Top FreeBSD Package Updates Q1 2026

Top FreeBSD Package Updates Q1 2026

The first quarter of 2026 brought significant updates across the FreeBSD ports tree. This post covers the most impactful version bumps, security patches, newly added ports, and deprecations from January through March 2026. Whether you run servers, desktops, or embedded systems, at least a few of these changes affect your stack.

How to Stay Current

Before diving into specific updates, here is how to keep your FreeBSD system updated:

sh
# Update the package repository catalog
pkg update

# Upgrade all installed packages
pkg upgrade

# Check for known vulnerabilities in installed packages
pkg audit -F

For ports users:

sh
# Update the ports tree
portsnap fetch update
# Or if using git:
git -C /usr/ports pull

# Check for outdated ports
pkg version -vIL=

Major Version Bumps

PostgreSQL 17.2

PostgreSQL 17.2 landed in the ports tree in January 2026, bringing the latest point release to FreeBSD. Key improvements over 16.x:

• Improved query planning for complex joins
• Incremental backup support with pg_basebackup
• JSON_TABLE function for SQL/JSON path queries
• Better VACUUM performance for large tables

sh
pkg install postgresql17-server postgresql17-client

If upgrading from PostgreSQL 16, a pg_upgrade is required:

sh
pg_upgrade --old-datadir /var/db/postgres/data16 \
           --new-datadir /var/db/postgres/data17 \
           --old-bindir /usr/local/bin \
           --new-bindir /usr/local/bin

Python 3.13

Python 3.13 became the default Python 3 version in FreeBSD ports during Q1 2026. The transition from 3.12 was smoother than previous version bumps thanks to better ABI stability.

Notable changes:

• Experimental free-threaded build available (no GIL)
• Improved error messages continue to get better
• Performance improvements averaging 5-10% over 3.12

sh
pkg install python313

The free-threaded build is available as a separate port for those who want to experiment:

sh
cd /usr/ports/lang/python313
make config  # Enable FREE_THREADING option
make install

Rust 1.84

Rust updated to 1.84 in the ports tree. This matters because an increasing number of FreeBSD ports depend on Rust for compilation, including Firefox, Thunderbird, and numerous system utilities.

Build times for Rust-dependent ports remain painful. On a 4-core system, building Firefox from ports takes 2-4 hours. The binary package is strongly recommended:

sh
pkg install firefox

LLVM/Clang 19

LLVM 19 arrived in ports, though the base system compiler in FreeBSD 14.x remains Clang 18. The ports version is used by packages that need newer language features or bug fixes.

sh
pkg install llvm19

PHP 8.4

PHP 8.4 entered the ports tree with several improvements relevant to web hosting environments:

• Property hooks (getter/setter syntax)
• Asymmetric visibility for properties
• New array_find() and array_any() functions
• Deprecated implicit nullable types

sh
pkg install php84 php84-extensions

PHP 8.1 reached end-of-life. If you are still running 8.1, upgrade immediately -- it no longer receives security fixes.

Ruby 3.4

Ruby 3.4 was added to ports in February 2026. The YJIT JIT compiler continues to improve, with benchmarks showing 15-20% performance improvement over Ruby 3.3 for Rails workloads.

sh
pkg install ruby34

Node.js 22 LTS

Node.js 22 became the active LTS release and is now the default Node.js version in FreeBSD ports.

sh
pkg install node22 npm-node22

Node.js 18 reached end-of-life in April 2025. Remove it if still installed and migrate to 20 or 22.

Nginx 1.27

Nginx mainline 1.27 arrived with HTTP/3 (QUIC) support enabled by default. Previous versions required building with custom flags.

sh
pkg install nginx

If you were using custom builds for QUIC support, the standard package now covers this:

sh
# Verify HTTP/3 support
nginx -V 2>&1 | grep -o "http_v3_module"

OpenZFS 2.3

The OpenZFS 2.3 update brought several features relevant to FreeBSD storage administrators:

• Block cloning (dedup without the memory overhead)
• RAIDZ expansion (add disks to existing RAIDZ vdevs)
• Improved send/receive performance
• Better ARC memory management

For FreeBSD 14.2 users, ZFS is part of the base system and updates come through freebsd-update. The ports ZFS is for users who want bleeding-edge features before they land in a FreeBSD release.

Security Updates

OpenSSL 3.0.16

A security update to OpenSSL landed in February fixing CVE-2025-xxxxx (a moderate-severity bug in X.509 certificate verification). FreeBSD's base system OpenSSL was patched through security advisories.

sh
# Check your OpenSSL version
openssl version

# Apply security patches
freebsd-update fetch install

curl 8.12

curl received multiple security updates through Q1 2026, fixing several CVEs related to cookie handling and redirect processing. The ports version tracks upstream closely.

sh
pkg upgrade curl

Sudo 1.9.16

A privilege escalation fix in sudo made this a critical update. If you use sudo (and most systems do), update immediately:

sh
pkg upgrade sudo

Expat 2.7

The XML parsing library received fixes for multiple buffer overflow vulnerabilities. Many packages depend on expat, so this update triggers rebuilds across the tree.

sh
pkg upgrade expat

Chromium and Firefox

Both browsers received regular security updates throughout Q1:

• Firefox: Updated to 134.x with multiple CVE fixes
• Chromium: Updated to 131.x with matching security patches

sh
pkg upgrade firefox chromium

Browser updates should be applied as soon as they are available. These packages receive more security patches than almost anything else in the tree.

