From d7c0b19df27ef7951010f5d16df235638e98af83 Mon Sep 17 00:00:00 2001 From: whispers Date: Mon, 11 May 2026 17:42:53 -0400 Subject: [PATCH 01/97] expat: 2.8.0 -> 2.8.1 Changelog: https://github.com/libexpat/libexpat/blob/R_2_8_1/expat/Changes Diff: https://github.com/libexpat/libexpat/compare/R_2_8_0...R_2_8_1 Fixes: CVE-2026-45186 (cherry picked from commit fe1ca2c575fa37169ccb114ffc9a5581aa44860d) --- pkgs/by-name/ex/expat/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/ex/expat/package.nix b/pkgs/by-name/ex/expat/package.nix index cf55e71a2037..78ff9e9253b0 100644 --- a/pkgs/by-name/ex/expat/package.nix +++ b/pkgs/by-name/ex/expat/package.nix @@ -18,7 +18,7 @@ # files. let - version = "2.8.0"; + version = "2.8.1"; tag = "R_${lib.replaceStrings [ "." ] [ "_" ] version}"; in stdenv.mkDerivation (finalAttrs: { @@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: { url = with finalAttrs; "https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz"; - hash = "sha256-o3v64KqXdb2FIevYXcRW1Ibw/zETj2yR/ZAupzJiRUI="; + hash = "sha256-ELGV7ngWCpCDiBgKj+NgPU6aEvR1X79fOBayOp11DaA="; }; strictDeps = true; From d4e0d2f759a3c7c0065fa9f28a8b113b72a1bb11 Mon Sep 17 00:00:00 2001 From: 6543 <6543@obermui.de> Date: Tue, 12 May 2026 13:40:54 +0200 Subject: [PATCH 02/97] woodpecker-{agent,cli,server}: 3.14.0 -> 3.14.1 (cherry picked from commit e2ba981d086ec77e5117b9aac9df2500e9626e5a) --- .../tools/continuous-integration/woodpecker/common.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/tools/continuous-integration/woodpecker/common.nix b/pkgs/development/tools/continuous-integration/woodpecker/common.nix index 66ececb749ba..51869f9e65cb 100644 --- a/pkgs/development/tools/continuous-integration/woodpecker/common.nix +++ b/pkgs/development/tools/continuous-integration/woodpecker/common.nix @@ -1,6 +1,6 @@ { lib, fetchFromGitHub }: let - version = "3.14.0"; + version = "3.14.1"; vendorHash = "sha256-fibx+Ky2cfP71tPzeiDybx+0f/+XvZbDXC7PAWQMRIY="; nodeModulesHash = "sha256-wQUOUB5uhWbdEP1nP02ihRZf3F1sEvQeZTDxOa5P1lQ="; in @@ -11,7 +11,7 @@ in owner = "woodpecker-ci"; repo = "woodpecker"; tag = "v${version}"; - hash = "sha256-FFGNjQa4W6T1BmbNh3rD1m7vtJFBWmgxocRV+OO5ZfA="; + hash = "sha256-D9AC9D8O3n420yvEzYhV7ev7dLZULAZ55iUWDmla4z0="; }; postInstall = '' From e682a0e50ac6a972e00b2347abfdc0d907e5e433 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 12 May 2026 18:27:09 +0200 Subject: [PATCH 03/97] Revert "groff: only apply the latest patch on linux for now" This reverts commit 37a9427fd325fd4f815f4717a6280a7b076a173f. (cherry picked from commit b2e8b0c6028f84faa0cf2b959732f30591c7f18f) --- pkgs/by-name/gr/groff/package.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkgs/by-name/gr/groff/package.nix b/pkgs/by-name/gr/groff/package.nix index a824d9a82f02..083b1493dcf6 100644 --- a/pkgs/by-name/gr/groff/package.nix +++ b/pkgs/by-name/gr/groff/package.nix @@ -48,8 +48,7 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-dOKBl5W2r/QxrqyYPWOpyJaO6roqLrp9+LpMe0Hnz9g="; }; - patches = lib.optionals stdenv.isLinux [ - # TODO: apply everywhere on rebuild + patches = [ # This revert a upstream refactor in continuous rendering mode, but this # causes a big performance regression for big manpages like # `man 5 configuration.nix`. From 5aece021f4b248331fa6813c13255bab33dfa220 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Tue, 12 May 2026 22:44:31 +0200 Subject: [PATCH 04/97] audit: 4.1.2-unstable-2025-09-06 -> 4.1.4 Upstream diff: https://github.com/linux-audit/audit-userspace/compare/cb13fe75ee2c36d5c525ed9de22aae10dbc8caf4...v4.1.4 Adds support for io_uring and syscalls of Linux 7.0 kernels. (cherry picked from commit 2b8ed1fe219eb6783afc4081e3ab62e8ee99ee39) --- pkgs/by-name/au/audit/package.nix | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/pkgs/by-name/au/audit/package.nix b/pkgs/by-name/au/audit/package.nix index 197df3501597..3b2389e7843c 100644 --- a/pkgs/by-name/au/audit/package.nix +++ b/pkgs/by-name/au/audit/package.nix @@ -30,13 +30,13 @@ }: stdenv.mkDerivation (finalAttrs: { pname = "audit"; - version = "4.1.2-unstable-2025-09-06"; # fixes to non-static builds right after 4.1.2 release + version = "4.1.4"; src = fetchFromGitHub { owner = "linux-audit"; repo = "audit-userspace"; - rev = "cb13fe75ee2c36d5c525ed9de22aae10dbc8caf4"; - hash = "sha256-NX0TWA+LtcZgbM9aQfokWv2rGNAAb3ksGqAH8URAkYM="; + tag = "v${finalAttrs.version}"; + hash = "sha256-GdJ9nzlDAdOazOHH/YWuEoELrJh+G5ZJUKwIqAKAzpo="; }; postPatch = '' @@ -132,10 +132,6 @@ stdenv.mkDerivation (finalAttrs: { # Instead, we load audit rules in a dedicated module. postFixup = '' moveToOutput bin/augenrules $scripts - substituteInPlace $scripts/bin/augenrules \ - --replace-fail "/sbin/auditctl -R" "$bin/bin/auditctl -R" \ - --replace-fail "auditctl -s" "$bin/bin/auditctl -s" \ - --replace-fail "/bin/ls" "ls" wrapProgram $scripts/bin/augenrules \ --prefix PATH : ${ lib.makeBinPath [ From c6eddcf80ad012ce92537c3191f65ccf52b66495 Mon Sep 17 00:00:00 2001 From: Ruud van Asseldonk Date: Fri, 1 May 2026 21:53:30 +0200 Subject: [PATCH 05/97] libressl_4_3: init at 4.3.1 I also added expiration date comments on all of them, because I always spend some time chasing what the support dates are, and it would save maintainer time to be able to see what to do with these branches. (cherry picked from commit feb7c9ff7812521077ce8ac75c0cdc8f5de31152) --- pkgs/by-name/li/libressl/default.nix | 13 +++++++++++++ pkgs/top-level/all-packages.nix | 1 + 2 files changed, 14 insertions(+) diff --git a/pkgs/by-name/li/libressl/default.nix b/pkgs/by-name/li/libressl/default.nix index 7a266936f6c4..7a7408243433 100644 --- a/pkgs/by-name/li/libressl/default.nix +++ b/pkgs/by-name/li/libressl/default.nix @@ -111,13 +111,17 @@ let identifiers.cpeParts = lib.meta.cpeFullVersionWithVendor "openbsd" version; }; }; + # https://github.com/libressl/portable/pull/1206 + # This got merged in February 2026 and is included as of LibreSSL 4.3.0. common-cmake-install-full-dirs-patch = fetchpatch { url = "https://github.com/libressl/portable/commit/a15ea0710398eaeed3be53cf643e80a1e80c981d.patch"; hash = "sha256-Mlf4SrGCCqALQicbGtmVGdkdfcE8DEGYkOuVyG2CozM="; }; in { + # 4.1 was released April 2025 and became unsupported on April 28, 2026, + # one year after the release of OpenBSD 7.7. libressl_4_1 = generic { version = "4.1.2"; hash = "sha256-+6Ti+ip/UjBt96OJlwoQ6YuX6w7bKZqf252/SZmcYeE="; @@ -137,6 +141,8 @@ in ]; }; + # 4.2 was released October 2025 and will become unsupported on October 22, + # 2026, one year after the release of OpenBSD 7.8. libressl_4_2 = generic { version = "4.2.1"; hash = "sha256-bVwvWFg1iOp5H0yGRQBAcdAN+lVKW/eIoAbKHrWr1ws="; @@ -144,4 +150,11 @@ in common-cmake-install-full-dirs-patch ]; }; + + # 4.3 was released April 2026 and will become unsupported one year after the + # release of OpenBSD 7.9. + libressl_4_3 = generic { + version = "4.3.1"; + hash = "sha256-wttCrOFOfVQZgm+rNadC7G5NEnJaBRpR0M6jwQug+lA="; + }; } diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 893992d7ac21..c875435d59d6 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -6955,6 +6955,7 @@ with pkgs; inherit (callPackages ../by-name/li/libressl { }) libressl_4_1 libressl_4_2 + libressl_4_3 ; openssl = openssl_3_6; From 8953025b909e821bfa97037abac04271b8554f9b Mon Sep 17 00:00:00 2001 From: Ruud van Asseldonk Date: Fri, 1 May 2026 22:07:13 +0200 Subject: [PATCH 06/97] libressl_4_1: delete unsupported package LibreSSL branches are supported for one year after the OpenBSD release in which they are included. LibreSSL 4.1 was part of OpenBSD 7.7, which was released on April 28, 2025, so it's end of life now. (cherry picked from commit 0bfe3de9edd95a12bd7049dcd03055d796124a31) --- pkgs/by-name/li/libressl/default.nix | 21 --------------------- pkgs/top-level/all-packages.nix | 1 - 2 files changed, 22 deletions(-) diff --git a/pkgs/by-name/li/libressl/default.nix b/pkgs/by-name/li/libressl/default.nix index 7a7408243433..8d6f40f61c01 100644 --- a/pkgs/by-name/li/libressl/default.nix +++ b/pkgs/by-name/li/libressl/default.nix @@ -120,27 +120,6 @@ let }; in { - # 4.1 was released April 2025 and became unsupported on April 28, 2026, - # one year after the release of OpenBSD 7.7. - libressl_4_1 = generic { - version = "4.1.2"; - hash = "sha256-+6Ti+ip/UjBt96OJlwoQ6YuX6w7bKZqf252/SZmcYeE="; - # Fixes build on loongarch64 - # https://github.com/libressl/portable/pull/1184 - postPatch = '' - mkdir -p include/arch/loongarch64 - cp ${ - fetchurl { - url = "https://github.com/libressl/portable/raw/refs/tags/v4.1.0/include/arch/loongarch64/opensslconf.h"; - hash = "sha256-68dw5syUy1z6GadCMR4TR9+0UQX6Lw/CbPWvjHGAhgo="; - } - } include/arch/loongarch64/opensslconf.h - ''; - patches = [ - common-cmake-install-full-dirs-patch - ]; - }; - # 4.2 was released October 2025 and will become unsupported on October 22, # 2026, one year after the release of OpenBSD 7.8. libressl_4_2 = generic { diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index c875435d59d6..fef7b4b6658b 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -6953,7 +6953,6 @@ with pkgs; zunclient = with python313Packages; toPythonApplication python-zunclient; inherit (callPackages ../by-name/li/libressl { }) - libressl_4_1 libressl_4_2 libressl_4_3 ; From 6fd22ccf4c3bea1f931d26a48425eb01e0c07414 Mon Sep 17 00:00:00 2001 From: Ruud van Asseldonk Date: Fri, 1 May 2026 22:08:40 +0200 Subject: [PATCH 07/97] libressl: add ruuda as maintainer I've been keeping this package up to date over the past few years, since I run a webserver that depends on it. I'd be happy to be co-maintainer for it, and hopefully reduce the load on others. (cherry picked from commit 16656233905ab0ff2fa329c86593cb925094b1e7) --- pkgs/by-name/li/libressl/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/by-name/li/libressl/default.nix b/pkgs/by-name/li/libressl/default.nix index 8d6f40f61c01..fba1c17d5180 100644 --- a/pkgs/by-name/li/libressl/default.nix +++ b/pkgs/by-name/li/libressl/default.nix @@ -96,6 +96,7 @@ let maintainers = with lib.maintainers; [ thoughtpolice fpletz + ruuda ]; inherit knownVulnerabilities; From 6fbc1e2a1d6115826542176da8629c43638c4ae4 Mon Sep 17 00:00:00 2001 From: Ruud van Asseldonk Date: Fri, 1 May 2026 22:51:35 +0200 Subject: [PATCH 08/97] libressl: enable strictDeps and __structuredAttrs (cherry picked from commit c74cade494dc95a74dd75099bf700e9bab5deb35) --- pkgs/by-name/li/libressl/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/by-name/li/libressl/default.nix b/pkgs/by-name/li/libressl/default.nix index fba1c17d5180..a4ac4000d452 100644 --- a/pkgs/by-name/li/libressl/default.nix +++ b/pkgs/by-name/li/libressl/default.nix @@ -23,6 +23,9 @@ let pname = "libressl"; inherit version; + strictDeps = true; + __structuredAttrs = true; + src = fetchurl { url = "mirror://openbsd/LibreSSL/libressl-${version}.tar.gz"; inherit hash; From 4248c5fd7a9c28e2fd27a865686fe864fcded34d Mon Sep 17 00:00:00 2001 From: Ruud van Asseldonk Date: Tue, 12 May 2026 19:03:20 +0200 Subject: [PATCH 09/97] libressl_4_3: backport executable stack fix And also add an additional check to preCheck that will enable us to catch executable stack issues earlier next time. (cherry picked from commit 5198c49a5a58932c1a782aee9ad2fd6509f935e1) --- pkgs/by-name/li/libressl/default.nix | 29 ++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/pkgs/by-name/li/libressl/default.nix b/pkgs/by-name/li/libressl/default.nix index a4ac4000d452..4ccc79407ba7 100644 --- a/pkgs/by-name/li/libressl/default.nix +++ b/pkgs/by-name/li/libressl/default.nix @@ -61,6 +61,22 @@ let doCheck = !(stdenv.hostPlatform.isPower64 || stdenv.hostPlatform.isRiscV); preCheck = '' + # Bail if any shared object has executable stack enabled. This can + # happen when an object produced from an assmbly file in libcrypto is + # missing a .note.GNU-stack section. An executable stack is dangerous + # and unintentional, but without this check the derivation will build + # and even run if W^X is not enforced; it would fail dangerously. + objdump -p **/*.so | awk ' + BEGIN { res = 0 } + /file format/ { file = $1 } + /STACK/ { stack = 1; next } + stack { + if ($0 ~ /flags.*x/) { print file " has executable stack"; res = 1 } + stack = 0 + } + END { exit res } + ' + export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName} export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)" ''; @@ -139,5 +155,18 @@ in libressl_4_3 = generic { version = "4.3.1"; hash = "sha256-wttCrOFOfVQZgm+rNadC7G5NEnJaBRpR0M6jwQug+lA="; + patches = [ + # Fix for https://github.com/libressl/portable/issues/1278, where LibreSSL + # 4.3 started requiring executable stack because some objects were missing + # a .note.GNU-stack section; will probably be included in the next release. + (fetchpatch { + url = "https://raw.githubusercontent.com/libressl/portable/4dae91d056c6c75ba5cf2bc5e6148b8e02239119/patches/gnu-stack.patch"; + hash = "sha256-Q1oWL4N8w5Zmjfq5QkTJR53NgZ4GqChSDaBicli5G2I="; + # This patch is written to be applied with -p0, with no leading path + # component, but Nix applies with -p1 by default, so we add it to not + # break compatibility with how other patches must be applied. + decode = "sed 's|^--- |--- a/|; s|^+++ |+++ b/|'"; + }) + ]; }; } From 34b3da5050e8e4c26efe67418533e587063230fd Mon Sep 17 00:00:00 2001 From: Hythera <87016780+Hythera@users.noreply.github.com> Date: Sun, 10 May 2026 15:19:19 +0200 Subject: [PATCH 10/97] openexr: 3.4.10 -> 3.4.11 changelog: https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.11 diff: https://github.com/AcademySoftwareFoundation/openexr/compare/v3.4.10...v3.4.11 (cherry picked from commit 32f67f000b22d422e36befbbabd36279e2a660a2) --- pkgs/development/libraries/openexr/3.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/openexr/3.nix b/pkgs/development/libraries/openexr/3.nix index 11d5c376c025..f81d46c321ef 100644 --- a/pkgs/development/libraries/openexr/3.nix +++ b/pkgs/development/libraries/openexr/3.nix @@ -13,13 +13,13 @@ stdenv.mkDerivation rec { pname = "openexr"; - version = "3.4.10"; + version = "3.4.11"; src = fetchFromGitHub { owner = "AcademySoftwareFoundation"; repo = "openexr"; rev = "v${version}"; - hash = "sha256-jXio+PvagKTR8NjcYIQ/j8LOMNc/0sQBuaixKk/0V3k="; + hash = "sha256-5dx2tag6XyuJfNfJgc68X+VWKXaHOL3M7ZJEQbQwFDA="; }; outputs = [ From ce58349f07ce81aa3d1562ace68ad03a6d841438 Mon Sep 17 00:00:00 2001 From: Hythera <87016780+Hythera@users.noreply.github.com> Date: Tue, 28 Apr 2026 21:53:45 +0200 Subject: [PATCH 11/97] openapv: 0.2.1.2 -> 0.2.1.3 changelog: https://github.com/AcademySoftwareFoundation/openapv/releases/tag/v0.2.1.3-fix diff: https://github.com/AcademySoftwareFoundation/openapv/compare/v0.2.1.2...v0.2.1.3-fix (cherry picked from commit 02d2fdd686118eed0091ea82b41310dc74e571fd) --- pkgs/by-name/op/openapv/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/op/openapv/package.nix b/pkgs/by-name/op/openapv/package.nix index b153552d6f17..27d31127a004 100644 --- a/pkgs/by-name/op/openapv/package.nix +++ b/pkgs/by-name/op/openapv/package.nix @@ -12,13 +12,13 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "openapv"; - version = "0.2.1.2"; + version = "0.2.1.3"; src = fetchFromGitHub { owner = "AcademySoftwareFoundation"; repo = "openapv"; - tag = "v${finalAttrs.version}"; - hash = "sha256-wxncN7j5p0GXpWhOx4Ix0oTgGK2sIrfJgQ45fFwmQBI="; + tag = "v${finalAttrs.version}-fix"; # Remove the `-fix` suffix after the next version + hash = "sha256-lc/x2dWh6T8c63siHB32ka+SPVYTTyaO4YrQ12EbGqw="; }; postPatch = '' From aea1edbd625ce6297297b665a8d3a645dbceeb26 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 19 May 2026 16:13:05 +0200 Subject: [PATCH 12/97] python3Packages.aiodns: 4.0.0 -> 4.0.3 https://github.com/saghul/aiodns/releases/tag/v4.0.1 https://github.com/saghul/aiodns/releases/tag/v4.0.2 https://github.com/saghul/aiodns/releases/tag/v4.0.3 (cherry picked from commit 78f51bc5bcc5037966c06d952debc2e3c05f65ba) --- pkgs/development/python-modules/aiodns/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/aiodns/default.nix b/pkgs/development/python-modules/aiodns/default.nix index 54b67a88be19..1a147d54fa04 100644 --- a/pkgs/development/python-modules/aiodns/default.nix +++ b/pkgs/development/python-modules/aiodns/default.nix @@ -8,14 +8,14 @@ buildPythonPackage (finalAttrs: { pname = "aiodns"; - version = "4.0.0"; + version = "4.0.3"; pyproject = true; src = fetchFromGitHub { owner = "saghul"; repo = "aiodns"; tag = "v${finalAttrs.version}"; - hash = "sha256-/iYkhzN01+NaUfMXaM39IvlEKfoKc29+f0S4y0y3GG8="; + hash = "sha256-a26n8n/nxq/LxgPCQJNFjU4yVSCL7YK1lBkiDdVDo2w="; }; build-system = [ setuptools ]; From 3a7535469af279b4c0b5a0a2b0268c120d0fe510 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 19 May 2026 16:13:19 +0200 Subject: [PATCH 13/97] python3Packages.xmltodict: 1.0.2 -> 1.0.4 https://github.com/martinblech/xmltodict/blob/v1.0.4/CHANGELOG.md (cherry picked from commit 70d339f357ec9f39f6afb6cdeab341b48f21aac7) --- pkgs/development/python-modules/xmltodict/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/xmltodict/default.nix b/pkgs/development/python-modules/xmltodict/default.nix index 9d1c01842a42..bd22bc108bbe 100644 --- a/pkgs/development/python-modules/xmltodict/default.nix +++ b/pkgs/development/python-modules/xmltodict/default.nix @@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "xmltodict"; - version = "1.0.2"; + version = "1.0.4"; pyproject = true; src = fetchFromGitHub { owner = "martinblech"; repo = "xmltodict"; tag = "v${version}"; - hash = "sha256-gnTNkh0GLfRmjMsLhfvpNrewfinNOhem0i3wzIZvKpA="; + hash = "sha256-G7hVtS6toUJC0YY1AXBOJSc3wnAZyWilLnT/5vvFRRw="; }; build-system = [ setuptools ]; From 0b9b29e4218a3fa46d0fe9c9866b6fba675f4828 Mon Sep 17 00:00:00 2001 From: K900 Date: Thu, 21 May 2026 11:38:44 +0300 Subject: [PATCH 14/97] qt5: 5.15.18 -> 5.15.19 (cherry picked from commit 52afc5fa587029d9eb09757b68199aea80226062) --- .../libraries/qt-5/5.15/srcs-generated.json | 160 +++++++++--------- pkgs/development/libraries/qt-5/5.15/srcs.nix | 2 +- 2 files changed, 81 insertions(+), 81 deletions(-) diff --git a/pkgs/development/libraries/qt-5/5.15/srcs-generated.json b/pkgs/development/libraries/qt-5/5.15/srcs-generated.json index fd5fcefbff34..57473c4f5a29 100644 --- a/pkgs/development/libraries/qt-5/5.15/srcs-generated.json +++ b/pkgs/development/libraries/qt-5/5.15/srcs-generated.json @@ -1,202 +1,202 @@ { "qt3d": { "url": "https://invent.kde.org/qt/qt/qt3d.git", - "rev": "208f5835e6c2415c9dc5cbe92bba83aa28bab7ea", - "sha256": "0zqvdq5y25b1w7agx5wlr16p1wrx54086r0xcdfg9wx8dayhh1md" + "rev": "c3892c3ee3c0a2b8a050d0a1532f34806636eade", + "sha256": "0y3f4pr0vr7cpwmjxqspv79p7rljgc913fl8nqpv8y2aw8i5r4ly" }, "qtactiveqt": { "url": "https://invent.kde.org/qt/qt/qtactiveqt.git", - "rev": "e4c93bc7cac45bac6bccda3310947e8fe026a9ed", - "sha256": "1qq6jvqkl4ff7sw20pi1mawh5pypv7vxmj56d38z6p06r1azkvls" + "rev": "e85773764374878adc197b6a45ae8ec3ff44dafa", + "sha256": "1sbayayxgjj8jfi3apxw6m8qsmkba0gph2rm1wsnzjsa80zr17ia" }, "qtandroidextras": { "url": "https://invent.kde.org/qt/qt/qtandroidextras.git", - "rev": "4928bd58dbc1cdcf44a7e454e3d4654c3c2016f1", - "sha256": "02rsh60lyl6bn2jhx0ajn43safbi904nhwvdpikanrmdbg0z6dpp" + "rev": "14a14b137f0d794278947e980d99c47e6929e5e2", + "sha256": "0nvyxjm5qfq7sk22rp9hxrf8gvs6jq4i3kww1s0i8lsr69fl9biz" }, "qtbase": { "url": "https://invent.kde.org/qt/qt/qtbase.git", - "rev": "bebdfd54917e25d1c100e6bd9f5dd53c2e645fd8", - "sha256": "0bg36lxngkq2k11bhqdyfvbc1qyqaghwsi446zfn67vxvyxya3hx" + "rev": "fbed962c3195ab3952fa54d40e012ad1a4fdc42b", + "sha256": "1gnbgs7kh0vxjh3spv5g5zaaj1z1b0h8752pqi4lqg6jd1js2bpl" }, "qtcharts": { "url": "https://invent.kde.org/qt/qt/qtcharts.git", - "rev": "1093fb53ced126100d14af30a8adffd29b7ef855", - "sha256": "0cnlg59l743milkki8mjbrfd4cx5ycbqw73apcrnrsag9dqdbw41" + "rev": "16e9aff210cd4de7192adfc6cd91cdd44ba45a3d", + "sha256": "02virkb7h8hhkdsqpv2qg3lly4msf648f7421z10acxhin6ypw5i" }, "qtconnectivity": { "url": "https://invent.kde.org/qt/qt/qtconnectivity.git", - "rev": "f1be05c8efeb65b77a8bfd21763ab55bb5c04906", - "sha256": "1vl7wfw9sd8qfl8ixzl5wz4v5km5zdf9bii53q3pw4f2lplsralq" + "rev": "7e29434e06372efbb2127d0ef41538ff9aec1597", + "sha256": "1wv9bh13rq6mnnzsh6g88a2kj2j4nfv83vqpbdxmyavdf349pwdj" }, "qtdatavis3d": { "url": "https://invent.kde.org/qt/qt/qtdatavis3d.git", - "rev": "d9b988d3c5f9f34b97f3a9ac1347bfb55464cd60", - "sha256": "09jk32kw7wgcrd117a9lsm5w7jszsdhdslk10qn631wz203zbs4i" + "rev": "b52063032fda9af894ca0e582774364ce8caf0f8", + "sha256": "1zbfx7hqh1ydi2vx8pj6dxlrrc7wf8sqcwxzx8acphdyj66zcmch" }, "qtdeclarative": { "url": "https://invent.kde.org/qt/qt/qtdeclarative.git", - "rev": "1189557a50f11e7bc5716467a149cd09987a9f88", - "sha256": "0cd89d8i8chy1j1yanp1cq5s7467qr24b9c7cx9qw0nb0rf6f8qr" + "rev": "5bc1ac07b2d2c7839368084a4bb97e4c67eb8294", + "sha256": "0xpq0xjiscx72dcyg0lpr90ag5q7gypzcqnwbsnh401jrxn2pll1" }, "qtdoc": { "url": "https://invent.kde.org/qt/qt/qtdoc.git", - "rev": "ddb2afda6f713259fc8d95fb22a1c96bb448c36a", - "sha256": "0nk2vwl0ppix794xzj8nqrhsc333v8v4vr1rmwddymwlrdqlqd5d" + "rev": "385efd460ec13a465765fc30dd11217ae46d1846", + "sha256": "0djflkibfgjp8gr16hiv6nipj4q4xyclgv84f3d951dj2q7779v6" }, "qtgamepad": { "url": "https://invent.kde.org/qt/qt/qtgamepad.git", - "rev": "269fc0731f6838a1c02877a83c0ada23659c69fc", - "sha256": "06jhby671yzbj753yb0lnk4bv2r0nxxibq7fq1yljxdms0rc72iz" + "rev": "9b69ae558f0f9feffe30b0aa8993e270dfcc81ff", + "sha256": "056b39r4jsag5d7f5m04vmpydvnwpfs5mcynsdx717qdginlmiam" }, "qtgraphicaleffects": { "url": "https://invent.kde.org/qt/qt/qtgraphicaleffects.git", - "rev": "dfb2e7b2c98a9b7185c300d0b92b4048f5d89ba5", - "sha256": "1sn46lmq0y56mw0q11sgaijr2vg1wpp6lj237finp6vr3bji2816" + "rev": "551732fb1d963e53af437e3982a010f69eb76253", + "sha256": "1pyjb66nhlhin6ysm4005ng4m2ak857ai761rqx8l2h4fscgwvhf" }, "qtimageformats": { "url": "https://invent.kde.org/qt/qt/qtimageformats.git", - "rev": "c91e4c63c1eaf1e23806d9df10e3d5a9ae353c1d", - "sha256": "0q0vcymiqfyz8sfs9wdkhhwff55acj2rsmrb8w6yikmwcmcxp2a3" + "rev": "4076e38d68f05f5e1bcdedb79442d9008f18702c", + "sha256": "1kgvs3jgs2qysrx2kr4vn68h9gjv6ir1nd4hg0m2fbsjk644aa8w" }, "qtlocation": { "url": "https://invent.kde.org/qt/qt/qtlocation.git", - "rev": "ba48a8b5cedd157d972c08d371ac2581db166bf7", - "sha256": "00kwv405qq9q8fcwar33s2wvs1dm10fb8plxbz1q0jqcjs2ips6x" + "rev": "81f560be2274958011c255efa1d2d573874bed11", + "sha256": "1lpxngppxkhych9pkkcvw7ypw02cd324pw0z9hd9kqcd803p2017" }, "qtlottie": { "url": "https://invent.kde.org/qt/qt/qtlottie.git", - "rev": "27ed5a3c95a0810a96fac2a8661ea94d8ea3c44e", - "sha256": "04ivyxnn8d3pkjsbx0gwyj3f5if4m4cih6wyavm8bd2m2kkszx35" + "rev": "5f1be885cf4ee0f1eb5400bf0c5d138818fc01d0", + "sha256": "01880y8r2acnzfg09qm031kx99vp3zjv3zi38sh17shgcipx1fxp" }, "qtmacextras": { "url": "https://invent.kde.org/qt/qt/qtmacextras.git", - "rev": "fc7e9f41d9cec2df05c1d38d6e55d3a0d501dd25", - "sha256": "07q1arvdjwmbrayp2b213b8gqm4psczhx9z1m83invwmbs8iqj07" + "rev": "722060e4edff268feb2dda1298a7837c90f6262f", + "sha256": "1fqw1p6vx3gqw1sf1yk4cz1cb3d1xrbjq0p22gi0pspll314c8x0" }, "qtmultimedia": { "url": "https://invent.kde.org/qt/qt/qtmultimedia.git", - "rev": "ff83d119c75cd8406f73ccc08958fe36747e7390", - "sha256": "09jadnvphilcxxy85dlsr8a6x5w32r1c2hrbh93qbvvf9zlg60ld" + "rev": "8ddc44103baf166525d6650c842d7f08f651e7bb", + "sha256": "0akj2d8b6kdy125ggs9cd7pra3vm47frqpn6p756jafsxylkqwbh" }, "qtnetworkauth": { "url": "https://invent.kde.org/qt/qt/qtnetworkauth.git", - "rev": "510687fa4fdee84dd3d6d166e8f080c484016199", - "sha256": "0a8abmql94wxpfvdj5a1rnh3xsd49c5z8x93hm311sgjkd0aajx7" + "rev": "d1ce24a72122c315e3d190c9ebc26ed603b90057", + "sha256": "1wcw26x38k619xavrwav21w0vrzb24bn6ncxllcwd9bdn7vvn1wr" }, "qtpurchasing": { "url": "https://invent.kde.org/qt/qt/qtpurchasing.git", - "rev": "8e9a5ec9f68639162c85c198b28e072e7150883c", - "sha256": "04pmwqnw907dg0hpas0pdrh2fxcqn2mvqz82b1vkviksg8ny3saw" + "rev": "b471c6ca3edfa5ba459b8694622825b9e776bed6", + "sha256": "1plwpxasiw2sx76a294i4i92vk5g5gaigjfy284jpmaargxsyd7k" }, "qtquick3d": { "url": "https://invent.kde.org/qt/qt/qtquick3d.git", - "rev": "47a325358078b72016081a86be628411df2728a9", - "sha256": "18h309g6ni6y4bcss930g04z8ymhl2nfm3sv5s4h2fz3dl0xsqwr" + "rev": "4e85bd063c726f015dc8afb05834de7a71bf6a1b", + "sha256": "0k6wjkr2jyc1v6xrm34dnlbbdnippiph5jxzjxawlxijzzvmgcp5" }, "qtquickcontrols": { "url": "https://invent.kde.org/qt/qt/qtquickcontrols.git", - "rev": "0c3c18bf8bdac1ef1afdb8aade903edb5c2bc041", - "sha256": "0h8bhrbgfcf7nbfppah8lxnhvygc09983qrvp935r5sw7251km4d" + "rev": "af7fc486c8910b51733e1c7e758d50ca1a158b36", + "sha256": "1nbgpnz2qi8g24cmli25a9319vgqmk9vgngb12q2j8c8k3nlhhfs" }, "qtquickcontrols2": { "url": "https://invent.kde.org/qt/qt/qtquickcontrols2.git", - "rev": "e464888c53a641ee44a34ff2350cfb156c8ed59f", - "sha256": "08lnqz6v48j1hi6dpll7a052p6r5qfb32md16fppqzn6g5jg9ir2" + "rev": "5b808e0995d018c6de9f075d4a61f58d3641c11b", + "sha256": "1a65j06nzlxl1hmdh5li1gglcrqms0g560c2cj9vqzqm551krdj8" }, "qtquicktimeline": { "url": "https://invent.kde.org/qt/qt/qtquicktimeline.git", - "rev": "43130f2681b76a8d743a04704465b716b6b2faee", - "sha256": "1z1avxxq9d9nzqyxy5pq5maj73cf6dvsn5k83p3sf5kq3x0y75cj" + "rev": "ea9d6c4d5a0a172b4778e8f37d694d02aab83f37", + "sha256": "0170n0mcrf8phh3nsg2f904p8vxwmw8lks48zkpnbvyrj4gzqcr2" }, "qtremoteobjects": { "url": "https://invent.kde.org/qt/qt/qtremoteobjects.git", - "rev": "b2740a7c7f5b6ac810240404a947ca5cff9de5f7", - "sha256": "1jxlwc2y165fxdalcr4iqq55gsg5x4nxqd8wdq3dc1824yfnzm6i" + "rev": "48d10f341279e08c1bc4abb764c2d3ab9a259a51", + "sha256": "0523n172f96w474y804sanppfx2zkgsm342vwa6ailrcfkjw8v58" }, "qtscxml": { "url": "https://invent.kde.org/qt/qt/qtscxml.git", - "rev": "57491f554bc53bd020978b5744437b7ac7e56a27", - "sha256": "00mvwgb3xr116nl7649zq7ai2074clzw760c140sy91zqgqkjsx4" + "rev": "edc6f0dd5e806cced1937b2b853717f588e14fd2", + "sha256": "1072slgrvy910mxxqsvf7fgi237mjnbd2b8amw1srqzqj2bmnsj3" }, "qtsensors": { "url": "https://invent.kde.org/qt/qt/qtsensors.git", - "rev": "50a61b360877e7c1300df76b5aabf8d75554a398", - "sha256": "0giqwn4grg9999y31avh7ajsv9gkcfzf0xndx8bvv79si0wp59g6" + "rev": "8c6d11df60d4d783869c2d81568e3178f5ae75ce", + "sha256": "18jc5nncmpmbf758mcj9wj6dfn87hl51zp0ihqcvk6k6a8ra6l7p" }, "qtserialbus": { "url": "https://invent.kde.org/qt/qt/qtserialbus.git", - "rev": "c23069351ec31563c9ea9fcdce42ccdba95ea518", - "sha256": "1qgxlgnl53gabrfqihxwygdbdiqjvn2hfajmwb3h44srpq0srk33" + "rev": "6734222bccc5541f9527281c810c6b5f8fdd092f", + "sha256": "0ragq01wdwqwqp9720i3xan3a4xnkkvgc8gjy1wgwmdrs0mlb49z" }, "qtserialport": { "url": "https://invent.kde.org/qt/qt/qtserialport.git", - "rev": "b64a7eeda9b6a65b5ed01b1b40b07177f0aa4c0f", - "sha256": "134mn0njfvmzgrf325bikazkiq4xdn5wjhj56kxh1hhaz3q25hyp" + "rev": "ca1f2486527e7acf87d466062c035845f9774573", + "sha256": "0xdywglxh9sxs2s60shwf6c4m5w20h77l9d58rganqwpbrh49vkj" }, "qtspeech": { "url": "https://invent.kde.org/qt/qt/qtspeech.git", - "rev": "aa2376f9b1302222edcd16b4641bbd7004318c00", - "sha256": "0vcxgkymzhaw01f26zlny4bka9k829rwzkwk95rr3dfq7wlyxshz" + "rev": "a384f0d4fb8a2d0743d5dfdf12e40f6d76f8714c", + "sha256": "0imn7jskjvz30xnbg1z8wxkcw82hb6v92xls327385wxxj0a5i6r" }, "qtsvg": { "url": "https://invent.kde.org/qt/qt/qtsvg.git", - "rev": "b74f7291f343dcbcb487b020868f042d8fe83098", - "sha256": "1n0sjn8h5k2sh8p2a85cxdpqbnd63gz4rf9wwbshhd13w623f9s8" + "rev": "d2abfb9cb1f036446e5913fadb0f065dab9f0159", + "sha256": "048lbk25rbfbd2c8pbsifdxjcxb2003hi04lfsmgh7xr27x55gch" }, "qttools": { "url": "https://invent.kde.org/qt/qt/qttools.git", - "rev": "fa40a2d3373b89be0cd0a43fe0c1d047e3d34058", - "sha256": "06kr88gmwc7xh1whdbcg84y1naak5rv99jkscjbhzyz3z91xy7hl" + "rev": "3e3ab58b40734a1b9bbb7e72b2969d1f752351b1", + "sha256": "18dmmw1r13in7h90y3637jw3sc2pvv33bfr1bs11dyp951spw8d3" }, "qttranslations": { "url": "https://invent.kde.org/qt/qt/qttranslations.git", - "rev": "3cbcceb8e3e2e63a4022f1be946c7118c527a83e", - "sha256": "15lw5snqfkwwcsazh02lhiia39gy08nfijdpkzvll2qvg4b58zkn" + "rev": "388e4f32ed4b28d92bd61b917ba0e6b910e2784d", + "sha256": "1k76zl5c1x9q8kid3sjv4d66wy9ryl24fyiabrg32c7nbn53pbd4" }, "qtvirtualkeyboard": { "url": "https://invent.kde.org/qt/qt/qtvirtualkeyboard.git", - "rev": "859d2a6ee329cc08414410b2ef8c0af77a6853d3", - "sha256": "06sdpcanzp1a71d99rjivrbjp780mvwssc4w1sap2gskcmmgkwbs" + "rev": "4fc9919ee3fad1d520d0921ba3069dca3c34ff78", + "sha256": "12kn69l34s1r6s9w7cw9l5524kwrx8xrxwbx4hw059jns1pqac0d" }, "qtwayland": { "url": "https://invent.kde.org/qt/qt/qtwayland.git", - "rev": "df49b9f3badce793a0a9ea850cf1a02cc5bafef6", - "sha256": "01xm2r1pv7kxb4aj72ldfzmax6d799h6bj4h2xhpcii812wf5lda" + "rev": "605b8bc942ab263b9d1892af33a81b408f522ccc", + "sha256": "09vrd62ikxzjpv6awi7n34pswg4w5yvmac5ckc6ma6rqvps7mbip" }, "qtwebchannel": { "url": "https://invent.kde.org/qt/qt/qtwebchannel.git", - "rev": "2a157921861e651f43456cb7941b250c89feb736", - "sha256": "1w58b602f20mppd0zfr9yvfdn1xwfkfclnjs0p5mgymq6d946dyk" + "rev": "6a20afaeba182ce6e3faee592e1e85a0d3ec0fc6", + "sha256": "18jfxpasn47qd4glkgvps7nzm07dag6w9jbkq9l7fzbkpcbnqykb" }, "qtwebglplugin": { "url": "https://invent.kde.org/qt/qt/qtwebglplugin.git", - "rev": "b9aaac72d0853ba48f6bfd710a43df94d83d4701", - "sha256": "07zx55f52jgk31bm6c68iydknrih245ndnvz714l6kxw66fv4rjq" + "rev": "2a8ce0a61b4b9e892d948948182d935fa6792a1b", + "sha256": "10n50frndssj3vmmhghlw48dn0c9b26zgkgjvkza8x234j9dijv2" }, "qtwebsockets": { "url": "https://invent.kde.org/qt/qt/qtwebsockets.git", - "rev": "0f910acb737cefc889ce1088fc60d15bc18efe9c", - "sha256": "1ba9ll28hznd6qpjjiqvc2z6gaz2qgq7105dd0w810xpbaiixy0a" + "rev": "10eb706b24aa05f4ee69c2f2fec99b21994dfe2b", + "sha256": "1k01s4qkpzsjy7lygb0nhniym6g7yinih3sc16l3kljkabw44rx0" }, "qtwebview": { "url": "https://invent.kde.org/qt/qt/qtwebview.git", - "rev": "34342073a59f3a27ef3de02f6b21337c4f8db6cf", - "sha256": "1h6n7dkd6mjclxllyw2brz8wv4d68dx2ykckbwb3bkxyd6rmg1f6" + "rev": "043cb7c0eaf8d1bcee56a62d6a102f727a22fcbc", + "sha256": "0ha0ksbxm21hj37z7yk3f09ncgchw78cpcrxv56a205i2f04370d" }, "qtwinextras": { "url": "https://invent.kde.org/qt/qt/qtwinextras.git", - "rev": "5e5ae2b77078dbe51fb798743de606e6f9a5e19d", - "sha256": "04x8ax197z0dr01nxrb6bh4q8c077ny5n812fx5mq56l54v2m1ks" + "rev": "0704d01ff1218c2f32a194e38005e625c579222c", + "sha256": "0fsfrs770cia9i9ijvx1jyh0mjiza1cn1l7fm1a877h2qbd20l9f" }, "qtx11extras": { "url": "https://invent.kde.org/qt/qt/qtx11extras.git", - "rev": "c44c4fa86fa0794c25baef4ee1f6272aca8c511a", - "sha256": "0287cvs9wqlzz6gnj81gi8rp50s2rdnigcmld3fgddsg8f3v7hdj" + "rev": "6695a3df4460577b3fcb5546b45a0c5cb3addac4", + "sha256": "1xjdicq8kf6816hgnz4hc7ykcfngispm8xzv3bxacf98zicmy9rm" }, "qtxmlpatterns": { "url": "https://invent.kde.org/qt/qt/qtxmlpatterns.git", - "rev": "0b644263abca66503db1ce8a4e126cf358a34685", - "sha256": "1b1zzglvcdp7wvlpgk1gj8gmyy2r21yi6p8xiyvbccq5bbjpn0hw" + "rev": "ed3b333aa56ac193e969725e3c34be9070441271", + "sha256": "0s0z9dbivrq5pva6psfcfclw4816zb1rlr9ns03lf286iy196368" } } diff --git a/pkgs/development/libraries/qt-5/5.15/srcs.nix b/pkgs/development/libraries/qt-5/5.15/srcs.nix index 87a7bb97707d..ec5fdc9d5646 100644 --- a/pkgs/development/libraries/qt-5/5.15/srcs.nix +++ b/pkgs/development/libraries/qt-5/5.15/srcs.nix @@ -5,7 +5,7 @@ }: let - version = "5.15.18"; + version = "5.15.19"; mk = name: args: { inherit version; From ab31c6a2289e966d48b61035e6fb03e683244bcd Mon Sep 17 00:00:00 2001 From: ElXreno Date: Sat, 25 Apr 2026 16:00:45 +0300 Subject: [PATCH 15/97] openldap: skip flaky syncreplication tests (cherry picked from commit 63147b12a5831e23ce5e88f5f9a35fe8997e9978) --- pkgs/by-name/op/openldap/package.