Revert "vscode-extensions.github.copilot-chat: 0.37.6 -> 0.37.9"

2026-06-06 05:13:37 +00:00 · 2026-03-12 13:42:02 +01:00
16492 changed files with 310729 additions and 504519 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,6 +1,6 @@
 {
  "name": "nixpkgs",
-  "image": "mcr.microsoft.com/devcontainers/universal:5-linux",
+  "image": "mcr.microsoft.com/devcontainers/universal:2-linux",
  "features": {
    "ghcr.io/devcontainers/features/nix:1": {
      // fails in the devcontainer sandbox, enable sandbox via config instead
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,26 +1,7 @@
-# node/js lock files
-**/package-lock.json linguist-generated
-**/yarn.nix linguist-generated
-**/yarn.lock linguist-generated
-
-# Rust lock files
-**/Cargo.lock linguist-generated
-pkgs/build-support/rust/**/Cargo.lock -linguist-generated
-
-# NuGet, Gradle and others
-**/deps.json linguist-generated
-
-# Ruby lock files
-**/gemset.nix linguist-generated
-**/Gemfile.lock linguist-generated
-
-# PHP lock files
-**/composer.lock linguist-generated
-
-# various package managers and tools
 **/deps.nix linguist-generated
+**/deps.json linguist-generated
 **/deps.toml linguist-generated
-
+**/node-packages.nix linguist-generated

 pkgs/applications/editors/emacs-modes/*-generated.nix linguist-generated
 pkgs/development/r-modules/*-packages.nix linguist-generated
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -0,0 +1,6 @@
+<!--
+    Please note: This blank issue template is meant for extraordinary issues
+    that do not fit the templates. Unless you know your issue is relevant to
+    Nixpkgs and requires the free-form blank issue, please use the issue
+    templates instead.
+-->
--- a/.github/ISSUE_TEMPLATE/01_bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/01_bug_report.yml
@@ -35,8 +35,7 @@ body:
        If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
      options:
        - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
        - "- Stable (25.11)"
      default: 0
    validations:
@@ -55,7 +54,7 @@ body:
      description: "Please include a step-by-step guide for reproducing this issue. Consider writing in concise, numbered bullet points to ensure that Nixpkgs developers can retrace your steps."
    validations:
      required: true
-  - type: "textarea"
+  - type: "input"
    id: "expected-behaviour"
    attributes:
      label: "Expected behaviour"
@@ -122,8 +121,6 @@ body:
          required: true
        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
          required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
  - type: "markdown"
    attributes:
      value: |
--- a/.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml
+++ b/.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml
@@ -35,8 +35,7 @@ body:
        If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
      options:
        - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
        - "- Stable (25.11)"
      default: 0
    validations:
@@ -55,7 +54,7 @@ body:
      description: "Please include a step-by-step guide for reproducing this issue. Consider writing in concise, numbered bullet points to ensure that Nixpkgs developers can retrace your steps."
    validations:
      required: true
-  - type: "textarea"
+  - type: "input"
    id: "expected-behaviour"
    attributes:
      label: "Expected behaviour"
@@ -100,7 +99,7 @@ body:
    attributes:
      label: "Are you using nix-darwin?"
      description: |
-        [`nix-darwin`](https://github.com/nix-darwin/nix-darwin) is a set of NixOS-like modules for macOS systems. Depending on your issue, this information may be relevant.
+        [`nix-darwin`](https://github.com/LnL7/nix-darwin) is a set of NixOS-like modules for macOS systems. Depending on your issue, this information may be relevant.
      options:
        - "Yes, I am using nix-darwin."
        - "No, I am not using nix-darwin."
@@ -136,8 +135,6 @@ body:
          required: true
        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
          required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
  - type: "markdown"
    attributes:
      value: |
--- a/.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml
+++ b/.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml
@@ -35,8 +35,7 @@ body:
        If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
      options:
        - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
        - "- Stable (25.11)"
      default: 0
    validations:
@@ -55,7 +54,7 @@ body:
      description: "Please include a step-by-step guide for reproducing this issue. Consider writing in concise, numbered bullet points to ensure that Nixpkgs developers can retrace your steps."
    validations:
      required: true
-  - type: "textarea"
+  - type: "input"
    id: "expected-behaviour"
    attributes:
      label: "Expected behaviour"
@@ -126,8 +125,6 @@ body:
          required: true
        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
          required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
  - type: "markdown"
    attributes:
      value: |
--- a/.github/ISSUE_TEMPLATE/04_build_failure.yml
+++ b/.github/ISSUE_TEMPLATE/04_build_failure.yml
@@ -37,8 +37,7 @@ body:
        If you are purposefully trying to build an ancient version of a package in an older Nixpkgs, please coordinate with the [NixOS Archivists](https://matrix.to/#/#archivists:nixos.org).
      options:
        - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
        - "- Stable (25.11)"
      default: 0
    validations:
@@ -132,8 +131,6 @@ body:
          required: true
        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
          required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
  - type: "markdown"
    attributes:
      value: |
--- a/.github/ISSUE_TEMPLATE/05_update_request.yml
+++ b/.github/ISSUE_TEMPLATE/05_update_request.yml
@@ -37,8 +37,7 @@ body:
        If the package has been updated in unstable, but you believe the update should be backported to the stable release of Nixpkgs, please file the '**Request: backport to stable**' form instead.
      options:
        - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
        - "- Stable (25.11)"
      default: 0
    validations:
@@ -105,8 +104,6 @@ body:
          required: true
        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
          required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
  - type: "markdown"
    attributes:
      value: |
--- a/.github/ISSUE_TEMPLATE/06_module_request.yml
+++ b/.github/ISSUE_TEMPLATE/06_module_request.yml
@@ -35,8 +35,7 @@ body:
        If you are using an older or stable version, please update to the latest **unstable** version and check if the module still does not exist before continuing this request.
      options:
        - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
        - "- Stable (25.11)"
      default: 0
    validations:
@@ -80,8 +79,6 @@ body:
          required: true
        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
          required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
  - type: "markdown"
    attributes:
      value: |
--- a/.github/ISSUE_TEMPLATE/07_backport_request.yml
+++ b/.github/ISSUE_TEMPLATE/07_backport_request.yml
@@ -85,8 +85,6 @@ body:
          required: true
        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
          required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
  - type: "markdown"
    attributes:
      value: |
--- a/.github/ISSUE_TEMPLATE/08_documentation_request.yml
+++ b/.github/ISSUE_TEMPLATE/08_documentation_request.yml
@@ -67,8 +67,6 @@ body:
          required: true
        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
          required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
  - type: "markdown"
    attributes:
      value: |
--- a/.github/ISSUE_TEMPLATE/09_unreproducible_package.yml
+++ b/.github/ISSUE_TEMPLATE/09_unreproducible_package.yml
@@ -137,8 +137,6 @@ body:
          required: true
        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
          required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
  - type: "markdown"
    attributes:
      value: |
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -27,14 +27,12 @@ For new packages please briefly describe the package or provide a link to its ho
  - [ ] Module addition: when adding a new NixOS module.
  - [ ] Module update: when the change is significant.
 - [ ] Fits [CONTRIBUTING.md], [pkgs/README.md], [maintainers/README.md] and other READMEs.
- [ ] Follows the [automation/AI policy].

 [NixOS tests]: https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests
 [Package tests]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests
 [nixpkgs-review usage]: https://github.com/Mic92/nixpkgs-review#usage

 [CONTRIBUTING.md]: https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md
-[automation/AI policy]: https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy
 [lib/tests]: https://github.com/NixOS/nixpkgs/blob/master/lib/tests
 [maintainers/README.md]: https://github.com/NixOS/nixpkgs/blob/master/maintainers/README.md
 [nixos/tests]: https://github.com/NixOS/nixpkgs/blob/master/nixos/tests
--- a/.github/actions/checkout/action.yml
+++ b/.github/actions/checkout/action.yml
@@ -13,7 +13,7 @@ inputs:
 runs:
  using: composite
  steps:
-    - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+    - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      env:
        MERGED_SHA: ${{ inputs.merged-as-untrusted-at }}
        TARGET_SHA: ${{ inputs.target-as-trusted-at }}
@@ -95,22 +95,25 @@ runs:
          // This would fail without --refetch, because the we had a partial clone before, but changed it above.
          await run('git', 'fetch', '--depth=1', '--refetch', 'origin', ...(commits.map(({ sha }) => sha)))

-          // On Linux, checking out onto tmpfs takes 1s and is faster by at least 10x.
-          // Currently, on Darwin we can only allocate 3.5GB, which isn't enough.
-          // See https://github.com/NixOS/nixpkgs/pull/506437
+          // Checking out onto tmpfs takes 1s and is faster by at least factor 10x.
          await run('mkdir', 'nixpkgs')
-          if (process.env.RUNNER_OS === 'Linux') {
-            await run('sudo', 'mount', '-t', 'tmpfs', 'tmpfs', 'nixpkgs')
+          switch (process.env.RUNNER_OS) {
+            case 'macOS':
+              await run('sudo', 'mount_tmpfs', 'nixpkgs')
+              break
+            case 'Linux':
+              await run('sudo', 'mount', '-t', 'tmpfs', 'tmpfs', 'nixpkgs')
+              break
          }

-          // Git worktree setup can race when multiple worktrees are created and
-          // initialized at the same time against one repository. See #511286.
-          // Keep the setup sequential so shared repo config updates cannot contend.
-          for (const { sha, path } of commits) {
-            await run('git', 'worktree', 'add', join('nixpkgs', path), sha, '--no-checkout')
-            await run('git', '-C', join('nixpkgs', path), 'sparse-checkout', 'disable')
-            await run('git', '-C', join('nixpkgs', path), 'checkout', '--progress')
-          }
+          // Create all worktrees in parallel.
+          await Promise.all(
+            commits.map(async ({ sha, path }) => {
+              await run('git', 'worktree', 'add', join('nixpkgs', path), sha, '--no-checkout')
+              await run('git', '-C', join('nixpkgs', path), 'sparse-checkout', 'disable')
+              await run('git', '-C', join('nixpkgs', path), 'checkout', '--progress')
+            })
+          )

          // Apply pin bump to untrusted worktree
          if (pin_bump_sha) {
@@ -131,6 +134,3 @@ runs:
              await rm('pin-bump.patch')
            }
          }
-
-          console.log('final disk usage:')
-          await run('df', '-h')
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,5 +5,3 @@ updates:
    schedule:
      interval: "weekly"
    labels: []
-    commit-message:
-      prefix: ".github"
--- a/.github/labeler-no-sync.yml
+++ b/.github/labeler-no-sync.yml
@@ -33,15 +33,4 @@
              - maintainers/github-teams.json
      - base-branch: ['master']

-"backport release-26.05":
-  - all:
-      - changed-files:
-          - any-glob-to-any-file:
-              - .github/actions/**/*
-              - .github/workflows/*
-              - .github/labeler*.yml
-              - ci/**/*.*
-              - maintainers/github-teams.json
-      - base-branch: ['master']
-
 # keep-sorted end
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -270,14 +270,8 @@
  - any:
      - changed-files:
          - any-glob-to-any-file:
-              - doc/packages/linux.section.md
-              - lib/kernel.nix
-              - nixos/doc/manual/configuration/linux-kernel.chapter.md
-              - nixos/modules/system/boot/kernel.nix
-              - nixos/tests/kernel-generic/**/*
              - pkgs/build-support/kernel/**/*
              - pkgs/os-specific/linux/kernel/**/*
-              - pkgs/top-level/linux-kernels.nix

 "6.topic: lib":
  - any:
@@ -551,6 +545,7 @@
              - pkgs/by-name/*/*tree-sitter*/**/*
              - pkgs/by-name/ne/neovim-unwrapped/treesitter-parsers.nix
              - pkgs/development/python-modules/*tree-sitter*/**/*
+              - pkgs/development/tools/parsing/tree-sitter/**/*

 "6.topic: updaters":
  - any:
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -11,7 +11,7 @@ on:

 permissions:
  contents: read
-  issues: write # adding the 'has: port to stable' and 'has: backport failed' label
+  issues: write # adding the 'has: port to stable' label
  pull-requests: write # creating backport pull requests

 defaults:
@@ -21,16 +21,16 @@ defaults:
 jobs:
  backport:
    name: Backport Pull Request
-    if: vars.NIXPKGS_CI_CLIENT_ID && github.event.pull_request.merged == true && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
+    if: vars.NIXPKGS_CI_APP_ID && github.event.pull_request.merged == true && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
    runs-on: ubuntu-slim
    timeout-minutes: 3
    steps:
      # Use a GitHub App to create the PR so that CI gets triggered
      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        id: app-token
        with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-contents: write
          permission-pull-requests: write
@@ -49,7 +49,7 @@ jobs:

      - name: Create backport PRs
        id: backport
-        uses: korthout/backport-action@66065406958f46e82238fd59546f5a99e69e22aa # v4.5.2
+        uses: korthout/backport-action@4aaf0e03a94ff0a619c9a511b61aeb42adea5b02 # v4.2.0
        with:
          # Config README: https://github.com/korthout/backport-action#backport-action
          add_author_as_reviewer: true
@@ -72,7 +72,7 @@ jobs:

      - name: "Add 'has: port to stable' label"
        if: steps.backport.outputs.created_pull_numbers != ''
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          # Not using the app on purpose to avoid triggering another workflow run after adding this label.
          script: |
@@ -82,16 +82,3 @@ jobs:
              issue_number: context.payload.pull_request.number,
              labels: [ '8.has: port to stable' ]
            })
-
-      - name: "Add 'has: failed backport' label"
-        if: steps.backport.outputs.was_successful == 'false'
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          # Not using the app on purpose to avoid triggering another workflow run after adding this label.
-          script: |
-            await github.rest.issues.addLabels({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.payload.pull_request.number,
-              labels: [ '8.has: failed backport' ]
-            })
--- a/.github/workflows/bot.yml
+++ b/.github/workflows/bot.yml
@@ -53,14 +53,14 @@ jobs:
            ci/github-script

      - name: Install dependencies
-        run: npm install @actions/artifact@6.2.1 bottleneck@2.19.5
+        run: npm install @actions/artifact@5.0.3 bottleneck@2.19.5

      # Use a GitHub App, because it has much higher rate limits: 12,500 instead of 5,000 req / hour.
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_CLIENT_ID
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
        id: app-token
        with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-contents: write
@@ -74,7 +74,7 @@ jobs:
        run: gh api /rate_limit | jq

      - name: Run bot
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ steps.app-token.outputs.token || github.token }}
          retries: 3
@@ -91,7 +91,7 @@ jobs:
          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
        run: gh api /rate_limit | jq

-      - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        name: Labels from touched files
        if: |
          github.event_name == 'pull_request_target' &&
@@ -101,7 +101,7 @@ jobs:
          configuration-path: .github/labeler.yml # default
          sync-labels: true

-      - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        name: Labels from touched files (no sync)
        if: |
          github.event_name == 'pull_request_target' &&
@@ -111,7 +111,7 @@ jobs:
          configuration-path: .github/labeler-no-sync.yml
          sync-labels: false

-      - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        name: Labels from touched files (development branches)
        # Development branches like staging-next, haskell-updates and python-updates get special labels.
        # This is to avoid the mass of labels there, which is mostly useless - and really annoying for
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -62,12 +62,12 @@ jobs:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}
          target-as-trusted-at: ${{ inputs.targetSha }}

-      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+      - uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd # v31.9.1
        with:
          # Sandbox is disabled on MacOS by default.
          extra_nix_config: sandbox = true

-      - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
+      - uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
        continue-on-error: true
        with:
          # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
@@ -85,9 +85,7 @@ jobs:
      - name: Build NixOS manual
        if: |
          contains(matrix.builds, 'manual-nixos') && !cancelled() &&
-          (contains(fromJSON(inputs.baseBranch).type, 'primary')
-            || startsWith(fromJSON(inputs.baseBranch).branch, 'staging-nixos')
-          )
+          contains(fromJSON(inputs.baseBranch).type, 'primary')
        run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A manual-nixos --out-link nixos-manual

      - name: Build Nixpkgs manual
@@ -106,7 +104,7 @@ jobs:
        if: |
          contains(matrix.builds, 'manual-nixos') && !cancelled() &&
          contains(fromJSON(inputs.baseBranch).type, 'primary')
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: ${{ inputs.artifact-prefix }}nixos-manual-${{ matrix.name }}
          path: nixos-manual
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -16,14 +16,6 @@ on:
        required: true
        type: string
    secrets:
-      # Can be provided in pull requests because the job it is used in does
-      # not evaluate untrusted code.
-      NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY:
-        required: false
-      # Can be provided in pull requests because the job it is used in does
-      # not evaluate untrusted code.
-      NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY:
-        required: false
      # Should only be provided in the merge queue, not in pull requests,
      # where we're evaluating untrusted code.
      CACHIX_AUTH_TOKEN_GHA:
@@ -53,26 +45,17 @@ jobs:
      - name: Install dependencies
        run: npm install bottleneck@2.19.5

-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID
-        id: app-token
-        with:
-          client-id: ${{ vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID }}
-          private-key: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }}
-          permission-pull-requests: write
-
      - name: Log current API rate limits
        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
+          GH_TOKEN: ${{ github.token }}
        run: gh api /rate_limit | jq

      - name: Check commits
        id: check
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          TARGETS_STABLE: ${{ fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development') }}
        with:
-          github-token: ${{ steps.app-token.outputs.token || github.token }}
          script: |
            const targetsStable = JSON.parse(process.env.TARGETS_STABLE)
            require('./trusted/ci/github-script/commits.js')({
@@ -85,52 +68,7 @@ jobs:

      - name: Log current API rate limits
        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
-        run: gh api /rate_limit | jq
-
-  manual-file-edits:
-    if: inputs.baseBranch && inputs.headBranch
-    permissions:
-      pull-requests: write
-    runs-on: ubuntu-slim
-    timeout-minutes: 3
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-          path: trusted
-          sparse-checkout: |
-            ci/github-script
-
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID
-        id: app-token
-        with:
-          client-id: ${{ vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID }}
-          private-key: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }}
-          permission-pull-requests: write
-
-      - name: Log current API rate limits
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
-        run: gh api /rate_limit | jq
-
-      - name: Discourage manual edits to certain files
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          github-token: ${{ steps.app-token.outputs.token || github.token }}
-          script: |
-            require('./trusted/ci/github-script/manual-file-edits.js')({
-              github,
-              context,
-              core,
-              dry: context.eventName == 'pull_request',
-              repoPath: 'trusted',
-            })
-
-      - name: Log current API rate limits
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
+          GH_TOKEN: ${{ github.token }}
        run: gh api /rate_limit | jq

  owners:
@@ -147,9 +85,9 @@ jobs:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}
          target-as-trusted-at: ${{ inputs.targetSha }}

