[Backport release-25.11] boringssl: 0.20260508.0 -> 0.20260526.0 (#527514)

release announcement: https://blog.torproject.org/new-release-tor-browser-15015/
changelog: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/tbb-15.0.13-build1/projects/browser/Bundle-Data/Docs-TBB/ChangeLog.txt
tor changelog: https://gitlab.torproject.org/tpo/core/tor/-/raw/tor-0.4.9.9/ReleaseNotes
trove: https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE

Fixes: TROVE-2026-013, TROVE-2026-014, TROVE-2026-015, TROVE-2026-016, TROVE-2026-017, TROVE-2026-018, TROVE-2026-019, TROVE-2026-020, TROVE-2026-021, TROVE-2026-022
(cherry picked from commit bf5a34b2f9)

.github/labeler-no-sync.yml

@@ -33,4 +33,15 @@
               - maintainers/github-teams.json
       - base-branch: ['master']
 
+"backport release-26.05":
+  - all:
+      - changed-files:
+          - any-glob-to-any-file:
+              - .github/actions/**/*
+              - .github/workflows/*
+              - .github/labeler*.yml
+              - ci/**/*.*
+              - maintainers/github-teams.json
+      - base-branch: ['master']
+
 # keep-sorted end

.github/labeler.yml

@@ -9,6 +9,7 @@
           - '^release-'
           - '^staging-\d'
           - '^staging-next-\d'
+          - '^staging-nixos-\d'
 
 # NOTE: bsd, darwin and cross-compilation labels are handled by ofborg
 "6.topic: agda":

.github/workflows/backport.yml

@@ -21,7 +21,7 @@ defaults:
 jobs:
   backport:
     name: Backport Pull Request
-    if: vars.NIXPKGS_CI_APP_ID && github.event.pull_request.merged == true && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
+    if: vars.NIXPKGS_CI_CLIENT_ID && github.event.pull_request.merged == true && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
     runs-on: ubuntu-slim
     timeout-minutes: 3
     steps:
@@ -30,13 +30,13 @@ jobs:
       - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         id: app-token
         with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
           private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
           permission-contents: write
           permission-pull-requests: write
           permission-workflows: write
 
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           token: ${{ steps.app-token.outputs.token }}

.github/workflows/bot.yml

@@ -46,7 +46,7 @@ jobs:
       # https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
       FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           sparse-checkout: |
@@ -57,10 +57,10 @@ jobs:
 
       # Use a GitHub App, because it has much higher rate limits: 12,500 instead of 5,000 req / hour.
       - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_CLIENT_ID
         id: app-token
         with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
           private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
           permission-administration: read
           permission-contents: write

.github/workflows/build.yml

@@ -52,7 +52,7 @@ jobs:
     runs-on: ${{ matrix.runner }}
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           sparse-checkout: .github/actions

.github/workflows/check.yml

@@ -43,7 +43,7 @@ jobs:
     runs-on: ubuntu-slim
     timeout-minutes: 3
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           path: trusted
@@ -95,7 +95,7 @@ jobs:
     runs-on: ubuntu-slim
     timeout-minutes: 3
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           path: trusted
@@ -137,7 +137,7 @@ jobs:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           sparse-checkout: .github/actions

.github/workflows/comment.yml

@@ -23,7 +23,7 @@ jobs:
     timeout-minutes: 2
     if: contains(github.event.comment.body, '@NixOS/nixpkgs-merge-bot merge')
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           sparse-checkout: |
@@ -31,10 +31,10 @@ jobs:
 
       # Use the GitHub App to make sure the reaction happens with the same user who will later merge.
       - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_CLIENT_ID
         id: app-token
         with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
           private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
           permission-pull-requests: write
 

.github/workflows/edited.yml

@@ -39,7 +39,7 @@ jobs:
       - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         id: app-token
         with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
           private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
           permission-pull-requests: write
 

.github/workflows/eval.yml

@@ -47,7 +47,7 @@ jobs:
       ciPinBumpCommit: ${{ steps.find-pinned-commit.outputs.ciPinBumpCommit }}
       ciPinBumpCommitShort: ${{ steps.find-pinned-commit.outputs.ciPinBumpCommitShort }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           path: trusted
@@ -55,7 +55,7 @@ jobs:
             ci/supportedVersions.nix
 
       - name: Check out the PR at the test merge commit
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           ref: ${{ inputs.mergedSha }}
@@ -171,7 +171,7 @@ jobs:
           sudo mkswap /swap
           sudo swapon /swap
 
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           sparse-checkout: .github/actions
@@ -256,7 +256,7 @@ jobs:
       statuses: write # creating 'Eval Summary' commit statuses
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           sparse-checkout: .github/actions
@@ -471,7 +471,7 @@ jobs:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           sparse-checkout: .github/actions

.github/workflows/lint.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           sparse-checkout: .github/actions
@@ -61,7 +61,7 @@ jobs:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           sparse-checkout: .github/actions
@@ -90,7 +90,7 @@ jobs:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           sparse-checkout: .github/actions
@@ -134,7 +134,7 @@ jobs:
     runs-on: ubuntu-slim
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: true # Needed to run git fetch for large PRs.
           path: trusted

.github/workflows/merge-group.yml

@@ -25,7 +25,7 @@ jobs:
       targetSha: ${{ steps.prepare.outputs.targetSha }}
       systems: ${{ steps.prepare.outputs.systems }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           sparse-checkout: |

.github/workflows/periodic-merge-24h.yml

@@ -22,7 +22,7 @@ defaults:
 
 jobs:
   periodic-merge:
-    if: github.repository_owner == 'NixOS'
+    if: github.repository_owner == 'NixOS' || github.event_name == 'workflow_dispatch'
     strategy:
       # don't fail fast, so that all pairs are tried
       fail-fast: false
@@ -35,10 +35,14 @@ jobs:
             into: staging-next-25.11
           - from: staging-next-25.11
             into: staging-25.11
-          - from: master
+          - from: release-25.11
+            into: staging-nixos-25.11
+          - from: release-26.05
             into: staging-next-26.05
           - from: staging-next-26.05
             into: staging-26.05
+          - from: release-26.05
+            into: staging-nixos-26.05
           - name: merge-base(master,staging) → haskell-updates
             from: master staging
             into: haskell-updates
@@ -49,3 +53,34 @@ jobs:
     name: ${{ matrix.pairs.name || format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
     secrets:
       NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
+
+  # Resets the target branch of the current haskell-updates PR.
+  # This makes GitHub hide all the commits that are already part of staging and gives us a much clearer PR view.
+  haskell-updates:
+    needs: periodic-merge
+    runs-on: ubuntu-slim
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Find PR and update target branch
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        with:
+          script: |
+            // There will at most be a single haskell-updates PR anyway, so no need to paginate.
+            await Promise.all(
+              (
+                await github.rest.pulls.list({
+                  ...context.repo,
+                  state: 'open',
+                  head: `${context.repo.owner}:haskell-updates`,
+                })
+              ).data.map((pr) =>
+                github.rest.pulls.update({
+                  ...context.repo,
+                  pull_number: pr.number,
+                  // Just updating to the same branch to trigger a UI update.
+                  // This is staging most of the time, but could be staging-next in rare cases.
+                  base: pr.base.ref,
+                }),
+              ),
+            )

.github/workflows/periodic-merge-6h.yml

@@ -22,7 +22,7 @@ defaults:
 
 jobs:
   periodic-merge:
-    if: github.repository_owner == 'NixOS'
+    if: github.repository_owner == 'NixOS' || github.event_name == 'workflow_dispatch'
     strategy:
       # don't fail fast, so that all pairs are tried
       fail-fast: false

.github/workflows/periodic-merge.yml

@@ -29,12 +29,12 @@ jobs:
       - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         id: app-token
         with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
           private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
           permission-contents: write
           permission-pull-requests: write
 
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
 

.github/workflows/pull-request-target.yml

@@ -36,7 +36,7 @@ jobs:
       systems: ${{ steps.prepare.outputs.systems }}
       touched: ${{ steps.prepare.outputs.touched }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           sparse-checkout-cone-mode: true # default, for clarity

.github/workflows/review.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-slim
     timeout-minutes: 2
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           sparse-checkout: |
@@ -28,10 +28,10 @@ jobs:
 
       # Use the GitHub App to make sure the reaction happens with the same user who will later merge.
       - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_CLIENT_ID
         id: app-token
         with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
           private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
           permission-pull-requests: write
 

.github/workflows/teams.yml

@@ -22,7 +22,7 @@ jobs:
       - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         id: app-token
         with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
           private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
           permission-administration: read
           permission-contents: write
@@ -30,7 +30,7 @@ jobs:
           permission-pull-requests: write
 
       - name: Fetch source
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           sparse-checkout: |

.github/workflows/test.yml

@@ -19,7 +19,7 @@ jobs:
       push: ${{ steps.files.outputs.push }}
       targetSha: ${{ steps.prepare.outputs.targetSha }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
           sparse-checkout-cone-mode: true # default, for clarity

CONTRIBUTING.md

@@ -443,6 +443,7 @@ The staging workflow is used for all stable branches with corresponding names:
 - `master`/`release-YY.MM`
 - `staging`/`staging-YY.MM`
 - `staging-next`/`staging-next-YY.MM`
+- `staging-nixos`/`staging-nixos-YY.MM`
 
 [^1]: Except changes that cause no more rebuilds than kernel updates
 
@@ -506,7 +507,7 @@ These PRs go to `staging-nixos`, see [the next section for more context](#change
 Changes causing a rebuild of all NixOS tests get a special [`10.rebuild-nixos-tests`](https://github.com/NixOS/nixpkgs/issues?q=state%3Aopen%20label%3A10.rebuild-nixos-tests) label.
 These changes pose a significant impact on the build infrastructure.
 
-Hence, these PRs should either target a `staging`-branch or `staging-nixos`, provided one of following conditions applies:
+Hence, these PRs should either target a `staging`-branch or `staging-nixos`-branch, provided one of following conditions applies:
 
 * The label `10.rebuild-nixos-tests` is set, or
 * The PR is a change affecting the Linux kernel.

ci/github-script/check-target-branch.js

@@ -101,9 +101,8 @@ async function checkTargetBranch({ github, context, core, dry }) {
   const rebuildsAllTests =
     changed.attrdiff.changed.includes('nixosTests.simple')
 
-  // https://github.com/NixOS/nixpkgs/pull/481205#issuecomment-3790123921
-  // These should go to staging-nixos instead of master,
-  // but release-xx.xx (not staging-xx.xx) when backported
+  // https://github.com/NixOS/nixpkgs/pull/521157
+  // These should go to master and release-xx.xx when backported
   let isExemptKernelUpdate = false
   if (prInfo.changed_files === 1) {
     const changedFiles = (
@@ -114,11 +113,8 @@ async function checkTargetBranch({ github, context, core, dry }) {
     ).data
     isExemptKernelUpdate =
       changedFiles.length === 1 &&
-      (changedFiles[0].filename ===
-        'pkgs/os-specific/linux/kernel/xanmod-kernels.nix' ||
-        (base.startsWith('release-') &&
-          changedFiles[0].filename ===
-            'pkgs/os-specific/linux/kernel/kernels-org.json'))
+      changedFiles[0].filename ===
+        'pkgs/os-specific/linux/kernel/xanmod-kernels.nix'
   }
 
   // https://github.com/NixOS/nixpkgs/pull/483194#issuecomment-3793393218
@@ -163,8 +159,10 @@ async function checkTargetBranch({ github, context, core, dry }) {
       branchText = '(probably either `staging-nixos` or `staging`)'
     } else if (base === 'master') {
       branchText = '(probably `staging-nixos`)'
+    } else if (maxRebuildCount >= 500) {
+      branchText = `(probably either \`staging-nixos-${split(base).version}\` or \`staging-${split(base).version}\`)`
     } else {
-      branchText = `(probably \`staging-${split(base).version}\`)`
+      branchText = `(probably \`staging-nixos-${split(base).version}\`)`
     }
     const body = [
       `The PR's base branch is set to \`${base}\`, but this PR rebuilds all NixOS tests.`,

doc/packages/linux.section.md

@@ -119,11 +119,10 @@ $ pkgs/os-specific/linux/kernel/update.sh
 The change gets submitted like this:
 
 * File a PR against `staging-nixos`.
-  * Add a `backport release-XX.XX` label for an automated backport.
-    We don't expect many other changes on that branch to require a backport, hence there's no such branch for stable.
+  * Add a `backport staging-nixos-XX.XX` label for an automated backport.
     By using an additional PR, we get the automatic backport against stable without manual cherry-picks.
-* Merge into `staging-nixos`.
-* File as PR from `staging-nixos` against `master`.
+* Merge into `staging-nixos` or `staging-nixos-XX.XX`.
+* File as PR from `staging-nixos` against `master` or `staging-nixos-XX.XX` against `release-xx.xx`.
 * When all status checks are green, merge.
 
