Age | Commit message | Author | Files | Lines
2022-10-10 | lang/ruby26: remove package | taca | 2 | -30/+0
Ruby 2.6 reached EOL on 22nd April 2022.
2022-10-10 | lang/Makefile: remove ruby26 | taca | 1 | -2/+1
Start removal of Ruby 2.6.
2022-10-08 | openjdk: fix building "zero" vm with GCC < 10 | nia | 2 | -9/+5
2022-10-08 | ocaml: Needs imprecise-c99-float-ops to build on NetBSD/arm | nia | 1 | -2/+3
2022-10-06 | py-mypy: updated to 0.982 | adam | 3 | -425/+27
0.981
* Support for Python 3.6 and 2 Dropped
* Generate Error on Unbound TypeVar Return Type
* Methods with Empty Bodies in Protocols Are Abstract
* Implicit Optional Types Will Be Disabled by Default
* Precise Types for **kwds Using TypedDict
* Experimental Support for General Recursive Types
* Generic NamedTuples and TypedDicts
* Better Support for Callable Attributes
* Per-Module Error Code Configuration
* Experimental Support for Interactive Inspection of Expressions
2022-10-05 | Update go119 to 1.19.2 | bsiegert | 3 | -7/+13
This minor release includes 3 security fixes following the security policy:
- archive/tar: unbounded memory consumption when reading headers
  Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB.
  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
  This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.
- net/http/httputil: ReverseProxy should not forward unparseable query parameters
  Requests forwarded by ReverseProxy included the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value.
  ReverseProxy will now sanitize the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
  Thanks to Gal Goldstein (Security Researcher, Oxeye) and Daniel Abeles (Head of Research, Oxeye) for reporting this issue.
  This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.
- regexp/syntax: limit memory used by parsing regexps
  The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.
  Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected.
  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
  This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.
2022-10-05 | go118: update to 1.18.7 | bsiegert | 3 | -7/+11
This minor release includes 3 security fixes following the security policy:
- archive/tar: unbounded memory consumption when reading headers
  Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB.
  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
  This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.
- net/http/httputil: ReverseProxy should not forward unparseable query parameters
  Requests forwarded by ReverseProxy included the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value.
  ReverseProxy will now sanitize the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
  Thanks to Gal Goldstein (Security Researcher, Oxeye) and Daniel Abeles (Head of Research, Oxeye) for reporting this issue.
  This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.
- regexp/syntax: limit memory used by parsing regexps
  The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.
  Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected.
  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
  This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.
2022-10-02 | pyversion.mk: Define PYPKGPREFIX in error case | gdt | 1 | -1/+3
The specification for pyversion.mk says that it defines PYPKGPREFIX and PYVERSSUFFIX. Various buildlink files rely on these being defined, as they are tested without guarding them for being empty.
When there is no valid python version, _PYTHON_VERSION was set to "none", and PKG_FAIL_REASON defined, so the user gets a reasonable error. However, if a buildlink3 uses an unguarded PYPKGPREFIX, a syntax error results, and the PKG_FAIL_REASON is not displayed.
This commit defines the two variables to "none" in the case of no valid version, mirroring the treatment of _PYTHON_VERSION and correcting a failure to follow the specification. In this case the build is going to fail one way or another, but it's vastly better to have a useful error message.
(Tested earlier, but deferred during freeze.)
2022-10-02 | nodejs: Fix PLIST without dtrace option | ryoon | 1 | -2/+2
2022-10-01 | go19, go110, go116, go117: remove | bsiegert | 52 | -36975/+1
Go 1.9 and 1.10 are no longer useful because they do not support module-based builds, which is most other packages now. Go 1.16 and 1.17 are end of life.
ok to remove from gdt@ on tech-pkg@.
2022-10-01 | go: remove the logic that makes Go 1.9 or 1.10 default for some OSes | bsiegert | 1 | -11/+1
Removal agreed on tech-pkg@
2022-10-01 | lang/php80: update to 8.0.24 | taca | 2 | -6/+6
29 Sep 2022, PHP 8.0.24
- Core:
  . Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function) (Tim Starling)
  . Fixed bug GH-9361 (Segmentation fault on script exit #9379). (cmb, Christian Schneider)
  . Fixed bug GH-9407 (LSP error in eval'd code refers to wrong class for static type). (ilutov)
  . Fix #81727 (Don't mangle semantically meaningful HTTP var names). (derick)
- DOM:
  . Fixed bug #79451 (DOMDocument->replaceChild on doctype causes double free). (Nathan Freeman)
- FPM:
  . Fixed bug GH-8885 (FPM access.log with stderr begins to write logs to error_log after daemon reload). (Dmitry Menshikov)
  . Fixed bug #77780 ("Headers already sent..." when previous connection was aborted). (Jakub Zelenka)
