CVS commit: pkgsrc/lang

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/lang
From: "Adam Ciarcinski" <adam%netbsd.org@localhost>
Date: Thu, 11 Jun 2026 12:13:39 +0000

Module Name:    pkgsrc
Committed By:   adam
Date:           Thu Jun 11 12:13:39 UTC 2026

Modified Files:
        pkgsrc/lang/py314-html-docs: Makefile distinfo
        pkgsrc/lang/python314: Makefile PLIST dist.mk distinfo

Log Message:
python314 py314-html-docs: updated to 3.14.6

Python 3.14.6

Security
gh-151159: Update Android and iOS installers to use OpenSSL 3.5.7.
gh-150599: Fix a possible stack buffer overflow in bz2 when a bz2.BZ2Decompressor is reused after a decompression error. The decompressor now becomes unusable after libbz2 reports an error.
gh-149835: shutil.move() now resolves symlinks via os.path.realpath() when checking whether the destination is inside the source directory, preventing a symlink-based bypass of that guard.
gh-149698: Update bundled libexpat to version 2.8.1 for the fix for CVE 2026-45186.
gh-87451: The ftplib module’s undocumented ftpcp function no longer trusts the IPv4 address value returned from the source server in response to the PASV command by default, completing the fix for 
CVE-2021-4189. As with ftplib.FTP, the former behavior can be re-enabled by setting the trust_server_pasv_ipv4_address attribute on the source ftplib.FTP instance to True. Thanks to Qi Deng at 
Aurascape AI for the report.
gh-149486: tarfile.data_filter() now validates link targets using the same normalised value that is written to disk, strips trailing separators from the member name when resolving a symlink’s 
directory, and rejects link members that would replace the destination directory itself. This closes several path-traversal bypasses of the data extraction filter.
gh-149079: Fix a potential denial of service in unicodedata.normalize(). The canonical ordering step of Unicode normalization used a quadratic-time insertion sort for reordering combining characters, 
which could be exploited with crafted input containing many combining characters in non-canonical order. Replaced with a linear-time counting sort for long runs.
gh-149018: Improved protection against XML hash-flooding attacks in xml.parsers.expat and xml.etree.ElementTree when Python is compiled with libExpat 2.8.0 or later.
Core and Builtins
gh-151112: Fix a crash in the compiler that could occur when running out of memory.

gh-151126: Fix a crash, when there’s no memory left on a device, which happened in:

code compilation - _winapi.CreateProcess()
Now these places raise proper MemoryError errors.

gh-150700: Fix a SystemError when compiling a class-scope comprehension containing a lambda that references __class__, __classdict__, or __conditional_annotations__. Patch by Bartosz Sławecki.

gh-150633: Fix the frozen importer accepting module names with embedded null bytes, which caused it to bypass the sys.modules cache and create duplicate module objects.

gh-148613: Fix a data race in the free-threaded build between gc.set_threshold() and garbage collection scheduling during object allocation.

gh-149156: Fix an intermittent crash after os.fork() when perf trampoline profiling is enabled and the child returns through trampoline frames inherited from the parent process.

gh-149449: Fix a use-after-free crash when the unicodedata module was removed from sys.modules and garbage-collected between calls that decode \N{...} escapes or use the namereplace codec error 
handler.

gh-150207: Fix a crash when a memory allocation fails during tokenizer initialization. A proper MemoryError is now raised instead.

gh-150107: asyncio: sendfile() and sock_sendfile() event loop methods now call file.seek(offset) if file has a seek() method, even if offset is 0 (default value).

gh-150146: Fix a crash on a complex type variable substitution.

from typing import TypeVar; memoryview[TypeVar("")][*typing.Mapping[..., ...]] used to fail due to missing NULL check on _unpack_args C function call.

gh-149590: Fix crash when faulthandler is imported more than once.

gh-149816: Fix a race condition in _PyBytes_FromList in free-threading mode.

gh-149816: Fix a race condition in memoryview with free-threading.

gh-149805: Fix a SystemError when compiling a compiling __classdict__ class annotation.