-      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+      - uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd # v31.9.1

-      - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
+      - uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
        continue-on-error: true
        with:
          # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
--- a/.github/workflows/comment.yml
+++ b/.github/workflows/comment.yml
@@ -30,15 +30,15 @@ jobs:
            ci/github-script

      # Use the GitHub App to make sure the reaction happens with the same user who will later merge.
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_CLIENT_ID
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
        id: app-token
        with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-pull-requests: write

-      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ steps.app-token.outputs.token || github.token }}
          retries: 3
--- a/.github/workflows/edited.yml
+++ b/.github/workflows/edited.yml
@@ -36,14 +36,14 @@ jobs:
      # Use a GitHub App to create the PR so that CI gets triggered
      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
      # We only need Pull Requests: write here, but the app is also used for backports.
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        id: app-token
        with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-pull-requests: write

-      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          script: |
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
@@ -23,10 +23,6 @@ on:
        default: false
        type: boolean
    secrets:
-      # Can be provided in pull requests because the job it is used in does
-      # not evaluate untrusted code.
-      NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY:
-        required: false
      # Should only be provided in the merge queue, not in pull requests,
      # where we're evaluating untrusted code.
      CACHIX_AUTH_TOKEN_GHA:
@@ -65,7 +61,7 @@ jobs:

      - name: Find commit that touched ci/pinned.json
        id: find-pinned-commit
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          TARGET_SHA: ${{ inputs.targetSha }}
          HEAD_SHA: ${{ inputs.headSha }}
@@ -136,7 +132,7 @@ jobs:
            core.info(`Found pinned.json commit: ${ciPinBumpCommit}`)

      - name: Install Nix
-        uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+        uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd # v31.9.1

      - name: Load supported versions
        id: versions
@@ -158,7 +154,7 @@ jobs:
    # to not interrupt main Eval's compare step.
    continue-on-error: ${{ matrix.version != '' }}
    name: ${{ matrix.system }}${{ matrix.version && format(' @ {0} ({1})', matrix.version, needs.versions.outputs.ciPinBumpCommitShort) || '' }}
-    timeout-minutes: 20
+    timeout-minutes: 15
    steps:
      # This is not supposed to be used and just acts as a fallback.
      # Without swap, when Eval runs OOM, it will fail badly with a
@@ -184,9 +180,9 @@ jobs:
          target-as-trusted-at: ${{ inputs.targetSha }}

      - name: Install Nix
-        uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+        uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd # v31.9.1

-      - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
+      - uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
        continue-on-error: true
        with:
          # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
@@ -242,7 +238,7 @@ jobs:
            --out-link diff

      - name: Upload outpaths diff and stats
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: ${{ inputs.artifact-prefix }}${{ matrix.version && format('{0}-', matrix.version) || '' }}diff-${{ matrix.system }}
          path: diff/*
@@ -267,14 +263,14 @@ jobs:
          target-as-trusted-at: ${{ inputs.targetSha }}

      - name: Download output paths and eval stats for all systems
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
        with:
          pattern: ${{ inputs.artifact-prefix }}diff-*
          path: diff
          merge-multiple: true

      - name: Install Nix
-        uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+        uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd # v31.9.1

      - name: Combine all output paths and eval stats
        run: |
@@ -283,7 +279,7 @@ jobs:
            --out-link combined

      - name: Upload the maintainer list
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: ${{ inputs.artifact-prefix }}maintainers
          path: combined/maintainers.json
@@ -304,24 +300,18 @@ jobs:
          cat comparison/step-summary.md >> "$GITHUB_STEP_SUMMARY"

      - name: Upload the comparison results
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: ${{ inputs.artifact-prefix }}comparison
          path: comparison/*

      - name: Add eval summary to commit statuses
        if: ${{ github.event_name == 'pull_request_target' }}
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const { readFile } = require('node:fs/promises')
            const changed = JSON.parse(await readFile('comparison/changed-paths.json', 'utf-8'))
-            const removedByKernel = Object.fromEntries(
-              Object.entries(changed.attrdiffByKernel ?? {}).map(([kernel, diff]) => [
-                kernel,
-                diff.removed.length,
-              ]),
-            )
            const description =
              'Package: ' + [
                `added ${changed.attrdiff.added.length}`,
@@ -331,15 +321,7 @@ jobs:
              ' — Rebuild: ' + [
                `linux ${changed.rebuildCountByKernel.linux}`,
                `darwin ${changed.rebuildCountByKernel.darwin}`
-              ].join(', ') +
-              (
-                Object.values(removedByKernel).some((count) => count > 0)
-                  ? ' — Removed: ' + [
-                      `linux ${removedByKernel.linux ?? 0}`,
-                      `darwin ${removedByKernel.darwin ?? 0}`
-                    ].join(', ')
-                  : ''
-              )
+              ].join(', ')

            const { serverUrl, repo, runId, payload } = context
            const target_url =
@@ -353,22 +335,10 @@ jobs:
              description,
              target_url
            })
-
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name == 'pull_request_target' && vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID
-        id: app-token
-        with:
-          client-id: ${{ vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID }}
-          private-key: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }}
-          permission-pull-requests: write
-
-      # It's fine to reuse this app in the 'pull-request-target / prepare' job,
-      # because that job has to run before this one.
      - name: Request changes if PR is against an inappropriate branch
        if: ${{ github.event_name == 'pull_request_target' }}
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
-          github-token: ${{ steps.app-token.outputs.token || github.token }}
          script: |
            require('./nixpkgs/trusted/ci/github-script/check-target-branch.js')({
              github,
@@ -383,13 +353,13 @@ jobs:
    needs: [versions, eval]
    steps:
      - name: Download output paths and eval stats for all versions
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
        with:
          pattern: "*-diff-*"
          path: versions

      - name: Add version comparison table to job summary
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          ARTIFACT_PREFIX: ${{ inputs.artifact-prefix }}
          SYSTEMS: ${{ inputs.systems }}
@@ -481,7 +451,7 @@ jobs:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}

      - name: Install Nix
-        uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+        uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd # v31.9.1

      - name: Ensure flake outputs on all systems still evaluate
        run: nix flake check --all-systems --no-build './nixpkgs/untrusted?shallow=1'
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -35,7 +35,7 @@ jobs:
        with:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}

-      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+      - uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd # v31.9.1

      # TODO: Figure out how to best enable caching for the treefmt job. Cachix won't work well,
      # because the cache would be invalidated on every commit - treefmt checks every file.
@@ -70,9 +70,9 @@ jobs:
        with:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}

-      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+      - uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd # v31.9.1

-      - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
+      - uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
        continue-on-error: true
        with:
          # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
@@ -100,9 +100,9 @@ jobs:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}
          target-as-trusted-at: ${{ inputs.targetSha }}

-      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+      - uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd # v31.9.1

-      - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
+      - uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
        continue-on-error: true
        with:
          # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
@@ -139,7 +139,7 @@ jobs:
          persist-credentials: true # Needed to run git fetch for large PRs.
          path: trusted
      - name: Check commit messages
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const checkCommitMessages = require('./trusted/ci/github-script/lint-commits.js')
--- a/.github/workflows/merge-group.yml
+++ b/.github/workflows/merge-group.yml
@@ -32,7 +32,7 @@ jobs:
            ci/github-script/supportedSystems.js

      - id: prepare
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          MERGED_SHA: ${{ inputs.mergedSha }}
          TARGET_SHA: ${{ inputs.targetSha }}
@@ -125,7 +125,7 @@ jobs:
    permissions:
      statuses: write # creating 'no PR failures' commit status
    steps:
-      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          RESULTS: ${{ toJSON(needs.*.result) }}
        with:
--- a/.github/workflows/periodic-merge-24h.yml
+++ b/.github/workflows/periodic-merge-24h.yml
@@ -22,7 +22,7 @@ defaults:

 jobs:
  periodic-merge:
-    if: github.repository_owner == 'NixOS' || github.event_name == 'workflow_dispatch'
+    if: github.repository_owner == 'NixOS'
    strategy:
      # don't fail fast, so that all pairs are tried
      fail-fast: false
@@ -35,14 +35,6 @@ jobs:
            into: staging-next-25.11
          - from: staging-next-25.11
            into: staging-25.11
-          - from: release-25.11
-            into: staging-nixos-25.11
-          - from: release-26.05
-            into: staging-next-26.05
-          - from: staging-next-26.05
-            into: staging-26.05
-          - from: release-26.05
-            into: staging-nixos-26.05
          - name: merge-base(master,staging) → haskell-updates
            from: master staging
            into: haskell-updates
@@ -53,34 +45,3 @@ jobs:
    name: ${{ matrix.pairs.name || format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
    secrets:
      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-
-  # Resets the target branch of the current haskell-updates PR.
-  # This makes GitHub hide all the commits that are already part of staging and gives us a much clearer PR view.
-  haskell-updates:
-    needs: periodic-merge
-    runs-on: ubuntu-slim
-    permissions:
-      pull-requests: write
-    steps:
-      - name: Find PR and update target branch
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          script: |
-            // There will at most be a single haskell-updates PR anyway, so no need to paginate.
-            await Promise.all(
-              (
-                await github.rest.pulls.list({
-                  ...context.repo,
-                  state: 'open',
-                  head: `${context.repo.owner}:haskell-updates`,
-                })
-              ).data.map((pr) =>
-                github.rest.pulls.update({
-                  ...context.repo,
-                  pull_number: pr.number,
-                  // Just updating to the same branch to trigger a UI update.
-                  // This is staging most of the time, but could be staging-next in rare cases.
-                  base: pr.base.ref,
-                }),
-              ),
-            )
--- a/.github/workflows/periodic-merge-6h.yml
+++ b/.github/workflows/periodic-merge-6h.yml
@@ -22,7 +22,7 @@ defaults:

 jobs:
  periodic-merge:
-    if: github.repository_owner == 'NixOS' || github.event_name == 'workflow_dispatch'
+    if: github.repository_owner == 'NixOS'
    strategy:
      # don't fail fast, so that all pairs are tried
      fail-fast: false
--- a/.github/workflows/periodic-merge.yml
+++ b/.github/workflows/periodic-merge.yml
@@ -26,10 +26,10 @@ jobs:
    steps:
      # Use a GitHub App to create the PR so that CI gets triggered
      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        id: app-token
        with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-contents: write
          permission-pull-requests: write
@@ -60,10 +60,10 @@ jobs:
          github_token: ${{ steps.app-token.outputs.token }}

      - name: Comment on failure
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
        if: ${{ failure() }}
-        env:
-          BODY_TEXT: |
+        with:
+          issue-number: 105153
+          body: |
            Periodic merge from `${{ inputs.from }}` into [`${{ inputs.into }}`](https://github.com/NixOS/nixpkgs/tree/${{ inputs.into }}) has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: |
-          gh pr comment 105153 --body "$BODY_TEXT"
+          token: ${{ steps.app-token.outputs.token }}
--- a/.github/workflows/pull-request-target.yml
+++ b/.github/workflows/pull-request-target.yml
@@ -10,12 +10,6 @@ on:
    secrets:
      NIXPKGS_CI_APP_PRIVATE_KEY:
        required: true
-      NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY:
-        required: true
-      NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY:
-        required: true
-      NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY:
-        required: true

 concurrency:
  group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
@@ -42,21 +36,9 @@ jobs:
          sparse-checkout-cone-mode: true # default, for clarity
          sparse-checkout: |
            ci/github-script
-
-      # It's fine to reuse this app in the 'eval / compare' job,
-      # because this job has to run before that one.
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID && github.actor != 'dependabot[bot]'
-        id: app-token
-        with:
-          client-id: ${{ vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID }}
-          private-key: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }}
-          permission-pull-requests: write
-
      - id: prepare
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
-          github-token: ${{ steps.app-token.outputs.token || github.token }}
          retries: 10
          # The default for this includes code 422, which happens regularly for us when comparing commits:
          #   422 - Server Error: Sorry, this diff is taking too long to generate.
@@ -78,9 +60,6 @@ jobs:
    permissions:
      # cherry-picks
      pull-requests: write
-    secrets:
-      NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }}
-      NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }}
    with:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      headBranch: ${{ needs.prepare.outputs.headBranch }}
@@ -103,8 +82,6 @@ jobs:
      # compare
      pull-requests: write
      statuses: write
-    secrets:
-      NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }}
    with:
      artifact-prefix: ${{ inputs.artifact-prefix }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
@@ -149,7 +126,7 @@ jobs:
    permissions:
      statuses: write
    steps:
-      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          RESULTS: ${{ toJSON(needs.*.result) }}
        with:
--- a/.github/workflows/review.yml
+++ b/.github/workflows/review.yml
@@ -27,15 +27,15 @@ jobs:
            ci/github-script

      # Use the GitHub App to make sure the reaction happens with the same user who will later merge.
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_CLIENT_ID
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
        id: app-token
        with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-pull-requests: write

-      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ steps.app-token.outputs.token || github.token }}
          retries: 3
--- a/.github/workflows/teams.yml
+++ b/.github/workflows/teams.yml
@@ -19,10 +19,10 @@ jobs:
    steps:
      # Use a GitHub App to create the PR so that CI gets triggered and to
      # request team member lists.
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        id: app-token
        with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-contents: write
@@ -41,7 +41,7 @@ jobs:
        run: npm install bottleneck@2.19.5

      - name: Synchronise teams
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          script: |
@@ -64,7 +64,7 @@ jobs:
          echo "git-string=$name <$email>" >> "$GITHUB_OUTPUT"

      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          token: ${{ steps.app-token.outputs.token }}
          add-paths: maintainers/github-teams.json
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -26,7 +26,7 @@ jobs:
          sparse-checkout: |
            ci/github-script
      - id: prepare
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          retries: 10
          # The default for this includes code 422, which happens regularly for us when comparing commits:
@@ -45,7 +45,7 @@ jobs:

      - name: Determine changed files
        id: files
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const files = (await github.paginate(github.rest.pulls.listFiles, {
@@ -62,7 +62,6 @@ jobs:
              '.github/workflows/merge-group.yml',
              '.github/workflows/test.yml',
              'ci/github-script/supportedSystems.js',
-              'ci/pinned.json',
              'ci/supportedBranches.js',
            ].includes(file))) core.setOutput('merge-group', true)

@@ -78,7 +77,6 @@ jobs:
              'ci/github-script/bot.js',
              'ci/github-script/check-target-branch.js',
              'ci/github-script/commits.js',
-              'ci/github-script/get-pr-commit-details.js',
              'ci/github-script/lint-commits.js',
              'ci/github-script/merge.js',
              'ci/github-script/prepare.js',
@@ -86,7 +84,6 @@ jobs:
              'ci/github-script/reviews.js',
              'ci/github-script/supportedSystems.js',
              'ci/github-script/withRateLimit.js',
-              'ci/pinned.json',
              'ci/supportedBranches.js',
            ].includes(file))) core.setOutput('pr', true)

@@ -116,8 +113,5 @@ jobs:
      statuses: write # unused on pull_request, required by PR workflow
    secrets:
      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-      NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }}
-      NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }}
-      NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }}
    with:
      artifact-prefix: pr-
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -10,5 +10,3 @@
 rules:
  dangerous-triggers:
    disable: true
-  secrets-outside-env:
-    disable: true
--- a/.mailmap
+++ b/.mailmap
@@ -22,7 +22,6 @@ Lin Jian <me@linj.tech> <75130626+jian-lin@users.noreply.github.com>
 Martin Weinelt <hexa@darmstadt.ccc.de> <mweinelt@users.noreply.github.com>
 Martin Häcker <spamfaenger@gmx.de> <spamfaenger@gmx.de>
 moni <lythe1107@gmail.com> <lythe1107@icloud.com>
-Noah Biewesch <dev@noahbiewesch.com> <90870942+trueNAHO@users.noreply.github.com>
 quantenzitrone <nix@dev.quantenzitrone.eu>
 quantenzitrone <nix@dev.quantenzitrone.eu> <74491719+Quantenzitrone@users.noreply.github.com>
 quantenzitrone <nix@dev.quantenzitrone.eu> <74491719+quantenzitrone@users.noreply.github.com>
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -206,7 +206,7 @@ For example, if you make a change to `texlive`, you probably would only check th

 #### Meets Nixpkgs contribution standards

-The last two checkboxes are about whether it fits the guidelines in this `CONTRIBUTING.md` file.
+The last checkbox is about whether it fits the guidelines in this `CONTRIBUTING.md` file.
 This document details our standards for commit messages, reviews, licensing of contributions, etc...
 Everyone should read and understand these standards before submitting a pull request.

@@ -442,7 +442,6 @@ The staging workflow is used for all stable branches with corresponding names:
 - `master`/`release-YY.MM`
 - `staging`/`staging-YY.MM`
 - `staging-next`/`staging-next-YY.MM`
- `staging-nixos`/`staging-nixos-YY.MM`

 [^1]: Except changes that cause no more rebuilds than kernel updates

@@ -506,7 +505,7 @@ These PRs go to `staging-nixos`, see [the next section for more context](#change
 Changes causing a rebuild of all NixOS tests get a special [`10.rebuild-nixos-tests`](https://github.com/NixOS/nixpkgs/issues?q=state%3Aopen%20label%3A10.rebuild-nixos-tests) label.
 These changes pose a significant impact on the build infrastructure.

-Hence, these PRs should either target a `staging`-branch or `staging-nixos`-branch, provided one of following conditions applies:
+Hence, these PRs should either target a `staging`-branch or `staging-nixos`, provided one of following conditions applies:

 * The label `10.rebuild-nixos-tests` is set, or
 * The PR is a change affecting the Linux kernel.
@@ -889,77 +888,3 @@ As mentioned previously, it is unfortunately perfectly normal for a PR to sit ar

 Please don't blow up situations where progress is happening but is merely not going fast enough for your tastes.
 Honking in a traffic jam will not make you go any faster.
-
-# Automation/AI policy
-
-Every contribution to Nixpkgs and related development venues, including code, documentation, and communication on GitHub and Matrix, must have a **responsible person in the loop** who is accountable for that contribution and reviews it before submission, and must **transparently disclose** any non‐trivial use of automation to produce it, including but not limited to LLM‐based AI tools.
-
-The following sections give more detail.
-
-## Scope
-
-Any use of automated tools to generate non‐trivial amounts of output as part of a contribution, in whole or in part, verbatim or edited, is covered by this policy, except as listed in the Exemptions section.
-Both LLM‐based AI tools and hand‐written automation are covered.
-Contributions include code and documentation in commits, commit messages, pull request summaries and reviews, issue and vulnerability reports, GitHub comments, Matrix messages, and Discourse posts.
-The covered venues are the GitHub repositories for Nixpkgs and [related projects](https://github.com/orgs/NixOS/teams/nixpkgs-core/repositories) under the jurisdiction of the Nixpkgs core team, Matrix rooms that are focused on development of those projects, and Discourse topics about Nixpkgs development.
-
-## Accountability
-
-Everyone who submits a contribution to Nixpkgs is responsible for it, regardless of the use of automated tooling.
-Before submission, they must establish a reasonable level of understanding of the contribution and expectation of its correctness.
-A contributor submitting a contribution intended for inclusion in Nixpkgs is also responsible for ensuring that it is [appropriately licensed](https://github.com/NixOS/nixpkgs/blob/master/COPYING) and credited, and not encumbered by any incompatible copyright.
-
-When output from automated tooling is used in contributions, a contributor must establish confidence in that output.
-This can be achieved by establishing confidence in the correctness of the tooling’s logic, manual review of the included output, or using further automation to verify the output (e.g. programmatically checking whether a refactor avoids causing rebuilds).
-As the inner workings of LLM‐based AI tools cannot be sufficiently understood at present, only the latter two options are available when those are used; vibe coding without review is not permitted.
-When automation is used to verify output, the verification tooling itself must be disclosed and reviewed in line with this policy.
-
-This policy applies equally to any further discussion of a contribution.
-Comments and reviews must separately satisfy the same requirements of understanding, review, and disclosure.
-Contributors are expected to be able to answer questions about their contribution and respond to feedback appropriately, without simply forwarding messages back and forth to automated tools.
-
-It is not permitted to submit automated contributions without any manual review or intervention, outside of standard community automation.
-Automation without any manual review must not be used as the sole arbiter of whether to merge a change.
-
-## Transparency
-
-All covered use of automated tooling for a contribution must be disclosed as part of that contribution.
-
-In the case of LLM‐based AI tooling used for commits, this **must** be in the form of an `Assisted-by:` Git commit trailer, including at least the tool name and the primary model name and version used for the contribution.
-A `Co-authored-by:` trailer does not satisfy this policy.
-
-Any adequate form of disclosure is permitted for other kinds of tooling and contribution.
-Pull request summaries and review comments must be disclosed separately to commits.
-
-## Exemptions
-
-The following situations are fully or partially exempt:
-
-* Use of standard deterministic editor/IDE/formatter/text transformation tooling to produce changes that the author manually reviews and understands is exempt, including inline “auto‐completion” (even if LLM‐based) of short, rote snippets of text that do not contribute anything beyond boilerplate the author would have written anyway.
-
-* Use of standard community automation is exempt, such as `nix-update`, the official Nixpkgs CI bots, the @r-ryantm update bot, other maintainer‐approved bots that run update scripts, and the Nixpkgs security tracker bot.
-
-* Use of AI tools for research, testing, debugging, or private review is out of scope, if no substantial amount of their output is included in the resulting contribution.
-  However, if these tools had a significant technical influence on your contribution, you are still responsible for it per the Accountability section, and are expected to disclose this where relevant.
-
-* Use of machine translation is exempt from the requirement to understand the translated output.
-  However, the requirements of appropriate confidence in the original text, responsibility, and disclosure still apply, and you are encouraged to additionally include the original untranslated contribution.
-
-* Use of automation in a contribution clearly marked as not being ready for merge (e.g. a draft pull request) is exempt from the requirement for full self‐review, as long as some amount of review has been done and it is expected that the requirements will be met by the time it is marked as ready.
-  This does not waive any other requirement.
-
-* Use of automated tools to develop upstream software packaged inside Nixpkgs is not in scope.
-
-## Enforcement
-
-If you believe that someone is using automation without appropriate disclosure and review, you can politely ask them if that’s the case and point them to this policy as appropriate.
-Please assume good faith and remain civil; it’s not always possible to determine, and it is more likely that someone overlooked this policy than deliberately violated it.
-If you think someone is continuing to break the policy after this, please escalate to the [Nixpkgs core team](https://nixos.org/community/teams/nixpkgs-core/) rather than fighting over it.
-
-If a contribution is clearly in violation of the policy (e.g. the contributor admits it was not followed, or there are AI tool attributions that do not meet our required format), it can be closed or hidden, preferably after informing the contributor of the policy and giving them a chance to address the violations.
-Deliberate violations of this policy are considered to break the [Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) clause against “Wasting other people’s time with low quality contributions, including but not limited to LLM and bot spam”.
-Repeated violations are grounds for further moderation action.
-
-## Credits
-
-This policy takes inspiration from similar policies in [LLVM](https://llvm.org/docs/AIToolPolicy.html), [Mesa](https://gitlab.freedesktop.org/mesa/mesa/-/blob/mesa-26.1.0-rc1/docs/submittingpatches.rst?ref_type=tags), [Fedora](https://docs.fedoraproject.org/en-US/council/policy/ai-contribution-policy/), and the [Linux kernel](https://docs.kernel.org/7.0/process/coding-assistants.html), along with [a proposal by the author of Anubis](https://xeiaso.net/notes/2025/assisted-by-footer/).
--- a/ci/OWNERS
+++ b/ci/OWNERS
@@ -21,15 +21,15 @@
 /ci/OWNERS                              @infinisil @philiptaron

 # Development support
-/.editorconfig @Mic92
+/.editorconfig @Mic92 @zowoq
 /shell.nix @infinisil @NixOS/Security

 # Libraries
 /lib                        @infinisil @hsjobeki
-/lib/generators.nix         @infinisil @hsjobeki
-/lib/cli.nix                @infinisil @hsjobeki
-/lib/debug.nix              @infinisil @hsjobeki
-/lib/asserts.nix            @infinisil @hsjobeki
+/lib/generators.nix         @infinisil @hsjobeki @Profpatsch
+/lib/cli.nix                @infinisil @hsjobeki @Profpatsch
+/lib/debug.nix              @infinisil @hsjobeki @Profpatsch
+/lib/asserts.nix            @infinisil @hsjobeki @Profpatsch
 /lib/path/*                 @infinisil @hsjobeki
 /lib/fileset                @infinisil @hsjobeki
 /maintainers/github-teams.json @infinisil
@@ -75,7 +75,7 @@
 /pkgs/pkgs-lib                                   @Stunkymonkey @h7x4

 # Nixpkgs build-support
-/pkgs/build-support/writers @lassulus
+/pkgs/build-support/writers @lassulus @Profpatsch

 # Nixpkgs make-disk-image
 /doc/build-helpers/images/makediskimage.section.md  @raitobezarius
@@ -124,7 +124,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @Artturin @Ericson2314 @lo

 # NixOS integration test driver
 /nixos/lib/test-driver  @tfc
-/nixos/lib/testing      @tfc

 # NixOS QEMU virtualisation
 /nixos/modules/virtualisation/qemu-vm.nix                 @raitobezarius
@@ -220,10 +219,10 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @Artturin @Ericson2314 @lo
 /pkgs/development/r-modules         @jbedo

 # Rust
-/pkgs/development/compilers/rust @alyssais @Mic92 @winterqt
-/pkgs/build-support/rust @winterqt
+/pkgs/development/compilers/rust @alyssais @Mic92 @zowoq @winterqt
+/pkgs/build-support/rust @zowoq @winterqt
 /pkgs/build-support/rust/fetch-cargo-vendor* @TomaSajt
-/doc/languages-frameworks/rust.section.md @winterqt
+/doc/languages-frameworks/rust.section.md @zowoq @winterqt

 # Tcl
 /pkgs/development/interpreters/tcl  @fgaz
@@ -269,7 +268,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/applications/editors/jetbrains @leona-ya @theCapypara

 # Licenses
-/lib/licenses @alyssais @emilazy @jopejoe1
+/lib/licenses.nix @alyssais @emilazy @jopejoe1

 # Qt
 /pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000 @ttuegel
@@ -295,6 +294,9 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /nixos/modules/services/databases/mysql.nix     @6543
 /nixos/modules/services/backup/mysql-backup.nix @6543

+# Hardened profile & related modules
+/pkgs/os-specific/linux/kernel/hardened/        @fabianhjr
+
 # Home Automation
 /nixos/modules/services/home-automation/home-assistant.nix @mweinelt
 /nixos/modules/services/home-automation/zigbee2mqtt.nix @mweinelt
@@ -304,14 +306,8 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/by-name/es/esphome @mweinelt

 # Linux kernel
-/doc/packages/linux.section.md @NixOS/linux-kernel
-/lib/kernel.nix @NixOS/linux-kernel
-/nixos/doc/manual/configuration/linux-kernel.chapter.md @NixOS/linux-kernel
-/nixos/modules/system/boot/kernel.nix @NixOS/linux-kernel
-/nixos/tests/kernel-generic/ @NixOS/linux-kernel
-/pkgs/build-support/kernel/ @NixOS/linux-kernel
-/pkgs/os-specific/linux/kernel/ @NixOS/linux-kernel
 /pkgs/top-level/linux-kernels.nix @NixOS/linux-kernel
+/pkgs/os-specific/linux/kernel/ @NixOS/linux-kernel

 # Network Time Daemons
 /pkgs/by-name/ch/chrony @thoughtpolice
@@ -339,8 +335,8 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/build-support/dlang @jtbx @TomaSajt

 # Dhall
-/pkgs/development/dhall-modules      @Gabriella439
-/pkgs/development/interpreters/dhall @Gabriella439
+/pkgs/development/dhall-modules      @Gabriella439 @Profpatsch
+/pkgs/development/interpreters/dhall @Gabriella439 @Profpatsch

 # Agda
 /pkgs/build-support/agda                  @NixOS/agda
@@ -353,6 +349,9 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/development/idris-modules @Infinisil
 /pkgs/development/compilers/idris2 @mattpolzin

+# Bazel
+/pkgs/by-name/ba/bazel_7 @Profpatsch
+
 # NixOS modules for e-mail and dns services
 /nixos/modules/services/mail/mailman.nix    @peti
 /nixos/modules/services/mail/postfix.nix    @peti
@@ -377,9 +376,6 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt

 # VimPlugins
 /pkgs/applications/editors/vim/plugins         @NixOS/neovim
-## nvim-treesitter
-/pkgs/applications/editors/vim/plugins/nvim-treesitter/overrides.nix @NixOS/neovim @figsoda
-/pkgs/applications/editors/vim/plugins/utils/nvim-treesitter         @NixOS/neovim @figsoda

 # VsCode Extensions
 /pkgs/applications/editors/vscode/extensions
@@ -481,7 +477,7 @@ pkgs/by-name/lx/lxc*                    @adamcstephens
 /pkgs/desktops/expidus              @RossComputerGuy

 # GNU Tar & Zip
-/pkgs/by-name/gn/gnutar        @RossComputerGuy
+/pkgs/tools/archivers/gnutar        @RossComputerGuy
 /pkgs/by-name/zi/zip           @RossComputerGuy

 # SELinux
@@ -496,7 +492,7 @@ pkgs/by-name/lx/lxc*                    @adamcstephens

 # Darwin
 /pkgs/by-name/ap/apple-sdk                     @NixOS/darwin-core
-/pkgs/os-specific/darwin                       @NixOS/darwin-core
+/pkgs/os-specific/darwin/apple-source-releases @NixOS/darwin-core
 /pkgs/stdenv/darwin                            @NixOS/darwin-core

 # BEAM
@@ -506,7 +502,7 @@ pkgs/development/interpreters/elixir/   @NixOS/beam
 pkgs/development/interpreters/lfe/      @NixOS/beam

 # Authelia
-pkgs/by-name/au/authelia/ @06kellyjac @nicomem
+pkgs/by-name/au/authelia/ @06kellyjac @dit7ya @nicomem

 # OctoDNS
 pkgs/by-name/oc/octodns/ @anthonyroussel
@@ -523,10 +519,3 @@ pkgs/by-name/wa/warp-terminal/  @emilytrau @imadnyc @FlameFlag @johnrtitor
 /pkgs/build-support/build-nim-package.nix @NixOS/nim
 /pkgs/build-support/build-nim-sbom.nix    @NixOS/nim
 /pkgs/top-level/nim-overrides.nix         @NixOS/nim
-
-# Radicle
-/pkgs/build-support/fetchradicle/      @NixOS/radicle
-/pkgs/build-support/fetchradiclepatch/ @NixOS/radicle
-
-# Zellij plugins
-/pkgs/by-name/ze/zellij/plugins/   @PerchunPak
--- a/ci/default.nix
+++ b/ci/default.nix
@@ -184,10 +184,9 @@ rec {
    nix = pkgs.nixVersions.latest;
  };
  parse = pkgs.lib.recurseIntoAttrs {
-    nix_latest = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.latest; };
-    nix_2_28 = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.nix_2_28; };
+    latest = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.latest; };
    lix = pkgs.callPackage ./parse.nix { nix = pkgs.lix; };
-    lix_latest = pkgs.callPackage ./parse.nix { nix = pkgs.lixPackageSets.latest.lix; };
+    nix_2_28 = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.nix_2_28; };
  };
  shell = import ../shell.nix { inherit nixpkgs system; };
  tarball = import ../pkgs/top-level/make-tarball.nix {
--- a/ci/eval/compare/default.nix
+++ b/ci/eval/compare/default.nix
@@ -74,38 +74,9 @@ let
        {
          attrdiff: {
            added: ["package1"],
-            changed: ["package2", "package3", "package4"],
+            changed: ["package2", "package3"],
            removed: ["package4"],
          },
-          attrdiffByKernel: {
-            darwin: {
-              added: [],
-              changed: ["package2", "package4"],
-              removed: ["package4"],
-            },
-            linux: {
-              added: ["package1"],
-              changed: ["package3", "package4"],
-              removed: [],
-            },
-          },
-          attrdiffByPlatform: {
-            aarch64-darwin: {
-              added: [],
-              changed: ["package2"],
-              removed: ["package4"],
-            },
-            aarch64-linux: {
-              added: ["package1"],
-              changed: ["package3"],
-              removed: [],
-            },
-            x86_64-linux: {
-              added: [],
-              changed: ["package4"],
-              removed: [],
-            },
-          },
          labels: {
            "10.rebuild-darwin: 1-10": true,
            "10.rebuild-linux: 1-10": true
@@ -142,8 +113,6 @@ let
  inherit (import ./utils.nix { inherit lib; })
    groupByKernel
    convertToPackagePlatformAttrs
-    groupAttrdiffByKernel
-    groupAttrdiffByPlatform
    groupByPlatform
    extractPackageNames
    getLabels
@@ -154,29 +123,21 @@ let
  # - values: lists of `packagePlatformPath`s
  diffAttrs = builtins.fromJSON (builtins.readFile "${combined}/combined-diff.json");

+  changedPackagePlatformAttrs = convertToPackagePlatformAttrs diffAttrs.changed;
  rebuildsPackagePlatformAttrs = convertToPackagePlatformAttrs diffAttrs.rebuilds;
+  removedPackagePlatformAttrs = convertToPackagePlatformAttrs diffAttrs.removed;

  changed-paths =
    let
-      attrdiff = lib.mapAttrs (_: extractPackageNames) {
-        inherit (diffAttrs) added changed removed;
-      };
-      attrdiffByPlatform = groupAttrdiffByPlatform {
-        inherit (diffAttrs) added changed removed;
-      };
-      attrdiffByKernel = groupAttrdiffByKernel {
-        inherit (diffAttrs) added changed removed;
-      };
      rebuildsByPlatform = groupByPlatform rebuildsPackagePlatformAttrs;
      rebuildsByKernel = groupByKernel rebuildsPackagePlatformAttrs;
      rebuildCountByKernel = lib.mapAttrs (
        kernel: kernelRebuilds: lib.length kernelRebuilds
      ) rebuildsByKernel;
-      rebuildNames = extractPackageNames diffAttrs.rebuilds;
    in
    writeText "changed-paths.json" (
      builtins.toJSON {
-        inherit attrdiff attrdiffByKernel attrdiffByPlatform;
+        attrdiff = lib.mapAttrs (_: extractPackageNames) { inherit (diffAttrs) added changed removed; };
        inherit
          rebuildsByPlatform
          rebuildsByKernel
@@ -190,19 +151,20 @@ let
          ) rebuildsByKernel
          // {
            "10.rebuild-nixos-tests" =
-              lib.elem "nixosTests.simple-container" rebuildNames || lib.elem "nixosTests.simple-vm" rebuildNames;
+              lib.elem "nixosTests.simple" (extractPackageNames diffAttrs.rebuilds)
+              &&
+                # Only set this label when no other label with indication for staging has been set.
+                # This avoids confusion whether to target staging or batch this with kernel updates.
+                lib.last (lib.sort lib.lessThan (lib.attrValues rebuildCountByKernel)) <= 500;
          };
      }
    );

