Upgrade bundled dependencies #5207#5208

Merged
matejk merged 6 commits into main from 5207-dependencies-update-1.15.1
Feb 16, 2026
Conversation


@matejk matejk commented Feb 14, 2026

Summary

Upgrade all out-of-date bundled dependencies and add version/source comments to all dependency CMakeLists.txt files.

Dependency Upgrades

| Dependency | From | To | Priority |
|---|---|---|---|
| libpng | 1.6.53 | 1.6.55 | CRITICAL — CVE-2026-22801 (heap over-read), CVE-2026-25646 (heap buffer overflow, potential RCE) |
| utf8proc | 2.11.0 | 2.11.1 | MEDIUM — out-of-bounds memory access fix |
| SQLite | 3.51.1 | 3.51.2 | MEDIUM — deadlock fix, query optimizer bug fixes |
| zlib | 1.3.1 | 1.3.1.2 | LOW — build/portability improvements, inflateCopy() OOB fix |
| LZMA SDK | 25.01 | 26.00 | LOW — format improvements, sparse file TAR fix |

Already Up-to-Date (no changes)

PCRE2 10.47, expat 2.7.4, double-conversion 3.3.1, libharu 2.4.5, Quill 11.0.2, pdjson, wepoll

CMakeLists.txt Version Comments

Added consistent version and source URL header comments to all 12 bundled dependency CMakeLists.txt files (2 already had them: expat and v8_double_conversion).

Test plan

  • CMake configure succeeds
  • Foundation builds (tests zlib, PCRE2, utf8proc, double-conversion)
  • PDF builds (tests libpng, libharu)
  • DataSQLite builds (tests SQLite)
  • Zip builds (tests zlib)
  • SevenZip builds (tests LZMA SDK)
  • CI passes on Linux, macOS, Windows

Resolves #5207

Security fixes:
- CVE-2026-22801: heap buffer over-read in png_image_write_* functions
- CVE-2026-25646: heap buffer overflow in png_set_quantize() (potential RCE)

Refs #5207
Fixes out-of-bounds memory access when calling utf8proc_map with
both UTF8PROC_CHARBOUND and UTF8PROC_DECOMPOSE flags set.

Refs #5207
Fixes deadlock in broken-posix-lock detection logic and multiple
problems in the EXISTS-to-JOIN optimization from 3.51.0.

Refs #5207
Build/portability improvements, out-of-bounds pointer arithmetic
fix in inflateCopy(), deflateBound() made more conservative.

Refs #5207
Improved code for ZIP, CPIO, RAR, UDF, QCOW, and Compound archive
formats. Fixed TAR archive extraction for sparse files.

Refs #5207
@matejk matejk merged commit b864ea0 into main Feb 16, 2026
102 checks passed
@matejk matejk deleted the 5207-dependencies-update-1.15.1 branch February 16, 2026 13:59

Development

Successfully merging this pull request may close these issues.

Upgrade bundled dependencies to latest versions