gh-149738: sqlite3: Disallow removing row_factory and text_factory attributes of a connection to prevent a crash on a query.

gh-139808: Add branch protections for AArch64 (BTI/PAC) in assembly code used by -X perf_jit (Linux perf profiler integration).

gh-148450: Fix abc.register() so it invalidates type version tags for registered classes.
Library
gh-151039: Fix a crash when static datetime types outlive the _datetime module.
gh-150913: Fix sqlite3.Blob slice assignment to raise TypeError and IndexError for type and size mismatches respectively, even when the target slice is empty.
gh-143008: Fix race conditions when re-initializing a io.TextIOWrapper object.
gh-150750: Fix a race condition in collections.deque.index() with free-threading.
gh-150685: Update bundled pip to 26.1.2
gh-150406: Fix a possible crash occurring during socket module initialization when the system is out of memory on platforms without a reentrant gethostbyname.
gh-150372: readline: Fix a potential crash during tab completion caused by an out-of-memory error during module initialization.
gh-150157: Fix a crash in free-threaded builds that occurs when pickling by name objects without a __module__ attribute while sys.modules is concurrently being modified.
gh-150175: Fix race condition in unittest.mock.ThreadingMock where concurrent calls could lose increments to call_count and other attributes due to a missing lock in _increment_mock_call.
gh-84353: Preserve non-UTF-8 encoded filenames when appending to a zipfile.ZipFile. Previously, non-ASCII names stored in a legacy encoding (without the UTF-8 flag bit set) could be corrupted when 
the central directory was rewritten: they were decoded as cp437 and then re-stored as UTF-8.
gh-149816: Fix race condition in ssl.SSLContext.sni_callback
gh-149995: Update various docstrings in typing.
gh-88726: The email package now uses standard MIME charset names “gb2312” and “big5” instead of non-standard names “eucgb2312_cn” and “big5_tw”.
gh-149571: Fix the C implementation of xml.etree.ElementTree.Element.itertext(): it no longer emits text for comments and processing instructions.
gh-149921: Fix reference leaks in error paths of the _interpchannels and _interpqueues extension modules.
gh-149816: Fix a race condition in _random.Random.__init__ method in free-threading mode.
gh-149801: Add IANA registered names and aliases with leading zeros before number (like IBM00858, CP00858, IBM01140, CP01140) for corresponding codecs.
gh-149701: Fix bad return code from Lib/venv/bin/activate if hashing is disabled
gh-112821: In the REPL, autocompletion might run arbitrary code in the getter of a descriptor. If that getter raised an exception, autocompletion would fail to present any options for the entire 
object. Autocompletion now works as expected for these objects.
gh-149489: Fix ElementTree serialization to HTML. The content of elements “xmp”, “iframe”, “noembed”, “noframes”, and “plaintext” is no longer escaped. The “plaintext” element no longer have the 
closing tag.
gh-149231: In tomllib, the number of parts in TOML keys is now limited.
gh-149046: io: Fix io.StringIO serialization: no longer call str(obj) on str subclasses. Patch by Thomas Kowalski.
gh-148954: Fix XML injection vulnerability in xmlrpc.client.dumps() where the methodname was not being escaped before interpolation into the XML body.
gh-148441: xml.parsers.expat: prevent a crash in CharacterDataHandler() when the character data size exceeds the parser’s buffer size.
