Merge staging-next-25.11 into staging-25.11

ci/github-script/bot.js

@@ -483,7 +483,6 @@ module.exports = async ({ github, context, core, dry }) => {
           dry,
           pull_request,
           reviews,
-          events,
           // TODO: Use maintainer map instead of the artifact.
           user_maintainers: Object.keys(
             JSON.parse(

ci/github-script/reviewers.js

@@ -6,7 +6,6 @@ async function handleReviewers({
   dry,
   pull_request,
   reviews,
-  events,
   user_maintainers,
   team_maintainers,
   owners,
@@ -15,28 +14,20 @@ async function handleReviewers({
 }) {
   const pull_number = pull_request.number
 
-  // Users currently requested for review (pending).
-  const pending_users = new Set(
-    pull_request.requested_reviewers.map(({ login }) => login.toLowerCase()),
-  )
-  // Users who actually submitted a review in this PR (any state, including DISMISSED).
-  const users_engaged = new Set(
-    reviews.map(({ user }) => user.login.toLowerCase()),
-  )
-  // Users the PR has already reached: pending OR engaged.
-  const users_reached = pending_users.union(users_engaged)
+  // Users that the PR has already reached, e.g. they've left a review or have been requested for one
+  const users_reached = new Set([
+    ...pull_request.requested_reviewers.map(({ login }) => login.toLowerCase()),
+    ...reviews.map(({ user }) => user.login.toLowerCase()),
+  ])
   log('reviewers - users_reached', Array.from(users_reached).join(', '))
 
-  // Same for teams. A team is engaged only via `onBehalfOf` reviews.
-  const pending_teams = new Set(
-    pull_request.requested_teams.map(({ slug }) => slug.toLowerCase()),
-  )
-  const teams_engaged = new Set(
-    reviews.flatMap(({ onBehalfOf }) =>
+  // Same for teams
+  const teams_reached = new Set([
+    ...pull_request.requested_teams.map(({ slug }) => slug.toLowerCase()),
+    ...reviews.flatMap(({ onBehalfOf }) =>
       onBehalfOf.nodes.map(({ slug }) => slug.toLowerCase()),
     ),
-  )
-  const teams_reached = pending_teams.union(teams_engaged)
+  ])
   log('reviewers - teams_reached', Array.from(teams_reached).join(', '))
 
   // Early sanity check, before we start making any API requests. The list of maintainers
@@ -158,101 +149,37 @@ async function handleReviewers({
   )
   log('reviewers - teams_not_yet_reached', teams_not_yet_reached.join(', '))
 
-  // The usernames of bots that make review requests we may auto-revoke.
-  const revokable_requesters = ['github-actions[bot]', 'nixpkgs-ci[bot]']
-
-  // Find latest `review_requested` actor per reviewer / team.
-  const last_request_actor_for_user = new Map()
-  const last_request_actor_for_team = new Map()
-  for (const ev of events) {
-    if (ev.event !== 'review_requested') continue
-    if (ev.requested_reviewer?.login) {
-      last_request_actor_for_user.set(
-        ev.requested_reviewer.login.toLowerCase(),
-        ev.actor?.login ?? '',
-      )
-    }
-    if (ev.requested_team?.slug) {
-      last_request_actor_for_team.set(
-        ev.requested_team.slug.toLowerCase(),
-        ev.actor?.login ?? '',
-      )
-    }
-  }
-
-  // Pending requests no longer in the to_reach set, excluding the engaged
-  // and anything not requested by our own bot.
-  const users_to_remove = Array.from(
-    pending_users.difference(users_to_reach).difference(users_engaged),
-  ).filter((login) =>
-    revokable_requesters.includes(last_request_actor_for_user.get(login)),
-  )
-  log('reviewers - users_to_remove', users_to_remove.join(', '))
-
-  // Same for teams.
-  const teams_to_remove = Array.from(
-    pending_teams.difference(teams_to_reach).difference(teams_engaged),
-  ).filter((slug) =>
-    revokable_requesters.includes(last_request_actor_for_team.get(slug)),
-  )
-  log('reviewers - teams_to_remove', teams_to_remove.join(', '))
-
-  const has_adds =
-    users_not_yet_reached.length > 0 || teams_not_yet_reached.length > 0
-  const has_removals = users_to_remove.length > 0 || teams_to_remove.length > 0
-
-  if (!has_adds && !has_removals) {
+  if (
+    users_not_yet_reached.length === 0 &&
+    teams_not_yet_reached.length === 0
+  ) {
     log('Has reviewer changes', 'false (skipped)')
   } else if (dry) {
-    if (has_adds) {
-      core.info(
-        `Requesting user reviewers for #${pull_number}: ${users_not_yet_reached.join(', ')} (dry)`,
-      )
-      core.info(
-        `Requesting team reviewers for #${pull_number}: ${teams_not_yet_reached.join(', ')} (dry)`,
-      )
-    }
-    if (has_removals) {
-      core.info(
-        `Revoking stale reviewers for #${pull_number}: users=[${users_to_remove.join(', ')}], teams=[${teams_to_remove.join(', ')}] (dry)`,
-      )
-    }
+    core.info(
+      `Requesting user reviewers for #${pull_number}: ${users_not_yet_reached.join(', ')} (dry)`,
+    )
+    core.info(
+      `Requesting team reviewers for #${pull_number}: ${teams_not_yet_reached.join(', ')} (dry)`,
+    )
   } else {
     // We had tried the "request all reviewers at once" thing in the past, but it didn't work out:
     //   https://github.com/NixOS/nixpkgs/commit/034613f860fcd339bd2c20c8f6bc259a2f9dc034
     // If we're hitting API errors here again, we'll need to investigate - and possibly reverse
     // course.
-    // Add and remove sets are disjoint by construction. Parallel is safe.
-    await Promise.all(
-      [
-        has_adds &&
-          github.rest.pulls.requestReviewers({
-            ...context.repo,
-            pull_number,
-            reviewers: users_not_yet_reached,
-            team_reviewers: teams_not_yet_reached,
-          }),
-        has_removals &&
-          github.rest.pulls.removeRequestedReviewers({
-            ...context.repo,
-            pull_number,
-            reviewers: users_to_remove,
-            team_reviewers: teams_to_remove,
-          }),
-      ].filter(Boolean),
-    )
+    await github.rest.pulls.requestReviewers({
+      ...context.repo,
+      pull_number,
+      reviewers: users_not_yet_reached,
+      team_reviewers: teams_not_yet_reached,
+    })
   }
 
