docker-compose: Update to version 5.0.1

Release notes:
https://github.com/docker/compose/releases/tag/v5.0.1

Signed-off-by: Javier Marcet <javier@marcet.info>

treewide: remove FTP usage

Drop obsolete protocol usage.
Use HTTPS (if possible) or HTTP instead.

Signed-off-by: Yanase Yuki <dev@zpc.st>

treewide: fix spelling and grammar in Makefiles

Fix spelling and grammar in package definitions, configs, comments and
other strings.

Signed-off-by: George Sapkin <george@sapk.in>

tcpreplay: add libxdp as dependency

If libxdp is built before tcpreplay, it will pick it up.
So, might as well just add it as a dependency (for now).

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>

coredns: replace wgsd-coredns to full 1.13.2

- Add coredns package 1.13.2
- Make wgsd-coredns package transitional to coredns with wgsd plugin enabled
- Make coredns plugin list configurable, disable heavy plugins by
  default and add wgsd plugin
- Place the service into ujail
- Add netbox plugin

Co-authored-by: Tianling Shen <cnsztl@gmail.com>
Signed-off-by: Vladimir Ermakov <vooon341@gmail.com>

treewide: remove Home Assistant dependencies

I previously attempted to package Home Assistant for OpenWrt.
 However, given the announcement that Home Assistant will
primarily be supported via containers (e.g., Docker) or HA OS [1],
these specific Python package dependencies [2] are no longer needed.

I no longer maintain these packages, I don't use them, and there
 are no other internal dependencies on them. Removing them will
result in slightly faster build times since they no longer require compilation.

[1] https://www.home-assistant.io/blog/2025/05/22/deprecating-core-and-supervised-installation-methods-and-32-bit-systems/
[2] https://github.com/home-assistant/core/blob/dev/pyproject.toml

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>

lighttpd: 1.4.82-2

release 1.4.82-2 with patches

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>

lighttpd: mbedtls 3.x EC certs require drbg init

EC certs require drbg init with mbedtls >= 3.0.0
in addition to MBEDTLS_USE_PSA_CRYPTO requiring drbg init

x-ref:
  "mbedtls error with ec certificates"
  https://redmine.lighttpd.net/boards/2/topics/12097
  "mod_mbedtls: ECDSA OpenSSL certificates do not work with lighttpd + mbedTLS/PSA (MBEDTLS_USE_PSA_CRYPTO)"
  https://redmine.lighttpd.net/issues/3288

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>

lighttpd: fix plugin malformed dependencies

Dependencies for plugin authn_gssapi, authn_ldap, authn_pam, authn_dbi
and authn_sasl are not correctly written.

This cause lighttpd package to always compile krb5-libs, libopenldap and
libpam, even if not selected

Before the fix:

grep -e libpam -e krb5-libs -e libopenldap .config
\# CONFIG_PACKAGE_libpam is not set
\# CONFIG_PACKAGE_libopenldap is not set
\# CONFIG_PACKAGE_krb5-libs is not set

make | grep -e libpam -e krb5 -e ldap
make[3] -C feeds/packages/net/krb5 compile
make[3] -C feeds/packages/libs/libpam compile
make[3] -C feeds/packages/libs/openldap compile

With the fix:

make | grep -e libpam -e krb5 -e ldap
"nothing compiled"

Check that fix works when mod-authn tokens are
selected (select lighttpd-mod-authn_xxx):

grep lighttpd-mod-authn .config
CONFIG_PACKAGE_lighttpd-mod-authn_file=y
CONFIG_PACKAGE_lighttpd-mod-authn_gssapi=m
CONFIG_PACKAGE_lighttpd-mod-authn_ldap=m
CONFIG_PACKAGE_lighttpd-mod-authn_pam=y

make | grep -e libpam -e krb5 -e ldap
make[3] -C feeds/packages/net/krb5 compile
make[3] -C feeds/packages/libs/libpam compile
make[3] -C feeds/packages/libs/openldap compile

x-ref:
  "lighttpd: Malformed dependencies cause unselected packages to be compiled"
  https://github.com/openwrt/packages/pull/28157

github: closes #28157

Signed-off-by: Alarcon Laurent <laurent.alarcon@sagemcom.com>
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>

prometheus-node-exporter-lua: remove bmx6 leftovers

It looks like I forgot to remove this file while dropping
package prometheus-node-exporter-lua-bmx6.

Fixes: 9c2bf859005ada11c17835f74826b356cdb0fb7b ("prometheus-node-exporter-lua: drop bmx6 package")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>

uspot: move and format EXTRA_DEPENDS

Sort EXTRA_DEPENDS after DEPENDS and remove whitespace in the version requirement.

