CVS commit: pkgsrc/lang

["Adam Ciarcinski" <adam%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   adam
Date:           Thu Jun 11 12:12:50 UTC 2026

Modified Files:
        pkgsrc/lang/py313-html-docs: Makefile distinfo
        pkgsrc/lang/python313: PLIST dist.mk distinfo

Log Message:
python313 py313-html-docs: updated to 3.13.14

Python 3.13.14

macOS
gh-124111: Update macOS installer to use Tcl/Tk 8.6.18.
gh-150644: When system logging is enabled (with config.use_system_logger, messages are now tagged as public. This allows the macOS 26 system logger to view messages without special configuration.
gh-115119: Update macOS installer to use libmpdecimal 4.0.1.
Windows
gh-151159: Updated bundled version of OpenSSL to 3.0.21.
gh-151159: Update macOS installer to use OpenSSL 3.0.21.
Tests
gh-151130: Add more tests for PyWeakref_* C API.
gh-149776: Fix test_socket on Linux kernel 7.1 and newer: skip UDP Lite tests if it’s not supported. Patch by Victor Stinner.
Security
gh-151159: Bumps the OpenSSL version to 3.0.21 on Android.
gh-150599: Fix a possible stack buffer overflow in bz2 when a bz2.BZ2Decompressor is reused after a decompression error. The decompressor now becomes unusable after libbz2 reports an error.
gh-149835: shutil.move() now resolves symlinks via os.path.realpath() when checking whether the destination is inside the source directory, preventing a symlink-based bypass of that guard.
gh-149698: Update bundled libexpat to version 2.8.1 for the fix for CVE 2026-45186.
gh-87451: The ftplib module’s undocumented ftpcp function no longer trusts the IPv4 address value returned from the source server in response to the PASV command by default, completing the fix for 
CVE-2021-4189. As with ftplib.FTP, the former behavior can be re-enabled by setting the trust_server_pasv_ipv4_address attribute on the source ftplib.FTP instance to True. Thanks to Qi Deng at 
Aurascape AI for the report.
gh-149486: tarfile.data_filter() now validates link targets using the same normalised value that is written to disk, strips trailing separators from the member name when resolving a symlink’s 
directory, and rejects link members that would replace the destination directory itself. This closes several path-traversal bypasses of the data extraction filter.
gh-149079: Fix a potential denial of service in unicodedata.normalize(). The canonical ordering step of Unicode normalization used a quadratic-time insertion sort for reordering combining characters, 
which could be exploited with crafted input containing many combining characters in non-canonical order. Replaced with a linear-time counting sort for long runs.
gh-149018: Improved protection against XML hash-flooding attacks in xml.parsers.expat and xml.etree.ElementTree when Python is compiled with libExpat 2.8.0 or later.
gh-149017: Update bundled libexpat to version 2.8.0.
gh-90309: Base64-encode values when embedding cookies to JavaScript using the http.cookies.BaseCookie.js_output() method to avoid injection and escaping.
gh-148808: Added buffer boundary check when using nbytes parameter with asyncio.AbstractEventLoop.sock_recvfrom_into(). Only relevant for Windows and the asyncio.ProactorEventLoop.
gh-148395: Fix a dangling input pointer in lzma.LZMADecompressor, bz2.BZ2Decompressor, and internal zlib._ZlibDecompressor when memory allocation fails with MemoryError, which could let a subsequent 
decompress() call read or write through a stale pointer to the already-released caller buffer.
gh-148169: A bypass in webbrowser allowed URLs prefixed with %action to pass the dash-prefix safety check.
gh-146581: Fix vulnerability in shutil.unpack_archive() for ZIP files on Windows which allowed to write files outside of the destination tree if the patch in the archive contains a Windows drive 
prefix. Now such invalid paths will be skipped. Files containing “..” in the name (like “foo..bar”) are no longer skipped.
gh-146333: Fix quadratic backtracking in configparser.RawConfigParser option parsing regexes (OPTCRE and OPTCRE_NV). A crafted configuration line with many whitespace characters could cause excessive 
CPU usage.
gh-146211: Reject CR/LF characters in tunnel request headers for the HTTPConnection.set_tunnel() method.
Library
gh-150913: Fix sqlite3.Blob slice assignment to raise TypeError and IndexError for type and size mismatches respectively, even when the target slice is empty.
gh-143008: Fix race conditions when re-initializing a io.TextIOWrapper object.
gh-150685: Update bundled pip to 26.1.2
gh-150406: Fix a possible crash occurring during socket module initialization when the system is out of memory on platforms without a reentrant gethostbyname.
gh-150372: readline: Fix a potential crash during tab completion caused by an out-of-memory error during module initialization.
gh-150175: Fix race condition in unittest.mock.ThreadingMock where concurrent calls could lose increments to call_count and other attributes due to a missing lock in _increment_mock_call.
gh-84353: Preserve non-UTF-8 encoded filenames when appending to a zipfile.ZipFile. Previously, non-ASCII names stored in a legacy encoding (without the UTF-8 flag bit set) could be corrupted when 
the central directory was rewritten: they were decoded as cp437 and then re-stored as UTF-8.
gh-149995: Update various docstrings in typing.
gh-88726: The email package now uses standard MIME charset names “gb2312” and “big5” instead of non-standard names “eucgb2312_cn” and “big5_tw”.
gh-149571: Fix the C implementation of xml.etree.ElementTree.Element.itertext(): it no longer emits text for comments and processing instructions.
gh-149921: Fix reference leaks in error paths of the _interpchannels and _interpqueues extension modules.
gh-149801: Add IANA registered names and aliases with leading zeros before number (like IBM00858, CP00858, IBM01140, CP01140) for corresponding codecs.
gh-149701: Fix bad return code from Lib/venv/bin/activate if hashing is disabled
gh-112821: In the REPL, autocompletion might run arbitrary code in the getter of a descriptor. If that getter raised an exception, autocompletion would fail to present any options for the entire 
object. Autocompletion now works as expected for these objects.
gh-149388: Make asyncio.windows_utils.PipeHandle closing idempotent.
gh-149489: Fix ElementTree serialization to HTML. The content of elements “xmp”, “iframe”, “noembed”, “noframes”, and “plaintext” is no longer escaped. The “plaintext” element no longer have the 
closing tag.
gh-149377: Update bundled pip to 26.1.1
gh-149231: In tomllib, the number of parts in TOML keys is now limited.
gh-149117: Fix runpy.run_module() and runpy.run_path() to set the name attribute on the ImportError they raise.
gh-149148: ensurepip: Upgrade bundled pip to 26.1. This version fixes the CVE 2026-3219 vulnerability. Patch by Victor Stinner.
gh-148093: Fix an out-of-bounds read of one byte in binascii.a2b_uu(). Raise binascii.Error, instead of reading past the buffer end.
gh-148914: Fix memoization of in-band PickleBuffer in the Python implementation of pickle. Previously, identical PickleBuffers did not preserve identity, and empty writable PickleBuffer memoized an 
empty bytearray object in place of b'', so the following references to b'' were unpickled as an empty bytearray object.
gh-138907: Support RFC 9309 in urllib.robotparser.
gh-148954: Fix XML injection vulnerability in xmlrpc.client.dumps() where the methodname was not being escaped before interpolation into the XML body.
gh-148801: xml.etree.ElementTree: Fix a crash in Element.__deepcopy__ on deeply nested trees.
gh-148735: xml.etree.ElementTree: Fix a use-after-free in Element.findtext when the element tree is mutated concurrently during the search.
gh-146553: Fix infinite loop in typing.get_type_hints() when __wrapped__ forms a cycle. Patch by Shamil Abdulaev.
gh-148508: An intermittent timing error when running SSL tests on iOS has been resolved.