 ### Add a new (major) version of the Linux kernel {#sec-linux-add-new-kernel-version}

maintainers/github-teams.json

@@ -309,8 +309,7 @@
     "members": {
       "AndersonTorres": 5954806,
       "adisbladis": 63286,
-      "panchoh": 471059,
-      "ttuegel": 563054
+      "panchoh": 471059
     },
     "name": "emacs"
   },
@@ -407,12 +406,13 @@
   "gnome": {
     "description": "Maintain GNOME desktop environment and platform.",
     "id": 3806133,
-    "maintainers": {},
+    "maintainers": {
+      "jtojnar": 705123
+    },
     "members": {
       "bobby285271": 20080233,
       "dasj19": 7589338,
-      "hedning": 71978,
-      "jtojnar": 705123
+      "hedning": 71978
     },
     "name": "GNOME"
   },
@@ -702,6 +702,7 @@
       "Mic92": 96200,
       "Radvendii": 1239929,
       "edolstra": 1148549,
+      "lisanna-dettwyler": 72424138,
       "lovesegfault": 7243783,
       "xokdvium": 145775305
     },
@@ -819,14 +820,13 @@
     "description": "Maintain the Qt framework, KDE application suite, Plasma desktop environment and related projects",
     "id": 4341481,
     "maintainers": {
-      "ttuegel": 563054
+      "K900": 386765,
+      "NickCao": 15247171,
+      "SuperSandro2000": 7258858
     },
     "members": {
       "FRidh": 2129135,
-      "K900": 386765,
       "LunNova": 782440,
-      "NickCao": 15247171,
-      "SuperSandro2000": 7258858,
       "bkchr": 5718007,
       "ilya-fedin": 17829319,
       "mjm": 1181,
@@ -896,8 +896,7 @@
     "id": 7304571,
     "maintainers": {
       "Mic92": 96200,
-      "winterqt": 78392041,
-      "zowoq": 59103226
+      "winterqt": 78392041
     },
     "members": {},
     "name": "rust"
@@ -936,6 +935,7 @@
       "infinisil": 20525370
     },
     "members": {
+      "andir": 638836,
       "pyrox0": 35778371
     },
     "name": "Security review"

maintainers/maintainer-list.nix

@@ -7094,12 +7094,6 @@
     github = "DSeeLP";
     githubId = 46624152;
   };
-  dsferruzza = {
-    email = "david.sferruzza@gmail.com";
-    github = "dsferruzza";
-    githubId = 1931963;
-    name = "David Sferruzza";
-  };
   dsluijk = {
     name = "Dany Sluijk";
     email = "nix@dany.dev";
@@ -20442,6 +20436,12 @@
     githubId = 7420227;
     name = "Peter Tri Ho";
   };
+  peterwaller-arm = {
+    email = "peter.waller@arm.com";
+    github = "peterwaller-arm";
+    githubId = 52030119;
+    name = "Peter Waller";
+  };
   peterwilli = {
     email = "peter@codebuffet.co";
     github = "peterwilli";
@@ -25534,12 +25534,6 @@
     githubId = 127287939;
     name = "Syed Sumairul Hasan";
   };
-  syberant = {
-    email = "sybrand@neuralcoding.com";
-    github = "syberant";
-    githubId = 20063502;
-    name = "Sybrand Aarnoutse";
-  };
   syboxez = {
     email = "syboxez@gmail.com";
     matrix = "@syboxez:matrix.org";

nixos/modules/module-list.nix

@@ -676,6 +676,7 @@
   ./services/hardware/nvidia-optimus.nix
   ./services/hardware/openrgb.nix
   ./services/hardware/pcscd.nix
+  ./services/hardware/pdudaemon.nix
   ./services/hardware/pid-fan-controller.nix
   ./services/hardware/pommed.nix
   ./services/hardware/power-profiles-daemon.nix

nixos/modules/services/display-managers/default.nix

@@ -120,16 +120,7 @@ in
       };
 
       defaultSession = lib.mkOption {
-        type = lib.types.nullOr lib.types.str // {
-          description = "session name";
-          check =
-            d:
-            lib.assertMsg (d != null -> (lib.types.str.check d && lib.elem d cfg.sessionData.sessionNames)) ''
-              Default graphical session, '${d}', not found.
-              Valid names for 'services.displayManager.defaultSession' are:
-                ${lib.concatStringsSep "\n  " cfg.sessionData.sessionNames}
-            '';
-        };
+        type = lib.types.nullOr (lib.types.str // { description = "session name"; });
         default = null;
         example = "gnome";
         description = ''
@@ -149,26 +140,12 @@ in
 
       sessionPackages = lib.mkOption {
         type = lib.types.listOf (
-          lib.types.package
+          lib.types.addCheck lib.types.package (
+            p: p ? providedSessions && p.providedSessions != [ ] && lib.all lib.isString p.providedSessions
+          )
           // {
             description = "package with provided sessions";
-            check =
-              p:
-              lib.assertMsg
-                (
-                  lib.types.package.check p
-                  && p ? providedSessions
-                  && p.providedSessions != [ ]
-                  && lib.all lib.isString p.providedSessions
-                )
-                ''
-                  Package, '${p.name}', did not specify any session names, as strings, in
-                  'passthru.providedSessions'. This is required when used as a session package.
-
-                  The session names can be looked up in:
-                    ${p}/share/xsessions
-                    ${p}/share/wayland-sessions
-                '';
+            descriptionClass = "composite";
           }
         );
         default = [ ];
@@ -230,6 +207,14 @@ in
           services.displayManager.autoLogin.enable requires services.displayManager.autoLogin.user to be set
         '';
       }
+      {
+        assertion = cfg.defaultSession == null || lib.elem cfg.defaultSession cfg.sessionData.sessionNames;
+        message = ''
+          Default graphical session, '${toString cfg.defaultSession}', not found.
+          Valid names for 'services.displayManager.defaultSession' are:
+            ${lib.concatStringsSep "\n    " cfg.sessionData.sessionNames}
+        '';
+      }
     ];
 
     # Make xsessions and wayland sessions available in XDG_DATA_DIRS

nixos/modules/services/hardware/pdudaemon.nix

@@ -0,0 +1,146 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.services.pdudaemon;
+  configFile = pkgs.writeText "pdudaemon.conf" (
+    lib.generators.toJSON { } {
+      daemon = {
+        hostname = cfg.bindAddress;
+        port = cfg.port;
+        logging_level = cfg.logLevel;
+        listener = cfg.listener;
+      };
+      pdus = cfg.pdus;
+    }
+  );
+in
+{
+  meta = {
+    maintainers = with lib.maintainers; [
+      aiyion
+      emantor
+    ];
+  };
+
+  options = {
+    services.pdudaemon = {
+      enable = lib.mkEnableOption "PDUDaemon";
+
+      package = lib.mkPackageOption pkgs "pdudaemon" { };
+
+      bindAddress = lib.mkOption {
+        default = "0.0.0.0";
+        type = lib.types.str;
+        description = "Bind address for the PDUDaemon.";
+      };
+
+      port = lib.mkOption {
+        default = 16421;
+        type = lib.types.port;
+        description = "Port to bind to.";
+      };
+
+      openFirewall = lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = ''
+          Whether to automatically open the PDUDaemon listen port in the firewall.
+        '';
+      };
+
+      listener = lib.mkOption {
+        default = "http";
+        type = lib.types.enum [
+          "http"
+          "tcp"
+        ];
+        description = "Which kind of listener to provide.";
+      };
+
+      logLevel = lib.mkOption {
+        default = "error";
+        type = lib.types.enum [
+          "debug"
+          "info"
+          "warning"
+          "error"
+        ];
+        description = "PDUDaemon log level.";
+      };
+
+      pdus = lib.mkOption {
+        type = with lib.types; attrsOf anything;
+        default = { };
+        description = ''
+          Structural pdus section of PDUDaemon's pdudaemon.conf.
+          Refer to <https://github.com/pdudaemon/pdudaemon/blob/main/share/pdudaemon.conf>
+          for more examples.
+        '';
+        example = lib.literalExpression ''
+          {
+            cbs350-poe-switch = {
+              driver = "snmpv1";
+              community = "private";
+              oid = ".1.3.6.1.2.1.105.1.1.1.3.1.*;
+              onsetting = 1;
+              offsetting = 2;
+            };
+            energenie = {
+              driver = "EG-PMS";
+              device = "aa:bb:cc:xx:yy";
+            };
+            local = {
+              driver = "localcmdline";
+            };
+          };
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ];
+
+    systemd.services.pdudaemon = {
+      after = [ "network-online.target" ];
+      description = "Control and Queueing daemon for PDUs";
+      serviceConfig = {
+        ExecStart = "${lib.getExe cfg.package} --conf ${configFile}";
+        Type = "simple";
+        DynamicUser = "yes";
+        StateDirectory = "pdudaemon";
+        ProtectHome = true;
+        Restart = "on-failure";
+        CapabilityBoundingSet = "";
+        PrivateDevices = true;
+        ProtectClock = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        SystemCallArchitectures = "native";
+        MemoryDenyWriteExecute = true;
+        RestrictNamespaces = true;
+        ProtectHostname = true;
+        LockPersonality = true;
+        ProtectKernelTunables = true;
+        RestrictRealtime = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        PrivateUsers = true;
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+        ];
+      };
+
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
+    };
+  };
+}

nixos/modules/services/logging/logrotate.nix

@@ -91,9 +91,9 @@ let
       # files required to exist also won't be present, so missingok is forced.
       user=$(${pkgs.buildPackages.coreutils}/bin/id -un)
       group=$(${pkgs.buildPackages.coreutils}/bin/id -gn)
-      sed -e "s/\bsu\s.*/su $user $group/" \
-          -e "s/\b\(create\s\+[0-9]*\s*\|createolddir\s\+[0-9]*\s\+\).*/\1$user $group/" \
-          -e "1imissingok" -e "s/\bnomissingok\b//" \
+      sed -E -e "s/\bsu\s.*/su $user $group/" \
+             -e "s/\b((create|createolddir)\b(\s+[0-9]+)?).*/\1 $user $group/" \
+             -e "1imissingok" -e "s/\bnomissingok\b//" \
           $out > logrotate.conf
       # Since this makes for very verbose builds only show real error.
       # There is no way to control log level, but logrotate hardcodes

nixos/modules/services/networking/fastnetmon-advanced.nix

@@ -207,6 +207,10 @@ in
           AmbientCapabilities = "cap_net_bind_service";
         };
       };
+
+      services.fastnetmon-advanced.hostgroups = {
+        global = { };
+      };
     })
 
     (lib.mkIf (cfg.enable && cfg.enableAdvancedTrafficPersistence) {

nixos/modules/services/security/warpgate.nix

@@ -51,7 +51,10 @@ in
           freeformType = yaml.type;
           options = {
             sso_providers = mkOption {
-              description = "Configure OIDC single sign-on providers.";
+              description = ''
+                Configure OIDC single sign-on providers.
+                Main documentation can be found [here](https://warpgate.null.page/sso).
+              '';
               default = [ ];
               type = listOf (submodule {
                 freeformType = yaml.type;
@@ -62,12 +65,40 @@ in
                   };
                   label = mkOption {
                     description = "SSO provider name displayed on login page.";
-                    type = str;
+                    default = null;
+                    type = nullOr str;
+                  };
+                  auto_create_users = mkOption {
+                    description = "Whether to create user automatically at first SSO login.";
+                    default = false;
+                    type = bool;
                   };
                   provider = mkOption {
-                    description = "SSO provider configurations.";
+                    description = ''
+                      SSO provider configurations.
+                      See [here](https://github.com/warp-tech/warpgate/blob/ffc755f0137944bd39cf4cbce90f4279da500943/config-schema.json#L430) for all acceptable options.
+                    '';
                     type = attrsOf yaml.type;
                   };
+                  return_domain_whitelist = mkOption {
+                    description = ''
+                      Controls the SSO return URL supplied to SSO provider.
+                      This will also required you to connect to this instance via whitelisted domain when doing SSO login.
+                    '';
+                    default = null;
+                    type = nullOr (listOf str);
+                  };
+                  return_url_prefix = mkOption {
+                    description = ''
+                      Controls the SSO return URL supplied to SSO provider.
+                      Useful for providers that do not allow the @ sign in the URL (e.g. Azure).
+                    '';
+                    default = "@";
+                    type = enum [
+                      "@"
+                      "_"
+                    ];
+                  };
                 };
               });
               example = literalExpression ''
@@ -105,6 +136,7 @@ in
               description = ''
                 Configure the domain name of this Warpgate instance.
                 See [HTTP domain binding](https://warpgate.null.page/http-domain-binding/).
+                This option is considered legacy, please use protocol specific `external_host` instead.
               '';
               default = null;
               type = nullOr str;
@@ -128,6 +160,11 @@ in
                 default = "[::]:2222";
                 type = str;
               };
+              external_host = mkOption {
+                description = "The SSH listener is reachable via this domain name externally.";
+                default = null;
+                type = nullOr str;
+              };
               external_port = mkOption {
                 description = "The SSH listener is reachable via this port externally.";
                 default = null;
@@ -164,6 +201,11 @@ in
                 default = "[::]:8888";
                 type = str;
               };
+              external_host = mkOption {
+                description = "The HTTP listener is reachable via this domain name externally.";
+                default = null;
+                type = nullOr str;
+              };
               external_port = mkOption {
                 description = "The HTTP listener is reachable via this port externally.";
                 default = null;
@@ -239,6 +281,11 @@ in
                 default = "[::]:33306";
                 type = str;
               };
+              external_host = mkOption {
+                description = "The MySQL listener is reachable via this domain name externally.";
+                default = null;
+                type = nullOr str;
+              };
               external_port = mkOption {
                 description = "The MySQL listener is reachable via this port externally.";
                 default = null;
@@ -266,6 +313,11 @@ in
                 default = "[::]:55432";
                 type = str;
               };
+              external_host = mkOption {
+                description = "The PostgreSQL listener is reachable via this domain name externally.";
+                default = null;
+                type = nullOr str;
+              };
               external_port = mkOption {
                 description = "The PostgreSQL listener is reachable via this port externally.";
                 default = null;
@@ -282,9 +334,59 @@ in
                 type = str;
               };
             };
+            kubernetes = {
+              enable = mkOption {
+                description = "Whether to enable Kubernetes listener.";
+                default = false;
+                type = bool;
+              };
+              listen = mkOption {
+                description = "Listen endpoint of Kubernetes listener.";
+                default = "[::]:8443";
+                type = str;
+              };
+              external_host = mkOption {
+                description = "The Kubernetes listener is reachable via this domain name externally.";
+                default = null;
+                type = nullOr str;
+              };
+              external_port = mkOption {
+                description = "The Kubernetes listener is reachable via this port externally.";
+                default = null;
+                type = nullOr str;
+              };
+              certificate = mkOption {
+                description = "Path to Kubernetes listener certificate.";
+                default = "/var/lib/warpgate/tls.certificate.pem";
+                type = str;
+              };
+              key = mkOption {
+                description = "Path to Kubernetes listener private key.";
+                default = "/var/lib/warpgate/tls.key.pem";
+                type = str;
+              };
+              session_max_age = mkOption {
+                description = "How long until a logged in session expires.";
+                default = "30m";
+                type = str;
+              };
+            };
             log = {
+              format = mkOption {
+                description = "The format Warpgate emits logs in.";
+                default = "text";
+                type = enum [
+                  "text"
+                  "json"
+                ];
+              };
+              audit_retention = mkOption {
+                description = "How long Warpgate keeps its audit logs.";
+                default = "1year";
+                type = str;
+              };
               retention = mkOption {
-                description = "How long Warpgate keep its logs.";
+                description = "How long Warpgate keeps its non-audit logs and session recordings.";
                 default = "7days";
                 type = str;
               };
@@ -297,17 +399,6 @@ in
                 type = nullOr str;
               };
             };
-            config_provider = mkOption {
-              description = ''
-                Source of truth of users.
-                DO NOT change this, Warpgate only implemented database provider.
-              '';
-              default = "database";
-              type = enum [
-                "file"
-                "database"
-              ];
-            };
           };
         };
         default = { };
@@ -372,6 +463,10 @@ in
           assertion = !((cfg.databaseUrlFile == null) && (cfg.settings.database_url == null));
           message = "Either databaseUrlFile or settings.database_url must be set; Set the other to null.";
         }
+        {
+          assertion = !(lib.hasAttr "config_provider" cfg.settings);
+          message = "`services.warpgate.settings.config_provider` is a legacy option that has been removed since 0.14.0. Please do not set this option.";
+        }
       ];
 