gh-146452: Fix segfault in pickle when pickling a dictionary concurrently mutated by another thread in the free-threaded build.
gh-142831: Fix a crash in the json module where a use-after-free could occur if the object being encoded is modified during serialization.
gh-90949: Add SetBillionLaughsAttackProtectionActivationThreshold() and SetBillionLaughsAttackProtectionMaximumAmplification() to xmlparser objects to tune protections against billion laughs attacks. 
Patch by Bénédikt Tran.
gh-134261: zip: On reproducible builds, ZipFile uses UTC instead of the local time when writing file datetimes to avoid underflows.
gh-128110: Fix bug in the parsing of email address headers that could result in extraneous spaces in the decoded text when using a modern email policy. Space between pairs of adjacent RFC 2047 
encoded-words is now ignored, per section 6.2 (and consistent with existing parsing of unstructured headers like Subject).
gh-107398: Fix tarfile stream mode exception when process the file with the gzip extra field.
gh-123853: Update the table of Windows language code identifiers (LCIDs) used by locale.getdefaultlocale() on Windows to protocol version 16.0 (2024-04-23).
gh-91099: imaplib.IMAP4.login() now raises exceptions with str instead of bytes. Patch by Florian Best.
Documentation
gh-150319: Generic builtin and standard library types now document the meaning of their type parameters.
gh-109503: Fix documentation for shutil.move() on usage of os.rename() since nonatomic move might be used even if the files are on the same filesystem. Patch by Fang Li
Tests
gh-151130: Add more tests for PyWeakref_* C API.
gh-149776: Fix test_socket on Linux kernel 7.1 and newer: skip UDP Lite tests if it’s not supported. Patch by Victor Stinner.
Build
gh-148294: Corrected the use of AC_PATH_TOOL in configure.ac to allow a C++ compiler to be found on PATH.
Windows
gh-151159: Updated bundled version of OpenSSL to 3.5.7.
macOS
gh-151159: Update macOS installer to use OpenSSL 3.5.7.
gh-150644: When system logging is enabled (with config.use_system_logger, messages are now tagged as public. This allows the macOS 26 system logger to view messages without special configuration.
gh-115119: Update macOS installer to use libmpdecimal 4.0.1.
IDLE
bpo-6699: Warn the user if a file will be overwritten when saving.
C API
gh-150907: Fix dynamic_annotations.h header file when built with C++ and Valgrind: add extern "C++" scope for the C++ template. Patch by Victor Stinner.
gh-145235: Made PyDict_AddWatcher(), PyDict_ClearWatcher(), PyDict_Watch(), and PyDict_Unwatch() thread-safe on the free threaded build.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 pkgsrc/lang/py314-html-docs/Makefile \
    pkgsrc/lang/py314-html-docs/distinfo
cvs rdiff -u -r1.14 -r1.15 pkgsrc/lang/python314/Makefile
cvs rdiff -u -r1.5 -r1.6 pkgsrc/lang/python314/PLIST
cvs rdiff -u -r1.6 -r1.7 pkgsrc/lang/python314/dist.mk
cvs rdiff -u -r1.10 -r1.11 pkgsrc/lang/python314/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/py314-html-docs/Makefile
diff -u pkgsrc/lang/py314-html-docs/Makefile:1.6 pkgsrc/lang/py314-html-docs/Makefile:1.7
--- pkgsrc/lang/py314-html-docs/Makefile:1.6    Mon May 11 11:53:45 2026
+++ pkgsrc/lang/py314-html-docs/Makefile        Thu Jun 11 12:13:39 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.6 2026/05/11 11:53:45 adam Exp $
+# $NetBSD: Makefile,v 1.7 2026/06/11 12:13:39 adam Exp $
 
-VERS=          3.14.5
+VERS=          3.14.6
 DISTNAME=      python-${VERS}-docs-html
 PKGNAME=       py314-html-docs-${VERS}
 CATEGORIES=    lang python
Index: pkgsrc/lang/py314-html-docs/distinfo
diff -u pkgsrc/lang/py314-html-docs/distinfo:1.6 pkgsrc/lang/py314-html-docs/distinfo:1.7
--- pkgsrc/lang/py314-html-docs/distinfo:1.6    Mon May 11 11:53:45 2026
+++ pkgsrc/lang/py314-html-docs/distinfo        Thu Jun 11 12:13:39 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.6 2026/05/11 11:53:45 adam Exp $
+$NetBSD: distinfo,v 1.7 2026/06/11 12:13:39 adam Exp $
 
-BLAKE2s (python-3.14.5-docs-html.tar.bz2) = 398bd9e30f8cc1c1ce3aae7300584fd81b5588957f1aa948cf907a61f83b93dc
-SHA512 (python-3.14.5-docs-html.tar.bz2) = 3c0a916e5de9f66e237d05e18d2a5fc9fe1e4b98b79d84e93ba7b95640bb2422f23e6dc1ac22b1cb6df0862fa63492c6716f14a0999f7e32a844a716a872775e
-Size (python-3.14.5-docs-html.tar.bz2) = 10975135 bytes
+BLAKE2s (python-3.14.6-docs-html.tar.bz2) = 2daf46d31248eac1cdac908970583c82a10d201006e22e0b7623442ba6dd7708
+SHA512 (python-3.14.6-docs-html.tar.bz2) = 6056edd3aa02f013163b6a12a1981de32a7ce784c215b4315b27bb2e9abe1a3276e76d21763020ffacc7c19dd99ee7863af637294da49afd0b7acdc9f5f438b7
+Size (python-3.14.6-docs-html.tar.bz2) = 11003726 bytes

Index: pkgsrc/lang/python314/Makefile
diff -u pkgsrc/lang/python314/Makefile:1.14 pkgsrc/lang/python314/Makefile:1.15
--- pkgsrc/lang/python314/Makefile:1.14 Mon May 18 21:23:27 2026
+++ pkgsrc/lang/python314/Makefile      Thu Jun 11 12:13:39 2026
@@ -1,9 +1,8 @@
-# $NetBSD: Makefile,v 1.14 2026/05/18 21:23:27 wiz Exp $
+# $NetBSD: Makefile,v 1.15 2026/06/11 12:13:39 adam Exp $
 
 .include "dist.mk"
 
 PKGNAME=       python314-${PY_DISTVERSION}
-PKGREVISION=   1
 CATEGORIES=    lang python
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost

Index: pkgsrc/lang/python314/PLIST
diff -u pkgsrc/lang/python314/PLIST:1.5 pkgsrc/lang/python314/PLIST:1.6
--- pkgsrc/lang/python314/PLIST:1.5     Mon May 11 11:53:45 2026
+++ pkgsrc/lang/python314/PLIST Thu Jun 11 12:13:39 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.5 2026/05/11 11:53:45 adam Exp $
+@comment $NetBSD: PLIST,v 1.6 2026/06/11 12:13:39 adam Exp $
 bin/idle${PY_VER_SUFFIX}
 bin/pydoc${PY_VER_SUFFIX}
 bin/python${PY_VER_SUFFIX}
@@ -1237,7 +1237,7 @@ lib/python${PY_VER_SUFFIX}/ensurepip/__i
 lib/python${PY_VER_SUFFIX}/ensurepip/__main__.py
 lib/python${PY_VER_SUFFIX}/ensurepip/__main__.pyc
 lib/python${PY_VER_SUFFIX}/ensurepip/__main__.pyo
-lib/python${PY_VER_SUFFIX}/ensurepip/_bundled/pip-26.1.1-py3-none-any.whl
+lib/python${PY_VER_SUFFIX}/ensurepip/_bundled/pip-26.1.2-py3-none-any.whl
 lib/python${PY_VER_SUFFIX}/ensurepip/_uninstall.py
 lib/python${PY_VER_SUFFIX}/ensurepip/_uninstall.pyc
 lib/python${PY_VER_SUFFIX}/ensurepip/_uninstall.pyo
@@ -3208,6 +3208,9 @@ lib/python${PY_VER_SUFFIX}/test/test_cap
 lib/python${PY_VER_SUFFIX}/test/test_capi/test_watchers.py
 lib/python${PY_VER_SUFFIX}/test/test_capi/test_watchers.pyc
 lib/python${PY_VER_SUFFIX}/test/test_capi/test_watchers.pyo
+lib/python${PY_VER_SUFFIX}/test/test_capi/test_weakref.py
+lib/python${PY_VER_SUFFIX}/test/test_capi/test_weakref.pyc
+lib/python${PY_VER_SUFFIX}/test/test_capi/test_weakref.pyo
 lib/python${PY_VER_SUFFIX}/test/test_cext/__init__.py
 lib/python${PY_VER_SUFFIX}/test/test_cext/__init__.pyc
 lib/python${PY_VER_SUFFIX}/test/test_cext/__init__.pyo
@@ -3931,6 +3934,9 @@ lib/python${PY_VER_SUFFIX}/test/test_fre
 lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_dict.py
 lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_dict.pyc
 lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_dict.pyo
+lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_dict_watcher.py
+lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_dict_watcher.pyc
+lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_dict_watcher.pyo
 lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_enumerate.py
 lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_enumerate.pyc
 lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_enumerate.pyo
@@ -3973,6 +3979,9 @@ lib/python${PY_VER_SUFFIX}/test/test_fre
 lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_monitoring.py
 lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_monitoring.pyc
 lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_monitoring.pyo
+lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_pickle.py
+lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_pickle.pyc
+lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_pickle.pyo
 lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_races.py
 lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_races.pyc
 lib/python${PY_VER_SUFFIX}/test/test_free_threading/test_races.pyo