Fixes missing version during building:
```
uspot fused dependencies: ucode (>=, libc,..
uspotfilter fused dependencies: ucode (>=, libc,...
```

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>

python-pyfuse3: update to version 3.4.1

Release notes:
https://github.com/libfuse/pyfuse3/releases/tag/3.4.1

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>

jq: refactor variants and fix PROVIDES

Refactor package variants definition to be cleaner and more robust.
E.g.:
- Remove redundant PROVIDES:=jq from the main 'jq' package (it provides
  itself automatically).
- Keep PROVIDES:=jq only on the 'jq-full' variant so it can serve as a
  drop-in replacement.
- Use $(CP) macro rather than $(INSTALL_BIN) to preserve symlinks on shared objects
INSTALL_BIN turns all of the symlinks to files, increasing size.

Fixes: 711a19c4b23f3517ece5296d323c8f0220a0ff4e ("jq: provide regex support in additional package jq-full")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>

tree-wide: remove obsolete SDK in conditionals

Obsolete use of $(SDK) in configure conditionals can result in
dependency errors when building a subset of packages for packages which
have multiple sub-packages.

The reason it causes dependency issues is that (using libdbi-drivers as
an example) lines like:

ifneq ($(SDK)$(CONFIG_PACKAGE_libdbd-sqlite3),)

always evaluate to true if you are compiling in the SDK. So for a user
compiling from the SDK, the configure arguments are always added to the package build.

In the case of libdbi-drivers:

CONFIGURE_ARGS += \
  --with-sqlite3 \
  --with-sqlite3-incdir=$(STAGING_DIR)/usr/include \
  -with-sqlite3-libdir=$(STAGING_DIR)/usr/lib

is always added even if PACKAGE_libdbd-sqlite3 is deselected. When
libdbd-sqlite3 is deselected, this dependency:

DEPENDS:=libdbi +libsqlite3

is not present, so when configure tries to find sqlite3 it fails.

Closes #28173 "tree-wide: obsolete $(SDK) in conditionals"

See also:

* "include: remove SDK exception from package install targets"
  openwrt/openwrt@28f44a4

Performed tree-wide to ease revert if necessary, per:
https://github.com/openwrt/packages/issues/28173#issuecomment-3694615980

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>

python-bcrypt: update to version 5.0.0

Release notes:
https://github.com/pyca/bcrypt/releases/tag/5.0.0

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>

python3-bottle: update to version 0.13.4

Release notes:
https://github.com/bottlepy/bottle/releases/tag/0.13.4

Add setuptools to PKG_BUILD_DEPENDS to fix:
```
pyproject_hooks._impl.BackendUnavailable: Cannot import 'setuptools.build_meta'
```

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>

libopen62541: preserve symlinks on install

$(INSTALL_BIN) follows symlinks, causing the .so to be copied multiple times.
Use $(CP) instead to preserve symlinks and cut package size by ~2/3.
OpenWrt libraries don’t need to be executable, so $(INSTALL_BIN) isn’t required.

Signed-off-by: Jordan Ngako <jordanfalken@gmx.de>

ruby: update to 4.0.0

Ruby 4.0 introduces "Ruby Box" and "ZJIT", and adds many improvements.
- Introduce experimental ZJIT compiler
- Improve YJIT performance and memory usage
- Add experimental Ruby Boxes object layout optimization
- VM and GC performance improvements
- Ractor runtime and scheduling enhancements
- Update language syntax and semantics (*nil behavior, logical operator parsing)
- Add Array#rfind and optimized Array#find
- Improve Binding API and implicit parameter access
- Extend Enumerator.produce with size keyword
- Enhance ArgumentError diagnostics with caller/callee context
- Add Fiber#raise(cause:)
- IO.select accepts Float::INFINITY timeout
- Improve Kernel#inspect extensibility
- Add Math.log1p and Math.expm1
- Promote Pathname and Set to core classes
- Extend Ractor API (join, value, lifecycle helpers)
- Fix endless and infinite Range behavior
- Define new top-level Ruby module
- Update Unicode to 17.0 and extend String strip methods
- Update bundled gems (RubyGems, Bundler, IRB, etc.)

Packaging changes:
- Include license files for all packages
- As ruby set moved into core, ruby-set is gone.
  ruby-setsubclasscompact was added to include the set subclass
  compatible layer
- Added conditional libatomic dependency for libruby
- YJIT and ZJIT are not built when cross-compiling (almost always for
  openwrt, even when archs matches). However, the Makefile is ready for
  both when upstream adds that feature. Config entries are marked as
  BROKEN for now.