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/by-name/op/openldap/package.nix b/pkgs/by-name/op/openldap/package.nix index e40648724340..9e1457ef6572 100644 --- a/pkgs/by-name/op/openldap/package.nix +++ b/pkgs/by-name/op/openldap/package.nix @@ -122,6 +122,8 @@ stdenv.mkDerivation (finalAttrs: { # https://bugs.openldap.org/show_bug.cgi?id=8623 rm -f tests/scripts/test022-ppolicy + rm -f tests/scripts/test*-sync* + rm -f tests/scripts/test063-delta-multiprovider # https://bugs.openldap.org/show_bug.cgi?id=10009 From 252225814ab5f11143a02e8aad9459c2d9f498cd Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Thu, 21 May 2026 15:20:19 +0200 Subject: [PATCH 16/97] nodejs_24: 24.15.0 -> 24.16.0 (cherry picked from commit e9b7cf21331391509ae684ab5530fd43373dbd0c) --- pkgs/development/web/nodejs/v24.nix | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/pkgs/development/web/nodejs/v24.nix b/pkgs/development/web/nodejs/v24.nix index 69004825bea2..914ab1479370 100644 --- a/pkgs/development/web/nodejs/v24.nix +++ b/pkgs/development/web/nodejs/v24.nix @@ -23,8 +23,8 @@ let [ ]; in buildNodejs { - version = "24.15.0"; - sha256 = "a4f653d79ed140aaad921e8c22a3b585ca85cfdab80d4030f6309e4663a8a1c8"; + version = "24.16.0"; + sha256 = "2ff84a6de70b6165290111b0fc656ded1ad207a799816fe720cc7c31232df30f"; patches = ( if (stdenv.hostPlatform.emulatorAvailable buildPackages) then @@ -56,13 +56,6 @@ buildNodejs { ./use-correct-env-in-tests.patch ./bin-sh-node-run-v22.patch ./use-nix-codesign.patch - # https://github.com/NixOS/nixpkgs/pull/507974#issuecomment-4249433124 - # OpenSSL reports different errors - # https://github.com/nodejs/node/pull/62629 - (fetchpatch2 { - url = "https://github.com/nodejs/node/commit/dd25d8f29d3ddadcf5a5ebfdf98ece55f9df96c6.patch?full_index=1"; - hash = "sha256-6cxRN7TyWmJgUZt3jp2YXbVIjrDb2BNep5LxBOtT3Q0="; - }) # Patch for nghttp2 1.69 support (fetchpatch2 { From 71959781635822ba5e52066008b014781350fb5a Mon Sep 17 00:00:00 2001 From: Sefa Eyeoglu Date: Thu, 21 May 2026 09:28:33 +0200 Subject: [PATCH 17/97] unbound: 1.25.0 -> 1.25.1 Signed-off-by: Sefa Eyeoglu (cherry picked from commit 0c98395be2ba98874b055e6ed709c385446bfe06) --- pkgs/by-name/un/unbound/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/un/unbound/package.nix b/pkgs/by-name/un/unbound/package.nix index 45cdc57ff0a8..935818521103 100644 --- a/pkgs/by-name/un/unbound/package.nix +++ b/pkgs/by-name/un/unbound/package.nix @@ -57,13 +57,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "unbound"; - version = "1.25.0"; + version = "1.25.1"; src = fetchFromGitHub { owner = "NLnetLabs"; repo = "unbound"; tag = "release-${finalAttrs.version}"; - hash = "sha256-BAqGNi5lfYYTQd7CPH0lssLc5/AkeuKSVEFcrF/cNyc="; + hash = "sha256-1PXnxCPxoB5IrVBQIsrxiWAq+IoH7Ma9T1TTJsoTJc4="; }; outputs = [ From 5010b8e892a3e3d0a514051904f89e330c7252f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 19 May 2026 20:09:22 -0700 Subject: [PATCH 18/97] python3Packages.python-multipart: 0.0.22 -> 0.0.29 Diff: https://github.com/Kludex/python-multipart/compare/0.0.22...0.0.29 Changelog: https://github.com/Kludex/python-multipart/blob/0.0.29/CHANGELOG.md (cherry picked from commit 83594b903142a5f02015987a98b706416e4161ec) --- .../python-modules/python-multipart/default.nix | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/pkgs/development/python-modules/python-multipart/default.nix b/pkgs/development/python-modules/python-multipart/default.nix index 4781d391f0a2..ed476d568dd8 100644 --- a/pkgs/development/python-modules/python-multipart/default.nix +++ b/pkgs/development/python-modules/python-multipart/default.nix @@ -2,10 +2,8 @@ lib, buildPythonPackage, fetchFromGitHub, - fetchpatch, hatchling, pytestCheckHook, - mock, pyyaml, # for passthru.tests @@ -18,32 +16,22 @@ buildPythonPackage (finalAttrs: { pname = "python-multipart"; - version = "0.0.22"; + version = "0.0.29"; pyproject = true; src = fetchFromGitHub { owner = "Kludex"; repo = "python-multipart"; tag = finalAttrs.version; - hash = "sha256-UegnwGxiXQalbp18t1dl2JOQH6BY975cpBa9uo3SOuk="; + hash = "sha256-1aV7gWLuulINesm3L8Wm3+prmeD9+OY/ihm36rtQPRs="; }; - patches = [ - (fetchpatch { - name = "CVE-2026-40347-part-1.patch"; - url = "https://github.com/Kludex/python-multipart/commit/6a7b76dd2653d99d8e5981d7ff09a4a047750b37.patch"; - hash = "sha256-W1nyYMMoaf+lsNze3ppPeAXN+swG1dScDibazePSt+k="; - }) - ./CVE-2026-40347-part-2.patch - ]; - build-system = [ hatchling ]; pythonImportsCheck = [ "python_multipart" ]; nativeCheckInputs = [ pytestCheckHook - mock pyyaml ]; From b928e51eac5a88edf9dca5f35e4dfeb341a21ecf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 19 May 2026 20:11:39 -0700 Subject: [PATCH 19/97] python3Packages.asgi-csrf: mark broken (cherry picked from commit 1355d225b662faa1bb9bdbbfce935c416e2a17a0) --- pkgs/development/python-modules/asgi-csrf/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/python-modules/asgi-csrf/default.nix b/pkgs/development/python-modules/asgi-csrf/default.nix index f3ec2670d6f8..9c36730fd74c 100644 --- a/pkgs/development/python-modules/asgi-csrf/default.nix +++ b/pkgs/development/python-modules/asgi-csrf/default.nix @@ -49,6 +49,8 @@ buildPythonPackage rec { pythonImportsCheck = [ "asgi_csrf" ]; meta = { + # https://github.com/simonw/asgi-csrf/issues/38 + broken = lib.versionAtLeast python-multipart.version "0.0.26"; description = "ASGI middleware for protecting against CSRF attacks"; license = lib.licenses.asl20; homepage = "https://github.com/simonw/asgi-csrf"; From 4316ed9b28fad64bd73607646972215dc975c7c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Wed, 20 May 2026 09:17:04 -0700 Subject: [PATCH 20/97] python3Packages.frictionless: exclude datasette from nativeCheckInputs Datasette depends on asgi-csrf which was broken by updating python-multipart past version 0.0.26. (cherry picked from commit ba2df560b675f7f17843675cfce3422fb758745f) --- pkgs/development/python-modules/frictionless/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/development/python-modules/frictionless/default.nix b/pkgs/development/python-modules/frictionless/default.nix index 80013e731fd4..68edce923de3 100644 --- a/pkgs/development/python-modules/frictionless/default.nix +++ b/pkgs/development/python-modules/frictionless/default.nix @@ -195,7 +195,8 @@ buildPythonPackage rec { openpyxl xlrd ] - ++ lib.concatAttrValues optional-dependencies; + # datasette is transitively broken by asgi-csrf + ++ lib.concatAttrValues (lib.removeAttrs optional-dependencies [ "datasette" ]); disabledTestPaths = [ # Requires optional dependencies that have not been packaged (commented out above) From 25498003f382192bd8446d9029918dc794be9875 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Fri, 22 May 2026 08:00:28 +0200 Subject: [PATCH 21/97] gtk4: make patch unconditional The condition was just to avoid rebuilds at that moment. (cherry picked from commit ace84983c415e2f4c20bcb3e561f1bde840ae5e6) --- pkgs/by-name/gt/gtk4/package.nix | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/pkgs/by-name/gt/gtk4/package.nix b/pkgs/by-name/gt/gtk4/package.nix index 28fd6efc8850..9b7807508a35 100644 --- a/pkgs/by-name/gt/gtk4/package.nix +++ b/pkgs/by-name/gt/gtk4/package.nix @@ -95,11 +95,13 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-Ub2fYMfSOmZaVWxzZMIfsuTiglZrPn4JJFXo+RAzCJM="; }; - patches = lib.optional stdenv.hostPlatform.is32bit (fetchpatch { - name = "fix-32bit-VkImage-null.patch"; - url = "https://gitlab.gnome.org/GNOME/gtk/-/commit/10d43de8f4f942cb591ada3103474bd7213425f1.patch"; - hash = "sha256-DJIL6M3XcsjBoMO77OxNi84d1DxAphAfot3N7Nq1QqQ="; - }); + patches = [ + (fetchpatch { + name = "fix-32bit-VkImage-null.patch"; + url = "https://gitlab.gnome.org/GNOME/gtk/-/commit/10d43de8f4f942cb591ada3103474bd7213425f1.patch"; + hash = "sha256-DJIL6M3XcsjBoMO77OxNi84d1DxAphAfot3N7Nq1QqQ="; + }) + ]; depsBuildBuild = [ pkg-config From 9f696b0f32204635b875e247700f475dea6f2240 Mon Sep 17 00:00:00 2001 From: Linus Karl Date: Fri, 22 May 2026 21:37:49 +0200 Subject: [PATCH 22/97] linuxKernel.kernels.linux_zen: 7.0.9-zen1 -> 7.0.9-zen2 (cherry picked from commit 12f94ebc9f13187ed82569bfe011673146bdbdae) --- pkgs/os-specific/linux/kernel/zen-kernels.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/zen-kernels.nix b/pkgs/os-specific/linux/kernel/zen-kernels.nix index 6ab5cfa0a397..8b5c32e2af86 100644 --- a/pkgs/os-specific/linux/kernel/zen-kernels.nix +++ b/pkgs/os-specific/linux/kernel/zen-kernels.nix @@ -12,7 +12,7 @@ let # override options if they need using lib.mkForce (that has 50 priority) mkKernelOverride = lib.mkOverride 90; - suffix = "zen1"; + suffix = "zen2"; in buildLinux ( @@ -27,7 +27,7 @@ buildLinux ( owner = "zen-kernel"; repo = "zen-kernel"; rev = "v${version}-${suffix}"; - sha256 = "vu6rRldDBp/N6kkMzZEgz9aMsGa/VWPdnkZTCF/Yobo="; + sha256 = "1x2s9pv8frq77fish833mnwrrdglxssbqrsjnnizj3ayylw41qkd"; }; # This is based on the following source: From 10cf133bbf1f994932c9544c80c0efd62be8203e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Fri, 22 May 2026 11:05:40 -0700 Subject: [PATCH 23/97] python3Packages.aiodns: 4.0.3 -> 4.0.4 Diff: https://github.com/saghul/aiodns/compare/v4.0.3...v4.0.4 Changelog: https://github.com/saghul/aiodns/releases/tag/v4.0.4 (cherry picked from commit a53c6a389758b5517c67c2481d49656191a20880) --- pkgs/development/python-modules/aiodns/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/aiodns/default.nix b/pkgs/development/python-modules/aiodns/default.nix index 1a147d54fa04..21251500362e 100644 --- a/pkgs/development/python-modules/aiodns/default.nix +++ b/pkgs/development/python-modules/aiodns/default.nix @@ -8,14 +8,14 @@ buildPythonPackage (finalAttrs: { pname = "aiodns"; - version = "4.0.3"; + version = "4.0.4"; pyproject = true; src = fetchFromGitHub { owner = "saghul"; repo = "aiodns"; tag = "v${finalAttrs.version}"; - hash = "sha256-a26n8n/nxq/LxgPCQJNFjU4yVSCL7YK1lBkiDdVDo2w="; + hash = "sha256-TLiiSRhZaEbHeyrQPk8uvj10VEttRanYEgkBy7DxH4Y="; }; build-system = [ setuptools ]; From 7a4e6649b6583df4d70a99c27c50e06ae5a12f6f Mon Sep 17 00:00:00 2001 From: K900 Date: Sat, 23 May 2026 14:53:37 +0300 Subject: [PATCH 24/97] kdePackages.plasma-workspace: backport patch for Qt 6.11.1 regression (cherry picked from commit 66adfb9dab823f579f9d45ee241731a10fb4e7eb) --- pkgs/kde/plasma/plasma-workspace/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pkgs/kde/plasma/plasma-workspace/default.nix b/pkgs/kde/plasma/plasma-workspace/default.nix index 0a02c8e424cd..195fc3c9183d 100644 --- a/pkgs/kde/plasma/plasma-workspace/default.nix +++ b/pkgs/kde/plasma/plasma-workspace/default.nix @@ -24,6 +24,7 @@ libqalculate, pipewire, gpsd, + fetchpatch, }: mkKdeDerivation { pname = "plasma-workspace"; @@ -41,6 +42,12 @@ mkKdeDerivation { # stop accidentally duplicating fontconfig configs ./fontconfig.patch + + # backport qt 6.11.1 regression workaround + (fetchpatch { + url = "https://invent.kde.org/plasma/plasma-workspace/-/commit/31a64dfa1a71ab1b6a495f2f44132c86858acb8f.diff"; + hash = "sha256-j+AEdDlutDuXmYdK8BJH8bgDF9gieCkbFJK8di+9nxk="; + }) ]; outputs = [ From abe60ca22f7620d763522c84b796e98d1ba5a9e0 Mon Sep 17 00:00:00 2001 From: K900 Date: Sat, 23 May 2026 14:53:51 +0300 Subject: [PATCH 25/97] qt6: 6.11.0 -> 6.11.1 (cherry picked from commit 1b3320b2d9c665aa4689ea2661221a7753afb974) --- pkgs/development/libraries/qt-6/fetch.sh | 2 +- .../libraries/qt-6/modules/qtbase/default.nix | 5 - .../qt-6/modules/qtdeclarative/default.nix | 6 + .../libraries/qt-6/modules/qtmqtt.nix | 4 +- pkgs/development/libraries/qt-6/srcs.nix | 336 +++++++++--------- 5 files changed, 177 insertions(+), 176 deletions(-) diff --git a/pkgs/development/libraries/qt-6/fetch.sh b/pkgs/development/libraries/qt-6/fetch.sh index 73d170689480..bd94b3ae2c48 100644 --- a/pkgs/development/libraries/qt-6/fetch.sh +++ b/pkgs/development/libraries/qt-6/fetch.sh @@ -1 +1 @@ -WGET_ARGS=( https://download.qt.io/official_releases/qt/6.11/6.11.0/submodules/ -A '*.tar.xz' ) +WGET_ARGS=( https://download.qt.io/official_releases/qt/6.11/6.11.1/submodules/ -A '*.tar.xz' ) diff --git a/pkgs/development/libraries/qt-6/modules/qtbase/default.nix b/pkgs/development/libraries/qt-6/modules/qtbase/default.nix index a340abb9ed00..425a17b56234 100644 --- a/pkgs/development/libraries/qt-6/modules/qtbase/default.nix +++ b/pkgs/development/libraries/qt-6/modules/qtbase/default.nix @@ -246,11 +246,6 @@ stdenv.mkDerivation { # don't pass qtbase's QML directory to qmlimportscanner if it's empty ./skip-missing-qml-directory.patch - # backport crash fix - (fetchpatch { - url = "https://github.com/qt/qtbase/commit/1466f88633b2c29a6159a0c2eacd0c0d6601aa5e.diff"; - hash = "sha256-ubDAXF47SYagRAJ5SYyBxXl2PiHjAZo3xlYPDz1jRYM="; - }) # another crash fix (fetchpatch { url = "https://github.com/qt/qtbase/commit/515cbbacfba9f4259c9c3b0714a31222c2b4c879.diff"; diff --git a/pkgs/development/libraries/qt-6/modules/qtdeclarative/default.nix b/pkgs/development/libraries/qt-6/modules/qtdeclarative/default.nix index 786229c5651b..2f19e06a67fa 100644 --- a/pkgs/development/libraries/qt-6/modules/qtdeclarative/default.nix +++ b/pkgs/development/libraries/qt-6/modules/qtdeclarative/default.nix @@ -43,6 +43,12 @@ qtModule { hash = "sha256-ESy35OlmsvI4yFQ/rFT8oelOUBCwCmlcbQJvwcTrCig="; revert = true; }) + + # backport fix recommended by KDE + (fetchpatch { + url = "https://github.com/qt/qtdeclarative/commit/8a2c82be6ad90e3f2a0760d8bab1e3a8cdb2473a.diff"; + hash = "sha256-3KbyoQPAiRyCwGnwwYV3y0yz2i6UAJcX70EPsXV0ZZM="; + }) ]; cmakeFlags = [ diff --git a/pkgs/development/libraries/qt-6/modules/qtmqtt.nix b/pkgs/development/libraries/qt-6/modules/qtmqtt.nix index effea1d03ab4..c70d2cbd1f88 100644 --- a/pkgs/development/libraries/qt-6/modules/qtmqtt.nix +++ b/pkgs/development/libraries/qt-6/modules/qtmqtt.nix @@ -6,13 +6,13 @@ qtModule rec { pname = "qtmqtt"; - version = "6.11.0"; + version = "6.11.1"; src = fetchFromGitHub { owner = "qt"; repo = "qtmqtt"; tag = "v${version}"; - hash = "sha256-7X+HWAftWHn40RPFQD3/f+bp00LQk8Vsb871WfxdZSE="; + hash = "sha256-GWaF4iCPtATL1mJkPHVY0rom8R2FMNWGahE3KWBlfV8="; }; propagatedBuildInputs = [ qtbase ]; diff --git a/pkgs/development/libraries/qt-6/srcs.nix b/pkgs/development/libraries/qt-6/srcs.nix index 73067dc5fd5c..93c206858d18 100644 --- a/pkgs/development/libraries/qt-6/srcs.nix +++ b/pkgs/development/libraries/qt-6/srcs.nix @@ -4,339 +4,339 @@ { qt3d = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qt3d-everywhere-src-6.11.0.tar.xz"; - sha256 = "086xpissihbil51ryl83dlcpkpv3pp3ryj0712x9k9z6756j7ks0"; - name = "qt3d-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qt3d-everywhere-src-6.11.1.tar.xz"; + sha256 = "01q11bs7vjz1s5wdrdjq904dgl2m6l7r8d3vd2kyf7lx0j78qvd6"; + name = "qt3d-everywhere-src-6.11.1.tar.xz"; }; }; qt5compat = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qt5compat-everywhere-src-6.11.0.tar.xz"; - sha256 = "0gn6sj136y8yl1c00nbm81rmhws0mgx35ny7llx74j97ddj58ag6"; - name = "qt5compat-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qt5compat-everywhere-src-6.11.1.tar.xz"; + sha256 = "06qndy534rzabxk9yq07dsl8fj1vd72lmck11r5xbajil3d9zjyg"; + name = "qt5compat-everywhere-src-6.11.1.tar.xz"; }; }; qtactiveqt = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtactiveqt-everywhere-src-6.11.0.tar.xz"; - sha256 = "1kbqa0gx41s097281g4zym9jmjs2ffc75p3rgkbs6bvnlrvl0h89"; - name = "qtactiveqt-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtactiveqt-everywhere-src-6.11.1.tar.xz"; + sha256 = "05hcnhxkajry4ha7ykmqr83p16qjipspwxid8l2rxgz80wy6aadv"; + name = "qtactiveqt-everywhere-src-6.11.1.tar.xz"; }; }; qtbase = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtbase-everywhere-src-6.11.0.tar.xz"; - sha256 = "0pkmrd8ypw1v21cx0890gc6z4v0xr5qip2jnr56r2kc6g5cxh6i3"; - name = "qtbase-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtbase-everywhere-src-6.11.1.tar.xz"; + sha256 = "1b616gr7k8byfr2ns4vczs4kj3sznhlrlw9inpb3m8la48qllnfr"; + name = "qtbase-everywhere-src-6.11.1.tar.xz"; }; }; qtcanvaspainter = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtcanvaspainter-everywhere-src-6.11.0.tar.xz"; - sha256 = "1gmgzmh81wrnj81xsmilqwhc1wv7j2avg91mww8jlrv5rplzynjl"; - name = "qtcanvaspainter-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtcanvaspainter-everywhere-src-6.11.1.tar.xz"; + sha256 = "1l08zp68q3wcr9v5hh82kw6jqvc1wmnrjn7h9959psx520dwcdly"; + name = "qtcanvaspainter-everywhere-src-6.11.1.tar.xz"; }; }; qtcharts = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtcharts-everywhere-src-6.11.0.tar.xz"; - sha256 = "1dcldlw24qd9swynxcdsxnk8haiv442wx323j7qgfwjp13a9nh5c"; - name = "qtcharts-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtcharts-everywhere-src-6.11.1.tar.xz"; + sha256 = "0p2icmrwb6am7x2kgk9pnpa8ypi7jiscyaawgi0x31iaihqyvqrz"; + name = "qtcharts-everywhere-src-6.11.1.tar.xz"; }; }; qtconnectivity = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtconnectivity-everywhere-src-6.11.0.tar.xz"; - sha256 = "0fhrqqz58h3smkksfgnax73bmsiz7q9a1w9vhwd83vs9r0jc3w60"; - name = "qtconnectivity-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtconnectivity-everywhere-src-6.11.1.tar.xz"; + sha256 = "14g5h0wixqy981cnn5f8gkjbji804f18gfjkzbanxd0lljg2h191"; + name = "qtconnectivity-everywhere-src-6.11.1.tar.xz"; }; }; qtdatavis3d = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtdatavis3d-everywhere-src-6.11.0.tar.xz"; - sha256 = "1jr3bkvp4wj1jdafc64ziq4raxbya6jk6s0d4mq0w2kr7zpqrggf"; - name = "qtdatavis3d-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtdatavis3d-everywhere-src-6.11.1.tar.xz"; + sha256 = "1b4kcqfq5q79lm70f08qiksxl36laa9dgx9ladjk2xwl1af7n6hy"; + name = "qtdatavis3d-everywhere-src-6.11.1.tar.xz"; }; }; qtdeclarative = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtdeclarative-everywhere-src-6.11.0.tar.xz"; - sha256 = "1sgxxmg49flana7mylyz4c5mf5hr00kzl8nkwwj87pqx8dlybv2f"; - name = "qtdeclarative-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtdeclarative-everywhere-src-6.11.1.tar.xz"; + sha256 = "193ar0fcfzjjr7mi8i2622vip95qrr3qry949d9lyc5hf3v71rjj"; + name = "qtdeclarative-everywhere-src-6.11.1.tar.xz"; }; }; qtdoc = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtdoc-everywhere-src-6.11.0.tar.xz"; - sha256 = "1wwl2vr1qs2lqmz45iqpkzkxqp97g0yzfmz0kb5wpi8sys7c07bx"; - name = "qtdoc-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtdoc-everywhere-src-6.11.1.tar.xz"; + sha256 = "1hd5z6prx2sbr3wxzkynrn2iyjllvkids505l2xg3p272j4b5306"; + name = "qtdoc-everywhere-src-6.11.1.tar.xz"; }; }; qtgraphs = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtgraphs-everywhere-src-6.11.0.tar.xz"; - sha256 = "0nxifvs5042pzyd5syhgpmxzsq07fhpbbm57ckwzsn55q14cnvyz"; - name = "qtgraphs-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtgraphs-everywhere-src-6.11.1.tar.xz"; + sha256 = "0qh43qxqg4biyrrsd78nmi4dm3dnbswa95cq8db2k3lans517cc4"; + name = "qtgraphs-everywhere-src-6.11.1.tar.xz"; }; }; qtgrpc = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtgrpc-everywhere-src-6.11.0.tar.xz"; - sha256 = "0yd8jjxigaynv386f3cs1i743nm7yngciw346xqfil3chd8wpvcx"; - name = "qtgrpc-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtgrpc-everywhere-src-6.11.1.tar.xz"; + sha256 = "0l52w91hd2crq6zyh5a8arv07yixnwcr2pya74bxpk2hqpq08ys3"; + name = "qtgrpc-everywhere-src-6.11.1.tar.xz"; }; }; qthttpserver = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qthttpserver-everywhere-src-6.11.0.tar.xz"; - sha256 = "16wqglm8ws63qs7i769xy94bygwbhkz7hjfw27hnps7d4yirb41b"; - name = "qthttpserver-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qthttpserver-everywhere-src-6.11.1.tar.xz"; + sha256 = "01p7li9fvwnz2shx3d9wj9nnnnipya2q0whchyvgjqb8yzy71gq4"; + name = "qthttpserver-everywhere-src-6.11.1.tar.xz"; }; }; qtimageformats = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtimageformats-everywhere-src-6.11.0.tar.xz"; - sha256 = "1j0cjj7gxjbprszw349janl3zk38rkby1bmxil329zp2qlmb1bfk"; - name = "qtimageformats-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtimageformats-everywhere-src-6.11.1.tar.xz"; + sha256 = "04y4pa5krrpyiqn039d6m8bzcxj6pa1m850rz3bmw5xc8ml6rgxj"; + name = "qtimageformats-everywhere-src-6.11.1.tar.xz"; }; }; qtlanguageserver = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtlanguageserver-everywhere-src-6.11.0.tar.xz"; - sha256 = "1gq5yjvk6iyg606pgpxkb136qlz9hpb7ngll81nhiyb1ym1y9j0v"; - name = "qtlanguageserver-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtlanguageserver-everywhere-src-6.11.1.tar.xz"; + sha256 = "1vwavpi8swgs88pfjfddnb9cmsb4k1sjcgywp2rsnm6ay8vqa02h"; + name = "qtlanguageserver-everywhere-src-6.11.1.tar.xz"; }; }; qtlocation = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtlocation-everywhere-src-6.11.0.tar.xz"; - sha256 = "1vxb6n8xf98zcg2bw29gsaqa74sg6jn9ilzs8c5b9q79i9m3if49"; - name = "qtlocation-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtlocation-everywhere-src-6.11.1.tar.xz"; + sha256 = "06z4hbiqki5chhmph131s71czyrjpnjvy3rxb4560vwy55vwx49p"; + name = "qtlocation-everywhere-src-6.11.1.tar.xz"; }; }; qtlottie = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtlottie-everywhere-src-6.11.0.tar.xz"; - sha256 = "02ndplkk4bq01b0fh9l2ykw09v0k5nbsayrs9wcjwrdwg5law8rg"; - name = "qtlottie-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtlottie-everywhere-src-6.11.1.tar.xz"; + sha256 = "0y969gp64imwh49d5zbnw0wi2yva9fsp6qn58617rs9kvkdzml70"; + name = "qtlottie-everywhere-src-6.11.1.tar.xz"; }; }; qtmultimedia = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtmultimedia-everywhere-src-6.11.0.tar.xz"; - sha256 = "0h30l8zflkla7rcshgs0jfjbjwvq9rqx0wq83f6vd0x9lz0cmi4h"; - name = "qtmultimedia-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtmultimedia-everywhere-src-6.11.1.tar.xz"; + sha256 = "02lvq1jk6m67m6z0w7vdzxhzmi441j8avvp79mfclfpfvm98w3rr"; + name = "qtmultimedia-everywhere-src-6.11.1.tar.xz"; }; }; qtnetworkauth = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtnetworkauth-everywhere-src-6.11.0.tar.xz"; - sha256 = "1mqly8had79f54dlygh42jr0c0jfiv4j4w2rbr0s7qx9nk9ig342"; - name = "qtnetworkauth-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtnetworkauth-everywhere-src-6.11.1.tar.xz"; + sha256 = "0gan2qjv97d1387jqaiis2gigm6lz5jbk1k10x13w0yc5kr5n7cz"; + name = "qtnetworkauth-everywhere-src-6.11.1.tar.xz"; }; }; qtopenapi = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtopenapi-everywhere-src-6.11.0.tar.xz"; - sha256 = "1h2pcq6i72yic0r7ns36vj678d1xqy291jamqd6b6jkjddmj1hlg"; - name = "qtopenapi-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtopenapi-everywhere-src-6.11.1.tar.xz"; + sha256 = "0nzl95w5pbfd6mfb6rzv6arz09pcm6siz1n07pgm9rrdr6z083a4"; + name = "qtopenapi-everywhere-src-6.11.1.tar.xz"; }; }; qtpositioning = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtpositioning-everywhere-src-6.11.0.tar.xz"; - sha256 = "1scnnz65qyfg0nl9vjkqcss8xsw3yf91w71d9p1kwlfybscd07yn"; - name = "qtpositioning-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtpositioning-everywhere-src-6.11.1.tar.xz"; + sha256 = "1xbq1xjjbhb41lfp9mli8a5rgqf5pniswv0161v6wa5f04cbkrnm"; + name = "qtpositioning-everywhere-src-6.11.1.tar.xz"; }; }; qtquick3d = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquick3d-everywhere-src-6.11.0.tar.xz"; - sha256 = "1549gdb3yxj1bpl54kgnkkhzjx0zxqi71ssp4rj6qnz56fxh085l"; - name = "qtquick3d-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquick3d-everywhere-src-6.11.1.tar.xz"; + sha256 = "0vs5bcz62r32gin0g4lb6wdmqrv0ypzar1s9wsza98la7zg8asy7"; + name = "qtquick3d-everywhere-src-6.11.1.tar.xz"; }; }; qtquick3dphysics = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquick3dphysics-everywhere-src-6.11.0.tar.xz"; - sha256 = "0dcx9913xss435cijx5bzckvsn66qfi6c39rx0gyv9iiys76qym5"; - name = "qtquick3dphysics-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquick3dphysics-everywhere-src-6.11.1.tar.xz"; + sha256 = "1bvrmjb6m0ynq00ybdghvkbmwm237vff23ng8n4njysf05pns26i"; + name = "qtquick3dphysics-everywhere-src-6.11.1.tar.xz"; }; }; qtquickeffectmaker = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquickeffectmaker-everywhere-src-6.11.0.tar.xz"; - sha256 = "05fpv497rmx2lw7gx05sxyxjwx8gq8fbbnkzhnw73pk2xqzq20mc"; - name = "qtquickeffectmaker-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquickeffectmaker-everywhere-src-6.11.1.tar.xz"; + sha256 = "0sqk8hkkdibv0ayxrvpcbgj3dcwfngpd6qjp2xm15pcbx1q3xrng"; + name = "qtquickeffectmaker-everywhere-src-6.11.1.tar.xz"; }; }; qtquicktimeline = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquicktimeline-everywhere-src-6.11.0.tar.xz"; - sha256 = "1micycw7m25gw0bgbfq7bnr7cg7qrjj2r69320rglc8lak6f3nq6"; - name = "qtquicktimeline-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquicktimeline-everywhere-src-6.11.1.tar.xz"; + sha256 = "09wcx83yxif8r4v81h2jfj3wlj60wnc9k4dsp7hlah4yzm1zclxg"; + name = "qtquicktimeline-everywhere-src-6.11.1.tar.xz"; }; }; qtremoteobjects = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtremoteobjects-everywhere-src-6.11.0.tar.xz"; - sha256 = "15yykbaxqc6v2flgjvn92w7gwfvi820dg4cxkjxcfhpix2m21571"; - name = "qtremoteobjects-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtremoteobjects-everywhere-src-6.11.1.tar.xz"; + sha256 = "06hiiyjpcgn8dp9jmgxj30nlrw73rqb869f0m63scccmqsarhqj0"; + name = "qtremoteobjects-everywhere-src-6.11.1.tar.xz"; }; }; qtscxml = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtscxml-everywhere-src-6.11.0.tar.xz"; - sha256 = "1rylchpvzldy7hhr3icr85w8m4hf7wch17yqh368yrn3q19klf3c"; - name = "qtscxml-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtscxml-everywhere-src-6.11.1.tar.xz"; + sha256 = "0gr0j09isxgii3aivfvr35x40d9n0kj0g2icc7g7bzniwm2m4jcf"; + name = "qtscxml-everywhere-src-6.11.1.tar.xz"; }; }; qtsensors = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtsensors-everywhere-src-6.11.0.tar.xz"; - sha256 = "1iy33w7gjp06xi4342si979q9w84cvbbk90kxmk2gx69icjjja21"; - name = "qtsensors-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtsensors-everywhere-src-6.11.1.tar.xz"; + sha256 = "13ygry3lybkgci6gkrd7k081l01icavzkiyy4g82drbvv9i70q93"; + name = "qtsensors-everywhere-src-6.11.1.tar.xz"; }; }; qtserialbus = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtserialbus-everywhere-src-6.11.0.tar.xz"; - sha256 = "1qfs9zqvz3hf16w8gg6nlwxcv6sz72546pds02dabhkcw47nqvmh"; - name = "qtserialbus-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtserialbus-everywhere-src-6.11.1.tar.xz"; + sha256 = "02pj4jnxc4afl5ymv7w8asggpg0hdj3dbnwwcqd305b8il69qv64"; + name = "qtserialbus-everywhere-src-6.11.1.tar.xz"; }; }; qtserialport = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtserialport-everywhere-src-6.11.0.tar.xz"; - sha256 = "111pmva70mcffhq09q2h1gcr03fivs9j2ywx4ib00pbyxfvr4ii6"; - name = "qtserialport-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtserialport-everywhere-src-6.11.1.tar.xz"; + sha256 = "0x1r5l3kx7riprf0b2api0bcg0z755fq9vbgmx7px6pxiy4imwws"; + name = "qtserialport-everywhere-src-6.11.1.tar.xz"; }; }; qtshadertools = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtshadertools-everywhere-src-6.11.0.tar.xz"; - sha256 = "0jp1sb9pl7y821awln7rpk0hz7d5ipwnkqhy51caich9i2pb2g74"; - name = "qtshadertools-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtshadertools-everywhere-src-6.11.1.tar.xz"; + sha256 = "1z42r414jid12jmhm1yf5kw44j886w01igav0kggkg13kcphax90"; + name = "qtshadertools-everywhere-src-6.11.1.tar.xz"; }; }; qtspeech = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtspeech-everywhere-src-6.11.0.tar.xz"; - sha256 = "08fv8v6rvcv0pa6r52kr2na2rcpjr3yk556ksinnh6aslv8qbid9"; - name = "qtspeech-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtspeech-everywhere-src-6.11.1.tar.xz"; + sha256 = "051z4yf22hkqhy3pkgxq8s77x06k4cd70i9jcmd8f99004cc6df0"; + name = "qtspeech-everywhere-src-6.11.1.tar.xz"; }; }; qtsvg = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtsvg-everywhere-src-6.11.0.tar.xz"; - sha256 = "1rih59jsn0wq12gq5gbs1cz9by27x2x4wjpd0ya7s207pr9xda6z"; - name = "qtsvg-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtsvg-everywhere-src-6.11.1.tar.xz"; + sha256 = "154adaicyy5wyz6yc95g3lm4iw9v2zdsd7l5qp107gr490pz0g3z"; + name = "qtsvg-everywhere-src-6.11.1.tar.xz"; }; }; qttasktree = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qttasktree-everywhere-src-6.11.0.tar.xz"; - sha256 = "0kxkm3qvzw5i5x2ads6skpz8z6shbn2msznmr614yvsdgiga4yjr"; - name = "qttasktree-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qttasktree-everywhere-src-6.11.1.tar.xz"; + sha256 = "1mjdwy3i24ggn2g82z5pg3grzhnaxmq7nmvdc7ba8dsdixzvjam2"; + name = "qttasktree-everywhere-src-6.11.1.tar.xz"; }; }; qttools = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qttools-everywhere-src-6.11.0.tar.xz"; - sha256 = "0xpwv483zrw3jkajhv9sbr7bm95qahxg770vn1jqk10hg8yrkcfg"; - name = "qttools-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qttools-everywhere-src-6.11.1.tar.xz"; + sha256 = "03gmr9zpf0raqcvqk2cpw9lblw907hsl5cb5c2fgm4wwcxd86qcf"; + name = "qttools-everywhere-src-6.11.1.tar.xz"; }; }; qttranslations = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qttranslations-everywhere-src-6.11.0.tar.xz"; - sha256 = "0mpy3y76n1jw2prhad9rqyn48miqlmqg3581jgzr4s1iwhpqpx2l"; - name = "qttranslations-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qttranslations-everywhere-src-6.11.1.tar.xz"; + sha256 = "0xsnxhiqc3ybwvyn1jbhdf1sjmcf7v4mma6w9sxwg535420jrh1p"; + name = "qttranslations-everywhere-src-6.11.1.tar.xz"; }; }; qtvirtualkeyboard = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtvirtualkeyboard-everywhere-src-6.11.0.tar.xz"; - sha256 = "11p6m1s7r7q2y6a2ak5lyzfd2907s2skfa630snf64x32cblp2nq"; - name = "qtvirtualkeyboard-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtvirtualkeyboard-everywhere-src-6.11.1.tar.xz"; + sha256 = "073y02qmpwxxdqc4pkm6k9frghsjg1zppg2hip5b4hv269xrdim1"; + name = "qtvirtualkeyboard-everywhere-src-6.11.1.tar.xz"; }; }; qtwayland = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwayland-everywhere-src-6.11.0.tar.xz"; - sha256 = "0dsdv1d4p1wf0sqd26cmj486bvwlprmqzmjddsw24agrc3kyc477"; - name = "qtwayland-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwayland-everywhere-src-6.11.1.tar.xz"; + sha256 = "1cyr5frhglp2krxvpnqk9q426rgp6nr34ngnxpa42m7p0ajqly4m"; + name = "qtwayland-everywhere-src-6.11.1.tar.xz"; }; }; qtwebchannel = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebchannel-everywhere-src-6.11.0.tar.xz"; - sha256 = "097vm6pxh18bil9ld9cxg50v861nyhaha4f6bjfjqph1icx18ip9"; - name = "qtwebchannel-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebchannel-everywhere-src-6.11.1.tar.xz"; + sha256 = "10ld2nh6gd1v2ssbgqlf6w0lsjlqkjdfwqv85mn5krnnf45vbyv9"; + name = "qtwebchannel-everywhere-src-6.11.1.tar.xz"; }; }; qtwebengine = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebengine-everywhere-src-6.11.0.tar.xz"; - sha256 = "0dk72k92zp19jkph1vl88l2dyrh105v6cycsxln1anfxnb423fb3"; - name = "qtwebengine-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebengine-everywhere-src-6.11.1.tar.xz"; + sha256 = "10vhcvw8j60n0mf38bi3fjcx5v1i0cbfyn4wbqhzqn61qv66d737"; + name = "qtwebengine-everywhere-src-6.11.1.tar.xz"; }; }; qtwebsockets = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebsockets-everywhere-src-6.11.0.tar.xz"; - sha256 = "0cnh67ncfh0gvpqfiqhr0cpmswq9zysza130axlmh69mzg8i17sn"; - name = "qtwebsockets-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebsockets-everywhere-src-6.11.1.tar.xz"; + sha256 = "1gvgci383dfm4sljqlapdiva7jhks1i2z2ayck0wbj1436hklgi4"; + name = "qtwebsockets-everywhere-src-6.11.1.tar.xz"; }; }; qtwebview = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebview-everywhere-src-6.11.0.tar.xz"; - sha256 = "1cy4x331h0f4d5l8c18xrvdq6hwz7r16qd1xhr8gdm8j9bcsw3nb"; - name = "qtwebview-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebview-everywhere-src-6.11.1.tar.xz"; + sha256 = "0g8k4xs7b0s474x00ds4i8q9b164icdgrdg8ngln10nmf3pwhqld"; + name = "qtwebview-everywhere-src-6.11.1.tar.xz"; }; }; } From e0c442323becde6dc2d34c92f932bb1dd0470856 Mon Sep 17 00:00:00 2001 From: zowoq <59103226+zowoq@users.noreply.github.com> Date: Sat, 9 May 2026 12:06:55 +1000 Subject: [PATCH 26/97] glibc: 2.42-61 -> 2.42-67 (cherry picked from commit 4a8e8392a42c9668f1ba0af081b4f6195f2341cb) --- .../libraries/glibc/2.42-master.patch | 759 ++++++++++++++++++ pkgs/development/libraries/glibc/common.nix | 6 +- 2 files changed, 762 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/glibc/2.42-master.patch b/pkgs/development/libraries/glibc/2.42-master.patch index 47ed7dd1183b..a7bdf93961db 100644 --- a/pkgs/development/libraries/glibc/2.42-master.patch +++ b/pkgs/development/libraries/glibc/2.42-master.patch @@ -7154,3 +7154,762 @@ index 00181cfefb..e83ea2b939 100644 TEST_VERIFY (ret != 0); TEST_COMPARE (errno, EBUSY); } + +commit f13c1bb0f97fbc12a6ba1ab5669ce561ea32b80a +Author: Florian Weimer +Date: Thu Apr 16 19:13:43 2026 +0200 + + Use pending character state in IBM1390, IBM1399 character sets (CVE-2026-4046) + + Follow the example in iso-2022-jp-3.c and use the __count state + variable to store the pending character. This avoids restarting + the conversion if the output buffer ends between two 4-byte UCS-4 + code points, so that the assert reported in the bug can no longer + happen. + + Even though the fix is applied to ibm1364.c, the change is only + effective for the two HAS_COMBINED codecs for IBM1390, IBM1399. + + The test case was mostly auto-generated using + claude-4.6-opus-high-thinking, and composer-2-fast shows up in the + log as well. During review, gpt-5.4-xhigh flagged that the original + version of the test case was not exercising the new character + flush logic. + + This fixes bug 33980. + + Assisted-by: LLM + Reviewed-by: Carlos O'Donell + (cherry picked from commit d6f08d1cf027f4eb2ba289a6cc66853722d4badc) + +diff --git a/iconvdata/Makefile b/iconvdata/Makefile +index 5a2abeea24..cc689f63e9 100644 +--- a/iconvdata/Makefile ++++ b/iconvdata/Makefile +@@ -76,7 +76,7 @@ tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \ + tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \ + bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \ + bug-iconv13 bug-iconv14 bug-iconv15 \ +- tst-iconv-iso-2022-cn-ext ++ tst-iconv-iso-2022-cn-ext tst-bug33980 + ifeq ($(have-thread-library),yes) + tests += bug-iconv3 + endif +@@ -333,6 +333,8 @@ $(objpfx)bug-iconv15.out: $(addprefix $(objpfx), $(gconv-modules)) \ + $(addprefix $(objpfx),$(modules.so)) + $(objpfx)tst-iconv-iso-2022-cn-ext.out: $(addprefix $(objpfx), $(gconv-modules)) \ + $(addprefix $(objpfx),$(modules.so)) ++$(objpfx)tst-bug33980.out: $(addprefix $(objpfx), $(gconv-modules)) \ ++ $(addprefix $(objpfx),$(modules.so)) + + $(objpfx)iconv-test.out: run-iconv-test.sh \ + $(addprefix $(objpfx), $(gconv-modules)) \ +diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c +index 45c62acee5..244c61ad7a 100644 +--- a/iconvdata/ibm1364.c ++++ b/iconvdata/ibm1364.c +@@ -67,12 +67,29 @@ + + /* Since this is a stateful encoding we have to provide code which resets + the output state to the initial state. This has to be done during the +- flushing. */ ++ flushing. For the to-internal direction (FROM_DIRECTION is true), ++ there may be a pending character that needs flushing. */ + #define EMIT_SHIFT_TO_INIT \ + if ((data->__statep->__count & ~7) != sb) \ + { \ + if (FROM_DIRECTION) \ +- data->__statep->__count &= 7; \ ++ { \ ++ uint32_t ch = data->__statep->__count >> 7; \ ++ if (__glibc_unlikely (ch != 0)) \ ++ { \ ++ if (__glibc_unlikely (outend - outbuf < 4)) \ ++ status = __GCONV_FULL_OUTPUT; \ ++ else \ ++ { \ ++ put32 (outbuf, ch); \ ++ outbuf += 4; \ ++ /* Clear character and db bit. */ \ ++ data->__statep->__count &= 7; \ ++ } \ ++ } \ ++ else \ ++ data->__statep->__count &= 7; \ ++ } \ + else \ + { \ + /* We are not in the initial state. To switch back we have \ +@@ -99,11 +116,13 @@ + *curcsp = save_curcs + + +-/* Current codeset type. */ ++/* Current codeset type. The bit is stored in the __count variable of ++ the conversion state. If the db bit is set, bit 7 and above store ++ a pending UCS-4 code point if non-zero. */ + enum + { +- sb = 0, +- db = 64 ++ sb = 0, /* Single byte mode. */ ++ db = 64 /* Double byte mode. */ + }; + + +@@ -119,21 +138,29 @@ enum + } \ + else \ + { \ +- /* This is a combined character. Make sure we have room. */ \ +- if (__glibc_unlikely (outptr + 8 > outend)) \ +- { \ +- result = __GCONV_FULL_OUTPUT; \ +- break; \ +- } \ +- \ + const struct divide *cmbp \ + = &DB_TO_UCS4_COMB[ch - __TO_UCS4_COMBINED_MIN]; \ + assert (cmbp->res1 != 0 && cmbp->res2 != 0); \ + \ + put32 (outptr, cmbp->res1); \ + outptr += 4; \ +- put32 (outptr, cmbp->res2); \ +- outptr += 4; \ ++ \ ++ /* See whether we have room for the second character. */ \ ++ if (outend - outptr >= 4) \ ++ { \ ++ put32 (outptr, cmbp->res2); \ ++ outptr += 4; \ ++ } \ ++ else \ ++ { \ ++ /* Otherwise store only the first character now, and \ ++ put the second one into the queue. */ \ ++ curcs |= cmbp->res2 << 7; \ ++ inptr += 2; \ ++ /* Tell the caller why we terminate the loop. */ \ ++ result = __GCONV_FULL_OUTPUT; \ ++ break; \ ++ } \ + } \ + } + #else +@@ -153,7 +180,20 @@ enum + #define LOOPFCT FROM_LOOP + #define BODY \ + { \ +- uint32_t ch = *inptr; \ ++ uint32_t ch; \ ++ \ ++ ch = curcs >> 7; \ ++ if (__glibc_unlikely (ch != 0)) \ ++ { \ ++ put32 (outptr, ch); \ ++ outptr += 4; \ ++ /* Remove the pending character, but preserve state bits. */ \ ++ curcs &= (1 << 7) - 1; \ ++ continue; \ ++ } \ ++ \ ++ /* Otherwise read the next input byte. */ \ ++ ch = *inptr; \ + \ + if (__builtin_expect (ch, 0) == SO) \ + { \ +diff --git a/iconvdata/tst-bug33980.c b/iconvdata/tst-bug33980.c +new file mode 100644 +index 0000000000..c9693e0efe +--- /dev/null ++++ b/iconvdata/tst-bug33980.c +@@ -0,0 +1,153 @@ ++/* Test for bug 33980: combining characters in IBM1390/IBM1399. ++ Copyright (C) 2026 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++/* Run iconv in a loop with a small output buffer of OUTBUFSIZE bytes ++ starting at OUTBUF. OUTBUF should be right before an unmapped page ++ so that writing past the end will fault. Skip SHIFT bytes at the ++ start of the input and output, to exercise different buffer ++ alignment. TRUNCATE indicates skipped bytes at the end of ++ input (0 and 1 a valid). */ ++static void ++test_one (const char *encoding, unsigned int shift, unsigned int truncate, ++ char *outbuf, size_t outbufsize) ++{ ++ /* In IBM1390 and IBM1399, the DBCS code 0xECB5 expands to two ++ Unicode code points when translated. */ ++ static char input[] = ++ { ++ /* 8 letters X. */ ++ 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, ++ /* SO, 0xECB5, SI: shift to DBCS, special character, shift back. */ ++ 0x0e, 0xec, 0xb5, 0x0f ++ }; ++ ++ /* Expected output after UTF-8 conversion. */ ++ static char expected[] = ++ { ++ 'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X', ++ /* U+304B (HIRAGANA LETTER KA). */ ++ 0xe3, 0x81, 0x8b, ++ /* U+309A (COMBINING KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK). */ ++ 0xe3, 0x82, 0x9a ++ }; ++ ++ iconv_t cd = iconv_open ("UTF-8", encoding); ++ TEST_VERIFY_EXIT (cd != (iconv_t) -1); ++ ++ char result_storage[64]; ++ struct alloc_buffer result_buf ++ = alloc_buffer_create (result_storage, sizeof (result_storage)); ++ ++ char *inptr = &input[shift]; ++ size_t inleft = sizeof (input) - shift - truncate; ++ ++ while (inleft > 0) ++ { ++ char *outptr = outbuf; ++ size_t outleft = outbufsize; ++ size_t inleft_before = inleft; ++ ++ size_t ret = iconv (cd, &inptr, &inleft, &outptr, &outleft); ++ size_t produced = outptr - outbuf; ++ alloc_buffer_copy_bytes (&result_buf, outbuf, produced); ++ ++ if (ret == (size_t) -1 && errno == E2BIG) ++ { ++ if (produced == 0 && inleft == inleft_before) ++ { ++ /* Output buffer too small to make progress. This is ++ expected for very small output buffer sizes. */ ++ TEST_VERIFY_EXIT (outbufsize < 3); ++ break; ++ } ++ continue; ++ } ++ if (ret == (size_t) -1) ++ FAIL_EXIT1 ("%s (outbufsize %zu): iconv: %m", encoding, outbufsize); ++ break; ++ } ++ ++ /* Flush any pending state (e.g. a buffered combined character). ++ With outbufsize < 3, we could not store the first character, so ++ the second character did not become pending, and there is nothing ++ to flush. */ ++ { ++ char *outptr = outbuf; ++ size_t outleft = outbufsize; ++ ++ size_t ret = iconv (cd, NULL, NULL, &outptr, &outleft); ++ TEST_VERIFY_EXIT (ret == 0); ++ size_t produced = outptr - outbuf; ++ alloc_buffer_copy_bytes (&result_buf, outbuf, produced); ++ ++ /* Second flush does not provide more data. */ ++ outptr = outbuf; ++ outleft = outbufsize; ++ ret = iconv (cd, NULL, NULL, &outptr, &outleft); ++ TEST_VERIFY_EXIT (ret == 0); ++ TEST_VERIFY (outptr == outbuf); ++ } ++ ++ TEST_VERIFY_EXIT (!alloc_buffer_has_failed (&result_buf)); ++ size_t result_used ++ = sizeof (result_storage) - alloc_buffer_size (&result_buf); ++ ++ if (outbufsize >= 3) ++ { ++ TEST_COMPARE (inleft, 0); ++ TEST_COMPARE (result_used, sizeof (expected) - shift); ++ TEST_COMPARE_BLOB (result_storage, result_used, ++ &expected[shift], sizeof (expected) - shift); ++ } ++ else ++ /* If the buffer is too small, only the leading X could be converted. */ ++ TEST_COMPARE (result_used, 8 - shift); ++ ++ TEST_VERIFY_EXIT (iconv_close (cd) == 0); ++} ++ ++static int ++do_test (void) ++{ ++ struct support_next_to_fault ntf ++ = support_next_to_fault_allocate (8); ++ ++ for (int shift = 0; shift <= 8; ++shift) ++ for (int truncate = 0; truncate < 2; ++truncate) ++ for (size_t outbufsize = 1; outbufsize <= 8; outbufsize++) ++ { ++ char *outbuf = ntf.buffer + ntf.length - outbufsize; ++ test_one ("IBM1390", shift, truncate, outbuf, outbufsize); ++ test_one ("IBM1399", shift, truncate, outbuf, outbufsize); ++ } ++ ++ support_next_to_fault_free (&ntf); ++ return 0; ++} ++ ++#include + +commit 12feedaf67e11c4618dc50c6aab4dbfd1e6d9531 +Author: DJ Delorie +Date: Mon Jan 26 22:24:42 2026 -0500 + + include: isolate __O_CLOEXEC flag for sys/mount.h and fcntl.h + + Including sys/mount.h should not implicitly include fcntl.h + as that causes namespace pollution and conflicts with kernel + headers. It only needs O_CLOEXEC for OPEN_TREE_CLOEXEC + (although it shouldn't need that, but it's defined that way) + so we provide that define (via a private version) separately. + + Reviewed-by: Adhemerval Zanella + Tested-by: Florian Weimer + (cherry picked from commit 419245719ccbc7dad6a97f24465e7f09c090327a) + +diff --git a/io/fcntl.c b/io/fcntl.c +index e88e28664c..b7dab1bb39 100644 +--- a/io/fcntl.c ++++ b/io/fcntl.c +@@ -18,6 +18,10 @@ + #include + #include + ++#ifndef __O_CLOEXEC ++# error __O_CLOEXEC not defined by fcntl.h/cloexec.h ++#endif ++ + /* Perform file control operations on FD. */ + int + __fcntl (int fd, int cmd, ...) +diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile +index c47cbdf428..053041f256 100644 +--- a/sysdeps/unix/sysv/linux/Makefile ++++ b/sysdeps/unix/sysv/linux/Makefile +@@ -129,6 +129,7 @@ CFLAGS-test-errno-linux.c += $(no-fortify-source) + + sysdep_headers += \ + bits/a.out.h \ ++ bits/cloexec.h \ + bits/epoll.h \ + bits/eventfd.h \ + bits/inotify.h \ +diff --git a/sysdeps/unix/sysv/linux/alpha/bits/cloexec.h b/sysdeps/unix/sysv/linux/alpha/bits/cloexec.h +new file mode 100644 +index 0000000000..f381f28a53 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/alpha/bits/cloexec.h +@@ -0,0 +1 @@ ++#define __O_CLOEXEC 010000000 +diff --git a/sysdeps/unix/sysv/linux/bits/cloexec.h b/sysdeps/unix/sysv/linux/bits/cloexec.h +new file mode 100644 +index 0000000000..3059fb6473 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/bits/cloexec.h +@@ -0,0 +1 @@ ++#define __O_CLOEXEC 02000000 +diff --git a/sysdeps/unix/sysv/linux/bits/fcntl-linux.h b/sysdeps/unix/sysv/linux/bits/fcntl-linux.h +index f425a4bf22..98954feaca 100644 +--- a/sysdeps/unix/sysv/linux/bits/fcntl-linux.h ++++ b/sysdeps/unix/sysv/linux/bits/fcntl-linux.h +@@ -81,9 +81,7 @@ + #ifndef __O_NOFOLLOW + # define __O_NOFOLLOW 0400000 + #endif +-#ifndef __O_CLOEXEC +-# define __O_CLOEXEC 02000000 +-#endif ++#include + #ifndef __O_DIRECT + # define __O_DIRECT 040000 + #endif +diff --git a/sysdeps/unix/sysv/linux/hppa/bits/cloexec.h b/sysdeps/unix/sysv/linux/hppa/bits/cloexec.h +new file mode 100644 +index 0000000000..f381f28a53 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/hppa/bits/cloexec.h +@@ -0,0 +1 @@ ++#define __O_CLOEXEC 010000000 +diff --git a/sysdeps/unix/sysv/linux/sparc/bits/cloexec.h b/sysdeps/unix/sysv/linux/sparc/bits/cloexec.h +new file mode 100644 +index 0000000000..6706eaa7d5 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/sparc/bits/cloexec.h +@@ -0,0 +1 @@ ++#define __O_CLOEXEC 0x400000 +diff --git a/sysdeps/unix/sysv/linux/sys/mount.h b/sysdeps/unix/sysv/linux/sys/mount.h +index b549e75148..365da1c296 100644 +--- a/sysdeps/unix/sysv/linux/sys/mount.h ++++ b/sysdeps/unix/sysv/linux/sys/mount.h +@@ -21,7 +21,6 @@ + #ifndef _SYS_MOUNT_H + #define _SYS_MOUNT_H 1 + +-#include + #include + #include + #include +@@ -266,6 +265,11 @@ enum fsconfig_command + + /* open_tree flags. */ + #define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */ ++#ifndef O_CLOEXEC ++# include ++# define O_CLOEXEC __O_CLOEXEC ++#endif ++#undef OPEN_TREE_CLOEXEC + #define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */ + + +diff --git a/sysdeps/unix/sysv/linux/tst-mount.c b/sysdeps/unix/sysv/linux/tst-mount.c +index 40913c7082..78a2772b2f 100644 +--- a/sysdeps/unix/sysv/linux/tst-mount.c ++++ b/sysdeps/unix/sysv/linux/tst-mount.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include /* For AT_ constants. */ + #include + + _Static_assert (sizeof (struct mount_attr) == MOUNT_ATTR_SIZE_VER0, + +commit 3ecfa68561d723564a1fb565366182eb4acb3e8f +Author: Florian Weimer +Date: Wed Mar 4 18:32:36 2026 +0100 + + Linux: Only define OPEN_TREE_* macros in if undefined (bug 33921) + + There is a conditional inclusion of earlier in the file. + If that defines the macros, do not redefine them. This addresses build + problems as the token sequence used by the UAPI macro definitions + changes between Linux versions. + + Reviewed-by: Adhemerval Zanella + (cherry picked from commit d12b017cddfeb9fe9920ba054ae3dfcb8e9238b8) + +diff --git a/sysdeps/unix/sysv/linux/sys/mount.h b/sysdeps/unix/sysv/linux/sys/mount.h +index 365da1c296..30ba56c1e8 100644 +--- a/sysdeps/unix/sysv/linux/sys/mount.h ++++ b/sysdeps/unix/sysv/linux/sys/mount.h +@@ -264,14 +264,16 @@ enum fsconfig_command + #define FSOPEN_CLOEXEC 0x00000001 + + /* open_tree flags. */ +-#define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */ ++#ifndef OPEN_TREE_CLONE ++# define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */ ++#endif + #ifndef O_CLOEXEC + # include + # define O_CLOEXEC __O_CLOEXEC + #endif +-#undef OPEN_TREE_CLOEXEC +-#define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */ +- ++#ifndef OPEN_TREE_CLOEXEC ++# define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */ ++#endif + + __BEGIN_DECLS + + +commit 3e87cf9be93acf19d685e8003fc649cdb052a891 +Author: H.J. Lu +Date: Mon Apr 13 10:46:42 2026 +0800 + + abilist.awk: Handle weak unversioned defined symbols + + After + + commit f685e3953f9a38a41bbd0a597f9882870cee13d5 + Author: H.J. Lu + Date: Wed Oct 29 09:49:57 2025 +0800 + + elf: Don't set its DT_VERSYM entry for unversioned symbol + + ld no longer assigns version index 1 to unversioned defined symbol. + For libmachuser.so, "objdump --dynamic-syms" reports: + + 0000dd30 w DF .text 000000f8 processor_start + + instead of + + 0000dd30 w DF .text 000000f8 (Base) processor_start + + Also allow NF == 6 for weak unversioned dynamic symbols. This fixes BZ + 33650. + + Signed-off-by: H.J. Lu + Reviewed-by: Sam James + (cherry picked from commit ee5d1db2a81468413fbf7c82779ffa782f429d1a) + +diff --git a/scripts/abilist.awk b/scripts/abilist.awk +index 6cc7af6ac8..7ea1edf8c0 100644 +--- a/scripts/abilist.awk ++++ b/scripts/abilist.awk +@@ -38,7 +38,7 @@ $4 == "*UND*" { next } + $2 == "l" { next } + + # If the target uses ST_OTHER, it will be output before the symbol name. +-$2 == "g" || $2 == "w" && (NF == 7 || NF == 8) { ++$2 == "g" || $2 == "w" && (NF == 6 || NF == 7 || NF == 8) { + type = $3; + size = $5; + sub(/^0*/, "", size); + +commit b4bca35ab9e76890504c4dbdd5eaf15a93514580 +Author: Rocket Ma +Date: Fri May 1 20:39:07 2026 -0700 + + libio: Fix ungetwc operating on byte stream [BZ #33998] + + * libio/wgenops.c: When _IO_wdefault_pbackfail attempts to push back one + character, it accidently compare the wchar to push back with the last + char from byte stream, instead of wide stream. Under specific coding, + attacker may exploit this to leak information. This commit fix bug + 33998, or CVE-2026-5928. + + Signed-off-by: Rocket Ma + Reviewed-by: Carlos O'Donell + (cherry picked from commit ef3bfb5f910011f3780cb06aa47e730035f53285) + +diff --git a/libio/Makefile b/libio/Makefile +index f020f8ec4d..fa2b8ae791 100644 +--- a/libio/Makefile ++++ b/libio/Makefile +@@ -83,6 +83,7 @@ tests = \ + bug-ungetwc1 \ + bug-ungetwc2 \ + bug-wfflush \ ++ bug-wgenops-bz33998 \ + bug-wmemstream1 \ + bug-wsetpos \ + test-fmemopen \ +diff --git a/libio/bug-wgenops-bz33998.c b/libio/bug-wgenops-bz33998.c +new file mode 100644 +index 0000000000..cc4067da99 +--- /dev/null ++++ b/libio/bug-wgenops-bz33998.c +@@ -0,0 +1,54 @@ ++/* Regression test for ungetwc operating on byte stream (BZ #33998) ++ Copyright (C) 2026 The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include "support/temp_file.h" ++#include "support/xstdio.h" ++#include "support/xunistd.h" ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static int ++do_test (void) ++{ ++ char *filename; ++ int fd = create_temp_file ("tst-bz33998-", &filename); ++ TEST_VERIFY (fd != -1); ++ xwrite (fd, "A", sizeof ("A")); // write "A\0" by design ++ xclose (fd); ++ ++ FILE *fp = xfopen (filename, "r+"); ++ TEST_COMPARE (getwc (fp), L'A'); ++ /* If the bug is fixed, then ungetwc should not touch byte stream. ++ If the bug is not fixed, ungetwc firstly match last read char, L'A', ++ failed, then the pbackfail branch, matching last read char in byte ++ stream, that is, '\0' (initialized when setup wide stream). */ ++ char *old_read_ptr = fp->_IO_read_ptr; ++ TEST_COMPARE (ungetwc (L'\0', fp), L'\0'); ++ TEST_VERIFY (fp->_IO_read_ptr == old_read_ptr); ++ ++ xfclose (fp); ++ free (filename); ++ ++ return 0; ++} ++ ++#include +diff --git a/libio/wgenops.c b/libio/wgenops.c +index 0a11d1b1de..9e0b2c00ea 100644 +--- a/libio/wgenops.c ++++ b/libio/wgenops.c +@@ -108,8 +108,8 @@ _IO_wdefault_pbackfail (FILE *fp, wint_t c) + { + if (fp->_wide_data->_IO_read_ptr > fp->_wide_data->_IO_read_base + && !_IO_in_backup (fp) +- && (wint_t) fp->_IO_read_ptr[-1] == c) +- --fp->_IO_read_ptr; ++ && (wint_t) fp->_wide_data->_IO_read_ptr[-1] == c) ++ --fp->_wide_data->_IO_read_ptr; + else + { + /* Need to handle a filebuf in write mode (switch to read mode). FIXME!*/ + +commit 4ebd33dd77eabe8d4c45232bed4b42a31d2f9edc +Author: Rocket Ma +Date: Fri Apr 17 23:48:41 2026 -0700 + + stdio-common: Fix buffer overflow in scanf %mc [BZ #34008] + + * stdio-common/vfscanf-internal.c: When enlarging allocated buffer with + format %mc or %mC, glibc allocates one byte less, leading to + user-controlled one byte overflow. This commit fixes BZ #34008, or + CVE-2026-5450. + + Reviewed-by: Carlos O'Donell + Signed-off-by: Rocket Ma + Reviewed-by: H.J. Lu + (cherry picked from commit 839898777226a3ed88c0859f25ffe712519b4ead) + +diff --git a/stdio-common/Makefile b/stdio-common/Makefile +index 64b3575acb..e52c333808 100644 +--- a/stdio-common/Makefile ++++ b/stdio-common/Makefile +@@ -347,6 +347,7 @@ tests := \ + tst-vfprintf-user-type \ + tst-vfprintf-width-i18n \ + tst-vfprintf-width-prec-alloc \ ++ tst-vfscanf-bz34008 \ + tst-wc-printf \ + tstdiomisc \ + tstgetln \ +@@ -562,6 +563,9 @@ tst-printf-bz18872-ENV = MALLOC_TRACE=$(objpfx)tst-printf-bz18872.mtrace \ + tst-vfprintf-width-prec-ENV = \ + MALLOC_TRACE=$(objpfx)tst-vfprintf-width-prec.mtrace \ + LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so ++tst-vfscanf-bz34008-ENV = \ ++ MALLOC_CHECK_=3 \ ++ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so + tst-printf-bz25691-ENV = \ + MALLOC_TRACE=$(objpfx)tst-printf-bz25691.mtrace \ + LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so +diff --git a/stdio-common/tst-vfscanf-bz34008.c b/stdio-common/tst-vfscanf-bz34008.c +new file mode 100644 +index 0000000000..48371c8a3d +--- /dev/null ++++ b/stdio-common/tst-vfscanf-bz34008.c +@@ -0,0 +1,48 @@ ++/* Regression test for vfscanf %Nmc out-of-bound write (BZ #34008) ++ Copyright (C) 2026 The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include "malloc/mcheck.h" ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#define WIDTH 0x410 ++#define SCANFSTR "%1040mc" ++static int ++do_test (void) ++{ ++ mcheck_pedantic (NULL); ++ char *input = malloc (WIDTH + 1); ++ TEST_VERIFY (input != NULL); ++ memset (input, 'A', WIDTH); ++ input[WIDTH] = '\0'; ++ ++ char *buf = NULL; ++ TEST_VERIFY (sscanf (input, SCANFSTR, &buf) != -1); ++ TEST_VERIFY (buf != NULL); ++ ++ free (buf); ++ free (input); ++ return 0; ++} ++ ++#include +diff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c +index 86ae5019a6..17b5565d0f 100644 +--- a/stdio-common/vfscanf-internal.c ++++ b/stdio-common/vfscanf-internal.c +@@ -853,8 +853,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr, + { + /* Enlarge the buffer. */ + size_t newsize +- = strsize +- + (strsize >= width ? width - 1 : strsize); ++ = strsize + (strsize >= width ? width : strsize); + + str = (char *) realloc (*strptr, newsize); + if (str == NULL) +@@ -925,7 +924,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr, + && wstr == (wchar_t *) *strptr + strsize) + { + size_t newsize +- = strsize + (strsize > width ? width - 1 : strsize); ++ = strsize + (strsize >= width ? width : strsize); + /* Enlarge the buffer. */ + wstr = (wchar_t *) realloc (*strptr, + newsize * sizeof (wchar_t)); +@@ -980,7 +979,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr, + && wstr == (wchar_t *) *strptr + strsize) + { + size_t newsize +- = strsize + (strsize > width ? width - 1 : strsize); ++ = strsize + (strsize >= width ? width : strsize); + /* Enlarge the buffer. */ + wstr = (wchar_t *) realloc (*strptr, + newsize * sizeof (wchar_t)); diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index a013a2db2f0c..b6c6a6c86445 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -51,7 +51,7 @@ let version = "2.42"; - patchSuffix = "-61"; + patchSuffix = "-67"; sha256 = "sha256-0XdeMuRijmTvkw9DW2e7Y691may2viszW58Z8WUJ8X8="; in @@ -68,8 +68,8 @@ stdenv.mkDerivation ( patches = [ /* No tarballs for stable upstream branch, only https://sourceware.org/git/glibc.git and using git would complicate bootstrapping. - $ git fetch --all -p && git checkout origin/release/2.40/master && git describe - glibc-2.42-61-ga56a2943d2 + $ git fetch --all -p && git checkout origin/release/2.42/master && git describe + glibc-2.42-67-g4ebd33dd77 $ git show --minimal --reverse glibc-2.42.. ':!ADVISORIES' > 2.42-master.patch To compare the archive contents zdiff can be used. From be6ec59922761c1318c13a9721e1dcd8ef9655ec Mon Sep 17 00:00:00 2001 From: Guilhem Saurel Date: Wed, 29 Apr 2026 14:51:08 +0200 Subject: [PATCH 27/97] doctest: 2.5.0 -> 2.5.2 Diff: https://github.com/doctest/doctest/compare/v2.5.0...v2.5.2 Changelog: https://github.com/doctest/doctest/releases/tag/v2.5.2 (cherry picked from commit 7bd3d8daf2081be2a6a0aa44b54f0df58f95c7d4) --- pkgs/by-name/do/doctest/package.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/do/doctest/package.nix b/pkgs/by-name/do/doctest/package.nix index f6ffd1b9e559..cbea1dcba749 100644 --- a/pkgs/by-name/do/doctest/package.nix +++ b/pkgs/by-name/do/doctest/package.nix @@ -7,13 +7,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "doctest"; - version = "2.5.0"; + version = "2.5.2"; src = fetchFromGitHub { owner = "doctest"; repo = "doctest"; tag = "v${finalAttrs.version}"; - hash = "sha256-7t/eknv7VtHoBgcuJmI07x//HIyqzE9HUuH5u2y7X8A="; + hash = "sha256-4jW6xPFCFxk1l47EkSUVojhycrtluPhOc5Adf/25R7M="; }; nativeBuildInputs = [ cmake ]; @@ -27,6 +27,7 @@ stdenv.mkDerivation (finalAttrs: { doCheck = true; meta = { + changelog = "https://github.com/doctest/doctest/releases/tag/${finalAttrs.src.tag}"; homepage = "https://github.com/doctest/doctest"; description = "Fastest feature-rich C++11/14/17/20 single-header testing framework"; platforms = lib.platforms.all; From f5ae9c36bfc691af8af70232640a43b0a703e067 Mon Sep 17 00:00:00 2001 From: znaniye Date: Thu, 16 Oct 2025 14:28:11 -0300 Subject: [PATCH 28/97] python3Packages.paramiko: invoke is a required dependency (cherry picked from commit 9088b3d1674994911e0d24c851fb46cca48871a0) --- pkgs/development/python-modules/paramiko/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/python-modules/paramiko/default.nix b/pkgs/development/python-modules/paramiko/default.nix index 156fae9d96d0..6350ba2e5a8a 100644 --- a/pkgs/development/python-modules/paramiko/default.nix +++ b/pkgs/development/python-modules/paramiko/default.nix @@ -30,6 +30,7 @@ buildPythonPackage rec { dependencies = [ bcrypt cryptography + invoke pynacl ]; @@ -39,7 +40,6 @@ buildPythonPackage rec { gssapi ]; ed25519 = [ ]; - invoke = [ invoke ]; }; nativeCheckInputs = [ From 747ba2d3768790a11db05c5fd33706e238f6f4e1 Mon Sep 17 00:00:00 2001 From: znaniye Date: Thu, 16 Oct 2025 15:43:36 -0300 Subject: [PATCH 29/97] duplicity: remove invoke from dependencies invoke is not a required dependency of duplicity. It does not appear in upstream's requirements.txt nor pyproject.toml: - https://gitlab.com/duplicity/duplicity/-/blob/dev/requirements.txt - https://gitlab.com/duplicity/duplicity/-/blob/dev/pyproject.toml (cherry picked from commit b6254c48df9b757515242f80d7f78a598333b941) --- pkgs/by-name/du/duplicity/package.nix | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/pkgs/by-name/du/duplicity/package.nix b/pkgs/by-name/du/duplicity/package.nix index 7cdb8eff47f2..8e7b8698a1a4 100644 --- a/pkgs/by-name/du/duplicity/package.nix +++ b/pkgs/by-name/du/duplicity/package.nix @@ -75,20 +75,17 @@ let glib ]; - pythonPath = - with python3.pkgs; - [ - b2sdk - boto3 - idna - pygobject3 - fasteners - paramiko - pexpect - # Currently marked as broken. - # pydrive2 - ] - ++ paramiko.optional-dependencies.invoke; + pythonPath = with python3.pkgs; [ + b2sdk + boto3 + idna + pygobject3 + fasteners + paramiko + pexpect + # Currently marked as broken. + # pydrive2 + ]; nativeCheckInputs = [ gnupg # Add 'gpg' to PATH. From c0e4b6b891525ce5bb2ace1fb2f277277e8edaba Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Sat, 11 Apr 2026 21:47:48 +0100 Subject: [PATCH 30/97] simdjson: 4.6.0 -> 4.6.4 Changes: - https://github.com/simdjson/simdjson/releases/tag/v4.6.1 - https://github.com/simdjson/simdjson/releases/tag/v4.6.2 - https://github.com/simdjson/simdjson/releases/tag/v4.6.3 - https://github.com/simdjson/simdjson/releases/tag/v4.6.4 (cherry picked from commit 3803be5263c98b9e52d0e6f791272137f5e1e193) --- pkgs/by-name/si/simdjson/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/si/simdjson/package.nix b/pkgs/by-name/si/simdjson/package.nix index e1cc6c566ebb..44942f163cab 100644 --- a/pkgs/by-name/si/simdjson/package.nix +++ b/pkgs/by-name/si/simdjson/package.nix @@ -7,13 +7,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "simdjson"; - version = "4.6.0"; + version = "4.6.4"; src = fetchFromGitHub { owner = "simdjson"; repo = "simdjson"; tag = "v${finalAttrs.version}"; - hash = "sha256-VGErBWAHk63XMv8yC+Na+gXHByhYhtIEMSBySwIDlXk="; + hash = "sha256-8oQzsR7DSaNTN9su1uI9tRQ9HvOwXShPwSrnQj8+lGM="; }; nativeBuildInputs = [ cmake ]; From dd411ee50591dd1784732c29082a384bac99a166 Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Sun, 17 May 2026 21:16:45 -0400 Subject: [PATCH 31/97] libass: remove libiconv dependency on darwin This is already in stdenv. (cherry picked from commit f6172a101fe458c28e6d70de9e530b2699693d0d) --- pkgs/by-name/li/libass/package.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkgs/by-name/li/libass/package.nix b/pkgs/by-name/li/libass/package.nix index 61b8611327f0..045b0d926bdb 100644 --- a/pkgs/by-name/li/libass/package.nix +++ b/pkgs/by-name/li/libass/package.nix @@ -44,9 +44,7 @@ stdenv.mkDerivation (finalAttrs: { fribidi harfbuzz ] - ++ lib.optional fontconfigSupport fontconfig - # TODO: remove dep after branchoff (in darwin stdenv) - ++ lib.optional stdenv.hostPlatform.isDarwin libiconv.out; + ++ lib.optional fontconfigSupport fontconfig; meta = { description = "Portable ASS/SSA subtitle renderer"; From cfdafe68e00b10563e924aaf36d03363cb7ff6e3 Mon Sep 17 00:00:00 2001 From: Hythera <87016780+Hythera@users.noreply.github.com> Date: Fri, 1 May 2026 13:58:01 +0200 Subject: [PATCH 32/97] assimp: 6.0.4 -> 6.0.5 changelog: https://github.com/assimp/assimp/blob/master/CHANGES.md diff: https://github.com/assimp/assimp/compare/v6.0.4...v6.0.5 (cherry picked from commit b0af552236ff2e10d2fd7c3de4819079062c8055) --- pkgs/by-name/as/assimp/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/as/assimp/package.nix b/pkgs/by-name/as/assimp/package.nix index 717fd1a0746f..24769c4a231c 100644 --- a/pkgs/by-name/as/assimp/package.nix +++ b/pkgs/by-name/as/assimp/package.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "assimp"; - version = "6.0.4"; + version = "6.0.5"; outputs = [ "out" "lib" @@ -20,7 +20,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "assimp"; repo = "assimp"; tag = "v${finalAttrs.version}"; - hash = "sha256-ryTgsN0z9BZBz7i9aUMKuneN5oqfxpduwJlb+Q0q3Mk="; + hash = "sha256-QWBi1pl5C76UtPhB6SmFipm9oEdnfhELMT3MqfV6oxg="; }; postPatch = '' From 8513d19d4f92c99ec7403755360bbb225d681aa7 Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Tue, 12 May 2026 13:58:14 +0200 Subject: [PATCH 33/97] libcaca: apply patch for CVE-2026-42046 Fixes https://github.com/NixOS/nixpkgs/issues/519387 (cherry picked from commit 00cd8e646c7da669125ae26acf4b47079826e1f0) --- pkgs/by-name/li/libcaca/package.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/by-name/li/libcaca/package.nix b/pkgs/by-name/li/libcaca/package.nix index 689257d7ff8e..d233cdabfe87 100644 --- a/pkgs/by-name/li/libcaca/package.nix +++ b/pkgs/by-name/li/libcaca/package.nix @@ -2,6 +2,7 @@ lib, stdenv, fetchFromGitHub, + fetchpatch, autoreconfHook, imlib2, libxext, @@ -23,6 +24,14 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-N0Lfi0d4kjxirEbIjdeearYWvStkKMyV6lgeyNKXcVw="; }; + patches = [ + (fetchpatch { + name = "CVE-2026-42046.patch"; + url = "https://github.com/cacalabs/libcaca/commit/fb77acff9ba6bb01d53940da34fb10f20b156a23.patch"; + hash = "sha256-AdpiE5Gw/CVET//7TTYZCb0glW5HY+T8xZkYs1XCBvY="; + }) + ]; + nativeBuildInputs = [ autoreconfHook pkg-config From 3a60965e1736cb336b6e1b9d0405b13409153fd0 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Sun, 3 May 2026 06:56:18 +0000 Subject: [PATCH 34/97] freetype: 2.14.2 -> 2.14.3 (cherry picked from commit 21622bac70c240e85777be65c5b65bac6c3f3553) --- pkgs/by-name/fr/freetype/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/fr/freetype/package.nix b/pkgs/by-name/fr/freetype/package.nix index 6146ce0d8cc1..fcace2938756 100644 --- a/pkgs/by-name/fr/freetype/package.nix +++ b/pkgs/by-name/fr/freetype/package.nix @@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "freetype"; - version = "2.14.2"; + version = "2.14.3"; src = let @@ -47,7 +47,7 @@ stdenv.mkDerivation (finalAttrs: { in fetchurl { url = "mirror://savannah/freetype/freetype-${version}.tar.xz"; - sha256 = "sha256-S2Lcq0ySChqGA2mTMiGBQ2LmmeJvVXklFtZx5v9VteE="; + sha256 = "sha256-NrxPHMQTM1No7mVsQq/KZcWjmH6HaMwozxG6d154Wl8="; }; propagatedBuildInputs = [ From a14161da713e1511cdffa409d62ee71adc34c509 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 20 May 2026 02:10:28 +0000 Subject: [PATCH 35/97] libde265: 1.0.18 -> 1.0.19 (cherry picked from commit 8aa7c75b47254ac38ee2470c3ad42a7d6af5bb99) --- pkgs/by-name/li/libde265/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libde265/package.nix b/pkgs/by-name/li/libde265/package.nix index 51e24c6ed5ac..65121864428c 100644 --- a/pkgs/by-name/li/libde265/package.nix +++ b/pkgs/by-name/li/libde265/package.nix @@ -15,14 +15,14 @@ }: stdenv.mkDerivation (finalAttrs: { - version = "1.0.18"; + version = "1.0.19"; pname = "libde265"; src = fetchFromGitHub { owner = "strukturag"; repo = "libde265"; tag = "v${finalAttrs.version}"; - hash = "sha256-N6K82ElrzrMSNKfPTDsc5onrxucIJ8niwFgbaEPPd2I="; + hash = "sha256-77OIclR2TwOigo/k5ps9S0TrDNvEjf290PqZyqBcydo="; }; nativeBuildInputs = [ From a416d0dc4ff922c0ba1f72c0d5ed53bef01f4ed7 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 26 May 2026 13:01:50 +0200 Subject: [PATCH 36/97] python3Packages.starlette: 0.52.1 -> 1.1.0 https://www.starlette.io/release-notes/#110 https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr Fixes: CVE-2026-48710 (cherry picked from commit 83ece5c3a1e6340a1d9b9b40db3d5c50e9e05672) --- pkgs/development/python-modules/starlette/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/starlette/default.nix b/pkgs/development/python-modules/starlette/default.nix index 219ce1e8b7a7..e66a5cf7a80d 100644 --- a/pkgs/development/python-modules/starlette/default.nix +++ b/pkgs/development/python-modules/starlette/default.nix @@ -27,14 +27,14 @@ buildPythonPackage rec { pname = "starlette"; - version = "0.52.1"; + version = "1.1.0"; pyproject = true; src = fetchFromGitHub { owner = "encode"; repo = "starlette"; tag = version; - hash = "sha256-XPAeRnh9a0A1/5VGZzzGQBhlBsih1VR8QmFdkxG5cQE="; + hash = "sha256-9iQXlpA1VDGw1c7X1zJPmJ3Dub46PwqrVIX1+fWOZ7M="; }; build-system = [ hatchling ]; From bab01dc06d12e17407068fc3ebba0ac81947592b Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 26 May 2026 13:06:41 +0200 Subject: [PATCH 37/97] python3Packages.fastapi: 0.135.3 -> 0.136.3 https://github.com/fastapi/fastapi/releases/tag/0.136.0 https://github.com/fastapi/fastapi/releases/tag/0.136.1 https://github.com/fastapi/fastapi/releases/tag/0.136.2 https://github.com/fastapi/fastapi/releases/tag/0.136.3 (cherry picked from commit b481729faf5004e2da0fa3b932a6f2696b4cc98c) --- pkgs/development/python-modules/fastapi/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/fastapi/default.nix b/pkgs/development/python-modules/fastapi/default.nix index 9d5aea8559e5..3e29f81a9da2 100644 --- a/pkgs/development/python-modules/fastapi/default.nix +++ b/pkgs/development/python-modules/fastapi/default.nix @@ -45,14 +45,14 @@ buildPythonPackage rec { pname = "fastapi"; - version = "0.135.3"; + version = "0.136.3"; pyproject = true; src = fetchFromGitHub { owner = "tiangolo"; repo = "fastapi"; tag = version; - hash = "sha256-sE5d+MgmP9L+MUosRBsR+KSJkcC9i2EOOtKHq0sXjRM="; + hash = "sha256-lfmk8ZveKPukEEfwWq2mKtWmOHAtVzGuE5BsOskDzh0="; }; build-system = [ pdm-backend ]; From 8a4a1651c8181e34353562de2817c730c8a8fbd7 Mon Sep 17 00:00:00 2001 From: r-vdp Date: Wed, 20 May 2026 19:40:45 +0200 Subject: [PATCH 38/97] switch-to-configuration-ng: honour X-* directives in user-unit migration pass The post-activation pass added in 5cc82c4922f8 to handle units migrating from a per-user manager (home-manager) to NixOS unconditionally restarts or starts any candidate. dbus-broker.service explicitly opts out of restarts via reloadIfChanged because restarting the session bus kills running clients; the second pass ignored that and restarted it anyway. Apply the same X-ReloadIfChanged / X-RestartIfChanged / RefuseManualStop / RefuseManualStart / X-OnlyManualStart checks that handle_modified_unit performs, so a migrated unit is reloaded, skipped, restarted or started as its directives require. Covered by new switch-test specialisations for reloadIfChanged and restartIfChanged = false. (cherry picked from commit 76c8d4509934c8d32a8203a62c36df5aadf7de43) --- nixos/tests/switch-test.nix | 39 ++++ .../sw/switch-to-configuration-ng/src/main.rs | 216 ++++++++++++++++-- 2 files changed, 238 insertions(+), 17 deletions(-) diff --git a/nixos/tests/switch-test.nix b/nixos/tests/switch-test.nix index 480d284ada1d..e83e43430fae 100644 --- a/nixos/tests/switch-test.nix +++ b/nixos/tests/switch-test.nix @@ -739,6 +739,22 @@ in ''; }; + # As above, but with reloadIfChanged: pass 2 must reload, not + # restart. + userServiceMigratedToNixosReloadOnly.configuration = { + imports = [ userServiceMigratedToNixosNoStop.configuration ]; + systemd.user.services.migrated = { + reloadIfChanged = true; + serviceConfig.ExecReload = "${pkgs.coreutils}/bin/true"; + }; + }; + + # As above, but with restartIfChanged = false: pass 2 must skip it. + userServiceMigratedToNixosNoRestart.configuration = { + imports = [ userServiceMigratedToNixosNoStop.configuration ]; + systemd.user.services.migrated.restartIfChanged = false; + }; + no_inhibitors.configuration.system.switch.inhibitors = lib.mkForce { }; inhibitors.configuration.system.switch.inhibitors = lib.mkForce { @@ -1818,6 +1834,29 @@ in out = machine.succeed(f"sudo -u usertest {user_env} cat /run/user/1001/migrated-owner") assert_contains(out, "nixos") + # Pass 2 must honour reloadIfChanged. + switch_to_specialisation("${machine}", "") + machine.fail(f"sudo -u usertest {user_env} systemctl --user is-active migrated.service") + seed_home_unit() + out = switch_to_specialisation("${machine}", "userServiceMigratedToNixosReloadOnly") + assert_lacks(out, "restarting (post-activation) the following user units: migrated.service") + assert_contains(out, "reloading (post-activation) the following user units: migrated.service") + user_systemctl("is-active migrated.service") + # Reloaded only, so the home ExecStart never re-ran. + out = machine.succeed(f"sudo -u usertest {user_env} cat /run/user/1001/migrated-owner") + assert_contains(out, "home") + + # Pass 2 must honour restartIfChanged = false. + switch_to_specialisation("${machine}", "") + machine.fail(f"sudo -u usertest {user_env} systemctl --user is-active migrated.service") + seed_home_unit() + out = switch_to_specialisation("${machine}", "userServiceMigratedToNixosNoRestart") + assert_lacks(out, "\nrestarting (post-activation) the following user units: migrated.service") + assert_contains(out, "NOT restarting (post-activation) the following user units: migrated.service") + user_systemctl("is-active migrated.service") + out = machine.succeed(f"sudo -u usertest {user_env} cat /run/user/1001/migrated-owner") + assert_contains(out, "home") + # Units that remain shadowed by ~/.config must be left alone in both # passes even though /etc now also defines them. switch_to_specialisation("${machine}", "") diff --git a/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs b/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs index d9568c7b5464..6046d3437ae0 100644 --- a/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs +++ b/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs @@ -688,12 +688,7 @@ fn handle_modified_unit( let reload_list = scope.reload_list_file(); let use_restart_as_stop_and_start = new_unit_info.is_none(); - if matches!( - unit, - "sysinit.target" | "basic.target" | "multi-user.target" | "graphical.target" - ) || unit.ends_with(".unit") - || unit.ends_with(".slice") - { + if cannot_be_restarted_directly(unit) { // Do nothing. These cannot be restarted directly. // Slices and Paths don't have to be restarted since properties (resource limits and @@ -940,6 +935,17 @@ fn parse_fstab(fstab: impl BufRead) -> (HashMap, HashMap bool { + matches!( + unit, + "sysinit.target" | "basic.target" | "multi-user.target" | "graphical.target" + ) || unit.ends_with(".path") + || unit.ends_with(".slice") +} + // Returns a HashMap containing the same contents as the passed in `units`, minus the units in // `units_to_filter`. fn filter_units( @@ -957,6 +963,50 @@ fn filter_units( res } +/// Action to take on a unit that migrated to NixOS ownership during the +/// post-activation pass. Honours the same X-* directives as +/// `handle_modified_unit`. +#[derive(Debug, PartialEq)] +enum MigrationAction { + Skip, + Reload, + Restart, + Start, +} + +impl MigrationAction { + /// Action to take on a migrated unit that is still active. + fn for_active_unit(unit: &str, new_unit_info: &UnitInfo) -> Self { + if cannot_be_restarted_directly(unit) { + return Self::Skip; + } + + if parse_systemd_bool(Some(new_unit_info), "Service", "X-ReloadIfChanged", false) { + return Self::Reload; + } + + if !parse_systemd_bool(Some(new_unit_info), "Service", "X-RestartIfChanged", true) + || parse_systemd_bool(Some(new_unit_info), "Unit", "RefuseManualStop", false) + || parse_systemd_bool(Some(new_unit_info), "Unit", "X-OnlyManualStart", false) + { + return Self::Skip; + } + + Self::Restart + } + + /// Action to take on a migrated unit that the previous owner stopped. + fn for_stopped_unit(new_unit_info: &UnitInfo) -> Self { + if parse_systemd_bool(Some(new_unit_info), "Unit", "RefuseManualStart", false) + || parse_systemd_bool(Some(new_unit_info), "Unit", "X-OnlyManualStart", false) + { + return Self::Skip; + } + + Self::Start + } +} + fn unit_is_active(conn: &LocalConnection, unit: &str) -> Result { let unit_object_path = conn .with_proxy( @@ -1510,29 +1560,40 @@ fn do_user_switch(parent_exe: String) -> anyhow::Result<()> { let active_after = get_active_units(&systemd)?; + let mut to_reload = HashMap::new(); let mut to_restart = HashMap::new(); let mut to_start = HashMap::new(); + let mut to_skip = HashMap::new(); for unit in &migration_candidates { - match active_after.get(unit) { + // Honour X-* directives so reloadIfChanged/restartIfChanged hold. + let new_unit_file = new_unit_dir.join(unit); + let new_unit_info = parse_unit(&new_unit_file, &new_unit_file)?; + + let action = match active_after.get(unit) { Some(unit_state) => { + // Only act if /etc now wins (i.e. the higher-priority + // copy is gone). Read errors are treated as "leave alone". let now_etc = unit_state .proxy .get("org.freedesktop.systemd1.Unit", "FragmentPath") .map(|p: String| p.starts_with(fragment_prefix)) .unwrap_or(false); - if now_etc { - // Still running with the previous manager's binary; - // restart so the /etc definition takes effect. - to_restart.insert(unit.clone(), ()); + if !now_etc { + // Still shadowed (or read error); leave it alone. + continue; } - // else: still shadowed by ~/.config, leave it alone. + MigrationAction::for_active_unit(unit, &new_unit_info) } - None => { - // Stopped by the previous manager; start the /etc copy. - to_start.insert(unit.clone(), ()); - } - } + // Stopped by the previous manager; start the /etc copy. + None => MigrationAction::for_stopped_unit(&new_unit_info), + }; + match action { + MigrationAction::Skip => to_skip.insert(unit.clone(), ()), + MigrationAction::Reload => to_reload.insert(unit.clone(), ()), + MigrationAction::Restart => to_restart.insert(unit.clone(), ()), + MigrationAction::Start => to_start.insert(unit.clone(), ()), + }; } // Re-start active targets so any other newly-unmasked dependencies are @@ -1543,6 +1604,24 @@ fn do_user_switch(parent_exe: String) -> anyhow::Result<()> { } } + if !to_skip.is_empty() { + print_units("NOT restarting (post-activation)", &to_skip); + } + + print_units("reloading (post-activation)", &to_reload); + for unit in to_reload.keys() { + match systemd.reload_unit(unit, "replace") { + Ok(job_path) => { + submitted_jobs.borrow_mut().insert(job_path, Job::Reload); + } + Err(err) => { + eprintln!("Failed to reload user unit {unit}: {err}"); + exit_code = 4; + } + } + } + block_on_jobs(&dbus_conn, &submitted_jobs); + print_units("restarting (post-activation)", &to_restart); for unit in to_restart.keys() { match systemd.restart_unit(unit, "replace") { @@ -2863,4 +2942,107 @@ After=dev-disk-by\x2dlabel-root.device ); } } + + fn unit_info( + sections: &[(&str, &[(&str, &str)])], + ) -> HashMap>> { + sections + .iter() + .map(|(section, kvs)| { + ( + section.to_string(), + kvs.iter() + .map(|(k, v)| (k.to_string(), vec![v.to_string()])) + .collect(), + ) + }) + .collect() + } + + #[test] + fn migration_action_for_active_unit() { + use super::MigrationAction; + + // Plain service: restart. + assert_eq!( + MigrationAction::for_active_unit("foo.service", &unit_info(&[])), + MigrationAction::Restart + ); + + // reloadIfChanged must reload, not restart. + assert_eq!( + MigrationAction::for_active_unit( + "foo.service", + &unit_info(&[("Service", &[("X-ReloadIfChanged", "true")])]) + ), + MigrationAction::Reload + ); + + // X-RestartIfChanged=false (restartIfChanged = false) must skip. + assert_eq!( + MigrationAction::for_active_unit( + "foo.service", + &unit_info(&[("Service", &[("X-RestartIfChanged", "false")])]) + ), + MigrationAction::Skip + ); + + // RefuseManualStop must skip. + assert_eq!( + MigrationAction::for_active_unit( + "foo.service", + &unit_info(&[("Unit", &[("RefuseManualStop", "yes")])]) + ), + MigrationAction::Skip + ); + + // X-OnlyManualStart must skip. + assert_eq!( + MigrationAction::for_active_unit( + "foo.service", + &unit_info(&[("Unit", &[("X-OnlyManualStart", "yes")])]) + ), + MigrationAction::Skip + ); + + // Units that cannot be restarted directly must skip. + for unit in [ + "sysinit.target", + "basic.target", + "multi-user.target", + "graphical.target", + "foo.path", + "bar.slice", + ] { + assert_eq!( + MigrationAction::for_active_unit(unit, &unit_info(&[])), + MigrationAction::Skip, + "{unit}" + ); + } + } + + #[test] + fn migration_action_for_stopped_unit() { + use super::MigrationAction; + + assert_eq!( + MigrationAction::for_stopped_unit(&unit_info(&[])), + MigrationAction::Start + ); + assert_eq!( + MigrationAction::for_stopped_unit(&unit_info(&[( + "Unit", + &[("RefuseManualStart", "true")] + )])), + MigrationAction::Skip + ); + assert_eq!