gh-148518: If an email containing an address header that ended in an open double quote was parsed with a non-compat32 policy, accessing the username attribute of the mailbox accessed through that 
header object would result in an IndexError. It now correctly returns an empty string as the result.
gh-148370: configparser: prevent quadratic behavior when a ParsingError is raised after a parser fails to parse multiple lines. Patch by Bénédikt Tran.
gh-148254: Use singular “sec” instead of “secs” in timeit verbose output for consistency with other time units.
gh-148192: email.generator.Generator._make_boundary could fail to detect a duplicate boundary string if linesep was not n. It now correctly detects boundary strings when linesep is rn as well.
gh-146313: Fix a deadlock in multiprocessing’s resource tracker where the parent process could hang indefinitely in os.waitpid() during interpreter shutdown if a child created via os.fork() still 
held the resource tracker’s pipe open.
gh-145831: Fix email.quoprimime.decode() leaving a stray \r when eol='\r\n' by stripping the full eol string instead of one character.
gh-145105: Fix crash in csv reader when iterating with a re-entrant iterator that calls next() on the same reader from within __next__.
gh-130750: Restore quoting of choices in argparse error messages for improved clarity and consistency with documentation.
gh-105936: Attempting to mutate non-field attributes of dataclasses with both frozen and slots being True now raises FrozenInstanceError instead of TypeError. Their non-dataclass subclasses can now 
freely mutate non-field attributes, and the original non-slotted class can be garbage collected. The fix also handles the case of an empty __class__ cell on a function found within the class 
(gh-148947).
gh-142516: ssl: fix reference leaks in ssl.SSLContext objects. Patch by Bénédikt Tran.
gh-142831: Fix a crash in the json module where a use-after-free could occur if the object being encoded is modified during serialization.
gh-140287: The asyncio REPL now handles exceptions when executing PYTHONSTARTUP scripts. Patch by Bartosz Sławecki.
gh-90949: Add SetBillionLaughsAttackProtectionActivationThreshold() and SetBillionLaughsAttackProtectionMaximumAmplification() to xmlparser objects to tune protections against billion laughs attacks. 
Patch by Bénédikt Tran.
gh-132631: Fix “I/O operation on closed file” when parsing JSON Lines file with JSON CLI.
gh-128110: Fix bug in the parsing of email address headers that could result in extraneous spaces in the decoded text when using a modern email policy. Space between pairs of adjacent RFC 2047 
encoded-words is now ignored, per section 6.2 (and consistent with existing parsing of unstructured headers like Subject).
gh-107398: Fix tarfile stream mode exception when process the file with the gzip extra field.
gh-123853: Update the table of Windows language code identifiers (LCIDs) used by locale.getdefaultlocale() on Windows to protocol version 16.0 (2024-04-23).
gh-70039: Fixed bug where smtplib.SMTP.starttls() could fail if smtplib.SMTP.connect() is called explicitly rather than implicitly.
gh-83281: email: improve handling trailing garbage in address lists to avoid throwing AttributeError in certain edge cases
gh-91099: imaplib.IMAP4.login() now raises exceptions with str instead of bytes. Patch by Florian Best.
IDLE
bpo-6699: Warn the user if a file will be overwritten when saving.
Documentation
gh-150319: Generic builtin and standard library types now document the meaning of their type parameters.
gh-148663: Document that calendar.IllegalMonthError is a subclass of both ValueError and IndexError since Python 3.12.
gh-146646: Document that glob.glob(), glob.iglob(), pathlib.Path.glob(), and pathlib.Path.rglob() silently suppress OSError exceptions raised from scanning the filesystem.
gh-109503: Fix documentation for shutil.move() on usage of os.rename() since nonatomic move might be used even if the files are on the same filesystem. Patch by Fang Li
Core and Builtins
gh-151112: Fix a crash in the compiler that could occur when running out of memory.