Changelog: https://github.com/ruby/ruby/compare/v3_4_0...v4.0.0
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>

boost: updates package to version 1.90.0

This commit updates boost to version 1.90.0

New libraries in this release:
* OpenMethod [2]: Open-(multi-)methods in C++17 and above, from
                  Jean-Louis Leroy.

More info about Boost 1.90.0 can be found at the usual place [1].

[1]: https://www.boost.org/users/history/version_1_90_0.html
[2]: https://www.boost.org/libs/openmethod

Signed-off-by: Carlos Miguel Ferreira <carlosmf.pt@gmail.com>

tcpreplay: add libbpf dependency

Since compiling tcpbridge requires linking libbpf.so.1, compiling tcpbridge first may result in compilation failure, like:
Package tcpbridge is missing dependencies for the following libraries: libbpf.so.1

The simplest way to solve it is to add libbpf dependency in Makefile

Signed-off-by: TeleostNaCl Dai <teleostnacl@gmail.com>

luajit2: add riscv64 support

This adds support RISC-V64 to luajit2 by backporting
https://redirect.github.com/openresty/luajit2/pull/236

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>

openlist: Update to 4.1.8

Release note: https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.8

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>

monit: update to 5.35.2

Changelog: https://mmonit.com/monit/changes/

Signed-off-by: Yaroslav Petrov <info@lank.me>

sing-box: update to 1.12.14

changelog: https://github.com/SagerNet/sing-box/releases/tag/v1.12.14

Signed-off-by: xiao bo <peterwillcn@gmail.com>

python-aio-mqtt-mod: update to 0.4.0

Add support of building against python 3.12+
Replace imp module with importlib

Full changelog:
https://github.com/devbis/aio-mqtt/compare/0.3.4...0.4.0

Signed-off-by: Ivan Belokobylskiy <belokobylskij@gmail.com>

tree: add LICENSE and LICENSE files

Add license information and the upstream project URL.

Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>

dnslookup: Update to 1.11.2

Release note: https://github.com/ameshkov/dnslookup/releases/tag/v1.11.2

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>

libmodbus: update to 3.1.11

fixes float endianness issues in 3.1.8.

I use a small, custom application to convert data from my
electricity meter into Modbus format for my inverter and wallbox.
I developed this program against an earlier version of libmodbus
on x86, and it ran flawlessly on my ath79 router (big endian).
After migrating to a Mediatek router (little endian), the program
only outputted huge, meaningless values. However, it ran perfectly
fine on my x86 system (little endian), which is running Fedora
with libmodbus v3.1.11.

I then found several bug reports and the changelogs for libmodbus 3.1.11
that described and resolved my problem. So update openwrt to 3.1.11.

Signed-off-by: Stefan Hellermann <stefan@the2masters.de>

softethervpn5: rearrange patches

Provide space for upstream/pending patches.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>

coreutils: update to 9.9

Release notes:
https://lists.gnu.org/archive/html/coreutils-announce/2025-09/msg00000.html
https://lists.gnu.org/archive/html/coreutils-announce/2025-11/msg00000.html

- Drop chcon and runcon as they require SELinux support and cannot be built from
  coreutils 9.9 when configured with --without-selinux.
- Add libgmp dependency for coreutils-basenc to fix missing libgmp.so.10.
- Switch to -std=gnu17 to avoid build failure.
  ```
  lib/openat-die.c: In function 'openat_save_fail':
  lib/openat-die.c:37:3: error: format not a string literal and no format arguments [-Werror=format-security]
     37 |   error (exit_failure, errnum,
        |   ^~~~~
  lib/openat-die.c: In function 'openat_restore_fail':
  lib/openat-die.c:56:3: error: format not a string literal and no format arguments [-Werror=format-security]
     56 |   error (exit_failure, errnum,
        |   ^~~~~
  ```
- Refresh patch.

Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>

coreutils: clean up Makefile

- Update copyright year.
- Sort DEPENDS lexicographically.
- Switch URL to HTTPS.
- Drop invalid configure option --enable-install-program=su.
  ```
  configure: WARNING: 'su' is not an optionally-installable program
  ```
- Drop unrecognized configure option --with-gmp.
  ```
  configure: WARNING: unrecognized options: --with-gmp
  ```

Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>

krant: drop maintainership

Signed-off-by: Aleksey Vasilenko <aleksey.vasilenko@gmail.com>

freeradius3: bump to 3.2.8

Closes #28161

Resolves runtime openssl error

Patches refreshed

Signed-off-by: Paul Donald <newtwen+github@gmail.com>

ci: switch formal to an external action

Switch formal to use HyperStickler directly to test it in packages,
before introducing it into the main actions repo.

Link: https://github.com/marketplace/actions/hyperstickler
Signed-off-by: George Sapkin <george@sapk.in>

luci-app-watchcat: revert unnecessary quoting in init script

The quoting added in r18 for pinghosts is not needed. Multi-host support
remains fully functional, but the extra quotes caused inconsistent argument
handling between /etc/init.d/watchcat and /usr/bin/watchcat.sh,
especially for single-IP configurations.

This revert removes the unnecessary quoting in the init script and LUCI,
restoring consistent behavior while keeping multiple ping hosts supported.

Fixes: #28100 (watchcat: error if only one address is specified in pinghosts)
Signed-off-by: Ivan Diaz <diaz.it@icloud.com>

curl: enable wrongly disabled HTTP_AUTH

commit ea66e463cffc0811757eedee80889323ff66191c added a new config
option LIBCURL_HTTP_AUTH to enable or disable HTTP_AUTH support in
cURL. It defaulted the option to n (disabled).

However, prior to this change HTTP_AUTH was enabled for cURL, as the
configure script defaults to HTTP_AUTH enabled when it is not
explicitly disabled.

This impacts any consumer of cURL that uses HTTP_AUTH, including
authentication by username and password in the URL. (Confirmed via
run testing).

So we set the default for the option to y (enabled).

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>

zabbix: tweak frontend dependencies

For zabbix-server-frontend, the absence of php8-mod-filter results in
many of the frontend's pages failing to render.  Therefore add this
module as a frontend dependency.

Without php8-mod-openssl the frontend fails with:

[13-Dec-2025 18:47:25 UTC] PHP Fatal error:  Uncaught Error: Call to
undefined function openssl_random_pseudo_bytes() in
/www/zabbix/include/classes/helpers/CEncryptHelper.php:89
Stack trace:
CEncryptHelper::generateKey()
  thrown in /www/zabbix/include/classes/helpers/CEncryptHelper.php on
  line 89

Therefore add php8-mod-openssl as a frontend dependency.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>

ddns-scripts: add beget.com api support

The Beget API provider was implemented according to https://beget.com/en/kb/api/dns-administration-functions

Signed-off-by: Vladimir Tkachev <awesome149712@gmail.com>

vim: fix depends configuration

Due to the incorrect DEPENDS configuration, the vim-full and vim-fuller
packages won't show up in menuconfig if the vim-runtime package is not
selected. This happens because these packages depend on vim-runtime.

To fix this, add the '+' symbol to the DEPENDS line. This ensures that
when either vim-full or vim-fuller is selected, the vim-runtime package
(which is a dependency) will also be selected automatically.

Fixes: d1351b3 ("vim: fix config and runtime")
Signed-off-by: TeleostNaCl Dai <teleostnacl@gmail.com>

etebase: switch to nginx

All nginx variants provide ssl so switch from nginx-ssl to nginx.

Signed-off-by: George Sapkin <george@sapk.in>

nginx: fix provides

nginx modules must not provide nginx which causes them to not be able
to be installed alongside nginx due to the new apk provide fixes.

Remove PROVIDES from modules.

Remove nginx-ssl from PROVIDES as there is no non-ssl variant, i.e. all
version provide ssl.

Set nginx-ssl as the default variant.

Remove non-existent config value.

Signed-off-by: George Sapkin <george@sapk.in>

miniupnpd: update to 2.3.9 to fix issues, refresh building

- Update daemon to 2.3.9 to fix removal of nftables rules in
  `upnp_forward` and return the correct internal port; also resulted in
  the excessive opening of new ports. Accept interface names starting
  with digits
- Build from GitHub releases to get a reliable HTTPS server, as the
  HTTP-only/HTTPS mirror were only available ~85%/77% over 3 months
  https://redirect.github.com/miniupnp/miniupnp/issues/770
  https://stats.uptimerobot.com/DwGDxUB914
- Build daemon with `--disable-pppconn` to remove the old/IGDv1-only
  extra WANPPPConnection SSDP announcements workaround not included in
  other implementations since >15y
- Build daemon with `--vendorcfg` to allow customisation of the
  router/friendly name (+5 potential options) displayed in Windows
  Explorer, 384 bytes extra required on ARMv7 (binary)
- Remove old (iptables variant only) patches, as no longer needed
- Remove `clean_ruleset_interval/threshold` UCI config options as not
  standard/working since OpenWrt 22.03, as nftables not supported

