From 7ef880d57f04733bc705028028c7462197702ab2 Mon Sep 17 00:00:00 2001
From: HCL-JasonR <jason.riendeau@hcl-software.com>
Date: Wed, 1 Apr 2026 12:56:51 -0400
Subject: [PATCH 1/3] Update libpng.py to 1.6.56

This fixes two High CVEs.
https://www.cve.org/CVERecord?id=CVE-2026-33416
https://www.cve.org/CVERecord?id=CVE-2026-33636
---
 tools/ports/libpng.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tools/ports/libpng.py b/tools/ports/libpng.py
index 7da6231c17f06..34e2e71fefd87 100644
--- a/tools/ports/libpng.py
+++ b/tools/ports/libpng.py
@@ -6,8 +6,8 @@
 import os
 import shutil
 
-TAG = '1.6.55'
-HASH = '45d3c4c3bd3d22dd93026e1bdff8df8133459a2903fb70be178899a55d256bab55bb5c4220d790202fce578e346c040c5c00e1f004cf5c4dcbf387a30d43e701'
+TAG = '1.6.56'
+HASH = 'e9b7c90e5b29d877e0c0888fe35e5498ae513619943728d7a05269b261786c476808df06de460ec27f6d045cf7193a5e3656b95c553539b4edcdd2fd0c5fa422'
 
 deps = ['zlib']
 variants = {
@@ -32,6 +32,8 @@ def get_lib_name(settings):
 
 def get(ports, settings, shared):
   # This is an emscripten-hosted mirror of the libpng repo from Sourceforge.
+  # Reviewer - please add libpng-1.6.56 binary to storage
+  # https://sourceforge.net/projects/libpng/files/libpng16/1.6.56/libpng-1.6.56.tar.gz/download
   ports.fetch_project('libpng', f'https://storage.googleapis.com/webassembly/emscripten-ports/libpng-{TAG}.tar.gz', sha512hash=HASH)
 
   def create(final):

From 69c6c0fd2cb6542542853f659c586fc67d4ec397 Mon Sep 17 00:00:00 2001
From: HCL-JasonR <jason.riendeau@hcl-software.com>
Date: Wed, 1 Apr 2026 13:41:07 -0400
Subject: [PATCH 2/3] Removing review comment

---
 tools/ports/libpng.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/tools/ports/libpng.py b/tools/ports/libpng.py
index 34e2e71fefd87..5737caba3fb90 100644
--- a/tools/ports/libpng.py
+++ b/tools/ports/libpng.py
@@ -32,8 +32,6 @@ def get_lib_name(settings):
 
 def get(ports, settings, shared):
   # This is an emscripten-hosted mirror of the libpng repo from Sourceforge.
-  # Reviewer - please add libpng-1.6.56 binary to storage
-  # https://sourceforge.net/projects/libpng/files/libpng16/1.6.56/libpng-1.6.56.tar.gz/download
   ports.fetch_project('libpng', f'https://storage.googleapis.com/webassembly/emscripten-ports/libpng-{TAG}.tar.gz', sha512hash=HASH)
 
   def create(final):

From a11da50c68b0bf9663b69890a01d0aa5ff1240e4 Mon Sep 17 00:00:00 2001
From: HCL-JasonR <jason.riendeau@hcl-software.com>
Date: Wed, 1 Apr 2026 13:41:56 -0400
Subject: [PATCH 3/3] Update ChangeLog.md

---
 ChangeLog.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog.md b/ChangeLog.md
index b4a9bab199aa3..117c3b4d8eb69 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -27,6 +27,7 @@ See docs/process.md for more on how version tagging works.
   `--experimental-wasm-bulk-memory` flags when used with versions of node older
   than v16. (#26560)
 - SDL3 port updated from 3.2.30 to 3.4.2 (#26572)
+- libpng port updated from 1.6.55 to 1.6.56. (#26592)
 
 5.0.4 - 03/23/26
 ----------------