-  // Subtract the just-revoked so revoking the last pending reviewer flips the label.
-  const users_still_reached = users_reached.difference(new Set(users_to_remove))
-  const teams_still_reached = teams_reached.difference(new Set(teams_to_remove))
-
   // Return a boolean on whether the "needs: reviewers" label should be set.
   return (
     users_not_yet_reached.length === 0 &&
     teams_not_yet_reached.length === 0 &&
-    users_still_reached.size === 0 &&
-    teams_still_reached.size === 0
+    users_reached.size === 0 &&
+    teams_reached.size === 0
   )
 }
 

nixos/modules/services/scheduling/prefect.nix

@@ -174,7 +174,7 @@ in
           ProtectControlGroups = true;
           MemoryAccounting = true;
 
-          ExecStart = "${pkgs.prefect}/bin/prefect server start --host ${cfg.host} --port ${toString cfg.port}";
+          ExecStart = "${lib.getExe cfg.package} server start --host ${cfg.host} --port ${toString cfg.port}";
           Restart = "always";
           WorkingDirectory = cfg.dataDir;
         };
@@ -216,7 +216,7 @@ in
           ProtectControlGroups = true;
           MemoryAccounting = true;
           ExecStart = ''
-            ${pkgs.prefect}/bin/prefect worker start \
+            ${lib.getExe cfg.package} worker start \
               --pool ${poolName} \
               --type process \
               --install-policy ${poolCfg.installPolicy}

pkgs/applications/graphics/ImageMagick/6.x.nix

@@ -70,13 +70,13 @@ in
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "imagemagick";
-  version = "6.9.13-38";
+  version = "6.9.13-48";
 
   src = fetchFromGitHub {
     owner = "ImageMagick";
     repo = "ImageMagick6";
     rev = finalAttrs.version;
-    sha256 = "sha256-49o1jFFs7GrQMBvkoUvTmlI5TDnS1mVycghuaOfDrIc=";
+    sha256 = "sha256-c1u7eMq97eXhCZAXoDNrd6ix+wv4DSza7yu7KaG5fyg=";
   };
 
   outputs = [
@@ -134,7 +134,13 @@ stdenv.mkDerivation (finalAttrs: {
   ++ lib.optional libXtSupport libXt
   ++ lib.optional libwebpSupport libwebp;
 
-  doCheck = false; # fails 2 out of 76 tests
+  doCheck = true;
+
+  # One of the demo tests fail, but we don't want to disable all of
+  # the test suite.
+  postPatch = ''
+    substituteInPlace Makefile.in --replace "Magick++/demo/demos.tap" ""
+  '';
 
   postInstall = ''
     (cd "$dev/include" && ln -s ImageMagick* ImageMagick)
@@ -167,30 +173,10 @@ stdenv.mkDerivation (finalAttrs: {
     maintainers = [ ];
     license = lib.licenses.asl20;
     knownVulnerabilities = [
-      "CVE-2019-13136"
-      "CVE-2019-17547"
-      "CVE-2020-25663"
-      "CVE-2020-27768"
-      "CVE-2020-27769"
-      "CVE-2020-27829"
-      "CVE-2021-20243"
-      "CVE-2021-20244"
-      "CVE-2021-20310"
-      "CVE-2021-20311"
-      "CVE-2021-20312"
-      "CVE-2021-20313"
-      "CVE-2021-3596"
-      "CVE-2022-0284"
-      "CVE-2022-2719"
-      "CVE-2023-1289"
-      "CVE-2023-2157"
-      "CVE-2023-34151"
+      # This is only an issue with --enable-pipes. Upstream has
+      # rejected this as a security issue:
+      # https://github.com/ImageMagick/ImageMagick/issues/6339#issuecomment-1559698800
       "CVE-2023-34152"
-      "CVE-2023-34153"
-      "CVE-2023-3428"
-      "CVE-2023-34474"
-      "CVE-2023-34475"
-      "CVE-2023-5341"
     ];
   };
 })