( + MigrationAction::for_stopped_unit(&unit_info(&[( + "Unit", + &[("X-OnlyManualStart", "true")] + )])), + MigrationAction::Skip + ); + } } From 1cc051d86d415945c6350ea0606a465b1b6b92fa Mon Sep 17 00:00:00 2001 From: r-vdp Date: Wed, 20 May 2026 19:46:27 +0200 Subject: [PATCH 39/97] switch-to-configuration-ng: rework user-unit migration candidate selection The previous "FragmentPath not under /etc" deny-list swept up units that were never managed by a per-user manager (e.g. dbus-broker, whose FragmentPath systemd reports under /run/current-system/sw/share via systemd.packages) and missed nothing it should have caught, but for the wrong reason. Make the intent explicit. A unit is a migration candidate iff it is active, the new generation defines it in /etc/systemd/user, and either * its FragmentPath is under $XDG_CONFIG_HOME/systemd/user (the home-manager case; ~/.config shadows /etc, so we must wait for sd-switch to remove the copy), or * its FragmentPath is anywhere else outside /etc and the previous generation did not have it in /etc (package-shipped units found via $XDG_DATA_HOME / $XDG_DATA_DIRS, e.g. ~/.nix-profile/share; /etc outranks these so it wins on daemon-reload). The "previous generation did not have it" guard keeps units that have always been in /etc, but whose FragmentPath systemd reports elsewhere, out of the candidate set, and the existing now_etc check verifies /etc actually won before acting. Compare FragmentPath by parent directory instead of string prefix while here. Covered by a new switch-test case that seeds a unit in ~/.local/share/systemd/user. (cherry picked from commit 6ced06a1b337cdf403b1e53407cac9cb156b856b) --- nixos/tests/switch-test.nix | 39 +++++++++ .../sw/switch-to-configuration-ng/src/main.rs | 85 +++++++++++++++---- 2 files changed, 108 insertions(+), 16 deletions(-) diff --git a/nixos/tests/switch-test.nix b/nixos/tests/switch-test.nix index e83e43430fae..4126645f59e0 100644 --- a/nixos/tests/switch-test.nix +++ b/nixos/tests/switch-test.nix @@ -826,6 +826,15 @@ in RemainAfterExit=true ExecStart=${pkgs.runtimeShell} -c 'echo home > %t/migrated-owner' ''; + + # Unit file placed in ~/.local/share/systemd/user (lower priority than + # /etc) to simulate a package-shipped unit. + dataMigratedUnit = pkgs.writeText "migrated.service" '' + [Service] + Type=oneshot + RemainAfterExit=true + ExecStart=${pkgs.runtimeShell} -c 'echo data > %t/migrated-owner' + ''; in # python '' @@ -1857,6 +1866,36 @@ in out = machine.succeed(f"sudo -u usertest {user_env} cat /run/user/1001/migrated-owner") assert_contains(out, "home") + # Migration from a lower-priority search-path entry ($XDG_DATA_HOME + # here, standing in for ~/.nix-profile/share etc.). /etc outranks + # these, so pass 2 must restart onto the /etc definition. + switch_to_specialisation("${machine}", "") + machine.fail(f"sudo -u usertest {user_env} systemctl --user is-active migrated.service") + machine.succeed( + "sudo -u usertest mkdir -p ~usertest/.local/share/systemd/user", + "sudo -u usertest cp ${dataMigratedUnit} ~usertest/.local/share/systemd/user/migrated.service", + ) + user_systemctl("daemon-reload") + user_systemctl("start migrated.service") + user_systemctl("is-active migrated.service") + out = machine.succeed(f"sudo -u usertest {user_env} cat /run/user/1001/migrated-owner") + assert_contains(out, "data") + out = user_systemctl("show -p FragmentPath migrated.service") + assert_contains(out, "/.local/share/systemd/user/migrated.service") + out = switch_to_specialisation("${machine}", "userServiceMigratedShadowed") + assert_contains(out, "restarting (post-activation) the following user units: migrated.service") + user_systemctl("is-active migrated.service") + out = user_systemctl("show -p FragmentPath migrated.service") + assert_contains(out, "/etc/systemd/user/migrated.service") + out = machine.succeed(f"sudo -u usertest {user_env} cat /run/user/1001/migrated-owner") + assert_contains(out, "nixos") + # Switching again must NOT touch it: /etc already had it, so it is + # not a candidate even though the lower-priority copy is still there. + out = switch_to_specialisation("${machine}", "userServiceMigratedShadowed") + assert_lacks(out, "migrated.service") + machine.succeed("sudo -u usertest rm -rf ~usertest/.local/share/systemd") + user_systemctl("daemon-reload") + # Units that remain shadowed by ~/.config must be left alone in both # passes even though /etc now also defines them. switch_to_specialisation("${machine}", "") diff --git a/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs b/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs index 6046d3437ae0..bebf3c46a4bf 100644 --- a/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs +++ b/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs @@ -1395,26 +1395,79 @@ fn do_user_switch(parent_exe: String) -> anyhow::Result<()> { let current_active_units = get_active_units(&systemd)?; + let old_unit_dir = old_toplevel.join(scope.etc_dir()); let new_unit_dir = toplevel.join(scope.etc_dir()); - let fragment_prefix = scope - .current_dir() - .to_str() - .expect("scope dir is valid UTF-8"); + let fragment_dir = scope.current_dir(); - // Units that are currently running from a non-/etc location (typically - // ~/.config/systemd/user, i.e. home-manager) but that the new NixOS - // configuration also defines. Pass 1 will skip these because of the - // FragmentPath filter; if the per-user activation (sd-switch) later drops - // its copy, we need a second pass to bring the NixOS-owned definition up. + // Determine $XDG_CONFIG_HOME/systemd/user from the user manager's own + // environment (we are spawned with env_clear()). + let user_config_unit_dir: Option = match systemd.environment() { + Err(err) => { + log::debug!("Failed to read user manager environment: {err}"); + None + } + Ok(env) => { + let lookup = |key: &str| { + env.iter().find_map(|kv| { + kv.strip_prefix(key) + .and_then(|rest| rest.strip_prefix('=')) + .filter(|v| Path::new(v).is_absolute()) + .map(PathBuf::from) + }) + }; + let config_home = + lookup("XDG_CONFIG_HOME").or_else(|| lookup("HOME").map(|h| h.join(".config"))); + if config_home.is_none() { + log::debug!( + "Neither $XDG_CONFIG_HOME nor $HOME is set in the user manager's environment" + ); + } + config_home.map(|config_home| config_home.join("systemd/user")) + } + }; + + if user_config_unit_dir.is_none() { + log::debug!( + "Could not determine $XDG_CONFIG_HOME/systemd/user; \ + units shadowed by ~/.config will not be considered for migration" + ); + } + + // Units active from a non-/etc location that the new generation defines + // in /etc/systemd/user. Pass 1 skips these (FragmentPath filter); pass 2 + // brings the /etc definition into effect once /etc has won. Two cases: + // * ~/.config/systemd/user (home-manager): shadows /etc, so wait for + // the per-user activation (sd-switch) to remove its copy. + // * anywhere else outside /etc ($XDG_DATA_HOME, $XDG_DATA_DIRS, ...): + // /etc outranks these, so only act when /etc is gaining the unit; + // if the previous generation already had it, leave it alone. + // Pass 2's `now_etc` check verifies /etc actually won before acting. let migration_candidates: Vec = current_active_units .iter() .filter(|(unit, _)| new_unit_dir.join(unit).exists()) - .filter(|(_, unit_state)| { - !unit_state + .filter(|(unit, unit_state)| { + let Ok(fragment_path) = unit_state .proxy - .get("org.freedesktop.systemd1.Unit", "FragmentPath") - .map(|p: String| p.starts_with(fragment_prefix)) - .unwrap_or(false) + .get::("org.freedesktop.systemd1.Unit", "FragmentPath") + else { + return false; + }; + let fragment_parent = Path::new(&fragment_path).parent(); + + // Already in /etc: handled by pass 1. + if fragment_parent == Some(fragment_dir) { + return false; + } + + // Loaded from ~/.config/systemd/user, which shadows /etc. + if let Some(dir) = &user_config_unit_dir { + if fragment_parent == Some(dir.as_path()) { + return true; + } + } + + // Elsewhere: only act if /etc is gaining the unit this switch. + !old_unit_dir.join(unit).exists() }) .map(|(unit, _)| unit.clone()) .collect(); @@ -1422,7 +1475,7 @@ fn do_user_switch(parent_exe: String) -> anyhow::Result<()> { collect_unit_changes( &toplevel, scope, - &old_toplevel.join(scope.etc_dir()), + &old_unit_dir, &new_unit_dir, ¤t_active_units, &mut units_to_stop, @@ -1577,7 +1630,7 @@ fn do_user_switch(parent_exe: String) -> anyhow::Result<()> { let now_etc = unit_state .proxy .get("org.freedesktop.systemd1.Unit", "FragmentPath") - .map(|p: String| p.starts_with(fragment_prefix)) + .map(|p: String| Path::new(&p).parent() == Some(fragment_dir)) .unwrap_or(false); if !now_etc { // Still shadowed (or read error); leave it alone. From 1303411c1e8b10c8d5baccc39f3a00ebb2fc59c5 Mon Sep 17 00:00:00 2001 From: r-vdp Date: Sat, 23 May 2026 12:50:06 +0200 Subject: [PATCH 40/97] nixos/activation: run user nixos-activation.service exactly once per switch stc-ng starts every active target (including default.target) and then explicitly restarts nixos-activation.service. As a Type=oneshot without RemainAfterExit the unit is inactive after login, so the default.target start job re-runs it via Wants=, and the explicit restart runs it again (or, depending on ordering, SIGTERMs the currently running script and re-runs it). Set RemainAfterExit=yes so target starts are a no-op for an already-run activation, and restartIfChanged=false so the unit-diff pass leaves it alone when the script changes. The explicit restart in stc-ng remains the single trigger per switch. Print that restart so it is visible in the switch output, and drop it from the "NOT restarting" list. Extend the user-activation-scripts test to assert the activation is only run once, and never killed. (cherry picked from commit 663a59e0b6d7575d7465ea0f03b6fa66f6298038) --- nixos/modules/system/activation/activation-script.nix | 3 +++ nixos/tests/switch-test.nix | 7 ++++--- nixos/tests/user-activation-scripts.nix | 8 ++++++++ pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs | 4 ++++ 4 files changed, 19 insertions(+), 3 deletions(-) diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix index 8fd274276a61..338fc1911c01 100644 --- a/nixos/modules/system/activation/activation-script.nix +++ b/nixos/modules/system/activation/activation-script.nix @@ -322,6 +322,9 @@ in description = "Run user-specific NixOS activation"; script = config.system.userActivationScripts.script; unitConfig.ConditionUser = "!@system"; + # switch-to-configuration restarts this explicitly on every switch. + restartIfChanged = false; + serviceConfig.RemainAfterExit = true; serviceConfig.Type = "oneshot"; wantedBy = [ "default.target" ]; }; diff --git a/nixos/tests/switch-test.nix b/nixos/tests/switch-test.nix index 4126645f59e0..256c25108593 100644 --- a/nixos/tests/switch-test.nix +++ b/nixos/tests/switch-test.nix @@ -1754,9 +1754,10 @@ in out = switch_to_specialisation("${machine}", "simpleUserService") user_systemctl("is-active usertest.service") - # No-op switch does nothing + # No-op switch leaves the test unit alone. out = switch_to_specialisation("${machine}", "simpleUserService") - assert_lacks(out, "user units:") + assert_lacks(out, "usertest.service") + assert_contains(out, "restarting the following user units: nixos-activation.service") # Modifying the unit stop-starts it (default stopIfChanged=true) out = switch_to_specialisation("${machine}", "simpleUserServiceModified") @@ -1773,7 +1774,7 @@ in # reloadIfChanged=true reloads instead out = switch_to_specialisation("${machine}", "simpleUserServiceReload") assert_lacks(out, "stopping the following user units:") - assert_lacks(out, "restarting the following user units:") + assert_lacks(out, "restarting the following user units: usertest.service") assert_contains(out, "reloading the following user units: usertest.service") user_systemctl("is-active usertest.service") diff --git a/nixos/tests/user-activation-scripts.nix b/nixos/tests/user-activation-scripts.nix index e8ea2d05c465..8e29a0ab3ae1 100644 --- a/nixos/tests/user-activation-scripts.nix +++ b/nixos/tests/user-activation-scripts.nix @@ -13,6 +13,7 @@ isNormalUser = true; }; systemd.user.tmpfiles.users.alice.rules = [ "r %h/file-to-remove" ]; + specialisation.changed.configuration.system.userActivationScripts.bar = "true"; }; testScript = '' @@ -36,5 +37,12 @@ machine.succeed("/run/current-system/bin/switch-to-configuration test") verify_user_activation_run_count(2) machine.succeed("[[ ! -f /home/alice/file-to-remove ]] || false") + # Activation must not be killed while running. + machine.fail("journalctl -b _SYSTEMD_USER_UNIT=nixos-activation.service | grep -q 'code=killed'") + + # Changed activation script: still exactly one run. + machine.succeed("/run/current-system/specialisation/changed/bin/switch-to-configuration test") + verify_user_activation_run_count(3) + machine.fail("journalctl -b _SYSTEMD_USER_UNIT=nixos-activation.service | grep -q 'code=killed'") ''; } diff --git a/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs b/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs index bebf3c46a4bf..20c80a50baa5 100644 --- a/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs +++ b/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs @@ -1486,6 +1486,9 @@ fn do_user_switch(parent_exe: String) -> anyhow::Result<()> { &mut units_to_filter, )?; + // Restarted unconditionally below; don't list it as skipped. + units_to_skip.remove("nixos-activation.service"); + let print_units = |verb: &str, units: &HashMap| { if units.is_empty() { return; @@ -1586,6 +1589,7 @@ fn do_user_switch(parent_exe: String) -> anyhow::Result<()> { // Toplevels with system.activatable = false do not ship this unit; mirror // the system scope's tolerance for a missing activate script. if new_unit_dir.join("nixos-activation.service").exists() { + eprintln!("restarting the following user units: nixos-activation.service"); match systemd.restart_unit("nixos-activation.service", "replace") { Ok(_) => { log::debug!("waiting for nixos activation to finish"); From 5b3d86380af47150cb635f84f73a8b26893c6729 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Sat, 16 May 2026 18:06:33 +0200 Subject: [PATCH 41/97] nixos/user-activation-scripts: refactor assert By using unittest's assertEqual you actually see how often the activation script was being run, i.e. the expected value. (cherry picked from commit 864a84d3e9dff8cbc24ebdadfd8fbae2d2b5e3b7) (cherry picked from commit b1a881edb95a7caa4b9afbf8114fa718e106dbe1) --- nixos/tests/user-activation-scripts.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/nixos/tests/user-activation-scripts.nix b/nixos/tests/user-activation-scripts.nix index 8e29a0ab3ae1..f43332af033f 100644 --- a/nixos/tests/user-activation-scripts.nix +++ b/nixos/tests/user-activation-scripts.nix @@ -18,8 +18,9 @@ testScript = '' def verify_user_activation_run_count(n): - machine.succeed( - '[[ "$(find /home/alice/ -name user-activation-ran.\\* | wc -l)" == %s ]]' % n + t.assertEqual( + n, + int(machine.succeed('find /home/alice/ -name user-activation-ran.\\* | wc -l').rstrip()) ) From 6c3ff740324716f92fba901032bd2511dd9af7f5 Mon Sep 17 00:00:00 2001 From: Paul Grandperrin Date: Tue, 26 May 2026 21:21:06 +0200 Subject: [PATCH 42/97] systemd: fix tmpfiles errors when mount is noatime fixes #520485 (cherry picked from commit d28f57cdff13598302f9cbebf024a02530893d03) --- pkgs/os-specific/linux/systemd/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index e589188a6099..a6dd663aef3c 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -5,6 +5,7 @@ pkgsCross, testers, fetchFromGitHub, + fetchpatch, buildPackages, makeBinaryWrapper, ninja, @@ -237,6 +238,13 @@ stdenv.mkDerivation (finalAttrs: { ./0003-add-rootprefix-to-lookup-dir-paths.patch ./0004-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch ./0005-core-don-t-taint-on-unmerged-usr.patch + + # TODO: remove the following patch when systemd v261 is released. + # see upstream PR: https://github.com/systemd/systemd/pull/41232 + (fetchpatch { + url = "https://github.com/systemd/systemd/commit/df45055942330fcd2b77389e449905e7f6ca34ec.patch"; + hash = "sha256-PDh4mP9rYGCglp25346nExU2v6P0WYPfLZgu+YwzZ9c="; + }) ] ++ lib.optionals (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isGnu) [ ./0006-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch From af26b2500da6c199b3eaebfbafe25d7227b430d8 Mon Sep 17 00:00:00 2001 From: Liam Murphy Date: Sun, 26 Apr 2026 12:09:41 +1000 Subject: [PATCH 43/97] openblas: 0.3.32 -> 0.3.33 This release fixes build failures for linbox on aarch64 (https://hydra.nixos.org/build/327030681, https://hydra.nixos.org/build/327030680); see https://github.com/OpenMathLib/OpenBLAS/issues/5763. (cherry picked from commit 2ba029a78e1fc8804152a62e4202215264554b6c) --- .../libraries/science/math/openblas/default.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pkgs/development/libraries/science/math/openblas/default.nix b/pkgs/development/libraries/science/math/openblas/default.nix index 6274578cfcdf..716d330c28e3 100644 --- a/pkgs/development/libraries/science/math/openblas/default.nix +++ b/pkgs/development/libraries/science/math/openblas/default.nix @@ -170,7 +170,7 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "openblas"; - version = "0.3.32"; + version = "0.3.33"; outputs = [ "out" @@ -181,7 +181,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "OpenMathLib"; repo = "OpenBLAS"; rev = "v${finalAttrs.version}"; - hash = "sha256-D0Wu5Ew72aTqSjj970yOfAwPg1T4Qm6zmpaGlQ/5Q1k="; + hash = "sha256-EArf0K2Gs+w8IRD5wkMOQv79e8yMoTgQfa9kzjXKn3Y="; }; patches = [ @@ -190,13 +190,13 @@ stdenv.mkDerivation (finalAttrs: { # INCLUDEDIR already fixed in upstream HEAD & significant refactor # to config gen so not PRing changes ./cmake-include-fixes.patch - # Fix build on LoongArch (error: '_Float16' is not supported on this target) + # This was an attempted fix for the below commit but still leaves some scipy tests failing. (fetchpatch { - url = "https://github.com/OpenMathLib/OpenBLAS/commit/7086a1b075ca317e12cfe79d40a32ad342a30496.patch"; - hash = "sha256-pA3HK2f2MJr/+h/uale7edIYk/KH194EscYFcsujPXY="; + url = "https://github.com/OpenMathLib/OpenBLAS/commit/e3ce4623c299068bbd47c35ee87aab334bac73b1.patch"; + revert = true; + hash = "sha256-WrP3RCDk/EbpqVOw9XGLnFI+6/bBGJTIrt2TRYGLVQ4="; }) # This commit led to miscompilation of certain ASIMD extensions code paths. - # There was an attempted fix in upstream but this still leaves some scipy tests failing. (fetchpatch { url = "https://github.com/OpenMathLib/OpenBLAS/commit/3f6e928d34aca977bd5d4191e6d2c2338a342.patch"; revert = true; From 5f1133b2f1e36b654119f042b8eaf9f16aff706c Mon Sep 17 00:00:00 2001 From: whispers Date: Tue, 26 May 2026 19:54:52 -0400 Subject: [PATCH 44/97] cargo: add patches for CVE-2026-5222 and CVE-2026-5223 Upstream pull request: https://github.com/rust-lang/cargo/pull/17031 Fixes: CVE-2026-5222, https://blog.rust-lang.org/2026/05/25/cve-2026-5222/ Fixes: CVE-2026-5223, https://blog.rust-lang.org/2026/05/25/cve-2026-5223/ Not-cherry-picked-because: master will get these fixes via the rust 1.96 upgrade on 2026-05-28 --- pkgs/development/compilers/rust/cargo.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/pkgs/development/compilers/rust/cargo.nix b/pkgs/development/compilers/rust/cargo.nix index a86e4a3d186d..7c3d4eb2a5e0 100644 --- a/pkgs/development/compilers/rust/cargo.nix +++ b/pkgs/development/compilers/rust/cargo.nix @@ -3,6 +3,7 @@ stdenv, pkgsHostHost, pkgsBuildBuild, + fetchpatch, file, curl, pkg-config, @@ -26,6 +27,23 @@ rustPlatform.buildRustPackage.override pname = "cargo"; inherit (rustc.unwrapped) version src; + patches = [ + (fetchpatch { + name = "CVE-2026-5222.patch"; + url = "https://github.com/rust-lang/cargo/commit/c4d63a44234de22dc745231c416b80ed848d997f.patch"; + stripLen = 1; + extraPrefix = "src/tools/cargo/"; + hash = "sha256-YG7xtC308z+o1xVzrV81qqWov1121GVouyAXKflyBF8="; + }) + (fetchpatch { + name = "CVE-2026-5223.patch"; + url = "https://github.com/rust-lang/cargo/commit/285cebf58911eca5b7f177f5d0b1c53e1f646577.patch"; + stripLen = 1; + extraPrefix = "src/tools/cargo/"; + hash = "sha256-DbmPQ31N4AIYZEBiwwGAn59hgPsFEVTzA6PrI071LXE="; + }) + ]; + # the rust source tarball already has all the dependencies vendored, no need to fetch them again cargoVendorDir = "vendor"; buildAndTestSubdir = "src/tools/cargo"; From 8d7f1c326fedc792e8e3cb12345f1cba1625537f Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Fri, 22 May 2026 01:30:05 +0000 Subject: [PATCH 45/97] libaec: 1.1.6 -> 1.1.7 (cherry picked from commit 6a792a71bfd22611ad167767298bee9244d5c339) --- pkgs/by-name/li/libaec/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libaec/package.nix b/pkgs/by-name/li/libaec/package.nix index c9824823b669..3b7b1768c93b 100644 --- a/pkgs/by-name/li/libaec/package.nix +++ b/pkgs/by-name/li/libaec/package.nix @@ -7,13 +7,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "libaec"; - version = "1.1.6"; + version = "1.1.7"; src = fetchFromGitHub { owner = "Deutsches-Klimarechenzentrum"; repo = "libaec"; tag = "v${finalAttrs.version}"; - hash = "sha256-cxDP+JNwokxgzH9hO2zw+rIcz8XG7E8ujbAbWpgUEW8="; + hash = "sha256-aBm+CXCq7sdJb6Qq9sNuTzNj0nRwTJI20HsqUg1Qi/8="; }; nativeBuildInputs = [ From 4940e8201b0b1a632f629256a28637d89764f39f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Mon, 25 May 2026 15:59:29 -0700 Subject: [PATCH 46/97] e2fsprogs: 1.47.3 -> 1.47.4 Changelog: https://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.47.4 (cherry picked from commit ec681ffc8f0d1277b5f5a19ad844c5a7d3fda2b1) --- pkgs/by-name/e2/e2fsprogs/package.nix | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/pkgs/by-name/e2/e2fsprogs/package.nix b/pkgs/by-name/e2/e2fsprogs/package.nix index ceb394b1c433..970ea64682c5 100644 --- a/pkgs/by-name/e2/e2fsprogs/package.nix +++ b/pkgs/by-name/e2/e2fsprogs/package.nix @@ -3,7 +3,6 @@ stdenv, buildPackages, fetchurl, - fetchpatch, pkg-config, libuuid, gettext, @@ -20,25 +19,15 @@ stdenv.mkDerivation rec { pname = "e2fsprogs"; - version = "1.47.3"; + version = "1.47.4"; __structuredAttrs = true; src = fetchurl { url = "mirror://kernel/linux/kernel/people/tytso/e2fsprogs/v${version}/e2fsprogs-${version}.tar.xz"; - hash = "sha256-hX5u+AD+qiu0V4+8gQIUvl08iLBy6lPFOEczqWVzcyk="; + hash = "sha256-/VvziMvb4Aaj07MY2YOylIOCRArMhah/Hn0QhlPo2ws="; }; - patches = [ - # Upstream patch that fixes musl build (and probably others). - # Should be included in next release after 1.47.3. - (fetchpatch { - name = "stdio-portability.patch"; - url = "https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/patch/?id=f79abd8554e600eacc2a7c864a8332b670c9e262"; - hash = "sha256-zZ7zmSMTwGyS3X3b/D/mVG0bV2ul5xtY5DJx9YUvQO8="; - }) - ]; - # fuse2fs adds 14mb of dependencies outputs = [ "bin" From 27504c8f0df600820cc88797834ab8c8a1011309 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 24 May 2026 19:24:27 -0700 Subject: [PATCH 47/97] libadwaita: 1.9.0 -> 1.9.1 Diff: https://gitlab.gnome.org/GNOME/libadwaita/-/compare/1.9.0...1.9.1 Changelog: https://gitlab.gnome.org/GNOME/libadwaita/-/blob/1.9.1/NEWS (cherry picked from commit d2a5f7f0cafe93df429883d62a6365ec7f4db78c) --- pkgs/by-name/li/libadwaita/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libadwaita/package.nix b/pkgs/by-name/li/libadwaita/package.nix index 0d1ed0da7e85..8f289c6e4977 100644 --- a/pkgs/by-name/li/libadwaita/package.nix +++ b/pkgs/by-name/li/libadwaita/package.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "libadwaita"; - version = "1.9.0"; + version = "1.9.1"; outputs = [ "out" @@ -37,7 +37,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "GNOME"; repo = "libadwaita"; tag = finalAttrs.version; - hash = "sha256-JAKP8CjLCKGZvHoB26ih/J3xAru4wiVf/ObG0L8r4pY="; + hash = "sha256-Oy3WcsymNbbmAacm5hEOrorI1wKXjSp063mh4jCJRAE="; }; depsBuildBuild = [ From 99cd697f9ff2c21f137236bf26955f510bd93b10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 26 May 2026 09:46:24 -0700 Subject: [PATCH 48/97] imagemagick: 7.1.2-23 -> 7.1.2-24 Diff: https://github.com/ImageMagick/ImageMagick/compare/7.1.2-23...7.1.2-24 Changelog: https://github.com/ImageMagick/Website/blob/main/ChangeLog.md (cherry picked from commit 4a101f0ce85487c821f8cd07e0a9715e4a1389d6) --- pkgs/by-name/im/imagemagick/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/im/imagemagick/package.nix b/pkgs/by-name/im/imagemagick/package.nix index bbf070eaac05..27f0acd0d16f 100644 --- a/pkgs/by-name/im/imagemagick/package.nix +++ b/pkgs/by-name/im/imagemagick/package.nix @@ -88,13 +88,13 @@ in stdenv.mkDerivation (finalAttrs: { pname = "imagemagick"; - version = "7.1.2-23"; + version = "7.1.2-24"; src = fetchFromGitHub { owner = "ImageMagick"; repo = "ImageMagick"; tag = finalAttrs.version; - hash = "sha256-zYk75q+EyWq5g/AHFU6v8a7gye0aDAEe/ZZvjqR9ZTc="; + hash = "sha256-oSH0dsQ3cuFNYJIIr6LHbv82FbFxxcmkjQ5csTNsYCA="; }; outputs = [ From 9ea380a822df127898e92ebe6c5af1b8c8cff4e0 Mon Sep 17 00:00:00 2001 From: Doron Behar Date: Tue, 26 May 2026 20:58:30 +0300 Subject: [PATCH 49/97] curl: set structuredAttrs (cherry picked from commit 160ca6558e44577004c7660a41e6cf50557d7661) --- pkgs/by-name/cu/curlMinimal/package.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/by-name/cu/curlMinimal/package.nix b/pkgs/by-name/cu/curlMinimal/package.nix index 3bc05f122f6e..37ebfe7398bf 100644 --- a/pkgs/by-name/cu/curlMinimal/package.nix +++ b/pkgs/by-name/cu/curlMinimal/package.nix @@ -115,6 +115,7 @@ stdenv.mkDerivation (finalAttrs: { enableParallelBuilding = true; strictDeps = true; + __structuredAttrs = true; env = { CXX = "${stdenv.cc.targetPrefix}c++"; From 546ea47450680b3f5aa4947632d7937d6997d873 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 26 May 2026 14:10:04 -0700 Subject: [PATCH 50/97] fftw: 3.3.10 -> 3.3.11 Changelog: https://github.com/FFTW/fftw3/blob/fftw-3.3.11/NEWS (cherry picked from commit 07e44fb25f474a24adf65c976ff72677ad637a4a) --- pkgs/by-name/ff/fftw/package.nix | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/pkgs/by-name/ff/fftw/package.nix b/pkgs/by-name/ff/fftw/package.nix index 0d9736335f68..a706799bf693 100644 --- a/pkgs/by-name/ff/fftw/package.nix +++ b/pkgs/by-name/ff/fftw/package.nix @@ -1,6 +1,5 @@ { fetchurl, - fetchpatch, stdenv, lib, gfortran, @@ -22,24 +21,16 @@ assert lib.elem precision [ stdenv.mkDerivation (finalAttrs: { pname = "fftw-${precision}"; - version = "3.3.10"; + version = "3.3.11"; src = fetchurl { urls = [ "https://fftw.org/fftw-${finalAttrs.version}.tar.gz" "ftp://ftp.fftw.org/pub/fftw/fftw-${finalAttrs.version}.tar.gz" ]; - hash = "sha256-VskyVJhSzdz6/as4ILAgDHdCZ1vpIXnlnmIVs0DiZGc="; + hash = "sha256-VjDCTN6zOxMWEvfrSxqZNCNHVPnziP+GF0WNC+byOaE="; }; - patches = [ - (fetchpatch { - name = "remove_missing_FFTW3LibraryDepends.patch"; - url = "https://github.com/FFTW/fftw3/pull/338/commits/f69fef7aa546d4477a2a3fd7f13fa8b2f6c54af7.patch"; - hash = "sha256-lzX9kAHDMY4A3Td8necXwYLcN6j8Wcegi3A7OIECKeU="; - }) - ]; - outputs = [ "out" "dev" @@ -107,6 +98,7 @@ stdenv.mkDerivation (finalAttrs: { __structuredAttrs = true; meta = { + changelog = "https://github.com/FFTW/fftw3/blob/fftw-${finalAttrs.version}/NEWS"; description = "Fastest Fourier Transform in the West library"; homepage = "https://www.fftw.org/"; license = lib.licenses.gpl2Plus; From 9b7ecc0f419bbf49100a5388f3eab9451c599c1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 24 May 2026 01:44:16 +0200 Subject: [PATCH 51/97] glfw3: add dev output to get rid of libglvnd dev output (cherry picked from commit f1e4abfccd1b56d11e14dc7b3420756fc4d121d1) --- pkgs/by-name/gl/glfw3/package.