Feedback on this post is welcomed on Discuss!

We are pleased to announce the release of opam 2.5.1, which fixes a security issue (OSEC-2026-03) and includes other minor changes.

We advise everyone to upgrade. Please read on for installation and upgrade instructions.

Security fix

OSEC-2026-03: Invalidate .install fields containing a destination filepath that tries to escape its scope. Thanks to @andrew for reporting this issue. (#6897)

Distribution maintainers who have not already done so are invited to either upgrade their opam package to 2.5.1 or backport the fix. For any questions, please send an email to the authors of this blog post, as listed above.
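
As an added illustration of the class of problem OSEC-2026-03 addresses (this is not opam's code and not the actual fix), the Python sketch below lexically checks every destination in a `.install` file and reports those that resolve outside their section directory. The parser is simplified, the sample file is constructed, and skipping `misc` rests on the assumption that its destinations are absolute by design.

```python
import posixpath
import re

# One field of a .install file: `name: [ ...entries... ]` (simplified grammar).
FIELD_RE = re.compile(r'([a-z_]+)\s*:\s*\[(.*?)\]', re.S)
# One entry: "source" optionally followed by {"destination"}.
ENTRY_RE = re.compile(r'"([^"]*)"(?:\s*\{\s*"([^"]*)"\s*\})?')


def escapes_scope(dst):
    """True if dst, read relative to its section directory, resolves outside it."""
    dst = dst.replace("\\", "/")
    if dst.startswith("/") or re.match(r"[A-Za-z]:", dst):
        return True  # absolute path (POSIX or Windows drive) ignores the section root
    norm = posixpath.normpath(dst)  # lexical only: symlinks are not resolved
    return norm == ".." or norm.startswith("../")


def audit_install(text):
    """Return (field, source, destination) for each entry whose destination escapes."""
    findings = []
    for field, body in FIELD_RE.findall(text):
        if field == "misc":
            continue  # assumption: misc destinations are absolute by design
        for src, dst in ENTRY_RE.findall(body):
            if dst and escapes_scope(dst):
                findings.append((field, src, dst))
    return findings


# Constructed sample, not taken from any real package.
SAMPLE = '''
bin: [ "_build/tool.exe" {"tool"} ]
lib: [
  "META"
  "src/a.cmi" {"sub/../a.cmi"}
  "src/b.cmi" {"../../elsewhere/b.cmi"}
]
share: [ "data.txt" {"/tmp/data.txt"} ]
'''

if __name__ == "__main__":
    for field, src, dst in audit_install(SAMPLE):
        print(f"{field}: {src!r} -> {dst!r} escapes the section directory")
```
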

Other changes

  • Fix a string injection from the depexts field to nix-build, when os-family=nixos. Thanks to @RyanGibb for this contribution and @andrew for the report. (#6894)

  • Restore the distribution detection on Gentoo. (#6887)

  • Add support for single-quoted values of the /etc/os-release file. (#6887)

  • Fix rare potential GC corruptions. Thanks to @avsm for the contribution and @andrew for the report. (#6882, #6880)

Try it!

The upgrade instructions are unchanged:

  1. Either from binaries: run, on Unix systems,

     bash -c "sh <(curl -fsSL https://opam.ocaml.org/install.sh) --version 2.5.1"

     or, from PowerShell on Windows systems,

     Invoke-Expression "& { $(Invoke-RestMethod https://opam.ocaml.org/install.ps1) } -Version 2.5.1"

     or download manually from the GitHub "Releases" page to your PATH.

  2. Or from source, manually: see the instructions in the README.

You should then run:

opam init --reinit -ni

Please report any issues to the bug-tracker.

Happy hacking!