gh-151126: Fix a crash, when there’s no memory left on a device, which happened in:

code compilation - _winapi.CreateProcess()
Now these places raise proper MemoryError errors.

gh-150633: Fix the frozen importer accepting module names with embedded null bytes, which caused it to bypass the sys.modules cache and create duplicate module objects.

gh-149156: Fix an intermittent crash after os.fork() when perf trampoline profiling is enabled and the child returns through trampoline frames inherited from the parent process.

gh-149449: Fix a use-after-free crash when the unicodedata module was removed from sys.modules and garbage-collected between calls that decode \N{...} escapes or use the namereplace codec error 
handler.

gh-148450: Fix abc.register() so it invalidates type version tags for registered classes.

gh-150207: Fix a crash when a memory allocation fails during tokenizer initialization. A proper MemoryError is now raised instead.

gh-150107: asyncio: sendfile() and sock_sendfile() event loop methods now call file.seek(offset) if file has a seek() method, even if offset is 0 (default value).

gh-150146: Fix a crash on a complex type variable substitution.

from typing import TypeVar; memoryview[TypeVar("")][*typing.Mapping[..., ...]] used to fail due to missing NULL check on _unpack_args C function call.

gh-149590: Fix crash when faulthandler is imported more than once.

gh-149738: sqlite3: Disallow removing row_factory and text_factory attributes of a connection to prevent a crash on a query.

gh-139808: Add branch protections for AArch64 (BTI/PAC) in assembly code used by -X perf_jit (Linux perf profiler integration).

gh-148820: Fix a race in _PyRawMutex on the free-threaded build where a Py_PARK_INTR return from _PySemaphore_Wait could let the waiter destroy its semaphore before the unlocking thread’s 
_PySemaphore_Wakeup completed, causing a fatal ReleaseSemaphore error.

gh-148653: Forbid marshalling recursive code objects which cannot be correctly unmarshalled.

gh-148390: Fix an undefined behavior in memoryview when using the native boolean format (?) in cast(). Previously, on some common platforms, calling memoryview(b).cast("?").tolist() incorrectly 
returned [False] instead of [True] for any even byte b. Patch by Bénédikt Tran.

gh-148418: Fix a possible reference leak in a corrupted TYPE_CODE marshal stream.

gh-148222: Fix vectorcall support in types.GenericAlias when the underlying type does not support the vectorcall protocol. Fix possible leaks in types.GenericAlias and types.UnionType in case of 
memory error.

gh-145376: Fix reference leaks in various unusual error scenarios.
C API
gh-150907: Fix dynamic_annotations.h header file when built with C++ and Valgrind: add extern "C++" scope for the C++ template. Patch by Victor Stinner.
Build
gh-149351: Avoid possible broken macOS framework install names when DESTDIR is specified during builds.
gh-146475: Block Apple Clang from being used to build the JIT as it ships without required LLVM tools.
gh-148535: No longer use the gcc -fprofile-update=atomic flag on i686. The flag has been added to fix a random GCC internal error on PGO build (gh-145801) caused by corruption of profile data (.gcda 
files). The problem is that it makes the PGO build way slower (up to 47x slower) on i686. Since the GCC internal error was not seen on i686 so far, don’t use -fprofile-update=atomic on i686 anymore. 
Patch by Victor Stinner.


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 pkgsrc/lang/py313-html-docs/Makefile \
    pkgsrc/lang/py313-html-docs/distinfo
cvs rdiff -u -r1.13 -r1.14 pkgsrc/lang/python313/PLIST
cvs rdiff -u -r1.14 -r1.15 pkgsrc/lang/python313/dist.mk
cvs rdiff -u -r1.20 -r1.21 pkgsrc/lang/python313/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/py313-html-docs/Makefile
diff -u pkgsrc/lang/py313-html-docs/Makefile:1.14 pkgsrc/lang/py313-html-docs/Makefile:1.15
--- pkgsrc/lang/py313-html-docs/Makefile:1.14   Thu Apr  9 07:15:07 2026
+++ pkgsrc/lang/py313-html-docs/Makefile        Thu Jun 11 12:12:50 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.14 2026/04/09 07:15:07 adam Exp $
+# $NetBSD: Makefile,v 1.15 2026/06/11 12:12:50 adam Exp $
 
