diff --git a/lib/derivations.nix b/lib/derivations.nix index 053625a2be0e..15c3495163a8 100644 --- a/lib/derivations.nix +++ b/lib/derivations.nix @@ -6,7 +6,6 @@ let isString mapAttrs removeAttrs - throwIfNot ; showMaybeAttrPosPre = @@ -108,18 +107,18 @@ in # attrset spine returned by lazyDerivation does not depend on it. # Instead, the individual derivation attributes do depend on it. checked = - throwIfNot (derivation.type or null == "derivation") "lazyDerivation: input must be a derivation." - throwIfNot - # NOTE: Technically we could require our outputs to be a subset of the - # actual ones, or even leave them unchecked and fail on a lazy basis. - # However, consider the case where an output is added in the underlying - # derivation, such as dev. lazyDerivation would remove it and cause it - # to fail as a buildInputs item, without any indication as to what - # happened. Hence the more stringent condition. We could consider - # adding a flag to control this behavior if there's a valid case for it, - # but the documentation must have a note like this. - (derivation.outputs == outputs) - '' + if derivation.type or null != "derivation" then + throw "lazyDerivation: input must be a derivation." + # NOTE: Technically we could require our outputs to be a subset of the + # actual ones, or even leave them unchecked and fail on a lazy basis. + # However, consider the case where an output is added in the underlying + # derivation, such as dev. lazyDerivation would remove it and cause it + # to fail as a buildInputs item, without any indication as to what + # happened. Hence the more stringent condition. We could consider + # adding a flag to control this behavior if there's a valid case for it, + # but the documentation must have a note like this. + else if derivation.outputs != outputs then + throw '' lib.lazyDerivation: The derivation ${derivation.name or ""} has outputs that don't match the assumed outputs. Assumed outputs passed to lazyDerivation${showMaybeAttrPosPre ",\n at " "outputs" args}: @@ -142,6 +141,7 @@ in If none of the above works for you, replace the lib.lazyDerivation call by the expression in the derivation argument. '' + else derivation; in { diff --git a/lib/fetchers.nix b/lib/fetchers.nix index 0f4192cc6822..24f257a1f883 100644 --- a/lib/fetchers.nix +++ b/lib/fetchers.nix @@ -22,7 +22,6 @@ let concatMapStringsSep head length - throwIf ; inherit (lib.attrsets) attrsToList @@ -130,7 +129,7 @@ rec { hashesAsNVPairs = attrsToList (intersectAttrs hashSet args); in if hashesAsNVPairs == [ ] then - throwIf required "fetcher called without `hash`" null + if required then throw "fetcher called without `hash`" else null else if length hashesAsNVPairs != 1 then throw "fetcher called with mutually-incompatible arguments: ${ concatMapStringsSep ", " (a: a.name) hashesAsNVPairs diff --git a/lib/generators.nix b/lib/generators.nix index 0e15a56db312..d20abb6264ab 100644 --- a/lib/generators.nix +++ b/lib/generators.nix @@ -24,7 +24,6 @@ let inherit (lib) addErrorContext any - assertMsg attrNames attrValues concatLists @@ -64,7 +63,6 @@ let reverseList splitString tail - toList ; inherit (lib.strings) @@ -849,7 +847,7 @@ rec { _type == "lua-inline"; generatedBindings = - assert assertMsg (badVarNames == [ ]) "Bad Lua var names: ${toPretty { } badVarNames}"; + assert badVarNames == [ ] || throw "Bad Lua var names: ${toPretty { } badVarNames}"; concatStrings (mapAttrsToList (key: value: "${indent}${key} = ${toLua innerArgs value}\n") v); # https://en.wikibooks.org/wiki/Lua_Programming/variable#Variable_names diff --git a/lib/gvariant.nix b/lib/gvariant.nix index f64808347ee8..d47d5120ef9a 100644 --- a/lib/gvariant.nix +++ b/lib/gvariant.nix @@ -191,10 +191,15 @@ rec { mkArray = elems: let - vs = map mkValue (lib.throwIf (elems == [ ]) "Please create empty array with mkEmptyArray." elems); - elemType = lib.throwIfNot (lib.all (t: (head vs).type == t) ( - map (v: v.type) vs - )) "Elements in a list should have same type." (head vs).type; + vs = map mkValue ( + if elems == [ ] then throw "Please create empty array with mkEmptyArray." else elems + ); + firstType = (head vs).type; + elemType = + if lib.any (v: v.type != firstType) vs then + throw "Elements in a list should have same type." + else + firstType; in mkPrimitive (type.arrayOf elemType) vs // { diff --git a/lib/lists.nix b/lib/lists.nix index a5ee7c5a880d..e2e24244ff28 100644 --- a/lib/lists.nix +++ b/lib/lists.nix @@ -1848,7 +1848,7 @@ rec { */ last = list: - assert lib.assertMsg (list != [ ]) "lists.last: list must not be empty!"; + assert list != [ ] || throw "lists.last: list must not be empty!"; elemAt list (length list - 1); /** @@ -1881,7 +1881,7 @@ rec { */ init = list: - assert lib.assertMsg (list != [ ]) "lists.init: list must not be empty!"; + assert list != [ ] || throw "lists.init: list must not be empty!"; genList (elemAt list) (length list - 1); /** @@ -2157,7 +2157,8 @@ rec { */ replaceElemAt = list: idx: newElem: - assert lib.assertMsg (idx >= 0 && idx < length list) - "'lists.replaceElemAt' called with index ${toString idx} on a list of size ${toString (length list)}"; + assert + idx >= 0 && idx < length list + || throw "'lists.replaceElemAt' called with index ${toString idx} on a list of size ${toString (length list)}"; genList (i: if i == idx then newElem else elemAt list i) (length list); } diff --git a/lib/meta.nix b/lib/meta.nix index 5697b915061c..1defd305abc0 100644 --- a/lib/meta.nix +++ b/lib/meta.nix @@ -12,7 +12,6 @@ let all isDerivation getBin - assertMsg ; inherit (lib.attrsets) mapAttrs' filterAttrs; inherit (builtins) @@ -571,12 +570,15 @@ rec { */ getExe' = x: y: - assert assertMsg (isDerivation x) - "lib.meta.getExe': The first argument is of type ${typeOf x}, but it should be a derivation instead."; - assert assertMsg (isString y) - "lib.meta.getExe': The second argument is of type ${typeOf y}, but it should be a string instead."; - assert assertMsg (match ".*/.*" y == null) - "lib.meta.getExe': The second argument \"${y}\" is a nested path with a \"/\" character, but it should just be the name of the executable instead."; + assert + isDerivation x + || throw "lib.meta.getExe': The first argument is of type ${typeOf x}, but it should be a derivation instead."; + assert + isString y + || throw "lib.meta.getExe': The second argument is of type ${typeOf y}, but it should be a string instead."; + assert + match ".*/.*" y == null + || throw "lib.meta.getExe': The second argument \"${y}\" is a nested path with a \"/\" character, but it should just be the name of the executable instead."; "${getBin x}/bin/${y}"; /** diff --git a/lib/modules.nix b/lib/modules.nix index c5c935144ea6..a206ed6ed8e2 100644 --- a/lib/modules.nix +++ b/lib/modules.nix @@ -46,7 +46,6 @@ let setAttrByPath substring take - throwIfNot trace typeOf types @@ -680,8 +679,11 @@ let config = addFreeformType (addMeta (m.config or { })); } else - # shorthand syntax - throwIfNot (isAttrs m) "module ${file} (${key}) does not look like a module." { + # shorthand syntax + if !isAttrs m then + throw "module ${file} (${key}) does not look like a module." + else + { _file = toString m._file or file; _class = m._class or null; key = toString m.key or key; diff --git a/lib/network/internal.nix b/lib/network/internal.nix index adda711444fd..d22b2739c3f4 100644 --- a/lib/network/internal.nix +++ b/lib/network/internal.nix @@ -104,9 +104,9 @@ let */ parseExpandedIpv6 = addr: - assert lib.assertMsg ( + assert length addr == ipv6Pieces - ) "parseExpandedIpv6: expected list of integers with ${ipv6Pieces} elements"; + || throw "parseExpandedIpv6: expected list of integers with ${ipv6Pieces} elements"; let u16FromHexStr = hex: diff --git a/lib/path/default.nix b/lib/path/default.nix index 60c56948d68e..9cefcaa07314 100644 --- a/lib/path/default.nix +++ b/lib/path/default.nix @@ -32,10 +32,6 @@ let substring ; - inherit (lib.asserts) - assertMsg - ; - inherit (lib.path.subpath) isValid ; @@ -238,11 +234,14 @@ in path: # The subpath string to append subpath: - assert assertMsg (isPath path) - "lib.path.append: The first argument is of type ${builtins.typeOf path}, but a path was expected"; - assert assertMsg (isValid subpath) '' - lib.path.append: Second argument is not a valid subpath string: - ${subpathInvalidReason subpath}''; + assert + isPath path + || throw "lib.path.append: The first argument is of type ${builtins.typeOf path}, but a path was expected"; + assert + isValid subpath + || throw '' + lib.path.append: Second argument is not a valid subpath string: + ${subpathInvalidReason subpath}''; path + ("/" + subpath); /** @@ -285,21 +284,25 @@ in */ hasPrefix = path1: - assert assertMsg (isPath path1) - "lib.path.hasPrefix: First argument is of type ${typeOf path1}, but a path was expected"; + assert + isPath path1 + || throw "lib.path.hasPrefix: First argument is of type ${typeOf path1}, but a path was expected"; let path1Deconstructed = deconstructPath path1; in path2: - assert assertMsg (isPath path2) - "lib.path.hasPrefix: Second argument is of type ${typeOf path2}, but a path was expected"; + assert + isPath path2 + || throw "lib.path.hasPrefix: Second argument is of type ${typeOf path2}, but a path was expected"; let path2Deconstructed = deconstructPath path2; in - assert assertMsg (path1Deconstructed.root == path2Deconstructed.root) '' - lib.path.hasPrefix: Filesystem roots must be the same for both paths, but paths with different roots were given: - first argument: "${toString path1}" with root "${toString