Fixes: https://github.com/openwrt/openwrt/issues/18011
Fixes: https://github.com/openwrt/luci/issues/7759
Fixes: https://github.com/openwrt/packages/issues/26352
Signed-off-by: Self-Hosting-Group <selfhostinggroup-git+openwrt@shost.ing>
[update fixes tag]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>

sing-box: update to 1.12.13

changelog: https://github.com/SagerNet/sing-box/releases/tag/v1.12.13

Signed-off-by: xiao bo <peterwillcn@gmail.com>

v4l2loopback: bump to 0.15.3

This is needed in order to build against the 6.18 kernel

Signed-off-by: John Audia <therealgraysky@proton.me>

openvpn: add missing options

Add missing options taken from the OpenVPN 2.6 manual.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>

openvpn: remove vanished options

These options are no longer available in openvpn 2.6.x.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>

unixodbc: re-enable autoreconf to fix host path leak

Without it the build fails for me with:
  /usr/lib/libltdl.so: file not recognized: file format not recognized

Signed-off-by: Aleksey Vasilenko <aleksey.vasilenko@gmail.com>

mstflint: update to 4.34.1-2

This commit updates the mstflint package
to the latest 4.34.1-2 release.

Release notes:
https://github.com/Mellanox/mstflint/releases/tag/v4.34.1-2

Signed-off-by: Til Kaiser <mail@tk154.de>

php8: update to 8.4.16

This fixes:
    - CVE-2025-14177
    - CVE-2025-14178
    - CVE-2025-14180

Upstream changelog:
https://www.php.net/ChangeLog-8.php#8.4.16

Signed-off-by: Michael Heimpold <mhei@heimpold.de>

tar: fix circular dependency on xz

tar depended both on xz and xz-utils which xz already depended on.
Coupled with if PACKAGE_tar check it caused all packages that depended
on tar to have a circular Kconfig dependency. Remove the check and
dependency on xz-utils and leave xz one only.

Move libzstd dependency into DEPENDS.

Fixes: ad82c17 ("tar: fix EXTRA_DEPENDS")
Fixes: https://github.com/openwrt/packages/issues/28141
Signed-off-by: George Sapkin <george@sapk.in>

chicken-scheme: bump to 5.4.0

A patch is included in order to get the compiler (csc) to work properly
on the target device (comment in the OpenWRT package Makefile). csc,
chicken-install, chicken-status have been verified to work. What the
patch does is to remove -fmacro-prefix-map and -ldl in the strings that
are passed to gcc when the Scheme compiler runs. Without that, the
compiler will not run on the router. A longer description is in the
patch header.

Co-authored-by: George Sapkin <george@sapk.in>
Signed-off-by: Jeronimo Pellegrini <j_p@aleph0.info>

chicken-scheme: split library and refactor

Split library into a separate package and refactor Makefile.

Strip all executable binaries without stripping the library that's
used by the compiler.

Add SPDX license identifier.

Signed-off-by: George Sapkin <george@sapk.in>

chicken-scheme: add CI test script

Check csi version and check if csc can compile a simple s-expression.

Co-authored-by: George Sapkin <george@sapk.in>
Signed-off-by: Jeronimo Pellegrini <j_p@aleph0.info>

poemgr: Install default PSX10 + PSX28 configuration

The Plasma Cloud PSX10 and Plasma Cloud PSX28 are officially supported by
upstream main. Install their default configuration files to be able to use
poemgr on these devices out of the box.

Signed-off-by: Sven Eckelmann <se@simonwunderlich.de>

chicken-scheme: fix EXTRA_DEPENDS

EXTRA_DEPENDS should be used for version constraints. Change to DEPENDS.

Fixes: 6a559a9 ("chicken-scheme: version 5.2.0; include compiler")
Signed-off-by: George Sapkin <george@sapk.in>

tar: fix EXTRA_DEPENDS

EXTRA_DEPENDS should be used for version constraints. Change to DEPENDS.

Fixes: 488be84 ("utils/tar: Make compression, acl, and xattr support configuration options")
Fixes: 7a49296 ("utils/tar: Fix defaulting to selecting dependencies")
Signed-off-by: George Sapkin <george@sapk.in>

rlwrap: add package

rlwrap is a 'readline wrapper', a small utility that uses the GNU
Readline library to allow the editing of keyboard input for any
command.
The input history is preserved even across different invocations,
history search and completion are supported

Co-authored-by: George Sapkin <george@sapk.in>
Signed-off-by: Jeronimo Pellegrini <j_p@aleph0.info>

2to3: remove package

This package is only used by `fail2ban`. After updating `fail2ban` to
`1.1.0` (2a202b2091336cd04d58d797021e278ba9d3f5ae), the `2to3` package
is no longer needed. If required, anyone can reintroduce the package.

