CVS commit: pkgsrc/lang

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/lang
From: "Adam Ciarcinski" <adam%netbsd.org@localhost>
Date: Thu, 9 Apr 2026 07:15:07 +0000

Module Name:    pkgsrc
Committed By:   adam
Date:           Thu Apr  9 07:15:07 UTC 2026

Modified Files:
        pkgsrc/lang/py313-html-docs: Makefile distinfo
        pkgsrc/lang/python313: PLIST dist.mk distinfo

Log Message:
python313 py313-html-docs: updated to 3.13.13

Python 3.13.13

macOS

gh-144551: Update macOS installer to use OpenSSL 3.0.19.
gh-137586: Invoke osascript with absolute path in webbrowser and turtledemo.

Windows

gh-144551: Updated bundled version of OpenSSL to 3.0.19.
gh-140131: Fix REPL cursor position on Windows when module completion suggestion line hits console width.

Tests

gh-144418: The Android testbed’s emulator RAM has been increased from 2 GB to 4 GB.
gh-146202: Fix a race condition in regrtest: make sure that the temporary directory is created in the worker process. Previously, temp_cwd() could fail on Windows if the “build” directory was not 
created. Patch by Victor Stinner.
gh-144739: When Python was compiled with system expat older then 2.7.2 but tests run with newer expat, still skip test.test_pyexpat.MemoryProtectionTest.

Security

gh-145986: xml.parsers.expat: Fixed a crash caused by unbounded C recursion when converting deeply nested XML content models with ElementDeclHandler(). This addresses CVE 2026-4224.
gh-145599: Reject control characters in http.cookies.Morsel update() and js_output(). This addresses CVE 2026-3644.
gh-145506: Fixes CVE 2026-2297 by ensuring that SourcelessFileLoader uses io.open_code() when opening .pyc files.
gh-144370: Disallow usage of control characters in status in wsgiref.handlers to prevent HTTP header injections. Patch by Benedikt Johannes.
gh-143930: Reject leading dashes in URLs passed to webbrowser.open().