pkgs/applications/networking/browsers/firefox/packages/firefox-esr-140.nix

@@ -9,11 +9,11 @@
 
 buildMozillaMach rec {
   pname = "firefox";
-  version = "140.10.2esr";
+  version = "140.11.0esr";
   applicationName = "Firefox ESR";
   src = fetchurl {
     url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
-    sha512 = "bda7d5e6d59a2ad310e3f3e6e8ec05c78222edce266671d5d454dfa3e8f0086add3b9c0099db907cb62b2587ed47026ba7b3aa4f0406693d142d8d91b818d551";
+    sha512 = "d06adb3ef4de1324e3d61872d70de31ab08ac013f33903549bed28c6ebcc5b4dee94bb36388282c1935d77d1a564079f3adbf08d6bb80284a899cbb3d861300c";
   };
 
   meta = {

pkgs/applications/networking/browsers/firefox/packages/firefox.nix

@@ -9,10 +9,10 @@
 
 buildMozillaMach rec {
   pname = "firefox";
-  version = "150.0.3";
+  version = "151.0";
   src = fetchurl {
     url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
-    sha512 = "8452da61200f8ee66790d3fff230ca84b2ac9291af2b57e018486c50f938c53c6fb4943fe6cfe1e99b9783466fb00bf707fa006293753ac698618fc1e3b70a4a";
+    sha512 = "5e6b01236c6aad17889c1d33614637a13e41d659c3306b2dadf13ab50d91a36d1269fae6d405d31351e4defe589f47f31c0798b66ad87438720f5779bcb90401";
   };
 
   meta = {

pkgs/by-name/as/asciinema-agg/package.nix

@@ -1,5 +1,6 @@
 {
   lib,
+  stdenv,
   rustPlatform,
   fetchFromGitHub,
   versionCheckHook,
@@ -7,25 +8,29 @@
 
 rustPlatform.buildRustPackage (finalAttrs: {
   pname = "agg";
-  version = "1.7.0";
+  version = "1.8.1";
 
   src = fetchFromGitHub {
     owner = "asciinema";
     repo = "agg";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-6UenPE6mmmvliaIuGdQj/FrlmoJvmBJgfo0hW+uRaxM=";
+    hash = "sha256-64VyCTGjzey6AHEAfk5V/Qoffe5+sDaDNve54M7tmf4=";
   };
 
   strictDeps = true;
 
-  cargoHash = "sha256-VpbjvrMhzS1zrcMNWBjTLda6o3ea2cwpnEDUouwyp8w=";
+  cargoHash = "sha256-/WS5nAFKnP/CsU5+Pf5rtNN4LWaXVjlidLzH7DWYds0=";
+
+  __impureHostDeps = lib.optionals stdenv.hostPlatform.isDarwin [
+    "/System/Library/Fonts"
+  ];
 
   doInstallCheck = true;
   nativeInstallCheckInputs = [ versionCheckHook ];
   versionCheckProgramArg = "--version";
 
   meta = {
-    description = "Command-line tool for generating animated GIF files from asciicast v2 files produced by asciinema terminal recorder";
+    description = "Command-line tool for generating animated GIF files from asciicast files produced by asciinema terminal recorder";
     homepage = "https://github.com/asciinema/agg";
     changelog = "https://github.com/asciinema/agg/releases/tag/${finalAttrs.src.tag}";
     license = lib.licenses.asl20;

pkgs/by-name/ci/cinny-desktop/package.nix

@@ -21,18 +21,18 @@
 rustPlatform.buildRustPackage (finalAttrs: {
   pname = "cinny-desktop";
   # We have to be using the same version as cinny-web or this isn't going to work.
-  version = "4.11.1";
+  version = "4.12.1";
 
   src = fetchFromGitHub {
     owner = "cinnyapp";
     repo = "cinny-desktop";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-/zHXlAqIxWN1obFO3H/eqFj38pjopF4D5ooz0YiVgD0=";
+    hash = "sha256-SRtnib5C9YlNOC1YgXZVFgO2dIHSmk+I20Ltf4XkJ6E=";
   };
 
   sourceRoot = "${finalAttrs.src.name}/src-tauri";
 
-  cargoHash = "sha256-bchjUTC0/hWPf/cOs+cxRbqho/B9LMJ3ChW530zEoXU=";
+  cargoHash = "sha256-x7rpnhTz454Ftolu4x50NSGKdg8NfenUwdhPY4a+lbA=";
 
   postPatch =
     let

pkgs/by-name/ci/cinny-unwrapped/package.nix

@@ -7,17 +7,17 @@
 buildNpmPackage (finalAttrs: {
   pname = "cinny-unwrapped";
   # Remember to update cinny-desktop when bumping this version.
-  version = "4.11.1";
+  version = "4.12.1";
 
   # nixpkgs-update: no auto update
   src = fetchFromGitHub {
     owner = "cinnyapp";
     repo = "cinny";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-dwI3zNey/ukF3t2fhH/ePf4o4iBDwZyLWMYebPgXmWU=";
+    hash = "sha256-s9nu6hYe0OvRcp8n2cOJnhEzIV+nyjnfwTrY477XDT8=";
   };
 
-  npmDepsHash = "sha256-27WFjb08p09aJRi0S2PvYq3bivEuG5+z2QhFahTSj4Q=";
+  npmDepsHash = "sha256-e37tSrqrEXGH2uInFAiikHNwJ13gXlG50SeYF/HO0z4=";
 
   # Skip rebuilding native modules since they're not needed for the web app
   npmRebuildFlags = [
@@ -38,6 +38,7 @@ buildNpmPackage (finalAttrs: {
     maintainers = with lib.maintainers; [
       abbe
       rebmit
+      ryand56
     ];
     license = lib.licenses.agpl3Only;
     platforms = lib.platforms.all;

pkgs/by-name/cl/cloud-hypervisor/package.nix

@@ -10,16 +10,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "cloud-hypervisor";
-  version = "50.2";
+  version = "52.0";
 
   src = fetchFromGitHub {
     owner = "cloud-hypervisor";
     repo = "cloud-hypervisor";
     rev = "v${version}";
-    hash = "sha256-UqagcomatsoSmmdFLg+hIguctiVTSasDVtXZFi8ILew=";
+    hash = "sha256-OGyvmedSaWPsyH6mdHhgXN7MvTnK1HzdfTKUhJRlq8I=";
   };
 
-  cargoHash = "sha256-FHBp7Aeq1qubkhrOPDbZ1LX12P7PrMVWIoS6DLy4mpU=";
+  cargoHash = "sha256-ZNj1H3Iq+IUSe0McHJjrwPOoR+YRB+rsSmZHMhXsHy0=";
 
   separateDebugInfo = true;
 
@@ -39,6 +39,12 @@ rustPlatform.buildRustPackage rec {
     "net_util" # /dev/net/tun
     "--exclude"
     "vmm" # /dev/kvm
+    "--"
+    # io_uring syscalls are blocked by the Lix sandbox
+    "--skip=io_uring"
+    "--skip=qcow_async::unit_tests::"
+    # fallocate(PUNCH_HOLE) reported size depends on the host filesystem
+    "--skip=test_query_device_size_sparse_file_punch_hole"
   ];
 
   meta = {

pkgs/by-name/dp/dprint/plugins/dprint-plugin-biome.nix

@@ -1,7 +1,7 @@
 { mkDprintPlugin }:
 mkDprintPlugin {
   description = "Biome (JS/TS/JSON) wrapper plugin";
-  hash = "sha256-ccPkzEV0Gtzi6iKq6oIREvIccEFvHec06XxoUWufDZc=";
+  hash = "sha256-k+o4eiLwzoCF6MPX0dEn/3modSwvFYFuzMe47cdJWo8=";
   initConfig = {
     configExcludes = [ "**/node_modules" ];
     configKey = "biome";
@@ -17,6 +17,6 @@ mkDprintPlugin {
   };
   pname = "dprint-plugin-biome";
   updateUrl = "https://plugins.dprint.dev/dprint/biome/latest.json";
-  url = "https://plugins.dprint.dev/biome-0.12.10.wasm";
-  version = "0.12.10";
+  url = "https://plugins.dprint.dev/biome-0.12.11.wasm";
+  version = "0.12.11";
 }

pkgs/by-name/fl/floorp-bin-unwrapped/sources.json

@@ -1,21 +1,21 @@
 {
-  "version": "12.13.0",
+  "version": "12.14.0",
   "sources": {
     "aarch64-linux": {
-      "url": "https://github.com/Floorp-Projects/Floorp/releases/download/v12.13.0/floorp-linux-aarch64.tar.xz",
-      "sha256": "bd5b59386fc3957f065bc13813c1b392055f629012c303c6fbc264e29ffe5b09"
+      "url": "https://github.com/Floorp-Projects/Floorp/releases/download/v12.14.0/floorp-linux-aarch64.tar.xz",
+      "sha256": "741303a83ba272b035ba850f24dcb21e7300ec1a79f03d93523f794187a5a615"
     },
     "x86_64-linux": {
-      "url": "https://github.com/Floorp-Projects/Floorp/releases/download/v12.13.0/floorp-linux-x86_64.tar.xz",
-      "sha256": "d6a360d900bcd754e8c14cc382aaa7c00147a2e2692c62e924dcff1d64f20638"
+      "url": "https://github.com/Floorp-Projects/Floorp/releases/download/v12.14.0/floorp-linux-x86_64.tar.xz",
+      "sha256": "0fc3b7f192c9ae1def3a160c68a2dee42c8a0277c1b48deede0bd1f2dc69e317"
     },
     "aarch64-darwin": {
-      "url": "https://github.com/Floorp-Projects/Floorp/releases/download/v12.13.0/floorp-macOS-universal.dmg",
-      "sha256": "0c848d1a65fbabf94e226cdfd9fae4915aa6357e9262608b30140ff221d43ad1"
+      "url": "https://github.com/Floorp-Projects/Floorp/releases/download/v12.14.0/floorp-macOS-universal.dmg",
+      "sha256": "494d1a9dcbedd3430290ccb672a174acdafeb056860071fb26ecc9bf45137e3a"
     },
     "x86_64-darwin": {
-      "url": "https://github.com/Floorp-Projects/Floorp/releases/download/v12.13.0/floorp-macOS-universal.dmg",
-      "sha256": "0c848d1a65fbabf94e226cdfd9fae4915aa6357e9262608b30140ff221d43ad1"
+      "url": "https://github.com/Floorp-Projects/Floorp/releases/download/v12.14.0/floorp-macOS-universal.dmg",
+      "sha256": "494d1a9dcbedd3430290ccb672a174acdafeb056860071fb26ecc9bf45137e3a"
     }
   }
 }

pkgs/by-name/ma/mailpit/package.nix

@@ -83,13 +83,15 @@ buildGoModule (finalAttrs: {
 
   passthru = {
     tests = {
-      inherit (nixosTests) mailpit;
       # cannot use versionCheckHook due to the extra --no-release-check flag
       # for workarounds and other solutions see https://github.com/NixOS/nixpkgs/pull/486143#discussion_r2754533347
       version = testers.testVersion {
         package = mailpit;
         command = "mailpit version --no-release-check";
       };
+    }
+    // lib.optionalAttrs (!stdenv.hostPlatform.isDarwin) {
+      inherit (nixosTests) mailpit;
     };
 
     updateScript = {

pkgs/by-name/ma/mailpit/source.nix

@@ -1,6 +1,6 @@
 {
-  version = "1.29.6";
-  hash = "sha256-jkWrh2pQ4LBQMTb3r1kgbSmYRBCWPXIVC8ywM5yYnQg=";
-  npmDepsHash = "sha256-vt28b02zDkrNWR4nTD2IH87gqGlhxxaF7L0N5jSS76k=";
-  vendorHash = "sha256-k07JTSQ67ZVOiCUkRRW9u6V+E75gtfKpZ6zNa4eHH/Y=";
+  version = "1.30.0";
+  hash = "sha256-lUynHDFfbX9BxwTdREbgAMil7S3+vwAl05myzMEWgGQ=";
+  npmDepsHash = "sha256-snWhjSy9au81bJZwjh/KVvchjEaJJ05HYhyh3V8/Y5g=";
+  vendorHash = "sha256-LMjS0YxRTvHZ8U10BOST/5Zthqhoi5OxngWWB+2CSeQ=";
 }

pkgs/by-name/ma/mattermost/package.nix

@@ -4,24 +4,31 @@
   stdenvNoCC,
   buildGoModule,
   fetchFromGitHub,
+  fetchpatch,
   buildNpmPackage,
+  nodejs,
   nix-update-script,
   npm-lockfile-fix,
   fetchNpmDeps,
   jq,
   nixosTests,
 
+  latestVersionInfo ? null,
   versionInfo ? {
-    # ESR releases only.
-    # See https://docs.mattermost.com/upgrade/extended-support-release.html
+    # ESR releases only. Note: if NixOS would release with an ESR that goes out
+    # of support during the lifetime of the NixOS release, it is acceptable
+    # to put the latest non-ESR release here if we change it to an ESR shortly after
+    # the NixOS release.
+    #
+    # See <https://docs.mattermost.com/upgrade/extended-support-release.html>.
     # When a new ESR version is available (e.g. 8.1.x -> 9.5.x), update
     # the version regex here as well.
     #
     # Ensure you also check ../mattermostLatest/package.nix.
     regex = "^v(10\\.11\\.[0-9]+)$";
-    version = "10.11.15";
-    srcHash = "sha256-b/hXZHYULl9nNJZT4GtKsaOfX8BEzz/v3Uy3EEbzN8U=";
-    vendorHash = "sha256-Z94d1eCIkuMG72Mlvk5su/99+4kJoaeHxaeZuk96Hlc=";
+    version = "10.11.17";
+    srcHash = "sha256-RS/Q3Q2UJjUuQQ8PaaLkVe00ixhZML2jBHeAq0/n/aA=";
+    vendorHash = "sha256-zngDxO3UCuB53PMpaE+ga8v2FL5l78BD2NmJsu+zZ00=";
     npmDepsHash = "sha256-p9dq31qw0EZDQIl2ysKE38JgDyLA6XvSv+VtHuRh+8A=";
     lockfileOverlay = ''
       unlock(.; "@floating-ui/react"; "channels/node_modules/@floating-ui/react")
@@ -85,16 +92,27 @@ let
         };
     in
     finalPassthru.withoutTests;
+
+  versionInfo' =
+    if
+      latestVersionInfo != null && lib.versionAtLeast latestVersionInfo.version versionInfo.version
+    then
+      # Prefer the latest if we're building mattermostLatest
+      latestVersionInfo
+    else
+      # Prefer the one we have
+      assert versionInfo != null;
+      versionInfo;
 in
 buildMattermost rec {
   pname = "mattermost";
-  inherit (versionInfo) version;
+  inherit (versionInfo') version;
 
   src = fetchFromGitHub {
     owner = "mattermost";
     repo = "mattermost";
     tag = "v${version}";
-    hash = versionInfo.srcHash;
+    hash = versionInfo'.srcHash;
     postFetch = ''
       cd $out/webapp
 
@@ -105,13 +123,13 @@ buildMattermost rec {
       ' < package-lock.json > package-lock.fixed.json
 