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/by-name/gl/glfw3/package.nix b/pkgs/by-name/gl/glfw3/package.nix index 31eb1b0af49e..711406030b70 100644 --- a/pkgs/by-name/gl/glfw3/package.nix +++ b/pkgs/by-name/gl/glfw3/package.nix @@ -34,6 +34,11 @@ stdenv.mkDerivation { pname = "glfw${lib.optionalString withMinecraftPatch "-minecraft"}"; inherit version; + outputs = [ + "out" + "dev" + ]; + src = fetchFromGitHub { owner = "glfw"; repo = "GLFW"; From 87aae16c78154ea23b8021d3c38538b8288de95b Mon Sep 17 00:00:00 2001 From: Lisanna Dettwyler Date: Fri, 6 Mar 2026 11:06:41 -0500 Subject: [PATCH 52/97] rsync: skip chgrp test This test fails when built in a chroot store. Signed-off-by: Lisanna Dettwyler (cherry picked from commit 9d229c780ed441cda7dcf943718cc8aa3aa53492) --- pkgs/applications/networking/sync/rsync/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/applications/networking/sync/rsync/default.nix b/pkgs/applications/networking/sync/rsync/default.nix index ddfb056d101c..ab771e3c5057 100644 --- a/pkgs/applications/networking/sync/rsync/default.nix +++ b/pkgs/applications/networking/sync/rsync/default.nix @@ -80,6 +80,11 @@ stdenv.mkDerivation rec { passthru.tests = { inherit (nixosTests) rsyncd; }; + # Test fails when built in a chroot store + preCheck = '' + rm testsuite/chgrp.test + ''; + doCheck = true; __darwinAllowLocalNetworking = true; From 70c873b54906f9d82f329a6f6e5679ca180e0933 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 3 May 2026 11:17:29 -0700 Subject: [PATCH 53/97] python3Packages.mistune: 3.2.0 -> 3.2.1 Diff: https://github.com/lepture/mistune/compare/v3.2.0...v3.2.1 Changelog: https://github.com/lepture/mistune/blob/v3.2.1/docs/changes.rst (cherry picked from commit efdf5458bd1bbff0bb38dba4b05ac1766ecd9590) --- pkgs/development/python-modules/mistune/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/mistune/default.nix b/pkgs/development/python-modules/mistune/default.nix index a130857e1a71..8cdfa4023ded 100644 --- a/pkgs/development/python-modules/mistune/default.nix +++ b/pkgs/development/python-modules/mistune/default.nix @@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "mistune"; - version = "3.2.0"; + version = "3.2.1"; pyproject = true; src = fetchFromGitHub { owner = "lepture"; repo = "mistune"; tag = "v${version}"; - hash = "sha256-rUEZNVuMT5+GsMakrkK6rshKSKtTTN72kK92AmQ8bl8="; + hash = "sha256-8AEEh/SWAk/Esq0jAoZGLw1FIQUw6C5Xq8CgnI2fjv0="; }; build-system = [ setuptools ]; From b63badda2293d801ec9e59867c4db91458b90a61 Mon Sep 17 00:00:00 2001 From: dish Date: Wed, 20 May 2026 09:46:01 -0400 Subject: [PATCH 54/97] rsync: 3.4.1 -> 3.4.3 https://download.samba.org/pub/rsync/NEWS.html#3.4.2 https://download.samba.org/pub/rsync/NEWS.html#3.4.3 (cherry picked from commit 6f04e4e7027cb6ecb7d696cacc31ef785a142021) --- .../networking/sync/rsync/default.nix | 22 ++++---- .../rsync/fix-tests-in-darwin-sandbox.patch | 56 ------------------- 2 files changed, 10 insertions(+), 68 deletions(-) delete mode 100644 pkgs/applications/networking/sync/rsync/fix-tests-in-darwin-sandbox.patch diff --git a/pkgs/applications/networking/sync/rsync/default.nix b/pkgs/applications/networking/sync/rsync/default.nix index ab771e3c5057..e6f2fba8748d 100644 --- a/pkgs/applications/networking/sync/rsync/default.nix +++ b/pkgs/applications/networking/sync/rsync/default.nix @@ -1,10 +1,10 @@ { lib, stdenv, - fetchpatch, fetchurl, updateAutotoolsGnuConfigScriptsHook, perl, + python3, libiconv, zlib, popt, @@ -23,23 +23,17 @@ stdenv.mkDerivation rec { pname = "rsync"; - version = "3.4.1"; + version = "3.4.3"; src = fetchurl { # signed with key 9FEF 112D CE19 A0DC 7E88 2CB8 1BB2 4997 A853 5F6F url = "mirror://samba/rsync/src/rsync-${version}.tar.gz"; - hash = "sha256-KSS8s6Hti1UfwQH3QLnw/gogKxFQJ2R89phQ1l/YjFI="; + hash = "sha256-xy5jyjAhy8gLqG7DAQJ3P0xWMfvEkrUudzs5WPgqU9M="; }; - patches = [ - # See: - ./fix-tests-in-darwin-sandbox.patch - # fix compilation with gcc15 - (fetchpatch { - url = "https://github.com/RsyncProject/rsync/commit/a4b926dcdce96b0f2cc0dc7744e95747b233500a.patch"; - hash = "sha256-UiEQJ+p2gtIDYNJqnxx4qKgItKIZzCpkHnvsgoxBmSE="; - }) - ]; + preBuild = '' + patchShebangs ./runtests.py + ''; nativeBuildInputs = [ updateAutotoolsGnuConfigScriptsHook @@ -80,6 +74,10 @@ stdenv.mkDerivation rec { passthru.tests = { inherit (nixosTests) rsyncd; }; + nativeCheckInputs = [ + python3 + ]; + # Test fails when built in a chroot store preCheck = '' rm testsuite/chgrp.test diff --git a/pkgs/applications/networking/sync/rsync/fix-tests-in-darwin-sandbox.patch b/pkgs/applications/networking/sync/rsync/fix-tests-in-darwin-sandbox.patch deleted file mode 100644 index d9209a97c1ed..000000000000 --- a/pkgs/applications/networking/sync/rsync/fix-tests-in-darwin-sandbox.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 9b104ed9859f17b6ed4c4ad01806c75a0c197dd7 Mon Sep 17 00:00:00 2001 -From: Emily -Date: Tue, 5 Aug 2025 15:55:24 +0100 -Subject: [PATCH] Allow `ls(1)` to fail in test setup - -This can happen when the tests are unable to `stat(2)` some files in -`/etc`, `/bin`, or `/`, due to Unix permissions or other sandboxing. We -still guard against serious errors, which use exit code 2. ---- - testsuite/longdir.test | 4 ++-- - testsuite/rsync.fns | 8 ++++---- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/testsuite/longdir.test b/testsuite/longdir.test -index 8d66bb5f..26747292 100644 ---- a/testsuite/longdir.test -+++ b/testsuite/longdir.test -@@ -16,9 +16,9 @@ makepath "$longdir" || test_skipped "unable to create long directory" - touch "$longdir/1" || test_skipped "unable to create files in long directory" - date > "$longdir/1" - if [ -r /etc ]; then -- ls -la /etc >"$longdir/2" -+ ls -la /etc >"$longdir/2" || [ $? -eq 1 ] - else -- ls -la / >"$longdir/2" -+ ls -la / >"$longdir/2" || [ $? -eq 1 ] - fi - checkit "$RSYNC --delete -avH '$fromdir/' '$todir'" "$fromdir/" "$todir" - -diff --git a/testsuite/rsync.fns b/testsuite/rsync.fns -index 2ab97b69..f7da363f 100644 ---- a/testsuite/rsync.fns -+++ b/testsuite/rsync.fns -@@ -195,15 +195,15 @@ hands_setup() { - echo some data > "$fromdir/dir/subdir/foobar.baz" - mkdir "$fromdir/dir/subdir/subsubdir" - if [ -r /etc ]; then -- ls -ltr /etc > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" -+ ls -ltr /etc > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" || [ $? -eq 1 ] - else -- ls -ltr / > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" -+ ls -ltr / > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" || [ $? -eq 1 ] - fi - mkdir "$fromdir/dir/subdir/subsubdir2" - if [ -r /bin ]; then -- ls -lt /bin > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" -+ ls -lt /bin > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" || [ $? -eq 1 ] - else -- ls -lt / > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" -+ ls -lt / > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" || [ $? -eq 1 ] - fi - - # echo testing head: --- -2.50.1 - From 0c2c70f0f3d87322253d3c9ed1912e0465397144 Mon Sep 17 00:00:00 2001 From: Jakob Klepp <1183303+truh@users.noreply.github.com> Date: Wed, 27 May 2026 17:02:22 +0200 Subject: [PATCH 55/97] nixos-rebuild-ng: use hash token in ControlPath Previously used token %n refers to the hostname which can be `too long for Unix domain socket` (cherry picked from commit da38ab0e39b94e1db1247cda2451946005ce9bf3) --- pkgs/by-name/ni/nixos-rebuild-ng/src/nixos_rebuild/process.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/by-name/ni/nixos-rebuild-ng/src/nixos_rebuild/process.py b/pkgs/by-name/ni/nixos-rebuild-ng/src/nixos_rebuild/process.py index 9f6baaa178a9..567cb87c429c 100644 --- a/pkgs/by-name/ni/nixos-rebuild-ng/src/nixos_rebuild/process.py +++ b/pkgs/by-name/ni/nixos-rebuild-ng/src/nixos_rebuild/process.py @@ -19,7 +19,7 @@ SSH_DEFAULT_OPTS: Final = [ "-o", "ControlMaster=auto", "-o", - f"ControlPath={tmpdir.TMPDIR_PATH / 'ssh-%n'}", + f"ControlPath={tmpdir.TMPDIR_PATH / 'ssh-%C'}", "-o", "ControlPersist=60", ] From 97dc0a920b756d88ce0d3d37ed8376eb8bdd2e25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 24 May 2026 21:34:13 -0700 Subject: [PATCH 56/97] at-spi2-core: 2.60.1 -> 2.60.4 (cherry picked from commit eb99a699438577d486d66e3d860c3ba67facbb1b) --- pkgs/by-name/at/at-spi2-core/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/at/at-spi2-core/package.nix b/pkgs/by-name/at/at-spi2-core/package.nix index dd5e8f9e4ce1..c20443184374 100644 --- a/pkgs/by-name/at/at-spi2-core/package.nix +++ b/pkgs/by-name/at/at-spi2-core/package.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "at-spi2-core"; - version = "2.60.1"; + version = "2.60.4"; outputs = [ "out" @@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "mirror://gnome/sources/at-spi2-core/${lib.versions.majorMinor finalAttrs.version}/at-spi2-core-${finalAttrs.version}.tar.xz"; - hash = "sha256-+ZuH48FnT1+8QXzJwdniYcDymqsFUK1jaYBQMdEvaFI="; + hash = "sha256-Gh9bqYBZF/QfxqpoI9z4h6KR1gekJ+LVr7a136ZQcMc="; }; nativeBuildInputs = [ From e5b3e52db386c03161a45b145328eb84dc5eb2bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 26 May 2026 13:41:00 -0700 Subject: [PATCH 57/97] ffmpeg_8: 8.1 -> 8.1.1 Changelog: https://github.com/FFmpeg/FFmpeg/blob/n8.1.1/Changelog (cherry picked from commit 91518f18f5de0f58d3cd532a8eeb227d78b5159f) --- pkgs/development/libraries/ffmpeg/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/ffmpeg/default.nix b/pkgs/development/libraries/ffmpeg/default.nix index cd003aecd13e..ca123f87b955 100644 --- a/pkgs/development/libraries/ffmpeg/default.nix +++ b/pkgs/development/libraries/ffmpeg/default.nix @@ -30,8 +30,8 @@ let hash = "sha256-1w4OSlz88D2pnZVXQcI4uyX+triNK0NXzlsyt7GGSLU="; }; v8 = { - version = "8.1"; - hash = "sha256-FdKhhCveEo5UodEoyUh3aBHABv3OT2VXmwBXE1ce3p0="; + version = "8.1.1"; + hash = "sha256-WPGfjTZjsgpR5QiANRWF4g6LF2ejGzFQUrLjhzw9cfQ="; }; in From 4b965d7e22e3f82c9e9c77dd51bdd70679f0a904 Mon Sep 17 00:00:00 2001 From: Marcin Serwin Date: Thu, 28 May 2026 17:22:46 +0200 Subject: [PATCH 58/97] nodejs: pin icu to newer version Not-cherry-picked-because: icu will be advanced globally on the unstable branch by https://github.com/NixOS/nixpkgs/pull/520553 Signed-off-by: Marcin Serwin --- pkgs/development/web/nodejs/nodejs.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/web/nodejs/nodejs.nix b/pkgs/development/web/nodejs/nodejs.nix index edcfdcae34a4..2c8f015391e4 100644 --- a/pkgs/development/web/nodejs/nodejs.nix +++ b/pkgs/development/web/nodejs/nodejs.nix @@ -47,7 +47,7 @@ uvwasi, zlib, zstd, - icu, + icu78, bash, ninja, pkgconf, @@ -274,7 +274,7 @@ let # that use bash wrappers, e.g. polaris-web. buildInputs = [ bash - icu + icu78 ] ++ builtins.attrValues sharedLibDeps; From 09c98d00a43ad8ed5420af2885ecc846fe71c9b1 Mon Sep 17 00:00:00 2001 From: Hythera <87016780+Hythera@users.noreply.github.com> Date: Mon, 25 May 2026 16:48:01 +0200 Subject: [PATCH 59/97] valkey: 9.0.4 -> 9.1.0 changelog: https://github.com/valkey-io/valkey/releases/tag/9.1.0 diff: https://github.com/valkey-io/valkey/compare/9.0.4...9.1.0 (cherry picked from commit 51f6d0a44cbf2051f267b101abd331b4fd372915) --- pkgs/by-name/va/valkey/package.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/by-name/va/valkey/package.nix b/pkgs/by-name/va/valkey/package.nix index 5898430b732d..b0b0c1065f4e 100644 --- a/pkgs/by-name/va/valkey/package.nix +++ b/pkgs/by-name/va/valkey/package.nix @@ -2,7 +2,6 @@ lib, stdenv, fetchFromGitHub, - fetchpatch, lua, jemalloc, pkg-config, @@ -25,13 +24,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "valkey"; - version = "9.0.4"; + version = "9.1.0"; src = fetchFromGitHub { owner = "valkey-io"; repo = "valkey"; rev = finalAttrs.version; - hash = "sha256-FDm6i6G6h9WapMTj7ke4YtOjZ4rwIJZGONunQi0v7CE="; + hash = "sha256-RMZz83fycpOTPWB1dIXU0/hdh4ZGC+6JhCws8htAQ5E="; }; patches = lib.optional useSystemJemalloc ./use_system_jemalloc.patch; @@ -94,13 +93,14 @@ stdenv.mkDerivation (finalAttrs: { fi # Skip some more flaky tests. - # Skip test requiring custom jemalloc (unit/memefficiency). + # Skip test requiring custom jemalloc (unit/memefficiency, unit/type/string). ./runtest \ --no-latency \ --timeout 2000 \ --clients "$CLIENTS" \ --tags -leaks \ --skipunit unit/memefficiency \ + --skipunit unit/type/string \ --skipunit integration/failover \ --skipunit integration/aof-multi-part From b8a547de99897e9ca171f207cfe9da97dadd5f87 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 28 May 2026 21:59:59 +0200 Subject: [PATCH 60/97] rust-cbindgen: 0.29.2 -> 0.29.3 https://github.com/mozilla/cbindgen/blob/v0.29.3/CHANGES (cherry picked from commit a2e41bb76c7f3b1fca68f135e4029254225c5aa9) --- pkgs/by-name/ru/rust-cbindgen/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/ru/rust-cbindgen/package.nix b/pkgs/by-name/ru/rust-cbindgen/package.nix index 14374532ff52..88bb855e800b 100644 --- a/pkgs/by-name/ru/rust-cbindgen/package.nix +++ b/pkgs/by-name/ru/rust-cbindgen/package.nix @@ -14,16 +14,16 @@ rustPlatform.buildRustPackage (finalAttrs: { pname = "rust-cbindgen"; - version = "0.29.2"; + version = "0.29.3"; src = fetchFromGitHub { owner = "mozilla"; repo = "cbindgen"; rev = "v${finalAttrs.version}"; - hash = "sha256-P2A+XSLrcuYsI48gnZSNNs5qX+EatiuEJSEJbMvMSxg="; + hash = "sha256-d0rY7Sk37s8HEZlQq9Sbjj1P+DgygD0Yjx8cXlFKEIA="; }; - cargoHash = "sha256-DbmlpjiOraLWPh5RgJqCIGIYzE1h82MH2S6gpLH+CIQ="; + cargoHash = "sha256-UeierkQpfCiB5ES9ZW9hO+0AcI9Ip8qSJ/Nd+I1xrmQ="; nativeCheckInputs = [ cmake From 379e54dd196bfd9aa89c5566cbc0878aa6e9cdca Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Mon, 18 May 2026 09:19:18 +0000 Subject: [PATCH 61/97] publicsuffix-list: 0-unstable-2026-03-26 -> 0-unstable-2026-05-13 (cherry picked from commit 963f597bc3ffcf2c03004e6df66537a0741b5036) --- pkgs/by-name/pu/publicsuffix-list/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/pu/publicsuffix-list/package.nix b/pkgs/by-name/pu/publicsuffix-list/package.nix index 72c500777df2..ea3f3d9fa1e4 100644 --- a/pkgs/by-name/pu/publicsuffix-list/package.nix +++ b/pkgs/by-name/pu/publicsuffix-list/package.nix @@ -7,13 +7,13 @@ stdenvNoCC.mkDerivation { pname = "publicsuffix-list"; - version = "0-unstable-2026-03-26"; + version = "0-unstable-2026-05-13"; src = fetchFromGitHub { owner = "publicsuffix"; repo = "list"; - rev = "d333b72b39575da1ce6932b01d7c421a4107c620"; - hash = "sha256-LWnvQrIyj+iq96T1u9WEq+HGOZ5sJYN5nCintEr6sBk="; + rev = "e452c7058d6946bd76952b128c12f5ce87a5acb8"; + hash = "sha256-5D4RZAyJOL4hMU32Rmp3SYmjgqEtF36mZJr4YBG0k7E="; }; dontBuild = true; From bd4354a482ba98e5912e25686242d4c99736bcc3 Mon Sep 17 00:00:00 2001 From: kuflierl <41301536+kuflierl@users.noreply.github.com> Date: Fri, 22 May 2026 01:28:43 +0200 Subject: [PATCH 62/97] libheif: 1.21.2 -> 1.22.2 (cherry picked from commit fd4f3737156ff8f2aa524f07771581c3b29ca103) --- pkgs/by-name/li/libheif/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libheif/package.nix b/pkgs/by-name/li/libheif/package.nix index 7d4912e77598..a24d7986b884 100644 --- a/pkgs/by-name/li/libheif/package.nix +++ b/pkgs/by-name/li/libheif/package.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "libheif"; - version = "1.21.2"; + version = "1.22.2"; outputs = [ "bin" @@ -38,7 +38,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "strukturag"; repo = "libheif"; rev = "v${finalAttrs.version}"; - hash = "sha256-odkJ0wZSGoZ7mX9fkaNREDpMvQuQA9HKaf3so1dYrbc="; + hash = "sha256-z5vTfZATfwDn8Zwqt3piS7PaOQQ3UG+u20sR6j+dsUg="; }; nativeBuildInputs = [ From 37bd922bf9ef88c748c37e1080bf458d861d110c Mon Sep 17 00:00:00 2001 From: kuflierl <41301536+kuflierl@users.noreply.github.com> Date: Thu, 28 May 2026 10:48:35 +0200 Subject: [PATCH 63/97] python3Packages.pillow-heif: disable tests that abuse spec and break in libheif 1.22.0, disable version check for libheif (cherry picked from commit 37ff020c2fefcccc4a354c0f8a193da9b700aea0) --- .../python-modules/pillow-heif/default.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/pkgs/development/python-modules/pillow-heif/default.nix b/pkgs/development/python-modules/pillow-heif/default.nix index eea442596817..cc00832bb662 100644 --- a/pkgs/development/python-modules/pillow-heif/default.nix +++ b/pkgs/development/python-modules/pillow-heif/default.nix @@ -77,6 +77,17 @@ buildPythonPackage rec { disabledTests = [ # Time sensitive speed test, not reproducible "test_decode_threads" + # Tests failing with libheif 1.22.0. To be removed in the next release + # https://github.com/bigcat88/pillow_heif/issues/424 + # these check what happens when the ispe is not valid + "test_numpy_array_invalid_ispe" + "test_allow_incorrect_headers" + "test_invalid_ispe_ok" + "test_invalid_ispe_allow" + "test_invalid_ispe_stride" + "test_invalid_ispe_stride_pillow" + # disable version check for libheif + "test_libheif_info" ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ # https://github.com/bigcat88/pillow_heif/issues/89 From 99edca13d244d3020cf906c5bf0a1cf5ff7e53a6 Mon Sep 17 00:00:00 2001 From: Sefa Eyeoglu Date: Thu, 21 May 2026 10:42:50 +0200 Subject: [PATCH 64/97] curl: backport performance patch https://github.com/curl/curl/commit/2a2104f3cff44bb28bb570a093be52bbeeed8f23 See https://curl.se/mail/distros-2026-05/0000.html Signed-off-by: Sefa Eyeoglu (cherry picked from commit 06028a8aa5018ac8e70ae8edaff5c7397143e08c) --- .../curlMinimal/fix-wakeup-consumption.patch | 32 +++++++++++++++++++ pkgs/by-name/cu/curlMinimal/package.nix | 7 ++++ 2 files changed, 39 insertions(+) create mode 100644 pkgs/by-name/cu/curlMinimal/fix-wakeup-consumption.patch diff --git a/pkgs/by-name/cu/curlMinimal/fix-wakeup-consumption.patch b/pkgs/by-name/cu/curlMinimal/fix-wakeup-consumption.patch new file mode 100644 index 000000000000..0bc04b60bb87 --- /dev/null +++ b/pkgs/by-name/cu/curlMinimal/fix-wakeup-consumption.patch @@ -0,0 +1,32 @@ +From 2a2104f3cff44bb28bb570a093be52bbeeed8f23 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Mon, 11 May 2026 14:56:04 +0200 +Subject: [PATCH] event: fix wakeup consumption + +The events on a multi wakeup socketpair were only consumed via +curl_multi_poll()/curl_multi_wait() but not in event based processing on +a curl_multi_socket() call. That led to busy loops as reported in + +Fixes #21547 +Reported-by: Earnestly on github +Closes #21549 +--- + lib/multi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/multi.c b/lib/multi.c +index be32740a7097..5e84133f13fd 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -2703,6 +2703,11 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + Curl_uint32_bset_remove(&multi->dirty, data->mid); + + if(data == multi->admin) { ++#ifdef ENABLE_WAKEUP ++ /* Consume any pending wakeup signals before processing. ++ * This is necessary for event based processing. See #21547 */ ++ (void)Curl_wakeup_consume(multi->wakeup_pair, TRUE); ++#endif + #ifdef USE_RESOLV_THREADED + Curl_async_thrdd_multi_process(multi); + #endif diff --git a/pkgs/by-name/cu/curlMinimal/package.nix b/pkgs/by-name/cu/curlMinimal/package.nix index 37ebfe7398bf..dc50ca16529f 100644 --- a/pkgs/by-name/cu/curlMinimal/package.nix +++ b/pkgs/by-name/cu/curlMinimal/package.nix @@ -96,6 +96,13 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-Y/4twUi6DOromSLvg49+XJRicsLni3xZ+rS3nTziuJY="; }; + patches = [ + # https://github.com/curl/curl/commit/2a2104f3cff44bb28bb570a093be52bbeeed8f23 + # According to , this fixes + # a performance regression, causing high CPU usage + ./fix-wakeup-consumption.patch + ]; + # this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion # necessary for FreeBSD code path in configure postPatch = '' From cebcbaab7a6e5fc72132855f96f3f81ebd567df5 Mon Sep 17 00:00:00 2001 From: Michael Daniels Date: Fri, 29 May 2026 21:35:29 -0400 Subject: [PATCH 65/97] gnupatch: disable flaky test Fixes #525260 (cherry picked from commit 64ae7d0e374a774bb78520e6b0f320e804317d70) --- pkgs/tools/text/gnupatch/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/text/gnupatch/default.nix b/pkgs/tools/text/gnupatch/default.nix index 99a801c4cc8e..188ac323543f 100644 --- a/pkgs/tools/text/gnupatch/default.nix +++ b/pkgs/tools/text/gnupatch/default.nix @@ -15,8 +15,10 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-+Hzuae7CtPy/YKOWsDCtaqNBXxkqpffuhMrV4R9/WuM="; }; - # This test is filesystem-dependent - observed failing on ZFS - postPatch = lib.optionalString stdenv.hostPlatform.isFreeBSD '' + # This test is filesystem-dependent - observed failing on ZFS. + # It is also just plain flaky: it has been observed failing about 10% + # of the time on btrfs and ext4 too. + postPatch = '' sed -E -i -e '/bad-filenames/d' tests/Makefile.am ''; From dd4bec621ddd03146588e9c9f10af9da36486ad9 Mon Sep 17 00:00:00 2001 From: Marcus Ramberg Date: Sat, 30 May 2026 17:00:51 +0200 Subject: [PATCH 66/97] perlPackages.HTTPDaemon: 6.16 -> 6.17 (cherry picked from commit 6faf86656418e44e9936417490163cb95b3c45e5) --- pkgs/top-level/perl-packages.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix index 78b55a3f2817..d6da2712c7d7 100644 --- a/pkgs/top-level/perl-packages.nix +++ b/pkgs/top-level/perl-packages.nix @@ -16650,12 +16650,12 @@ with self; }; }; - HTTPDaemon = buildPerlPackage { + HTTPDaemon = buildPerlModule { pname = "HTTP-Daemon"; - version = "6.16"; + version = "6.17"; src = fetchurl { - url = "mirror://cpan/authors/id/O/OA/OALDERS/HTTP-Daemon-6.16.tar.gz"; - hash = "sha256-s40JJyXm+k4MTcKkfhVwcEkbr6Db4Wx4o1joBqp+Fz0="; + url = "mirror://cpan/authors/id/O/OA/OALDERS/HTTP-Daemon-6.17.tar.gz"; + hash = "sha256-FigVgMQOIxCNAoQ0aYtdfVNje/kEyd+CJIHiU8vskgw="; }; buildInputs = [ ModuleBuildTiny From 6910e98a97602753d814b6a3f0877baa9bd7561c Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Sun, 31 May 2026 21:03:00 +0100 Subject: [PATCH 67/97] sdl3: 3.4.8 -> 3.4.10 Changes: https://github.com/libsdl-org/SDL/releases/tag/release-3.4.10 (cherry picked from commit 29533d61c20a8014b1a24f002441ade41cad28b8) --- pkgs/by-name/sd/sdl3/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/sd/sdl3/package.nix b/pkgs/by-name/sd/sdl3/package.nix index 033f865c4708..8d6aae36cf64 100644 --- a/pkgs/by-name/sd/sdl3/package.nix +++ b/pkgs/by-name/sd/sdl3/package.nix @@ -70,7 +70,7 @@ assert lib.assertMsg (ibusSupport -> dbusSupport) "SDL3 requires dbus support to stdenv.mkDerivation (finalAttrs: { pname = "sdl3"; - version = "3.4.8"; + version = "3.4.10"; outputs = [ "lib" @@ -83,7 +83,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "libsdl-org"; repo = "SDL"; tag = "release-${finalAttrs.version}"; - hash = "sha256-uBGyGxrUVx642Ku8qhR2sTy2JagcSioIhh/5RsXVAIM="; + hash = "sha256-6Dph2eLiJUmpQzPWe8EuY5LrWhrFwde2f2dwfgCcWNw="; }; postPatch = From 5787be340983685f7490e1b46bdca5896ae1746d Mon Sep 17 00:00:00 2001 From: winston Date: Mon, 1 Jun 2026 02:49:17 +0200 Subject: [PATCH 68/97] sdl3: increase test timeout for testrwlock (cherry picked from commit 07bc3407475405b03836980665277d31bfcb4b75) --- pkgs/by-name/sd/sdl3/package.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/pkgs/by-name/sd/sdl3/package.nix b/pkgs/by-name/sd/sdl3/package.nix index 033f865c4708..f2a18f9f6590 100644 --- a/pkgs/by-name/sd/sdl3/package.nix +++ b/pkgs/by-name/sd/sdl3/package.nix @@ -87,10 +87,17 @@ stdenv.mkDerivation (finalAttrs: { }; postPatch = - # Tests timeout on Darwin lib.optionalString (finalAttrs.finalPackage.doCheck) '' + # Tests timeout on Darwin substituteInPlace test/CMakeLists.txt \ --replace-fail 'set(noninteractive_timeout 10)' 'set(noninteractive_timeout 30)' + + # intermittent test failure + # https://github.com/libsdl-org/SDL/issues/15346 + substituteInPlace test/CMakeLists.txt \ + --replace-fail \ + 'add_sdl_test_executable(testrwlock SOURCES testrwlock.c NONINTERACTIVE NONINTERACTIVE_TIMEOUT 20)' \ + 'add_sdl_test_executable(testrwlock SOURCES testrwlock.c NONINTERACTIVE NONINTERACTIVE_TIMEOUT 300)' '' + lib.optionalString waylandSupport '' substituteInPlace src/dialog/unix/SDL_zenitymessagebox.c \ From 570daf3d1c3b06ee4b9d96afc01536596b78d34a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Silva?= Date: Fri, 29 May 2026 10:01:50 +0100 Subject: [PATCH 69/97] rustPlatform.fetchCargoVendor: remove duplicate fetcher (cherry picked from commit ddda3ed831d0d9f26f2fb446f8986b2c2fae4bc2) --- .../rust/fetch-cargo-vendor-util-v2.py | 416 ------------------ .../rust/fetch-cargo-vendor-util.py | 5 +- .../build-support/rust/fetch-cargo-vendor.nix | 39 +- 3 files changed, 18 insertions(+), 442 deletions(-) delete mode 100644 pkgs/build-support/rust/fetch-cargo-vendor-util-v2.py diff --git a/pkgs/build-support/rust/fetch-cargo-vendor-util-v2.py b/pkgs/build-support/rust/fetch-cargo-vendor-util-v2.py deleted file mode 100644 index 5dc789c93ad9..000000000000 --- a/pkgs/build-support/rust/fetch-cargo-vendor-util-v2.py +++ /dev/null @@ -1,416 +0,0 @@ -import functools -import hashlib -import json -import multiprocessing as mp -import re -import shutil -import subprocess -import sys -import tomllib -from os.path import islink, realpath -from pathlib import Path -from typing import Any, TypedDict, cast -from urllib.parse import unquote - -import requests -import tomli_w -from requests.adapters import HTTPAdapter, Retry - -eprint = functools.partial(print, file=sys.stderr) - - -def load_toml(path: Path) -> dict[str, Any]: - with open(path, "rb") as f: - return tomllib.load(f) - - -def get_lockfile_version(cargo_lock_toml: dict[str, Any]) -> int: - # lockfile v1 and v2 don't have the `version` key, so assume v2 - version = cargo_lock_toml.get("version", 2) - - # TODO: add logic for differentiating between v1 and v2 - - return version - - -def create_http_session() -> requests.Session: - retries = Retry( - total=5, - backoff_factor=0.5, - status_forcelist=[500, 502, 503, 504] - ) - session = requests.Session() - session.headers["User-Agent"] = "nixpkgs-fetchCargoVendor/2 (https://github.com/NixOS/nixpkgs)" - session.mount('http://', HTTPAdapter(max_retries=retries)) - session.mount('https://', HTTPAdapter(max_retries=retries)) - return session - - -def download_file_with_checksum(session: requests.Session, url: str, destination_path: Path) -> str: - sha256_hash = hashlib.sha256() - with session.get(url, stream=True) as response: - if not response.ok: - raise Exception(f"Failed to fetch file from {url}. Status code: {response.status_code}") - with open(destination_path, "wb") as file: - for chunk in response.iter_content(1024): # Download in chunks - if chunk: # Filter out keep-alive chunks - file.write(chunk) - sha256_hash.update(chunk) - - # Compute the final checksum - checksum = sha256_hash.hexdigest() - return checksum - - -def get_download_url_for_tarball(pkg: dict[str, Any]) -> str: - # TODO: support other registries - # maybe fetch config.json from the registry root and get the dl key - # See: https://doc.rust-lang.org/cargo/reference/registry-index.html#index-configuration - if pkg["source"] != "registry+https://github.com/rust-lang/crates.io-index": - raise Exception("Only the default crates.io registry is supported.") - - # Use static.crates.io (CDN) instead of crates.io/api to avoid the 1 req/sec - # rate limit on the API servers. - return f"https://static.crates.io/crates/{pkg["name"]}/{pkg["version"]}/download" - - -def download_tarball(session: requests.Session, pkg: dict[str, Any], out_dir: Path) -> None: - - url = get_download_url_for_tarball(pkg) - filename = f"{pkg["name"]}-{pkg["version"]}.tar.gz" - - # TODO: allow legacy checksum specification, see importCargoLock for example - # also, don't forget about the other usage of the checksum - expected_checksum = pkg["checksum"] - - tarball_out_dir = out_dir / "tarballs" / filename - eprint(f"Fetching {url} -> tarballs/{filename}") - - calculated_checksum = download_file_with_checksum(session, url, tarball_out_dir) - - if calculated_checksum != expected_checksum: - raise Exception(f"Hash mismatch! File fetched from {url} had checksum {calculated_checksum}, expected {expected_checksum}.") - - -def download_git_tree(url: str, git_sha_rev: str, out_dir: Path) -> None: - - tree_out_dir = out_dir / "git" / git_sha_rev - eprint(f"Fetching {url}#{git_sha_rev} -> git/{git_sha_rev}") - - cmd = ["nix-prefetch-git", "--builder", "--quiet", "--fetch-submodules", "--url", url, "--rev", git_sha_rev, "--out", str(tree_out_dir)] - subprocess.check_output(cmd) - - -GIT_SOURCE_REGEX = re.compile("git\\+(?P[^?]+)(\\?(?Prev|tag|branch)=(?P.*))?#(?P.