• ci: remove labeler and simplify change detection by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9751
• test: align GraphQL health check retries with gRPC pattern by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9752
• build(jemalloc): patch jemalloc 5.3.1 source for libstdc++ 16+ ABI removal by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9740
• dgraphtest: add WithStartupArg for arbitrary Alpha flags by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9741
• test: poll for HNSW index readiness instead of fixed sleeps by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9739
• fix: S390x compatibility by @navaneeswar1011 in https://github.com/dgraph-io/dgraph/pull/9746
• fix(security): compare poorman's auth token in constant time by @alhudz in https://github.com/dgraph-io/dgraph/pull/9736
• edgraph: add AlterNoAuth for trusted in-process schema callers by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9748
• x,edgraph,worker: add a reserved-namespace plugin registry by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9753
• x,edgraph: harden reserved-namespace registration and value-lock delete coverage by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9754
• alpha: add public extensibility hooks for the gRPC server and CLI flags by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9742

• @navaneeswar1011 made their first contribution in https://github.com/dgraph-io/dgraph/pull/9746
• @alhudz made their first contribution in https://github.com/dgraph-io/dgraph/pull/9736

Full Changelog: https://github.com/dgraph-io/dgraph/compare/v25.3.5...v25.3.6

• ci: remove labeler and simplify change detection by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9751
• test: align GraphQL health check retries with gRPC pattern by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9752
• build(jemalloc): patch jemalloc 5.3.1 source for libstdc++ 16+ ABI removal by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9740
• dgraphtest: add WithStartupArg for arbitrary Alpha flags by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9741
• test: poll for HNSW index readiness instead of fixed sleeps by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9739
• fix: S390x compatibility by @navaneeswar1011 in https://github.com/dgraph-io/dgraph/pull/9746
• fix(security): compare poorman's auth token in constant time by @alhudz in https://github.com/dgraph-io/dgraph/pull/9736
• edgraph: add AlterNoAuth for trusted in-process schema callers by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9748
• x,edgraph,worker: add a reserved-namespace plugin registry by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9753
• x,edgraph: harden reserved-namespace registration and value-lock delete coverage by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9754
• alpha: add public extensibility hooks for the gRPC server and CLI flags by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9742

• @navaneeswar1011 made their first contribution in https://github.com/dgraph-io/dgraph/pull/9746
• @alhudz made their first contribution in https://github.com/dgraph-io/dgraph/pull/9736

Full Changelog: https://github.com/dgraph-io/dgraph/compare/v25.3.5...v25.3.6

• Re-fix 1xx handling by @matthoffman in https://github.com/Netflix/zuul/pull/2149

Full Changelog: https://github.com/Netflix/zuul/compare/v3.6.14...v3.6.15

This is a security release.

• (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
• (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
• (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
• (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
• (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
• (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
• (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
• (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
• (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
• (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
• (CVE-2026-48936) permission: guard pipe open and chmod with net scope (RafaelGSS) – Low

• [98fbc89211] - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) nodejs-private/node-private#878
• [110840f2c7] - deps: update llhttp to 9.4.2 (Antoine du Hamel) nodejs-private/node-private#890
• [8d36d522b2] - deps: update undici to 8.5.0 (Node.js GitHub Bot) #63903
• [2e6d03993a] - deps: update undici to 8.4.0 (Node.js GitHub Bot) #63779
• [5a17d5b07a] - deps: update archs files for openssl-3.5.7 (Node.js GitHub Bot) #63820
• [362725d4e5] - deps: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) #63820
• [bd1214ab01] - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) nodejs-private/node-private#868
• [bc0b53813e] - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) nodejs-private/node-private#846
• [87d847bc70] - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) nodejs-private/node-private#855
• [9308084fcb] - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) nodejs-private/node-private#867
• [a67dd46891] - (CVE-2026-48936) permission: guard pipe open and chmod with net scope (RafaelGSS) nodejs-private/node-private#885
• [7057c3f16c] - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) nodejs-private/node-private#873
• [6bc17a6b51] - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) nodejs-private/node-private#870
• [c8668beff8] - test: add session reuse host verification regressions (Matteo Collina) nodejs-private/node-private#854
• [d1be630415] - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) nodejs-private/node-private#854
• [a14c158bb3] - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) nodejs-private/node-private#857
• [ebda73470d] - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) nodejs-private/node-private#869

This is a security release.

• (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
• (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
• (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
• (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
• (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
• (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
• (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
• (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
• (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
• (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
• (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

• [9e4dfc7bba] - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) nodejs-private/node-private#878
• [cb2aed980c] - deps: update llhttp to 9.4.2 (Antoine du Hamel) nodejs-private/node-private#890
• [a8a0d12875] - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 (Tim Perry) #62891
• [66e6203c1c] - (SEMVER-MAJOR) deps: update nghttp2 to 1.69.0 (Node.js GitHub Bot) #62891
• [dd627ced27] - deps: update archs files for openssl-3.5.7 (Node.js GitHub Bot) #63820
• [684bae568f] - deps: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) #63820
• [3a631e7f83] - deps: fix aix implicit declaration in OpenSSL (Abdirahim Musse) #62656
• [cf44df3996] - deps: update undici to 7.28.0 (Node.js GitHub Bot) #63703
• [138c70294b] - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) nodejs-private/node-private#868
• [be7e719c3f] - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) nodejs-private/node-private#846
• [cc7c11b4d1] - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) nodejs-private/node-private#855
• [9224427b92] - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) nodejs-private/node-private#867
• [cf85d54839] - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) nodejs-private/node-private#873
• [a1bbc24f96] - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) nodejs-private/node-private#870
• [e3723ff2d6] - test: add session reuse host verification regressions (Matteo Collina) nodejs-private/node-private#854
• [a77af4867b] - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) nodejs-private/node-private#854
• [31beb4f707] - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) nodejs-private/node-private#857
• [8e75c73f91] - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) nodejs-private/node-private#869

This is a security release.