path1Deconstructed.root}" - second argument: "${toString path2}" with root "${toString path2Deconstructed.root}"''; + assert + path1Deconstructed.root == path2Deconstructed.root + || throw '' + lib.path.hasPrefix: Filesystem roots must be the same for both paths, but paths with different roots were given: + first argument: "${toString path1}" with root "${toString path1Deconstructed.root}" + second argument: "${toString path2}" with root "${toString path2Deconstructed.root}"''; take (length path1Deconstructed.components) path2Deconstructed.components == path1Deconstructed.components; @@ -344,15 +347,17 @@ in */ removePrefix = path1: - assert assertMsg (isPath path1) - "lib.path.removePrefix: First argument is of type ${typeOf path1}, but a path was expected."; + assert + isPath path1 + || throw "lib.path.removePrefix: First argument is of type ${typeOf path1}, but a path was expected."; let path1Deconstructed = deconstructPath path1; path1Length = length path1Deconstructed.components; in path2: - assert assertMsg (isPath path2) - "lib.path.removePrefix: Second argument is of type ${typeOf path2}, but a path was expected."; + assert + isPath path2 + || throw "lib.path.removePrefix: Second argument is of type ${typeOf path2}, but a path was expected."; let path2Deconstructed = deconstructPath path2; success = take path1Length path2Deconstructed.components == path1Deconstructed.components; @@ -362,10 +367,12 @@ in else throw ''lib.path.removePrefix: The first path argument "${toString path1}" is not a component-wise prefix of the second path argument "${toString path2}".''; in - assert assertMsg (path1Deconstructed.root == path2Deconstructed.root) '' - lib.path.removePrefix: Filesystem roots must be the same for both paths, but paths with different roots were given: - first argument: "${toString path1}" with root "${toString path1Deconstructed.root}" - second argument: "${toString path2}" with root "${toString path2Deconstructed.root}"''; + assert + path1Deconstructed.root == path2Deconstructed.root + || throw '' + lib.path.removePrefix: Filesystem roots must be the same for both paths, but paths with different roots were given: + first argument: "${toString path1}" with root "${toString path1Deconstructed.root}" + second argument: "${toString path2}" with root "${toString path2Deconstructed.root}"''; joinRelPath components; /** @@ -422,8 +429,9 @@ in splitRoot = # The path to split the root off of path: - assert assertMsg (isPath path) - "lib.path.splitRoot: Argument is of type ${typeOf path}, but a path was expected"; + assert + isPath path + || throw "lib.path.splitRoot: Argument is of type ${typeOf path}, but a path was expected"; let deconstructed = deconstructPath path; in @@ -494,14 +502,15 @@ in let deconstructed = deconstructPath path; in - assert assertMsg (isPath path) - "lib.path.hasStorePathPrefix: Argument is of type ${typeOf path}, but a path was expected"; - assert assertMsg + assert + isPath path + || throw "lib.path.hasStorePathPrefix: Argument is of type ${typeOf path}, but a path was expected"; + assert # This function likely breaks or needs adjustment if used with other filesystem roots, if they ever get implemented. # Let's try to error nicely in such a case, though it's unclear how an implementation would work even and whether this could be detected. # See also https://github.com/NixOS/nix/pull/6530#discussion_r1422843117 - (deconstructed.root == /. && toString deconstructed.root == "/") - "lib.path.hasStorePathPrefix: Argument has a filesystem root (${toString deconstructed.root}) that's not /, which is currently not supported."; + deconstructed.root == /. && toString deconstructed.root == "/" + || throw "lib.path.hasStorePathPrefix: Argument has a filesystem root (${toString deconstructed.root}) that's not /, which is currently not supported."; componentsHaveStorePathPrefix deconstructed.components; /** @@ -702,9 +711,11 @@ in subpath.components = # The subpath string to split into components subpath: - assert assertMsg (isValid subpath) '' - lib.path.subpath.components: Argument is not a valid subpath string: - ${subpathInvalidReason subpath}''; + assert + isValid subpath + || throw '' + lib.path.subpath.components: Argument is not a valid subpath string: + ${subpathInvalidReason subpath}''; splitRelPath subpath; /** @@ -799,9 +810,11 @@ in subpath.normalise = # The subpath string to normalise subpath: - assert assertMsg (isValid subpath) '' - lib.path.subpath.normalise: Argument is not a valid subpath string: - ${subpathInvalidReason subpath}''; + assert + isValid subpath + || throw '' + lib.path.subpath.normalise: Argument is not a valid subpath string: + ${subpathInvalidReason subpath}''; joinRelPath (splitRelPath subpath); } diff --git a/lib/strings.nix b/lib/strings.nix index b81a04a6666b..59a458aecf80 100644 --- a/lib/strings.nix +++ b/lib/strings.nix @@ -1589,15 +1589,14 @@ rec { */ toSentenceCase = str: - lib.throwIfNot (isString str) - "toSentenceCase does only accepts string values, but got ${typeOf str}" - ( - let - firstChar = substring 0 1 str; - rest = substring 1 (-1) str; # -1 takes till the end of the string - in - toUpper firstChar + toLower rest - ); + if !isString str then + throw "toSentenceCase does only accepts string values, but got ${typeOf str}" + else + let + firstChar = substring 0 1 str; + rest = substring 1 (-1) str; # -1 takes till the end of the string + in + toUpper firstChar + toLower rest; /** Converts a string to camelCase. Handles snake_case, PascalCase, @@ -1633,7 +1632,9 @@ rec { */ toCamelCase = str: - lib.throwIfNot (isString str) "toCamelCase does only accepts string values, but got ${typeOf str}" ( + if !isString str then + throw "toCamelCase does only accepts string values, but got ${typeOf str}" + else let separators = splitStringBy ( prev: curr: @@ -1653,8 +1654,7 @@ rec { first = if length parts > 0 then toLower (head parts) else ""; rest = if length parts > 1 then map toSentenceCase (tail parts) else [ ]; in - concatStrings ([ first ] ++ rest) - ); + concatStrings ([ first ] ++ rest); /** Appends string context from string like object `src` to `target`. @@ -2532,8 +2532,9 @@ rec { strw = lib.stringLength str; reqWidth = width - (lib.stringLength filler); in - assert lib.assertMsg (strw <= width) - "fixedWidthString: requested string length (${toString width}) must not be shorter than actual length (${toString strw})"; + assert + strw <= width + || throw "fixedWidthString: requested string length (${toString width}) must not be shorter than actual length (${toString strw})"; if strw == width then str else filler + fixedWidthString reqWidth filler str; /** diff --git a/lib/types.nix b/lib/types.nix index f9ae3c82a172..e7a8763983a1 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -21,7 +21,6 @@ let isString substring sort - throwIf toDerivation toList types @@ -408,7 +407,7 @@ rec { betweenDesc = lowest: highest: "${toString lowest} and ${toString highest} (both inclusive)"; between = lowest: highest: - assert lib.assertMsg (lowest <= highest) "ints.between: lowest must be smaller than highest"; + assert lowest <= highest || throw "ints.between: lowest must be smaller than highest"; addCheck int (x: x >= lowest && x <= highest) // { name = "intBetween"; @@ -495,7 +494,7 @@ rec { { between = lowest: highest: - assert lib.assertMsg (lowest <= highest) "numbers.between: lowest must be smaller than highest"; + assert lowest <= highest || throw "numbers.between: lowest must be smaller than highest"; addCheck number (x: x >= lowest && x <= highest) // { name = "numberBetween"; @@ -660,10 +659,10 @@ rec { inStore ? null, absolute ? null, }: - throwIf (inStore != null && absolute != null && inStore && !absolute) - "In pathWith, inStore means the path must be absolute" - mkOptionType - { + if inStore != null && absolute != null && inStore && !absolute then + throw "In pathWith, inStore means the path must be absolute" + else + mkOptionType { name = "path"; description = ( (if absolute == null then "" else (if absolute then "absolute " else "relative ")) @@ -1079,8 +1078,8 @@ rec { builtins.addErrorContext "while checking that attrTag tag ${lib.strings.escapeNixIdentifier n} is an option with a type${inAttrPosSuffix tags_ n}" ( - throwIf (opt._type or null != "option") - "In attrTag, each tag value must be an option, but tag ${lib.strings.escapeNixIdentifier n} ${ + if opt._type or null != "option" then + throw "In attrTag, each tag value must be an option, but tag ${lib.strings.escapeNixIdentifier n} ${ if opt ? _type then if opt._type == "option-type" then "was a bare type, not wrapped in mkOption." @@ -1089,23 +1088,24 @@ rec { else "was not." }" + else opt - // { - declarations = - opt.declarations or ( - let - pos = builtins.unsafeGetAttrPos n tags_; - in - if pos == null then [ ] else [ pos.file ] - ); - declarationPositions = - opt.declarationPositions or ( - let - pos = builtins.unsafeGetAttrPos n tags_; - in - if pos == null then [ ] else [ pos ] - ); - } + // { + declarations = + opt.declarations or ( + let + pos = builtins.unsafeGetAttrPos n tags_; + in + if pos == null then [ ] else [ pos.file ] + ); + declarationPositions = + opt.declarationPositions or ( + let + pos = builtins.unsafeGetAttrPos n tags_; + in + if pos == null then [ ] else [ pos ] + ); + } ) ) tags_; choicesStr = concatMapStringsSep ", " lib.strings.escapeNixIdentifier (attrNames tags); @@ -1728,9 +1728,9 @@ rec { # converted to `finalType` using `coerceFunc`. coercedTo = coercedType: coerceFunc: finalType: - assert lib.assertMsg ( + assert coercedType.getSubModules == null - ) "coercedTo: coercedType must not have submodules (it’s a ${coercedType.description})"; + || throw "coercedTo: coercedType must not have submodules (it’s a ${coercedType.description})"; mkOptionType rec { name = "coercedTo"; description = "${optionDescriptionPhrase (class: class == "noun") finalType} or ${ diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 0d290c3857f2..13a23dfae38d 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -625,6 +625,7 @@ in flannel = runTestOn [ "x86_64-linux" ] ./flannel.nix; flap-alerted = runTest ./flap-alerted.nix; flaresolverr = runTest ./flaresolverr.nix; + flarum = runTest ./flarum.nix; flood = runTest ./flood.nix; fluent-bit = runTest ./fluent-bit.nix; fluentd = runTest ./fluentd.nix; diff --git a/nixos/tests/flarum.nix b/nixos/tests/flarum.nix new file mode 100644 index 000000000000..17c7df02f44c --- /dev/null +++ b/nixos/tests/flarum.nix @@ -0,0 +1,52 @@ +{ lib, ... }: +{ + name = "flarum"; + + meta = { + maintainers = with lib.maintainers; [ + fsagbuya + jasonodoom + ]; + }; + + nodes.machine = + { ... }: + { + # Flarum installs and migrates the database on first boot and runs a + # MariaDB server alongside PHP-FPM and nginx, so give the VM some headroom. + virtualisation.memorySize = 2048; + + services.flarum = { + enable = true; + forumTitle = "NixOS Flarum Test Forum"; + domain = "localhost"; + baseUrl = "http://localhost"; + + # Run `flarum install` against the locally provisioned MariaDB. Safe here + # because the VM always starts from a fresh, empty database. + createDatabaseLocally = true; + + adminUser = "admin"; + adminEmail = "admin@example.com"; + # Flarum rejects admin passwords shorter than 8 characters. + initialAdminPassword = "flarum-admin-password"; + }; + }; + + testScript = '' + start_all() + + # PHP-FPM is ordered after the oneshot installer (Type=oneshot, no + # RemainAfterExit), so waiting on it implies the install/migrate finished. + machine.wait_for_unit("phpfpm-flarum.service") + machine.wait_for_unit("nginx.service") + machine.wait_for_open_port(80) + + # The forum front page is server-rendered and embeds the configured title. + machine.wait_until_succeeds("curl -sf http://localhost/ -o /dev/null") + machine.succeed("curl -sf http://localhost/ | grep -F 'NixOS Flarum Test Forum'") + + # The admin API endpoint should respond, confirming the app booted cleanly. + machine.succeed("curl -sf http://localhost/api -o /dev/null") + ''; +} diff --git a/nixos/tests/victoriametrics/external-promscrape-config.nix b/nixos/tests/victoriametrics/external-promscrape-config.nix index f645b8c839b9..15b8c9bde157 100644 --- a/nixos/tests/victoriametrics/external-promscrape-config.nix +++ b/nixos/tests/victoriametrics/external-promscrape-config.nix @@ -29,8 +29,8 @@ in ]; }; - nodes = { - victoriametrics = + containers = { + vmserver = { pkgs, ... }: { environment.systemPackages = [ pkgs.jq ]; @@ -55,14 +55,14 @@ in node.wait_for_unit("prometheus-node-exporter") node.wait_for_open_port(${toString nodeExporterPort}) - victoriametrics.wait_for_unit("victoriametrics") - victoriametrics.wait_for_open_port(8428) + vmserver.wait_for_unit("victoriametrics") + vmserver.wait_for_open_port(8428) - promscrape_config = victoriametrics.succeed("journalctl -u victoriametrics -o cat | grep 'promscrape.config'") + promscrape_config = vmserver.succeed("journalctl -u victoriametrics -o cat | grep 'promscrape.config'") assert '${toString promscrapeConfigYaml}' in promscrape_config - victoriametrics.wait_until_succeeds( + vmserver.wait_until_succeeds( "curl -sf 'http://localhost:8428/api/v1/query?query=node_exporter_build_info\{instance=\"node:9100\"\}' | " + "jq '.data.result[0].value[1]' | grep '\"1\"'" ) diff --git a/nixos/tests/victoriametrics/remote-write.nix b/nixos/tests/victoriametrics/remote-write.nix index 1788c9d8747c..721c4822c1d0 100644 --- a/nixos/tests/victoriametrics/remote-write.nix +++ b/nixos/tests/victoriametrics/remote-write.nix @@ -14,8 +14,8 @@ in ]; }; - nodes = { - victoriametrics = + containers = { + vmserver = { pkgs, ... }: { environment.systemPackages = [ pkgs.jq ]; @@ -34,7 +34,7 @@ in services.vmagent = { enable = true; remoteWrite = { - url = "http://victoriametrics:8428/api/v1/write"; + url = "http://vmserver:8428/api/v1/write"; basicAuthUsername = username; basicAuthPasswordFile = toString passwordFile; }; @@ -71,13 +71,13 @@ in node.wait_for_unit("prometheus-node-exporter") node.wait_for_open_port(9100) - victoriametrics.wait_for_unit("victoriametrics") - victoriametrics.wait_for_open_port(8428) + vmserver.wait_for_unit("victoriametrics") + vmserver.wait_for_open_port(8428) vmagent.wait_for_unit("vmagent") # check remote write - victoriametrics.wait_until_succeeds( + vmserver.wait_until_succeeds( "curl --user '${username}:${password}' -sf 'http://localhost:8428/api/v1/query?query=node_exporter_build_info\{instance=\"node:9100\"\}' | " + "jq '.data.result[0].value[1]' | grep '\"1\"'" ) diff --git a/nixos/tests/victoriametrics/vmalert.nix b/nixos/tests/victoriametrics/vmalert.nix index e6a0ab5d4e52..684b60d0a605 100644 --- a/nixos/tests/victoriametrics/vmalert.nix +++ b/nixos/tests/victoriametrics/vmalert.nix @@ -9,8 +9,8 @@ ]; }; - nodes = { - victoriametrics = + containers = { + vmserver = { config, pkgs, ... }: { environment.systemPackages = [ pkgs.jq ]; @@ -27,7 +27,7 @@ static_configs = [ { targets = [ - "alertmanager:${toString config.services.prometheus.alertmanager.port}" + "alert:${toString config.services.prometheus.alertmanager.port}" ]; } ]; @@ -51,7 +51,7 @@ settings = { "datasource.url" = "http://localhost:8428"; # victoriametrics' api "notifier.url" = [ - "http://alertmanager:${toString config.services.prometheus.alertmanager.port}" + "http://alert:${toString config.services.prometheus.alertmanager.port}" ]; # alertmanager's api rule = [ (pkgs.writeText "instance-down.yml" '' @@ -71,7 +71,7 @@ }; }; - alertmanager = { + alert = { services.prometheus.alertmanager = { enable = true; openFirewall = true; @@ -115,33 +115,33 @@ }; testScript = '' - alertmanager.wait_for_unit("alertmanager") - alertmanager.wait_for_open_port(9093) - alertmanager.wait_until_succeeds("curl -s http://127.0.0.1:9093/-/ready") + alert.wait_for_unit("alertmanager") + alert.wait_for_open_port(9093) + alert.wait_until_succeeds("curl -s http://127.0.0.1:9093/-/ready") logger.wait_for_unit("alertmanager-webhook-logger") logger.wait_for_open_port(6725) - victoriametrics.wait_for_unit("victoriametrics") - victoriametrics.wait_for_unit("vmalert") - victoriametrics.wait_for_open_port(8428) + vmserver.wait_for_unit("victoriametrics") + vmserver.wait_for_unit("vmalert") + vmserver.wait_for_open_port(8428) - victoriametrics.wait_until_succeeds( + vmserver.wait_until_succeeds( "curl -sf 'http://127.0.0.1:8428/api/v1/query?query=count(up\{job=\"alertmanager\"\}==1)' | " + "jq '.data.result[0].value[1]' | grep '\"1\"'" ) - victoriametrics.wait_until_succeeds( + vmserver.wait_until_succeeds( "curl -sf 'http://127.0.0.1:8428/api/v1/query?query=sum(alertmanager_build_info)%20by%20(version)' | " + "jq '.data.result[0].metric.version' | grep '\"${pkgs.prometheus-alertmanager.version}\"'" ) - victoriametrics.wait_until_succeeds( + vmserver.wait_until_succeeds( "curl -sf 'http://127.0.0.1:8428/api/v1/query?query=count(up\{job=\"node\"\}!=1)' | " + "jq '.data.result[0].value[1]' | grep '\"1\"'" ) - victoriametrics.wait_until_succeeds( + vmserver.wait_until_succeeds( "curl -sf 'http://127.0.0.1:8428/api/v1/query?query=alertmanager_notifications_total\{integration=\"webhook\"\}' | " + "jq '.data.result[0].value[1]' | grep -v '\"0\"'" ) @@ -152,6 +152,6 @@ logger.log(logger.succeed("systemd-analyze security alertmanager-webhook-logger.service | grep -v '✓'")) - alertmanager.log(alertmanager.succeed("systemd-analyze security alertmanager.service | grep -v '✓'")) + alert.log(alert.succeed("systemd-analyze security alertmanager.service | grep -v '✓'")) ''; } diff --git a/pkgs/applications/networking/cluster/terraform-providers/providers.json b/pkgs/applications/networking/cluster/terraform-providers/providers.json index 59451136a9d6..a0ef1151b227 100644 --- a/pkgs/applications/networking/cluster/terraform-providers/providers.json +++ b/pkgs/applications/networking/cluster/terraform-providers/providers.json @@ -355,11 +355,11 @@ "vendorHash": null }, "dopplerhq_doppler": { - "hash": "sha256-vYLNRSk8U9Ez5+LrC9cr6Ux32p7n93WOJaM4lY7ghE0=", + "hash": "sha256-SS2S4JGG1Xu0p4k6lVlTr173Xanwc6hZ0A3osEWGdEg=", "homepage": "https://registry.terraform.io/providers/DopplerHQ/doppler", "owner": "DopplerHQ", "repo": "terraform-provider-doppler", - "rev": "v1.21.3", + "rev": "v1.21.4", "spdx": "Apache-2.0", "vendorHash": "sha256-B8mYLd4VdADWoQLWiCM85VQrBfDdlYQ0wkCp9eUBQ4U=" }, @@ -968,13 +968,13 @@ "vendorHash": "sha256-OAd8SeTqTrH0kMoM2LsK3vM2PI23b3gl57FaJYM9hM0=" }, "newrelic_newrelic": { - "hash": "sha256-sUawDMMhwCo2xqnPNiaRMGKo3rRxNGjLEl2NYwfVuMk=", + "hash": "sha256-/y3BdJAwmmR9FHzbYh+2EBAae+WQp5+wubPEh6Tw98s=", "homepage": "https://registry.terraform.io/providers/newrelic/newrelic", "owner": "newrelic", "repo": "terraform-provider-newrelic", - "rev": "v3.93.2", + "rev": "v3.94.0", "spdx": "MPL-2.0", - "vendorHash": "sha256-fCdwTWYbwuJUh+9WeVN5WmpPxdop49oHZ2cUm3K5w6w=" + "vendorHash": "sha256-gbkuHyFBc1WUbtDFXnyzUlYdIvyFPwBHd+gg7VPenb4=" }, "ns1-terraform_ns1": { "hash": "sha256-6w0r6QXm16h4I4PFj80dJhTDbF4FPMjJalO0TfXGBEA=", diff --git a/pkgs/by-name/ac/acli/sources.json b/pkgs/by-name/ac/acli/sources.json index ebc68bc98fb4..bd8c679ff957 100644 --- a/pkgs/by-name/ac/acli/sources.json +++ b/pkgs/by-name/ac/acli/sources.json @@ -1,21 +1,21 @@ { - "version": "1.3.20-stable", + "version": "1.3.21-stable", "sources": { "aarch64-darwin": { - "url": "https://acli.atlassian.com/darwin/1.3.20-stable/acli_1.3.20-stable_darwin_arm64.tar.gz", - "sha256": "5fca5f021b8202f77f60ecc0ded293fb4af67afdb462ed20dce990cfedc49517" + "url": "https://acli.atlassian.com/darwin/1.3.21-stable/acli_1.3.21-stable_darwin_arm64.tar.gz", + "sha256": "39687d1c18054736f7264d76d33ceb89e8ebf480fbbba9541d9fefdda94ded66" }, "aarch64-linux": { - "url": "https://acli.atlassian.com/linux/1.3.20-stable/acli_1.3.20-stable_linux_arm64.tar.gz", - "sha256": "2209f6ab1f7fb4c16247e30115d0ff7c1511161aeae4d166e0e79ec81125a4b1" + "url": "https://acli.atlassian.com/linux/1.3.21-stable/acli_1.3.21-stable_linux_arm64.tar.gz", + "sha256": "b6104cd1737613fe4b24c20619965bb59b7b9bc09e39fb95f41a671b2b320ab8" }, "x86_64-darwin": { - "url": "https://acli.atlassian.com/darwin/1.3.20-stable/acli_1.3.20-stable_darwin_amd64.tar.gz", - "sha256": "4b9c4faa0d635b6e9194b101d4826b26cd6a15c46313f6a5f9436e20e8a48b78" + "url": "https://acli.atlassian.com/darwin/1.3.21-stable/acli_1.3.21-stable_darwin_amd64.tar.gz", + "sha256": "75f08d45886f770117405bb5b053bfa4c8e98045afe3dfa965905fabd8825f5c" }, "x86_64-linux": { - "url": "https://acli.atlassian.com/linux/1.3.20-stable/acli_1.3.20-stable_linux_amd64.tar.gz", - "sha256": "4e0190233a58276001a3cdff23e4be5e30844f98c639c49cfdeb581b9eb147aa" + "url": "https://acli.atlassian.com/linux/1.3.21-stable/acli_1.3.21-stable_linux_amd64.tar.gz", + "sha256": "f158f6e8f6ae7e279d1ced8ce85a93647aa70c42c29f0d5ad303ebd3c727f956" } } } diff --git a/pkgs/by-name/ad/adscan/package.nix b/pkgs/by-name/ad/adscan/package.nix index 80646c0ab464..03e840cd3223 100644 --- a/pkgs/by-name/ad/adscan/package.nix +++ b/pkgs/by-name/ad/adscan/package.nix @@ -7,7 +7,7 @@ python3Packages.buildPythonApplication (finalAttrs: { pname = "adscan"; - version = "9.1.1"; + version = "9.2.0"; pyproject = true; __structuredAttrs = true; @@ -16,7 +16,7 @@ python3Packages.buildPythonApplication (finalAttrs: { owner = "ADScanPro"; repo = "adscan"; tag = "v${finalAttrs.version}"; - hash = "sha256-lVoDPRw2NQBQJo37uKT807HXN28cDFxiWwedTiYhojc="; + hash = "sha256-28v36+sbgt/xaE8N7w4o0WTMYd95QsW190VPhOgL3+8="; }; pythonRelaxDeps = [ "credsweeper" ]; diff --git a/pkgs/by-name/em/embedxpl/package.nix b/pkgs/by-name/em/embedxpl/package.nix index d0dc0c484c3e..71069e1fa840 100644 --- a/pkgs/by-name/em/embedxpl/package.nix +++ b/pkgs/by-name/em/embedxpl/package.nix @@ -6,14 +6,14 @@ python3.pkgs.buildPythonApplication (finalAttrs: { pname = "embedxpl"; - version = "3.8.1"; + version = "3.8.8"; pyproject = true; src = fetchFromGitHub { owner = "mrhenrike"; repo = "EmbedXPL-Forge"; tag = "v${finalAttrs.version}"; - hash = "sha256-y3Ftmqb5RnY1U2uqrq4Olyr0I0ZVJo/pgMY7RpbZqlU="; + hash = "sha256-L3gY2wna1V7nF/vGwr1hzq8WeQxTTsvgKMAatVUKZ9E="; }; __structuredAttrs = true; diff --git a/pkgs/by-name/fl/flarum/package.nix b/pkgs/by-name/fl/flarum/package.nix index 227eb5b395fe..d79a26a5bb34 100644 --- a/pkgs/by-name/fl/flarum/package.nix +++ b/pkgs/by-name/fl/flarum/package.nix @@ -2,6 +2,7 @@ lib, php, fetchFromGitHub, + nixosTests, }: php.buildComposerProject2 (finalAttrs: { @@ -19,6 +20,8 @@ php.buildComposerProject2 (finalAttrs: { composerStrictValidation = false; vendorHash = "sha256-EHl+Mr6y5A51EpLPAWUGtiPkLOky6KvsSY4JWHeyO28="; + passthru.tests.module = nixosTests.flarum; + meta = { changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md"; description = "Delightfully simple discussion platform for your website"; diff --git a/pkgs/by-name/ha/handheld-daemon/package.nix b/pkgs/by-name/ha/handheld-daemon/package.nix index c13f6c85b96f..f46fb5cd7457 100644 --- a/pkgs/by-name/ha/handheld-daemon/package.nix +++ b/pkgs/by-name/ha/handheld-daemon/package.nix @@ -16,14 +16,14 @@ }: python3Packages.buildPythonApplication (finalAttrs: { pname = "handheld-daemon"; - version = "4.1.9"; + version = "4.1.10"; pyproject = true; src = fetchFromGitHub { owner = "hhd-dev"; repo = "hhd"; tag = "v${finalAttrs.version}"; - hash = "sha256-pzcMIXLZUkSqJuZTujAoKjfPuZgtit4u08wHZPPz8Ss="; + hash = "sha256-+POL5d9kn5oCGeu79gWxK0b0UHn//j/QjHq9wLZw6h8="; }; # Handheld-daemon runs some selinux-related utils which are not in nixpkgs. diff --git a/pkgs/by-name/ic/icestudio/package.nix b/pkgs/by-name/ic/icestudio/package.nix index 025a837aaffc..9e7995642d03 100644 --- a/pkgs/by-name/ic/icestudio/package.nix +++ b/pkgs/by-name/ic/icestudio/package.nix @@ -13,13 +13,13 @@ let # Use unstable because it has improvements for finding python - version = "0.12-unstable-2026-05-28"; + version = "0.12-unstable-2026-06-29"; src = fetchFromGitHub { owner = "FPGAwars"; repo = "icestudio"; - rev = "cfa40bd83ada8d7f3594c2cd60e39d2d63ff14d0"; - hash = "sha256-vp4cLDK2mfheLw+0ysNjKW5bbrm806Y6sHkSpEgWo4U="; + rev = "8607f7ef538c4b447362b2ab90aece2fbb7d1b75"; + hash = "sha256-8KYwlOKKmTQza71cVpssOGJJNwIUvMHMYcokhK/LhEo="; }; collection = fetchurl { diff --git a/pkgs/by-name/in/incus-ui-canonical/package.nix b/pkgs/by-name/in/incus-ui-canonical/package.nix index daf58189b326..e4e500e0ecbf 100644 --- a/pkgs/by-name/in/incus-ui-canonical/package.nix +++ b/pkgs/by-name/in/incus-ui-canonical/package.nix @@ -20,14 +20,14 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "incus-ui-canonical"; - version = "0.21.2"; + version = "0.21.3"; src = fetchFromGitHub { owner = "zabbly"; repo = "incus-ui-canonical"; # only use tags prefixed by incus- they are the tested fork versions tag = "incus-${finalAttrs.version}"; - hash = "sha256-nCussrzWjFbZ6its3X74KBktv/dZO76OJGwG7upjkMw="; + hash = "sha256-fyeh7KX2Cvo2YmUNnmzeWkTGgGrJHhjbq39AmnwhgAs="; }; offlineCache = fetchYarnDeps { diff --git a/pkgs/by-name/in/intiface-central/package.nix b/pkgs/by-name/in/intiface-central/package.nix index 34b2c6e0a62d..7a4fd3bc653e 100644 --- a/pkgs/by-name/in/intiface-central/package.nix +++ b/pkgs/by-name/in/intiface-central/package.nix @@ -146,9 +146,8 @@ flutter338.buildFlutterApplication { ln -s ${buttplug} ../buttplug ''; - # without this, only the splash screen will be shown and the logs will contain the - # line `Failed to load dynamic library 'lib/libintiface_engine_flutter_bridge.so'` - extraWrapProgramArgs = "--chdir $out/app/intiface-central"; + # without this, only the splash screen will be shown + extraWrapProgramArgs = "--set FRB_DART_LOAD_EXTERNAL_LIBRARY_NATIVE_LIB_DIR $out/app/intiface-central/lib"; postInstall = '' install -Dm644 $out/app/intiface-central/data/flutter_assets/assets/icons/intiface_central_icon.png $out/share/icons/hicolor/512x512/apps/intiface-central.png diff --git a/pkgs/by-name/li/libfprint-tod/package.nix b/pkgs/by-name/li/libfprint-tod/package.nix index 9abebbb42b25..120082b2029e 100644 --- a/pkgs/by-name/li/libfprint-tod/package.nix +++ b/pkgs/by-name/li/libfprint-tod/package.nix @@ -27,6 +27,10 @@ libfprint.overrideAttrs ( hash = "sha256-xkywuFbt8EFJOlIsSN2hhZfMUhywdgJ/uT17uiO3YV4="; }; + # Different source than libfprint, so override any patches, because they + # would only apply to the original source tree + patches = [ ]; + mesonFlags = [ # Include virtual drivers for fprintd tests "-Ddrivers=all" diff --git a/pkgs/by-name/li/libfprint/package.nix b/pkgs/by-name/li/libfprint/package.nix index 160cec4aa0f9..edfc4aa8ea74 100644 --- a/pkgs/by-name/li/libfprint/package.nix +++ b/pkgs/by-name/li/libfprint/package.nix @@ -2,6 +2,7 @@ lib, stdenv, fetchFromGitLab, + fetchpatch, pkg-config, meson, python3, @@ -35,6 +36,35 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-aNBUIKY3PP5A07UNg3N0qq+2cwb6Fk67oKQcXgr2G/4="; }; + patches = [ + # New hardware support since 1.94.10, just new USB Product IDs + (fetchpatch { + name = "realtek-3274-9003.patch"; + url = "https://gitlab.freedesktop.org/libfprint/libfprint/-/commit/a25f71cf97820c51edc4c32f84686fcdc608d9d1.patch"; + sha256 = "sha256-T9rvT53Ij+5gtiVOp+xfzQwiVkyF0m6lZAUCXWmaugg="; + }) + (fetchpatch { + name = "elan-0c58.patch"; + url = "https://gitlab.freedesktop.org/libfprint/libfprint/-/commit/4610f2285e6373c2fe4ead0dff4ebf8dabe4e532.patch"; + sha256 = "sha256-VR96V+7FvSa8sE6JpcCx/slZ0MaK9HLuNuAay2P9C6M="; + }) + (fetchpatch { + name = "elan-04F3-0C9C.patch"; + url = "https://gitlab.freedesktop.org/libfprint/libfprint/-/commit/2bdc2b7ca6d8bedc675054934fbc8f8b6a21deac.patch"; + sha256 = "sha256-LFMip9Mq55uDRgHkW+XeI+j0mILOb7DIHscHjyKe4yE="; + }) + (fetchpatch { + name = "focal-077a-079a.patch"; + url = "https://gitlab.freedesktop.org/libfprint/libfprint/-/commit/2c7842c905147a2d127c1b168b2e9d432b8c91a4.patch"; + sha256 = "sha256-PuISGITn0/6AWY0WVUfViZtdcQFh+0s+4OLIszqdLUs="; + }) + (fetchpatch { + name = "focal-a97a.patch"; + url = "https://gitlab.freedesktop.org/libfprint/libfprint/-/commit/0dc384b90ed8cd78b3e8d7c0d30a953bd088b98c.patch"; + sha256 = "sha256-X/wl4MpxfQ7sLlFTkkiDQGyRFQ6lC9pdcy3XPrSeOZw="; + }) + ]; + postPatch = '' patchShebangs \ tests/test-runner.sh \ diff --git a/pkgs/by-name/ma/mailpit/source.nix b/pkgs/by-name/ma/mailpit/source.nix index 163ac2f273cb..16256eccff09 100644 --- a/pkgs/by-name/ma/mailpit/source.nix +++ b/pkgs/by-name/ma/mailpit/source.nix @@ -1,6 +1,6 @@ { - version = "1.30.2"; - hash = "sha256-37nJRJL1mxvUdD7L9/yO/Lzyjvn09Tu9xHTEt4pxu2s="; - npmDepsHash = "sha256-AApRrIIYC4NtKIFyGQ3lnKIOk7LZNDK8wvUUbSczTrA="; - vendorHash = "sha256-em0317Q1u5sl8gws4/qqM8e9H5F4vfBiM7tLCyufgEk="; + version = "1.30.3"; + hash = "sha256-6Vt1GpGWHfaYaORBFa/cB+AxYQxAdkGtGTsrvL08dsA="; + npmDepsHash = "sha256-vXAXuvKqLWbwCjSLNS8mLDA9AmaGSRsB67iKQMi+/No="; + vendorHash = "sha256-A/kef2PgrA0Jpb/o+f1nUeiwSibOgsnyYLOzJ/HB1Fo="; } diff --git a/pkgs/by-name/mu/musescore-evolution/package.nix b/pkgs/by-name/mu/musescore-evolution/package.nix index 03f01633f930..a544f3ec94f1 100644 --- a/pkgs/by-name/mu/musescore-evolution/package.nix +++ b/pkgs/by-name/mu/musescore-evolution/package.nix @@ -28,13 +28,13 @@ stdenv.mkDerivation (finalAttrs: { __structuredAttrs = true; pname = "musescore-evolution"; - version = "3.7.0-unstable-2026-06-10"; + version = "3.7.0-unstable-2026-06-30"; src = fetchFromGitHub { owner = "Jojo-Schmitz"; repo = "MuseScore"; - rev = "ec719c0152fbb0fb57758a14a3754ad08d31dfc7"; - hash = "sha256-yXVKjaY/utXA3617ik4misxeOVFp+0oo0RSU3yPUA00="; + rev = "8b07f250f0a657582609a870f27ea4794ec81ff2"; + hash = "sha256-XclDbyopuP4+3tfgsCThxr7QYdKmoaBSfWd+3h8A+6w="; }; patches = [ diff --git a/pkgs/by-name/ne/netavark/package.nix b/pkgs/by-name/ne/netavark/package.nix index 21ab26755886..cdccae339838 100644 --- a/pkgs/by-name/ne/netavark/package.nix +++ b/pkgs/by-name/ne/netavark/package.nix @@ -11,16 +11,16 @@ rustPlatform.buildRustPackage (finalAttrs: { pname = "netavark"; - version = "2.0.0"; + version = "1.17.2"; src = fetchFromGitHub { owner = "containers"; repo = "netavark"; rev = "v${finalAttrs.version}"; - hash = "sha256-hMtYAG1OnnK1xECp8yiGEtgrWWnVfywLokOw6fzKEjw="; + hash = "sha256-FdJNcHYK6Jc1dNqcUr5Ne8dv1dzlHRhcjoldiihrov8="; }; - cargoHash = "sha256-oVIOS0bzvT6FW43TJ/p0PZO/cjskzljhyxqeM0aSCCo="; + cargoHash = "sha256-wp/1lWc3OfNQt74m8DtpuFO/Mf07+M7numq2FMEkeGo="; nativeBuildInputs = [ installShellFiles diff --git a/pkgs/by-name/on/onnxruntime/nvrtc-link.patch b/pkgs/by-name/on/onnxruntime/nvrtc-link.patch new file mode 100644 index 000000000000..8c83c364498a --- /dev/null +++ b/pkgs/by-name/on/onnxruntime/nvrtc-link.patch @@ -0,0 +1,26 @@ +diff --git a/cmake/onnxruntime_providers_cuda.cmake b/cmake/onnxruntime_providers_cuda.cmake +index 624057dd43..64de9a0860 100644 +--- a/cmake/onnxruntime_providers_cuda.cmake ++++ b/cmake/onnxruntime_providers_cuda.cmake +@@ -310,7 +310,7 @@ + message( WARNING "To compile with NHWC ops enabled please compile against cuDNN 9 or newer." ) + endif() + endif() +- target_link_libraries(${target} PRIVATE CUDA::cublasLt CUDA::cublas CUDNN::cudnn_all cudnn_frontend CUDA::curand CUDA::cufft CUDA::cudart ++ target_link_libraries(${target} PRIVATE CUDA::cublasLt CUDA::cublas CUDNN::cudnn_all cudnn_frontend CUDA::curand CUDA::cufft CUDA::cudart CUDA::nvrtc CUDA::cuda_driver + ${ABSEIL_LIBS} ${ONNXRUNTIME_PROVIDERS_SHARED} Boost::mp11 safeint_interface) + endif() + +diff --git a/cmake/onnxruntime_providers_cuda_plugin.cmake b/cmake/onnxruntime_providers_cuda_plugin.cmake +index e345c944dc..82742df359 100644 +--- a/cmake/onnxruntime_providers_cuda_plugin.cmake ++++ b/cmake/onnxruntime_providers_cuda_plugin.cmake +@@ -250,6 +250,8 @@ target_link_libraries(onnxruntime_providers_cuda_plugin PRIVATE + CUDA::cublas + CUDA::cublasLt + CUDA::cufft ++ CUDA::nvrtc ++ CUDA::cuda_driver + CUDNN::cudnn_all + cudnn_frontend + Boost::mp11 diff --git a/pkgs/by-name/on/onnxruntime/package.nix b/pkgs/by-name/on/onnxruntime/package.nix index 01bd2b82e828..01b8ee43df55 100644 --- a/pkgs/by-name/on/onnxruntime/package.nix +++ b/pkgs/by-name/on/onnxruntime/package.nix @@ -134,6 +134,12 @@ effectiveStdenv.mkDerivation (finalAttrs: { # https://github.com/microsoft/onnxruntime/issues/9155 # Patch adapted from https://gitlab.alpinelinux.org/alpine/aports/-/raw/462dfe0eb4b66948fe48de44545cc22bb64fdf9f/community/onnxruntime/0001-Remove-MATH_NO_EXCEPT-macro.patch ./remove-MATH_NO_EXCEPT-macro.patch + ] + # Include additional target_link_libraries needed for cudnn-frontend >= 2.19 + # See: https://github.com/microsoft/onnxruntime/pull/28849 + # These changes are included in 548ab6e and fc7a9f0 upstream + ++ lib.optionals cudaSupport [ + ./nvrtc-link.patch ]; postPatch = '' diff --git a/pkgs/by-name/pa/pana/package.nix b/pkgs/by-name/pa/pana/package.nix index fb5d0c9a97ab..6881bae84334 100644 --- a/pkgs/by-name/pa/pana/package.nix +++ b/pkgs/by-name/pa/pana/package.nix @@ -9,13 +9,13 @@ }: buildDartApplication rec { pname = "pana"; - version = "0.23.12"; + version = "0.23.13"; src = fetchFromGitHub { owner = "dart-lang"; repo = "pana"; tag = version; - hash = "sha256-y72E2ojoAJF38QLb+5iKiAjF7c8AqglmY0qI53MohX4="; + hash = "sha256-LPTcmAb0eZKhxzz/LzV4GnHfw/RAKCItoC7Vn9vvOuw="; }; dartEntryPoints = { diff --git a/pkgs/by-name/pa/pana/pubspec.lock.json b/pkgs/by-name/pa/pana/pubspec.lock.json index 4e3c4076ee5e..2ca72fb00a18 100644 --- a/pkgs/by-name/pa/pana/pubspec.lock.json +++ b/pkgs/by-name/pa/pana/pubspec.lock.json @@ -4,21 +4,21 @@ "dependency": "transitive", "description": { "name": "_fe_analyzer_shared", - "sha256": "1dd467c7e56541bea70bbd35d537e3aa12dfba81f39e2a75bb6a61fc5595985b", + "sha256": "1b0e6a07425a3e460666e88bf1c949ccc7bb0116ad562ce94a1eca60fe820725", "url": "https://pub.dev" }, "source": "hosted", - "version": "97.0.0" + "version": "103.0.0" }, "analyzer": { "dependency": "direct main", "description": { "name": "analyzer", - "sha256": "041602214e3ec5a02ba85c08fe8e381aa25ac5367db17d03fbb6d22d851d4bba", + "sha256": "61c04d0c1bfed555c681ea079519933f071a5a026578ff73c4ff0df2d3462e5e", "url": "https://pub.dev" }, "source": "hosted", - "version": "11.0.0" + "version": "13.3.0" }, "args": { "dependency": "direct main", @@ -54,11 +54,11 @@ "dependency": "direct dev", "description": { "name": "build", - "sha256": "aadd943f4f8cc946882c954c187e6115a84c98c81ad1d9c6cbf0895a8c85da9c", + "sha256": "a156715e7cd728130c592f30552575908aae5b100005fbc1f0fb16b3c03a3d10", "url": "https://pub.dev" }, "source": "hosted", - "version": "4.0.5" + "version": "4.0.6" }, "build_config": { "dependency": "direct dev", @@ -84,11 +84,11 @@ "dependency": "direct dev", "description": { "name": "build_runner", - "sha256": "521daf8d189deb79ba474e43a696b41c49fb3987818dbacf3308f1e03673a75e", + "sha256": "1523ce62448ebac2c15a8ba5fbad8acac169788658a7dd2a1c2d9c2a9318b9a6", "url": "https://pub.dev" }, "source": "hosted", - "version": "2.13.1" + "version": "2.15.0" }, "build_verify": { "dependency": "direct dev", @@ -124,11 +124,11 @@ "dependency": "transitive", "description": { "name": "built_value", - "sha256": "0730c18c770d05636a8f945c32a4d7d81cb6e0f0148c8db4ad12e7748f7e49af", + "sha256": "34e4067d30ce212937df995f03b69992eea683539ceeac7f679a1f1eba055b56", "url": "https://pub.dev" }, "source": "hosted", - "version": "8.12.5" + "version": "8.12.6" }, "checked_yaml": { "dependency": "transitive", @@ -154,21 +154,11 @@ "dependency": "direct main", "description": { "name": "cli_util", - "sha256": "ff6785f7e9e3c38ac98b2fb035701789de90154024a75b6cb926445e83197d1c", + "sha256": "5909d2c6b66817222779e1eedc19e0e28b76d1df7bd9856a4792ccb9881df358", "url": "https://pub.dev" }, "source": "hosted", - "version": "0.4.2" - }, - "code_builder": { - "dependency": "transitive", - "description": { - "name": "code_builder", - "sha256": "6a6cab2ba4680d6423f34a9b972a4c9a94ebe1b62ecec4e1a1f2cba91fd1319d", - "url": "https://pub.dev" - }, - "source": "hosted", - "version": "4.11.1" + "version": "0.5.1" }, "collection": { "dependency": "direct main", @@ -194,11 +184,11 @@ "dependency": "transitive", "description": { "name": "coverage", - "sha256": "5da775aa218eaf2151c721b16c01c7676fbfdd99cebba2bf64e8b807a28ff94d", + "sha256": "956a3de0725ca232ad353565a8290d3357592bf4250f6f298a185e2d949c5d3d", "url": "https://pub.dev" }, "source": "hosted", - "version": "1.15.0" + "version": "1.15.1" }, "crypto": { "dependency": "direct main", @@ -234,11 +224,21 @@ "dependency": "transitive", "description": { "name": "dart_style", - "sha256": "29f7ecc274a86d32920b1d9cfc7502fa87220da41ec60b55f329559d5732e2b2", + "sha256": "59d53ef8eaed9d288ed9767618e2b31c4fa0383a127db59d5eb2e737a7638a60", "url": "https://pub.dev" }, "source": "hosted", - "version": "3.1.7" + "version": "3.1.9" + }, + "ffi": { + "dependency": "transitive", + "description": { + "name": "ffi", + "sha256": "6d7fd89431262d8f3125e81b50d3847a091d846eafcd4fdb88dd06f36d705a45", + "url": "https://pub.dev" + }, + "source": "hosted", + "version": "2.2.0" }, "file": { "dependency": "transitive", @@ -344,21 +344,21 @@ "dependency": "direct main", "description": { "name": "json_annotation", - "sha256": "cb09e7dac6210041fad964ed7fbee004f14258b4eca4040f72d1234062ace4c8", + "sha256": "2a743920d81b7910627f68ee2c9ac1fc0bfee32b9fc3403587d7c6791ca12f80", "url": "https://pub.dev" }, "source": "hosted", - "version": "4.11.0" + "version": "4.12.0" }, "json_serializable": { "dependency": "direct dev", "description": { "name": "json_serializable", - "sha256": "fbcf404b03520e6e795f6b9b39badb2b788407dfc0a50cf39158a6ae1ca78925", + "sha256": "ffcd10cde35a93b2abbbcc26bd9971f4ca93763e8abe78d855e3c4177797e501", "url": "https://pub.dev" }, "source": "hosted", - "version": "6.13.1" + "version": "6.14.0" }, "lints": { "dependency": "direct main", @@ -394,21 +394,21 @@ "dependency": "transitive", "description": { "name": "matcher", - "sha256": "dc0b7dc7651697ea4ff3e69ef44b0407ea32c487a39fff6a4004fa585e901861", + "sha256": "31bd099b47c10cd1aeb55146a2d46ce0277630ecef3f7dae54ad7873f36696cd", "url": "https://pub.dev" }, "source": "hosted", - "version": "0.12.19" + "version": "0.12.20" }, "meta": { "dependency": "direct main", "description": { "name": "meta", - "sha256": "df0c643f44ad098eb37988027a8e2b2b5a031fd3977f06bbfd3a76637e8df739", + "sha256": "c82594181e3312f3d0695fc95aaaf7758d75b8d4ae2bbecf223b9fd5109a059d", "url": "https://pub.dev" }, "source": "hosted", - "version": "1.18.2" + "version": "1.18.3" }, "mime": { "dependency": "transitive", @@ -544,21 +544,21 @@ "dependency": "direct dev", "description": { "name": "source_gen", - "sha256": "732792cfd197d2161a65bb029606a46e0a18ff30ef9e141a7a82172b05ea8ecd", + "sha256": "ec37cc0e6694374cbef59ed79685572c870a54ede6fa30a3e420feb3adffea02", "url": "https://pub.dev" }, "source": "hosted", - "version": "4.2.2" + "version": "4.2.3" }, "source_helper": { "dependency": "transitive", "description": { "name": "source_helper", - "sha256": "1d3b229b2934034fb2e691fbb3d53e0f75a4af7b1407f88425ed8f209bcb1b8f", + "sha256": "4227d54ceefd0bb8ca4c8fcb96e1719dc53f1ee1b6e2ca9d7a6069da160e4eae", "url": "https://pub.dev" }, "source": "hosted", - "version": "1.3.11" + "version": "1.3.12" }, "source_map_stack_trace": { "dependency": "transitive", @@ -654,31 +654,31 @@ "dependency": "direct main", "description": { "name": "test", - "sha256": "8d9ceddbab833f180fbefed08afa76d7c03513dfdba87ffcec2718b02bbcbf20", + "sha256": "0d5ba5602ec3baa28c8ce365e1efc5575969c765f45c554a3e167dc7945b9c30", "url": "https://pub.dev" }, "source": "hosted", - "version": "1.31.0" + "version": "1.31.2" }, "test_api": { "dependency": "transitive", "description": { "name": "test_api", - "sha256": "949a932224383300f01be9221c39180316445ecb8e7547f70a41a35bf421fb9e", + "sha256": "475610b2aa23c19687cce2961e44b0cc57cafe220f67c2b80201231b2a07fbe7", "url": "https://pub.dev" }, "source": "hosted", - "version": "0.7.11" + "version": "0.7.13" }, "test_core": { "dependency": "transitive", "description": { "name": "test_core", - "sha256": "1991d4cfe85d5043241acac92962c3977c8d2f2add1ee73130c7b286417d1d34", + "sha256": "a39c204a4fc7a7ccb04a2b985e359fda3cc37e45e0b8ac61c3fb1a05aa832132", "url": "https://pub.dev" }, "source": "hosted", - "version": "0.6.17" + "version": "0.6.19" }, "test_descriptor": { "dependency": "direct dev", @@ -714,11 +714,11 @@ "dependency": "transitive", "description": { "name": "vm_service", - "sha256": "45caa6c5917fa127b5dbcfbd1fa60b14e583afdc08bfc96dda38886ca252eb60", + "sha256": "0016aef94fc66495ac78af5859181e3f3bf2026bd8eecc72b9565601e19ab360", "url": "https://pub.dev" }, "source": "hosted", - "version": "15.0.2" + "version": "15.2.0" }, "watcher": { "dependency": "transitive", @@ -782,6 +782,6 @@ } }, "sdks": { - "dart": ">=3.10.0 <4.0.0" + "dart": ">=3.11.0 <4.0.0" } } diff --git a/pkgs/by-name/ph/phpstan/package.nix b/pkgs/by-name/ph/phpstan/package.nix index cdc91f106bd9..e24c35dc4c40 100644 --- a/pkgs/by-name/ph/phpstan/package.nix +++ b/pkgs/by-name/ph/phpstan/package.nix @@ -9,13 +9,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "phpstan"; - version = "2.2.2"; + version = "2.2.3"; src = fetchFromGitHub { owner = "phpstan"; repo = "phpstan"; tag = finalAttrs.version; - hash = "sha256-4C3d8ae9TGpyLNspClSS+Eor6epjG1BTS/Nzy4K5zZE="; + hash = "sha256-P0LmURcau2DGHJI5NZd9nZ56rWvO1EDYXoK1++ZcG6A="; }; nativeBuildInputs = [ diff --git a/pkgs/by-name/sc/scid/package.nix b/pkgs/by-name/sc/scid/package.nix index c093366bf294..2b7a4a21c8f1 100644 --- a/pkgs/by-name/sc/scid/package.nix +++ b/pkgs/by-name/sc/scid/package.nix @@ -35,6 +35,8 @@ tcl.mkTclDerivation rec { zlib ]; + addTclConfigureFlags = false; + configureFlags = [ "BINDIR=$(out)/bin" "SHAREDIR=$(out)/share" diff --git a/pkgs/by-name/sk/skypilot/CVE-2026-13482.patch b/pkgs/by-name/sk/skypilot/CVE-2026-13482.patch new file mode 100644 index 000000000000..a6c7766082d6 --- /dev/null +++ b/pkgs/by-name/sk/skypilot/CVE-2026-13482.patch @@ -0,0 +1,364 @@ +From 2435727f0c6b02d56e254a5ba1d8e041c7c33c86 Mon Sep 17 00:00:00 2001 +From: DanielZhangQD <36026334+DanielZhangQD@users.noreply.github.com> +Date: Mon, 29 Jun 2026 14:59:48 +0800 +Subject: [PATCH] [Core] Mark non-security MD5/SHA1 hashes with + usedforsecurity=False (#9972) + +* [Core] Mark non-security MD5/SHA1 hashes with usedforsecurity=False + +These hashlib.md5/sha1 calls derive identifiers, cache keys, and resource +names from non-secret inputs (usernames, paths, region/subscription ids, +cluster/host names, wheel/catalog contents). None protects a secret or +makes an authentication decision -- passwords use bcrypt via crypt_ctx and +auth is enforced by oauth2-proxy / SSO. Pass usedforsecurity=False so +weak-hash scanners (CWE-328) stop flagging them. The flag does not change +any digest value, so all derived ids, cache keys and names are unchanged. + +Co-Authored-By: Claude Opus 4.8 (1M context) + +* [Core] Address review: avoid split hexdigest() call in oauth2_proxy + +Compute the digest first, then slice, instead of splitting the empty +hexdigest() parentheses across lines. yapf-stable and more readable. + +Co-Authored-By: Claude Opus 4.8 (1M context) + +--------- + +Co-authored-by: Claude Opus 4.8 (1M context) +--- + sky/backends/backend_utils.py | 3 ++- + sky/backends/wheel_utils.py | 3 ++- + sky/batch/io_formats.py | 3 ++- + sky/catalog/aws_catalog.py | 6 ++++-- + sky/catalog/common.py | 4 +++- + sky/clouds/aws.py | 2 +- + sky/clouds/nebius.py | 3 ++- + sky/data/mounting_utils.py | 3 ++- + sky/data/storage.py | 6 ++++-- + sky/provision/azure/config.py | 2 +- + sky/provision/kubernetes/utils.py | 3 ++- + sky/provision/scp/instance.py | 2 +- + sky/server/auth/oauth2_proxy.py | 7 +++++-- + sky/server/server.py | 5 ++++- + sky/users/permission.py | 6 ++++-- + sky/users/server.py | 13 ++++++++++--- + sky/utils/command_runner.py | 7 ++++--- + sky/utils/common_utils.py | 13 ++++++++++--- + sky/utils/kubernetes/gpu_labeler.py | 3 ++- + 19 files changed, 65 insertions(+), 29 deletions(-) + +diff --git a/sky/backends/backend_utils.py b/sky/backends/backend_utils.py +index ff4662b4160..ec0b4bf74fb 100644 +--- a/sky/backends/backend_utils.py ++++ b/sky/backends/backend_utils.py +@@ -707,7 +707,8 @@ def get_expirable_clouds( + + + def _get_volume_name(path: str, cluster_name_on_cloud: str) -> str: +- path_hash = hashlib.md5(path.encode()).hexdigest()[:6] ++ path_hash = hashlib.md5(path.encode(), ++ usedforsecurity=False).hexdigest()[:6] + return f'{cluster_name_on_cloud}-{path_hash}' + + +diff --git a/sky/backends/wheel_utils.py b/sky/backends/wheel_utils.py +index 4cfd4c485a5..f142011bfe1 100644 +--- a/sky/backends/wheel_utils.py ++++ b/sky/backends/wheel_utils.py +@@ -210,7 +210,8 @@ def _build_sky_wheel() -> pathlib.Path: + # wheel content hash doesn't change. + with open(wheel_path, 'rb') as f: + contents = f.read() +- hash_of_latest_wheel = hashlib.md5(contents).hexdigest() ++ hash_of_latest_wheel = hashlib.md5(contents, ++ usedforsecurity=False).hexdigest() + + wheel_dir = WHEEL_DIR / hash_of_latest_wheel + wheel_dir.mkdir(parents=True, exist_ok=True) +diff --git a/sky/catalog/aws_catalog.py b/sky/catalog/aws_catalog.py +index c2480965708..e842068beaa 100644 +--- a/sky/catalog/aws_catalog.py ++++ b/sky/catalog/aws_catalog.py +@@ -113,7 +113,8 @@ def _get_az_mappings(aws_user_hash: str) -> Optional['pd.DataFrame']: + # Write md5 of the az_mapping file to a file so we can check it for + # any changes when uploading to the controller + with open(az_mapping_path, 'r', encoding='utf-8') as f: +- az_mapping_hash = hashlib.md5(f.read().encode()).hexdigest() ++ az_mapping_hash = hashlib.md5(f.read().encode(), ++ usedforsecurity=False).hexdigest() + with open(az_mapping_md5_path, 'w', encoding='utf-8') as f: + f.write(az_mapping_hash) + else: +@@ -147,7 +148,8 @@ def _fetch_and_apply_az_mapping(df: common.LazyDataFrame) -> 'pd.DataFrame': + user_identity_list = aws.AWS.get_active_user_identity() + assert user_identity_list, user_identity_list + user_identity = user_identity_list[0] +- aws_user_hash = hashlib.md5(user_identity.encode()).hexdigest()[:8] ++ aws_user_hash = hashlib.md5(user_identity.encode(), ++ usedforsecurity=False).hexdigest()[:8] + except (exceptions.CloudUserIdentityError, ImportError): + # If failed to get user identity, or import aws dependencies, we use the + # latest mapping file or the default mapping file. +diff --git a/sky/catalog/common.py b/sky/catalog/common.py +index 00829871e53..a0397e6301f 100644 +--- a/sky/catalog/common.py ++++ b/sky/catalog/common.py +@@ -291,7 +291,9 @@ def _update_catalog(): + tmp_path = f.name + os.rename(tmp_path, catalog_path) + with open(meta_path + '.md5', 'w', encoding='utf-8') as f: +- f.write(hashlib.md5(r.text.encode()).hexdigest()) ++ f.write( ++ hashlib.md5(r.text.encode(), ++ usedforsecurity=False).hexdigest()) + logger.debug(f'Updated {cloud} catalog {filename}.') + return True + +diff --git a/sky/clouds/aws.py b/sky/clouds/aws.py +index af4ca56e911..06607e0d802 100644 +--- a/sky/clouds/aws.py ++++ b/sky/clouds/aws.py +@@ -1347,7 +1347,7 @@ def get_user_identities(cls) -> Optional[List[List[str]]]: + # - aws credentials are not set, proceed anyway to get unified error + # message for users + return cls._sts_get_caller_identity() +- config_hash = hashlib.md5(stdout).hexdigest()[:8] ++ config_hash = hashlib.md5(stdout, usedforsecurity=False).hexdigest()[:8] + # Getting aws identity cost ~1s, so we cache the result with the output of + # `aws configure list` as cache key. Different `aws configure list` output + # can have same aws identity, our assumption is the output would be stable +diff --git a/sky/data/mounting_utils.py b/sky/data/mounting_utils.py +index f49a8db097f..6b97b2d6ef0 100644 +--- a/sky/data/mounting_utils.py ++++ b/sky/data/mounting_utils.py +@@ -714,7 +714,8 @@ def