Bump from 46.0.7 to the current 48.0.0 release. Notable upstream
changes since 46.0.7:
- 48.0.0 drops Python 3.8 support (requires 3.9+); raises
Py_LIMITED_API floor to 0x030900f0.
- Adds ML-KEM / ML-DSA post-quantum primitives via OpenSSL 3.5.0+
(in addition to existing AWS-LC / BoringSSL paths).
- BACKWARDS INCOMPATIBLE: stricter X.509 CRL signature-algorithm
matching (mismatched inner/outer algs now raise ValueError at parse
time).
- Drops 32-bit Windows wheels and ships macOS only on arm64.
Replace the old downstream cross-compile fix with a backport of the
upstream-merged version from pyca/cryptography PR #14904
(commit 5d072cb2a685, scheduled for the release after 48.0.0).
Release notes:
https://cryptography.io/en/latest/changelog/#v48-0-0
Fixes: https://github.com/openwrt/packages/issues/29521
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
When python3 -m build is invoked during host-compile, it fails with:
/builder/staging_dir/hostpkg/bin/python3.14: No module named build
The package's HOST_BUILD_DEPENDS only pulled in python3 and
python-packaging, missing the actual host tooling for the new
pyproject build flow:
- python-build : provides the 'build' module itself
- python-installer : installs the resulting wheel
- python-wheel : wheel format support
- python-flit-core : marshmallow's declared build-backend
(build-backend = "flit_core.buildapi" in
pyproject.toml)
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The three CLI helpers shipped by python3-argcomplete
(activate-global-python-argcomplete, register-python-argcomplete,
python-argcomplete-check-easy-install-script) don't accept a --version
flag and emit no PKG_VERSION string in their usage output. With all
three executables missing the version, the generic CI test stage
fails with "No executables in the package provided version 3.6.3".
Add a test-version.sh that emits a line containing PKG_VERSION so the
framework's "Version check override" passes. The existing test.sh
already exercises the Python module import.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
New features (pipx 1.12.0):
- Add --fetch-python / PIPX_FETCH_PYTHON env var (always|missing|never)
to control standalone Python interpreter downloads
- Add opt-in "uv" backend: pipx can now use "uv venv" and "uv pip" for
managing virtual environments
* When "uv" is on PATH, defaults to using uv for NEW venvs
* Existing venvs keep their recorded backend (pip or uv)
* Set PIPX_DEFAULT_BACKEND=pip to force pip even with uv available
* pipx install pip always uses the pip backend (uv venvs have no pip)
Deprecations:
- --fetch-missing-python and PIPX_FETCH_MISSING_PYTHON deprecated;
use --fetch-python=missing or PIPX_FETCH_PYTHON=missing instead
Changelog:
https://github.com/pypa/pipx/releases/tag/1.12.0
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Fixes:
- Moved "headers" input type back to Mapping to avoid invariance issues
with MutableMapping and inferred dict types.
Users calling Request.headers.update() may need to narrow typing in code
(Closes#7441).
Security:
- CVE-2026-25645: Fixed extract_zipped_paths to extract contents to
a non-deterministic temp directory, to prevent malicious file replacement.
Does not affect default usage of Requests, only apps calling this utility
directly.
Changelog:
https://github.com/psf/requests/releases/tag/v2.34.2
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Fixes (click 8.3.3):
- Fix help strings for "help_option_names" that do not contain "-"
- Help string generation now properly handles option names with dashes
Changelog:
https://github.com/pallets/click/releases
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Add source packages and library to version check overrides.
Fixes: b5d3a38e ("python3: move version checks to override")
Signed-off-by: George Sapkin <george@sapk.in>
1.0.1 fixes a false-positive path-traversal check in destinations.py:
the 1.0.0 code used Path.resolve() to validate that each installed file
stays within the --destdir, but Path.resolve() follows symlinks.
OpenWrt's staging dir and toolchain directories contain many symlinks,
so resolved paths could escape the destdir comparison and trigger:
ValueError: Attempting to write <file> outside of the target directory
1.0.1 replaces Path.resolve() with os.path.abspath(), which normalises
the path without following symlinks, eliminating the false positive.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Starlette is a lightweight ASGI framework/toolkit, which is ideal for
building async web services in Python.
Signed-off-by: George Sapkin <george@sapk.in>
Lightweight JSON-RPC 2.0 protocol implementation and asynchronous server
powered by asyncio. This library is a successor of json-rpc and written
by the same team.
Signed-off-by: George Sapkin <george@sapk.in>
micropython-lib is a companion repository to micropython, versioned in
lockstep. Both are now at 1.28.0 (released 2026-04-06).