-  getMaintainers = callPackage ./maintainers.nix { };
-
  inherit
-    (getMaintainers {
-      affectedAttrPaths = map (a: a.packagePath) (
-        convertToPackagePlatformAttrs (diffAttrs.changed ++ diffAttrs.removed)
-      );
-      changedFiles = lib.importJSON touchedFilesJson;
+    (callPackage ./maintainers.nix {
+      changedattrs = lib.attrNames (lib.groupBy (a: a.name) changedPackagePlatformAttrs);
+      changedpathsjson = touchedFilesJson;
+      removedattrs = lib.attrNames (lib.groupBy (a: a.name) removedPackagePlatformAttrs);
    })
    users
    teams
@@ -219,7 +181,7 @@ runCommand "compare"
    ];
    users = builtins.toJSON users;
    teams = builtins.toJSON teams;
-    packages = builtins.toJSON (lib.map (lib.concatStringsSep ".") packages);
+    packages = builtins.toJSON packages;
    passAsFile = [
      "users"
      "teams"
--- a/ci/eval/compare/maintainers.nix
+++ b/ci/eval/compare/maintainers.nix
@@ -1,59 +1,70 @@
-# Figure out which maintainers (users/teams) are relevant for a PR:
-# - All maintainers that can be linked directly to changedFiles
-# - Maintainers of affectedAttrPaths if a file directly related to the attribute is in changedFiles
-#
-# Files and attributes are linked in various ways:
-# - pkgs/by-name/<attr>/* is linked to pkgs.<attr>
-# - The file position of various attributes of pkgs.<attr>
-# - Explicitly specified file positions in derivations
-#
-# Test with
-#   nix-instantiate --eval --strict --json test.nix -A result | jq
-#
-# Empty list as an output means success
-
-# Dependencies coming from the CI-pinned Nixpkgs
 {
  lib,
+  changedattrs,
+  changedpathsjson,
+  removedattrs,
 }:
-# Function arguments
-{
-  # Files that were changed
-  # Type: ListOf (Nixpkgs-root-relative path)
-  changedFiles,
-  # Attributes whose value was affected by the change
-  # Type: ListOf (ListOf String)
-  affectedAttrPaths,
-  # Nixpkgs used to check maintainers. Customisable for testing
-  pkgs ? import ../../.. {
+let
+  pkgs = import ../../.. {
    system = "x86_64-linux";
    # We should never try to ping maintainers through package aliases, this can only lead to errors.
    # One example case is, where an attribute is a throw alias, but then re-introduced in a PR.
    # This would trigger the throw. By disabling aliases, we can fallback gracefully below.
    config.allowAliases = false;
-    overlays = [ ];
-  },
-}:
-let
-  nixpkgsRoot = toString ../../.. + "/";
-  stripNixpkgsRootFromKeys = lib.mapAttrs' (
-    file: value: lib.nameValuePair (lib.removePrefix nixpkgsRoot file) value
-  );
+  };

-  moduleMeta = (pkgs.nixos { }).config.meta;
+  changedpaths = lib.importJSON changedpathsjson;

-  # Currently just nixos module maintainers, but in the future we can use this for code owners too
-  fileUsers = stripNixpkgsRootFromKeys moduleMeta.maintainers;
-  fileTeams = stripNixpkgsRootFromKeys moduleMeta.teams;
+  # Extract attributes that changed from by-name paths.
+  # This allows pinging reviewers for pure refactors.
+  touchedattrs = lib.pipe changedpaths [
+    (lib.filter (changed: lib.hasPrefix "pkgs/by-name/" changed && changed != "pkgs/by-name/README.md"))
+    (map (lib.splitString "/"))
+    (map (path: lib.elemAt path 3))
+    lib.unique
+  ];

-  anyMatchingFile = filename: lib.any (lib.hasPrefix filename) changedFiles;
+  anyMatchingFile = filename: lib.any (lib.hasPrefix filename) changedpaths;

  anyMatchingFiles = files: lib.any anyMatchingFile files;

+  sharded = name: "${lib.substring 0 2 name}/${name}";
+
+  attrsWithMaintainers = lib.pipe (changedattrs ++ removedattrs ++ touchedattrs) [
+    # An attribute can appear in changed/removed *and* touched
+    lib.unique
+    (map (
+      name:
+      let
+        path = lib.splitString "." name;
+        # Some packages might be reported as changed on a different platform, but
+        # not even have an attribute on the platform the maintainers are requested on.
+        # Fallback to `null` for these to filter them out below.
+        package = lib.attrByPath path null pkgs;
+      in
+      {
+        inherit name package;
+        # Adds all files in by-name to each package, no matter whether they are discoverable
+        # via meta attributes below. For example, this allows pinging maintainers for
+        # updates to .json files.
+        # TODO: Support by-name package sets.
+        filenames = lib.optional (lib.length path == 1) "pkgs/by-name/${sharded (lib.head path)}/";
+        # meta.maintainers also contains all individual team members.
+        # We only want to ping individuals if they're added individually as maintainers, not via teams.
+        users = package.meta.nonTeamMaintainers or [ ];
+        teams = package.meta.teams or [ ];
+      }
+    ))
+    # No need to match up packages without maintainers with their files.
+    # This also filters out attributes where `package = null`, which is the
+    # case for libintl, for example.
+    (lib.filter (pkg: pkg.users != [ ] || pkg.teams != [ ]))
+  ];
+
  relevantFilenames =
    drv:
    (lib.unique (
-      map (pos: lib.removePrefix nixpkgsRoot pos.file) (
+      map (pos: lib.removePrefix "${toString ../../..}/" pos.file) (
        lib.filter (x: x != null) [
          (drv.meta.maintainersPosition or null)
          (drv.meta.teamsPosition or null)
@@ -76,84 +87,50 @@ let
      )
    ));

-  relevantAffectedAttrPaths = lib.filter (
-    attrPath:
-    # Some packages might be reported as changed on a different platform, but
-    # not even have an attribute on the platform the maintainers are requested on.
-    # Fallback to `null` for these to filter them out
-    let
-      package = lib.attrByPath attrPath null pkgs;
-    in
-    package != null && anyMatchingFiles (relevantFilenames package)
-  ) affectedAttrPaths;
+  attrsWithFilenames = map (
+    pkg: pkg // { filenames = pkg.filenames ++ relevantFilenames pkg.package; }
+  ) attrsWithMaintainers;

-  # Extract attributes that changed from by-name paths.
-  # This allows pinging reviewers for pure refactors.
-  changedByNameAttrPaths = lib.pipe changedFiles [
-    (lib.filter (changed: lib.hasPrefix "pkgs/by-name/" changed))
-    (map (lib.splitString "/"))
-    # Filters out e.g. pkgs/by-name/README.md
-    (lib.filter (path: lib.length path > 3))
-    (map (path: lib.elemAt path 3))
-    (map lib.singleton)
-    # Filter out new packages
-    (lib.filter (attrPath: lib.hasAttrByPath attrPath pkgs))
-  ];
-
-  # An attribute can appear in affected *and* touched
-  attrPathsToGetMaintainersFor = lib.unique (relevantAffectedAttrPaths ++ changedByNameAttrPaths);
-
-  attrPathEntities = lib.concatMap (
-    attrPath:
-    let
-      package = lib.getAttrFromPath attrPath pkgs;
-    in
-    # meta.maintainers also contains all individual team members.
-    # We only want to ping individuals if they're added individually as maintainers, not via teams.
-    userPings { inherit attrPath; } (package.meta.nonTeamMaintainers or [ ])
-    ++ lib.concatMap (teamPings { inherit attrPath; }) (package.meta.teams or [ ])
-  ) attrPathsToGetMaintainersFor;
-
-  changedFileEntities = lib.concatMap (
-    file:
-    userPings { inherit file; } (fileUsers.${file} or [ ])
-    ++ lib.concatMap (teamPings { inherit file; }) (fileTeams.${file} or [ ])
-  ) changedFiles;
+  attrsWithModifiedFiles = lib.filter (pkg: anyMatchingFiles pkg.filenames) attrsWithFilenames;

  userPings =
-    context:
+    pkg:
    map (maintainer: {
      type = "user";
      userId = maintainer.githubId;
-      inherit context;
+      packageName = pkg.name;
    });

  teamPings =
-    context: team:
-    if team ? githubId then
+    pkg: team:
+    if team ? github then
      [
        {
          type = "team";
          teamId = team.githubId;
-          inherit context;
+          packageName = pkg.name;
        }
      ]
    else
-      userPings context team.members;
+      userPings pkg team.members;

-  byType = lib.groupBy (ping: ping.type) (attrPathEntities ++ changedFileEntities);
+  maintainersToPing = lib.concatMap (
+    pkg: userPings pkg pkg.users ++ lib.concatMap (teamPings pkg) pkg.teams
+  ) attrsWithModifiedFiles;
+
+  byType = lib.groupBy (ping: ping.type) maintainersToPing;

  byUser = lib.pipe (byType.user or [ ]) [
    (lib.groupBy (ping: toString ping.userId))
-    (lib.mapAttrs (_user: lib.map (pkg: pkg.context)))
+    (lib.mapAttrs (_user: lib.map (pkg: pkg.packageName)))
  ];
  byTeam = lib.pipe (byType.team or [ ]) [
    (lib.groupBy (ping: toString ping.teamId))
-    (lib.mapAttrs (_team: lib.map (pkg: pkg.context)))
+    (lib.mapAttrs (_team: lib.map (pkg: pkg.packageName)))
  ];
 in
 {
  users = byUser;
  teams = byTeam;
-  packages = attrPathsToGetMaintainersFor;
+  packages = lib.catAttrs "name" attrsWithModifiedFiles;
 }
--- a/ci/eval/compare/test.nix
+++ b/ci/eval/compare/test.nix
@@ -1,311 +0,0 @@
-{
-  pkgs ? import ../../.. {
-    config = { };
-    overlays = [ ];
-  },
-  lib ? pkgs.lib,
-}:
-let
-  fun = import ./maintainers.nix { inherit lib; };
-  utils = import ./utils.nix { inherit lib; };
-
-  mockPkgs =
-    {
-      packages ? [ ],
-      modules ? [ ],
-      githubTeams ? true,
-    }:
-    lib.updateManyAttrsByPath
-      (lib.imap0 (i: p: {
-        path = p;
-        update = _: {
-          meta.maintainersPosition.file = lib.concatStringsSep "/" p;
-          meta.nonTeamMaintainers = [ { githubId = i; } ];
-          meta.teams =
-            if githubTeams then [ { githubId = i + 100; } ] else [ { members = [ { githubId = i + 100; } ]; } ];
-        };
-      }) packages)
-      {
-        nixos =
-          { }:
-          {
-            config.meta.maintainers = lib.listToAttrs (
-              lib.imap0 (i: m: lib.nameValuePair m [ { githubId = i; } ]) modules
-            );
-            config.meta.teams = lib.listToAttrs (
-              lib.imap0 (
-                i: m:
-                lib.nameValuePair m (
-                  if githubTeams then [ { githubId = i + 100; } ] else [ { members = [ { githubId = i + 100; } ]; } ]
-                )
-              ) modules
-            );
-          };
-      };
-
-  tests = {
-    testEmpty = {
-      expr = fun {
-        pkgs = mockPkgs { };
-        changedFiles = [ ];
-        affectedAttrPaths = [ ];
-      };
-      expected = {
-        packages = [ ];
-        teams = { };
-        users = { };
-      };
-    };
-    testNonExistentAffected = {
-      expr = fun {
-        pkgs = mockPkgs { };
-        changedFiles = [ "a" ];
-        affectedAttrPaths = [ [ "b" ] ];
-      };
-      expected = {
-        packages = [ ];
-        teams = { };
-        users = { };
-      };
-    };
-    testIrrelevantAffected = {
-      expr = fun {
-        pkgs = mockPkgs {
-          packages = [ [ "b" ] ];
-        };
-        changedFiles = [ "a" ];
-        affectedAttrPaths = [ [ "b" ] ];
-      };
-      expected = {
-        packages = [ ];
-        teams = { };
-        users = { };
-      };
-    };
-    testRelevantAffected = {
-      expr = fun {
-        pkgs = mockPkgs {
-          packages = [ [ "b" ] ];
-        };
-        # Also tests that subpaths work
-        changedFiles = [ "b/c" ];
-        affectedAttrPaths = [ [ "b" ] ];
-      };
-      expected = {
-        packages = [ [ "b" ] ];
-        teams."100" = [
-          { attrPath = [ "b" ]; }
-        ];
-        users."0" = [
-          { attrPath = [ "b" ]; }
-        ];
-      };
-    };
-    testRelevantAffectedNonGitHub = {
-      expr = fun {
-        pkgs = mockPkgs {
-          packages = [ [ "b" ] ];
-          githubTeams = false;
-        };
-        changedFiles = [ "b/c" ];
-        affectedAttrPaths = [ [ "b" ] ];
-      };
-      expected = {
-        packages = [ [ "b" ] ];
-        teams = { };
-        users."0" = [
-          { attrPath = [ "b" ]; }
-        ];
-        users."100" = [
-          { attrPath = [ "b" ]; }
-        ];
-      };
-    };
-    testByNameChanged = {
-      expr = fun {
-        pkgs = mockPkgs {
-          packages = [ [ "hello" ] ];
-        };
-        changedFiles = [ "pkgs/by-name/he/hello/sources.json" ];
-        affectedAttrPaths = [ ];
-      };
-      expected = {
-        packages = [ [ "hello" ] ];
-        teams."100" = [
-          { attrPath = [ "hello" ]; }
-        ];
-        users."0" = [
-          { attrPath = [ "hello" ]; }
-        ];
-      };
-    };
-    testByNameNonExistentChanged = {
-      expr = fun {
-        pkgs = mockPkgs {
-          packages = [ ];
-        };
-        # Happens when a new package was added to pkgs/by-name
-        changedFiles = [ "pkgs/by-name/he/hello/sources.json" ];
-        affectedAttrPaths = [ ];
-      };
-      expected = {
-        packages = [ ];
-        teams = { };
-        users = { };
-      };
-    };
-    testByNameReadmeChanged = {
-      expr = fun {
-        pkgs = mockPkgs {
-          packages = [ [ "hello" ] ];
-        };
-        changedFiles = [ "pkgs/by-name/README.md" ];
-        affectedAttrPaths = [ ];
-      };
-      expected = {
-        packages = [ ];
-        teams = { };
-        users = { };
-      };
-    };
-    testNoDuplicates = {
-      expr = fun {
-        pkgs = mockPkgs {
-          packages = [ [ "hello" ] ];
-        };
-        changedFiles = [
-          "hello"
-          "pkgs/by-name/he/hello/sources.json"
-        ];
-        affectedAttrPaths = [ [ "hello" ] ];
-      };
-      expected = {
-        packages = [ [ "hello" ] ];
-        teams."100" = [
-          { attrPath = [ "hello" ]; }
-        ];
-        users."0" = [
-          { attrPath = [ "hello" ]; }
-        ];
-      };
-    };
-    testModuleMaintainers = {
-      expr = fun {
-        pkgs = mockPkgs {
-          modules = [ "a" ];
-        };
-        changedFiles = [ "a" ];
-        affectedAttrPaths = [ ];
-      };
-      expected = {
-        packages = [ ];
-        teams."100" = [
-          { file = "a"; }
-        ];
-        users."0" = [
-          { file = "a"; }
-        ];
-      };
-    };
-    testModuleMaintainersNonGithub = {
-      expr = fun {
-        pkgs = mockPkgs {
-          modules = [ "a" ];
-          githubTeams = false;
-        };
-        changedFiles = [ "a" ];
-        affectedAttrPaths = [ ];
-      };
-      expected = {
-        packages = [ ];
-        teams = { };
-        users."100" = [
-          { file = "a"; }
-        ];
-        users."0" = [
-          { file = "a"; }
-        ];
-      };
-    };
-    testGroupAttrdiffByPlatform = {
-      expr = utils.groupAttrdiffByPlatform {
-        added = [
-          "new-tool.aarch64-linux"
-          "new-tool.x86_64-darwin"
-        ];
-        changed = [
-          "updated-tool.x86_64-darwin"
-          "shared-tool.x86_64-darwin"
-        ];
-        removed = [
-          "removed-tool.aarch64-darwin"
-          "shared-tool.aarch64-darwin"
-        ];
-      };
-      expected = {
-        aarch64-darwin = {
-          added = [ ];
-          changed = [ ];
-          removed = [
-            "removed-tool"
-            "shared-tool"
-          ];
-        };
-        aarch64-linux = {
-          added = [ "new-tool" ];
-          changed = [ ];
-          removed = [ ];
-        };
-        x86_64-darwin = {
-          added = [ "new-tool" ];
-          changed = [
-            "shared-tool"
-            "updated-tool"
-          ];
-          removed = [ ];
-        };
-      };
-    };
-    testGroupAttrdiffByKernel = {
-      expr =
-        let
-          grouped = utils.groupAttrdiffByKernel {
-            added = [
-              "new-tool.aarch64-linux"
-              "new-tool.x86_64-darwin"
-            ];
-            changed = [
-              "updated-tool.x86_64-darwin"
-              "shared-tool.x86_64-darwin"
-            ];
-            removed = [
-              "removed-tool.aarch64-darwin"
-              "shared-tool.aarch64-darwin"
-            ];
-          };
-        in
-        lib.mapAttrs (_: diff: lib.mapAttrs (_: lib.sort lib.lessThan) diff) grouped;
-      expected = {
-        darwin = {
-          added = [ "new-tool" ];
-          changed = [
-            "shared-tool"
-            "updated-tool"
-          ];
-          removed = [
-            "removed-tool"
-            "shared-tool"
-          ];
-        };
-        linux = {
-          added = [ "new-tool" ];
-          changed = [ ];
-          removed = [ ];
-        };
-      };
-    };
-  };
-in
-{
-  result = lib.runTests tests;
-}
--- a/ci/eval/compare/utils.nix
+++ b/ci/eval/compare/utils.nix
@@ -150,50 +150,6 @@ rec {
    in
    lib.genAttrs [ "linux" "darwin" ] filterKernel;

-  /*
-    Group an attrdiff-style mapping by a derived key such as platform or kernel.
-
-    Turns
-      {
-        added = [ "new-tool.aarch64-linux" "new-tool.x86_64-darwin" ];
-        changed = [ "updated-tool.x86_64-darwin" "shared-tool.x86_64-darwin" ];
-        removed = [ "removed-tool.aarch64-darwin" "shared-tool.aarch64-darwin" ];
-      }
-    into
-      {
-        aarch64-darwin = {
-          added = [ ];
-          changed = [ ];
-          removed = [ "removed-tool" "shared-tool" ];
-        };
-        aarch64-linux = {
-          added = [ "new-tool" ];
-          changed = [ ];
-          removed = [ ];
-        };
-        x86_64-darwin = {
-          added = [ "new-tool" ];
-          changed = [ "shared-tool" "updated-tool" ];
-          removed = [ ];
-        };
-      }
-    when used with `groupByPlatform`.
-  */
-  groupAttrdiffBy =
-    grouper: attrdiff:
-    let
-      groupedByKind = lib.mapAttrs (
-        _: packagePlatformPaths:
-        grouper (convertToPackagePlatformAttrs (uniqueStrings packagePlatformPaths))
-      ) attrdiff;
-      groups = uniqueStrings (lib.flatten (map builtins.attrNames (lib.attrValues groupedByKind)));
-    in
-    lib.genAttrs groups (group: lib.mapAttrs (_: byGroup: byGroup.${group} or [ ]) groupedByKind);
-
-  groupAttrdiffByPlatform = groupAttrdiffBy groupByPlatform;
-
-  groupAttrdiffByKernel = groupAttrdiffBy groupByKernel;
-
  /*
    Maps an attrs of `kernel - rebuild counts` mappings to an attrs of labels

--- a/ci/eval/outpaths.nix
+++ b/ci/eval/outpaths.nix
@@ -108,8 +108,6 @@ in
 tweak (
  (removeAttrs nixpkgsJobs blacklist)
  // {
-    nixosTests = lib.filterAttrs (
-      name: _: name == "simple-container" || name == "simple-vm"
-    ) nixosJobs.tests;
+    nixosTests = lib.filterAttrs (name: _: name == "simple") nixosJobs.tests;
  }
 )
--- a/ci/github-script/bot.js
+++ b/ci/github-script/bot.js
@@ -1,6 +1,6 @@
 module.exports = async ({ github, context, core, dry }) => {
  const path = require('node:path')
-  const { DefaultArtifactClient } = await import('@actions/artifact')
+  const { DefaultArtifactClient } = require('@actions/artifact')
  const { readFile, writeFile } = require('node:fs/promises')
  const withRateLimit = require('./withRateLimit.js')
  const { classify } = require('../supportedBranches.js')
--- a/ci/github-script/check-target-branch.js
+++ b/ci/github-script/check-target-branch.js
@@ -25,16 +25,6 @@ async function checkTargetBranch({ github, context, core, dry }) {
   *   changed: string[],
   *   removed: string[],
   *  },
-   *  attrdiffByKernel: Record<string, {
-   *   added: string[],
-   *   changed: string[],
-   *   removed: string[],
-   *  }>,
-   *  attrdiffByPlatform: Record<string, {
-   *   added: string[],
-   *   changed: string[],
-   *   removed: string[],
-   *  }>,
   *  labels: Record<string, boolean>,
   *  rebuildCountByKernel: Record<string, number>,
   *  rebuildsByKernel: Record<string, string[]>,
@@ -99,13 +89,13 @@ async function checkTargetBranch({ github, context, core, dry }) {
    ...Object.values(changed.rebuildCountByKernel),
  )
  const rebuildsAllTests =
-    changed.attrdiff.changed.includes('nixosTests.simple-container') ||
-    changed.attrdiff.changed.includes('nixosTests.simple-vm')
+    changed.attrdiff.changed.includes('nixosTests.simple')

-  // https://github.com/NixOS/nixpkgs/pull/521157
-  // These should go to master and release-xx.xx when backported
+  // https://github.com/NixOS/nixpkgs/pull/481205#issuecomment-3790123921
+  // These should go to staging-nixos instead of master,
+  // but release-xx.xx (not staging-xx.xx) when backported
  let isExemptKernelUpdate = false
-  if (prInfo.changed_files === 1) {
+  if (prInfo.changed_files === 1 && base.startsWith('release-')) {
    const changedFiles = (
      await github.rest.pulls.listFiles({
        ...context.repo,
@@ -115,7 +105,7 @@ async function checkTargetBranch({ github, context, core, dry }) {
    isExemptKernelUpdate =
      changedFiles.length === 1 &&
      changedFiles[0].filename ===
-        'pkgs/os-specific/linux/kernel/xanmod-kernels.nix'
+        'pkgs/os-specific/linux/kernel/kernels-org.json'
  }

  // https://github.com/NixOS/nixpkgs/pull/483194#issuecomment-3793393218
@@ -151,19 +141,19 @@ async function checkTargetBranch({ github, context, core, dry }) {
      core,
      dry,
      body,
-      event: 'REQUEST_CHANGES',
+      event: 'COMMENT',
      reviewKey,
    })
+
+    throw new Error('This PR is against the wrong branch.')
  } else if (rebuildsAllTests && !isExemptKernelUpdate) {
    let branchText
    if (base === 'master' && maxRebuildCount >= 500) {
      branchText = '(probably either `staging-nixos` or `staging`)'
    } else if (base === 'master') {
      branchText = '(probably `staging-nixos`)'
-    } else if (maxRebuildCount >= 500) {
-      branchText = `(probably either \`staging-nixos-${split(base).version}\` or \`staging-${split(base).version}\`)`
    } else {
-      branchText = `(probably \`staging-nixos-${split(base).version}\`)`
+      branchText = `(probably \`staging-${split(base).version}\`)`
    }
    const body = [
      `The PR's base branch is set to \`${base}\`, but this PR rebuilds all NixOS tests.`,
@@ -179,9 +169,11 @@ async function checkTargetBranch({ github, context, core, dry }) {
      core,
      dry,
      body,
-      event: 'REQUEST_CHANGES',
+      event: 'COMMENT',
      reviewKey,
    })
+
+    throw new Error('This PR is against the wrong branch.')
  } else if (
    maxRebuildCount >= 500 &&
    !isExemptKernelUpdate &&
@@ -202,7 +194,7 @@ async function checkTargetBranch({ github, context, core, dry }) {
      core,
      dry,
      body,
-      event: 'REQUEST_CHANGES',
+      event: 'COMMENT',
      reviewKey,
    })
  } else {
--- a/ci/github-script/get-pr-commit-details.js
+++ b/ci/github-script/get-pr-commit-details.js
@@ -1,117 +0,0 @@
-// @ts-check
-const { promisify } = require('node:util')
-const execFile = promisify(require('node:child_process').execFile)
-
-/**
- * @typedef {{
- *  subject: string,
- *  sha: string,
- *  author: { name: string, email: string },
- *  committer: { name: string, email: string}
- *  changedPaths: string[],
- *  changedPathSegments: Set<string>,
- * }} Commit
- */
-
-/**
- * @param {{
- *  args: string[]
- *  core: import('@actions/core'),
- *  quiet?: boolean,
- *  repoPath?: string,
- * }} RunGitProps
- */
-async function runGit({ args, repoPath, core, quiet }) {
-  if (repoPath) {
-    args = ['-C', repoPath, ...args]
-  }
-
-  if (!quiet) {
-    core.info(`About to run \`git ${args.map((s) => `'${s}'`).join(' ')}\``)
-  }
-
-  return await execFile('git', args)
-}
-
-/**
- * Gets the SHA, subject and changed files for each commit in the given PR.
- *
- * Don't use GitHub API at all: the "list commits on PR" endpoint has a limit
- * of 250 commits and doesn't return the changed files.
- *
- * @param {{
- *  core: import('@actions/core'),
- *  pr: Awaited<ReturnType<InstanceType<import('@actions/github/lib/utils').GitHub>["rest"]["pulls"]["get"]>>["data"]
- *  repoPath?: string,
- * }} GetCommitMessagesForPRProps
- *
- * @returns {Promise<Commit[]>}
- */
-async function getCommitDetailsForPR({ core, pr, repoPath }) {
-  await runGit({
-    args: ['fetch', `--depth=1`, 'origin', pr.base.sha],
-    repoPath,
-    core,
-  })
-  await runGit({
-    args: ['fetch', `--depth=${pr.commits + 1}`, 'origin', pr.head.sha],
-    repoPath,
-    core,
-  })
-
-  const shas = (
-    await runGit({
-      args: [
-        'rev-list',
-        `--max-count=${pr.commits}`,
-        `${pr.base.sha}..${pr.head.sha}`,
-      ],
-      repoPath,
-      core,
-    })
-  ).stdout
-    .split('\n')
-    .map((s) => s.trim())
-    .filter(Boolean)
-
-  return Promise.all(
-    shas.map(async (sha) => {
-      // Subject, author name, author email, committer name, committer email (all tab-seperated)
-      // then a blank line, then filenames.
-      const result = (
-        await runGit({
-          args: [
-            'log',
-            '--format=%s\t%aN\t%aE\t%cN\t%cE',
-            '--name-only',
-            '-1',
-            sha,
-          ],
-          repoPath,
-          core,
-          quiet: true,
-        })
-      ).stdout.split('\n')
-
-      const [subject, authorName, authorEmail, committerName, committerEmail] =
-        result[0].split('\t')
-
-      const changedPaths = result.slice(2, -1)
-
-      const changedPathSegments = new Set(
-        changedPaths.flatMap((path) => path.split('/')),
-      )
-
-      return {
-        sha,
-        subject,
-        author: { name: authorName, email: authorEmail },
-        committer: { name: committerName, email: committerEmail },
-        changedPaths,
-        changedPathSegments,
-      }
-    }),
-  )
-}
-
-module.exports = { getCommitDetailsForPR }
--- a/ci/github-script/lint-commits.js
+++ b/ci/github-script/lint-commits.js
@@ -1,18 +1,37 @@
 // @ts-check
 const { classify } = require('../supportedBranches.js')
-const { getCommitDetailsForPR } = require('./get-pr-commit-details.js')
+const { promisify } = require('node:util')
+const execFile = promisify(require('node:child_process').execFile)

-/** @typedef {import('./get-pr-commit-details.js').Commit} Commit */
+/**
+ * @param {{
+ *  args: string[]
+ *  core: import('@actions/core'),
+ *  quiet?: boolean,
+ *  repoPath?: string,
+ * }} RunGitProps
+ */
+async function runGit({ args, repoPath, core, quiet }) {
+  if (repoPath) {
+    args = ['-C', repoPath, ...args]
+  }
+
+  if (!quiet) {
+    core.info(`About to run \`git ${args.map((s) => `'${s}'`).join(' ')}\``)
+  }
+
+  return await execFile('git', args)
+}

 /**
 * @param {{
 *  github: InstanceType<import('@actions/github/lib/utils').GitHub>,
- *  context: typeof import('@actions/github').context,
+ *  context: import('@actions/github/lib/context').Context,
 *  core: import('@actions/core'),
 *  repoPath?: string,
- * }} LintCommitsProps
+ * }} CheckCommitMessagesProps
 */
-async function lintCommits({ github, context, core, repoPath }) {
+async function checkCommitMessages({ github, context, core, repoPath }) {
  // This check should only be run when we have the pull_request context.
  const pull_number = context.payload.pull_request?.number
  if (!pull_number) {
@@ -48,81 +67,84 @@ async function lintCommits({ github, context, core, repoPath }) {
    return
  }

-  const commits = await getCommitDetailsForPR({ core, pr, repoPath })
-
-  await checkCommitMessages({ commits, core })
-  await checkCommitMetadata({ commits, core })
-}
-
-/**
- * @param {{
- *  commits: Commit[],
- *  core: import('@actions/core'),
- * }} CheckCommitMessagesProps
- */
-async function checkCommitMessages({ commits, core }) {
-  const failures = new Set()
-
-  const conventionalCommitTypes = [
-    'build',
-    'chore',
-    'ci',
-    'doc',
-    'docs',
-    'feat',
-    'feature',
-    'fix',
-    'perf',
-    'refactor',
-    'style',
-    'test',
-  ]
-
  /**
-   * @param {string[]} types e.g. ["fix", "feat"]
-   * @param {string?} sha commit hash
+   * GitHub's API will return a maximum of 250 commits.
+   * We will use it if we can, but fall back to using git locally.
+   * This type is used to abstract over the differences between the two.
+   * @type {{
+   *  message: string,
+   *  sha: string,
+   * }[]}
   */
-  function makeConventionalCommitRegex(types, sha = null) {
-    core.info(
-      `${
-        sha
-          ? `Conventional commit types for ${sha?.slice(0, 16)}`
-          : 'Default conventional commit types'
-      }: ${JSON.stringify(types)}`,
-    )
+  let commits

-    return new RegExp(`^(${types.join('|')})!?(\\(.*\\))?!?:`)
+  if (pr.commits < 250) {
+    commits = (
+      await github.paginate(github.rest.pulls.listCommits, {
+        ...context.repo,
+        pull_number,
+      })
+    ).map((commit) => ({ message: commit.commit.message, sha: commit.sha }))
+  } else {
+    await runGit({
+      args: ['fetch', `--depth=1`, 'origin', pr.base.sha],
+      repoPath,
+      core,
+    })
+    await runGit({
+      args: ['fetch', `--depth=${pr.commits + 1}`, 'origin', pr.head.sha],
+      repoPath,
+      core,
+    })
+
+    const shas = (
+      await runGit({
+        args: [
+          'rev-list',
+          `--max-count=${pr.commits}`,
+          `${pr.base.sha}..${pr.head.sha}`,
+        ],
+        repoPath,
+        core,
+      })
+    ).stdout
+      .split('\n')
+      .map((s) => s.trim())
+      .filter(Boolean)
+
+    commits = await Promise.all(
+      shas.map(async (sha) => ({
+        sha,
+        message: (
+          await runGit({
+            args: ['log', '--format=%s', '-1', sha],
+            repoPath,
+            core,
+            quiet: true,
+          })
+        ).stdout,
+      })),
+    )
  }

-  // Optimize for the common case that we don't have path segments with the
-  // same name as a conventional commit type.
-  const fullConventionalCommitRegex = makeConventionalCommitRegex(
-    conventionalCommitTypes,
-  )
+  const failures = new Set()

  for (const commit of commits) {
-    const logMsgStart = `Commit ${commit.sha}'s message's subject ("${commit.subject}")`
+    const message = commit.message
+    const firstLine = message.split('\n')[0]

-    // If we have a commit `perf: ...`, and we touch a file containing the path
-    // segment "perf", we don't want to flag this.
-    const filteredTypes = conventionalCommitTypes.filter(
-      (type) => !commit.changedPathSegments.has(type),
-    )
-    const conventionalCommitRegex =
-      filteredTypes.length === conventionalCommitTypes.length
-        ? fullConventionalCommitRegex
-        : makeConventionalCommitRegex(filteredTypes, commit.sha)
+    const logMsgStart = `Commit ${commit.sha}'s message's subject ("${firstLine}")`

-    if (!commit.subject.includes(': ')) {
+    if (!firstLine.includes(': ')) {
      core.error(
        `${logMsgStart} was detected as not meeting our guidelines because ` +
-          'it does not contain a colon followed by a whitespace. ' +
+          'it does not contain a colon followed by a whitespace.' +
          'There are likely other issues as well.',
      )
      failures.add(commit.sha)
    }

-    if (commit.subject.endsWith('.')) {
+    if (firstLine.endsWith('.')) {
      core.error(
        `${logMsgStart} was detected as not meeting our guidelines because ` +
          'it ends in a period. There may be other issues as well.',
@@ -131,25 +153,15 @@ async function checkCommitMessages({ commits, core }) {
    }

    const fixups = ['amend!', 'fixup!', 'squash!']
-    if (fixups.some((s) => commit.subject.startsWith(s))) {
+    if (fixups.some((s) => firstLine.startsWith(s))) {
      core.error(
        `${logMsgStart} was detected as not meeting our guidelines because ` +
-          `it begins with "${fixups.find((s) => commit.subject.startsWith(s))}". ` +
+          `it begins with "${fixups.find((s) => firstLine.startsWith(s))}". ` +
          'Did you forget to run `git rebase -i --autosquash`?',
      )
      failures.add(commit.sha)
    }

-    if (conventionalCommitRegex.test(commit.subject)) {
-      core.error(
-        `${logMsgStart} was detected as not meeting our guidelines because ` +
-          'it seems to use conventional commit (conventionalcommits.org) ' +
-          'formatting. Nixpkgs has its own, different, commit message ' +
-          'formatting standards.',
-      )
-      failures.add(commit.sha)
-    }
-
    if (!failures.has(commit.sha)) {
      core.info(`${logMsgStart} passed our automated checks!`)
    }
@@ -158,66 +170,11 @@ async function checkCommitMessages({ commits, core }) {
  if (failures.size !== 0) {
    core.error(
      'Please review the guidelines at ' +
-        '<https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#commit-conventions>, ' +
+        'https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#commit-conventions, ' +
        'as well as the applicable area-specific guidelines linked there.',
    )
    core.setFailed('Committers: merging is discouraged.')
  }
 }

-/**
- * @param {{
- *  commits: Commit[],
- *  core: import('@actions/core'),
- * }} CheckGitFieldsProps
- */
-async function checkCommitMetadata({ commits, core }) {
-  const failures = new Set()
-
-  /** @type {(s: string) => boolean} */
-  const isEmail = (s) => /^.+@.*$/.test(s)
-
-  for (const commit of commits) {
-    if (!commit.author.name) {
-      core.error(`Commit ${commit.sha} author's name field is missing`)
-      failures.add(commit.sha)
-    }
-
-    if (!commit.author.email || !isEmail(commit.author.email)) {
-      core.error(
-        `Commit ${commit.sha} author's email field is missing or invalid`,
-      )
-      failures.add(commit.sha)
-    }
-
-    if (!commit.committer.name) {
-      core.error(`Commit ${commit.sha} committer's name field is missing`)
-      failures.add(commit.sha)
-    }
-
-    if (!commit.committer.email || !isEmail(commit.committer.email)) {
-      core.error(
-        `Commit ${commit.sha} committer's email field is missing or invalid`,
-      )
-      failures.add(commit.sha)
-    }
-
-    if (!failures.has(commit.sha)) {
-      core.info(
-        `Commit ${commit.sha}'s git fields passed our automated checks!`,
-      )
-    }
-  }
-
-  if (failures.size !== 0) {
-    core.error(
-      'Please add the missing commit fields. ' +
-        'You can use the noreply email address generated for you by GitHub ' +
-        '(https://docs.github.com/en/account-and-profile/reference/email-addresses-reference#your-noreply-email-address) ' +
-        "if you'd like.",
-    )
-    core.setFailed('Committers: merging is discouraged.')
-  }
-}
-
-module.exports = lintCommits
+module.exports = checkCommitMessages
--- a/ci/github-script/manual-file-edits.js
+++ b/ci/github-script/manual-file-edits.js
@@ -1,95 +0,0 @@
-// @ts-check
-const { classify } = require('../supportedBranches.js')
-const { getCommitDetailsForPR } = require('./get-pr-commit-details')
-
-/**
- * @param {{
- *  github: InstanceType<import('@actions/github/lib/utils').GitHub>,
- *  context: import('@actions/github/lib/context').Context,
- *  core: import('@actions/core'),
- *  repoPath?: string,
- *  dry: boolean,
- * }} CheckManualFileEditsProps
- */
-async function checkManualFileEdits({ github, context, core, repoPath, dry }) {
-  const { dismissReviews, postReview } = require('./reviews.js')
-  const reviewKey = 'manual-file-edits'
-
-  const pull_number = context.payload.pull_request?.number
-  if (!pull_number) {
-    core.info('This is not a pull request. Skipping checks.')
-    return
-  }
-
-  const pr = (
-    await github.rest.pulls.get({
-      ...context.repo,
-      pull_number,
-    })
-  ).data
-
-  if (pr.user.login.endsWith('[bot]')) {
-    core.info('This is a bot, so these checks do not apply.')
-    return
-  }
-
-  const baseBranchType = classify(
-    pr.base.ref.replace(/^refs\/heads\//, ''),
-  ).type
-  const headBranchType = classify(
-    pr.head.ref.replace(/^refs\/heads\//, ''),
-  ).type
-
-  if (
-    baseBranchType.includes('development') &&
-    headBranchType.includes('development') &&
-    pr.base.repo.id === pr.head.repo?.id
-  ) {
-    // This matches, for example, PRs from NixOS:staging-next to NixOS:master, or vice versa.
-    // Ignore them: we should only care about PRs introducing *new* commits.
-    // We still want to run on PRs from, e.g., Someone:master to NixOS:master, though.
-    core.info(
-      'This PR is from one development branch to another. Skipping checks.',
-    )
-    return
-  }
-
-  const details = await getCommitDetailsForPR({ core, pr, repoPath })
-
-  if (
-    details.some(({ changedPaths }) =>
-      changedPaths.includes('maintainers/github-teams.json'),
-    )
-  ) {
-    postReview({
-      github,
-      context,
-      core,
-      dry,
-      event: 'REQUEST_CHANGES',
-      body: [
-        'maintainers/github-teams.json is supposed to accurately reflect the state of the teams in GitHub.\n',
-        'Therefore, it should not be edited manually.\n',
-        'All changes to teams listed in maintainers/github-teams.json should be performed in GitHub by a team maintainer.\n',
-        "Team maintainers are listed in the github-teams.json file and in GitHub's UI.\n",
-        'If there is no team maintainer available, an org owner can make the needed change, please contact one by',
-        'following the instructions at https://github.com/NixOS/org/blob/main/doc/github-org-owners.md#how-to-contact-the-team.\n',
-        'Thank you!',
-      ].reduce(
-        (prev, curr) => prev + (!prev || prev.endsWith('\n') ? '' : ' ') + curr,
-        '',
-      ),
-      reviewKey,
-    })
-  } else {
-    dismissReviews({
-      github,
-      context,
-      core,
-      dry,
-      reviewKey,
-    })
-  }
-}
-
-module.exports = checkManualFileEdits
--- a/ci/github-script/merge.js
+++ b/ci/github-script/merge.js
@@ -56,7 +56,6 @@ function runChecklist({
      'Opened by [@r-ryantm](https://nix-community.github.io/nixpkgs-update/r-ryantm/).':
        pull_request.user.login === 'r-ryantm',
    },
-    'PR is not a draft': !pull_request.draft,
  }

