Package manager feeds
Combined feed from package-managers-opml. 222 items from 79 feeds, generated 2026-06-07T13:25:07Z.
Sun 7 Jun 2026
-
Renovate releases 43.214.4
43.214.4 (2026-06-07) Bug Fixes deps: update ghcr.io/renovatebot/base-image docker tag to v13.56.6 (main) ( #43853 ) ( 52d88af ) Documentation schema: link config options to docs ( #43613 ) ( def98d0 ) Miscellaneous Chores deps: update dependency lint-staged to v17.0.7 (main) ( #43852 ) ( 8a58267 ) deps: update ghcr.io/containerbase/devcontainer docker tag to v14.10.24 (main) ( #43849 ) ( 76a45a1 )
-
Renovate releases 43.214.3
43.214.3 (2026-06-07) Bug Fixes deps: update ghcr.io/renovatebot/base-image docker tag to v13.56.5 (main) ( #43851 ) ( 5d451e9 ) Miscellaneous Chores deps: update codecov/codecov-action action to v6.0.2 (main) ( #43848 ) ( 5df20fd ) deps: update containerbase/internal-tools action to v4.6.40 (main) ( #43846 ) ( afcc22e ) deps: update dependency lint-staged to v17.0.6 (main) ( #43843 ) ( 9ccca70 ) deps: update linters to v1.67.0 (main) ( #42416 ) ( 9245b57 )
-
Cabal releases cabal-head
No release body provided.
-
Pub releases SDK-3.13.0-180.0.dev
SDK 3.13.0-180.0.dev
-
Added (aqua) Support multiple custom registries via aqua.registries ; deprecates single-string aqua.registry_url ( #10179 by @risu729 ). (env) Decrypt SOPS-encrypted TOML env files ( .env.toml ) through rops ( #10201 by @risu729 ). (hooks) Add run_windows for Windows-specific inline hook commands ( #10202 by @risu729 ). (task) Render task_config.includes with the Tera config context and expand ~/ for local includes ( #10225 by @risu729 ). (task) Support standalone .toml task files via git:: dir…
Sat 6 Jun 2026
-
mise releases aqua-registry-v2026.6.1
Release aqua-registry 2026.6.1
-
mise releases vfox-v2026.6.1
Release vfox 2026.6.1
-
NuGet Client releases 7.9.0.17
Insert 7.9.0.17 into main on 06/06/2026 12:26:41
-
Renovate releases 43.214.2
43.214.2 (2026-06-06) Bug Fixes config/validation: validate children of arrays in global config ( #43836 ) ( 460fa82 ) types: allow global config to be set in repositories ( #43837 ) ( 0ba948c ) Tests config/validation: remove platformConfig test ( #43835 ) ( d0deb90 )
-
Pub releases SDK-3.13.0-179.0.dev
SDK 3.13.0-179.0.dev
-
Pub releases SDK-3.13.0-178.0.dev
SDK 3.13.0-178.0.dev
-
Pub releases SDK-3.13.0-177.0.dev
SDK 3.13.0-177.0.dev
Fri 5 Jun 2026
-
Renovate releases 43.214.1
43.214.1 (2026-06-05) Miscellaneous Chores deps: update dependency [email protected] to v8.5.0 (main) ( #43842 ) ( 37d5ec5 ) Build System deps: update dependency protobufjs to v8.5.0 (main) ( #43841 ) ( 3dabd1f )
-
NuGet Client releases 7.8.0.59
Insert 7.8.0.59 into rel/insiders on 06/05/2026 22:28:21
-
Renovate releases 43.214.0
43.214.0 (2026-06-05) Features manager/nuget: default rangeStrategy to bump ( #43820 ) ( 4f7eed4 ) Documentation manger/github-actions: reword "community actions" section ( #43829 ) ( 4bf6bd9 ) Tests workers/global: fix typo ( #43838 ) ( 8c6a8d8 )
-
Renovate releases 43.213.3
43.213.3 (2026-06-05) Bug Fixes conda/pypi: allow nullable strings ( #43834 ) ( 5835388 ) Tests config/validation: validate all warnings / errors ( #43832 ) ( 6e41173 ) datasource/pypi: cover null and missing home_page ( #43828 ) ( c3998a3 ), closes #43814 Continuous Integration don't cancel "stale" PR workflows ( #43830 ) ( 15e719b )
-
NuGet Client releases 7.9.0.15
Insert 7.9.0.15 into main on 06/05/2026 12:25:12
-
Renovate releases 43.213.2
43.213.2 (2026-06-05) Bug Fixes datasource/pypi: allow null home_page in PyPI JSON response ( #43814 ) ( 1c3a16c ) deps: update ghcr.io/renovatebot/base-image docker tag to v13.56.4 (main) ( #43824 ) ( 059d4fe ) Tests config/validation: explicitly check error/warning messages ( #43799 ) ( b0d84ad ) config: ensure no default options require migrating ( #43806 ) ( 7a87094 ), closes #43804
-
Renovate releases 43.213.1
43.213.1 (2026-06-05) Bug Fixes config: remove deprecated rebaseStalePrs from lockFileMaintenance default ( #43804 ) ( c91f9f3 )
-
Mamba releases 2.8.0
You can update micromamba to this version using: micromamba self-update Bug fixes: [libmamba] fix: Restore cross-channel expansion by @jjerphan in #4304 [libmamba, micromamba] JSON output api rewritten to avoid JSON flattening by @Klaim in #4284
-
Swift Package Manager releases swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-06-03-a
Tag build swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-06-03-a
-
Renovate releases 43.213.0
43.213.0 (2026-06-05) Features github-actions: add community actions ( #43821 ) ( 27a3f58 ) Documentation update pip-compile project URL ( #43816 ) ( e84d2db ) Miscellaneous Chores deps: update jdx/mise-action action to v4.1.0 (main) ( #43813 ) ( 95c42c8 ) Tests config/validation: remove untested bumpVersions code ( #39710 ) ( 981df6a )
-
pnpm releases pnpm 11.5.2
Patch Changes Peer dependency resolution now reuses the peer contexts already recorded in the lockfile when those providers are still present in the dependency graph and still satisfy the peer ranges. This avoids unnecessary peer-context rewrites during lockfile regeneration. Current manifest choices remain authoritative: a newly added, explicitly updated, or aliased direct provider, a changed nested provider, or a locked version that no longer satisfies the range still takes precedence. The lo…
-
Pub releases SDK-3.13.0-176.0.dev
SDK 3.13.0-176.0.dev
-
Pub releases SDK-3.13.0-175.0.dev
SDK 3.13.0-175.0.dev
-
Pub releases SDK-3.13.0-174.0.dev
SDK 3.13.0-174.0.dev
-
Pub releases SDK-3.13.0-173.0.dev
SDK 3.13.0-173.0.dev
-
Pub releases SDK-3.13.0-172.0.dev
SDK 3.13.0-172.0.dev
-
Pub releases SDK-3.13.0-171.0.dev
SDK 3.13.0-171.0.dev
-
winget releases Windows Package Manager 1.29.250
This is a release candidate of Windows Package Manager v1.29. If you find any bugs or problems, please help us out by filing an issue . New in v1.29 New Feature: Source Priority Note Experimental under sourcePriority ; defaulted to disabled. With this feature, one can assign a numerical priority to sources when added or later through the source edit command. Sources with higher priority are sorted first in the list of sources, which results in them getting put first in the results if other thin…
Thu 4 Jun 2026
-
Renovate releases 43.212.4
43.212.4 (2026-06-04) Bug Fixes config: clarify that bumpVersions.bumpType supports templating ( #43805 ) ( 83bba0e ) config: mark relevant options with patternMatch ( #43798 ) ( 309af5a ), closes #40805
-
Mamba releases 2.7.0
You can update micromamba to this version using: micromamba self-update Bug fixes: [libmamba] fix: Harden noarch:python entry point linking by @jjerphan in #4282 [libmamba] fix: Guard Root Packages' Expansion by @jjerphan in #4283 [micromamba, libmamba] fix: Adapt root packages expansion by @jjerphan in #4298 [micromamba, libmamba] fix: Populate python_site_packages_path independently from host by @jjerphan in #4288 [libmamba] Fallback to flat cache dir if missing hierarchical by @Hind-M in #42…
-
NuGet Client releases 7.9.0.11
Insert 7.9.0.11 into main on 06/04/2026 12:27:07
-
Packagist Blog Enforce a safe Composer version across your organization
This is the next post in our supply chain security series, following the supply chain security update , the Composer 2.10 release , closing Composer's download fallback paths , and blocking malware downloads for every Composer version . While the protections we have shipped try their best to cover older Composer