       # Run the lockfile overlay, if present.
-      ${lib.optionalString (versionInfo.lockfileOverlay or null != null) ''
+      ${lib.optionalString (versionInfo'.lockfileOverlay or null != null) ''
         ${lib.getExe jq} ${lib.escapeShellArg ''
           # Unlock a dependency and let npm-lockfile-fix relock it.
           def unlock(root; dependency; path):
             root | .packages[path] |= del(.resolved, .integrity)
                  | .packages[path].version = root.packages.channels.dependencies[dependency];
-          ${versionInfo.lockfileOverlay}
+          ${versionInfo'.lockfileOverlay}
         ''} < package-lock.fixed.json > package-lock.overlaid.json
         mv package-lock.overlaid.json package-lock.fixed.json
       ''}
@@ -128,20 +146,42 @@ buildMattermost rec {
   # https://github.com/mattermost/mattermost/issues/26221#issuecomment-1945351597
   overrideModAttrs = _: {
     buildPhase = ''
+      runHook preBuild
+
       make setup-go-work
       go work vendor -e -v
+
+      runHook postBuild
     '';
   };
 
   npmDeps = fetchNpmDeps {
     inherit src;
     sourceRoot = "${src.name}/webapp";
-    hash = versionInfo.npmDepsHash;
+    hash = versionInfo'.npmDepsHash;
     makeCacheWritable = true;
     forceGitDeps = true;
   };
 
-  inherit (versionInfo) vendorHash;
+  inherit (versionInfo') vendorHash;
+
+  patches = lib.optionals (lib.versionOlder version "11.0") [
+    # https://github.com/mattermost/mattermost/issues/36594
+    # Prevents upgrading to next ESR in NixOS 26.05.
+    (fetchpatch {
+      name = "revert-out-of-order-migrations.patch";
+      url = "https://github.com/mattermost/mattermost/commit/9408b98025d7364d7dfe7cdb28fcd109b1b595a6.patch";
+      hash = "sha256-YI2aFKNsQt69mecK85A6izsjf1I2cPfp4NBq5Majz/g=";
+      revert = true;
+    })
+  ];
+
+  postPatch = ''
+    if [ "$version" == 10.11.17 ]; then
+      # 25.11 only: tagged and released as 10.11.17 but prints the wrong version
+      substituteInPlace server/public/model/version.go --replace-fail "10.11.16" "10.11.17"
+    fi
+  '';
 
   modRoot = "./server";
   preBuild = ''
@@ -186,9 +226,14 @@ buildMattermost rec {
 
   doInstallCheck = true;
   installCheckPhase = ''
+    runHook preInstallCheck
+
     for subPackage in $subPackages; do
+      echo "Checking version for: $subPackage" >&2
       "$out/bin/$(basename -- "$subPackage")" version | grep "$version"
     done
+
+    runHook postInstallCheck
   '';
 
   passthru = {
@@ -196,11 +241,11 @@ buildMattermost rec {
       extraArgs = [
         "--use-github-releases"
         "--version-regex"
-        versionInfo.regex
+        versionInfo'.regex
       ]
-      ++ lib.optionals (versionInfo.autoUpdate or null != null) [
+      ++ lib.optionals (versionInfo'.autoUpdate or null != null) [
         "--override-filename"
-        versionInfo.autoUpdate
+        versionInfo'.autoUpdate
       ];
     };
     tests.mattermost = nixosTests.mattermost;
@@ -222,6 +267,7 @@ buildMattermost rec {
           --replace-fail 'options: {}' 'options: { disable: true }'
       '';
 
+      inherit nodejs;
       npmDepsHash = npmDeps.hash;
       makeCacheWritable = true;
       forceGitDeps = true;
@@ -231,10 +277,11 @@ buildMattermost rec {
       buildPhase = ''
         runHook preBuild
 
-        npm run build --workspace=platform/types
-        npm run build --workspace=platform/client
-        npm run build --workspace=platform/components
-        npm run build --workspace=channels
+        for ws in platform/{types,client,components,shared} channels; do
+          if [ -d "$ws" ]; then
+            npm run build --workspace="$ws"
+          fi
+        done
 
         runHook postBuild
       '';
@@ -260,7 +307,6 @@ buildMattermost rec {
     maintainers = with lib.maintainers; [
       ryantm
       numinit
-      kranzes
       mgdelacroix
     ];
     platforms = lib.platforms.linux;

pkgs/by-name/ma/mattermostLatest/package.nix

@@ -5,21 +5,20 @@
 
 mattermost.override (
   {
-    versionInfo = {
+    latestVersionInfo = {
       # Latest, non-RC releases only.
       # If the latest is an ESR (Extended Support Release),
       # duplicate it here to facilitate the update script.
+      # Note that the Mattermost package will prefer whichever is later of this one
+      # or itself, in case the update script is lagging on one set of hashes.
       # See https://docs.mattermost.com/about/mattermost-server-releases.html
       # and make sure the version regex is up to date here.
       # Ensure you also check ../mattermost/package.nix for ESR releases.
       regex = "^v(11\\.[0-9]+\\.[0-9]+)$";
-      version = "11.5.3";
-      srcHash = "sha256-r7rfiQ4C0E511QWdpQihydsuoRZCzboodmh1iT4a8r4=";
-      vendorHash = "sha256-/ts6j86tvbYFjVACkJwcSnXDd+8BXzpaFVdV9DRHkqY=";
-      npmDepsHash = "sha256-r7iq1pCAJjFyspZBdeNWe00W7A3l73PGC6rrsZ7O6Uw=";
-      lockfileOverlay = ''
-        unlock(.; "@floating-ui/react"; "channels/node_modules/@floating-ui/react")
-      '';
+      version = "11.7.0";
+      srcHash = "sha256-oH9bLN2BPvRSWl5m3VNHBNMBXfdmkwaE9tzL7pcD1mg=";
+      vendorHash = "sha256-PmwwiXNaDarc1H7z1G4zstgs7tvmZ/d7V5eGqMh1VX4=";
+      npmDepsHash = "sha256-C3vfWW2hMOMnrPn1538kT+ma09T9VswrmADV/KPkrPc=";
       autoUpdate = ./package.nix;
     };
   }