Library

gh-144503: Fix a regression introduced in 3.14.3 and 3.13.12 where the multiprocessing forkserver start method would fail with BrokenPipeError when the parent process had a very large sys.argv. The 
argv is now passed to the forkserver as separate command-line arguments rather than being embedded in the -c command string, avoiding the operating system’s per-argument length limit.
gh-146613: itertools: Fix a crash in itertools.groupby() when the grouper iterator is concurrently mutated.
gh-146080: ssl: fix a crash when an SNI callback tries to use an SSL object that has already been garbage-collected. Patch by Bénédikt Tran.
gh-146090: sqlite3: fix a crash when sqlite3.Connection.create_collation() fails with SQLITE_BUSY. Patch by Bénédikt Tran.
gh-146090: sqlite3: properly raise MemoryError instead of SystemError when a context callback fails to be allocated. Patch by Bénédikt Tran.
gh-145633: Fix struct.pack('f', float): use PyFloat_Pack4() to raise OverflowError. Patch by Sergey B Kirpichev and Victor Stinner.
gh-146310: The ensurepip module no longer looks for pip-*.whl wheel packages in the current directory.
gh-146083: Update bundled libexpat to version 2.7.5.
gh-146076: zoneinfo: fix crashes when deleting _weak_cache from a zoneinfo.ZoneInfo subclass.
gh-146054: Limit the size of encodings.search_function() cache. Found by OSS Fuzz in 493449985.
gh-145883: zoneinfo: Fix heap buffer overflow reads from malformed TZif data. Found by OSS Fuzz, issues 492245058 and 492230068.
gh-145750: Avoid undefined behaviour from signed integer overflow when parsing format strings in the struct module. Found by OSS Fuzz in 488466741.
gh-145492: Fix infinite recursion in collections.defaultdict __repr__ when a defaultdict contains itself. Based on analysis by KowalskiThomas in gh-145492.
gh-145623: Fix crash in struct when calling repr() or __sizeof__() on an uninitialized struct.Struct object created via Struct.__new__() without calling __init__().
gh-145616: Detect Android sysconfig ABI correctly on 32-bit ARM Android on 64-bit ARM kernel
gh-145376: Fix null pointer dereference in unusual error scenario in hashlib.
gh-145551: Fix InvalidStateError when cancelling process created by asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell(). Patch by Daan De Meyer.
gh-145417: venv: Prevent incorrect preservation of SELinux context when copying the Activate.ps1 script. The script inherited the SELinux security context of the system template directory, rather 
than the destination project directory.
gh-145301: hashlib: fix a crash when the initialization of the underlying C extension module fails.
gh-145264: Base64 decoder (see binascii.a2b_base64(), base64.b64decode(), etc) no longer ignores excess data after the first padded quad in non-strict (default) mode. Instead, in conformance with RFC 
4648, section 3.3, it now ignores the pad character, “=”, if it is present before the end of the encoded data.
gh-145158: Avoid undefined behaviour from signed integer overflow when parsing format strings in the struct module.
gh-144984: Fix crash in xml.parsers.expat.xmlparser.ExternalEntityParserCreate() when an allocation fails. The error paths could dereference NULL handlers and double-decrement the parent parser’s 
reference count.
gh-88091: Fix unicodedata.decomposition() for Hangul characters.
gh-144835: Added missing explanations for some parameters in glob.glob() and glob.iglob().
gh-144833: Fixed a use-after-free in ssl when SSL_new() returns NULL in newPySSLSocket(). The error was reported via a dangling pointer after the object had already been freed.
gh-144259: Fix inconsistent display of long multiline pasted content in the REPL.
gh-144156: Fix the folding of headers by the email library when RFC 2047 encoded words are used. Now whitespace is correctly preserved and also correctly added between adjacent encoded words. The 
latter property was broken by the fix for gh-92081, which mostly fixed previous failures to preserve whitespace.
gh-66305: Fixed a hang on Windows in the tempfile module when trying to create a temporary file or subdirectory in a non-writable directory.
gh-140814: multiprocessing.freeze_support() no longer sets the default start method as a side effect, which previously caused a subsequent multiprocessing.set_start_method() call to raise 
RuntimeError.
gh-144475: Calling repr() on functools.partial() is now safer when the partial object’s internal attributes are replaced while the string representation is being generated.
gh-144538: Bump the version of pip bundled in ensurepip to version 26.0.1
gh-144363: Update bundled libexpat to 2.7.4
gh-143637: Fixed a crash in socket.sendmsg() that could occur if ancillary data is mutated re-entrantly during argument parsing.
gh-143880: Fix data race in functools.partial() in the free threading build.
gh-143543: Fix a crash in itertools.groupby that could occur when a user-defined __eq__() method re-enters the iterator during key comparison.
gh-140652: Fix a crash in _interpchannels.list_all() after closing a channel.
gh-143698: Allow scheduler and setpgroup arguments to be explicitly None when calling os.posix_spawn() or os.posix_spawnp(). Patch by Bénédikt Tran.
gh-143698: Raise TypeError instead of SystemError when the scheduler in os.posix_spawn() or os.posix_spawnp() is not a tuple. Patch by Bénédikt Tran.
gh-143304: Fix ctypes.CDLL to honor the handle parameter on POSIX systems.
gh-142781: zoneinfo: fix a crash when instantiating ZoneInfo objects for which the internal class-level cache is inconsistent.
gh-142763: Fix a race condition between zoneinfo.ZoneInfo creation and zoneinfo.ZoneInfo.clear_cache() that could raise KeyError.
gh-142787: Fix assertion failure in sqlite3 blob subscript when slicing with indices that result in an empty slice.
gh-142352: Fix asyncio.StreamWriter.start_tls() to transfer buffered data from StreamReader to the SSL layer, preventing data loss when upgrading a connection to TLS mid-stream (e.g., when 
implementing PROXY protocol support).
gh-141707: Don’t change tarfile.TarInfo type from AREGTYPE to DIRTYPE when parsing GNU long name or link headers.
gh-139933: Improve AttributeError suggestions for classes with a custom __dir__() method returning a list of unsortable values. Patch by Bénédikt Tran.
gh-138891: Fix SyntaxError when inspect.get_annotations(f, eval_str=True) is called on a function annotated with a PEP 646 star_expression
gh-137335: Get rid of any possibility of a name conflict for named pipes in multiprocessing and asyncio on Windows, no matter how small.
gh-80667: Support lookup for Tangut Ideographs in unicodedata.
bpo-40243: Fix unicodedata.ucd_3_2_0.numeric() for non-decimal values.