• (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
• (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
• (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
• (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
• (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
• (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
• (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
• (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
• (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
• (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
• (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

• [38b4c5ed51] - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) nodejs-private/node-private#878
• [ad8a10c1bb] - deps: update llhttp to 9.4.2 (Antoine du Hamel) nodejs-private/node-private#890
• [ca825a87cc] - deps: update undici to 6.27.0 (aduh95) #63711
• [a1a5bb9683] - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 (Tim Perry) #62891
• [0f48583512] - (SEMVER-MAJOR) deps: update nghttp2 to 1.69.0 (Node.js GitHub Bot) #62891
• [38c869fc05] - deps: update nghttp2 to 1.68.0 (nodejs-github-bot) #61136
• [290667c84f] - deps: update nghttp2 to 1.67.1 (nodejs-github-bot) #59790
• [c9f3da76aa] - deps: update nghttp2 to 1.66.0 (Node.js GitHub Bot) #58786
• [60890be563] - deps: update nghttp2 to 1.65.0 (Node.js GitHub Bot) #57269
• [5024c7d5d8] - deps: update archs files for openssl-3.5.7 (Node.js GitHub Bot) #63820
• [7f4eb5af2e] - deps: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) #63820
• [ebb4ec78a8] - deps: fix aix implicit declaration in OpenSSL (Abdirahim Musse) #62656
• [5763d40826] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #63045
• [c551a51d0c] - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) nodejs-private/node-private#868
• [0a22d40180] - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) nodejs-private/node-private#846
• [c79968e108] - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) nodejs-private/node-private#855
• [0c37bff2ff] - http2: fix DEP0194 message (KaKa) #58669
• [ea5dc6b529] - (SEMVER-MAJOR) http2: remove support for priority signaling (Matteo Collina) #58293
• [9b6af26132] - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) nodejs-private/node-private#867
• [28dcd38864] - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) nodejs-private/node-private#873
• [2f62693801] - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) nodejs-private/node-private#870
• [1662a3ea09] - test: add session reuse host verification regressions (Matteo Collina) nodejs-private/node-private#854
• [718d5d0e2c] - test: skip test-fs-utimes-y2K38 on armv7 (Richard Lau) #63836
• [041185b61f] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #62238
• [fd890ba01d] - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) nodejs-private/node-private#854
• [39d1d09684] - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) nodejs-private/node-private#857
• [2197a47144] - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) nodejs-private/node-private#869

Apache Superset is a modern, enterprise-ready business intelligence web application

nginx-1.30.3 stable version has been released, with fixes for buffer overflow vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module (CVE-2026-42055), and buffer overread vulnerability in the ngx_http_charset_module (CVE-2026-48142).

See official CHANGES-1.30 on nginx.org.

Below is a release summary generated by GitHub.

• Nginx 1.30.3 with security fixes by @arut in https://github.com/nginx/nginx/pull/1475

Full Changelog: https://github.com/nginx/nginx/compare/release-1.30.2...release-1.30.3

nginx-1.31.2 mainline version has been released, with fixes for use-after-free vulnerability in the ngx_http_v3_module (CVE-2026-42530), buffer overflow vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module (CVE-2026-42055), and buffer overread vulnerability in the ngx_http_charset_module (CVE-2026-48142).

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

• Use SipHash to speed up $request_id generation by @jimf5 in https://github.com/nginx/nginx/pull/1392
• SSL: add $ssl_sigalgs variable by @VadimZhestikov in https://github.com/nginx/nginx/pull/1361
• Xslt: fixed handle vsnprintf return value by @afonot in https://github.com/nginx/nginx/pull/747
• GH: remove the set-creation-date.yaml workflow by @ac000 in https://github.com/nginx/nginx/pull/1435
• Split clients: improved calculation of range boundaries by @pluknet in https://github.com/nginx/nginx/pull/1334
• Style by @pluknet in https://github.com/nginx/nginx/pull/1440
• GH: Fix the whitespace checker workflow by @ac000 in https://github.com/nginx/nginx/pull/1453
• Secure link: Compare hashes in constant time by @sbhowmikf5 in https://github.com/nginx/nginx/pull/1433
• Access log: Fix "request_length" format length by @nitin9977 in https://github.com/nginx/nginx/pull/1432
• Updated OpenSSL used for win32 builds by @pluknet in https://github.com/nginx/nginx/pull/1469
• Nginx 1.31.2 with security fixes (HTTP/2 proxy, grpc, HTTP/3, charset) by @arut in https://github.com/nginx/nginx/pull/1474

• @afonot made their first contribution in https://github.com/nginx/nginx/pull/747
• @sbhowmikf5 made their first contribution in https://github.com/nginx/nginx/pull/1433
• @nitin9977 made their first contribution in https://github.com/nginx/nginx/pull/1432

Full Changelog: https://github.com/nginx/nginx/compare/release-1.31.1...release-1.31.2

See the release notes at https://prestodb.io/docs/current/release/release-0.298.1.html