oxipng: updated to 6.0.1

v6.0.1
Bugfix] Fix an issue where Zopfli mode could generate corrupt images

(adam)

Updated lang/python38, lang/python39, lang/py38-html-docs, lang/py39-html-docs

(adam)

python39 py39-html-docs: updated to 3.9.14

Python 3.9.14

Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735.

This new limit can be configured or disabled by environment variable, command line flag, or sys APIs. See the integer string conversion length limitation documentation. The default limit is 4300 digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.

Core and Builtins
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees.

The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for more details.

Library
gh-94821: Fix binding of unix socket to empty address on Linux to use an available address from the abstract namespace, instead of “0”.
gh-91810: Suppress writing an XML declaration in open files in ElementTree.write() with encoding='unicode' and xml_declaration=None.
bpo-45393: Fix the formatting for await x and not x in the operator precedence table when using the help() system.
bpo-46197: Fix ensurepip environment isolation for subprocess running pip.

Tests
gh-95280: Fix problem with test_ssl test_get_ciphers on systems that require perfect forward secrecy (PFS) ciphers.
gh-94208: test_ssl is now checking for supported TLS version and protocols in more tests.
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and setuptools. Patch by Illia Volochii and Adam Turner.

(adam)

python38 py38-html-docs: updated to 3.8.14

Python 3.8.14

Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735.

This new limit can be configured or disabled by environment variable, command line flag, or sys APIs. See the integer string conversion length limitation documentation. The default limit is 4300 digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.

Core and Builtins
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees.

The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for more details.

Library
bpo-46197: Fix ensurepip environment isolation for subprocess running pip.
bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of cursors in sqlite3 converters. Patch by Sergey Fedoseev.

Documentation
gh-91888: Add a new gh role to the documentation to link to GitHub issues.
bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.4.4.

Tests
gh-94208: test_ssl is now checking for supported TLS version and protocols in more tests.
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and setuptools. Patch by Illia Volochii and Adam Turner.
bpo-46114: Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses 0xMNN00PP0L.

Windows
bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.

(adam)

Updated math/py-numpy, fonts/py-fonttools

(adam)

py-fonttools: updated to 4.37.1

4.37.1 (released 2022-08-24)
----------------------------

- [subset] Fixed regression introduced with v4.37.0 while subsetting the VarStore of
  ``HVAR`` and ``VVAR`` tables, whereby an ``AttributeError: subset_varidxes`` was
  thrown because an apparently unused import statement (with the side-effect of
  dynamically binding that ``subset_varidxes`` method to the VarStore class) had been
  accidentally deleted in an unrelated PR.
- [pens] Added ``cairoPen``.
- [gvar] Read ``gvar`` more lazily by not parsing all of the ``glyf`` table.
- [ttGlyphSet] Make ``drawPoints(pointPen)`` method work for CFF fonts as well via
  adapter pen.

4.37.0 (released 2022-08-23)
----------------------------

- [varLib.models] Reverted PR 2717 which added support for "narrow tents" in v4.36.0,
  as it introduced a regression. It will be restored in upcoming release
  once we found a solution to the bug.
- [cff.specializer] Fixed issue in charstring generalizer with the ``blend`` operator.
- [varLib.models] Added support for extrapolation.
- [ttGlyphSet] Ensure the newly added ``_TTVarGlyphSet`` inherits from ``_TTGlyphSet``
  to keep backward compatibility with existing API.
- [kern] Allow compiling legacy kern tables with more than 64k entries (d21cfdede).
- [visitor] Added new visitor API to traverse tree of objects and dispatch based
  on the attribute type: cf. ``fontTools.misc.visitor`` and ``fontTools.ttLib.ttVisitor``. Added ``fontTools.ttLib.scaleUpem`` module that uses the latter to
  change a font's units-per-em and scale all the related fields accordingly.

4.36.0 (released 2022-08-17)
----------------------------

- [varLib.models] Use a simpler model that generates narrower "tents" (regions, master
  supports) whenever possible: specifically when any two axes that actively "cooperate"
  (have masters at non-zero positions for both axes) have a complete set of intermediates.
  The simpler algorithm produces fewer overlapping regions and behaves better with
  respect to rounding at the peak positions than the generic solver, always matching
  intermediate masters exactly, instead of maximally 0.5 units off. This may be useful
  when 100% metrics compatibility is desired.
- [feaLib] Remove warning when about ``GDEF`` not being built when explicitly not
  requested; don't build one unconditonally even when not requested.
- [ttFont] ``TTFont.getGlyphSet`` method now supports selecting a location that
  represents an instance of a variable font (supports both user-scale and normalized
  axes coordinates via the ``normalized=False`` parameter). Currently this only works
  for TrueType-flavored variable fonts.

