py-ruff: update to 0.15.20.
Preview features
Allow human-readable names in rule selectors (#25887)
Emit a warning instead of an error for unknown rule selectors (#26113)
Match noqa shebang handling in ruff:ignore comments (#26286)
[ruff] Remove pytest-fixture-autouse (RUF076) (#26240, #26371)
Documentation
Add versioning sections to custom crate READMEs (#26317)
Update ruff_python_parser README for crates.io (#26315)
[perflint] Clarify that PERF402 applies to any iterable (#26242)
py-hpack: updated to 4.2.0
4.2.0 (2026-06-22)
**API Changes (Backward Incompatible)**
- Support for Python 3.9 has been removed.
- Support for PyPy 3.9 has been removed.
**API Changes (Backward Compatible)**
- Support for Python 3.14 has been added.
**Bugfixes**
- Headers marked as `sensitive` will no longer log their value at DEBUG level. Instead a placeholder value of `SENSITIVE_REDACTED` is logged.
- Fixed perfect match missed for headers with empty values.
- Restricted variable integer decoding to uint32 to prevent run-away computation. With thanks to `Hiroki Nishino`_.
p5-List-SomeUtils-XS: update to 0.59.
0.59 2026-06-22
- Fix a heap buffer overflow in the pairwise function when it would return a very large list. Fixed
by Paul Johnson.
expat: update to 2.8.2.
Release 2.8.2 Thu June 25 2026
Security fixes:
#1246 CVE-2026-50219 -- Disallow calls to functions
`XML_GetBuffer`, `XML_Parse`, `XML_ParseBuffer`,
`XML_ParserFree`, `XML_ParserReset` to guard e.g.
Expat bindings from memory corruption;
this CPython issue is related:
https://github.com/python/cpython/issues/146169
#1267 CVE-2026-56131 -- Protect XML_ResumeParser from being called
from a handler, plugging a hole in the fix
to CVE-2026-50219
#1272 CVE-2026-56132 -- Fix out-of-bound scaffolding index store
in `doProlog`
#1229 #1232 CVE-2026-56403 -- Integer overflow in `storeAtts`
#1249 CVE-2026-56404 -- Integer overflow in `addBinding`
#1251 CVE-2026-56405 -- Integer overflow in `getAttributeId`
#1255 CVE-2026-56406 -- Integer overflow in `XML_ParseBuffer`
[70 lines not shown]
nono: update to 1.8.1.
1.8.1 (2026/06/25)
vm(Update): "Rewrite whole SSG(YM2149). Implement envelope and noise."
vm(Fix): "Fix some tone pitches on SSG(YM2149)."
vm(New): "Support SSG(YM2149) even on LUNA-88K."
vm(Fix): "Fix an issue where the time display would become incorrect after 115 days since ver 1.8.0."
host(New): "Add PulseAudio to host sound driver. It can be enabled by configure --enable-pulseaudio."
host(Update): "Sound latency may be improved."
GUI(Update): "Show spectrum analyzer on the sound monitor."
resterm: Update to v0.44.2
v0.44.2
Dedicated test results block in the status bar
Script/assertion test results now render as their
own segment in the status bar instead of being appended
to the response status text.
New status bar block - test outcomes (@assert and script tests)
get a dedicated, separately styled segment in the left status sections,
colored by level (pass = success, fail = warn, error = error).
The main response status (e.g. 200 OK (200)) stays the same but is no
longer suffixed with - X 1 test(s) failed.
Summaries - the block shows V tests passed, X N test(s) failed (with correct singular/plural) or ! test error.
HTTP and gRPC - the test block is populated for both HTTP and gRPC responses.
Header icon - the test error icon in the response header changed from /!\ to !
powerdns: Update to 5.1.2
Released: 25th of June 2026
This is release 5.1.2 of the Authoritative Server. It contains a security fix only.
Please review the Upgrade Notes before upgrading from versions < 5.1.x.
Bug Fixes
Fix PowerDNS Security Advisory 2026-07 for PowerDNS Authoritative Server
dnsdist: Update to 2.0.7
Released: 25th of June 2026
Bug Fixes
CVE-2026-42005: An attacker can send a web request that causes unlimited memory allocation in the internal web server,
leading to a denial of service. The internal web server is disabled by default.
CVE-2026-40210: An out-of-bounds read might happen when SetMacAddrAction is used,
potentially resulting in uninitialized memory being sent over the network or a crash.
CVE-2026-40209: An attacker might be able to cause outgoing TCP connections to backend to be
stuck until a timeout occurs instead of being released immediately by sending IXFR queries.
This could be used to cause a denial of service if there is a limit to the number of
concurrent connections to this backend, or if the process runs out of file descriptors.
CVE-2026-42004: An attacker can send a crafted EDNS OPT record that will be ignored by
DNSdist�s filtering rules, but will be rewritten as a valid OPT record when EDNS Client
Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.
[11 lines not shown]
