Log message:
nginx: update lua-nginx-module to 0.10.28

Log message:
www/nginx: security update from 1.26.2 to 1.26.3

<ChangeLog>

*) Security: insufficient check in virtual servers handling with TLSv1.3
   SNI allowed to reuse SSL sessions in a different virtual server, to
   bypass client SSL certificates verification (CVE-2025-23419).

*) Bugfix: in the ngx_http_mp4_module.
   Thanks to Nils Bars.

*) Workaround: "gzip filter failed to use preallocated memory" alerts
   appeared in logs when using zlib-ng.

*) Bugfix: nginx could not build libatomic library using the library
   sources if the --with-libatomic=DIR option was used.

*) Bugfix: nginx now ignores QUIC version negotiation packets from
   clients.

*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
   ngx_http_v3_module.

*) Bugfixes in HTTP/3.

</ChangeLog>

Log message:
*/*: update NGINX JavaScript 0.8.8 -> 0.8.9

Bump PKGREVISIONs for www/nginx, www/nginx-devel, www/unit.

<ChangeLog>

nginx modules:

*) Bugfix: removed extra VM creation per server.
   Previously, when js_import was declared in http or stream blocks,
   an extra copy of the VM instance was created for each server
   block. This was not needed and consumed a lot of memory for
   configurations with many server blocks.

  This issue was introduced in 9b674412 (0.8.6) and was partially
  fixed for location blocks only in 685b64f0 (0.8.7).

Core:

*) Feature: added fs module for QuickJS engine.

</ChangeLog>

Log message:
www/nginx*: update third-party nchan module, 1.3.6 -> 1.3.7

Bump PKGREVISIONs.

<ChangeLog>

fix: repeated DELETE requests can leave unresponsive subscribers connected to a \ 
channel
fix: channel info subscriber count incorrect when using Redis following unclean \ 
worker exit
     (Thanks, Steven Green)
feature: manually set Redis server roles to master or slave
fix: Redis server blacklist was only applied in cluster mode
     (Thanks, piotr-lwks)
fix: Nchan may fail to connect to non-cluster Redis if more than 1 server is \ 
specified
     (Thanks, Mike Baroukh)
fix: Some invalid message IDs may result in a worker crash
fix: Nchan may fail to reconnect ro a Redis cluster when using many workers due \ 
to a race condition
     (Thanks, Fabio Urquiza)
fix: subscriber info may be incorrect for Redis version >=7
fix: Redis cluster may fail to reconnect to a cluster without consensus
     (Thanks, Fabio Urquiza)

</ChangeLog>

Log message:
*/*: update NGINX JavaScript 0.8.7 -> 0.8.8

Bump PKGREVISION for www/nginx, www/nginx-devel.

<ChangeLog>

nginx modules:

*) Feature: implemented shared dictionary for QuickJS engine.

*) Improvement: js_preload_object is refactored.

*) Bugfix: fixed limit rated output.

*) Bugfix: optimized use of SSL contexts for
   js_fetch_trusted_certificate directive.

Core:

*) Feature: implemented process object for QuickJS engine.

*) Feature: implemented process.kill() method.

*) Bugfix: fixed tests with libxml2 2.13 and later.

*) Bugfix: fixed promise resolving when Promise is inherited.

*) Bugfix: fixed absolute scope in cloned VMs.

</ChangeLog>

Log message:
www/nginx: update third-party lua module

While I'm here fix build when third-party naxsi module is enabled.

Bump PKGREVISION.

Log message:
*: recursive bump for perl 5.40

Log message:
*: recursive bump for icu 76 shlib major version bump

Log message:
nginx: prefix all options with 'nginx-' since they're package-specific

Log message:
nginx: Put back NAXSI_SUBDIR.

Could do with a way to indicate to pkglint that this is actually required.