chore(deps): bump https://github.com/microsoft/vcpkg from HEAD to 2026.03.18

[dependabot]

Bumps https://github.com/microsoft/vcpkg from HEAD to 2026.03.18. This release includes the previously tagged commit.

Release notes

Sourced from https://github.com/microsoft/vcpkg's releases.

2026.03.18 Release

This release contains a fix for a vulnerability in how vcpkg packaged OpenSSL on Windows: microsoft/vcpkg#50518

The vulnerability was originally reported by Xavier DANEST working with TrendAI Zero Day Initiative and assigned ZDI-CAN-29616 (visible at the time of this writing on https://www.zerodayinitiative.com/advisories/upcoming/ ). It has also been recorded as GitHub advisory GHSA-p322-v6vw-vrq9 .

If you only want to update OpenSSL you should be able to override the selected version to 3.6.1#3 or later.

Total port count: 2773

Total port count per triplet (tested): https://dev.azure.com/vcpkg/public/_build/results?buildId=128681&view=results

triplet	ports available
x86-windows	2583
x64-windows	2714
x64-windows-release	2714
x64-windows-static	2594
x64-windows-static-md	(infrastructure failed... 2 days earlier build result was 2648)
arm64-windows	2346
arm64-windows-static-md	2329
arm64-osx	2528
x64-linux	2725
arm64-linux	2091
arm-neon-android	2135
x64-android	2197
arm64-android	2144

The following vcpkg-tool releases have occurred since the last registry release:

• https://github.com/microsoft/vcpkg-tool/releases/tag/2026-03-04

In those tool releases, the following changes are particularly meaningful:

• Fix mismatched VCPKG_ROOT warnings when Visual Studio has vcpkg installed by @​BillyONeal in microsoft/vcpkg-tool#1931

port	version
ddtdanilo-lmdb-wrapper	1.0.1
frei0r	2.5.4
hesphoros-uniconv	3.3.2
libdxfrw	2025-09-25
libsharp	1.0.0
obfuscxx	1.3.1
sdl3-mixer	3.2.0
spine-c	4.2.20260227
spine-cpp	4.2.20260227
stillwater-universal	3.96

... (truncated)

Commits

• c3867e7 Fix IncrementalClean deleting vcpkg-deployed DLLs on incremental builds (#50521)
• 5111afd [openssl] Don't set openssldir to a potentially-world-writable location. (#50...
• a621075 [lexbor] update to 2.7.0 (#50452)
• b00467f [spine-runtimes] Update to 4.2.20260227 (#50251)
• ddf4743 [nlopt] add a feature to compile luksan's alg and fill the license field in j...
• 5becb67 Update Detours (#50487)
• 717f2c1 [aws-c-io] update to 0.26.2 (#50526)
• 4ef2a71 [many ports] switch to vcpkg-make (#50498)
• 7e99dc2 [basisu] update to 2.1.0 (#50522)
• a9ebf22 [tmxlite] update to 1.4.5 (#50523)
• Additional commits viewable in compare view

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: The number of snapshots compared for the base SHA (2) and the head SHA (1) do not match. You may see unexpected removals in the diff.

Consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details

Scanned Files

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Overview

This Dependabot PR updates the vcpkg baseline from commit d1ff36c to c3867e7, bringing in the 2026.03.18 release. Key changes include a security fix for a vulnerability in how vcpkg packaged OpenSSL on Windows (ZDI-CAN-29616 / GHSA-p322-v6vw-vrq9).

Severity	Count
CRITICAL	0
WARNING	0
SUGGESTION	0

Files Reviewed (1 file)

• vcpkg-configuration.json - Dependency version update only, no code issues

---

_{Reviewed by minimax-m2.5-20260211 · 164,061 tokens}

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}

[dependabot]

Superseded by #543.