4.35.0 (released 2022-08-15)
----------------------------

- [otData/otConverters] Added support for 'biased' PaintSweepGradient start/end angles
  to match latest COLRv1 spec.
- [varLib.instancer] Fixed bug in ``_instantiateFeatureVariations`` when at the same
  time pinning one axis and restricting the range of a subsequent axis; the wrong axis
  tag was being used in the latter step (as the records' axisIdx was updated in the
  preceding step but looked up using the old axes order in the following step).
- [mtiLib] Pad script tags with space when less than 4 char long.
- [merge] Use ``'.'`` instead of ``'#'`` in duplicate glyph names.
- [gvar] Added support for lazily loading glyph variations.
- [varLib] In ``build_many``, we forgot to pass on ``colr_layer_reuse`` parameter to
  the ``build`` method.
- [svgPathPen] Add a main that prints SVG for input text (6df779fd).
- [cffLib.width] Fixed off-by-one in optimized values; previous code didn't match the
  code block above it (2963fa50).
- [varLib.interpolatable] Support reading .designspace and .glyphs files (via optional
  ``glyphsLib``).
- Compile some modules with Cython when available and building/installing fonttools
  from source: ``varLib.iup`` (35% faster), ``pens.momentsPen`` (makes
  ``varLib.interpolatable`` 3x faster).
- [feaLib] Allow features to be built for VF without also building a GDEF table (e.g.
  only build GSUB); warn when GDEF would be needed but isn't requested.
- [otBase] Fixed ``AttributeError`` when uharfbuzz < 0.23.0 and 'repack' method is
  missing (32aa8eaf). Use new ``uharfbuzz.repack_with_tag`` when available (since
  uharfbuzz>=0.30.0), enables table-specific optimizations to be performed during
  repacking.
- [statisticsPen] By default report all glyphs (4139d891). Avoid division-by-zero
  (52b28f90).
- [feaLib] Added missing required argument to FeatureLibError exception
- [varLib.merge] Fixed error during error reporting. Fixed undefined
  ``NotANone`` variable.

4.34.4 (released 2022-07-07)
----------------------------

- Fixed typo in varLib/merger.py that causes NameError merging COLR glyphs
  containing more than 255 layers.

4.34.3 (released 2022-07-07)
----------------------------

- [designspaceLib] Don't make up bad PS names when no STAT data

4.34.2 (released 2022-07-06)
----------------------------

- [varStore/subset] fixed KeyError exception to do with NO_VARIATION_INDEX while
  subsetting varidxes in GPOS/GDEF (a08140d).

4.34.1 (released 2022-07-06)
----------------------------

- [instancer] When optimizing HVAR/VVAR VarStore, use_NO_VARIATION_INDEX=False to avoid
  including NO_VARIATION_INDEX in AdvWidthMap, RsbMap, LsbMap mappings, which would
  push the VarIdx width to maximum (4bytes), which is not desirable. This also fixes
  a hard crash when attempting to subset a varfont after it had been partially instanced
  with use_NO_VARIATION_INDEX=True.

4.34.0 (released 2022-07-06)
----------------------------

- [instancer] Set RIBBI bits in head and OS/2 table when cutting instances and the
  subfamily nameID=2 contains strings like 'Italic' or 'Bold'.
- [otTraverse] Addded module containing methods for traversing trees of otData tables
.
- [otTables] Made DeltaSetIndexMap TTX dump less verbose by omitting no-op entries
.
- [colorLib.builder] Added option to disable PaintColrLayers's reuse of layers from
  LayerList.
- [varLib] Added support for merging multiple master COLRv1 tables into a variable
  COLR table. Base color glyphs of same name in different masters must have
  identical paint graph structure (incl. number of layers, palette indices, number
  of color line stops, corresponding paint formats at each level of the graph),
  but can differ in the variable fields (e.g. PaintSolid.Alpha). PaintVar* tables
  are produced when this happens and a VarStore/DeltaSetIndexMap is added to the
  variable COLR table. It is possible for non-default masters to be 'sparse', i.e.
  omit some of the color glyphs present in the default master.
- [feaLib] Let the Parser set nameIDs 1 through 6 that were previously reserved.
- [varLib.varStore] Support NO_VARIATION_INDEX in optimizer and instancer.
- [feaLib] Show all missing glyphs at once at end of parsing.
- [varLib.iup] Rewrite force-set conditions and limit DP loopback length.
  For Noto Sans, IUP time drops from 23s down to 9s, with only a slight size increase
  in the final font. This basically turns the algorithm from O(n^3) into O(n).
- [featureVars] Report about missing glyphs in substitution rules.
- [mutator/instancer] Added CLI flag to --no-recalc-timestamp.
- [SVG] Allow individual SVG documents in SVG OT table to be compressed on uncompressed,
  and remember that when roundtripping to/from ttx. The SVG.docList is now a list
  of SVGDocument namedtuple-like dataclass containing an extra ``compressed`` field,
  and no longer a bare 3-tuple.
- [designspaceLib] Check for descriptor types with hasattr() to allow custom classes
  that don't inherit the default descriptors.
- [subset] Enable sharing across subtables of extension lookups for harfbuzz packing
. Updated how table packing falls back to fontTools from harfbuzz.
- [subset] Updated default feature tags following current Harfbuzz.
- [svgLib] Fixed regex for real number to support e.g. 1e-4 in addition to 1.0e-4.
  Support parsing negative rx, ry on arc commands.
- [subset] Fixed subsetting SinglePosFormat2 when ValueFormat=0.

