py-requests-ratelimiter: update to 0.10.0.
0.10.0 (2026-04-22)
Add max_delay parameter compatible with pyrate-limiter v4 (previously removed in 0.9)
Fix per-host rate-limiting for Redis and Postgres backends
If both per_host=True and a bucket_name is specified, use bucket_name as a bucket prefix
Add warning if a custom Limiter object is passed with per_host=True and no HostBucketFactory
py-packaging: update to 26.2.
26.2 - 2026-04-24
~~~~~~~~~~~~~~~~~
Fixes:
* Fix incorrect sysconfig var name for pyemscripten in (:pull:`1160`)
* Make ``Version``, ``Specifier``, ``SpecifierSet``, ``Tag``, ``Marker``, and ``Requirement`` pickle-safe
and backward-compatible with pickles created in 25.0-26.1 (including references to the removed
``packaging._structures`` module) (:pull:`1163`, :pull:`1168`, :pull:`1170`, :pull:`1171`)
* Re-export ``ExceptionGroup`` in metatadata for now in (:pull:`1164`)
Documentation:
* Add errors section and fix missing details in (:pull:`1159`)
* Document our property-based test suite in (:pull:`1167`)
* Fix a ``DirectUrl`` typo in (:pull:`1167`)
* Add example of ``is_unsatisfiable`` in (:pull:`1166`)
[6 lines not shown]
py-nh3: update to 0.3.5.
Add usage examples for clean() and Cleaner arguments by @gghez in #120
Add doctest coverage for module docstrings and RST files by @gghez in #121
Bump pyo3 from 0.28.2 to 0.28.3 by @dependabot[bot] in #123
Add tags parameter to clean_text by @gghez in #122
py-flask-wtf: update to 1.3.0.
Version 1.3.0
-------------
Released 2026-04-23
- Don't read the whole uploaded files to know their size. :pr:`635`
- Stop support for Python 3.9. Start support for Python 3.14. :pr:`648`
- Migrate the project to uv. :pr:`649`
- Allow setting a ``nonce`` on :class:`~flask_wtf.recaptcha.RecaptchaField`
(string or zero-argument callable) for nonce-based Content Security
Policies. :pr:`312`
- Add ``csrf_meta_tag()`` helper and ``WTF_CSRF_META_NAME`` setting to render
the CSRF token as an HTML ``<meta>`` tag.
- Forward keyword arguments passed to the reCAPTCHA widget as HTML attributes
on the captcha ``<div>``, with the field id used as a default ``id``.
:pr:`353`
- Add ``apply_exemptions`` parameter to
[3 lines not shown]
ov: update to 0.52.0.
New Features
Word Wrap Mode
Word wrap has been added, and the --wrap / -w option now accepts a string instead of a boolean.
-w or -w=char (default): Wrap lines at screen width, breaking anywhere (character-based).
-w=word: Wrap lines at screen width, breaking at word boundaries.
-w=none: Disable line wrapping.
Toggle word wrap with the new default key alt+w.
⚠ Breaking change: The configuration key WrapMode: true must be updated to Wrap: "character".
View Mode Sidebar
When pressing p to enter view mode selection, the sidebar now opens automatically and displays the list of available view modes with index numbers. You can select a mode either by name or by its number (e.g., entering 1 selects the second mode in the list).
[4 lines not shown]
game-music-emu: update to 0.6.5.
Most importand changes
Removed CPP demo as it uses private API.
Reworked demos so they no longer use private API.
Implemented some undocumented OPcodes for NES CPU (Thanks to @drfiemost for the contribution) (#86)
Fixed several compile warnings.
The fade length is now passed to the track info for SPC files. (Thanks to @myQwil for the contribution)
The C++ runtime library is now properly exported. (Thanks to @robUx4 for the contribution)
Fixed several crashes and security vulnerabilities reported by people.
The YM2413 chip emulator has been updated to the version v1.5.9. (Thanks to @drfiemost for the contribution)
Added ADPCM support for the HES emulator, backported from Kode54's fork. (Thanks to @drfiemost for the contribution)
devel/task: update to 3.50.0
* Added enum.ref support in requires: enum constraints can now reference
variables or template pipelines (e.g., ref: .ALLOWED_ENVS) instead of
duplicating static lists. Combined with sh: variables, this enables fully
dynamic enum validation.
* Fixed Fish completion using hardcoded task binary name instead of
$GO_TASK_PROGNAME for experiments cache.
* Fixed watch mode ignoring SIGHUP signal, causing the watcher to exit
instead of restarting.
* Fixed a long time bug where the task wouldn't re-run as it should when
using method: timestamp and the files listed on generates: were
deleted. This makes method: timestamp behaves the same as method:
checksum.
py-OpenSSL: updated to 26.1.0
26.1.0 (2026-04-24)
Changes:
- Maximum supported ``cryptography`` version is now 47.x.
- Fixed ``X509Name`` field setters to correctly pass the value length to OpenSSL. Previously, values containing NUL bytes would be silently truncated, causing a divergence between the stored ASN.1 value and the value visible from Python. Credit to **BudongJW** for reporting the issue. **CVE-2026-40475**
py-cryptography py-cryptography_vectors: updated to 47.0.0
47.0.0 - 2026-04-24
Support for Python 3.8 is deprecated and will be removed in the next cryptography release.
BACKWARDS INCOMPATIBLE: Support for binary elliptic curves (SECT* classes) has been removed. These curves are rarely used and have additional security considerations that make them undesirable.
BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.x has been removed. OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC continue to be supported.
BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 4.1.
BACKWARDS INCOMPATIBLE: Loading keys with unsupported algorithms or keys with unsupported explicit curve encodings now raises :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of ValueError. This change affects :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`, :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`, :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`, :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`, and :meth:`~cryptography.x509.Certificate.public_key` when called on certificates with unsupported public key algorithms.
BACKWARDS INCOMPATIBLE: When parsing elliptic curve private keys, we now reject keys that incorrectly encode a private key of the wrong length because such keys are impossible to process in a constant-time manner. We do not believe keys with this problem are in wide use, however we may revert this change based on the feedback we receive.
Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to :class:`~cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES`. In a future release, only 192-bit (24-byte) keys will be accepted. Users should expand shorter keys themselves (e.g., for single DES: key + key + key, for two-key: key + key[:8]).
Updated the minimum supported Rust version (MSRV) to 1.83.0, from 1.74.0.
Support for x86_64 macOS (including publishing wheels) is deprecated and will be removed in the next release. We will switch to publishing an arm64 only wheel for macOS.
Support for 32-bit Windows (including publishing wheels) is deprecated and will be removed in the next release. Users should move to a 64-bit Python installation.
public_bytes and private_bytes methods on keys now raise TypeError (instead of ValueError) if an invalid encoding is provided for the given format.
Moved :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB`, :class:`~cryptography.hazmat.decrepit.ciphers.modes.OFB`, and :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB8` into :doc:`/hazmat/decrepit/index` and deprecated them in the modes module. They will be removed from the modes module in 49.0.0.
Moved :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Camellia` into :doc:`/hazmat/decrepit/index` and deprecated it in the cipher module. It will be removed from the cipher module in 49.0.0.
Added :meth:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF.extract` to :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`. The previous private implementation will be removed in 49.0.0.
Added support for loading elliptic curve keys that contain explicit encodings of the curves secp256r1, secp384r1, and secp521r1.
[13 lines not shown]
mpg123: updated to 1.33.5
1.33.5
- mpg123: Fix generic control mode for largefile-sensitive builds, where 32 bit
off_t was used with mpg123 API calls expecting 64 bit off_t.
I am appalled that it took a user on 32 bit ARM and a specific https stream
to notice this (bug 385, regression since 1.32.0).
The security impact of this could be serious, with memory corruption including
segfault being observed.
- mpg123-id3dump, out123: Enable 64 bit offset usage on largefile-sensitive
platforms (regression since 1.32.0).
- libmpg123:
-- Announce support for shadow stack / IBT in x86-64 assembly.
-- Also announce PAC/BTI for non-accurate neon64 (aarch64) synth.
- libout123: Add a safeguard to ensure variable-length records from buffer
communication are always zero-terminated.
- libsyn123: Use union work buffer to avoid casts that may look like breaking
strict aliasing.