-
Swift Package Manager releases swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-06-02-a
Tag build swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-06-02-a
-
Composer releases 2.10.1
Security: Fixed shell escaping when opening an editor ( #12903 ) Security: Verify backup phar signature before restoring it when using self-update --rollback ( #12918 ) Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method ( #12888 ) Fixed source -> dist package updates wiping the .git dir without checking for local changes first ( #12912 ) Fixed GitHub token prompt happening multiple times on parallel auth failures ( #12913 ) Fixed warnings …
-
NuGet Client releases 7.8.0.58
Insert 7.8.0.58 into rel/insiders on 06/04/2026 07:41:43
-
pipx releases 1.14.0
What's Changed ci: declare workflow-level contents: read on 3 remaining workflows by @arpitjain099 in #1822 Fix inject option parsing with --force before dependencies by @bubaizhanshen in #1820 docs: fix self-managed ensurepath command by @EddieBSN in #1823 chore(ci): restrict OIDC token to publish job by @facutuesca in #1826 Add --no-path-check to skip the on-PATH check in pipx run by @findepi in #1825 Add zizmor workflow and address findings by @facutuesca in #1827 Fix release push auth with …
Wed 3 Jun 2026
-
uv releases 0.11.19
Release Notes Released on 2026-06-03. Python Add CPython 3.15.0b2 ( #19531 ) Enhancements Always compute SHA256 for remote distributions ( #19662 ) Add PyEmscripten platform (PEP 783) ( #19629 ) Add Pyodide 2025 target triple ( #19653 ) Preview features Make preview features for commands have names that aren't ambiguous with the command ( #19645 ) Respect --isolated in uv check ( #19666 ) Bug fixes Continue tool uninstall after dangling receipts ( #19623 ) Skip Unix-specific installation steps …
-
Docker Engine releases v29.5.3
29.5.3 For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: docker/cli, 29.5.3 milestone moby/moby, 29.5.3 milestone Bug fixes and enhancements Reduce docker system df errors when images are pruned at the same time with the containerd image store. moby/moby#52672 Packaging updates Update containerd (static binaries only) to v2.2.4 . moby/moby#52683 Update Go runtime to 1.26.4 . moby/moby#52753 , docker/cli#7025 Update RootlessKit to v3.0.1 . mob…
-
mise releases v2026.6.0: Corepack-managed npm and aqua Windows parity
A focused release that wires npm into Corepack when requested, brings aqua's Windows extension handling in line with upstream, and fixes task include ordering plus a Git Bash cygdrive regression. Added (npm) Ensure npm itself is managed by Corepack when node.corepack=true and node.npm_shim=false , so the Corepack-managed npm shim is enabled alongside yarn/pnpm ( #10196 by @roele ). (cli) New mise sponsors subcommand and a sponsor block on the docs site that lists sponsors fetched from en.dev/sp…
-
Docker Engine releases v2.0.0-beta.16
v2.0.0-beta.16
-
mise releases aqua-registry-v2026.6.0
Release aqua-registry 2026.6.0
-
mise releases vfox-v2026.6.0
Release vfox 2026.6.0
-
pixi releases 0.70.1 - 2026-06-03
Release Notes ✨ Highlights This release lays the foundation for repodata v3 support and adds a couple of important fixes: parallel pixi install now works reliably issues that came up with parallelized pixi global have been fixed Added Add --index option to specify PyPI index URL by @suleman1412 in #5575 Implement extras and flags support for pixi and pixi-build by @wolfv in #5998 Serialize concurrent environment installs and recover from interrupted ones by @baszalmstra in #6233 Changed Reinsta…
-
Deno releases v2.8.2
2.8.2 / 2026.06.03 feat(compile): improve --bundle dependency resolution and add --minify ( #34536 ) feat(compile): scope --bundle npm embed to packages actually reached ( #34532 ) feat(ext/crypto): add ChaCha20-Poly1305, SHAKE, cSHAKE, TurboSHAKE, SHA-3 HMAC ( #34417 ) feat(ext/crypto): add ML-DSA (FIPS 204) post-quantum signatures ( #34448 ) feat(ext/crypto): implement ML-KEM (FIPS 203) post-quantum KEM ( #34447 ) feat(ext/node): env/global proxy support for node:http and node:https ( #34257 …
-
Homebrew releases 5.1.15
What's Changed tests: Use full constant names sometimes (for Sorbet rule 5001 compat) by @issyl0 in #22415 Sorbet now understands our custom mktmpdir helper method by @issyl0 in #22414 test_runner_formula: treat versioned macOS deps as macOS-only by @ivan-digital in #22420 Check bundle formula link status by @MikeMcQuaid in #22412 Improve cleanup ask output by @MikeMcQuaid in #22416 Fix zsh nested subcommand option completion by @ZhongRuoyu in #22422 Fix cask upgrade env conflict by @MikeMcQuai…
-
NuGet Client releases 7.9.0.10
Insert 7.9.0.10 into main on 06/03/2026 12:25:20
-
Swift Package Manager releases swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-06-01-a
Tag build swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-06-01-a
-
RubyGems releases bundler-v4.0.13
Enhancements: Do not hard-code permissions for new gem directories during bundle install. Pull request #9557 by maxfelsher-cgi Clear gem specification cache after acquiring process lock. Pull request #9310 by ngan Show release date with bundle outdated. Pull request #9337 by hsbt Bug fixes: Apply cooldown to locally installed gem versions. Pull request #9582 by hsbt Security: Add cooldown to delay newly published gem. Pull request #9576 by hsbt
-
RubyGems releases v4.0.13
Enhancements: Prevent extraction from escaping destination_dir via pre-existing symlinks. Pull request #9493 by thesmartshadow Close stdin immediately when using popen2e. Pull request #9540 by rwstauner Fallback to copy symlinks on Windows. Pull request #9296 by larskanis Installs bundler 4.0.13 as a default gem.
-
RubyGems Blog 4.0.13 Released
RubyGems 4.0.13 includes enhancements and Bundler 4.0.13 includes enhancements, bug fixes and security. To update to the latest RubyGems you can run: gem update --system [--pre] To update to the latest Bundler you can run: gem install bundler [--pre] bundle update --bundler=4.0.13 RubyGems Release Notes Enhancements: Prevent extraction from escaping destination_dir via pre-existing symlinks. Pull request #9493 by thesmartshadow Close stdin immediately when using popen2e. Pull request #9540 by r…
-
Most supply-chain attacks against RubyGems exploit a narrow window: an account is compromised, a malicious version ships, and any bundle install in the minutes that follow resolves straight to it. Bundler 4.0.13 introduces cooldown , a time-based filter that refuses to resolve to a version until it has been public for at least N days. Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window. The feature was designed in the open , drawing on how o…
Tue 2 Jun 2026
-
Go releases [release-branch.go1.25] go1.25.11
Change-Id: I294bec3e2b7893fc24bcaf8755de77e1afb31fd1 Reviewed-on: https://go-review.googlesource.com/c/go/+/786221 Reviewed-by: David Chase [email protected] TryBot-Bypass: Gopher Robot [email protected] Auto-Submit: Gopher Robot [email protected] Reviewed-by: Mark Freeman [email protected]
-
Go releases [release-branch.go1.26] go1.26.4
Change-Id: I1c45ebded2d678b73081c6716a0fdd15a0b1824e Reviewed-on: https://go-review.googlesource.com/c/go/+/786201 TryBot-Bypass: Gopher Robot [email protected] Auto-Submit: Gopher Robot [email protected] Reviewed-by: Mark Freeman [email protected] Reviewed-by: David Chase [email protected]
-
This is the next post in our supply chain security series, following the supply chain security update , the Composer 2.10 release , and the recent post on closing Composer's download fallback paths . Composer 2.10's dependency policy framework is a substantial step forward for PHP supply
-
NuGet Client releases 7.9.0.2
Insert 7.9.0.2 into main on 06/02/2026 12:39:17
-
Swift Package Manager releases swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-05-31-a
Tag build swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-05-31-a
-
pixi releases pixi-build-cmake-v0.3.14
chore: bump backend versions ( #6254 )
-
pixi releases pixi-build-mojo-v0.1.14
chore: bump backend versions ( #6254 )
-
pixi releases pixi-build-python-v0.5.2
chore: bump backend versions ( #6254 )
-
pixi releases pixi-build-rattler-build-v0.3.13
chore: bump backend versions ( #6254 )
-
pixi releases pixi-build-ros-v0.5.0
chore: bump backend versions ( #6254 )
-
pixi releases pixi-build-rust-v0.4.11
chore: bump backend versions ( #6254 )
-
pnpm releases pnpm 11.5.1
Patch Changes Improve pnpm audit performance by pruning non-vulnerable lockfile subtrees and stopping path enumeration once vulnerable findings reach the path cap. Avoid crashing when the workspace state cache is partially written or malformed. Set npm_config_user_agent for root lifecycle scripts during headless installs. Preserve the integrity field of a remote (non-registry) tarball dependency when its lockfile entry is rebuilt. Re-resolving such a dependency without re-fetching it (for examp…
-
Yarn releases v4.16.0
What's Changed PnP: Include Node 22.22.3 in fstat workaround by @junjuny0227 in #7141 Implements yarn npm stage by @arcanis in #7147 fix: Stop using EBADF workaround for Node 24.16.0+ by @MJDSys in #7152 Bumps eslint-plugin-arca by @arcanis in #7163 Enables staged publishing by @arcanis in #7164 feat: Add editor SDK support for oxc (oxfmt & oxlint) by @slainless in #7078 docs: fix npmMinimalAgeGate default value. by @ryanfox1985 in #7125 New Contributors @junjuny0227 made their first contributi…
-
Yarn releases 2026-06-02
2026-06-02
-
Yarn releases @yarnpkg/eslint-config/3.1.1
@yarnpkg/eslint-config
-
Yarn releases @yarnpkg/plugin-npm-cli/4.5.0
@yarnpkg/plugin-npm-cli
-
Yarn releases @yarnpkg/plugin-pnp/4.1.7
@yarnpkg/plugin-pnp
-
Yarn releases @yarnpkg/pnp/4.1.7
@yarnpkg/pnp
-
Yarn releases @yarnpkg/sdks/3.3.0
@yarnpkg/sdks
-
Hatch releases Hatch v1.17.0
Changed: The hatch fmt command is now deprecated in favor of the new hatch check command group Migrate HTTP client from httpx to httpx2 Added: Add hatch check command group with subcommands for check code (linting), check fmt (formatting), and check types (type checking) Add hatch check types command for type checking using Pyrefly, with --summarize and --cover flags Add hatch env lock command to generate PEP 751 compliant lockfiles ( pylock.toml ) for environments Add hatch dep lock and hatch …
-
Hatch releases Hatchling v1.30.1
Fixed Default core metadata version kept at 2.4 until more tools support 2.5
-
If you want to financially support the development of Rust, please consider donating to the Rust Foundation Maintainers Fund. A few months ago, the Rust Foundation announced the Rust Foundation Maintainers Fund (RFMF). Since then, the Rust Project has been closely cooperating with the Rust Foundation to determine how exactly this fund will be used to support Rust maintainers. This resulted in the acceptance of RFC #3931 , which established the Funding team and the Maintainer in Residence progra…
Mon 1 Jun 2026
-
Conda releases 26.5.2
Bug fixes Validate Python entry point definitions before generating entry point scripts. ( #16168 ) Contributors @jaimergp Full Changelog : 26.5.1...26.5.2
-
uv releases 0.11.18
Release Notes Released on 2026-06-01. Performance Fix performance regression in unzip of local wheels ( #19637 ) Preview Add uv check to run ty from uv ( #19605 ) Bug fixes Update activation scripts with upstream fixes ( #19628 ) Other changes Bump MSRV to 1.94 ( #19600 ) Install uv 0.11.18 Install prebuilt binaries via shell script curl --proto ' =https ' --tlsv1.2 -LsSf https://releases.astral.sh/github/uv/releases/download/0.11.18/uv-installer.sh | sh Install prebuilt binaries via powershell…
-
vcpkg releases 2026-05-27 Release
What's Changed Accept libcurl.so as a provider of curl. by @podsvirov in #1984 Add arm64 CMake presets, delete MSI extraction. by @BillyONeal in #1995 Ignore HTTPS_PROXY and NO_PROXY if env variable is set to empty value by @TobiasFunk in #1988 x-add-version: Regenerate baseline on --all. by @BillyONeal in #2003 integrate install: Remove VS2015 integration. by @BillyONeal in #2011 Fix empty vs. unset environment variables on Windows. by @BillyONeal in #1997 Fix self-cascade bug in feature test …
-
Mamba releases 2.7.0.alpha0
You can update micromamba to this pre-release version using: micromamba self-update -c conda-forge/label/micromamba_prerelease "micromamba==2.7.0.alpha0" Bug fixes: [libmamba] fix: Harden noarch:python entry point linking by @jjerphan in #4282 [libmamba] fix: Guard Root Packages' Expansion by @jjerphan in #4283 [micromamba, libmamba] fix: Adapt root packages expansion by @jjerphan in #4298 [micromamba, libmamba] fix: Populate python_site_packages_path independently from host by @jjerphan in #42…
-
sbt releases 2.0.0-RC14
🐛 bug fixes fix: Fixes Scala Native artifact publishing by @anatoliykmetyuk in #9118 fix: Fix duplicate autoplugins packageBin mappings by @anatoliykmetyuk in #9255 perf: Parallelize dependency resolution when no progress bar is rendered by @BrianHotopp in #9270 fix: Report a missing input file clearly by @BrianHotopp in #9271 fix: Reimplement FarmHash without using sun.misc.Unsafe by @eed3si9n in #9267 + #9278 fix: Fixes backtick-quoted project handling by @xuwei-k in #9277 perf: Improve incre…
-
pixi releases 0.70.0 - 2026-06-01
Release Notes ✨ Highlights This release brings a lot of exciting features. Workspace dependencies We now allow to define workspace dependencies that allows to set package matchspecs that then can be inherited by package dependencies. This is how it looks like: [ workspace . dependencies ] numpy = " 1.* " boltons = { version = " >=24 " , channel = " conda-forge " } # Build packages [ package . build ] backend = { name = " foo-build " , workspace = true } [ package . host-dependencies ] cmake = {…
-
Dependabot Core releases v0.380.0
What's Changed bundler: avoid adding Bundler checksum for lockfiles using 4.0.0-4.0.10 by @thavaahariharangit in #15164 Remove beta ecosystem flag handling for Deno by @markhallen in #15173 [bun] Add lockfile generator for bun by @brrygrdn in #14882 Pass --config.minimumReleaseAge=0 for pnpm security updates to bypass pnpm-workspace.yaml by @yeikel in #15170 build(deps): bump terraform to 1.15.3 by @HorizonNet in #15055 Change cron schedule from Thursday to Monday by @robaiken in #15181 Add spe…
-
Swift Package Manager releases swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-05-30-a
Tag build swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-05-30-a
-
pub.dev releases 20260601t084200-all
Deployment at 2026-06-01T08:42:29.038167Z.
-
This is the next post in our supply chain security series, following the supply chain security update and the Composer 2.10 release . Each post in this series covers a specific Composer behavior worth understanding, and a Private Packagist feature we are introducing on top of it. Today: How Composer&
-
Hatch releases hatchling-v1.30.0
Fix draft release uploads. ( #2293 )
Sun 31 May 2026
-
sbt releases v2.0.0-RC13-1
2.0.0-RC13-1
-
mise releases v2026.5.17: Custom aqua registry cache and Windows fixes
A catch-up release for the tag that shipped the compiled custom aqua registry cache, several Windows task/shim fixes, and a handful of backend install improvements. This release is backfilled without binary assets; use v2026.5.18 or newer for downloadable artifacts. Added (aqua) Add a compiled custom registry cache to speed up aqua registry lookups and reduce repeated parsing work ( #9583 by @jdx ). Fixed (upgrade) Handle a lone v prefix in --bump latest queries ( #10130 by @jdx ). (env) Force …
-
mise releases v2026.5.18: Hook script arrays and lock-identity fixes
A focused release that teaches hooks to accept script arrays, ships an npm install -g mise package, and tightens lock identity across several backends so mise.lock entries can no longer be reused for option combinations that resolve to a different artifact set. Added (config) Hooks now accept script / scripts arrays for current-shell hooks ( #9836 by @risu729 ): [ hooks . enter ] shell = " bash " script = [ " source completions.sh " , " export PROJECT_READY=1 " , ] Note that run is still string…
-
mise releases vfox-v2026.5.17
Release vfox 2026.5.17
-
pip releases 26.1.2
Release 26.1.2
-
mise releases vfox-v2026.5.16
Release vfox 2026.5.16
-
Swift Package Manager releases swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-05-29-a
Tag build swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-05-29-a
Sat 30 May 2026
-
Stack releases rc/v3.11.0.1 (release candidate)
Changes since v3.9.3: Major changes: On 64-bit Windows, the default msys-environment configuration option is now CLANG64 , rather than MINGW64 (which remains an option). The MSYS2 project deprecated the latter environment on 15 March 2026. The GHC project has used the former toolchain from GHC 9.4.1. No default is provided for 32-bit Windows, rather than MINGW32 (which remains an option). The MSYS2 project ceased to actively support it on 17 May 2020. 32-bit Windows is not supported by the GHC …
-
Cargo releases 0.97.1
0.97.1 release
-
Swift Package Manager releases swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-05-28-a
Tag build swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-05-28-a
-
NixOS Blog NixOS 26.05 released
Hey everyone, we are yayayayaka and jopejoe1 , the release managers of the newest release of NixOS. We are very proud to announce the public availability of NixOS 26.05 "Yarara". NixOS is a Linux distribution. Its underlying package repository Nixpkgs can also be used on other Linux systems and macOS with the Nix package manager. This release will receive bugfixes and security updates for seven months (up until 2026-12-31). The old release 25.11 "Xantusia" is now officially deprecated and will …
-
pipx releases 1.13.0
What's Changed Add shared libs auto-upgrade opt-out by @Herrtian in #1809 Fix app script shebang isolation by @sjh9714 in #1819 Update deprecation message in get-pipx.py; obsoleted, not deprecated by @Spitfire1900 in #1813 docs: clarify runpip cache warnings by @Sean-Kenneth-Doherty in #1815 Refresh legacy standalone Python index cache by @Sean-Kenneth-Doherty in #1814 New Contributors @sjh9714 made their first contribution in #1819 @Sean-Kenneth-Doherty made their first contribution in #1815 F…
Fri 29 May 2026
-
winget releases Windows Package Manager 1.29.240
This is a release candidate of Windows Package Manager v1.29. If you find any bugs or problems, please help us out by filing an issue . Note: This version is not fully localized yet. Localized strings will be included in a future build before stable release. New in v1.29 New Feature: Source Priority Note Experimental under sourcePriority ; defaulted to disabled. With this feature, one can assign a numerical priority to sources when added or later through the source edit command. Sources with hi…
-
NuGet.Server releases NuGet.Server 3.4.3
What's Changed Fixed a denial-of-service vulnerability (CWE-696/CWE-400) where unauthenticated callers could exhaust server resources via the package upload endpoint by moving API key validation before expensive file I/O and package processing. Full Changelog : 3.4.2...3.4.3
-
pnpm releases pnpm 11.5
Minor Changes Added a new hoistingLimits setting for nodeLinker: hoisted installs, mirroring yarn's nmHoistingLimits . It accepts none (the default — hoist as far as possible), workspaces (hoist only as far as each workspace package), or dependencies (hoist only up to each workspace package's direct dependencies). Originally proposed in #6468 , closing #6457 . Replaced enquirer with @inquirer/prompts for all interactive prompts. Fixes the update -i scrolling overflow bug where long choice lists…
-
Snapd releases 2.76
tagging package snapd version 2.76
-
Swift Package Manager releases swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-05-26-a
Tag build swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-05-26-a
-
pnpm Blog pnpm 11.5
pnpm 11.5 adds a hoistingLimits setting for controlling how far dependencies hoist in nodeLinker: hoisted installs, replaces the interactive prompt library to fix scrolling in long choice lists, recognizes staged publishes in the trust scale, and ships several install and dist-tag fixes.
Thu 28 May 2026
-
uv releases 0.11.17
Release Notes Released on 2026-05-28. Enhancements Add a diagnostic for uv add with standard library modules ( #19572 ) Expose uv workspace and its list subcommand in help output ( #19533 ) Improve the "403 forbidden" hint to suggest ignore-error-codes when applicable ( #19521 ) Skip direct URL lock freshness checks while offline ( #19596 ) Add import-names and import-namespaces support to uv-build ( PEP 794 ) ( #19380 ) Add a --no-editable-package flag to various commands ( #19584 ) Infer Pyth…
-
Cargo releases 0.97.0
0.97.0 release
-
Dependabot Core releases v0.379.0
What's Changed Fix duplicate updated dependencies in multi-directory group refresh by @markhallen in #15098 Recategorise lockfile generation errors as known types by @brrygrdn in #15084 [Graph Job] Do not treat Dependabot::UnexpectedExternalCode as a hard failure by @brrygrdn in #15075 [Graph] Fix handling of multiple version resolution by @brrygrdn in #15099 Bun: Upgrade to Node JS 24 by @yeikel in #14964 Add API integration to fetch blocked versions at job construction by @kbukum1 in #14917 F…
-
Conan releases 2.29.0 (28-May-2026)
Feature: Limited support for python_requires in workspace, only in conanws.yml file. ( #20028 ). Docs: 📃 Feature: Added new public attribute binaries to the MesonToolchain generator. ( #20017 ) Feature: Add support for Apple OS 26.5 release. ( #19976 ) Feature: Document RemoveAPI . ( #19930 ) Feature: New global_user.conf file to locally customize global.conf . ( #19923 ). Docs: 📃 Feature: Add support for GCC 16. ( #19921 ) Fix: Forward -vxxx verbosity argument to conan workspace build/install …
-
Chocolatey releases 2.7.0
As part of this release we had 11 issues closed. Dependency Change Update bundled 7zip executables to v26.00. See #3857 by AdmiringWorm , resolved in !3858 by AdmiringWorm . Enhancements Capture the source that was being used when searching for packages. See #3849 by gep13 , resolved in !3850 by gep13 . Bug Fix Chocolatey does not handle passwords with non ASCII characters when interacting with authenticating sources See #3600 by pfremy , resolved in !3762 by AdmiringWorm . Contributors 2 contr…
-
Gradle releases 9.6.0 RC1
The Gradle team is excited to announce Gradle 9.6.0 RC1. Here are the highlights of this release: Improved Configuration Cache hit rates Additional CLI rendering options Important project hierarchy lookup deprecations Read the Release Notes We would like to thank the following community members for their contributions to this release of Gradle: Aharnish Solanki , Benedikt Johannes , Devendra Reddy Pennabadi , Dmytro Rodionov , Dreeam , Elías Hernández Rodríguez , Eng Zer Jun , FinlayRJW , Kamal…
-
Swift Package Manager releases swift-DEVELOPMENT-SNAPSHOT-2026-05-27-a
Tag build swift-DEVELOPMENT-SNAPSHOT-2026-05-27-a
-
pub.dev releases 20260528t110400-all
Deployment at 2026-05-28T11:04:47.905202Z.
-
Composer releases 2.10.0
Read the Composer 2.10 Release Announcement for more details on the release highlights. Full Changelog BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 ( #12885 ) BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the aud…
-
Packagist Blog Composer 2.10 Release
We are excited to announce the release of Composer 2.10.0 , introducing native malware filtering and consolidated future-proof customizable dependency policy configuration to control the handling of security advisories, abandoned packages, and now malware. Fast detection of malware for packages published on Packagist.org is provided by Aikido . This
-
pub.dev releases 20260528t104000-all
Deployment at 2026-05-28T10:40:52.185885Z.
-
pub.dev releases 20260528t103900-all
Deployment at 2026-05-28T10:39:17.154788Z.
-
Rust Blog Announcing Rust 1.96.0
The Rust team is happy to announce a new version of Rust, 1.96.0. Rust is a programming language empowering everyone to build reliable and efficient software. If you have a previous version of Rust installed via rustup , you can get 1.96.0 with: $ rustup update stable If you don't have it already, you can get rustup from the appropriate page on our website, and check out the detailed release notes for 1.96.0 . If you'd like to help us out by testing future releases, you might consider updating …
Wed 27 May 2026
-
pnpm releases pnpm 10.34.1
Patch Changes Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity: ) and serve modified content at the referenced tarball URL could install a tampered package without any error — including u…
-
npm CLI releases libnpmversion: v8.0.4
8.0.4 (2026-05-27) Documentation c5e9d73 #9390 Document npm_old_version and npm_new_version environment variables ( #9389 ) (@github-actions[bot], @36degrees ) Chores 40fcab4 #8991 @npmcli/[email protected] ( @wraithgar )
-
npm CLI releases libnpmpack: v9.1.9
Dependencies workspace : @npmcli/[email protected]
-
npm CLI releases libnpmfund: v7.0.23
Dependencies workspace : @npmcli/[email protected]
-
npm CLI releases libnpmexec: v10.2.9
10.2.9 (2026-05-27) Bug Fixes 5000cbf #9409 exempt local project introspection from allow-directory ( @owlstronaut ) Dependencies workspace : @npmcli/[email protected]
-
npm CLI releases libnpmdiff: v8.1.9
Dependencies workspace : @npmcli/[email protected]
-
npm CLI releases config: v10.10.0
10.10.0 (2026-05-27) Features 4b67f6e #9416 publish --access=private alias for restricted ( #9416 ) (@github-actions[bot], @reggi , @Copilot) a10c7ca #9415 Phase 1 of allowScripts opt-in install-script policy ( #9360 ) ( #9415 ) ( @owlstronaut , @JamieMagee )
-
npm CLI releases arborist: v9.7.0
9.7.0 (2026-05-27) Features a10c7ca #9415 Phase 1 of allowScripts opt-in install-script policy ( #9360 ) ( #9415 ) ( @owlstronaut , @JamieMagee ) Bug Fixes d8a7803 #9418 arborist: drop self-link materialization for undeclared workspaces ( #9418 ) (@github-actions[bot], @manzoorwanijk ) 4d141a0 #9417 skip hidden lockfile save on dry run ( #9417 ) (@github-actions[bot], @puneetdixit200 , @puneetdixit200 )
-
npm CLI releases v11.16.0
11.16.0 (2026-05-27) Features 4b67f6e #9416 publish --access=private alias for restricted ( #9416 ) (@github-actions[bot], @reggi , @Copilot) a10c7ca #9415 Phase 1 of allowScripts opt-in install-script policy ( #9360 ) ( #9415 ) ( @owlstronaut , @JamieMagee ) Bug Fixes 1f7869b #9411 fix typo of fullMetadata ( @owlstronaut ) cde03ba #9390 config: pause progress spinner during interactive editor spawn ( #9388 ) (@github-actions[bot], @Zelys-DFKH , @claude ) Documentation c5e9d73 #9390 Document np…
-
Packagist Blog An update on Composer & Packagist supply chain security
The last months, and even more so the last weeks, saw an increasing amount of software supply chain attacks targeting open-source ecosystems. A handful of these have hit the PHP ecosystem too, via taken-over GitHub accounts and stolen access tokens that let attackers publish new tags on packages they had
-
pnpm releases pnpm 10.34
Minor Changes Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY , silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile. pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a h…
-
pnpm releases pnpm 11.4
Minor Changes Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY , silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile. pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a h…
-
Deno releases v2.8.1
2.8.1 / 2026.05.27 Revert "fix(ext/node): polyfill module.enableCompileCache and companions" ( #34190 ) ( #34348 ) feat(bundle): support browser field map in package.json ( #34407 ) fix(bundle): read package.json sideEffects field ( #34406 ) fix(cli): clearer error when importing .node addon via ESM ( #34361 ) fix(config): don't panic when --config path can't be converted to URL ( #34351 ) fix(core): allow host objects to round-trip through core.deserialize ( #34380 ) fix(core): keep lazy_loade…
-
NuGet Client releases 7.8.0.45
Insert 7.8.0.45 into main on 05/27/2026 12:24:24
-
Chocolatey releases 2.7.3-beta-20260527
2.7.3-beta-20260527
-
pnpm Blog pnpm 11.4
pnpm 11.4 closes a cluster of supply-chain holes around lockfile integrity, credential scoping, git resolutions, patch files, and dependency aliases, makes tarball-integrity mismatches a hard install failure by default (with a narrowly-scoped --update-checksums opt-in), and changes pnpm runtime set to write to devEngines.runtime instead of engines.runtime by default.
Tue 26 May 2026
-
Conda releases 26.5.1
Bug fixes Fix channel notices display failing with ImportError when a decorated command replaces base python while conda is still running on the previous interpreter. Pre-import conda.notices.views before the command so post-command display does not load modules from rewritten site-packages . ( #16126 via #16142 ) Fix crash in UnavailableInvalidChannel and CondaHTTPError when simplejson is installed and a non-JSON HTTP error response is received. ( #16136 ) Contributors @jezdez @kenodegard Full…
-
Swift Package Manager releases swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-05-24-a
Tag build swift-6.4.x-DEVELOPMENT-SNAPSHOT-2026-05-24-a
Mon 25 May 2026
-
Verdaccio releases v6.7.2
Patch Changes a89aca1 : chore: fix unit test a28cf71 : chore: add missing types #5889 by @mbtools
-
Snapd releases 2.75.2.2
hotfix for tpm/fde
-
Homebrew releases 5.1.14
What's Changed Show quarantine script usage by @MikeMcQuaid in #22375 Ignore flaky VirusTotal docs link by @MikeMcQuaid in #22374 api: fix every formula having a post install defined by @Bo98 in #22378 Fix dynamic completion audit crash by @MikeMcQuaid in #22380 build(deps): bump the bundler group across 2 directories with 13 updates by @dependabot [bot] in #22381 build(deps): bump the github-actions group across 1 directory with 2 updates by @dependabot [bot] in #22382 workflows/incomplete-prs…
-
Gradle releases v9.6.0-M3
Fix close-linked-issue workflow by pinning gha-mjolnir to v1.5.0 ( #37 …
-
The Rust Security Response Team was notified that Cargo incorrectly normalized the URLs of third-party registries using the sparse index protocol . If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. This vulnerability is tracked as CVE-2026-5222. The severity of the vulnerability is low , due to the extremely niche requireme…
-
The Rust Security Response Team was notified that Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. This vulnerability is tracked as CVE-2026-5223. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io are not affected , as crates.io forbids uploading crates containing any symlink. Overview When building a…
Sun 24 May 2026
-
pnpm releases pnpm 11.3
See full v11.0.0 changelog Migration guide: Migrating from v10 to v11 Minor Changes Added pnpm stage with publish , list , view , approve , reject , and download subcommands for npm staged publishing. Added a new setting trustLockfile . When true , pnpm install skips the supply-chain verification pass that re-applies minimumReleaseAge / trustPolicy='no-downgrade' to every entry in the loaded lockfile. The install treats the lockfile as already-trusted — useful for closed-source projects where e…
-
pnpm Blog pnpm 11.3
pnpm 11.3 adds support for npm's staged publishing (pnpm stage), the new trustLockfile setting for skipping the supply-chain verification pass on already-trusted lockfiles, and native implementations of pnpm pkg, pnpm repo, and pnpm set-script. It also adds a --skip-manifest-obfuscation flag for pack / publish and cuts the memory footprint of minimumReleaseAge / trustPolicy verification on large workspaces.
Fri 22 May 2026
-
NuGet Client releases 7.8.0.40
Insert 7.8.0.40 into main on 05/22/2026 12:34:38
-
Deno releases v2.8.0
2.8.0 / 2026.05.22 Read more: http://deno.com/blog/v2.8 feat: accept deno audit fix as alias for deno audit --fix ( #34273 ) feat: add --watch flag to deno check ( #34224 ) feat: add deno bump-version subcommand ( #30562 ) feat: add deno why subcommand ( #32908 ) feat: support workspaces in deno bump-version ( #33689 ) feat(add/install): default to npm registry for unprefixed packages ( #33246 ) feat(compile): add progress bar for deno compile ( #33874 ) feat(compile): support module.registerHo…
Thu 21 May 2026
-
uv releases 0.11.16
Release Notes Released on 2026-05-21. Enhancements Add support for direct archive dependencies in Git ( #10072 ) Adjust hint rendering ( #18090 ) Preview features uv audit: specialize malformed OSV error ( #19515 ) Reject locked malware installations ( #18936 ) Configuration Allow disabling reading the system config with UV_NO_SYSTEM_CONFIG ( #19476 ) Bug fixes Allow environment variables that take a list to be empty ( #19503 ) Ensure that incompatible wheel hints do not leak secrets ( #19504 )…
-
Homebrew releases 5.1.13
What's Changed info: mark deprecated/disabled pkg in install status by @HaraldNordgren in #22334 gitignore: ignore test/.npm/ by @HaraldNordgren in #22337 info, tap-info: skip uninstalled marker and bold when not a problem (align with search) by @HaraldNordgren in #22342 Remove obsolete --skip-update from command-not-found handlers by @rexmhall09 in #22340 Check RubyGems licences by @MikeMcQuaid in #22343 cask: include resolved artifact targets in JSON output by @carlocab in #22346 Move the 'ws…
-
pnpm releases pnpm 11.2.2
See full v11.0.0 changelog Migration guide: Migrating from v10 to v11 Minor Changes Experimental: Adding @pnpm/pacquet (the Rust port of pnpm) to configDependencies in pnpm-workspace.yaml now delegates the materialization phase of pnpm install to the pacquet binary. pnpm still owns dependency resolution; pacquet only fetches and imports from the freshly-written lockfile. This is an opt-in preview of the Rust install engine #11723 . To configure pacquet in a project, run: pnpm add @pnpm/pacquet …
-
NuGet Client releases 7.8.0.39
Insert 7.8.0.39 into main on 05/21/2026 12:25:52
-
pixi releases pixi-build-rust-v0.4.10
chore: bump backend versions ( #6173 )
-
pixi releases 0.69.0 - 2026-05-20
Release Notes ✨ Highlights Pixi now supports easy authentication to prefix.dev, just like GitHub CLI you can run: pixi auth login prefix.dev And it will take you to the login page of prefix.dev. Next to that publishing a package became much easier with --variant , --build-number and more. Added Support build-string-prefix and build-number in [package-build] by @hunger in #6051 Centralize default compiler variants and add CUDA support by @wolfv in #6108 Support build backend secrets by @wolfv in…
-
Dependabot Core releases v0.378.0
What's Changed fix(opentofu): strip v prefix in cooldown version comparison by @diofeher in #15044 Use POM last-modified as Gradle plugin release date fallback by @thavaahariharangit in #15006 Add blocked versions support to updater job by @kbukum1 in #14915 Add blocked versions support to dry-run script by @kbukum1 in #14916 Strip surrounding quotes from go.env values before writing by @yeikel in #15060 Require dependabot-deno in updater setup by @markhallen in #15064 fix(docker): use manifest…
-
PDM releases v2.27.0
Breaking Changes Update the minimum required Python version to 3.10. ( #3787 ) Features & Improvements Respect existing values of pyproject.toml when running pdm init or pdm new . ( #3786 ) Move project plugin installations from .pdm-plugins under the project root to an isolated cache directory, and add a fixer to migrate existing plugin directories. ( #3790 ) Remove legacy importlib compatibility wrappers and use standard-library importlib.metadata and importlib.resources APIs directly. ( #379…
-
Go Blog Introducing the pkg.go.dev API
Introducing the new programmatic API for pkg.go.dev, allowing developers to fetch package and module data directly.
Wed 20 May 2026
-
npm CLI releases v12.0.0-pre.0.0
12.0.0-pre.0.0 (2026-05-20) ⚠️ BREAKING CHANGES npm view --json now always returns an array. npm sbom --sbom-format=cyclonedx now reports the name field from each package's package.json instead of the on-disk directory name. The name , bom-ref , and purl of the root component and of aliased dependencies may change. npm no longer registers man pages with the system when installed globally. man npm-install will no longer work, but npm help install is unaffected. The npm pkg output is no longer fo…
-
npm CLI releases v12.0.0-pre.0
chore: release 12.0.0-pre.0.0
-
Docker Engine releases v29.5.2
29.5.2 For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: docker/cli, 29.5.2 milestone moby/moby, 29.5.2 milestone Bug fixes and enhancements Fix docker cp failing with "mkdirat: file exists" when a container has a bind mount whose target traverses an in-container symlink (e.g. /var/run -> /run ). moby/moby#52655
-
Docker Engine releases v2.0.0-beta.15
v2.0.0-beta.15
-
pnpm releases pnpm 11.2.1
Minor Changes Experimental: Adding @pnpm/pacquet (the Rust port of pnpm) to configDependencies in pnpm-workspace.yaml now delegates the materialization phase of pnpm install to the pacquet binary. pnpm still owns dependency resolution; pacquet only fetches and imports from the freshly-written lockfile. This is an opt-in preview of the Rust install engine #11723 . To configure pacquet in a project, run: pnpm add @pnpm/pacquet --config You'll see changes in pnpm-workspace.yaml and pnpm-lock.yaml …
-
Composer releases 2.10.0-RC2
Composer 2.10 is ready for a release, and we need your help to test it and report any regression. Please try it out! Running composer self-update --preview will get you the 2.10.0-RC2 Running composer self-update --stable will get you back on the latest 2.9 stable release if anything broke. Report any issues you encounter as a new issue specifying you tried the 2.10 RC and please include stack traces & repro details. Full Changelog Since 2.10.0-RC1, fixes in 2.9.6 - 2.9.8, many of which securit…
-
pnpm releases pnpm 11.2
See full v11.0.0 changelog Migration guide: Migrating from v10 to v11 Minor Changes Experimental: Adding @pnpm/pacquet (the Rust port of pnpm) to configDependencies in pnpm-workspace.yaml now delegates the materialization phase of pnpm install to the pacquet binary. pnpm still owns dependency resolution; pacquet only fetches and imports from the freshly-written lockfile. This is an opt-in preview of the Rust install engine #11723 . To configure pacquet in a project, run: pnpm add @pnpm/pacquet …
-
RubyGems releases bundler-v4.0.12
Enhancements: Make bundle config get return status 1 when the value is not set. Pull request #9505 by willnet Use Pathname#absolute?. Pull request #9529 by nobu Deprecate parsing non-lockfile content in LockfileParser. Pull request #9502 by kurotaky Print a warning for a potential confusion from the indirect dependencies. Pull request #5029 by junaruga Respect Gemfile bundler setting in Bundler.setup . Pull request #4892 by godfat Bug fixes: Gracefully handle missing checksums in Compact Index.…
-
RubyGems releases v4.0.12
Enhancements: Remove cygwin from WIN_PATTERNS. Pull request #9527 by fd00 Installs bundler 4.0.12 as a default gem. Bug fixes: Fall back to lockfile version when BUNDLE_VERSION is "lockfile". Pull request #9545 by hsbt Read BUNDLE_VERSION env var in BundlerVersionFinder . Pull request #9538 by hsbt
-
Conda Blog May 2026 Releases
May releases of conda and conda-build are out—native lockfiles, a snappier CLI, v1 recipe builds improvements and conda-pypi. 🎉
-
RubyGems Blog 4.0.12 Released
RubyGems 4.0.12 includes enhancements and bug fixes and Bundler 4.0.12 includes enhancements and bug fixes. To update to the latest RubyGems you can run: gem update --system [--pre] To update to the latest Bundler you can run: gem install bundler [--pre] bundle update --bundler=4.0.12 RubyGems Release Notes Enhancements: Remove cygwin from WIN_PATTERNS. Pull request #9527 by fd00 Installs bundler 4.0.12 as a default gem. Bug fixes: Fall back to lockfile version when BUNDLE_VERSION is “lockfile”…
-
pnpm Blog pnpm 11.2
pnpm 11.2 ships an experimental opt-in into pacquet (the Rust port of pnpm) as the install backend, expands config dependencies to install one level of optionalDependencies (so the esbuild/swc platform-binary pattern works for config deps too), wires up the long-documented pnpm login --scope flag, and surfaces runtime entries (Node.js, Deno, Bun) in pnpm outdated and pnpm update --interactive.
Tue 19 May 2026
-
Yarn releases 2026-05-19
2026-05-19
-
Yarn releases @yarnpkg/plugin-pnpm/2.2.0
@yarnpkg/plugin-pnpm
-
Yarn releases @yarnpkg/pnp/4.1.6
@yarnpkg/pnp
-
Mamba releases 2.6.2
Bug fixes: [libmamba] fix: Use zlib<1.3.2 for static builds by @jjerphan in #4281 [libmamba] fix: Set environment variables for use_sharded_repodata by @jjerphan in #4279 CI fixes and doc: [all] ci: Use micromamba 2.6.0 by @jjerphan in #4280
-
pub.dev releases 20260519t092000-all
Deployment at 2026-05-19T09:20:44.409819Z.
Mon 18 May 2026
-
uv releases 0.11.15
Release Notes Released on 2026-05-18. Security Fix a TAR parser differential, see GHSA-3cv2-h65g-fgmm ( #19463 ) Enforce that entry points cannot escape in the scripts directory, see GHSA-4gg8-gxpx-9rph ( #19464 ) Enhancements Add TOML v1.1 -> v1.0 backwards compatibility for source distributions ( #18741 ) Add support for Azure request signing ( #19421 ) Apply stricter validation to all wheel filename segments ( #19364 ) Reject empty strings as an invalid package name ( #19435 ) Use structured…
-
Docker Engine releases v29.5.1
29.5.1 For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: docker/cli, 29.5.1 milestone moby/moby, 29.5.1 milestone Security This release includes fixes for multiple security vulnerabilities affecting Docker Engine. CVE-2026-41567 Fix a vulnerability in docker cp where archive decompression binaries (e.g. xz , unpigz ) were resolved via PATH inside the container filesystem while running as host root, allowing a malicious container to execute ar…
-
Docker Engine releases v2.0.0-beta.14
v2.0.0-beta.14
-
Package pruning in .NET 10 removes platform-provided packages from your dependency graph. With transitive auditing enabled by default, projects with these defaults have 70% fewer transitive vulnerability reports compared to projects using the previous defaults. The post NuGet Package Pruning: Cleaner Dependencies and Actionable Vulnerability Reports appeared first on .NET Blog .
-
Homebrew releases 5.1.12
What's Changed info: resolve installed formulae from receipt's tap and warn on shadow by @HaraldNordgren in #22224 info: resolve aliased deps when checking installed status by @HaraldNordgren in #22228 audit: don't check livecheck throttle days offline by @bevanjkay in #22233 Add brew exec command by @MikeMcQuaid in #22222 Annotate test-bot dependency impact by @MikeMcQuaid in #22221 Omit platform for all bottles by @MikeMcQuaid in #22227 test/cask: speed up missing source test by @bevanjkay in…
-
Packagist Blog What's new in Private Packagist, May 2026 Update
Over the past three months, we've shipped updates focused on security, integrations with code hosting platforms, and usability improvements throughout Private Packagist. Here's a rundown of the most notable changes. Support for malware filter lists We've added support for malware filter lists to help
-
Docker Engine releases v29.5.0
29.5.0 For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: docker/cli, 29.5.0 milestone moby/moby, 29.5.0 milestone Note Rootless: gvisor-tap-vsock is now the new default rootless network driver and should be preferred over slirp4netns which is no longer installed via Docker packaging. New Rootless: Add new default gvisor-tap-vsock network driver. moby/moby#52319 Enable private time namespace for containers by default on supported kernels. moby…
-
sbt releases 2.0.0-RC13
Execution log sbt 2.0.0 adds experimental execution log feature to debug caching issues. The execution log can be enabled with sbt.experimental_execution_log system property has either true or a file path: $ sbt --server -Dsbt.experimental_execution_log=true compile This will generate an execution log file in target/global-logging/exec-log****.log : { "input" : { "digest" : " sha256-a50da1cd086987bc273861a815da4e90ba4735d4a21b965e861e583382a985d6/48 " , "codeContentHash" : " murmur3-00000000000…
-
The 2025H2 Project Goal period has now concluded. Over these months, the Rust Project pursued 41 Project Goals , 13 of which were designated as Flagship Goals . This post contains curated updates on our progress since the last post and the final status for each of the goals (many of which continue as part of the 2026 period). Full details for any particular goal are available in its tracking issue . Thanks to everyone who contributed! <3 Table of contents Flagship: Beyond the & Continue Experim…
Sun 17 May 2026
-
APT releases 3.3.1
apt Debian release 3.3.1
-
Maven releases 3.9.16
🐛 Bug Fixes Trim threadConfiguration to accept input surrounded with spaces ( #12042 ) @slawekjaranowski Backport: Maven 3.10.x fixed plugin resolution ( #12022 ) @cstamas 📦 Dependency updates Bump org.codehaus.plexus:plexus-classworlds from 2.9.0 to 2.11.0 ( #12039 ) @ dependabot[bot] [3.9.x] Bump to parent POM 48 ( #12024 ) @cstamas Bump commons-io:commons-io from 2.21.0 to 2.22.0 ( #11980 ) @ dependabot[bot] Bump com.google.guava:guava from 33.5.0-jre to 33.6.0-jre ( #11951 ) @ dependabot[bo…
Sat 16 May 2026
-
Verdaccio releases v6.7.1
Patch Changes a75f9bb : chore: refactor docker publish pipeline
-
Verdaccio releases v6.7.0
⚠️ not available in docker (due pipeline issue) Minor Changes 9f1bcc5 : feat: update Node.js to 24 Bumps the project's Node.js baseline to 24 across runtime and container, and adds a startup warning for users still on an older (but supported) Node. Node 24 bump : .nvmrc 22 → 24 ; Dockerfile base image node:22.22.1-alpine → node:24.15.0-alpine (builder + runtime). Soft-deprecation warning : new RECOMMENDED_NODE_VERSION = '22' and isVersionRecommended() in src/lib/cli/utils.ts ; the init command …
Fri 15 May 2026
-
Dependabot Core releases v0.377.0
What's Changed Implement sbt metadata finder by @AbhishekBhaskar in #15011 Bump NuGet.Client to release/7.6.x and pin dotnet-core to v10.0.8 by @JamieMagee in #14995 feat(opentofu): resolve locals references in module version constraints by @diofeher in #15009 simplify line indent detection by @brettfo in #14980 Fix flaky test: use unique git.store path to avoid parallel race condition by @brettfo in #14944 Update OpenTelemetry packages to 1.15.3 by @brettfo in #15029 Add SBT ecosystem to CI, D…
-
Conda releases 26.5.0
26.5.0 (2026-05-15) Enhancements Add parsing and storage support for conditional dependencies, optional dependency groups, and variant flags in MatchSpec expressions (introduced in conda/ceps#164 , conda/ceps#165 , and conda/ceps#166 ). ( #15443 ) Add --clobber flag to conda create , matching existing support in conda install and conda update . ( #15584 via #15801 ) Display a Warning when exporting lockfiles from environments containing packages installed with pip, uv, or other 3rd party Python…
Thu 14 May 2026
-
Dependabot Core releases v0.376.0
What's Changed Julia: filter yanked versions from get_available_versions by @IanButterworth in #14939 Add blob_oid metadata to manifests in dependency snapshots by @juxtin in #14857 Fix Maven released? check for non-jar packaging types (e.g., aar) by @kbukum1 in #14886 (Python): Move Pip file filtering to grapher by @Copilot in #14856 detect central package version scheme by @brettfo in #14927 allow insecure feeds if explicitly requested by @brettfo in #14891 don't warn on deprecated framework …
-
Verdaccio releases v6.6.2
6.6.2 Patch Changes 7f7bbde : chore: bump up package test (testing publish provenance )
-
Helm releases Helm v3.21.0
Helm v3.21.0 is a feature release. Users are encouraged to upgrade for the best experience. Warning Helm v3 is approaching end-of-life. Please update to Helm v4. The community keeps growing, and we'd love to see you there! Join the discussion in Kubernetes Slack : for questions and just to hang out for discussing PRs, code, and bugs Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom Test, debug, and contribute charts: ArtifactHub/packages Notable Changes Kubernetes client li…
-
Docker Engine releases v2.0.0-beta.13
v2.0.0-beta.13
-
Composer releases 2.9.8
Security: Fixed GitHub token validation and disclosure ( GHSA-f9f8-rm49-7jv2 / CVE-2026-45793 ) Full Changelog : 2.9.7...2.9.8
-
Composer releases 1.10.28
Security: Fixed GitHub token validation and disclosure ( GHSA-f9f8-rm49-7jv2 / CVE-2026-45793 )
-
Composer releases 2.2.28
Security: Fixed GitHub token validation and disclosure ( GHSA-f9f8-rm49-7jv2 / CVE-2026-45793 ) Full Changelog : 2.2.27...2.2.28
-
Helm releases Helm v4.2.0
Helm v4.2.0 is a feature release. Users are encouraged to upgrade for the best experience. The community keeps growing, and we'd love to see you there! Join the discussion in Kubernetes Slack : for questions and just to hang out for discussing PRs, code, and bugs Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom Test, debug, and contribute charts: ArtifactHub/packages Notable Changes Switch to goreleaser for release builds Kubernetes client libraries to v1.36 Add mustToToml…
Wed 13 May 2026
-
Chocolatey releases 2.7.2
Read our blog post about this release. As part of this release we had 2 issues closed. Dependency Changes Upgrade log4net to 3.3.1. See #3887 by corbob , resolved in !3886 by corbob . Update bundled 7zip executables to v26.01. See #3888 by corbob . Contributors 1 contributors made this release possible.
-
Chocolatey releases 1.4.6
Read our blog post about this release. As part of this release we had 1 issue closed. Dependency Change Update support branch bundled 7zip executables to v26.01. See #3889 by corbob resolved in !3892 by corbob . Contributors 1 contributors made this release possible.
