curl (8.19.0-3) unstable; urgency=medium
 .
   * debian/rules: revert parallel tests multiplier to 4.
curl (8.19.0-2) unstable; urgency=medium
 .
   [ Samuel Henrique ]
   * debian/rules: Don't skip any tests and increase parallel factor to 7.
 .
   [ Carlos Henrique Lima Melara ]
   * debian/patches/test459-switch-to-mode-warn-for-stderr-check.patch:
     cherry-pick from upstream. (Closes: #1131157)
curl (8.19.0-1+exp1) experimental; urgency=medium
 .
   * Enable experimental features: HTTPS RR and SSL session import/export
   * d/rules: Don't skip any tests and increase parallel factor to 7

golang-github-google-cel-go (0.27.0+ds-3) unstable; urgency=medium
 .
   * Team upload.
   * Fix missing cast in 32bit patch
golang-github-google-cel-go (0.27.0+ds-2) unstable; urgency=medium
 .
   * Team upload.
   * Fix build on 32bit architectures, closes: #1131386
golang-github-google-cel-go (0.27.0+ds-1) unstable; urgency=medium
 .
   * Team upload.
   * debian/control: cherry-pick changes for newer golang-gopkg-yaml.v3.
     (Closes: #1127870)
   * debian/control: sync dependency from build-deps.
   * Upload to unstable. (Closes: #1127705)
golang-github-google-cel-go (0.27.0+ds-1~exp1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream version 0.27.0. (Closes: #1127705)
   * Drop 0002-Disable-tests-breaks-on-32bit-architectures.patch: bug
     closed upstream.
   * Drop revert-antlr4.11.patch: packaged golang-github-antlr4-go-antlr
     instead.
   * Update in missing sources from upstream.
   * debian/patches/golang-golang-x-text.patch: refreshed.
   * debian/control: build-deps on golang-cel-expr-dev.
   * debian/control: build-deps on golang-github-antlr4-go-antlr-dev
     instead of revert early upstream commit for the path change.
   * debian/rules: workaroud conflict registration in tests.
   * debian/rules: install cel/templates/authoring.tmpl.
   * debian/rules: append conformance to DH_GOLANG_EXCLUDES.
   * debian/rules: cleanup non-exist path in DH_GOLANG_EXCLUDES.
   * debian/control: drop golang-github-stoewer-go-strcase-dev dependency.
   * Update dependency to golang-google-protobuf-dev.
   * debian/control: build-deps on golang-gopkg-yaml.v3-dev.
   * Upload to experimental due to awaiting build-deps from NEW queue.

hugo (0.159.1-1) unstable; urgency=medium
 .
   * New upstream version 0.159.1
     - Update versioned Build-Depends on golang-github-tdewolff-minify-dev
   * Add ppc64 to list of failing architectures for WebP test

jquery-ui-themes (1.14.2+dfsg-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.3
   * Drop "Priority: optional"
   * Add debian/gbp.conf
   * debian/watch version 5
   * New upstream version 1.14.2+dfsg

libclone-perl (0.50-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 0.50.
   * Add SECURITY.md to docs.

liblocale-codes-perl (3.88-1) unstable; urgency=medium
 .
   * Team upload.
   * Import upstream version 3.88.
   * Update years of upstream copyright.
   * Declare compliance with Debian Policy 4.7.3.

node-postcss (8.5.8+~cs9.3.30-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.3
   * Drop "Rules-Requires-Root: no"
   * Drop "Priority: optional"
   * New upstream version 8.5.8+~cs9.3.30
   * Refresh patches

node-yaml (2.8.3+~cs0.4.0-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.3
   * Drop "Rules-Requires-Root: no"
   * Drop "Priority: optional"
   * New upstream version (Closes: #1132040, CVE-2026-33532)

