04 Aug 2025

Xlight 3.9.4.6 Released!

  • Fix a bug where the option "show program icon in the taskbar after Windows start" did not work correctly.
  • Add support for hmac-sha2-512.

04 Aug 2025

Bruno 2.8.1 Released!

Bug Fixes

  • Inability to disable SSL/TLS certificate verification
  • Multiline JSON array parsing in body:JSON
  • Scrollbars unexpectedly appearing based on system preferences
  • Status bar styling and themes

01 Aug 2025

Ghostscript 10.05.1 Security Release

Security release!

Highlights in this release include:

  • The 10.05.1 patch release addresses:

    • An overflow issue in Freetype on platforms where long is a 4 byte (rather than 8 byte) type (Microsoft Windows, for example) causing corrupted glyph rendering at higher resolutions

    • An issue with embedded files, affecting Zugferd format PDF creation.

    • Broken logic in PDF Optional Content processing

    • Potential slow down due to searching for identifiable font files

    • A small number of extreme edge case segmentation faults.

  • This release addresses CVEs: CVE-2025-27835, CVE-2025-27832, CVE-2025-27831, CVE-2025-27836, CVE-2025-27830, CVE-2025-27833, CVE-2025-27837, CVE-2025-27834, CVE-2025-46646

  • The 10.05.1 release deprecates the non-standard operator "selectdevice"; all code should now be using the standard "setpagedevice" operator. "selectdevice" will be removed in the 10.06.0 release.

  • We now support production of PDF/X-1a and PDF/X-4a in addition to the existing support for PDF/X-3

  • Our efforts in code hygiene and maintainability continue.

  • The usual round of bug fixes, compatibility changes, and incremental improvements.

  • (9.53.0) We have added the capability to build with the Tesseract OCR engine. In such a build, new devices are available (pdfocr8/pdfocr24/pdfocr32) which render the output file to an image, OCR that image, and output the image "wrapped" up as a PDF file, with the OCR generated text information included as "invisible" text (in PDF terms, text rendering mode 3).

    Mainly due to time constraints, we only support including Tesseract from source included in our release packages, and not linking to Tesseract/Leptonica shared libraries. Whether we add this capability will be largely dependent on community demand for the feature.

    See Enabling OCR for more details.

For a list of open issues, or to report problems, please visit bugs.ghostscript.com.

Incompatible changes

Included below are incompatible changes from recent releases (the specific release in question is listed in parentheses). We include these, for now, as we are aware that not everyone upgrades with every release.

  • (10.05.1) The 10.05.1 release deprecates the non-standard operator "selectdevice"; all code should now be using the standard "setpagedevice" operator. "selectdevice" will be removed in the 10.06.0 release.

  • IMPORTANT: (10.04.0) We added protection for device selection from PostScript input. This means that, by default, only the device specified on the command line will be permitted. Similar to the file permissions, there is a "--permit-devices=" option that takes a comma-separated list of allowed devices. It also accepts a single wildcard "*", allowing any device.

    Any application which relies on allowing PostScript to change devices during a job will have to be aware, and take action to deal with this change.

    The exception is "nulldevice", switching to that requires no special action.

  • (10.03.1) Almost all the "internal" PostScript procedures defined during the interpreter startup are now "executeonly", further reducing the attack surface of the interpreter.

    The nature of these procedures means there should be no impact for legitimate usage, but it is possible it will impact uses which abuse the previous accessibility (even for legitimate reasons). Such cases may now require "DELAYBIND"; see DELAYBIND.

  • (10.03.1) The "makeimagedevice" non-standard operator has been removed. It allowed low-level access to the graphics library in a way that was essentially impossible to secure.

  • (10.03.1) The "putdeviceprops", "getdeviceprops", "finddevice", "copydevice", "findprotodevice" non-standard operators have all been removed. They provided functionality that is either accessible through standard operators, or should not be used by user PostScript.

  • (10.03.1) The process of "tidying" the PostScript namespace should have removed only non-standard and undocumented operators. Nevertheless, it is possible that any integrations or utilities that rely on those non-standard and undocumented operators may stop working or may change behaviour.

    If you encounter such a case, please contact us (Discord, #ghostscript IRC channel, or the gs-devel mailing list would be best), and we'll work with you to either find an alternative solution or return the previous functionality, if there is genuinely no other option.

  • (9.55.0) Changes to the device API. This will affect developers and maintainers of Ghostscript devices. Firstly, and most importantly, the way device-specific "procs" are specified has been rewritten to make it (we think!) clearer and less confusing. See The Interface between Ghostscript and Device Drivers and The Great Device Rework Of 2021 for more details.

  • (9.55.0) The command line options -sGraphicsICCProfile=___, -dGraphicsIntent=#, -dGraphicsBlackPt=#, -dGraphicsKPreserve=# have been changed to -sVectorICCProfile=___, -dVectorIntent=#, -dVectorBlackPt=#, -dVectorKPreserve=#.

  • (9.53.0) As of 9.53.0, we have (re-)introduced the patch level to the version number, this helps facilitate a revised policy on handling security-related issues.

    Note for GSView Users: The patch level addition breaks GSView 5 (it is hardcoded to check for versions 704-999). It is possible, but not guaranteed, that a GSView update might be forthcoming to resolve this.

  • (9.52) -dALLOWPSTRANSPARENCY: The transparency compositor (and related features), whilst we are improving it, remains sensitive to being driven correctly, and incorrect use can have unexpected/undefined results. Hence, as part of improving security, we limited access to these operators, originally using the -dSAFER feature. As we made "SAFER" the default mode, that became unacceptable, hence the new option -dALLOWPSTRANSPARENCY which enables access to the operators.

