Updated in wip by @wiz and myself.
14.0.6
This release is a bug-fix release and is API and ABI compatible with 14.0.0.
This release fixes a bug that was introduced in 14.0.5.
This will likely be the last 14.0.x release.
14.0.5
This release is a bug-fix release and is API and ABI compatible with 14.0.0.
Note that we have adopted a new release schedule for the project, so there
will be a new bug-fix release (14.0.x) every 2 weeks.
14.0.5 is the last planned release, but we may do a 14.0.6 release if there
are critical issues found in 14.0.5.
14.0.4
This release is a bug-fix release and is API and ABI compatible with 14.0.0.
14.0.0
Changes to the LLVM IR
Using the legacy pass manager for the optimization pipeline is deprecated
and will be removed after LLVM 14. In the meantime, only minimal effort will
be made to maintain the legacy pass manager for the optimization pipeline.
Max allowed integer type was reduced from 2^24-1 bits to 2^23 bits.
Max allowed alignment was increased from 2^29 to 2^32.
Changes to building LLVM
Building LLVM with Visual Studio now requires version 2019 or later.
Changes to the AArch64 Backend
Added support for the Armv9-A, Armv9.1-A and Armv9.2-A architectures.
The compiler now recognises the “tune-cpu” function attribute to support
the use of the -mtune frontend flag. This allows certain scheduling features
and optimisations to be enabled independently of the architecture.
If the “tune-cpu” attribute is absent it tunes according to the
“target-cpu”.
Fixed relocations against temporary symbols (e.g. in jump tables and
constant pools) in large COFF object files.
Auto-vectorization now targets SVE by default when available.
Changes to the ARM Backend
Added support for the Armv9-A, Armv9.1-A and Armv9.2-A architectures.
Added support for the Armv8.1-M PACBTI-M extension.
Changed the assembly comment string for MSVC targets to @ (consistent with
the MinGW and ELF targets), freeing up ; to be used as statement separator.
Changes to the PowerPC Target
Linux improvements:
Provided a number of builtins for compatibility with the XL compiler.
Allow MMA builtin types in pre-P10 compilation units.
Add support for Return Oriented Programming (ROP) protection for 32 bit.
Refactored code to use more inclusive language.
Switched to LLD as the default linker for pre-built Linux binaries.
Enabled IEEE quad long double on Linux via PPC_LINUX_DEFAULT_IEEELONGDOUBLE
in cmake config.
Added __ibm128 type to represent IBM double-double format, also
available as __attribute__((mode(IF))).
-mfloat128 can now be used in Linux subtargets with VSX enabled.
Added quadword atomic load/store support in codegen; not enabled by default.
Codegen improvements for splat load, byval parameter, stack lowering, etc.
Implemented P10 instruction scheduling model.
Implemented P10 instruction fusion pairs.
Improved handling of #pragma clang loop unroll_and_jam.
Various bug fixes.
AIX Support/improvements:
Variadic (ellipsis) functions with C complex types are now supported.
Added toc-data support for AIX 64-bit.
Added toc-data support for read-only globals.
Updated default target on AIX from pwr4 to pwr7.
AIX 64-bit code generation now uses fast-isel for O0.
Added DWARF support for 32-bit XCOFF.
Changes to the RISC-V Target
Codegen improvements for RV64 around the selection of addw/subw/mulw/slliw
instructions and removal of redundant sext.w instructions (using the new
RISCVSExtWRemoval pass).
The various RISC-V vector extensions were updated to version 1.0 and are no
longer experimental.
The Zba, Zbb, Zbc, and Zbs bit-manipulation extensions were updated to
version 1.0 and are no longer experimental.
Added MC layer support for the ratified scalar cryptography extensions.
The Zfh and Zfhmin extensions for half-precision floating point were updated
to version 1.0 and are no longer experimental.
Added support for the .insn directive.
Various improvements to immediate materialisation, including when
bit-manipulation extensions are enabled. Additionally, the constant pool is
now used for large integers.
Added support for constrained FP intrinsics for scalar types.
Added support for CSRs introduced in the Sscofpmf, Smstateen, and Sstc
extensions.
The experimental ‘Zbproposedc’ extension was removed, as was the ‘B’
extension (including all bit-manipulation sub-extensions). Individual ‘Zb*’
extensions should be used instead.
Changes to the X86 Target
Support for AVX512-FP16 instructions has been added.
Removed incomplete support for Intel MPX. (D111517)
Changes to the AMDGPU Target
Changes to the Windows Target
Changed how the .pdata sections refer to the code they’re describing, to
avoid conflicting unwind info if weak symbols are overridden.
Fixed code generation for calling support routines for converting 128 bit
integers from/to floats on x86_64.
The preferred path separator form (backslashes or forward slashes) can be
configured in Windows builds of LLVM now, with the
LLVM_WINDOWS_PREFER_FORWARD_SLASH CMake option. This defaults to true in
MinGW builds of LLVM.
Set proper COFF symbol types for function aliases (e.g. for Itanium C++
constructors), making sure that GNU ld exports all of them correctly as
functions, not data, when linking a DLL.
Handling of temporary files on more uncommon file systems (network mounts,
ramdisks) on Windows is fixed now (which previously either errored out or
left stray files behind).
Changes to the C API
LLVMSetInstDebugLocation has been deprecated in favor of the more general
LLVMAddMetadataToInst.
Fixed building LLVM-C.dll for i386 targets with MSVC, which had been broken
since the LLVM 8.0.0 release.
Changes to the LLVM tools
llvm-cov: -name-allowlist is now accepted in addition to -name-whitelist.
-name-whitelist is marked as deprecated and to be removed in future
releases.
llvm-ar now supports --thin for creating a thin archive. The modifier T has
a different meaning in some ar implementations. (D116979)
llvm-ar now supports reading big archives for XCOFF. (D111889)
llvm-nm now demangles Rust symbols. (D111937)
llvm-objcopy’s ELF port now avoids reordering section headers to preserve
st_shndx fields of dynamic symbols. (D107653)
llvm-objcopy now supports --update-section for ELF and Mach-O. (D112116)
(D117281)
llvm-objcopy now supports --subsystem for PE/COFF. (D116556)
llvm-objcopy now supports mips64le relocations for ELF. (D115635)
llvm-objcopy --rename-section now renames relocation sections together with
their targets. (D110352)
llvm-objdump --symbolize-operands now supports PowerPC. (D114492)
llvm-objdump -p now dumps PE header. (D113356)
llvm-objdump -R now supports ELF position-dependent executables. (D110595)
llvm-objdump -T now prints symbol versions. (D108097)
llvm-readobj: Improved printing of symbols in Windows unwind data.
llvm-readobj now supports --elf-output-style=JSON for JSON output and
--pretty-print for pretty printing of this output. (D114225)
llvm-readobj now supports several dump styles (--needed-libs, --relocs,
--syms) for XCOFF.
llvm-symbolizer now supports --debuginfod. (D113717)
llvm-cov now accepts “allowlist” spelling for -name-allowlist.
llvm-nm now supports XCOFF object files.
Added --needed-libs, aux header, and symbols support in llvm-readobj.
Added --symbolize-operands support in llvm-objdump.
Tools that read archive files now support reading AIX big format archive
files.
Added dump section support in obj2yaml.
Added yaml2obj support for 64-bit XCOFF.
Changes to LLDB
A change in Clang’s type printing has changed the way LLDB names array types
(from int [N] to int[N]) - LLDB pretty printer type name matching code may
need to be updated to handle this.
The following commands now ignore non-address bits (e.g. AArch64 pointer
signatures) in address arguments. In addition, non-address bits will not be
shown in the output of the commands.
memory find
memory read
memory region (see below)
memory tag read
memory tag write
The memory region command and GetMemoryRegionInfo API method now ignore
non-address bits in the address parameter. This also means that on systems
with non-address bits the last (usually unmapped) memory region will not
extend to 0xF…F. Instead it will end at the end of the mappable range that
the virtual address size allows.
The memory read command has a new option --show-tags. Use this option to
show memory tags beside the contents of tagged memory ranges.
Fixed continuing from breakpoints and singlestepping on Windows on ARM/ARM64.
LLDB has been included in Windows on ARM64 binary release with Python
support disabled.
Changes to BOLT
BOLT project is added to the LLVM monorepo. BOLT is a post-link optimizer
developed to speed up large applications. Build and usage instructions are
given in README.
Additional Information
A wide variety of additional information is available on the LLVM web page, in
particular in the documentation section. The web page also contains versions of
the API documentation which is up-to-date with the Git version of the source
code. You can access versions of these documents specific to this release by
going into the llvm/docs/ directory in the LLVM tree.
If you have any questions or comments about LLVM, please feel free to contact
us via the mailing lists.
The package changed with the addition of its libepoll-shim dependency.
Otherwise, we can get:
ERROR: libepoll-shim>=0.0.20210418 is not installed; can't buildlink files.
Both gcc and binutils ship an ansidecl.h. Until now this hasn't been a
problem, but the recent binutils 2.39 update ships an ansidecl.h that removes
things like "PTR" which GCC depends on, and it seems as though the binutils
version is being chosen ahead of the in-tree GCC version so the build breaks.
Avoiding buildlink3 ensures the headers aren't visible, and the builds are
now progressing further.
0.12.1
Changed
- `Document` objects now expose a text document's `language_id`
- Various Pyodide improvements
- Improved tests for more reliable CI
0.12
Added
- Allow custom word matching for `Document.word_at_point`
Changed
- Upgraded Python support to 3.10, dropping support for 3.6
- Dependency updates, notably Pydantic 1.9 and Websockets 10
NetBSD/aarch64 version (which we maintain locally) is kept back at
1.17.8nb1 since it works OK for bootstrap and I don't feel like regen'ing
the binaries unless there is some bug that warrants it.
CHANGELOG:
Janet 1.23.0
------------
This release brings a number of new features that will make Janet useful in
even more domains, including mutexes and reader-writer locks to the ev module
to improve interactions with multi-threaded, native code, better named
arguments support, and an experimental FFI module. Also a number of
improvements and simplification to Janet's debugging capabilities have been
made, and exposed with the new debugger function.
- Add experimental ffi/ module for interfacing with dynamic libraries and raw
function pointers. Only available on 64 bit linux, mac, and bsd systems.
- Allow using &named in function prototypes for named arguments. This is a more
ergonomic variant of &keys that isn't as redundant, more self documenting,
and allows extension to things like default arguments.
- Add delay macro for lazy evaluate-and-save thunks.
- Remove pthread.h from janet.h for easier includes.
- Add debugger - an easy to use debugger function that just takes a fiber.
- dofile will now start a debugger on errors if the environment it is passed
has :debug set.
- Add debugger-on-status function, which can be passed to run-context to start
a debugger on abnormal fiber signals.
- Allow running scripts with the -d flag to use the built-in debugger on errors
and breakpoints.
- Add mutexes (locks) and reader-writer locks to ev module for thread
coordination.
- Add parse-all as a generalization of the parse function.
- Add os/cpu-count to get the number of available processors on a machine
Janet 1.22.0
------------
- Prohibit negative size argument to table/new.
- Add module/value.
- Remove file/popen. Use os/spawn with the :pipe options instead.
- Fix bug in peg thru and to combinators.
- Fix printing issue in doc macro.
- Numerous updates to function docstrings
- Add defdyn aliases for various dynamic bindings used in core.
- Install janet.h symlink to make Janet native libraries and applications
easier to build without jpm.
Janet 1.21.2
------------
- Fix patch release - (version info)
Janet 1.21.1
------------
- Patch release to fix some versioning issues in the previous 1.21.0 release.
No new changes here.
Janet 1.21.0
------------
- C functions janet_dobytes and janet_dostring will now enter the event loop if
it is enabled.
- Fix hashing regression - hash of negative 0 must be the same as positive 0
since they are equal.
- The flycheck function no longer pollutes the module/cache
- Fix quasiquote bug in compiler
- Disallow use of cancel and resume on fibers scheduled or created with ev/go,
as well as the root fiber.
Janet 1.20.0
------------
- Add :missing-symbol hook to compile that will act as a catch-all macro for
undefined symbols.
- Add :redef dynamic binding that will allow users to redefine top-level
bindings with late binding. This is intended for development use.
- Fix a bug with reading from a stream returned by os/open on Windows and
Linux.
- Add :ppc64 as a detectable OS type.
- Add & more support for destructuring in the match macro.
- Add & more support for destructuring in all binding forms (def).
Janet 1.19.2
------------
- Fix bug with missing status lines in some stack traces.
- Update hash function to have better statistical properties.
Janet 1.19.1
------------
- Add an optional prefix parameter to debug/stacktrace to allow printing
prettier error messages.
- Remove appveyor for CI pipeline
- Fixed a bug that prevented sending threaded abstracts over threaded channels.
- Fix bug in the map function with arity at least 3.
Janet 1.19.0
------------
- Add math/log-gamma to replace math/gamma, and change math/gamma to be the
expected gamma function.
- Fix leaking file-descriptors in os/spawn and os/execute.
- Ctrl-C will now raise SIGINT.
- Allow quoted literals in the match macro to behave as expected in patterns.
- Fix windows net related bug for TCP servers.
- Allow evaluating ev streams with dofile.
- Fix ev related bug with operations on already closed file descriptors.
- Add struct and table agnostic getproto function.
- Add a number of functions related to structs.
- Add prototypes to structs. Structs can now inherit from other structs, just
like tables.
- Create a struct with a prototype with struct/with-proto.
- Deadlocked channels will no longer exit early - instead they will hang, which
is more intuitive.
Python 3.10.6 final
Release date: 2022-08-01
Security
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.
gh-92888: Fix memoryview use after free when accessing the backing buffer in certain cases.
Core and Builtins
gh-95355: _PyPegen_Parser_New now properly detects token memory allocation errors. Patch by Honglin Zhu.
gh-94938: Fix error detection in some builtin functions when keyword argument name is an instance of a str subclass with overloaded __eq__ and __hash__. Previously it could cause SystemError or other undesired behavior.
gh-94949: ast.parse() will no longer parse parenthesized context managers when passed feature_version less than (3, 9). Patch by Shantanu Jain.
gh-94947: ast.parse() will no longer parse assignment expressions when passed feature_version less than (3, 8). Patch by Shantanu Jain.
gh-94869: Fix the column offsets for some expressions in multi-line f-strings ast nodes. Patch by Pablo Galindo.
gh-91153: Fix an issue where a bytearray item assignment could crash if it’s resized by the new value’s __index__() method.
gh-94329: Compile and run code with unpacking of extremely large sequences (1000s of elements). Such code failed to compile. It now compiles and runs correctly.
gh-94360: Fixed a tokenizer crash when reading encoded files with syntax errors from stdin with non utf-8 encoded text. Patch by Pablo Galindo
gh-94192: Fix error for dictionary literals with invalid expression as value.
gh-93964: Strengthened compiler overflow checks to prevent crashes when compiling very large source files.
gh-93671: Fix some exponential backtrace case happening with deeply nested sequence patterns in match statements. Patch by Pablo Galindo
gh-93021: Fix the __text_signature__ for __get__() methods implemented in C. Patch by Jelle Zijlstra.
gh-92930: Fixed a crash in _pickle.c from mutating collections during __reduce__ or persistent_id.
gh-92914: Always round the allocated size for lists up to the nearest even number.
gh-92858: Improve error message for some suites with syntax error before ‘:’
Library
gh-95339: Update bundled pip to 22.2.1.
gh-95045: Fix GC crash when deallocating _lsprof.Profiler by untracking it before calling any callbacks. Patch by Kumar Aditya.
gh-95087: Fix IndexError in parsing invalid date in the email module.
gh-95199: Upgrade bundled setuptools to 63.2.0.
gh-95194: Upgrade bundled pip to 22.2.
gh-93899: Fix check for existence of os.EFD_CLOEXEC, os.EFD_NONBLOCK and os.EFD_SEMAPHORE flags on older kernel versions where these flags are not present. Patch by Kumar Aditya.
gh-95166: Fix concurrent.futures.Executor.map() to cancel the currently waiting on future on an error - e.g. TimeoutError or KeyboardInterrupt.
gh-93157: Fix fileinput module didn’t support errors option when inplace is true.
gh-94821: Fix binding of unix socket to empty address on Linux to use an available address from the abstract namespace, instead of “0”.
gh-94736: Fix crash when deallocating an instance of a subclass of _multiprocessing.SemLock. Patch by Kumar Aditya.
gh-94637: SSLContext.set_default_verify_paths() now releases the GIL around SSL_CTX_set_default_verify_paths call. The function call performs I/O and CPU intensive work.
gh-94510: Re-entrant calls to sys.setprofile() and sys.settrace() now raise RuntimeError. Patch by Pablo Galindo.
gh-92336: Fix bug where linecache.getline() fails on bad files with UnicodeDecodeError or SyntaxError. It now returns an empty string as per the documentation.
gh-89988: Fix memory leak in pickle.Pickler when looking up dispatch_table. Patch by Kumar Aditya.
gh-94254: Fixed types of struct module to be immutable. Patch by Kumar Aditya.
gh-94245: Fix pickling and copying of typing.Tuple[()].
gh-94207: Made _struct.Struct GC-tracked in order to fix a reference leak in the _struct module.
gh-94101: Manual instantiation of ssl.SSLSession objects is no longer allowed as it led to misconfigured instances that crashed the interpreter when attributes were accessed on them.
gh-84753: inspect.iscoroutinefunction(), inspect.isgeneratorfunction(), and inspect.isasyncgenfunction() now properly return True for duck-typed function-like objects like instances of unittest.mock.AsyncMock.
This makes inspect.iscoroutinefunction() consistent with the behavior of asyncio.iscoroutinefunction(). Patch by Mehdi ABAAKOUK.
gh-83499: Fix double closing of file description in tempfile.
gh-79512: Fixed names and __module__ value of weakref classes ReferenceType, ProxyType, CallableProxyType. It makes them pickleable.
gh-90494: copy.copy() and copy.deepcopy() now always raise a TypeError if __reduce__() returns a tuple with length 6 instead of silently ignore the 6th item or produce incorrect result.
gh-90549: Fix a multiprocessing bug where a global named resource (such as a semaphore) could leak when a child process is spawned (as opposed to forked).
gh-79579: sqlite3 now correctly detects DML queries with leading comments. Patch by Erlend E. Aasland.
gh-93421: Update sqlite3.Cursor.rowcount when a DML statement has run to completion. This fixes the row count for SQL queries like UPDATE ... RETURNING. Patch by Erlend E. Aasland.
gh-91810: Suppress writing an XML declaration in open files in ElementTree.write() with encoding='unicode' and xml_declaration=None.
gh-93353: Fix the importlib.resources.as_file() context manager to remove the temporary file if destroyed late during Python finalization: keep a local reference to the os.remove() function. Patch by Victor Stinner.
gh-83658: Make multiprocessing.Pool raise an exception if maxtasksperchild is not None or a positive int.
gh-74696: shutil.make_archive() no longer temporarily changes the current working directory during creation of standard .zip or tar archives.
gh-91577: Move imports in SharedMemory methods to module level so that they can be executed late in python finalization.
bpo-47231: Fixed an issue with inconsistent trailing slashes in tarfile longname directories.
bpo-46755: In QueueHandler, clear stack_info from LogRecord to prevent stack trace from being written twice.
bpo-46053: Fix OSS audio support on NetBSD.
bpo-46197: Fix ensurepip environment isolation for subprocess running pip.
bpo-45924: Fix asyncio incorrect traceback when future’s exception is raised multiple times. Patch by Kumar Aditya.
bpo-34828: sqlite3.Connection.iterdump() now handles databases that use AUTOINCREMENT in one or more tables.
Documentation
gh-94321: Document the PEP 246 style protocol type sqlite3.PrepareProtocol.
gh-86128: Document a limitation in ThreadPoolExecutor where its exit handler is executed before any handlers in atexit.
gh-61162: Clarify sqlite3 behavior when Using the connection as a context manager.
gh-87260: Align sqlite3 argument specs with the actual implementation.
gh-86986: The minimum Sphinx version required to build the documentation is now 3.2.
gh-88831: Augmented documentation of asyncio.create_task(). Clarified the need to keep strong references to tasks and added a code snippet detailing how to do this.
bpo-47161: Document that pathlib.PurePath does not collapse initial double slashes because they denote UNC paths.
Tests
gh-95280: Fix problem with test_ssl test_get_ciphers on systems that require perfect forward secrecy (PFS) ciphers.
gh-95212: Make multiprocessing test case test_shared_memory_recreate parallel-safe.
gh-91330: Added more tests for dataclasses to cover behavior with data descriptor-based fields.
gh-94208: test_ssl is now checking for supported TLS version and protocols in more tests.
gh-93951: In test_bdb.StateTestCase.test_skip, avoid including auxiliary importers.
gh-93957: Provide nicer error reporting from subprocesses in test_venv.EnsurePipTest.test_with_pip.
gh-57539: Increase calendar test coverage for calendar.LocaleTextCalendar.formatweekday().
gh-92886: Fixing tests that fail when running with optimizations (-O) in test_zipimport.py
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and setuptools. Patch by Illia Volochii and Adam Turner.
Build
gh-94841: Fix the possible performance regression of PyObject_Free() compiled with MSVC version 1932.
bpo-45816: Python now supports building with Visual Studio 2022 (MSVC v143, VS Version 17.0). Patch by Jeremiah Vivian.
Windows
gh-90844: Allow virtual environments to correctly launch when they have spaces in the path.
gh-92841: asyncio no longer throws RuntimeError: Event loop is closed on interpreter exit after asynchronous socket activity. Patch by Oleg Iarygin.
bpo-42658: Support native Windows case-insensitive path comparisons by using LCMapStringEx instead of str.lower() in ntpath.normcase(). Add LCMapStringEx to the _winapi module.
IDLE
gh-95511: Fix the Shell context menu copy-with-prompts bug of copying an extra line when one selects whole lines.
gh-95471: In the Edit menu, move Select All and add a new separator.
gh-95411: Enable using IDLE’s module browser with .pyw files.
gh-89610: Add .pyi as a recognized extension for IDLE on macOS. This allows opening stub files by double clicking on them in the Finder.
Tools/Demos
gh-94538: Fix Argument Clinic output to custom file destinations. Patch by Erlend E. Aasland.
gh-94430: Allow parameters named module and self with custom C names in Argument Clinic. Patch by Erlend E. Aasland
C API
gh-94930: Fix SystemError raised when PyArg_ParseTupleAndKeywords() is used with # in (...) but without PY_SSIZE_T_CLEAN defined.
gh-94864: Fix PyArg_Parse* with deprecated format units “u” and “Z”. It returned 1 (success) when warnings are turned into exceptions.
Only needed for NetBSD i386, no need to copypasta it to all configurations.
XXX is it even needed on i386? Bootstrap toolchain should ship with PaX
settings if needed.
Bump PKGREVISION for www/nginx.
<ChangeLog>
nginx modules:
*) Feature: improved r.args object. Added support for multiple
arguments with the same key. Added case sensitivity for
keys. Keys and values are percent-decoded now.
*) Bugfix: fixed r.headersOut setter for special headers.
Core:
*) Feature: added Symbol.for() and Symbol.keyfor().
*) Feature: added btoa() and atob() from WHATWG spec.
*) Bugfix: fixed large non-decimal literals.
*) Bugfix: fixed unicode argument trimming in parseInt().
*) Bugfix: fixed break instruction in a try-catch block.
*) Bugfix: fixed async function declaration in CLI.
</ChangeLog>
pkg_alternatives does not support manual pages (it creates its own wrappers
based on the binary names), and including them breaks upgrade rebuilds.
Bump PKGREVISION.
I've dug through the source code and removed loads of '-arch ' invocations but
still can't find the one that is incorrectly adding '-arch x86_64', so for now
we're just brute-force transforming it.
v8.14.0 (2022-07-13)
Features
feat: add npm audit signatures (@feelepxyz)
feat: Add web auth type (@jumoel)
feat(arborist): add support for dependencies script (@nlf)
feat: notify on adduser of upcoming cmds, login and register (@fritzy)
feat: warn on config --auth-type=sso/saml/oauth, undeprecate --auth-type (@fritzy)
Bug Fixes
fix: properly open package arg repo inside workspace (@wraithgar)
Documentation
docs: typo in npm command (@crisanmm)
docs: update reference to deprecated spdx package (@kachick)
docs: naming of files in example code should be consistent (@xc1427)
docs: document dependencies script
Version 18.6.0 (Current)
Notable Changes
Experimental ESM Loader Hooks API
Node.js ESM Loader hooks now support multiple custom loaders, and composition is achieved via "chaining": foo-loader calls bar-loader calls qux-loader (a custom loader must now signal a short circuit when intentionally not calling the next). See the ESM docs for details.
This minor release includes 9 security fixes following the security policy:
net/http: improper sanitization of Transfer-Encoding header
The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
a "chunked" encoding. This could potentially allow for request smuggling, but
only if combined with an intermediate server that also improperly failed to
reject the header as invalid.
This is CVE-2022-1705 and https://go.dev/issue/53188.
When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map
containing a nil value for the X-Forwarded-For header, ReverseProxy would set
the client IP as the value of the X-Forwarded-For header, contrary to its
documentation. In the more usual case where a Director function set the
X-Forwarded-For header value to nil, ReverseProxy would leave the header
unmodified as expected.
This is https://go.dev/issue/53423 and CVE-2022-32148.
Thanks to Christian Mehlmauer for reporting this issue.
compress/gzip: stack exhaustion in Reader.Read
Calling Reader.Read on an archive containing a large number of concatenated
0-length compressed files can cause a panic due to stack exhaustion.
This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.
encoding/xml: stack exhaustion in Unmarshal
Calling Unmarshal on a XML document into a Go struct which has a nested field
that uses the any field tag can cause a panic due to stack exhaustion.
This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.
encoding/xml: stack exhaustion in Decoder.Skip
Calling Decoder.Skip when parsing a deeply nested XML document can cause a
panic due to stack exhaustion.
The Go Security team discovered this issue, and it was independently reported
by Juho Nurminen of Mattermost.
This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.
encoding/gob: stack exhaustion in Decoder.Decode
Calling Decoder.Decode on a message which contains deeply nested structures can
cause a panic due to stack exhaustion.
This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.
path/filepath: stack exhaustion in Glob
Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.
io/fs: stack exhaustion in Glob
Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.
This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.
go/parser: stack exhaustion in all Parse* functions
Calling any of the Parse functions on Go source code which contains deeply
nested types or declarations can cause a panic due to stack exhaustion.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.
Rails 7.0.3.1 (2022-07-12) updates databases/ruby-activerecord70 only.
databases/ruby-activerecord70
* Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options. The configuration options are as
follows:
o config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but
leaving the possible escalation vulnerability in place. Setting this
option to true is *not* recommended, but can aid in upgrading.
o config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be
deserialized by default. This option allows you to specify classes deemed
"safe" in your application. For example, if your application uses Symbol
and Time in serialized data, you can add Symbol and Time to the allowed
list as follows:
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
[CVE-2022-32224]
Rails 6.1.6.1 (2022-07-12) updates databases/ruby-activerecord61 only.
databases/ruby-activerecord61
* Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options. The configuration options are as
follows:
o config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but
leaving the possible escalation vulnerability in place. Setting this
option to true is *not* recommended, but can aid in upgrading.
o config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be
deserialized by default. This option allows you to specify classes deemed
"safe" in your application. For example, if your application uses Symbol
and Time in serialized data, you can add Symbol and Time to the allowed
list as follows:
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
[CVE-2022-32224]
Rails 6.0.5.1 (2022-07-12) updates databases/ruby-activerecord60 only.
databases/ruby-activerecord60
* Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options. The configuration options are as
follows:
o config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but
leaving the possible escalation vulnerability in place. Setting this
option to true is *not* recommended, but can aid in upgrading.
o config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be
deserialized by default. This option allows you to specify classes deemed
"safe" in your application. For example, if your application uses Symbol
and Time in serialized data, you can add Symbol and Time to the allowed
list as follows:
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
[CVE-2022-32224]
Rails 5.2.8.1 (2022-07-12) updates databases/ruby-activerecord52 only.
databases/ruby-activerecord52
* Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options. The configuration options are as
follows:
o config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but
leaving the possible escalation vulnerability in place. Setting this
option to true is *not* recommended, but can aid in upgrading.
o config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be
deserialized by default. This option allows you to specify classes deemed
"safe" in your application. For example, if your application uses Symbol
and Time in serialized data, you can add Symbol and Time to the allowed
list as follows:
config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
[CVE-2022-32224]
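The difference between the two loading modes described above, as an added example that is not part of the commit message or of Rails itself. It calls Ruby's Psych library directly; load_column, AuditNote and the sample YAML are constructed for illustration, and the keyword arguments are only named after the two options.

```ruby
require "yaml"
require "date"

# Hypothetical application class, standing in for any non-core type that
# ended up in a serialized column.
class AuditNote
  attr_accessor :text
end

# Constructed sample column values (not taken from any real application).
PREFS_YAML = <<~YAML
  :theme: dark
  :since: 2022-07-12
  :last_login: 2022-07-12 10:30:00 Z
YAML

NOTE_YAML = <<~YAML
  --- !ruby/object:AuditNote
  text: hello
YAML

# Decode one serialized column value.
#
# permitted_classes    - plays the role of yaml_column_permitted_classes.
# use_yaml_unsafe_load - plays the role of use_yaml_unsafe_load: when true,
#                        any class named in the YAML is instantiated.
#
# Returns [:ok, value], or [:rejected, class_name] when the safe loader
# refuses a class that is not on the permitted list.
def load_column(yaml, permitted_classes: [], use_yaml_unsafe_load: false)
  value =
    if use_yaml_unsafe_load
      # Psych 4 renamed the permissive loader to unsafe_load; on older
      # versions plain YAML.load is the permissive one.
      YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
    else
      YAML.safe_load(yaml, permitted_classes: permitted_classes)
    end
  [:ok, value]
rescue Psych::DisallowedClass => e
  # The message has the form "Tried to load unspecified class: <name>".
  [:rejected, e.message[/unspecified class: (\S+)/, 1]]
end

if __FILE__ == $PROGRAM_NAME
  # Safe loading with an empty list refuses even Symbol, Date and Time.
  p load_column(PREFS_YAML)
  # With the three classes permitted the same data loads.
  p load_column(PREFS_YAML, permitted_classes: [Symbol, Date, Time])
  # A tagged object is still refused unless its class is listed.
  p load_column(NOTE_YAML, permitted_classes: [Symbol, Date, Time])
  # The permissive mode instantiates whatever class the data names.
  p load_column(NOTE_YAML, use_yaml_unsafe_load: true)
end
```

The rejected class name is what an upgrade needs: each name returned is either added to the permitted list after review or treated as data that should not be in the column.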
This minor release includes 9 security fixes following the security policy:
net/http: improper sanitization of Transfer-Encoding header
The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
a "chunked" encoding. This could potentially allow for request smuggling, but
only if combined with an intermediate server that also improperly failed to
reject the header as invalid.
This is CVE-2022-1705 and https://go.dev/issue/53188.
When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map
containing a nil value for the X-Forwarded-For header, ReverseProxy would set
the client IP as the value of the X-Forwarded-For header, contrary to its
documentation. In the more usual case where a Director function set the
X-Forwarded-For header value to nil, ReverseProxy would leave the header
unmodified as expected.
This is https://go.dev/issue/53423 and CVE-2022-32148.
Thanks to Christian Mehlmauer for reporting this issue.
compress/gzip: stack exhaustion in Reader.Read
Calling Reader.Read on an archive containing a large number of concatenated
0-length compressed files can cause a panic due to stack exhaustion.
This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.
encoding/xml: stack exhaustion in Unmarshal
Calling Unmarshal on an XML document into a Go struct which has a nested field
that uses the any field tag can cause a panic due to stack exhaustion.
This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.
encoding/xml: stack exhaustion in Decoder.Skip
Calling Decoder.Skip when parsing a deeply nested XML document can cause a
panic due to stack exhaustion.
The Go Security team discovered this issue, and it was independently reported
by Juho Nurminen of Mattermost.
This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.
encoding/gob: stack exhaustion in Decoder.Decode
Calling Decoder.Decode on a message which contains deeply nested structures can
cause a panic due to stack exhaustion.
This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.
path/filepath: stack exhaustion in Glob
Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.
io/fs: stack exhaustion in Glob
Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.
This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.
go/parser: stack exhaustion in all Parse* functions
Calling any of the Parse functions on Go source code which contains deeply
nested types or declarations can cause a panic due to stack exhaustion.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.
The intention was to avoid nodejs-18.x which no longer supports older
platforms, but that didn't work as pbulk still chooses the latest anyway, so
we'll need to fix that a different way.
It also has the downside of tying them to a specific version, which meant you
could no longer use the npm or yarn package managers with anything other than
the default nodejs version.
Version 16.16.0 'Gallium' (LTS)
This is a security release.
Notable changes
deps:
upgrade openssl sources to OpenSSL_1_1_1q (RafaelGSS)
src:
add OpenSSL config appname (Daniel Bevenius)
As documented in pkg/56774, when WRKOBJDIR is in LOCALBASE (eg set to
${LOCALBASE}/work) then changes done to Python's setup.py made it
unable to locate its own built-in modules, then failing to bootstrap and
build.
As suggested by tnn@; tested on NetBSD/amd64.
XXX pull-up to pkgsrc-2022Q2
While not strictly true, it's required to avoid pbulk always choosing nodejs18
as the preferred dependency, which is incorrect on platforms where it does not
build (macOS 10.14) and NODE_VERSION_DEFAULT is set to 16.
GCC 10.4
60 bug reports were fixed.
Target Specific Changes
x86-64
* The x86-64 ABI of passing and returning structures with a 64-bit
integer vector changed in GCC 10.1 when MMX is disabled. Disabling
MMX no longer changes how they are passed nor returned. This ABI
change is now diagnosed with -Wpsabi.
By now a large number of Rust projects have migrated to edition = 2021, which
requires Rust >= 1.56.
Some projects still using edition = 2018 could, technically, build with 1.20.
But, since several libs have also adopted edition = 2021, many would fail while
building dependencies.
camlp4 is an outdated way to build packages with caml and does not work
with pkgsrc ocaml versions for more than a year.
Remove camlp4 and all packages using it.
Ok jaapb@
Core Enhancements
use v5.36
-g command-line flag
Unicode 14.0 is supported
regex sets are no longer considered experimental
Variable length lookbehind is mostly no longer considered experimental
SIGFPE no longer deferred
Stable boolean tracking
iterating over multiple values at a time (experimental)
builtin functions (experimental)
defer blocks (experimental)
try/catch can now have a finally block (experimental)
non-ASCII delimiters for quote-like operators (experimental)
@_ is now experimental within signatured subs
Incompatible Changes
A physically empty sort is now a compile-time error
Deprecations
use VERSION (where VERSION is below v5.11) after use v5.11 is deprecated
Performance Enhancements
The build errored with:
configure: error: fma does not work, enable emulation with --enable-imprecise-c99-float-ops
and thus that arg is passed to configure.
With the change, ocaml builds, and unison builds and works.
(No change on any other platform.)
We carried a patch that changed the installation of the standard Tcl modules,
to some old style with names that apparently made PLIST generation easier.
Now, we got some more fixed version numbers that will change on updates,
but the upside is that R does not enter an endless loop anymore on installing
R-tcltk2 when DISPLAY is empty, see pkg/56696, which should be fixed now.
Take care with PLIST when updating and please don't re-introduce the bug.
A better fix might be to fix the endless loop in Tcl as called by R, but
just messing around with upstream installation is not a good starting
point.
(Update during freeze ok gdt@; even if this version might be broken,
that beats definitely broken.)
pkgsrc changes: use -native-compiler ondemand as recommended upstream.
Now uses dune to build, and uses ocaml-zarith instead of ocaml-num.
Upstream change summary:
(see https://coq.github.io/doc/v8.15/refman/changes.html for the full
change notes)
Coq 8.15.2 fixes:
- Added: intuition and dintuition use Tauto.intuition_solver (defined
as auto with *) instead of hardcoding auto with *. This makes it
possible to change the default solver with Ltac Tauto.intuition_solver
::= ... (#15866, fixes #7725, by Gaëtan Gilbert).
- Fixed: uncaught exception UnableToUnify with bidirectionality hints
(#16066, fixes #16063, by Gaëtan Gilbert).
- Fixed: multiple CoqIDE bugs (#15938, fixes #15861, #15939, fixes
#15882, #15964, fixes #15799, #15984, partially fixes #15873, #15996,
#15912, fixes #15903, all by Jim Fehrle).
- Fixed: an incorrect implementation of SFClassify, allowing for a
proof of False since 8.11.0, due to Axioms present in
Float.Axioms. (#16101, fixes #16096, by Ali Caglayan).
Coq 8.15.1 fixes:
- Fixed: cases of incompletenesses in the guard condition for
fixpoints in the presence of cofixpoints or primitive projections
(#15498, fixes #15451, by Hugo Herbelin).
- Fixed: inconsistency when using module subtyping with squashed
inductives (#15839, fixes #15838 (reported by Pierre-Marie Pédrot), by
Gaëtan Gilbert).
- Fixed: Check for prior declaration of a custom entry was missing
for notations in only printing mode (#15628, fixes #15619, by Hugo
Herbelin).
- Fixed: rewrite_strat regression in 8.15.0 related to Transitive
instances (#15577, fixes #15568, by Gaëtan Gilbert).
- Fixed: When setoid_rewrite succeeds in rewriting at some occurrence
but the resulting equality is the identity, it now tries rewriting in
subterms of that occurrence instead of giving up (#15612, fixes #8080,
by Gaëtan Gilbert).
- Fixed: Ill-typed goals created by clearbody in the presence of
transitive dependencies in the body of a hypothesis (#15634, fixes
#15606, by Hugo Herbelin).
- Fixed: cbn knows to refold fixpoints when Arguments with / and !
was used (#15653, fixes #15567, by Gaëtan Gilbert).
- Fixed a bug where coqc -vok was not creating an empty '.vok'
file. (#15745, by Ramkumar Ramachandra).
- Fixed: Line numbers shown in the Errors panel of CoqIDE were
incorrect; they didn't match the error locations in the script panel
(#15532, fixes #15531, by Jim Fehrle).
- Fixed: anomaly when using proof diffs with no focused goal (#15633,
fixes #15578, by Jim Fehrle).
- Fixed: Attempted edits to the processed part of a buffer while Coq
is busy processing a request are now ignored to ensure "processed"
highlighting is accurate (#15714, fixes #15733 and #15675 and #15725,
by Jim Fehrle).
- Fixed: Ensure that the names of arguments of inductive schemes are
distinct so that the new Coq 8.15 preservation of argument names in
the with clause of tactics in #13837 works as in Coq 8.14 for these
schemes (#15537, fixes #15420, by Hugo Herbelin).
Coq 8.15.0 summary:
- The apply with tactic no longer renames arguments unless
compatibility flag Apply With Renaming is set.
- Improvements to the auto tactic family, fixing the Hint Unfold
behavior, and generalizing the use of discrimination nets.
- The typeclasses eauto tactic has a new best_effort option allowing
it to return partial solutions to a proof search problem, depending on
the mode declarations associated to each constraint. This mode is used
by typeclass resolution during type inference to provide more precise
error messages.
- Many commands and options were deprecated or removed after
deprecation and more consistently support locality attributes.
- The Import command is extended with import_categories to select the
components of a module to import or not, including features such as
hints, coercions, and notations.
- A visual Ltac debugger is now available in CoqIDE.
Coq 8.14.2 fixes:
- Instance warns about the default locality immediately rather than
waiting until the instance is ready to be defined. This changes which
command warns when the instance has a separate proof: the Instance
command itself warns instead of the proof closing command (such as
Defined). (#15243, fixes #14704, by Gaëtan Gilbert).
Coq 8.14.1 fixes:
- Fix the implementation of persistent arrays used by the VM and
native compute so that it uses a uniform representation. Previously,
storing primitive floats inside primitive arrays could cause memory
corruption (#15081, closes #15070, by Pierre-Marie Pédrot).
- Fixed missing registration of universe constraints in Module Type
elaboration (#14666, fixes #14505, by Hugo Herbelin).
- Fixed: abstract more robust with respect to Ltac constr bindings
containing existential variables (#14671, fixes #10796, by Hugo
Herbelin).
- Fixed: correct support of trailing let by tactic specialize
(#15046, fixes #15043, by Hugo Herbelin).
- Fixed: anomaly with Extraction Conservative Types when extracting
pattern-matching on singleton types (#14669, fixes #3527, by Hugo
Herbelin).
- Fixed: a regular error instead of an anomaly when calling Separate
Extraction in a module (#14670, fixes #10796, by Hugo Herbelin).
Coq 8.14.0 summary:
- The internal representation of match has changed to a more space-
efficient and cleaner structure, allowing the fix of a completeness
issue with cumulative inductive types in the type-checker. The
internal representation is now closer to the user-level view of match,
where the argument context of branches and the inductive binders in
and as do not carry type annotations.
- A new coqnative binary performs separate native compilation of
libraries, starting from a .vo file. It is supported by coq_makefile.
- Improvements to typeclasses and canonical structure resolution,
allowing more terms to be considered as classes or keys.
- More control over notations declarations and support for primitive
types in string and number notations.
- Removal of deprecated tactics, notably omega, which has been
replaced by a greatly improved lia, along with many bug fixes.
- New Ltac2 APIs for interaction with Ltac1, manipulation of
inductive types and printing.
- Many changes and additions to the standard library in the numbers,
vectors and lists libraries. A new signed primitive integers library
Sint63 is available in addition to the unsigned Uint63 library.
Coq 8.13.2:
- Fixed crash when using vm_compute on an irreducible PArray.set
(#14005, fixes #13998, by Guillaume Melquiond).
- Fix: Never store persistent arrays as VM / native structured
values. This could be used to make vo marshalling crash, and probably
breaking some other invariants of the kernel (#14007, fixes #14006, by
Pierre-Marie Pédrot).
- Fix: Ltac2 Array.init no longer incurs exponential overhead when
used recursively (#14012, fixes #14011, by Jason Gross).
Coq 8.13.1:
- Fix arities of VM opcodes for some floating-point operations that
could cause memory corruption (#13867, by Guillaume Melquiond).
- Added options -v and --version to CoqIDE (#13870, by Guillaume
Melquiond).
Coq 8.13.0 summary:
- Introduction of primitive persistent arrays in the core language,
implemented using imperative persistent arrays.
- Introduction of definitional proof irrelevance for the equality
type defined in the SProp sort.
- Cumulative record and inductive type declarations can now specify
the variance of their universes.
- Various bugfixes and uniformization of behavior with respect to the
use of implicit arguments and the handling of existential variables in
declarations, unification and tactics.
- New warning for unused variables in catch-all match branches that
match multiple distinct patterns.
- New warning for Hint commands outside sections without a locality
attribute, whose goal is to eventually remove the fragile default
behavior of importing hints only when using Require. The recommended
fix is to declare hints as export, instead of the current default
global, meaning that they are imported through Require Import only,
not Require. See the following rationale and guidelines for details.
- General support for boolean attributes.
- Many improvements to the handling of notations, including number
notations, recursive notations and notations with bindings. A new
algorithm chooses the most precise notation available to print an
expression, which might introduce changes in printing behavior.
- Tactic improvements in lia and its zify preprocessing step, now
supporting reasoning on boolean operators such as Z.leb and supporting
primitive integers Int63.
- Typing flags can now be specified per-constant / inductive.
- Improvements to the reference manual including updated syntax
descriptions that match Coq's grammar in several chapters, and
splitting parts of the tactics chapter to independent sections.
This caused a build failure on OpenServer. As the comment hinted
would be necessary, limit the workaround to linux and sunos, which are
known to have poll. (expect does not have a configure test for poll
already.)
Version 18.4.0 (Current)
Notable Changes
crypto:
remove Node.js-specific webcrypto extensions
add CFRG curves to Web Crypto API
dns:
accept 'IPv4' and 'IPv6' for family
report:
add more heap infos in process report
GCC 12
Caveats
An ABI incompatibility between C and C++ when passing or returning by value certain aggregates containing zero width bit-fields has been discovered on various targets. As mentioned in PR102024, since the PR42217 fix in GCC 4.5 the C++ front-end has been removing zero width bit-fields from the internal representation of the aggregates after the layout of those aggregates, but the C front-end kept them, so passing e.g. struct S { float a; int : 0; float b; } or struct T { float c; int : 0; } by value could differ between C and C++. Starting with GCC 12 the C++ front-end no longer removes those bit-fields from the internal representation and per clarified psABI some targets have been changed, so that they either ignore those bit-fields in the argument passing by value decisions in both C and C++, or they always take them into account. x86-64, ARM and AArch64 will always ignore them (so there is a C ABI incompatibility between GCC 11 and earlier with GCC 12 or later), PowerPC64 ELFv2 and S/390 always take them into account (so there is a C++ ABI incompatibility, GCC 4.4 and earlier compatible with GCC 12 or later, incompatible with GCC 4.5 through GCC 11). RISC-V has changed the handling of these already starting with GCC 10. As the ABI requires, MIPS takes them into account handling function return values so there is a C++ ABI incompatibility with GCC 4.5 through 11. For function arguments on MIPS, refer to the MIPS specific entry. GCC 12 on the above targets will report such incompatibilities as warnings or other diagnostics unless -Wno-psabi is used.
C: Computed gotos require a pointer type now.
C++: Two non-standard std::pair constructors have been deprecated. These allowed the use of an rvalue and a literal 0 to construct a pair containing a move-only type and a pointer. The nullptr keyword should be used to initialize the pointer member instead of a literal 0, as this is portable to other C++ implementations.
The configuration option --enable-libstdcxx-allocator no longer supports the bitmap, mt, and pool arguments. Those configurations had been broken for some time.
Fortran: OpenMP code using the omp_lib.h include file can no longer be compiled with -std=f95 but now requires at least -std=f2003. Alternatively, use the omp_lib module, which still supports -std=f95 and is recommended to be used instead in general.
OpenMP offloading to Intel MIC has been deprecated and will be removed in a future release.
The cr16 target with the cr16-*-* configuration has been obsoleted and will be removed in a future release.
The hppa[12]*-*-hpux10* and hppa[12]*-*-hpux11* configurations targeting 32-bit PA-RISC with HP-UX have been obsoleted and will be removed in a future release.
The m32c*-*-rtems* configuration has been obsoleted and will be removed in a future release.
The support for the m32r-*-linux*, m32rle-*-linux*, m68k*-*-openbsd* and vax-*-openbsd* configurations has been removed.
STABS: Support for emitting the STABS debugging format is deprecated and will be removed in the next release. All ports now default to emit DWARF (version 2 or later) debugging info or are obsoleted.
The optimization level -Ofast now implies -fno-semantic-interposition.
General Improvements
Vectorization is enabled at -O2 which is now equivalent to the original -O2 -ftree-vectorize -fvect-cost-model=very-cheap. Note that the default vectorizer cost model has been changed; it used to behave as if -fvect-cost-model=cheap were specified.
GCC now supports the ShadowCallStack sanitizer, which can be enabled using the command-line option -fsanitize=shadow-call-stack. This sanitizer currently only works on AArch64 targets and it requires an environment in which all code has been compiled with -ffixed-r18. Its primary initial user is the Linux kernel.
Add some PRINT_PLIST_AWK statements to do the standard transformations
that I used to do by hand. With this change, "make print-PLIST" outputs
the correct PLIST without a need for manually fixing some lines.
The patches had a comment from 2012 that I cannot understand at all.
This replaces them with my best guess at the point of the patches.
Add users to Makefile.common, apparently only this package.
Tested by building (and hence building clisp) on NetBSD 9 amd64, and
running sbcl and evaluating (+ 1 2), following report by Chavdar
Ivanov.
Upstream NEWS (less bugfixes and minor improvements)
changes in sbcl-2.2.5 relative to sbcl-2.2.4:
* minor incompatible change: SB-EXT:*DERIVE-FUNCTION-TYPES* being NIL now
means that function calls will strictly only use type information from
proclaimed ftypes. The previous behavior (still the default) of using
derived type information from the same file is specified with :SAME-FILE.
(lp#1393302)
* minor incompatible change: RENAME-FILE now overwrites the target file on
Windows too, making its behaviour consistent with other platforms.
* minor incompatible change: inlining of local function is inhibited if
policy DEBUG = 3.
* platform support:
** single-stepping is now supported on 64-bit PowerPC platforms. (thanks
to Thomas Fitzsimmons)
** the :SB-LINKABLE-RUNTIME feature is now supported on 32-bit and 64-bit
PowerPC platforms. (thanks to Thomas Fitzsimmons)
* enhancement: debug source locations now work correctly for top level forms
with policy DEBUG = 1, as well as for block compiled files.
* enhancement: TRACE now supports tracing macro functions, compiler-macro
functions, individual methods and local functions. See the user manual for
more details. (lp#375314)
changes in sbcl-2.2.4 relative to sbcl-2.2.3:
* enhancement: better constraint propagation in the compiler. Specifically,
the compiler can now derive the type of X in control flow join situations
such as
(LAMBDA (X) (ECASE (1 ...) (2 ...)) X)
or
(LAMBDA (X) (ETYPECASE (INTEGER ...) (SYMBOL ...)) X)
instead of forgetting all information about X after the E(TYPE)CASE.
changes in sbcl-2.2.3 relative to sbcl-2.2.2:
* minor incompatible change: SB-THREAD:MUTEX-OWNER may return :THREAD-DEAD
if the apparent owner either exited nearly instantly after releasing the
mutex (and is not now the owner), or died and never released it.
* minor incompatible change: building the system with the simple semi-space
copying collector is no longer supported.
* minor incompatible change: support for PPC/Darwin has been removed.
* platform support:
** threads are now enabled by default on RISC-V.
** The generational garbage collector is now supported on MIPS.
changes in sbcl-2.2.2 relative to sbcl-2.2.1:
* platform support:
** all architectures now share the coverage mark instrumentation
implementation, meaning that performance now equals what had been
implemented only on x86 architectures.
* enhancement: improved handling of source locations for some classes
of compile time and runtime errors.
* enhancement: better source locations for structure accessors.
changes in sbcl-2.2.1 relative to sbcl-2.2.0:
* incompatible change: DEFINE-ALIEN-CALLBACK, which has never been exported
from a public package, has been deleted. It is superseded by
SB-ALIEN:DEFINE-ALIEN-CALLABLE.
* minor incompatible change: compiler warnings are emitted on more
provably-erroneous code involving sequence functions on specialized
arrays.
* platform support:
** support getting thread IDs on FreeBSD. (thanks to Felix Lange)
* enhancement: provide a restart for method lambda list mismatches that
fmakunbounds the generic function.
* enhancement: provide a USE-VALUE restart around type errors signalled from
(SETF SLOT-VALUE).
* enhancement: when UPDATE-INSTANCE-FOR-DIFFERENT-CLASS (or -REDEFINED-)
undergoes a non-local exit, restore the instance to its original state.
(thanks to Michał phoe Herda)
* enhancement: the :SYNCHRONIZED keyword argument to MAKE-HASH-TABLE is no
longer experimental.
changes in sbcl-2.2.0 relative to sbcl-2.1.11:
* platform support:
** support for FreeBSD on 64-bit arm platforms has been added.
** the :SB-LINKABLE-RUNTIME build-time feature is now supported on 32-bit
and 64-bit arm platforms, and on the FreeBSD operating system.
* enhancement: catch type mismatches for REPLACE, SUBSTITUTE, MAKE-ARRAY
with :INITIAL-CONTENTS.
When both lang/llvm and lang/clang are built with the z3 option enabled,
the Z3 constraint solver is activated for the Clang static analyzer.
This option is not enabled by default.
Python 3.10.5 final
Core and Builtins
gh-93418: Fixed an assert where an f-string has an equal sign ‘=’ following an expression, but there’s no trailing brace. For example, f"{i=".
gh-91924: Fix __ltrace__ debug feature if the stdout encoding is not UTF-8. Patch by Victor Stinner.
gh-93061: Backward jumps after async for loops are no longer given dubious line numbers.
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees.
The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for more details.
gh-92311: Fixed a bug where setting frame.f_lineno to jump over a list comprehension could misbehave or crash.
gh-92112: Fix crash triggered by an evil custom mro() on a metaclass.
gh-92036: Fix a crash in subinterpreters related to the garbage collector. When a subinterpreter is deleted, untrack all objects tracked by its GC. To prevent a crash in deallocator functions expecting objects to be tracked by the GC, leak a strong reference to these objects on purpose, so they are never deleted and their deallocator functions are not called. Patch by Victor Stinner.
gh-91421: Fix a potential integer overflow in _Py_DecodeUTF8Ex.
bpo-47212: Raise IndentationError instead of SyntaxError for a bare except with no following indent. Improve SyntaxError locations for an un-parenthesized generator used as arguments. Patch by Matthieu Dartiailh.
bpo-47182: Fix a crash when using a named unicode character like "\N{digit nine}" after the main interpreter has been initialized a second time.
bpo-46775: Some Windows system error codes(>= 10000) are now mapped into the correct errno and may now raise a subclass of OSError. Patch by Dong-hee Na.
bpo-47117: Fix a crash if we fail to decode characters in interactive mode if the tokenizer buffers are uninitialized. Patch by Pablo Galindo.
bpo-39829: Removed the __len__() call when initializing a list and moved initializing to list_extend. Patch by Jeremiah Pascual.
bpo-46962: Classes and functions that unconditionally declared their docstrings ignoring the --without-doc-strings compilation flag no longer do so.
The classes affected are ctypes.UnionType, pickle.PickleBuffer, testcapi.RecursingInfinitelyError, and types.GenericAlias.
The functions affected are 24 methods in ctypes.
Patch by Oleg Iarygin.
bpo-36819: Fix crashes in built-in encoders with error handlers that return a position less than or equal to the starting position of non-encodable characters.
Library
gh-93156: Accessing the pathlib.PurePath.parents sequence of an absolute path using negative index values produced incorrect results.
gh-89973: Fix re.error raised in fnmatch if the pattern contains a character range with upper bound lower than lower bound (e.g. [c-a]). Now such ranges are interpreted as empty ranges.
gh-93010: In a very special case, the email package tried to append the nonexistent InvalidHeaderError to the defect list. It should have been InvalidHeaderDefect.
gh-92839: Fixed crash resulting from calling bisect.insort() or bisect.insort_left() with the key argument not equal to None.
gh-91581: utcfromtimestamp() no longer attempts to resolve fold in the pure Python implementation, since the fold is never 1 in UTC. In addition to being slightly faster in the common case, this also prevents some errors when the timestamp is close to datetime.min. Patch by Paul Ganssle.
gh-92530: Fix an issue that occurred after interrupting threading.Condition.notify().
gh-92049: Forbid pickling constants re._constants.SUCCESS etc. Previously, pickling did not fail, but the result could not be unpickled.
bpo-47029: Always close the read end of the pipe used by multiprocessing.Queue after the last write of buffered data to the write end of the pipe to avoid BrokenPipeError at garbage collection and at multiprocessing.Queue.close() calls. Patch by Géry Ogam.
gh-91401: Provide a fail-safe way to disable subprocess use of vfork() via a private subprocess._USE_VFORK attribute. While there is currently no known need for this, if you find a need please only set it to False. File a CPython issue as to why you needed it and link to that from a comment in your code. This attribute is documented as a footnote in 3.11.
gh-91910: Add missing f prefix to f-strings in error messages from the multiprocessing and asyncio modules.
gh-91810: ElementTree method write() and function tostring() now use the text file’s encoding (“UTF-8” if not available) instead of locale encoding in XML declaration when encoding="unicode" is specified.
gh-91832: Add required attribute to argparse.Action repr output.
gh-91734: Fix OSS audio support on Solaris.
gh-91700: Compilation of a regular expression containing a conditional expression (?(group)...) now raises an appropriate re.error if the group number refers to an undefined group. Previously an internal RuntimeError was raised.
gh-91676: Fix unittest.IsolatedAsyncioTestCase to shut down the per test event loop executor before returning from its run method so that a not yet stopped or garbage collected executor state does not persist beyond the test.
gh-90568: Parsing \N escapes of Unicode Named Character Sequences in a regular expression now raises re.error instead of TypeError.
gh-91595: Fix the comparison of character and integer inside Tools.gdb.libpython.write_repr(). Patch by Yu Liu.
gh-90622: Worker processes for concurrent.futures.ProcessPoolExecutor are no longer spawned on demand (a feature added in 3.9) when the multiprocessing context start method is "fork" as that can lead to deadlocks in the child processes due to a fork happening while threads are running.
gh-91575: Update case-insensitive matching in the re module to the latest Unicode version.
gh-91581: Remove an unhandled error case in the C implementation of calls to datetime.fromtimestamp with no time zone (i.e. getting a local time from an epoch timestamp). This should have no user-facing effect other than giving a possibly more accurate error message when called with timestamps that fall on 10000-01-01 in the local time. Patch by Paul Ganssle.
bpo-47260: Fix os.closerange() potentially being a no-op in a Linux seccomp sandbox.
bpo-39064: zipfile.ZipFile now raises zipfile.BadZipFile instead of ValueError when reading a corrupt zip file in which the central directory offset is negative.
bpo-47151: When subprocess tries to use vfork, it now falls back to fork if vfork returns an error. This allows use in situations where vfork isn’t allowed by the OS kernel.
bpo-27929: Fix asyncio.loop.sock_connect() to only resolve names for socket.AF_INET or socket.AF_INET6 families. Resolution may not make sense for other families, like socket.AF_BLUETOOTH and socket.AF_UNIX.
bpo-43323: Fix errors in the email module if the charset itself contains undecodable/unencodable characters.
bpo-47101: hashlib.algorithms_available now lists only algorithms that are provided by activated crypto providers on OpenSSL 3.0. Legacy algorithms are not listed unless the legacy provider has been loaded into the default OSSL context.
bpo-46787: Fix concurrent.futures.ProcessPoolExecutor exception memory leak
bpo-45393: Fix the formatting for await x and not x in the operator precedence table when using the help() system.
bpo-46415: Fix ipaddress.ip_{address,interface,network} raising TypeError instead of ValueError if given invalid tuple as address parameter.
bpo-28249: Set doctest.DocTest.lineno to None when object does not have __doc__.
bpo-45138: Fix a regression in the sqlite3 trace callback where bound parameters were not expanded in the passed statement string. The regression was introduced in Python 3.10 by bpo-40318. Patch by Erlend E. Aasland.
bpo-44493: Add missing terminating NUL in sockaddr_un’s length
This was potentially observable when using non-abstract AF_UNIX datagram sockets to processes written in another programming language.
bpo-42627: Fix incorrect parsing of Windows registry proxy settings
bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of cursors in sqlite3 converters. Patch by Sergey Fedoseev.
Documentation
gh-86438: Clarify that -W and PYTHONWARNINGS are matched literally and case-insensitively, rather than as regular expressions, in warnings.
gh-92240: Added release dates for “What’s New in Python 3.X” for 3.0, 3.1, 3.2, 3.8 and 3.10
gh-91888: Add a new gh role to the documentation to link to GitHub issues.
gh-91783: Document security issues concerning the use of the function shutil.unpack_archive()
gh-91547: Remove “Undocumented modules” page.
bpo-44347: Clarify the meaning of dirs_exist_ok, a kwarg of shutil.copytree().
bpo-38668: Update the introduction to documentation for os.path to remove warnings that became irrelevant after the implementations of PEP 383 and PEP 529.
bpo-47138: Pin Jinja to a version compatible with Sphinx version 3.2.1.
bpo-46962: All docstrings in code snippets are now wrapped into PyDoc_STR() to follow the guideline of PEP 7’s Documentation Strings paragraph. Patch by Oleg Iarygin.
bpo-26792: Improve the docstrings of runpy.run_module() and runpy.run_path(). Original patch by Andrew Brezovsky.
bpo-40838: Document that inspect.getdoc(), inspect.getmodule(), and inspect.getsourcefile() might return None.
bpo-45790: Adjust inaccurate phrasing in Defining Extension Types: Tutorial about the ob_base field and the macros used to access its contents.
bpo-42340: Document that in some circumstances KeyboardInterrupt may cause the code to enter an inconsistent state. Provided a sample workaround to avoid it if needed.
bpo-41233: Link the errnos referenced in Doc/library/exceptions.rst to their respective section in Doc/library/errno.rst, and vice versa. Previously this was only done for EINTR and InterruptedError. Patch by Yan “yyyyyyyan” Orestes.
bpo-38056: Overhaul the Error Handlers documentation in codecs.
bpo-13553: Document tkinter.Tk args.
Tests
gh-92886: Fixing tests that fail when running with optimizations (-O) in test_imaplib.py.
gh-92670: Skip test_shutil.TestCopy.test_copyfile_nonexistent_dir test on AIX as the test uses a trailing slash to force the OS to consider the path as a directory, but on AIX the trailing slash has no effect and the path is considered a file.
gh-91904: Fix initialization of PYTHONREGRTEST_UNICODE_GUARD which prevented running regression tests on non-UTF-8 locale.
gh-91607: Fix test_concurrent_futures to test the correct multiprocessing start method context in several cases where the test logic mixed this up.
bpo-47205: Skip test for sched_getaffinity() and sched_setaffinity() error case on FreeBSD.
bpo-47104: Rewrite asyncio.to_thread() tests to use unittest.IsolatedAsyncioTestCase.
bpo-29890: Add tests for ipaddress.IPv4Interface and ipaddress.IPv6Interface construction with tuple arguments. Original patch and tests by louisom.
Build
bpo-47103: Windows PGInstrument builds now copy a required DLL into the output directory, making it easier to run the profile stage of a PGO build.
Windows
gh-92984: Explicitly disable incremental linking for non-Debug builds
bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.
bpo-46785: Fix race condition between os.stat() and unlinking a file on Windows, by using error codes returned by FindFirstFileW() when appropriate in win32_xstat_impl.
bpo-40859: Update Windows build to use xz-5.2.5
Tools/Demos
gh-91583: Fix regression in the code generated by Argument Clinic for functions with the defining_class parameter.
New in 2022.06:
+ Changes:
+ Allow optional : on LHS of signature binding declaration [20fd4f04]
+ Make &[max] and &[min] return RHS for ties [175e716f]
+ Make handles on attribute of type object more natural [1c04360d]
+ Allow openbsd to locate shared libraries by version [5abd57a8]
+ Allow :from<Raku> in identities [3051eefa]
+ Reconsider the way `$*PERL` is deprecated [10d73ada]
+ Allow setting ThreadPoolScheduler's max_threads to semi-infinite
value [4e56f241] [b0ebb5e6] [febff8fb]
+ Additions:
+ Categorize exceptions thrown by role appliers [7a2f3b19][9155b92b]
[d79a261d][86d2a75a]
+ Add :real named argument to DateTime.posix [1ffedd66]
+ Introduce (Exception|Cool).Failure coercer [51c00fdd]
+ Removals:
+ Efficiency:
+ Slightly speedup exponentiation by Ints [6f6fd1f7][1a12c34d]
+ Fix unneeded dependency check [636c805e]
+ Make .tail() on native arrays 25x as fast [7a25fc91]
+ Make .head/.tail faster on native arrays [7a25fc91][3c47f1d4][73b43e5f]
+ Make Date.new(Str) a few % faster [39298f10]
+ Make block exit handling faster for blocks having phasers [9a29735d]
[080abcd8]
+ Fixes:
+ Fix install issue on JVM [e4ba84af]
+ Fix exponentiation by large negative Ints and speedup exponentiation by
any sized negative Ints [c66c98fe][e4ae4737][b2c44bf3]
+ Fix for positional argument binding [83ea6474]
+ Fix infix le on two native strings [e93447cf]
+ Fix execution error when referencing non-existing captures [aaa5615c]
+ Remove counterproductive fallback from ModuleLoader [217960e2]
+ Resolve race conditions when working with symbols and repositories
[6fc2e6c6][0293ae58][ad2fdca4][d1b58910][f5dbd15a][082c7122][466a21d3]
[cef53ac1][2e17ca3d][8940d688][95fb9260][3b4061f6][c2f495b0][18c19fc9]
[6b117a36][2c6bccb4][ddef6461][a5cf1227]
+ Make "make test" clean on newer MacOSes [a6a856a4]
+ Fix my %h is (Set|Bag|Mix|)Hash = foo [62b6792a][51fd091a]
+ Internal:
+ Update BUILDPLAN helper module to uint renumbering [bea59762][9fd893f7]
+ Let core module installer use information from Compiler object [ce86a7db]
+ Put CATCH blocks at the start of the scope for maintainability [9f8eea41]
+ Various micro optimizations and dead code removal [ca5cfed8][0e55e9ff]
[36bdd01a][280a2090][b01c493a][a84e1684][64317c4e][8f70f8db][b84a6d2e]
[59d07871][556f1a2a][bf979d08][e9de06b8][ce86a7db]
New in 2022.04:
+ Changes:
+ Improve error when `make` encounters non-Match $/ (#4834) [2da9eb22]
[540c7365]
+ Additions:
+ Make previous values in REPL accessible with `$*N` [190e303d][1292357d]
+ Add `INSIDE_EMACS` environment variable for better embedding of the REPL
inside Emacs [76035de0]
+ Add an `IO::Path.dir-with-entries` method, returning a `Bool` indicating
if the directory has any entries (without danger of resource leaking)
[8a1e7788]
+ Implement `will complain` trait [a203a5af][2c2c5306][beeb9ffc][2baf8bc6]
+ Removals:
+ Remove the $?COMPILATION-ID constant as it was not documented and not
tested [b2a8bfc9]
+ Efficiency:
+ Make IO::Path.mkdir 2x as fast if dir already exists [57a65562]
+ Shortcut many methods on `Empty` (returning `Empty` without needing
to set up an iterator and a `Seq`) [1b4977c6][8f5a07d0][943c443c]
[1afc3f4f][78ca49eb]
+ Some optimizations for regex substitution [79cd9d97][55c833ad]
[72f2f400][4503faac]
+ Micro-optimizations to make compilation of Raku code faster
[3b692b1b][9a860ca8][9b07b66c][f6d9e90f][6736bd74][2555660b][f00fa82a]
[a0303b18][0cb12fee][c74b1275][7c1e80c6][3187922b][5dfa9c4e][c891075f]
[91185079][0fe48931]
+ Micro-optimizations to make module loading faster [f19d36b3][412c4625]
[ec20a3f0][173a75b0][97ad3f79][04c8bd6b][55685572][397145a6][83bf9d26]
[1c73cb8d][fc5ee2b0][1fd2d843]
+ Micro-optimize creation of `IO::Special` objects a bit (3x at each
Raku startup) [3e217a0d]
+ Fixes:
+ Add mention of 'sub' potentially missing [a56d239d]
+ Revert "An object will never work if native is expected" compile-time
error [94d4820a]
+ Only assign to caller's `$/` during a regex substitution if it's
writable [aed27864]
+ Make sure we serialize exports [f4cba21c]
+ Ignore any dot files in "dist" directory [07b4422b]
+ Make `*CWD` initialization non-lazy, it is almost always needed and
making it non-lazy prevents a race-condition [e9575349]
+ Don't initialize PROCESS:: variables more than once [e7143e00]
+ Protect setting loading with a lock [5dd82a62][07d3030a][d53d2da9]
+ Don't treat `!=` as a meta-op of `==` [f3b1e95d][12dd09e1]
+ Fix race condition in Rakudo::Supply::BlockState [5658f4da]
+ Fix for a lexical being localized while used in a nested scope [19c6c52f]
+ Fix typed named argument arrays not reporting type correctly [dcb0ac09]
+ Make `uniprop`/`uniprops` thread safe [2bd2ca0f]
+ Correctly check for writeable containers [90d876a3]
+ Internal:
Ruby on Rails 6.1.6 (2022-05-12)
Active Support
* Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Add the method ERB::Util.xml_name_escape to escape dangerous characters in
names of tags and names of attributes, following the specification of XML.
Action View
* Fix and add protections for XSS in ActionView::Helpers and ERB::Util.
Escape dangerous characters in names of tags and names of attributes in
the tag helpers, following the XML specification. Rename the option
:escape_attributes to :escape, to simplify by applying the option to the
whole tag.
Action Pack
* Allow Content Security Policy DSL to generate for API responses.
Ruby on Rails 6.0.5 (2022-05-12)
Active Support
* Fix tag helper regression.
Action Text
* Disentangle Action Text from ApplicationController
Allow Action Text to be used without having an ApplicationController
defined.
This makes sure:
- Action Text attachments render the correct URL host in mailers.
- an ActionController::Renderer isn't allocated per request.
- Sidekiq doesn't hang with the "classic" autoloader.
Ruby on Rails 5.2.8 (2022-05-12)
Active Support
* Fix tag helper regression.
Action View
* Make `LoadInterlockAwareMonitor` work in Ruby 2.7.
* Retain Ruby 2.2 compatibility.
Actually, strictly speaking this perhaps doesn't need to be kept in
sync, so drop the comment. Probably it makes sense that it should be
anyway, so leave the adjusted minimum as-is.
BUILDLINK_API_DEPENDS must reflect the exact llvm version, as this is
necessary to force the wasi packages to match, or build failures will
occur, because various commands invoked in the Firefox build process
supply the exact clang version in their path. For instance:
wasm-ld: error: cannot open /usr/pkg/lib/clang/13.0.1/lib/wasi/libclang_rt.builtins-wasm32.a: No such file or directory
clang-13: error: linker command failed with exit code 1 (use -v to see invocation)
(No PKGREVISION bump of www/firefox required, as this is a build-only
dependency, and no other packages presently depend on these.)
This minor release includes 4 security fixes following the security policy
<https://go.dev/security>:
- crypto/rand: rand.Read hangs with extremely large buffers
On Windows, rand.Read will hang indefinitely if passed a buffer larger
than 1 << 32 - 1 bytes.
Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go
toolset, for reporting this issue.
This is CVE-2022-30634 and Go issue https://go.dev/issue/52561.
- crypto/tls: session tickets lack random ticket_age_add
Session tickets generated by crypto/tls did not contain a randomly
generated ticket_age_add. This allows an attacker that can observe TLS
handshakes to correlate successive connections by comparing ticket ages
during session resumption.
Thanks to GitHub user @nervuri for reporting this.
This is CVE-2022-30629 and Go issue https://go.dev/issue/52814.
- os/exec: empty Cmd.Path can result in running unintended binary on
Windows
If, on Windows, Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput
are executed when Cmd.Path is unset and, in the working directory, there
are binaries named either "..com" or "..exe", they will be executed.
Thanks to Chris Darroch (chrisd8088@github.com), brian m. carlson (
bk2204@github.com), and Mikhail Shcherbakov (https://twitter.com/yu5k3)
for reporting this.
This is CVE-2022-30580 and Go issue https://go.dev/issue/52574.
- path/filepath: Clean(`.\c:`) returns `c:` on Windows
On Windows, the filepath.Clean function could convert an invalid path to
a valid, absolute path. For example, Clean(`.\c:`) returned `c:`.
Thanks to Unrud for reporting this issue.
This is CVE-2022-29804 and Go issue https://go.dev/issue/52476.
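The two Windows path issues above (CVE-2022-30580 and CVE-2022-29804) both come down to input that should be rejected before it is used. The guard below is an added example, not code from the Go project or its fix; the names CheckCmd, SafeCommand and CleanRelative are hypothetical, and the path check uses the slash-based path package with separators normalised so that it gives the same answer on any OS.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path"
	"strings"
)

var (
	ErrEmptyCmdPath = errors.New("refusing to run command with empty Path")
	ErrUnsafePath   = errors.New("not a plain relative path")
)

// CheckCmd rejects a command whose Path is unset, the precondition of
// CVE-2022-30580, before Run, Start, Output or CombinedOutput is called.
func CheckCmd(cmd *exec.Cmd) error {
	if cmd == nil || strings.TrimSpace(cmd.Path) == "" {
		return ErrEmptyCmdPath
	}
	return nil
}

// SafeCommand (hypothetical helper) builds a command and validates it.
func SafeCommand(name string, args ...string) (*exec.Cmd, error) {
	cmd := exec.Command(name, args...)
	if err := CheckCmd(cmd); err != nil {
		return nil, err
	}
	return cmd, nil
}

// CleanRelative cleans an untrusted Windows-style relative path and rejects
// results that are absolute, escape upward, or contain ':' in any element
// (drive specifiers such as "c:" and NTFS stream names).
func CleanRelative(untrusted string) (string, error) {
	// Normalise separators so the check does not depend on the host OS.
	cleaned := path.Clean(strings.ReplaceAll(untrusted, `\`, "/"))
	if path.IsAbs(cleaned) || cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, untrusted)
	}
	for _, elem := range strings.Split(cleaned, "/") {
		if strings.Contains(elem, ":") {
			return "", fmt.Errorf("%w: %q", ErrUnsafePath, untrusted)
		}
	}
	return cleaned, nil
}

func main() {
	// Constructed sample inputs, including the `.\c:` case from the advisory.
	for _, p := range []string{`docs\readme.txt`, `.\c:`, `a\..\..\b`, `\windows`} {
		got, err := CleanRelative(p)
		fmt.Printf("%-18q -> %q, err=%v\n", p, got, err)
	}
	_, err := SafeCommand("")
	fmt.Println("empty command:", err)
}
```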
Version 14.19.3 'Fermium' (LTS)
Notable Changes
This release updates OpenSSL to 1.1.1o. This update is not being treated as a security release as the issues addressed in OpenSSL 1.1.1o were assessed to not affect Node.js 14. See https://nodejs.org/en/blog/vulnerability/openssl-fixes-in-regular-releases-may2022/ for more information on how the May 2022 OpenSSL releases affect other Node.js release lines.
The list of GPG keys used to sign releases has been synchronized with the main branch.
Version 14.19.2 'Fermium' (LTS)
Notable Changes
doc:
New release key for Bryan English
npm:
Upgrade npm to v6.14.17.
V8:
V8 had a stack overflow issue affecting the vm module; cherry-picking cc9a8a37445e from V8 solves this issue.
Using getHeapSnapshot() was causing a Node.js crash due to a V8 issue; this is fixed by backporting 367b0c1e7a32 from V8.
Mypy 0.960
Minimal Support for LiteralString
Per-file Timing Stats
Performance Improvements
Experimental Fast Module Lookup
Documentation Updates
Improvements to Plugin System
ParamSpec Improvements
Fixes to Crashes
Was added in pkgsrc at a time when hangs during the build were frequent to
give a visual indicator of progress, but just clutters up bulk build logs
now.
This is a long-overdue update, so there are many changes. Details are in
the Changes file in the distribution.
The mk/ocaml file will be moved to lang/ocaml and the logic for selecting
whether to use the native-code compiler will be factored out into
native.mk to avoid duplications.
This is the final version before OCaml 5.0 arrives, which has
multicore support and should be a major change from the 4.x versions.