Signed-off-by: Wesley Gimenes <wehagy@proton.me>

php8: fix dependency of php8-mod-xmlreader to php8-mod-dom

When PHP8_DOM is enabled then xmlreader automatically gains a
dependency to php8-mod-dom, not only when the dom module
is actually built.

So fix it by declaring this dependency.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>

netbird: update to 0.60.8 (breaking change)

Changelog: https://github.com/netbirdio/netbird/releases/tag/v0.60.8

This is the first `netbird` release that introduces a breaking change[1].
Therefore, versions after the `0.60.x` will not be backported to
OpenWrt 24.10. They will be backported to OpenWrt 25.12, because that
release has not been officially launched yet.

By default netbird now creates/updates[2]
`/etc/ssh/ssh_config.d/99-netbird.conf` for use with `openssh-client`.
OpenWrt uses `dropbear`, and this behavior may cause storage wear.
This behavior has been disabled with `NB_DISABLE_SSH_CONFIG="1"`[3] in the
init file.

[1]: https://forum.netbird.io/t/netbird-v0-60-0-released/334#p-610-upgrade-compatibility-notes-4
[2]: https://docs.netbird.io/manage/peers/ssh#native-ssh-clients-open-ssh
[3]: https://github.com/netbirdio/netbird/blob/v0.60.8/client/ssh/config/manager.go#L167-L172

Signed-off-by: Wesley Gimenes <wehagy@proton.me>

netbird: update to 0.59.13

Changelog: https://github.com/netbirdio/netbird/releases/tag/v0.59.13

Signed-off-by: Wesley Gimenes <wehagy@proton.me>

gstreamer1: fix compilation on armeb

The build fails on xscale because the dependency to libatomic.so.1 is
missing.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

jool: fix build for 6.18

Add backport to fix build against 6.18 kernel.

Signed-off-by: John Audia <therealgraysky@proton.me>

go2rtc: update to 1.9.13

- Update version
- No patch refresh needed

Changelog: https://github.com/AlexxIT/go2rtc/releases/tag/v1.9.13
Signed-off-by: Vladimir Ermakov <vooon341@gmail.com>

grep: update to 3.12

Changelog: https://lists.gnu.org/archive/html/info-gnu/2025-04/msg00008.html

Also skip building doc, tests, and gnulib-tests.

Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>

uw-imap: drop package

Project URL doesn't load and the source hasn't received any updates in 7
years.

Fixes: https://github.com/openwrt/packages/issues/17097
Fixes: https://github.com/openwrt/packages/issues/28101
Signed-off-by: George Sapkin <george@sapk.in>

zabbix: transfer maintenance to myself

With previous maintainer's blessing:
https://github.com/openwrt/packages/pull/28041#issuecomment-3650645784

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>

zabbix: update to 7.0.21 (lts)

Updates Zabbix to 7.0.21-r1 (latest 7.0 LTS version)

Note that for the frontend, clearing browser cache, cookies and other
site data for the zabbix frontend server may be necessary.

Security fixes compared to 7.0.12 (most are frontend only):

* CVE-2025-27238: API hostprototype.get lists data to users with
  insufficient authorization https://support.zabbix.com/browse/ZBX-26988
* CVE-2025-27236: User information disclosure via api_jsonrpc.php on
  method user.get with param search:
  https://support.zabbix.com/browse/ZBX-27060
* CVE-2025-27231: LDAP 'Bind password' field value can be leaked by a
  Zabbix Super Admin: https://support.zabbix.com/browse/ZBX-27062
* CVE-2025-49641: Insufficient permission check for the
  problem.view.refresh action:
  https://support.zabbix.com/browse/ZBX-27063
* CVE-2025-49643: Frontend DoS vulnerability due to asymmetric
  resource consumption: https://support.zabbix.com/browse/ZBX-27284

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>

tailscale: update to 1.92.3

Changelog: https://tailscale.com/changelog#2025-12-16
Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>

vim: add SPDX license identifier

Replace license header with SPDX license identifier.

Update copyright.

