jq: update to 1.8.2.
Security fix release.
Ok leot@
# 1.8.2
This is a patch release with security fixes and bug fixes since 1.8.1, along with new builds for Windows arm64 and Docker arm/v7.
Full commit log can be found at <https://github.com/jqlang/jq/compare/jq-1.8.1...jq-1.8.2>.
## Security fixes
- CVE-2026-32316: Fix heap buffer overflow in `jvp_string_append` and `jvp_string_copy_replace_bad`.
@itchyny e47e56d226519635768e6aab2f38f0ab037c09e5
- CVE-2026-33947: Limit path depth to prevent stack overflow in `jv_setpath`, `jv_getpath`, `jv_delpaths`.
@itchyny fb59f1491058d58bdc3e8dd28f1773d1ac690a1f
- CVE-2026-33948: Fix NUL truncation in the JSON parser.
@itchyny 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b
[88 lines not shown]
(devel/R-pkgload) Updated 1.4.0 to 1.5.3, this is needed for fixing R-devtools packaging
# pkgload 1.5.3
* When reloading a package, `load_all()` now runs the unload hooks of the
previously loaded package (`.onUnload()` and user hooks registered with
`setHook()`), whether it was loaded with pkgload or regularly. The old
namespace and its DLL are still kept loaded so that dangling references
continue to work, and errors thrown from `.onUnload()` are demoted to
warnings so that they can't prevent reloading (#253).
# pkgload 1.5.2
* Better handling of S7 topics (#332).
# pkgload 1.5.1
* Fixes for CRAN checks.
[23 lines not shown]
(geography/R-sf) Updated 1.0.19 to 1.1.1, fix build against R-4.6.0
# version 1.1-1
---------------
* use RAII in functions calling GEOS for handling context, based on
how terra does this; #2604
* `st_graticule()` simplifies output lines; #1364
* `dplyr::count()` drops geometries if `.drop_geom = TRUE` is set;
#2596
* better handle graticules crossing the antemeridian; #2561
* add the option `by_element = TRUE` to binary geometry predicates,
measures and transformers; #2594 and #2595 by @rariariari w. help
from Claude
* add `MULTISURFACE` and `CURVEPOLYGON` to vctrs methods; #2589 #2601
[100 lines not shown]
py-pdf: update to 6.13.3.
Security fix release.
Security (SEC)
Apply MAX_DECLARED_STREAM_LENGTH to streams without length as well (#3871) by @stefan6419846
Performance Improvements (PI)
Avoid per-pixel getpixel loop for 1-bit indexed images (#3854) by @Samuel-Harris
Robustness (ROB)
Several fixes by @metsw24-max
Maintenance (MAINT)
Make mypy assert messages consistent (#3849) by @j-t-1
mail/mutt: Update to version 2.4.0
Changes since version 2.3.3:
! Maildir folders are now only recognized if they contain cur, new, and tmp
subfolders. Previously mutt only checked for the cur subfolder when
opening.
! --without-wc-funcs configure option is deprecated.
+ New functions <open-thread>, <open-all-threads>, <close-thread>,
<close-all-threads> were added to explicitly open/close a thread, in
addition to the thread toggle functions.
+ $tmpdraftdir, defaulting /var/tmp, sets the directory where message
composition drafts are saved.
! --textmode is no longer required for pgp classic mode signing, although
mutt still keeps the flags in the sample config files.
! ~C and ~L patterns match Bcc recipient lists too.
! When querying for addresses, via <query> or <complete-query>,
the query menu can be exiting via <quit> after tagging entries.
Previously, <select-entry> had to be used for tagged entries to be
processed.
[10 lines not shown]
py-msgpack: update to 1.2.1.
Security fix release.
1.2.1
Bump pypa/cibuildwheel from 4.0.0 to 4.1.0 in the all-dependencies group by @dependabot[bot] in #694
release v1.2.1 by @methane in #698
1.2.0
relax setuptools version by @methane in #652
update setuptools requirements to >=78.1.1 by @methane in #653
cython: freethreading_compatible by @methane in #654
drop Python 3.9 by @methane in #656
update cython and cibuildwheel by @methane in #658
ci: add riscv64 manylinux/musllinux wheels by @justeph in #664
fix: check unpack_callback_uint32 result by @KowalskiThomas in #666
fix: re-raise existing exception when available by @KowalskiThomas in #667
[23 lines not shown]
plasma6-plasma-workspace: mark as BROKEN
to save others investigating this build issue
Needs wip/plasma6-kwin to build, which needs pipewire... both can be
imported after the freeze.
chromium: update to 149.0.7827.155
* 149.0.7827.155
This update includes 33 security fixes. Below, we highlight fixes
that were contributed by external researchers.
Please see the Chrome Security Page for more information.
[N/A][516496659] Critical CVE-2026-12437: Use after free in WebShare. Reported by Google on 2026-05-25
[N/A][516947912] Critical CVE-2026-12438: Inappropriate implementation in WebView. Reported by Google on 2026-05-27
[N/A][519728275] Critical CVE-2026-12439: Use after free in Digital Credentials. Reported by Google on 2026-06-03
[N/A][519731619] Critical CVE-2026-12440: Use after free in DigitalCredentials. Reported by Google on 2026-06-03
[N/A][520157118] Critical CVE-2026-12441: Use after free in File Input. Reported by Google on 2026-06-05
[N/A][521950423] Critical CVE-2026-12442: Use after free in Passwords. Reported by Google on 2026-06-09
[N/A][522566295] Critical CVE-2026-12443: Use after free in Web Authentication. Reported by Google on 2026-06-11
[N/A][513160088] High CVE-2026-12444: Out of bounds read in Chromoting. Reported by Google on 2026-05-14
[N/A][513199795] High CVE-2026-12445: Use after free in Extensions. Reported by Google on 2026-05-14
[N/A][513313107] High CVE-2026-12446: Insufficient data validation in Passwords. Reported by Google on 2026-05-14
[N/A][513405023] High CVE-2026-12447: Heap buffer overflow in WebRTC. Reported by Google on 2026-05-15
[25 lines not shown]
xmon: Fix building with GCC 14 and GCC 15.
This code makes frequent use of K&Risms such as implicit
function declarations, implicit int, etc. Fix a few and
force an older C standard to ensure this keeps building.