Documentation

gh-126676: Expand argparse documentation for type=bool with a demonstration of the surprising behavior and pointers to common alternatives.
gh-145450: Document missing public wave.Wave_write getter methods.

Core and Builtins

gh-148157: Fix an unlikely crash when parsing an invalid type comments for function parameters. Found by OSS Fuzz in 492782951.

gh-146615: Fix a crash in __get__() for METH_METHOD descriptors when an invalid (non-type) object is passed as the second argument. Patch by Steven Sun.

gh-146128: Fix a bug which could cause constant values to be partially corrupted in AArch64 JIT code. This issue is theoretical, and hasn’t actually been observed in unmodified Python interpreters.

gh-146250: Fixed a memory leak in SyntaxError when re-initializing it.

gh-146245: Fixed reference leaks in socket when audit hooks raise exceptions in socket.getaddrinfo() and socket.sendto().

gh-146227: Fix wrong type in _Py_atomic_load_uint16 in the C11 atomics backend (pyatomic_std.h), which used a 32-bit atomic load instead of 16-bit. Found by Mohammed Zuhaib.

gh-146056: Fix repr() for lists containing NULLs.

gh-145990: python --help-env sections are now sorted by environment variable name.

gh-145376: Fix GC tracking in structseq.__replace__().

gh-142183: Avoid a pathological case where repeated calls at a specific stack depth could be significantly slower.

gh-145783: Fix an unlikely crash in the parser when certain errors were erroneously not propagated. Found by OSS Fuzz in 491369109.

gh-145701: Fix SystemError when __classdict__ or __conditional_annotations__ is in a class-scope inlined comprehension. Found by OSS Fuzz in 491105000.

gh-145335: Fix a crash in os.pathconf() when called with -1 as the path argument.

gh-145234: Fixed a SystemError in the parser when an encoding cookie (for example, UTF-7) decodes to carriage returns (\r). Newlines are now normalized after decoding in the string tokenizer.

Patch by Pablo Galindo.

gh-130555: Fix use-after-free in dict.clear() when the dictionary values are embedded in an object and a destructor causes re-entrant mutation of the dictionary.

gh-145008: Fix a bug when calling certain methods at the recursion limit which manifested as a corruption of Python’s operand stack. Patch by Ken Jin.

gh-144872: Fix heap buffer overflow in the parser found by OSS-Fuzz.

gh-144766: Fix a crash in fork child process when perf support is enabled.

gh-144759: Fix undefined behavior in the lexer when start and multi_line_start pointers are NULL in _PyLexer_remember_fstring_buffers() and _PyLexer_restore_fstring_buffers(). The NULL pointer 
arithmetic (NULL - valid_pointer) is now guarded with explicit NULL checks.

gh-144601: Fix crash when importing a module whose PyInit function raises an exception from a subinterpreter.

gh-143636: Fix a crash when calling SimpleNamespace.__replace__() on non-namespace instances. Patch by Bénédikt Tran.

gh-143650: Fix race condition in importlib where a thread could receive a stale module reference when another thread’s import fails.

gh-140594: Fix an out of bounds read when a single NUL character is read from the standard input. Patch by Shamil Abdulaev.

gh-91636: While performing garbage collection, clear weakrefs to unreachable objects that are created during running of finalizers. If those weakrefs were are not cleared, they could reveal 
unreachable objects.

gh-130327: Fix erroneous clearing of an object’s __dict__ if overwritten at runtime.

gh-80667: Literals using the \N{name} escape syntax can now construct CJK ideographs and Hangul syllables using case-insensitive names.

