Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package yq for openSUSE:Factory checked in at 2026-05-26 16:34:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yq (Old) and /work/SRC/openSUSE:Factory/.yq.new.2084 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yq" Tue May 26 16:34:55 2026 rev:25 rq:1355143 version:4.53.2 Changes: --------
--- /work/SRC/openSUSE:Factory/yq/yq.changes 2026-03-18 16:53:27.940421474 +0100
+++ /work/SRC/openSUSE:Factory/.yq.new.2084/yq.changes 2026-05-26 16:35:08.242740929 +0200
@@ -1,0 +2,22 @@
+Sun May 24 08:53:05 UTC 2026 - Egbert Eich <[email protected]>
+
+- update to v4.53.2
+ * Add system(command; args) operator (disabled by default).
+ * TOML encoder: prefer readable table sections over inline tables.
+ * Fix TOML encoder to quote keys containing special characters.
+ * Add string slicing support.
+ * Fix findInArray misuse on MappingNodes in equality and contains.
+ * Fix panic on negative slice indices that underflow after adjustment.
+ * Fix stack overflow from circular alias in traverse.
+ * Fix panic and OOM in repeatString for large repeat counts.
+- update to v4.52.5
+ * Fix: reset TOML decoder state between files.
+ * Fix: preserve original filename when using --front-matter.
+- Integrate vulnchecker support into %check stage (optional:
+ set `%%_with_vulncheck 1`).
+- Fix CVE-2026-33814 (bsc#1266248):
+ * update golang.org/x/net to v0.53.0.
+- Add Fix-testcase-for-32bit-platforms.patch:
+ This fixes the test suite for 32-bit.
+
+-------------------------------------------------------------------
@@ -60,0 +83,3 @@
+ * Fixes CVE-2025-58190 (GO-2026-4441) (bsc#1251540)
+ CVE-2025-47911 (GO-2026-4440) (bsc#1251339) by
+ updating golang.org/x/net to v0.46.0.
@@ -95,0 +121,2 @@ + * Fixed CVE-2025-22872 (GO-2025-3595) (bsc#1241719) by + updating golang.org/x/net to 0.39.0. Old: ---- yq-4.52.4.tar.gz New: ---- Fix-testcase-for-32bit-platforms.patch yq-4.53.2.tar.gz ----------(New B)---------- New: * update golang.org/x/net to v0.53.0. - Add Fix-testcase-for-32bit-platforms.patch: This fixes the test suite for 32-bit. ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yq.spec ++++++ --- /var/tmp/diff_new_pack.g9qO99/_old 2026-05-26 16:35:09.038773862 +0200 +++ /var/tmp/diff_new_pack.g9qO99/_new 2026-05-26 16:35:09.038773862 +0200 @@ -16,17 +16,20 @@ # +%{bcond_with vulncheck} + %global provider_prefix github.com/mikefarah/yq %global import_path %{provider_prefix} Name: yq -Version: 4.52.4 +Version: 4.53.2 Release: 0 Summary: A portable command-line YAML processor License: MIT URL: https://github.com/mikefarah/yq Source0: https://github.com/mikefarah/yq/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: vendor.tar.gz +Patch1: Fix-testcase-for-32bit-platforms.patch # conflict with all python3X-yq packages since they install /usr/bin/yq # we need to handle Leap 15.4 specially since the python3dist() is not # generated there @@ -36,6 +39,10 @@ Conflicts: python3-yq %endif BuildRequires: golang(API) = 1.25 +%if %{with vulncheck} +BuildRequires: govulncheck +BuildRequires: govulncheck-vulndb +%endif %description A lightweight and portable command-line YAML processor. yq uses jq like syntax @@ -78,6 +85,13 @@ %check go test ./... +%if %{with vulncheck} +for i in $(find %{buildroot} -executable -and -not -type d \ + -and -not -name "*.debug" -and -not -name "*.so*"); do + file $i | grep -q "^$i: ELF" || continue + govulncheck -mode=binary -db file:///usr/share/vulndb/ $i +done +%endif %install install -D -m 0755 ./bin/%{name} "%{buildroot}/%{_bindir}/%{name}" ++++++ Fix-testcase-for-32bit-platforms.patch ++++++ 
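Review bot: The loop added to `%check` in yq.spec expands `$i` unquoted and also reuses it as the grep pattern, so a path under `%{buildroot}` that contains whitespace or regex metacharacters can be split or mismatched and the file skipped instead of scanned. Quoting the variable and matching on the brief output avoids that: `file -b "$i" | grep -q '^ELF' || continue` followed by `govulncheck -mode=binary -db file:///usr/share/vulndb/ "$i"`. Because `%{bcond_with vulncheck}` leaves the scan off unless it is requested and the database comes from the `govulncheck-vulndb` build dependency, a comment above the block should say that a clean run only reflects that packaged snapshot. Whether the Factory build enables the conditional is not visible on this page.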
From: Egbert Eich <[email protected]> Date: Sun May 24 15:00:14 2026 +0200 Subject: Fix testcase for 32bit platforms Patch-mainline: Not yet Git-commit: c74405b1b344c5038293063e26b2fca74342dc1f References: Signed-off-by: Egbert Eich <[email protected]> Signed-off-by: Egbert Eich <[email protected]> --- pkg/yqlib/operator_multiply_test.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkg/yqlib/operator_multiply_test.go b/pkg/yqlib/operator_multiply_test.go index 2c31b6f..15a7777 100644 --- a/pkg/yqlib/operator_multiply_test.go +++ b/pkg/yqlib/operator_multiply_test.go @@ -2,6 +2,7 @@ package yqlib import ( "fmt" + "math" "strings" "testing" ) @@ -710,8 +711,8 @@ var multiplyOperatorScenarios = []expressionScenario{ // The size guard must not overflow: len * count can wrap to // a negative or small value on 64-bit, bypassing the check. skipDoc: true, - expression: `"ab" * 4611686018427387904`, - expectedError: "result of repeating string (2 bytes) by 4611686018427387904 would exceed 10485760 bytes", + expression: fmt.Sprintf(`"ab" * %d`, (math.MaxInt>>1)+1), + expectedError: fmt.Sprintf("result of repeating string (2 bytes) by %d would exceed 10485760 bytes", (math.MaxInt>>1)+1), }, } ++++++ _service ++++++ --- /var/tmp/diff_new_pack.g9qO99/_old 2026-05-26 16:35:09.086775848 +0200 +++ /var/tmp/diff_new_pack.g9qO99/_new 2026-05-26 16:35:09.090776013 +0200 @@ -1,5 +1,9 @@ <services> <service name="download_files" mode="manual"/> - <service name="go_modules" mode="manual"/> + <service name="go_modules" mode="manual"> + <param name="replace"> + golang.org/x/net=golang.org/x/[email protected] + </param> + </service> </services> ++++++ vendor.tar.gz ++++++ ++++ 19832 lines of diff (skipped) ++++++ yq-4.52.4.tar.gz -> yq-4.53.2.tar.gz ++++++ ++++ 4296 lines of diff (skipped)
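Review bot: The comment above the changed scenario in operator_multiply_test.go still says the product wraps "on 64-bit", but with `(math.MaxInt>>1)+1` the repeat count now follows the platform's int width, so the comment is stale; something like `// len * count can wrap to a negative or small value at the platform's int width, bypassing the check.` would match the new code. The same expression is also written out twice in the two `fmt.Sprintf` calls, and a named constant such as `const overflowRepeat = (math.MaxInt >> 1) + 1` declared next to the table would keep the expression and the expected error from drifting apart. The `multiplyOperatorScenarios` table begins outside this hunk.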
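Review bot: The `replace` parameter added to the `go_modules` service pins golang.org/x/net in the vendored tree independently of upstream's go.mod, and nothing in `_service` records why or when the pin can be dropped. An XML comment next to the param, for example `<!-- pin for CVE-2026-33814 (bsc#1266248); remove once upstream go.mod requires this version or newer -->`, would keep the override from holding the module back after a later yq update. The vendor.tar.gz diff is skipped on this page, so whether the regenerated vendor tree actually carries the pinned version has to be confirmed separately.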
