABLE_UPDATE_CHECKER.
The pixelation feature has been replaced with a new "secure" implementation that only uses pixels outside of the area to be redacted.
Pinned images can now be rotated.
A grim based screenshot adapter has been added to work with more wlroots Wayland compositors. Users can enable this in settings.
Users can symmetrically resize (holding Shift) and preserve aspect ratio (using Ctrl) while resizing.
Pinned images can have a transparency effect applied.
A grid can be optionally enabled via the sidebar, and users can have their annotations snap to grid.
SingleApplication dependency has moved to KdSingleApplication to work around a Qt SharedMemory bug.
New dateformat of %d-%m-%Y has been added.
New option to prompt user before exiting has been added to config.
JPEG quality option has been added.
Enable saving HEIF/HEIC when supported by 3rd party plug-ins.
Kde-connect share integration. (needs more testing)
Add Shortcut to Cancel current selection using Ctrl+Backspace
Pinned images now have a window titled flameshot-pin.
Separate tool size for the tools.
[11 lines not shown]
print/zathura: set BUILDLINK_API_DEPENDS.zathura>=2026.02.22
We missed the API and ABI bump at version 0.5.8. The API and ABI versions
are exposed to zathura plugins, so to be safe adjust the API version to
match the latest update to zathura-2026.02.22.
Discussed on tech-pkg.
print/mupdf: update to mupdf-1.27.2
Patches updated:
patches/patch-Makelists:
"Fix compiling with a pre-c++20 compiler" has been addressed
by upstream in a similar way, by testing whether USE_ZXINGCPP
is set.
patches/patch-source_fitz_stext-search.c:
Since we don't use the thirdparty libraries from MuPDF, MuPDF
needs include/mujs/regexp.h from lang/mujs. Please see the
post-install target in lang/mujs/Makefile.
List of changes in MuPDF 1.27
New and updated documentation! Build local HTML and Markdown
[94 lines not shown]