*)") - - -class GitSourceInfo(TypedDict): - url: str - type: str | None - value: str | None - git_sha_rev: str - - -def parse_git_source(source: str, lockfile_version: int) -> GitSourceInfo: - match = GIT_SOURCE_REGEX.match(source) - if match is None: - raise Exception(f"Unable to process git source: {source}.") - - source_info = cast(GitSourceInfo, match.groupdict(default=None)) - - # the source URL is URL-encoded in lockfile_version >=4 - # since we just used regex to parse it we have to manually decode the escaped branch/tag name - if lockfile_version >= 4 and source_info["value"] is not None: - source_info["value"] = unquote(source_info["value"]) - - return source_info - - -def create_vendor_staging(lockfile_path: Path, out_dir: Path) -> None: - cargo_lock_toml = load_toml(lockfile_path) - lockfile_version = get_lockfile_version(cargo_lock_toml) - - git_packages: list[dict[str, Any]] = [] - registry_packages: list[dict[str, Any]] = [] - - for pkg in cargo_lock_toml["package"]: - # ignore local dependenices - if "source" not in pkg.keys(): - eprint(f"Skipping local dependency: {pkg["name"]}") - continue - source = pkg["source"] - - if source.startswith("git+"): - git_packages.append(pkg) - elif source.startswith("registry+"): - registry_packages.append(pkg) - else: - raise Exception(f"Can't process source: {source}.") - - git_sha_rev_to_url: dict[str, str] = {} - for pkg in git_packages: - source_info = parse_git_source(pkg["source"], lockfile_version) - git_sha_rev_to_url[source_info["git_sha_rev"]] = source_info["url"] - - out_dir.mkdir(exist_ok=True) - shutil.copy(lockfile_path, out_dir / "Cargo.lock") - - # fetch git trees sequentially, since fetching concurrently leads to flaky behaviour - if len(git_packages) != 0: - (out_dir / "git").mkdir() - for git_sha_rev, url in git_sha_rev_to_url.items(): - download_git_tree(url, git_sha_rev, out_dir) - - # run tarball download jobs in parallel, with at most 5 concurrent download jobs - with mp.Pool(min(5, mp.cpu_count())) as pool: - if len(registry_packages) != 0: - (out_dir / "tarballs").mkdir() - session = create_http_session() - tarball_args_gen = ((session, pkg, out_dir) for pkg in registry_packages) - pool.starmap(download_tarball, tarball_args_gen) - - -def get_manifest_metadata(manifest_path: Path) -> dict[str, Any]: - cmd = ["cargo", "metadata", "--format-version", "1", "--no-deps", "--manifest-path", str(manifest_path)] - output = subprocess.check_output(cmd) - return json.loads(output) - - -def try_get_crate_manifest_path_from_manifest_path(manifest_path: Path, crate_name: str) -> Path | None: - try: - metadata = get_manifest_metadata(manifest_path) - except subprocess.CalledProcessError: - eprint(f"Warning: cargo metadata failed for {manifest_path}, skipping") - return None - - for pkg in metadata["packages"]: - if pkg["name"] == crate_name: - return Path(pkg["manifest_path"]) - - return None - - -def find_crate_manifest_in_tree(tree: Path, crate_name: str) -> Path: - # Scan all Cargo.toml files; sort by depth/path to make ordering deterministic - # and prefer less-nested manifests first. - manifest_paths = sorted( - tree.glob("**/Cargo.toml"), - key=lambda path: (len(path.parts), str(path)), - ) - - for manifest_path in manifest_paths: - res = try_get_crate_manifest_path_from_manifest_path(manifest_path, crate_name) - if res is not None: - return res - - raise Exception(f"Couldn't find manifest for crate {crate_name} inside {tree}.") - - -def copy_and_patch_git_crate_subtree(git_tree: Path, crate_name: str, crate_out_dir: Path) -> None: - - # This function will get called by copytree to decide which entries of a directory should be copied - # We'll copy everything except symlinks that are invalid - def ignore_func(dir_str: str, path_strs: list[str]) -> list[str]: - ignorelist: list[str] = [] - - dir = Path(realpath(dir_str, strict=True)) - - for path_str in path_strs: - path = dir / path_str - if not islink(path): - continue - - # Filter out cyclic symlinks and symlinks pointing at nonexistant files - try: - target_path = Path(realpath(path, strict=True)) - except OSError: - ignorelist.append(path_str) - eprint(f"Failed to resolve symlink, ignoring: {path}") - continue - - # Filter out symlinks that point outside of the current crate's base git tree - # This can be useful if the nix build sandbox is turned off and there is a symlink to a common absolute path - if not target_path.is_relative_to(git_tree): - ignorelist.append(path_str) - eprint(f"Symlink points outside of the crate's base git tree, ignoring: {path} -> {target_path}") - continue - - return ignorelist - - crate_manifest_path = find_crate_manifest_in_tree(git_tree, crate_name) - crate_tree = crate_manifest_path.parent - - eprint(f"Copying to {crate_out_dir}") - shutil.copytree(crate_tree, crate_out_dir, ignore=ignore_func) - crate_out_dir.chmod(0o755) - - with open(crate_manifest_path, "r") as f: - manifest_data = f.read() - - if "workspace" in manifest_data: - crate_manifest_metadata = get_manifest_metadata(crate_manifest_path) - workspace_root = Path(crate_manifest_metadata["workspace_root"]) - - root_manifest_path = workspace_root / "Cargo.toml" - manifest_path = crate_out_dir / "Cargo.toml" - - manifest_path.chmod(0o644) - eprint(f"Patching {manifest_path}") - - cmd = ["replace-workspace-values", str(manifest_path), str(root_manifest_path)] - subprocess.check_output(cmd) - - -def extract_crate_tarball_contents(tarball_path: Path, crate_out_dir: Path) -> None: - eprint(f"Unpacking to {crate_out_dir}") - crate_out_dir.mkdir() - cmd = ["tar", "xf", str(tarball_path), "-C", str(crate_out_dir), "--strip-components=1"] - subprocess.check_output(cmd) - - -def make_git_source_selector(source_info: GitSourceInfo) -> dict[str, str]: - selector = {} - selector["git"] = source_info["url"] - if source_info["type"] is not None: - selector[source_info["type"]] = source_info["value"] - return selector - - -def make_registry_source_selector(source: str) -> dict[str, str]: - registry = source[9:] if source.startswith("registry+") else source - selector = {} - selector["registry"] = registry - return selector - - -def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None: - lockfile_path = vendor_staging_dir / "Cargo.lock" - out_dir.mkdir(exist_ok=True) - shutil.copy(lockfile_path, out_dir / "Cargo.lock") - - cargo_lock_toml = load_toml(lockfile_path) - lockfile_version = get_lockfile_version(cargo_lock_toml) - - source_to_ind: dict[str, str] = {} - source_config = {} - next_registry_ind = 0 - next_git_ind = 0 - - def add_source_replacement( - orig_key: str, - orig_selector: dict[str, str], - vendored_key: str, - vendored_dir: str - ) -> None: - source_config[vendored_key] = {} - source_config[vendored_key]["directory"] = vendored_dir - source_config[orig_key] = orig_selector - source_config[orig_key]["replace-with"] = vendored_key - - # we reserve registry index 0 for crates-io - source_to_ind["registry+https://github.com/rust-lang/crates.io-index"] = "registry-0" - source_to_ind["sparse+https://index.crates.io/"] = "registry-0" - add_source_replacement( - orig_key="crates-io", - orig_selector={}, # there is an internal selector defined for the `crates-io` source - vendored_key="vendored-source-registry-0", - vendored_dir="@vendor@/source-registry-0" - ) - next_registry_ind += 1 - - for pkg in cargo_lock_toml["package"]: - # ignore local dependencies - if "source" not in pkg.keys(): - continue - source: str = pkg["source"] - if source in source_to_ind: - continue - - if source.startswith("git+"): - ind = f"git-{next_git_ind}" - next_git_ind += 1 - source_info = parse_git_source(source, lockfile_version) - selector = make_git_source_selector(source_info) - elif source.startswith("registry+") or source.startswith("sparse+"): - ind = f"registry-{next_registry_ind}" - next_registry_ind += 1 - selector = make_registry_source_selector(source) - else: - raise Exception(f"Can't process source: {source}.") - - source_to_ind[source] = ind - add_source_replacement( - orig_key=f"original-source-{ind}", - orig_selector=selector, - vendored_key=f"vendored-source-{ind}", - vendored_dir=f"@vendor@/source-{ind}" - ) - - config_path = out_dir / ".cargo" / "config.toml" - config_path.parent.mkdir() - - with open(config_path, "wb") as config_file: - tomli_w.dump({"source": source_config}, config_file) - - for pkg in cargo_lock_toml["package"]: - - # ignore local dependenices - if "source" not in pkg.keys(): - continue - - source: str = pkg["source"] - source_ind = source_to_ind[source] - crate_dir_name = f"{pkg["name"]}-{pkg["version"]}" - source_dir_name = f"source-{source_ind}" - crate_out_dir = out_dir / source_dir_name / crate_dir_name - crate_out_dir.parent.mkdir(exist_ok=True) - - if source.startswith("git+"): - - source_info = parse_git_source(source, lockfile_version) - - git_sha_rev = source_info["git_sha_rev"] - git_tree = vendor_staging_dir / "git" / git_sha_rev - - copy_and_patch_git_crate_subtree(git_tree, pkg["name"], crate_out_dir) - - # git based crates allow having no checksum information - with open(crate_out_dir / ".cargo-checksum.json", "w") as f: - json.dump({"files": {}}, f) - - elif source.startswith("registry+") or source.startswith("sparse+"): - filename = f"{pkg["name"]}-{pkg["version"]}.tar.gz" - - # TODO: change this when non-crates-io registries are supported - dir_name = "tarballs" - - tarball_path = vendor_staging_dir / dir_name / filename - - extract_crate_tarball_contents(tarball_path, crate_out_dir) - - # non-git based crates need the package checksum at minimum - with open(crate_out_dir / ".cargo-checksum.json", "w") as f: - json.dump({"files": {}, "package": pkg["checksum"]}, f) - - else: - raise Exception(f"Can't process source: {source}.") - - -def main() -> None: - subcommand = sys.argv[1] - - subcommand_func_dict = { - "create-vendor-staging": lambda: create_vendor_staging(lockfile_path=Path(sys.argv[2]), out_dir=Path(sys.argv[3])), - "create-vendor": lambda: create_vendor(vendor_staging_dir=Path(sys.argv[2]), out_dir=Path(sys.argv[3])) - } - - subcommand_func = subcommand_func_dict.get(subcommand) - - if subcommand_func is None: - raise Exception(f"Unknown subcommand: '{subcommand}'. Must be one of {list(subcommand_func_dict.keys())}") - - subcommand_func() - - -if __name__ == "__main__": - main() diff --git a/pkgs/build-support/rust/fetch-cargo-vendor-util.py b/pkgs/build-support/rust/fetch-cargo-vendor-util.py index 3bee7e150c8e..5dc789c93ad9 100644 --- a/pkgs/build-support/rust/fetch-cargo-vendor-util.py +++ b/pkgs/build-support/rust/fetch-cargo-vendor-util.py @@ -40,6 +40,7 @@ def create_http_session() -> requests.Session: status_forcelist=[500, 502, 503, 504] ) session = requests.Session() + session.headers["User-Agent"] = "nixpkgs-fetchCargoVendor/2 (https://github.com/NixOS/nixpkgs)" session.mount('http://', HTTPAdapter(max_retries=retries)) session.mount('https://', HTTPAdapter(max_retries=retries)) return session @@ -68,7 +69,9 @@ def get_download_url_for_tarball(pkg: dict[str, Any]) -> str: if pkg["source"] != "registry+https://github.com/rust-lang/crates.io-index": raise Exception("Only the default crates.io registry is supported.") - return f"https://crates.io/api/v1/crates/{pkg["name"]}/{pkg["version"]}/download" + # Use static.crates.io (CDN) instead of crates.io/api to avoid the 1 req/sec + # rate limit on the API servers. + return f"https://static.crates.io/crates/{pkg["name"]}/{pkg["version"]}/download" def download_tarball(session: requests.Session, pkg: dict[str, Any], out_dir: Path) -> None: diff --git a/pkgs/build-support/rust/fetch-cargo-vendor.nix b/pkgs/build-support/rust/fetch-cargo-vendor.nix index 2802bf9e73f1..8d554a8dc3e2 100644 --- a/pkgs/build-support/rust/fetch-cargo-vendor.nix +++ b/pkgs/build-support/rust/fetch-cargo-vendor.nix @@ -37,29 +37,18 @@ let "hash" ]; - mkFetchCargoVendorUtil = - name: src: - writers.writePython3Bin name { - libraries = - with python3Packages; - [ - requests - tomli-w - ] - ++ requests.optional-dependencies.socks; # to support socks proxy envs like ALL_PROXY in requests - flakeIgnore = [ - "E501" - ]; - } (builtins.readFile src); - - # Separate util used only by the FOD `vendorStaging` stage below. Kept - # distinct from fetchCargoVendorUtil so that changes to the network-facing - # bits (User-Agent, download URL) don't invalidate the input-addressed - # `-vendor` stage and force a mass rebuild of every Rust package in nixpkgs. - # vendorStaging is an FOD, so swapping its util is free for consumers. - # TODO: unify with fetchCargoVendorUtil on the next `staging` cycle. - fetchCargoVendorUtilV2 = mkFetchCargoVendorUtil "fetch-cargo-vendor-util-v2" ./fetch-cargo-vendor-util-v2.py; - fetchCargoVendorUtil = mkFetchCargoVendorUtil "fetch-cargo-vendor-util" ./fetch-cargo-vendor-util.py; + fetchCargoVendorUtil = writers.writePython3Bin "fetch-cargo-vendor-util" { + libraries = + with python3Packages; + [ + requests + tomli-w + ] + ++ requests.optional-dependencies.socks; # to support socks proxy envs like ALL_PROXY in requests + flakeIgnore = [ + "E501" + ]; + } (builtins.readFile ./fetch-cargo-vendor-util.py); in { @@ -79,7 +68,7 @@ let impureEnvVars = lib.fetchers.proxyImpureEnvVars; nativeBuildInputs = [ - fetchCargoVendorUtilV2 + fetchCargoVendorUtil cacert nix-prefetch-git' ] @@ -92,7 +81,7 @@ let cd "$cargoRoot" fi - fetch-cargo-vendor-util-v2 create-vendor-staging ./Cargo.lock "$out" + fetch-cargo-vendor-util create-vendor-staging ./Cargo.lock "$out" runHook postBuild ''; From 96b8fd4e618c2249400bea96e8b9ebdbb8b2d7b4 Mon Sep 17 00:00:00 2001 From: kuflierl <41301536+kuflierl@users.noreply.github.com> Date: Tue, 2 Jun 2026 15:07:04 +0200 Subject: [PATCH 70/97] libheif: 1.22.2 -> 1.23.0 changelog: https://github.com/strukturag/libheif/releases/tag/v1.23.0 (cherry picked from commit 536f85e8fc0b8bcf2a341b973d2c1eb4c20077cd) --- pkgs/by-name/li/libheif/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libheif/package.nix b/pkgs/by-name/li/libheif/package.nix index a24d7986b884..42171d469f5a 100644 --- a/pkgs/by-name/li/libheif/package.nix +++ b/pkgs/by-name/li/libheif/package.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "libheif"; - version = "1.22.2"; + version = "1.23.0"; outputs = [ "bin" @@ -38,7 +38,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "strukturag"; repo = "libheif"; rev = "v${finalAttrs.version}"; - hash = "sha256-z5vTfZATfwDn8Zwqt3piS7PaOQQ3UG+u20sR6j+dsUg="; + hash = "sha256-+LbYwDSxixy4TaraUCN2LiCnn32dkMppCA8EOFXbvtg="; }; nativeBuildInputs = [ From 2f092df439722bc95d790d0a2c734e637ff08006 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 31 May 2026 15:34:33 -0700 Subject: [PATCH 71/97] bzip2: patch CVE-2026-42250 (cherry picked from commit a7b6fa34c1c4955920c50349475f41c2581981b8) --- pkgs/tools/compression/bzip2/default.nix | 3 ++ .../bzip2/patches/CVE-2026-42250.patch | 34 +++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix index de15b36aef1c..11d964fd2f06 100644 --- a/pkgs/tools/compression/bzip2/default.nix +++ b/pkgs/tools/compression/bzip2/default.nix @@ -30,6 +30,9 @@ stdenv.mkDerivation ( patchFlags = [ "-p0" ]; patches = [ + # https://sourceware.org/cgit/bzip2/patch/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 + ./patches/CVE-2026-42250.patch + ./patches/bzip2-1.0.6.2-autoconfiscated.patch ]; # Fix up hardcoded version from the above patch, e.g. seen in bzip2.pc or libbz2.so.1.0.N diff --git a/pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch b/pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch new file mode 100644 index 000000000000..db16326cdeb7 --- /dev/null +++ b/pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch @@ -0,0 +1,34 @@ +From 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Thu, 28 May 2026 16:15:45 +0200 +Subject: bzip2recover: Make sure to not process more than + BZ_MAX_HANDLED_BLOCKS + +There is an off-by-one in the check before calling tooManyBlocks. This +causes the scanning loop to run one more time and cause a possible +read or write one past the global bStart, bEnd, rbStart and rbEnd +buffers. There are no known exploits of this issue and you will need +to compile with something like gcc -fsanitize=address (ASAN +AddressSanitizer) to observe the faulty read/write. + +This has been assigned CVE-2026-42250. +--- + bzip2recover.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git bzip2recover.c bzip2recover.c +index a8131e0..4b1c219 100644 +--- bzip2recover.c ++++ bzip2recover.c +@@ -402,7 +402,7 @@ Int32 main ( Int32 argc, Char** argv ) + rbEnd[rbCtr] = bEnd[currBlock]; + rbCtr++; + } +- if (currBlock >= BZ_MAX_HANDLED_BLOCKS) ++ if (currBlock >= BZ_MAX_HANDLED_BLOCKS - 1) + tooManyBlocks(BZ_MAX_HANDLED_BLOCKS); + currBlock++; + +-- +cgit + From 9949740ce0d49f0a55b2792143306b661fe6e873 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 2 Jun 2026 10:45:38 -0700 Subject: [PATCH 72/97] bzip2_1_1: mark insecure (cherry picked from commit ced25ca9a913c9238668f049d813626393d805e0) --- pkgs/tools/compression/bzip2/1_1.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/tools/compression/bzip2/1_1.nix b/pkgs/tools/compression/bzip2/1_1.nix index d62ad11e3ec4..b61f81480d6b 100644 --- a/pkgs/tools/compression/bzip2/1_1.nix +++ b/pkgs/tools/compression/bzip2/1_1.nix @@ -50,5 +50,8 @@ stdenv.mkDerivation (finalAttrs: { pkgConfigModules = [ "bz2" ]; platforms = lib.platforms.all; maintainers = [ ]; + knownVulnerabilities = [ + "CVE-2026-42250" + ]; }; }) From 06e92ebb26ee4aff0b2caf02b7b3c213a4847d82 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Tue, 2 Jun 2026 23:46:58 +0000 Subject: [PATCH 73/97] direwolf-unstable: 1.8.1-unstable-2026-03-18 -> 1.8.1-unstable-2026-05-27 (cherry picked from commit f6d53dbfe34e1ff94f74a54189f4057d0b861cca) --- pkgs/by-name/di/direwolf-unstable/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/di/direwolf-unstable/package.nix b/pkgs/by-name/di/direwolf-unstable/package.nix index bfcc33889a8f..13d4858ccc86 100644 --- a/pkgs/by-name/di/direwolf-unstable/package.nix +++ b/pkgs/by-name/di/direwolf-unstable/package.nix @@ -12,13 +12,13 @@ inherit hamlibSupport gpsdSupport extraScripts; }).overrideAttrs (oldAttrs: { - version = "1.8.1-unstable-2026-03-18"; + version = "1.8.1-unstable-2026-05-27"; src = fetchFromGitHub { owner = "wb2osz"; repo = "direwolf"; - rev = "78d6559c67b94568b2f093fc9b4d4965749387ae"; - hash = "sha256-sSXvDTnrOHplmg86kZ+ppPD0Y6JuhHBfrXZToK8EqmY="; + rev = "d6151874ecf202cbb401a671a90b15d0fab92fa9"; + hash = "sha256-t19AjQzjkpteqwfRVI/tM5wCVNeFceWPHjq0UtdevXg="; }; dontVersionCheck = true; From 3cfb42b48e77a9ae29b846f9146402dc47692ced Mon Sep 17 00:00:00 2001 From: whispers Date: Fri, 22 May 2026 21:28:20 -0400 Subject: [PATCH 74/97] libgcrypt: 1.11.2 -> 1.12.2 1.12.0: https://dev.gnupg.org/T7643, https://lists.gnupg.org/pipermail/gnupg-announce/2026q1/000502.html 1.12.1: https://dev.gnupg.org/T8067 1.12.2: https://dev.gnupg.org/T8114, https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html (cherry picked from commit 5131deab4ec023f576cd4e6b0519c282dab8206d) --- pkgs/by-name/li/libgcrypt/package.nix | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/pkgs/by-name/li/libgcrypt/package.nix b/pkgs/by-name/li/libgcrypt/package.nix index 9317da7494fd..08fa5886de73 100644 --- a/pkgs/by-name/li/libgcrypt/package.nix +++ b/pkgs/by-name/li/libgcrypt/package.nix @@ -17,11 +17,11 @@ assert enableCapabilities -> stdenv.hostPlatform.isLinux; stdenv.mkDerivation rec { pname = "libgcrypt"; - version = "1.11.2"; + version = "1.12.2"; src = fetchurl { url = "mirror://gnupg/libgcrypt/${pname}-${version}.tar.bz2"; - hash = "sha256-a6Wd0ZInDowdIt20GgfZXc28Hw+wLQPEtUsjWBQzCqw="; + hash = "sha256-fOM8JJIiGgQ2+WqFACFenz49y1/SanV81BXnqEO6vV4="; }; outputs = [ @@ -73,17 +73,6 @@ stdenv.mkDerivation rec { postConfigure = '' sed -i configure \ -e 's/NOEXECSTACK_FLAGS=$/NOEXECSTACK_FLAGS="-Wa,--noexecstack"/' - '' - # The cipher/simd-common-riscv.h wasn't added to the release tarball, please remove this hack on next version update - # https://dev.gnupg.org/T7647 - + lib.optionalString stdenv.hostPlatform.isRiscV '' - cp ${ - fetchurl { - url = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob_plain;f=cipher/simd-common-riscv.h;h=8381000f9ac148c60a6963a1d9ec14a3fee1c576;hb=81ce5321b1b79bde6dfdc3c164efb40c13cf656b"; - hash = "sha256-Toe15YLAOYULnLc2fGMMv/xzs/q1t3LsyiqtL7imc+8="; - name = "simd-common-riscv.h"; - } - } cipher/simd-common-riscv.h ''; enableParallelBuilding = true; From f16209a21ec4da1743f1137e02a62b93c4fe10cd Mon Sep 17 00:00:00 2001 From: Leon Klingele Date: Tue, 2 Jun 2026 22:41:39 +0200 Subject: [PATCH 75/97] go_1_26: 1.26.3 -> 1.26.4 (cherry picked from commit b359a44a033e0c805540f60c26d9834357ba341c) --- pkgs/development/compilers/go/1.26.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/compilers/go/1.26.nix b/pkgs/development/compilers/go/1.26.nix index 01704593ad77..242fa4c91de8 100644 --- a/pkgs/development/compilers/go/1.26.nix +++ b/pkgs/development/compilers/go/1.26.nix @@ -25,11 +25,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "go"; - version = "1.26.3"; + version = "1.26.4"; src = fetchurl { url = "https://go.dev/dl/go${finalAttrs.version}.src.tar.gz"; - hash = "sha256-HGRoddCqh5kTMYTtV895/yS97+jIggRwYCqdPW2Rkrg="; + hash = "sha256-T2aKMvv8ETLmqIH7lowvHa2mMUkqM5IRc1+7JVpCYC0="; }; strictDeps = true; From 35e7bdb1f4f22d136664d22e742b10994635443d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 31 May 2026 15:01:48 -0700 Subject: [PATCH 76/97] python3Packages.pyjwt: 2.12.1 -> 2.13.0 Diff: https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0 Changelog: https://github.com/jpadilla/pyjwt/blob/2.13.0/CHANGELOG.rst (cherry picked from commit 3b6cda4e40f81fada80e9cc10e040d59a2826a20) --- pkgs/development/python-modules/pyjwt/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/pyjwt/default.nix b/pkgs/development/python-modules/pyjwt/default.nix index 1d18045a863c..74754630a145 100644 --- a/pkgs/development/python-modules/pyjwt/default.nix +++ b/pkgs/development/python-modules/pyjwt/default.nix @@ -13,14 +13,14 @@ buildPythonPackage rec { pname = "pyjwt"; - version = "2.12.1"; + version = "2.13.0"; pyproject = true; src = fetchFromGitHub { owner = "jpadilla"; repo = "pyjwt"; tag = version; - hash = "sha256-wgOa5JhQT82ppoad6s8gPH7tGRNbbVWmJaaDF84d+r0="; + hash = "sha256-q4ynXCJVDsyZh70439dloyWgRTLVm+elDOahUVOT5vA="; }; outputs = [ From 32ff989879ca372003d44ee8421d81f3353c8ac0 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 4 Jun 2026 01:51:51 +0200 Subject: [PATCH 77/97] python3Packages.django_5: 5.2.14 -> 5.2.15 https://docs.djangoproject.com/en/5.2/releases/5.2.15/ https://www.djangoproject.com/weblog/2026/jun/03/security-releases/ Fixes: CVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193, CVE-2026-48587 (cherry picked from commit 3b5d44bff532312e311282d9768c5204fc8d601a) --- pkgs/development/python-modules/django/5.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/django/5.nix b/pkgs/development/python-modules/django/5.nix index 3a7274793a2b..273b61da19c9 100644 --- a/pkgs/development/python-modules/django/5.nix +++ b/pkgs/development/python-modules/django/5.nix @@ -41,14 +41,14 @@ buildPythonPackage rec { pname = "django"; - version = "5.2.14"; + version = "5.2.15"; pyproject = true; src = fetchFromGitHub { owner = "django"; repo = "django"; tag = version; - hash = "sha256-gb/4WL2VLoqRucpXuKyPsMSwKZ6gaxy5JA7QTeeazjk="; + hash = "sha256-K9yFHr3IkVNMqoeumESszVlju2fW2r8hS8z6M2OdVpE="; }; patches = [ From 128add25cfb35e89a5e101480ce15aaef73a6f43 Mon Sep 17 00:00:00 2001 From: whispers Date: Tue, 2 Jun 2026 11:02:48 -0400 Subject: [PATCH 78/97] xvfb: 21.1.22 -> 21.1.23, drop rebuild avoidance xorg announcement: https://lists.x.org/archives/xorg-announce/2026-June/003703.html xorg advisory: https://lists.x.org/archives/xorg-announce/2026-June/003702.html (cherry picked from commit 8310c133b7c8dfd173a135bdb9ac0b7a7fc6b5e6) --- pkgs/by-name/xv/xvfb/package.nix | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/pkgs/by-name/xv/xvfb/package.nix b/pkgs/by-name/xv/xvfb/package.nix index d14e35338776..934fade5a795 100644 --- a/pkgs/by-name/xv/xvfb/package.nix +++ b/pkgs/by-name/xv/xvfb/package.nix @@ -38,13 +38,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "xvfb"; - # TODO: rebuild avoidance. revert on staging. - # inherit (xorg-server) src version; - version = "21.1.22"; - src = fetchurl { - url = "mirror://xorg/individual/xserver/xorg-server-${finalAttrs.version}.tar.xz"; - hash = "sha256-GiQsiRfEm6KczB9gIWE9iiuYBd0NJxpmrp0J9LC7BrM="; - }; + inherit (xorg-server) src version; strictDeps = true; From cab7cf2acdb2294def13bbce083d9807dd95530b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 31 May 2026 12:59:26 -0700 Subject: [PATCH 79/97] ghostscript: 10.07.0 -> 10.07.1 Changelog: https://ghostscript.readthedocs.io/en/gs10.07.1/News.html (cherry picked from commit 6f5cb5357ce5f049e4571c5fe16afbdb3644e971) --- pkgs/by-name/gh/ghostscript/package.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/gh/ghostscript/package.nix b/pkgs/by-name/gh/ghostscript/package.nix index 36b9ced6f56b..6cd7c4b18ed1 100644 --- a/pkgs/by-name/gh/ghostscript/package.nix +++ b/pkgs/by-name/gh/ghostscript/package.nix @@ -67,13 +67,13 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "ghostscript${lib.optionalString x11Support "-with-X"}"; - version = "10.07.0"; + version = "10.07.1"; src = fetchurl { url = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${ lib.replaceStrings [ "." ] [ "" ] finalAttrs.version }/ghostscript-${finalAttrs.version}.tar.xz"; - hash = "sha256-3azk4XIflnpVA5uv9WSEAiXguqHU9UMiR8oczRRzt8E="; + hash = "sha256-HNt2bejbjx5YnIF/CcWFXqX2XfyFQORlpprBTBhBYCU="; }; patches = [ @@ -233,6 +233,7 @@ stdenv.mkDerivation (finalAttrs: { meta = { homepage = "https://www.ghostscript.com/"; + changelog = "https://ghostscript.readthedocs.io/en/gs${finalAttrs.version}/News.html"; description = "PostScript interpreter (mainline version)"; longDescription = '' Ghostscript is the name of a set of tools that provides (i) an From 8981bd36a7893b59577d0a4ae1de03f7a81e3609 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 27 May 2026 10:06:49 +0000 Subject: [PATCH 80/97] systemd: 260.1 -> 260.2 (cherry picked from commit d08a97a02625f300a3c12da8fc5e5f7579cf38d8) --- pkgs/os-specific/linux/systemd/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index a6dd663aef3c..43c90214fcea 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -202,13 +202,13 @@ let in stdenv.mkDerivation (finalAttrs: { inherit pname; - version = "260.1"; + version = "260.2"; src = fetchFromGitHub { owner = "systemd"; repo = "systemd"; rev = "v${finalAttrs.version}"; - hash = "sha256-FUKj3lvjz8TIsyu8NyJYtiNele+1BhdJPdw7r7nW6as="; + hash = "sha256-NXmmSV7/9WIW6C8wjdOwaerCy4v7Zcrd8+XDzcS8rEk="; }; # PATCH POLICY From 9bcbc7814a0b2a5515fdf6449c12a055712328d8 Mon Sep 17 00:00:00 2001 From: r-vdp Date: Sun, 31 May 2026 11:43:03 +0300 Subject: [PATCH 81/97] systemd: drop upstreamed tmpfiles noatime patch (cherry picked from commit 3dbcb86c1f33d575b16b78d576a16d4d3a2f0608) --- pkgs/os-specific/linux/systemd/default.nix | 8 -------- 1 file changed, 8 deletions(-) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index 43c90214fcea..15f0fc9f1a79 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -5,7 +5,6 @@ pkgsCross, testers, fetchFromGitHub, - fetchpatch, buildPackages, makeBinaryWrapper, ninja, @@ -238,13 +237,6 @@ stdenv.mkDerivation (finalAttrs: { ./0003-add-rootprefix-to-lookup-dir-paths.patch ./0004-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch ./0005-core-don-t-taint-on-unmerged-usr.patch - - # TODO: remove the following patch when systemd v261 is released. - # see upstream PR: https://github.com/systemd/systemd/pull/41232 - (fetchpatch { - url = "https://github.com/systemd/systemd/commit/df45055942330fcd2b77389e449905e7f6ca34ec.patch"; - hash = "sha256-PDh4mP9rYGCglp25346nExU2v6P0WYPfLZgu+YwzZ9c="; - }) ] ++ lib.optionals (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isGnu) [ ./0006-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch From ca8d5775de348f1505ae1f84c3c08c5ca01dbf98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Mon, 1 Jun 2026 22:25:35 -0700 Subject: [PATCH 82/97] libde265: 1.0.19 -> 1.1.0 Diff: https://github.com/strukturag/libde265/compare/v1.0.19...v1.1.0 Changelog: https://github.com/strukturag/libde265/releases/tag/v1.1.0 (cherry picked from commit eb64ffdbce253915ec1e43f6f055cfbbab87d586) --- pkgs/by-name/li/libde265/package.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libde265/package.nix b/pkgs/by-name/li/libde265/package.nix index 65121864428c..80293886a1e1 100644 --- a/pkgs/by-name/li/libde265/package.nix +++ b/pkgs/by-name/li/libde265/package.nix @@ -15,14 +15,14 @@ }: stdenv.mkDerivation (finalAttrs: { - version = "1.0.19"; + version = "1.1.0"; pname = "libde265"; src = fetchFromGitHub { owner = "strukturag"; repo = "libde265"; tag = "v${finalAttrs.version}"; - hash = "sha256-77OIclR2TwOigo/k5ps9S0TrDNvEjf290PqZyqBcydo="; + hash = "sha256-QhBi23HttVdIJCueSeKj3ZKwqX1iFcuAX7GmnMRCyN8="; }; nativeBuildInputs = [ @@ -43,6 +43,7 @@ stdenv.mkDerivation (finalAttrs: { meta = { homepage = "https://github.com/strukturag/libde265"; + changelog = "https://github.com/strukturag/libde265/releases/tag/${finalAttrs.src.tag}"; description = "Open h.265 video codec implementation"; mainProgram = "dec265"; license = lib.licenses.lgpl3; From b3a92ec281d998f0b947846c19956752ad275bfc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Mon, 1 Jun 2026 11:38:44 -0700 Subject: [PATCH 83/97] krb5: 1.22.1 -> 1.22.2 Changelog: https://web.mit.edu/Kerberos/krb5-1.22/ (cherry picked from commit 5a913250424c829e00c300968eefb71f5865d852) --- pkgs/by-name/kr/krb5/package.