-VERS=          3.13.13
+VERS=          3.13.14
 DISTNAME=      python-${VERS}-docs-html
 PKGNAME=       py313-html-docs-${VERS}
 CATEGORIES=    lang python
Index: pkgsrc/lang/py313-html-docs/distinfo
diff -u pkgsrc/lang/py313-html-docs/distinfo:1.14 pkgsrc/lang/py313-html-docs/distinfo:1.15
--- pkgsrc/lang/py313-html-docs/distinfo:1.14   Thu Apr  9 07:15:07 2026
+++ pkgsrc/lang/py313-html-docs/distinfo        Thu Jun 11 12:12:50 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.14 2026/04/09 07:15:07 adam Exp $
+$NetBSD: distinfo,v 1.15 2026/06/11 12:12:50 adam Exp $
 
-BLAKE2s (python-3.13.13-docs-html.tar.bz2) = 56523a38bb1b4e771324db22b96f0e6cd0cc5b3ff6a7a1aaebb22fa8b3416191
-SHA512 (python-3.13.13-docs-html.tar.bz2) = 12326cbe3a238cd529df37f47a4bab9beeb2d0663df907bc8572954cd4c18e76b7fac6b10999866698c70df34836fda9a0e6c0df57591dd2c6b6b6f9cfe10aaa
-Size (python-3.13.13-docs-html.tar.bz2) = 10439311 bytes
+BLAKE2s (python-3.13.14-docs-html.tar.bz2) = 20a90e48d5dd473dc24cc81f90a7bdd1d062e69d6e1eac7033fb932bc43f6a2c
+SHA512 (python-3.13.14-docs-html.tar.bz2) = adadb39d3b92b4572c5844cfb3f46d517d9d3ff55b3a3a0e4b21c00377e2d04139db980cf23fc995b9c52d793dc272e29d9c0f19ee3fad41d40748844a3a15e7
+Size (python-3.13.14-docs-html.tar.bz2) = 10489722 bytes

Index: pkgsrc/lang/python313/PLIST
diff -u pkgsrc/lang/python313/PLIST:1.13 pkgsrc/lang/python313/PLIST:1.14
--- pkgsrc/lang/python313/PLIST:1.13    Thu Apr  9 07:15:07 2026
+++ pkgsrc/lang/python313/PLIST Thu Jun 11 12:12:50 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.13 2026/04/09 07:15:07 adam Exp $
+@comment $NetBSD: PLIST,v 1.14 2026/06/11 12:12:50 adam Exp $
 bin/idle${PY_VER_SUFFIX}
 bin/pydoc${PY_VER_SUFFIX}
 bin/python${PY_VER_SUFFIX}
@@ -1159,7 +1159,7 @@ lib/python${PY_VER_SUFFIX}/ensurepip/__i
 lib/python${PY_VER_SUFFIX}/ensurepip/__main__.py
 lib/python${PY_VER_SUFFIX}/ensurepip/__main__.pyc
 lib/python${PY_VER_SUFFIX}/ensurepip/__main__.pyo
-lib/python${PY_VER_SUFFIX}/ensurepip/_bundled/pip-26.0.1-py3-none-any.whl
+lib/python${PY_VER_SUFFIX}/ensurepip/_bundled/pip-26.1.2-py3-none-any.whl
 lib/python${PY_VER_SUFFIX}/ensurepip/_uninstall.py
 lib/python${PY_VER_SUFFIX}/ensurepip/_uninstall.pyc
 lib/python${PY_VER_SUFFIX}/ensurepip/_uninstall.pyo
@@ -3092,6 +3092,9 @@ lib/python${PY_VER_SUFFIX}/test/test_cap
 lib/python${PY_VER_SUFFIX}/test/test_capi/test_watchers.py
 lib/python${PY_VER_SUFFIX}/test/test_capi/test_watchers.pyc
 lib/python${PY_VER_SUFFIX}/test/test_capi/test_watchers.pyo
+lib/python${PY_VER_SUFFIX}/test/test_capi/test_weakref.py
+lib/python${PY_VER_SUFFIX}/test/test_capi/test_weakref.pyc
+lib/python${PY_VER_SUFFIX}/test/test_capi/test_weakref.pyo
 lib/python${PY_VER_SUFFIX}/test/test_cext/__init__.py
 lib/python${PY_VER_SUFFIX}/test/test_cext/__init__.pyc
 lib/python${PY_VER_SUFFIX}/test/test_cext/__init__.pyo
@@ -4424,6 +4427,7 @@ lib/python${PY_VER_SUFFIX}/test/test_jso
 lib/python${PY_VER_SUFFIX}/test/test_json/__main__.py
 lib/python${PY_VER_SUFFIX}/test/test_json/__main__.pyc
 lib/python${PY_VER_SUFFIX}/test/test_json/__main__.pyo
+lib/python${PY_VER_SUFFIX}/test/test_json/json_lines.jsonl
 lib/python${PY_VER_SUFFIX}/test/test_json/test_decode.py
 lib/python${PY_VER_SUFFIX}/test/test_json/test_decode.pyc
 lib/python${PY_VER_SUFFIX}/test/test_json/test_decode.pyo

