2025-10-03 07:08:19 +00:00
4833 changed files with 327992 additions and 645009 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -10,16 +10,13 @@ btest_jobs: &BTEST_JOBS 4
 btest_retries: &BTEST_RETRIES 2
 memory: &MEMORY 16GB
-config: &CONFIG --build-type=release --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror -D FETCHCONTENT_FULLY_DISCONNECTED:BOOL=ON
+config: &CONFIG --build-type=release --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install --ccache
-no_spicy_config: &NO_SPICY_CONFIG --build-type=release --disable-broker-tests --disable-spicy --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
+no_spicy_config: &NO_SPICY_CONFIG --build-type=release --disable-broker-tests --disable-spicy --prefix=$CIRRUS_WORKING_DIR/install --ccache
-static_config: &STATIC_CONFIG --build-type=release --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
+static_config: &STATIC_CONFIG --build-type=release --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install --ccache
-binary_config: &BINARY_CONFIG --prefix=$CIRRUS_WORKING_DIR/install --libdir=$CIRRUS_WORKING_DIR/install/lib --binary-package --enable-static-broker --enable-static-binpac --disable-broker-tests --build-type=Release --ccache --enable-werror
+asan_sanitizer_config: &ASAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address --enable-fuzzers --enable-coverage --disable-spicy --ccache
-spicy_ssl_config: &SPICY_SSL_CONFIG --build-type=release --disable-broker-tests --enable-spicy-ssl --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
+ubsan_sanitizer_config: &UBSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=undefined --enable-fuzzers --disable-spicy --ccache
-asan_sanitizer_config: &ASAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address --enable-fuzzers --enable-coverage --ccache --enable-werror
+tsan_sanitizer_config: &TSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=thread --enable-fuzzers --disable-spicy --ccache
-ubsan_sanitizer_config: &UBSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=undefined --enable-fuzzers --ccache --enable-werror
+openssl30_config: &OPENSSL30_CONFIG --build-type=release --disable-broker-tests --with-openssl=/opt/openssl --prefix=$CIRRUS_WORKING_DIR/install --ccache
 tsan_sanitizer_config: &TSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=thread --enable-fuzzers --ccache --enable-werror
 macos_config: &MACOS_CONFIG --build-type=release --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror --with-krb5=/opt/homebrew/opt/krb5
 clang_tidy_config: &CLANG_TIDY_CONFIG --build-type=debug --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror --enable-clang-tidy
 resources_template: &RESOURCES_TEMPLATE
  cpu: *CPUS
@ -35,11 +32,11 @@ macos_environment: &MACOS_ENVIRONMENT
    ZEEK_CI_BTEST_JOBS: 12
    # No permission to write to default location of /zeek
    CIRRUS_WORKING_DIR: /tmp/zeek
    ZEEK_CI_CONFIGURE_FLAGS: *MACOS_CONFIG
 freebsd_resources_template: &FREEBSD_RESOURCES_TEMPLATE
  cpu: 8
-  memory: *MEMORY
+  # Not allowed to request less than 8GB for an 8 CPU FreeBSD VM.
  memory: 8GB
  # For greediness, see https://medium.com/cirruslabs/introducing-greedy-container-instances-29aad06dc2b4
  greedy: true
@ -48,108 +45,41 @@ freebsd_environment: &FREEBSD_ENVIRONMENT
    ZEEK_CI_CPUS: 8
    ZEEK_CI_BTEST_JOBS: 8
-only_if_pr_master_release: &ONLY_IF_PR_MASTER_RELEASE
+builds_only_if_template: &BUILDS_ONLY_IF_TEMPLATE
  # Rules for skipping builds:
  # - Do not run builds for anything that's cron triggered
  # - Don't do darwin builds on zeek-security repo because they use up a ton of compute credits.
  # - Always build PRs, but not if they come from dependabot
  # - Always build master and release/* builds from the main repo
  only_if: >
    ( $CIRRUS_CRON == '' ) &&
    ( $CIRRUS_REPO_NAME != 'zeek-security' || $CIRRUS_OS != "darwin" ) &&
    ( ( $CIRRUS_PR != '' && $CIRRUS_BRANCH !=~ 'dependabot/.*' ) ||
    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
-      ( $CIRRUS_CRON != 'weekly' ) &&
+      (
      ( $CIRRUS_PR != '' ||
      $CIRRUS_BRANCH == 'master' ||
      $CIRRUS_BRANCH =~ 'release/.*'
      )
-    )
+    ) )
-only_if_pr_master_release_nightly: &ONLY_IF_PR_MASTER_RELEASE_NIGHTLY
+skip_task_on_pr: &SKIP_TASK_ON_PR
  # Skip this task on PRs if it does not have the fullci label,
  # it continues to run for direct pushes to master/release.
  skip: >
    ($CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ '.*fullci.*')
 benchmark_only_if_template: &BENCHMARK_ONLY_IF_TEMPLATE
  # only_if condition for cron-triggered benchmarking tests.
  # These currently do not run for release/.*
  only_if: >
-    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
+    ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
-      ( $CIRRUS_CRON != 'weekly' ) &&
+    ( $CIRRUS_CRON == 'benchmark-nightly' ||
-      ( $CIRRUS_PR != '' ||
+      $CIRRUS_PR_LABELS =~ '.*fullci.*' ||
-        $CIRRUS_BRANCH == 'master' ||
+      $CIRRUS_PR_LABELS =~ '.*benchmark.*' )
        $CIRRUS_BRANCH =~ 'release/.*' ||
        ( $CIRRUS_CRON == 'nightly' && $CIRRUS_BRANCH == 'master' )
      )
    )
 only_if_pr_release_and_nightly: &ONLY_IF_PR_RELEASE_AND_NIGHTLY
  only_if: >
    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
      ( $CIRRUS_CRON != 'weekly' ) &&
      ( $CIRRUS_PR != '' ||
        $CIRRUS_BRANCH =~ 'release/.*' ||
        ( $CIRRUS_CRON == 'nightly' && $CIRRUS_BRANCH == 'master' )
      )
    )
 only_if_pr_nightly: &ONLY_IF_PR_NIGHTLY
  only_if: >
    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
      ( $CIRRUS_CRON != 'weekly' ) &&
      ( $CIRRUS_PR != '' ||
        ( $CIRRUS_CRON == 'nightly' && $CIRRUS_BRANCH == 'master' )
      )
    )
 only_if_release_tag_nightly: &ONLY_IF_RELEASE_TAG_NIGHTLY
  only_if: >
    ( ( $CIRRUS_REPO_NAME == 'zeek' ) &&
      ( $CIRRUS_CRON != 'weekly' ) &&
      ( ( $CIRRUS_BRANCH =~ 'release/.*' && $CIRRUS_TAG =~ 'v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$' ) ||
        ( $CIRRUS_CRON == 'nightly' && $CIRRUS_BRANCH == 'master' )
      )
    )
 only_if_nightly: &ONLY_IF_NIGHTLY
  only_if: >
    ( ( $CIRRUS_REPO_NAME == 'zeek' ) &&
      ( $CIRRUS_CRON == 'nightly' && $CIRRUS_BRANCH == 'master' )
    )
 only_if_weekly: &ONLY_IF_WEEKLY
  only_if: >
    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
      ( $CIRRUS_CRON == 'weekly' && $CIRRUS_BRANCH == 'master' )
    )
 skip_if_pr_skip_all: &SKIP_IF_PR_SKIP_ALL
  skip: >
    ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
 skip_if_pr_not_full_ci: &SKIP_IF_PR_NOT_FULL_CI
  skip: >
    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: Full.*") ||
      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
    )
 skip_if_pr_not_full_or_benchmark: &SKIP_IF_PR_NOT_FULL_OR_BENCHMARK
  skip: >
    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: (Full|Benchmark).*" ) ||
      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
    )
 skip_if_pr_not_full_or_cluster_test: &SKIP_IF_PR_NOT_FULL_OR_CLUSTER_TEST
  skip: >
    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: (Full|Cluster Test).*" ) ||
      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
    )
 skip_if_pr_not_full_or_zam: &SKIP_IF_PR_NOT_FULL_OR_ZAM
  skip: >
    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: (Full|ZAM).*" ) ||
      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
    )
 skip_if_pr_not_full_or_zeekctl: &SKIP_IF_PR_NOT_FULL_OR_ZEEKCTL
  skip: >
    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: (Full|Zeekctl).*" ) ||
      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
    )
 skip_if_pr_not_full_or_windows: &SKIP_IF_PR_NOT_FULL_OR_WINDOWS
  skip: >
    ( ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*CI: (Full|Windows).*" ) ||
      ( $CIRRUS_PR_LABELS =~ ".*CI: Skip All.*" )
    )
 ci_template: &CI_TEMPLATE
  << : *BUILDS_ONLY_IF_TEMPLATE
  # Default timeout is 60 minutes, Cirrus hard limit is 120 minutes for free
  # tasks, so may as well ask for full time.
  timeout_in: 120m
@ -193,7 +123,6 @@ ci_template: &CI_TEMPLATE
 env:
  CIRRUS_WORKING_DIR: /zeek
  CIRRUS_LOG_TIMESTAMP: true
  ZEEK_CI_CPUS: *CPUS
  ZEEK_CI_BTEST_JOBS: *BTEST_JOBS
  ZEEK_CI_BTEST_RETRIES: *BTEST_RETRIES
@ -238,106 +167,104 @@ env:
 # Linux EOL timelines: https://linuxlifecycle.com/
 # Fedora (~13 months): https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle
-fedora42_task:
+fedora38_task:
  container:
-    # Fedora 42 EOL: Around May 2026
+    # Fedora 38 EOL: Around May 2024
-    dockerfile: ci/fedora-42/Dockerfile
+    dockerfile: ci/fedora-38/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_SKIP_ALL
  env:
    ZEEK_CI_CONFIGURE_FLAGS: *BINARY_CONFIG
-fedora41_task:
+fedora37_task:
  container:
-    # Fedora 41 EOL: Around Nov 2025
+    # Fedora 37 EOL: Around Dec 2024
-    dockerfile: ci/fedora-41/Dockerfile
+    dockerfile: ci/fedora-37/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
+  << : *SKIP_TASK_ON_PR
  << : *SKIP_IF_PR_NOT_FULL_CI
 centosstream9_task:
  container:
-    # Stream 9 EOL: 31 May 2027
+    # Stream 9 EOL: Around Dec 2027
    dockerfile: ci/centos-stream-9/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_NOT_FULL_CI
-centosstream10_task:
+centosstream8_task:
  container:
-    # Stream 10 EOL: 01 January 2030
+    # Stream 8 EOL: May 31, 2024
-    dockerfile: ci/centos-stream-10/Dockerfile
+    dockerfile: ci/centos-stream-8/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
+  << : *SKIP_TASK_ON_PR
  << : *SKIP_IF_PR_NOT_FULL_CI
-debian13_task:
+centos7_task:
  container:
-    # Debian 13 (trixie) EOL: TBD
+    # CentOS 7 EOL: June 30, 2024
-    dockerfile: ci/debian-13/Dockerfile
+    dockerfile: ci/centos-7/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
+  << : *SKIP_TASK_ON_PR
  << : *SKIP_IF_PR_NOT_FULL_CI
 arm_debian13_task:
  arm_container:
    # Debian 13 (trixie) EOL: TBD
    dockerfile: ci/debian-13/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_SKIP_ALL
 debian13_static_task:
  container:
    # Just use a recent/common distro to run a static compile test.
    # Debian 13 (trixie) EOL: TBD
    dockerfile: ci/debian-13/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_NOT_FULL_CI
  env:
-    ZEEK_CI_CONFIGURE_FLAGS: *STATIC_CONFIG
+    ZEEK_CI_CONFIGURE_FLAGS: *NO_SPICY_CONFIG
 debian13_binary_task:
  container:
    # Just use a recent/common distro to run binary mode compile test.
    # As of 2024-03, the used configure flags are equivalent to the flags
    # that we use to create binary packages.
    # Just use a recent/common distro to run a static compile test.
    # Debian 13 (trixie) EOL: TBD
    dockerfile: ci/debian-13/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_NOT_FULL_CI
  env:
    ZEEK_CI_CONFIGURE_FLAGS: *BINARY_CONFIG
 debian12_task:
  container:
-    # Debian 12 (bookworm) EOL: TBD
+    # Debian 12 (bookworm) EOL: (not yet released)
    dockerfile: ci/debian-12/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
+  << : *SKIP_TASK_ON_PR
  << : *SKIP_IF_PR_NOT_FULL_CI
-opensuse_leap_15_6_task:
+debian11_task:
  container:
-    # Opensuse Leap 15.6 EOL: ~Dec 2025
+    # Debian 11 EOL: June 2026
-    dockerfile: ci/opensuse-leap-15.6/Dockerfile
+    dockerfile: ci/debian-11/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
 arm_debian11_task:
  arm_container:
    # Debian 11 EOL: June 2026
    dockerfile: ci/debian-11/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  env:
    ZEEK_CI_CONFIGURE_FLAGS: *NO_SPICY_CONFIG
 debian11_static_task:
  container:
    # Just use a recent/common distro to run a static compile test.
    # Debian 11 EOL: June 2026
    dockerfile: ci/debian-11/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *SKIP_TASK_ON_PR
  env:
    ZEEK_CI_CONFIGURE_FLAGS: *STATIC_CONFIG
 debian10_task:
  container:
    # Debian 10 EOL: June 2024
    dockerfile: ci/debian-10/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
 opensuse_leap_15_4_task:
  container:
    # Opensuse Leap 15.4 EOL: ~Nov 2023
    dockerfile: ci/opensuse-leap-15.4/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *SKIP_TASK_ON_PR
  env:
    ZEEK_CI_CONFIGURE_FLAGS: *NO_SPICY_CONFIG
 opensuse_leap_15_5_task:
  container:
    # Opensuse Leap 15.5 EOL: ~Dec 2024
    dockerfile: ci/opensuse-leap-15.5/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_NOT_FULL_CI
 opensuse_tumbleweed_task:
  container:
@ -346,140 +273,72 @@ opensuse_tumbleweed_task:
    << : *RESOURCES_TEMPLATE
  prepare_script: ./ci/opensuse-tumbleweed/prepare.sh
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
+#  << : *SKIP_TASK_ON_PR
  << : *SKIP_IF_PR_NOT_FULL_CI
-weekly_current_gcc_task:
+ubuntu23_task:
  container:
-    # Opensuse Tumbleweed has no EOL
+    # Ubuntu 23.04 EOL: January 2024
-    dockerfile: ci/opensuse-tumbleweed/Dockerfile
+    dockerfile: ci/ubuntu-23.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  prepare_script: ./ci/opensuse-tumbleweed/prepare-weekly.sh
  << : *CI_TEMPLATE
  << : *ONLY_IF_WEEKLY
  env:
    ZEEK_CI_COMPILER: gcc
 weekly_current_clang_task:
  container:
    # Opensuse Tumbleweed has no EOL
    dockerfile: ci/opensuse-tumbleweed/Dockerfile
    << : *RESOURCES_TEMPLATE
  prepare_script: ./ci/opensuse-tumbleweed/prepare-weekly.sh
  << : *CI_TEMPLATE
  << : *ONLY_IF_WEEKLY
  env:
    ZEEK_CI_COMPILER: clang
 ubuntu25_04_task:
  container:
    # Ubuntu 25.04 EOL: 2026-01-31
    dockerfile: ci/ubuntu-25.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_NOT_FULL_CI
-ubuntu24_04_task:
+ubuntu22_task:
  container:
-    # Ubuntu 24.04 EOL: Jun 2029
+    # Ubuntu 22.04 EOL: April 2027
-    dockerfile: ci/ubuntu-24.04/Dockerfile
+    dockerfile: ci/ubuntu-22.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_SKIP_ALL
  env:
    ZEEK_CI_CREATE_ARTIFACT: 1
  upload_binary_artifacts:
    path: build.tgz
  benchmark_script: ./ci/benchmark.sh
  # Run on PRs, merges to master and release/.* and benchmark-nightly cron.
  only_if: >
    ( $CIRRUS_PR != '' && $CIRRUS_BRANCH !=~ 'dependabot/.*' ) ||
    ( ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
        $CIRRUS_BRANCH == 'master' ||
        $CIRRUS_BRANCH =~ 'release/.*' ||
        $CIRRUS_CRON == 'benchmark-nightly' )
-# Same as above, but running the ZAM tests instead of the regular tests.
+ubuntu22_spicy_task:
 ubuntu24_04_zam_task:
  container:
-    # Ubuntu 24.04 EOL: Jun 2029
+    # Ubuntu 22.04 EOL: April 2027
-    dockerfile: ci/ubuntu-24.04/Dockerfile
+    dockerfile: ci/ubuntu-22.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_NOT_FULL_OR_ZAM
  env:
    ZEEK_CI_SKIP_UNIT_TESTS: 1
    ZEEK_CI_SKIP_EXTERNAL_BTESTS: 1
    ZEEK_CI_BTEST_EXTRA_ARGS: -a zam
    # Use a lower number of jobs due to OOM issues with ZAM tasks
    ZEEK_CI_BTEST_JOBS: 3
 # Same as above, but using Clang and libc++
 ubuntu24_04_clang_libcpp_task:
  container:
    # Ubuntu 24.04 EOL: Jun 2029
    dockerfile: ci/ubuntu-24.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_NOT_FULL_CI
  env:
    CC: clang-19
    CXX: clang++-19
    CXXFLAGS: -stdlib=libc++
 ubuntu24_04_clang_tidy_task:
  container:
    # Ubuntu 24.04 EOL: Jun 2029
    dockerfile: ci/ubuntu-24.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_NOT_FULL_CI
  env:
    CC: clang-19
    CXX: clang++-19
    ZEEK_CI_CONFIGURE_FLAGS: *CLANG_TIDY_CONFIG
 # Also enable Spicy SSL for this
 ubuntu24_04_spicy_task:
  container:
    # Ubuntu 24.04 EOL: Jun 2029
    dockerfile: ci/ubuntu-24.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_NOT_FULL_OR_BENCHMARK
  env:
    ZEEK_CI_CREATE_ARTIFACT: 1
-    ZEEK_CI_CONFIGURE_FLAGS: *SPICY_SSL_CONFIG
+  test_script: true  # Don't run tests, these are redundant.
  spicy_install_analyzers_script: ./ci/spicy-install-analyzers.sh
  upload_binary_artifacts:
    path: build.tgz
  benchmark_script: ./ci/benchmark.sh
  << : *BENCHMARK_ONLY_IF_TEMPLATE
-ubuntu24_04_spicy_head_task:
+ubuntu22_spicy_head_task:
  container:
-    # Ubuntu 24.04 EOL: Jun 2029
+    # Ubuntu 22.04 EOL: April 2027
-    dockerfile: ci/ubuntu-24.04/Dockerfile
+    dockerfile: ci/ubuntu-22.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE_NIGHTLY
  << : *SKIP_IF_PR_NOT_FULL_OR_BENCHMARK
  env:
    ZEEK_CI_CREATE_ARTIFACT: 1
    ZEEK_CI_CONFIGURE_FLAGS: *SPICY_SSL_CONFIG
    # Pull auxil/spicy to the latest head version. May or may not build.
    ZEEK_CI_PREBUILD_COMMAND: 'cd auxil/spicy && git fetch && git reset --hard origin/main && git submodule update --init --recursive'
  spicy_install_analyzers_script: ./ci/spicy-install-analyzers.sh
  upload_binary_artifacts:
    path: build.tgz
  benchmark_script: ./ci/benchmark.sh
  << : *BENCHMARK_ONLY_IF_TEMPLATE
-ubuntu22_04_task:
+ubuntu20_task:
  container:
-    # Ubuntu 22.04 EOL: June 2027
+    # Ubuntu 20.04 EOL: April 2025
-    dockerfile: ci/ubuntu-22.04/Dockerfile
+    dockerfile: ci/ubuntu-20.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
+  << : *SKIP_TASK_ON_PR
  << : *SKIP_IF_PR_NOT_FULL_CI
 alpine_task:
  container:
@ -489,141 +348,105 @@ alpine_task:
    dockerfile: ci/alpine/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_NOT_FULL_CI
-# Cirrus only supports the following macos runner currently, selecting
+# Apple doesn't publish official long-term support timelines.
-# anything else automatically upgrades to this one.
+# We aim to support both the current and previous macOS release.
-#
+macos_ventura_task:
 #    ghcr.io/cirruslabs/macos-runner:sequoia
 #
 # See also: https://cirrus-ci.org/guide/macOS/
 macos_sequoia_task:
  macos_instance:
-    image: ghcr.io/cirruslabs/macos-runner:sequoia
+    image: ghcr.io/cirruslabs/macos-ventura-base:latest
  prepare_script: ./ci/macos/prepare.sh
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_SKIP_ALL
  << : *MACOS_ENVIRONMENT
 macos_monterey_task:
  macos_instance:
    image: ghcr.io/cirruslabs/macos-monterey-base:latest
  prepare_script: ./ci/macos/prepare.sh
  << : *CI_TEMPLATE
  << : *MACOS_ENVIRONMENT
  << : *SKIP_TASK_ON_PR
 # FreeBSD EOL timelines: https://www.freebsd.org/security/#sup
 freebsd14_task:
  freebsd_instance:
-    # FreeBSD 14 EOL: Nov 30 2028
+    # We don't support FreeBSD 14 yet, this is a purely informative task
-    image_family: freebsd-14-2
+    image_family: freebsd-14-0-snap
    allow_failures: true
    skip_notification: true
    << : *FREEBSD_RESOURCES_TEMPLATE
  prepare_script: ./ci/freebsd/prepare.sh
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_SKIP_ALL
  << : *FREEBSD_ENVIRONMENT
 freebsd13_task:
  freebsd_instance:
    # FreeBSD 13 EOL: January 31, 2026
-    image_family: freebsd-13-4
+    image_family: freebsd-13-2
    << : *FREEBSD_RESOURCES_TEMPLATE
  prepare_script: ./ci/freebsd/prepare.sh
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE
+  << : *SKIP_TASK_ON_PR
-  << : *SKIP_IF_PR_NOT_FULL_CI
+  << : *FREEBSD_ENVIRONMENT
 freebsd12_task:
  freebsd_instance:
    # FreeBSD 12 EOL: June 30, 2024
    image_family: freebsd-12-2
    << : *FREEBSD_RESOURCES_TEMPLATE
  prepare_script: ./ci/freebsd/prepare.sh
  << : *CI_TEMPLATE
  << : *SKIP_TASK_ON_PR
  << : *FREEBSD_ENVIRONMENT
 asan_sanitizer_task:
  container:
    # Just uses a recent/common distro to run memory error/leak checks.
-    dockerfile: ci/ubuntu-24.04/Dockerfile
+    dockerfile: ci/ubuntu-20.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_SKIP_ALL
  test_fuzzers_script: ./ci/test-fuzzers.sh
  coverage_script: ./ci/upload-coverage.sh
  env:
    CXXFLAGS: -DZEEK_DICT_DEBUG
    ZEEK_CI_CONFIGURE_FLAGS: *ASAN_SANITIZER_CONFIG
-    ASAN_OPTIONS: detect_leaks=1:detect_odr_violation=0
+    ZEEK_CI_DISABLE_SCRIPT_PROFILING: 1
-    # Use absolute paths for coverage files.
+    ASAN_OPTIONS: detect_leaks=1
    CCACHE_BASEDIR:
 # ASAN task executing btests with zam alternative.
 asan_sanitizer_zam_task:
  container:
    dockerfile: ci/ubuntu-24.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_NIGHTLY
  << : *SKIP_IF_PR_NOT_FULL_OR_ZAM
  env:
    ZEEK_CI_CONFIGURE_FLAGS: *ASAN_SANITIZER_CONFIG
    ASAN_OPTIONS: detect_leaks=1:detect_odr_violation=0
    ZEEK_CI_SKIP_UNIT_TESTS: 1
    ZEEK_CI_SKIP_EXTERNAL_BTESTS: 1
    ZEEK_CI_BTEST_EXTRA_ARGS: -a zam
    # Use a lower number of jobs due to OOM issues with ZAM tasks
    ZEEK_CI_BTEST_JOBS: 3
 ubsan_sanitizer_task:
  container:
    # Just uses a recent/common distro to run undefined behavior checks.
-    dockerfile: ci/ubuntu-24.04/Dockerfile
+    dockerfile: ci/ubuntu-20.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
-  << : *ONLY_IF_PR_NIGHTLY
+  << : *SKIP_TASK_ON_PR
  << : *SKIP_IF_PR_NOT_FULL_CI
  test_fuzzers_script: ./ci/test-fuzzers.sh
  env:
    CC: clang-19
    CXX: clang++-19
    CXXFLAGS: -DZEEK_DICT_DEBUG
    ZEEK_CI_CONFIGURE_FLAGS: *UBSAN_SANITIZER_CONFIG
    ZEEK_TAILORED_UB_CHECKS: 1
    UBSAN_OPTIONS: print_stacktrace=1
 ubsan_sanitizer_zam_task:
  container:
    dockerfile: ci/ubuntu-24.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_NIGHTLY
  << : *SKIP_IF_PR_NOT_FULL_OR_ZAM
  env:
    CC: clang-19
    CXX: clang++-19
    ZEEK_CI_CONFIGURE_FLAGS: *UBSAN_SANITIZER_CONFIG
    ZEEK_TAILORED_UB_CHECKS: 1
    UBSAN_OPTIONS: print_stacktrace=1
    ZEEK_CI_SKIP_UNIT_TESTS: 1
    ZEEK_CI_SKIP_EXTERNAL_BTESTS: 1
    ZEEK_CI_BTEST_EXTRA_ARGS: -a zam
    # Use a lower number of jobs due to OOM issues with ZAM tasks
    ZEEK_CI_BTEST_JOBS: 3
 tsan_sanitizer_task:
  container:
    # Just uses a recent/common distro to run memory error/leak checks.
    dockerfile: ci/ubuntu-24.04/Dockerfile
    << : *RESOURCES_TEMPLATE
  << : *CI_TEMPLATE
  << : *ONLY_IF_PR_NIGHTLY
  << : *SKIP_IF_PR_NOT_FULL_CI
  env:
    CC: clang-19
    CXX: clang++-19
    ZEEK_CI_CONFIGURE_FLAGS: *TSAN_SANITIZER_CONFIG
    ZEEK_CI_DISABLE_SCRIPT_PROFILING: 1
-    # If this is defined directly in the environment, configure fails to find
+    ZEEK_TAILORED_UB_CHECKS: 1
-    # OpenSSL. Instead we define it with a different name and then give it
+    UBSAN_OPTIONS: print_stacktrace=1
-    # the correct name in the testing scripts.
