Log message:
*: recursive bump for icu 78.1

Log message:
lang/python313: remove unknown configure option

Log message:
python313 py313-html-docs: updated to 3.13.11

Python 3.13.11

Security

gh-142145: Remove quadratic behavior in xml.minidom node ID cache clearing.
gh-119451: Fix a potential memory denial of service in the http.client module. \ 
When connecting to a malicious server, it could cause an arbitrary amount of \ 
memory to be allocated. This could have led to symptoms including a MemoryError, \ 
swapping, out of memory (OOM) killed processes or containers, or even system \ 
crashes.
gh-119452: Fix a potential memory denial of service in the http.server module. \ 
When a malicious user is connected to the CGI server on Windows, it could cause \ 
an arbitrary amount of memory to be allocated. This could have led to symptoms \ 
including a MemoryError, swapping, out of memory (OOM) killed processes or \ 
containers, or even system crashes.

Library

gh-140797: Revert changes to the undocumented re.Scanner class. Capturing groups \ 
are still allowed for backward compatibility, although using them can lead to \ 
incorrect result. They will be forbidden in future Python versions.
gh-142206: The resource tracker in the multiprocessing module now uses the \ 
original communication protocol, as in Python 3.14.0 and below, by default. This \ 
avoids issues with upgrading Python while it is running. (Note that such \ 
‘in-place’ upgrades are not tested.) The tracker remains compatible with \ 
subprocesses that use new protocol (that is, subprocesses using Python 3.13.10, \ 
3.14.1 and 3.15).

Core and Builtins

gh-142218: Fix crash when inserting into a split table dictionary with a non str \ 
key that matches an existing key.

Log message:
python313: do not use system expat - it is not portable anymore

Log message:
python313 py313-html-docs: updated to 3.13.10

Python 3.13.10

Tools/Demos

gh-141442: The iOS testbed now correctly handles test arguments that contain spaces.
Tests
gh-140482: Preserve and restore the state of stty echo as part of the test \ 
environment.
gh-140082: Update python -m test to set FORCE_COLOR=1 when being run with color \ 
enabled so that unittest which is run by it with redirected output will output \ 
in color.
gh-136442: Use exitcode 1 instead of 5 if unittest.TestCase.setUpClass() raises \ 
an exception
Security
gh-139700: Check consistency of the zip64 end of central directory record. \ 
Support records with “zip64 extensible data” if there are no bytes prepended \ 
to the ZIP file.
gh-137836: Add support of the “plaintext” element, RAWTEXT elements \ 
“xmp”, “iframe”, “noembed” and “noframes”, and optionally \ 
RAWTEXT element “noscript” in html.parser.HTMLParser.
gh-136063: email.message: ensure linear complexity for legacy HTTP parameters \ 
parsing. Patch by Bénédikt Tran.
gh-136065: Fix quadratic complexity in os.path.expandvars().
gh-119342: Fix a potential memory denial of service in the plistlib module. When \ 
reading a Plist file received from untrusted source, it could cause an arbitrary \ 
amount of memory to be allocated. This could have led to symptoms including a \ 
MemoryError, swapping, out of memory (OOM) killed processes or containers, or \ 
even system crashes.

Library

gh-74389: When the stdin being used by a subprocess.Popen instance is closed, \ 
this is now ignored in subprocess.Popen.communicate() instead of leaving the \ 
class in an inconsistent state.
gh-87512: Fix subprocess.Popen.communicate() timeout handling on Windows when \ 
writing large input. Previously, the timeout was ignored during stdin writing, \ 
causing the method to block indefinitely if the child process did not consume \ 
input quickly. The stdin write is now performed in a background thread, allowing \ 
the timeout to be properly enforced.
gh-141473: When subprocess.Popen.communicate() was called with input and a \ 
timeout and is called for a second time after a TimeoutExpired exception before \ 
the process has died, it should no longer hang.
gh-59000: Fix pdb breakpoint resolution for class methods when the module \ 
defining the class is not imported.
gh-141570: Support file-like object raising OSError from fileno() in color \ 
detection (_colorize.can_colorize()). This can occur when sys.stdout is \ 
redirected.
gh-141659: Fix bad file descriptor errors from _posixsubprocess on AIX.
gh-141497: ipaddress: ensure that the methods IPv4Network.hosts() and \ 
IPv6Network.hosts() always return an iterator.
gh-140938: The statistics.stdev() and statistics.pstdev() functions now raise a \ 
ValueError when the input contains an infinity or a NaN.
gh-124111: Updated Tcl threading configuration in _tkinter to assume that \ 
threads are always available in Tcl 9 and later.
gh-137109: The os.fork and related forking APIs will no longer warn in the \ 
common case where Linux or macOS platform APIs return the number of threads in a \ 
process and find the answer to be 1 even when a os.register_at_fork() \ 
after_in_parent= callback (re)starts a thread.
gh-141314: Fix assertion failure in io.TextIOWrapper.tell() when reading files \ 
with standalone carriage return (\r) line endings.
gh-141311: Fix assertion failure in io.BytesIO.readinto() and undefined behavior \ 
arising when read position is above capcity in io.BytesIO.
gh-141141: Fix a thread safety issue with base64.b85decode(). Contributed by \ 
Benel Tayar.
gh-140911: collections: Ensure that the methods UserString.rindex() and \ 
UserString.index() accept collections.UserString instances as the sub argument.
gh-140797: The undocumented re.Scanner class now forbids regular expressions \ 
containing capturing groups in its lexicon patterns. Patterns using capturing \ 
groups could previously lead to crashes with segmentation fault. Use \ 
non-capturing groups (?:…) instead.
gh-140815: faulthandler now detects if a frame or a code object is invalid or \ 
freed. Patch by Victor Stinner.
gh-100218: Correctly set errno when socket.if_nametoindex() or \ 
socket.if_indextoname() raise an OSError. Patch by Bénédikt Tran.
gh-140875: Fix handling of unclosed character references (named and numerical) \ 
followed by the end of file in html.parser.HTMLParser with \ 
convert_charrefs=False.
gh-140734: multiprocessing: fix off-by-one error when checking the length of a \ 
temporary socket file path. Patch by Bénédikt Tran.
gh-140874: Bump the version of pip bundled in ensurepip to version 25.3
gh-140691: In urllib.request, when opening a FTP URL fails because a data \ 
connection cannot be made, the control connection’s socket is now closed to \ 
avoid a ResourceWarning.
gh-103847: Fix hang when cancelling process created by \ 
asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell(). Patch by \ 
Kumar Aditya.
gh-140590: Fix arguments checking for the functools.partial.__setstate__() that \ 
may lead to internal state corruption and crash. Patch by Sergey Miryanov.
gh-140634: Fix a reference counting bug in os.sched_param.__reduce__().
gh-140633: Ignore AttributeError when setting a module’s __file__ attribute \ 
when loading an extension module packaged as Apple Framework.
gh-140593: xml.parsers.expat: Fix a memory leak that could affect users with \ 
ElementDeclHandler() set to a custom element declaration handler. Patch by \ 
Sebastian Pipping.
gh-140607: Inside io.RawIOBase.read(), validate that the count of bytes returned \ 
by io.RawIOBase.readinto() is valid (inside the provided buffer).
gh-138162: Fix logging.LoggerAdapter with merge_extra=True and without the extra \ 
argument.
gh-140474: Fix memory leak in array.array when creating arrays from an empty str \ 
and the u type code.
gh-140272: Fix memory leak in the clear() method of the dbm.gnu database.
gh-140041: Fix import of ctypes on Android and Cygwin when ABI flags are present.
gh-139905: Add suggestion to error message for typing.Generic subclasses when \ 
cls.__parameters__ is missing due to a parent class failing to call \ 
super().__init_subclass__() in its __init_subclass__.
gh-139845: Fix to not print KeyboardInterrupt twice in default asyncio REPL.
gh-139783: Fix inspect.getsourcelines() for the case when a decorator is \ 
followed by a comment or an empty line.
gh-70765: http.server: fix default handling of HTTP/0.9 requests in \ 
BaseHTTPRequestHandler. Previously, BaseHTTPRequestHandler.parse_request() \ 
incorrectly waited for headers in the request although those are not supported \ 
in HTTP/0.9. Patch by Bénédikt Tran.
gh-139391: Fix an issue when, on non-Windows platforms, it was not possible to \ 
gracefully exit a python -m asyncio process suspended by Ctrl+Z and later \ 
resumed by fg other than with kill.
gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004', 'euc_jisx0213' and \ 
'euc_jis_2004' codecs truncating null chars as they were treated as part of \ 
multi-character sequences.
gh-139246: fix: paste zero-width in default repl width is wrong.
gh-90949: Add SetAllocTrackerActivationThreshold() and \ 
SetAllocTrackerMaximumAmplification() to xmlparser objects to prevent use of \ 
disproportional amounts of dynamic memory from within an Expat parser. Patch by \ 
Bénédikt Tran.
gh-139065: Fix trailing space before a wrapped long word if the line length is \ 
exactly width in textwrap.
gh-138993: Dedent credits text.
gh-138859: Fix generic type parameterization raising a TypeError when omitting a \ 
ParamSpec that has a default which is not a list of types.
gh-138775: Use of python -m with base64 has been fixed to detect input from a \ 
terminal so that it properly notices EOF.
gh-98896: Fix a failure in multiprocessing resource_tracker when SharedMemory \ 
names contain colons. Patch by Rani Pinchuk.
gh-75989: tarfile.TarFile.extractall() and tarfile.TarFile.extract() now \ 
overwrite symlinks when extracting hardlinks. (Contributed by Alexander Enrique \ 
Urieles Nieto in gh-75989.)
gh-83424: Allows creating a ctypes.CDLL without name when passing a handle as an \ 
argument.
gh-136234: Fix asyncio.WriteTransport.writelines() to be robust to connection \ 
failure, by using the same behavior as write().
gh-136057: Fixed the bug in pdb and bdb where next and step can’t go over the \ 
line if a loop exists in the line.
gh-135307: email: Fix exception in set_content() when encoding text and \ 
max_line_length is set to 0 or None (unlimited).
gh-134453: Fixed subprocess.Popen.communicate() input= handling of memoryview \ 
instances that were non-byte shaped on POSIX platforms. Those are now properly \ 
cast to a byte shaped view instead of truncating the input. Windows platforms \ 
did not have this bug.
gh-102431: Clarify constraints for “logical” arguments in methods of \ 
decimal.Context.