Signed-off-by: George Sapkin <george@sapk.in>

vim: fix config and runtime

- Install shared runtime for both full and fuller.
- Switch big to huge as big is just an alias to normal.
- Fix default config path for tiny variant.
- Use upstream default config for both full and fuller.
- Don't mark default config files for backup.
- Don't mix variant files.
- Mark fuller variant config files for backup.
- Update configure arguments and remove deprecated ones.
- Remove deprecated configuration variables.
- Improve descriptions.
- Fix the following error by installing the missing runtime files for
  full and correctly installing the default config for tiny:

  E1187: Failed to source defaults.vim

- Fix the following fuller error by installing the missing directory in
  runtime:

  Error detected while processing /usr/share/vim/vim91/plugin/netrwPlugin.vim:
  line    7:
  E919: Directory not found in 'packpath': "pack/*/opt/netrw"

Fixes: https://github.com/openwrt/packages/issues/20203
Fixes: https://github.com/openwrt/packages/issues/28104
Signed-off-by: George Sapkin <george@sapk.in>

docker-compose: update to version 5.0.0

Release notes:
https://github.com/docker/compose/releases/tag/v5.0.0

Signed-off-by: Javier Marcet <javier@marcet.info>

netwhere: remove package

It seems this software is no longer maintained.
The last upstream commit is 8 years ago.

Signed-off-by: Yanase Yuki <dev@zpc.st>

shairport-sync: enable Airplay 2 for -openssl only

https://github.com/mikebrady/shairport-sync/blob/master/
CONFIGURATION%20FLAGS.md#cryptography states that only the OpenSSL
cryptography backend is suitable for Airplay 2.

Further investigation revealed that the pair_ap module within
shairport-sync, which is needed for Airplay 2, does not have an Mbed TLS
backend.

Accordingly, this commit enables Airplay 2 only for the OpenSSL build.

This has the nice side effect that for Airplay 1 the -mini or -mbedtls
versions can be used without pulling in 6 MB of ffmepg libs.

Signed-off-by: Christian Beier <info@christianbeier.net>

ruby: update to 3.4.8

This release is a routine update that includes bug fixes.

Changelog: https://github.com/ruby/ruby/releases/tag/v3_4_8
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>

irqbalance: Revert "irqbalance: update to 1.9.5"

This reverts commit 65d83de7f8b6969f1aa04895ddf20cc7ba690248.
Seems to cause trouble at least in ipq806x/R7800, so let's revert
for cautionary reasons.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

ddns-scripts: remove minimum 5 minute wait

To check if the update was successful.

Not all DDNS implementations have such huge latencies updating their services.

nsupdate for example, updates immediately and the update is immediately checkable.

Add new check_interval_min value to be able to set a check interval lower than the
previously hard-coded 5 minutes.

Fixes: #20564
Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>

tailscale: update to 1.92.2

Changelog: https://tailscale.com/changelog#2025-12-10

Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>

ruby: update to 3.4.7

This release includes some general fixes and a uri gem security fix:

- CVE-2025-61594: URI Credential Leakage Bypass previous fixes

Changelog: https://github.com/ruby/ruby/releases/tag/v3_4_7
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>

eza: update to 0.23.4

Changelogs:
0.23.1: https://github.com/eza-community/eza/releases/tag/v0.23.1
0.23.2: https://github.com/eza-community/eza/releases/tag/v0.23.2
0.23.3: https://github.com/eza-community/eza/releases/tag/v0.23.3
0.23.4: https://github.com/eza-community/eza/releases/tag/v0.23.4

Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>

croc: update to 10.3.1

Changelogs:
10.2.3: https://github.com/schollz/croc/releases/tag/v10.2.3
10.2.4: https://github.com/schollz/croc/releases/tag/v10.2.4
10.2.5: https://github.com/schollz/croc/releases/tag/v10.2.5
10.2.6: https://github.com/schollz/croc/releases/tag/v10.2.6
10.2.7: https://github.com/schollz/croc/releases/tag/v10.2.7
10.3.0: https://github.com/schollz/croc/releases/tag/v10.3.0
10.3.1: https://github.com/schollz/croc/releases/tag/v10.3.1

Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>

adblock: update 4.4.5-2

* fixed f_uci function
* fixed f_switch function, reported in the turris forum

Signed-off-by: Dirk Brenken <dev@brenken.org>

mstflint: update to 4.34.1-1

This commit updates the mstflint package
to the latest 4.34.1-1 release.

Signed-off-by: Til Kaiser <mail@tk154.de>

strongswan: update to 6.0.4

No significant functional changes.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

oor: remove package

It seems this software is no longer maintained.
- The latest upstream commit is 5 years ago.
- Official domain name has been suspended.

No packages depend on this.

