chore(deps): bundled third-party library updates for 1.15.3 #5351
Merged
The bundled tessil/ordered-map snapshot already corresponds to upstream v1.2.0 (verified by diffing the headers), but the version was not recorded in dependencies/tessil/CMakeLists.txt and the README table listed "n/a". This caused dependencies/check-upstream-versions.sh to report "(cannot compare)" for tessil. Add the standard "# Version: X.Y.Z" comment and update the README so the upstream version checker can compare correctly. The local "static" removal on numeric_cast/deserialize_value remains in place, tracked by the existing README note pointing to upstream PR #54.
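The commit above describes why the upstream version checker printed "(cannot compare)": it reads a "# Version: X.Y.Z" comment from each bundled dependency's CMakeLists.txt and has nothing to compare when the marker is missing. The script below is an added example written for this page, not POCO's own dependencies/check-upstream-versions.sh (whose contents are not shown here); the function names, the sample CMakeLists.txt files and the upstream version values are constructed for the demo. It shows the marker extraction, a numeric dotted-version comparison, and the three outcomes a checker reports (up to date, behind, or cannot compare).

```shell
#!/bin/sh
# Added example: a minimal "bundled vs upstream" version checker.
# Assumed convention (from the commit message): the bundled copy's
# CMakeLists.txt carries a "# Version: X.Y.Z" comment line.

# Print the version recorded in a CMakeLists.txt, or nothing if absent.
bundled_version() {
    sed -n 's/^# *Version: *\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Compare two dotted versions component by component, numerically
# (so 26.01 > 26.00 and 1.2 == 1.2.0). Prints older / same / newer,
# describing the first argument relative to the second.
compare_versions() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "older"; exit }
            if (p > q) { print "newer"; exit }
        }
        print "same"
    }'
}

# Report one dependency. Exit status: 0 up to date (or ahead),
# 1 behind upstream, 2 marker missing ("(cannot compare)").
check_dep() {
    name="$1"; cmake="$2"; upstream="$3"
    local_ver=$(bundled_version "$cmake")
    if [ -z "$local_ver" ]; then
        echo "$name: (cannot compare) - no '# Version:' marker in $cmake"
        return 2
    fi
    case $(compare_versions "$local_ver" "$upstream") in
        same)  echo "$name: $local_ver up to date"; return 0 ;;
        older) echo "$name: $local_ver behind upstream $upstream"; return 1 ;;
        newer) echo "$name: $local_ver ahead of upstream $upstream"; return 0 ;;
    esac
}

# Demo on two constructed CMakeLists.txt files: one with the marker,
# one without (the state the tessil bundle was in before this commit).
demo() {
    tmp=$(mktemp -d)
    printf '# Version: 1.2.0\nadd_library(tessil INTERFACE)\n' > "$tmp/with.txt"
    printf 'add_library(tessil INTERFACE)\n' > "$tmp/without.txt"
    check_dep tessil "$tmp/with.txt" 1.2.0 || true
    check_dep tessil "$tmp/without.txt" 1.2.0 || true
    rm -rf "$tmp"
}

demo
```

The numeric comparison matters for entries like the 7-Zip SDK's 26.00 to 26.01 step, where a plain string comparison of the padded components would still work but a lexical comparison of "1.10" against "1.9" would not.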
…-2026-45186) Security fixes from upstream:
- CVE-2026-45186 (2.8.1): Quadratic runtime from attribute name collision checks allowed denial of service through moderately sized crafted XML input (CWE-407). Compression amplifies the attack.
- CVE-2026-41080 (2.8.0): Hash flooding protection used only 4-8 bytes of salt entropy where 16 are supported by SipHash. New XML_SetHashSalt16Bytes API; XML_SetHashSalt is now deprecated.

Other notable upstream changes carried in:
- New getentropy(3) entropy source support in xmlparse.c.
- Various bug fixes around errno propagation after randomization calls and uint8_t character-type assumptions.
- Library SOVERSION moved from 1.12.0 to 1.12.1.

Bundled-build adjustments:
- Restore Poco's portable expat_config.h after the update script overwrote it with the upstream autoconf-generated copy. The Poco version sets BYTEORDER from compiler predefined macros so the bundle works across all supported targets without per-platform generation.
- Expat 2.8.x split each entropy source into its own random_*.c file. Add the new files to dependencies/expat/src/ and gate them per platform in CMakeLists.txt to mirror upstream's lib/CMakeLists.txt -- without gating, random_getrandom.c fails to compile on macOS because it references SYS_getrandom unguarded.

Verified: XML-testrunner -all passes (138 tests) on macOS arm64 and Linux arm64 (orb).
Patch release that addresses problems reported in 3.53.0. Most notable: Fix the WAL-reset database corruption bug.

Reference: https://www.sqlite.org/releaselog/3_53_1.html

Verified: DataSQLite-testrunner -all passes (100 tests) on macOS arm64 and Linux arm64 (orb).
Patch release that fixes a regression introduced in 1.6.56: png_get_PLTE() returned stale palette data when gamma correction or alpha-compositing was the only transform applied.

Reference: http://www.libpng.org/pub/png/libpng.html

The bundled pnglibconf.h is preserved (it is a generated configuration file maintained locally and is not present in the upstream tarball).

Verified: PDF-testrunner -all passes (8 tests, libpng linked through libharu) on macOS arm64 and Linux arm64 (orb).
Upstream changes (https://www.7-zip.org/history.txt):
- Linux can use huge pages (2 MB) for ~10% faster 7z/xz/LZMA/LZMA2 compression.
- New -spo[d|c|r] switch for output-directory path generation.
- Several bug fixes.

The bundled snapshot is the LZMA SDK subset only; this update brings in upstream changes to Alloc, Threads, 7zArcIn, LzmaEnc, etc. -- 13 files with substantive diffs out of 86 in the SDK; the rest are byte-identical between 26.00 and 26.01.

POCO has no SevenZip testsuite, so verification is by:
- libPocoSevenZip builds cleanly on macOS arm64 and Linux arm64 (orb).
- The un7zip sample builds and successfully lists + extracts a 7z archive created with the system 7z tool.
Summary

Refresh four bundled third-party dependencies and record tessil's actual version. Five commits, one per dependency.

- 9376f1a29: … 1.2.0 in CMakeLists/README … static removal on numeric_cast/deserialize_value remains, tracked by upstream PR #54.
- 0f9fc99a1: … expat_config.h after the update script clobbered it, plus adding the new random_*.{c,h} files and gating them per platform in CMakeLists to mirror upstream.
- bc56c38b9: …
- 2f8ef3a9c: … png_get_PLTE() returning stale palette data when gamma correction or alpha-compositing is the only transform applied (regression from 1.6.56). The bundled pnglibconf.h is preserved.
- afbc44fd2: …

After this PR, dependencies/check-upstream-versions.sh reports all bundled deps up to date.

Test plan

- XML-testrunner -all (138 tests) on macOS arm64 + Linux arm64
- DataSQLite-testrunner -all (100 tests) on macOS arm64 + Linux arm64
- PDF-testrunner -all (8 tests) on macOS arm64 + Linux arm64
- .7z archive (list + extract round-trip)

CHANGELOG entries (suggested)

For the "Bundled Third-Party Library Upgrades" section of 1.15.3: