Update 3p dependencies #1098

Closed
7 tasks done
bennettgoble opened this issue Mar 31, 2024 · 8 comments
Labels
enhancement New feature or request team:viewer

@bennettgoble
Member

bennettgoble commented Mar 31, 2024

Second Life's dependencies are in a sorry state: many of them contain CVEs, are 5+ years out of date, and many are not packaged for all platforms (Linux). Let's get these dependencies updated!

Dependencies

🚧 Under Construction

| Library | Viewer | Viewer date | Newest | Newest date | Breaking? | Since 2024 | Notes |
|---|---|---|---|---|---|---|---|
| zlib-ng | 2.2.1 | 2024/07 | 2.2.1 | 2024/07 | No | 😊 <1 year | #2250 |
| SDL | 2.30.6 | 2024/08 | 2.30.6 | 2024/08 | No | 😊 <1 year | SDL2 used in many viewer forks, #2246 |
| apr_suite | 1.7.4 | 2023/04 | 1.7.4 | 2023/04 | No | 🙂 1 year | #2214 |
| boost | 1.81.0 | 2022/12 | 1.84.0 | 2023/12 | No | 🙂 1.5 years | |
| colladadom | 2.3.5 | 10+ years | 2.5.1 | 2017 | No | 💀 14 years | Unmaintained upstream |
| curl | 7.54.1 | 2017/06 | 8.7.1 | 2024/03 | No | 7 years | |
| freetype | 2.13.2 | 2023/08 | 2.13.2 | 2023/08 | No | 🙂 1 year | #2250 |
| expat | 2.6.2 | 2024/03 | 2.6.2 | 2024/03 | No | 🙂 1 year | #2214 |
| kdu | 7.10.4 | 2018? | | | | 🤔 6 years | |
| libhunspell | 1.7.2 | 2022/12 | 1.7.2 | 2022/12 | No | 🙂 2 years | #2175 |
| libndofdev | | | | | | | |
| libpng | 1.6.43 | 2024/02 | 1.6.43 | 2024/02 | No | 😊 <1 year | #2250 |
| libxml2 | 2.13.3 | 2024/07 | 2.13.3 | 2024/07 | No | 😊 <1 year | #2250 |
| minizip_ng | 4.0.7 | 2024/06 | | | | 😊 <1 year | #2250 |
| nghttp2 | 1.62.1 | 2019/05 | | | | 🤔 5 years | CVE-2020-11080, #2250 |
| nvapi | 352.0.0 | 2015? | | | | 💀 9 years | |
| ogg_vorbis | 1.3.5-1.3.7 | 2020 | | | | 🤔 4 years | #2186 |
| openal-soft | 1.23.1 | 2023 | | | | 🙂 1 year | |
| openjpeg | 2.5.0 | 2022 | | | | 🙂 2 years | |
| openssl | 1.1.1w | 2023/09 | | | | 🙂 1 year | #870, #2250 |
| tracy | 0.11 | 2024 | | | | 😊 <1 year | #2282 |
| uriparser | 0.9.4 | 2020 | | | | 🤔 4 years | |
| vlc | 3.0.16 | 2021 | | | | 🤔 3 years | |
| jpegencoderbasic | 1 | 2009 | | | | | |
| threejs | 0.132.2 | 2021 | | | | | |
| glext | 68 | 2010 | | | | | |
| havok_source | 2012.1-2 | 2012 | | | | | |
| meshoptimizer | 0.16 | 2021 | | | | | |
| bugsplat | 4.0.3 | 2017 | | | | | |
| cubemaptoequirectangular | 1.1.0 | 2017 | | | | | |
| tinygltf | 2.9.3 | 2024/08 | | | | 😊 <1 year | #2250 |
| libjpeg-turbo | 3.0.3 | 2024/05 | | | | 😊 <1 year | #2173 |
| xxhash | 0.8.2 | 2023 | | | | 🙂 1 year | #2217 |

Dependencies we should replace or remove

Where appropriate, dependencies could be removed or replaced with other dependencies we already have available:

| Library | Viewer | Viewer date | Newest | Newest date | Breaking? | Since 2024 | Notes |
|---|---|---|---|---|---|---|---|
| jsoncpp | 0.5.0 | 2010 | | | | 💀 14 years | Replace with boost.json |
| pcre | 8.35 | 2014 | | | | 💀 10 years | Replace with boost.regex |
| xmlrpc_epi | 0.54.1 | 2009 | | | | 💀 15 years | Replace with basic HTTP call, this is only used in a couple places. CVE-2016-6296 |
| googlemock | | | | | | | Remove. No longer used. |

Tasks

  1. maint-pe team:viewer tech-debt
  2. enhancement team:viewer
@bennettgoble bennettgoble added enhancement New feature or request triage Flags issues that need to be triaged labels Mar 31, 2024
@bennettgoble bennettgoble changed the title New Feature Update 3p dependencies Mar 31, 2024
@akleshchev
Contributor

akleshchev commented Apr 1, 2024

openal | 1.12.854

We use openal-soft, not openal, and the update to v1.23.1-18e315c was here:
be5a6e6

openssl

Has critical issues, but the update has to start server side.
#870

@kylelinden kylelinden added this to the 3P Updates milestone Apr 2, 2024
@kylelinden kylelinden added team:viewer and removed triage Flags issues that need to be triaged labels Apr 2, 2024
@AiraYumi
Contributor

QUIC support has been enhanced in openssl 3.3.0.
Is there any benefit to changing nghttp2 to nghttp3?

@AiraYumi
Contributor

Is a tinygltf update required?

@AiraYumi
Contributor

AiraYumi commented May 1, 2024

slvoice is the Linux version and uses version 3.2, so I would like it to be updated.

@akleshchev
Contributor

akleshchev commented Jul 29, 2024

Boost gets an update:
#2135 (review)

If everything goes well, uriparser will go away too #2136

@marchcat
Contributor

marchcat commented Aug 2, 2024

Update to libhunspell 1.7.2-r1 - #2175

@marchcat
Contributor

Update SDL2 to 2.30.6 - #2246

@bennettgoble
Member Author

🎊 The vast majority of these packages have been updated. A huge thanks to @RyeMutt and @AiraYumi for their help.

Let's call this closed and track anything that remains independently.

5 participants