       environment.systemPackages = [ cfg.package ];

nixos/modules/system/boot/kernel_config.nix

@@ -29,9 +29,7 @@ let
       };
 
       freeform = mkOption {
-        type = types.nullOr types.str // {
-          merge = mergeEqualOption;
-        };
+        type = types.nullOr types.str;
         default = null;
         example = ''MMC_BLOCK_MINORS.freeform = "32";'';
         description = ''

nixos/modules/virtualisation/incus-agent.nix

@@ -7,6 +7,8 @@
 
 let
   cfg = config.virtualisation.incus.agent;
+
+  package = pkgs.incus;
 in
 {
   meta = {
@@ -18,8 +20,8 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    services.udev.packages = [ config.virtualisation.incus.package.agent_loader ];
-    systemd.packages = [ config.virtualisation.incus.package.agent_loader ];
+    services.udev.packages = [ package.agent_loader ];
+    systemd.packages = [ package.agent_loader ];
 
     systemd.services.incus-agent = {
       enable = true;

nixos/tests/all-tests.nix

@@ -405,6 +405,7 @@ in
   containers-tmpfs = runTest ./containers-tmpfs.nix;
   containers-unified-hierarchy = runTest ./containers-unified-hierarchy.nix;
   convos = runTest ./convos.nix;
+  coredns = runTest ./coredns.nix;
   corerad = runTest ./corerad.nix;
   corteza = runTest ./corteza.nix;
   cosmic = runTest {
@@ -1207,6 +1208,7 @@ in
   password-option-override-ordering = runTest ./password-option-override-ordering.nix;
   patroni = handleTestOn [ "x86_64-linux" ] ./patroni.nix { };
   pdns-recursor = runTest ./pdns-recursor.nix;
+  pdudaemon = runTest ./pdudaemon.nix;
   peerflix = runTest ./peerflix.nix;
   peering-manager = runTest ./web-apps/peering-manager.nix;
   peertube = handleTestOn [ "x86_64-linux" ] ./web-apps/peertube.nix { };

nixos/tests/caddy.nix

@@ -74,7 +74,7 @@
           services.caddy = {
             package = pkgs.caddy.withPlugins {
               plugins = [ "github.com/caddyserver/replace-response@v0.0.0-20250618171559-80962887e4c6" ];
-              hash = "sha256-kKWXpxEAn23yud8tcgw7FFOaxLjoodZ/cuM1239TRoY=";
+              hash = "sha256-0N/bQAM5yT6g9UAteWsfxofGcelmU/NDTroS2oL43Gs=";
             };
             configFile = pkgs.writeText "Caddyfile" ''
               {

nixos/tests/coredns.nix

@@ -0,0 +1,42 @@
+{ pkgs, ... }:
+{
+  name = "coredns";
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ johanot ];
+  };
+
+  nodes.machine =
+    { pkgs, ... }:
+    {
+      environment.systemPackages = [ pkgs.dnsutils ];
+      services.coredns = {
+        enable = true;
+        config = ''
+          .:10053 {
+                ipecho {
+                  domain test.nixos.org
+                  ttl 2629800
+                }
+              }
+        '';
+        package = pkgs.coredns.override {
+          externalPlugins = [
+            {
+              name = "ipecho";
+              repo = "github.com/Eun/coredns-ipecho";
+              version = "224170ebca45cc59c6b071d280a18f42d1ff130c";
+              position = "start-of-file";
+            }
+          ];
+          vendorHash = "sha256-66WNU+t/frHfbxexYdiXzgXKLxPyLnN6JuKnlG/kSQY=";
+        };
+      };
+    };
+
+  testScript = ''
+    machine.start()
+    machine.wait_for_unit("coredns.service")
+    machine.wait_for_open_port(10053)
+    machine.succeed("dig @127.0.0.1 -p 10053 127.0.0.2.test.nixos.org A +short | grep 127.0.0.2")
+  '';
+}

nixos/tests/docker.nix

@@ -15,7 +15,7 @@
       {
         virtualisation.docker.enable = true;
         virtualisation.docker.autoPrune.enable = true;
-        virtualisation.docker.package = pkgs.docker;
+        virtualisation.docker.package = pkgs.docker_29;
 
         users.users = {
           noprivs = {
@@ -48,7 +48,7 @@
     docker.succeed("docker stop sleeping")
 
     # Must match version 4 times to ensure client and server git commits and versions are correct
-    docker.succeed('[ $(docker version | grep ${pkgs.docker.version} | wc -l) = "4" ]')
+    docker.succeed('[ $(docker version | grep ${pkgs.docker_29.version} | wc -l) = "4" ]')
     docker.succeed("systemctl restart systemd-sysctl")
     docker.succeed("grep 1 /proc/sys/net/ipv4/conf/all/forwarding")
     docker.succeed("grep 1 /proc/sys/net/ipv4/conf/default/forwarding")

nixos/tests/fastnetmon-advanced.nix

@@ -62,7 +62,7 @@
       bird.wait_for_unit("bird.service")
 
       fnm.wait_until_succeeds('journalctl -eu fastnetmon.service | grep "BGP daemon restarted correctly"')
-      fnm.wait_until_succeeds("journalctl -eu gobgp.service | grep BGP_FSM_OPENCONFIRM")
+      fnm.wait_until_succeeds('journalctl -eu gobgp.service | grep "Peer Up"')
       bird.wait_until_succeeds("birdc show protocol fnm | grep Estab")
       fnm.wait_until_succeeds('journalctl -eu fastnetmon.service | grep "API server listening"')
       fnm.succeed("fcli set blackhole 172.23.42.123")

nixos/tests/logrotate.nix

@@ -66,8 +66,10 @@ in
             checkConf = {
               su = "root utmp";
               createolddir = "0750 root utmp";
+              "createolddir " = "0750";
               create = "root utmp";
               "create " = "0750 root utmp";
+              "create  " = "0750";
             };
             # multiple paths should be aggregated
             multipath = {

nixos/tests/oci-containers.nix

@@ -40,6 +40,8 @@ let
               };
             };
 
+            virtualisation.docker.package = lib.mkIf (backend == "docker") pkgs.docker_29;
+
             # Stop systemd from killing remaining processes if ExecStop script
             # doesn't work, so that proper stopping can be tested.
             systemd.services.${serviceName}.serviceConfig.KillSignal = "SIGCONT";

nixos/tests/pdudaemon.nix

@@ -0,0 +1,50 @@
+{ pkgs, ... }:
+{
+  name = "PDUDaemon";
+  meta.maintainers = with pkgs.lib.maintainers; [
+    aiyion
+    emantor
+  ];
+
+  nodes.pdudaemonhost =
+    { pkgs, ... }:
+    {
+      environment.systemPackages = [ pkgs.curl ];
+      services.pdudaemon.enable = true;
+      services.pdudaemon.openFirewall = true;
+      services.pdudaemon.pdus = {
+        testpduhost = {
+          driver = "localcmdline";
+          cmd_on = "echo '%s on' >> /tmp/pdu";
+          cmd_off = "echo '%s off' >> /tmp/pdu";
+        };
+      };
+    };
+
+  nodes.clienthost =
+    { pkgs, ... }:
+    {
+      environment.systemPackages = [ pkgs.curl ];
+    };
+
+  testScript =
+    { nodes, ... }:
+    #python
+    ''
+      with subtest("Wait for pdudaemon startup"):
+          pdudaemonhost.start()
+          pdudaemonhost.wait_for_unit("pdudaemon.service")
+          pdudaemonhost.wait_for_open_port(16421)
+          print(pdudaemonhost.succeed("curl 'http://localhost:16421/power/control/on?hostname=testpduhost&port=1'"))
+
+      with subtest("Connect from client"):
+          clienthost.start()
+          clienthost.wait_until_succeeds("curl 'http://pdudaemonhost:16421/power/control/off?hostname=testpduhost&port=1'")
+
+      with subtest("Check systemd hardening does not degrade unnoticed"):
+          exact_threshold = 15
+          service_name = "pdudaemon"
+          pdudaemonhost.fail(f"systemd-analyze security {service_name}.service --threshold={exact_threshold-1}")
+          pdudaemonhost.succeed(f"systemd-analyze security {service_name}.service --threshold={exact_threshold}")
+    '';
+}

nixos/tests/podman/default.nix

@@ -62,7 +62,8 @@ import ../make-test-python.nix (
           virtualisation.podman.dockerSocket.enable = true;
 
           environment.systemPackages = [
-            pkgs.docker-client
+            # docker-client for docker 29
+            (pkgs.docker_29.override { clientOnly = true; })
           ];
 
           users.users.alice = {

pkgs/applications/graphics/ImageMagick/default.nix

@@ -85,13 +85,13 @@ in
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "imagemagick";
-  version = "7.1.2-19";
+  version = "7.1.2-23";
 
   src = fetchFromGitHub {
     owner = "ImageMagick";
     repo = "ImageMagick";
     tag = finalAttrs.version;
-    hash = "sha256-4uASM+GRTe0ES6FdshUMMkVof4IlLV+CMm2l+v5qZN0=";
+    hash = "sha256-zYk75q+EyWq5g/AHFU6v8a7gye0aDAEe/ZZvjqR9ZTc=";
   };
 
   outputs = [

pkgs/applications/misc/plover/default.nix

@@ -1,63 +0,0 @@
-{
-  lib,
-  config,
-  fetchFromGitHub,
-  python3Packages,
-  wmctrl,
-  qtbase,
-  mkDerivationWith,
-}:
-
-{
-  dev =
-    with python3Packages;
-    mkDerivationWith buildPythonPackage rec {
-      pname = "plover";
-      version = "4.0.2";
-      format = "setuptools";
-
-      meta = with lib; {
-        broken = stdenv.hostPlatform.isDarwin;
-        description = "OpenSteno Plover stenography software";
-        maintainers = with lib.maintainers; [
-          twey
-          kovirobi
-        ];
-        license = lib.licenses.gpl2;
-      };
-
-      src = fetchFromGitHub {
-        owner = "openstenoproject";
-        repo = "plover";
-        tag = "v${version}";
-        sha256 = "sha256-VpQT25bl8yPG4J9IwLkhSkBt31Y8BgPJdwa88WlreA8=";
-      };
-
-      # I'm not sure why we don't find PyQt5 here but there's a similar
-      # sed on many of the platforms Plover builds for
-      postPatch = "sed -i /PyQt5/d setup.cfg";
-
-      nativeCheckInputs = [
-        pytest
-        mock
-      ];
-      propagatedBuildInputs = [
-        babel
-        pyqt5
-        xlib
-        pyserial
-        appdirs
-        wcwidth
-        setuptools
-      ];
-
-      dontWrapQtApps = true;
-
-      preFixup = ''
-        makeWrapperArgs+=("''${qtWrapperArgs[@]}")
-      '';
-    };
-}
-// lib.optionalAttrs config.allowAliases {
-  stable = throw "plover.stable was removed because it used Python 2. Use plover.dev instead."; # added 2022-06-05
-}

pkgs/applications/networking/browsers/chromium/common.nix

@@ -681,7 +681,7 @@ let
       # clang++: error: unknown argument: '-fno-lifetime-dse'
       ./patches/chromium-147-llvm-22.patch
     ]
-    ++ lib.optionals (chromiumVersionAtLeast "148" && lib.versionOlder llvmVersion "23") [
+    ++ lib.optionals (versionRange "148" "149" && lib.versionOlder llvmVersion "23") [
       # clang++: error: unknown argument: '-fsanitize-ignore-for-ubsan-feature=return'
       (fetchpatch {
         name = "chromium-148-revert-build-Add--fsanitizer=return-config.patch";
@@ -711,7 +711,22 @@ let
         hash = "sha256-jR0G9z2R8VGl2tkB3u0368RyWM1J6qYXqNWwKkYd5zU=";
       })
     ]
-    ++ lib.optionals (chromiumVersionAtLeast "148") [
+    ++ lib.optionals (chromiumVersionAtLeast "149" && lib.versionOlder llvmVersion "23") [
+      # clang++: error: unknown argument: '-fdiagnostics-show-inlining-chain'
+      # clang++: error: unknown argument: '-fsanitize-ignore-for-ubsan-feature=array-bounds'
+      # clang++: error: unknown argument: '-fsanitize-ignore-for-ubsan-feature=return'
+      ./patches/chromium-149-llvm-22.patch
+    ]
+    ++ lib.optionals (chromiumVersionAtLeast "149" && stdenv.hostPlatform.isAarch64) [
+      # [43731/56364] CXX obj/media/gpu/sandbox/sandbox/hardware_video_decoding_sandbox_hook_linux.o
+      # FAILED: [code=1] obj/media/gpu/sandbox/sandbox/hardware_video_decoding_sandbox_hook_linux.o
+      # clang++ -MD -MF obj/media/gpu/sandbox/sandbox/hardware_video_decoding_sandbox_hook_linux.o.d [...]
+      # ../../media/gpu/sandbox/hardware_video_decoding_sandbox_hook_linux.cc:123:9: error: use of undeclared identifier 'ERROR'
+      #   123 |     LOG(ERROR) << "dlopen(radeonsi_dri.so) failed with error: " << dlerror();
+      #       |         ^~~~~
+      ./patches/chromium-149-use-of-undeclared-identifier-ERROR.patch
+    ]
+    ++ lib.optionals (versionRange "148" "149") [
       # ninja: error: '../../third_party/rust-toolchain/bin/rustc', needed by 'phony/default_for_rust_host_build_tools_rust_bin_inputs', missing and no known rule to make it
       (fetchpatch {
         name = "chromium-148-revert-Reland-build-use-tool-inputs-instead-of-siso-config-for-rust-actions.patch";
@@ -854,6 +869,12 @@ let
         mkdir -p third_party/gperf/cipd/bin
         ln -s "${pkgsBuildHost.gperf}/bin/gperf" third_party/gperf/cipd/bin/gperf
       ''
+      # https://chromium-review.googlesource.com/c/chromium/src/+/7719879
+      # ninja: error: '../../third_party/rust-toolchain/bin/rustc', needed by 'phony/default_for_rust_host_build_tools_rust_bin_inputs', missing and no known rule to make it
+      + lib.optionalString (chromiumVersionAtLeast "149") ''
+        mkdir -p third_party/rust-toolchain/bin
+        ln -s "${buildPackages.rustc}/bin/rustc" third_party/rust-toolchain/bin/rustc
+      ''
       +
         lib.optionalString (stdenv.hostPlatform == stdenv.buildPlatform && stdenv.hostPlatform.isAarch64)
           ''
@@ -1036,7 +1057,11 @@ let
     # Mute some warnings that are enabled by default. This is useful because
     # our Clang is always older than Chromium's and the build logs have a size
     # of approx. 25 MB without this option (and this saves e.g. 66 %).
-    env.NIX_CFLAGS_COMPILE = "-Wno-unknown-warning-option -Wno-unused-command-line-argument -Wno-shadow";
+    env.NIX_CFLAGS_COMPILE =
+      "-Wno-unknown-warning-option -Wno-unused-command-line-argument -Wno-shadow"
+      # warning: '_LIBCPP_HARDENING_MODE' macro redefined [-Wmacro-redefined]
+      # because of hardeningDisable = [ "strictflexarrays1" ];
+      + lib.optionalString (chromiumVersionAtLeast "149") " -Wno-macro-redefined";
     env.BUILD_CC = "$CC_FOR_BUILD";
     env.BUILD_CXX = "$CXX_FOR_BUILD";
     env.BUILD_AR = "$AR_FOR_BUILD";

pkgs/applications/networking/browsers/chromium/patches/chromium-149-llvm-22.patch

@@ -0,0 +1,30 @@
+diff --git a/build/config/compiler/BUILD.gn b/build/config/compiler/BUILD.gn
+index f977c9fed76e6f50c50351ca22128e8c8c8897b1..81460f3591b734f3354a6f9ac7bb0990e5b28889 100644
+--- a/build/config/compiler/BUILD.gn
++++ b/build/config/compiler/BUILD.gn
+@@ -589,7 +589,7 @@ config("compiler") {
+     # Flags for diagnostics.
+     cflags += [ "-fcolor-diagnostics" ]
+     if (!is_win) {
+-      cflags += [ "-fdiagnostics-show-inlining-chain" ]
++      cflags += [ ]
+     } else {
+       # Combine after https://github.com/llvm/llvm-project/pull/192241
+       cflags += [ "/clang:-fdiagnostics-show-inlining-chain" ]
+@@ -1911,7 +1911,7 @@ config("clang_warning_suppression") {
+ # See also: https://crbug.com/40891132#comment10
+ ubsan_hardening("c_array_bounds") {
+   sanitizer = "array-bounds"
+-  condition = !(is_asan && target_cpu == "x86")
++  condition = false
+ 
+   # Because we've enabled array-bounds sanitizing we also want to suppress
+   # the related warning about "unsafe-buffer-usage-in-static-sized-array",
+@@ -1925,6 +1925,7 @@ ubsan_hardening("c_array_bounds") {
+ # `NOTREACHED()` at the end of such functions.
+ ubsan_hardening("return") {
+   sanitizer = "return"
++  condition = false
+ }
+ 
+ config("rustc_revision") {

pkgs/applications/networking/browsers/chromium/patches/chromium-149-use-of-undeclared-identifier-ERROR.patch

@@ -0,0 +1,12 @@
+diff --git a/media/gpu/sandbox/hardware_video_decoding_sandbox_hook_linux.cc b/media/gpu/sandbox/hardware_video_decoding_sandbox_hook_linux.cc
+index 58ab0db508f73dbac36a84cb71ffdad972b3fc3c..b5b97f6c6b22a79fd5e4e53393859a107cc0f399 100644
+--- a/media/gpu/sandbox/hardware_video_decoding_sandbox_hook_linux.cc
++++ b/media/gpu/sandbox/hardware_video_decoding_sandbox_hook_linux.cc
+@@ -7,6 +7,7 @@
+ #include <dlfcn.h>
+ #include <sys/stat.h>
+ 
++#include "base/logging.h"
+ #include "base/process/process_metrics.h"
+ #include "base/strings/stringprintf.h"
+ #include "build/build_config.h"

pkgs/applications/networking/browsers/firefox/packages/firefox.nix

@@ -9,10 +9,10 @@
 
 buildMozillaMach rec {
   pname = "firefox";
-  version = "151.0.1";
+  version = "151.0.3";
   src = fetchurl {
     url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
-    sha512 = "8492a1bb956b38373153938bd18b0e18e3a4ad0d2abc2017b45e02bc2768c8f468d5c06329a32485a03a67bb9c22102e6abff1e73080c77764735d430dc77277";
+    sha512 = "511723e5cf042abb66cbeda89b78d42de8d1b53544565670173f3e69c2a7ceefc76468c90576221418bfc9b122151ec117978caa4823cfb9b80797f3064bd895";
   };
 
   meta = {

pkgs/applications/networking/browsers/firefox/wrapper.nix

@@ -149,36 +149,34 @@ let
           ) (lib.optionals usesNixExtensions nixExtensions);
 
       enterprisePolicies = {
-        policies = {
-          DisableAppUpdate = true;
-        }
-        // lib.optionalAttrs usesNixExtensions {
-          ExtensionSettings = {
-            "*" = {
-              blocked_install_message = "You can't have manual extension mixed with nix extensions";
-              installation_mode = "blocked";
-            };
-          }
-          // lib.foldr (
-            e: ret:
-            ret
-            // {
-              "${e.extid}" = {
-                installation_mode = "allowed";
+        policies =
+          lib.optionalAttrs usesNixExtensions {
+            ExtensionSettings = {
+              "*" = {
+                blocked_install_message = "You can't have manual extension mixed with nix extensions";
+                installation_mode = "blocked";
               };
             }
-          ) { } extensions;
+            // lib.foldr (
+              e: ret:
+              ret
+              // {
+                "${e.extid}" = {
+                  installation_mode = "allowed";
+                };
+              }
+            ) { } extensions;
 
-          Extensions = {
-            Install = lib.foldr (e: ret: ret ++ [ "${e.outPath}/${e.extid}.xpi" ]) [ ] extensions;
-          };
-        }
-        // lib.optionalAttrs smartcardSupport {
-          SecurityDevices = {
-            "OpenSC PKCS#11 Module" = "opensc-pkcs11.so";
-          };
-        }
-        // extraPolicies;
+            Extensions = {
+              Install = lib.foldr (e: ret: ret ++ [ "${e.outPath}/${e.extid}.xpi" ]) [ ] extensions;
+            };
+          }
+          // lib.optionalAttrs smartcardSupport {
+            SecurityDevices = {
+              "OpenSC PKCS#11 Module" = "opensc-pkcs11.so";
+            };
+          }
+          // extraPolicies;
       };
 
       mozillaCfg = ''
@@ -213,7 +211,7 @@ let
           terminal = false;
         }
         // (
-          if libName == "thunderbird" then
+          if lib.strings.hasPrefix "thunderbird" libName then
             {
               genericName = "Email Client";
               comment = "Read and write e-mails or RSS feeds, or manage tasks on calendars.";
@@ -397,6 +395,9 @@ let
             ln -sfT "$target" "$out/$l"
           done
 
+          # Disable update checks
+          touch "$out/${libDir}/is-packaged-app"
+
           cd "$out"
 
         ''

pkgs/applications/networking/irc/weechat/default.nix

@@ -105,11 +105,11 @@ assert lib.all (p: p.enabled -> !(builtins.elem null p.buildInputs)) plugins;
 
 stdenv.mkDerivation rec {
   pname = "weechat";
-  version = "4.9.0";
+  version = "4.9.1";
 
   src = fetchurl {
     url = "https://weechat.org/files/src/weechat-${version}.tar.xz";
-    hash = "sha256-fLubJ/JafS8djEJqCPjmJe77wdPlm793WSVET3I5S28=";
+    hash = "sha256-BJYLVuHdhhJ/Y8+P0Bu/93yBQvQK6KlBrD22QtMQzek=";
   };
 
   # Why is this needed? https://github.com/weechat/weechat/issues/2031
@@ -200,7 +200,7 @@ stdenv.mkDerivation rec {
       on https://nixos.org/nixpkgs/manual/#sec-weechat .
     '';
     license = lib.licenses.gpl3;
-    maintainers = with lib.maintainers; [ ncfavier ];
+    maintainers = with lib.maintainers; [ abbe ];
     mainProgram = "weechat";
     platforms = lib.platforms.unix;
   };

pkgs/applications/networking/mailreaders/thunderbird/packages.nix

@@ -30,12 +30,16 @@ let
         (if lib.versionOlder version "140" then ./no-buildconfig.patch else ./no-buildconfig-tb140.patch)
       ];
       # FIXME: let's hope that upstream will fix this soon and we can drop this hack again.
-      # https://bugzilla.mozilla.org/show_bug.cgi?id=2006630
+      # https://bugzilla.mozilla.org/show_bug.cgi?id=2040877
       extraPostPatch =
-        lib.optionalString (lib.versionAtLeast version "147" && lib.versionOlder version "149")
-          ''
-            find . -name .cargo-checksum.json | xargs sed 's/"[^"]*\.gitmodules":"[a-z0-9]*",//g' -i
-          '';
+        lib.optionalString (lib.versionAtLeast version "151" && lib.versionOlder version "152") ''
+          echo https://hg.mozilla.org/releases/comm-release/rev/becfb8fb2c70f1603882a2787e2170d5d8013949 >> sourcestamp.txt
+          echo https://hg.mozilla.org/releases/mozilla-release/rev/fc12dc911f904307729760a817deb829cbf8feb4 >> sourcestamp.txt
+        ''
+        # https://bugzilla.mozilla.org/show_bug.cgi?id=2006630
+        + lib.optionalString (lib.versionAtLeast version "140.8" && lib.versionOlder version "151") ''
+          find . -name .cargo-checksum.json | xargs sed 's/"[^"]*\.gitmodules":"[a-z0-9]*",//g' -i
+        '';
 
       meta = {
         changelog = "https://www.thunderbird.net/en-US/thunderbird/${version}/releasenotes/";
@@ -73,8 +77,8 @@ rec {
   thunderbird = thunderbird-latest;
 
   thunderbird-latest = common {
-    version = "150.0.2";
-    sha512 = "3e52220ff34aa6cd1bf46a910dba1f30d0abf7d19ed7f501ffeeb8f5901b8d97fdc0adb0cceb434ef8e83c7f7b83f28024b872280237af72ff2da9d89fafe065";
+    version = "151.0.1";
+    sha512 = "a09c1e18faa8d7fdccf39e905542c21e817230e68c7cc6050beec048d0fec0f8eb92e51278d2ccd8d8cfa842762662235517e20238b555a4ad48ee5648dc3589";
 
     updateScript = callPackage ./update.nix {
       attrPath = "thunderbirdPackages.thunderbird-latest";
@@ -87,8 +91,8 @@ rec {
   thunderbird-140 = common {
     applicationName = "Thunderbird ESR";
 
-    version = "140.7.2esr";
-    sha512 = "513bcaa496f987d0f3906aeb6fe3ea651331470646b0c58479c91bb2c8eb52e389bc8aa646437a03b611ab78bda1df7252545960ffe38086d1fc462e65421819";
+    version = "140.11.1esr";
+    sha512 = "93dfdd26e6f4c7dd2f7dcc2e4994980d017868341c60c93775721467abd9192b815f2de63928e7d10c965fc045ed72ca5b49ed6502a61e50104ee5cd00941d1e";
 
     updateScript = callPackage ./update.nix {
       attrPath = "thunderbirdPackages.thunderbird-140";

pkgs/applications/networking/remote/putty/default.nix

@@ -12,7 +12,7 @@
 }:
 
 stdenv.mkDerivation rec {
-  version = "0.83";
+  version = "0.84";
   pname = "putty";
 
   src = fetchurl {
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
       "https://the.earth.li/~sgtatham/putty/${version}/${pname}-${version}.tar.gz"
       "ftp://ftp.wayne.edu/putty/putty-website-mirror/${version}/${pname}-${version}.tar.gz"
     ];
-    hash = "sha256-cYd3wT1j0N/5H+AxYrwqBbTfyLCCdjTNYLUc79/2McY=";
+    hash = "sha256-BgV4Yq4Zjx29IZ0MdJMIDVn2BhlLtQVsVJ40KqAbaf4=";
   };
 
   nativeBuildInputs = [

pkgs/applications/science/logic/hol_light/default.nix

@@ -9,6 +9,7 @@
   zarith,
   camlp5,
   camlp-streams,
+  pcre2,
 }:
 
 let
@@ -18,6 +19,7 @@ let
       ''
         -I ${zarith}/lib/ocaml/${ocaml.version}/site-lib/zarith \
         -I ${zarith}/lib/ocaml/${ocaml.version}/site-lib/stublibs \
+        -I ${pcre2}/lib/ocaml/${ocaml.version}/site-lib/stublibs \
       ''
     else
       lib.optionalString (num != null) ''
@@ -61,6 +63,7 @@ stdenv.mkDerivation {
   ];
   propagatedBuildInputs = [
     camlp-streams
+    pcre2
     (if use_zarith then zarith else num)
   ];
 

pkgs/applications/virtualization/docker/default.nix

@@ -396,7 +396,7 @@ in
   # https://github.com/moby/moby/tree/${mobyRev}/Dockerfile
   docker_25 =
     let
-      version = "25.0.13";
+      version = "25.0.16";
     in
     callPackage dockerGen {
       inherit version;
@@ -405,7 +405,7 @@ in
       cliRev = "43987fca488a535d810c429f75743d8c7b63bf4f";
       cliHash = "sha256-OwufdfuUPbPtgqfPeiKrQVkOOacU2g4ommHb770gV40=";
       mobyRev = "v${version}";
-      mobyHash = "sha256-X+1QG/toJt+VNLktR5vun8sG3PRoTVBAcekFXxocJdU=";
+      mobyHash = "sha256-St5yLoxo8QUTu7PjNcblS/EzZm98T189RPl1y+pAyHA=";
       runcRev = "v1.2.5";
       runcHash = "sha256-J/QmOZxYnMPpzm87HhPTkYdt+fN+yeSUu2sv6aUeTY4=";
       containerdRev = "v1.7.27";
@@ -430,18 +430,21 @@ in
       containerdHash = "sha256-vz7RFJkFkMk2gp7bIMx1kbkDFUMS9s0iH0VoyD9A21s=";
       tiniRev = "369448a167e8b3da4ca5bca0b3307500c3371828";
       tiniHash = "sha256-jCBNfoJAjmcTJBx08kHs+FmbaU82CbQcf0IVjd56Nuw=";
+      knownVulnerabilities = [
+        "docker_28 has been unmaintained since November 2025, use docker_29 or newer instead"
+      ];
     };
 
   docker_29 =
     let
-      version = "29.4.3";
+      version = "29.5.2";
     in
     callPackage dockerGen {
       inherit version;
       cliRev = "v${version}";
-      cliHash = "sha256-jGD+Z3koM0a2Te7cq2HdKFizZj39djvTQUmn815Mn4o=";
+      cliHash = "sha256-kHgDZVr6mAyCtZ6bSG9FWV0GhWDfXLXzHYFrmjFzO9w=";
       mobyRev = "docker-v${version}";
-      mobyHash = "sha256-YWmxJZwjxh0gwqjHHJDpzZy1K1jS82Twmzb+uWtnejk=";
+      mobyHash = "sha256-lux7tTyF6vm5wuIXs+z3Ygd2v4JjgHbRvOXNA4kjNtg=";
       runcRev = "v1.3.5";
       runcHash = "sha256-Swphxbu/OLkUrfRjLMZIVGwYb7AN0xHdyxm0ysAVam0=";
       containerdRev = "v2.2.3";

pkgs/build-support/build-mozilla-mach/default.nix

@@ -640,7 +640,7 @@ buildStdenv.mkDerivation {
 
   profilingPhase = lib.optionalString pgoSupport ''
     # Avoid compressing the instrumented build with high levels of compression
-    export MOZ_PKG_FORMAT=tar
+    export MOZ_PKG_FORMAT=TAR
 
     # Package up Firefox for profiling
     ./mach package

pkgs/build-support/rust/fetchcrate.nix

@@ -9,7 +9,7 @@
   pname ? null,
   # The `dl` field of the registry's index configuration
   # https://doc.rust-lang.org/cargo/reference/registry-index.html#index-configuration
-  registryDl ? "https://crates.io/api/v1/crates",
+  registryDl ? "https://static.crates.io/crates",
   version,
   unpack ? true,
   ...

pkgs/build-support/rust/import-cargo-lock.nix

@@ -130,7 +130,10 @@ let
     };
 
   registries = {
-    "https://github.com/rust-lang/crates.io-index" = "https://crates.io/api/v1/crates";
+    # Use static.crates.io (CDN) instead of crates.io/api to avoid the 1 req/sec
+    # rate limit on the API servers, which currently returns intermittent 403s.
+    # See https://github.com/rust-lang/crates.io/issues/13482
+    "https://github.com/rust-lang/crates.io-index" = "https://static.crates.io/crates";
   }
   // extraRegistries;
 

pkgs/build-support/trivial-builders/default.nix

@@ -620,7 +620,10 @@ rec {
     in
     runCommand name args ''
       mkdir -p $out
-      for i in $(cat $pathsPath); do
+      if [ -n "''${pathsPath:-}" ] && [ -f "$pathsPath" ]; then
+        mapfile -d " " -t paths < "$pathsPath"
+      fi
+      for i in "''${paths[@]}"; do
         ${optionalString (!failOnMissing) "if test -d $i; then "}${lndir}/bin/lndir -silent $i $out${
           optionalString (!failOnMissing) "; fi"
         }

pkgs/build-support/trivial-builders/test/symlink-join.nix

@@ -55,6 +55,24 @@ in
     '';
   };
 
+  symlinkJoin-structured-attrs = testEqualContents {
+    assertion = "symlinkJoin-structured-attrs";
+    actual = symlinkJoin {
+      __structuredAttrs = true;
+      name = "symlinkJoin-structured-attrs";
+      paths = [
+        foo
+        bar
+        baz
+      ];
+    };
+    expected = runCommand "symlinkJoin-foo-bar-baz" { } ''
+      mkdir -p $out/{var/lib/arbitrary,etc/test.d}
+      ln -s {${foo},${bar}}/etc/test.d/* $out/etc/test.d
+      ln -s ${baz}/var/lib/arbitrary/baz $out/var/lib/arbitrary/
+    '';
+  };
+
   symlinkJoin-strip-paths = testEqualContents {
     assertion = "symlinkJoin-strip-paths";
     actual = symlinkJoin {

pkgs/by-name/al/alire/package.nix

@@ -8,13 +8,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "alire";
-  version = "2.1.0";
+  version = "2.1.1";
 
   src = fetchFromGitHub {
     owner = "alire-project";
     repo = "alire";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-DfzCQu9xOe9JgX6RTrYOGTIS6EcPimLnd5pfXMtfRss=";
+    hash = "sha256-YOUFTKbqbFfdYNWcGCvtFCDCW2tH8E3YuRQrV522Px4=";
 
     fetchSubmodules = true;
   };

pkgs/by-name/as/asciinema-agg/package.nix

@@ -8,18 +8,18 @@
 
 rustPlatform.buildRustPackage (finalAttrs: {
   pname = "agg";
-  version = "1.8.1";
+  version = "1.9.0";
 
   src = fetchFromGitHub {
     owner = "asciinema";
     repo = "agg";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-64VyCTGjzey6AHEAfk5V/Qoffe5+sDaDNve54M7tmf4=";
+    hash = "sha256-XuAVckgTsKvngrR/blgpLgONaWxfrn8o7hCKqCGPNeM=";
   };
 
   strictDeps = true;
 
-  cargoHash = "sha256-/WS5nAFKnP/CsU5+Pf5rtNN4LWaXVjlidLzH7DWYds0=";
+  cargoHash = "sha256-VcdHlQOplki31uLOutVx7HH7rjH9a5fEZhlxtLvuS9E=";
 
   __impureHostDeps = lib.optionals stdenv.hostPlatform.isDarwin [
     "/System/Library/Fonts"

pkgs/by-name/au/audit/package.nix

@@ -29,13 +29,13 @@
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "audit";
-  version = "4.1.2-unstable-2025-09-06"; # fixes to non-static builds right after 4.1.2 release
+  version = "4.1.4";
 
   src = fetchFromGitHub {
     owner = "linux-audit";
     repo = "audit-userspace";
-    rev = "cb13fe75ee2c36d5c525ed9de22aae10dbc8caf4";
-    hash = "sha256-NX0TWA+LtcZgbM9aQfokWv2rGNAAb3ksGqAH8URAkYM=";
+    tag = "v${finalAttrs.version}";
+    hash = "sha256-GdJ9nzlDAdOazOHH/YWuEoELrJh+G5ZJUKwIqAKAzpo=";
   };
 
   postPatch = ''
@@ -130,10 +130,6 @@ stdenv.mkDerivation (finalAttrs: {
   # Instead, we load audit rules in a dedicated module.
   postFixup = ''
     moveToOutput bin/augenrules $scripts
-    substituteInPlace $scripts/bin/augenrules \
-      --replace-fail "/sbin/auditctl -R" "$bin/bin/auditctl -R" \
-      --replace-fail "auditctl -s" "$bin/bin/auditctl -s" \
-      --replace-fail "/bin/ls" "ls"
     wrapProgram $scripts/bin/augenrules \
       --prefix PATH : ${
         lib.makeBinPath [

pkgs/by-name/be/bettercap/package.nix

@@ -12,16 +12,16 @@
 
 buildGoModule rec {
   pname = "bettercap";
-  version = "2.41.4";
+  version = "2.41.7";
 
   src = fetchFromGitHub {
     owner = "bettercap";
     repo = "bettercap";
     rev = "v${version}";
-    sha256 = "sha256-y23gNqS5f/MP+wyRMxe40I+9RuZGyZEok17LIc9Z8O4=";
+    sha256 = "sha256-oiJPZW0ywrRlKq9kfKilCxbq9WN5VhhY2T/5iDe78RM=";
   };
 
-  vendorHash = "sha256-1kgjMPsj8z2Cl0YWe/1zY0Zuiza0X+ZAIgsMqPhCrMw=";
+  vendorHash = "sha256-ssNGy40KMJ9P33uEGyYOer92QRS2T6DQlKaf/3XMFwQ=";
 
   doCheck = false;
 

pkgs/by-name/bi/bird2/package.nix

@@ -12,14 +12,14 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "bird";
-  version = "2.18.1";
+  version = "2.19.0";
 
   src = fetchFromGitLab {
     domain = "gitlab.nic.cz";
     owner = "labs";
     repo = "bird";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-tYICTipTzugtb7kv/zwsChM8v+zJ2TVsotEkJDcZCto=";
+    hash = "sha256-xk3z5kkjnInmIwtE6Q7kCJ5P5Njt/Oz1+HPO0vcr93E=";
   };
 
   nativeBuildInputs = [

pkgs/by-name/bi/bird3/package.nix

@@ -12,14 +12,14 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "bird";
-  version = "3.2.1";
+  version = "3.3.0";
 
   src = fetchFromGitLab {
     domain = "gitlab.nic.cz";
     owner = "labs";
     repo = "bird";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-FkrVrjT4Q9zLeauP2GOX38a7a4q7h2aQbEe/kmfKB3A=";
+    hash = "sha256-mH9CM9Emie2B9c5PeW4DKUQUzvgxTExPBGG06YbWqGo=";
   };
 
   nativeBuildInputs = [

pkgs/by-name/bo/boringssl/package.nix

@@ -11,12 +11,12 @@
 # reference: https://boringssl.googlesource.com/boringssl/+/refs/tags/0.20250818.0/BUILDING.md
 stdenv.mkDerivation (finalAttrs: {
   pname = "boringssl";
-  version = "0.20260508.0";
+  version = "0.20260526.0";
 
   src = fetchgit {
     url = "https://boringssl.googlesource.com/boringssl";
     tag = finalAttrs.version;
-    hash = "sha256-7fW0OmOj+Hduq5YCc5xpcfICpC8qAc/05/UMgZ70jhM=";
+    hash = "sha256-SmyImyzGn7v2b5qGJbMmQZX5bODA9i6+8jy3uGwOawA=";
   };
 
   patches = [

pkgs/by-name/br/brave/package.nix

@@ -3,24 +3,24 @@
 
 let
   pname = "brave";
-  version = "1.90.124";
+  version = "1.90.128";
 
   allArchives = {
     aarch64-linux = {
       url = "https://github.com/brave/brave-browser/releases/download/v${version}/brave-browser_${version}_arm64.deb";
-      hash = "sha256-+ZJxwwL5jPO49anc+6aBA5jlAsFw7BSHt6lXjFseJ3c=";
+      hash = "sha256-tRFlzHOz2pMpSrdp6vst9zuKhmpqWga3FzLWglLAgwc=";
     };
     x86_64-linux = {
       url = "https://github.com/brave/brave-browser/releases/download/v${version}/brave-browser_${version}_amd64.deb";
-      hash = "sha256-mcqe531FqdBVIgZrQLOVDgIi2JBPSKadD4fCLQMimwI=";
+      hash = "sha256-BBOpwAM7KVLCd6v47q6ndA6Lb9LsI8dQXB/evwBXV/w=";
     };
     aarch64-darwin = {
       url = "https://github.com/brave/brave-browser/releases/download/v${version}/brave-v${version}-darwin-arm64.zip";
-      hash = "sha256-u3KmZffPQpHzS9IxZ7UsL7D6ETGJxExil20vmD6flMo=";
+      hash = "sha256-pJFvRP8GKTv+b2OSaAhiabIXxSJjelZPsYROTuHw0qo=";
     };
     x86_64-darwin = {
       url = "https://github.com/brave/brave-browser/releases/download/v${version}/brave-v${version}-darwin-x64.zip";
-      hash = "sha256-jSWamdWVBCR9uPY/i0awwdhTG3pD/iVdJIeYBnG747k=";
+      hash = "sha256-DgqaYEZJ6je3N/BDwIiwXrJ+w6qrBJse6d9LtKq7Dac=";
     };
   };
 

pkgs/by-name/bu/buildbox/package.nix

@@ -23,13 +23,13 @@
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "buildbox";
-  version = "1.4.6";
+  version = "1.4.7";
 
   src = fetchFromGitLab {
     owner = "BuildGrid";
     repo = "buildbox/buildbox";
     tag = finalAttrs.version;
-    hash = "sha256-zNZMk9C/KsiqqGZOzc6B1WjL4wemWmdrr0a+CMA2BlQ=";
+    hash = "sha256-+OK9rmAGGLq/rJIHs++dbdyvh6WFu+Xhcp48TpnYV0w=";
   };
 
   nativeBuildInputs = [

pkgs/by-name/ca/caddy/package.nix

@@ -11,12 +11,12 @@
   versionCheckHook,
 }:
 let
-  version = "2.11.3";
+  version = "2.11.4";
   dist = fetchFromGitHub {
     owner = "caddyserver";
     repo = "dist";
     tag = "v${version}";
-    hash = "sha256-D1qI7TDJpSvtgpo1FsPZk6mpqRvRharFZ8soI7Mn3RE=";
+    hash = "sha256-oRQfQH1GKjAjVMj+dZo1f1+HOaOdJIyEfod0iGLYcc8=";
   };
 in
 buildGoModule (finalAttrs: {
@@ -27,10 +27,10 @@ buildGoModule (finalAttrs: {
     owner = "caddyserver";
     repo = "caddy";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-7Hgmo7ldDtbwl/acEY/4RNhSGnK/NNcXn+eIm1I8HKg=";
+    hash = "sha256-wzk8KRZfDCbbjRlBwkoKAoMjOhV4xF3yuXUueqtl1xM=";
   };
 
-  vendorHash = "sha256-QiZZxYsYFUneZ52TfFKQWJ42lmBofvUTZrHmDBuN2O4=";
+  vendorHash = "sha256-2GwSM7EKN9GwN6kte7CekpXIJ0vzHhhsnrs3TC6vTW4=";
 
   ldflags = [
     "-s"

pkgs/by-name/ce/ceph/old-python-packages/pyopenssl-Cherry-pick-fix-for-CVE-2026-27459-and-CVE-2026-27448.patch

@@ -0,0 +1,202 @@
+From 776f2a97d34c2ccfba90c0bcb448de7792edfdb6 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Wed, 18 Feb 2026 07:46:15 -0500
+Subject: [PATCH 1/2] Fix buffer overflow in DTLS cookie generation callback
+ (#1479)
+
+The cookie generate callback copied user-returned bytes into a
+fixed-size native buffer without enforcing a maximum length. A
+callback returning more than DTLS1_COOKIE_LENGTH bytes would overflow
+the OpenSSL-provided buffer, corrupting adjacent memory.
+
+Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
+---
+ src/OpenSSL/SSL.py |  7 +++++++
+ tests/test_ssl.py  | 38 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 45 insertions(+)
+
+diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
+index efbf7907e618c912d48352f74fb80a9c19b9b98b..e28e10ab81ade8d79aff0cb9232fa71b1fb5314b 100644
+--- a/src/OpenSSL/SSL.py
++++ b/src/OpenSSL/SSL.py
+@@ -561,11 +561,18 @@ class _CookieGenerateCallbackHelper(_CallbackExceptionHelper):
+     def __init__(self, callback):
+         _CallbackExceptionHelper.__init__(self)
+ 
++        max_cookie_len = getattr(_lib, "DTLS1_COOKIE_LENGTH", 255)
++
+         @wraps(callback)
+         def wrapper(ssl, out, outlen):
+             try:
+                 conn = Connection._reverse_mapping[ssl]
+                 cookie = callback(conn)
++                if len(cookie) > max_cookie_len:
++                    raise ValueError(
++                        f"Cookie too long (got {len(cookie)} bytes, "
++                        f"max {max_cookie_len})"
++                    )
+                 out[0 : len(cookie)] = cookie
+                 outlen[0] = len(cookie)
+                 return 1
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index 024436f064ddadbf79a3e6b78e2a9e4aeeee7ac2..5f427e92b48e57276fee7acb5ffdbaf136462cee 100644
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -4497,6 +4497,44 @@ class TestDTLS:
+         except NotImplementedError:  # OpenSSL 1.1.0 and earlier
+             pass
+ 
++    def test_cookie_generate_too_long(self) -> None:
++        s_ctx = Context(DTLS_METHOD)
++
++        def generate_cookie(ssl: Connection) -> bytes:
++            return b"\x00" * 256
++
++        def verify_cookie(ssl: Connection, cookie: bytes) -> bool:
++            return True
++
++        s_ctx.set_cookie_generate_callback(generate_cookie)
++        s_ctx.set_cookie_verify_callback(verify_cookie)
++        s_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
++        s_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
++        s_ctx.set_options(OP_NO_QUERY_MTU)
++        s = Connection(s_ctx)
++        s.set_accept_state()
++
++        c_ctx = Context(DTLS_METHOD)
++        c_ctx.set_options(OP_NO_QUERY_MTU)
++        c = Connection(c_ctx)
++        c.set_connect_state()
++
++        c.set_ciphertext_mtu(1500)
++        s.set_ciphertext_mtu(1500)
++
++        # Client sends ClientHello
++        try:
++            c.do_handshake()
++        except SSL.WantReadError:
++            pass
++        chunk = c.bio_read(self.LARGE_BUFFER)
++        s.bio_write(chunk)
++
++        # Server tries DTLSv1_listen, which triggers cookie generation.
++        # The oversized cookie should raise ValueError.
++        with pytest.raises(ValueError, match="Cookie too long"):
++            s.DTLSv1_listen()
++
+     def test_timeout(self, monkeypatch):
+         c_ctx = Context(DTLS_METHOD)
+         c = Connection(c_ctx)
+-- 
+2.53.0
+
+
+From d39f020cc63c1da4d44be683f310fbc9f44f61bb Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Mon, 16 Feb 2026 21:04:37 -0500
+Subject: [PATCH 2/2] Handle exceptions in set_tlsext_servername_callback
+ callbacks (#1478)
+
+When the servername callback raises an exception, call sys.excepthook
+with the exception info and return SSL_TLSEXT_ERR_ALERT_FATAL to abort
+the handshake. Previously, exceptions would propagate uncaught through
+the CFFI callback boundary.
+
+https://claude.ai/code/session_01P7y1XmWkdtC5UcmZwGDvGi
+
+Co-authored-by: Claude <noreply@anthropic.com>
+---
+ src/OpenSSL/SSL.py |  9 +++++++--
+ tests/test_ssl.py  | 50 ++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 57 insertions(+), 2 deletions(-)
+
+diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
+index e28e10ab81ade8d79aff0cb9232fa71b1fb5314b..a2d5f5b086b3fe27c6e30848cdd027ee60f69677 100644
+--- a/src/OpenSSL/SSL.py
++++ b/src/OpenSSL/SSL.py
+@@ -1,5 +1,6 @@
+ import os
+ import socket
++import sys
+ from errno import errorcode
+ from functools import partial, wraps
+ from itertools import chain, count
+@@ -1444,8 +1445,12 @@ class Context:
+         """
+ 
+         @wraps(callback)
+-        def wrapper(ssl, alert, arg):
+-            callback(Connection._reverse_mapping[ssl])
++        def wrapper(ssl, alert, arg):  # type: ignore[no-untyped-def]
++            try:
++                callback(Connection._reverse_mapping[ssl])
++            except Exception:
++                sys.excepthook(*sys.exc_info())
++                return _lib.SSL_TLSEXT_ERR_ALERT_FATAL
+             return 0
+ 
+         self._tlsext_servername_callback = _ffi.callback(
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index 5f427e92b48e57276fee7acb5ffdbaf136462cee..d42beace175c1ea79929050ec6f88faa539ff6b4 100644
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -1854,6 +1854,56 @@ class TestServerNameCallback:
+ 
+         assert args == [(server, b"foo1.example.com")]
+ 
++    def test_servername_callback_exception(
++        self, monkeypatch: pytest.MonkeyPatch
++    ) -> None:
++        """
++        When the callback passed to `Context.set_tlsext_servername_callback`
++        raises an exception, ``sys.excepthook`` is called with the exception
++        and the handshake fails with an ``Error``.
++        """
++        exc = TypeError("server name callback failed")
++
++        def servername(conn: Connection) -> None:
++            raise exc
++
++        excepthook_calls: list[
++            tuple[type[BaseException], BaseException, object]
++        ] = []
++
++        def custom_excepthook(
++            exc_type: type[BaseException],
++            exc_value: BaseException,
++            exc_tb: object,
++        ) -> None:
++            excepthook_calls.append((exc_type, exc_value, exc_tb))
++
++        context = Context(SSLv23_METHOD)
++        context.set_tlsext_servername_callback(servername)
++
++        # Necessary to actually accept the connection
++        context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
++        context.use_certificate(
++            load_certificate(FILETYPE_PEM, server_cert_pem)
++        )
++
++        # Do a little connection to trigger the logic
++        server = Connection(context, None)
++        server.set_accept_state()
++
++        client = Connection(Context(SSLv23_METHOD), None)
++        client.set_connect_state()
++        client.set_tlsext_host_name(b"foo1.example.com")
++
++        monkeypatch.setattr(sys, "excepthook", custom_excepthook)
++        with pytest.raises(Error):
++            interact_in_memory(server, client)
++
++        assert len(excepthook_calls) == 1
++        assert excepthook_calls[0][0] is TypeError
++        assert excepthook_calls[0][1] is exc
++        assert excepthook_calls[0][2] is not None
++
+ 
+ class TestApplicationLayerProtoNegotiation:
+     """
+-- 
+2.53.0
+

pkgs/by-name/ce/ceph/package.nix

@@ -282,7 +282,9 @@ let
             inherit version;
             hash = "sha256-hBSYub7GFiOxtsR+u8AjZ8B9YODhlfGXkIF/EMyNsLc=";
           };
-          patches = [ ]; # those two CVE patches do not apply (!)
+          patches = [
+            ./old-python-packages/pyopenssl-Cherry-pick-fix-for-CVE-2026-27459-and-CVE-2026-27448.patch
+          ];
           disabledTests = old.disabledTests or [ ] ++ [
             "test_export_md5_digest"
           ];

pkgs/by-name/co/coredns/package.nix

@@ -6,7 +6,7 @@
   installShellFiles,
   nixosTests,
   externalPlugins ? [ ],
-  vendorHash ? "sha256-bnNpJgy54wvTST1Jtfbd1ldLJrIzTW62TL7wyHeqz28=",
+  vendorHash ? "sha256-9LLTgIjOOMvYx4nhy+6X9bEBvqlKeTx//39q+YWXeHw=",
 }:
 
 let
@@ -14,13 +14,13 @@ let
 in
 buildGoModule (finalAttrs: {
   pname = "coredns";
-  version = "1.13.2";
+  version = "1.14.3";
 
   src = fetchFromGitHub {
     owner = "coredns";
     repo = "coredns";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-9ggyFixdNy0t4UA8ZxU5oMUzA/8EB/k1jors4f8Q6YE=";
+    hash = "sha256-Uk4oWsUxaGdLQzX5JywYzi7pmQHGo06uQdLeOkP4U/s";
   };
 
   inherit vendorHash;
@@ -32,59 +32,61 @@ buildGoModule (finalAttrs: {
     "man"
   ];
 
-  # Override the go-modules fetcher derivation to fetch plugins
-  modBuildPhase = ''
-    cp plugin.cfg plugin.cfg.orig
-    ${
-      (lib.concatMapStringsSep "\n" (
-        plugin:
-        let
-          position = plugin.position or "end-of-file";
-          formatPlugin = { name, repo, ... }: "${name}:${repo}";
-        in
-        if position == "end-of-file" then
-          "echo '${formatPlugin plugin}' >> plugin.cfg"
-        else if position == "start-of-file" then
-          "sed -i '1i ${formatPlugin plugin}' plugin.cfg"
-        else if lib.hasAttrByPath [ "before" ] position then
-          ''
-            if ! grep -q '^${position.before}:' plugin.cfg; then
-              echo 'Failed to insert ${plugin.name} before ${position.before} in plugin.cfg: ${position.before} is not in plugin.cfg'
-              exit 1
-            fi
-            sed -i '/^${position.before}:/i ${formatPlugin plugin}' plugin.cfg
-          ''
-        else if lib.hasAttrByPath [ "after" ] position then
-          ''
-            if ! grep -q '^${position.after}:' plugin.cfg; then
-              echo 'Failed to insert ${plugin.name} after ${position.after} in plugin.cfg: ${position.after} is not in plugin.cfg'
-              exit 1
-            fi
-            sed -i '/^${position.after}:/a ${formatPlugin plugin}' plugin.cfg
-          ''
-        else
-          throw ''
-            Unsupported position value in externalPlugin:
-              ${builtins.toJSON plugin}.
-            Valid values for position attr are:
-              - position = "end-of-file" (the default)
-              - position = "start-of-file"
-              - position.before = "{other plugin}"
-              - position.after = "{other plugin}"
-          ''
-      ) externalPlugins)
-    }
-    diff -u plugin.cfg.orig plugin.cfg || true
-    for src in ${toString (attrsToSources externalPlugins)}; do go get $src; done
-    CC= GOOS= GOARCH= go generate
-    go mod tidy
-    go mod vendor
-  '';
+  overrideModAttrs = {
+    # Add plugins before vendoring the modules.
+    preBuild = ''
+      cp plugin.cfg plugin.cfg.orig
+      ${
+        (lib.concatMapStringsSep "\n" (
+          plugin:
+          let
+            position = plugin.position or "end-of-file";
+            formatPlugin = { name, repo, ... }: "${name}:${repo}";
+          in
+          if position == "end-of-file" then
+            "echo '${formatPlugin plugin}' >> plugin.cfg"
+          else if position == "start-of-file" then
+            "sed -i '1i ${formatPlugin plugin}' plugin.cfg"
+          else if lib.hasAttrByPath [ "before" ] position then
+            ''
+              if ! grep -q '^${position.before}:' plugin.cfg; then
+                echo 'Failed to insert ${plugin.name} before ${position.before} in plugin.cfg: ${position.before} is not in plugin.cfg'
+                exit 1
+              fi
+              sed -i '/^${position.before}:/i ${formatPlugin plugin}' plugin.cfg
+            ''
+          else if lib.hasAttrByPath [ "after" ] position then
+            ''
+              if ! grep -q '^${position.after}:' plugin.cfg; then
+                echo 'Failed to insert ${plugin.name} after ${position.after} in plugin.cfg: ${position.after} is not in plugin.cfg'
+                exit 1
+              fi
+              sed -i '/^${position.after}:/a ${formatPlugin plugin}' plugin.cfg
+            ''
+          else
+            throw ''
+              Unsupported position value in externalPlugin:
+                ${builtins.toJSON plugin}.
+              Valid values for position attr are:
+                - position = "end-of-file" (the default)
+                - position = "start-of-file"
+                - position.before = "{other plugin}"
+                - position.after = "{other plugin}"
+            ''
+        ) externalPlugins)
+      }
+      diff -u plugin.cfg.orig plugin.cfg || true
+      for src in ${toString (attrsToSources externalPlugins)}; do go get $src; done
+      GOFLAGS=''${GOFLAGS//-mod=vendor/} CC= GOOS= GOARCH= go generate
+      go mod tidy
+    '';
 