-
Docker Engine releases v25.0.16
v25.0.16
-
Mamba releases 2.6.1
Bug fixes: [libmamba] fix: Support local install without explicit path by @jjerphan in #4273 [micromamba, libmamba] fix: Free-threaded builds location on Windows by @jjerphan in #4268 [libmamba] fix: Do not use python for platform detection by @jjerphan in #4257 [libmamba] fix: Adapt Sharded Repodata TTL update logic by @jjerphan in #4269 [libmamba] fix: Adaptations for vcpkg's distribution of zlib 1.3.2 on Windows by @jjerphan in #4260 [libmamba] fix: Normalize MatchSpec package names to lower…
-
Please immediately update Composer to version 2.9.8 or 2.2.28 (LTS) by running composer.phar self-update . The new releases fix a vulnerability where Composer leaks the full contents of GitHub Actions issued GITHUB_TOKEN s or GitHub App installation tokens to the GitHub Actions logs. GitHub introduced
-
Bun releases Bun v1.3.14
To install Bun v1.3.14 curl -fsSL https://bun.sh/install | bash # or you can use npm # npm install -g bun Windows: powershell -c " irm bun.sh/install.ps1|iex " To upgrade to Bun v1.3.14: bun upgrade Read Bun v1.3.14's release notes on Bun's blog Thanks to 11 contributors! @190n @alii @carlsmedstad @cirospaciari @coleleavitt @djs5008 @dylan-conway @ig-ant @Jarred-Sumner @robobun @sosukesuzuki
Tue 12 May 2026
-
Athens releases v0.17.1
What's Changed fix: use default config for config files by @nrwiersma in #2108 fix: support external_account workload identity, add tests by @DrPsychick in #2120 chinese translations of design by @sufu777 in #2110 New Contributors @sufu777 made their first contribution in #2110 Full Changelog : v0.17.0...v0.17.1
-
uv releases 0.11.14
Release Notes Released on 2026-05-12. Enhancements Add Astral mirror URL override ( #19206 ) Ignore top_level.txt entries in uninstall that are not valid Python identifiers ( #19340 ) Bug fixes Avoid applying .env files in parent process ( #19343 ) Filter ANSI codes in logging output ( #19311 ) Fix uv tree showing extra-conditional deps for packages required without extras ( #19332 ) Respect build options (e.g., --no-build ) during lock validation ( #19366 ) Install uv 0.11.14 Install prebuilt …
-
DNF5 releases 5.4.2.1
Update translations from weblate Move system-repo.lock to /var/lib/dnf/system-repo.lock dnfdaemon: Document interactive option in D-Bus API dnfdaemon: Add repo_key_imported informational signal dnfdaemon: Avoid timeout on repo key import dnfdaemon: Pass interactive parameter to repo key import callback refactor(download): preallocate memory in DownloadCommand::configure Fix list --installed-from-repo to imply --installed Fix typos in docs, comments, and user-facing strings dnf5.8.rst: s/sytem/s…
-
Gradle releases 9.5.1
The Gradle team is excited to announce Gradle 9.5.1. Here are the highlights of this release: Task provenance in reports and failure messages Type-safe accessors for precompiled Kotlin Settings plugins Read the Release Notes We would like to thank the following community members for their contributions to this release of Gradle: atm1020 , mataha , Adam , Attila Kelemen , Benedikt Ritter , Björn Kautler , Caro Silva Rode , CHANHAN , Dmitry Nezavitin , Eng Zer Jun , KugelLibelle , Madalin Valcele…
-
pub.dev releases 20260512t124000-all
Deployment at 2026-05-12T12:40:18.344790Z.
-
pub.dev releases 20260512t100400-all
Deployment at 2026-05-12T10:04:08.298757Z.
Mon 11 May 2026
-
Docker Engine releases v2.0.0-beta.12
v2.0.0-beta.12
-
Homebrew releases 5.1.11
What's Changed info: list installed dependents with --verbose by @HaraldNordgren in #22163 bundle/checker: enable typed: strict by @bittoby in #22157 Supports in repository patch files by @rexmhall09 in #22144 bundle/commands/exec: enable typed: strict by @bittoby in #22167 dev-cmd/tests: remove obsolete HOMEBREW_REALLY_USE_INTERNAL_API cleanup by @bittoby in #22168 docs: formula-cookbook remove deprecated string replacement instructions by @GunniBusch in #22169 Test bare cask macOS dependencie…
-
Harbor releases v2.14.4
What's Changed Component updates ⬆️ [CHERRY_PICK] fix(session): fix SessionRegenerate save args and lifetime by @chlins in #22882 [CHERRY-PICK] feat(session): prevent background polling from renewing session TTL by @chlins in #23098 (cherry-pick) Fix issue related to scanner API by @stonezdj in #23109 (cherry-pick) Call /v2/auth/token api to get bearer token for dockerhub adapter by @stonezdj in #23208 bump Go to 1.25.9 and use goharbor/photon:5.0 base images by @stonezdj in #23204 Bump up the …
-
uv releases 0.11.13
Release Notes Released on 2026-05-10. Bug fixes Include data files in editable builds ( #19312 ) Respect --require-hashes when installing from pylock.toml files ( #19334 ) Python Add CPython 3.14.5 Install uv 0.11.13 Install prebuilt binaries via shell script curl --proto ' =https ' --tlsv1.2 -LsSf https://releases.astral.sh/github/uv/releases/download/0.11.13/uv-installer.sh | sh Install prebuilt binaries via powershell script powershell -ExecutionPolicy Bypass -c " irm https://releases.astral…
-
pnpm Blog pnpm 11.1
pnpm 11.1 adds a few new commands — pnpm audit signatures, pnpm bugs, and pnpm owner — alongside support for installing from arbitrary named registries (including a built-in alias for the GitHub Packages npm registry), the ability to skip runtime installation in CI, and several fixes.
Sun 10 May 2026
-
Verdaccio releases v6.6.0
What's Changed feat: update core dependencies by @juanpicado in #5832 chore(deps): update yarn to v4.14.1 (6.x) by @renovate [bot] in #5866 fix(deps): update core verdaccio dependencies (6.x) by @renovate [bot] in #5865 fix: migrate to run server internally by @juanpicado in #5868 fix: tarball might fail #5829 by @juanpicado in #5869 fix(deps): update dependency semver to v7.8.0 (6.x) by @renovate [bot] in #5867 Full Changelog : v6.5.2...v6.6.0
-
PDM releases 2.26.9
Features & Improvements Support exclude-newer in pyproject.toml in the [tool.pdm.resolution] table ( #3776 ) Bug Fixes Preserve pylock package markers when refreshing lockfile hashes. ( #3773 ) What's Changed Remove dead code by @duriantaco in #3774 [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci [bot] in #3780 chore(deps): bump the actions group with 5 updates by @dependabot [bot] in #3778 fix: update pdm_scheme to set pep582_base in sysconfig and add corresponding test by @frostming i…
-
Harbor releases v2.14.4-rc1
What's Changed Component updates ⬆️ [CHERRY_PICK] fix(session): fix SessionRegenerate save args and lifetime by @chlins in #22882 [CHERRY-PICK] feat(session): prevent background polling from renewing session TTL by @chlins in #23098 (cherry-pick) Fix issue related to scanner API by @stonezdj in #23109 (cherry-pick) Call /v2/auth/token api to get bearer token for dockerhub adapter by @stonezdj in #23208 bump Go to 1.25.9 and use goharbor/photon:5.0 base images by @stonezdj in #23204 Bump up the …
Sat 9 May 2026
-
Verdaccio releases @verdaccio/[email protected]
@verdaccio/[email protected]
-
Verdaccio releases @verdaccio/[email protected]
@verdaccio/[email protected]
-
Verdaccio releases @verdaccio/[email protected]
@verdaccio/[email protected]
-
Verdaccio releases @verdaccio/[email protected]
@verdaccio/[email protected]
-
Verdaccio releases @verdaccio/[email protected]
@verdaccio/[email protected]
-
Poetry releases 2.4.1
Changed Re-allow installer==0.7.0 ( #10887 ). Fixed Fix an issue where poetry update <package> failed when <package> was a transitive dependency ( #10885 ).
-
Gradle releases v9.6.0-M2
Run smoke-ide-tests with GProfiler ( #37800 )
Fri 8 May 2026
-
uv releases 0.11.12
Release Notes Released on 2026-05-08. Python Add CPython 3.15.0b1 Enhancements Add --no-editable support to uv pip install ( #19306 ) Require git refs in URLs to be percent-encoded ( #19320 ) Bug fixes Respect --no-dev over UV_DEV=1 ( #19313 ) Don't suggest non-existent --no-frozen flag ( #19290 ) ( #19294 ) Documentation Fix bug from inconsistent workflow name in GHA-PyPI guide example ( #19309 ) Install uv 0.11.12 Install prebuilt binaries via shell script curl --proto ' =https ' --tlsv1.2 -L…