Commit Graph

39055 Commits

Author SHA1 Message Date
Wang Mingyu 01318c106c python3-twitter: upgrade 4.16.0 -> 4.17.0
Changelog:
============
- Add reset_time parameter to TooManyRequests
- Replace deprecated datetime.utcnow() in MongodbCache.store

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:06 -07:00
Wang Mingyu b3fd19341f python3-sentry-sdk: upgrade 2.63.0 -> 2.64.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:05 -07:00
Wang Mingyu d8631e3c54 python3-responses: upgrade 0.26.1 -> 0.26.2
Changelog:
============
* Default headers (such as "Content-Type", "Date" and "Server") are now stripped
  from recorded files regardless of header name case. Previously, responses recorded from
  servers that send lowercase header names (for example over HTTP/2) kept these redundant
  headers in the generated file.
* Fixed 'query_param_matcher' mutating the caller's params dict when numeric
  values are provided.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:05 -07:00
Wang Mingyu 1bbf616f26 python3-pillow: upgrade 12.2.0 -> 12.3.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:05 -07:00
Wang Mingyu b1057e7630 python3-mlcommons-loadgen: upgrade 6.0.15 -> 6.0.16
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:05 -07:00
Wang Mingyu f6f776cce2 python3-lazy: upgrade 1.6 -> 2.0
License-Update: Copyright year updated to 2026

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:05 -07:00
Wang Mingyu 35d73585bd python3-jsbeautifier: upgrade 2.0.1 -> 2.0.3
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:05 -07:00
Wang Mingyu 172ef6ae60 python3-humanize: upgrade 4.15.0 -> 4.16.0
Changelog:
============
- Add Latvian language localization
- Add i18n support for naturalsize() and French translation
- Performance improvements: 1.07x - 8.4x
- Lazy imports for Python 3.15+
- Drop experimental Python 3.13 free-threaded
- Refactor: simplify scientific() and extract _SUPERSCRIPT_MAP constant
- Fix naturalsize() rounding rollover at unit boundaries
- Carry metric() to the next SI prefix when rounding reaches 1000
- Stop printing two minus signs in fractional for a negative mixed number
- Return an empty string from natural_list() for an empty list
- Handle tz-aware datetimes in naturalday() and naturaldate()
- Fix Arabic translation
- Fix Spanish large number translations to use long scale

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:04 -07:00
Wang Mingyu bc97dfed04 python3-huey: upgrade 3.0.3 -> 3.1.1
Changelog:
============
- Ensure we use a safe name for long postgres queue names. PG has a 63 byte
  limit on the channel name.
- Ensure recycled worker threads no longer leak their LISTEN connections
  w/Postgres.
- Add first-class Postgres support: PostgresHuey. Workers use LISTEN/NOTIFY
  when a task is enqueued, giving Redis-like dequeue latency without polling,
  and dequeues use select ... for update skip locked so any number of consumers
  can share one database (requires psycopg 3.2+).
- The django.tasks backend is now also compatible with the django-tasks
  backport package, extending support to pre-6.0 Django.
- Use an explicit fork multiprocessing context for process workers, rather than
  setting the global start-method from the consumer entry-points. Fixes -k
  process on MacOS 3.8+ / Linux 3.14+ when the consumer is started via the
  huey_consumer console-script or a programmatic create_consumer().run().

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:04 -07:00
Wang Mingyu 1a6467d065 python3-faker: upgrade 40.23.0 -> 40.28.1
Changelog:
===========
- Fix: compute valid ISO 7064 Mod 11,10 check digit for de_DE vat_id
- Add es_MX automotive license plate provider
- Add sr_BA SSN provider
- Update providers job, phone_number, bank and ssn
- Update phone number test regex
- Update outdated Korean locale names
- Fix: prevent infinite recursion in _safe_random_int when both bounds collapse to the same integer
- Add mk_MK (Macedonian) locale
- CI: run PR checks against PR code instead of base branch.
- Fix: raise NotImplementedError in bank() for locales without banks data
- Fix outdated links in README credits section
- Bump actions/cache from 5 to 6
- Bump actions/checkout from 6 to 7