-  modInstallPhase = ''
-    mv -t vendor go.mod go.sum plugin.cfg
-    cp -r --reflink=auto vendor "$out"
-  '';
+    # Move the modified `go.mod`, `go.sum`, and `plugin.cfg` files into the
+    # vendor directory so we can retrieve them later in the `preBuild` hook.
+    postBuild = ''
+      mv -t vendor go.mod go.sum plugin.cfg
+    '';
+  };
 
   preBuild = ''
     chmod -R u+w vendor
@@ -102,10 +104,21 @@ buildGoModule (finalAttrs: {
     substituteInPlace test/readme_test.go \
       --replace-fail "TestReadme" "SkipReadme"
 
+    substituteInPlace test/metrics_test.go \
+      --replace-fail "TestMetricsRewriteRequestSize" "SkipMetricsRewriteRequestSize"
+
+    substituteInPlace test/quic_test.go \
+      --replace-fail "TestQUICReloadDoesNotPanic" "SkipQUICReloadDoesNotPanic"
+
     # this test fails if any external plugins were imported.
     # it's a lint rather than a test of functionality, so it's safe to disable.
     substituteInPlace test/presubmit_test.go \
       --replace-fail "TestImportOrdering" "SkipImportOrdering"
+
+    substituteInPlace plugin/pkg/parse/transport_test.go \
+      --replace-fail \
+        "TestTransport" \
+        "SkipTransport"
   ''
   + lib.optionalString stdenv.hostPlatform.isDarwin ''
     # loopback interface is lo0 on macos
@@ -123,6 +136,7 @@ buildGoModule (finalAttrs: {
   '';
 
   passthru.tests = {
+    coredns-external-plugins = nixosTests.coredns;
     kubernetes-single-node = nixosTests.kubernetes.dns-single-node;
     kubernetes-multi-node = nixosTests.kubernetes.dns-multi-node;
   };

pkgs/by-name/cu/cups/package.nix

@@ -23,15 +23,18 @@
   nixosTests,
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "cups";
-  version = "2.4.16";
+  version = "2.4.19";
 
   src = fetchurl {
-    url = "https://github.com/OpenPrinting/cups/releases/download/v${version}/cups-${version}-source.tar.gz";
-    hash = "sha256-AzlYcgS0+UKN0FkuswHewL+epuqNzl2WkNVr5YWrqS0=";
+    url = "https://github.com/OpenPrinting/cups/releases/download/v${finalAttrs.version}/cups-${finalAttrs.version}-source.tar.gz";
+    hash = "sha256-ggmEsSpn+YcFeFquLdE0f+CsCXgoAB1Fg/9kV0rtY4k=";
   };
 
+  __structuredAttrs = true;
+  strictDeps = true;
+
   outputs = [
     "out"
     "lib"
@@ -183,4 +186,4 @@ stdenv.mkDerivation rec {
     maintainers = with lib.maintainers; [ matthewbauer ];
     platforms = lib.platforms.unix;
   };
-}
+})

pkgs/by-name/cu/curlMinimal/package.nix

@@ -86,7 +86,7 @@ assert
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "curl";
-  version = "8.19.0";
+  version = "8.20.0";
 
   src = fetchurl {
     urls = [
@@ -95,7 +95,7 @@ stdenv.mkDerivation (finalAttrs: {
         builtins.replaceStrings [ "." ] [ "_" ] finalAttrs.version
       }/curl-${finalAttrs.version}.tar.xz"
     ];
-    hash = "sha256-TrQUiXkNGeGQ16x+GOgoV83Wivj05mspLO1WLTM/Ed8=";
+    hash = "sha256-Y/4twUi6DOromSLvg49+XJRicsLni3xZ+rS3nTziuJY=";
   };
 
   # this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion

pkgs/by-name/de/deezer-desktop/package.nix

@@ -8,15 +8,15 @@
 }:
 
 let
-  version = "7.1.190";
+  version = "7.1.220";
   srcs = {
     x86_64-linux = fetchurl {
       url = "https://github.com/aunetx/deezer-linux/releases/download/v${version}/deezer-desktop-${version}-x64.tar.xz";
-      hash = "sha256-XoZRlFMiN5VVp3vkTwGDMekhW1KzmvuN9oYTXZFn6B4=";
+      hash = "sha256-q4j4S88c7xsC+Ax7XY1EVbqRRJXH+JzLrZRRB6rfQOE=";
     };
     aarch64-linux = fetchurl {
       url = "https://github.com/aunetx/deezer-linux/releases/download/v${version}/deezer-desktop-${version}-arm64.tar.xz";
-      hash = "sha256-ChPuz8wd3SOxRmxM5bEbz3paBw7pfIVfSY23nasRI4A=";
+      hash = "sha256-g94qn+EHr8Dwn21L7z3W7Z5+LJoVSQcAEXHpJiAdbJg=";
     };
   };
 

pkgs/by-name/di/distribution/package.nix

@@ -9,13 +9,13 @@
 
 buildGoModule (finalAttrs: {
   pname = "distribution";
-  version = "3.0.0";
+  version = "3.1.1";
 
   src = fetchFromGitHub {
     owner = "distribution";
     repo = "distribution";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-myezQTEdH7kkpCoAeZMf5OBxT4Bz8Qx6vCnwim230RY=";
+    hash = "sha256-KsN3QW71VwGrgrhOmwzzmTm/54+ZaTFj5kNgbta1FmI=";
   };
 
   vendorHash = null;

pkgs/by-name/el/element-desktop/package.nix

@@ -16,6 +16,7 @@
   fetchPnpmDeps,
   pnpmConfigHook,
   pnpm,
+  faketty,
   asar,
   copyDesktopItems,
   darwin,
@@ -27,13 +28,13 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "element-desktop";
-  version = "1.12.14";
+  version = "1.12.18";
 
   src = fetchFromGitHub {
     owner = "element-hq";
     repo = "element-web";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-yy7CfMOMT1DBXHDHaDyAaOgp3s2KQIKA1A6zUhVOUhM=";
+    hash = "sha256-G2HEOv1fHVgbT79bo8ibp9VmtQ8o5vA6/i6Q5TUKqdw=";
   };
 
   pnpmDeps = fetchPnpmDeps {
@@ -43,7 +44,7 @@ stdenv.mkDerivation (finalAttrs: {
       src
       ;
     fetcherVersion = 3;
-    hash = "sha256-0yqWObZtRntsH7gk+OB8pMuWsrvCQ4L9173Qv0o5abk=";
+    hash = "sha256-0iGzjwT+99tvRuxYD+1+SrYrCYAI1dcjhXT3x6E/wHg=";
   };
 
   env.ELECTRON_SKIP_BINARY_DOWNLOAD = "1";
@@ -57,6 +58,7 @@ stdenv.mkDerivation (finalAttrs: {
     pnpm
     pnpmConfigHook
     tsx
+    faketty
   ]
   ++ lib.optionals stdenv.hostPlatform.isDarwin [
     darwin.autoSignDarwinBinariesHook
@@ -81,13 +83,15 @@ stdenv.mkDerivation (finalAttrs: {
     cd ../../
   '';
 
+  # faketty is required to work around a bug in nx.
+  # See: https://github.com/nrwl/nx/issues/22445
   buildPhase = ''
     runHook preBuild
 
     export VERSION=${finalAttrs.version}
 
-    pnpm -C apps/desktop run build:ts
-    pnpm -C apps/desktop run build:res
+    faketty pnpm -C apps/desktop exec nx build:ts
+    faketty pnpm -C apps/desktop exec nx build:res
     pnpm -C apps/desktop exec electron-builder --dir -c.electronDist=electron-dist -c.electronVersion=${electron.version} -c.mac.identity=null
 
     cd apps/desktop

pkgs/by-name/el/element-web-unwrapped/package.nix

@@ -24,20 +24,20 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "element-web";
-  version = "1.12.14";
+  version = "1.12.18";
 
   src = fetchFromGitHub {
     owner = "element-hq";
     repo = "element-web";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-yy7CfMOMT1DBXHDHaDyAaOgp3s2KQIKA1A6zUhVOUhM=";
+    hash = "sha256-G2HEOv1fHVgbT79bo8ibp9VmtQ8o5vA6/i6Q5TUKqdw=";
   };
 
   pnpmDeps = fetchPnpmDeps {
     pname = "element";
     inherit (finalAttrs) version src;
     fetcherVersion = 3;
-    hash = "sha256-0yqWObZtRntsH7gk+OB8pMuWsrvCQ4L9173Qv0o5abk=";
+    hash = "sha256-0iGzjwT+99tvRuxYD+1+SrYrCYAI1dcjhXT3x6E/wHg=";
   };
 
   nativeBuildInputs = [

pkgs/by-name/ex/exim/package.nix

@@ -39,11 +39,11 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "exim";
-  version = "4.99.2";
+  version = "4.99.3";
 
   src = fetchurl {
     url = "https://ftp.exim.org/pub/exim/exim4/exim-${version}.tar.xz";
-    hash = "sha256-JTZPGZiCcNhGllaJ3SnGYs9d4VJjmHXQ1TUqaf11Okc=";
+    hash = "sha256-Zj520qDZuPxbNz0ACORK4ETxD+sivJ266MfyE0Xr+zs=";
   };
 
   enableParallelBuilding = true;

pkgs/by-name/ex/expat/package.nix

@@ -18,7 +18,7 @@
 # files.
 
 let
-  version = "2.7.5";
+  version = "2.8.1";
   tag = "R_${lib.replaceStrings [ "." ] [ "_" ] version}";
 in
 stdenv.mkDerivation (finalAttrs: {
@@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: {
     url =
       with finalAttrs;
       "https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz";
-    hash = "sha256-EDLf70/xf3BGSCfaooNpsg9lhNEIvDbxerFnbh7dL5E=";
+    hash = "sha256-ELGV7ngWCpCDiBgKj+NgPU6aEvR1X79fOBayOp11DaA=";
   };
 
   strictDeps = true;

pkgs/by-name/fa/fastnetmon-advanced/package.nix

@@ -9,11 +9,11 @@
 
 stdenv.mkDerivation rec {
   pname = "fastnetmon-advanced";
-  version = "2.0.372";
+  version = "2.0.380";
 
   src = fetchurl {
-    url = "https://repo.fastnetmon.com/fastnetmon_ubuntu_jammy/pool/fastnetmon/f/fastnetmon/fastnetmon_${version}_amd64.deb";
-    hash = "sha256-FwYAbTBkk+AciDVxTIimswsB0M3gbzKX+03PD0fLMsY=";
+    url = "https://repo.fastnetmon.com/fastnetmon_ubuntu_noble/pool/fastnetmon/f/fastnetmon/fastnetmon_${version}_amd64.deb";
+    hash = "sha256-4hCrDaFat0kEbyzKg6nHdV+LlqCBYYJEojyvXyPYKD0=";
   };
 
   nativeBuildInputs = [

pkgs/by-name/ff/fflogs/package.nix

@@ -6,10 +6,10 @@
 
 let
   pname = "fflogs";
-  version = "9.0.33";
+  version = "9.3.61";
   src = fetchurl {
     url = "https://github.com/RPGLogs/Uploaders-fflogs/releases/download/v${version}/fflogs-v${version}.AppImage";
-    hash = "sha256-gUIETMc0JQXONBt0+Pw52y37Pw4Wh5CHo1uY6IBhvkc=";
+    hash = "sha256-QBiZR8wjhMsLguzBaM21mADlR1hKHdBuK66DcSzyVtQ=";
   };
   extracted = appimageTools.extractType2 { inherit pname version src; };
 in

pkgs/by-name/fi/filebrowser/package.nix

@@ -12,13 +12,13 @@
 }:
 
 let
-  version = "2.63.3";
+  version = "2.63.5";
 
   src = fetchFromGitHub {
     owner = "filebrowser";
     repo = "filebrowser";
     rev = "v${version}";
-    hash = "sha256-v3cC8opClvt91MqUIKNZdvCv0hPeCvWPi0IlOMHlWbQ=";
+    hash = "sha256-/X/TztbZDC1hkRL97jkm6Ak8QmKFDMycekLl6NVPS0k=";
   };
 
   frontend = buildNpmPackage rec {
@@ -41,7 +41,7 @@ let
         ;
       fetcherVersion = 3;
       pnpm = pnpm_10;
-      hash = "sha256-g8BWDEymQNOkLYBws0ii4iLnpjB7X4EQl0OzR3GXeq0=";
+      hash = "sha256-UwTA7Eogp2GrvmXDbdfGBTJS3DuOTJ42e6fHlQxSHoA=";
     };
 
     installPhase = ''

pkgs/by-name/fl/fluxcd/package.nix

@@ -9,10 +9,10 @@
 }:
 
 let
-  version = "2.8.6";
-  srcHash = "sha256-pKP4g2pTMYtx/B/Y3ow7tvDdhCSuwbszzeLVXB0W7Bo=";
-  vendorHash = "sha256-VBafft9/AuXaHWvZymy7P9gaSuO8D6IZHfK68Ixp3mI=";
-  manifestsHash = "sha256-h/HR/rJwPWXiuoj9T+LajdsdT4Jo8/EuN+O1I7e9sjI=";
+  version = "2.8.8";
+  srcHash = "sha256-ECFEzYhnhse2yrfWYaeN5dE+HUvCy5RKZ2OceCb5+sA=";
+  vendorHash = "sha256-pV7eoiGhWk6KYZbK8bamXJY/NdK7ZYqrVcCTX9ccLJc=";
+  manifestsHash = "sha256-fF21nDstKUrlW6fgm0DrDtntR/0cnHMEzRltjBm9nwA=";
 
   manifests = fetchzip {
     url = "https://github.com/fluxcd/flux2/releases/download/v${version}/manifests.tar.gz";

pkgs/by-name/fo/forgejo-runner/package.nix

@@ -52,17 +52,17 @@ let
 in
 buildGoModule (finalAttrs: {
   pname = "forgejo-runner";
-  version = "12.10.1";
+  version = "12.10.2";
 
   src = fetchFromGitea {
     domain = "code.forgejo.org";
     owner = "forgejo";
     repo = "runner";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-OBMduRaGSVPojSAr6DKPbAdUyuw1MSCpipRv+EA5OGw=";
+    hash = "sha256-Uo+x02HgpfOY+KXug7cmnW4d85AlX6wqz+nYGF/JrHk=";
   };
 