Build

gh-146541: The Android testbed can now be built for 32-bit ARM and x86 targets.
gh-146450: The Android build script was modified to improve parity with other platform build scripts.
gh-145801: When Python build is optimized with GCC using PGO, use -fprofile-update=atomic option to use atomic operations when updating profile information. This option reduces the risk of gcov Data 
Files (.gcda) corruption which can cause random GCC crashes. Patch by Victor Stinner.
gh-129259: Fix AIX build failures caused by incorrect struct alignment in _Py_CODEUNIT and _Py_BackoffCounter by adding AIX-specific #pragma pack directives.


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 pkgsrc/lang/py313-html-docs/Makefile \
    pkgsrc/lang/py313-html-docs/distinfo
cvs rdiff -u -r1.12 -r1.13 pkgsrc/lang/python313/PLIST
cvs rdiff -u -r1.13 -r1.14 pkgsrc/lang/python313/dist.mk
cvs rdiff -u -r1.19 -r1.20 pkgsrc/lang/python313/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/py313-html-docs/Makefile
diff -u pkgsrc/lang/py313-html-docs/Makefile:1.13 pkgsrc/lang/py313-html-docs/Makefile:1.14
--- pkgsrc/lang/py313-html-docs/Makefile:1.13   Wed Feb  4 14:15:49 2026
+++ pkgsrc/lang/py313-html-docs/Makefile        Thu Apr  9 07:15:07 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.13 2026/02/04 14:15:49 adam Exp $
+# $NetBSD: Makefile,v 1.14 2026/04/09 07:15:07 adam Exp $
 
-VERS=          3.13.12
+VERS=          3.13.13
 DISTNAME=      python-${VERS}-docs-html
 PKGNAME=       py313-html-docs-${VERS}
 CATEGORIES=    lang python
Index: pkgsrc/lang/py313-html-docs/distinfo
diff -u pkgsrc/lang/py313-html-docs/distinfo:1.13 pkgsrc/lang/py313-html-docs/distinfo:1.14
--- pkgsrc/lang/py313-html-docs/distinfo:1.13   Wed Feb  4 14:15:49 2026
+++ pkgsrc/lang/py313-html-docs/distinfo        Thu Apr  9 07:15:07 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.13 2026/02/04 14:15:49 adam Exp $
+$NetBSD: distinfo,v 1.14 2026/04/09 07:15:07 adam Exp $
 
-BLAKE2s (python-3.13.12-docs-html.tar.bz2) = 9cbfe6f66d71302ebbb081bb3d10087b5d42d280d525fccb333acdf30b040c40
-SHA512 (python-3.13.12-docs-html.tar.bz2) = ef162025c68bdf00323710441b8894679a06e1b6614360de81c221a74b458be57fa7b37f6aa9debb6f54bbd9f3a7a473a775ed9c9d8f13a7f33e98dc355ca936
-Size (python-3.13.12-docs-html.tar.bz2) = 10439375 bytes
+BLAKE2s (python-3.13.13-docs-html.tar.bz2) = 56523a38bb1b4e771324db22b96f0e6cd0cc5b3ff6a7a1aaebb22fa8b3416191
+SHA512 (python-3.13.13-docs-html.tar.bz2) = 12326cbe3a238cd529df37f47a4bab9beeb2d0663df907bc8572954cd4c18e76b7fac6b10999866698c70df34836fda9a0e6c0df57591dd2c6b6b6f9cfe10aaa
+Size (python-3.13.13-docs-html.tar.bz2) = 10439311 bytes