Index: pkgsrc/lang/python313/dist.mk
diff -u pkgsrc/lang/python313/dist.mk:1.14 pkgsrc/lang/python313/dist.mk:1.15
--- pkgsrc/lang/python313/dist.mk:1.14  Thu Apr  9 07:15:07 2026
+++ pkgsrc/lang/python313/dist.mk       Thu Jun 11 12:12:50 2026
@@ -1,6 +1,6 @@
-# $NetBSD: dist.mk,v 1.14 2026/04/09 07:15:07 adam Exp $
+# $NetBSD: dist.mk,v 1.15 2026/06/11 12:12:50 adam Exp $
 
-PY_DISTVERSION=        3.13.13
+PY_DISTVERSION=        3.13.14
 DISTNAME=      Python-${PY_DISTVERSION}
 EXTRACT_SUFX=  .tar.xz
 DISTINFO_FILE= ${.CURDIR}/../../lang/python313/distinfo

Index: pkgsrc/lang/python313/distinfo
diff -u pkgsrc/lang/python313/distinfo:1.20 pkgsrc/lang/python313/distinfo:1.21
--- pkgsrc/lang/python313/distinfo:1.20 Thu Apr  9 07:15:07 2026
+++ pkgsrc/lang/python313/distinfo      Thu Jun 11 12:12:50 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.20 2026/04/09 07:15:07 adam Exp $
+$NetBSD: distinfo,v 1.21 2026/06/11 12:12:50 adam Exp $
 
-BLAKE2s (Python-3.13.13.tar.xz) = 004b82366701c7ae639a025ba9d613b6f8b6286e44366c2abfe349c4ba4f1c04
-SHA512 (Python-3.13.13.tar.xz) = 0ef615150a52865fe7ca0d0e106cf98488f113a56e5ae1b1437673f03880423839d04abe1999006f9835c77d8802d5ae94a1bdf63d18074a9a19c81e6f7b69e8
-Size (Python-3.13.13.tar.xz) = 22957612 bytes
+BLAKE2s (Python-3.13.14.tar.xz) = e3f15eec754fac36cd47efe5f7b09bcecca78aab9ecb27de2d241e4c0ddeba84
+SHA512 (Python-3.13.14.tar.xz) = 0790da65f8ce88a13b06d3b287ace5a1f36b0a8f630a3af00fbbdf93b6ef0944dea05173a20c9e1336d280ef9a97ae2b95a44a4b487a7bbb71fda53b6331c0eb
+Size (Python-3.13.14.tar.xz) = 23021880 bytes
 SHA1 (patch-Include_pymacro.h) = 7611315fefc305a48b4965f2f2b9bee53ae3d987
 SHA1 (patch-Lib_ctypes_util.py) = 3dec1b6b7a36e46cbfa0dfcd71c5e7fac9f60764
 SHA1 (patch-Lib_sysconfig_____init____.py) = 6c151d3dca0367cbb38c1175b9dba894509cf1a4