IDLE

gh-96491: Deduplicate version number in IDLE shell title bar after saving to a file.

Documentation

gh-141994: xml.sax.handler: Make Documentation of \ 
xml.sax.handler.feature_external_ges warn of opening up to external entity \ 
attacks. Patch by Sebastian Pipping.
gh-140578: Remove outdated sencence in the documentation for multiprocessing, \ 
that implied that concurrent.futures.ThreadPoolExecutor did not exist.

Core and Builtins

gh-142048: Fix quadratically increasing garbage collection delays in \ 
free-threaded build.
gh-141930: When importing a module, use Python’s regular file object to ensure \ 
that writes to .pyc files are complete or an appropriate error is raised.
gh-120158: Fix inconsistent state when enabling or disabling monitoring events \ 
too many times.
gh-141579: Fix sys.activate_stack_trampoline() to properly support the perf_jit \ 
backend. Patch by Pablo Galindo.
gh-141312: Fix the assertion failure in the __setstate__ method of the range \ 
iterator when a non-integer argument is passed. Patch by Sergey Miryanov.
gh-140939: Fix memory leak when bytearray or bytes is formated with the %*b \ 
format with a large width that results in a MemoryError.
gh-140530: Fix a reference leak when raise exc from cause fails. Patch by \ 
Bénédikt Tran.
gh-140576: Fixed crash in tokenize.generate_tokens() in case of specific \ 
incorrect input. Patch by Mikhail Efimov.
gh-140551: Fixed crash in dict if dict.clear() is called at the lookup stage. \ 
Patch by Mikhail Efimov and Inada Naoki.
gh-140471: Fix potential buffer overflow in ast.AST node initialization when \ 
encountering malformed _fields containing non-str.
gh-140406: Fix memory leak when an object’s __hash__() method returns an \ 
object that isn’t an int.
gh-140306: Fix memory leaks in cross-interpreter channel operations and shared \ 
namespace handling.
gh-140301: Fix memory leak of PyConfig in subinterpreters.
gh-140000: Fix potential memory leak when a reference cycle exists between an \ 
instance of typing.TypeAliasType, typing.TypeVar, typing.ParamSpec, or \ 
typing.TypeVarTuple and its __name__ attribute. Patch by Mikhail Efimov.
gh-139748: Fix reference leaks in error branches of functions accepting path \ 
strings or bytes such as compile() and os.system(). Patch by Bénédikt Tran.
gh-139516: Fix lambda colon erroneously start format spec in f-string in tokenizer.
gh-139640: Fix swallowing some syntax warnings in different modules if they \ 
accidentally have the same message and are emitted from the same line. Fix \ 
duplicated warnings in the finally block.
gh-137400: Fix a crash in the free threading build when disabling profiling or \ 
tracing across all threads with PyEval_SetProfileAllThreads() or \ 
PyEval_SetTraceAllThreads() or their Python equivalents \ 
threading.settrace_all_threads() and threading.setprofile_all_threads().
gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to match old pre-3.13 \ 
REPL behavior.