+
-    ZEEK_TSAN_OPTIONS: suppressions=/zeek/ci/tsan_suppressions.txt
+# tsan_sanitizer_task:
 #   container:
 #     # Just uses a recent/common distro to run memory error/leak checks.
 #     dockerfile: ci/ubuntu-22.04/Dockerfile
 #     << : *RESOURCES_TEMPLATE
 #   << : *CI_TEMPLATE
 #   << : *SKIP_TASK_ON_PR
 #   env:
 #     ZEEK_CI_CONFIGURE_FLAGS: *TSAN_SANITIZER_CONFIG
 #     ZEEK_CI_DISABLE_SCRIPT_PROFILING: 1
 #     # If this is defined directly in the environment, configure fails to find
 #     # OpenSSL. Instead we define it with a different name and then give it
 #     # the correct name in the testing scripts.
 #     ZEEK_TSAN_OPTIONS: suppressions=/zeek/ci/tsan_suppressions.txt
 windows_task:
  # 2 hour timeout just for potential of building Docker image taking a while
@ -638,12 +461,11 @@ windows_task:
  prepare_script: ci/windows/prepare.cmd
  build_script: ci/windows/build.cmd
  test_script: ci/windows/test.cmd
  << : *ONLY_IF_PR_MASTER_RELEASE
  << : *SKIP_IF_PR_NOT_FULL_OR_WINDOWS
  env:
    ZEEK_CI_CPUS: 8
    # Give verbose error output on a test failure.
    CTEST_OUTPUT_ON_FAILURE: 1
  << : *BUILDS_ONLY_IF_TEMPLATE
 # Container images
@ -724,18 +546,22 @@ arm64_container_image_docker_builder:
  env:
    CIRRUS_ARCH: arm64
  << : *DOCKER_BUILD_TEMPLATE
-  << : *ONLY_IF_RELEASE_TAG_NIGHTLY
+  << : *SKIP_TASK_ON_PR
 amd64_container_image_docker_builder:
  env:
    CIRRUS_ARCH: amd64
  << : *DOCKER_BUILD_TEMPLATE
-  << : *ONLY_IF_PR_MASTER_RELEASE_NIGHTLY
+  << : *SKIP_TASK_ON_PR
  << : *SKIP_IF_PR_NOT_FULL_OR_CLUSTER_TEST
 container_image_manifest_docker_builder:
  cpu: 1
-  << : *ONLY_IF_RELEASE_TAG_NIGHTLY
+  # Push master builds to zeek/zeek-dev, or tagged release branches to zeek/zeek
  only_if: >
    ( $CIRRUS_CRON == '' ) &&
    ( $CIRRUS_REPO_FULL_NAME == 'zeek/zeek' &&
      ( $CIRRUS_BRANCH == 'master' ||
        $CIRRUS_TAG =~ 'v[0-9]+\.[0-9]+\.[0-9]+$' ) )
  env:
    DOCKER_USERNAME: ENCRYPTED[!505b3dee552a395730a7e79e6aab280ffbe1b84ec62ae7616774dfefe104e34f896d2e20ce3ad701f338987c13c33533!]
    DOCKER_PASSWORD: ENCRYPTED[!6c4b2f6f0e5379ef1091719cc5d2d74c90cfd2665ac786942033d6d924597ffb95dbbc1df45a30cc9ddeec76c07ac620!]
@ -744,7 +570,7 @@ container_image_manifest_docker_builder:
  login_script: |
    docker login --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
    AWS_ACCESS_KEY_ID=$AWS_ECR_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY=$AWS_ECR_SECRET_ACCESS_KEY aws ecr-public get-login-password --region us-east-1 | \
-        docker login --username AWS --password-stdin public.ecr.aws
+        docker login --username AWS $AWS_ECR_USERNAME --password-stdin public.ecr.aws
  set_image_tag_script: |
    # If we have a CIRRUS_TAG, use the value in VERSION to push the multiarch
    # images, otherwise use latest. Basically we push the arch images as
@ -754,12 +580,8 @@ container_image_manifest_docker_builder:
    # for tags, or zeek/zeek-dev:latest for pushes to master.
    set -x
    if [ -n "${CIRRUS_TAG}" ]; then
      echo "IMAGE_NAME=zeek"  >> $CIRRUS_ENV
      echo "IMAGE_TAG=$(cat VERSION)" >> $CIRRUS_ENV
-      if [ "${CIRRUS_TAG}" != "v$(cat VERSION)" ]; then
+      echo "IMAGE_NAME=zeek"  >> $CIRRUS_ENV
        echo "CIRRUS_TAG '${CIRRUS_TAG}' and VERSION '$(cat VERSION)' inconsistent!" >&2
        exit 1
      fi
    elif [ "${CIRRUS_BRANCH}" = "master" ]; then
      echo "IMAGE_NAME=zeek-dev"  >> $CIRRUS_ENV
      echo "IMAGE_TAG=latest" >> $CIRRUS_ENV
@ -786,7 +608,31 @@ container_image_manifest_docker_builder:
        '+refs/heads/release/*:refs/remotes/origin/release/*' \
        '+refs/heads/master:refs/remotes/origin/master'
-    ./ci/container-images-addl-tags.sh "${CIRRUS_TAG}" | tee -a $CIRRUS_ENV
+    # Find current versions for lts and feature depending on branches and
    # tags in the repo. sed for escaping the dot in the version for using
    # it in the regex below to match against CIRRUS_TAG.
    lts_ver=$(./ci/find-current-version.sh lts)
    lts_pat="^v$(echo $lts_ver | sed 's,\.,\\.,g')\.[0-9]+\$"
    feature_ver=$(./ci/find-current-version.sh feature)
    feature_pat="^v$(echo $feature_ver | sed 's,\.,\\.,g')\.[0-9]+\$"
    # Construct additional tags for the image. At most this will
    # be "lts x.0 feature" for an lts branch x.0 that is currently
    # also the latest feature branch.
    ADDL_MANIFEST_TAGS=
    if echo "${CIRRUS_TAG}" | grep -E "${lts_pat}"; then
        ADDL_MANIFEST_TAGS="${ADDL_MANIFEST_TAGS} lts ${lts_ver}"
    fi
    if echo "${CIRRUS_TAG}" | grep -E "${feature_pat}"; then
        ADDL_MANIFEST_TAGS="${ADDL_MANIFEST_TAGS} latest"
        if [ "${feature_ver}" != "${lts_ver}" ]; then
          ADDL_MANIFEST_TAGS="${ADDL_MANIFEST_TAGS} ${feature_ver}"
        fi
    fi
    # Let downstream know about it.
    echo "ADDITIONAL_MANIFEST_TAGS=${ADDL_MANIFEST_TAGS}" >> $CIRRUS_ENV
  # These should've been populated by the previous jobs
  zeek_image_arm64_cache:
@ -814,7 +660,8 @@ container_image_manifest_docker_builder:
 # images from the public ECR repository to stay within free-tier bounds.
 public_ecr_cleanup_docker_builder:
  cpu: 1
-  << : *ONLY_IF_NIGHTLY
+  only_if: >
    $CIRRUS_CRON == '' && $CIRRUS_REPO_FULL_NAME == 'zeek/zeek' && $CIRRUS_BRANCH == 'master'
  env:
    AWS_ACCESS_KEY_ID: ENCRYPTED[!eff52f6442e1bc78bce5b15a23546344df41bf519f6201924cb70c7af12db23f442c0e5f2b3687c2d856ceb11fcb8c49!]
    AWS_SECRET_ACCESS_KEY: ENCRYPTED[!748bc302dd196140a5fa8e89c9efd148882dc846d4e723787d2de152eb136fa98e8dea7e6d2d6779d94f72dd3c088228!]
@ -848,29 +695,33 @@ cluster_testing_docker_builder:
  test_script:
    # Invoke btest directly here. This mirrors ci/test.sh, ensures we don't
    # accidentally build a Docker image, and enables console-level output:
-    - cd testing/external/zeek-testing-cluster && ../../../auxil/btest/btest -A -d -b -j ${ZEEK_CI_BTEST_JOBS}
+    - cd testing/external/zeek-testing-cluster && ../../../auxil/btest/btest -d -b -j ${ZEEK_CI_BTEST_JOBS}
  on_failure:
    upload_cluster_testing_artifacts:
      path: "testing/external/zeek-testing-cluster/.tmp/**"
  depends_on:
    - amd64_container_image
-  << : *ONLY_IF_PR_RELEASE_AND_NIGHTLY
+  << : *SKIP_TASK_ON_PR
  << : *SKIP_IF_PR_NOT_FULL_OR_CLUSTER_TEST
 # Test zeekctl upon master and release pushes and also when
-# a PR has a "CI: Zeekctl" or "CI: Full" label.
+# a PR has a zeekctlci or fullci label.
 #
 # Also triggers on CIRRUS_CRON == 'zeekctl-nightly' if that is configured
 # through the Cirrus Web UI.
-zeekctl_debian12_task:
+zeekctl_debian11_task:
  cpu: *CPUS
  memory: *MEMORY
-  << : *ONLY_IF_PR_MASTER_RELEASE
+  only_if: >
-  << : *SKIP_IF_PR_NOT_FULL_OR_ZEEKCTL
+    ( $CIRRUS_CRON == 'zeekctl-nightly' ) ||
    ( $CIRRUS_PR != '' && $CIRRUS_PR_LABELS =~ '.*(zeekctlci|fullci).*' ) ||
    ( $CIRRUS_REPO_NAME == 'zeek' && (
        $CIRRUS_BRANCH == 'master' ||
        $CIRRUS_BRANCH =~ 'release/.*' )
    )
  container:
-    # Debian 13 (trixie) EOL: TBD
+    # Debian 11 EOL: June 2026
-    dockerfile: ci/debian-13/Dockerfile
+    dockerfile: ci/debian-11/Dockerfile
    << : *RESOURCES_TEMPLATE
  sync_submodules_script: git submodule update --recursive --init
  always:
@ -884,46 +735,31 @@ zeekctl_debian12_task:
  build_script:
    - cd auxil/zeekctl/testing && ./Scripts/build-zeek
  test_script:
-    - cd auxil/zeekctl/testing && ../../btest/btest -A -d -j ${ZEEK_CI_BTEST_JOBS}
+    - cd auxil/zeekctl/testing && ../../btest/btest -A -d -j ${BTEST_JOBS}
  on_failure:
    upload_zeekctl_testing_artifacts:
      path: "auxil/zeekctl/testing/.tmp/**"
-include_plugins_debian12_task:
+# Test building Zeek with builtin plugins available in
 # testing/builtin-plugins/Files/
 include_plugins_debian11_task:
  cpu: *CPUS
  memory: *MEMORY
  container:
-    # Debian 13 (trixie) EOL: TBD
+    # Debian 11 EOL: June 2026
-    dockerfile: ci/debian-13/Dockerfile
+    dockerfile: ci/debian-11/Dockerfile
    << : *RESOURCES_TEMPLATE
  sync_submodules_script: git submodule update --recursive --init
  fetch_external_plugins_script:
    - cd /zeek/testing/builtin-plugins/external && git clone https://github.com/zeek/zeek-perf-support.git
    - cd zeek-perf-support && echo "Cloned $(git rev-parse HEAD) for $(basename $(pwd))"
    - cd /zeek/testing/builtin-plugins/external && git clone https://github.com/zeek/zeek-more-hashes.git
    - cd zeek-more-hashes && echo "Cloned $(git rev-parse HEAD) for $(basename $(pwd))"
    - cd /zeek/testing/builtin-plugins/external && git clone https://github.com/zeek/zeek-cluster-backend-nats.git
    - cd zeek-cluster-backend-nats && echo "Cloned $(git rev-parse HEAD) for $(basename $(pwd))"
    - cd /zeek/testing/builtin-plugins/external && git clone https://github.com/SeisoLLC/zeek-kafka.git
    - cd zeek-kafka && echo "Cloned $(git rev-parse HEAD) for $(basename $(pwd))"
  always:
    ccache_cache:
      folder: /tmp/ccache
      fingerprint_script: echo builtin-plugins-ccache-$ZEEK_CCACHE_EPOCH-$CIRRUS_TASK_NAME-$CIRRUS_OS
      reupload_on_changes: true
-  build_script: ZEEK_CI_CONFIGURE_FLAGS="${ZEEK_CI_CONFIGURE_FLAGS} --include-plugins='/zeek/testing/builtin-plugins/Files/protocol-plugin;/zeek/testing/builtin-plugins/Files/py-lib-plugin;/zeek/testing/builtin-plugins/Files/zeek-version-plugin;/zeek/testing/builtin-plugins/external/zeek-perf-support;/zeek/testing/builtin-plugins/external/zeek-more-hashes;/zeek/testing/builtin-plugins/external/zeek-cluster-backend-nats;/zeek/testing/builtin-plugins/external/zeek-kafka'" ./ci/build.sh
+  build_script: ZEEK_CI_CONFIGURE_FLAGS="${ZEEK_CI_CONFIGURE_FLAGS} --include-plugins='/zeek/testing/builtin-plugins/Files/protocol-plugin;/zeek/testing/builtin-plugins/Files/py-lib-plugin;/zeek/testing/builtin-plugins/Files/zeek-version-plugin'" ./ci/build.sh
  test_script:
    - cd testing/builtin-plugins && ../../auxil/btest/btest -d -b -j ${ZEEK_CI_BTEST_JOBS}
  test_external_plugins_script: |
    . /zeek/build/zeek-path-dev.sh
    set -ex
    # For now, just check if the external plugins are available.
    zeek -N Zeek::PerfSupport
    zeek -N Zeek::MoreHashes
    zeek -N Zeek::Cluster_Backend_NATS
    zeek -N Seiso::Kafka
  on_failure:
    upload_include_plugins_testing_artifacts:
      path: "testing/builtin-plugins/.tmp/**"
-  << : *ONLY_IF_PR_MASTER_RELEASE
+  << : *BUILDS_ONLY_IF_TEMPLATE
-  << : *SKIP_IF_PR_NOT_FULL_CI
+  << : *SKIP_TASK_ON_PR
--- a/.clang-format
+++ b/.clang-format
@ -1,66 +1,74 @@
-# See the file "COPYING" in the main distribution directory for copyright.
+# Clang-format configuration for Zeek. This configuration requires
 # at least clang-format 12.0.1 to format correctly.
 ---
 Language: Cpp
 Standard: c++17
 BreakBeforeBraces: Whitesmiths
 # BraceWrapping:
 #   AfterCaseLabel: true
 #   AfterClass: false
 #   AfterControlStatement: Always
 #   AfterEnum: false
 #   AfterFunction: true
 #   AfterNamespace: false
 #   AfterStruct: false
 #   AfterUnion: false
 #   AfterExternBlock: false
 #   BeforeCatch: true
 #   BeforeElse: true
 #   BeforeWhile: false
 #   IndentBraces: true
 #   SplitEmptyFunction: false
 #   SplitEmptyRecord: false
 #   SplitEmptyNamespace: false
 AccessModifierOffset: -4
 AlignAfterOpenBracket: Align
-AlignConsecutiveAssignments: false
+AlignTrailingComments: false
-AlignConsecutiveDeclarations: false
+AllowShortBlocksOnASingleLine: Empty
-AlignEscapedNewlines: Right
+AllowShortEnumsOnASingleLine: true
-AlignOperands:   true
+AllowShortFunctionsOnASingleLine: Inline
 AlignTrailingComments: true
 AllowAllParametersOfDeclarationOnNextLine: false
 AllowShortBlocksOnASingleLine: false
 AllowShortCaseLabelsOnASingleLine: true
 AllowShortFunctionsOnASingleLine: true
 AllowShortIfStatementsOnASingleLine: false
 AllowShortLambdasOnASingleLine: Empty
 AllowShortLoopsOnASingleLine: false
 AlwaysBreakAfterDefinitionReturnType: None
 AlwaysBreakAfterReturnType: None
 AlwaysBreakBeforeMultilineStrings: true
 AlwaysBreakTemplateDeclarations: Yes
 BinPackArguments: true
 BinPackParameters: true
 BraceWrapping:
  AfterClass:      false
  AfterControlStatement: false
  AfterEnum:       false
  AfterFunction:   false
  AfterNamespace:  false
  AfterObjCDeclaration: false
  AfterStruct:     false
  AfterUnion:      false
  AfterExternBlock: false
  BeforeCatch:     false
  BeforeElse:      true
  IndentBraces:    false
  SplitEmptyFunction: false
  SplitEmptyRecord: false
  SplitEmptyNamespace: false
 BreakBeforeBinaryOperators: None
 BreakBeforeBraces: Custom
 BreakBeforeInheritanceComma: false
 BreakInheritanceList: BeforeColon
 BreakBeforeTernaryOperators: false
 BreakConstructorInitializersBeforeComma: false
 BreakConstructorInitializers: BeforeColon
-BreakAfterJavaFieldAnnotations: false
+BreakInheritanceList: BeforeColon
-BreakStringLiterals: true
+ColumnLimit: 100
-ColumnLimit:     120
+ConstructorInitializerAllOnOneLineOrOnePerLine: false
-CommentPragmas:  'NOLINT'
+FixNamespaceComments: false
-CompactNamespaces: false
+IndentCaseLabels: true
-ConstructorInitializerAllOnOneLineOrOnePerLine: true
+IndentCaseBlocks: false
-ConstructorInitializerIndentWidth: 4
+IndentExternBlock: NoIndent
-ContinuationIndentWidth: 4
+IndentPPDirectives: None
-Cpp11BracedListStyle: true
+IndentWidth: 4
-DerivePointerAlignment: false
+NamespaceIndentation: None
-DisableFormat:   false
+PointerAlignment: Left
-ExperimentalAutoDetectBinPacking: false
+SpaceAfterCStyleCast: false
-FixNamespaceComments: true
+SpaceAfterLogicalNot: true
-ForEachMacros:
+SpaceBeforeAssignmentOperators: true
-  - foreach
+SpaceBeforeCpp11BracedList: false
-  - Q_FOREACH
+SpaceBeforeCtorInitializerColon: true
-  - BOOST_FOREACH
+SpaceBeforeInheritanceColon: true
 SpaceBeforeParens: ControlStatements
 SpaceBeforeRangeBasedForLoopColon: true
 SpaceInEmptyBlock: true
 SpaceInEmptyParentheses: false
 SpacesInAngles: false
 SpacesInConditionalStatement: true
 SpacesInContainerLiterals: false
 SpacesInParentheses: false
 TabWidth: 4
 UseTab: AlignWithSpaces
 # Setting this to a high number causes clang-format to prefer breaking somewhere else
 # over breaking after the assignment operator in a line that's over the column limit
 PenaltyBreakAssignment: 100
 IncludeBlocks: Regroup
 # Include categories go like this:
@ -71,7 +79,6 @@ IncludeBlocks: Regroup
 # 4: any header that starts with "zeek/"
 # 5: everything else, which should catch any of the auto-generated code from the
 #    build directory as well
 # 6: third party doctest header
 #
 # Sections 0-1 and 2-3 get grouped together in their respective blocks
 IncludeCategories:
@ -87,63 +94,7 @@ IncludeCategories:
  - Regex: '^<[[:print:]]+>'
    Priority: 2
    SortPriority: 3
  - Regex: '^"zeek/3rdparty/doctest.h'
    Priority: 6
  - Regex: '^"zeek/'
    Priority: 4
  - Regex: '.*'
    Priority: 5
 IncludeIsMainRegex: '$'
 IndentCaseLabels: true
 IndentPPDirectives: None
 IndentWidth:     4
 IndentWrappedFunctionNames: false
 JavaScriptQuotes: Leave
 JavaScriptWrapImports: true
 KeepEmptyLinesAtTheStartOfBlocks: false
 MacroBlockBegin: '^BEGIN_'
 MacroBlockEnd:   '^END_'
 MaxEmptyLinesToKeep: 2
 NamespaceIndentation: None
 ObjCBinPackProtocolList: Auto
 ObjCBlockIndentWidth: 2
 ObjCSpaceAfterProperty: false
 ObjCSpaceBeforeProtocolList: true
 PenaltyBreakAssignment: 2
 PenaltyBreakBeforeFirstCallParameter: 500
 PenaltyBreakComment: 300
 PenaltyBreakFirstLessLess: 120
 PenaltyBreakString: 1000
 PenaltyBreakTemplateDeclaration: 10
 PenaltyExcessCharacter: 1000000
 PenaltyReturnTypeOnItsOwnLine: 1000
 PointerAlignment: Left
 ReflowComments:  true
 SortIncludes:    true
 SortUsingDeclarations: true
 SpaceAfterCStyleCast: false
 SpaceAfterTemplateKeyword: false
 SpaceAfterLogicalNot: true
 SpaceBeforeAssignmentOperators: true
 SpaceBeforeCpp11BracedList: false
 SpaceBeforeCtorInitializerColon: true
 SpaceBeforeInheritanceColon: true
 SpaceBeforeParens: ControlStatements
 SpaceBeforeRangeBasedForLoopColon: true
 SpaceInEmptyParentheses: false
 SpacesBeforeTrailingComments: 1
 SpacesInAngles:  false
 SpacesInContainerLiterals: true
 SpacesInCStyleCastParentheses: false
 SpacesInParentheses: false
 SpacesInSquareBrackets: false
 SpacesInConditionalStatement: true
 Standard:        Cpp11
 StatementMacros:
  - STANDARD_OPERATOR_1
 TabWidth:        4
 UseTab:          Never
 ---
 Language: Json
 ...
--- a/.clang-tidy
+++ b/.clang-tidy
@ -1,76 +1,5 @@
-Checks: [-*,
+Checks: '-*,
         bugprone-*,
         performance-*,
         modernize-*,
         readability-isolate-declaration,
         readability-container-contains,
         # Enable a very limited number of the cppcoreguidelines checkers.
         # See the notes for some of the rest of them below.
         cppcoreguidelines-macro-usage,
         cppcoreguidelines-misleading-capture-default-by-value,
         cppcoreguidelines-virtual-class-destructor,
         # Skipping these temporarily because they are very noisy
         -bugprone-forward-declaration-namespace,
         -bugprone-narrowing-conversions,
         -bugprone-unchecked-optional-access,
         -performance-unnecessary-value-param,
         -modernize-use-equals-default,
         -modernize-use-integer-sign-comparison,
         # The following cause either lots of pointless or advisory warnings
 	 -bugprone-easily-swappable-parameters,
-         -bugprone-nondeterministic-pointer-iteration-order,
+         clang-analyzer-*,
-
+         performance-*'
         # bifcl generates a lot of code with double underscores in their name.
         # ZAM uses a few identifiers that start with underscores or have
         # double-underscores in the name.
         -bugprone-reserved-identifier,
         # bifcl generates almost every switch statement without a default case
         # and so this one generates a lot of warnings.
         -bugprone-switch-missing-default-case,
         # These report warnings that are rather difficult to fix or are things
         # we simply don't want to fix.
         -bugprone-undefined-memory-manipulation,
         -bugprone-pointer-arithmetic-on-polymorphic-object,
         -bugprone-empty-catch,
         -bugprone-exception-escape,
         -bugprone-suspicious-include,
         -modernize-avoid-c-arrays,
         -modernize-concat-nested-namespaces,
         -modernize-raw-string-literal,
         -modernize-use-auto,
         -modernize-use-nodiscard,
         -modernize-use-trailing-return-type,
         -modernize-use-designated-initializers,
         # This one returns a bunch of findings in DFA and the sqlite library.
         # We're unlikely to fix either of them.
         -performance-no-int-to-ptr,
         # These cppcoreguidelines checkers are things we should investigate
         # and possibly fix, but there are so many findings that we're holding
         # off doing it for now.
         #cppcoreguidelines-init-variables,
         #cppcoreguidelines-prefer-member-initializer,
         #cppcoreguidelines-pro-type-member-init,
         #cppcoreguidelines-pro-type-cstyle-cast,
         #cppcoreguidelines-pro-type-static-cast-downcast,
         #cppcoreguidelines-special-member-functions,
         # These are features in newer version of C++ that we don't have
         # access to yet.
         -modernize-use-std-format,
         -modernize-use-std-print,
 ]
 HeaderFilterRegex: '.h'
 ExcludeHeaderFilterRegex: '.*(auxil|3rdparty)/.*'
 SystemHeaders: false
 CheckOptions:
    - key: modernize-use-default-member-init.UseAssignment
      value: 'true'
 WarningsAsErrors: '*'
--- a/.cmake-format.json
+++ b/.cmake-format.json
@ -72,23 +72,10 @@
 		    "SOURCES": "*",
 		    "MODULES": "*"
 		}
      },
      "zeek_add_plugin": {
        "kwargs": {
          "INCLUDE_DIRS": "*",
          "DEPENDENCIES": "*",
          "SOURCES": "*",
          "BIFS": "*",
          "PAC": "*"
        }
 	    }
 	}
    },
    "format": {
    "always_wrap": [
      "spicy_add_analyzer",
      "zeek_add_plugin"
    ],
 	"line_width": 100,
 	"tab_size": 4,
 	"separate_ctrl_name_with_space": true,
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@ -24,15 +24,3 @@ e97c14add5b04aedc7f3f9dba59f665cbad793af
 # Remove trailing whitespace from script files
 a6378531dbc5c357926d98fe785bb719cc70e1b4
 # clang-format: Reformat Zeek in Spicy style
 f5a76c1aedc7f8886bc6abef0dfaa8065684b1f6
 # clang-format: Bump pre-commit hooks.
 26d04fd9fca0868d9c81e02fbffb6f81a00b56e5
 # clang-format: Format JSON with clang-format
 e6256446ddef5c5d5240eefff974556f2e12ac46
 # analyzer/protocol: Reformat with spicy-format
 d70bcd07b9b26036b16092fe950eca40e2f5a032
--- a/.github/workflows/coverity-scan.yml
+++ b/.github/workflows/coverity-scan.yml
@ -10,10 +10,10 @@ permissions:
 jobs:
  scan:
    if: github.repository == 'zeek/zeek'
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
        with:
          submodules: "recursive"
@ -21,71 +21,58 @@ jobs:
        run: |
          sudo apt-get update
          sudo apt-get -y install \
            bison \
            bsdmainutils \
            cmake \
            curl \
            flex \
            g++ \
            gcc \
            git \
-            jq \
+            cmake \
-            libfl-dev \
+            make \
-            libfl2 \
+            gcc \
-            libkrb5-dev \
+            g++ \
-            libmaxminddb-dev \
+            flex \
            bison \
            libpcap-dev \
            libssl-dev \
            libzmq3-dev \
            make \
            python3 \
            python3-dev \
            python3-pip \
            sqlite3 \
            swig \
-            zlib1g-dev
+            zlib1g-dev \
            libmaxminddb-dev \
            libkrb5-dev \
            bsdmainutils \
            sqlite3 \
            curl \
            wget
      - name: Configure
-        run: ./configure --build-type=debug --disable-broker-tests
+        run: ./configure --build-type=debug --disable-broker-tests --disable-spicy
      - name: Fetch Coverity Tools
        env:
          COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
        run: |
-          curl \
+          wget \
-            -o coverity_tool.tgz \
+            -nv https://scan.coverity.com/download/cxx/linux64 \
-            -d token=${COVERITY_TOKEN} \
+            --post-data "token=${COVERITY_TOKEN}&project=Bro" \
-            -d project=Bro \
+            -O coverity_tool.tgz
            https://scan.coverity.com/download/cxx/linux64
          tar xzf coverity_tool.tgz
          rm coverity_tool.tgz
          mv cov-analysis* coverity-tools
      - name: Build
        run: |
-          export PATH=$(pwd)/coverity-tools/bin:$PATH
+          export PATH=`pwd`/coverity-tools/bin:$PATH
-          ( cd build && cov-build --dir cov-int make -j "$(nproc)" )
+          ( cd build && cov-build --dir cov-int make -j $(nproc) )
          cat build/cov-int/build-log.txt
      - name: Submit
        env:
          COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
        run: |
-          ( cd build && tar czf myproject.tgz cov-int )
+          cd build
-          curl -X POST \
+          tar czf myproject.tgz cov-int
-            -d version=$(cat VERSION) \
+          curl \
-            -d description=$(git rev-parse HEAD) \
+            --form token=${COVERITY_TOKEN} \
-            -d email=zeek-commits-internal@zeek.org \
+            --form email=zeek-commits-internal@zeek.org \
-            -d token=${COVERITY_TOKEN} \
+            --form file=@myproject.tgz \
-            -d file_name=myproject.tgz \
+            --form "version=`cat ../VERSION`" \
-            -o response \
+            --form "description=`git rev-parse HEAD`" \
-            https://scan.coverity.com/projects/641/builds/init
+            https://scan.coverity.com/builds?project=Bro
          upload_url=$(jq -r '.url' response)
          build_id=$(jq -r '.build_id' response)
          curl -X PUT \
            --header 'Content-Type: application/json' \
            --upload-file build/myproject.tgz \
            ${upload_url}
          curl -X PUT \
            -d token=${COVERITY_TOKEN} \
            https://scan.coverity.com/projects/641/builds/${build_id}/enqueue
--- a/.github/workflows/generate-docs.yml
+++ b/.github/workflows/generate-docs.yml
@ -16,20 +16,20 @@ jobs:
  generate:
    permissions:
      contents: write  # for Git to git push
-    if: "github.repository == 'zeek/zeek' && contains(github.event.pull_request.labels.*.name, 'CI: Skip All') == false"
+    if: github.repository == 'zeek/zeek'
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      # We only perform a push if the action was triggered via a schedule
      # event, so we only need to authenticate in that case. Use
      # unauthenticated access otherwise so this action can e.g., also run from
      # clones.
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
        if: github.event_name == 'schedule'
        with:
          submodules: "recursive"
          token: ${{ secrets.ZEEK_BOT_TOKEN }}
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
        if: github.event_name != 'schedule'
        with:
          submodules: "recursive"
@ -51,16 +51,13 @@ jobs:
            bsdmainutils \
            ccache \
            cmake \
            cppzmq-dev \
            flex \
            g++ \
            gcc \
            git \
            libhiredis-dev \
            libfl-dev \
            libfl2 \
            libkrb5-dev \
            libnode-dev \
            libpcap-dev \
            libssl-dev \
            make \
@ -70,10 +67,11 @@ jobs:
            sqlite3 \
            swig \
            zlib1g-dev
-          python3 -m venv ci-docs-venv
+          # Many distros adhere to PEP 394's recommendation for `python` =
-          source ci-docs-venv/bin/activate
+          # `python2` so this is a simple workaround until we drop Python 2
-          pip3 install -r doc/requirements.txt
+          # support and explicitly use `python3` for all invocations.
-          pip3 install pre-commit
+          sudo ln -sf /usr/bin/python3 /usr/local/bin/python
          sudo pip3 install -r doc/requirements.txt
      - name: ccache
        uses: hendrikmuhs/ccache-action@v1.2
@ -81,48 +79,25 @@ jobs:
          key: 'docs-gen-${{ github.job }}'
          max-size: '2000M'
      # Github runners have node installed on them by default in /usr/local. This
      # causes problems with configure finding the version from the apt package,
      # plus gcc using it by default if we pass the right cmake variables to
      # configure. The easiest solution is to move the directory away prior to
      # running our build. It's moved back after just in case some workflow action
      # expects it to exist.
      - name: Move default node install to backup
        run: sudo mv /usr/local/include/node /usr/local/include/node.bak
      - name: Configure
        run: ./configure --disable-broker-tests --disable-cpp-tests --ccache
      - name: Build
        run: cd build && make -j $(nproc)
      - name: Move default node install to original location
        run: sudo mv /usr/local/include/node.bak /usr/local/include/node
      - name: Check Spicy docs
        run: cd doc && make check-spicy-docs
      # Cache pre-commit environment for reuse.
      - uses: actions/cache@v4
        with:
          path: ~/.cache/pre-commit
          key: doc-pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('doc/.pre-commit-config.yaml') }}
      - name: Generate Docs
        run: |
          source ci-docs-venv/bin/activate
          git config --global user.name zeek-bot
          git config --global user.email info@zeek.org
          echo "*** Generating Zeekygen Docs ***"
          ./ci/update-zeekygen-docs.sh || exit 1
          cd doc
          echo "*** Running pre-commit ***"
          pre-commit run -a --show-diff-on-failure --color=always
          echo "*** Generating Sphinx Docs ***"
          cd doc
          make > make.out 2>&1
          make_status=$?
          echo "*** Sphinx Build Output ***"
@ -139,8 +114,8 @@ jobs:
          git add scripts/ script-reference/
          git status
          # git commit errors when there's nothing to commit, so guard it
-          # with a check that detects whether there's anything staged.
+          # with a check that detects whether there's anything to commit/push.
-          git diff-index --cached --quiet HEAD || { git commit -m "Generate docs" && git push; }
+          git diff-index --quiet HEAD || { git commit -m "Generate docs" && git push; }
      - name: Update zeek-docs Submodule
        if: github.event_name == 'schedule'
@ -150,13 +125,13 @@ jobs:
          git add doc
          git status
          # Similar logic here: proceed only if there's a change in the submodule.
-          git diff-index --cached --quiet HEAD || { git commit -m 'Update doc submodule [nomail] [skip ci]' && git push; }
+          git diff-index --quiet HEAD || { git commit -m 'Update doc submodule [nomail] [skip ci]' && git push; }
      - name: Send email
        # Only send notifications for scheduled runs. Runs from pull requests
        # show failures in the GitHub UI.
        if: failure() && github.event_name == 'schedule'
-        uses: dawidd6/action-send-mail@v3.12.0
+        uses: dawidd6/action-send-mail@v3.7.0
        with:
          server_address: ${{secrets.SMTP_HOST}}
          server_port: ${{secrets.SMTP_PORT}}
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@ -7,8 +7,8 @@ on:
 jobs:
  pre-commit:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
-    - uses: actions/setup-python@v5
+    - uses: actions/setup-python@v4
-    - uses: pre-commit/action@v3.0.1
+    - uses: pre-commit/action@v3.0.0
--- a/.gitignore
+++ b/.gitignore
@ -19,17 +19,11 @@ cmake-build-*
 # clangd
 .cache
 out/
 # Visual Studio
 .vs/
 .vscode/
 out/
 CMakeSettings.json
 # Emacs temporary files
 *~
 # Vim temporary files
 *.swp
 *.swo
 src/include
--- a/.gitmodules
+++ b/.gitmodules
@ -1,6 +1,9 @@
 [submodule "auxil/zeek-aux"]
 	path = auxil/zeek-aux
 	url = https://github.com/zeek/zeek-aux
 [submodule "auxil/binpac"]
 	path = auxil/binpac
 	url = https://github.com/zeek/binpac
 [submodule "auxil/zeekctl"]
 	path = auxil/zeekctl
 	url = https://github.com/zeek/zeekctl
@ -10,12 +13,18 @@
 [submodule "cmake"]
 	path = cmake
 	url = https://github.com/zeek/cmake
 [submodule "src/3rdparty"]
 	path = src/3rdparty
 	url = https://github.com/zeek/zeek-3rdparty
 [submodule "auxil/broker"]
 	path = auxil/broker
 	url = https://github.com/zeek/broker
 [submodule "auxil/netcontrol-connectors"]
 	path = auxil/netcontrol-connectors
 	url = https://github.com/zeek/zeek-netcontrol
 [submodule "auxil/bifcl"]
 	path = auxil/bifcl
 	url = https://github.com/zeek/bifcl
 [submodule "doc"]
 	path = doc
 	url = https://github.com/zeek/zeek-docs
@ -30,13 +39,19 @@
 	url = https://github.com/zeek/libkqueue
 [submodule "auxil/highwayhash"]
 	path = auxil/highwayhash
-	url = https://github.com/google/highwayhash
+	url = https://github.com/zeek/highwayhash
 [submodule "auxil/zeek-archiver"]
 	path = auxil/zeek-archiver
 	url = https://github.com/zeek/zeek-archiver
 [submodule "auxil/package-manager"]
 	path = auxil/package-manager
 	url = https://github.com/zeek/package-manager
 [submodule "auxil/zeek-client"]
 	path = auxil/zeek-client
 	url = https://github.com/zeek/zeek-client
 [submodule "auxil/gen-zam"]
 	path = auxil/gen-zam
 	url = https://github.com/zeek/gen-zam
 [submodule "auxil/c-ares"]
 	path = auxil/c-ares
 	url = https://github.com/c-ares/c-ares
@ -46,24 +61,15 @@
 [submodule "auxil/spicy"]
 	path = auxil/spicy
 	url = https://github.com/zeek/spicy
 [submodule "auxil/filesystem"]
 	path = auxil/filesystem
 	url = https://github.com/gulrak/filesystem.git
 [submodule "auxil/zeek-af_packet-plugin"]
 	path = auxil/zeek-af_packet-plugin
 	url = https://github.com/zeek/zeek-af_packet-plugin.git
 [submodule "auxil/libunistd"]
 	path = auxil/libunistd
 	url = https://github.com/zeek/libunistd
 [submodule "auxil/zeekjs"]
 	path = auxil/zeekjs
 	url = https://github.com/corelight/zeekjs.git
 [submodule "auxil/vcpkg"]
 	path = auxil/vcpkg
 	url = https://github.com/microsoft/vcpkg
 [submodule "auxil/prometheus-cpp"]
 	path = auxil/prometheus-cpp
 	url = https://github.com/zeek/prometheus-cpp
 [submodule "src/cluster/backend/zeromq/auxil/cppzmq"]
 	path = src/cluster/backend/zeromq/auxil/cppzmq
 	url = https://github.com/zeromq/cppzmq
 [submodule "src/cluster/websocket/auxil/IXWebSocket"]
 	path = src/cluster/websocket/auxil/IXWebSocket
 	url = https://github.com/machinezone/IXWebSocket
 [submodule "auxil/expected-lite"]
 	path = auxil/expected-lite
 	url = https://github.com/martinmoene/expected-lite.git
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -2,58 +2,30 @@
 # See https://pre-commit.com/hooks.html for more hooks
 #
 repos:
 - repo: local
  hooks:
  - id: license
    name: Check for license headers
    entry: ./ci/license-header.py
    language: python
    files: '\.(h|c|cpp|cc|spicy|evt)$'
    types: [file]
    exclude: '^(testing/btest/(Baseline|plugins|spicy|scripts)/.*|testing/builtin-plugins/.*|src/3rdparty/.*)$'
  - id: btest-command-commented
    name: Check that all BTest command lines are commented out
    entry: '^\s*@TEST-'
    language: pygrep
    files: '^testing/btest/.*$'
 - repo: https://github.com/pre-commit/mirrors-clang-format
-  rev: v20.1.8
+  rev: 'v13.0.0'
  hooks:
  - id: clang-format
    types_or:
      - "c"
      - "c++"
      - "json"
    exclude: '^src/3rdparty/.*'
 - repo: https://github.com/maxwinterstein/shfmt-py
-  rev: v3.12.0.1
+  rev: v3.7.0.1
  hooks:
    - id: shfmt
      args: ["-w", "-i", "4", "-ci"]
- repo: https://github.com/astral-sh/ruff-pre-commit
+- repo: https://github.com/google/yapf
-  rev: v0.12.8
+  rev: v0.40.0
  hooks:
-    - id: ruff-check
+  - id: yapf
      args: ["--fix"]
    - id: ruff-format
 - repo: https://github.com/cheshirekow/cmake-format-precommit
  rev: v0.6.13
  hooks:
  - id: cmake-format
    exclude: '^auxil/.*$'
 - repo: https://github.com/crate-ci/typos
-  rev: v1.35.3
+  rev: v1.16.8
  hooks:
    - id: typos
-      exclude: '^(.typos.toml|src/SmithWaterman.cc|testing/.*|auxil/.*|scripts/base/frameworks/files/magic/.*|CHANGES|scripts/base/protocols/ssl/mozilla-ca-list.zeek|src/3rdparty/.*)$'
+      exclude: '^(.typos.toml|src/SmithWaterman.cc|testing/.*|auxil/.*|scripts/base/frameworks/files/magic/.*|CHANGES)$'
 - repo: https://github.com/bbannier/spicy-format
  rev: v0.26.0
  hooks:
    - id: spicy-format
      exclude: '^testing/.*'
--- a/.style.yapf
+++ b/.style.yapf
@ -0,0 +1,2 @@
 [style]
 column_limit=100
--- a/.typos.toml
+++ b/.typos.toml
@ -6,9 +6,8 @@ extend-ignore-re = [
    # ALLO is a valid FTP command
    "\"ALLO\".*200",
    "des-ede3-cbc-Env-OID",
-    "mis-aliasing of",
+    "Remove in v6.1.*SupressWeird",
-    "mis-indexing",
+    "max_repititions:.*Remove in v6.1",
    "compilability",
    # On purpose
    "\"THE NETBIOS NAM\"",
    # NFS stuff.
@ -20,25 +19,16 @@ extend-ignore-re = [
    "ot->Tag\\(\\) == TYPE_.*",
    "auto.* ot =",
    "ot = OP_.*",
    "ot\\[",
    "ot.size",
    "ot.empty",
    "ot_i",
    "ot.c_str",
    "have_ot",
    "if \\( ot == OP_.*",
    "ot->Yield\\(\\)->InternalType\\(\\)",
    "switch \\( ot \\)",
    "\\(ZAMOpType ot\\)",
    "exat", # Redis expire at
    "EXAT",
    # News stuff
    "SupressWeirds.*deprecated",
    "\"BaR\"",
    "\"xFoObar\"",
    "\"FoO\"",
    "Smoot",
 ]
 extend-ignore-identifiers-re = [
@ -50,17 +40,6 @@ extend-ignore-identifiers-re = [
    "ND_ROUTER_.*",
    "ND_NEIGHBOR_.*",
    ".*_ND_option.*",
    "bck", # Used with same length as `fwd`
    "pn", # Use for `PoolNode` variables
    "ffrom_[ip|port|mac]", # Used in netcontrol.
    "complte_flag", # Existing use in exported record in base.
    "VidP(n|N)", # In SMB.
    "iin", # In DNP3.
    "SCN[dioux]", # sccanf fixed-width identifiers
    "(ScValidatePnPService|ScSendPnPMessage)", # In DCE-RPC.
    "snet", # Used as shorthand for subnet in base scripts.
    "typ",
    "(e|i)it", # Used as name for some iterators.
 ]
 [default.extend-identifiers]
@ -73,7 +52,7 @@ ND_REDIRECT = "ND_REDIRECT"
 NED_ACK = "NED_ACK"
 NFS3ERR_ACCES = "NFS3ERR_ACCES"
 NO_SEH = "NO_SEH"
-OP_SWITCHS_Vii = "OP_SWITCHS_Vii"
+OP_SWITCHS_VVV = "OP_SWITCHS_VVV"
 O_WRONLY = "O_WRONLY"
 RPC_NT_CALL_FAILED_DNE = "RPC_NT_CALL_FAILED_DNE"
 RpcAddPrintProvidor = "RpcAddPrintProvidor"
@ -84,9 +63,6 @@ have_2nd = "have_2nd"
 ot1 = "ot1"
 ot2 = "ot2"
 uses_seh = "uses_seh"
 ect0 = "ect0"
 ect1 = "ect1"
 tpe = "tpe"
 [default.extend-words]
 caf = "caf"
--- a/10153
+++ b/10153
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -5,33 +5,6 @@ cmake_minimum_required(VERSION 3.15.0 FATAL_ERROR)
 if (WIN32)
    # Enable usage of CMAKE_MSVC_RUNTIME_LIBRARY variable
    cmake_policy(SET CMP0091 NEW)
    # I tried to just use CMAKE_SOURCE_DIR and CMAKE_CURRENT_SOURCE_DIR
    # but it's not setting the path correctly and so the toolchain
    # variable doesn't get passed down to submodules like libkqueue
    # correctly. Instead get the absolute path to the vcpkg.cmake file
    # and use that.
    get_filename_component(_toolchain ./auxil/vcpkg/scripts/buildsystems/vcpkg.cmake ABSOLUTE)
    # This needs to happen before the project() call below so that it
    # doesn't need to be manually passed on the command line.
    set(CMAKE_TOOLCHAIN_FILE ${_toolchain} CACHE STRING "Vcpkg toolchain file")
 endif ()
 if (APPLE AND CMAKE_VERSION VERSION_GREATER_EQUAL 4.0.0 AND NOT CMAKE_OSX_SYSROOT)
    # Spicy needs having CMAKE_OSX_SYSROOT point to the macOS SDK
    # path, but starting with CMake 4.0 CMAKE_OSX_SYSROOT is not set
    # automatically anymore. So we follow the guidance from the CMake 4.0
    # release notes here:
    #
    #    Builds targeting macOS no longer choose any SDK or pass an "-isysroot"
    #    flag to the compiler by default. [...] users must now specify
    #    "-DCMAKE_OSX_SYSROOT=macosx" when configuring their build.
    #
    # Note that this needs to happen before the project() call below, meaning
    # we cannot rely on the corresponding code inside the Spicy CMake
    # configuration.
    set(CMAKE_OSX_SYSROOT "macosx")
 endif ()
 project(Zeek C CXX)
@ -59,17 +32,15 @@ option(ENABLE_DEBUG "Build Zeek with additional debugging support." ${ENABLE_DEB
 option(ENABLE_JEMALLOC "Link against jemalloc." OFF)
 option(ENABLE_PERFTOOLS "Build with support for Google perftools." OFF)
 option(ENABLE_ZEEK_UNIT_TESTS "Build the C++ unit tests." ON)
 option(ENABLE_IWYU "Enable include-what-you-use for the main Zeek target." OFF)
 option(ENABLE_CLANG_TIDY "Enable clang-tidy for the main Zeek target." OFF)
 option(INSTALL_AUX_TOOLS "Install additional tools from auxil." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(INSTALL_BTEST "Install btest alongside Zeek." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(INSTALL_BTEST_PCAPS "Install pcap files for testing." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(INSTALL_ZEEKCTL "Install zeekctl." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(INSTALL_ZEEK_ARCHIVER "Install the zeek-archiver." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(INSTALL_ZEEK_CLIENT "Install the zeek-client." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(INSTALL_ZKG "Install zkg." ${ZEEK_INSTALL_TOOLS_DEFAULT})
 option(PREALLOCATE_PORT_ARRAY "Pre-allocate all ports for zeek::Val." ON)
-option(ZEEK_STANDALONE "Build Zeek as stand-alone binary." ON)
+option(ZEEK_STANDALONE "Build Zeek as stand-alone binary?" ON)
 option(ZEEK_ENABLE_FUZZERS "Build Zeek fuzzing targets." OFF)
 # Non-boolean options.
 if (NOT WIN32)
@ -90,14 +61,14 @@ set(ZEEK_ETC_INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/etc"
 set(CMAKE_EXPORT_COMPILE_COMMANDS ON CACHE INTERNAL
                                           "Whether to write a JSON compile commands database")
 set(ZEEK_CXX_STD cxx_std_17 CACHE STRING "The C++ standard to use.")
 set(ZEEK_SANITIZERS "" CACHE STRING "Sanitizers to use when building.")
 set(CPACK_SOURCE_IGNORE_FILES "" CACHE STRING "Files to be ignored by CPack")
 set(ZEEK_INCLUDE_PLUGINS "" CACHE STRING "Extra plugins to add to the build.")
 set(ZEEK_VERSION_LOCAL "" CACHE STRING "Custom version string.")
 # Look into the build tree for additional CMake modules.
 list(APPEND CMAKE_MODULE_PATH ${CMAKE_BINARY_DIR})
 list(APPEND CMAKE_PREFIX_PATH ${CMAKE_BINARY_DIR})
@ -148,26 +119,33 @@ if (MSVC)
    set(OPENSSL_USE_STATIC_LIBS true)
    set(OPENSSL_MSVC_STATIC_RT true)
-    # Set PCAP_ROOT_DIR to point at the installation from vcpkg. A later call
+    if (ZEEK_STANDALONE)
-    # to FindPCAP.cmake will fill in the rest of the necessary variables.
+        include(${CMAKE_SOURCE_DIR}/cmake/conan.cmake)
        conan_cmake_autodetect(settings)
        # Install packages from conanfile
        conan_cmake_install(PATH_OR_REFERENCE ${CMAKE_SOURCE_DIR}/ci/windows/conanfile_windows.txt
                            BUILD missing SETTINGS ${settings})
    endif ()
    # Set LibPCAP to point to libpcap binaries.
    if (NOT PCAP_ROOT_DIR)
-        set(PCAP_ROOT_DIR ${VCPKG_INSTALLED_DIR}/${VCPKG_TARGET_TRIPLET})
+        find_package(libpcap)
-    else ()
+        set(PCAP_ROOT_DIR "${libpcap_LIB_DIRS}/../")
-        unset(PCAP_INCLUDE_DIR CACHE)
+        set(PCAP_INCLUDE_DIR ${libpcap_INCLUDES})
-        unset(PCAP_LIBRARY CACHE)
+        set(PCAP_LIBRARY ${libpcap_LIBS})
    endif ()
    set(LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER false)
-    # Find zlib installed by vcpkg.
+    # Set ZLib to point at the right variable.
    find_package(ZLIB)
-    set(ZLIB_LIBRARY ZLIB::ZLIB)
+    set(ZLIB_LIBRARY ${ZLIB_LIBRARIES})
-    # Find c-ares installed by vcpkg.
+    # Set CAres
    find_package(c-ares)
    set(HAVE_CARES true) # Disable FindCAres cmake file
    include_directories(BEFORE ${c-ares_INCLUDE_DIRS})
-    set(zeekdeps ${zeekdeps} c-ares::cares)
+    set(zeekdeps ${zeekdeps} ${c-ares_LIBRARIES})
    add_definitions(-DCARES_STATICLIB)
    add_subdirectory(auxil/libunistd)
@ -187,58 +165,16 @@ if (MSVC)
    # Disable Spicy as it is not yet supported in Windows.
    set(DISABLE_SPICY true)
    if (BUILD_WITH_WERROR)
        # TODO: This is disabled for now because there a bunch of known
        # compiler warnings on Windows that we don't have good fixes for.
        #set(WERROR_FLAG "/WX")
        #set(WNOERROR_FLAG "/WX:NO")
    endif ()
    # Always build binpac in static mode if building on Windows
    set(BUILD_STATIC_BINPAC true)
 else ()
    include(GNUInstallDirs)
    if (BUILD_WITH_WERROR)
        set(WERROR_FLAG "-Werror")
        set(WNOERROR_FLAG "-Wno-error")
        # With versions >=13.0 GCC gained `-Warray-bounds` which reports false
        # positives, see e.g., https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111273.
        if (CMAKE_COMPILER_IS_GNUCXX AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 13.0)
            list(APPEND WERROR_FLAG "-Wno-error=array-bounds")
        endif ()
        # With versions >=11.0 GCC is returning false positives for -Wrestrict. See
        # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100366. It's more prevalent
        # building with -std=c++20.
        if (CMAKE_COMPILER_IS_GNUCXX AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 11.0)
            list(APPEND WERROR_FLAG "-Wno-error=restrict")
        endif ()
    endif ()
 endif ()
 include(cmake/CommonCMakeConfig.cmake)
 include(cmake/FindClangTidy.cmake)
 include(cmake/CheckCompilerArch.cmake)
 include(cmake/RequireCXXStd.cmake)
 string(TOLOWER ${CMAKE_BUILD_TYPE} CMAKE_BUILD_TYPE_LOWER)
 if (ENABLE_IWYU)
    find_program(ZEEK_IWYU_PATH NAMES include-what-you-use iwyu)
    if (NOT ZEEK_IWYU_PATH)
        message(FATAL_ERROR "Could not find the program include-what-you-use")
    endif ()
 endif ()
 if (ENABLE_CLANG_TIDY)
    find_program(ZEEK_CLANG_TIDY_PATH NAMES clang-tidy)
    if (NOT ZEEK_CLANG_TIDY_PATH)
        message(FATAL_ERROR "Could not find the program clang-tidy")
    endif ()
 endif ()
 # ##############################################################################
 # Main targets and utilities.
@ -250,7 +186,7 @@ set(ZEEK_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}")
 # zeek-plugin-create-package.sh. Needed by ZeekPluginConfig.cmake.in.
 set(ZEEK_PLUGIN_SCRIPTS_PATH "${PROJECT_SOURCE_DIR}/cmake")
-# Our C++ base target for propagating compiler and linker flags. Note: for
+# Our C++17 base target for propagating compiler and linker flags. Note: for
 # now, we only use it for passing library dependencies around.
 add_library(zeek_internal INTERFACE)
 add_library(Zeek::Internal ALIAS zeek_internal)
@ -283,10 +219,9 @@ if (ZEEK_STANDALONE)
    endif ()
    # Tell zeek_target_link_libraries to add library dependencies as PRIVATE.
    set(zeek_exe_access PRIVATE)
-
+    # Also build the static library when asked for via Conan.
-    if (${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
+    if (CONAN_EXPORTED)
-        target_link_libraries(zeek_exe PRIVATE /usr/lib/libutil.so)
+        add_library(zeek_lib STATIC)
        target_link_libraries(zeek_exe PRIVATE procstat)
    endif ()
 else ()
    add_library(zeek_lib STATIC)
@ -297,17 +232,11 @@ if (TARGET zeek_lib)
    add_dependencies(zeek_lib zeek_autogen_files)
    set_target_properties(zeek_lib PROPERTIES RUNTIME_OUTPUT_NAME libzeek)
    if (NOT CMAKE_LIBRARY_OUTPUT_DIRECTORY)
-        set_target_properties(zeek_lib PROPERTIES LIBRARY_OUTPUT_DIRECTORY src)
+        set_target_properties(zeek_lie PROPERTIES LIBRARY_OUTPUT_DIRECTORY src)
    endif ()
    install(TARGETS zeek_lib LIBRARY DESTINATION lib)
    # Tell zeek_target_link_libraries to add library dependencies as PRIVATE.
    set(zeek_lib_access PRIVATE)
    if (${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
        target_link_libraries(zeek_lib PRIVATE /usr/lib/libutil.so)
        target_link_libraries(zeek_lib PRIVATE procstat)
    endif ()
 endif ()
 # When building our fuzzers, we also need one extra top-level target that
@ -325,7 +254,6 @@ endif ()
 foreach (name zeek_exe zeek_lib zeek_fuzzer_shared)
    if (TARGET ${name})
        target_compile_definitions(${name} PRIVATE ZEEK_CONFIG_SKIP_VERSION_H)
        target_compile_options(${name} PRIVATE ${WERROR_FLAG})
    endif ()
 endforeach ()
@ -338,16 +266,6 @@ function (zeek_target_link_libraries lib_target)
    endforeach ()
 endfunction ()
 function (zeek_target_add_linters lib_target)
    if (ZEEK_IWYU_PATH)
        set_target_properties(${lib_target} PROPERTIES CXX_INCLUDE_WHAT_YOU_USE ${ZEEK_IWYU_PATH})
    endif ()
    if (ZEEK_CLANG_TIDY_PATH)
        set_target_properties(${lib_target} PROPERTIES CXX_CLANG_TIDY ${ZEEK_CLANG_TIDY_PATH})
    endif ()
 endfunction ()
 function (zeek_include_directories)
    foreach (name zeek_exe zeek_lib zeek_fuzzer_shared)
        if (TARGET ${name})
@ -365,17 +283,17 @@ function (zeek_add_dependencies dep)
    endforeach ()
 endfunction ()
 # Used by library zeek_dynamic_plugin_base and for sanitizer builds.
 find_package(Threads REQUIRED)
 # Interface library for propagating extra flags and include paths to dynamically
-# loaded plugins. Also propagates include paths and c++ standard mode on the install
+# loaded plugins. Also propagates include paths and C++17 mode on the install
 # interface.
 add_library(zeek_dynamic_plugin_base INTERFACE)
 target_include_directories(
    zeek_dynamic_plugin_base
    INTERFACE $<INSTALL_INTERFACE:include> $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}>
              $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/src>)
 if (OPENSSL_INCLUDE_DIR)
    target_include_directories(zeek_dynamic_plugin_base INTERFACE "${OPENSSL_INCLUDE_DIR}")
 endif ()
 target_link_libraries(zeek_dynamic_plugin_base INTERFACE Threads::Threads)
 add_library(Zeek::DynamicPluginBase ALIAS zeek_dynamic_plugin_base)
 set_target_properties(zeek_dynamic_plugin_base PROPERTIES EXPORT_NAME DynamicPluginBase)
@ -396,20 +314,19 @@ endfunction ()
 add_zeek_dynamic_plugin_build_interface_include_directories(
    ${PROJECT_SOURCE_DIR}/src/include
-    ${PROJECT_SOURCE_DIR}/tools/binpac/lib
+    ${PROJECT_SOURCE_DIR}/auxil/binpac/lib
-    ${PROJECT_SOURCE_DIR}/auxil/broker/libbroker
+    ${PROJECT_SOURCE_DIR}/auxil/broker/include
    ${PROJECT_SOURCE_DIR}/auxil/paraglob/include
-    ${PROJECT_SOURCE_DIR}/auxil/prometheus-cpp/core/include
+    ${PROJECT_SOURCE_DIR}/auxil/rapidjson/include
    ${PROJECT_SOURCE_DIR}/auxil/expected-lite/include
    ${CMAKE_BINARY_DIR}/src
    ${CMAKE_BINARY_DIR}/src/include
-    ${CMAKE_BINARY_DIR}/tools/binpac/lib
+    ${CMAKE_BINARY_DIR}/auxil/binpac/lib
-    ${CMAKE_BINARY_DIR}/auxil/broker/libbroker
+    ${CMAKE_BINARY_DIR}/auxil/broker/include)
    ${CMAKE_BINARY_DIR}/auxil/prometheus-cpp/core/include)
-target_include_directories(
+# threading/formatters/JSON.h includes rapidjson headers and may be used
-    zeek_dynamic_plugin_base SYSTEM
+# by external plugins, extend the include path.
-    INTERFACE $<INSTALL_INTERFACE:include/zeek/3rdparty/prometheus-cpp/include>)
+target_include_directories(zeek_dynamic_plugin_base SYSTEM
                           INTERFACE $<INSTALL_INTERFACE:include/zeek/3rdparty/rapidjson/include>)
 # Convenience function for adding an OBJECT library that feeds directly into the
 # main target(s).
@ -432,7 +349,7 @@ function (zeek_add_subdir_library name)
    target_compile_definitions(${target_name} PRIVATE ZEEK_CONFIG_SKIP_VERSION_H)
    add_dependencies(${target_name} zeek_autogen_files)
    target_link_libraries(${target_name} PRIVATE $<BUILD_INTERFACE:zeek_internal>)
-    target_compile_options(${target_name} PRIVATE ${WERROR_FLAG})
+    add_clang_tidy_files(${FN_ARGS_SOURCES})
    # Take care of compiling BIFs.
    if (FN_ARGS_BIFS)
@ -455,9 +372,6 @@ function (zeek_add_subdir_library name)
    # Feed into the main Zeek target(s).
    zeek_target_link_libraries(${target_name})
    # Add IWYU and clang-tidy to the target if enabled.
    zeek_target_add_linters(${target_name})
 endfunction ()
 # ##############################################################################
@ -653,20 +567,10 @@ set(VERSION_C_IDENT "${ZEEK_VERSION_FULL}_plugin_${API_VERSION}")
 string(REGEX REPLACE "-[0-9]*$" "_git" VERSION_C_IDENT "${VERSION_C_IDENT}")
 string(REGEX REPLACE "[^a-zA-Z0-9_\$]" "_" VERSION_C_IDENT "${VERSION_C_IDENT}")
 set(ZEEK_VERSION_FULL_LOCAL "${ZEEK_VERSION_FULL}")
 if (NOT ZEEK_VERSION_LOCAL STREQUAL "")
    if (ZEEK_VERSION_LOCAL MATCHES "-")
        message(FATAL_ERROR "ZEEK_VERSION_LOCAL can not contain dashes: ${ZEEK_VERSION_LOCAL}")
    endif ()
    set(ZEEK_VERSION_FULL_LOCAL "${ZEEK_VERSION_FULL_LOCAL}-${ZEEK_VERSION_LOCAL}")
    set(VERSION_C_IDENT "${VERSION_C_IDENT}_${ZEEK_VERSION_LOCAL}")
 endif ()
 if (ENABLE_DEBUG)
    set(VERSION_C_IDENT "${VERSION_C_IDENT}_debug")
    target_compile_definitions(zeek_internal INTERFACE DEBUG)
    target_compile_definitions(zeek_dynamic_plugin_base INTERFACE DEBUG)
    set(SPICYZ_FLAGS "-d" CACHE STRING "Additional flags to pass to spicyz for builtin analyzers")
 endif ()
 if (NOT BINARY_PACKAGING_MODE)
@ -701,6 +605,11 @@ if (NOT BINARY_PACKAGING_MODE)
 endif ()
 if (ZEEK_SANITIZERS)
    # Check the thread library info early as setting compiler flags seems to
    # interfere with the detection and cause CMAKE_THREAD_LIBS_INIT to not include
    # -lpthread when it should.
    find_package(Threads)
    string(REPLACE "," " " _sanitizer_args "${ZEEK_SANITIZERS}")
    separate_arguments(_sanitizer_args)
    set(ZEEK_SANITIZERS "")
@ -835,13 +744,16 @@ if (NOT SED_EXE)
    endif ()
 endif ()
-set(ZEEK_PYTHON_MIN 3.9.0)
+set(ZEEK_PYTHON_MIN 3.5.0)
 set(Python_FIND_UNVERSIONED_NAMES FIRST)
 find_package(Python ${ZEEK_PYTHON_MIN} REQUIRED COMPONENTS Interpreter)
 find_package(FLEX REQUIRED)
 find_package(BISON 2.5 REQUIRED)
 find_package(PCAP REQUIRED)
 find_package(OpenSSL REQUIRED)
 if (NOT MSVC)
    find_package(BIND REQUIRED)
 endif ()
 find_package(ZLIB REQUIRED)
 if (NOT BINARY_PACKAGING_MODE)
@ -883,35 +795,46 @@ endif ()
 set(PY_MOD_INSTALL_DIR ${py_mod_install_dir} CACHE STRING "Installation path for Python modules"
                                                   FORCE)
-# BinPAC uses the same 'ENABLE_STATIC_ONLY' variable to define whether
+if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/auxil/binpac/CMakeLists.txt)
-# to build statically. Save a local copy so it can be set based on the
+
 # configure flag before we add the subdirectory.
    set(ENABLE_STATIC_ONLY_SAVED ${ENABLE_STATIC_ONLY})
    if (MSVC)
        set(BUILD_STATIC_BINPAC true)
    endif ()
    if (BUILD_STATIC_BINPAC)
        set(ENABLE_STATIC_ONLY true)
    endif ()
-add_subdirectory(tools/binpac)
+    add_subdirectory(auxil/binpac)
    set(ENABLE_STATIC_ONLY ${ENABLE_STATIC_ONLY_SAVED})
    # FIXME: avoid hard-coding a path for multi-config generator support. See the
    # TODO in ZeekPluginConfig.cmake.in.
-set(BINPAC_EXE_PATH "${CMAKE_BINARY_DIR}/tools/binpac/src/binpac${CMAKE_EXECUTABLE_SUFFIX}")
+    set(BINPAC_EXE_PATH "${CMAKE_BINARY_DIR}/auxil/binpac/src/binpac${CMAKE_EXECUTABLE_SUFFIX}")
-set(_binpac_exe_path "included")
+endif ()
 # Need to call find_package so it sets up the include paths used by plugin builds.
 find_package(BinPAC REQUIRED)
 # Add an alias (used by our plugin setup).
 add_executable(Zeek::BinPAC ALIAS binpac)
-add_subdirectory(tools/bifcl)
+if (NOT BIFCL_EXE_PATH)
    add_subdirectory(auxil/bifcl)
    add_executable(Zeek::BifCl ALIAS bifcl)
    # FIXME: avoid hard-coding a path for multi-config generator support. See the
    # TODO in ZeekPluginConfig.cmake.in.
-set(BIFCL_EXE_PATH "${CMAKE_BINARY_DIR}/tools/bifcl/bifcl${CMAKE_EXECUTABLE_SUFFIX}")
+    set(BIFCL_EXE_PATH "${CMAKE_BINARY_DIR}/auxil/bifcl/bifcl${CMAKE_EXECUTABLE_SUFFIX}")
    set(_bifcl_exe_path "included")
 else ()
    add_executable(Zeek::BifCl IMPORTED)
    set_property(TARGET Zeek::BifCl PROPERTY IMPORTED_LOCATION "${BIFCL_EXE_PATH}")
    set(_bifcl_exe_path "BIFCL_EXE_PATH")
 endif ()
-add_subdirectory(tools/gen-zam)
+if (NOT GEN_ZAM_EXE_PATH)
    add_subdirectory(auxil/gen-zam)
 endif ()
 if (ENABLE_JEMALLOC)
    if (${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
@ -969,8 +892,8 @@ else ()
        list(APPEND zeekdeps broker)
    endif ()
-    set(broker_includes ${CMAKE_CURRENT_SOURCE_DIR}/auxil/broker/libbroker
+    set(broker_includes ${CMAKE_CURRENT_SOURCE_DIR}/auxil/broker/include
-                        ${CMAKE_CURRENT_BINARY_DIR}/auxil/broker/libbroker)
+                        ${CMAKE_CURRENT_BINARY_DIR}/auxil/broker/include)
    if (BUILD_STATIC_BROKER)
        set(ZEEK_HAS_STATIC_BROKER ON)
@ -1016,7 +939,6 @@ if (NOT DISABLE_SPICY)
            set(Python3_EXECUTABLE ${Python_EXECUTABLE} CACHE STRING "Python3_EXECUTABLE hint")
        endif ()
        set(SPICY_ENABLE_TESTS OFF)
        add_subdirectory(auxil/spicy)
        include(ConfigureSpicyBuild) # set some options different for building Spicy
@ -1028,16 +950,8 @@ if (NOT DISABLE_SPICY)
        # instead explicitly branch on `BINARY_PACKAGING_MODE` here.
        if (BINARY_PACKAGING_MODE)
            hilti_link_object_libraries_in_tree(zeek_exe PRIVATE)
            spicy_link_object_libraries_in_tree(zeek_exe PRIVATE)
        else ()
            if (TARGET zeek_exe)
            hilti_link_libraries_in_tree(zeek_exe PRIVATE)
                spicy_link_libraries_in_tree(zeek_exe PRIVATE)
            endif ()
            if (TARGET zeek_lib)
                hilti_link_libraries_in_tree(zeek_lib PRIVATE)
                spicy_link_libraries_in_tree(zeek_lib PRIVATE)
            endif ()
        endif ()
        set(HAVE_SPICY yes)
@ -1055,24 +969,21 @@ include(BuiltInSpicyAnalyzer)
 include_directories(BEFORE ${PCAP_INCLUDE_DIR} ${BIND_INCLUDE_DIR} ${BinPAC_INCLUDE_DIR}
                    ${ZLIB_INCLUDE_DIR} ${JEMALLOC_INCLUDE_DIR})
-install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/auxil/prometheus-cpp/core/include/prometheus
+install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/auxil/rapidjson/include/rapidjson
-        DESTINATION include/zeek/3rdparty/prometheus-cpp/include)
+        DESTINATION include/zeek/3rdparty/rapidjson/include)
-install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/auxil/prometheus-cpp/core/include/prometheus
+install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/auxil/filesystem/include/ghc
        DESTINATION include/zeek/3rdparty/prometheus-cpp/include)
 install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/auxil/expected-lite/include/nonstd
        DESTINATION include/zeek/3rdparty/)
 # Create 3rdparty/ghc within the build directory so that the include for
 # "zeek/3rdparty/ghc/filesystem.hpp" works within the build tree.
 execute_process(COMMAND "${CMAKE_COMMAND}" -E make_directory
                        "${CMAKE_CURRENT_BINARY_DIR}/3rdparty/")
 # Do the same for nonstd.
 execute_process(
    COMMAND
        "${CMAKE_COMMAND}" -E create_symlink
-        "${CMAKE_CURRENT_SOURCE_DIR}/auxil/expected-lite/include/nonstd"
+        "${CMAKE_CURRENT_SOURCE_DIR}/auxil/filesystem/include/ghc"
-        "${CMAKE_CURRENT_BINARY_DIR}/3rdparty/nonstd")
+        "${CMAKE_CURRENT_BINARY_DIR}/3rdparty/ghc")
 # Optional Dependencies
@ -1080,17 +991,19 @@ set(USE_GEOIP false)
 find_package(LibMMDB)
 if (LIBMMDB_FOUND)
    set(USE_GEOIP true)
-    include_directories(BEFORE SYSTEM ${LibMMDB_INCLUDE_DIR})
+    include_directories(BEFORE ${LibMMDB_INCLUDE_DIR})
    list(APPEND OPTLIBS ${LibMMDB_LIBRARY})
 endif ()
 set(USE_KRB5 false)
 if (${CMAKE_SYSTEM_NAME} MATCHES Linux)
    find_package(LibKrb5)
    if (LIBKRB5_FOUND)
        set(USE_KRB5 true)
-    include_directories(BEFORE SYSTEM ${LibKrb5_INCLUDE_DIR})
+        include_directories(BEFORE ${LibKrb5_INCLUDE_DIR})
        list(APPEND OPTLIBS ${LibKrb5_LIBRARY})
    endif ()
 endif ()
 set(HAVE_PERFTOOLS false)
 set(USE_PERFTOOLS_DEBUG false)
@ -1121,7 +1034,7 @@ endif ()
 # dependencies which tend to be in standard system locations and thus cause the
 # system OpenSSL headers to still be picked up even if one specifies
 # --with-openssl (which may be common).
-include_directories(BEFORE SYSTEM ${OPENSSL_INCLUDE_DIR})
+include_directories(BEFORE ${OPENSSL_INCLUDE_DIR})
 # Determine if libfts is external to libc, i.e. musl
 find_package(FTS)
@ -1165,17 +1078,9 @@ include(PCAPTests)
 include(OpenSSLTests)
 include(CheckNameserCompat)
 include(GetArchitecture)
 # On platforms without a native libkqueue, c-ares is using the existing
 # value for HAVE_KQUEUE that was set during the libkqueue setup. We don't
 # pass the libkqueue information down to the c-ares cmake run so it won't
 # have the paths or library when it builds.
 include(FindCAres)
 include(FindKqueue)
-
+include(FindCAres)
 include(FindPrometheusCpp)
 include_directories(BEFORE "auxil/out_ptr/include")
 include_directories(BEFORE "auxil/expected-lite/include")
 if ((OPENSSL_VERSION VERSION_EQUAL "1.1.0") OR (OPENSSL_VERSION VERSION_GREATER "1.1.0"))
    set(ZEEK_HAVE_OPENSSL_1_1 true CACHE INTERNAL "" FORCE)
@ -1187,7 +1092,16 @@ endif ()
 # Tell the plugin code that we're building as part of the main tree.
 set(ZEEK_PLUGIN_INTERNAL_BUILD true CACHE INTERNAL "" FORCE)
-set(ZEEK_HAVE_JAVASCRIPT no)
+if (${CMAKE_SYSTEM_NAME} MATCHES Linux)
    if (NOT DISABLE_AF_PACKET)
        if (NOT AF_PACKET_PLUGIN_PATH)
            set(AF_PACKET_PLUGIN_PATH ${CMAKE_SOURCE_DIR}/auxil/zeek-af_packet-plugin)
        endif ()
        list(APPEND ZEEK_INCLUDE_PLUGINS ${AF_PACKET_PLUGIN_PATH})
    endif ()
 endif ()
 if (NOT DISABLE_JAVASCRIPT)
    set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} ${PROJECT_SOURCE_DIR}/auxil/zeekjs/cmake)
    find_package(Nodejs)
@ -1198,15 +1112,17 @@ if (NOT DISABLE_JAVASCRIPT)
                STATUS
                    "Node.js version ${NODEJS_VERSION} is too old, need 16.13 or later. Not enabling JavaScript support."
            )
            set(ZEEK_HAVE_JAVASCRIPT no)
        else ()
            set(ZEEKJS_PLUGIN_PATH ${CMAKE_SOURCE_DIR}/auxil/zeekjs)
            list(APPEND ZEEK_INCLUDE_PLUGINS ${ZEEKJS_PLUGIN_PATH})
            set(ZEEK_HAVE_JAVASCRIPT yes)
        endif ()
    else ()
        set(ZEEK_HAVE_JAVASCRIPT no)
    endif ()
 endif ()
 set(ZEEK_HAVE_AF_PACKET no CACHE INTERNAL "Zeek has AF_PACKET support")
 set(ZEEK_HAVE_JAVASCRIPT ${ZEEK_HAVE_JAVASCRIPT} CACHE INTERNAL "Zeek has JavaScript support")
 set(DEFAULT_ZEEKPATH_PATHS
@ -1225,7 +1141,11 @@ endif ()
 include_directories(BEFORE ${CMAKE_CURRENT_BINARY_DIR})
 execute_process(COMMAND "${CMAKE_COMMAND}" -E create_symlink "." "${CMAKE_CURRENT_BINARY_DIR}/zeek")
 if (BinPAC_ROOT_DIR)
    set(ZEEK_CONFIG_BINPAC_ROOT_DIR ${BinPAC_ROOT_DIR})
 else ()
    set(ZEEK_CONFIG_BINPAC_ROOT_DIR ${ZEEK_ROOT_DIR})
 endif ()
 if (BROKER_ROOT_DIR)
    set(ZEEK_CONFIG_BROKER_ROOT_DIR ${BROKER_ROOT_DIR})
@ -1363,6 +1283,7 @@ checkoptionalbuildsources(auxil/btest BTest INSTALL_BTEST)
 checkoptionalbuildsources(auxil/package-manager ZKG INSTALL_ZKG)
 checkoptionalbuildsources(auxil/zeekctl ZeekControl INSTALL_ZEEKCTL)
 checkoptionalbuildsources(auxil/zeek-aux Zeek-Aux INSTALL_AUX_TOOLS)
 checkoptionalbuildsources(auxil/zeek-archiver ZeekArchiver INSTALL_ZEEK_ARCHIVER)
 checkoptionalbuildsources(auxil/zeek-client ZeekClient INSTALL_ZEEK_CLIENT)
 # Generate Spicy helper scripts referenced in e.g., `zeek-path-dev.*`. These
@ -1443,6 +1364,11 @@ else ()
    set(_install_btest_tools_msg "no pcaps")
 endif ()
 set(_binpac_exe_path "included")
 if (BINPAC_EXE_PATH)
    set(_binpac_exe_path ${BINPAC_EXE_PATH})
 endif ()
 set(_gen_zam_exe_path "included")
 if (GEN_ZAM_EXE_PATH)
    set(_gen_zam_exe_path ${GEN_ZAM_EXE_PATH})
@ -1472,118 +1398,56 @@ if (ZEEK_LEGACY_ANALYZERS OR ZEEK_SKIPPED_ANALYZERS)
    )
 endif ()
-set(_zeek_builtin_plugins "${ZEEK_BUILTIN_PLUGINS}")
+message(
-if (NOT ZEEK_BUILTIN_PLUGINS)
+    "\n====================|  Zeek Build Summary  |===================="
-    set(_zeek_builtin_plugins "none")
+    "\n"
-endif ()
+    "\nBuild type:        ${CMAKE_BUILD_TYPE}"
-
+    "\nBuild dir:         ${PROJECT_BINARY_DIR}"
-set(_zeek_fuzzing_engine "${ZEEK_FUZZING_ENGINE}")
+    "\n"
-if (NOT ZEEK_FUZZING_ENGINE)
+    "\nInstall prefix:    ${CMAKE_INSTALL_PREFIX}"
-    if (ZEEK_ENABLE_FUZZERS)
+    "\nConfig file dir:   ${ZEEK_ETC_INSTALL_DIR}"
-        # The default fuzzer used by gcc and clang is libFuzzer. This is if you
+    "\nLog dir:           ${ZEEK_LOG_DIR}"
-        # simply pass '-fsanitize=fuzzer' to the compiler.
+    "\nPlugin dir:        ${ZEEK_PLUGIN_DIR}"
-        set(_zeek_fuzzing_engine "libFuzzer")
+    "\nPython module dir: ${PY_MOD_INSTALL_DIR}"
-    endif ()
+    "\nScript dir:        ${ZEEK_SCRIPT_INSTALL_PATH}"
-endif ()
+    "\nSpool dir:         ${ZEEK_SPOOL_DIR}"
-
+    "\nState dir:         ${ZEEK_STATE_DIR}"
-## Utility method for outputting status information for features that just have a
+    "\nSpicy modules dir: ${ZEEK_SPICY_MODULE_PATH}"
-## string representation. This can also take an optional second argument that is a
+    "\n"
-## value string to print.