Index: pkgsrc/lang/python313/PLIST
diff -u pkgsrc/lang/python313/PLIST:1.12 pkgsrc/lang/python313/PLIST:1.13
--- pkgsrc/lang/python313/PLIST:1.12    Wed Feb  4 14:15:49 2026
+++ pkgsrc/lang/python313/PLIST Thu Apr  9 07:15:07 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.12 2026/02/04 14:15:49 adam Exp $
+@comment $NetBSD: PLIST,v 1.13 2026/04/09 07:15:07 adam Exp $
 bin/idle${PY_VER_SUFFIX}
 bin/pydoc${PY_VER_SUFFIX}
 bin/python${PY_VER_SUFFIX}
@@ -1159,7 +1159,7 @@ lib/python${PY_VER_SUFFIX}/ensurepip/__i
 lib/python${PY_VER_SUFFIX}/ensurepip/__main__.py
 lib/python${PY_VER_SUFFIX}/ensurepip/__main__.pyc
 lib/python${PY_VER_SUFFIX}/ensurepip/__main__.pyo
-lib/python${PY_VER_SUFFIX}/ensurepip/_bundled/pip-25.3-py3-none-any.whl
+lib/python${PY_VER_SUFFIX}/ensurepip/_bundled/pip-26.0.1-py3-none-any.whl
 lib/python${PY_VER_SUFFIX}/ensurepip/_uninstall.py
 lib/python${PY_VER_SUFFIX}/ensurepip/_uninstall.pyc
 lib/python${PY_VER_SUFFIX}/ensurepip/_uninstall.pyo
@@ -2590,6 +2590,9 @@ lib/python${PY_VER_SUFFIX}/test/mp_prelo
 lib/python${PY_VER_SUFFIX}/test/mp_preload_flush.py
 lib/python${PY_VER_SUFFIX}/test/mp_preload_flush.pyc
 lib/python${PY_VER_SUFFIX}/test/mp_preload_flush.pyo
+lib/python${PY_VER_SUFFIX}/test/mp_preload_large_sysargv.py
+lib/python${PY_VER_SUFFIX}/test/mp_preload_large_sysargv.pyc
+lib/python${PY_VER_SUFFIX}/test/mp_preload_large_sysargv.pyo
 lib/python${PY_VER_SUFFIX}/test/mp_preload_main.py
 lib/python${PY_VER_SUFFIX}/test/mp_preload_main.pyc
 lib/python${PY_VER_SUFFIX}/test/mp_preload_main.pyo
@@ -4805,9 +4808,6 @@ lib/python${PY_VER_SUFFIX}/test/test_pyr
 lib/python${PY_VER_SUFFIX}/test/test_pyrepl/__main__.py
 lib/python${PY_VER_SUFFIX}/test/test_pyrepl/__main__.pyc
 lib/python${PY_VER_SUFFIX}/test/test_pyrepl/__main__.pyo
-lib/python${PY_VER_SUFFIX}/test/test_pyrepl/eio_test_script.py
-lib/python${PY_VER_SUFFIX}/test/test_pyrepl/eio_test_script.pyc
-lib/python${PY_VER_SUFFIX}/test/test_pyrepl/eio_test_script.pyo
 lib/python${PY_VER_SUFFIX}/test/test_pyrepl/support.py
 lib/python${PY_VER_SUFFIX}/test/test_pyrepl/support.pyc
 lib/python${PY_VER_SUFFIX}/test/test_pyrepl/support.pyo
@@ -5275,6 +5275,9 @@ lib/python${PY_VER_SUFFIX}/test/test_too
 lib/python${PY_VER_SUFFIX}/test/test_tools/msgfmt_data/general.json
 lib/python${PY_VER_SUFFIX}/test/test_tools/msgfmt_data/general.mo
 lib/python${PY_VER_SUFFIX}/test/test_tools/msgfmt_data/general.po
+lib/python${PY_VER_SUFFIX}/test/test_tools/test_compute_changes.py
+lib/python${PY_VER_SUFFIX}/test/test_tools/test_compute_changes.pyc
+lib/python${PY_VER_SUFFIX}/test/test_tools/test_compute_changes.pyo
 lib/python${PY_VER_SUFFIX}/test/test_tools/test_freeze.py
 lib/python${PY_VER_SUFFIX}/test/test_tools/test_freeze.pyc
 lib/python${PY_VER_SUFFIX}/test/test_tools/test_freeze.pyo

