CVE-2025-40909

Reproduce the vulnerability CVE-2025-40909 in an isolated Docker container running Perl v5.34.0.

I don't know everyone who is involved in maintaining MetaCPAN and I don't know all the details of the performance related issues that have been an ongoing challenge (I believe they have been related to relentless bots?).
In any case, this last week MetaCPAN seems to have been running flawlessly!
So rather than burying a thanks note in a github issue, I wanted to put a public thanks here to all the volunteers and sponsors that keep MetaCPAN (and CPAN) running.
The CFP is closed, but in order to attend the PCC virtually, please follow this link, https://www.meetup.com/austin-perl-mongers/events/305855419/.
We are asking for a $30 donation at sign-up, but you may email science@perlcommunity.org to inquire about a discounted or free code we have for non-profits and those in between jobs.
To sign up for our low-volume email list to get information about upcoming events, click here.
All three of us attended.

Caching with Redis/Valkey using Perl.
Please check out the link for more information:
https://theweeklychallenge.org/blog/caching-in-perl
I had the pleasure of attending The Perl & Raku Conference (TPRC) 2025 in Greenville, SC as a volunteer. As always, opinions are my own.
The Conference
The conference went quite well. Unfortunately, a major weather event disrupted flights across the US, particularly around Atlanta, causing travel issues for some attendees and speakers. This led to a few talk cancellations.
We adapted to it by consolidating the two talk tracks into one. There was still a diverse range of topics, and judging by the audience reactions, some of the talks were very well received.
The conference was attended by 40-50 people.
The Venue
The event was hosted at a Holiday Inn Express in Greenville, which turned out to be an excellent choice. The hotel was clean, recently renovated (following flood repairs last year), and very reasonably priced: $139 + tax per night for a suite. The staff were quite friendly and accommodating. It also proved to be a great low-cost venue for hosting a conference - more on that below.
I had created the library in C as part of a bigger project to create a multithreaded and hardware (GPU, and soon TPU) accelerated library to manipulate fingerprints for text. At some point, I figured one can have fun vibe coding the interface to Perl. The first post in the series just dropped; it provides the background, rationale, the prompt and the first output by Claude 3.7. Subsequent posts will critique the solution and document subsequent interactions with the chatbot.
Part 2 will be about the alienfile (a task that was botched by the LLM). Suggestions for subsequent prompts welcome; as I said this is a project whose C backend (except the TPU part) is nearly complete, so I am just having fun with the Perl part.
Paper and talk submissions will be accepted until July 01, 2025 18:59 CDT
In particular I'd like to invite anyone who regrets not submitting a talk to the TPRC or who has gotten bit by the speaking bug. You are welcome to give your talk remotely.

Comparative analysis of Storable and Sereal using Perl.
Please check out the link for more information:
https://theweeklychallenge.org/blog/serialisation-in-perl
Graham couldn’t make it, so only Aristotle and Philippe this week.
Remember! Click Continue Reading to see all the text.
I am selling my villa unit and downsizing, probably in a month or so.
There may be a period when I am off-line.
In Australia villa unit means (usually) a stand-alone building in a small block of units.
I have a 2-bedroom unit and am moving into a retirement (Yikes!) village to a 1-bedroom unit.
There are various reasons but one is this month I turned 75, much to my amazement and horror.
I still live independently, drive, have 2 miniature dogs, manage my own medicine, etc. So - all good ATM.
And yes, I am still programming. I more-or-less monthly release https://savage.net.au/misc/Perl.Wiki.html,
my curated compendium of Perl modules, and I am slowly automating the creation of this wiki.
The next step will be to output the wiki as a jsTree (https://www.jstree.com/),
but moving - as you might know - consumes a lot of time.....
The Dancer Core Team is excitedly preparing a major release of Dancer2, 2.0.0. In advance of this, I'd like to give you all a preview of what to expect:
- A handful of bug fixes
- Customizable scrubber/censor engine (when dumping errors, etc. - a long requested feature)
- Remove Template::Tiny fork from core (Template::Tiny support remains, but ether graciously merged our customizations into Template::Tiny)
- Remove Dancer2::Template::Simple from the core of Dancer2
- New documentation, courtesy of a TPRF grant
- Removal of deprecated code (according to our deprecation policy)
- Official support for Perl 5.22 and newer
The following features are possible, but not likely for 2.0.0 (but maybe soon thereafter):
- Bring your own config engine (TOML, JSON, etc.)
- Using Throwable to produce errors
I'm estimating a release in the next 2-4 weeks. There are still a few bikesheds to paint, cats to herd, and yaks to shave.
If you have questions or feedback, we'd love to hear from you! Until then, keep Dancing, then Dance a little happier! :)
Jason/CromeDome

Quick introduction to AWS Lambda using CLI, Python and Perl.
Please check out the link for more information:
https://theweeklychallenge.org/blog/aws-lambda
In the past, it took two years to merge my first PAUSE on Plack branch into the master and three years to merge the next PAUSE on Mojolicious (actually, two years to deploy and another year to merge). Now the question was: how long would it take to merge the next big thing, multifactor authentication for PAUSE? Two years, three years, or maybe four years this time? I already had a two-year-old draft branch and initially wished to merge it this year. However, things went differently.
All three of us attended.
With help from the community a development release of DBD::Oracle has been released to the CPAN.
This release includes a number of important changes that we hope will improve stability with threaded Perl.
If you are using DBD::Oracle I would ask that you try it out in your non-production environments initially and perhaps, if you are confident thereafter, in your production environments.
The branch for it is here on github. I am personally grateful for people spending time and sending in pull requests; there is no monetary support for this driver although Oracle's open source community manager is actively engaged in discussions on issues and pull requests.
Github actions are configured on the repo and the quite thorough library of unit tests is run against Oracle XE on Ubuntu. This provides good signal but with extremely limited coverage of operating systems and database versions.
Due to the lack of variety in automated testing on Github - and the business critical nature of most Oracle databases - my recommendation is to mirror the Github repo into your organization's repos and configure CI testing against your specific combination of Oracle versions, operating systems, and settings. The Github actions can be adapted to Gitlab reasonably quickly and give you a very high level of confidence before trialing new versions in production.

Lexical Method in the latest release Perl v5.42 RC1. For more details, follow the link: https://theweeklychallenge.org/blog/lexical-method-v542
Over the past year, I’ve been self-studying XS and have now decided to share my learning journey through a series of blog posts. This tenth post introduces you to what I call closures in XS.
All three of us attended.
open done by readline. We will outline our thoughts on the thread.

Datastar is a new-ish entry in the world of hypermedia-oriented, htmx alternatives, with a distinct focus on Server-Sent Events. It describes itself thus:
Datastar brings the functionality provided by libraries like Alpine.js (frontend reactivity) and htmx (backend reactivity) together, into one cohesive solution. It's a lightweight, extensible framework that allows you to:
- Manage state and build reactivity into your frontend using HTML attributes.
- Modify the DOM and state by sending events from your backend.
I added Perl for Datastar with Datastar::SSE, for the backend reactivity bits.
blogs.perl.org is a common blogging platform for the Perl community. Written in Perl with a graphic design donated by Six Apart, Ltd.