+    "\nDebug mode:        ${ENABLE_DEBUG}"
-function (output_summary_line what)
+    "\nUnit tests:        ${ENABLE_ZEEK_UNIT_TESTS}"
-    if ("${ARGV1}" MATCHES "^$")
+    "\nBuiltin Plugins:   ${ZEEK_BUILTIN_PLUGINS}"
-        message("${what}:")
+    "\n"
-        return()
+    "\nCC:                ${CMAKE_C_COMPILER}"
-    endif ()
+    "\nCFLAGS:            ${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS_${BuildType}}"
-
+    "\nCXX:               ${CMAKE_CXX_COMPILER}"
-    set(_spaces "                                        ")
+    "\nCXXFLAGS:          ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${BuildType}}"
-    string(LENGTH ${what} _what_length)
+    "\nCPP:               ${CMAKE_CXX_COMPILER}"
-    math(EXPR _num_spaces "25 - ${_what_length}")
+    "\n"
-    string(SUBSTRING ${_spaces} 0 ${_num_spaces} _spacing)
+    "\nzeek-client:       ${INSTALL_ZEEK_CLIENT}"
-    message("${what}:${_spacing}${ARGV1}")
+    "\nZeekControl:       ${INSTALL_ZEEKCTL}"
-endfunction ()
+    "\nAux. Tools:        ${INSTALL_AUX_TOOLS}"
-
+    "\nBifCL:             ${_bifcl_exe_path}"
-## Utility method for outputting status information for features that have an ON/OFF
+    "\nBinPAC:            ${_binpac_exe_path}"
-## state.
+    "\nBTest:             ${INSTALL_BTEST}"
-function (output_summary_bool what state)
+    "\nBTest tooling:     ${_install_btest_tools_msg}"
-    if (${state})
+    "\nGen-ZAM:           ${_gen_zam_exe_path}"
-        output_summary_line("${what}" "ON")
+    "\nzkg:               ${INSTALL_ZKG}"
-    else ()
+    "\nSpicy:             ${_spicy}"
-        output_summary_line("${what}" "OFF")
+    "\nSpicy analyzers:   ${USE_SPICY_ANALYZERS}"
-    endif ()
+    "\nJavaScript:        ${ZEEK_HAVE_JAVASCRIPT}"
-endfunction ()
+    "\n"
-
+    "\nlibmaxminddb:      ${USE_GEOIP}"
-message("\n====================|  Zeek Build Summary  |====================\n")
+    "\nKerberos:          ${USE_KRB5}"
-
+    "\ngperftools found:  ${HAVE_PERFTOOLS}"
-output_summary_line("Build type" "${CMAKE_BUILD_TYPE}")
+    "\n  - tcmalloc:      ${USE_PERFTOOLS_TCMALLOC}"
-output_summary_line("Build dir" "${PROJECT_BINARY_DIR}")
+    "\n  - debugging:     ${USE_PERFTOOLS_DEBUG}"
-message("")
+    "\njemalloc:          ${ENABLE_JEMALLOC}"
-
+    "\n"
-output_summary_line("Install prefix" "${CMAKE_INSTALL_PREFIX}")
+    "\nFuzz Targets:      ${ZEEK_ENABLE_FUZZERS}"
-output_summary_line("Config file dir" "${ZEEK_ETC_INSTALL_DIR}")
+    "\nFuzz Engine:       ${ZEEK_FUZZING_ENGINE}"
-output_summary_line("Log dir" "${ZEEK_LOG_DIR}")
+    "${_analyzer_warning}"
-output_summary_line("Plugin dir" "${ZEEK_PLUGIN_DIR}")
+    "\n"
-output_summary_line("Python module dir" "${PY_MOD_INSTALL_DIR}")
+    "\n================================================================\n")
 output_summary_line("Script dir" "${ZEEK_SCRIPT_INSTALL_PATH}")
 output_summary_line("Spool dir" "${ZEEK_SPOOL_DIR}")
 output_summary_line("State dir" "${ZEEK_STATE_DIR}")
 output_summary_line("Spicy modules dir" "${ZEEK_SPICY_MODULE_PATH}")
 message("")
 output_summary_bool("Debug mode" ${ENABLE_DEBUG})
 output_summary_bool("Unit tests" ${ENABLE_ZEEK_UNIT_TESTS})
 message("")
 output_summary_line("Builtin Plugins" "${_zeek_builtin_plugins}")
 message("")
 output_summary_line("CC" "${CMAKE_C_COMPILER}")
 output_summary_line("CFLAGS" "${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS_${BuildType}}")
 output_summary_line("CXX" "${CMAKE_CXX_COMPILER}")
 output_summary_line("CXXFLAGS" "${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${BuildType}}")
 output_summary_line("CPP" "${CMAKE_CXX_COMPILER}")
 message("")
 output_summary_bool("AF_PACKET" ${ZEEK_HAVE_AF_PACKET})
 output_summary_bool("Aux. Tools" ${INSTALL_AUX_TOOLS})
 output_summary_bool("BTest" ${INSTALL_BTEST})
 output_summary_line("BTest tooling" ${_install_btest_tools_msg})
 output_summary_bool("JavaScript" ${ZEEK_HAVE_JAVASCRIPT})
 output_summary_line("Spicy" ${_spicy})
 output_summary_bool("Spicy analyzers" ${USE_SPICY_ANALYZERS})
 output_summary_bool("zeek-client" ${INSTALL_ZEEK_CLIENT})
 output_summary_bool("ZeekControl" ${INSTALL_ZEEKCTL})
 output_summary_bool("zkg" ${INSTALL_ZKG})
 message("")
 output_summary_bool("libmaxminddb" ${USE_GEOIP})
 output_summary_bool("Kerberos" ${USE_KRB5})
 output_summary_bool("gperftools" ${HAVE_PERFTOOLS})
 output_summary_bool("  - tcmalloc" ${USE_PERFTOOLS_TCMALLOC})
 output_summary_bool("  - debugging" ${USE_PERFTOOLS_DEBUG})
 output_summary_bool("jemalloc" ${ENABLE_JEMALLOC})
 message("")
 output_summary_line("Cluster backends")
 output_summary_bool("  - Broker" ON)
 output_summary_bool("  - ZeroMQ" ${ENABLE_CLUSTER_BACKEND_ZEROMQ})
 message("")
 output_summary_line("Storage backends")
 output_summary_bool("  - SQLite" ON)
 output_summary_bool("  - Redis" ${ENABLE_STORAGE_BACKEND_REDIS})
 message("")
 output_summary_bool("Fuzz Targets" ${ZEEK_ENABLE_FUZZERS})
 output_summary_line("Fuzz Engine" "${_zeek_fuzzing_engine}")
 message("")
 output_summary_line("External Tools/Linters")
 output_summary_bool("  - Include What You Use" ${ENABLE_IWYU})
 output_summary_bool("  - Clang-Tidy" ${ENABLE_CLANG_TIDY})
 if (${_analyzer_warning})
    message("${_analyzer_warning}\n")
 endif ()
 message("\n================================================================")
 include(UserChangedWarning)
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -1 +0,0 @@
 Our code of conduct is published at https://zeek.org/community-code-of-conduct/
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,3 +0,0 @@
 Our contribution guide is available at https://github.com/zeek/zeek/wiki/Contribution-Guide.
 More information about contributing is also available at https://docs.zeek.org/en/master/devel/contributors.html.
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-Copyright (c) 1995-now, The Regents of the University of California
+Copyright (c) 1995-2023, The Regents of the University of California
 through the Lawrence Berkeley National Laboratory and the
 International Computer Science Institute. All rights reserved.
--- a/456
+++ b/456
@ -533,6 +533,32 @@ POSSIBILITY OF SUCH DAMAGE.
 ==============================================================================
 %%% auxil/filesystem
 ==============================================================================
 Copyright (c) 2018, Steffen Schümann <s.schuemann@pobox.com>
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 ==============================================================================
 %%% auxil/highwayhash
 ==============================================================================
@ -756,433 +782,3 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 ==============================================================================
 %%% auxil/c-ares
 ==============================================================================
 MIT License
 Copyright (c) 1998 Massachusetts Institute of Technology
 Copyright (c) 2007 - 2023 Daniel Stenberg with many contributors, see AUTHORS
 file.
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in
 the Software without restriction, including without limitation the rights to
 use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 the Software, and to permit persons to whom the Software is furnished to do so,
 subject to the following conditions:
 The above copyright notice and this permission notice (including the next
 paragraph) shall be included in all copies or substantial portions of the
 Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 ==============================================================================
 %%% auxil/expected-lite
 ==============================================================================
 Boost Software License - Version 1.0 - August 17th, 2003
 Permission is hereby granted, free of charge, to any person or organization
 obtaining a copy of the software and accompanying documentation covered by
 this license (the "Software") to use, reproduce, display, distribute,
 execute, and transmit the Software, and to prepare derivative works of the
 Software, and to permit third-parties to whom the Software is furnished to
 do so, all subject to the following:
 The copyright notices in the Software and this entire statement, including
 the above license grant, this restriction and the following disclaimer,
 must be included in all copies of the Software, in whole or in part, and
 all derivative works of the Software, unless such copies or derivative
 works are solely in the form of machine-executable object code generated by
 a source language processor.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT
 SHALL THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE
 FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE,
 ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 DEALINGS IN THE SOFTWARE.
 ==============================================================================
 %%% auxil/out_ptr
 ==============================================================================
                         Copyright ⓒ 2018-2021 ThePhD.
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
 ==============================================================================
 %%% auxil/prometheus-cpp
 ==============================================================================
 MIT License
 Copyright (c) 2016-2021 Jupp Mueller
 Copyright (c) 2017-2022 Gregor Jasny
 And many contributors, see
 https://github.com/jupp0r/prometheus-cpp/graphs/contributors
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 ==============================================================================
 %%% auxil/rapidjson
 ==============================================================================
 Tencent is pleased to support the open source community by making RapidJSON available.
 Copyright (C) 2015 THL A29 Limited, a Tencent company, and Milo Yip.  All rights reserved.
 If you have downloaded a copy of the RapidJSON binary from Tencent, please note that the RapidJSON binary is licensed under the MIT License.
 If you have downloaded a copy of the RapidJSON source code from Tencent, please note that RapidJSON source code is licensed under the MIT License, except for the third-party components listed below which are subject to different license terms.  Your integration of RapidJSON into your own projects may require compliance with the MIT License, as well as the other licenses applicable to the third-party components included within RapidJSON. To avoid the problematic JSON license in your own projects, it's sufficient to exclude the bin/jsonchecker/ directory, as it's the only code under the JSON license.
 A copy of the MIT License is included in this file.
 Other dependencies and licenses:
 Open Source Software Licensed Under the BSD License:
 --------------------------------------------------------------------
 The msinttypes r29
 Copyright (c) 2006-2013 Alexander Chemeris
 All rights reserved.
 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
 * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
 * Neither the name of  copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
 THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS AND CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 Open Source Software Licensed Under the JSON License:
 --------------------------------------------------------------------
 json.org
 Copyright (c) 2002 JSON.org
 All Rights Reserved.
 JSON_checker
 Copyright (c) 2002 JSON.org
 All Rights Reserved.
 Terms of the JSON License:
 ---------------------------------------------------
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 The Software shall be used for Good, not Evil.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 Terms of the MIT License:
 --------------------------------------------------------------------
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 ==============================================================================
 %%% auxil/vcpkg
 ==============================================================================
 MIT License
 Copyright (c) Microsoft Corporation
 Permission is hereby granted, free of charge, to any person obtaining a copy of this
 software and associated documentation files (the "Software"), to deal in the Software
 without restriction, including without limitation the rights to use, copy, modify,
 merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
 permit persons to whom the Software is furnished to do so, subject to the following
 conditions:
 The above copyright notice and this permission notice shall be included in all copies
 or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
 INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
 PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
 HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
 CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
 OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 ==============================================================================
 %%% src/cluster/websocket/auxil/IXWebSocket
 ==============================================================================
 Copyright (c) 2018 Machine Zone, Inc. All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
 met:
 1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the
   distribution.
 3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived
   from this software without specific prior written permission.
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ==============================================================================
 %%% src/cluster/backend/zeromq/auxil/cppzmq
 ==============================================================================
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to
 deal in the Software without restriction, including without limitation the
 rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
 sell copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in
 all copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 IN THE SOFTWARE.
--- a/2
+++ b/2
@ -9,7 +9,7 @@ BUILD=build
 REPO=$$(cd $(CURDIR) && basename $$(git config --get remote.origin.url | sed 's/^[^:]*://g'))
 VERSION_FULL=$(REPO)-$$(cd $(CURDIR) && cat VERSION)
 GITDIR=$$(test -f .git && echo $$(cut -d" " -f2 .git) || echo .git)
-REALPATH=$$($$(realpath --relative-to=$(shell pwd) . >/dev/null 2>&1) && echo 'realpath' || echo 'grealpath')
+REALPATH=$$($$(realpath --relative-to=$(pwd) . >/dev/null 2>&1) && echo 'realpath' || echo 'grealpath')
 all: configured
 	$(MAKE) -C $(BUILD) $@
--- a/1516
+++ b/1516
--- a/2
+++ b/2
@ -3,7 +3,7 @@ The Zeek Network Security Monitor
 =================================
 Zeek is a powerful framework for network traffic analysis and security
-monitoring.
+monitoring. Follow us on Twitter at @zeekurity.
 Key Features
 ============
--- a/README.md
+++ b/README.md
@ -15,15 +15,14 @@ traffic analysis and security monitoring.
 [_Development_](#development) —
 [_License_](#license)
 Follow us on Twitter at [@zeekurity](https://twitter.com/zeekurity).
 [![Coverage Status](https://coveralls.io/repos/github/zeek/zeek/badge.svg?branch=master)](https://coveralls.io/github/zeek/zeek?branch=master)
 [![Build Status](https://img.shields.io/cirrus/github/zeek/zeek)](https://cirrus-ci.com/github/zeek/zeek)
 [![Slack](https://img.shields.io/badge/slack-@zeek-brightgreen.svg?logo=slack)](https://zeek.org/slack)
 [![Discourse](https://img.shields.io/discourse/status?server=https%3A%2F%2Fcommunity.zeek.org)](https://community.zeek.org)
 [![Mastodon](https://img.shields.io/badge/mastodon-@zeek@infosec.exchange-brightgreen.svg?logo=mastodon)](https://infosec.exchange/@zeek)
 [![Bluesky](https://img.shields.io/badge/bluesky-@zeek-brightgreen.svg?logo=bluesky)](https://bsky.app/profile/zeek.org)
 </h4>
@ -52,7 +51,7 @@ Getting Started
 The best place to find information about getting started with Zeek is
 our web site [www.zeek.org](https://www.zeek.org), specifically the
-[documentation](https://docs.zeek.org/en/stable/index.html) section
+[documentation](https://www.zeek.org/documentation/index.html) section
 there. On the web site you can also find downloads for stable
 releases, tutorials on getting Zeek set up, and many other useful
 resources.
@ -105,9 +104,9 @@ you might find
 [these](https://github.com/zeek/zeek/labels/good%20first%20issue)
 to be a good place to get started. More information on Zeek's
 development can be found
-[here](https://docs.zeek.org/en/current/devel/index.html), and information
+[here](https://www.zeek.org/development/index.html), and information
 about its community and mailing lists (which are fairly active) can be
-found [here](https://www.zeek.org/community/).
+found [here](https://www.zeek.org/community/index.html).
 License
 -------
--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,5 +0,0 @@
 # Security Policy
 Zeek's Security Policy is defined on our website at https://zeek.org/security-reporting/
 Our Security Release Process is further clarified at https://github.com/zeek/zeek/wiki/Security-Release-Process
--- a/2
+++ b/2
@ -1 +1 @@
-8.1.0-dev.626
+6.2.0-dev.0
--- a/auxil/bifcl
+++ b/auxil/bifcl
@ -0,0 +1 @@
 Subproject commit c7bf54c587439d3bcb16d53b0d77a702e48d2526
--- a/auxil/binpac
+++ b/auxil/binpac
@ -0,0 +1 @@
 Subproject commit 84b730fdcc5b983c65c6226ec092aee66c486680
--- a/auxil/broker
+++ b/auxil/broker
@ -1 +1 @@
-Subproject commit 06d491943f4bee6c2d1e17a5c7c31836d725273d
+Subproject commit f9af5f0ed2b87e01790fe06a0658cc54f1c32974
--- a/auxil/btest
+++ b/auxil/btest
@ -1 +1 @@
-Subproject commit 8c0fbfd74325b6c9be022a98bcd414b6f103d09e
+Subproject commit 46f982cd6fafd34639c2f97628a57f1457f7e56a
--- a/auxil/c-ares
+++ b/auxil/c-ares
@ -1 +1 @@
-Subproject commit d3a507e920e7af18a5efb7f9f1d8044ed4750013
+Subproject commit 2aa086f822aad5017a6f2061ef656f237a62d0ed
--- a/auxil/expected-lite
+++ b/auxil/expected-lite
@ -1 +0,0 @@
 Subproject commit f339d2f73730f8fee4412f5e4938717866ecef48
--- a/auxil/filesystem
+++ b/auxil/filesystem
@ -0,0 +1 @@
 Subproject commit 72a76d774e4c7c605141fd6d11c33cc211209ed9
--- a/auxil/gen-zam
+++ b/auxil/gen-zam
@ -0,0 +1 @@
 Subproject commit cbba05dbaa58fdabe863f4e8a122ca92809b52d6
--- a/auxil/highwayhash
+++ b/auxil/highwayhash
@ -1 +1 @@
-Subproject commit 5ad3bf8444cfc663b11bf367baaa31f36e7ff7c8
+Subproject commit c13d28517a4db259d738ea4886b1f00352a3cc33
--- a/auxil/libkqueue
+++ b/auxil/libkqueue
@ -1 +1 @@
-Subproject commit ea30540c77679ced3ce7886199384e8743628921
+Subproject commit 10d93cff9fd6c8d8c3e0bae58312aed470843ff8
--- a/auxil/libunistd
+++ b/auxil/libunistd
@ -1 +1 @@
-Subproject commit 7e3670aa1f6ab7623a87ff1e770f7f6b5a1c59f1
+Subproject commit b38e9c8ebff08959a712a5663ba25e0624a3af00
--- a/auxil/package-manager
+++ b/auxil/package-manager
@ -1 +1 @@
-Subproject commit ad301651ad0a7426757f8bc94cfc8e8cd98451a8
+Subproject commit b6149ba03253bbf79dce573d5b2a2a34511b5bd9
--- a/auxil/paraglob
+++ b/auxil/paraglob
@ -1 +1 @@
-Subproject commit 4505c4323283b56ea59935210e105da26ab7bb0b
+Subproject commit 45ce017874aac9ffabac0ddc4d016f1747804234
--- a/auxil/prometheus-cpp
+++ b/auxil/prometheus-cpp
@ -1 +0,0 @@
 Subproject commit ad99e21f4706193670c42b36c9824dc997f4c475
--- a/auxil/rapidjson
+++ b/auxil/rapidjson
@ -1 +1 @@
-Subproject commit 6089180ecb704cb2b136777798fa1be303618975
+Subproject commit 06d58b9e848c650114556a23294d0b6440078c61
--- a/auxil/spicy
+++ b/auxil/spicy
@ -1 +1 @@
-Subproject commit 7635e113080be6fc20cb308636c8c38565c95c8a
+Subproject commit eda2373bdf56914e0d4c56ecdda76cb85d39ea94
--- a/auxil/vcpkg
+++ b/auxil/vcpkg
@ -1 +0,0 @@
 Subproject commit ce613c41372b23b1f51333815feb3edd87ef8a8b
--- a/auxil/zeek-af_packet-plugin
+++ b/auxil/zeek-af_packet-plugin
@ -0,0 +1 @@
 Subproject commit a3fe59b3f1ded5c3461995134b66c6db182fa56f
--- a/auxil/zeek-archiver
+++ b/auxil/zeek-archiver
@ -0,0 +1 @@
 Subproject commit e36862b3a6e70bf8557885e12e74cbc91507a693
--- a/auxil/zeek-aux
+++ b/auxil/zeek-aux
@ -1 +1 @@
-Subproject commit 9a51ce1940a808aaad253077905c2b34f15f1e08
+Subproject commit f9f5dcb5b3808137c2086d9b7415e7e32bb91063
--- a/auxil/zeek-client
+++ b/auxil/zeek-client
@ -1 +1 @@
-Subproject commit 16849ca3ec2f8637e3f8ef8ee27e2c279724387f
+Subproject commit 6c8cb3e1c475424880eae968f812805fdbd95cea
--- a/auxil/zeekctl
+++ b/auxil/zeekctl
@ -1 +1 @@
-Subproject commit 485abcad45daeea6d09680e5fc7d29e97d2e3fbe
+Subproject commit 81e8c48fea6171d49e66e371ae46437c7ee63a74
--- a/auxil/zeekjs
+++ b/auxil/zeekjs
@ -1 +1 @@
-Subproject commit e5985abfffc1ef5ead3a0bab196fa5d86bc5276f
+Subproject commit b3e5de0aa5fb386318709c81eb364e81c696af14
--- a/ci/alpine/Dockerfile
+++ b/ci/alpine/Dockerfile
@ -2,7 +2,7 @@ FROM alpine:latest
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230823
 RUN apk add --no-cache \
  bash \
@ -10,20 +10,16 @@ RUN apk add --no-cache \
  bsd-compat-headers \
  ccache \
  cmake \
  cppzmq \
  curl \
  diffutils \
  dnsmasq \
  flex-dev \
  musl-fts-dev \
  g++ \
  git \
  jq \
  libpcap-dev \
  linux-headers \
  make \
  openssh-client \
  openssl \
  openssl-dev \
  procps \
  py3-pip \
@ -32,4 +28,4 @@ RUN apk add --no-cache \
  swig \
  zlib-dev
-RUN pip3 install --break-system-packages websockets junit2html
+RUN pip3 install websockets junit2html
--- a/ci/centos-7/Dockerfile
+++ b/ci/centos-7/Dockerfile
@ -0,0 +1,68 @@
 FROM centos:7
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
 ENV DOCKERFILE_VERSION 20230807
 ENV FLEX_VERSION=2.6.4
 ENV FLEX_DIR=/opt/flex
 # Disabled lookup of fastest mirror since the list seems to be outdated and no valid mirror can be detected.
 RUN sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
 # The version of git in the standard repos is 1.8 and CI needs 2.3+
 # for the use of GIT_SSH_COMMAND when cloning private repos.
 RUN yum -y install \
    https://repo.ius.io/ius-release-el7.rpm \
    https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm \
  && yum -y install git236 ccache \
  && yum clean all && rm -rf /var/cache/yum
 RUN yum -y install \
    epel-release \
  && yum clean all && rm -rf /var/cache/yum
 RUN yum -y install \
    centos-release-scl \
  && yum clean all && rm -rf /var/cache/yum
 RUN yum -y install \
    devtoolset-8 \
  && yum clean all && rm -rf /var/cache/yum
 RUN yum -y install \
    bison \
    cmake3 \
    curl \
    findutils \
    libpcap-devel \
    make \
    openssl \
    openssl-devel \
    rh-python38 \
    rh-python38-devel \
    rh-python38-python-devel \
    rh-python38-pip \
    sqlite \
    swig \
    which \
    zlib-devel \
  && yum clean all && rm -rf /var/cache/yum
 # Install a recent flex for Spicy.
 RUN curl -sSL "https://github.com/westes/flex/releases/download/v${FLEX_VERSION}/flex-${FLEX_VERSION}.tar.gz" | tar xzf - -C /tmp \
 && (cd /tmp/flex-${FLEX_VERSION} \
     && ./configure --prefix=${FLEX_DIR} \
     && make -j`nproc` install) \
 && rm -rf /tmp/flex-${FLEX_VERSION}
 RUN pip3 install websockets junit2html
 RUN echo 'unset BASH_ENV PROMPT_COMMAND ENV' > /usr/bin/zeek-ci-env && \
    echo 'source /opt/rh/devtoolset-8/enable' >> /usr/bin/zeek-ci-env && \
    echo 'source /opt/rh/rh-python38/enable' >> /usr/bin/zeek-ci-env && \
    echo 'export PATH=${PATH}:${FLEX_DIR}/bin' >> /usr/bin/zeek-ci-env
 ENV BASH_ENV="/usr/bin/zeek-ci-env" \
    ENV="/usr/bin/zeek-ci-env" \
    PROMPT_COMMAND=". /usr/bin/zeek-ci-env"
--- a/ci/centos-stream-10/Dockerfile
+++ b/ci/centos-stream-10/Dockerfile
@ -1,49 +0,0 @@
 FROM quay.io/centos/centos:stream10
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
 ENV DOCKERFILE_VERSION=20250905
 # dnf config-manager isn't available at first, and
 # we need it to install the CRB repo below.
 RUN dnf -y install 'dnf-command(config-manager)'
 # What used to be powertools is now called "CRB".
 # We need it for some of the packages installed below.
 # https://docs.fedoraproject.org/en-US/epel/
 RUN dnf config-manager --set-enabled crb
 RUN dnf -y install \
    https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm
 # The --nobest flag is hopefully temporary. Without it we currently hit
 # package versioning conflicts around OpenSSL.
 RUN dnf -y --nobest install \
    bison \
    ccache \
    cmake \
    cppzmq-devel \
    diffutils \
    flex \
    gcc \
    gcc-c++ \
    git \
    jq \
    libpcap-devel \
    make \
    openssl \
    openssl-devel \
    procps-ng \
    python3 \
    python3-devel \
    python3-pip\
    sqlite \
    swig \
    tar \
    which \
    zlib-devel \
  && dnf clean all && rm -rf /var/cache/dnf
 # Set the crypto policy to allow SHA-1 certificates - which we have in our tests
 RUN dnf -y --nobest install crypto-policies-scripts && update-crypto-policies --set LEGACY
 RUN pip3 install websockets junit2html
--- a/ci/centos-stream-8/Dockerfile
+++ b/ci/centos-stream-8/Dockerfile
@ -0,0 +1,33 @@
 FROM quay.io/centos/centos:stream8
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
 ENV DOCKERFILE_VERSION 20230801
 RUN dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
 RUN dnf config-manager --set-enabled powertools
 RUN dnf -y install \
    bison \
    ccache \
    cmake \
    diffutils \
    flex \
    gcc \
    gcc-c++ \
    git \
    libpcap-devel \
    make \
    openssl \
    openssl-devel \
    procps-ng \
    python38 \
    python38-devel \
    python38-pip\
    sqlite \
    swig \
    which \
    zlib-devel \
  && dnf clean all && rm -rf /var/cache/dnf
 RUN pip3 install websockets junit2html
--- a/ci/centos-stream-9/Dockerfile
+++ b/ci/centos-stream-9/Dockerfile
@ -2,7 +2,7 @@ FROM quay.io/centos/centos:stream9
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230801
 # dnf config-manager isn't available at first, and
 # we need it to install the CRB repo below.
@ -22,21 +22,19 @@ RUN dnf -y --nobest install \
    bison \
    ccache \
    cmake \
    cppzmq-devel \
    diffutils \
    flex \
    gcc \
    gcc-c++ \
    git \
    jq \
    libpcap-devel \
    make \
    openssl \
    openssl-devel \
    procps-ng \
-    python3.13 \
+    python3 \
-    python3.13-devel \
+    python3-devel \
-    python3.13-pip\
+    python3-pip\
    sqlite \
    swig \
    tar \
@ -47,8 +45,4 @@ RUN dnf -y --nobest install \
 # Set the crypto policy to allow SHA-1 certificates - which we have in our tests
 RUN dnf -y --nobest install crypto-policies-scripts && update-crypto-policies --set LEGACY
 # Override the default python3.9 installation paths with 3.13
 RUN alternatives --install /usr/bin/python3 python3 /usr/bin/python3.13 10
 RUN alternatives --install /usr/bin/pip3 pip3 /usr/bin/pip3.13 10
 RUN pip3 install websockets junit2html
--- a/ci/collect-repo-info.py
+++ b/ci/collect-repo-info.py
@ -12,8 +12,8 @@ import argparse
 import copy
 import json
 import logging
 import os
 import pathlib
 import os
 import subprocess
 import sys
@ -38,22 +38,14 @@ def git_available():
 def git_is_repo(d: pathlib.Path):
    try:
-        git(
+        git("-C", str(d), "rev-parse", "--is-inside-work-tree", stderr=subprocess.DEVNULL)
            "-C",
            str(d),
            "rev-parse",
            "--is-inside-work-tree",
            stderr=subprocess.DEVNULL,
        )
        return True
    except subprocess.CalledProcessError:
        return False
 def git_is_dirty(d: pathlib.Path):
-    return (
+    return (len(git("-C", str(d), "status", "--untracked=no", "--short").splitlines()) > 0)
        len(git("-C", str(d), "status", "--untracked=no", "--short").splitlines()) > 0
    )
 def git_generic_info(d: pathlib.Path):
@ -119,9 +111,7 @@ def collect_git_info(zeek_dir: pathlib.Path):
    info["name"] = "zeek"
    info["version"] = (zeek_dir / "VERSION").read_text().strip()
    info["submodules"] = collect_submodule_info(zeek_dir)
-    info["branch"] = git(
+    info["branch"] = git("-C", str(zeek_dir), "rev-parse", "--abbrev-ref", "HEAD").strip()
        "-C", str(zeek_dir), "rev-parse", "--abbrev-ref", "HEAD"
    ).strip()
    info["source"] = "git"
    return info
@ -166,13 +156,14 @@ def main():
        for p in [p.strip() for p in v.split(";") if p.strip()]:
            yield pathlib.Path(p)
-    parser.add_argument(
+    parser.add_argument("included_plugin_dirs",
-        "included_plugin_dirs", default="", nargs="?", type=included_plugin_dir_conv
+                        default="",
-    )
+                        nargs="?",
                        type=included_plugin_dir_conv)
    parser.add_argument("--dir", default=".")
