news/pan: update to 0.165
v0.165 "Kostiantynivka"
The main changes of this release are:
task-xover: fix date parsing, a potential crash and a memory leak
group-prefs-dialog: fix missing spellcheck language entry
header-pane: fix crash when backspace key is hit without articles
net/dnsdist: Update to version 2.0.5
From drixter via wip.
2.0.5
Released: 23rd of April 2026
Improvements
Do not keep the parsed EDNS options around
References: pull request 17165
Bug Fixes
Hardened DoQ internal error handling for cross-protocol queries
References: pull request 17170
Give TCP thread as default for definition USE_SINGLE_ACCEPTOR_THREAD
References: #17109, pull request 17168
Hardened DoH3 internal error handling for cross-protocol queries
References: pull request 17173
Handle missing X-Forwarded-For on existing DoH connection
References: pull request 17176
[36 lines not shown]
net/powerdns-recursor: Update to version 5.4.1
From drixter via wip.
5.4.1
Released: 22nd of April 2026
Bug Fixes
Fix PowerDNS Security Advisory 2026-03 for PowerDNS Recursor: Multiple Issues
References: pull request TBD
net/powerdns: Update to version 5.0.4
From drixter via wip.
5.0.4
Released: 22nd of April 2026
This is release 5.0.4 of the Authoritative Server. It contains security fixes only.
Please review the Upgrade Notes before upgrading from versions < 4.9.x.
Bug Fixes
Fix PowerDNS Security Advisory 2026-05 for PowerDNS Authoritative Server: Multiple Issues
References: pull request 17191
chat/soju: update to 0.10.1
# changes
0.10.1:
- upstream: fix delay after connect commands
- upstream: clean up upstreamConn.runUntilRegistered()
- user: also delay channel joining when authenticating via certificate
- cmd/sojuctl: fix fmt.Errorf format strings
- downstream: fetch Server.Config once in downstreamConn.welcome
- Consistently log STATUSMSG messages to the same file
0.10.0:
- The default configuration file now stores messages in the database instead of the filesystem.
- Add support for IRCv3 draft/message-redaction and draft/ICON.
- Introduce a new soju.im/blocked IRCv3 metadata key to block messages originating from a specific user.
- Avoid unnecessary Web Push notifications (e.g. when quickly marked read, for muted conversations, etc).
- Add workaround to delay joining channels after -connect-command on legacy servers (e.g. for channels requiring NickServ authentication).
[12 lines not shown]
py-wheel: updated to 0.47.0
0.47.0
- Added the ``wheel info`` subcommand to display metadata about wheel files without
unpacking them
- Fixed ``WheelFile`` raising ``Missing RECORD file`` when the wheel filename contains
uppercase characters (e.g. ``Django-3.2.5.whl``) but the ``.dist-info`` directory
inside uses normalized lowercase naming
py-simplejson: updated to 4.1.0
Version 4.1.0 released 2026-04-22
* The C extension now accelerates encoding when ``indent=`` is set.
Previously the encoder fell back to the pure-Python implementation
whenever a non-None ``indent`` was passed; now the C encoder emits
the newline-plus-indent prefix, the level-aware item separator, and
the closing indent directly. A representative nested-dict workload
benchmarks about 4-5x faster end-to-end, and the ``indent=0`` and
empty-container edge cases continue to match the Python output
byte-for-byte.
* The C extension now emits PEP 678 ``exc.add_note()`` annotations on
serialization failures, matching the pure-Python encoder. A chained
error on ``{'a': [1, object(), 3]}`` produces the same three notes
(``when serializing object object``, ``when serializing list item 1``,
``when serializing dict item 'a'``) whether the speedups are loaded
or not, so the add_note assertions in ``test_errors.py`` no longer
need ``indent=2`` to force the Python path.
py-scrapy: updated to 2.15.1
Scrapy 2.15.1 (2026-04-23)
Bug fixes
- Sharing of the SSL context between multiple connections, introduced in
Scrapy 2.15.0, is reverted as it caused problems and wasn't actually
needed.
- Fixed :meth:`scrapy.settings.BaseSettings.getwithbase` failing on keys with
dots that aren't import names. It now works the way it worked before Scrapy
2.15.0, without trying to match class objects and import path. A separate
method,
:func:`~scrapy.settings.BaseSettings.get_component_priority_dict_with_base`,
was added that does that, and it is now used for :ref:`component priority
dictionaries <component-priority-dictionaries>`.
- Documentation rendering improvements.
py-faker: updated to 40.15.0
40.15.0 - 2026-04-17
* Add job providers for `ar_DZ` and `fr_DZ` locales
* Add company providers for `ar_DZ` and `fr_DZ` locales
* Add geo providers for `ar_DZ` and `fr_DZ` locales
* Add currency providers for `ar_DZ` and `fr_DZ` locales
* Add `date_time` provider for `ar_DZ` locale
* Add ssn providers for `ar_DZ` and `fr_DZ` locales
py-greenlet: updated to 3.4.0
3.4.0 (2026-04-08)
- Publish binary wheels for RiscV 64.
- Fix multiple rare crash paths during interpreter shutdown.
Note that this now relies on the ``atexit`` module, and introduces
subtle API changes during interpreter shutdown (for example,
``getcurrent`` is no longer available once the ``atexit`` callback fires).
- Address the results of an automated code audit performed by
Daniel Diniz. This includes several minor correctness changes that
theoretically could have been crashing bugs, but typically only in
very rare circumstances.
- Fix several race conditions that could arise in free-threaded
builds when using greenlet objects from multiple threads, some of
which could lead to assertion failures or interpreter crashes.
opensc: updated to 0.27.1
New in 0.27.1; 2026-03-31
* Bugfix release to fix up infrastructure issues.
New in 0.27.0; 2026-03-30
Security
* CVE-2025-13763: Several uses of potentially uninitialized memory detected by fuzzers
* CVE-2025-49010: Possible write beyond buffer bounds during processing of GET RESPONSE APDU
* CVE-2025-66215: Possible write beyond buffer bounds in oberthur driver
* CVE-2025-66038: Possible read beyond buffer bounds when parsing historical bytes in PIV driver
* CVE-2025-66037: Possible buffer overrun while parsing SPKI
* More low-severity data handling issues when parsing profile configuration
General improvements
* Added support for PKCS#11 3.2 in tools and pkcs11-spy and p11test
* Added support for Ed448, X448 mechanisms and improve support for
[52 lines not shown]
py-tox: updated to 4.53.0
Features - 4.53.0
TOML env_list now accepts bare range dicts ({ prefix = "3.", start = 12, stop = 14 }) and bare labeled dicts ({ ecosystem = ["oci", "python"] }) as top-level items, removing the { product = [...] } wrapper when there is only a single factor group
Bug fixes - 4.53.0
Nesting a range or labeled dict inside a product factor-group list now raises a clear error pointing at the un-nesting fix, instead of silently producing a malformed environment name