(adam)

py-numpy: updated to 1.23.2

NUMPY 1.23.0 RELEASED

Jun 22, 2022 – NumPy 1.23.0 is now available. The highlights of the release are:

Implementation of loadtxt in C, greatly improving its performance.
Exposure of DLPack at the Python level for easy data exchange.
Changes to the promotion and comparisons of structured dtypes.
Improvements to f2py.
The NumPy 1.23.0 release continues the ongoing work to improve the handling and promotion of dtypes, increase the execution speed, clarify the documentation, and expire old deprecations. It is the work of 151 contributors spread over 494 pull requests. The Python versions supported by this release 3.8-3.10. Python 3.11 will be supported when it reaches the rc stage.

(adam)

Fix build with cbindgen > 0.23

(pho)

Revbump all Go packages after go118 security update

(bsiegert)

Updated security/py-cryptography, security/py-cryptography_vectors

(adam)

py-cryptography py-cryptography_vectors: updated to 38.0.0

38.0.0 - 2022-09-06
~~~~~~~~~~~~~~~~~~~

* Final deprecation of OpenSSL 1.1.0. The next release of ``cryptography``
  will drop support.
* We no longer ship ``manylinux2010`` wheels. Users should upgrade to the
  latest ``pip`` to ensure this doesn't cause issues downloading wheels on
  their platform. We now ship ``manylinux_2_28`` wheels for users on new
  enough platforms.
* Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0.
  Users with the latest ``pip`` will typically get a wheel and not need Rust
  installed, but check :doc:`/installation` for documentation on installing a
  newer ``rustc`` if required.
* :meth:`~cryptography.fernet.Fernet.decrypt` and related methods now accept
  both ``str`` and ``bytes`` tokens.
* Parsing ``CertificateSigningRequest`` restores the behavior of enforcing
  that the ``Extension`` ``critical`` field must be correctly encoded DER. See
  `the issue <https://github.com/pyca/cryptography/issues/6368>`_ for complete
  details.
* Added two new OpenSSL functions to the bindings to support an upcoming
  ``pyOpenSSL`` release.
* When parsing :class:`~cryptography.x509.CertificateRevocationList` and
  :class:`~cryptography.x509.CertificateSigningRequest` values, it is now
  enforced that the ``version`` value in the input must be valid according to
  the rules of :rfc:`2986` and :rfc:`5280`.
* Using MD5 or SHA1 in :class:`~cryptography.x509.CertificateBuilder` and
  other X.509 builders is deprecated and support will be removed in the next
  version.
* Added additional APIs to
  :class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp`, including
  :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_hash_algorithm`,
  :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_algorithm`,
  :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature`, and
  :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.extension_bytes`.
* Added :attr:`~cryptography.x509.Certificate.tbs_precertificate_bytes`, allowing
  users to access the to-be-signed pre-certificate data needed for signed
  certificate timestamp verification.
* :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC` and
  :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC` now support
  :attr:`~cryptography.hazmat.primitives.kdf.kbkdf.CounterLocation.MiddleFixed`
  counter location.
* Fixed :rfc:`4514` name parsing to reverse the order of the RDNs according
  to the section 2.1 of the RFC, affecting method
  :meth:`~cryptography.x509.Name.from_rfc4514_string`.
* It is now possible to customize some aspects of encryption when serializing
  private keys, using
  :meth:`~cryptography.hazmat.primitives.serialization.PrivateFormat.encryption_builder`.
* Removed several legacy symbols from our OpenSSL bindings. Users of pyOpenSSL
  versions older than 22.0 will need to upgrade.
* Added
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES128` and
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES256` classes.
  These classes do not replace
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` (which
  allows all AES key lengths), but are intended for applications where
  developers want to be explicit about key length.

(adam)

Recursive bump for recently updated Haskell packages

(pho)

doc: Updated devel/hs-protolude to 0.3.2nb1

(pho)

devel/hs-protolude: Update to 0.3.2

0.3.2
* GHC 9.2.2 support
* Drop export executable

0.3.1
* GHC 9.0.1 and 9.2.1 support
* Add HasCallStack to unsafe* functions.
* Banish String on readMaybe and readEither.

(pho)

doc: Updated lang/go118 to 1.18.6

(bsiegert)

go118: update to 1.18.6 (security)

This minor release includes 2 security fixes following the security policy:

net/http: handle server errors after sending GOAWAY

A closing HTTP/2 server connection could hang forever waiting for a clean
shutdown that was preempted by a subsequent fatal error. This failure mode
could be exploited to cause a denial of service.

Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
and Kaan Onarlioglu for reporting this.

This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.

net/url: JoinPath does not strip relative path components in all circumstances

JoinPath and URL.JoinPath would not remove ../ path components appended to a
relative path. For example, JoinPath("https://go.dev", "../go") returned the
URL https://go.dev/../go, despite the JoinPath documentation stating that ../
path elements are cleaned from the result.

Thanks to q0jt for reporting this issue.

This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.

(bsiegert)

devel/Makefile: + hs-monoidal-containers

(pho)

doc: Added devel/hs-monoidal-containers version 0.6.2.0

(pho)

devel/hs-monoidal-containers: import hs-monoidal-containers-0.6.2.0

Containers with merging via monoidal accumulation. The Monoid instances
provided by the "containers" and "unordered-containers" packages merge
structures in a left-biased manner instead of using the underlying monoidal
structure of the value.

This package wraps the types provided by these packages, but provides
Monoid instances implemented in terms of the value type's mappend. For
instance, the Monoid Map instance looks like,

  instance (Ord k, Semigroup a) => Monoid (MonoidalMap k a)

(pho)

devel/Makefile: + hs-newtype

(pho)

doc: Added devel/hs-newtype version 0.2.2.0

(pho)

devel/hs-newtype: import hs-newtype-0.2.2.0

Per Conor McBride, the "Newtype" typeclass represents the packing and
unpacking of a newtype, and allows you to operate under that newtype with
functions such as "ala".

(pho)

doc: Updated lang/purescript to 0.15.4

(pho)

lang/purescript: Update to 0.15.4

Release notes are too long to paste here:
* 0.15.4: https://github.com/purescript/purescript/releases/tag/v0.15.4
* 0.15.3: https://github.com/purescript/purescript/releases/tag/v0.15.3
* 0.15.2: https://github.com/purescript/purescript/releases/tag/v0.15.2
* 0.15.0: https://github.com/purescript/purescript/releases/tag/v0.15.0
* 0.14.9: https://github.com/purescript/purescript/releases/tag/v0.14.9
* 0.14.8: https://github.com/purescript/purescript/releases/tag/v0.14.8
* 0.14.7: https://github.com/purescript/purescript/releases/tag/v0.14.7

(pho)

doc: Updated sysutils/hs-typed-process to 0.2.10.1

(pho)

sysutils/typed-process: Update to 0.2.10.1

0.2.10.0
* Add mkPipeStreamSpec

0.2.9.0
* Re-export StdStream

(pho)

devel/hs-memory: Forgot to update buildlink3.mk

(pho)

doc: Updated devel/hs-memory to 0.18.0

(pho)

devel/hs-memory: Update to 0.18.0

* drop support for ghc < 8.8
* compat with ghc 9.4

(pho)

doc: Updated security/hs-cryptonite to 0.30

(pho)

security/hs-cryptonite: Update to 0.30

* Fix some C symbol blake2b prefix to be cryptonite_ prefix (fix mixing
  with other C library)
* add hmac-lazy
* Fix compilation with GHC 9.2
* Drop support for GHC8.0, GHC8.2, GHC8.4, GHC8.6

(pho)

doc: Updated x11/xfce4-notifyd to 0.6.4

(gutteridge)

xfce4-notifyd: update to 0.6.4

Change log:

0.6.4
======
- settings: Improve app icon and name matching
- settings: Sort known apps by notification count
- settings: Show 'Unspecified app' instead of empty line
- daemon: Improve application icon matching
- Correctly reset position during slideout (Fixes #42)
- panel-plugin: Remove duplicate function call (Fixes #40)
- panel-plugin: Fix file monitor (Fixes #40)
- Properly free the GKeyFile
- tests: Add logging test
- Fix compiler warnings
- Fix tooltip grammar
- build: Fix intltool lock file problem during make distcheck
- Update gitignore
- Update COPYING (#61)
- Translation Updates:
  Albanian, Basque, Belarusian, Bulgarian, Catalan, Chinese (China),
  Chinese (Taiwan), Czech, Danish, Dutch, Eastern Armenian, Estonian,
  French, Galician, German, Greek, Hebrew, Indonesian, Italian,
  Japanese, Kazakh, Korean, Lithuanian, Malay, Norwegian Bokm奪l,
  Polish, Portuguese, Portuguese (Brazil), Russian, Serbian, Slovak,
  Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian

(gutteridge)

tex package updates

(markd)

tex-pmhanguljamo{,-doc}: update to 0.5

changes unknown

(markd)

tex-media9{,-doc}: update to 1.25

changes unknown

(markd)

tex-lwarp{,-doc}: update to 0.908

0.908
Fixed obscure reference bug, sometimes seen in citations.

0.907
Fix for SVG images with Windows.

0.906
Improvements for screen readers.

(markd)

tex-luafindfont{,-doc}: update to 0.10

Version 0.10 has a fix for path searching on Windows

(markd)

tex-koma-script: update to 3.37

The source code of the KOMA-Script user manuals has been reorganized.
The old 8+3 names of the manuals have been replaced by more canonical names
`scrguide-de.pdf` (German manual) and `scrguide-en.pdf` (English manual).
`README` has been replaced by `README.md`, `manifest.txt` bei `MANIFEST.md`.
The HTML wrapper files have been replaced by individual files for each class
and package linking to the corresponding chapter of the KOMA-Script user
manuals.

Additionally the issues 21, 23, 24, 25, 28, 29, 30, 31, 32, 33
have been fixed.

(markd)

tex-etoc{,-doc}: update to 1.09f

Maintenance release with documentation improvements and addition of
\etocimmediatedepthtag.toc as well as some other "immediate" variants of
macros writing to the .toc file.  Refer to README.md for details.