-    parser.add_argument(
+    parser.add_argument("--only-git",
-        "--only-git", action="store_true", help="Do not try repo-info.json fallback"
+                        action="store_true",
-    )
+                        help="Do not try repo-info.json fallback")
    args = parser.parse_args()
    logging.basicConfig(format="%(levelname)s: %(message)s")
@ -219,9 +210,7 @@ def main():
    zkg_provides_info = copy.deepcopy(included_plugins_info)
    # Hardcode the former spicy-plugin so that zkg knows Spicy is available.
-    zkg_provides_info.append(
+    zkg_provides_info.append({"name": "spicy-plugin", "version": info["version"].split("-")[0]})
        {"name": "spicy-plugin", "version": info["version"].split("-")[0]}
    )
    info["zkg"] = {"provides": zkg_provides_info}
    json_str = json.dumps(info, indent=2, sort_keys=True)
--- a/ci/container-images-addl-tags.sh
+++ b/ci/container-images-addl-tags.sh
@ -1,44 +0,0 @@
 #!/bin/bash
 #
 # This script produces output in the form of
 #
 #     $ REMOTE=awelzel ./ci/container-images-addl-tags.sh v7.0.5
 #     ADDITIONAL_MANIFEST_TAGS= lts 7.0 latest
 #
 # This scripts expects visibility to all tags and release branches
 # to work correctly. See the find-current-version.sh for details.
 set -eu
 dir="$(cd "$(dirname "$0")" && pwd)"
 if [ $# -ne 1 ] || [ -z "${1}" ]; then
    echo "Usage: $0 <tag>" >&2
    exit 1
 fi
 TAG="${1}"
 # Find current versions for lts and feature depending on branches and
 # tags in the repo. sed for escaping the dot in the version for using
 # it in the regex below to match against TAG.
 lts_ver=$(${dir}/find-current-version.sh lts)
 lts_pat="^v$(echo $lts_ver | sed 's,\.,\\.,g')\.[0-9]+\$"
 feature_ver=$(${dir}/find-current-version.sh feature)
 feature_pat="^v$(echo $feature_ver | sed 's,\.,\\.,g')\.[0-9]+\$"
 # Construct additional tags for the image. At most this will
 # be "lts x.0 feature" for an lts branch x.0 that is currently
 # also the latest feature branch.
 ADDL_MANIFEST_TAGS=
 if echo "${TAG}" | grep -q -E "${lts_pat}"; then
    ADDL_MANIFEST_TAGS="${ADDL_MANIFEST_TAGS} lts ${lts_ver}"
 fi
 if echo "${TAG}" | grep -q -E "${feature_pat}"; then
    ADDL_MANIFEST_TAGS="${ADDL_MANIFEST_TAGS} latest"
    if [ "${feature_ver}" != "${lts_ver}" ]; then
        ADDL_MANIFEST_TAGS="${ADDL_MANIFEST_TAGS} ${feature_ver}"
    fi
 fi
 echo "ADDITIONAL_MANIFEST_TAGS=${ADDL_MANIFEST_TAGS}"
--- a/ci/debian-10/Dockerfile
+++ b/ci/debian-10/Dockerfile
@ -0,0 +1,42 @@
 FROM debian:10
 ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
 ENV DOCKERFILE_VERSION 20230801
 ENV CMAKE_DIR "/opt/cmake"
 ENV CMAKE_VERSION "3.19.1"
 ENV PATH "${CMAKE_DIR}/bin:${PATH}"
 RUN apt-get update && apt-get -y install \
    bison \
    bsdmainutils \
    ccache \
    curl \
    flex \
    g++ \
    gcc \
    git \
    libkrb5-dev \
    libpcap-dev \
    libssl-dev \
    make \
    procps \
    python3 \
    python3-dev \
    python3-pip\
    sqlite3 \
    swig \
    wget \
    xz-utils \
    zlib1g-dev \
  && apt autoclean \
  && rm -rf /var/lib/apt/lists/*
 # Install a recent CMake to build Spicy.
 RUN mkdir -p "${CMAKE_DIR}" \
  && curl -sSL "https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}-Linux-x86_64.tar.gz" | tar xzf - -C "${CMAKE_DIR}" --strip-components 1
 RUN pip3 install websockets junit2html
--- a/ci/debian-11/Dockerfile
+++ b/ci/debian-11/Dockerfile
@ -0,0 +1,36 @@
 FROM debian:11
 ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
 ENV DOCKERFILE_VERSION 20230801
 RUN apt-get update && apt-get -y install \
    bison \
    bsdmainutils \
    ccache \
    cmake \
    curl \
    flex \
    g++ \
    gcc \
    git \
    libkrb5-dev \
    libnode-dev \
    libpcap-dev \
    libssl-dev \
    libuv1-dev \
    make \
    python3 \
    python3-dev \
    python3-pip\
    sqlite3 \
    swig \
    wget \
    xz-utils \
    zlib1g-dev \
  && apt autoclean \
  && rm -rf /var/lib/apt/lists/*
 RUN pip3 install websockets junit2html
--- a/ci/debian-12/Dockerfile
+++ b/ci/debian-12/Dockerfile
@ -4,32 +4,28 @@ ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230801
 RUN apt-get update && apt-get -y install \
    bison \
    bsdmainutils \
    ccache \
    cmake \
    cppzmq-dev \
    curl \
    dnsmasq \
    flex \
    g++ \
    gcc \
    git \
    jq \
    libkrb5-dev \
    libnats-dev \
    libnode-dev \
    libpcap-dev \
    librdkafka-dev \
    libssl-dev \
    libuv1-dev \
    make \
    python3 \
    python3-dev \
    python3-pip\
    python3-websockets \
    sqlite3 \
    swig \
    wget \
@ -40,4 +36,4 @@ RUN apt-get update && apt-get -y install \
 # Debian bookworm really doesn't like using pip to install system wide stuff, but
 # doesn't seem there's a python3-junit2html package, so not sure what we'd break.
-RUN pip3 install --break-system-packages websockets junit2html
+RUN pip3 install --break-system-packages junit2html
--- a/ci/fedora-37/Dockerfile
+++ b/ci/fedora-37/Dockerfile
@ -1,21 +1,19 @@
-FROM fedora:41
+FROM fedora:37
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230801
 RUN dnf -y install \
    bison \
    ccache \
    cmake \
    cppzmq-devel \
    diffutils \
    findutils \
    flex \
    gcc \
    gcc-c++ \
    git \
    jq \
    libpcap-devel \
    make \
    nodejs-devel \
@ -29,7 +27,6 @@ RUN dnf -y install \
    swig \
    which \
    zlib-devel \
    crypto-policies-scripts \
  && dnf clean all && rm -rf /var/cache/dnf
 RUN pip3 install websockets junit2html
--- a/ci/fedora-38/Dockerfile
+++ b/ci/fedora-38/Dockerfile
@ -1,22 +1,19 @@
-FROM fedora:42
+FROM fedora:38
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230801
 RUN dnf -y install \
    bison \
    ccache \
    cmake \
    cppzmq-devel \
    diffutils \
    findutils \
    flex \
    gawk \
    gcc \
    gcc-c++ \
    git \
    jq \
    libpcap-devel \
    make \
    nodejs-devel \
@ -30,7 +27,6 @@ RUN dnf -y install \
    swig \
    which \
    zlib-devel \
    crypto-policies-scripts \
  && dnf clean all && rm -rf /var/cache/dnf
 RUN pip3 install websockets junit2html
--- a/ci/fedora-38/Dockerfile~
+++ b/ci/fedora-38/Dockerfile~
@ -0,0 +1,31 @@
 FROM fedora:36
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
 ENV DOCKERFILE_VERSION 20220614
 RUN dnf -y install \
    bison \
    ccache \
    cmake \
    diffutils \
    findutils \
    flex \
    gcc \
    gcc-c++ \
    git \
    libpcap-devel \
    make \
    openssl \
    openssl-devel \
    procps-ng \
    python3 \
    python3-devel \
    python3-pip\
    sqlite \
    swig \
    which \
    zlib-devel \
  && dnf clean all && rm -rf /var/cache/dnf
 RUN pip3 install websockets junit2html
--- a/ci/freebsd/prepare.sh
+++ b/ci/freebsd/prepare.sh
@ -6,7 +6,7 @@ set -e
 set -x
 env ASSUME_ALWAYS_YES=YES pkg bootstrap
-pkg install -y bash cppzmq git cmake swig bison python3 base64 flex ccache jq dnsmasq krb5
+pkg install -y bash git cmake swig bison python3 base64 flex ccache
 pkg upgrade -y curl
 pyver=$(python3 -c 'import sys; print(f"py{sys.version_info[0]}{sys.version_info[1]}")')
 pkg install -y $pyver-sqlite3
@ -17,6 +17,3 @@ python -m pip install websockets junit2html
 # Spicy detects whether it is run from build directory via `/proc`.
 echo "proc /proc procfs rw,noauto 0 0" >>/etc/fstab
 mount /proc
 # dnsmasq is in /usr/local/sbin and that's not in the PATH by default
 ln -s /usr/local/sbin/dnsmasq /usr/local/bin/dnsmasq
--- a/ci/init-external-repos.sh
+++ b/ci/init-external-repos.sh
@ -51,9 +51,9 @@ if [[ -n "${CIRRUS_CI}" ]] && [[ "${CIRRUS_REPO_OWNER}" == "zeek" ]] && [[ ! -d
    banner "Trying to clone zeek-testing-private git repo"
    echo "${ZEEK_TESTING_PRIVATE_SSH_KEY}" >cirrus_key.b64
-    if [[ "${CIRRUS_TASK_NAME}" =~ ^macos_ ]]; then
+    if [ "${CIRRUS_TASK_NAME}" == "macos_ventura" ]; then
-        # The base64 command provided with macOS requires an argument
+        # The base64 command provided with macOS Ventura requires an argument
-        # to pass the input filename, while -i elsewhere is "ignore garbage".
+        # to pass the input filename
        base64 -d -i cirrus_key.b64 >cirrus_key
    else
        base64 -d cirrus_key.b64 >cirrus_key
--- a/ci/license-header.py
+++ b/ci/license-header.py
@ -1,33 +0,0 @@
 #!/usr/bin/env python3
 import re
 import sys
 exit_code = 0
 copyright_pat = re.compile(
    r"See the file \"COPYING\" in the main distribution directory for copyright."
 )
 def match_line(line):
    m = copyright_pat.search(line)
    if m is not None:
        return True
    return False
 for f in sys.argv[1:]:
    has_license_header = False
    with open(f) as fp:
        for line in fp:
            line = line.strip()
            if has_license_header := match_line(line):
                break
    if not has_license_header:
        print(f"{f}:does not seem to contain a license header", file=sys.stderr)
        exit_code = 1
 sys.exit(exit_code)
--- a/ci/macos/prepare.sh
+++ b/ci/macos/prepare.sh
@ -7,9 +7,13 @@ set -x
 brew update
 brew upgrade cmake
-brew install cppzmq openssl@3 python@3 swig bison flex ccache libmaxminddb dnsmasq krb5
+brew install openssl@3 swig bison flex ccache
 python3 -m pip install --user websockets
-which python3
+# Brew doesn't create the /opt/homebrew/opt/openssl symlink if you install
-python3 --version
+# openssl@1.1, only with 3.0. Create the symlink if it doesn't exist.
-
+#if [ ! -e /opt/homebrew/opt/openssl ]; then
-python3 -m pip install --user --break-system-packages websockets
+#    if [ -d /opt/homebrew/opt/openssl@1.1 ]; then
 #        ln -s /opt/homebrew/opt/openssl@1.1 /opt/homebrew/opt/openssl
 #    fi
 #fi
--- a/ci/opensuse-leap-15.4/Dockerfile
+++ b/ci/opensuse-leap-15.4/Dockerfile
@ -0,0 +1,38 @@
 FROM opensuse/leap:15.4
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
 ENV DOCKERFILE_VERSION 20230801
 RUN zypper addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.4:Update/standard/openSUSE:Leap:15.4:Update.repo \
 && zypper refresh \
 && zypper in -y \
    bison \
    ccache \
    cmake \
    curl \
    flex \
    gcc10 \
    gcc10-c++ \
    git \
    gzip \
    libopenssl-devel \
    libpcap-devel \
    make \
    python39 \
    python39-devel \
    python39-pip \
    swig \
    tar \
    which \
    zlib-devel \
  && rm -rf /var/cache/zypp
 RUN update-alternatives --install /usr/bin/pip3 pip3 /usr/bin/pip3.9 100
 RUN update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 100
 RUN update-alternatives --install /usr/bin/python3-config python3-config /usr/bin/python3.9-config 100
 RUN pip3 install websockets junit2html
 RUN update-alternatives --install /usr/bin/cc cc /usr/bin/gcc-10 100
 RUN update-alternatives --install /usr/bin/c++ c++ /usr/bin/g++-10 100
--- a/ci/opensuse-leap-15.5/Dockerfile
+++ b/ci/opensuse-leap-15.5/Dockerfile
@ -1,41 +1,36 @@
-FROM opensuse/leap:15.6
+FROM opensuse/leap:15.5
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230905
-RUN zypper addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.6:Update/standard/openSUSE:Leap:15.6:Update.repo \
+RUN zypper addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.5:Update/standard/openSUSE:Leap:15.5:Update.repo \
 && zypper refresh \
 && zypper in -y \
    bison \
    ccache \
    cmake \
    cppzmq-devel \
    curl \
    dnsmasq \
    flex \
    gcc12 \
    gcc12-c++ \
    git \
    gzip \
    jq \
    libopenssl-devel \
    libpcap-devel \
    make \
-    openssh \
+    python311 \
-    procps \
+    python311-devel \
-    python312 \
+    python311-pip \
    python312-devel \
    python312-pip \
    swig \
    tar \
    which \
    zlib-devel \
  && rm -rf /var/cache/zypp
-RUN update-alternatives --install /usr/bin/pip3 pip3 /usr/bin/pip3.12 100
+RUN update-alternatives --install /usr/bin/pip3 pip3 /usr/bin/pip3.11 100
-RUN update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.12 100
+RUN update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.11 100
-RUN update-alternatives --install /usr/bin/python3-config python3-config /usr/bin/python3.12-config 100
+RUN update-alternatives --install /usr/bin/python3-config python3-config /usr/bin/python3.11-config 100
 RUN pip3 install websockets junit2html
--- a/ci/opensuse-tumbleweed/Dockerfile
+++ b/ci/opensuse-tumbleweed/Dockerfile
@ -2,7 +2,7 @@ FROM opensuse/tumbleweed
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230801
 # Remove the repo-openh264 repository, it caused intermittent issues
 # and we should not be needing any packages from it.
@ -10,25 +10,20 @@ RUN zypper modifyrepo --disable repo-openh264 || true
 RUN zypper refresh \
 && zypper in -y \
    awk \
    bison \
    ccache \
    cmake \
    cppzmq-devel \
    curl \
    diffutils \
    dnsmasq \
    findutils \
    flex \
    gcc \
    gcc-c++ \
    git \
    gzip \
    jq \
    libopenssl-devel \
    libpcap-devel \
    make \
    openssh \
    python3 \
    python3-devel \
    python3-pip \
@ -39,4 +34,4 @@ RUN zypper refresh \
    zlib-devel \
  && rm -rf /var/cache/zypp
-RUN pip3 install --break-system-packages websockets junit2html
+RUN pip3 install websockets junit2html
--- a/ci/opensuse-tumbleweed/prepare-weekly.sh
+++ b/ci/opensuse-tumbleweed/prepare-weekly.sh
@ -1,27 +0,0 @@
 #!/bin/sh
 zypper refresh
 zypper patch -y --with-update --with-optional
 LATEST_VERSION=$(zypper search -n ${ZEEK_CI_COMPILER} |
    awk -F "|" "match(\$2, / ${ZEEK_CI_COMPILER}([0-9]{2})[^-]/, a) {print a[1]}" |
    sort | tail -1)
 echo "Installing ${ZEEK_CI_COMPILER} ${LATEST_VERSION}"
 zypper install -y "${ZEEK_CI_COMPILER}${LATEST_VERSION}"
 if [ "${ZEEK_CI_COMPILER}" == "gcc" ]; then
    zypper install -y "${ZEEK_CI_COMPILER}${LATEST_VERSION}-c++"
 fi
 update-alternatives --install /usr/bin/cc cc "/usr/bin/${ZEEK_CI_COMPILER}-${LATEST_VERSION}" 100
 update-alternatives --set cc "/usr/bin/${ZEEK_CI_COMPILER}-${LATEST_VERSION}"
 if [ "${ZEEK_CI_COMPILER}" == "gcc" ]; then
    update-alternatives --install /usr/bin/c++ c++ "/usr/bin/g++-${LATEST_VERSION}" 100
    update-alternatives --set c++ "/usr/bin/g++-${LATEST_VERSION}"
 else
    update-alternatives --install /usr/bin/c++ c++ "/usr/bin/clang++-${LATEST_VERSION}" 100
    update-alternatives --set c++ "/usr/bin/clang++-${LATEST_VERSION}"
 fi
--- a/ci/test.sh
+++ b/ci/test.sh
@ -7,13 +7,6 @@
 result=0
 BTEST=$(pwd)/auxil/btest/btest
 # Due to issues with DNS lookups on macOS, one of the Cirrus support people recommended we
 # run our tests as root. See https://github.com/cirruslabs/cirrus-ci-docs/issues/1302 for
 # more details.
 if [[ "${CIRRUS_OS}" == "darwin" ]]; then
    BTEST="sudo ${BTEST}"
 fi
 if [[ -z "${CIRRUS_CI}" ]]; then
    # Set default values to use in place of env. variables set by Cirrus CI.
    ZEEK_CI_CPUS=1
@ -47,15 +40,10 @@ function banner {
 }
 function run_unit_tests {
    if [[ ${ZEEK_CI_SKIP_UNIT_TESTS} -eq 1 ]]; then
        printf "Skipping unit tests as requested by task configuration\n\n"
        return 0
    fi
    banner "Running unit tests"
    pushd build
-    (. ./zeek-path-dev.sh && TZ=UTC zeek --test --no-skip) || result=1
+    (. ./zeek-path-dev.sh && zeek --test --no-skip) || result=1
    popd
    return 0
 }
@ -71,8 +59,14 @@ function run_btests {
    pushd testing/btest
-    ZEEK_PROFILER_FILE=$(pwd)/.tmp/script-coverage/XXXXXX \
+    # Commenting out this line in btest.cfg causes the script profiling/coverage
-        ${BTEST} -z ${ZEEK_CI_BTEST_RETRIES} -d -A -x btest-results.xml -j ${ZEEK_CI_BTEST_JOBS} ${ZEEK_CI_BTEST_EXTRA_ARGS} || result=1
+    # to be disabled. We do this for the sanitizer build right now because of a
    # fairly significant performance bug when running tests.
    if [ "${ZEEK_CI_DISABLE_SCRIPT_PROFILING}" = "1" ]; then
        sed -i 's/^ZEEK_PROFILER_FILE/#ZEEK_PROFILER_FILE/g' btest.cfg
    fi
    ${BTEST} -z ${ZEEK_CI_BTEST_RETRIES} -d -A -x btest-results.xml -j ${ZEEK_CI_BTEST_JOBS} || result=1
    make coverage
    prep_artifacts
    popd
@ -80,16 +74,19 @@ function run_btests {
 }
 function run_external_btests {
-    if [[ ${ZEEK_CI_SKIP_EXTERNAL_BTESTS} -eq 1 ]]; then
+    # Commenting out this line in btest.cfg causes the script profiling/coverage
-        printf "Skipping external tests as requested by task configuration\n\n"
+    # to be disabled. We do this for the sanitizer build right now because of a
-        return 0
+    # fairly significant performance bug when running tests.
    if [ "${ZEEK_CI_DISABLE_SCRIPT_PROFILING}" = "1" ]; then
        pushd testing/external
        sed -i 's/^ZEEK_PROFILER_FILE/#ZEEK_PROFILER_FILE/g' subdir-btest.cfg
        popd
    fi
    local zeek_testing_pid=""
    local zeek_testing_pid_private=""
    pushd testing/external/zeek-testing
-    ZEEK_PROFILER_FILE=$(pwd)/.tmp/script-coverage/XXXXXX \
+    ${BTEST} -d -A -x btest-results.xml -j ${ZEEK_CI_BTEST_JOBS} >btest.out 2>&1 &
        ${BTEST} -d -A -x btest-results.xml -j ${ZEEK_CI_BTEST_JOBS} ${ZEEK_CI_BTEST_EXTRA_ARGS} >btest.out 2>&1 &
    zeek_testing_pid=$!
    popd
@ -97,7 +94,6 @@ function run_external_btests {
        pushd testing/external/zeek-testing-private
        # Note that we don't use btest's "-d" flag or generate/upload any
        # artifacts to prevent leaking information about the private pcaps.
        ZEEK_PROFILER_FILE=$(pwd)/.tmp/script-coverage/XXXXXX \
        ${BTEST} -A -j ${ZEEK_CI_BTEST_JOBS} >btest.out 2>&1 &
        zeek_testing_private_pid=$!
