py-sphinx-issues: updated to 6.0.0
6.0.0 (2026-03-13)
Backwards-incompatible: Remove implicit extraction of group/project from GitHub URLs in issues_uri. If you relied on setting _only_ issues_uri (e.g. https://github.com/myuser/myproject/issues/{issue}) without also setting issues_github_path or issues_default_group_project, you must now explicitly set one of those options in your conf.py:
Before:
issues_uri = "https://github.com/myuser/myproject/issues/{issue}"
After:
issues_github_path = "myuser/myproject"
Support Python 3.10-3.14. 3.9 is no longer supported, as it is EOL.
Pin lower bound of Sphinx to 8.1.0 (see "Sphinx version support policy above").
py-tornado: updated to 6.5.6
6.5.6
Security fixes
SimpleAsyncHTTPClient now strips the Authorization and Cookie headers from the request when following a redirect to a different origin. This matches the default behavior of CurlAsyncHTTPClient. Applications that need different behavior here can set follow_redirects=False and handle redirects manually. Thanks to [Yannick Wang](https://github.com/noobone123) for being first to report this issue, as well as additional reporters [Kai Aizen](https://github.com/SnailSploit), [HunSec](https://github.com/0xHunSec), and [Thai Son Dinh](https://github.com/sondt99).
SimpleAsyncHTTPClient now enforces max_body_size on the decompressed size of the response, rather than the compressed size. This prevents a denial-of-service attack via a very large compressed response. Thanks to [Yuichiro Kedashiro](https://github.com/yuui25) for reporting this issue.
Fixed a bug in the C extension that could have read up to three bytes past the end of an input array. Thanks to [Thai Son Dinh](https://github.com/sondt99) for reporting this issue.
OpenIDMixin has improved parsing for the check_authentication response. Thanks to [Yannick Wang](https://github.com/noobone123) for reporting this issue.
Bug fixes
CurlAsyncHTTPClient has been updated to use non-deprecated APIs, avoiding deprecation warnings with recent versions of pycurl.
py-apache-libcloud: updated to 3.9.1
Changes in Apache Libcloud 3.9.1
Compute
- [VSphere] Add verify_ssl option
Add verify_ssl option, to enable the user to avoid SSL verification explicitly.
- [OpenStack] Initial Blazar support
This is an initial implementation of Blazar support in Libcloud. It currently
supports listing the available leases and hosts.
- [Azure ARM] Update US GovCloud AD endpoint for AZURE_ARM provider.
- [OpenStack] Add hypervisor_hostname attribute to OpenStack node.
- [GCP] Use the fully-qualified name for the GCP IMDS endpoint.
- [Azure ARM, Amazon S3] Add signed upload to azure and s3.
- [RcodeZero]: Fix issue when adding a record where a record with a different type already exists
DNS
[8 lines not shown]
py-sphinx-autodoc-typehints: updated to 3.10.3
3.10.3
Show version in error tracebacks
Support PEP 695 type statement and python 3.12+ TypeAliasType
Fix typehints_formatter cache warning
fix(stubs): resolve type hints for PyO3 native submodules
py-test_socket: updated to 0.8.0
0.8.0
Enhancements:
Block DNS resolution (getaddrinfo, gethostbyname) when sockets are disabled
Support CIDR network ranges in allow_hosts
Warn before raising on a blocked socket call
Cache hostname resolutions during a test run
Changes:
Removed support for Python 3.8 and 3.9. Python 3.10 is now the minimum.
Test against Python 3.13, 3.14, and free-threaded 3.13t/3.14t
Replaced Poetry with uv
Added type hints
Swapped pytest-httpbin for a local test fixture
Dependency, CI, and development updates
cargo-deny: added version 0.19.8
cargo-deny is a cargo plugin that lets you lint your project's dependency graph
to ensure all your dependencies conform to your expectations and requirements.
www/freenginx-devel: update from 1.31.1 to 1.31.2
Sponsored by: tipi.work
<ChangeLog>
*) Bugfix: a segmentation fault might occur in a worker process if
nested captures were used in the "rewrite" directive.
*) Bugfix: the "if" directive incorrectly handled relative paths when
checking files.
</ChangeLog>
libde265: updated to 1.1.0
1.1.0
Added de265_security_limits parameters to limit the maximum image size and memory that libde265 will use during decoding.
Security fixes
CVE TBD (GHSA-g2rg-wj66-w594) - Out-of-bounds write in process_reference_picture_set via predicted short-term RPS
CVE TBD (GHSA-vv8h-932h-7r86) - Heap buffer overflow in de265_image_get_buffer via SPS dimension integer overflow
CVE TBD (GHSA-g5hj-rf9f-7vxm) - Unbounded memory accumulation via orphaned slice headers in read_slice_NAL
(GHSA-x27c-jp65-g395) - Quadratic CPU consumption in NAL parser (remove_stuffing_bytes, resize)
py-virtualenv: updated to 21.4.0
Features - 21.4.0
Remove dead code targeting Python versions below the supported target range (PyPy 3.6, deprecated importlib APIs) and simplify the runtime import hook in _virtualenv.py.
Support Windows debug builds (python_d.exe, venvlauncher_d.exe) matching CPython venv behavior, remove dead __SCRIPT_DIR__ replacement and has_shim version guard, drop unreachable Python 3.7 branch from pyvenv_launch_patch_active, and fix wheel deprecation message to say >= 3.9.
py-python-discovery: updated to 1.4.0
1.4.0
- Add ``debug_build`` attribute to :class:`PythonInfo` exposing whether the interpreter is a debug build
(``Py_DEBUG``)
tmux: update to 3.6b.
CHANGES FROM 3.6a TO 3.6b
* Remove images from the correct list when they are removed while in the
alternate screen (reported by xlabai at tencent dot com).
perl: fix security problem in Archive::Tar
Archive::Tar versions before 3.10 for Perl allow memory exhaustion via
attacker controlled entry size field in tar header
Bump PKGREVISION.
