From 7ef880d57f04733bc705028028c7462197702ab2 Mon Sep 17 00:00:00 2001
From: HCL-JasonR <jason.riendeau@hcl-software.com>
Date: Wed, 1 Apr 2026 12:56:51 -0400
Subject: [PATCH 1/5] Update libpng.py to 1.6.56

This fixes two High CVEs.
https://www.cve.org/CVERecord?id=CVE-2026-33416
https://www.cve.org/CVERecord?id=CVE-2026-33636
---
 tools/ports/libpng.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tools/ports/libpng.py b/tools/ports/libpng.py
index 7da6231c17f06..34e2e71fefd87 100644
--- a/tools/ports/libpng.py
+++ b/tools/ports/libpng.py
@@ -6,8 +6,8 @@
 import os
 import shutil
 
-TAG = '1.6.55'
-HASH = '45d3c4c3bd3d22dd93026e1bdff8df8133459a2903fb70be178899a55d256bab55bb5c4220d790202fce578e346c040c5c00e1f004cf5c4dcbf387a30d43e701'
+TAG = '1.6.56'
+HASH = 'e9b7c90e5b29d877e0c0888fe35e5498ae513619943728d7a05269b261786c476808df06de460ec27f6d045cf7193a5e3656b95c553539b4edcdd2fd0c5fa422'
 
 deps = ['zlib']
 variants = {
@@ -32,6 +32,8 @@ def get_lib_name(settings):
 
 def get(ports, settings, shared):
   # This is an emscripten-hosted mirror of the libpng repo from Sourceforge.
+  # Reviewer - please add libpng-1.6.56 binary to storage
+  # https://sourceforge.net/projects/libpng/files/libpng16/1.6.56/libpng-1.6.56.tar.gz/download
   ports.fetch_project('libpng', f'https://storage.googleapis.com/webassembly/emscripten-ports/libpng-{TAG}.tar.gz', sha512hash=HASH)
 
   def create(final):

From 69c6c0fd2cb6542542853f659c586fc67d4ec397 Mon Sep 17 00:00:00 2001
From: HCL-JasonR <jason.riendeau@hcl-software.com>
Date: Wed, 1 Apr 2026 13:41:07 -0400
Subject: [PATCH 2/5] Removing review comment

---
 tools/ports/libpng.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/tools/ports/libpng.py b/tools/ports/libpng.py
index 34e2e71fefd87..5737caba3fb90 100644
--- a/tools/ports/libpng.py
+++ b/tools/ports/libpng.py
@@ -32,8 +32,6 @@ def get_lib_name(settings):
 
 def get(ports, settings, shared):
   # This is an emscripten-hosted mirror of the libpng repo from Sourceforge.
-  # Reviewer - please add libpng-1.6.56 binary to storage
-  # https://sourceforge.net/projects/libpng/files/libpng16/1.6.56/libpng-1.6.56.tar.gz/download
   ports.fetch_project('libpng', f'https://storage.googleapis.com/webassembly/emscripten-ports/libpng-{TAG}.tar.gz', sha512hash=HASH)
 
   def create(final):

From a11da50c68b0bf9663b69890a01d0aa5ff1240e4 Mon Sep 17 00:00:00 2001
From: HCL-JasonR <jason.riendeau@hcl-software.com>
Date: Wed, 1 Apr 2026 13:41:56 -0400
Subject: [PATCH 3/5] Update ChangeLog.md

---
 ChangeLog.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog.md b/ChangeLog.md
index b4a9bab199aa3..117c3b4d8eb69 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -27,6 +27,7 @@ See docs/process.md for more on how version tagging works.
   `--experimental-wasm-bulk-memory` flags when used with versions of node older
   than v16. (#26560)
 - SDL3 port updated from 3.2.30 to 3.4.2 (#26572)
+- libpng port updated from 1.6.55 to 1.6.56. (#26592)
 
 5.0.4 - 03/23/26
 ----------------

From b5d4f6882c955ca23d680ec66754e5e5dd9289c0 Mon Sep 17 00:00:00 2001
From: HCL-JasonR <jason.riendeau@hcl-software.com>
Date: Thu, 7 May 2026 16:34:06 -0400
Subject: [PATCH 4/5] Update libpng version test

---
 test/third_party/libpng/pngtest.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/third_party/libpng/pngtest.c b/test/third_party/libpng/pngtest.c
index 8ec13956bfac6..fa918dd0548da 100644
--- a/test/third_party/libpng/pngtest.c
+++ b/test/third_party/libpng/pngtest.c
@@ -2028,4 +2028,4 @@ main(void)
 #endif
 
 /* Generate a compiler error if there is an old png.h in the search path. */
-typedef png_libpng_version_1_6_55 Your_png_h_is_not_version_1_6_55;
+typedef png_libpng_version_1_6_56 Your_png_h_is_not_version_1_6_56;

From 0096d7f411ab879478d03d1ea370875dc79b8273 Mon Sep 17 00:00:00 2001
From: HCL-JasonR <jason.riendeau@hcl-software.com>
Date: Fri, 8 May 2026 08:21:18 -0400
Subject: [PATCH 5/5] Move libpng update to right place in Changelog

---
 ChangeLog.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ChangeLog.md b/ChangeLog.md
index 2029c3bd34966..2ae3d8452691e 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -31,6 +31,7 @@ See docs/process.md for more on how version tagging works.
   emscripten.  If you still need to support extremely old browsers, you can
   manually transpile the output of emscripten (e.g. using babel for JS and
   binaryen for wasm). (#26677)
+- libpng port updated from 1.6.55 to 1.6.56. (#26592)
 
 5.0.7 - 04/30/26
 ----------------
@@ -77,7 +78,6 @@ See docs/process.md for more on how version tagging works.
   `--experimental-wasm-bulk-memory` flags when used with versions of node older
   than v16. (#26560)
 - SDL3 port updated from 3.2.30 to 3.4.2 (#26572)
-- libpng port updated from 1.6.55 to 1.6.56. (#26592)
 - Fixed a race condition in syscall proxying that caused some hangs and ASan
   errors (#26582)