        popd
--- a/ci/tsan_suppressions.txt
+++ b/ci/tsan_suppressions.txt
@ -42,20 +42,3 @@ race:zeek::threading::InputMessage<zeek::threading::MsgThread>::Object
 mutex:zeek::threading::Queue<zeek::threading::BasicInputMessage*>::Put
 mutex:zeek::threading::Queue<zeek::threading::BasicInputMessage*>::LocksForAllQueues
 deadlock:zeek::threading::Queue<zeek::threading::BasicInputMessage*>::LocksForAllQueues
 # This only happens at shutdown. It was supposedly fixed in civetweb, but has cropped
 # up again. See https://github.com/civetweb/civetweb/issues/861 for details.
 race:mg_stop
 # Uninstrumented library.
 #
 # We'd need to build zmq with TSAN enabled, without it reports data races
 # as it doesn't see the synchronization done [1], but also there's reports
 # that ZeroMQ uses non-standard synchronization that may be difficult for
 # TSAN to see.
 #
 # [1] https://groups.google.com/g/thread-sanitizer/c/7UZqM02yMYg/m/KlHOv2ckr9sJ
 # [2] https://github.com/zeromq/libzmq/issues/3919
 #
 called_from_lib:libzmq.so.5
 called_from_lib:libzmq.so
--- a/ci/ubuntu-20.04/Dockerfile
+++ b/ci/ubuntu-20.04/Dockerfile
@ -1,27 +1,22 @@
-FROM ubuntu:25.04
+FROM ubuntu:20.04
 ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230801
 RUN apt-get update && apt-get -y install \
    bc \
    bison \
    bsdmainutils \
    ccache \
    clang-18 \
    clang++-18 \
    cmake \
    cppzmq-dev \
    curl \
    dnsmasq \
    flex \
    g++ \
    gcc \
    git \
    jq \
    lcov \
    libkrb5-dev \
    libmaxminddb-dev \
@ -37,10 +32,8 @@ RUN apt-get update && apt-get -y install \
    unzip \
    wget \
    zlib1g-dev \
    libc++-dev \
    libc++abi-dev \
  && apt autoclean \
  && rm -rf /var/lib/apt/lists/*
-RUN pip3 install --break-system-packages websockets junit2html
+RUN pip3 install websockets junit2html
 RUN gem install coveralls-lcov
--- a/ci/ubuntu-22.04/Dockerfile
+++ b/ci/ubuntu-22.04/Dockerfile
@ -4,7 +4,7 @@ ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230801
 RUN apt-get update && apt-get -y install \
    bc \
@ -17,13 +17,11 @@ RUN apt-get update && apt-get -y install \
    g++ \
    gcc \
    git \
    jq \
    lcov \
    libkrb5-dev \
    libmaxminddb-dev \
    libpcap-dev \
    libssl-dev \
    libzmq3-dev \
    make \
    python3 \
    python3-dev \
--- a/ci/ubuntu-23.04/Dockerfile
+++ b/ci/ubuntu-23.04/Dockerfile
@ -1,44 +1,38 @@
-FROM debian:13
+FROM ubuntu:23.04
 ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230828
 RUN apt-get update && apt-get -y install \
    bc \
    bison \
    bsdmainutils \
    ccache \
    cmake \
    cppzmq-dev \
    curl \
    dnsmasq \
    flex \
    g++ \
    gcc \
    git \
    jq \
    libkrb5-dev \
-    libnats-dev \
+    libmaxminddb-dev \
    libnode-dev \
    libpcap-dev \
    librdkafka-dev \
    libssl-dev \
    libuv1-dev \
    make \
    python3 \
    python3-dev \
    python3-pip \
    python3-websockets \
    ruby \
    sqlite3 \
    swig \
    unzip \
    wget \
    xz-utils \
    zlib1g-dev \
  && apt autoclean \
  && rm -rf /var/lib/apt/lists/*
 # Debian trixie really doesn't like using pip to install system wide stuff, but
 # doesn't seem there's a python3-junit2html package, so not sure what we'd break.
 RUN pip3 install --break-system-packages junit2html
--- a/ci/ubuntu-24.04/Dockerfile
+++ b/ci/ubuntu-24.04/Dockerfile
@ -1,77 +0,0 @@
 FROM ubuntu:24.04
 ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
 ENV DOCKERFILE_VERSION=20250905
 RUN apt-get update && apt-get -y install \
    bc \
    bison \
    bsdmainutils \
    ccache \
    clang-19 \
    clang++-19 \
    clang-tidy-19 \
    cmake \
    cppzmq-dev \
    curl \
    dnsmasq \
    flex \
    g++ \
    gcc \
    git \
    jq \
    lcov \
    libkrb5-dev \
    libhiredis-dev \
    libmaxminddb-dev \
    libpcap-dev \
    libssl-dev \
    make \
    python3 \
    python3-dev \
    python3-git \
    python3-pip \
    python3-semantic-version \
    redis-server \
    ruby \
    sqlite3 \
    swig \
    unzip \
    wget \
    zlib1g-dev \
    libc++-dev \
    libc++abi-dev \
  && apt autoclean \
  && rm -rf /var/lib/apt/lists/*
 RUN pip3 install --break-system-packages websockets junit2html
 RUN gem install coveralls-lcov
 # Ubuntu installs clang versions with the binaries having the version number
 # appended. Create a symlink for clang-tidy so cmake finds it correctly.
 RUN update-alternatives --install /usr/bin/clang-tidy clang-tidy /usr/bin/clang-tidy-19 1000
 # Download a newer pre-built ccache version that recognizes -fprofile-update=atomic
 # which is used when building with --coverage.
 #
 # This extracts the tarball into /opt/ccache-<version>-<platform> and
 # symlinks the executable to /usr/local/bin/ccache.
 #
 # See: https://ccache.dev/download.html
 ENV CCACHE_VERSION=4.10.2
 ENV CCACHE_PLATFORM=linux-x86_64
 ENV CCACHE_URL=https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-${CCACHE_PLATFORM}.tar.xz
 ENV CCACHE_SHA256=80cab87bd510eca796467aee8e663c398239e0df1c4800a0b5dff11dca0b4f18
 RUN cd /opt \
    && if [ "$(uname -p)" != "x86_64" ]; then echo "cannot use ccache pre-built for x86_64!" >&2; exit 1 ; fi \
    && curl -L --fail --max-time 30 $CCACHE_URL -o ccache.tar.xz \
    && sha256sum ./ccache.tar.xz >&2 \
    && echo "${CCACHE_SHA256} ccache.tar.xz" | sha256sum -c - \
    && tar xvf ./ccache.tar.xz \
    && ln -s $(pwd)/ccache-${CCACHE_VERSION}-${CCACHE_PLATFORM}/ccache /usr/local/bin/ccache \
    && test "$(command -v ccache)" = "/usr/local/bin/ccache" \
    && test "$(ccache --print-version)" = "${CCACHE_VERSION}" \
    && rm ./ccache.tar.xz
--- a/ci/update-zeekygen-docs.sh
+++ b/ci/update-zeekygen-docs.sh
@ -28,7 +28,7 @@ cd $build_dir
 export ZEEK_SEED_FILE=$source_dir/testing/btest/random.seed
 function run_zeek {
-    ZEEK_ALLOW_INIT_ERRORS=1 zeek -X $conf_file zeekygen
+    ZEEK_ALLOW_INIT_ERRORS=1 zeek -X $conf_file zeekygen >/dev/null
    if [ $? -ne 0 ]; then
        echo "Failed running zeek with zeekygen config file $conf_file" >&2
--- a/ci/upload-coverage.sh
+++ b/ci/upload-coverage.sh
@ -11,6 +11,11 @@ if [ "${CIRRUS_REPO_FULL_NAME}" != "zeek/zeek" ]; then
    exit 0
 fi
 if [ "${CIRRUS_BRANCH}" != "master" ]; then
    echo "Coverage upload skipped for non-master branches"
    exit 0
 fi
 cd testing/coverage
 make coverage
 make coveralls
--- a/ci/windows/Dockerfile
+++ b/ci/windows/Dockerfile
@ -5,7 +5,7 @@ SHELL [ "powershell" ]
 # A version field to invalidatea Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION=20250905
+ENV DOCKERFILE_VERSION 20230801
 RUN Set-ExecutionPolicy Unrestricted -Force
@ -14,13 +14,15 @@ RUN [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePoin
    iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
 # Install prerequisites
-RUN choco install -y --no-progress visualstudio2022buildtools --version=117.14.1
+RUN choco install -y --no-progress visualstudio2019buildtools --version=16.11.11.0
-RUN choco install -y --no-progress visualstudio2022-workload-vctools --version=1.0.0 --package-parameters '--add Microsoft.VisualStudio.Component.VC.ATLMFC'
+RUN choco install -y --no-progress visualstudio2019-workload-vctools --version=1.0.0 --package-parameters '--add Microsoft.VisualStudio.Component.VC.ATLMFC'
 # Pin conan to 1.58.0 until conan.cmake is updated to support 2.0
 RUN choco install -y --no-progress conan --version=1.58.0
 RUN choco install -y --no-progress sed
 RUN choco install -y --no-progress winflexbison3
 RUN choco install -y --no-progress msysgit
 RUN choco install -y --no-progress python
-RUN choco install -y --no-progress openssl --version=3.1.1
+RUN choco install -y --no-progress openssl
 # Set working environment.
 SHELL [ "cmd", "/c" ]
@ -30,4 +32,4 @@ RUN mkdir C:\build
 WORKDIR C:\build
 # This entry point starts the developer command prompt and launches the PowerShell shell.
-ENTRYPOINT ["C:\\Program Files (x86)\\Microsoft Visual Studio\\2022\\BuildTools\\Common7\\Tools\\VsDevCmd.bat", "-arch=x64", "&&", "powershell.exe", "-NoLogo", "-ExecutionPolicy", "Unrestricted"]
+ENTRYPOINT ["C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\BuildTools\\Common7\\Tools\\VsDevCmd.bat", "-arch=x64", "&&", "powershell.exe", "-NoLogo", "-ExecutionPolicy", "Unrestricted"]
--- a/ci/windows/build.cmd
+++ b/ci/windows/build.cmd
@ -2,10 +2,10 @@
 :: cmd current shell. This path is hard coded to the one on the CI image, but
 :: can be adjusted if running builds locally. Unfortunately, the initial path
 :: isn't in the environment so we have to hardcode the whole path.
-call "c:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Auxiliary\Build\vcvarsall.bat" x86_amd64
+call "c:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Auxiliary\Build\vcvarsall.bat" x86_amd64
 mkdir build
 cd build
-cmake.exe .. -DCMAKE_BUILD_TYPE=release -DVCPKG_TARGET_TRIPLET="x64-windows-static" -DENABLE_ZEEK_UNIT_TESTS=yes -G Ninja
+cmake.exe .. -DCMAKE_BUILD_TYPE=release -DENABLE_ZEEK_UNIT_TESTS=yes -G Ninja
 cmake.exe --build .
--- a/ci/windows/conanfile_windows.txt
+++ b/ci/windows/conanfile_windows.txt
@ -0,0 +1,8 @@
 [requires]
 zlib/1.2.11
 libpcap/1.10.1
 c-ares/1.18.1
 [generators]
 cmake_find_package
 cmake
--- a/ci/windows/test.cmd
+++ b/ci/windows/test.cmd
@ -1,5 +1,5 @@
 :: See build.cmd for documentation on this call.
-call "c:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Auxiliary\Build\vcvarsall.bat" x86_amd64
+call "c:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Auxiliary\Build\vcvarsall.bat" x86_amd64
 cd build
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit d51c6990446cf70cb9c01bca17dad171a1db05d3
+Subproject commit cc923365ead6b827354e70d4a03d531fe3f5e9d3
--- a/cmake_templates/hilti-cxx-include-dirs.in
+++ b/cmake_templates/hilti-cxx-include-dirs.in
@ -15,6 +15,6 @@ PATHS=$PATHS:@CMAKE_BINARY_DIR@/src
 PATHS=$PATHS:@CMAKE_BINARY_DIR@/src/include
 PATHS=$PATHS:@CMAKE_SOURCE_DIR@/src
 PATHS=$PATHS:@CMAKE_SOURCE_DIR@/src/include
-PATHS=$PATHS:@CMAKE_SOURCE_DIR@/auxil/broker/libbroker
+PATHS=$PATHS:@CMAKE_SOURCE_DIR@/auxil/broker/include/
 echo $PATHS
--- a/cmake_templates/zeek-config-paths.h.in
+++ b/cmake_templates/zeek-config-paths.h.in
@ -2,9 +2,10 @@
 #pragma once
-constexpr char ZEEK_SCRIPT_INSTALL_PATH[] = "@ZEEK_SCRIPT_INSTALL_PATH@";
+#define ZEEK_SCRIPT_INSTALL_PATH "@ZEEK_SCRIPT_INSTALL_PATH@"
-constexpr char ZEEK_PLUGIN_INSTALL_PATH[] = "@ZEEK_PLUGIN_DIR@";
+#define BRO_PLUGIN_INSTALL_PATH "@ZEEK_PLUGIN_DIR@"
-constexpr char DEFAULT_ZEEKPATH[] = "@DEFAULT_ZEEKPATH@";
+#define ZEEK_PLUGIN_INSTALL_PATH "@ZEEK_PLUGIN_DIR@"
-constexpr char ZEEK_SPICY_MODULE_PATH[] = "@ZEEK_SPICY_MODULE_PATH@";
+#define DEFAULT_ZEEKPATH "@DEFAULT_ZEEKPATH@"
-constexpr char ZEEK_SPICY_LIBRARY_PATH[] = "@ZEEK_SPICY_LIBRARY_PATH@";
+#define ZEEK_SPICY_MODULE_PATH "@ZEEK_SPICY_MODULE_PATH@"
-constexpr char ZEEK_SPICY_DATA_PATH[] = "@ZEEK_SPICY_DATA_PATH@";
+#define ZEEK_SPICY_LIBRARY_PATH "@ZEEK_SPICY_LIBRARY_PATH@"
 #define ZEEK_SPICY_DATA_PATH "@ZEEK_SPICY_DATA_PATH@"
--- a/cmake_templates/zeek-config.h.in
+++ b/cmake_templates/zeek-config.h.in
@ -1,6 +1,4 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 // NOLINTBEGIN(modernize-macro-to-enum)
 // NOLINTBEGIN(cppcoreguidelines-macro-usage)
 #pragma once
@ -243,12 +241,6 @@
 /* Spicy analyzers built in. */
 #cmakedefine01 USE_SPICY_ANALYZERS
 /* Enable/disable ZAM profiling capability */
 #cmakedefine ENABLE_ZAM_PROFILE
 /* Enable/disable the Spicy SSL analyzer */
 #cmakedefine ENABLE_SPICY_SSL
 /* String with host architecture (e.g., "linux-x86_64") */
 #define HOST_ARCHITECTURE "@HOST_ARCHITECTURE@"
@ -308,6 +300,3 @@
 /* compiled with Spicy support */
 #cmakedefine HAVE_SPICY
 // NOLINTEND(cppcoreguidelines-macro-usage)
 // NOLINTEND(modernize-macro-to-enum)
--- a/cmake_templates/zeek-config.in
+++ b/cmake_templates/zeek-config.in
@ -6,9 +6,6 @@ btest_tools_dir="@ZEEK_CONFIG_BTEST_TOOLS_DIR@"
 build_type="@CMAKE_BUILD_TYPE_LOWER@"
 cmake_dir="@ZEEK_CMAKE_CONFIG_DIR@"
 config_dir="@ZEEK_ETC_INSTALL_DIR@"
 have_af_packet="@ZEEK_HAVE_AF_PACKET@"
 have_geoip="@USE_GEOIP@"
 have_javascript="@ZEEK_HAVE_JAVASCRIPT@"
 have_spicy="@USE_SPICY_ANALYZERS@"
 include_dir="@CMAKE_INSTALL_PREFIX@/include"
 lib_dir="@CMAKE_INSTALL_FULL_LIBDIR@"
@ -17,22 +14,10 @@ prefix="@CMAKE_INSTALL_PREFIX@"
 python_dir="@PY_MOD_INSTALL_DIR@"
 script_dir="@ZEEK_SCRIPT_INSTALL_PATH@"
 site_dir="@ZEEK_SCRIPT_INSTALL_PATH@/site"
-version="@ZEEK_VERSION_FULL_LOCAL@"
+version="@ZEEK_VERSION_FULL@"
 zeek_dist="@ZEEK_DIST@"
 zeekpath="@DEFAULT_ZEEKPATH@"
 report_feature() {
    # $1: cmake feature flag value
    input=$(echo "$1" | tr '[:lower:]' '[:upper:]')
    if [ "$input" = "1" ] || [ "$input" = "ON" ] || [ "$input" = "YES" ] || [ "$input" = "TRUE" ] || [ "$input" = "Y" ]; then
        echo "yes"
        exit 0
    fi
    echo "no"
    exit 1
 }
 add_path() {
    # $1: existing path
    # $2: path to add
@ -82,12 +67,9 @@ Toplevel installation directories for third-party components:
  --binpac_root         BinPAC compiler
  --broker_root         Broker communication framework
-Feature tests (prints 'yes' if supported; exit code reflects result):
+Feature tests:
-  --have-af-packet        Native AF_PACKET support
+  --have-spicy-analyzers  Prints 'yes' if built-in Spicy analyzers are available; exit code reflects result
  --have-geoip            IP address geolocation & AS lookups
  --have-javascript       JavaScript support
  --have-spicy-analyzers  built-in Spicy analyzers
 "
 }
@ -127,17 +109,14 @@ while [ $# -ne 0 ]; do
        --config_dir)
            echo $config_dir
            ;;
        --have-af-packet)
            report_feature "$have_af_packet"
            ;;
        --have-geoip)
            report_feature "$have_geoip"
            ;;
        --have-javascript)
            report_feature "$have_javascript"
            ;;
        --have-spicy-analyzers)
-            report_feature "$have_spicy"
+            if [ "$have_spicy" = "yes" ]; then
                echo "yes"
                exit 0
            else
                echo "no"
                exit 1
            fi
            ;;
        --include_dir)
            echo $include_dir
--- a/cmake_templates/zeek-version.h.in
+++ b/cmake_templates/zeek-version.h.in
@ -3,7 +3,7 @@
 #pragma once
 /* Version number of package */
-#define VERSION "@ZEEK_VERSION_FULL_LOCAL@"
+#define VERSION "@ZEEK_VERSION_FULL@"
 // Zeek version number.
 // This is the result of (major * 10000 + minor * 100 + patch)
--- a/102
+++ b/102
@ -33,9 +33,6 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
    --sanitizers=LIST           comma-separated list of sanitizer names to enable
    --include-plugins=PATHS     paths containing plugins to build directly into Zeek
                                (semicolon delimited and quoted when multiple)
    --localversion=version      version contains an additional, custom version string
                                that is appended to the standard Zeek version string,
                                with a dash [-] separating the two.
  Installation Directories:
    --prefix=PREFIX        installation directory [/usr/local/zeek]
@ -67,21 +64,13 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
    --enable-perftools-debug use Google's perftools for debugging
    --enable-static-binpac build binpac statically (ignored if --with-binpac is specified)
    --enable-static-broker build Broker statically (ignored if --with-broker is specified)
    --enable-werror        build with -Werror
    --enable-ZAM-profiling build with ZAM profiling enabled (--enable-debug implies this)
    --enable-spicy-ssl     build with spicy SSL/TLS analyzer (conflicts with --disable-spicy)
    --enable-iwyu          build with include-what-you-use enabled for the main Zeek target.
                           Requires include-what-you-use binary to be in the PATH.
    --enable-clang-tidy    build with clang-tidy enabled for the main Zeek target.
                           Requires clang-tidy binary to be in the PATH.
    --disable-af-packet    don't include native AF_PACKET support (Linux only)
    --disable-archiver     don't build or install zeek-archiver tool
    --disable-auxtools     don't build or install auxiliary tools
    --disable-broker-tests don't try to build Broker unit tests
    --disable-btest        don't install BTest
    --disable-btest-pcaps  don't install Zeek's BTest input pcaps
    --disable-cluster-backend-zeromq don't build Zeek's ZeroMQ cluster backend
    --disable-cpp-tests    don't build Zeek's C++ unit tests
    --disable-javascript   don't build Zeek's JavaScript support
    --disable-port-prealloc disable pre-allocating the PortVal array in ValManager
    --disable-python       don't try to build python bindings for Broker
    --disable-spicy        don't include Spicy
@ -90,9 +79,16 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
    --disable-zkg          don't install zkg
  Required Packages in Non-Standard Locations:
    --with-bifcl=PATH      path to Zeek BIF compiler executable
                           (useful for cross-compiling)
    --with-bind=PATH       path to BIND install root
    --with-binpac=PATH     path to BinPAC executable
                           (useful for cross-compiling)
    --with-bison=PATH      path to bison executable
    --with-broker=PATH     path to Broker install root
                           (Zeek uses an embedded version by default)
    --with-gen-zam=PATH    path to Gen-ZAM code generator
                           (Zeek uses an embedded version by default)
    --with-flex=PATH       path to flex executable
    --with-libkqueue=PATH  path to libkqueue install root
                           (Zeek uses an embedded version by default)
@ -134,8 +130,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
 sourcedir="$(cd "$(dirname "$0")" && pwd)"
-if [ ! -e "$sourcedir/cmake/COPYING" ]; then
+if [ ! -e "$sourcedir/cmake/COPYING" ] && [ -d "$sourcedir/.git" ]; then
    if [ -d "$sourcedir/.git" ]; then
    echo "\
 You seem to be missing the content of the cmake directory.
@ -144,23 +139,6 @@ Zeek. To check out the required subdirectories, please execute:
  ( cd $sourcedir && git submodule update --recursive --init )
 " >&2
    else
        echo "\
 You seem to be missing the content of the cmake directory.
 This typically means that you downloaded a non-release archive from github.
 These archives do not contain all required files.
 If you want to download the current release of Zeek, please download a full
 archive using one of the links at https://zeek.org/get-zeek/.
 If you want to get the current development version of Zeek, please use git to
 clone our repository.
 See https://docs.zeek.org/en/master/install.html#retrieving-the-sources for
 instructions.
 " >&2
    fi
    exit 1
 fi
@ -177,7 +155,6 @@ append_cache_entry() {
 builddir=build
 CMakeCacheEntries=""
 display_cmake=0
 has_disable_archiver=0
 # parse arguments
 while [ $# -ne 0 ]; do
@ -231,9 +208,6 @@ while [ $# -ne 0 ]; do
        --include-plugins=*)
            append_cache_entry ZEEK_INCLUDE_PLUGINS STRING \"$optarg\"
            ;;
        --localversion=*)
            append_cache_entry ZEEK_VERSION_LOCAL STRING \"$optarg\"
            ;;
        --prefix=*)
            append_cache_entry CMAKE_INSTALL_PREFIX PATH $optarg
            ;;
@ -278,11 +252,9 @@ while [ $# -ne 0 ]; do
        --enable-coverage)
            append_cache_entry ENABLE_COVERAGE BOOL true
            append_cache_entry ENABLE_DEBUG BOOL true
            append_cache_entry ENABLE_ZAM_PROFILE BOOL true
            ;;
        --enable-debug)
            append_cache_entry ENABLE_DEBUG BOOL true
            append_cache_entry ENABLE_ZAM_PROFILE BOOL true
            ;;
        --enable-fuzzers)
            append_cache_entry ZEEK_ENABLE_FUZZERS BOOL true
@ -303,24 +275,12 @@ while [ $# -ne 0 ]; do
        --enable-static-broker)
            append_cache_entry BUILD_STATIC_BROKER BOOL true
            ;;
        --enable-werror)
            append_cache_entry BUILD_WITH_WERROR BOOL true
            ;;
        --enable-ZAM-profiling)
            append_cache_entry ENABLE_ZAM_PROFILE BOOL true
            ;;
        --enable-spicy-ssl)
            append_cache_entry ENABLE_SPICY_SSL BOOL true
            ;;
        --enable-iwyu)
            append_cache_entry ENABLE_IWYU BOOL true
            ;;
        --enable-clang-tidy)
            append_cache_entry ENABLE_CLANG_TIDY BOOL true
            ;;
        --disable-af-packet)
            append_cache_entry DISABLE_AF_PACKET BOOL true
            ;;
        --disable-archiver)
            append_cache_entry INSTALL_ZEEK_ARCHIVER BOOL false
            ;;
        --disable-auxtools)
            append_cache_entry INSTALL_AUX_TOOLS BOOL false
            ;;
@ -334,9 +294,6 @@ while [ $# -ne 0 ]; do
        --disable-btest-pcaps)
            append_cache_entry INSTALL_BTEST_PCAPS BOOL false
            ;;
        --disable-cluster-backend-zeromq)
            append_cache_entry ENABLE_CLUSTER_BACKEND_ZEROMQ BOOL false
            ;;
        --disable-cpp-tests)
            append_cache_entry ENABLE_ZEEK_UNIT_TESTS BOOL false
            ;;
@ -361,9 +318,15 @@ while [ $# -ne 0 ]; do
        --disable-zkg)
            append_cache_entry INSTALL_ZKG BOOL false
            ;;
        --with-bifcl=*)
            append_cache_entry BIFCL_EXE_PATH PATH $optarg
            ;;
        --with-bind=*)
            append_cache_entry BIND_ROOT_DIR PATH $optarg
            ;;
        --with-binpac=*)
            append_cache_entry BINPAC_EXE_PATH PATH $optarg
            ;;
        --with-bison=*)
            append_cache_entry BISON_EXECUTABLE PATH $optarg
            ;;
@ -376,6 +339,9 @@ while [ $# -ne 0 ]; do
        --with-flex=*)
            append_cache_entry FLEX_EXECUTABLE PATH $optarg
            ;;
        --with-gen-zam=*)
            append_cache_entry GEN_ZAM_EXE_PATH PATH $optarg
            ;;
        --with-geoip=*)
            append_cache_entry LibMMDB_ROOT_DIR PATH $optarg
            ;;
@ -457,19 +423,6 @@ if [ -z "$CMakeCommand" ]; then
    fi
 fi
 echo "Using $(cmake --version | head -1)"
 echo
 if [ -n "$CMakeGenerator" ]; then
    cmake="${CMakeCommand} -G ${CMakeGenerator} ${CMakeCacheEntries} ${sourcedir}"
 else
    cmake="${CMakeCommand} ${CMakeCacheEntries} ${sourcedir}"
 fi
 if [ "${display_cmake}" = 1 ]; then
    echo "${cmake}"
    exit 0
 fi
 if [ -d $builddir ]; then
    # If build directory exists, check if it has a CMake cache
    if [ -f $builddir/CMakeCache.txt ]; then
@ -486,6 +439,19 @@ echo "Build Directory : $builddir"
 echo "Source Directory: $sourcedir"
 cd $builddir
 echo "Using $(cmake --version | head -1)"
 echo
 if [ -n "$CMakeGenerator" ]; then
    cmake="${CMakeCommand} -G ${CMakeGenerator} ${CMakeCacheEntries} ${sourcedir}"
 else
    cmake="${CMakeCommand} ${CMakeCacheEntries} ${sourcedir}"
 fi
 if [ "${display_cmake}" = 1 ]; then
    echo "${cmake}"
    exit 0
 fi
 eval ${cmake} 2>&1
 echo "# This is the command used to configure this build" >config.status
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit f28baefb4dbd8a9606f952471d625de8c1c3c658
+Subproject commit 1873d6a4c601751635c9b40c1309005da39ae480
--- a/docker/Makefile
+++ b/docker/Makefile
@ -1,12 +1,6 @@
 # See the file "COPYING" in the main distribution directory for copyright.
 VERSION := $(shell cat ../VERSION)
 LOCALVERSION ?= ""
 LOCAL_VERSION_FLAG = ""
 ifneq ($(LOCALVERSION), "")
 	VERSION := $(VERSION)-$(LOCALVERSION)
 	LOCAL_VERSION_FLAG := --localversion=$(LOCALVERSION)
 endif
 BUILD_IMAGE := zeek-builder:$(VERSION)
 BUILD_CONTAINER := zeek-builder-container-$(VERSION)
 ZEEK_IMAGE ?= zeek:$(VERSION)
@ -17,7 +11,7 @@ ZEEK_CONFIGURE_FLAGS ?= \
 	--build-type=Release \
 	--disable-btest-pcaps \
 	--disable-broker-tests \
-	--disable-cpp-tests $(LOCAL_VERSION_FLAG)
+	--disable-cpp-tests
 .PHONY: all
--- a/docker/builder.Dockerfile
+++ b/docker/builder.Dockerfile
@ -1,7 +1,7 @@
 # See the file "COPYING" in the main distribution directory for copyright.
 # Layer to build Zeek.
-FROM debian:13-slim
+FROM debian:bookworm-slim
 # Make the shell split commands in the log so we can determine reasons for
 # failures more easily.
@ -16,13 +16,11 @@ RUN echo 'Acquire::https::timeout "180";' >> /etc/apt/apt.conf.d/99-timeouts
 # Configure system for build.
 RUN apt-get -q update \
 && apt-get upgrade -q -y \
 && apt-get install -q -y --no-install-recommends \
     bind9 \
     bison \
     ccache \
     cmake \
     cppzmq-dev \
     flex \
     g++ \
     gcc \
@ -37,7 +35,7 @@ RUN apt-get -q update \
     libz-dev \
     make \
     python3-minimal \
-     python3-dev \
+     python3.11-dev \
     swig \
     ninja-build \
     python3-pip \
--- a/docker/final.Dockerfile
+++ b/docker/final.Dockerfile
@ -1,7 +1,7 @@
 # See the file "COPYING" in the main distribution directory for copyright.
 # Final layer containing all artifacts.
-FROM debian:13-slim
+FROM debian:bookworm-slim
 # Make the shell split commands in the log so we can determine reasons for
 # failures more easily.
@ -15,23 +15,18 @@ RUN echo 'Acquire::http::timeout "180";' > /etc/apt/apt.conf.d/99-timeouts
 RUN echo 'Acquire::https::timeout "180";' >> /etc/apt/apt.conf.d/99-timeouts
 RUN apt-get -q update \
 && apt-get upgrade -q -y \
 && apt-get install -q -y --no-install-recommends \
     ca-certificates \
     git \
     jq \
     libmaxminddb0 \
-     libnode115 \
+     libnode108 \
     libpython3.11 \
     libpcap0.8 \
     libpython3.13 \
     libssl3 \
     libuv1 \
     libz1 \
     libzmq5 \
     net-tools \
     procps \
     python3-git \
     python3-minimal \
     python3-git \
     python3-semantic-version \
     python3-websocket \
 && apt-get clean \
@ -39,5 +34,5 @@ RUN apt-get -q update \
 # Copy over Zeek installation from build
 COPY --from=zeek-build /usr/local/zeek /usr/local/zeek
-ENV PATH="/usr/local/zeek/bin:${PATH}"
+ENV PATH "/usr/local/zeek/bin:${PATH}"
-ENV PYTHONPATH="/usr/local/zeek/lib/zeek/python:${PYTHONPATH}"
+ENV PYTHONPATH "/usr/local/zeek/lib/zeek/python:${PYTHONPATH}"
--- a/ruff.toml
+++ b/ruff.toml
@ -1,8 +0,0 @@
 target-version = "py39"
 # Skip anything in the auxil directory. This includes pysubnetree which
 # should be handled separately.
 exclude = ["auxil"]
 [lint]
 select = ["C4", "F", "I", "ISC", "UP"]
--- a/scripts/base/files/extract/main.zeek
+++ b/scripts/base/files/extract/main.zeek
@ -8,8 +8,8 @@ export {
 	const prefix = "./extract_files/" &redef;
 	## The default max size for extracted files (they won't exceed this
-	## number of bytes). A value of zero means unlimited. Defaults to 100MB.