C API

gh-140042: Removed the sqlite3_shutdown call that could cause closing \ 
connections for sqlite when used with multiple sub interpreters.
gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API 3.11 and older: don’t \ 
treat Py_NotImplemented as immortal. Patch by Victor Stinner.

Log message:
python313 py313-html-docs: updated to 3.13.9

Python 3.13.9

Library
gh-139783: Fix inspect.getsourcelines() for the case when a decorator is \ 
followed by a comment or an empty line.

Log message:
python313: fix zip vulnerability

Bump PKGREVISION.

Log message:
python313 py313-html-docs: updated to 3.13.8

3.13.8

Python 3.13.8

macOS

gh-124111: Update macOS installer to use Tcl/Tk 8.6.17.
gh-139573: Updated bundled version of OpenSSL to 3.0.18.

Windows

gh-139573: Updated bundled version of OpenSSL to 3.0.18.
gh-138896: Fix error installing C runtime on non-updated Windows machines

Tools/Demos

gh-139330: SBOM generation tool didn’t cross-check the version and checksum \ 
values against the Modules/expat/refresh.sh script, leading to the values \ 
becoming out-of-date during routine updates.
gh-137873: The iOS test runner has been simplified, resolving some issues that \ 
have been observed using the runner in GitHub Actions and Azure Pipelines test \ 
environments.

Tests

gh-139208: Fix regrtest --fast-ci --verbose: don’t ignore the --verbose option \ 
anymore. Patch by Victor Stinner.
Security
gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only \ 
garbage-collected once they are no longer referenced by subparsers created by \ 
ExternalEntityParserCreate(). Patch by Sebastian Pipping.
gh-139283: sqlite3: correctly handle maximum number of rows to fetch in \ 
Cursor.fetchmany and reject negative values for Cursor.arraysize. Patch by \ 
Bénédikt Tran.
gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the \ 
HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private \ 
method _set_support_cdata() which can be used to specify how to parse \ 
<[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a \ 
bogus comment in the HTML namespace.