  if (user) {
@@ -66,9 +65,8 @@ function runChecklist({
    if (allByName) {
      // We can only determine the below, if all packages are in by-name, since
      // we can't reliably relate changed files to packages outside by-name.
-      checklist[
-        `${user.login} is a maintainer of all touched packages on the ${pull_request.base.ref} branch.`
-      ] = eligible.has(user.id)
+      checklist[`${user.login} is a maintainer of all touched packages.`] =
+        eligible.has(user.id)
    }
  } else {
    // This is only used when no user is passed, i.e. for labeling.
--- a/ci/github-script/package-lock.json
+++ b/ci/github-script/package-lock.json
@@ -4,107 +4,55 @@
  "requires": true,
  "packages": {
    "": {
-      "name": "github-script",
      "dependencies": {
-        "@actions/artifact": "6.2.1",
-        "@actions/core": "1.10.1",
-        "@actions/github": "9.1.0",
+        "@actions/artifact": "5.0.3",
+        "@actions/core": "1.11.1",
+        "@actions/github": "6.0.1",
        "bottleneck": "2.19.5",
        "commander": "14.0.3"
      }
    },
    "node_modules/@actions/artifact": {
-      "version": "6.2.1",
-      "resolved": "https://registry.npmjs.org/@actions/artifact/-/artifact-6.2.1.tgz",
-      "integrity": "sha512-sJGH0mhEbEjBCw7o6SaLhUU66u27aFW8HTfkIb5Tk2/Wy0caUDc+oYQEgnuFN7a0HCpAbQyK0U6U7XUJDgDWrw==",
+      "version": "5.0.3",
+      "resolved": "https://registry.npmjs.org/@actions/artifact/-/artifact-5.0.3.tgz",
+      "integrity": "sha512-FIEG8Kum0wABZnktJvFi1xuVPc31xrunhZwLCvjrCGISQOm0ifyo7cjqf6PHiEeqoWMa5HIGOsB+lGM4aKCseA==",
      "license": "MIT",
      "dependencies": {
-        "@actions/core": "^3.0.0",
-        "@actions/github": "^9.0.0",
-        "@actions/http-client": "^4.0.0",
-        "@azure/storage-blob": "^12.30.0",
-        "@octokit/core": "^7.0.6",
-        "@octokit/plugin-request-log": "^6.0.0",
-        "@octokit/plugin-retry": "^8.0.0",
-        "@octokit/request": "^10.0.7",
-        "@octokit/request-error": "^7.1.0",
+        "@actions/core": "^2.0.0",
+        "@actions/github": "^6.0.1",
+        "@actions/http-client": "^3.0.2",
+        "@azure/storage-blob": "^12.29.1",
+        "@octokit/core": "^5.2.1",
+        "@octokit/plugin-request-log": "^1.0.4",
+        "@octokit/plugin-retry": "^3.0.9",
+        "@octokit/request": "^8.4.1",
+        "@octokit/request-error": "^5.1.1",
        "@protobuf-ts/plugin": "^2.2.3-alpha.1",
-        "@protobuf-ts/runtime": "^2.9.4",
        "archiver": "^7.0.1",
-        "jwt-decode": "^4.0.0",
+        "jwt-decode": "^3.1.2",
        "unzip-stream": "^0.3.1"
      }
    },
    "node_modules/@actions/artifact/node_modules/@actions/core": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-3.0.1.tgz",
-      "integrity": "sha512-a6d/Nwahm9fliVGRhdhofo40HjHQasUPusmc7vBfyky+7Z+P2A1J68zyFVaNcEclc/Se+eO595oAr5nwEIoIUA==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-2.0.3.tgz",
+      "integrity": "sha512-Od9Thc3T1mQJYddvVPM4QGiLUewdh+3txmDYHHxoNdkqysR1MbCT+rFOtNUxYAz+7+6RIsqipVahY2GJqGPyxA==",
      "license": "MIT",
      "dependencies": {
-        "@actions/exec": "^3.0.0",
-        "@actions/http-client": "^4.0.0"
+        "@actions/exec": "^2.0.0",
+        "@actions/http-client": "^3.0.2"
      }
    },
    "node_modules/@actions/artifact/node_modules/@actions/exec": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-3.0.0.tgz",
-      "integrity": "sha512-6xH/puSoNBXb72VPlZVm7vQ+svQpFyA96qdDBvhB8eNZOE8LtPf9L4oAsfzK/crCL8YZ+19fKYVnM63Sl+Xzlw==",
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-2.0.0.tgz",
+      "integrity": "sha512-k8ngrX2voJ/RIN6r9xB82NVqKpnMRtxDoiO+g3olkIUpQNqjArXrCQceduQZCQj3P3xm32pChRLqRrtXTlqhIw==",
      "license": "MIT",
      "dependencies": {
-        "@actions/io": "^3.0.2"
+        "@actions/io": "^2.0.0"
      }
    },
    "node_modules/@actions/artifact/node_modules/@actions/http-client": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-4.0.1.tgz",
-      "integrity": "sha512-+Nvd1ImaOZBSoPbsUtEhv+1z99H12xzncCkz0a3RuehINE81FZSe2QTj3uvAPTcJX/SCzUQHQ0D1GrPMbrPitg==",
-      "license": "MIT",
-      "dependencies": {
-        "tunnel": "^0.0.6",
-        "undici": "^6.23.0"
-      }
-    },
-    "node_modules/@actions/artifact/node_modules/@actions/io": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/@actions/io/-/io-3.0.2.tgz",
-      "integrity": "sha512-nRBchcMM+QK1pdjO7/idu86rbJI5YHUKCvKs0KxnSYbVe3F51UfGxuZX4Qy/fWlp6l7gWFwIkrOzN+oUK03kfw==",
-      "license": "MIT"
-    },
-    "node_modules/@actions/artifact/node_modules/undici": {
-      "version": "6.25.0",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-6.25.0.tgz",
-      "integrity": "sha512-ZgpWDC5gmNiuY9CnLVXEH8rl50xhRCuLNA97fAUnKi8RRuV4E6KG31pDTsLVUKnohJE0I3XDrTeEydAXRw47xg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=18.17"
-      }
-    },
-    "node_modules/@actions/core": {
-      "version": "1.10.1",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.1.tgz",
-      "integrity": "sha512-3lBR9EDAY+iYIpTnTIXmWcNbX3T2kCkAEQGIQx4NVQ0575nk2k3GRZDTPQG+vVtS2izSLmINlxXf0uLtnrTP+g==",
-      "license": "MIT",
-      "dependencies": {
-        "@actions/http-client": "^2.0.1",
-        "uuid": "^8.3.2"
-      }
-    },
-    "node_modules/@actions/github": {
-      "version": "9.1.0",
-      "resolved": "https://registry.npmjs.org/@actions/github/-/github-9.1.0.tgz",
-      "integrity": "sha512-u0hDGQeCS+7VNoLA8hYG65RLdPLMaPGfka0sZ0up7P0AiShqfX6xcuXNteGkQ7X7Tod7AMNwHd4p7DS63i8zzA==",
-      "license": "MIT",
-      "dependencies": {
-        "@actions/http-client": "^3.0.2",
-        "@octokit/core": "^7.0.6",
-        "@octokit/plugin-paginate-rest": "^14.0.0",
-        "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
-        "@octokit/request": "^10.0.7",
-        "@octokit/request-error": "^7.1.0",
-        "undici": "^6.23.0"
-      }
-    },
-    "node_modules/@actions/github/node_modules/@actions/http-client": {
      "version": "3.0.2",
      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-3.0.2.tgz",
      "integrity": "sha512-JP38FYYpyqvUsz+Igqlc/JG6YO9PaKuvqjM3iGvaLqFnJ7TFmcLyy2IDrY0bI0qCQug8E9K+elv5ZNfw62ZJzA==",
@@ -114,15 +62,115 @@
        "undici": "^6.23.0"
      }
    },
-    "node_modules/@actions/github/node_modules/undici": {
-      "version": "6.25.0",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-6.25.0.tgz",
-      "integrity": "sha512-ZgpWDC5gmNiuY9CnLVXEH8rl50xhRCuLNA97fAUnKi8RRuV4E6KG31pDTsLVUKnohJE0I3XDrTeEydAXRw47xg==",
+    "node_modules/@actions/artifact/node_modules/@actions/io": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@actions/io/-/io-2.0.0.tgz",
+      "integrity": "sha512-Jv33IN09XLO+0HS79aaODsvIRyduiF7NY/F6LYeK5oeUmrsz7aFdRphQjFoESF4jS7lMauDOttKALcpapVDIAg==",
+      "license": "MIT"
+    },
+    "node_modules/@actions/artifact/node_modules/undici": {
+      "version": "6.23.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz",
+      "integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==",
      "license": "MIT",
      "engines": {
        "node": ">=18.17"
      }
    },
+    "node_modules/@actions/core": {
+      "version": "1.11.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz",
+      "integrity": "sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==",
+      "license": "MIT",
+      "dependencies": {
+        "@actions/exec": "^1.1.1",
+        "@actions/http-client": "^2.0.1"
+      }
+    },
+    "node_modules/@actions/exec": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
+      "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
+      "license": "MIT",
+      "dependencies": {
+        "@actions/io": "^1.0.1"
+      }
+    },
+    "node_modules/@actions/github": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/github/-/github-6.0.1.tgz",
+      "integrity": "sha512-xbZVcaqD4XnQAe35qSQqskb3SqIAfRyLBrHMd/8TuL7hJSz2QtbDwnNM8zWx4zO5l2fnGtseNE3MbEvD7BxVMw==",
+      "license": "MIT",
+      "dependencies": {
+        "@actions/http-client": "^2.2.0",
+        "@octokit/core": "^5.0.1",
+        "@octokit/plugin-paginate-rest": "^9.2.2",
+        "@octokit/plugin-rest-endpoint-methods": "^10.4.0",
+        "@octokit/request": "^8.4.1",
+        "@octokit/request-error": "^5.1.1",
+        "undici": "^5.28.5"
+      }
+    },
+    "node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest": {
+      "version": "9.2.2",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-9.2.2.tgz",
+      "integrity": "sha512-u3KYkGF7GcZnSD/3UP0S7K5XUFT2FkOQdcfXZGZQPGv3lm4F2Xbf71lvjldr8c1H3nNbF+33cLEkWYbokGWqiQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/types": "^12.6.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      },
+      "peerDependencies": {
+        "@octokit/core": "5"
+      }
+    },
+    "node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest/node_modules/@octokit/openapi-types": {
+      "version": "20.0.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-20.0.0.tgz",
+      "integrity": "sha512-EtqRBEjp1dL/15V7WiX5LJMIxxkdiGJnabzYx5Apx4FkQIFgAfKumXeYAqqJCj1s+BMX4cPFIFC4OLCR6stlnA==",
+      "license": "MIT"
+    },
+    "node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest/node_modules/@octokit/types": {
+      "version": "12.6.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-12.6.0.tgz",
+      "integrity": "sha512-1rhSOfRa6H9w4YwK0yrf5faDaDTb+yLyBUKOCV4xtCDB5VmIPqd/v9yr9o6SAzOAlRxMiRiCic6JVM1/kunVkw==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/openapi-types": "^20.0.0"
+      }
+    },
+    "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods": {
+      "version": "10.4.1",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-10.4.1.tgz",
+      "integrity": "sha512-xV1b+ceKV9KytQe3zCVqjg+8GTGfDYwaT1ATU5isiUyVtlVAO3HNdzpS4sr4GBx4hxQ46s7ITtZrAsxG22+rVg==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/types": "^12.6.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      },
+      "peerDependencies": {
+        "@octokit/core": "5"
+      }
+    },
+    "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/node_modules/@octokit/openapi-types": {
+      "version": "20.0.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-20.0.0.tgz",
+      "integrity": "sha512-EtqRBEjp1dL/15V7WiX5LJMIxxkdiGJnabzYx5Apx4FkQIFgAfKumXeYAqqJCj1s+BMX4cPFIFC4OLCR6stlnA==",
+      "license": "MIT"
+    },
+    "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/node_modules/@octokit/types": {
+      "version": "12.6.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-12.6.0.tgz",
+      "integrity": "sha512-1rhSOfRa6H9w4YwK0yrf5faDaDTb+yLyBUKOCV4xtCDB5VmIPqd/v9yr9o6SAzOAlRxMiRiCic6JVM1/kunVkw==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/openapi-types": "^20.0.0"
+      }
+    },
    "node_modules/@actions/http-client": {
      "version": "2.2.3",
      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz",
@@ -133,6 +181,12 @@
        "undici": "^5.25.4"
      }
    },
+    "node_modules/@actions/io": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz",
+      "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==",
+      "license": "MIT"
+    },
    "node_modules/@azure/abort-controller": {
      "version": "2.1.2",
      "resolved": "https://registry.npmjs.org/@azure/abort-controller/-/abort-controller-2.1.2.tgz",
@@ -164,6 +218,7 @@
      "resolved": "https://registry.npmjs.org/@azure/core-client/-/core-client-1.10.1.tgz",
      "integrity": "sha512-Nh5PhEOeY6PrnxNPsEHRr9eimxLwgLlpmguQaHKBinFYA/RU9+kOYVOQqOrTsCL+KSxrLLl1gD8Dk5BFW/7l/w==",
      "license": "MIT",
+      "peer": true,
      "dependencies": {
        "@azure/abort-controller": "^2.1.2",
        "@azure/core-auth": "^1.10.0",
@@ -225,6 +280,7 @@
      "resolved": "https://registry.npmjs.org/@azure/core-rest-pipeline/-/core-rest-pipeline-1.22.2.tgz",
      "integrity": "sha512-MzHym+wOi8CLUlKCQu12de0nwcq9k9Kuv43j4Wa++CsCpJwps2eeBQwD2Bu8snkxTtDKDx4GwjuR9E8yC8LNrg==",
      "license": "MIT",
+      "peer": true,
      "dependencies": {
        "@azure/abort-controller": "^2.1.2",
        "@azure/core-auth": "^1.10.0",
@@ -391,174 +447,197 @@
        "node": ">=12"
      }
    },
-    "node_modules/@nodable/entities": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/@nodable/entities/-/entities-2.1.0.tgz",
-      "integrity": "sha512-nyT7T3nbMyBI/lvr6L5TyWbFJAI9FTgVRakNoBqCD+PmID8DzFrrNdLLtHMwMszOtqZa8PAOV24ZqDnQrhQINA==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/nodable"
-        }
-      ],
-      "license": "MIT"
-    },
    "node_modules/@octokit/auth-token": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-6.0.0.tgz",
-      "integrity": "sha512-P4YJBPdPSpWTQ1NU4XYdvHvXJJDxM6YwpS0FZHRgP7YFkdVxsWcpWGy/NVqlAA7PcPCnMacXlRm1y2PFZRWL/w==",
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-4.0.0.tgz",
+      "integrity": "sha512-tY/msAuJo6ARbK6SPIxZrPBms3xPbfwBrulZe0Wtr/DIY9lje2HeV1uoebShn6mx7SjCHif6EjMvoREj+gZ+SA==",
      "license": "MIT",
      "engines": {
-        "node": ">= 20"
+        "node": ">= 18"
      }
    },
    "node_modules/@octokit/core": {
-      "version": "7.0.6",
-      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-7.0.6.tgz",
-      "integrity": "sha512-DhGl4xMVFGVIyMwswXeyzdL4uXD5OGILGX5N8Y+f6W7LhC1Ze2poSNrkF/fedpVDHEEZ+PHFW0vL14I+mm8K3Q==",
+      "version": "5.2.2",
+      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.2.2.tgz",
+      "integrity": "sha512-/g2d4sW9nUDJOMz3mabVQvOGhVa4e/BN/Um7yca9Bb2XTzPPnfTWHWQg+IsEYO7M3Vx+EXvaM/I2pJWIMun1bg==",
      "license": "MIT",
+      "peer": true,
      "dependencies": {
-        "@octokit/auth-token": "^6.0.0",
-        "@octokit/graphql": "^9.0.3",
-        "@octokit/request": "^10.0.6",
-        "@octokit/request-error": "^7.0.2",
-        "@octokit/types": "^16.0.0",
-        "before-after-hook": "^4.0.0",
-        "universal-user-agent": "^7.0.0"
+        "@octokit/auth-token": "^4.0.0",
+        "@octokit/graphql": "^7.1.0",
+        "@octokit/request": "^8.4.1",
+        "@octokit/request-error": "^5.1.1",
+        "@octokit/types": "^13.0.0",
+        "before-after-hook": "^2.2.0",
+        "universal-user-agent": "^6.0.0"
      },
      "engines": {
-        "node": ">= 20"
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/core/node_modules/@octokit/openapi-types": {
+      "version": "24.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
+      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
+      "license": "MIT"
+    },
+    "node_modules/@octokit/core/node_modules/@octokit/types": {
+      "version": "13.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
+      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/openapi-types": "^24.2.0"
      }
    },
    "node_modules/@octokit/endpoint": {
-      "version": "11.0.3",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-11.0.3.tgz",
-      "integrity": "sha512-FWFlNxghg4HrXkD3ifYbS/IdL/mDHjh9QcsNyhQjN8dplUoZbejsdpmuqdA76nxj2xoWPs7p8uX2SNr9rYu0Ag==",
+      "version": "9.0.6",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.6.tgz",
+      "integrity": "sha512-H1fNTMA57HbkFESSt3Y9+FBICv+0jFceJFPWDePYlR/iMGrwM5ph+Dd4XRQs+8X+PUFURLQgX9ChPfhJ/1uNQw==",
      "license": "MIT",
      "dependencies": {
-        "@octokit/types": "^16.0.0",
-        "universal-user-agent": "^7.0.2"
+        "@octokit/types": "^13.1.0",
+        "universal-user-agent": "^6.0.0"
      },
      "engines": {
-        "node": ">= 20"
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/endpoint/node_modules/@octokit/openapi-types": {
+      "version": "24.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
+      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
+      "license": "MIT"
+    },
+    "node_modules/@octokit/endpoint/node_modules/@octokit/types": {
+      "version": "13.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
+      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/openapi-types": "^24.2.0"
      }
    },
    "node_modules/@octokit/graphql": {
-      "version": "9.0.3",
-      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-9.0.3.tgz",
-      "integrity": "sha512-grAEuupr/C1rALFnXTv6ZQhFuL1D8G5y8CN04RgrO4FIPMrtm+mcZzFG7dcBm+nq+1ppNixu+Jd78aeJOYxlGA==",
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-7.1.1.tgz",
+      "integrity": "sha512-3mkDltSfcDUoa176nlGoA32RGjeWjl3K7F/BwHwRMJUW/IteSa4bnSV8p2ThNkcIcZU2umkZWxwETSSCJf2Q7g==",
      "license": "MIT",
      "dependencies": {
-        "@octokit/request": "^10.0.6",
-        "@octokit/types": "^16.0.0",
-        "universal-user-agent": "^7.0.0"
+        "@octokit/request": "^8.4.1",
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^6.0.0"
      },
      "engines": {
-        "node": ">= 20"
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/graphql/node_modules/@octokit/openapi-types": {
+      "version": "24.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
+      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
+      "license": "MIT"