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/kr/krb5/package.nix b/pkgs/by-name/kr/krb5/package.nix index 0b504c6dc8a6..3c402ff11721 100644 --- a/pkgs/by-name/kr/krb5/package.nix +++ b/pkgs/by-name/kr/krb5/package.nix @@ -34,13 +34,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "krb5"; - version = "1.22.1"; + version = "1.22.2"; __structuredAttrs = true; src = fetchurl { url = "https://kerberos.org/dist/krb5/${lib.versions.majorMinor finalAttrs.version}/krb5-${finalAttrs.version}.tar.gz"; - hash = "sha256-GogyuMrZI+u/E5T2fi789B46SfRgKFpm41reyPoAU68="; + hash = "sha256-MkP/vI6k1Kwi3cfdKh3FTFeHTEBki2D/lwCXY1VOrxM="; }; patches = lib.optionals stdenv.hostPlatform.isFreeBSD [ @@ -170,6 +170,7 @@ stdenv.mkDerivation (finalAttrs: { ]; meta = { + changelog = "https://web.mit.edu/Kerberos/krb5-${lib.versions.majorMinor finalAttrs.version}/"; description = "MIT Kerberos 5"; homepage = "http://web.mit.edu/kerberos/"; license = lib.licenses.mit; From 3cff9ef0a777a198dcd45125284696f528522ab0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Thu, 4 Jun 2026 09:47:51 -0700 Subject: [PATCH 84/97] krb5: patch CVE-2026-40355 and CVE-2026-40356 (cherry picked from commit a42608a7a8c0d84c9ef80ab8acb05507052e6bbb) --- .../CVE-2026-40355-and-CVE-2026-40356.patch | 61 +++++++++++++++++++ pkgs/by-name/kr/krb5/package.nix | 6 +- 2 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 pkgs/by-name/kr/krb5/CVE-2026-40355-and-CVE-2026-40356.patch diff --git a/pkgs/by-name/kr/krb5/CVE-2026-40355-and-CVE-2026-40356.patch b/pkgs/by-name/kr/krb5/CVE-2026-40355-and-CVE-2026-40356.patch new file mode 100644 index 000000000000..fe37f894fdc4 --- /dev/null +++ b/pkgs/by-name/kr/krb5/CVE-2026-40355-and-CVE-2026-40356.patch @@ -0,0 +1,61 @@ +From acea6182e46fff3d1d64a3172cdff307b07ca441 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Wed, 8 Apr 2026 17:57:59 -0400 +Subject: [PATCH] Fix two NegoEx parsing vulnerabilities + +In parse_nego_message(), check the result of the second call to +vector_base() before dereferencing it. In parse_message(), check for +a short header_len to prevent an integer underflow when calculating +the remaining message length. + +Reported by Cem Onat Karagun. + +CVE-2026-40355: + +In MIT krb5 release 1.18 and later, if an application calls +gss_accept_sec_context() on a system with a NegoEx mechanism +registered in /etc/gss/mech, an unauthenticated remote attacker can +trigger a null pointer dereference, causing the process to terminate. + +CVE-2026-40356: + +In MIT krb5 release 1.18 and later, if an application calls +gss_accept_sec_context() on a system with a NegoEx mechanism +registered in /etc/gss/mech, an unauthenticated remote attacker can +trigger a read overrun of up to 52 bytes, possibly causing the process +to terminate. Exfiltration of the bytes read does not appear +possible. + +(cherry picked from commit 2e75f0d9362fb979f5fc92829431a590a130929f) + +ticket: 9205 +version_fixed: 1.22.3 +--- + lib/gssapi/spnego/negoex_util.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c +index edc5462e844..a65238e5730 100644 +--- a/lib/gssapi/spnego/negoex_util.c ++++ b/lib/gssapi/spnego/negoex_util.c +@@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in, + offset = k5_input_get_uint32_le(in); + count = k5_input_get_uint16_le(in); + p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len); ++ if (p == NULL) { ++ *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE; ++ return GSS_S_DEFECTIVE_TOKEN; ++ } + for (i = 0; i < count; i++) { + extension_type = load_32_le(p + i * EXTENSION_LENGTH); + if (extension_type & EXTENSION_FLAG_CRITICAL) { +@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in, + msg_len = k5_input_get_uint32_le(in); + conv_id = k5_input_get_bytes(in, GUID_LENGTH); + +- if (in->status || msg_len > token_remaining || header_len > msg_len) { ++ if (in->status || msg_len > token_remaining || ++ header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) { + *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE; + return GSS_S_DEFECTIVE_TOKEN; + } diff --git a/pkgs/by-name/kr/krb5/package.nix b/pkgs/by-name/kr/krb5/package.nix index 3c402ff11721..c4e35061d41a 100644 --- a/pkgs/by-name/kr/krb5/package.nix +++ b/pkgs/by-name/kr/krb5/package.nix @@ -43,7 +43,11 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-MkP/vI6k1Kwi3cfdKh3FTFeHTEBki2D/lwCXY1VOrxM="; }; - patches = lib.optionals stdenv.hostPlatform.isFreeBSD [ + patches = [ + # https://github.com/krb5/krb5/pull/1506 + ./CVE-2026-40355-and-CVE-2026-40356.patch + ] + ++ lib.optionals stdenv.hostPlatform.isFreeBSD [ (fetchpatch { name = "fix-missing-ENODATA.patch"; url = "https://cgit.freebsd.org/ports/plain/security/krb5-122/files/patch-lib_krad_packet.c?id=0501f716c4aff7880fde56e42d641ef504593b7d"; From 2c2c8a3587fd408f44570b009d5b25e2abb14a68 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Wed, 3 Jun 2026 13:36:13 +0200 Subject: [PATCH 85/97] libxml2: 2.15.2 -> 2.15.3 Changelog: https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.15.3/NEWS Fixes CVE-2026-6732 Other security issues fixed here seem to not have CVEs assigned (yet) (cherry picked from commit efef7d2661da0fe1a31640df138cedeeb746b165) --- pkgs/development/libraries/libxml2/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix index 52a3ab58ad61..015688e4474b 100644 --- a/pkgs/development/libraries/libxml2/default.nix +++ b/pkgs/development/libraries/libxml2/default.nix @@ -46,13 +46,13 @@ let }; }; libxml2 = callPackage ./common.nix { - version = "2.15.2"; + version = "2.15.3"; src = fetchFromGitLab { domain = "gitlab.gnome.org"; owner = "GNOME"; repo = "libxml2"; tag = "v${packages.libxml2.version}"; - hash = "sha256-k5dZ75D/BOouYAjrof9Jm2lY29XZhOqS1kudDGmGY9Q="; + hash = "sha256-fDntZDyITs223by8n7ueOXiO7yyzshtANoWbY0+yeqo="; }; extraMeta = { maintainers = with lib.maintainers; [ From 5613fd0d417095f6e8bf247b23ec19b0ee210a92 Mon Sep 17 00:00:00 2001 From: Stig Palmquist Date: Thu, 4 Jun 2026 17:38:16 +0200 Subject: [PATCH 86/97] perl: backport security fixes Perl ships with some CPAN modules vendored as "dual-life", this commit inject updated versions certain modules directly from CPAN rather than applying patches from upstream, as they can be tricky to maintain. It also includes a patch for CVE-2026-8376 which affects 32-bit platforms. - perl: CVE-2026-8376 https://github.com/Perl/perl5/commit/5e7f119eb2bb1181be908701f22bf7068e722f1c - HTTP-Tiny 0.094: CVE-2026-7010 https://metacpan.org/release/HAARG/HTTP-Tiny-0.094/changes - Compress-Raw-Zlib 2.222: CVE-2026-3381, CVE-2026-4176 https://metacpan.org/release/PMQS/Compress-Raw-Zlib-2.222/changes - Compress-Raw-Bzip2 2.218 https://metacpan.org/release/PMQS/Compress-Raw-Bzip2-2.218/changes - IO-Compress 2.220: CVE-2026-48959, CVE-2026-48961, CVE-2026-48962 https://metacpan.org/release/PMQS/IO-Compress-2.220/changes - Archive-Tar 3.12: CVE-2026-42496, CVE-2026-42497, CVE-2026-9538 https://metacpan.org/release/BINGOS/Archive-Tar-3.12/changes Assisted-by: Codex (OpenAI) Signed-off-by: Stig Palmquist (cherry picked from commit d59aeb80e50481c69e9535b6421c84a4a398531f) --- .../interpreters/perl/CVE-2026-8376.patch | 20 ++++++ .../interpreters/perl/interpreter.nix | 65 +++++++++++++++++-- 2 files changed, 81 insertions(+), 4 deletions(-) create mode 100644 pkgs/development/interpreters/perl/CVE-2026-8376.patch diff --git a/pkgs/development/interpreters/perl/CVE-2026-8376.patch b/pkgs/development/interpreters/perl/CVE-2026-8376.patch new file mode 100644 index 000000000000..c8ad72298178 --- /dev/null +++ b/pkgs/development/interpreters/perl/CVE-2026-8376.patch @@ -0,0 +1,20 @@ +Targeted patch for CVE-2026-8376, based on 5e7f119eb2bb1181be908701f22bf7068e722f1c but avoids changes to t/re/pat_psycho.t as they do not apply cleanly. + +diff --git a/regcomp_study.c b/regcomp_study.c +index b513454a4258..1602663f4b26 100644 +--- a/regcomp_study.c ++++ b/regcomp_study.c +@@ -2784,6 +2784,13 @@ Perl_study_chunk(pTHX_ + (U8 *) SvEND(data->last_found)) + - (U8*)s; + l -= old; ++ ++ if (l > 0 && ++ (mincount >= SSize_t_MAX / (SSize_t)l ++ || old > SSize_t_MAX - mincount * (SSize_t)l)) { ++ FAIL("Regexp out of space"); ++ } ++ + /* Get the added string: */ + last_str = newSVpvn_utf8(s + old, l, UTF); + last_chrs = UTF ? utf8_length((U8*)(s + old), diff --git a/pkgs/development/interpreters/perl/interpreter.nix b/pkgs/development/interpreters/perl/interpreter.nix index fce8e1c9e0f0..cdb03912b517 100644 --- a/pkgs/development/interpreters/perl/interpreter.nix +++ b/pkgs/development/interpreters/perl/interpreter.nix @@ -36,6 +36,8 @@ let commonPatches = [ # Do not look in /usr etc. for dependencies. ./no-sys-dirs.patch + + ./CVE-2026-8376.patch ] # Fix build on Solaris on x86_64 @@ -79,6 +81,61 @@ let # Some more details: https://arsv.github.io/perl-cross/modules.html ++ lib.optional crossCompiling ./cross.patch; + # Inject fixed CPAN releases for bundled dual-life distributions until the + # next perl maintenance release includes them. + vendoredPerlDistributions = [ + { + # CVE-2026-7010 + path = "cpan/HTTP-Tiny"; + src = fetchurl { + url = "mirror://cpan/authors/id/H/HA/HAARG/HTTP-Tiny-0.094.tar.gz"; + hash = "sha256-poQemfwbVdFd6VlHzL17dnvsxRxxAhl/qPBE333cB0M="; + }; + } + { + # CVE-2026-3381, CVE-2026-4176 + path = "cpan/Compress-Raw-Zlib"; + src = fetchurl { + url = "mirror://cpan/authors/id/P/PM/PMQS/Compress-Raw-Zlib-2.222.tar.gz"; + hash = "sha256-Hf19URplVifIGBXTDTurwo+luIRV/wP4sECZ3LUShrg="; + }; + } + { + # Runtime dependency of IO-Compress 2.220. + path = "cpan/Compress-Raw-Bzip2"; + src = fetchurl { + url = "mirror://cpan/authors/id/P/PM/PMQS/Compress-Raw-Bzip2-2.218.tar.gz"; + hash = "sha256-iRU+ai69pSNJSTsHT6S3VJ/x+QU952E8GKXgXFtBX6g="; + }; + } + { + # CVE-2026-48962, CVE-2026-48961, CVE-2026-48959 + path = "cpan/IO-Compress"; + src = fetchurl { + url = "mirror://cpan/authors/id/P/PM/PMQS/IO-Compress-2.220.tar.gz"; + hash = "sha256-nZbqKR8sVO82fHOWuFfZO6GsHEsvG84T7Yo+Xz7rtic="; + }; + } + { + # CVE-2026-42496, CVE-2026-42497, CVE-2026-9538 + path = "cpan/Archive-Tar"; + src = fetchurl { + url = "mirror://cpan/authors/id/B/BI/BINGOS/Archive-Tar-3.12.tar.gz"; + hash = "sha256-ARTvObZfSfiWgoOrR3Gdfoj5jXNg/jZJvjMcf1PVgyw="; + }; + } + ]; + + replaceVendoredPerlDistributions = lib.concatMapStringsSep "\n" (d: '' + rm -rf ${d.path} + mkdir -p ${d.path} + + tar --strip-components=1 -C ${d.path} -xf ${d.src} + + # Remove executable bits to make t/porting/exec-bit.t happy. + find ${d.path} -type f -exec chmod a-x {} + + '') vendoredPerlDistributions; + libc = if stdenv.cc.libc or null != null then stdenv.cc.libc else "/usr"; libcInc = lib.getDev libc; libcLib = lib.getLib libc; @@ -136,10 +193,10 @@ stdenv.mkDerivation ( --replace "/bin/pwd" "$(type -P pwd)" '' ) - + - # Perl's build system uses the src variable, and its value may end up in - # the output in some cases (when cross-compiling) - '' + + replaceVendoredPerlDistributions + + '' + # Perl's build system uses the src variable, and its value may end up in + # the output in some cases (when cross-compiling). unset src ''; From 2d355d1abaa61f5d60dc524c3645c4d6cbb980be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Fri, 5 Jun 2026 12:52:54 +0200 Subject: [PATCH 87/97] libpng: 1.6.56 -> 1.6.58 Fixes: CVE-2026-34757 and CVE-2026-40930 (#528286) (cherry picked from commit 316db7c96c1096ae2bf0a40bdec1fc630e1498a2) --- pkgs/by-name/li/libpng/package.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/by-name/li/libpng/package.nix b/pkgs/by-name/li/libpng/package.nix index d533f3ed56bb..7d52bcffb378 100644 --- a/pkgs/by-name/li/libpng/package.nix +++ b/pkgs/by-name/li/libpng/package.nix @@ -11,10 +11,10 @@ assert zlib != null; let - patchVersion = "1.6.56"; + patchVersion = "1.6.58"; patch_src = fetchurl { url = "mirror://sourceforge/libpng-apng/libpng-${patchVersion}-apng.patch.gz"; - hash = "sha256-nOMtSidjoqxfJYcmui9J6QETJ8HujDCGKjLQ8wiJ++g="; + hash = "sha256-7ufeoi7VAoaAF5cchsY8TtHmCF3guuv9zD0zIvAPPrA="; }; whenPatched = lib.optionalString apngSupport; @@ -24,11 +24,11 @@ let in stdenv'.mkDerivation (finalAttrs: { pname = "libpng" + whenPatched "-apng"; - version = "1.6.56"; + version = "1.6.58"; src = fetchurl { url = "mirror://sourceforge/libpng/libpng-${finalAttrs.version}.tar.xz"; - hash = "sha256-99i/FgG3gE9YOiVKs0OmVJymzyfSVcMCxHry2dNqbxg="; + hash = "sha256-KOtAP1Hw90BSSRMs7P6C6lwO+X8bMsWmWCiBSuDTR3U="; }; postPatch = whenPatched "gunzip < ${patch_src} | patch -Np1" From 28fe7e5b4d263e339b52c304e1aa34a3e06b1cef Mon Sep 17 00:00:00 2001 From: Cathal Mullan Date: Sat, 21 Mar 2026 16:08:18 +0000 Subject: [PATCH 88/97] rustPlatform.fetchCargoVendor: de-duplicate git sources by selector (cherry picked from commit 100e23324c871a3b9210bd50c59d4f22e6cc452c) --- .../rust/fetch-cargo-vendor-util.py | 28 +++++++++++++------ 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/pkgs/build-support/rust/fetch-cargo-vendor-util.py b/pkgs/build-support/rust/fetch-cargo-vendor-util.py index 5dc789c93ad9..825f07b175ee 100644 --- a/pkgs/build-support/rust/fetch-cargo-vendor-util.py +++ b/pkgs/build-support/rust/fetch-cargo-vendor-util.py @@ -292,6 +292,7 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None: lockfile_version = get_lockfile_version(cargo_lock_toml) source_to_ind: dict[str, str] = {} + selector_to_ind: dict[tuple, str] = {} source_config = {} next_registry_ind = 0 next_git_ind = 0 @@ -327,24 +328,35 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None: continue if source.startswith("git+"): - ind = f"git-{next_git_ind}" - next_git_ind += 1 source_info = parse_git_source(source, lockfile_version) selector = make_git_source_selector(source_info) + selector_key = (source_info["url"], source_info["type"], source_info["value"]) + if selector_key in selector_to_ind: + ind = selector_to_ind[selector_key] + else: + ind = f"git-{next_git_ind}" + next_git_ind += 1 + selector_to_ind[selector_key] = ind + add_source_replacement( + orig_key=f"original-source-{ind}", + orig_selector=selector, + vendored_key=f"vendored-source-{ind}", + vendored_dir=f"@vendor@/source-{ind}" + ) elif source.startswith("registry+") or source.startswith("sparse+"): ind = f"registry-{next_registry_ind}" next_registry_ind += 1 selector = make_registry_source_selector(source) + add_source_replacement( + orig_key=f"original-source-{ind}", + orig_selector=selector, + vendored_key=f"vendored-source-{ind}", + vendored_dir=f"@vendor@/source-{ind}" + ) else: raise Exception(f"Can't process source: {source}.") source_to_ind[source] = ind - add_source_replacement( - orig_key=f"original-source-{ind}", - orig_selector=selector, - vendored_key=f"vendored-source-{ind}", - vendored_dir=f"@vendor@/source-{ind}" - ) config_path = out_dir / ".cargo" / "config.toml" config_path.parent.mkdir() From ff252bdb2913aa7a371e51f665cded93345ecb7c Mon Sep 17 00:00:00 2001 From: whispers Date: Fri, 5 Jun 2026 22:16:08 -0400 Subject: [PATCH 89/97] freetype: add patches for four vulnerabilities from project zero - https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1419 / https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1420 - https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1421 - https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1423 - https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1425 (cherry picked from commit a06fb593b6facc51ec4348cfb4f105536e319739) --- pkgs/by-name/fr/freetype/package.nix | 48 ++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/pkgs/by-name/fr/freetype/package.nix b/pkgs/by-name/fr/freetype/package.nix index fcace2938756..af05cc8c897a 100644 --- a/pkgs/by-name/fr/freetype/package.nix +++ b/pkgs/by-name/fr/freetype/package.nix @@ -2,6 +2,7 @@ lib, stdenv, fetchurl, + fetchpatch, buildPackages, pkgsHostHost, pkg-config, @@ -69,6 +70,53 @@ stdenv.mkDerivation (finalAttrs: { patches = [ ./enable-table-validation.patch + + # https://project-zero.issues.chromium.org/issues/505355061 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1419 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1420 + (fetchpatch { + name = "truetype-shz-limit-heap-buffer-overflow-part1.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/1803559c4ee407d0bcbf2a67dbe96690cee869d2.patch"; + hash = "sha256-zxtJ2pJz8pNofgYrJ6c8/eZqRvxTotanF2IdU9ckpM4="; + }) + (fetchpatch { + name = "truetype-shz-limit-heap-buffer-overflow-part2.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/7d600a022e1d813e85a8c94ffd395f6135872267.patch"; + hash = "sha256-aHE11C9Cr23D2lqNmTVUDA5E07xxUm+AcYdWJG9zLFs="; + }) + + # https://project-zero.issues.chromium.org/issues/505357209 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1421 + (fetchpatch { + name = "truetype-iup-integer-overflow.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/7974be74d8b5a2fbf99aa88f0461d1f80af51cee.patch"; + hash = "sha256-b5Px0ALsnC5K1+601YioAjCLkLVXNnvTIZ1aQtCeNoQ="; + }) + + # https://project-zero.issues.chromium.org/issues/506902245 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1423 + # https://gitlab.freedesktop.org/freetype/freetype/-/merge_requests/428 + (fetchpatch { + name = "truetype-variation-handling-signednes-mismatch.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/0d45c7f1911bc6db0bf072eea0c8cdccd77bc6b3.patch"; + hash = "sha256-bw/9O86sZQa+vwdgx2MTqxWi6vjMcRTyC42ba9CaZ3I="; + }) + + # prerequisite for the below to apply, since this changes formatting of + # affected code. + (fetchpatch { + name = "ftobjs-formatting.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/590b77014bd920d0bdf64c039fddbce89a288b83.patch"; + hash = "sha256-govOzLBzQMAjSKABVFryDnSn2by2f/W9BgGG3o+qSuE="; + }) + + # https://project-zero.issues.chromium.org/issues/507321912 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1425 + (fetchpatch { + name = "sub-byte-bitmaps-heap-buffer-over-read.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/cbe12767ea73d1006edc75fcd61c0b0d2a88f34e.patch"; + hash = "sha256-jMeqY9uX7Ryfdd8icGDT4kEKl6aGRWafSN8GzOhGW7g="; + }) ] ++ lib.optional useEncumberedCode ./enable-subpixel-rendering.patch; From 1706cb9fb147f760580d6cb50bd77da6e5abef63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 7 Jun 2026 09:25:39 -0700 Subject: [PATCH 90/97] libde265: 1.1.0 -> 1.1.1 Diff: https://github.com/strukturag/libde265/compare/v1.1.0...v1.1.1 Changelog: https://github.com/strukturag/libde265/releases/tag/v1.1.1 (cherry picked from commit 80edf6a63022180fcf57ad25c4255dfefda2f65c) --- pkgs/by-name/li/libde265/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libde265/package.nix b/pkgs/by-name/li/libde265/package.nix index 80293886a1e1..771b9e336634 100644 --- a/pkgs/by-name/li/libde265/package.nix +++ b/pkgs/by-name/li/libde265/package.nix @@ -15,14 +15,14 @@ }: stdenv.mkDerivation (finalAttrs: { - version = "1.1.0"; + version = "1.1.1"; pname = "libde265"; src = fetchFromGitHub { owner = "strukturag"; repo = "libde265"; tag = "v${finalAttrs.version}"; - hash = "sha256-QhBi23HttVdIJCueSeKj3ZKwqX1iFcuAX7GmnMRCyN8="; + hash = "sha256-ZHfPC86oylqt2bwWMJRWVjdMEEmX6UOKR7XkR0HPyok="; }; nativeBuildInputs = [ From a97ae27e15acefdb3a2374b27a16db0e9d46545a Mon Sep 17 00:00:00 2001 From: Leona Maroni Date: Mon, 8 Jun 2026 16:42:44 +0200 Subject: [PATCH 91/97] rsync: 3.4.3 -> 3.4.4 https://github.com/RsyncProject/rsync/releases/tag/v3.4.4 (cherry picked from commit ff0334da83c1a0e1ecb3864fcb84dd24dbcaecc5) --- pkgs/by-name/rs/rsync/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/rs/rsync/package.nix b/pkgs/by-name/rs/rsync/package.nix index c8137c8cf3c3..a6d869ad44da 100644 --- a/pkgs/by-name/rs/rsync/package.nix +++ b/pkgs/by-name/rs/rsync/package.nix @@ -28,12 +28,12 @@ stdenv.mkDerivation (finalAttrs: { pname = "rsync"; - version = "3.4.3"; + version = "3.4.4"; src = fetchurl { # signed with key 9FEF 112D CE19 A0DC 7E88 2CB8 1BB2 4997 A853 5F6F url = "mirror://samba/rsync/src/rsync-${finalAttrs.version}.tar.gz"; - hash = "sha256-xy5jyjAhy8gLqG7DAQJ3P0xWMfvEkrUudzs5WPgqU9M="; + hash = "sha256-vYjPgvplPaMjFPsikTZAfFyQ+A0XWNj0sJF2eHfY+pY="; }; preBuild = '' From c10ba493e0f242454a78fdde32fce0956065222c Mon Sep 17 00:00:00 2001 From: Leona Maroni Date: Wed, 10 Jun 2026 09:21:32 +0200 Subject: [PATCH 92/97] rsync: fix test failure on darwin Not-cherry-picked-because: Guarded to darwin, will remove guard on staging/staging-26.05 --- pkgs/by-name/rs/rsync/package.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/pkgs/by-name/rs/rsync/package.nix b/pkgs/by-name/rs/rsync/package.nix index a6d869ad44da..a102ff36cc15 100644 --- a/pkgs/by-name/rs/rsync/package.nix +++ b/pkgs/by-name/rs/rsync/package.nix @@ -2,6 +2,7 @@ lib, stdenv, fetchurl, + fetchpatch, updateAutotoolsGnuConfigScriptsHook, perl, @@ -36,6 +37,17 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-vYjPgvplPaMjFPsikTZAfFyQ+A0XWNj0sJF2eHfY+pY="; }; + patches = lib.optionals (stdenv.hostPlatform.isDarwin) [ + # Fixes test failure on darwin + (fetchpatch { + url = "https://github.com/RsyncProject/rsync/commit/e1c5f0e93a75dd45f32f3b92ba221ef158ac2e5f.patch"; + hash = "sha256-pg65K9BCTq/WvS5icK6KT28ARccFKedp2445wLYdRsE="; + excludes = [ + ".github/workflows/cygwin-build.yml" + ]; + }) + ]; + preBuild = '' patchShebangs ./runtests.py ''; From ffc75d7b6e066c3d06fc8e07c4ef19cbb6faba9b Mon Sep 17 00:00:00 2001 From: Michael Daniels Date: Sun, 7 Jun 2026 20:34:11 -0400 Subject: [PATCH 93/97] libressl: fix Darwin build https://hydra.nixos.org/build/331199232 (cherry picked from commit 3b6967c20926a7c6423ebd9875a6cd18a7f254d5) --- pkgs/by-name/li/libressl/default.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/li/libressl/default.nix b/pkgs/by-name/li/libressl/default.nix index 4ccc79407ba7..4bf139efc381 100644 --- a/pkgs/by-name/li/libressl/default.nix +++ b/pkgs/by-name/li/libressl/default.nix @@ -61,6 +61,10 @@ let doCheck = !(stdenv.hostPlatform.isPower64 || stdenv.hostPlatform.isRiscV); preCheck = '' + export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName} + export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)" + '' + + lib.optionalString stdenv.hostPlatform.isElf '' # Bail if any shared object has executable stack enabled. This can # happen when an object produced from an assmbly file in libcrypto is # missing a .note.GNU-stack section. An executable stack is dangerous @@ -76,9 +80,6 @@ let } END { exit res } ' - - export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName} - export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)" ''; postCheck = '' export ${ldLibPathEnvName}=$PREVIOUS_${ldLibPathEnvName} From 653b43f22f8c9c1bc452eedaa19c234313f00212 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Mon, 15 Jun 2026 15:24:45 +0200 Subject: [PATCH 94/97] python3Packages.valkey: fix valkey 9.1 compat (cherry picked from commit 28e20e77fc5109649ddd16d7ad5aa459dba93186) --- pkgs/development/python-modules/valkey/default.nix | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/pkgs/development/python-modules/valkey/default.nix b/pkgs/development/python-modules/valkey/default.nix index 5674542e9016..dcccacb7d569 100644 --- a/pkgs/development/python-modules/valkey/default.nix +++ b/pkgs/development/python-modules/valkey/default.nix @@ -40,11 +40,20 @@ buildPythonPackage rec { }; patches = [ + # valkey 9.0 compat (fetchpatch { - # valkey 9.0 compat url = "https://github.com/valkey-io/valkey-py/commit/c01505e547f614f278b882a016557b6ed652bb9f.patch"; hash = "sha256-rvA65inIioqdc+QV4KaaUv1I/TMZUq0TWaFJcJiy8NU="; }) + # valkey 9.1 compat + (fetchpatch { + url = "https://github.com/valkey-io/valkey-py/commit/df5c44903dc8e2dda733e5576324ba0ff8c4c6a0.patch"; + hash = "sha256-0wsWuaOYWBgf6BjlJuciZYRbugYfchTU2khQX7rtRJg="; + }) + (fetchpatch { + url = "https://github.com/valkey-io/valkey-py/commit/046c7fb9e8260c2d69d05141b1519903c4e40efe.patch"; + hash = "sha256-/yN1y0hbmBR6o6ab4h0qkn/qhU6jASOIeqWhxUi5w/I="; + }) ]; build-system = [ setuptools ]; From eb643cb18ca43227504637f5c5d6e93234510abb Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Fri, 19 Jun 2026 03:24:57 +0200 Subject: [PATCH 95/97] python3Packages.cnf-lint: disable failing tests Bisected to 252225814ab5f11143a02e8aad9459c2d9f498cd. --- pkgs/development/python-modules/cfn-lint/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pkgs/development/python-modules/cfn-lint/default.nix b/pkgs/development/python-modules/cfn-lint/default.nix index db06eac38155..70a2968acfe8 100644 --- a/pkgs/development/python-modules/cfn-lint/default.nix +++ b/pkgs/development/python-modules/cfn-lint/default.nix @@ -69,6 +69,13 @@ buildPythonPackage rec { "test_update_docs" ]; + disabledTestPaths = [ + # unexpected exit code afer nodejs_24 24.16.0 update + "test/integration/test_quickstart_templates.py::TestQuickStartTemplates::test_templates" + "test/integration/test_quickstart_templates_non_strict.py::TestQuickStartTemplates::test_module_integration" + "test/integration/test_quickstart_templates_non_strict.py::TestQuickStartTemplates::test_templates" + ]; + pythonImportsCheck = [ "cfnlint" ]; meta = { From 6b4d4a8d1a5fcde4c3949ae9197163b8ce94dfab Mon Sep 17 00:00:00 2001 From: Ryan Burns Date: Wed, 17 Jun 2026 17:03:20 -0700 Subject: [PATCH 96/97] python3.pkgs.fakeredis: 2.35.1 -> 2.36.2 Diff: https://github.com/cunla/fakeredis-py/compare/v2.35.1...v2.36.2 Changelog: https://github.com/cunla/fakeredis-py/releases/tag/v2.36.2 (cherry picked from commit 03de0e4314265000c794a6998114ff2b283f54c3) --- pkgs/development/python-modules/fakeredis/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/fakeredis/default.nix b/pkgs/development/python-modules/fakeredis/default.nix index 74e0f892129b..533136eef735 100644 --- a/pkgs/development/python-modules/fakeredis/default.nix +++ b/pkgs/development/python-modules/fakeredis/default.nix @@ -20,14 +20,14 @@ buildPythonPackage (finalAttrs: { pname = "fakeredis"; - version = "2.35.1"; + version = "2.36.2"; pyproject = true; src = fetchFromGitHub { owner = "cunla"; repo = "fakeredis-py"; tag = "v${finalAttrs.version}"; - hash = "sha256-euhWKXFERpRoXX7G81ffAygt5e1mt7uy9Y9zAGacu38="; + hash = "sha256-vOQBezPsgcjSUigCiW7Q+VueUTtQm3Y7hhB0mTstwKM="; }; build-system = [ hatchling ]; From 18a1ef95cd42d379ffc937dc9a68c7a12f59d16d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sun, 21 Jun 2026 09:48:15 +0200 Subject: [PATCH 97/97] python3Packages.fasthtml: 0.12.48 -> 0.13.3 .starlette upgrade in 83ece5c3a1e broke compatibility: https://hydra.nixos.org/build/331250021/nixlog/6/tail Upstream fixes that v0.13.0 and updating past 0.13.3 would need resolving - fastcore>=1.12.41 not satisfied by version 1.12.39 (which isn't great approach for stable 26.05 which motivates this commit) https://github.com/AnswerDotAI/fasthtml/releases (cherry picked from commit 6a56b38c1324b2a4cb755210ea9caa77fca88035) (from PR https://github.com/NixOS/nixpkgs/pull/533848 ) --- pkgs/development/python-modules/fasthtml/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/fasthtml/default.nix b/pkgs/development/python-modules/fasthtml/default.nix index 3f47dd2ce5a7..12b9b77c0435 100644 --- a/pkgs/development/python-modules/fasthtml/default.nix +++ b/pkgs/development/python-modules/fasthtml/default.nix @@ -31,14 +31,14 @@ buildPythonPackage (finalAttrs: { pname = "fasthtml"; - version = "0.12.48"; + version = "0.13.3"; pyproject = true; src = fetchFromGitHub { owner = "AnswerDotAI"; repo = "fasthtml"; tag = finalAttrs.version; - hash = "sha256-lMAuIw4sMkS3XSG/0Bs0iQPSjMusbmjUKv0w4cINwas="; + hash = "sha256-PS5HGegC6pG/bJAGrKDsRYguBnNS9EDrZIjWvjErO4M="; }; build-system = [