go: update to 1.26.4 and 1.25.11 (security).
These releases include 3 security fixes following the security policy:
- mime: quadratic complexity in WordDecoder.DecodeHeader
Decoding a maliciously-crafted MIME header containing many invalid
encoded-words could consume excessive CPU.
The MIME decoder now better handles this case.
Thanks to p4p3r (https://hackerone.com/p4p3r_hak) for reporting this issue.
This is CVE-2026-42504 and Go issue https://go.dev/issue/79217.
- net/textproto: arbitrary input are included in errors without any escaping
When returning errors, functions in the net/textproto package would
include its input as part of the error, without any escaping. Note that
said input is often controlled by external parties when using this
[26 lines not shown]
textproc/xan: update to 0.58.0
Breaking
Stopping to serialize moonblade lists either as joined by some separator or JSON. This was awkard, error-prone & potentially lossy. Use the join function manually to format output when required.
As per previous point, dropping xan scrape --sep.
Dropping implicit unary function calls in moonblade pipelines. This feature was not well-known, confusing (an indentifier, could be understood as a call in a pipeline, only if not in first position...), and mostly useless now that moonblade has had a proper dot operator.
xan plot -A/--aggregate does not take an expression anymore but has an automatic selection of two modes: sum and mean. It should also be faster.
Renaming the index function as row_index for clarity.
xan agg -C/--along-columns & -M/--along-matrix & xan groupby -C/--along-columns & -M/--along-matrix will not map current column index to the result of the index() function. The col_index() can be now used instead for this very purpose.
xan window -g/--groupby does not require the file to be sorted anymore. This means using -g/--groupby will now require the whole file to be buffered into memory by the command. The old behavior can still be used through the -S/--sorted flag, thus aligning the xan window command with the rest of the tool.
row_index will now error if the expression has no concept of row index, instead of returning nothing.
xan parallel -z/--compress now take the desired compression (either gzip or zstd).
Retiring the xan grep command in favor of xan search -Z/--fast-parser.
xan tokenize --keep short flag becomes -k instead of -K to harmonize with other commands.
Retiring the xan flatmap command in favor of xan explode -e.
Retiring the xan fuzzy-join command in favor of a consolidated xan join command.
Changing xan from -f txt -c <name> default to line instead of value.
Renaming xan join -L/--prefix-left & -R/--prefix-right short flags to -l & -r respectively to avoid colliding with the added -R/--reverse flag that can be used for merge joins.
[70 lines not shown]
chat/senpai: update to 0.5.0
This large senpai release brings 1 year of features
and bug fixes!
Major features:
- Take a /SCREENSHOT from senpai, uploading it to
your bouncer
- Do an /UPLOAD from your clipboard by pasting an
image with Ctrl+Alt+V
- Customize your keyboard shortcuts with the shortcuts
config directive, see man 5 senpai for details
- Enable lightweight spell-check from your config,
using harper-ls if installed
- Pin/mute channels and users (ignore coming soon),
saved across your bouncer
Minor features:
- irc:// links are now properly handled everywhere!
[77 lines not shown]
audio/ncspot: update to 1.3.4
Maintenance release
Minor updates, including a crash fix when a user tries to add a song to an existing playlist and dependency updates.
What's Changed
Fix crash when adding a song to a playlist by @AnAngryRaven in #1783
chore(toolchain): update by @hrkfdn in #1785
chore(deps): bump the cargo group across 1 directory with 11 updates by @dependabot[bot] in #1787
test: add queue unit tests, fix shuffle append bug by @hrkfdn in #1788
chore(deps): bump chrono from 0.4.43 to 0.4.44 in the cargo group by @dependabot[bot] in #1791
chore(deps): bump the cargo group with 3 updates by @dependabot[bot] in #1792
chore(deps): bump quinn-proto from 0.11.13 to 0.11.14 by @dependabot[bot] in #1794
chore(toolchain): update by @hrkfdn in #1796
chore(deps): bump the cargo group with 3 updates by @dependabot[bot] in #1797
chore(deps): bump rustls-webpki from 0.103.8 to 0.103.10 by @dependabot[bot] in #1798
chore(deps): bump softprops/action-gh-release from 2 to 3 in the github-actions group by @dependabot[bot] in #1807
chore(deps): bump rand from 0.10.0 to 0.10.1 by @dependabot[bot] in #1809
[7 lines not shown]
devel/garden: update to 2.6.0
v2.6.0 Released 2026-03-14
Features:
garden <custom-cmd> now has a -x | --echo option that enables the shell's
native echo mode.
Packaging:
Prebuilt binaries for Apple Darwin aarch64
are now available.
Garden can now be installed directly via
Homebrew on macOS.
The garden-rs/homebrew-garden tap repository has been archived and is no
longer maintained.
news/eilmeldung: update to 1.5.4
1.5.4 - 2026-06-04
Quick bugfix release
- fixed crash when width/height of focused panel was set to 100% (see article_list_focused_height, etc.)
octave: updated to 11.3.0
Summary of bugs fixed for version 11.3.0 (2026-06-01):
This version brings only minor changes compared to Octave 11.2.0. Most
importantly, it fixes the SOVERSION of the `liboctinterp` library.