pkgs/by-name/qb/qbz/package.nix

@@ -22,16 +22,16 @@
 
 rustPlatform.buildRustPackage (finalAttrs: {
   pname = "qbz";
-  version = "1.2.12";
+  version = "1.2.13";
 
   src = fetchFromGitHub {
     owner = "vicrodh";
     repo = "qbz";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-SuEmBxwwEkINmH/cswV9Ed6FtBKP6IRrjQ7sIYMPOTg=";
+    hash = "sha256-LlpMCO8RHbC+MNCcsaUqAGNuaK2CSk4GEpVtmfKtsFo=";
   };
 
-  cargoHash = "sha256-bOm2W7lQag87dDRqcCCFPp2c+qVuOAoLpPH7Pihz1BU=";
+  cargoHash = "sha256-X5YJb1Pu+phAHOLUX9YnKDL0lJQqUXxK4J3S4PVt1YY=";
   cargoRoot = "src-tauri";
   buildAndTestSubdir = finalAttrs.cargoRoot;
 
@@ -40,7 +40,7 @@ rustPlatform.buildRustPackage (finalAttrs: {
   npmDeps = fetchNpmDeps {
     name = "qbz-${finalAttrs.version}-npm-deps";
     inherit (finalAttrs) src;
-    hash = "sha256-WjZg3xaJFOdCA0XaIFwWhd4kglUjkWei6Cw3+NiP6zs=";
+    hash = "sha256-HfdYKnjXf6/LqdTy7RCPfVfh8NdXuGHYrqDWAT3ozk4=";
   };
 
   env.LIBCLANG_PATH = "${lib.getLib llvmPackages.libclang}/lib";

pkgs/by-name/so/sogo/package.nix

@@ -25,14 +25,14 @@
 
 clangStdenv.mkDerivation rec {
   pname = "sogo";
-  version = "5.12.7";
+  version = "5.12.8";
 
   # always update the sope package as well, when updating sogo
   src = fetchFromGitHub {
     owner = "Alinto";
     repo = "sogo";
     rev = "SOGo-${version}";
-    hash = "sha256-HMnJQTC9P6gOVP1hViRtshIS0oWj0AKoRkeNr/udlso=";
+    hash = "sha256-UkqXOInp6z5x8HzIqD9YOuD1oqXIdTEzC+paf6FDkIg=";
   };
 
   nativeBuildInputs = [

pkgs/by-name/so/sope/package.nix

@@ -14,7 +14,7 @@
 
 clangStdenv.mkDerivation rec {
   pname = "sope";
-  version = "5.12.7";
+  version = "5.12.8";
 
   src = fetchFromGitHub {
     owner = "Alinto";

pkgs/by-name/sp/spamassassin/package.nix

@@ -97,6 +97,9 @@ perlPackages.buildPerlPackage rec {
     mkdir -p $HOME
     mkdir t/log  # pre-create to avoid race conditions
 
+    #401737: Sometimes we get: Failed tests:  2, 4-5, 7-9
+    rm t/spamd_ssl.t
+
     # https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8068
     checkFlagsArray+=(TEST_FILES='$(shell find t -name *.t -not -name spamd_ssl_accept_fail.t)')
   '';

pkgs/by-name/vi/vivaldi/package.nix

@@ -66,7 +66,7 @@
 
 stdenv.mkDerivation rec {
   pname = "vivaldi";
-  version = "7.9.3970.64";
+  version = "7.9.3970.67";
 
   suffix =
     {
@@ -79,8 +79,8 @@ stdenv.mkDerivation rec {
     url = "https://downloads.vivaldi.com/stable/vivaldi-stable_${version}-1_${suffix}.deb";
     hash =
       {
-        aarch64-linux = "sha256-51Lsbs1Vv8Qy9aBUxPzfadpKia+PHnBjptHY4LSN1Mo=";
-        x86_64-linux = "sha256-WJn7vmIPJ7/e0UG2uoNedji/Vd0QTY2LNJMBNqTF9Po=";
+        aarch64-linux = "sha256-GXG1e5d+wxmrzryDQdGplJlAnxAl6kGWzopgE4qH8Zw=";
+        x86_64-linux = "sha256-fvw2FajFP5Aspwdb+C0XUJLWABrZ7/clD4OX8FLtIKI=";
       }
       .${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
   };

pkgs/by-name/wa/wayle/package.nix

@@ -24,7 +24,7 @@ let
 in
 rustPlatform.buildRustPackage (finalAttrs: {
   pname = "wayle";
-  version = "0.2.3";
+  version = "0.3.0";
 