Library

gh-139312: Upgrade bundled libexpat to 2.7.3
gh-139289: Do a real lazy-import on rlcompleter in pdb and restore the existing \ 
completer after importing rlcompleter.
gh-139210: Fix use-after-free when reporting unknown event in \ 
xml.etree.ElementTree.iterparse(). Patch by Ken Jin.
gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in subprocess.
gh-112729: Fix crash when calling _interpreters.create when the process is out \ 
of memory.
gh-139076: Fix a bug in the pydoc module that was hiding functions in a Python \ 
module if they were implemented in an extension module and the module did not \ 
have __all__.
gh-138998: Update bundled libexpat to 2.7.2
gh-130567: Fix possible crash in locale.strxfrm() due to a platform bug on macOS.
gh-138779: Support device numbers larger than 2**63-1 for the st_rdev field of \ 
the os.stat_result structure.
gh-128636: Fix crash in PyREPL when os.environ is overwritten with an invalid \ 
value for mac
gh-88375: Fix normalization of the robots.txt rules and URLs in the \ 
urllib.robotparser module. No longer ignore trailing ?. Distinguish raw special \ 
characters ?, = and & from the percent-encoded ones.
gh-138515: email is added to Emscripten build.
gh-111788: Fix parsing errors in the urllib.robotparser module. Don’t fail \ 
trying to parse weird paths. Don’t fail trying to decode non-UTF-8 robots.txt \ 
files.
gh-138432: zoneinfo.reset_tzpath() will now convert any os.PathLike objects it \ 
receives into strings before adding them to TZPATH. It will raise TypeError if \ 
anything other than a string is found after this conversion. If given an \ 
os.PathLike object that represents a relative path, it will now raise ValueError \ 
instead of TypeError, and present a more informative error message.
gh-138008: Fix segmentation faults in the ctypes module due to invalid argtypes. \ 
Patch by Dung Nguyen.
gh-60462: Fix locale.strxfrm() on Solaris (and possibly other platforms).
gh-138204: Forbid expansion of shared anonymous memory maps on Linux, which \ 
caused a bus error.
gh-138010: Fix an issue where defining a class with a \ 
@warnings.deprecated-decorated base class may not invoke the correct \ 
__init_subclass__() method in cases involving multiple inheritance. Patch by \ 
Brian Schubert.
gh-138133: Prevent infinite traceback loop when sending CTRL^C to Python through \ 
strace.
gh-134869: Fix an issue where pressing Ctrl+C during tab completion in the REPL \ 
would leave the autocompletion menu in a corrupted state.
gh-137317: inspect.signature() now correctly handles classes that use a \ 
descriptor on a wrapped __init__() or __new__() method. Contributed by Yongyu \ 
Yan.
gh-137754: Fix import of the zoneinfo module if the C implementation of the \ 
datetime module is not available.
gh-137490: Handle ECANCELED in the same way as EINTR in signal.sigwaitinfo() on \ 
NetBSD.
gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and \ 
inspect.getsource() for generator expressions.
gh-137017: Fix threading.Thread.is_alive to remain True until the underlying OS \ 
thread is fully cleaned up. This avoids false negatives in edge cases involving \ 
thread monitoring or premature threading.Thread.is_alive calls.
gh-136134: SMTP.auth_cram_md5() now raises an SMTPException instead of a \ 
ValueError if Python has been built without MD5 support. In particular, SMTP \ 
clients will not attempt to use this method even if the remote server is assumed \ 
to support it. Patch by Bénédikt Tran.
gh-136134: IMAP4.login_cram_md5 now raises an IMAP4.error if CRAM-MD5 \ 
authentication is not supported. Patch by Bénédikt Tran.
gh-135386: Fix opening a dbm.sqlite3 database for reading from read-only file or \ 
directory.
gh-126631: Fix multiprocessing forkserver bug which prevented __main__ from \ 
being preloaded.
gh-123085: In a bare call to importlib.resources.files(), ensure the caller’s \ 
frame is properly detected when importlib.resources is itself available as a \ 
compiled module only (no source).
gh-118981: Fix potential hang in multiprocessing.popen_spawn_posix that can \ 
happen when the child proc dies early by closing the child fds right away.
gh-78319: UTF8 support for the IMAP APPEND command has been made RFC compliant.
bpo-38735: Fix failure when importing a module from the root directory on \ 
unix-like platforms with sys.pycache_prefix set.
bpo-41839: Allow negative priority values from os.sched_get_priority_min() and \ 
os.sched_get_priority_max() functions.

Core and Builtins

gh-134466: Don’t run PyREPL in a degraded environment where setting termios \ 
attributes is not allowed.
gh-71810: Raise OverflowError for (-1).to_bytes() for signed conversions when \ 
bytes count is zero. Patch by Sergey B Kirpichev.
gh-105487: Remove non-existent __copy__(), __deepcopy__(), and __bases__ from \ 
the __dir__() entries of types.GenericAlias.
gh-134163: Fix a hang when the process is out of memory inside an exception handler.
gh-138479: Fix a crash when a generic object’s __typing_subst__ returns an \ 
object that isn’t a tuple.
gh-137576: Fix for incorrect source code being shown in tracebacks from the \ 
Basic REPL when PYTHONSTARTUP is given. Patch by Adam Hartz.
gh-132744: Certain calls now check for runaway recursion and respect the system \ 
recursion limit.

C API

gh-87135: Attempting to acquire the GIL after runtime finalization has begun in \ 
a different thread now causes the thread to hang rather than terminate, which \ 
avoids potential crashes or memory corruption caused by attempting to terminate \ 
a thread that is running code not specifically designed to support termination. \ 
In most cases this hanging is harmless since the process will soon exit anyway.

While not officially marked deprecated until 3.14, PyThread_exit_thread is no \ 
longer called internally and remains solely for interface compatibility. Its \ 
behavior is inconsistent across platforms, and it can only be used safely in the \ 
unlikely case that every function in the entire call stack has been designed to \ 
support the platform-dependent termination mechanism. It is recommended that \ 
users of this function change their design to not require thread termination. In \ 
the unlikely case that thread termination is needed and can be done safely, \ 
users may migrate to calling platform-specific APIs such as pthread_exit (POSIX) \ 
or _endthreadex (Windows) directly.

Build

gh-135734: Python can correctly be configured and built with ./configure \ 
--enable-optimizations --disable-test-modules. Previously, the profile data \ 
generation step failed due to PGO tests where immortalization couldn’t be \ 
properly suppressed. Patch by Bénédikt Tran.