GraphicsMagick p5-GraphicsMagick: updated to 1.3.47
1.3.47
Security Fixes:
DPX: Fix subsampling validation logic which was failing due to incorrect logic. This avoids a divide by zero possibility.
JNG writer: Properly handle and report the case where ImageToBlob() returns NULL.
MNG writer: Enforce that MNG only supports a color palette up to 256 colors (ImageMagick CVE-2026-28690).
MagickXImageWindowCommand(): Assure that static buffer does not overflow if the user keeps a numeric key depressed (ImageMagick CVE-2026-33535).
PCD: Prevent an out of bounds read (ImageMagick security advisory GHSA-wrhr-rf8j-r842).
PNG writer: Detect and report an excessively large profile, and other unexpected conditions (ImageMagick CVE-2026-30883).
RenderFreetype(): Use MagickConfirmAccess() to verify that font file name is allowed to be read.
TIFF EXIF IFD writer: Detect and prevent infinite looping (EXIF IFD writer code may be excluded by the -DEXPERIMENTAL_EXIF_TAGS=0 define).
TIFF EXIF IFD writer: Only transfer tags from EXIF and GPS IFDs. Do not transfer tags from the main IFDs.
YUV: Fix validation of 'sampling-factor' argument. (ImageMagick CVE-2026-25799). Given that the argument normally comes from a user (rather than an input file) this seems to be a minor security issue at most.
PS, PS2, PS3: Enforce that width and height dimensions, and total pixels, to/from Ghostscript are within the same limits as specified for GraphicsMagick. This helps avoid Ghostscript-based denial of service opportunities.
SVG: Add validations for element id syntax. Reject invalid attribute values which contain single quotes.
XCF: Report an error if there are no layers. Fix two unsigned integer overflow cases.
[53 lines not shown]
py-matplotlib: updated to 3.11.0
3.11.0
The largest change within this release is a complete overhaul of text and font
processing. Through the use of libraqm, HarfBuzz, SheenBidi, and an updated
release of FreeType, all text should now support modern font features, enabling
full internationalization in all languages. Not all features of these libraries
are supported yet, but we expect this work to enable further improvements in an
easier manner.
Outside of text handling, there are several improvements to 3D Axes,
performance, new accessible colour sequences, flexible figure management, and
more. See the release notes for more information.
py-checkdmarc: updated to 5.17.3
5.17.3
Changed
Narrow the advisory SPF record size check to catch only UnicodeError (raised when a record can't be encoded to UTF-8) instead of swallowing every exception, and log the skip at debug level
Replace the remaining broad except Exception handlers across the package with the specific exception types each block can recover from, so unexpected programming errors surface instead of being masked. As a result, intentional record-validation errors (e.g. MultipleSPFRTXTRecords, MTASTSRecordInWrongLocation) now propagate as their own types rather than being converted to a generic "record not found" error
Modernize type annotations to PEP 604 syntax (X | None and X | Y instead of Optional[X] and Union[X, Y]) throughout the package
Fixed
Declare the supported Python floor with the correct requires-python key (the previous python_requires key is not recognized in a PEP 621 [project] table, so the published metadata advertised no minimum and pip would install on end-of-life Python versions where the modern type-alias syntax fails). Also add per-version Python classifiers for 3.10–3.14
5.17.2
Fixed
Discard TXT records with leading whitespace instead of treating them as valid SPF records, since RFC 7208 section 4.5 requires a record to begin with exactly v=spf1
[4 lines not shown]
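The record selection rule from RFC 7208 section 4.5 referenced in the 5.17.2 entry above, as an added example (not checkdmarc's own code; the function and exception names are hypothetical and the TXT records are constructed):

```python
from __future__ import annotations

# Added illustration; names are hypothetical, not checkdmarc's API.


class MultipleSPFRecords(Exception):
    """More than one TXT record qualifies as SPF (permerror per RFC 7208 4.5)."""


def is_spf_record(txt: str) -> bool:
    """True only if the record begins with a version section of exactly v=spf1.

    The version section ends at a space or at the end of the record, so
    "v=spf10 ..." and " v=spf1 ..." (leading whitespace) are both rejected.
    ABNF string literals are case-insensitive, hence the lower().
    """
    version, _, _ = txt.partition(" ")
    return version.lower() == "v=spf1"


def select_spf_record(txt_records: list[str]) -> str | None:
    """Return the single SPF record, None if absent, raise if ambiguous."""
    candidates = [r for r in txt_records if is_spf_record(r)]
    if len(candidates) > 1:
        # Raised as its own type so callers can tell "ambiguous" from "absent".
        raise MultipleSPFRecords(f"{len(candidates)} SPF records found")
    return candidates[0] if candidates else None


# Constructed TXT answers for an example domain.
SAMPLE_TXT = [
    "google-site-verification=constructed-token",
    " v=spf1 include:_spf.example.net -all",  # leading space: discarded
    "v=spf10 -all",                            # wrong version: discarded
    "v=spf1 ip4:192.0.2.0/24 -all",            # the only valid record
]

if __name__ == "__main__":
    print(select_spf_record(SAMPLE_TXT))
```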
py-vcs-versioning: updated to 2.2.1
2.2.1 (2026-06-29)
Fixed
- Fix crash in `_warn_if_tracked` when the version file target is a relative path
by resolving it against the project root before comparison.
Also warn (instead of crashing) when the target resolves outside the project root.
sysutils/dua-cli: update to 2.37.1
Bug Fixes
degrade entries title on narrow terminals
improve the interactive top-bar so narrow terminal
sizes degrade gracefully. Statistics should disappear when the current path
needs the space, and the path should compact by removing the fewest consecutive
middle components needed to fit.
shells/starship: update to 1.26.0
1.26.0 (2026-06-28)
Features
git_state: show git am progress (#7500) (26ce2cc)
git: enable sha256 support (#7531) (e1418b2)
nix-shell: Add level variable to show nix shell depth (#7394) (b85b7b9)
pixi: expose PIXI_PROJECT_NAME as format placeholder (#7346) (cfd5e76)
time: improve timezone handling by switching to jiff (#7222) (3dd8c14)
Bug Fixes
gcloud: honor CLOUDSDK_COMPUTE_REGION env variable (#7451) (d0e2468)
improve reliability of config-file writing (#5426) (57bb99b)
maven: avoid detecting user .mvn config as project (#7426) (d455255)
nodejs: avoid deno project files (#7478) (96c1f90)
preset: make OS symbol dynamic in Tokyo Night theme (#7555) (9627650)
statusline: handle null context_window fields at session start (#7533) (0185e48)
use cargo-zigbuild for riscv64gc-unknown-linux-musl release builds (#7449) (166d7bb)
xfontsel: update to 1.1.2.
Alan Coopersmith (6):
Improve man page formatting
man page: fix warnings from `mandoc -T lint` and `groff -rCHECKSTYLE=10`
gitlab CI: drop the ci-fairy check-mr job
meson: Add option to build with meson
configure: fix warning about redefining AM_CPPFLAGS in Makefile.am
xfontsel 1.1.2
xedit: update to 1.2.5.
Alan Coopersmith (10):
Assume all target platforms have strcasecmp() now
AUTHORS: remove Xprint code (which was itself removed back in 2010)
Use _stricmp() instead of strcasecmp() on Windows
Improve man page formatting
Strip trailing whitespace from source files
lisp: avoid buffer overflow if $HOME is larger than PATH_MAX bytes
gitlab CI: drop the ci-fairy check-mr job
lisp/re/tests: return count of failed tests
meson: Add option to build with meson
xedit 1.2.5
py-fsspec: updated to 2026.6.0
2026.6.0
Fixes
- FTP: preserve filenames containing whitespace in _mlsd2
- Prevent attribute error for 'forced' before flushing cache
- Reflect async _walk correctly
- Fix infinite recursion in expand_path with glob magic characters
- Do not strip trailing slashes from data URIs
- Fix referenceFS for new zarr and pandas
- Omit get_ident() from cache token for async impl in sync mode
Other
- Fix AsyncFileSystem._cat_ranges on_error handling
- Forward kwargs from cat_ranges to cat_file
- Don't parse refFS templates by default
[2 lines not shown]