- GMP
  . Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed to gmp_init()). (Girgias)
- Intl
  . Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter). (Girgias)
- Phar:
  . Fix #81726 (DOS when using quine gzip file). (cmb)
- PDO_PGSQL:
  . Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed). (Yurunsoft)
- Reflection:
  . Fixed bug GH-8932 (ReflectionFunction provides no way to get the called class of a Closure). (cmb, Nicolas Grekas)
  . Fixed bug GH-9409 (Private method is incorrectly dumped as "overwrites"). (ilutov)
- Streams:
  . Fixed bug GH-9316 ($http_response_header is wrong for long status line). (cmb, timwolla)
2022-10-01 | lang/php81: update to 8.1.11 | taca | 2 | -6/+6
29 Sep 2022, PHP 8.1.11
- Core:
  . Fixed bug #81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628). (cmb)
  . Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629). (Derick)
  . Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function) (Tim Starling)
  . Fixed bug GH-9361 (Segmentation fault on script exit #9379). (cmb, Christian Schneider)
  . Fixed bug GH-9447 (Invalid class FQN emitted by AST dump for new and class constants in constant expressions). (ilutov)
- DOM:
  . Fixed bug #79451 (DOMDocument->replaceChild on doctype causes double free). (Nathan Freeman)
- FPM:
  . Fixed bug GH-8885 (FPM access.log with stderr begins to write logs to error_log after daemon reload). (Dmitry Menshikov)
  . Fixed bug #77780 ("Headers already sent..." when previous connection was aborted). (Jakub Zelenka)
- GMP
  . Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed to gmp_init()). (Girgias)
- Intl
  . Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter). (Girgias)
- PCRE:
  . Fixed pcre.jit on Apple Silicon. (Niklas Keller)
- PDO_PGSQL:
  . Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed). (Yurunsoft)
- Reflection:
  . Fixed bug GH-8932 (ReflectionFunction provides no way to get the called class of a Closure). (cmb, Nicolas Grekas)
- Streams:
  . Fixed bug GH-9316 ($http_response_header is wrong for long status line). (cmb, timwolla)
2022-10-01 | 29 Sep 2022, PHP 7.4.32 | taca | 2 | -6/+6
- Core:
  . Fixed bug #81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628). (cmb)
  . Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629). (Derick)
2022-09-29 | nim: Update to 1.6.8 | charlotte | 3 | -7/+8
Noteworthy changes from 1.6.6:
- Fixed "Add --gc:arc (or --mm:arc) induce different behavior when using converter" (#19862)
- Fixed "Converting unsigned integer to float fails in VM" (#19199)
- Fixed "regression(0.20.0 => devel): var params assignment gives silently wrong results in VM" (#15974)
- Fixed "genDepend broken for duplicate module names in separate folders" (#18735)
- Fixed "Orc booting compiler doesn't work with newSeq operations" (#19404)
- Fixed "hasCustomPragma and getCustomPragmaVal don't work on fields with backticks" (#20067)
- Fixed "Cant use uint64 in case" (#20031)
- Fixed "nim jsondoc output is broken" (#20132)
- Fixed "Underscores are unnecessarily escaped in db_mysql" (#20153)
- Fixed "Invalid codegen when block ends with lent" (#20107)
- Fixed "locals doesn't work with ORC" (#20162)
- Fixed "reset does not work on set" (#19967)
- Fixed "selectRead and selectWrite are dangerous to use sockets with FD numbers bigger than FD_SETSIZE (1024) on *nixes" (#19973)
- Fixed "use-after-free bugs in object variants" (#20305)
- Fixed "[ARC] C compiler error when using the result of a template in the subscript operator" (#20303)
- Fixed "Calling nullary templates without () doesn't work inside calls inside other templates" (#13515)
- Fixed "[Regression] Incorrect captures of pegs \ident macro in nim 1.6" (#19104)
- Fixed "Windows gcc shipped with choosenim 1.6.4 with TLS emulation turned off : The application was unable to start correctly (0xc000007b)." (#19713)
2022-09-29 | nodejs: updated to 18.10.0 | adam | 3 | -7/+9
Version 18.10.0 (Current)
Notable changes
doc:
  (SEMVER-MINOR) deprecate modp1, modp2, and modp5 groups (Tobias Nießen)
  add legendecas to TSC list (Michael Dawson)
  move policy docs to the permissions scope (Rafael Gonzaga)
gyp:
  libnode for ios app embedding (chexiongsheng)
http:
  (SEMVER-MINOR) throw error on content-length mismatch (sidwebworks)
stream:
  (SEMVER-MINOR) add ReadableByteStream.tee() (Daeyeon Jeong)
2022-09-27 | nodejs: updated to 18.9.1 | adam | 3 | -12/+10
Version 18.9.1 (Current)
This is a security release.
Notable changes
The following CVEs are fixed in this release:
- CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
  Insufficient fix for macOS devices on v18.5.0
- CVE-2022-32222: Node 18 reads openssl.cnf from /home/iojs/build/ upon startup on MacOS (Medium)
- CVE-2022-32213: HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding (Medium)
  Insufficient fix on v18.5.0
- CVE-2022-32215: HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)
  Insufficient fix on v18.5.0
- CVE-2022-35256: HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)
- CVE-2022-35255: Weak randomness in WebCrypto keygen
2022-09-27 | nodejs16: updated to 16.17.1 | adam | 2 | -9/+9
Version 16.17.1 'Gallium' (LTS)
This is a security release.
Notable changes
The following CVEs are fixed in this release:
- CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
- CVE-2022-32213: bypass via obs-fold mechanic (Medium)
