ocaml-dune: update to 3.23.1.
3.23.1 (2026-05-14)
-------------------
### Fixed
- Fix the `menhir` opam dependency injection introduced in 3.23. Dune
now only fills in the lower bound `{>= "20180523"}` on an existing
user-declared `menhir` dependency; it no longer adds `menhir` as a
new dependency to packages that did not declare it themselves.
(#14434, fixes #14428, @robinbb)
- Gate the `dune` version-bound deduplication in generated opam files
(introduced in 3.23) on `(lang dune 3.23)`. Projects at earlier lang
versions get the prior `And [...]` shape — e.g.
`{>= "3.17" & >= "3.20"}` — restoring 3.22 behaviour and avoiding a
silent change to opam output on dune-binary upgrade. (#14436,
@robinbb)
[13 lines not shown]
moor: update to 2.13.2.
v2.13.2: Fix a crash when filtering Latest
This release fixes an intermittent crash that could happen when
filtering a file down to zero lines.
Also, this release improves performance for rendering long (100KB)
lines.
v2.13.1: Performance improvements for searching
Performance when searching and scrolling sideways to search hits has
been significantly improved. Hits are now also centered on the screen
when scrolling sideways.
Also in this release:
[2 lines not shown]
libpaper: update to 2.2.8.
This release fixes a typo in the C4 envelope size, which has been
present for a long time (since libpaper 1). Thanks to @yegord for
the bug report and fix.
dasel: update to 3.10.1.
v3.10.1 - 2026-05-13
Fixed
Fixed a non-terminating loop in the selector lexer when tokenizing unterminated regex patterns (e.g. r/abc). The tokenizer now returns an error instead of looping indefinitely.
Fix panic when selector query contains a trailing backslash in a quoted string (GHSA-m5j3-4634-c2vq).
v3.10.0 - 2026-05-13
Added
KDL format support (-i kdl / -o kdl) for reading and writing KDL configuration files (#504). Supports both v1 and v2 syntax with automatic version detection. Output version is configurable via --write-flag kdl-version=1 or --write-flag kdl-version=2 (default).
v3.9.0 - 2026-05-13
Added
[4 lines not shown]
miniflux: update to 2.3.0.
Security
Only discoverable WebAuthn credentials (resident keys / passkeys) are supported for login.
Non-resident credentials can no longer be used for first-factor authentication to prevent username enumeration before password verification. They are intended for post-password MFA flows, which Miniflux does not currently support.
Persist WebAuthn backup eligibility/state and validated credential state after login.
Require POST requests for logout, feed refresh, and OAuth2 unlink actions.
Apply CSRF protection to all non-safe HTTP methods.
Add http.CrossOriginProtection middleware for the web UI.
Validate redirect URL schemes in HTMLRedirect to prevent unsafe redirects.
Restore URL scheme validation in templates for untrusted feed URLs.
Sanitize filenames in Content-Disposition headers to prevent header injection.
Reject empty OAuth2 state parameters when no authentication flow is in progress.
Allow configured private proxies while still enforcing private-network restrictions for direct requests and redirects.
Validate URI schemes case-insensitively according to RFC 3986.
Pin third-party GitHub Actions to immutable commit SHAs to reduce supply-chain risks.
Cap the maximum entry limit to 1000 across the UI, API, and storage layer.
[41 lines not shown]
meta-pkgs/bulk-test-doxygen: import bulk-test-doxygen-20260517
Meta-package for testing doxygen updates.
Do not forget to turn on the 'doxygen' option when testing this.
py-typeguard: updated to 4.5.2
4.5.2
- Fixed ``IndexError`` raised from ``check_signature_compatible`` when the subject
method has no positional parameters
py-tifffile: updated to 2026.5.15
2026.5.15
- Update ZarrFileSequenceStore to zarr format 3 (breaking).
- Derive ZarrFileSequenceStore dimension names from FileSequence.dims.
- Add option to override dimension names in zarr stores.
- Add support for Python 3.15.