New Ports Added

Interesting Additions

Several notable new ports were added to the tree in Q1 2026:

Helix Editor (editors/helix) -- A post-modern terminal text editor written in Rust. Kakoune-inspired, with built-in LSP support. Already popular on Linux, now officially in FreeBSD ports.

sh
pkg install helix

Zed Editor (editors/zed) -- A fast, collaborative code editor from the creators of Atom. The FreeBSD port was added after community demand. Requires a GUI environment.

sh
pkg install zed

Atuin (shells/atuin) -- Shell history replacement that syncs across machines and provides advanced search. Replaces your shell's built-in history with a SQLite-backed, encrypted solution.

sh
pkg install atuin

Mise (sysutils/mise) -- Successor to asdf for managing runtime versions (Python, Node, Ruby, etc.). A single tool to replace nvm, pyenv, rbenv, and similar.

sh
pkg install mise

Incus (sysutils/incus) -- System container and VM manager forked from LXD. While primarily a Linux technology, the client tools are useful for managing remote Incus servers from FreeBSD.

Zellij (sysutils/zellij) -- Terminal multiplexer written in Rust. An alternative to tmux with a more modern UI and plugin system.

sh
pkg install zellij

Deprecations and Removals

PHP 8.1

PHP 8.1 was removed from the ports tree following its end-of-life upstream. Migrate to 8.3 or 8.4.

Python 3.10

Python 3.10 reached end-of-life and was removed. The minimum supported version in ports is now Python 3.11, with 3.13 as the default.

MySQL 5.7

MySQL 5.7 was fully removed. It has been end-of-life since October 2023, but some ports still referenced it. All MySQL-dependent ports now require 8.0 or newer.

X.Org Server 1.20

The X.Org Server 1.20 port was deprecated in favor of 21.x. Systems still running the older server should upgrade:

sh
pkg upgrade xorg-server

GCC 11

GCC 11 was removed from the ports tree. GCC 12 is the minimum, with GCC 13 and 14 available for ports requiring newer features.

Ports Infrastructure Changes

Flavors Expansion

More ports adopted the FLAVORS framework in Q1 2026, reducing the number of separate port directories for Python and Ruby version variants. This means fewer Makefiles to maintain and faster portsnap updates.

Package Signing

The FreeBSD package building infrastructure upgraded its signing keys in February 2026. If you see signature verification errors after updating, refresh your keys:

sh
pkg bootstrap -f

Quarterly vs Latest

A reminder on FreeBSD's two package branches:

• Quarterly: Updated every three months. More stable, fewer surprises. Default for FreeBSD releases.
• Latest: Rolling updates. Newest versions but occasional breakage.

Check which branch you are on:

sh
cat /etc/pkg/FreeBSD.conf
# or
pkg -vv | grep url

To switch to latest:

sh
mkdir -p /usr/local/etc/pkg/repos
cat > /usr/local/etc/pkg/repos/FreeBSD.conf << 'EOF'
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
}
EOF
pkg update -f

What to Watch in Q2 2026

Looking ahead to the next quarter:

• FreeBSD 14.3-RELEASE is expected, which will update the base system compiler to Clang 19 and bring OpenZFS improvements.
• KDE Plasma 6.3 is being tested in ports and should land in the quarterly branch.
• Go 1.24 is expected in ports, which matters because an increasing number of system tools (Prometheus, Grafana, CockroachDB) are written in Go.
• LLVM 20 development releases are being tracked and will likely arrive in ports by mid-Q2.

Practical Upgrade Tips

Before Upgrading

sh
# Create a boot environment snapshot (ZFS users)
bectl create pre-upgrade-$(date +%Y%m%d)

# Check for packages that will be affected
pkg upgrade -n  # Dry run

# Back up your package database
pkg backup -d /root/pkg-backup-$(date +%Y%m%d).tar

After Upgrading

sh
# Check for broken shared library dependencies
pkg check -d -a

# Remove orphaned packages
pkg autoremove

# Verify no packages have known vulnerabilities
pkg audit -F

# Check for config file updates
etcupdate  # For base system

Handling Build Failures (Ports Users)

If you build from ports and encounter failures after tree updates:

sh
# Clean the port's work directory
make -C /usr/ports/category/portname clean

# Rebuild with updated dependencies
make -C /usr/ports/category/portname reinstall

# Nuclear option: rebuild everything
portmaster -af  # Only if desperate

FAQ

How do I know which packages have security vulnerabilities?

Run pkg audit -F. This downloads the latest vulnerability database and checks all installed packages against it. Run this at least weekly.

Should I use quarterly or latest packages?

Use quarterly for production servers. Use latest for desktops and development machines where you want newer versions and can tolerate occasional breakage.

A package I depend on was removed from ports. What do I do?

Check if it was replaced by a successor (common for language runtime versions). Search the ports mailing list archives for the removal commit message, which usually explains the reason and suggests alternatives. You can also build from a local copy of the port's Makefile if needed.

How long after an upstream release does a package appear in FreeBSD ports?

It varies widely. Major packages like Firefox, Chromium, and PostgreSQL typically appear within 1-2 weeks. Smaller ports depend on maintainer availability and can take weeks to months. You can check the port's MAINTAINER field and contact them if an update is overdue.

Will pkg automatically handle major version upgrades (e.g., Python 3.12 to 3.13)?

Yes, for the default Python version. When the ports tree changes the default, pkg upgrade will handle the transition. However, pip-installed packages in your user environment will need to be reinstalled for the new Python version.

How do I pin a package to a specific version?

Use pkg lock packagename to prevent a package from being upgraded. However, this can cause dependency conflicts over time. A better approach for production is to run your own poudriere build server with the versions you want.