nodejs (22.22.2+dfsg+~cs22.19.15-1) unstable; urgency=medium
 .
   * New upstream version 22.22.2+dfsg+~cs22.19.15
   * Security fixes:
     + CVE-2026-21637: wrap SNICallback invocation in
       try/catch (Matteo Collina) - High
     + CVE-2026-21710: use null prototype for
       headersDistinct/trailersDistinct (Matteo Collina) - High
     + CVE-2026-21713: use timing-safe comparison
       in Web Cryptography HMAC (Filip Skokan) - Medium
     + CVE-2026-21714: handle NGHTTP2_ERR_FLOW_CONTROL
       error code (RafaelGSS) - Medium
     + CVE-2026-21717: test array index hash collision (Joyee Cheung) - Medium
     + CVE-2026-21715: add permission check to realpath.native (RafaelGSS) - Low
     + CVE-2026-21716: include permission check on lib/fs/promises (RafaelGSS) - Low

openvpn-auth-oauth2 (1.27.1-1) unstable; urgency=medium
 .
   * Moving dh-golang builddirectory to debian/_build.
   * Harmonizing watch file.
   * Merging upstream version 1.27.1.
   * Updating year in copyright for 2026.
openvpn-auth-oauth2 (1.27.0-2) unstable; urgency=medium
 .
   * Passing location of the cache directory to fix FTBFS when manually
     building the plugin after the daemon (Closes: #1127974).
openvpn-auth-oauth2 (1.27.0-1) unstable; urgency=medium
 .
   * Merging upstream version 1.27.0.
   * Removing files-excluded in copyright, not needed anymore.
   * Removing exclude-favicon.patch, not needed anymore.
   * Removing httpmux.patch, not needed anymore.
   * Renumbering patches.
   * Adding new build-depends to golang-github-google-cel-go.
openvpn-auth-oauth2 (1.26.4+dfsg-6) unstable; urgency=medium
 .
   * Using dh_golang install extra variable rather than manually copying
     files into build directory, thanks to Andrew Lee <ajqlee@debian.org>.
   * Building experimental openvpn native plugin.
openvpn-auth-oauth2 (1.26.4+dfsg-5) unstable; urgency=medium
 .
   * Starting openvpn-auth-oauth2 services only when configs exist.
   * Moving default config file to examples, so openvpn-auth-oauth2 doesn't
     start by default.
openvpn-auth-oauth2 (1.26.4+dfsg-4) unstable; urgency=medium
 .
   * Updating httpmux.patch description.
   * Updating to standards version 4.7.3.
   * Wrap and sorting debian files.
   * Updating years in copyright for 2026.
   * Removing defaults file in favour of daemon specific configuration
     consistency.
   * Adding patch to update executable paths in systemd service file for
     dynamic compiling, thanks to Joanand Kuharajasekaram
     <joanand.kuharajasekaram@bfh.ch>.
   * Adding systemd service template, thanks to Joanand Kuharajasekaram
     <joanand.kuharajasekaram@bfh.ch> and Andrew Lee <ajqlee@debian.org>.
openvpn-auth-oauth2 (1.26.4+dfsg-3) unstable; urgency=medium
 .
   * Adding patch to disable httmux golang 1.21 compat mode, thanks to
     Andrew Lee <ajqlee@debian.org>.
openvpn-auth-oauth2 (1.26.4+dfsg-2) unstable; urgency=medium
 .
   * Adding newly added openvpn-plugin.h to copyright, thanks to Andrew Lee
     <ajqlee@debian.org>.
openvpn-auth-oauth2 (1.26.4+dfsg-1) unstable; urgency=medium
 .
   * Merging upstream version 1.26.4+dfsg.
   * Building with golang-1.25 due to usage of new waitGroup functions.
openvpn-auth-oauth2 (1.26.2+dfsg-1) unstable; urgency=medium
 .
   * Initial upload to sid (Closes: #1118276).
   * Rebuilding upstream tarball without sourceless favicon.png.

ruby-bcrypt (3.1.22-1) unstable; urgency=medium
 .
   * Team upload.
   * Upgrade the watch file to version 5.
   * New upstream release.
     - Fixes CVE-2026-33306.
   * Drop Rules-Requires-Root field, it is now redundant.
   * Refresh the copyright file.