py-curl: updated to 7.47.0
PycURL 7.47.0 - 2026-06-29
This release adds AsyncCurlMulti (initial async pycurl support), implements a
curl multi notify API, and adds initial free-threaded CPython support. This
release also fixes numerous minor issues and makes tests more reliable.
minizip-ng: updated to 4.2.2
4.2.2
build(deps): bump actions/download-artifact from 7 to 8
build(deps): bump actions/upload-artifact from 6 to 7
fix: warning: '=': narrowing conversion, possible loss of data
docs: update memory stream test link
fix: mz_crypt_aes_set_*_key for GCM on OpenSSL
test: improve: validate cipher bytes after encryption
fix: reject symlink targets that escape extraction dir
libjpeg-turbo: updated to 3.2.0
3.2.0
Fixed a regression introduced by 3.2 beta1[9] that broke Arm64EC Windows builds.
Hardened the PNG writer (which is used by djpeg and tj3SaveImage*()) against applications that may erroneously attempt to write sample values that are out of range for the specified output data precision. This could have caused a buffer overrun in the PNG writer's rescale array if the output data precision was not 8 or 16 bits. The buffer overrun did not likely pose a security risk, since tj3SaveImage*() is not exposed to arbitrary external input data and since a caller that abused the API in the aforementioned manner could never work properly.
Hardened the libjpeg API against hypothetical applications that may erroneously call jpeg_crop_scanline() with buffered-image mode and raw data output enabled. jpeg_crop_scanline() does not work with raw data output, but due to an oversight, it did not throw an error if both buffered-image mode and raw data output were enabled. If a hypothetical application aborted a normal decompression operation without reading any scanlines, started a new decompression operation using the same libjpeg instance with buffered-image mode and raw data output enabled, then called jpeg_crop_scanline() with arguments that would have caused any of the component planes to be cropped to a width of 1 sample, jpeg_crop_scanline() would have used freed memory. However, this did not likely pose a security risk, since an application that abused the API in the aforementioned manner could never work properly.
Fixed a buffer overrun and subsequent segfault in jpegtran that occurred when attempting to use the -crop and -trim options to expand the width of an image narrower than one iMCU, discard partial iMCUs, and fill each block in the expanded region with the DC coefficient of the nearest block in the input image ("flatten.") Similarly, fixed an infinite loop that occurred when attempting to use the -crop and -trim options to expand the width of an image narrower than one iMCU, discard partial iMCUs, and fill the expanded region with repeated reflections of the input image ("reflect.") When the only iMCU column in the input image is partial and partial iMCUs are trimmed, the flatten and reflect extensions cannot work properly, so jpegtran now throws an error if that is the case. These issues were confined to the jpegtran application and thus did not pose a security risk.
xmp: updated to 4.3.0
4.3.0 (20260508):
Changes by Alice Rowan:
- Support 24-bit and 32-bit output (requires libxmp 4.7.0+):
AHI, ALSA, BeOS/Haiku, CoreAudio, NetBSD, OSS, PulseAudio,
sndio, WinMM, AIFF, file, WAV.
- Use XMP_MAX_SRATE as the limit for -f instead of 48000
(requires libxmp 4.7.0+).
- Amiga: automatically expand stack via stack cookie (OS 4),
NewStackSwap (AROS), NewPPCStackSwap (MorphOS), or StackSwap
(Workbench 2.04+). This feature can be disabled by defining
XMP_NO_STACKSWAP at compile time.
- Report pan value "---" for instruments/samples without
a default panning value (sub->pan < 0).
- Don't unmute muted IT channels unless explicitly unmuted by
the -S/--solo option.
- Haiku: Fix configure C++ compiler detection if CXX variable
contains additional options.
[10 lines not shown]
libxmp: updated to 4.7.0
4.7.0 (20260225):
Changes by Alice Rowan:
- Increase maximum sampling rate (XMP_MAX_SRATE) to 768000.
This increases XMP_MAX_FRAMESIZE to 384000. The tick buffers are now
allocated using the player-provided rate instead of XMP_MAX_FRAMESIZE:
the frame info buffer may also be much smaller than XMP_MAX_FRAMESIZE.
In case of existing software misusing the old XMP_MAX_FRAMESIZE, the
minimum value for mixer_data->total_size is the old XMP_MAX_FRAMESIZE
for now.
- xmp_seek_time now always seeks (even if the position is the same
as the current position) and uses the start row detected by the scan.
- New function: xmp_seek_time_frame, which attempts to seek to the time
requested by the caller within frame precision. This is achieved by
using xmp_seek_time then repeatedly calling xmp_play_frame until the
*next* frame contains the caller-requested time. The caller can then
use xmp_play_frame/xmp_play_buffer to render the requested frame.
WARNING: this is more computationally expensive than xmp_seek_time.
[114 lines not shown]
rocksndiamonds: updated to 4.4.2.3
4.4.2.3
This patch release fixes some bugs and improves some Diamond Caves related stuff:
added checkbox to use optional EM/DC style player explosions
changed killing player not before, but after digging land mine
fixed highlighting player name after editing on names screen
fixed a few potential string buffer overflow problems
SDL3_mixer: updated to 3.2.4
3.2.4
This is a stable bugfix release, with the following changes:
Added MIX_PROP_AUDIO_LOAD_IGNORE_LOOPS_BOOLEAN, to ignore looping information in an audio file's metadata
Fixed crash bug in MIX_SetTrackGroup()
Fixed crash in MIX_StopTrack(t, 0) if its MIX_TrackStoppedCallback destroys the track
Fixed crash when MIX_PROP_PLAY_MAX_* is less than the track's start position
Fixed unexpected decoding failures when using MIX_AudioDecoder
Fixed .OXM files being treated as Ogg Vorbis (they're actually mod files with embedded Vorbis samples)
Apps can set custom FluidSynth string settings (previously only ints and floats worked)
Various other small bugs and memory leaks fixed
SDL2_mixer: updated to 2.8.2
2.8.2
This is a stable bugfix release, with the following changes:
Improved OGG decoding speed when using stb_vorbis
Updated to newer versions of decoding libraries
rust: updated to 1.96.1
Rust 1.96.1 fixes:
Missing retries / timeouts in Cargo's HTTP client
Miscompilation in a MIR optimization
It also fixes three CVEs affecting libssh2 (which is compiled into Cargo):
CVE-2025-15661, CVE-2026-55199, CVE-2026-55200