Fixes:
- Moved "headers" input type back to Mapping to avoid invariance issues
with MutableMapping and inferred dict types.
Users calling Request.headers.update() may need to narrow typing in code
(Closes #7441).
Security:
- CVE-2026-25645: Fixed extract_zipped_paths to extract contents to
a non-deterministic temp directory, to prevent malicious file replacement.
Does not affect default usage of Requests, only apps calling this utility
directly.
Changelog:
https://github.com/psf/requests/releases/tag/v2.34.2
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
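The pattern behind the CVE-2026-25645 entry above, as an added example that is not part of the commit and is not the Requests implementation. The function names, the `tmp_root` parameter (an isolated stand-in for the shared temp directory) and the sample archive are hypothetical and constructed here.

```python
import os
import stat
import tempfile
import zipfile


def extract_predictable(archive: str, member: str, tmp_root: str) -> str:
    """Weak pattern: fixed path in a shared temp dir, existing file reused."""
    target = os.path.join(tmp_root, os.path.basename(member))
    if not os.path.exists(target):
        with zipfile.ZipFile(archive) as zf:
            data = zf.read(member)
        with open(target, "wb") as out:
            out.write(data)
    return target


def extract_private(archive: str, member: str, tmp_root: str) -> str:
    """Hardened pattern: fresh mkdtemp() directory (random name, mode 0700)."""
    with zipfile.ZipFile(archive) as zf:
        data = zf.read(member)
    private_dir = tempfile.mkdtemp(prefix="extract-", dir=tmp_root)
    target = os.path.join(private_dir, os.path.basename(member))
    # O_EXCL refuses to reuse anything that already exists at the target.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    return target


def read_text(path: str) -> str:
    with open(path, encoding="ascii") as f:
        return f.read()


def demo_extraction() -> dict:
    with tempfile.TemporaryDirectory() as root:
        archive = os.path.join(root, "bundle.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("certs/cacert.pem", "GENUINE")  # constructed sample
        shared = os.path.join(root, "shared-tmp")  # stands in for /tmp
        os.mkdir(shared)
        # Constructed: a file that already sits at the predictable name.
        with open(os.path.join(shared, "cacert.pem"), "w") as f:
            f.write("FOREIGN")
        weak = extract_predictable(archive, "certs/cacert.pem", shared)
        safe = extract_private(archive, "certs/cacert.pem", shared)
        mode = stat.S_IMODE(os.stat(os.path.dirname(safe)).st_mode)
        return {"weak": read_text(weak), "safe": read_text(safe), "dir_mode": mode}
```

The predictable variant hands the caller whatever already sits at that name, while the `mkdtemp()` variant always returns the archive's own bytes from a directory only the calling user can enter.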
Fixes (click 8.3.3):
- Fix help strings for "help_option_names" that do not contain "-"
- Help string generation now properly handles option names with dashes
Changelog:
https://github.com/pallets/click/releases
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
apk's ADB binary package format rejects both the backslash-escape and
the percent-encoding variants of the previous CPE id:
    cpe:/a:erlang:erlang\/otp   ERROR: info field 'tags' has invalid value
    cpe:/a:erlang:erlang%2Fotp  ERROR: info field 'tags' has invalid value
apk's tag value parser only accepts a restricted alphabet for ADB
package format and neither '\' nor '%' make the cut. The result is
that the package never produces an .apk.
Drop the '/otp' suffix entirely and use cpe:/a:erlang:erlang, which
matches the higher-level Erlang CPE entry. CVE scanners that walked
the more specific erlang\/otp entry will fall back to this one.
This effectively reverts the product portion of bfdf01496 ("lang/erlang:
fix PKG_CPE_ID"), which was correct against the NIST 2.3 string but
incompatible with apk's tag parser.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
On some build systems, the miniperl binary is created without execute
permission (errno 126 when running it as /bin/sh). This breaks building
the mro extension and cascades to all dependent packages.
Fix by ensuring chmod +x on miniperl after the main build step.
This matches how many other build systems handle this same issue.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Add source packages and library to version check overrides.
Fixes: b5d3a38e ("python3: move version checks to override")
Signed-off-by: George Sapkin <george@sapk.in>
1.0.1 fixes a false-positive path-traversal check in destinations.py:
the 1.0.0 code used Path.resolve() to validate that each installed file
stays within the --destdir, but Path.resolve() follows symlinks.
OpenWrt's staging dir and toolchain directories contain many symlinks,
so resolved paths could escape the destdir comparison and trigger:
    ValueError: Attempting to write <file> outside of the target directory
1.0.1 replaces Path.resolve() with os.path.abspath(), which normalises
the path without following symlinks, eliminating the false positive.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
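The difference between the two containment checks described in the commit above, as an added example that is not the installer project's code. The function names, directory layout and file names are hypothetical and constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def _within(root: str, candidate: str) -> bool:
    """True when candidate is root itself or lies below it."""
    return os.path.commonpath([root, candidate]) == root


def check_resolve(destdir: str, rel: str) -> bool:
    """Check in the style the commit attributes to 1.0.0: follows symlinks."""
    root = str(Path(destdir).resolve())
    return _within(root, str(Path(destdir, rel).resolve()))


def check_abspath(destdir: str, rel: str) -> bool:
    """Check in the style the commit attributes to 1.0.1: lexical only."""
    root = os.path.abspath(destdir)
    return _within(root, os.path.abspath(os.path.join(destdir, rel)))


def demo_containment() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        destdir = os.path.join(tmp, "staging")
        toolchain = os.path.join(tmp, "toolchain", "lib")
        os.makedirs(os.path.join(destdir, "usr"))
        os.makedirs(toolchain)
        # Constructed layout: staging/usr/lib is a symlink leaving destdir.
        os.symlink(toolchain, os.path.join(destdir, "usr", "lib"))
        legit = "usr/lib/python3/site-packages/pkg/__init__.py"
        dotdot = "usr/../../outside.py"  # genuine traversal attempt
        return {
            "resolve_legit": check_resolve(destdir, legit),
            "abspath_legit": check_abspath(destdir, legit),
            "resolve_dotdot": check_resolve(destdir, dotdot),
            "abspath_dotdot": check_abspath(destdir, dotdot),
        }
```

Both checks reject the `..` traversal; only the `resolve()` check rejects the path that passes through the symlinked directory. The lexical check accepts that path without noticing that the write lands in the symlink's target, so it is appropriate only where the directories under the destdir are trusted.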
perlbase-archive, perlbase-pod, and perlbase-test install Perl script
wrappers (ptar, pod2man, prove, etc.) that do not output the OpenWrt
package version string (5.40.0), causing generic version check failures
in CI.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Starlette is a lightweight ASGI framework/toolkit, which is ideal for
building async web services in Python.
Signed-off-by: George Sapkin <george@sapk.in>
Lightweight JSON-RPC 2.0 protocol implementation and asynchronous server
powered by asyncio. This library is a successor of json-rpc and written
by the same team.
Signed-off-by: George Sapkin <george@sapk.in>
micropython-lib is a companion repository to micropython, versioned in
lockstep. Both are now at 1.28.0 (released 2026-04-06).
The 001-build-unix-ffi.patch remains needed as the upstream has not yet
incorporated the --unix-ffi argument into the tools/build.py script.
test.sh:
- micropython-lib: verify stdlib-replacement modules (collections,
functools, base64) can be imported via the /usr/lib/micropython path
- micropython-lib-unix: verify the micropython-unix wrapper script exists
and that sqlite3/select are importable via the unix-ffi path
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Changes since 1.27.0:
- New machine.CAN class with bindings for the stm32 port; support across
all ports to follow
- machine.PWM support added to stm32 and alif ports, completing coverage
of all Tier 1/2 MCU-based ports
- Template strings (t-strings, PEP 750) added at the "full feature" level
- weakref module added with weakref.ref and weakref.finalize classes
- f-strings now support nested f-strings within expressions
- Optimisations to native emitter; new RISC-V Zcmp arch flag for RV32
- extmod.mk: add extmod/machine_can.c (shifts the mbedtls hunk by 1 line;
update 040-extmod-use-external-mbedtls.patch accordingly)
micropython-lib is updated in lockstep in a separate commit.
Ref: https://github.com/micropython/micropython/releases/tag/v1.28.0
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Flup was heavily used in downstream distribution (Turris OS)
for their Web UI - reForis. Since there are no other
dependent packages in this repository, Flup is no longer needed.
The package appears to be abandoned and is no longer maintained.
The latest version dates back to 2009.
It was previously required for Seafile.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Upstream release 28.5 (2026-04-23), patch release for OTP 28.
Applications updated:
- erl_interface-5.7: new --{enable,disable}-use-embedded-3pp-alternatives
configure option; allows using system zstd, zlib, ryu, openssl, tcl
instead of bundled copies (default: zlib uses OS version if available)
- erts-16.4: fixed bug in enif_make_map_from_arrays for arrays with >= 33
keys (duplicates could produce broken maps); fixed Unicode handling in
erl.exe args_file on Windows
- mnesia-4.25.3: bug fixes
- ssl-11.6: bug fixes
Highlight: new "Secure Coding Guidelines" document added to Design
Principles describing how to write secure Erlang code.
Reference: https://github.com/erlang/otp/releases/tag/OTP-28.5
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
FindLuaJIT.cmake uses NO_DEFAULT_PATH and only searches hardcoded
luajit-specific paths, so it never finds regular Lua. However if
LUAJIT_INCLUDE_DIRS and LUAJIT_LIBRARY are pre-set in the CMake
cache, find_path/find_library skip their searches, the module sets
LUAJIT_FOUND=ON and also sets LUA_INCLUDE_DIR/LUA_LIBRARIES from
those values, and the if(NOT LUAJIT_FOUND) guard skips the broken
find_package(Lua REQUIRED) call that fails under CMake 4.3.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Changes in 3.10:
- improve semanage man pages: add examples for -r RANGE flag usage
- semanage: reset active value when deleting boolean customizations
- various libsemanage/libsepol bug fixes and security hardening
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The CMakeLists.txt first tries FindLuaJIT.cmake which uses
NO_DEFAULT_PATH with hardcoded host paths, so it always fails in
cross-compilation. The fallback find_package(Lua REQUIRED) may also
fail to find a flat sysroot layout where lua.h lives at
/usr/include/lua.h rather than a versioned subdirectory.
Explicitly pass LUA_INCLUDE_DIR and LUA_LIBRARY to CMake to bypass
both finders, and depend on +liblua (the library package) instead of
+lua to ensure Build/InstallDev runs and Lua headers are present in
the staging directory before this package builds.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The pyproject.toml for zope.event 6.1 specifies a strict build
dependency of setuptools>=78.1.1,<81. We currently package
setuptools>=81, causing pip to report a missing dependency and
fail the build.
Add patch 001-relax-setuptools-version.patch to drop the <81 upper
bound, allowing the package to build with any recent setuptools.
Add test.sh to verify the installed version and exercise the core
event API (subscribers list, notify(), event dispatch).
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>