Index: pkgsrc/lang/python313/dist.mk
diff -u pkgsrc/lang/python313/dist.mk:1.13 pkgsrc/lang/python313/dist.mk:1.14
--- pkgsrc/lang/python313/dist.mk:1.13  Wed Feb  4 14:15:49 2026
+++ pkgsrc/lang/python313/dist.mk       Thu Apr  9 07:15:07 2026
@@ -1,6 +1,6 @@
-# $NetBSD: dist.mk,v 1.13 2026/02/04 14:15:49 adam Exp $
+# $NetBSD: dist.mk,v 1.14 2026/04/09 07:15:07 adam Exp $
 
-PY_DISTVERSION=        3.13.12
+PY_DISTVERSION=        3.13.13
 DISTNAME=      Python-${PY_DISTVERSION}
 EXTRACT_SUFX=  .tar.xz
 DISTINFO_FILE= ${.CURDIR}/../../lang/python313/distinfo

Index: pkgsrc/lang/python313/distinfo
diff -u pkgsrc/lang/python313/distinfo:1.19 pkgsrc/lang/python313/distinfo:1.20
--- pkgsrc/lang/python313/distinfo:1.19 Wed Feb  4 14:15:49 2026
+++ pkgsrc/lang/python313/distinfo      Thu Apr  9 07:15:07 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.19 2026/02/04 14:15:49 adam Exp $
+$NetBSD: distinfo,v 1.20 2026/04/09 07:15:07 adam Exp $
 
-BLAKE2s (Python-3.13.12.tar.xz) = b142b9746c46655805403564f80df354da8b4af0e03c09856209d35076a611fb
-SHA512 (Python-3.13.12.tar.xz) = 5edecdf13999d8629f31543dffdcba521dbb5633577e481ee49275e377509a2f6d700624c26f95b57a8ff9501378d10d7c07c1d0e7e19be0d6c88f05b6315a13
-Size (Python-3.13.12.tar.xz) = 22926488 bytes
+BLAKE2s (Python-3.13.13.tar.xz) = 004b82366701c7ae639a025ba9d613b6f8b6286e44366c2abfe349c4ba4f1c04
+SHA512 (Python-3.13.13.tar.xz) = 0ef615150a52865fe7ca0d0e106cf98488f113a56e5ae1b1437673f03880423839d04abe1999006f9835c77d8802d5ae94a1bdf63d18074a9a19c81e6f7b69e8
+Size (Python-3.13.13.tar.xz) = 22957612 bytes
 SHA1 (patch-Include_pymacro.h) = 7611315fefc305a48b4965f2f2b9bee53ae3d987
 SHA1 (patch-Lib_ctypes_util.py) = 3dec1b6b7a36e46cbfa0dfcd71c5e7fac9f60764
 SHA1 (patch-Lib_sysconfig_____init____.py) = 6c151d3dca0367cbb38c1175b9dba894509cf1a4

Prev by Date: CVS commit: pkgsrc/devel/hdf5
Next by Date: CVS commit: pkgsrc/lang
Previous by Thread: CVS commit: pkgsrc/devel/hdf5
Next by Thread: CVS commit: pkgsrc/lang
Indexes:

Home | Main Index | Thread Index | Old Index