For (bug #XXXXX) see https://savannah.gnu.org/bugs/?XXXXX
Improvements and fixes
- Fix returning reciprocal condition number as second output from `det` for
triangular dense matrices.
dnsmasq: updated to 2.93
version 2.93
Fix a corner-case in DNSSEC validation with wildcards. If we have
a wildcard record *.example.com and receive a query for
a.example.com then that's OK, but we have to check that there isn't
an actual a.example.com record. The corner case is when we get a
query for *.example.com in that case the non-existence check
is not required, was being done. Thanks to Jan Breig for
spotting this.
Enable support for inotify on FreeBSD 15.0-RELEASE, which added
Linux-compatible inotify support.
Fix DNSSEC failure with spurious RRSIGs. The presence of wrong
RRSIG RRs in replies caused DNSSEC validation to fail even
when the RRs do not require validation because the zone is
unsigned. Note that, at the time of this commit, Google
[29 lines not shown]
libde265: updated to 1.1.1
1.1.1
The decoding speed has been improved by about 8% on x86 CPUs thanks to more SIMD acceleration and optimized CABAC code. Also the startup time has been improved, which gives a 3% speed improvement when decoding HEIC files with similar-sized tiles.
Build differences
When building shared-libraries in Release mode, we are now using -fvisibility=hidden by default. You can override this with the new cmake option "FORCE_FULL_VISIBILITY".
Security
CVE TBD (GHSA-ccfw-29x7-rrx3) - Pixel accessor signed integer overflow causes heap OOB read/write
CVE TBD (GHSA-j2qq-x2xq-g9wr) - SAO sequential filter heap buffer overflow via signed integer overflow
haproxy: updated to 3.4.0
3.4.0
- BUG/MINOR: tcpcheck: Check LDAP response to not read more data than available
- BUG/MINOR: ssl-gencert: validate SNI characters to prevent SAN certificate injection
- BUG/MINOR: mux-h1: H2 preface rejection doesn't update stick-table glitches
- BUG/MEDIUM: cpu-topo: Enforce thread-hard-limit on policy
- BUG/MEDIUM: qmux: do not crash on too large record
- BUG/MEDIUM: qmux: do not crash on receiving an invalid first frame
- BUG/MINOR: qmux: reject too large initial record
- Revert "BUG/MEDIUM: dns: fix long loops in additional records parse on name failure"
- BUG/MINOR: qpack: Fix index calculation in debug functions
- BUG/MINOR: qpack: fix potential null-pointer dereference in qpack_dht_insert()
- CLEANUP: qpack: fix copy-paste typo in value Huffman debug string
- BUG/MINOR: qpack: fix sign bit mask in qpack_decode_fs_pfx()
- CLEANUP: qpack: fix copy-paste typo in value Huffman debug string for WLN
- BUG/MINOR: qpack: fix huff_dec() error handling in qpack_decode_fs()
- CLEANUP: qpack: move encoded macros to qpack-t.h to avoid duplication
- BUG/MEDIUM: quic: handle ECONNREFUSED on RX side
[76 lines not shown]
py-ruff: updated to 0.15.16
0.15.16
Preview features
[flake8-async] Implement yield-in-context-manager-in-async-generator (ASYNC119)
[pylint] Narrow diagnostic range and exclude cases without exception handlers (PLW0717)
[ruff] Treat yield before break from a terminal loop as terminal (RUF075)
Bug fixes
[eradicate] Avoid flagging ruff:ignore comments as code (ERA001)
[eradicate] Fix ERA001/RUF100 conflict when noqa is on commented-out code
[pyflakes] Avoid removing the format call when it would change behavior (F523)
[pylint] Avoid syntax errors in invalid character replacements in f-strings before Python 3.12 (PLE2510, PLE2512, PLE2513, PLE2514, PLE2515)
[pyupgrade] Avoid converting format calls with more kinds of side effects (UP032)
Rule changes
[16 lines not shown]
py-apsw: updated to 3.53.2.0
3.53.2.0
Reflects changes and updates in SQLite extra. The sqlite3_scrub binary has been removed - use VACUUM INTO instead.
sysutils/uutils-coreutils: update to 0.9.0
Rust Coreutils 0.9.0 Release:
We are excited to announce the release of Rust Coreutils 0.9.0 - a release focused on safety and security.
This cycle was shaped by a third-party security audit, driving extensive TOCTOU hardening and a sustained,
project-wide effort to shrink the amount of unsafe code by removing it outright and migrating low-level
syscalls from nix/libc to rustix.
On top of that, we landed major zero-copy I/O performance work (splice/tee/pipe), broadened WebAssembly,
Cygwin and Windows support, and continued contributing tests and bug reports upstream to GNU coreutils.
Highlights:
GNU Compatibility & Upstream Contributions
629 passing tests (+7 from 0.6.0), with 19 new tests added from the GNU 9.10 update
Updated GNU test reference from 9.9 to 9.10
Contributed numerous patches upstream to GNU coreutils, benefiting both projects
New GNU compatibility fixes across date, fmt, kill, ptx, numfmt, cksum, and more
Took over maintenance of num-prime, the primality testing library used by factor
[105 lines not shown]