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:04 -07:00
Wang Mingyu ef1f22628d python3-discovery: upgrade 1.4.2 -> 1.4.3
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:04 -07:00
Wang Mingyu eded3d63e1 python3-cbor2: upgrade 6.1.2 -> 6.1.3
Changelog:
============
- Fixed the decoder registering 6-byte strings in the string reference
  namespace at indices 65536–4294967295 where the encoder does not,
  desynchronising the namespace and resolving later string references to the
  wrong value
- Fixed the IPv4/IPv6 network decoders (tags 52 and 54) silently truncating an
  address byte string that is longer than the address size instead of rejecting
  it as malformed
- Fixed quadratic decoding time for indefinite-length and large definite-length
  byte and text strings, caused by concatenating each chunk onto the
  accumulated result with + instead of building the result once
- Fixed datetime_as_timestamp encoding whole-second datetimes before 1970 or
  after 2106 as floats instead of integers, because the timestamp was narrowed
  through an unsigned 32-bit integer
- Fixed the encoder measuring text strings by code point count instead of UTF-8
  byte length when deciding whether to add them to the string reference
  namespace, desynchronising it from the decoder (which counts bytes) and
  corrupting later string references for non-ASCII strings
- Fixed the decoder rejecting scoped IPv6 addresses (tag 54) with a
  CBORDecodeError reading invalid types in input array; the encoder emits them
  as [address, null, zone id] but the decoder only handled the network and
  interface array forms, so a scoped ~ipaddress.IPv6Address could not be decoded
  back

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:04 -07:00
Wang Mingyu 6ff01237c0 python3-bumble: upgrade 0.0.230 -> 0.0.231
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:04 -07:00
Wang Mingyu 4408a001a3 python3-argcomplete: upgrade 3.6.3 -> 3.7.0
Changelog:
============
- Escape glob and brace metacharacters in quote_completions
- Quote prefix passed to compgen in FilesCompleter
- Remove deprecated easy_install script detection
- Type hinting improvements

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:03 -07:00
Wang Mingyu 444365724b python3-aiohappyeyeballs: upgrade 2.6.2 -> 2.7.1
Changelog:
===========
- Use defaultdict to help with performance
- Simplify _interleave_addrinfos family grouping
- Collapse collect-then-remove pattern in utils helpers
- Merge identical except blocks in _connect_sock cleanup
- Add python 3.14 support

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:03 -07:00
Wang Mingyu 9a28381414 ostree: upgrade 2026.1 -> 2026.2
0001-trivial-httpd-Fix-const-correctness-of-slash-pointer.patch
removed since it's included in 2026.2

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:03 -07:00
Wang Mingyu df123bfb0b openvpn: upgrade 2.7.4 -> 2.7.5
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:03 -07:00
Wang Mingyu 0c7930db93 ndctl: upgrade v84 -> v85
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:03 -07:00
Wang Mingyu 837affbf94 mm-common: upgrade 1.0.7 -> 1.0.8
Changelog:
============
* doc-reference.am: Distribute .svg files from the HTML directory
* Add skeletonmm/tools/generate_from_gir.sh
* Allow -Duse-network=if-no-local-tag-file (new default value)
* Replace gtkmm.org by gtkmm.gnome.org.
* Require meson >= 0.62.0