  • (9.50) There are a couple of subtle incompatibilities between the old and new SAFER implementations. Firstly, as mentioned in the 9.50 release notes, SAFER now leaves standard PostScript functionality unchanged (except for the file access limitations). Secondly, the interaction with save/restore operations has changed. See SAFER.

    Important Note for Windows Users:
    The file/path pattern matching is case-sensitive, even on Windows. This is a change in behaviour compared to the old code which, on Windows, was case insensitive. This is in recognition of changes in Windows behaviour, in that it now supports (although does not enforce) case sensitivity.

01 Aug 2025

Nodejs 24.4.1 Security Release

Security release!

Notable Changes

  • (CVE-2025-27209) HashDoS in V8 with new RapidHash algorithm
  • (CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()

01 Aug 2025

Ngrok 3.2.5.0

2025-07-24 - Added support for Debian Bookworm.
2025-07-17 - Agent now allows configuring minimum and maximum supported TLS versions.
2025-07-17 - [Critical Fix] Agent now allows enforcing mTLS certificate validation.

11 Jul 2025

Git 2.50.1 Security release

EMERGENCY Security release!

Bug Fixes

  • CVE-2025-27613, Gitk: When a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enabled or not.
  • CVE-2025-27614, Gitk: A Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking gitk filename, where filename has a particular structure.
  • CVE-2025-46334, Git GUI (Windows only): A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. On Windows, path lookup can find such executables in the worktree. These programs are invoked when the user selects "Git Bash" or "Browse Files" from the menu.
  • CVE-2025-46835, Git GUI: When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file.
  • CVE-2025-48384, Git: When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout.
  • CVE-2025-48385, Git: When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution.
  • CVE-2025-48386, Git: The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows.

This release merges up the fixes that appear in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, and v2.49.1 to address the following CVEs: CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386. See the release notes for v2.43.7 for details.

06 Jul 2025

Postgresql July Bundle Released

17.5 - https://www.postgresql.org/docs/release/17.5/
16.9 - https://www.postgresql.org/docs/release/16.9/
15.13 - https://www.postgresql.org/docs/release/15.13/
14.18 - https://www.postgresql.org/docs/release/14.18/
13.21 - https://www.postgresql.org/docs/release/13.21/

06 Jul 2025

Composer 2.8.9 Released

  • Fixed json schema issues with version validation (#12376)
  • Fixed bump-after-update triggering after an update --lock, which makes no sense (#12371)
  • Fixed zip bomb false positives when unpacking using ZipArchive (#12409)
  • Fixed creation of empty archives (#12408)
  • Removed output of script being run when running via composer  (#12383)

05 Jul 2025

MariaDB July bundle release

All detailed changelogs are here

https://mariadb.com/docs/release-notes/mariadb-community-server-release-notes/changelogs

05 Jul 2025

Ruby 3.4.4-2 Released

This release includes a fix for a YJIT bug related to local variables and addresses a build issue on Windows when using GCC 15. It was released ahead of schedule to make these fixes available as soon as possible. A few other bug fixes are also included.

Please see the release notes on GitHub for further details.

Release Schedule

We intend to release the latest stable Ruby version (currently Ruby 3.4) every two months following the most recent release. Following this release (3.4.4), Ruby 3.4.5 is scheduled for July, 3.4.6 for September, 3.4.7 for November, and 3.4.8 for January.

If a change arises that significantly affects users, a release may occur earlier than planned, and the subsequent schedule may shift accordingly.

04 Jul 2025

NodeJS 24.3.0 & 22.17.0 Released

24.3.0 Notable Changes

  • [841609ac1c] - doc: add islandryu to collaborators (Shima Ryuhei) #58714
  • [839964ece8] - (SEMVER-MINOR) fs: allow correct handling of burst in fs-events with AsyncIterator (Philipp Dunkel) #58490
  • [9b28f40834] - (SEMVER-MINOR) module: remove experimental warning from type stripping (Marco Ippolito) #58643
  • [7cdda927fa] - test: fix test-timeout-flag after revert of auto subtest wait (Pietro Marchini) #58282
  • [dce1995c55] - Revert "test_runner: remove promises returned by t.test()" (Romain Menke) #58282
  • [8b0c5edbb6] - Revert "test_runner: remove promises returned by test()" (Romain Menke) #58282
  • [713fbad7b6] - (SEMVER-MINOR) test_runner: support object property mocking (Idan Goshen) #58438
  • [ef0230abaf] - (SEMVER-MINOR) url: add fileURLToPathBuffer API (James M Snell) #58700

22.17.0 Notable Changes

⚠️ Deprecations

Instantiating node:http classes without new

Constructing classes like IncomingMessage or ServerResponse without the new
keyword is now discouraged. This clarifies API expectations and aligns with standard
JavaScript behavior. It may warn or error in future versions.

Contributed by Yagiz Nizipli in #58518.

options.shell = "" in node:child_process

Using an empty string for shell previously had undefined behavior. This change
encourages explicit choices (e.g., shell: true or a shell path) and avoids
relying on implementation quirks.

Contributed by Antoine du Hamel and Renegade334 #58564.

HTTP/2 priority signaling

The HTTP/2 prioritization API (e.g., stream.priority) is now deprecated due to
poor real-world support. Applications should avoid using priority hints and expect future removal.

Contributed by Matteo Collina and Antoine du Hamel #58313.

✅ Features graduated to stable

assert.partialDeepStrictEqual()

This method compares only a subset of properties in deep object comparisons,
useful for flexible test assertions. Its stabilization means it's now safe for
general use and won't change unexpectedly in future releases.

Contributed by Ruben Bridgewater in #57370.
