
Bump locutus from 2.0.39 to 3.0.25 #3693

Merged
bobvandevijver merged 1 commit into 6.2 from dependabot/npm_and_yarn/locutus-3.0.25
Apr 25, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github Mar 27, 2026

Bumps locutus from 2.0.39 to 3.0.25.

Release notes

Sourced from locutus's releases.

v3.0.25

Released: 2026-03-25. Diff. Version rationale: patch for runtime security fixes plus maintainer/workflow hardening without import-model or runtime floor changes.

Security

  • Hardened php/var/unserialize against __proto__ / constructor / prototype key injection by defining those keys as plain own properties instead of letting them mutate the returned object's prototype.
  • Hardened php/strings/parse_str against dangerous key-path prototype pollution without relying on RegExp.prototype.test, so __proto__ and constructor[prototype] payloads are skipped even if regex guards are tampered with earlier in the process.
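An added example (not locutus's code) in the spirit of the two fixes above: a parse_str-style key-path writer that refuses __proto__, constructor and prototype segments through a Set lookup rather than a regex test, and an unserialize-style object builder that pins those keys as own properties with Object.defineProperty. The function names and the bracket-key handling are assumptions made for illustration.

```javascript
// Keys that, as a path segment, would reach Object.prototype. A Set lookup is used
// rather than RegExp.prototype.test, which other code in the realm could replace.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// parse_str-style sink (hypothetical name): write value along a key path such as
// ['a', 'b'] on target, refusing the whole path if any segment is dangerous.
function assignKeyPath(target, segments, value) {
  if (segments.length === 0 || segments.some((s) => DANGEROUS_KEYS.has(s))) {
    return false; // payload skipped, nothing written
  }
  let node = target;
  for (const key of segments.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(node, key) || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return true;
}

// Minimal query-string parser (hypothetical): "a[b]=1&c=2" -> { a: { b: '1' }, c: '2' }.
function parseQueryString(qs) {
  const result = {};
  for (const pair of qs.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    // "a[b][c]" -> ['a', 'b', 'c'] using plain string splitting, no regex.
    const segments = rawKey.split(']').join('').split('[').filter((s) => s !== '');
    assignKeyPath(result, segments, value);
  }
  return result;
}

// unserialize-style sink (hypothetical name): rebuild an object from decoded [key, value]
// entries; for dangerous keys, defineProperty creates an own property instead of swapping the prototype.
function materializeObject(entries) {
  const out = {};
  for (const [key, value] of entries) {
    if (DANGEROUS_KEYS.has(key)) {
      Object.defineProperty(out, key, { value, writable: true, enumerable: true, configurable: true });
    } else {
      out[key] = value;
    }
  }
  return out;
}
```

Feeding a constructed payload such as `__proto__[polluted]=1` through parseQueryString leaves Object.prototype untouched while ordinary keys like `a[b]=2` are still assigned.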

Inventory

  • Added a separate canonical upstream-surface scope manifest and made enumeration/checking fail on missing expected namespaces, unexpected namespaces, and source-ref drift before triage policy is applied.
  • Upgraded canonical namespace discovery from a bare name list into a self-describing namespace-catalog contract, so scope audit now validates namespace names, target version, source kind, and source ref together.
  • Added an explicit enumerate:upstream-surface maintainer flow that materializes the full tracked catalog across runtime, docs/source, and manual snapshots, while keeping refresh:upstream-surface as the live-discovery-only alias.
  • Broadened canonical namespace-audit coverage across the runtime-backed languages by adding catalog discovery for Go, Julia, R, Elixir, Ruby, PHP, and Tcl, and made the maintainer flow treat docs/upstream-surface-scope.yml as the planning source of truth before new expansion work begins.
  • Made runtime catalog discovery safer and more reliable by excluding Python's side-effectful antigravity module from canonical scope and by batching Go package discovery inside one container run with a larger Docker output buffer.
  • Broadened the upstream-surface inventory beyond the first curated slice, adding new tracked namespaces for Python, Ruby, Elixir, Lua, Tcl, and Perl while keeping the catalog at untriaged: 0.
  • Added language-level scope notes and tracked-namespace counts to the website inventory panel so language pages no longer imply they cover an entire upstream language when they still track a deliberate subset.
  • Added Python builtins, Tcl dict and standalone value commands, PowerShell System.Math, Rust std::cmp, Julia Statistics, R stats, the remaining Lua core libraries, and Perl List::Util / Scalar::Util to the tracked upstream catalog so the language pages now reflect a much broader and more honest core-runtime roadmap.
  • Continued broadening the same inventory in-flight with Python heapq / textwrap, Ruby Integer / Float, Go slices, Elixir Tuple, PowerShell System.Char, and Rust primitive char, plus a Go generic-symbol normalization fix so those inventories stay clean and comparable.
  • Closed the last structural gaps in the current project surface by adding upstream tracking for Haskell list, Kotlin collections / text, and Swift String, so every language/category currently shipped under src/ is now represented in the upstream inventory.
  • Continued the same breadth wave toward official core/stdlib scope with Python cmath / collections / decimal / random / unicodedata, Ruby Comparable / Range / Regexp / Symbol / Time, Elixir Base / Date / Keyword / NaiveDateTime / URI, PowerShell System.Convert / System.Array, Rust primitive f32 / f64, Kotlin comparisons / math / ranges, and Swift Array / Character.
  • Continued broadening toward official core/stdlib scope with Python base64 / calendar / html / json / urllib.parse, Go bytes / cmp / maps / unicode / utf8, Tcl's broader core command and ensemble surface, R recommended packages (utils, graphics, grDevices, methods, stats4, tools), Julia Random / Printf / Unicode, Elixir DateTime / MapSet / Regex / Time / Version, and additional docs-backed Haskell, Perl, PowerShell, Rust, and Swift core namespaces.
  • Continued the same breadth push with Python csv / hashlib / hmac, Ruby Dir / File / MatchData / Numeric, Go encoding/base64 / encoding/hex / math / math/bits, R compiler / grid / parallel / splines, Julia DelimitedFiles / LinearAlgebra, Clojure walk / zip, and more docs-backed core namespaces for PowerShell, Rust, Swift, Kotlin, Haskell, and Perl while dropping empty runtime-only catalogs like R datasets.
  • Extended the same R breadth wave across the official recommended packages with class, cluster, foreign, KernSmooth, lattice, MASS, Matrix, mgcv, nlme, nnet, rpart, spatial, and survival, keeping the policy sparse through namespace defaults rather than per-function bookkeeping.
  • Tightened the discovery contract again so every supported language now exposes both a canonical namespace catalog and a deterministic discover() path, with enumerate:upstream-surface running one unified codepath across runtime-backed and snapshot-backed languages instead of silently bypassing the latter.
  • Replaced the last snapshot-reuse discovery paths with real canonical extraction for AWK, C, Perl, PowerShell, Rust, Haskell, Kotlin, and Swift, so checked-in upstream snapshots are now discovery artifacts rather than hidden inputs.
  • Patched the website build dependency tree against open fast-xml-parser advisories by overriding Hexo feed generation's transitive fast-xml-parser dependency to 5.5.9, keeping the fix scoped to the website-only build surface.
  • Hardened the GitHub Actions workflow so PR validation runs with read-only repository permissions, while npm release and website deploy now happen in separate write-scoped jobs only on tags or main.

v3.0.24

Released: 2026-03-16. Diff. Version rationale: patch for a large additive Python math expansion plus the upstream-inventory groundwork that now drives broader namespace harvests.

Inventory

  • Reworked the upstream-surface inventory into a compact triage model with namespace defaults and wildcard rules, so we can classify large upstream catalogs without per-function noise.
  • Drove the checked-in upstream inventory to untriaged: 0 across all current languages and namespaces, and surfaced the resulting keep/skip/wanted state more clearly on the website.

Expansion

  • Added a first python/math harvest focused on trigonometric and angle-conversion helpers: acos, acosh, asin, asinh, atan, atan2, atanh, copysign, cos, cosh, degrees, expm1, hypot, radians, sin, sinh, tan, and tanh.

v3.0.23

Released: 2026-03-16. Diff. Version rationale: patch for scoped PHP runtime-correctness fixes aligned to the PHP 8.3 parity target.

Fixes

... (truncated)

Changelog

Sourced from locutus's changelog.
... (truncated)

Commits
  • 0d2402b Release v3.0.25
  • ccd6320 docs: prepare v3.0.25 release
  • 345a621 fix: harden php prototype pollution sinks (#597)
  • 9922b77 fix: harden ci advisory surface (#596)
  • 2313643 docs: add security gh commands
  • e67018b docs: add security triage to maintainer cycle
  • becbd66 fix: patch website fast-xml-parser alert (#595)
  • dfa6f6b docs: second full core-stdlib triage wave (#594)
  • 7c5c9e9 feat: add namespace-family upstream triage (#593)
  • 0cee1eb feat: complete canonical upstream discovery pass (#592)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file 🧹 Chore labels Mar 27, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/locutus-3.0.25 branch from a7cd6dd to bc8578a Compare March 30, 2026 11:31
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/locutus-3.0.25 branch 4 times, most recently from 7aaae58 to b9eb963 Compare April 9, 2026 20:50
@dependabot dependabot Bot changed the base branch from 6.0 to 6.1 April 9, 2026 20:50
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/locutus-3.0.25 branch 4 times, most recently from 3911c7e to b0b9c58 Compare April 15, 2026 19:23
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/locutus-3.0.25 branch 2 times, most recently from 8d9f3a3 to b74b435 Compare April 24, 2026 21:28
@bobvandevijver
Member

@dependabot recreate

Bumps [locutus](https://github.com/locutusjs/locutus) from 2.0.39 to 3.0.25.
- [Release notes](https://github.com/locutusjs/locutus/releases)
- [Changelog](https://github.com/locutusjs/locutus/blob/main/CHANGELOG.md)
- [Commits](locutusjs/locutus@v2.0.39...v3.0.25)

---
updated-dependencies:
- dependency-name: locutus
  dependency-version: 3.0.25
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/locutus-3.0.25 branch from b74b435 to 916da91 Compare April 25, 2026 17:46
@bobvandevijver bobvandevijver added this to the Bolt 6.2 milestone Apr 25, 2026
@bobvandevijver bobvandevijver changed the base branch from 6.1 to 6.2 April 25, 2026 17:49
@bobvandevijver bobvandevijver merged commit 916da91 into 6.2 Apr 25, 2026
34 of 35 checks passed
@bobvandevijver bobvandevijver deleted the dependabot/npm_and_yarn/locutus-3.0.25 branch April 25, 2026 17:55