   __structuredAttrs = true;
   strictDeps = true;
@@ -33,10 +33,10 @@ rustPlatform.buildRustPackage (finalAttrs: {
     owner = "wayle-rs";
     repo = "wayle";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-K4ItGV7kTZrm3uqHeN/hSZjKzkQpSn+nan3509FYUQw=";
+    hash = "sha256-4hnbv31BWu6KbdSHphHnpl80R0ByxS0RxsM5uqtNnCU=";
   };
 
-  cargoHash = "sha256-omCcKXYouS9qPdhVINJC2mAjI7uG0M9MH14BN/4Zegs=";
+  cargoHash = "sha256-sXoqNF7hzE97PkRMBnxVFNPa92CgD5gYeMd0RmzPJzY=";
 
   nativeBuildInputs = [
     copyDesktopItems

pkgs/development/compilers/llvm/default.nix

@@ -27,9 +27,9 @@ let
     "20.1.8".officialRelease.sha256 = "sha256-ysyB/EYxi2qE9fD5x/F2zI4vjn8UDoo1Z9ukiIrjFGw=";
     "21.1.7".officialRelease.sha256 = "sha256-SaRJ7+iZMhhBdcUDuJpMAY4REQVhrvYMqI2aq3Kz08o=";
     "23.0.0-git".gitRelease = {
-      rev = "084a5acf5a076aa32c04cbcdca25c27fc75d8e6d";
-      rev-version = "23.0.0-unstable-2026-05-10";
-      sha256 = "sha256-xSyanVzsHokSrxhixUW3ovREeojTX7pedlBoaFpbtXQ=";
+      rev = "e9122d11ff92f2f343668cc759081496a130a943";
+      rev-version = "23.0.0-unstable-2026-05-17";
+      sha256 = "sha256-dnfnxQJ6Ye3wW3FOqZbaY0t/vuSapqc8c85oItGD4D8=";
     };
   }
   // llvmVersions;

pkgs/os-specific/linux/amneziawg/default.nix

@@ -2,7 +2,6 @@
   lib,
   stdenv,
   fetchFromGitHub,
-  srcOnly,
   kernel,
   kernelModuleMakeFlags,
   nix-update-script,
@@ -10,13 +9,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "amneziawg";
-  version = "1.0.20251009";
+  version = "1.0.20260329-2";
 
   src = fetchFromGitHub {
     owner = "amnezia-vpn";
     repo = "amneziawg-linux-kernel-module";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-OcMlwXOwjxLqHkAQHSwDigK6wuOFCSzoE5spVwybN1M=";
+    hash = "sha256-BlWnncTzVKDpCVvtLp8L+bABs81YH/Ce+9JGCoCm1LI=";
   };
 
   sourceRoot = "${finalAttrs.src.name}/src";
@@ -24,14 +23,12 @@ stdenv.mkDerivation (finalAttrs: {
   nativeBuildInputs = kernel.moduleBuildDependencies;
 
   buildFlags = [
-    "apply-patches"
     "module"
   ];
 
-  makeFlags =
-    kernelModuleMakeFlags
-    ++ [ "KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ]
-    ++ lib.optional (lib.versionAtLeast kernel.version "5.6") "KERNEL_SOURCE_DIR=${srcOnly kernel}";
+  makeFlags = kernelModuleMakeFlags ++ [
+    "KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
 
   enableParallelBuilding = true;
 

pkgs/os-specific/linux/kernel/xanmod-kernels.nix

@@ -15,14 +15,14 @@ let
   variants = {
     # ./update-xanmod.sh lts
     lts = {
-      version = "6.18.31";
-      hash = "sha256-AvsMS5Za+k+b08Nz4UOey9Uzg0Z9hT5lkwMN5cf5ZG8=";
+      version = "6.18.32";
+      hash = "sha256-XgqytdTnL3Jjcs9riMRGgRVfyy76jxdBcC0hSt4rc58=";
       isLTS = true;
     };
     # ./update-xanmod.sh main
     main = {
-      version = "7.0.8";
-      hash = "sha256-bB/qCLw3m+g3Z/JcYl7XNYT313jBbQdcMzvZaK8Fw4Q=";
+      version = "7.0.9";
+      hash = "sha256-QlCbzTqHtVROdIEoqwrAf8mylLh2WHSqFY/eQ3jvrW8=";
     };
   };
 

pkgs/os-specific/linux/kernel/zen-kernels.nix

@@ -12,13 +12,13 @@ let
   # override options if they need using lib.mkForce (that has 50 priority)
   mkKernelOverride = lib.mkOverride 90;
 
-  suffix = "zen2";
+  suffix = "zen1";
 in
 
 buildLinux (
   args
   // rec {
-    version = "7.0.7";
+    version = "7.0.9";
     pname = "linux-zen";
     modDirVersion = lib.versions.pad 3 "${version}-${suffix}";
     isZen = true;
@@ -27,7 +27,7 @@ buildLinux (
       owner = "zen-kernel";
       repo = "zen-kernel";
       rev = "v${version}-${suffix}";
-      sha256 = "0b27mh7rndbyjbqf4gfivacgda9srkjlh1hdflasl0vq4sdy3d68";
+      sha256 = "vu6rRldDBp/N6kkMzZEgz9aMsGa/VWPdnkZTCF/Yobo=";
     };
 
     # This is based on the following source: