Merge staging-next into staging

This commit is contained in:
nixpkgs-ci[bot] 2026-05-08 12:30:53 +00:00 committed by GitHub
commit dd91387877
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 69 additions and 14 deletions

View file

@ -249,6 +249,8 @@
- Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.
- The `services.avahi.wideArea` option now defaults to `false` as a mitigation against [`CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`](https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g).
- `coreth` has been removed, as upstream has moved it into `avalanchego`.
- `nodePackages.prebuild-install` was removed because it appeared to be unmaintained upstream.

View file

@ -141,7 +141,6 @@ in
systemd.packages = [ cfg.package ];
services.dbus.packages = [ cfg.package ];
services.udev.packages = [ cfg.package ];
services.supergfxd.enable = lib.mkDefault true;
};
meta.maintainers = pkgs.asusctl.meta.maintainers;

View file

@ -155,8 +155,12 @@ in
wideArea = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Whether to enable wide-area service discovery.";
default = false;
description = ''
Whether to enable wide-area service discovery.
It is recommended to keep this options disabled as it exposes the system to `CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`.
'';
};
reflector = lib.mkOption {
@ -279,6 +283,10 @@ in
};
config = lib.mkIf cfg.enable {
warnings = [
(lib.mkIf cfg.wideArea "Enabling `services.avahi.wideArea` exposes this system to `CVE-2024-52615`.")
];
users.users.avahi = {
description = "avahi-daemon privilege separation user";
home = "/var/empty";

View file

@ -200,8 +200,8 @@ rec {
mkTerraform = attrs: pluggable (generic attrs);
terraform_1 = mkTerraform {
version = "1.15.0";
hash = "sha256-cKgZFCPLusXXSjcff/PmKGIdSm3wRY1DpduXBRrgcDc=";
version = "1.15.2";
hash = "sha256-jwmyZJHGfi2oO8FBebPKBQdXt61w02H6zbbqSXxMhMM=";
vendorHash = "sha256-Gv6V5aXqTuQoG1StbD/7Ln2QrLpMsW6fbUJUkyZMkvk=";
patches = [ ./provider-path-0_15.patch ];
passthru = {

View file

@ -140,6 +140,44 @@ stdenv.mkDerivation rec {
url = "https://github.com/avahi/avahi/commit/366e3798bdbd6b7bf24e59379f4a9a51af575ce9.patch";
hash = "sha256-9AdhtzrimmcpMmeyiFcjmDfG5nqr/S8cxWTaM1mzCWA=";
})
# https://github.com/avahi/avahi/pull/662 merged 2025-06-19
# NOTE: CVE-2024-52615 is mitigated by the default NixOS configuration.
# NOTE: CVE-2025-59529 is introduced by 4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942.
/*
(fetchpatch {
name = "CVE-2024-52615.patch"; # AKA GHSA-x6vp-f33h-h32g
url = "https://github.com/avahi/avahi/commit/4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942.patch";
hash = "sha256-rW6jmKg9oH44rRZow0zE4z6lfTlD8wpFUC8DaI/gruA=";
})
*/
# https://github.com/avahi/avahi/pull/806 merged 2025-12-17
(fetchpatch {
name = "CVE-2025-68276.patch"; # AKA GHSA-mhf3-865v-g5rc
url = "https://github.com/avahi/avahi/commit/0c013e2e819be3bda74cecf48b5f64956cf8a760.patch";
hash = "sha256-kNOwl2DC2FR7CFvPQBBEYaSUSbFnR/ETH9JNGMwzzLE=";
})
(fetchpatch {
name = "CVE-2025-68468.patch"; # AKA GHSA-cp79-r4x9-vf52
url = "https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a.patch";
hash = "sha256-HkbKSN2LYqPfVnij1/n6ToN4vKugex3ZPxjHz6pN8eA=";
})
(fetchpatch {
name = "CVE-2025-68471.patch"; # AKA GHSA-56rf-42xr-qmmg
url = "https://github.com/avahi/avahi/commit/9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1.patch";
hash = "sha256-V0OiC0UkZXhUnOUcrPZ+Xvph7MJMQ9DEXgVafoshSi4=";
})
(fetchpatch {
name = "CVE-2026-24401.patch"; # AKA GHSA-h4vp-5m8j-f6w3
url = "https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524.patch";
hash = "sha256-Iq7ghHS8gTJ5OeD6Bemis+wPJzKXb2P44qbtTaAaWZI=";
})
# https://github.com/avahi/avahi/pull/891 merged 2026-04-01
(fetchpatch {
name = "CVE-2026-34933.patch"; # AKA GHSA-w65r-6gxh-vhvc
url = "https://github.com/avahi/avahi/compare/0ccadca425af151ebb67f276e5cc88e50266a8e6%5E%5E...0ccadca425af151ebb67f276e5cc88e50266a8e6.patch";
hash = "sha256-yi40iuQmTAW+nLsOIJhh7kg4vG/lqT/PCaSEBPfF2mw=";
})
];
depsBuildBuild = [
@ -243,5 +281,10 @@ stdenv.mkDerivation rec {
DNS") and DNS-SD (for "DNS-Based Service Discovery")
protocols.
'';
knownVulnerabilities = [
# NOTE: CVE-2024-52615 mitigated by the default NixOS configuration.
# "CVE-2024-52615: Avahi Wide-Area DNS Uses Constant Source Port"
];
};
}

View file

@ -7,13 +7,13 @@
buildGoModule (finalAttrs: {
pname = "grpc-health-probe";
version = "0.4.48";
version = "0.4.49";
src = fetchFromGitHub {
owner = "grpc-ecosystem";
repo = "grpc-health-probe";
rev = "v${finalAttrs.version}";
hash = "sha256-W5B14om0oAKEm8XP5vYJzHv2Mplfv+2VapsvOnS0wTY=";
hash = "sha256-JH4Km8nlUffkga7oKgXXwqRYm/8oG9giLCFn1BZ1eVY=";
};
tags = [
@ -25,7 +25,7 @@ buildGoModule (finalAttrs: {
"-X main.versionTag=${finalAttrs.version}"
];
vendorHash = "sha256-3Ucro8FHOiSFHqGB2jwLshhzbkRdkZnJJFbNyuDX2QY=";
vendorHash = "sha256-97OFqr93G/6F58nF1riGFbCOtORPojMMU4IX9ivjSxg=";
nativeInstallCheckInputs = [
versionCheckHook

View file

@ -22,10 +22,13 @@
xcbuild,
zip,
electron,
electron_39,
git,
}:
let
electron = electron_39;
in
stdenv.mkDerivation (finalAttrs: {
pname = "logseq";
version = "0.10.15";

View file

@ -37,7 +37,7 @@ let
in
python3Packages.buildPythonApplication (finalAttrs: {
pname = "mistral-vibe";
version = "2.9.4";
version = "2.9.5";
pyproject = true;
__structuredAttrs = true;
@ -45,7 +45,7 @@ python3Packages.buildPythonApplication (finalAttrs: {
owner = "mistralai";
repo = "mistral-vibe";
tag = "v${finalAttrs.version}";
hash = "sha256-TOA1ybK41f3+/I5gCaPlAd3yo9N399l6JumWnATbS00=";
hash = "sha256-NiW4VZyQerFhDEDXOOTNzOpsPnZvoyxJWMfg9hHJJ8c=";
};
build-system = with python3Packages; [

View file

@ -15,7 +15,7 @@
setuptools,
}:
let
version = "0.5.12";
version = "0.5.13";
in
buildPythonPackage {
pname = "pdf2docx";
@ -26,7 +26,7 @@ buildPythonPackage {
owner = "ArtifexSoftware";
repo = "pdf2docx";
tag = "v${version}";
hash = "sha256-fn5MnuLCmqjl99Xvs9THwerkIyUeXwPQmn+znvWtgUE=";
hash = "sha256-GZ7aUTSGSly21lMiUOXc6Y8h9WY2zQQxF5M11PwTtCA=";
};
build-system = [

View file

@ -28,7 +28,7 @@
}:
buildPythonPackage (finalAttrs: {
pname = "pgmpy";
version = "1.1.0";
version = "1.1.2";
pyproject = true;
src = fetchFromGitHub {