-  vendorHash = "sha256-V9dEHNp80oS7NfsGIlKgFyHD1PmMm2bCqydVADpphuA=";
+  vendorHash = "sha256-0gOftkxkBPziU0Tm8lIiD72rXcMMY5M57G9/Bt/mneI=";
 
   nativeBuildInputs = [ makeWrapper ];
 

pkgs/by-name/gh/gh/package.nix

@@ -1,27 +1,31 @@
 {
   lib,
   fetchFromGitHub,
-  buildGoModule,
+  buildGo126Module,
   installShellFiles,
   stdenv,
   testers,
   gh,
+  makeWrapper,
 }:
 
-buildGoModule rec {
+buildGo126Module rec {
   pname = "gh";
-  version = "2.83.2";
+  version = "2.93.0";
 
   src = fetchFromGitHub {
     owner = "cli";
     repo = "cli";
     tag = "v${version}";
-    hash = "sha256-YpbxdD+83pK326EmwLCzUh+wASdOjuCqSP2eXIJndxI=";
+    hash = "sha256-r/+JFdMOUIb32St+VkUw+Q7Lb2L6IiPczmONFE4hwDw=";
   };
 
-  vendorHash = "sha256-AkcbtVR1+uYy2AtRl1hvUBBF8vI3hH4NXznmgwmAzmw=";
+  vendorHash = "sha256-eMPcla1XKfq+zBb633Zz4cn820FWuEaRrXQJ1TQ8Lkg=";
 
-  nativeBuildInputs = [ installShellFiles ];
+  nativeBuildInputs = [
+    installShellFiles
+    makeWrapper
+  ];
 
   # N.B.: using the Makefile is intentional.
   # We pass "nixpkgs" for build.Date to avoid `gh --version` reporting a very old date.
@@ -34,6 +38,8 @@ buildGoModule rec {
   installPhase = ''
     runHook preInstall
     install -Dm755 bin/gh -t $out/bin
+    wrapProgram $out/bin/gh \
+      --set-default GH_TELEMETRY false
   ''
   + lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
     installManPage share/man/*/*.[1-9]
@@ -63,6 +69,7 @@ buildGoModule rec {
     maintainers = with lib.maintainers; [
       mdaniels5757
       zowoq
+      savtrip
     ];
   };
 }

pkgs/by-name/gi/git-absorb/package.nix

@@ -42,7 +42,8 @@ rustPlatform.buildRustPackage rec {
     installShellCompletion --cmd git-absorb \
       --bash <($out/bin/git-absorb --gen-completions bash) \
       --fish <($out/bin/git-absorb --gen-completions fish) \
-      --zsh <($out/bin/git-absorb --gen-completions zsh)
+      --zsh <($out/bin/git-absorb --gen-completions zsh) \
+      --nushell <($out/bin/git-absorb --gen-completions nushell)
   '';
 
   meta = {

pkgs/by-name/gi/gitaly/package.nix

@@ -7,7 +7,7 @@
 }:
 
 let
-  version = "18.11.3";
+  version = "18.11.4";
   package_version = "v${lib.versions.major version}";
   gitaly_package = "gitlab.com/gitlab-org/gitaly/${package_version}";
 
@@ -21,10 +21,10 @@ let
       owner = "gitlab-org";
       repo = "gitaly";
       rev = "v${version}";
-      hash = "sha256-oFQevVXbxu9G4LF3BrC0EUUviypSwB4cKRjipdiO3jU=";
+      hash = "sha256-YQpNsSCjcMC1tpwLVN0fCB9T3vBFxp0TyrvxzJfTnFg=";
     };
 
-    vendorHash = "sha256-123WUtoUaPIyDywcTKEhiZP2SYYHxAQoOPyCebsHYRI=";
+    vendorHash = "sha256-/RJnCcmUoqGy08MSGEVM/taV1qZK65kiZw19n6S3ZQ0=";
 
     ldflags = [
       "-X ${gitaly_package}/internal/version.version=${version}"

pkgs/by-name/gi/gitlab-elasticsearch-indexer/package.nix

@@ -11,17 +11,17 @@ let
 in
 buildGoModule (finalAttrs: {
   pname = "gitlab-elasticsearch-indexer";
-  version = "5.14.1";
+  version = "5.14.7";
 
   # nixpkgs-update: no auto update
   src = fetchFromGitLab {
     owner = "gitlab-org";
     repo = "gitlab-elasticsearch-indexer";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-yYl2cSPY5hn1GSda5ioMD3rEectNMtYGstVpz73pi3Y=";
+    hash = "sha256-1fVBCem23X8u1NQ6ph37EiXRvMpzF/8Yac+VefAe9Yg=";
   };
 
-  vendorHash = "sha256-yeVEQEXHGAkdkfcnjok8iOvVRxucObVAxhuACmyFDJw=";
+  vendorHash = "sha256-cUHXrUd+pSMiS6iSwKKA+o1B6ZHbaQYHYPeVk1Y6wYM=";
 
   buildInputs = [ icu ];
   nativeBuildInputs = [ pkg-config ];

pkgs/by-name/gi/gitlab-pages/package.nix

@@ -6,14 +6,14 @@
 
 buildGoModule (finalAttrs: {
   pname = "gitlab-pages";
-  version = "18.11.3";
+  version = "18.11.4";
 
   # nixpkgs-update: no auto update
   src = fetchFromGitLab {
     owner = "gitlab-org";
     repo = "gitlab-pages";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-ozkrU3QF/LK0uqfF52dnm2MCga+vRD8dGsLNnze6E+Y=";
+    hash = "sha256-tE2PHWk12S482TjNhI0u7Afm0mPAgJWqcJiU5dgqN60=";
   };
 
   vendorHash = "sha256-PUW4cgAiM1GTtvja894OZ4pe0SWChf5JsL4/fkns2kI=";

pkgs/by-name/gi/gitlab-runner/package.nix

@@ -12,13 +12,13 @@
 
 buildGoModule (finalAttrs: {
   pname = "gitlab-runner";
-  version = "18.11.2";
+  version = "18.11.3";
 
   src = fetchFromGitLab {
     owner = "gitlab-org";
     repo = "gitlab-runner";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-TWpIu6LxFX5ssijlYQA/dmAiPrB0nrHtlS2MWEk6C30=";
+    hash = "sha256-/QMmBDZz6nWmc9hODS3yVe9iyNERbebGysZ1Z4B5Gw8=";
   };
 
   vendorHash = "sha256-xEvvYAVIwHwQDd38P2i6GcgFqf8FPnflWh5IEqmWQdE=";
@@ -125,6 +125,7 @@ buildGoModule (finalAttrs: {
   meta = {
     description = "GitLab Runner the continuous integration executor of GitLab";
     homepage = "https://docs.gitlab.com/runner";
+    changelog = "https://gitlab.com/gitlab-org/gitlab-runner/blob/v${finalAttrs.version}/CHANGELOG.md";
     license = lib.licenses.mit;
     mainProgram = "gitlab-runner";
     maintainers = with lib.maintainers; [ zimbatm ];

pkgs/by-name/gi/gitlab-shell/package.nix

@@ -8,14 +8,14 @@
 
 buildGoModule (finalAttrs: {
   pname = "gitlab-shell";
-  version = "14.49.0";
+  version = "14.50.0";
 
   # nixpkgs-update: no auto update
   src = fetchFromGitLab {
     owner = "gitlab-org";
     repo = "gitlab-shell";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-8PnFRwP5vctnOh6t45crxkoVF6Z03bfYry24KfFHCww=";
+    hash = "sha256-a9s+TCm5yKPjNh+BD9fm6iVA4H9KJiMyWNulY+7BKZo=";
   };
 
   buildInputs = [
@@ -27,7 +27,7 @@ buildGoModule (finalAttrs: {
     ./remove-hardcoded-locations.patch
   ];
 
-  vendorHash = "sha256-JBKU134/Yyz49HWfU9Dw/EC4bI/o3Hs56Ou7wtzp5qM=";
+  vendorHash = "sha256-ceSnQQTtGdLb0QGR9fDbGC0NtRPGqkyXJ6b0TRXkjQM=";
 
   subPackages = [
     "cmd/gitlab-shell"

pkgs/by-name/gi/gitlab/data.json

@@ -1,17 +1,17 @@
 {
-  "version": "18.11.3",
-  "repo_hash": "sha256-QxaLdWErE+b4SpwHtxnCa2tqheWUfEixRcQwYD/A9s8=",
+  "version": "18.11.4",
+  "repo_hash": "sha256-ThtRXdUreorOIea5Izd+zKb88cC4nhitkzqT+Yf5UtU=",
   "yarn_hash": "sha256-k8JHi0f/XfSV4kICyPW01Erk3YnKw33yeUWYrOaPdTM=",
   "frontend_islands_yarn_hash": "sha256-EvGQin+5DqqIgM36jlVkVI49WcJzVvceYnkSS9ybfcY=",
   "owner": "gitlab-org",
   "repo": "gitlab",
-  "rev": "v18.11.3-ee",
+  "rev": "v18.11.4-ee",
   "passthru": {
-    "GITALY_SERVER_VERSION": "18.11.3",
-    "GITLAB_KAS_VERSION": "18.11.3",
-    "GITLAB_PAGES_VERSION": "18.11.3",
-    "GITLAB_SHELL_VERSION": "14.49.0",
-    "GITLAB_ELASTICSEARCH_INDEXER_VERSION": "5.14.1",
-    "GITLAB_WORKHORSE_VERSION": "18.11.3"
+    "GITALY_SERVER_VERSION": "18.11.4",
+    "GITLAB_KAS_VERSION": "18.11.4",
+    "GITLAB_PAGES_VERSION": "18.11.4",
+    "GITLAB_SHELL_VERSION": "14.50.0",
+    "GITLAB_ELASTICSEARCH_INDEXER_VERSION": "5.14.7",
+    "GITLAB_WORKHORSE_VERSION": "18.11.4"
   }
 }

pkgs/by-name/gi/gitlab/gitlab-workhorse/default.nix

@@ -10,7 +10,7 @@ in
 buildGoModule rec {
   pname = "gitlab-workhorse";
 
-  version = "18.11.3";
+  version = "18.11.4";
 
   # nixpkgs-update: no auto update
   src = fetchFromGitLab {

pkgs/by-name/gi/gitlab/rubyEnv/Gemfile

@@ -765,3 +765,6 @@ gem "gitlab-cloud-connector", "~> 1.45", require: 'gitlab/cloud_connector', feat
 gem "gvltools", "~> 0.4.0", feature_category: :shared # rubocop:todo Gemfile/MissingFeatureCategory -- https://gitlab.com/gitlab-org/gitlab/-/issues/581839
 
 gem 'gitlab_query_language', '~> 0.26.0', feature_category: :integrations
+
+# standard Gem, version increase to resolve vulnerabilities
+gem "zlib", "~> 3.2", ">= 3.2.3", feature_category: :shared # rubocop:todo Gemfile/MissingFeatureCategory -- https://gitlab.com/gitlab-org/gitlab/-/work_items/596593

pkgs/by-name/gi/gitlab/rubyEnv/Gemfile.lock

@@ -2174,6 +2174,7 @@ GEM
     yard-solargraph (0.1.0)
       yard (~> 0.9)
     zeitwerk (2.6.18)
+    zlib (3.2.3)
 
 PLATFORMS
   ruby
@@ -2553,6 +2554,7 @@ DEPENDENCIES
   yajl-ruby (~> 1.4.3)
   yard (~> 0.9)
   zeitwerk (= 2.6.18)
+  zlib (~> 3.2, >= 3.2.3)
 
 BUNDLED WITH
    2.7.1

pkgs/by-name/gi/gitlab/rubyEnv/gemset.nix

@@ -10473,4 +10473,14 @@ src: {
     };
     version = "2.6.18";
   };
+  zlib = {
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "084w64p55s3l2rmbs6x84qbclhi451n8n2limdj1mwrjidlidlsv";
+      type = "gem";
+    };
+    version = "3.2.3";
+  };
 }

pkgs/by-name/gi/gitoxide/package.nix

@@ -18,16 +18,16 @@ let
 in
 rustPlatform.buildRustPackage (finalAttrs: {
   pname = "gitoxide";
-  version = "0.45.0";
+  version = "0.54.0";
 
   src = fetchFromGitHub {
     owner = "GitoxideLabs";
     repo = "gitoxide";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-mMmyFFEVvzI5UmpA10XxnfYZiCg3tizplqFVUND/wQc=";
+    hash = "sha256-MkOmxvACroJAB1nQZT1pcJ/Fn9gWNFwKiwVNb9iUlgY=";
   };
 
-  cargoHash = "sha256-JMpNe8jg52wDTJkPy4ZnNcLqjH6K1tXo5SFVPJdITdo=";
+  cargoHash = "sha256-bYgGQa8Gym4dzkuTrOSu3NwUhYdZNtq7ACwVwhdKQRI=";
 
   nativeBuildInputs = [
     cmake
@@ -60,7 +60,7 @@ rustPlatform.buildRustPackage (finalAttrs: {
       mit # or
       asl20
     ];
-    maintainers = with lib.maintainers; [ syberant ];
+    maintainers = with lib.maintainers; [ hythera ];
     # NB: `ein` is also provided by this package, but `nix run
     # nixpkgs#gitoxide` doesn't work at all without this set.
     mainProgram = "gix";