- CVE-2022-35255: Weak randomness in WebCrypto keygen
- CVE-2022-35256: HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)
2022-09-27 | nodejs14: updated to 14.20.1 | adam | 2 | -9/+9
Version 14.20.1 'Fermium' (LTS)
This is a security release.
Notable changes
The following CVEs are fixed in this release:
- CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
- CVE-2022-32213: bypass via obs-fold mechanic (Medium)
- CVE-2022-35256: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium)
2022-09-26 | Make Go 1.19 the default Go version | bsiegert | 1 | -2/+2
This switches ~all Go packages to be built with Go 1.19 instead of 1.18.
Discussed on tech-pkg@ "ok after the freeze"
2022-09-24 | openjdk8: attempt to work around build failure on aarch64 | nia | 2 | -1/+30
2022-09-24 | mono: Don't assume <sys/auxv.h> is available on NetBSD/aarch64 | nia | 2 | -1/+36
2022-09-23 | scheme48: Honor LDFLAGS when linking, fixes RELRO builds | nia | 2 | -3/+39
2022-09-22 | gcc10-aux: disable stack check | wiz | 1 | -1/+4
gcc6-aux does not support some of the flags.
2022-09-20 | lang/mono: fix NetBSD/powerpc support | he | 2 | -4/+16
* Add a cast which is needed
* Simplify one other macro
Fixes build on NetBSD/macppc.
2022-09-20 | mono: Force epoll detection to fail on SunOS | nia | 1 | -1/+4
illumos has the header and functions but it shouldn't be used.
2022-09-17 | go-module.mk: more sensible default for GO_BUILD_PATTERN | bsiegert | 1 | -3/+3
The previous default (...) means "build the whole world", which is never what you want. Instead, use "./...", which means "everything below the top-level directory". According to the documentation, this is what was meant the whole time.
This is probably a no-op because any useful Go package overrides this currently.
no objection from wiz@
2022-09-17 | go: be more verbose when building | bsiegert | 2 | -4/+4
Requested by nia@ during dev summit @EuroBSDCon
2022-09-16 | lang/smlnj11072: remove no longer needed powerpc nlffi section. | he | 1 | -15/+1
This now caused the build to fail, and the build and install now succeeds on NetBSD/macppc.
2022-09-16 | lang/smlnj: remove the powerpc nlffi section. | he | 1 | -15/+1
This no longer had any effect, and therefore caused the build to fail. The build and install now succeeds on NetBSD/macppc.
2022-09-14 | py-libcst: updated to 0.4.7 | adam | 5 | -292/+284
0.4.7 - 2022-07-12
Fixed
* Fix get_qualified_names_for matching on prefixes of the given name by @lpetre in https://github.com/Instagram/LibCST/pull/719
Added
* Implement lazy loading mechanism for expensive metadata providers by @Chenguang-Zhu in https://github.com/Instagram/LibCST/pull/720
0.4.6 - 2022-07-04
New Contributors
- @superbobry made their first contribution in https://github.com/Instagram/LibCST/pull/702
Fixed
- convert_type_comments now preserves comments following type comments by @superbobry in https://github.com/Instagram/LibCST/pull/702
- QualifiedNameProvider optimizations
  - Cache the scope name prefix to prevent scope traversal in a tight loop by @lpetre in https://github.com/Instagram/LibCST/pull/708
  - Faster qualified name formatting by @lpetre in https://github.com/Instagram/LibCST/pull/710
  - Prevent unnecessary work in Scope.get_qualified_names_for_ by @lpetre in https://github.com/Instagram/LibCST/pull/709
- Fix parsing of parenthesized empty tuples by @zsol in https://github.com/Instagram/LibCST/pull/712
- Support whitespace after ParamSlash by @zsol in https://github.com/Instagram/LibCST/pull/713
- [parser] bail on deeply nested expressions by @zsol in https://github.com/Instagram/LibCST/pull/718
0.4.5 - 2022-06-17
New Contributors
- @zzl0 made their first contribution in https://github.com/Instagram/LibCST/pull/704
Fixed
- Only skip supported escaped characters in f-strings by @zsol in https://github.com/Instagram/LibCST/pull/700
- Escaping quote characters in raw string literals causes a tokenizer error by @zsol in https://github.com/Instagram/LibCST/issues/668
- Corrected a code example in the documentation by @zzl0 in https://github.com/Instagram/LibCST/pull/703
- Handle multiline strings that start with quotes by @zzl0 in https://github.com/Instagram/LibCST/pull/704
- Fixed a performance regression in libcst.metadata.ScopeProvider by @lpetre in https://github.com/Instagram/LibCST/pull/698
0.4.4 - 2022-06-13
New Contributors
- @adamchainz made their first contribution in https://github.com/Instagram/LibCST/pull/688
Added
- Add package links to PyPI by @adamchainz in https://github.com/Instagram/LibCST/pull/688
- native: add overall benchmark by @zsol in https://github.com/Instagram/LibCST/pull/692
- Add support for PEP-646 by @zsol in https://github.com/Instagram/LibCST/pull/696
Updated
- parser: use references instead of smart pointers for Tokens by @zsol in https://github.com/Instagram/LibCST/pull/691
2022-09-12 | clojure: Update to 1.11.1.1155 | ryoon | 3 | -7/+11
Changelog:
1.11.1.1155 (Aug 5, 2022)
* TDEPS-228 Add support for auto inferred Sourcehut git urls
* Update aws-api, Maven, etc dep versions
* Use tools.deps.alpha 0.14.1222
1.11.1.1149 (Jun 21, 2022)
* clj -Ttools install-latest - refine how versions are filtered, sorted, and newest selected
* Update to tools.tools v0.2.8
* Use tools.deps.alpha 0.14.1212
1.11.1.1139 (Jun 16, 2022)
* Add clj -Ttools install-latest api function, examples:
  * Install tool: clj -Ttools install-latest :lib io.github.clojure/tools.deps.graph :as graph
  * Update tool: clj -Ttools install-latest :tool graph
* Fix regression with clj -X:deps find-versions from 1.11.1.1119
* Output from clj -X:deps find-versions now provides :git/tag and :git/sha
* Update to tools.tools v0.2.6
* Use tools.deps.alpha 0.14.1205
1.11.1.1129 (Jun 14, 2022)
* Fix directory context of -X:deps prep with transitive local deps
* Use tools.deps.alpha 0.14.1194
1.11.1.1124 (Jun 11, 2022)
* Fix bug in TDEPS-213 change
* Use tools.deps.alpha 0.14.1189
1.11.1.1119 (Jun 9, 2022)
* TDEPS-213 - Add -X:deps aliases to list available aliases
* TDEPS-226 - More nuanced error handling for s3 downloads
* Better error message when git url can't be inferred
* Use tools.deps.alpha 0.14.1185
1.11.1.1113 (Apr 25, 2022)
* TDEPS-153 - yet more fixes for errors during concurrent Maven downloads
* Use tools.deps.alpha 0.14.1178
1.11.1.1105 (Apr 5, 2022)
* Default to Clojure 1.11.1 if no Clojure version specified
1.11.0.1100 (Mar 28, 2022)
* Default to Clojure 1.11.0 if no Clojure version specified
* TDEPS-153 Fix concurrency issues in Maven artifact downloads
1.10.3.1087 (Feb 28, 2022)
* Fix error message when git url missing or not inferred
* Pass :exec-fn and :exec-args to -X/-T even when using -Scp
* TDEPS-222 Make Clojure dependency in pom a compile dependency, not provided
* TDEPS-203 In -X:deps prep - now takes basis settings, including aliases
* TDEPS-197 -X:deps git-resolve-tags - now resolves to :git/tag and :git/sha
* -X:deps tree - now takes basis settings
* -X:deps mvn-pom - now takes basis settings
* -X:deps list - put license abbreviation list in a resource and load on demand
* Use tools.deps.alpha 0.12.1158
1.10.3.1075 (Feb 2, 2022)
* TDEPS-216 - Built-in :deps alias should remove project paths from classpath
* Improve error if git sha is not found in git repo
* Improve prep error if transitive dep's prep function is unresolvable
* Bump AWS deps to latest versions
* Use tools.deps.alpha 0.12.1135
1.10.3.1069 (Jan 26, 2022)
* Update some Maven transitive deps to address some CVEs
* Update to tools.tools v0.2.5
* Add check to error on invocation of multiple exec functions
* Use tools.deps.alpha 0.12.1120
1.10.3.1058 (Jan 5, 2022)
* TDEPS-207 Fix deadlock in version range resolution
* TDEPS-215 Fix race condition during parallel loading of s3 transporter
* Don't track local deps.edn manifest for caching if deps project doesn't have one
* Update maven-core to 3.8.4, aws libs, tools.build, tools.tools to latest
* Use tools.deps.alpha 0.12.1109
1.10.3.1040 (Dec 1, 2021)
* Add clj -X:deps list for listing the full transitive set of deps and their license info - see docs
* Improved error handling for unknown tool with -T or -X:deps find-versions
* Use tools.deps.alpha 0.12.1084
1.10.3.1029 (Nov 8, 2021)
* TDEPS-212 Cover a much wider range of valid git dep urls, including git file urls
* Use tools.deps.alpha 0.12.1071
1.10.3.1020 (Nov 5, 2021)
* TDEPS-83 Invalidate classpath cache when local dep manifests change
* Add new clj -X:deps list program to list the full lib set on the classpath, see API docs for more info
* Bump deps to more recent versions - aws-api, jetty-client, etc
* Clean up exception handling for -X/-T
* Use tools.deps.alpha 0.12.1067
1.10.3.998 (Oct 26, 2021)
* Remove bottle :unneeded from brew formulas (no longer needed)
* TDEPS-209 Include only jar files in classpath from Maven artifacts
* Update to tools.tools v0.2.1 (minor improvements in clj -Ttools list)
* Use tools.deps.alpha 0.12.1058
1.10.3.986 (Sep 22, 2021)
* Fix nested session cache computation for local pom model building
* Use tools.deps.alpha 0.12.1048
1.10.3.981 (Sep 21, 2021)
* Update to latest AWS API libs
* Downgrade Maven resolver libs to better match Maven core libs
* Use tools.deps.alpha 0.12.1041
1.10.3.967 (Sep 1, 2021)
* Refine exec exceptions for missing namespace vs missing function in namespace
* Replace Maven-based build process with tools.build
* Compile entry points in tools.deps used for building classpaths for performance
* Use tools.deps.alpha 0.12.1036
1.10.3.943 (Aug 13, 2021)
* TDEPS-199 Use default http-client in S3 transporter
* Cache S3 transporter for a repo
* Fixed session cache to work properly across threads / binding stacks for better perf
* Replace specific maven version range requests with non-range request to reduce repo metadata lookups
* Load and cache Maven settings once for perf
* Cache version range resolution results for perf
* Use tools.deps.alpha 0.12.1019
1.10.3.933 (July 28, 2021)
* deps.edn
  + git deps
    o If a git library name follows the repo convention names, the :git/url can now be inferred (:git/url can also be specified explicitly and takes precedence)
    o :git/tag and prefix :git/sha can now be specified instead of the full sha. Both must point to the same commit.
    o :sha has been renamed to :git/sha but the original is still supported for backwards compatibility
  + :deps/prep-lib - a new top-level key can be used to say how a source lib should be prepared before being added to the classpath. This key's value is a map with :alias, :fn, and :ensures. See prep docs for more info.
  + :tools/usage - a new top-level key can be used to provide the :ns-default and :ns-aliases context for a tool
* Tools - git-based programs that can be installed with a local name. Tools can provide their own usage context in deps.edn.
  + Added new auto-installed tool named tools with functions install, list, remove. See reference.
  + Install a tool with clojure -Ttools install <lib> <coord> :as <toolname>
  + Run a tool with clojure -T<toolname> fn (also takes -X style args)
* Clojure CLI
  + New -T option is like -X (executes a function) but does not use the project classpath, instead uses tool classpath (and adds :paths ["."] by default). -T:aliases is otherwise same as -X. -Ttoolname resolves named tool by name and uses that tool lib.
  + TDEPS-198 - -X and -T will not wait to exit if futures/agents have been used
  + TDEPS-182 - Improve deprecation messages to be more accurate
  + TDEPS-183 - Fix -Sdescribe output to be valid EDN on Windows
  + TDEPS-179 - Fix incorrect classpath when :classpath-overrides removes path
  + Delay computation of local-repo path (don't compute at load time)
  + Use tools.deps.alpha 0.12.1003
* New -X:deps programs:
  + find-versions - to find versions of Maven or git libs or tools
  + prep - use to prep source libs
  + help/dir - to list available functions in a tool namespace
  + help/doc - to list docs for a tool namespace or function
Read more at Source Libs and Builds.
1.10.3.855 (May 25, 2021)
* Fix in applying :jvm-opts with -X execution on Windows
1.10.3.849 (May 21, 2021)
* Adds support for a trailing map of kvs in -X calls (similar to Clojure 1.11 trailing map to vararg calls)
* Updates all Maven deps to latest (maven-resolver 1.7.0, maven core 1.8.3) to address these security concerns
  + CVE-2020-13956 - bumps deps on Apache HttpClient used by Maven
  + CVE-2021-26291 - potential security problems regarding Maven repositories:
    o Due to the possibility of MITM (man in the middle) attacks, http repo access is now blocked by default. tools.deps/Clojure CLI has always used https repos in the default repository list (central and clojars), so this mostly impacts any explicit http repositories defined in deps.edn
    o Concerns over the "hijacking" of repository urls by transitive pom deps (or their super poms) to download artifacts from malicious repos. Maven made no changes here, but did clarify how repos are resolved on this page. From a deps perspective, we only use repositories declared in the top-level deps.edn (if transitive deps need a custom repo, you will need to add it at top-level too). For tools.deps use of pom dependencies, we are providing the repos of the top deps.edn file (which should always put Maven Central and Clojars first), then deferring to Maven for the rest.
* Use tools.deps.alpha 0.11.922
1.10.3.839 (May 12, 2021)
* Fix Linux installer breakage in 1.10.3.833
1.10.3.833 (May 11, 2021)
* TDEPS-177 - Fix Maven mirrors to look up by id, not name
* Remove flag when fetching git deps so that older git versions work
* Tweak some warning messages
* Clean up scripts to simplify variable replacement
* Use tools.deps.alpha 0.11.918
1.10.3.822 (Apr 3, 2021)
* Fix issue with git deps where new commits on branches were not fetched
1.10.3.814 (Mar 16, 2021)
* git deps: switch from using jgit to shelling out to git (must be git >= 2.5)
  + New env vars for control:
    o GITLIBS_COMMAND - command to invoke when shelling out to git, default = git
    o GITLIBS_DEBUG - set to true to print git commands and output to stderr, default = false
* Made git fetch only when shas can't be resolved to improve performance
* Bump dep versions for tools.cli and aws api to latest
* Use tools.deps.alpha 0.11.905
1.10.2.796 (Feb 23, 2021)
* Fix clj -X:deps git-resolve-tags to update the sha to match the tag
* Perf improvements for git or local deps using pom.xml
* Use tools.deps.alpha 0.9.884
1.10.2.790 (Feb 19, 2021)
* Add -version and --version options
* TDEPS-56 - Fix main-opts and jvm-opts word splitting on spaces
* TDEPS-125 - Use JAVA_CMD if set (thanks Gregor Middell!)
* Add warning if :paths or :extra-paths refers to a directory outside the project root (in the future will become an error)
* Use tools.deps.alpha 0.9.871
1.10.2.774 (Jan 26, 2021)
* Improve error when git dep version relationship can't be determined
* Switch to 1.10.2 for default Clojure version
* Use tools.deps.alpha 0.9.863
1.10.1.763 (Dec 10, 2020)
* Set exit code for -X ex-info error
* Sync up cli syntax for aliases in help
* Use tools.deps.alpha 0.9.857
1.10.1.754 (Dec 7, 2020)
* New, more informative tree format for clj -Stree / clj -X:deps tree
* Added options for use with clj -X:deps tree
* Use tools.deps.alpha 0.9.857
1.10.1.739 (Nov 23, 2020)
* Fix use of jdk profile activation in local deps with pom files
* Fix error handling for -X to avoid double throw
* Add error handling for -A used without an alias
* Use tools.deps.alpha 0.9.840
1.10.1.727 (Oct 21, 2020)
* Fix clj -X:deps tree adding tools.deps.alpha to tree
* Fix clj -X:deps mvn-pom adding tools.deps.alpha to pom deps
* Fix clj -X:deps git-resolve-tags not working
* TDEPS-169 - Fix clj -X:deps mvn-install on jar to also install embedded pom
* Fix clj -Spom not respecting dep modifications from -A (regression)
* Use tools.deps.alpha 0.9.833
1.10.1.716 (Oct 10, 2020)
* Make edn reading tolerant of unknown tagged literals
* Update to latest dependencies for maven-resolver and aws-api
* Use tools.deps.alpha 0.9.821
1.10.1.708 (Oct 7, 2020)
* Fixes to handling transitive deps when newer versions of a dep are found in the dep expansion
* TDEPS-168 - Improvements to -X error message handling
* Use tools.deps.alpha 0.9.816
1.10.1.697 (Sept 25, 2020)
* Added execution mode (-X)
* Added prepare mode (-P)
* Expanded main execution (-M) to support all argmap arguments
* Added new argmap attributes for namespace resolution:
  + :ns-aliases and :ns-default
* Added new clojure.tools.cli.api available via -X:deps alias:
  + clj -X:deps git-resolve-tags
  + clj -X:deps mvn-install
  + clj -X:deps mvn-pom
  + clj -X:deps tree
* Deprecated -R, -C (use -X, -M, or -A instead)
* Deprecated unqualified lib names in deps.edn (use fully qualified lib names)
* Deprecated alias tool args :deps and :paths (use :replace-deps and :replace-paths)
* Removed -O (use -X, -M, or -A)
* Removed -Sresolve-tags (use -X:deps git-resolve-tags)
* TDEPS-152 - Fixes to -Spom generation with srcDirectory
* TDEPS-155 - Better error handling for bad coordinates
* TDEPS-167 - Handle absolute resource paths in pom deps
* Use tools.deps.alpha 0.9.810
1.10.1.561 (July 17, 2020)
* Rework exclusion handling when exclusion sets differ for same lib/version
* Use tools.deps.alpha 0.8.709
1.10.1.547 (June 11, 2020)
* (Windows) Write -Spath to output, not to host
* TDEPS-152 - Fix bad addition of srcDirectory in pom gen
* TDEPS-155 - Add error checking for missing :mvn/version
* Use tools.deps.alpha 0.8.695
1.10.1.536 (Feb 28, 2020)
* Release automation work, no tool changes
1.10.1.510 (Feb 14, 2020)
* TDEPS-150 - Fix regression in supporting -Scp flag (avoid resolving deps)
* TDEPS-148 - Fix incorrect path resolution for git/local dep without deps.edn
* Use tools.deps.alpha 0.8.677
2022-09-12 | go: Force GOHOSTARCH for Darwin x86_64. | jperkin | 1 | -1/+5
Fixes builds of go118 and newer in x86_64 chroots on an arm64 host. The go build system parses "uname -v" and incorrectly assumes that if you're running on an arm64 host you always want arm64 binaries.
2022-09-12 | go-bin: Support DARWIN_CHROOTED for x86_64 too. | jperkin | 1 | -3/+3
Fixes build in an x86_64 chroot on an arm64 host.
2022-09-12 | gawk: update to 5.2.0. | wiz | 5 | -23/+29
Changes from 5.1.x to 5.2.0
---------------------------
*****************************************************************************
MPFR mode (the -M option) is now ON PAROLE. This feature is now being supported by a volunteer in the development team and not by the primary maintainer. If this situation changes, then the feature will be removed. For more information see this section in the manual:
https://www.gnu.org/software/gawk/manual/html_node/MPFR-On-Parole.html
*****************************************************************************
1. Infrastructure upgrades: Libtool 2.4.7, Bison 3.8.2.
2. Numeric scalars now compare in the same way as C for the relational operators. Comparison order for sorting has not changed. This only makes a difference when comparing Infinity and NaN values with regular numbers; it should not be noticeable most of the time.
3. If the AWK_HASH environment variable is set to "fnv1a" gawk will use the FNV1-A hash function for associative arrays.
4. The CMake infrastructure has been removed. In the five years it was in the tree, nobody used it, and it was not updated.
5. There is now a new function, mkbool(), that creates Boolean-typed values. These values *are* numbers, but they are also tagged as Boolean. This is mainly for use with data exchange to/from languages or environments that support real Boolean values. See the manual for details.
6. As BWK awk has supported interval expressions since 2019, they are now enabled even if --traditional is supplied. The -r/--re-interval option remains, but it does nothing.
7. The rwarray extension has two new functions, writeall() and readall(), for saving / restoring all of gawk's variables and arrays.
8. The new `gawkbug' script should be used for reporting bugs.
9. The manual page (doc/gawk.1) has been considerably reduced in size. Wherever possible, details were replaced with references to the online copy of the manual.
10. Gawk now supports Terence Kelly's "persistent malloc" (pma), allowing gawk to preserve its variables, arrays and user-defined functions between runs. THIS IS AN EXPERIMENTAL FEATURE! For more information, see the manual. A new pm-gawk.1 man page is included, as is a separate user manual that focuses on the feature.
11. Support for OS/2 has been removed. It was not being actively maintained.
12. Similarly, support for DJGPP has been removed. It also was not being actively maintained.
13. VAX/VMS is no longer supported, as it can no longer be tested. The files for it remain in the distribution but will be removed eventually.
14. Some subtle issues with untyped array elements being passed to functions have been fixed.
15. Syntax errors are now immediately fatal. This prevents problems with errors from fuzzers and other such things.
16. There have been numerous minor code cleanups and bug fixes. See the ChangeLog for details.
2022-09-12 lang/llvm: fix the logic in the powerpc section... he 1 -2/+4
...so that we don't insist on -mno-pltseq on older NetBSD.
2022-09-12 python37 py37-html-docs: updated to 3.7.14 adam 6 -50/+14
Python 3.7.14

Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735. This new limit can be configured or disabled by environment variable, command line flag, or sys APIs. See the integer string conversion length limitation documentation. The default limit is 4300 digits in string form. Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.

Core and Builtins
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees. The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for more details.

Library
bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of cursors in sqlite3 converters. Patch by Sergey Fedoseev.

Documentation
gh-91888: Add a new gh role to the documentation to link to GitHub issues.
bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.3.1.

Tests
gh-94208: test_ssl is now checking for supported TLS version and protocols in more tests.
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and setuptools. Patch by Illia Volochii and Adam Turner.
bpo-41306: Fixed a failure in test_tk.test_widgets.ScaleTest happening when executing the test with Tk 8.6.10.

Windows
bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.
2022-09-11 python: remove twisted support from versioned_dependencies wiz 1 -3/+2
2022-09-11 *: bump PKGREVISION for flac shlib bump wiz 2 -4/+4
2022-09-10 lang/ruby: add support for Ruby 3.1 taca 1 -1/+2
Add support for Ruby 3.1, which was lacking. The real change for it was accidentally committed in the previous update for Ruby on Rails 7.1.
Bump PKGREVISION.
2022-09-10 lang/ruby: start update of Ruby on Rails 7.0 taca 2 -3/+5
Start update of Ruby on Rails to 7.0.4.
2022-09-10 www/ruby-rails61: update to 6.1.7 taca 1 -2/+2
Ruby on Rails 6.1.7 was released on 9th September 2022. Active Record and Active Storage are updated:

Active Record

* Symbol is allowed by default for YAML columns
  Étienne Barrié
* Fix ActiveRecord::Store to serialize as a regular Hash
  Previously it would serialize as an ActiveSupport::HashWithIndifferentAccess which is wasteful and causes problems with YAML safe_load.
  Jean Boussier
* Fix PG.connect keyword arguments deprecation warning on ruby 2.7
  Fixes .
  Nikita Vasilevsky

Active Storage

* Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0.
  fatkodima
2022-09-10 www/ruby-rails60: update to 6.0.6 taca 1 -2/+2
Ruby on Rails 6.0.6 was released on 9th September 2022, and only Active Record is updated.

databases/ruby-activerecord60

* Symbol is allowed by default for YAML columns
  Étienne Barrié
2022-09-09 vala: update to 0.56.3. wiz 2 -7/+6
Vala 0.56.3
===========
 * Various improvements and bug fixes:
  - vala: Don't unconditionally expect ObjectType of Class [#1341]
  - vala: Make try-statement parsing more resilient [#1304]
  - vala: Avoid problems with '\' in #line directives on Windows [#1353]
  - gidlparser: Set source reference of parameters
 * Bindings:
  - atspi-2: Fix a few binding errors
  - glib-2.0: Use g_abort for GLib.Process.abort() beginning with 2.50 [#1350]
  - gtk+-3.0: Correctly unhide BindingSet.by_class to avoid Version attribute
2022-09-08 lang/purescript/Makefile: Make use of HASKELL_UNRESTRICTED_DEPENDENCIES pho 1 -23/+21
2022-09-07 python39 py39-html-docs: updated to 3.9.14 adam 6 -15/+15
Python 3.9.14

Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735. This new limit can be configured or disabled by environment variable, command line flag, or sys APIs. See the integer string conversion length limitation documentation. The default limit is 4300 digits in string form. Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.

Core and Builtins
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees. The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for more details.

Library
gh-94821: Fix binding of unix socket to empty address on Linux to use an available address from the abstract namespace, instead of “0”.
gh-91810: Suppress writing an XML declaration in open files in ElementTree.write() with encoding='unicode' and xml_declaration=None.
bpo-45393: Fix the formatting for await x and not x in the operator precedence table when using the help() system.
bpo-46197: Fix ensurepip environment isolation for subprocess running pip.

Tests
gh-95280: Fix problem with test_ssl test_get_ciphers on systems that require perfect forward secrecy (PFS) ciphers.
gh-94208: test_ssl is now checking for supported TLS version and protocols in more tests.
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and setuptools. Patch by Illia Volochii and Adam Turner.
2022-09-07 python38 py38-html-docs: updated to 3.8.14 adam 5 -13/+14
Python 3.8.14

Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735. This new limit can be configured or disabled by environment variable, command line flag, or sys APIs. See the integer string conversion length limitation documentation. The default limit is 4300 digits in string form. Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.

Core and Builtins
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees. The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for more details.

Library
bpo-46197: Fix ensurepip environment isolation for subprocess running pip.
bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of cursors in sqlite3 converters. Patch by Sergey Fedoseev.

Documentation
gh-91888: Add a new gh role to the documentation to link to GitHub issues.
bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.4.4.

Tests
gh-94208: test_ssl is now checking for supported TLS version and protocols in more tests.
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and setuptools. Patch by Illia Volochii and Adam Turner.
bpo-46114: Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses 0xMNN00PP0L.

Windows
bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.
2022-09-07 Recursive bump for recently updated Haskell packages pho 7 -12/+14
2022-09-07 go118: update to 1.18.6 (security) bsiegert 3 -12/+30
This minor release includes 2 security fixes following the security policy:

net/http: handle server errors after sending GOAWAY

A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this.

This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.

net/url: JoinPath does not strip relative path components in all circumstances

JoinPath and URL.JoinPath would not remove ../ path components appended to a relative path. For example, JoinPath("https://go.dev", "../go") returned the URL https://go.dev/../go, despite the JoinPath documentation stating that ../ path elements are cleaned from the result.

Thanks to q0jt for reporting this issue.

This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.
2022-09-07 lang/purescript: Update to 0.15.4 pho 11 -749/+119
Release notes are too long to paste here:
* 0.15.4: https://github.com/purescript/purescript/releases/tag/v0.15.4
* 0.15.3: https://github.com/purescript/purescript/releases/tag/v0.15.3
* 0.15.2: https://github.com/purescript/purescript/releases/tag/v0.15.2
* 0.15.0: https://github.com/purescript/purescript/releases/tag/v0.15.0
* 0.14.9: https://github.com/purescript/purescript/releases/tag/v0.14.9
* 0.14.8: https://github.com/purescript/purescript/releases/tag/v0.14.8
* 0.14.7: https://github.com/purescript/purescript/releases/tag/v0.14.7