feat: SG-42145: Common dependency updates (aja, atomic_ops, gc, openjph, pcre2 and spdlog)

[mcoliver]

Summarize your change.

Created a script to check common dependencies against their most recent releases. Useful for seeing if there are updates to dependency packages. I used that script to identify a few that were behind on bug fixes, security updates, and features. None are breaking changes.

Describe the reason for the change.

There were quite a few dependencies that were running old versions. Newer versions fix bugs and security issues along with exposing new features that can be harnessed for future performance optimizations and feature extensions.

Fixes:
#1096
#1097
#1098
#1099
#1100
#1102
#1103
#1104
#1106
#1108
#1105
#1110
#1111

Describe what you have tested and on which operating system.

builds locally. Will monitor CICD on the PR. Tested various images and videos affected by the packages that were updated with success (jpeg, webp, png, libraw, etc..)

Add a list of changes, and note any that might need special attention during the review.

I linked out to each changelog and commit diff for the various dependencies. I made a best effort to ensure there are no breaking changes and stuck to minor version updates.

One thing to note: Libraw does deprecate some older cameras but also adds support for a bunch of new ones along with other new features. Feels like a worthwhile tradeoff but should be noted. https://github.com/LibRaw/LibRaw/blob/d20315b6e7b0162d3b0d7820dcbaf4de716b3e77/Changelog.txt#L50

If possible, provide screenshots.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: mcoliver / name: Michael Oliver (121b9e6, 143ecc1, 165ca81, 2a64ced, 33dd79b, 36022b5, 3acd88f, 3af701c, 3f4cb38, 4a6c394, 4d05310, 5314d9c, 76f2b22, 7a61a24, 7fac095, 80c05ad, 89838fa, 9339e85, 94627f3, 964f54d, 9a67375, 9d52904, 9d9f7d0, 9eb8494, a5799a6, a702adc, b1d7e3d, b23bc2a, c7df307, cb66a8f, e38529d, eaaf248, f3e4638, f5b29cb)

[mcoliver]

pre-commit.ci autofix

[mcoliver]

@cedrik-fuoco-adsk apologies for all the ci/cd build runs to iron out the kinks. Setting up all the dev envs to build locally is not possible for me at the moment. I just pushed the last one that should fix the debug windows build name for openjph. That should be the last one

[mcoliver]

@cedrik-fuoco-adsk would it be helpful for me to break this into separate PR's per dependency? I know it's a lot of upgrades all at once.

[cedrik-fuoco-adsk]

I think it's ok @mcoliver. They all do different things. Having a single build with everything should help with the testing. The two main one that really need testing are AJA and OIIO.

[Copilot]

Pull request overview

This PR updates several third-party dependency versions used by the CMake dependency build system and adds a helper script to compare the pinned versions in CYCOMMON.cmake against upstream Git tags.

Changes:

• Bump multiple common dependency versions/hashes in cmake/defaults/CYCOMMON.cmake (e.g., spdlog, pcre2, gc, openjpeg/openjph, libpng, libraw, webp, dav1d, etc.).
• Adjust several dependency build recipes (download artifacts switched to .tar.gz in a few places; OpenJPH naming updated for Debug postfix handling; Windows /utf-8 flags added for spdlog/OIIO).
• Add check_dependency_versions.py to scan CYCOMMON.cmake and report latest upstream tags.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
cmake/dependencies/spdlog.cmake	Switch spdlog download to tarball; add Windows UTF-8 compile flag handling.
cmake/dependencies/pcre2.cmake	Switch PCRE2 download artifact from zip to tarball.
cmake/dependencies/openjph.cmake	Update OpenJPH library naming for Debug postfix (notably on Windows).
cmake/dependencies/oiio.cmake	Add Windows UTF-8 compile flag handling for OIIO consumers/build.
cmake/dependencies/gc.cmake	Switch bdwgc download artifact from zip to tarball.
cmake/dependencies/atomic_ops.cmake	Update atomic_ops download URL to tagged release under bdwgc repo.
cmake/dependencies/aja.cmake	Adjust Windows Debug naming selection and force mbedtls runtime setting in Debug.
cmake/defaults/CYCOMMON.cmake	Central version/hash bumps for common dependencies.
check_dependency_versions.py	New script to compare pinned dependency versions vs latest upstream tags.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[cedrik-fuoco-adsk]

Hi @mcoliver,

Do you mind splitting libpng in other PR?