Index: pkgsrc/lang/python314/dist.mk
diff -u pkgsrc/lang/python314/dist.mk:1.6 pkgsrc/lang/python314/dist.mk:1.7
--- pkgsrc/lang/python314/dist.mk:1.6   Mon May 11 11:53:45 2026
+++ pkgsrc/lang/python314/dist.mk       Thu Jun 11 12:13:39 2026
@@ -1,6 +1,6 @@
-# $NetBSD: dist.mk,v 1.6 2026/05/11 11:53:45 adam Exp $
+# $NetBSD: dist.mk,v 1.7 2026/06/11 12:13:39 adam Exp $
 
-PY_DISTVERSION=        3.14.5
+PY_DISTVERSION=        3.14.6
 DISTNAME=      Python-${PY_DISTVERSION}
 EXTRACT_SUFX=  .tar.xz
 DISTINFO_FILE= ${.CURDIR}/../../lang/python314/distinfo

Index: pkgsrc/lang/python314/distinfo
diff -u pkgsrc/lang/python314/distinfo:1.10 pkgsrc/lang/python314/distinfo:1.11
--- pkgsrc/lang/python314/distinfo:1.10 Mon May 18 21:23:27 2026
+++ pkgsrc/lang/python314/distinfo      Thu Jun 11 12:13:39 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.10 2026/05/18 21:23:27 wiz Exp $
+$NetBSD: distinfo,v 1.11 2026/06/11 12:13:39 adam Exp $
 
-BLAKE2s (Python-3.14.5.tar.xz) = daa101f9c2a21050c6dcf9cb4a61d147d92e7ab9fb698d79d2b4d7e70311bca8
-SHA512 (Python-3.14.5.tar.xz) = efbaf629703cd004f6b7bc75fb16df794185589adaf8807cd45928f212271045a399df3cd9573e47c8708fb5c5002f9d4efe4e41dde4313b81a3e9d73158769f
-Size (Python-3.14.5.tar.xz) = 23903332 bytes
+BLAKE2s (Python-3.14.6.tar.xz) = 3936529a9e193e953fd80932b7fa05182f134677f3a4fe98f098b804556c3d4d
+SHA512 (Python-3.14.6.tar.xz) = 90a82f46c28f0fca613b67358fdc57c145ab05d20fb56bf3bc0c9e4e54947c7d30fbaa6856c41a41909237a9e601d1a7d19579d4b25c7a784ebcfe9012defc41
+Size (Python-3.14.6.tar.xz) = 23921184 bytes
 SHA1 (patch-Include_pymacro.h) = 7611315fefc305a48b4965f2f2b9bee53ae3d987
 SHA1 (patch-Lib___pyrepl_terminfo.py) = 905a1b281afa0a97302db22b55a9d6b7880c73ad
 SHA1 (patch-Lib_ctypes_util.py) = 671f4fcccb738ec96c4ba8ad62b66ea016172651

Prev by Date: CVS commit: pkgsrc/lang
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/lang
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index