+    },
+    "node_modules/@octokit/graphql/node_modules/@octokit/types": {
+      "version": "13.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
+      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/openapi-types": "^24.2.0"
      }
    },
    "node_modules/@octokit/openapi-types": {
-      "version": "27.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-27.0.0.tgz",
-      "integrity": "sha512-whrdktVs1h6gtR+09+QsNk2+FO+49j6ga1c55YZudfEG+oKJVvJLQi3zkOm5JjiUXAagWK2tI2kTGKJ2Ys7MGA==",
+      "version": "12.11.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-12.11.0.tgz",
+      "integrity": "sha512-VsXyi8peyRq9PqIz/tpqiL2w3w80OgVMwBHltTml3LmVvXiphgeqmY9mvBw9Wu7e0QWk/fqD37ux8yP5uVekyQ==",
      "license": "MIT"
    },
-    "node_modules/@octokit/plugin-paginate-rest": {
-      "version": "14.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-14.0.0.tgz",
-      "integrity": "sha512-fNVRE7ufJiAA3XUrha2omTA39M6IXIc6GIZLvlbsm8QOQCYvpq/LkMNGyFlB1d8hTDzsAXa3OKtybdMAYsV/fw==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/types": "^16.0.0"
-      },
-      "engines": {
-        "node": ">= 20"
-      },
-      "peerDependencies": {
-        "@octokit/core": ">=6"
-      }
-    },
    "node_modules/@octokit/plugin-request-log": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-request-log/-/plugin-request-log-6.0.0.tgz",
-      "integrity": "sha512-UkOzeEN3W91/eBq9sPZNQ7sUBvYCqYbrrD8gTbBuGtHEuycE4/awMXcYvx6sVYo7LypPhmQwwpUe4Yyu4QZN5Q==",
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-request-log/-/plugin-request-log-1.0.4.tgz",
+      "integrity": "sha512-mLUsMkgP7K/cnFEw07kWqXGF5LKrOkD+lhCrKvPHXWDywAwuDUeDwWBpc69XK3pNX0uKiVt8g5z96PJ6z9xCFA==",
      "license": "MIT",
-      "engines": {
-        "node": ">= 20"
-      },
      "peerDependencies": {
-        "@octokit/core": ">=6"
-      }
-    },
-    "node_modules/@octokit/plugin-rest-endpoint-methods": {
-      "version": "17.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-17.0.0.tgz",
-      "integrity": "sha512-B5yCyIlOJFPqUUeiD0cnBJwWJO8lkJs5d8+ze9QDP6SvfiXSz1BF+91+0MeI1d2yxgOhU/O+CvtiZ9jSkHhFAw==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/types": "^16.0.0"
-      },
-      "engines": {
-        "node": ">= 20"
-      },
-      "peerDependencies": {
-        "@octokit/core": ">=6"
+        "@octokit/core": ">=3"
      }
    },
    "node_modules/@octokit/plugin-retry": {
-      "version": "8.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-retry/-/plugin-retry-8.1.0.tgz",
-      "integrity": "sha512-O1FZgXeiGb2sowEr/hYTr6YunGdSAFWnr2fyW39Ah85H8O33ELASQxcvOFF5LE6Tjekcyu2ms4qAzJVhSaJxTw==",
+      "version": "3.0.9",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-retry/-/plugin-retry-3.0.9.tgz",
+      "integrity": "sha512-r+fArdP5+TG6l1Rv/C9hVoty6tldw6cE2pRHNGmFPdyfrc696R6JjrQ3d7HdVqGwuzfyrcaLAKD7K8TX8aehUQ==",
      "license": "MIT",
      "dependencies": {
-        "@octokit/request-error": "^7.0.2",
-        "@octokit/types": "^16.0.0",
+        "@octokit/types": "^6.0.3",
        "bottleneck": "^2.15.3"
-      },
-      "engines": {
-        "node": ">= 20"
-      },
-      "peerDependencies": {
-        "@octokit/core": ">=7"
      }
    },
    "node_modules/@octokit/request": {
-      "version": "10.0.9",
-      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-10.0.9.tgz",
-      "integrity": "sha512-o8Bi3f608eyM+7BmBiUWxFsdjLb3/ym1cQek5LZOv9KkZcxRrHCPhhRzm6xjO6HVZ85ItD6+sTsjxo821SVa/A==",
+      "version": "8.4.1",
+      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-8.4.1.tgz",
+      "integrity": "sha512-qnB2+SY3hkCmBxZsR/MPCybNmbJe4KAlfWErXq+rBKkQJlbjdJeS85VI9r8UqeLYLvnAenU8Q1okM/0MBsAGXw==",
      "license": "MIT",
      "dependencies": {
-        "@octokit/endpoint": "^11.0.3",
-        "@octokit/request-error": "^7.0.2",
-        "@octokit/types": "^16.0.0",
-        "content-type": "^2.0.0",
-        "fast-content-type-parse": "^3.0.0",
-        "json-with-bigint": "^3.5.3",
-        "universal-user-agent": "^7.0.2"
+        "@octokit/endpoint": "^9.0.6",
+        "@octokit/request-error": "^5.1.1",
+        "@octokit/types": "^13.1.0",
+        "universal-user-agent": "^6.0.0"
      },
      "engines": {
-        "node": ">= 20"
+        "node": ">= 18"
      }
    },
    "node_modules/@octokit/request-error": {
-      "version": "7.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-7.1.0.tgz",
-      "integrity": "sha512-KMQIfq5sOPpkQYajXHwnhjCC0slzCNScLHs9JafXc4RAJI+9f+jNDlBNaIMTvazOPLgb4BnlhGJOTbnN0wIjPw==",
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-5.1.1.tgz",
+      "integrity": "sha512-v9iyEQJH6ZntoENr9/yXxjuezh4My67CBSu9r6Ve/05Iu5gNgnisNWOsoJHTP6k0Rr0+HQIpnH+kyammu90q/g==",
      "license": "MIT",
      "dependencies": {
-        "@octokit/types": "^16.0.0"
+        "@octokit/types": "^13.1.0",
+        "deprecation": "^2.0.0",
+        "once": "^1.4.0"
      },
      "engines": {
-        "node": ">= 20"
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/request-error/node_modules/@octokit/openapi-types": {
+      "version": "24.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
+      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
+      "license": "MIT"
+    },
+    "node_modules/@octokit/request-error/node_modules/@octokit/types": {
+      "version": "13.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
+      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/openapi-types": "^24.2.0"
+      }
+    },
+    "node_modules/@octokit/request/node_modules/@octokit/openapi-types": {
+      "version": "24.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
+      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
+      "license": "MIT"
+    },
+    "node_modules/@octokit/request/node_modules/@octokit/types": {
+      "version": "13.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
+      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/openapi-types": "^24.2.0"
      }
    },
    "node_modules/@octokit/types": {
-      "version": "16.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-16.0.0.tgz",
-      "integrity": "sha512-sKq+9r1Mm4efXW1FCk7hFSeJo4QKreL/tTbR0rz/qx/r1Oa2VV83LTA/H/MuCOX7uCIJmQVRKBcbmWoySjAnSg==",
+      "version": "6.41.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-6.41.0.tgz",
+      "integrity": "sha512-eJ2jbzjdijiL3B4PrSQaSjuF2sPEQPVCPzBvTHJD9Nz+9dw2SGH4K4xeQJ77YfTq5bRQ+bD8wT11JbeDPmxmGg==",
      "license": "MIT",
      "dependencies": {
-        "@octokit/openapi-types": "^27.0.0"
+        "@octokit/openapi-types": "^12.11.0"
      }
    },
    "node_modules/@pkgjs/parseargs": {
@@ -766,9 +845,9 @@
      "license": "MIT"
    },
    "node_modules/before-after-hook": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-4.0.0.tgz",
-      "integrity": "sha512-q6tR3RPqIB1pMiTRMFcZwuG5T8vwp+vUvEG0vuI6B+Rikh5BfPp2fQ82c925FOs+b0lcFQ8CFrL+KbilfZFhOQ==",
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz",
+      "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ==",
      "license": "Apache-2.0"
    },
    "node_modules/binary": {
@@ -791,9 +870,9 @@
      "license": "MIT"
    },
    "node_modules/brace-expansion": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
-      "integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
      "license": "MIT",
      "dependencies": {
        "balanced-match": "^1.0.0"
@@ -895,19 +974,6 @@
        "node": ">= 14"
      }
    },
-    "node_modules/content-type": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/content-type/-/content-type-2.0.0.tgz",
-      "integrity": "sha512-j/O/d7GcZCyNl7/hwZAb606rzqkyvaDctLmckbxLzHvFBzTJHuGEdodATcP3yIRoDrLHkIATJuvzbFlp/ki2cQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=18"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
-      }
-    },
    "node_modules/core-util-is": {
      "version": "1.0.3",
      "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz",
@@ -970,6 +1036,12 @@
        }
      }
    },
+    "node_modules/deprecation": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz",
+      "integrity": "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ==",
+      "license": "ISC"
+    },
    "node_modules/eastasianwidth": {
      "version": "0.2.0",
      "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz",
@@ -1000,48 +1072,16 @@
        "node": ">=0.8.x"
      }
    },
-    "node_modules/fast-content-type-parse": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/fast-content-type-parse/-/fast-content-type-parse-3.0.0.tgz",
-      "integrity": "sha512-ZvLdcY8P+N8mGQJahJV5G4U88CSvT1rP8ApL6uETe88MBXrBHAkZlSEySdUlyztF7ccb+Znos3TFqaepHxdhBg==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/fastify"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/fastify"
-        }
-      ],
-      "license": "MIT"
-    },
    "node_modules/fast-fifo": {
      "version": "1.3.2",
      "resolved": "https://registry.npmjs.org/fast-fifo/-/fast-fifo-1.3.2.tgz",
      "integrity": "sha512-/d9sfos4yxzpwkDkuN7k2SqFKtYNmCTzgfEpz82x34IM9/zc8KGxQoXg1liNC/izpRM/MBdt44Nmx41ZWqk+FQ==",
      "license": "MIT"
    },
-    "node_modules/fast-xml-builder": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz",
-      "integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/NaturalIntelligence"
-        }
-      ],
-      "license": "MIT",
-      "dependencies": {
-        "path-expression-matcher": "^1.5.0",
-        "xml-naming": "^0.1.0"
-      }
-    },
    "node_modules/fast-xml-parser": {
-      "version": "5.8.0",
-      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.8.0.tgz",
-      "integrity": "sha512-6bIM7fsJxeo3uXv7OncQYsBAMPJ7V16Slahl/6M98C/i2q+vB1+4a0MtrvYwDFEUrwDSbAmeLDRXsOBwrL7yAg==",
+      "version": "5.3.6",
+      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.3.6.tgz",
+      "integrity": "sha512-QNI3sAvSvaOiaMl8FYU4trnEzCwiRr8XMWgAHzlrWpTSj+QaCSvOf1h82OEP1s4hiAXhnbXSyFWCf4ldZzZRVA==",
      "funding": [
        {
          "type": "github",
@@ -1050,11 +1090,7 @@
      ],
      "license": "MIT",
      "dependencies": {
-        "@nodable/entities": "^2.1.0",
-        "fast-xml-builder": "^1.2.0",
-        "path-expression-matcher": "^1.5.0",
-        "strnum": "^2.3.0",
-        "xml-naming": "^0.1.0"
+        "strnum": "^2.1.2"
      },
      "bin": {
        "fxparser": "src/cli/cli.js"
@@ -1203,20 +1239,11 @@
        "@pkgjs/parseargs": "^0.11.0"
      }
    },
-    "node_modules/json-with-bigint": {
-      "version": "3.5.8",
-      "resolved": "https://registry.npmjs.org/json-with-bigint/-/json-with-bigint-3.5.8.tgz",
-      "integrity": "sha512-eq/4KP6K34kwa7TcFdtvnftvHCD9KvHOGGICWwMFc4dOOKF5t4iYqnfLK8otCRCRv06FXOzGGyqE8h8ElMvvdw==",
-      "license": "MIT"
-    },
    "node_modules/jwt-decode": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/jwt-decode/-/jwt-decode-4.0.0.tgz",
-      "integrity": "sha512-+KJGIyHgkGuIq3IEBNftfhW/LfWhXUIY6OmyVWjliu5KH1y0fw7VQ8YndE2O4qZdMSd9SqbnC8GOcZEy0Om7sA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=18"
-      }
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/jwt-decode/-/jwt-decode-3.1.2.tgz",
+      "integrity": "sha512-UfpWE/VZn0iP50d8cz9NrZLM9lSWhcJ+0Gt/nm4by88UL+J1SiKN8/5dkjMmbEzwL2CAe+67GsegCbIKtbp75A==",
+      "license": "MIT"
    },
    "node_modules/lazystream": {
      "version": "1.0.1",
@@ -1261,9 +1288,9 @@
      }
    },
    "node_modules/lodash": {
-      "version": "4.18.1",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
-      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
+      "version": "4.17.23",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
+      "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
      "license": "MIT"
    },
    "node_modules/lru-cache": {
@@ -1273,12 +1300,12 @@
      "license": "ISC"
    },
    "node_modules/minimatch": {
-      "version": "9.0.9",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
-      "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
+      "version": "9.0.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
+      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
      "license": "ISC",
      "dependencies": {
-        "brace-expansion": "^2.0.2"
+        "brace-expansion": "^2.0.1"
      },
      "engines": {
        "node": ">=16 || 14 >=14.17"
@@ -1332,27 +1359,21 @@
        "node": ">=0.10.0"
      }
    },
+    "node_modules/once": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
+      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
+      "license": "ISC",
+      "dependencies": {
+        "wrappy": "1"
+      }
+    },
    "node_modules/package-json-from-dist": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz",
      "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==",
      "license": "BlueOak-1.0.0"
    },
-    "node_modules/path-expression-matcher": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.5.0.tgz",
-      "integrity": "sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/NaturalIntelligence"
-        }
-      ],
-      "license": "MIT",
-      "engines": {
-        "node": ">=14.0.0"
-      }
-    },
    "node_modules/path-key": {
      "version": "3.1.1",
      "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz",
@@ -1419,9 +1440,9 @@
      }
    },
    "node_modules/readdir-glob/node_modules/minimatch": {
-      "version": "5.1.9",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.9.tgz",
-      "integrity": "sha512-7o1wEA2RyMP7Iu7GNba9vc0RWWGACJOCZBJX2GJWip0ikV+wcOsgVuY9uE8CPiyQhkGFSlhuSkZPavN7u1c2Fw==",
+      "version": "5.1.6",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz",
+      "integrity": "sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==",
      "license": "ISC",
      "dependencies": {
        "brace-expansion": "^2.0.1"
@@ -1602,9 +1623,9 @@
      }
    },
    "node_modules/strnum": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.3.0.tgz",
-      "integrity": "sha512-ums3KNd42PGyx5xaoVTO1mjU1bH3NpY4vsrVlnv9PNGqQj8wd7rJ6nEypLrJ7z5vxK5RP0yMLo6J/Gsm62DI5Q==",
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.1.2.tgz",
+      "integrity": "sha512-l63NF9y/cLROq/yqKXSLtcMeeyOfnSQlfMSlzFt/K73oIaD8DGaQWd7Z34X9GPiKqP5rbSh84Hl4bOlLcjiSrQ==",
      "funding": [
        {
          "type": "github",
@@ -1662,6 +1683,7 @@
      "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.10.tgz",
      "integrity": "sha512-w6fIxVE/H1PkLKcCPsFqKE7Kv7QUwhU8qQY2MueZXWx5cPZdwFupLgKK3vntcK98BtNHZtAF4LA/yl2a7k8R6Q==",
      "license": "Apache-2.0",
+      "peer": true,
      "bin": {
        "tsc": "bin/tsc",
        "tsserver": "bin/tsserver"
@@ -1683,9 +1705,9 @@
      }
    },
    "node_modules/universal-user-agent": {
-      "version": "7.0.3",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.3.tgz",
-      "integrity": "sha512-TmnEAEAsBJVZM/AADELsK76llnwcf9vMKuPz8JflO1frO8Lchitr0fNaN9d+Ap0BjKtqWqd/J17qeDnXh8CL2A==",
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
+      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==",
      "license": "ISC"
    },
    "node_modules/unzip-stream": {
@@ -1704,16 +1726,6 @@
      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==",
      "license": "MIT"
    },
-    "node_modules/uuid": {
-      "version": "8.3.2",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
-      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
-      "deprecated": "uuid@10 and below is no longer supported.  For ESM codebases, update to uuid@latest.  For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).",
-      "license": "MIT",
-      "bin": {
-        "uuid": "dist/bin/uuid"
-      }
-    },
    "node_modules/which": {
      "version": "2.0.2",
      "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
@@ -1820,20 +1832,11 @@
        "node": ">=8"
      }
    },
-    "node_modules/xml-naming": {
-      "version": "0.1.0",
-      "resolved": "https://registry.npmjs.org/xml-naming/-/xml-naming-0.1.0.tgz",
-      "integrity": "sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/NaturalIntelligence"
-        }
-      ],
-      "license": "MIT",
-      "engines": {
-        "node": ">=16.0.0"
-      }
+    "node_modules/wrappy": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
+      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==",
+      "license": "ISC"
    },
    "node_modules/zip-stream": {
      "version": "6.0.1",
--- a/ci/github-script/package.json
+++ b/ci/github-script/package.json
@@ -7,9 +7,9 @@
    "`.github/workflows/bot.yml`."
  ],
  "dependencies": {
-    "@actions/artifact": "6.2.1",
-    "@actions/core": "1.10.1",
-    "@actions/github": "9.1.0",
+    "@actions/artifact": "5.0.3",
+    "@actions/core": "1.11.1",
+    "@actions/github": "6.0.1",
    "bottleneck": "2.19.5",
    "commander": "14.0.3"
  }
--- a/ci/github-script/prepare.js
+++ b/ci/github-script/prepare.js
@@ -172,20 +172,14 @@ module.exports = async ({ github, context, core, dry }) => {
          '  ```',
        ].join('\n')

