cpython: 3.13.12 -> 3.13.13; 3.14.3 -> 3.14.4; 3.15.0a7 -> 3.15.0a8

[mweinelt]

https://docs.python.org/release/3.13.13/whatsnew/changelog.html
https://docs.python.org/release/3.14.4/whatsnew/changelog.html
https://docs.python.org/3.15/whatsnew/changelog.html#python-3-15-0-alpha-8

Fixes: CVE-2026-4224, CVE-2026-3644, CVE-2026-2297

Things done

• Built on platform:
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• Tested, as applicable:
  • NixOS tests in nixos/tests.
  • Package tests at passthru.tests.
  • Tests in lib/tests or pkgs/test for functions and "core" functionality.
• Ran nixpkgs-review on this PR. See nixpkgs-review usage.
• Tested basic functionality of all binary files, usually in ./result/bin/.
• Nixpkgs Release Notes
  • Package update: when the change is major or breaking.
• NixOS Release Notes
  • Module addition: when adding a new NixOS module.
  • Module update: when the change is significant.
• Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

[thunze]

• Diff LGTM
• Verified that all of python31{3,4,5} build on x86_64-linux
• Verified basic functionality of the REPLs of all of the above interpreters on x86_64-linux

A screenshot of the new 3.15 fancycompleter:

tkinter is failing transitively due to a mypy test failing:

=================================== FAILURES ===================================
___________________ testAllBase64Features_librt_experimental ___________________
[gw9] linux -- Python 3.13.13 /nix/store/xdj4p7g382ynxgimglm09ghh0p5m9mn4-python3-3.13.13/bin/python3.13
data: /build/source/mypyc/test-data/run-base64.test:1:
Failed: Invalid output (/build/source/mypyc/test-data/run-base64.test, line 1)
----------------------------- Captured stdout call -----------------------------

*** Exit status: 1
----------------------------- Captured stderr call -----------------------------

Generated files: /build/source/.mypyc_test_output (for first failure only)

Expected:
Actual:
  << test_decode_with_extra_data_after_padding >> (diff)
  Traceback (most recent call last): (diff)
    File "driver.py", line 57, in <module> (diff)
      raise failures[-1][1][1] (diff)
    File "driver.py", line 28, in <module> (diff)
      test_func() (diff)
      ~~~~~~~~~^^ (diff)
    File "run-base64.test", line 139, in test_decode_with_extra_data_after_padding (diff)
      check_decode(b"eA==x", encoded=True) (diff)
    File "run-base64.test", line 63, in check_decode (diff)
      assert b64decode(enc) == getattr(base64, "b64decode")(enc) (diff)
    File "/nix/store/xdj4p7g382ynxgimglm09ghh0p5m9mn4-python3-3.13.13/lib/python3.13/base64.py", line 88, in b64decode (diff)
      return binascii.a2b_base64(s, strict_mode=validate) (diff)
             ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^ (diff)
  binascii.Error: Incorrect padding (diff)

Update the test output using --update-data (implies -n0; you can additionally use the -k selector to update only specific tests)
------------------------------ Captured log call -------------------------------
[...]
=========================== short test summary info ============================
FAILED mypyc/test/test_run.py::TestRun::run-base64.test::testAllBase64Features_librt_experimental - data: /build/source/mypyc/test-data/run-base64.test:1:
===== 1 failed, 12820 passed, 362 skipped, 13 xfailed in 95.63s (0:01:35) ======

Looks like python/mypy#21120, upstream is skipping parts of this test for now. But nothing we couldn't fix on staging, as done in the past for similar failures (see e.g. #486806). I'll propose a fix later today when I have more time if this doesn't get picked up by then.

[thunze]

Prepared fixes for mypy and exceptiongroup:

• mypy: disable broken base64 test after cpython decoder change #508403
• python3Packages.exceptiongroup: update repr patch after 3.14 backport #508410

[mweinelt]

Darwin is blocked on libarchive, nothing I can do here.