The German language documentation was without updates since April 2015 and
had become obsolete in various ways.  It is not distributed anymore.

(markd)

doc: Updated shells/nushell to 0.68.0

(pin)

shells/nushell: update to 0.68.0

This is a huge jump over several releases and it's impossible to list changes.
Please visit https://www.nushell.sh/blog/ for the details of every release.

Be aware that there are lots of changes across all aspects of Nushell.

- There's a new engine, new line editor, and new commands.
- Configuration files will not work and have to be re-written.
- Previous scripts will need to be updated, and you'll need to learn some of
  the new ways of doing things in Nushell to get back to the same level of
  comfort.
- Several shell improvements and behavior changes.
- There's also a new plugin architecture and quite a number of breaking
  changes after fixing design flaws, cleaned-up the design, and rethought how
  commands should work.
- New additional startup file (env.nu) which, sets up the environment that
  you'll run Nushell in. As a result, you're able to set up important
  environment variables like $env.NU_LIB_DIRS before 'config.nu' begins to run.
- Deeper integration with SQLite, new completion logic, introduction of
  overlays, hooks, lazy dataframes, input overloading, input/output type,
  new variable naming convention ...

So, please do read about the changes before.

(pin)

doc: fix entry

(wiz)

doc: Updated parallel/py-ipyparallel to 8.4.1nb1

(wiz)

py-ipyparallel: fix PLIST

Bump PKGREVISION.

Fix a pkglint warning while here.

(wiz)

doc: Updated time/hs-clock to 0.8.3

(pho)

Update to clock-0.8.3

* Dropped support for GHC < 7.8.
* Tested with GHC 7.8 - 9.2.
* TODO: new module System.Clock.Seconds
* TODO: new functions
* TODO: other changes

(pho)

Fix a wrong COMMENT

(pho)

Updated devel/py-astroid, devel/py-ipython, lang/python310, lang/py310-html-docs

(adam)

py310-html-docs: updated to 3.10.7

Match python310 version.

(adam)

python310: updated to 3.10.7

Python 3.10.7 final

Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735.

This new limit can be configured or disabled by environment variable, command line flag, or sys APIs. See the integer string conversion length limitation documentation. The default limit is 4300 digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.

Core and Builtins
gh-96187: Fixed a bug that caused _PyCode_GetExtra to return garbage for negative indexes. Patch by Pablo Galindo
gh-95876: Fix format string in _PyPegen_raise_error_known_location that can lead to memory corruption on some 64bit systems. The function was building a tuple with i (int) instead of n (Py_ssize_t) for Py_ssize_t arguments.
gh-95605: Fix misleading contents of error message when converting an all-whitespace string to float.
gh-93592: coroutine.throw() now properly initializes the frame.f_back when resuming a stack of coroutines. This allows e.g. traceback.print_stack() to work correctly when an exception (such as CancelledError) is thrown into a coroutine.
gh-94996: ast.parse() will no longer parse function definitions with positional-only params when passed feature_version less than (3, 8). Patch by Shantanu Jain.

Library
gh-68163: Correct conversion of numbers.Rational窶冱 to float.
gh-96159: Fix a performance regression in logging TimedRotatingFileHandler. Only check for special files when the rollover time has passed.
gh-96175: Fix unused localName parameter in the Attr class in xml.dom.minidom.
gh-95609: Update bundled pip to 22.2.2.
gh-95231: Fail gracefully if EPERM or ENOSYS is raised when loading crypt methods. This may happen when trying to load MD5 on a Linux kernel with FIPS enabled.

Documentation
gh-96098: Improve discoverability of the higher level concurrent.futures module by providing clearer links from the lower level threading and multiprocessing modules.
gh-95789: Update the default RFC base URL from deprecated tools.ietf.org to datatracker.ietf.org
gh-91207: Fix stylesheet not working in Windows CHM htmlhelp docs. Contributed by C.A.M. Gerlach.
bpo-47115: The documentation now lists which members of C structs are part of the Limited API/Stable ABI.

Tests
gh-95243: Mitigate the inherent race condition from using find_unused_port() in testSockName() by trying to find an unused port a few times before failing. Patch by Ross Burton.

Build
gh-94682: Build and test with OpenSSL 1.1.1q

IDLE
gh-65802: Document handling of extensions in Save As dialogs.
gh-95191: Include prompts when saving Shell (interactive input and output).

(adam)

py-ipython: updated to 8.5.0

IPython 8.5.0
-------------
First release since a couple of month due to various reasons and timing preventing
me for sticking to the usual monthly release the last Friday of each month. This
is of non negligible size as it has more than two dozen PRs with various fixes
an bug fixes.

(adam)

doc: Updated lang/go119 to 1.19.1

(bsiegert)

go119: update to 1.19.1 (security)

This minor release includes 2 security fixes following the security policy:

net/http: handle server errors after sending GOAWAY

A closing HTTP/2 server connection could hang forever waiting for a clean
shutdown that was preempted by a subsequent fatal error. This failure mode
could be exploited to cause a denial of service.

Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
and Kaan Onarlioglu for reporting this.

This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.

net/url: JoinPath does not strip relative path components in all circumstances

JoinPath and URL.JoinPath would not remove ../ path components appended to a
relative path. For example, JoinPath("https://go.dev", "../go") returned the
URL https://go.dev/../go, despite the JoinPath documentation stating that ../
path elements are cleaned from the result.

Thanks to q0jt for reporting this issue.

This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.

(bsiegert)

py-astroid: updated to 2.12.8

What's New in astroid 2.12.8?
=============================
* Fixed a crash in the ``dataclass`` brain for ``InitVars`` without subscript typing.
* Fixed parsing of default values in ``dataclass`` attributes.

What's New in astroid 2.12.7?
=============================
* Fixed a crash in the ``dataclass`` brain for uninferable bases.

(adam)

doc: Updated www/hs-bower-json to 1.1.0.0

(pho)

Update to bower-json-1.1.0.0

No release notes have been provided by the upstream.

(pho)

Updated databases/sqlite3, databases/sqlite3-docs, databases/sqlite3-tcl, devel/lemon

(adam)

sqlite3: updated to 3.39.3

Changes in version 3.39.3 (2022-09-05):

Use a statement journal on DML statement affecting two or more database rows if the statement makes use of a SQL functions that might abort. See forum thread 9b9e4716c0d7bbd1.
Use a mutex to protect the PRAGMA temp_store_directory and PRAGMA data_store_directory statements, even though they are deprecated and documented as not being threadsafe. See forum post 719a11e1314d1c70.
Other bug and warning fixes. See the timeline for details.

(adam)

Updated net/nmap, net/ndiff, net/zenmap

(adam)

nmap ndiff zenmap: updated to 7.93

Nmap 7.93 [2022-09-01]

o This release commemorates Nmap's 25th anniversary! It all started with this
  September 1, 1997 Phrack article by Fyodor: https://nmap.org/p51-11.html.

o [Windows] Upgraded Npcap (our Windows raw packet capturing and
  transmission driver) from version 1.50 to the latest version 1.71. It
  includes dozens of performance improvements, bug fixes and feature
  enhancements described at https://npcap.com/changelog.

o Ensure Nmap builds with OpenSSL 3.0 using no deprecated API functions.
  Binaries for this release include OpenSSL 3.0.5.

o Upgrade included libraries: libssh2 1.10.0, zlib 1.2.12, Lua 5.3.6, libpcap 1.10.1

o Fix a bug that prevented Nmap from discovering interfaces on Linux
  when no IPv4 addresses were configured. [Daniel Miller, nnposter]

o [NSE] NSE "exception handling" with nmap.new_try() will no longer
  result in a stack traceback in debug output nor a "ERROR: script execution
  failed" message in script output, since the intended behavior has always been
  to end the script immediately without output. [Daniel Miller]

o Update the Nmap output DTD to match actual output since the
  `<hosthint>` element was added in Nmap 7.90.

o [NSE] Fix newtargets support: since Nmap 7.92, scripts could not add
  targets in script pre-scanning phase. [Daniel Miller]

o Scripts dhcp-discover and broadcast-dhcp-discover now support
  setting a client identifier. [nnposter]

o Script oracle-tns-version was not reporting the version
  correctly for Oracle 19c or newer [linholmes]

o Script redis-info was crashing or producing inaccurate
  information about client connections and/or cluster nodes. [nnposter]

o Nmap and Nping were unable to obtain system routes on FreeBSD
  [benpratt, nnposter]

o Script ipidseq was broken due to calling an unreachable library
  function. [nnposter]

o Support for EC crypto was not properly enabled if Nmap
  was compiled with OpenSSL in a custom location. [nnposter]

o [NSE] Improvements to event handling and pcap socket garbage collection,
  fixing potential hangs and crashes. [Daniel Miller]

o We ceased creating the Nmap win32 binary zipfile. It was useful back when
  you could just unzip it and run Nmap from there, but that hasn't worked well
  for many years. The win32 self-installer handles Npcap installation and many
  other dependencies and complexities. Anyone who needs the binaries for some
  reason can still install Nmap on any system and retrieve them from there.
  For now we're keeping the Win32 zipfile in the Nmap OEM Edition
  (https://nmap.org/oem) for companies building Nmap into their own
  products. But even in that case we believe that running the Nmap OEM
  self-installer in silent mode is a better approach.

o Fix TDS7 password encoding for mssql.lua, which had been assuming
  ASCII input even though other parts of the library had been passing it Unicode.

o Replace deprecated CPEs for IIS with their updated identifier,
  cpe:/a:microsoft:internet_information_services [Esa Jokinen]

