pkgsrc-Changes archive


CVS commit: pkgsrc/textproc/typst



Module Name:    pkgsrc
Committed By:   pin
Date:           Sat Dec 13 19:55:16 UTC 2025

Modified Files:
        pkgsrc/textproc/typst: Makefile cargo-depends.mk distinfo
        pkgsrc/textproc/typst/patches: patch-Cargo.toml

Log Message:
textproc/typst: update to 0.14.2

Version 0.14.2 (December 12, 2025)

Security

    Updated the WebAssembly runtime used for executing plugins. The version used in Typst 0.14.0 and 0.14.1 suffers from a memory handling vulnerability. Based on our investigation, the vulnerability would be very hard to exploit in practice, but an exploit could theoretically be feasible. In any case, we recommend upgrading to Typst 0.14.2. This holds in particular for local users. In the web app, the bug is not critical as the browser offers an extra layer of protection.

    Typst 0.13.1 and below are not affected by this vulnerability.

    Technical details: The wasmi WebAssembly runtime versions used in 0.14.0 and 0.14.1 have a use-after-free memory handling bug in certain memory growth situations. Specifically, the bug occurs when the plugin tries to grow its memory, but allocating the requested amount of memory fails. Based on our investigation, the bug is hard to trigger in practice as the WebAssembly linear memory is always limited to 4GB on a technical level and modern operating systems rarely fail to serve a 4GB memory allocation request (typically not even under RAM pressure). Once the bug is triggered, it would also still be very challenging to turn it into an actual exploit. Regardless, we recommend upgrading to Typst 0.14.2 for protection against a potential exploit.

Diagnostics

    Added a hint when array.sorted fails because a pair of elements could not be compared. This hint aids with fixing bugs in user code that were surfaced by a change in internal sorting behavior in Typst 0.14.1.


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 pkgsrc/textproc/typst/Makefile \
    pkgsrc/textproc/typst/cargo-depends.mk
cvs rdiff -u -r1.19 -r1.20 pkgsrc/textproc/typst/distinfo
cvs rdiff -u -r1.12 -r1.13 pkgsrc/textproc/typst/patches/patch-Cargo.toml

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/textproc/typst/Makefile
diff -u pkgsrc/textproc/typst/Makefile:1.18 pkgsrc/textproc/typst/Makefile:1.19
--- pkgsrc/textproc/typst/Makefile:1.18 Wed Dec  3 18:23:52 2025
+++ pkgsrc/textproc/typst/Makefile      Sat Dec 13 19:55:16 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.18 2025/12/03 18:23:52 pin Exp $
+# $NetBSD: Makefile,v 1.19 2025/12/13 19:55:16 pin Exp $
 
-DISTNAME=      typst-0.14.1
+DISTNAME=      typst-0.14.2
 CATEGORIES=    textproc
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=typst/}
 GITHUB_PROJECT=        typst
@@ -16,7 +16,7 @@ LICENSE=      apache-2.0
 RUST_REQ=      1.89.0
 
 # Depends on an unpublished crate. Can't use cargo.mk to fetch it.
-TYPST-DEV-ASSETS_REV=  03addcfb64f3f95209464a521e6aa49645bd271a
+TYPST-DEV-ASSETS_REV=  fe6cad916d8b20c20742512b2a3f3b247a2bc4f8
 DISTFILES=             ${DEFAULT_DISTFILES}
 DISTFILES+=            typst-dev-assets-${TYPST-DEV-ASSETS_REV}.tar.gz
 SITES.typst-dev-assets-${TYPST-DEV-ASSETS_REV}.tar.gz+=        -${MASTER_SITE_GITHUB:=typst/}typst-dev-assets/archive/${TYPST-DEV-ASSETS_REV}.tar.gz
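Review bot: TYPST-DEV-ASSETS_REV on the changed line is a bare commit hash with nothing recording which upstream release it belongs to. The comment above it only says the crate is unpublished; add a line stating that the revision should correspond to the upstream tag v0.14.2 (the tag named in the line that patches/patch-Cargo.toml removes), so the next updater can verify the pin against the tag instead of trusting the hash as given.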
Index: pkgsrc/textproc/typst/cargo-depends.mk
diff -u pkgsrc/textproc/typst/cargo-depends.mk:1.18 pkgsrc/textproc/typst/cargo-depends.mk:1.19
--- pkgsrc/textproc/typst/cargo-depends.mk:1.18 Wed Dec  3 18:23:52 2025
+++ pkgsrc/textproc/typst/cargo-depends.mk      Sat Dec 13 19:55:16 2025
@@ -1,4 +1,4 @@
-# $NetBSD: cargo-depends.mk,v 1.18 2025/12/03 18:23:52 pin Exp $
+# $NetBSD: cargo-depends.mk,v 1.19 2025/12/13 19:55:16 pin Exp $
 
 CARGO_CRATE_DEPENDS+=  adler2-2.0.0
 CARGO_CRATE_DEPENDS+=  aho-corasick-1.1.3
@@ -311,8 +311,8 @@ CARGO_CRATE_DEPENDS+=       toml_edit-0.22.23
 CARGO_CRATE_DEPENDS+=  ttf-parser-0.25.1
 CARGO_CRATE_DEPENDS+=  two-face-0.4.3
 CARGO_CRATE_DEPENDS+=  typed-arena-2.0.2
-CARGO_CRATE_DEPENDS+=  typst-assets-0.14.1
-#CARGO_CRATE_DEPENDS+= typst-dev-assets-0.14.1
+CARGO_CRATE_DEPENDS+=  typst-assets-0.14.2
+#CARGO_CRATE_DEPENDS+= typst-dev-assets-0.14.2
 CARGO_CRATE_DEPENDS+=  unic-langid-0.9.6
 CARGO_CRATE_DEPENDS+=  unic-langid-impl-0.9.6
 CARGO_CRATE_DEPENDS+=  unic-langid-macros-0.9.6
@@ -347,10 +347,10 @@ CARGO_CRATE_DEPENDS+=     wasm-bindgen-backe
 CARGO_CRATE_DEPENDS+=  wasm-bindgen-macro-0.2.100
 CARGO_CRATE_DEPENDS+=  wasm-bindgen-macro-support-0.2.100
 CARGO_CRATE_DEPENDS+=  wasm-bindgen-shared-0.2.100
-CARGO_CRATE_DEPENDS+=  wasmi-0.51.2
-CARGO_CRATE_DEPENDS+=  wasmi_collections-0.51.2
-CARGO_CRATE_DEPENDS+=  wasmi_core-0.51.2
-CARGO_CRATE_DEPENDS+=  wasmi_ir-0.51.2
+CARGO_CRATE_DEPENDS+=  wasmi-0.51.5
+CARGO_CRATE_DEPENDS+=  wasmi_collections-0.51.5
+CARGO_CRATE_DEPENDS+=  wasmi_core-0.51.5
+CARGO_CRATE_DEPENDS+=  wasmi_ir-0.51.5
 CARGO_CRATE_DEPENDS+=  wasmparser-0.228.0
 CARGO_CRATE_DEPENDS+=  web-sys-0.3.77
 CARGO_CRATE_DEPENDS+=  weezl-0.1.8
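Review bot: the four wasmi lines in this hunk (wasmi, wasmi_collections, wasmi_core and wasmi_ir going from 0.51.2 to 0.51.5) carry the security fix that the log message describes, yet the log never names either wasmi version. State "wasmi 0.51.2 -> 0.51.5" in the commit message so the fix can later be matched against this file, and since the log describes 0.14.0 and 0.14.1 as vulnerable, consider whether the update also needs to go to the stable branch.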

Index: pkgsrc/textproc/typst/distinfo
diff -u pkgsrc/textproc/typst/distinfo:1.19 pkgsrc/textproc/typst/distinfo:1.20
--- pkgsrc/textproc/typst/distinfo:1.19 Wed Dec  3 18:23:52 2025
+++ pkgsrc/textproc/typst/distinfo      Sat Dec 13 19:55:16 2025
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.19 2025/12/03 18:23:52 pin Exp $
+$NetBSD: distinfo,v 1.20 2025/12/13 19:55:16 pin Exp $
 
 BLAKE2s (adler2-2.0.0.crate) = d269f2089344d4a3f4d0908af3257cf2a65755be0349ff42e3854509afd388f3
 SHA512 (adler2-2.0.0.crate) = 12d12579ad617cf1a94cf95ab9d3f5db566c3b2de4bd5735eccd83c668fdad0eff134c996b73c46cbb9f932837682043878b8cc4764191625e9f93ccffcce423
@@ -933,15 +933,15 @@ Size (two-face-0.4.3.crate) = 3390549 by
 BLAKE2s (typed-arena-2.0.2.crate) = 4219b0a8ad00372cbc511bdc54650120d405bedd1ecc63a5e2774944e01412ca
 SHA512 (typed-arena-2.0.2.crate) = 33f43488ff63ab763e4330d124e3290ece41e50ab78b6f12dae3a2be4d7f5bdf6ec876ab3b1f8cd81874e335fc41f3a2254994f250d3d6aba682fce557a6a399
 Size (typed-arena-2.0.2.crate) = 11848 bytes
-BLAKE2s (typst-0.14.1.tar.gz) = 46616edbcc1c78d67f9b03984102b714d3b77729366ce6f86d354187f2ea47cb
-SHA512 (typst-0.14.1.tar.gz) = d02dda0e65070dd63a5f3d11c3c61384d551c66a4e74631e6b0214a225fb11c3ad423071d26e9f76d5aede23500ca01a12b89bbf905fde5ebfcd19d433d977c8
-Size (typst-0.14.1.tar.gz) = 4122919 bytes
-BLAKE2s (typst-assets-0.14.1.crate) = e87ddc5071a6fd35a5081ecaeeca281ea19753fc36b37b658b1ce93c07c279c1
-SHA512 (typst-assets-0.14.1.crate) = c1b8c9abdc2ac06095a608072d3399ddb8a1c8f631b26faff84235183b74c536136f951ddba5b16ea929901d6b94dcc8b05223402ca2bf4d0ee33de6d7929fc7
-Size (typst-assets-0.14.1.crate) = 6376952 bytes
-BLAKE2s (typst-dev-assets-03addcfb64f3f95209464a521e6aa49645bd271a.tar.gz) = dca2140bedacdefa3f654106fc7134b40403d6c532a7da7a64d8903e73efea29
-SHA512 (typst-dev-assets-03addcfb64f3f95209464a521e6aa49645bd271a.tar.gz) = 
b82c19125d3f56fc91f67baf759417e105ef05ffa8d40865fc30eb5d619f5e89b14d147843a21524ebf792e2a288e7d1a7227acd14831b3ba51b4c2ac25ead4c
-Size (typst-dev-assets-03addcfb64f3f95209464a521e6aa49645bd271a.tar.gz) = 29512339 bytes
+BLAKE2s (typst-0.14.2.tar.gz) = 8b4cfbb8f5b12f62de4df5ee227cacd069e9cacaeac74d6014507b44267fb835
+SHA512 (typst-0.14.2.tar.gz) = 008d02323c4dc5164f60543d2631d377c66cf55bf699497c82552b511edecd2060b741f328cb4ede4861e23dab4756e94f94a685354e1d1c77a3a0cd0bd20bd7
+Size (typst-0.14.2.tar.gz) = 4124613 bytes
+BLAKE2s (typst-assets-0.14.2.crate) = a97b30db267f37943f7ba2ede659f38804c14c2cc5d5f3bbc2629af90ae2093d
+SHA512 (typst-assets-0.14.2.crate) = cda4f6b8d2ab43af6a7b69b63a79c71829c48845fe0e61b06979f8bcd702350c5788b00e7eb4a33e4034e963fbdcbba1f65dc3b3f7710efe5f6fe492b61c6d31
+Size (typst-assets-0.14.2.crate) = 6376954 bytes
+BLAKE2s (typst-dev-assets-fe6cad916d8b20c20742512b2a3f3b247a2bc4f8.tar.gz) = b1526ac9dc83adebfb1433a561467c699dfa51f2dadb57009bd0ebdd51588a57
+SHA512 (typst-dev-assets-fe6cad916d8b20c20742512b2a3f3b247a2bc4f8.tar.gz) = 
aa0c8c6a674e369134676b4cf2a099d4d90bb317753dcabb7bba63e073dadaf2b3c61b0fed4830700dd28271b35b65fda20764deb6317928ff646a9916405b7e
+Size (typst-dev-assets-fe6cad916d8b20c20742512b2a3f3b247a2bc4f8.tar.gz) = 29511962 bytes
 BLAKE2s (unic-langid-0.9.6.crate) = c816e3de04df924231cca6c81097a4f7ed6023e6263228e97db4095ecb12b6ff
 SHA512 (unic-langid-0.9.6.crate) = dab095e4db5a227f5f578b9e5ca2a028766aa5ddbbbc7654155c682e7a31fa302a6575e44bab17ebbf5e9fc3fbd87a2e5fa3410674c7a8448b98b62cef6e321e
 Size (unic-langid-0.9.6.crate) = 9031 bytes
@@ -1044,18 +1044,18 @@ Size (wasm-bindgen-macro-support-0.2.100
 BLAKE2s (wasm-bindgen-shared-0.2.100.crate) = a14afb24be38fd15e999c040cf1d13de2525ac6c138d15f182a48da67be34a6d
 SHA512 (wasm-bindgen-shared-0.2.100.crate) = 3fca8ddd1c6b2f66f70f6608c9b341822603f1c0dd71d47d27c6be8fe3f2c88598619946627720734b48cf999cafd0c63a08af5db28ea78a1538d2165a5fba61
 Size (wasm-bindgen-shared-0.2.100.crate) = 8570 bytes
-BLAKE2s (wasmi-0.51.2.crate) = 5994daf3dd46593b31277a248fe1e69f57f36d255ea24b4ce8753fd66ccc2057
-SHA512 (wasmi-0.51.2.crate) = fededb8886d3fe55b6add8c976884d1eb3a6701451821d86d9d2cd2de261ad47636e12b6d09631d9e5c225403727e5b53c91e32653956c5f09bfcaa4591bc47e
-Size (wasmi-0.51.2.crate) = 244288 bytes
-BLAKE2s (wasmi_collections-0.51.2.crate) = 2c33d679569276cf0be59a6274a266d1d5b8e69f8cf25c7940785a3d59ec4439
-SHA512 (wasmi_collections-0.51.2.crate) = 5bc548b7d3815539df1516952dab9a9e1fcc60b492c1f2be1e94c865abffc54c40a34b88cac7f2b13cb52ebbf7fcf6c41f9354cf7fb77d931d89c0b163d890f8
-Size (wasmi_collections-0.51.2.crate) = 19338 bytes
-BLAKE2s (wasmi_core-0.51.2.crate) = 08d409db962eafb78c3507399f19e2e70d6d54057bfbee0e8379d3e7b54ed843
-SHA512 (wasmi_core-0.51.2.crate) = a5999f3b0bce8f96bb01e03f07d992c2b73b31f2c8d1c909c367bb6a2c3c14288c16bd81585131a47c9ff9455880eaa3a274177940727e9e46e3faae6a8e739a
-Size (wasmi_core-0.51.2.crate) = 50291 bytes
-BLAKE2s (wasmi_ir-0.51.2.crate) = 976df2f0fa3d832fa3be1e84786d4179d60c32e39a863ee3ef280df86ec1ab32
-SHA512 (wasmi_ir-0.51.2.crate) = e0821971913cb3ba42229dc7ddcd443cd375d175962077c49d7f609c59e98e9dd97a2ed8b2c2e0d310d33d43cf1c66f0f233d6d095bbcba4b703daa8295f4d3f
-Size (wasmi_ir-0.51.2.crate) = 34476 bytes
+BLAKE2s (wasmi-0.51.5.crate) = ba0db06ce19bb94fd9c95ac0a46c9f33d0af2fd812b27da22c9e9a224c3a97e3
+SHA512 (wasmi-0.51.5.crate) = b76583b10ea1cca3ab4ee49dadce4557ab8f54fb31cd5e92d1591efee5cc59b9a9bd05f49027028233214f1b432c7c9cef1e633658dfb878abc577c77aead4d1
+Size (wasmi-0.51.5.crate) = 244287 bytes
+BLAKE2s (wasmi_collections-0.51.5.crate) = 275692a8df9106ab362fbc50d091a001e1bc342099188075cbabbfa7bc3054ac
+SHA512 (wasmi_collections-0.51.5.crate) = 4c93454edb7babe7876dd237acdccae05a0735f5d63e386df313c58431518c8c67ae0a0e1ac91cdc49d063a298a0dbe0553d104b3e6e229f151f2e56cbe3a4d9
+Size (wasmi_collections-0.51.5.crate) = 19341 bytes
+BLAKE2s (wasmi_core-0.51.5.crate) = 4890afc07c5c6aca2a478c7cbabf144b7b4033e120fbbad76b09de63778b4a33
+SHA512 (wasmi_core-0.51.5.crate) = 020c48d034c727ba3f5f30c7513678fbf644b83986c21c4aa7c54ee2327507b183c6e87c796baaff97e2be1f2d731b118ce220098da70a7fc7597b1c55ae3b50
+Size (wasmi_core-0.51.5.crate) = 50471 bytes
+BLAKE2s (wasmi_ir-0.51.5.crate) = 732fd7fb45e2152c5911c5a596c25588c921f32ba63420141f2454adc2f00a4f
+SHA512 (wasmi_ir-0.51.5.crate) = 847bfadba557a736d1b9b39eaeeb130c4ad605b4b4788b13de5eb75b70b786b1c72af2238c097d64be976a73ab3b875a5b9bc1ffe44c82f25ac433d270774199
+Size (wasmi_ir-0.51.5.crate) = 34479 bytes
 BLAKE2s (wasmparser-0.228.0.crate) = cd5ba120854ee09977ac6876f31398f8a46f5ffe75d0396a26705f5c5d05aa07
 SHA512 (wasmparser-0.228.0.crate) = f760e387658c57fc2a1c7b03b1ed8ce3d03019ccb4f21f969ad6aeeb44493e4ec29c8101b7dada90dcadf0a42bdcfad16c921f8522c771c22bc447215618ad74
 Size (wasmparser-0.228.0.crate) = 249009 bytes
@@ -1200,4 +1200,4 @@ Size (zune-jpeg-0.4.14.crate) = 63388 by
 BLAKE2s (zune-jpeg-0.5.5.crate) = d8b7392e63ffc21d3e190bee3d0065f41feacfd55427547e619d99cdf508ce26
 SHA512 (zune-jpeg-0.5.5.crate) = a9d5ca0ce1bfadbb2392b381d68fd1d68b19da037376736146041951da6d161ad6d7c3bce53906e79484582a236d38d33d27ceab67bbb8585f069cb5f3f802f1
 Size (zune-jpeg-0.5.5.crate) = 77168 bytes
-SHA1 (patch-Cargo.toml) = 5b7b9b35e1679f63836d78d3c66115e3c77feb64
+SHA1 (patch-Cargo.toml) = 5b6e8f9b4be67106c15d1e333e412cd21af7ea80

Index: pkgsrc/textproc/typst/patches/patch-Cargo.toml
diff -u pkgsrc/textproc/typst/patches/patch-Cargo.toml:1.12 pkgsrc/textproc/typst/patches/patch-Cargo.toml:1.13
--- pkgsrc/textproc/typst/patches/patch-Cargo.toml:1.12 Wed Dec  3 18:23:52 2025
+++ pkgsrc/textproc/typst/patches/patch-Cargo.toml      Sat Dec 13 19:55:16 2025
@@ -1,15 +1,15 @@
-$NetBSD: patch-Cargo.toml,v 1.12 2025/12/03 18:23:52 pin Exp $
+$NetBSD: patch-Cargo.toml,v 1.13 2025/12/13 19:55:16 pin Exp $
 
 Work around unpublished crate.
 
 --- Cargo.toml.orig    2025-12-03 17:36:28.602478465 +0000
 +++ Cargo.toml
 @@ -33,7 +33,7 @@ typst-syntax = { path = "crates/typst-sy
- typst-timing = { path = "crates/typst-timing", version = "0.14.1" }
- typst-utils = { path = "crates/typst-utils", version = "0.14.1" }
- typst-assets = "0.14.1"
--typst-dev-assets = { git = "https://github.com/typst/typst-dev-assets";, tag = "v0.14.1" }
-+typst-dev-assets = { path = "typst-dev-assets-03addcfb64f3f95209464a521e6aa49645bd271a" }
+ typst-timing = { path = "crates/typst-timing", version = "0.14.2" }
+ typst-utils = { path = "crates/typst-utils", version = "0.14.2" }
+ typst-assets = "0.14.2"
+-typst-dev-assets = { git = "https://github.com/typst/typst-dev-assets";, tag = "v0.14.2" }
++typst-dev-assets = { path = "typst-dev-assets-fe6cad916d8b20c20742512b2a3f3b247a2bc4f8" }
  arrayvec = "0.7.4"
  az = "1.2"
  base64 = "0.22"
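Review bot: the added path line in the embedded Cargo.toml patch hard-codes the typst-dev-assets commit hash, so the same hash now has to be kept in sync by hand in the Makefile, distinfo and this patch. Consider pointing the path at a fixed directory name and renaming the extracted tree to it in the Makefile, which removes one place where a stale hash can slip through. The quoted upstream line also shows a ";" between the URL and ", tag"; confirm that this is archive rendering and not present in the committed patch, because a line with that character would not be valid TOML.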