+	## number of bytes). A value of zero means unlimited.
-	option default_limit = 104857600;
+	option default_limit = 0;
 	## This setting configures if the file extract limit is inclusive
 	## of missing bytes. By default, missing bytes do count towards the
--- a/scripts/base/files/pe/main.zeek
+++ b/scripts/base/files/pe/main.zeek
@ -60,13 +60,13 @@ const pe_mime_types = { "application/x-dosexec" };
 event zeek_init() &priority=5
 	{
 	Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types);
-	Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_pe, $path="pe", $policy=log_policy));
+	Log::create_stream(LOG, [$columns=Info, $ev=log_pe, $path="pe", $policy=log_policy]);
 	}
 hook set_file(f: fa_file) &priority=5
 	{
 	if ( ! f?$pe )
-		f$pe = PE::Info($ts=f$info$ts, $id=f$id);
+		f$pe = [$ts=network_time(), $id=f$id];
 	}
 event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
--- a/scripts/base/files/x509/log-ocsp.zeek
+++ b/scripts/base/files/x509/log-ocsp.zeek
@ -40,7 +40,7 @@ export {
 event zeek_init() &priority=5
 	{
-	Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_ocsp, $path="ocsp", $policy=log_policy));
+	Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp", $policy=log_policy]);
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
 	}
--- a/scripts/base/files/x509/main.zeek
+++ b/scripts/base/files/x509/main.zeek
@ -105,29 +105,6 @@ export {
 	## Event for accessing logged records.
 	global log_x509: event(rec: Info);
 	## The maximum number of bytes that a single string field can contain when
 	## logging. If a string reaches this limit, the log output for the field will be
 	## truncated. Setting this to zero disables the limiting.
 	##
 	## .. zeek:see:: Log::default_max_field_string_bytes
 	const default_max_field_string_bytes = Log::default_max_field_string_bytes &redef;
 	## The maximum number of elements a single container field can contain when
 	## logging. If a container reaches this limit, the log output for the field will
 	## be truncated. Setting this to zero disables the limiting.
 	##
 	## .. zeek:see:: Log::default_max_field_container_elements
 	const default_max_field_container_elements = 500 &redef;
 	## The maximum total number of container elements a record may log. This is the
 	## sum of all container elements logged for the record. If this limit is reached,
 	## all further containers will be logged as empty containers. If the limit is
 	## reached while processing a container, the container will be truncated in the
 	## output. Setting this to zero disables the limiting.
 	##
 	## .. zeek:see:: Log::default_max_total_container_elements
 	const default_max_total_container_elements = 1500 &redef;
 }
 global known_log_certs_with_broker: set[LogCertHash] &create_expire=relog_known_certificates_after &backend=Broker::MEMORY;
@ -140,12 +117,7 @@ redef record Files::Info += {
 event zeek_init() &priority=5
 	{
-	# x509 can have some very large certificates and very large sets of URIs. Expand the log size filters
+	Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509", $policy=log_policy]);
 	# so that we're not truncating those.
 	Log::create_stream(X509::LOG, Log::Stream($columns=Info, $ev=log_x509, $path="x509", $policy=log_policy,
 	                                          $max_field_string_bytes=X509::default_max_field_string_bytes,
 	                                          $max_field_container_elements=X509::default_max_field_container_elements,
 	                                          $max_total_container_elements=X509::default_max_total_container_elements));
 	# We use MIME types internally to distinguish between user and CA certificates.
 	# The first certificate in a connection always gets tagged as user-cert, all
@ -195,7 +167,7 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
 	{
 	local der_cert = x509_get_certificate_string(cert_ref);
 	local fp = hash_function(der_cert);
-	f$info$x509 = X509::Info($ts=f$info$ts, $fingerprint=fp, $certificate=cert, $handle=cert_ref);
+	f$info$x509 = [$ts=f$info$ts, $fingerprint=fp, $certificate=cert, $handle=cert_ref];
 	if ( f$info$mime_type == "application/x-x509-user-cert" )
 		f$info$x509$host_cert = T;
 	if ( f$is_orig )
@ -253,3 +225,4 @@ event file_state_remove(f: fa_file) &priority=5
 	Log::write(LOG, f$info$x509);
 	}
--- a/scripts/base/frameworks/analyzer/dpd.zeek
+++ b/scripts/base/frameworks/analyzer/dpd.zeek
@ -1,33 +1,61 @@
-##! Disables analyzers if protocol violations occur, and adds service information
+##! Activates port-independent protocol detection and selectively disables
-##! to connection log.
+##! analyzers if protocol violations occur.
@load ./main
 module DPD;
 export {
-	## Analyzers which you don't want to remove on violations.
+	## Add the DPD logging stream identifier.
 	redef enum Log::ID += { LOG };
 	## A default logging policy hook for the stream.
 	global log_policy: Log::PolicyHook;
 	## The record type defining the columns to log in the DPD logging stream.
 	type Info: record {
 		## Timestamp for when protocol analysis failed.
 		ts:             time            &log;
 		## Connection unique ID.
 		uid:            string          &log;
 		## Connection ID containing the 4-tuple which identifies endpoints.
 		id:             conn_id         &log;
 		## Transport protocol for the violation.
 		proto:          transport_proto &log;
 		## The analyzer that generated the violation.
 		analyzer:       string          &log;
 		## The textual reason for the analysis failure.
 		failure_reason: string          &log;
 	};
 	## Ongoing DPD state tracking information.
 	type State: record {
 		## Current number of protocol violations seen per analyzer instance.
 		violations: table[count] of count;
 	};
 	## Number of protocol violations to tolerate before disabling an analyzer.
 	option max_violations: table[Analyzer::Tag] of count = table() &default = 5;
 	## Analyzers which you don't want to throw
 	option ignore_violations: set[Analyzer::Tag] = set();
 	## Ignore violations which go this many bytes into the connection.
 	## Set to 0 to never ignore protocol violations.
 	option ignore_violations_after = 10 * 1024;
 	## Change behavior of service field in conn.log:
 	## Failed services are no longer removed. Instead, for a failed
 	## service, a second entry with a "-" in front of it is added.
 	## E.g. a http connection with a violation would be logged as
 	## "http,-http".
 	option track_removed_services_in_connection = F;
 }
 redef record connection += {
-	## The set of prototol analyzers that were removed due to a protocol
+	dpd: Info &optional;
-	## violation after the same analyzer had previously been confirmed.
+	dpd_state: State &optional;
-	failed_analyzers: set[string] &default=set() &ordered;
+	## The set of services (analyzers) for which Zeek has observed a
 	## violation after the same service had previously been confirmed.
 	service_violation: set[string] &default=set();
 };
-# Add confirmed protocol analyzers to conn.log service field
+event zeek_init() &priority=5
 	{
 	Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd", $policy=log_policy]);
 	}
 event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &priority=10
 	{
 	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
@ -41,11 +69,9 @@ event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirm
 	add c$service[analyzer];
 	}
-# Remove failed analyzers from service field and add them to c$failed_analyzers
+event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=10
 # Low priority to allow other handlers to check if the analyzer was confirmed
 event analyzer_failed(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=-5
 	{
-	if ( ! is_protocol_analyzer(atype) )
+	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
 		return;
 	if ( ! info?$c )
@ -53,32 +79,38 @@ event analyzer_failed(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolatio
 	local c = info$c;
 	local analyzer = Analyzer::name(atype);
-	# If the service hasn't been confirmed yet, or already failed,
+	# If the service hasn't been confirmed yet, don't generate a log message
-	# don't generate a log message for the protocol violation.
+	# for the protocol violation.
 	if ( analyzer !in c$service )
 		return;
 	# If removed service tracking is active, don't delete the service here.
 	if ( ! track_removed_services_in_connection )
 	delete c$service[analyzer];
 	add c$service_violation[analyzer];
-	# if statement is separate, to allow repeated removal of service, in case there are several
+	local dpd: Info;
-	# confirmation and violation events
+	dpd$ts = network_time();
-	if ( analyzer !in c$failed_analyzers )
+	dpd$uid = c$uid;
-		add c$failed_analyzers[analyzer];
+	dpd$id = c$id;
 	dpd$proto = get_port_transport_proto(c$id$orig_p);
 	dpd$analyzer = analyzer;
-	# add "-service" to the list of services on removal due to violation, if analyzer was confirmed before
+	# Encode data into the reason if there's any as done for the old
-	if ( track_removed_services_in_connection && Analyzer::name(atype) in c$service )
+	# analyzer_violation event, previously.
 	local reason = info$reason;
 	if ( info?$data )
 		{
-		local rname = cat("-", Analyzer::name(atype));
+		local ellipsis = |info$data| > 40 ? "..." : "";
-		if ( rname !in c$service )
+		local data = info$data[0:40];
-			add c$service[rname];
+		reason = fmt("%s [%s%s]", reason, data, ellipsis);
 		}
 	dpd$failure_reason = reason;
 	c$dpd = dpd;
 	}
 event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo ) &priority=5
 	{
-	if ( ! is_protocol_analyzer(atype) )
+	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
 		return;
 	if ( ! info?$c || ! info?$aid )
@ -93,17 +125,37 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
 	if ( ignore_violations_after > 0 && size > ignore_violations_after )
 		return;
-	# analyzer already was removed or connection finished
+	if ( ! c?$dpd_state )
 	# let's still log this.
 	if ( lookup_connection_analyzer_id(c$id, atype) == 0 )
 		{
-		event analyzer_failed(network_time(), atype, info);
+		local s: State;
 		c$dpd_state = s;
 		}
 	if ( aid in c$dpd_state$violations )
 		++c$dpd_state$violations[aid];
 	else
 		c$dpd_state$violations[aid] = 1;
 	if ( c?$dpd || c$dpd_state$violations[aid] > max_violations[atype] )
 		{
 		# Disable an analyzer we've previously confirmed, but is now in
 		# violation, or else any analyzer in excess of the max allowed
 		# violations, regardless of whether it was previously confirmed.
 		disable_analyzer(c$id, aid, F);
 		}
 	}
 event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo ) &priority=-5
 	{
 	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
 		return;
 		}
-	local disabled = disable_analyzer(c$id, aid, F);
+	if ( ! info?$c )
 		return;
-	# If analyzer was disabled, send failed event
+	if ( info$c?$dpd )
-	if ( disabled )
+		{
-		event analyzer_failed(network_time(), atype, info);
+		Log::write(DPD::LOG, info$c$dpd);
 		delete info$c$dpd;
 		}
 	}
--- a/scripts/base/frameworks/analyzer/logging.zeek
+++ b/scripts/base/frameworks/analyzer/logging.zeek
@ -1,6 +1,8 @@
-##! Logging analyzer  violations into analyzer.log
+##! Logging analyzer confirmations and violations into analyzer.log
@load base/frameworks/config
@load base/frameworks/logging
@load ./main
 module Analyzer::Logging;
@ -9,10 +11,16 @@ export {
 	## Add the analyzer logging stream identifier.
 	redef enum Log::ID += { LOG };
 	## A default logging policy hook for the stream.
 	global log_policy: Log::PolicyHook;
 	## The record type defining the columns to log in the analyzer logging stream.
 	type Info: record {
-		## Timestamp of the violation.
+		## Timestamp of confirmation or violation.
 		ts:             time              &log;
 		## What caused this log entry to be produced. This can
 		## currently be "violation" or "confirmation".
 		cause:          string            &log;
 		## The kind of analyzer involved. Currently "packet", "file"
 		## or "protocol".
 		analyzer_kind:  string            &log;
@ -23,58 +31,98 @@ export {
 		uid:            string            &log &optional;
 		## File UID if available.
 		fuid:           string            &log &optional;
-		## Connection identifier if available.
+		## Connection identifier if available
 		id:             conn_id           &log &optional;
-		## Transport protocol for the violation, if available.
+
 		proto:          transport_proto   &log &optional;
 		## Failure or violation reason, if available.
-		failure_reason: string            &log;
+		failure_reason: string            &log &optional;
 		## Data causing failure or violation if available. Truncated
 		## to :zeek:see:`Analyzer::Logging::failure_data_max_size`.
 		failure_data:   string            &log &optional;
 	};
 	## Enable logging of analyzer violations and optionally confirmations
 	## when :zeek:see:`Analyzer::Logging::include_confirmations` is set.
 	option enable = T;
 	## Enable analyzer_confirmation. They are usually less interesting
 	## outside of development of analyzers or troubleshooting scenarios.
 	## Setting this option may also generated multiple log entries per
 	## connection, minimally one for each conn.log entry with a populated
 	## service field.
 	option include_confirmations = F;
 	## If a violation contains information about the data causing it,
 	## include at most this many bytes of it in the log.
 	option failure_data_max_size = 40;
-	## An event that can be handled to access the :zeek:type:`Analyzer::Logging::Info`
+	## Set of analyzers for which to not log confirmations or violations.
-	## record as it is sent on to the logging framework.
+	option ignore_analyzers: set[AllAnalyzers::Tag] = set();
 	global log_analyzer: event(rec: Info);
 	## A default logging policy hook for the stream.
 	global log_policy: Log::PolicyHook;
 }
 event zeek_init() &priority=5
 	{
-	Log::create_stream(LOG, Log::Stream($columns=Info, $path="analyzer", $ev=log_analyzer, $policy=log_policy));
+	Log::create_stream(LOG, [$columns=Info, $path="analyzer", $policy=log_policy,
 	                         $event_groups=set("Analyzer::Logging")]);
 	local enable_handler = function(id: string, new_value: bool): bool {
 		if ( new_value )
 		    Log::enable_stream(LOG);
 		else
 		    Log::disable_stream(LOG);
 		return new_value;
 	};
 	Option::set_change_handler("Analyzer::Logging::enable", enable_handler);
 	local include_confirmations_handler = function(id: string, new_value: bool): bool {
 		if ( new_value )
 		    enable_event_group("Analyzer::Logging::include_confirmations");
 		else
 		    disable_event_group("Analyzer::Logging::include_confirmations");
 		return new_value;
 	};
 	Option::set_change_handler("Analyzer::Logging::include_confirmations",
 	                           include_confirmations_handler);
 	# Call the handlers directly with the current values to avoid config
 	# framework interactions like creating entries in config.log.
 	enable_handler("Analyzer::Logging::enable", Analyzer::Logging::enable);
 	include_confirmations_handler("Analyzer::Logging::include_confirmations",
 	                              Analyzer::Logging::include_confirmations);
 	}
-function log_analyzer_failure(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
+function analyzer_kind(atype: AllAnalyzers::Tag): string
 	{
-	local rec = Info(
+	if ( is_protocol_analyzer(atype) )
-		$ts=ts,
+		return "protocol";
-		$analyzer_kind=Analyzer::kind(atype),
+	else if ( is_packet_analyzer(atype) )
-		$analyzer_name=Analyzer::name(atype),
+		return "packet";
-		$failure_reason=info$reason
+	else if ( is_file_analyzer(atype) )
-	);
+		return "file";
-	if ( info?$c )
+	Reporter::warning(fmt("Unknown kind of analyzer %s", atype));
-		{
+	return "unknown";
 		rec$id = info$c$id;
 		rec$uid = info$c$uid;
 		rec$proto = get_port_transport_proto(info$c$id$orig_p);
 	}
-	if ( info?$f )
+function populate_from_conn(rec: Info, c: connection)
 	{
-		rec$fuid = info$f$id;
+	rec$id = c$id;
 	rec$uid = c$uid;
 	}
 function populate_from_file(rec: Info, f: fa_file)
 	{
 	rec$fuid = f$id;
 	# If the confirmation didn't have a connection, but the
-		# fa_file object has exactly one, use it.
+	# fa_file object has has exactly one, use it.
-		if ( ! rec?$uid && info$f?$conns && |info$f$conns| == 1 )
+	if ( ! rec?$uid && f?$conns && |f$conns| == 1 )
 		{
-			for ( _, c in info$f$conns )
+		for ( _, c in f$conns )
 			{
 			rec$id = c$id;
 			rec$uid = c$uid;
@ -82,6 +130,46 @@ function log_analyzer_failure(ts: time, atype: AllAnalyzers::Tag, info: Analyzer
 		}
 	}
 event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &group="Analyzer::Logging::include_confirmations"
 	{
 	if ( atype in ignore_analyzers )
 		return;
 	local rec = Info(
 		$ts=network_time(),
 		$cause="confirmation",
 		$analyzer_kind=analyzer_kind(atype),
 		$analyzer_name=Analyzer::name(atype),
 	);
 	if ( info?$c )
 		populate_from_conn(rec, info$c);
 	if ( info?$f )
 		populate_from_file(rec, info$f);
 	Log::write(LOG, rec);
 	}
 event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
 	{
 	if ( atype in ignore_analyzers )
 		return;
 	local rec = Info(
 		$ts=network_time(),
 		$cause="violation",
 		$analyzer_kind=analyzer_kind(atype),
 		$analyzer_name=Analyzer::name(atype),
 		$failure_reason=info$reason,
 	);
 	if ( info?$c )
 		populate_from_conn(rec, info$c);
 	if ( info?$f )
 		populate_from_file(rec, info$f);
 	if ( info?$data )
 		{
 		if ( failure_data_max_size > 0 )
@ -92,32 +180,3 @@ function log_analyzer_failure(ts: time, atype: AllAnalyzers::Tag, info: Analyzer
 	Log::write(LOG, rec);
 	}
 # event currently is only raised for protocol analyzers; we do not fail packet and file analyzers
 event analyzer_failed(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
 	{
 	if ( ! is_protocol_analyzer(atype) )
 		return;
 	if ( ! info?$c )
 		return;
 	# log only for previously confirmed service that did not already log violation
 	# note that analyzers can fail repeatedly in some circumstances - e.g. when they
 	# are re-attached by the dynamic protocol detection due to later data.
 	local analyzer_name = Analyzer::name(atype);
 	if ( analyzer_name !in info$c$service || analyzer_name in info$c$failed_analyzers )
 		return;
 	log_analyzer_failure(ts, atype, info);
 	}
 # log packet and file analyzers here separately
 event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo )
 	{
 	if ( is_protocol_analyzer(atype) )
 		return;
 	log_analyzer_failure(network_time(), atype, info);
 	}
--- a/scripts/base/frameworks/analyzer/main.zeek
+++ b/scripts/base/frameworks/analyzer/main.zeek
@ -88,15 +88,6 @@ export {
 	## Returns: The analyzer name corresponding to the tag.
 	global name: function(tag: Analyzer::Tag) : string;
 	## Translates an analyzer type to a string with the analyzer's type.
 	##
 	## Possible values are "protocol", "packet", "file", or "unknown".
 	##
 	## tag: The analyzer tag.
 	##
 	## Returns: The analyzer kind corresponding to the tag.
 	global kind: function(tag: Analyzer::Tag) : string;
 	## Check whether the given analyzer name exists.
 	##
 	## This can be used before calling :zeek:see:`Analyzer::get_tag` to
@ -109,10 +100,6 @@ export {
 	## Translates an analyzer's name to a tag enum value.
 	##
 	## The analyzer is assumed to exist; call
 	## :zeek:see:`Analyzer::has_tag` first to verify that name is a
 	## valid analyzer name.
 	##
 	## name: The analyzer name.
 	##
 	## Returns: The analyzer tag corresponding to the name.
@ -172,23 +159,6 @@ export {
 	##
 	## This set can be added to via :zeek:see:`redef`.
 	global requested_analyzers: set[AllAnalyzers::Tag] = {} &redef;
 	## Event that is raised when an analyzer raised a service violation and was
 	## removed.
 	##
 	## The event is also raised if the analyzer already was no longer active by
 	## the time that the violation was handled - so if it happens at the very
 	## end of a connection.
 	##
 	## Currently this event is only raised for protocol analyzers, as packet
 	## and file analyzers are never actively removed/disabled.
 	##
 	## ts: time at which the violation occurred
 	##
 	## atype: atype: The analyzer tag, such as ``Analyzer::ANALYZER_HTTP``.
 	##
 	##info: Details about the violation. This record should include a :zeek:type:`connection`
 	global analyzer_failed: event(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo);
 }
@load base/bif/analyzer.bif
@ -272,19 +242,6 @@ function name(atype: AllAnalyzers::Tag) : string
 	return __name(atype);
 	}
 function kind(atype: AllAnalyzers::Tag): string
 	{
 	if ( is_protocol_analyzer(atype) )
 		return "protocol";
 	else if ( is_packet_analyzer(atype) )
 		return "packet";
 	else if ( is_file_analyzer(atype) )
 		return "file";
 	Reporter::warning(fmt("Unknown kind of analyzer %s", atype));
 	return "unknown";
 	}
 function has_tag(name: string): bool
 	{
 	return __has_tag(name);
--- a/Show more
+++ b/Show more
		`@ -1 +0,0 @@`
			`Our code of conduct is published at https://zeek.org/community-code-of-conduct/`
		`@ -1,3 +0,0 @@`
			`Our contribution guide is available at https://github.com/zeek/zeek/wiki/Contribution-Guide.`

			`More information about contributing is also available at https://docs.zeek.org/en/master/devel/contributors.html.`
		`@ -0,0 +1 @@`
							`Subproject commit c7bf54c587439d3bcb16d53b0d77a702e48d2526`
		`@ -0,0 +1 @@`
							`Subproject commit 84b730fdcc5b983c65c6226ec092aee66c486680`
		`@ -1 +1 @@`
			`Subproject commit 06d491943f4bee6c2d1e17a5c7c31836d725273d`				`Subproject commit f9af5f0ed2b87e01790fe06a0658cc54f1c32974`
		`@ -1 +1 @@`
			`Subproject commit 8c0fbfd74325b6c9be022a98bcd414b6f103d09e`				`Subproject commit 46f982cd6fafd34639c2f97628a57f1457f7e56a`
		`@ -1 +1 @@`
			`Subproject commit d3a507e920e7af18a5efb7f9f1d8044ed4750013`				`Subproject commit 2aa086f822aad5017a6f2061ef656f237a62d0ed`
		`@ -1 +0,0 @@`
			`Subproject commit f339d2f73730f8fee4412f5e4938717866ecef48`
		`@ -0,0 +1 @@`
							`Subproject commit 72a76d774e4c7c605141fd6d11c33cc211209ed9`
		`@ -0,0 +1 @@`
							`Subproject commit cbba05dbaa58fdabe863f4e8a122ca92809b52d6`