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:03 -07:00
Wang Mingyu abc5c5be3b memcached: upgrade 1.6.42 -> 1.6.43
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:03 -07:00
Wang Mingyu 851b222a4a libxmp: upgrade 4.7.0 -> 4.7.1
Changelog:
==========
- Add xmp_set_player(ctx, XMP_PLAYER_DEFPAN, 50) to relevant examples
  in libxmp.rst and in the examples directory, clarify it must be
  used BEFORE calling xmp_load_module, and recommend its usage.
- Fix crashes and other bugs in the smix API.
- Rewrite the smix API WAV loader to support stereo samples.
- Fix XM channel default instrument memory (should be no instrument).
- Fix IT high offset being applied when no Oxx effect is present.
- Fix IT offsets >length setting the offset to sample end instead of 0
  in new effects mode.
- Fix conversion of MED synth/hybrid finetune.
- Fix Magnetic Fields Packer track loading and optimize tracks.
- Fix path_join when loading a module from the current directory.
- Fix loading truncated Startrekker AM instruments.
- Startrekker AM instruments now take precedence over sampled
  instruments in the same slot (fixes GTS/fa.worse face.mod and
  WOTW/intro 12.mod).
- Fix StarTrekker AM instrument envelope, P.FALL, and FQ toneporta
  bugs by reimplementing these features using extras (fixes
  Epsilon (ES)/frankie.mod, WOTW/intro 12.mod, maybe others).
- Allow Archimedes MUSX modules to load if the SDAT instrument
  subchunk is broken (fixes 5-OverPar).
- Fix various -fsanitize=shift-base warnings:
- Prevent overflow read in lha depacker pm2 decoder.
- Add OS/2 EMX makefiles for KLIBC environment. Build tested under linux
  using cross-os2emx toolchain at https://github.com/komh/cross-os2emx
- Build the PDF without date information to improve reproducibility.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:02 -07:00
Wang Mingyu 15024435a7 libsdl3: upgrade 3.4.10 -> 3.4.12
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:02 -07:00
Wang Mingyu a4750af2fe libio-compress-perl: upgrade 2.221 -> 2.223
Changelog:
===========
* Fix typo in Makefile.PL
* Compress::Raw::Zlib version 2.222 required--this is only version 2.221
  Update to version 2.223
* Tag `:constants` no longer exports all constants Fixes #78, #64
* Bump actions/checkout from 6 to 7

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:02 -07:00
Wang Mingyu c63bd731e4 imagemagick: upgrade 7.1.2-26 -> 7.1.2-27
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:02 -07:00
Wang Mingyu 73e6c67465 graphviz: upgrade 15.0.0 -> 15.1.0
Changelog:
=============
- When using the fdp layout algorithm ('dot -Kfdp …' or 'fdp …'), a new command
  line option '-Lm…' is supported for controlling the "m-limit".
- The vt plugin has a new option for using Unicode octant characters to render
  8-pixels-per-cell output, '-Tvt-8up2'.
- When building from source from a Git checkout, builds with
  '--disable-python'/'--disable-python3' once again work.
- Gvedit no longer leaves temporary files on disk when previewing.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:02 -07:00
Wang Mingyu 57de930d76 geoclue: upgrade 2.8.1 -> 2.8.2
Fixes:
- Accept NMEA GGA sentences with 11 or more parts (needed 14 or more previously)
- Use async D-bus 'Set' methods to set client properties in libgeoclue to improve robustness
- Do not change Client Location property on updates which are below threshold to avoid leaking location to D-bus
- Ignore wired WPA interfaces when finding an interface for WiFi scanning

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:02 -07:00
Wang Mingyu b5741b081f ctags: upgrade 6.2.20260628.0 -> 6.2.20260705.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:01 -07:00
Wang Mingyu c75b94b284 bcc: upgrade 0.36.1 -> 0.37.0
0001-Add-ARM64-syscall-prefix-detection-in-C-API.patch
0002-Add-riscv-syscall-prefix-detection-in-C-API.patch
0003-folly-tracing-Remove-x86-specific-naming-from-tracin.patch
0004-folly-tracing-Add-ARM-and-AArch64-support-to-static-.patch
0001-Fix-build-with-LLVM-22.patch
removed since they're included in 0.37.0

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-08 11:05:01 -07:00
Jason Schonberg 0770ef4043 c-ares: upgrade 1.34.6 -> 1.34.8
Version 1.34.8 is a bug fix (a regression that shipped with version 1.34.7)

Version  1.34.7 is a security fix addressing memory leaks, null pointer
  dereferences, denial of service, use after free etc.  Fixes CVE-2026-33630

Changelog: https://github.com/c-ares/c-ares/releases/tag/v1.34.8
Changelog: https://github.com/c-ares/c-ares/releases/tag/v1.34.7

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 22:18:49 -07:00
Leon Anavi 17afdec9d8 libheif: Upgrade 1.21.2 -> 1.23.1
Upgrade to release 1.23.1.