Signed-off-by: Yanase Yuki <dev@zpc.st>

python3-speedtest-cli: remove package

It seems this software is no longer maintained.
The last upstream commit is 4 years ago, and
this software only supports obsolete setup.py.

Users should use supported similar softwares, such
as speedtest-go in packages repo.

Signed-off-by: Yanase Yuki <dev@zpc.st>

c-ares: bump to 1.34.6

This is a security release.

Security:
* CVE-2025-31498. A use-after-free bug has been uncovered in read_answers() that was introduced in v1.32.3. Please see GHSA-6hxc-62jh-p29v
* CVE-2025-62408. A use-after-free bug has been uncovered in read_answers() that
was introduced in v1.32.3. Please see GHSA-jq53-42q6-pqr5

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>

tang: make sure output and errors are logged to system log

Currently, there is no logging at all, causing difficulties with
troubleshooting. Edit originally proposed by @q-b #26076
(comment) and implemented by @rugk #27401

Signed-off-by: Thomas Winkler <tewinkler86@gmail.com>

php8: bump PKG_RELEASE

Bump PKG_RELEASE for previous two commits

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>

php8: xml modules affect others

As with gettext modules described in #28078 and #28075, xml and dom
related module selection affects the dependencies of other packages.

Therefore, we invert the dependency logic:

PHP8_LIBXML and PHP8_DOM are are enabled by default and packages
which depend on libxml2 and --enable-dom=shared are not shown (and
the related configure args are disabled) if the config options are
not enabled.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>

php8: module selection affects other sub-packages

Fixes: php8: global package dependency changes based on module
selection

Fixes: #28078
As described in #28078 and #28075,

Some binaries gain a dependency on libstdcpp when mod-gettext is included
in the build, however this was not explicitly declared, so packaging
fails with (e.g.):

Package php8-cgi is missing dependencies for the following libraries:
libstdc++.so.6

In contrast to #28075, this commit takes the approach:

* Make use of --with-gettext depend on a configure flag (enabled by
  default, since that matches current full build behaviour)
* Make sub-packages which require --with-gettext depend on the
  configure flag

This means that e.g. php-cgi would not have gettext support if the
configure flag was disabled, and e.g. php-mod-gettext and php-mod-intl
would not be selectable.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>

zerotier: apply upstream license change to `MPL-2.0`

Upstream changed license to `MPL-2.0` for all except `nonfree/`. Building with `ZT_NONFREE=1` excludes these non-free code, make the result effectively under `MPL-2.0`. Read more at https://github.com/zerotier/ZeroTierOne/blob/1.16.0/RELEASE-NOTES.md#2025-08-21----version-1160

Signed-off-by: Mai Thanh Minh <thanhminh.mr@gmail.com>

net-snmp: fix literal string test in snmpd_sink_add

The function snmpd_sink_add() has a guard clause that tests the literal
string "section", not the variable value "$section".

The test `[ -n "section" ]` always evaluates to true because the string
literal "section" is non-empty, making the check useless.

This function is only called internally with hardcoded arguments, so the
bug has no actual impact currently. For the same reason, this change
should not break existing configurations. However, I think it should be
fixed so future callers do not have a false sense of security.

Signed-off-by: Eric McDonald <librick-openwrt@proton.me>

irqbalance: update to 1.9.5

Update irqbalance to version 1.9.5

* drop the original local meson patch, as meson is now properly adopted
  by upstream. But patch meson.build to keep glib2 library statically
  linked in order to avoid a dependency and indirect size increase.

* disable unnecessary functions via meson features settings
  (capng, numa, systemd, thermal, ui)

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

qemu: update to 10.1.3

- Update version
- No patch refresh needed

Changelog: https://www.mail-archive.com/qemu-devel@nongnu.org/msg1156310.html

Signed-off-by: Vladimir Ermakov <vooon341@gmail.com>

yq: Update to 4.50.1

Release note: https://github.com/mikefarah/yq/releases/tag/v4.50.1

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>

xray-core: Update to 25.12.8

Release note: https://github.com/XTLS/Xray-core/releases/tag/v25.12.8

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>

dnsproxy: Update to 0.78.2

Release note: https://github.com/AdguardTeam/dnsproxy/releases/tag/v0.78.2

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>

rclone: Update to 1.72.1

Release note: https://github.com/rclone/rclone/releases/tag/v1.72.1

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>

ci: add more labels

Add 'Add package' label when a new Makefile is added or 'Drop package'
when a Makefile is deleted.

Label PRs to OpenWrt 25.12 branch.

Label CI-related PRs.

Signed-off-by: George Sapkin <george@sapk.in>