o [NSE] Fix script-terminating error when unknown BSON data types are
  encountered. Added parsers for most standard data types. [Daniel Miller]

o [Ncat] Fix hostname/certificate comparison and matching to handle ASN.1
  strings without null terminators, a similar bug to OpenSSL's CVE-2021-3712.

o [Ncat] Added support for SOCKS5 proxies that return bind addresses
  as hostnames, instead of IPv4/IPv6 addresses. [pomu0325]

(adam)

doc: Updated devel/hs-ansi-terminal to 0.11.3

(pho)

Update to ansi-terminal-0.11.3

Version 0.11.3
* Add "hyperlink", "hyperlinkWithId" and "hyperlinkWithParams", and support
  for clicable hyperlinks.

Version 0.11.2
* On Windows, fix compatability with the Windows I/O Manager (WinIO) when
  GHC >= 9.0.1 but Win32 < 2.9.0.0.
* Improvements to Haddock documentation.

(pho)

doc: Updated converters/hs-aeson-better-errors to 0.9.1.1

(pho)

Update to aeson-better-errors-0.9.1.1

Make compatible with aeson >2.0.0.0

(pho)

Fix type for misc/open2300-pgsql addition

(martin)

doc: Updated misc/open2300-pgsql to 1.10nb1

(martin)

Add the Postgres version of the WS2300 logger

(martin)

doc: Updated emulators/sameboy to 0.15.5

(nia)

sameboy: Update to 0.15.5

Version 0.15.5

  This version is backwards compatible with save states from SameBoy 0.14.3
  and newer, as well as save states from any BESS compliant emulator

  New/Improved Features

    * Both frontends now include links to the debugger documentation and to
      the GitHub Sponsors page

  Accuracy Improvements/Fixes

    * Fixed a bug where certain color correction modes were desaturating
      colors in an unbalanced manner
    * Accurate emulation of the first-frame-behavior while emulating the
      Game Boy Color and Game Boy Advance; fixes white flashes while playing
      games developed by THQ
    * More accurate emulation of the square channels sample repeat glitch,
      fixing certain audio pops in LSDj and various games while using a
      vibrato effect

  Bug Fixes

    * Fixed a bug where MBC state was not properly reset, fixing bugs
      resulting in some games not booting correctly if they were loaded
      after certain other games in the SDL frontend, libretro, and other
      3rd-party frontends

  Misc Internal Changes

    * New memory management APIs for better integration of SameBoy as a
      library

(nia)

doc: Updated www/firefox91 to 91.13.0

(nia)

firefox91: update to 91.13.0

Security Vulnerabilities fixed in Firefox ESR 91.13

    #CVE-2022-38472: Address bar spoofing via XSLT error handling

    #CVE-2022-38473: Cross-origin XSLT Documents would have inherited the
    parent's permissions

    #CVE-2022-38478: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2,
    and Firefox ESR 91.13

(nia)

doc: Updated pkgtools/pkgin to 22.9.0

(jperkin)

pkgin: Update to 22.9.0.

## Version 22.9.0 (2022-09-06)

* Pass verbose flag down to libfetch operations too.

* Update show-keep/show-no-keep output format (Sunil Nimmagadda).

* Add -4 and -6 flags to force libfetch to use IPv4/IPv6 (Staffan Thom辿n,
  Sebastian Wiedenroth).

* Convert many SQL queries to use sqlite3_snprintf() and sqlite3 format
  strings to reduce potential SQL injection attacks (Taylor R Campbell).

* Use sqlite3 savepoints, fixing issue around interrupted local summary
  updates (Taylor R Campbell).

* Use posix_spawn() on newer macOS.

(jperkin)

bmpanel2: fix accidentally committed debug goo

(nia)

doc: Updated devel/py-pygit2 to 1.10.1

(wiz)

py-pygit2: update to 1.10.1.

1.10.1 (2022-08-28)
-------------------------

- Fix segfault in ``Signature`` repr
  `#1155 <https://github.com/libgit2/pygit2/pull/1155>`_

- Linux and macOS wheels for Python 3.11
  `#1154 <https://github.com/libgit2/pygit2/pull/1154>`_

1.10.0 (2022-07-24)
-------------------------

- Upgrade to libgit2 1.5

- Add support for ``GIT_OPT_GET_OWNER_VALIDATION`` and
  ``GIT_OPT_SET_OWNER_VALIDATION``
  `#1150 <https://github.com/libgit2/pygit2/pull/1150>`_

- New ``untracked_files`` and ``ignored`` optional arguments for
  ``Repository.status(...)``
  `#1151 <https://github.com/libgit2/pygit2/pull/1151>`_

1.9.2 (2022-05-24)
-------------------------

- New ``Repository.create_commit_string(...)`` and
  ``Repository.create_commit_with_signature(...)``
  `#1142 <https://github.com/libgit2/pygit2/pull/1142>`_

- Linux and macOS wheels updated to libgit2 v1.4.3

- Remove redundant line
  `#1139 <https://github.com/libgit2/pygit2/pull/1139>`_

1.9.1 (2022-03-22)
-------------------------

- Type hints: added to C code and Branches/References
  `#1121 <https://github.com/libgit2/pygit2/pull/1121>`_
  `#1132 <https://github.com/libgit2/pygit2/pull/1132>`_

- New ``Signature`` supports ``str()`` and ``repr()``
  `#1135 <https://github.com/libgit2/pygit2/pull/1135>`_

- Fix ODB backend's read in big endian architectures
  `#1130 <https://github.com/libgit2/pygit2/pull/1130>`_

- Fix install with poetry
  `#1129 <https://github.com/libgit2/pygit2/pull/1129>`_
  `#1128 <https://github.com/libgit2/pygit2/issues/1128>`_

- Wheels: update to libgit2 v1.4.2

- Tests: fix testing ``parse_diff``
  `#1131 <https://github.com/libgit2/pygit2/pull/1131>`_

- CI: various fixes after migration to libgit2 v1.4

1.9.0 (2022-02-22)
-------------------------

- Upgrade to libgit2 v1.4

- Documentation, new recipes for committing and cloning
  `#1125 <https://github.com/libgit2/pygit2/pull/1125>`_

1.8.0 (2022-02-04)
-------------------------

- Rename ``RemoteCallbacks.progress(...)`` callback to ``.sideband_progress(...)``
  `#1120 <https://github.com/libgit2/pygit2/pull/1120>`_

- New ``Repository.merge_base_many(...)`` and ``Repository.merge_base_octopus(...)``
  `#1112 <https://github.com/libgit2/pygit2/pull/1112>`_

- New ``Repository.listall_stashes()``
  `#1117 <https://github.com/libgit2/pygit2/pull/1117>`_

- Code cleanup
  `#1118 <https://github.com/libgit2/pygit2/pull/1118>`_

Backward incompatible changes:

- The ``RemoteCallbacks.progress(...)`` callback has been renamed to
  ``RemoteCallbacks.sideband_progress(...)``. This matches the documentation,
  but may break existing code that still uses the old name.

1.7.2 (2021-12-06)
-------------------------

- Universal wheels for macOS
  `#1109 <https://github.com/libgit2/pygit2/pull/1109>`_

1.7.1 (2021-11-19)
-------------------------

- New ``Repository.amend_commit(...)``
  `#1098 <https://github.com/libgit2/pygit2/pull/1098>`_

- New ``Commit.message_trailers``
  `#1101 <https://github.com/libgit2/pygit2/pull/1101>`_

- Windows wheels for Python 3.10
  `#1103 <https://github.com/libgit2/pygit2/pull/1103>`_

- Changed: now ``DiffDelta.is_binary`` returns ``None`` if the file data has
  not yet been loaded, cf. `#962 <https://github.com/libgit2/pygit2/issues/962>`_

- Document ``Repository.get_attr(...)`` and update theme
  `#1017 <https://github.com/libgit2/pygit2/issues/1017>`_
  `#1105 <https://github.com/libgit2/pygit2/pull/1105>`_

1.7.0 (2021-10-08)
-------------------------

- Upgrade to libgit2 1.3.0
  `#1089 <https://github.com/libgit2/pygit2/pull/1089>`_

- Linux wheels now bundled with libssh2 1.10.0 (instead of 1.9.0)

- macOS wheels now include libssh2

- Add support for Python 3.10
  `#1092 <https://github.com/libgit2/pygit2/pull/1092>`_
  `#1093 <https://github.com/libgit2/pygit2/pull/1093>`_

- Drop support for Python 3.6

- New `pygit2.GIT_CHECKOUT_SKIP_LOCKED_DIRECTORIES`
  `#1087 <https://github.com/libgit2/pygit2/pull/1087>`_

- New optional argument ``location`` in ``Repository.applies(..)`` and
  ``Repository.apply(..)``
  `#1091 <https://github.com/libgit2/pygit2/pull/1091>`_

- Fix: Now the `flags` argument in `Repository.blame()` is passed through
  `#1083 <https://github.com/libgit2/pygit2/pull/1083>`_

- CI: Stop using Travis, move to GitHub actions

Caveats:

- Windows wheels for Python 3.10 not yet available.

(wiz)

bmpanel2: Add Python 3 support.

Also use CMAKE_INSTALL_MANDIR so the man page gets installed properly.

(nia)

ruby-train-core: does not support ruby 2.6

(wiz)

doc: Updated www/firefox102 to 102.2.0

(nia)

firefox102: Update to 102.2.0

                  Mozilla Foundation Security Advisory 2022-34

Security Vulnerabilities fixed in Firefox ESR 102.2

    #CVE-2022-38472: Address bar spoofing via XSLT error handling

    #CVE-2022-38473: Cross-origin XSLT Documents would have inherited the
    parent's permissions

    #CVE-2022-38476: Data race and potential use-after-free in PK11_ChangePW

    #CVE-2022-38477: Memory safety bugs fixed in Firefox 104 and Firefox ESR
    102.2

    #CVE-2022-38478: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2,
    and Firefox ESR 91.13

(nia)

firefox*: Add a note about the branding to DESCR to reduce confusion

(nia)

python: Allow PYDISTUTILSPKG to be overridden on a per-package basis.

This is useful for allowing packages that install python egg metadata
to benefit from the PRINT_PLIST_AWK defined in egg.mk even if they don't
actually use setup.py or normal Python build tools.

(nia)

doc: Updated x11/libXft to 2.3.5

(wiz)

libXft: update to 2.3.5.

Version 2.3.5

Add support for BGRA glyphs display and scaling
Add "trackmemusage" property to use in improved _XftFontUncacheGlyph
Revised/completed manual page; all functions are documented.

(wiz)

Updated graphics/oxipng, devel/py-astroid

(adam)

py-astroid: updated to 2.12.6

What's New in astroid 2.12.6?
* Fix a crash involving ``Uninferable`` arguments to ``namedtuple()``.
* The ``dataclass`` brain now understands the ``kw_only`` keyword in dataclass decorators.

(adam)

oxipng: updated to 6.0.0

v6.0.0
[Breaking] Bump minimum Rust version to 1.57.0
[Feature] Add --check/-c CLI option
[Security] Update stderrlog to 0.5.2 (Fixes RUSTSEC-2022-0006)
[Security] Remove chrono as a transitive dependency (Fixes RUSTSEC-2020-0159)
[Misc] Bump clap to 3.2
[Misc] Bump zopfli to 0.7
[Misc] Bump libdeflater to 0.10
[Misc] Remove byteorder dependency in favor of stdlib functions
[Misc] Bump image to 0.24
[Misc] Bump crc to 3.0
[Misc] Bump miniz_oxide to 0.6
[Misc] Update to Rust edition 2021
[Misc] Various internal improvements

(adam)