The 001-build-unix-ffi.patch remains needed as the upstream has not yet
incorporated the --unix-ffi argument into the tools/build.py script.
test.sh:
- micropython-lib: verify stdlib-replacement modules (collections,
functools, base64) can be imported via the /usr/lib/micropython path
- micropython-lib-unix: verify the micropython-unix wrapper script exists
and that sqlite3/select are importable via the unix-ffi path
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Changes since 1.27.0:
- New machine.CAN class with bindings for the stm32 port; support across
all ports to follow
- machine.PWM support added to stm32 and alif ports, completing coverage
of all Tier 1/2 MCU-based ports
- Template strings (t-strings, PEP 750) added at the "full feature" level
- weakref module added with weakref.ref and weakref.finalize classes
- f-strings now support nested f-strings within expressions
- Optimisations to native emitter; new RISC-V Zcmp arch flag for RV32
- extmod.mk: add extmod/machine_can.c (shifts the mbedtls hunk by 1 line;
update 040-extmod-use-external-mbedtls.patch accordingly)
micropython-lib is updated in lockstep in a separate commit.
Ref: https://github.com/micropython/micropython/releases/tag/v1.28.0
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Flup was heavily used in downstream distribution (Turris OS)
for their Web UI - reForis. Since there are no other
dependent packages in this repository, Flup is no longer needed.
The package appears to be abandoned and is no longer maintained
The latest version dates back to 2009.
It was previously required for Seafile.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Changes in 3.10:
- improve semanage man pages: add examples for -r RANGE flag usage
- semanage: reset active value when deleting boolean customizations
- various libsemanage/libsepol bug fixes and security hardening
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The pyproject.toml for zope.event 6.1 specifies a strict build
dependency of setuptools>=78.1.1,<81. We currently package
setuptools>=81, causing pip to report a missing dependency and
fail the build.
Add patch 001-relax-setuptools-version.patch to drop the <81 upper
bound, allowing the package to build with any recent setuptools.
Add test.sh to verify the installed version and exercise the core
event API (subscribers list, notify(), event dispatch).
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Add HOST_PYTHON3_PIP_VARS and --no-build-isolation to MAKE_VARS.
Without --no-build-isolation, pip creates an isolated build environment
which fails during cross-compilation because _sysconfigdata is missing.
Aligns with python-selinux which already has this fix.
The libsemanage pywrap uses the host Python's EXT_SUFFIX to name the
C extension, so we will use the PYCEXT env-var to correct that.
Add basic test.sh to verify the semanage Python bindings load correctly
in environments without SELinux kernel support.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Add --no-build-isolation to PYTHON_SETUP_ARGS. Without it, pip creates
an isolated build environment which fails during cross-compilation
because _sysconfigdata is missing for the target arch.
Add test.sh with basic import and API sanity checks.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Major changes since 3.10.0:
4.0:
- add CORS_ALLOW_PRIVATE_NETWORK setting for Local Network Access spec support
- add async middleware support, reducing overhead on async views
- remove deprecated CORS_REPLACE_HTTPS_REFERER and CorsPostCsrfMiddleware
- remove three header names from default allowed list (accept-encoding, dnt, origin)
4.3:
- fix access-control-allow-credentials header not being omitted on
non-allowed responses
4.6:
- drop support for Django 3.2 through 4.1
4.9:
- add Django 6.0 support
- tighten validation of sequence-type settings (e.g. CORS_ALLOW_METHODS)
Add PYPI_SOURCE_NAME:=django_cors_headers as the 4.x sdist uses
underscores in the filename.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Changelog since 0.9.6.1:
- add product version number to the PRODID tag in iCalendar output
- add support for GEO tags in vCards
- various bugfixes and compatibility improvements
Also need to update setup.cfg at build time to insert the version
to allow the package to build.
Otherwise we get
```
2026-04-21T08:17:17.9341927Z File "/builder/staging_dir/hostpkg/lib/python3.14/site-packages/setuptools/config/setupcfg.py", line 296, in __setitem__
2026-04-21T08:17:17.9342520Z parsed = self.parsers.get(option_name, lambda x: x)(value)
2026-04-21T08:17:17.9343117Z File "/builder/staging_dir/hostpkg/lib/python3.14/site-packages/setuptools/config/setupcfg.py", line 602, in _parse_version
2026-04-21T08:17:17.9343777Z return expand.version(self._parse_attr(value, self.package_dir, self.root_dir))
2026-04-21T08:17:17.9344201Z ~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2026-04-21T08:17:17.9344938Z File "/builder/staging_dir/hostpkg/lib/python3.14/site-packages/setuptools/config/setupcfg.py", line 421, in _parse_attr
2026-04-21T08:17:17.9345544Z return expand.read_attr(attr_desc, package_dir, root_dir)
2026-04-21T08:17:17.9345876Z ~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2026-04-21T08:17:17.9346409Z File "/builder/staging_dir/hostpkg/lib/python3.14/site-packages/setuptools/config/expand.py", line 191, in read_attr
2026-04-21T08:17:17.9346947Z return getattr(module, attr_name)
2026-04-21T08:17:17.9347261Z AttributeError: module 'vobject' has no attribute 'VERSION'
2026-04-21T08:17:17.9598878Z
```
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Patch release with stability and correctness fixes over 2.4.3:
- fix memory leak in certain array creation paths
- fix thread-safety issues in ufunc dispatch
- fix hash collisions in np.isin() on certain inputs
- fix OpenBLAS threading hang on ARM targets
- miscellaneous annotation and documentation improvements
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Alexandru Ardelean