New features:
- FFmpeg decoder plugin gains AV1, VVC, JPEG, and JPEG 2000/HTJ2K
  decoding
- SVT-AV1 encoder: new tune=iq and ms-ssim tune parameters
- C++ API: added getters/setters for the CLLI and MDCV HDR metadata
  boxes
- Sequence decoder now scales the alpha auxiliary track to the main
  image size

Bug fixes:
- Fixed pixi box writing for multi-channel images
- Corrected the placement of the TAI clock_type field into the top
  2 bits
- Empty/unset plugin directory is no longer scanned

Security fixes:
- CVE-TBD (GHSA-jc8f-p23p-5hjg) Integer underflow in Fraction
  constructor via double clap transform application
- CVE-TBD (GHSA-73p7-m7gg-w2jv) Out-of-bounds read in uncompressed
  unci tile range slicing
= CVE-TBD (GHSA-xpw3-9rhw-482x) Heap out of bounds write in libheif
  uncompressed encoder when writing images with mismatched
  auxiliary alpha dimensions
- CVE-TBD (GHSA-9ww4-9v47-m7pj) Reachable assertion in
  HeifContext::get_track() aborts on a valid-but-empty HEIF
  sequence file
- (GHSA-46rp-pcq2-rpmr) Heap out-of-bounds write in the
  uncompressed encoder for RRGGBB images with interleaved bit-depth
  lower or equal to 8

Remove CVE-2026-3949.patch because the fix has been included in
the source code for this release of libheif.

This work was sponsored by GOVCERT.LU.

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 11:22:41 -07:00
Leon Anavi 13b0363478 python3-pycurl: Enable tests
Inherit ptest, update runtime dependencies and include the tests
for pycurl.

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 11:22:41 -07:00
Leon Anavi 175976dbf9 python3-flaky: Add recipe
Add a new recipe for flaky, plugin for pytest that automatically
reruns flaky tests. It is required by pycurl tests.

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 11:22:41 -07:00
Leon Anavi a0e385b75b python3-pycurl: Upgrade 7.46.0 -> 7.47.0
Upgrade to release 7.47.0:

- Use dynamic SSL ports in certificate tests
- Harden test_clear_assignment_inside_socket_callback_resets_socketp
  test
- Rename index field to idx in HstsIndex to avoid shadowing
- Fix test_callbacks_non_minus_one_return_continues_transfer on macOS
- Use PYCURL_REQUIRE_HANDLE and PYCURL_REQUIRE_NOT_RUNNING instead of
  magic numbers
- Convert pycurl to a Python package with the C extension renamed to
  pycurl._pycurl
- Fix flaky CONNECT_ONLY send/recv tests by waiting on active socket
  readiness instead of sleeping after EAGAIN
- Add PyMutex support on Python 3.13+
- Modernize ssh_key_cb_test and use a local SFTP server
- Use set instead of dict for saving refs to easy objects in multi
- Make closed as property instead a method
- Add free-threaded CPython support
- Add AsyncCurlMulti
- Fix flaky memory_mgmt callback
- Add libcurl strerror wrappers (easy/multi/share/url)
- Modernize write/header tests
- Implement Curl multi notify API
- Pin socket callback tests to IPv4 to handle dual-stack localhost
  resolution
- Integrate notify in AsyncCurlMulti
- Review GIL management
- Capture more expected warnings during tests
- Fix/update/remove some examples
- Fix truncated timeout value in multi timer callback
- Fix incorrect argument type in debug callback
- Fix some reference leaks
- Ensure errors are logged in progress/xferinfo callbacks
- Support zero-copy write/header callbacks
- Evolve CurlShare with share()/unshare(), Python-level thread safety,
  and CURLSHcode error propagation
- Fix test_default_mode_autopongs_server_ping with libcurl 8.21.0

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 11:22:41 -07:00
Leon Anavi 38b4e99b5b python3-filelock: Upgrade 3.29.4 -> 3.29.6
Upgrade to release 3.29.6:

- serialise singleton construction in FileLockMeta
- _util: drop the dead st_mtime=0 short-circuit in
  raise_on_not_writable_file
- test: silence fork DeprecationWarning on 3.15

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 11:22:40 -07:00
Leonard Göhrs 7c601563fa python3-aiohttp: add buildpath HOME check exception due to upstream pkg
The upstream tarball fetched from pypi contains `.hash` files like these:

  $ cat aiohttp/.hash/hdrs.py.hash
  a46ad6c3a2faf8d26a2c6afc1a2210ce379a23f2799fce7b26a01f6ce5a40642  /home/runner/work/aiohttp/aiohttp/aiohttp/hdrs.py

These file trigger the relatively new HOME buildpath check _if_ the recipe
happens to be built by someone with HOME set to /home/runner
(for example someone building in a GitHub workflow):

  ERROR: python3-aiohttp-3.14.1-r0 do_package_qa: QA Issue:
  File /usr/lib/python3.14/site-packages/aiohttp/.hash/hdrs.py.hash
  in package python3-aiohttp contains a reference to the build host HOME directory.
  If upstream hardcodes a directory path that matches your home,
  you can set OEQA_BUILDPATHS_SKIP = "/home/runner" in the recipe. [buildpaths]

Follow the suggested fix of setting `OEQA_BUILDPATHS_SKIP`.
See also openembedded-core commit ee29a9132a ("oeqa: allow exceptions in
buildpath HOME checks") for an example of `OEQA_BUILDPATHS_SKIP` used.

Signed-off-by: Leonard Göhrs <l.goehrs@pengutronix.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 11:22:40 -07:00
Alex Kiernan 6b5556bba4 python3-pyroute2: Add sqlite3 to RDEPENDS
python3-sqlite is required by the NDB code, irrespective of ptest:

  File "/usr/lib/python3.14/site-packages/pyroute2/__init__.py", line 31, in <module>
  File "/usr/lib/python3.14/site-packages/pyroute2/ipdb/__init__.py", line 16, in <module>
  File "/usr/lib/python3.14/site-packages/pyroute2/ndb/main.py", line 317, in <module>
  File "/usr/lib/python3.14/site-packages/pyroute2/ndb/task_manager.py", line 9, in <module>
  File "/usr/lib/python3.14/site-packages/pyroute2/ndb/schema.py", line 99, in <module>
ModuleNotFoundError: No module named 'sqlite3'

Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 11:22:40 -07:00
Alex Kiernan 4c9bde7759 minisign: Add recipe
Dead-simple Ed25519 file signing tool.

Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 11:22:40 -07:00
Deepak Rathore 0eda0f3c55 mbedtls: set CVE_STATUS for CVE-2025-66442
Analysis:
- The Mbed TLS advisory states the issue occurs when LLVM
  select-optimize is enabled. [1]
- The same advisory also states that Arm/x86 builds with
  MBEDTLS_HAVE_ASM enabled are not affected. The default mbedtls
  configuration in this branch enables MBEDTLS_HAVE_ASM.
- NVD also describes the issue as occurring only with LLVM's
  select-optimize feature. [2]
- The mbedtls recipes now evaluate the effective build flags across
  target, native, and nativesdk variants, handle the supported
  -mllvm spellings, and only mark the CVE unpatched when the
  vulnerable LLVM option combination is explicitly enabled and the
  Arm/x86 MBEDTLS_HAVE_ASM carve-out does not apply.
- When those conditions are not met, the current mbedtls build
  configuration is not affected.
- Hence ignoring/deferred the CVE for now.

Reference:
[1] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-66442

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 11:22:40 -07:00
Jason Schonberg 34b5cd16f1 php: upgrade 8.5.7 -> 8.5.8
This is a security release.

Changelog: https://www.php.net/ChangeLog-8.php#8.5.8

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 00:30:26 -07:00
Wang Mingyu d064444785 fastfetch: drop drm-amdgpu and split vaapi into va-drm/va-x11
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 00:30:26 -07:00
Ross Burton f39021c5df uutils-coreutils: delete .cargo/config.toml
This file hardcodes a specific compiler for aarch64-linux builds, which
is not the compiler that we provide.  As it's otherwise useless, we can
just delete the file.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 00:29:02 -07:00
Ross Burton 4182694dbb librav1e: make nasm dependency x86-specific
nasm is an x86 assembler, so only depend on it (and work around the
build paths errors) on x86-64 (the assembler fastpaths are explicitly
64-bit only).

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 00:29:02 -07:00
Jan Vermaete be38668908 python3-markdown-it-py: version bump 3.0.0 -> 4.2.0
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 00:29:02 -07:00
Leon Anavi ad51aba1a7 python3-genson: Enable tests
Inherit ptest and include tests for genson. The PyPI package
omits files for testing so use the GitHub source instead.

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 00:29:02 -07:00
Leon Anavi 8e729d2423 python3-genson: Upgrade 1.3.0 -> 1.4.0
Upgrade to release 1.4.0:

- add enum support, activated per node by seed schemas
- Performance: strategy deduplication when defining custom
  SchemaBuilder classes is now O(n) instead of O(n2)
- include the complete, runnable test suite in the source
  distribution
- Bugfix: fix "noting to do" typo in the CLI error message
  and remove dead code
- Docs: document the required-dropping behavior and the
  builder-merge gotcha; explain why same-type inputs merge
  rather than producing anyOf; add a NoRequiredObject example
  for suppressing required
- declare python_requires >= 3.10, matching the tested Python
  versions

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 00:29:02 -07:00
Leon Anavi df857d0b27 python3-stevedore: Upgrade 5.8.0 -> 5.9.0
Upgrade to release 5.9.0:

- zuul: Use openstack-python3-next-jobs template
- Do not install code to build release notes
- Drop support for Python 3.10

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 00:29:01 -07:00
Leon Anavi 60e702c713 python3-coverage: Upgrade 7.14.3 -> 7.15.0
Upgrade to release 7.15.0:

- Since 7.14.0, reporting commands implicitly combine parallel data
  files. Now those commands have a new option --keep-combined to retain
  the data files after combining them instead of the default, which is
  to delete them.
- Fix: the LCOV report would incorrectly count excluded functions as
  uncovered, as described in issue 2205. This is now fixed thanks to
  Martin Kuntz Jacobsen.
- When running your program, coverage now correctly sets
  yourmodule.__spec__.loader as strongly recommended, avoiding the
  deprecation warning.
- Fix: with Python 3.10, running with the -I (isolated mode) option
  didn't correctly omit the current directory from the module search
  path. That is now fixed thanks to Ilia Sorokin.

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 00:29:01 -07:00
Leon Anavi 4c1ec8349e python3-croniter: Upgrade 6.2.2 -> 6.2.3
Upgrade to release 6.2.3:

- Fix quadratic expansion of comma-separated range lists for a large
  speed-up on expressions with many ranges.
- Reject a zero step (e.g. 5-5/0) in equal and reversed cron ranges
  instead of silently accepting it.
- Fix expand_from_start_time month low-bound off-by-one so stepped
  month ranges start on the correct month.
- Fix zizmor-reported security findings in GitHub Actions workflows.
- Bump pinned build and CI dependencies via dependabot.
- Upgrade locked development and build dependencies (uv lock --upgrade).

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 00:29:01 -07:00
Etienne Cordonnier 9aef1f7ee6 ttf-noto-emoji: upgrade 20200916 -> 2.051
- NotoEmoji-Regular.ttf was removed upstream in https://github.com/googlefonts/noto-emoji/commit/1442f6acc8463c428c8b38fc558e87c28d8efa5b
- A new COLRv1 format is provided, with a smaller file-size

Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 00:29:01 -07:00
Bartosz Golaszewski 9796702aa7 libgpiod: update to v2.3.1
This bugfix release addresses several build issues after the transision
to meson. These bugs didn't really affect the yocto recipe but let's
update the package for completness.

Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 00:29:01 -07:00