get_mount_cached_cmd( + # This is because the full path may be longer than + # the filename length limit. + # The hash is a non-negative integer in string form. +- hashed_mount_path = hashlib.md5(mount_path.encode()).hexdigest() ++ hashed_mount_path = hashlib.md5(mount_path.encode(), ++ usedforsecurity=False).hexdigest() + log_file_path = os.path.join(constants.RCLONE_MOUNT_CACHED_LOG_DIR, + f'{hashed_mount_path}.log') + create_log_cmd = (f'mkdir -p {constants.RCLONE_MOUNT_CACHED_LOG_DIR} && ' +diff --git a/sky/data/storage.py b/sky/data/storage.py +index 022fc471f41..13e068c5be5 100644 +--- a/sky/data/storage.py ++++ b/sky/data/storage.py +@@ -3367,10 +3367,12 @@ def get_default_storage_account_name(region: Optional[str]) -> str: + """ + assert region is not None + subscription_id = azure.get_subscription_id() +- subscription_hash_obj = hashlib.md5(subscription_id.encode('utf-8')) ++ subscription_hash_obj = hashlib.md5(subscription_id.encode('utf-8'), ++ usedforsecurity=False) + subscription_hash = subscription_hash_obj.hexdigest( + )[:AzureBlobStore._SUBSCRIPTION_HASH_LENGTH] +- region_hash_obj = hashlib.md5(region.encode('utf-8')) ++ region_hash_obj = hashlib.md5(region.encode('utf-8'), ++ usedforsecurity=False) + region_hash = region_hash_obj.hexdigest()[:AzureBlobStore. + _REGION_HASH_LENGTH] + +diff --git a/sky/provision/azure/config.py b/sky/provision/azure/config.py +index 2dbf115807f..074bc801c3e 100644 +--- a/sky/provision/azure/config.py ++++ b/sky/provision/azure/config.py +@@ -44,7 +44,7 @@ def get_azure_sdk_function(client: Any, function_name: str) -> Callable: + + def get_cluster_id_and_nsg_name(resource_group: str, + cluster_name_on_cloud: str) -> Tuple[str, str]: +- hasher = hashlib.md5(resource_group.encode('utf-8')) ++ hasher = hashlib.md5(resource_group.encode('utf-8'), usedforsecurity=False) + unique_id = hasher.hexdigest()[:UNIQUE_ID_LEN] + # We use the cluster name + resource group hash as the + # unique ID for the cluster, as we need to make sure that +diff --git a/sky/provision/kubernetes/utils.py b/sky/provision/kubernetes/utils.py +index 1ec32ffb095..e3478c45608 100644 +--- a/sky/provision/kubernetes/utils.py ++++ b/sky/provision/kubernetes/utils.py +@@ -5085,7 +5085,8 @@ def format_kubeconfig_exec_auth_with_cache(kubeconfig_path: str) -> str: + with open(kubeconfig_path, 'r', encoding='utf-8') as file: + config = yaml_utils.safe_load(file) + normalized = yaml.dump(config, sort_keys=True) +- hashed = hashlib.sha1(normalized.encode('utf-8')).hexdigest() ++ hashed = hashlib.sha1(normalized.encode('utf-8'), ++ usedforsecurity=False).hexdigest() + path = os.path.expanduser( + f'{kubernetes_constants.SKY_K8S_EXEC_AUTH_KUBECONFIG_CACHE}/{hashed}.yaml' + ) +diff --git a/sky/provision/scp/instance.py b/sky/provision/scp/instance.py +index 9aae05c9196..5a03c308e3f 100644 +--- a/sky/provision/scp/instance.py ++++ b/sky/provision/scp/instance.py +@@ -223,7 +223,7 @@ def _worker(cluster_name_on_cloud: str): + + + def _suffix(name: str, n: int = 5): +- return hashlib.sha1(name.encode()).hexdigest()[:n] ++ return hashlib.sha1(name.encode(), usedforsecurity=False).hexdigest()[:n] + + + def _get_instance_id(instance_name, cluster_name_on_cloud): +diff --git a/sky/server/auth/oauth2_proxy.py b/sky/server/auth/oauth2_proxy.py +index dece4792fa9..7d117642cf7 100644 +--- a/sky/server/auth/oauth2_proxy.py ++++ b/sky/server/auth/oauth2_proxy.py +@@ -204,8 +204,11 @@ def get_auth_user( + """Extract user info from OAuth2 proxy response headers.""" + email_header = response.headers.get('X-Auth-Request-Email') + if email_header: +- user_hash = hashlib.md5(email_header.encode()).hexdigest( +- )[:common_utils.USER_HASH_LENGTH] ++ # MD5 only derives a stable user id from the (non-secret) SSO ++ # email; auth itself is done by oauth2-proxy. Not a security use. ++ email_hash = hashlib.md5(email_header.encode(), ++ usedforsecurity=False).hexdigest() ++ user_hash = email_hash[:common_utils.USER_HASH_LENGTH] + return models.User(id=user_hash, + name=email_header, + user_type=models.UserType.SSO.value) +diff --git a/sky/server/server.py b/sky/server/server.py +index 4ec8ce1a86d..995ef89764c 100644 +--- a/sky/server/server.py ++++ b/sky/server/server.py +@@ -282,8 +282,11 @@ def _extract_user_from_header( + if not user_name: + return None + ++ # MD5 only derives a stable user id from the (non-secret) user name; ++ # not a security use. + user_hash = hashlib.md5( +- user_name.encode()).hexdigest()[:common_utils.USER_HASH_LENGTH] ++ user_name.encode(), ++ usedforsecurity=False).hexdigest()[:common_utils.USER_HASH_LENGTH] + if proxy_config.enabled: + return models.User(id=user_hash, + name=user_name, +diff --git a/sky/users/permission.py b/sky/users/permission.py +index 82fb2877e50..a07be1c9b05 100644 +--- a/sky/users/permission.py ++++ b/sky/users/permission.py +@@ -182,8 +182,10 @@ def _maybe_initialize_basic_auth_user(self) -> None: + return + username, password = basic_auth.split(':', 1) + if username and password: +- user_hash = hashlib.md5( +- username.encode()).hexdigest()[:common_utils.USER_HASH_LENGTH] ++ # MD5 only derives a stable user id from the (non-secret) ++ # username; the password is checked separately. Not a security use. ++ user_hash = hashlib.md5(username.encode(), usedforsecurity=False ++ ).hexdigest()[:common_utils.USER_HASH_LENGTH] + user_info = global_user_state.get_user(user_hash) + if user_info: + logger.debug(f'Basic auth user {username} already exists') +diff --git a/sky/users/server.py b/sky/users/server.py +index 7cd42ee1726..8258702a2ff 100644 +--- a/sky/users/server.py ++++ b/sky/users/server.py +@@ -287,8 +287,12 @@ def user_create(user_create_body: payloads.UserCreateBody) -> None: + + # Create user + password_hash = server_common.crypt_ctx.hash(password) ++ # MD5 here only derives a stable user identifier from the (non-secret) ++ # username; it is not used for any security purpose (passwords use bcrypt ++ # via crypt_ctx). + user_hash = hashlib.md5( +- username.encode()).hexdigest()[:common_utils.USER_HASH_LENGTH] ++ username.encode(), ++ usedforsecurity=False).hexdigest()[:common_utils.USER_HASH_LENGTH] + with _user_lock(user_hash): + # Check if user already exists + if global_user_state.get_user_by_name(username): +@@ -627,8 +631,11 @@ def user_import(user_import_body: payloads.UserImportBody) -> Dict[str, Any]: + # Password is plain text, hash it + password_hash = server_common.crypt_ctx.hash(password) + +- user_hash = hashlib.md5( +- username.encode()).hexdigest()[:common_utils.USER_HASH_LENGTH] ++ # MD5 only derives a stable user identifier from the (non-secret) ++ # username; not a security use (passwords use bcrypt via crypt_ctx). ++ user_hash = hashlib.md5(username.encode(), ++ usedforsecurity=False).hexdigest() ++ user_hash = user_hash[:common_utils.USER_HASH_LENGTH] + + with _user_lock(user_hash): + global_user_state.add_or_update_user( +diff --git a/sky/utils/command_runner.py b/sky/utils/command_runner.py +index 344a65eb789..44f981ac520 100644 +--- a/sky/utils/command_runner.py ++++ b/sky/utils/command_runner.py +@@ -875,8 +875,8 @@ def git_clone( + raise exceptions.CommandError(1, '', error_msg, None) + + # Remote script path (use a unique name to avoid conflicts) +- script_hash = hashlib.md5( +- f'{self.node_id}_{target_dir}'.encode()).hexdigest()[:8] ++ script_hash = hashlib.md5(f'{self.node_id}_{target_dir}'.encode(), ++ usedforsecurity=False).hexdigest()[:8] + remote_script_path = f'/tmp/sky_git_clone_{script_hash}.sh' + + # Step 1: Transfer the script to remote machine using rsync +@@ -992,7 +992,8 @@ def __init__( + self.ssh_private_key = ssh_private_key + self.ssh_control_name = ( + None if ssh_control_name is None else hashlib.md5( +- ssh_control_name.encode()).hexdigest()[:_HASH_MAX_LENGTH]) ++ ssh_control_name.encode(), ++ usedforsecurity=False).hexdigest()[:_HASH_MAX_LENGTH]) + self._ssh_proxy_command = ssh_proxy_command + self._ssh_proxy_jump = ssh_proxy_jump + self.disable_control_master = ( +diff --git a/sky/utils/common_utils.py b/sky/utils/common_utils.py +index 027a59d5bca..71e7034f6a7 100644 +--- a/sky/utils/common_utils.py ++++ b/sky/utils/common_utils.py +@@ -91,7 +91,10 @@ def is_valid_user_hash(user_hash: Optional[str]) -> bool: + def generate_user_hash() -> str: + """Generates a unique user-machine specific hash.""" + hash_str = user_and_hostname_hash() +- user_hash = hashlib.md5(hash_str.encode()).hexdigest()[:USER_HASH_LENGTH] ++ # MD5 only derives a stable machine-specific identifier, not a security ++ # use. ++ user_hash = hashlib.md5( ++ hash_str.encode(), usedforsecurity=False).hexdigest()[:USER_HASH_LENGTH] + if not is_valid_user_hash(user_hash): + # A fallback in case the hash is invalid. + user_hash = uuid.uuid4().hex[:USER_HASH_LENGTH] +@@ -297,7 +300,9 @@ def make_cluster_name_on_cloud(display_name: str, + if truncate_cluster_name.endswith('-'): + truncate_cluster_name = truncate_cluster_name.rstrip('-') + assert truncate_cluster_name_length > 0, (cluster_name_on_cloud, max_length) +- display_name_hash = hashlib.md5(display_name.encode()).hexdigest() ++ # MD5 only derives a short suffix for the cluster name, not a security use. ++ display_name_hash = hashlib.md5(display_name.encode(), ++ usedforsecurity=False).hexdigest() + # Use base36 to reduce the length of the hash. + display_name_hash = base36_encode(display_name_hash) + return (f'{truncate_cluster_name}' +@@ -650,7 +655,9 @@ def user_and_hostname_hash() -> str: + The reason is AWS security group names are derived from this string, and + thus changing the SG name makes these clusters unrecognizable. + """ +- hostname_hash = hashlib.md5(socket.gethostname().encode()).hexdigest()[-4:] ++ # MD5 only derives a short hostname suffix, not a security use. ++ hostname_hash = hashlib.md5(socket.gethostname().encode(), ++ usedforsecurity=False).hexdigest()[-4:] + return f'{getpass.getuser()}-{hostname_hash}' + + +diff --git a/sky/utils/kubernetes/gpu_labeler.py b/sky/utils/kubernetes/gpu_labeler.py +index 227847cd50c..5de797139f9 100644 +--- a/sky/utils/kubernetes/gpu_labeler.py ++++ b/sky/utils/kubernetes/gpu_labeler.py +@@ -71,7 +71,8 @@ def cleanup(context: Optional[str] = None) -> Tuple[bool, str]: + + def get_node_hash(node_name: str): + # Generates a 32 character md5 hash from a string +- md5_hash = hashlib.md5(node_name.encode()).hexdigest() ++ md5_hash = hashlib.md5(node_name.encode(), ++ usedforsecurity=False).hexdigest() + return md5_hash[:32] + + diff --git a/pkgs/by-name/sk/skypilot/package.nix b/pkgs/by-name/sk/skypilot/package.nix index fe2dfc14dbe9..71df3b03526f 100644 --- a/pkgs/by-name/sk/skypilot/package.nix +++ b/pkgs/by-name/sk/skypilot/package.nix @@ -38,6 +38,8 @@ python3Packages.buildPythonApplication (finalAttrs: { patches = [ ./0001-Fix-docker-flag-default-for-Click-8.2-compatibility.patch ./0002-Fix-websocket-proxy-call-script-directly-as-executable.patch + # https://github.com/skypilot-org/skypilot/pull/9972 + ./CVE-2026-13482.patch ]; nativeBuildInputs = [ diff --git a/pkgs/by-name/vi/vivaldi/package.nix b/pkgs/by-name/vi/vivaldi/package.nix index de2af51620bc..f1f08fc50e47 100644 --- a/pkgs/by-name/vi/vivaldi/package.nix +++ b/pkgs/by-name/vi/vivaldi/package.nix @@ -67,7 +67,7 @@ stdenv.mkDerivation rec { pname = "vivaldi"; - version = "8.0.4033.50"; + version = "8.0.4033.54"; suffix = { @@ -80,8 +80,8 @@ stdenv.mkDerivation rec { url = "https://downloads.vivaldi.com/stable/vivaldi-stable_${version}-1_${suffix}.deb"; hash = { - aarch64-linux = "sha256-5n5+DY03lRDKLWX/WPX17Wg7IeTl4MDKEWOZEYHaPDE="; - x86_64-linux = "sha256-IVytlw5NzxV1TwLHeX81AgWEHHVzksVC3a0S/WuWEaA="; + aarch64-linux = "sha256-i2FAMp3MFsnXTjQoF4Y/BuB6j+x3ugfsu0ePGI/h5Po="; + x86_64-linux = "sha256-a4ZLX/DpygZgPPjt4BQxTuRbFoPmNuRgdZFiI6UclQI="; } .${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}"); }; diff --git a/pkgs/by-name/xl/xlights/package.nix b/pkgs/by-name/xl/xlights/package.nix index 547ea042748a..450c28ea209e 100644 --- a/pkgs/by-name/xl/xlights/package.nix +++ b/pkgs/by-name/xl/xlights/package.nix @@ -13,6 +13,16 @@ appimageTools.wrapType2 rec { hash = "sha256-kTJD2xeclNApeSo1ALNI/XAwDY8tsBO0eMMQurtRF/M="; }; + appimageContents = appimageTools.extract { inherit pname version src; }; + + extraInstallCommands = '' + install -m 444 -D ${appimageContents}/xlights.desktop $out/share/applications/xlights.desktop + install -m 444 -D ${appimageContents}/usr/share/icons/hicolor/256x256/apps/xlights.png \ + $out/share/icons/hicolor/256x256/apps/xlights.png + substituteInPlace $out/share/applications/xlights.desktop \ + --replace-fail 'Exec=xLights' 'Exec=xlights' + ''; + meta = { description = "Sequencer for lights with USB and E1.31 drivers"; homepage = "https://xlights.org"; diff --git a/pkgs/development/python-modules/free-proxy/default.nix b/pkgs/development/python-modules/free-proxy/default.nix index c315076b09c5..349d006b710c 100644 --- a/pkgs/development/python-modules/free-proxy/default.nix +++ b/pkgs/development/python-modules/free-proxy/default.nix @@ -10,14 +10,14 @@ buildPythonPackage rec { pname = "free-proxy"; - version = "1.1.3"; + version = "1.2.1"; pyproject = true; src = fetchFromGitHub { owner = "jundymek"; repo = "free-proxy"; tag = "v${version}"; - hash = "sha256-8SxKGGifQTU0CUrtUQUtrmeq+Do4GIqNUWAdCt++eUA="; + hash = "sha256-Q8102tnssVnIYEP9fBOBFSSsZqTGGulalyAkvnlp3UY="; }; build-system = [ setuptools ]; diff --git a/pkgs/development/python-modules/pyanglianwater/default.nix b/pkgs/development/python-modules/pyanglianwater/default.nix index abc7172cb4cd..311e81b2f1a6 100644 --- a/pkgs/development/python-modules/pyanglianwater/default.nix +++ b/pkgs/development/python-modules/pyanglianwater/default.nix @@ -12,14 +12,14 @@ buildPythonPackage rec { pname = "pyanglianwater"; - version = "3.2.2"; + version = "3.2.3"; pyproject = true; src = fetchFromGitHub { owner = "pantherale0"; repo = "pyanglianwater"; tag = version; - hash = "sha256-u1s/XsNN6AuTzj0jLE7us1Mmoe8r+VuCl0khS5BRxkQ="; + hash = "sha256-hXHkRiKnv59TW1Wr2aJcMvW65SQbkfSokGjh9AvmN3s="; }; build-system = [ setuptools ]; diff --git a/pkgs/development/python-modules/reolink-aio/default.nix b/pkgs/development/python-modules/reolink-aio/default.nix index d384a522147e..6efd2ecd025f 100644 --- a/pkgs/development/python-modules/reolink-aio/default.nix +++ b/pkgs/development/python-modules/reolink-aio/default.nix @@ -12,14 +12,14 @@ buildPythonPackage (finalAttrs: { pname = "reolink-aio"; - version = "0.21.1"; + version = "0.21.3"; pyproject = true; src = fetchFromGitHub { owner = "starkillerOG"; repo = "reolink_aio"; tag = finalAttrs.version; - hash = "sha256-Rq+fciIG3W0X+2zHSsI23pHbkr+A3flu3E6VbTEeKnI="; + hash = "sha256-XL6Z+1dr35XgMczUcxp4v3ejBcdgWkhUOISFA4lpjU4="; }; build-system = [ setuptools ]; diff --git a/pkgs/development/python-modules/rich-rst/default.nix b/pkgs/development/python-modules/rich-rst/default.nix index 457138c5e226..15750beec57c 100644 --- a/pkgs/development/python-modules/rich-rst/default.nix +++ b/pkgs/development/python-modules/rich-rst/default.nix @@ -1,33 +1,31 @@ { lib, buildPythonPackage, - docutils, fetchFromGitHub, + pygments, pytestCheckHook, rich, - setuptools-scm, setuptools, }: buildPythonPackage (finalAttrs: { pname = "rich-rst"; - version = "2.0.1"; + version = "2.0.2"; pyproject = true; src = fetchFromGitHub { owner = "wasi-master"; repo = "rich-rst"; tag = "v${finalAttrs.version}"; - hash = "sha256-7nniBu9UnXA0pogv0TDkANTeOcsVYbyDxEr6/r7MxcY="; + hash = "sha256-M4ngZNYPasEqqfRay8aGHDII+LkwLhBp5kF9ryJ5LwQ="; }; build-system = [ setuptools - setuptools-scm ]; dependencies = [ - docutils + pygments rich ]; diff --git a/pkgs/development/python-modules/simplisafe-python/default.nix b/pkgs/development/python-modules/simplisafe-python/default.nix index 27b021ff8fb1..03cf12a85c32 100644 --- a/pkgs/development/python-modules/simplisafe-python/default.nix +++ b/pkgs/development/python-modules/simplisafe-python/default.nix @@ -18,21 +18,21 @@ websockets, }: -buildPythonPackage rec { +buildPythonPackage (finalAttrs: { pname = "simplisafe-python"; - version = "2024.01.0"; + version = "2026.06.0"; pyproject = true; src = fetchFromGitHub { owner = "bachya"; repo = "simplisafe-python"; - tag = version; - hash = "sha256-ewbR2FI0t2F8HF0ZL5omsclB9OPAjHygGLPtSkVlvgM="; + tag = finalAttrs.version; + hash = "sha256-e59h4zX0AuzNlR1sovw4QJ6zXxksElY5emEM9eTfjwI="; }; - nativeBuildInputs = [ poetry-core ]; + build-system = [ poetry-core ]; - propagatedBuildInputs = [ + dependencies = [ aiohttp backoff beautifulsoup4 @@ -69,10 +69,10 @@ buildPythonPackage rec { __darwinAllowLocalNetworking = true; meta = { - changelog = "https://github.com/bachya/simplisafe-python/releases/tag/${version}"; description = "Python library the SimpliSafe API"; homepage = "https://simplisafe-python.readthedocs.io/"; - license = with lib.licenses; [ mit ]; + changelog = "https://github.com/bachya/simplisafe-python/releases/tag/${finalAttrs.src.tag}"; + license = lib.licenses.mit; maintainers = with lib.maintainers; [ fab ]; }; -} +}) diff --git a/pkgs/os-specific/linux/batman-adv/version.nix b/pkgs/os-specific/linux/batman-adv/version.nix index e12da2673ae4..8f05cf345198 100644 --- a/pkgs/os-specific/linux/batman-adv/version.nix +++ b/pkgs/os-specific/linux/batman-adv/version.nix @@ -1,14 +1,14 @@ { - version = "2026.1"; + version = "2026.2"; # To get these, run: # # ``` - # for tool in alfred batctl batman-adv; do nix-prefetch-url https://downloads.open-mesh.org/batman/releases/batman-adv-2026.1/$tool-2026.1.tar.gz --type sha256 | xargs nix --extra-experimental-features nix-command hash convert --hash-algo sha256 --to sri; done + # for tool in alfred batctl batman-adv; do nix-prefetch-url https://downloads.open-mesh.org/batman/releases/batman-adv-2026.2/$tool-2026.2.tar.gz --type sha256 | xargs nix --extra-experimental-features nix-command hash convert --hash-algo sha256 --to sri; done # ``` sha256 = { - alfred = "sha256-Rd+8uKfLuq7j4SYHpGYB3YbOUiUHJTXptJ2kC78CtIk="; - batctl = "sha256-hEQWhsHUTtV6Vg8qC+n4brksMQ8iqqSgCTPrbIk2CHo="; - batman-adv = "sha256-ZIfdO0rQ+FUQ3tu6M1/nexuHfQ53OTxR3coHp0Ubj0U="; + alfred = "sha256-2ZV0i+X2KkIJFSXMwQLfWsZCGG6bkBRpipVaRGm2m5Y="; + batctl = "sha256-wdWAr7Bm0xZcI5tnQwuUxpkyYZwGqQsSlegoy1CBsSI="; + batman-adv = "sha256-Thf87SyAlF4iYJvodTRIFzP/G10XBQ3k5PMjwXFBgTU="; }; } diff --git a/pkgs/servers/home-assistant/custom-components/blueprints-updater/package.nix b/pkgs/servers/home-assistant/custom-components/blueprints-updater/package.nix index 31d0bf0b2d4b..7bc24178269c 100644 --- a/pkgs/servers/home-assistant/custom-components/blueprints-updater/package.nix +++ b/pkgs/servers/home-assistant/custom-components/blueprints-updater/package.nix @@ -13,13 +13,13 @@ buildHomeAssistantComponent rec { owner = "luuquangvu"; domain = "blueprints_updater"; - version = "2.9.0"; + version = "2.9.1"; src = fetchFromGitHub { inherit owner; repo = "blueprints-updater"; tag = version; - hash = "sha256-zIkK7ZhUC8fPycWJqXP706XbOdhVlNAOwZBTYTII3dE="; + hash = "sha256-OGQ6lE14w84C88QJv5w+mNBGg7gbCtqb9nde47FkL6A="; }; patches = [