|
| 1 | +### v2.2.4 - 29/03/2026 |
| 2 | + |
| 3 | +| # | Severity | Finding | Status | |
| 4 | +| --- | -------- | ------------------------------------------------------------------------------------------------------- | ------- | |
| 5 | +| 1 | High | Missing branch name validation for patch repos could allow command injection via malformed URLs | Fixed | |
| 6 | +| 2 | Medium | C++ standard configuration dynamically resolved with Floor/Ceiling limits (`_set_cxx_standard`) | Added | |
| 7 | +| 3 | Medium | `_apply_patches` only permitted single `url` files; now sequentially loops multiple patch lines | Fixed | |
| 8 | +| 4 | Medium | Unhandled iteration over multiple remote repositories assigned in `qbt_patches_url` | Fixed | |
| 9 | +| 5 | Medium | `_semantic_version` `master`/`latest` tags did not resolve accurately against highest C++ floors | Fixed | |
| 10 | +| 6 | Medium | Libtorrent CMake configuration triggers deprecation issues and missed `webtorrent=ON` for v2.1+ | Fixed | |
| 11 | +| 7 | Medium | `iconv` retention logic bypassed reliable checks and incorrectly peristed on some non-v1 setups | Fixed | |
| 12 | +| 8 | Low | `python-numpy` and `python-numpy-dev` package inclusion caused resolution conflicts | Fixed | |
| 13 | +| 9 | Low | Libtorrent `version_str` fallback in `version.hpp` not parsed when missing `LIBTORRENT_VERSION` | Fixed | |
| 14 | +| 10 | Info | OS max capability capping limits introduced to cleanly prevent incompatible `c++` compilations | Added | |
| 15 | +| 11 | Info | `-std=c++${qbt_standard}` format dynamically merged into `CXXFLAGS`/`QMAKE_CXXFLAGS` internally | Updated | |
| 16 | +| 12 | High | `cxx_os_cap` fallback for unlisted OS defaulted to `23` instead of `17` circumventing compiler safety | Fixed | |
| 17 | +| 13 | High | ABI Mismatch Check added to strictly prevent mixing `c++14` targeted projects with `c++17` | Added | |
| 18 | +| 14 | Medium | `_set_cxx_standard` resolved lowest requirement instead of intersecting highest safe capable standard | Fixed | |
| 19 | +| 15 | Low | `_download` Shellcheck `SC2015` warnings related to unsafe short-circuit evaluation logic | Fixed | |
| 20 | +| 16 | Low | GitHub API JSON parsing in `_download_directory_contents` made robust against `null` types | Fixed | |
| 21 | +| 17 | Medium | Manual `Jamfile` overrides correctly preserved during external patch directory synchronization | Fixed | |
| 22 | +| 18 | Medium | Temporary patch files in `_process_local_patches` processed safely to avoid duplicate merge conflicts | Fixed | |
| 23 | + |
1 | 24 | ### v2.2.3 - 21/03/2026 |
2 | 25 |
|
3 | 26 | No breaking changes. Some work towards Libtorrent RC_2_1 support but mostly bugs fixes. |
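Review bot: Row 1 of the new v2.2.4 table records a High command-injection fix without naming the function that now validates the branch name or saying what the validation accepts, whereas most other rows name the function involved (`_set_cxx_standard`, `_apply_patches`, `_download`). Name the function and state the rule so the fix can be audited from the changelog, and clarify whether the untrusted input is the branch name, the URL, or both, since the text says "branch name validation" but attributes the injection to "malformed URLs". Smaller points in the same table: row 7 has a typo ("peristed" should be "persisted"), the High rows 12 and 13 sit after the Info rows so the table is not ordered by severity, and v2.2.4 has no summary line like the "No breaking changes." sentence under v2.2.3.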
@@ -37,7 +60,7 @@ No breaking changes. Some work towards Libtorrent RC_2_1 support but mostly bugs |
37 | 60 | | 31 | Low | `sub_dir` global variable leaks between modules if bootstrap does not unset it | Fixed | |
38 | 61 | | 32 | Low | `_boost` runs `sed -i` on `build.sh` without checking file exists or pattern matches | Fixed | |
39 | 62 | | 33 | Low | `_cache_dirs_qbt_env` calls `exit 1` from inside download hot path — confusing failure context | Fixed | |
40 | | -| 34 | Low | `_download_directory_contents` grep-based JSON parsing fragile against API format changes | Open | |
| 63 | +| 34 | Low | `_download_directory_contents` grep-based JSON parsing fragile against API format changes | Fixed | |
41 | 64 | | 35 | Low | `_fix_multiarch_static_links` ignores its argument, uses global `qbt_cross_host` directly | Fixed | |
42 | 65 | | 36 | Low | `_icu_host_deps` second `make` call uses `_tee` without `-a` — overwrites configure log | Fixed | |
43 | 66 | | 37 | Low | `_installation_modules` regex over `${!qbt_modules_install[*]}` fragile with non-default IFS | Open | |
|
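Review bot: Flipping row 34 from Open to Fixed inside the v2.2.3 table rewrites the record of an already dated release, and the only matching entry in v2.2.4 is row 16, which says the parsing was "made robust against `null` types". That does not obviously cover the original finding, "grep-based JSON parsing fragile against API format changes". If the parsing is still grep-based, keep row 34 as Open or mark it partially fixed; if it was replaced, say so in row 16 and annotate row 34 with a pointer such as "Fixed in v2.2.4 (#16)" instead of a bare status change.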