We would like to merge libpng faster because the new version fixes a CVE.
If you don't have time, I can create another PR for libpng.

[mcoliver]

@cedrik-fuoco-adsk I pulled the AJA stuff out

Hi @mcoliver,

Do you mind splitting libpng in other PR?

We would like to merge libpng faster because the new version fixes a CVE. If you don't have time, I can create another PR for libpng.

@cedrik-fuoco-adsk I can but a lot of these other dependency updates also have CVE fixes. Would be great to get them all in. I pulled out the AJA update which seemed to be the last hang up for a clean build. What do you think about merging this one? If not I'll put some effort in to pull out the libpng one and make a new pr. Also sorry for the delay on this. I have had some things going on but have time this week to help out with openrv so will be more responsive.

[cedrik-fuoco-adsk]

Hi @mcoliver,

The main issue we’re running into is the QA time bottleneck. Each dependency update requires validation to ensure nothing regresses, and bundling them all into a single PR significantly increases the turnaround time. It would be much more manageable to split this into smaller PRs, ideally one per dependency.

Here are the current priorities:

• libPNG: I’ve opened a PR with the latest version, including the CVE fix: build: SG-42121: Update libPNG to 1.6.55 to address CVE-2026-25646 #1149

• OpenImageIO 3.x: There are a few issues in your PR that still need to be addressed: feat: SG-42131 - Migrate to OpenImageIO 3.x and build it with OpenColorIO #1087

• AJA: We’ll need to open a new PR for this one

In parallel, I’m working on refactoring the staging code and preparing the infrastructure to support find_package in OpenRV. Having smaller, dependency-specific PRs will also help reduce file conflicts as that work progresses.

I realize this means extra effort on your side, but smaller PRs will make reviews, QA, and integration smoother for everyone.

One possible grouping would be:

All the following dependencies in a single PR:

• ATOMIC_OPS
• DOCTEST
• EXPAT
• PCRE2
• SPDLOG
• GC

Separate PRs for these:

• DAV1D
• OPENJPEG
• OPENJPH
• LIBRAW
• WEBP

Let me know if you’d like me to help split these up or take on some of them.

[eloisebrosseau]

@mcoliver FYI, I have the AJA update in another branch for something else I am working on, so you don't need to create a new PR to fix the issues you are experiencing with it!

[mcoliver]

Hi @mcoliver,

The main issue we’re running into is the QA time bottleneck. Each dependency update requires validation to ensure nothing regresses, and bundling them all into a single PR significantly increases the turnaround time. It would be much more manageable to split this into smaller PRs, ideally one per dependency.

Here are the current priorities:

• libPNG: I’ve opened a PR with the latest version, including the CVE fix: build: SG-42121: Update libPNG to 1.6.55 to address CVE-2026-25646 #1149
• OpenImageIO 3.x: There are a few issues in your PR that still need to be addressed: feat: Migrate to OpenImageIO 3.x and build it with OpenColorIO #1087
• AJA: We’ll need to open a new PR for this one

In parallel, I’m working on refactoring the staging code and preparing the infrastructure to support find_package in OpenRV. Having smaller, dependency-specific PRs will also help reduce file conflicts as that work progresses.

I realize this means extra effort on your side, but smaller PRs will make reviews, QA, and integration smoother for everyone.

One possible grouping would be:

All the following dependencies in a single PR:

• ATOMIC_OPS
• DOCTEST
• EXPAT
• PCRE2
• SPDLOG
• GC

Separate PRs for these:

• DAV1D
• OPENJPEG
• OPENJPH
• LIBRAW
• WEBP

Let me know if you’d like me to help split these up or take on some of them.

Thanks @cedrik-fuoco-adsk I'll submit smaller PR's. On the homebrew front I have a working setup that allows me to build with homebrew packages. Need to clean a few things up but will submit for your review if you have not started yet on your own effort there.

[mcoliver]

Separate PR's submitted for each dependency. Closing this PR.