-        await postReview({
-          github,
-          context,
-          core,
-          dry,
-          body,
-          event: 'REQUEST_CHANGES',
-          reviewKey,
-        })
-      } else {
-        await dismissReviews({ github, context, core, dry, reviewKey })
+        await postReview({ github, context, core, dry, body, reviewKey })
+
+        throw new Error(`The PR contains commits from a different base.`)
      }
    }

+    await dismissReviews({ github, context, core, dry, reviewKey })
+
    let mergedSha, targetSha

    if (prInfo.mergeable) {
--- a/ci/github-script/reviews.js
+++ b/ci/github-script/reviews.js
@@ -5,28 +5,10 @@ const eventToState = {
  REQUEST_CHANGES: 'CHANGES_REQUESTED',
 }

-// Use substring checks in order to allow testing in forks
-// Usernames must also end in "[bot]"
-const reviewUsers = [
-  'github-actions',
-  'nixpkgs-ci',
-  'branch-check',
-  'commit-check',
-  'manual-edit',
-]
-
-/**
- * @typedef {InstanceType<import('@actions/github/lib/utils').GitHub>} GitHub
- * @typedef {typeof import('@actions/github').context} Context
- *
- * @typedef {Awaited<ReturnType<GitHub['rest']['pulls']['listReviews']>>['data'][number]} Review
- * @typedef {Review & { user: NonNullable<Review['user']> }} ReviewWithNonNullUser
- */
-
 /**
 * @param {{
- *  github: GitHub,
- *  context: Context,
+ *  github: InstanceType<import('@actions/github/lib/utils').GitHub>,
+ *  context: import('@actions/github/lib/context').Context,
 *  core: import('@actions/core'),
 *  dry: boolean,
 *  reviewKey?: string,
@@ -43,32 +25,18 @@ async function dismissReviews({ github, context, core, dry, reviewKey }) {
    return
  }

-  const allReviews = await github.paginate(github.rest.pulls.listReviews, {
-    ...context.repo,
-    pull_number,
-  })
-
-  const reviews = /** @type {ReviewWithNonNullUser[]} */ (
-    allReviews.filter(
-      (review) =>
-        review.user &&
-        review.state !== 'DISMISSED' &&
-        review.user.login.endsWith('[bot]') &&
-        reviewUsers.some((substr) => review.user?.login.includes(substr)),
-    )
+  const reviews = (
+    await github.paginate(github.rest.pulls.listReviews, {
+      ...context.repo,
+      pull_number,
+    })
+  ).filter(
+    (review) =>
+      review.user?.login === 'github-actions[bot]' &&
+      review.state !== 'DISMISSED',
  )
-
-  const reviewsByUser = reviews.reduce(
-    (prev, curr) => {
-      if (!(curr.user.login in prev)) {
-        prev[curr.user.login] = []
-      }
-
-      prev[curr.user.login].push(curr)
-
-      return prev
-    },
-    /** @type {Record<string, ReviewWithNonNullUser[]> } */ ({}),
+  const changesRequestedReviews = reviews.filter(
+    (review) => review.state === 'CHANGES_REQUESTED',
  )

  const commentRegex = new RegExp(
@@ -82,8 +50,8 @@ async function dismissReviews({ github, context, core, dry, reviewKey }) {
  )

  let reviewsToMinimize = reviews
-  const /** @type {ReviewWithNonNullUser[]} */ reviewsToDismiss = []
-  const /** @type {ReviewWithNonNullUser[]} */ reviewsToResolve = []
+  let /** @type {typeof reviews} */ reviewsToDismiss = []
+  let /** @type {typeof reviews} */ reviewsToResolve = []

  if (reviewKey && reviews.every((review) => commentRegex.test(review.body))) {
    reviewsToMinimize = reviews.filter((review) =>
@@ -91,39 +59,29 @@ async function dismissReviews({ github, context, core, dry, reviewKey }) {
    )
  }

-  for (const reviewsForUser of Object.values(reviewsByUser)) {
-    // Make sure that we don't dismiss all reviews by a user if they
-    // have any reviews we don't want to dismiss.
-    if (
-      reviewsForUser.every(
-        (review) =>
-          commentResolvedRegex.test(review.body) ||
-          (reviewKey && reviewKeyRegex.test(review.body)) ||
-          // If we are called by check-commits and the review body is clearly
-          // from `commits.js`, then we can safely dismiss the review.
-          // This helps with pre-existing reviews (before the comments were added).
-          (reviewKey &&
-            reviewKey === 'check-commits' &&
-            review.body.includes('PR / Check / cherry-pick')),
-      )
-    ) {
-      reviewsToDismiss.push(
-        ...reviewsForUser.filter(
-          (review) => review.state === 'CHANGES_REQUESTED',
-        ),
-      )
-    } else {
-      reviewsToResolve.push(
-        ...reviewsForUser.filter(
-          (review) =>
-            review.state === 'CHANGES_REQUESTED' &&
-            !commentResolvedRegex.test(review.body) &&
-            reviewsToMinimize.some(
-              (toMinimize) => toMinimize.node_id === review.node_id,
-            ),
-        ),
-      )
-    }
+  // If we want to dismiss all reviews with the key reviewKey,
+  // but there are other requested changes from CI, we can't dismiss,
+  // because then the other requested changes will be dismissed too.
+  if (
+    changesRequestedReviews.every(
+      (review) =>
+        commentResolvedRegex.test(review.body) ||
+        (reviewKey && reviewKeyRegex.test(review.body)) ||
+        // If we are called by check-commits and the review body is clearly
+        // from `commits.js`, then we can safely dismiss the review.
+        // This helps with pre-existing reviews (before the comments were added).
+        (reviewKey &&
+          reviewKey === 'check-commits' &&
+          review.body.includes('PR / Check / cherry-pick')),
+    )
+  ) {
+    reviewsToDismiss = changesRequestedReviews
+  } else if (reviewsToMinimize.length) {
+    reviewsToResolve = reviewsToMinimize.filter(
+      (review) =>
+        review.state === 'CHANGES_REQUESTED' &&
+        !commentResolvedRegex.test(review.body),
+    )
  }

  await Promise.all([
@@ -163,8 +121,8 @@ async function dismissReviews({ github, context, core, dry, reviewKey }) {

 /**
 * @param {{
- *  github: GitHub,
- *  context: Context,
+ *  github: InstanceType<import('@actions/github/lib/utils').GitHub>,
+ *  context: import('@actions/github/lib/context').Context
 *  core: import('@actions/core'),
 *  dry: boolean,
 *  body: string,
@@ -200,13 +158,11 @@ async function postReview({
    })
  ).filter(
    (review) =>
-      review.user &&
-      review.state !== 'DISMISSED' &&
-      review.user.login.endsWith('[bot]') &&
-      reviewUsers.some((substr) => review.user?.login.includes(substr)),
+      review.user?.login === 'github-actions[bot]' &&
+      review.state !== 'DISMISSED',
  )

-  /** @type {null | Review} */
+  /** @type {null | typeof reviews[number]} */
  let pendingReview
  const matchingReviews = reviews.filter((review) =>
    reviewKeyRegex.test(review.body),
--- a/ci/github-script/run
+++ b/ci/github-script/run
@@ -116,15 +116,4 @@ program
    await run(checkCommitMessages, owner, repo, pr, options)
  })

-program
-  .command('manual-file-edits')
-  .description("Error when files that shouldn't be edited manually are")
-  .argument('<owner>', 'Owner of the GitHub repository to run on (Example: NixOS)')
-  .argument('<repo>', 'Name of the GitHub repository to run on (Example: nixpkgs)')
-  .argument('<pr>', 'Number of the Pull Request to run on')
-  .action(async (owner, repo, pr, options) => {
-    const checkManualFileEdits = (await import('./manual-file-edits.js')).default
-    await run(checkManualFileEdits, owner, repo, pr, options)
-  })
-
 await program.parse()
--- a/ci/parse.nix
+++ b/ci/parse.nix
@@ -28,14 +28,7 @@ runCommand "nix-parse-${nix.name}"
    # the other CI jobs will report in more detail. This job is about checking parsing
    # across different implementations / versions, not about providing the best DX.
    # Returning all parse errors requires significantly more resources.
-
-    find . -type f -iname '*.nix' | xargs -P $(nproc) nix-instantiate --parse 2>&1 >/dev/null | {
-      # Also fail on (deprecation) warnings printed to stderr.
-      if grep "warning"; then
-        echo "Failing due to warnings in stderr" >&2
-        exit 1
-      fi
-    }
+    find . -type f -iname '*.nix' | xargs -P $(nproc) nix-instantiate --parse >/dev/null

    touch $out
  ''
--- a/ci/pinned.json
+++ b/ci/pinned.json
@@ -9,9 +9,9 @@
      },
      "branch": "nixpkgs-unstable",
      "submodules": false,
-      "revision": "02f3fa0374fa13707d42d55d58ecc76b091f223c",
-      "url": "https://github.com/NixOS/nixpkgs/archive/02f3fa0374fa13707d42d55d58ecc76b091f223c.tar.gz",
-      "hash": "0z8d33c5g0gk9a74ppqq77npisf9xx9c8ai9isxa2hyjx4lv1pki"
+      "revision": "bde09022887110deb780067364a0818e89258968",
+      "url": "https://github.com/NixOS/nixpkgs/archive/bde09022887110deb780067364a0818e89258968.tar.gz",
+      "hash": "13mi187zpa4rw680qbwp7pmykjia8cra3nwvjqmsjba3qhlzif5l"
    },
    "treefmt-nix": {
      "type": "Git",
@@ -22,9 +22,9 @@
      },
      "branch": "main",
      "submodules": false,
-      "revision": "790751ff7fd3801feeaf96d7dc416a8d581265ba",
-      "url": "https://github.com/numtide/treefmt-nix/archive/790751ff7fd3801feeaf96d7dc416a8d581265ba.tar.gz",
-      "hash": "1zah3dmbpn3ap5acg22kq1j19dg32gj73l43yamjcxhc38sv9kd5"
+      "revision": "e96d59dff5c0d7fddb9d113ba108f03c3ef99eca",
+      "url": "https://github.com/numtide/treefmt-nix/archive/e96d59dff5c0d7fddb9d113ba108f03c3ef99eca.tar.gz",
+      "hash": "02gqyxila3ghw8gifq3mns639x86jcq079kvfvjm42mibx7z5fzb"
    }
  },
  "version": 5
--- a/doc/README.md
+++ b/doc/README.md
@@ -217,38 +217,6 @@ Not everything has been migrated to this format yet.
 Please always use it for new content.
 When changing existing content, update formatting if possible, but avoid excessive diffs.

-### Examples first
-
-Readers look at examples first: an example communicates what something does faster than a description.
-Put examples before detailed explanations.
-
-Prefer this structure for each documented item:
-
-1. Title
-2. Abstract (optional, one sentence max, the example often speaks for itself)
-3. Example
-4. Explanation (details, edge cases, types, defaults)
-
-For instance:
-
-````markdown
-## `lib.toUpper`
-
-Converts all characters in a string to uppercase.
-
-:::{.example #ex-lib-toUpper}
-# Converting a string to uppercase
-```nix
-lib.toUpper "hello"
-=> "HELLO"
-```
-
-:::
-
-Only acts on ASCII characters.
-Unicode characters are passed through unchanged.
-````
-
 ### Writing Function Documentation

 Function documentation is *reference documentation*, for which
--- a/doc/build-helpers/fetchers.chapter.md
+++ b/doc/build-helpers/fetchers.chapter.md
@@ -920,14 +920,14 @@ respectively. Otherwise, the fetcher uses `fetchzip`.

 This is used with Radicle repositories. The arguments expected are similar to `fetchgit`.

-Requires a `seed` argument (e.g. `seed.radicle.dev` or `rosa.radicle.network`) and a `repo` argument
+Requires a `seed` argument (e.g. `seed.radicle.xyz` or `rosa.radicle.xyz`) and a `repo` argument
 (the repository id *without* the `rad:` prefix). Also accepts an optional `node` argument which
 contains the id of the node from which to fetch the specified ref. If `node` is `null` (the
 default), a canonical ref is fetched instead.

 ```nix
 fetchFromRadicle {
-  seed = "seed.radicle.dev";
+  seed = "seed.radicle.xyz";
  repo = "z3gqcJUoA1n9HaHKufZs5FCSGazv5"; # heartwood
  tag = "releases/1.3.0";
  hash = "sha256-4o88BWKGGOjCIQy7anvzbA/kPOO+ZsLMzXJhE61odjw=";
@@ -942,7 +942,7 @@ contains the full revision id of the Radicle patch to fetch.

 ```nix
 fetchRadiclePatch {
-  seed = "rosa.radicle.network";
+  seed = "rosa.radicle.xyz";
  repo = "z4V1sjrXqjvFdnCUbxPFqd5p4DtH5"; # radicle-explorer
  revision = "d97d872386c70607beda2fb3fc2e60449e0f4ce4"; # patch: d77e064
  hash = "sha256-ttnNqj0lhlSP6BGzEhhUOejKkkPruM9yMwA5p9Di4bk=";
--- a/doc/build-helpers/special.md
+++ b/doc/build-helpers/special.md
@@ -3,7 +3,6 @@
 This chapter describes several special build helpers.

 ```{=include=} sections
-special/buildenv.section.md
 special/fakenss.section.md
 special/fhs-environments.section.md
 special/makesetuphook.section.md
--- a/doc/build-helpers/special/buildenv.section.md
+++ b/doc/build-helpers/special/buildenv.section.md
@@ -1,101 +0,0 @@
-# buildEnv {#sec-buildEnv}
-
-`buildEnv` constructs a derivation containing directories and symbolic links, which resembles the profile layout where a list of derivations or store paths are installed.
-
-Unlike [`symlinkJoin`](#trivial-builder-symlinkJoin), `buildEnv` takes special care of the outputs to link and checks for content collisions across the paths by default.
-A common use case for `buildEnv` is constructing environment wrappers, such as an interpreter with modules or a program with extensions.
-For example, [`python.withPackage`](#attributes-on-interpreters-packages) is based on `buildEnv`.
-
-## Arguments {#sec-buildEnv-arguments}
-
-`buildEnv` takes [fixed-point arguments (`buildEnv (finalAttrs: { })`)](#chap-build-helpers-finalAttrs) as well as a plain attribute set.
-
-Unless otherwise noted, arguments can be overridden directly using [`<pkg>.overrideAttrs`](#sec-pkg-overrideAttrs).
-
-`buildEnv` enforces [structured attributes (`{ __structuredAttrs = true; }`)](https://nix.dev/manual/nix/2.18/language/advanced-attributes.html#adv-attr-structuredAttrs).
-
- `name` or `pname` and `version` (required):
-    The name of the environment.
-
- `paths` (required):
-    The derivations or store paths to symlink ("install").
-
-    The elements can be any path-like object that string-interpolates to a store path.
-    The priority of each path is taken from `<path>.meta.priority` and falls back to `lib.meta.defaultPriority` if not set.
-
-    The argument `paths` is passed as attribute `passthru.paths` to prevent unexpected context pollution.
-    `passthru.paths` can be overridden with `<pkg>.overrideAttrs`.
-
-   `extraOutputsToInstall` (default to `[ ]`):
-    Package outputs to include in addition to what `meta.outputsToInstall` specifies.
-
-   `includeClosures` (default to `false`):
-    Whether to include closures of all input paths.
-    The list of the closure paths are constructed with `writeClosure`.
-    They are installed with lower priority and with build-time exceptions silenced.
-
-   `extraPrefix` (default to `""`):
-    Root the result in directory `"$out${extraPrefix}"`, e.g. `"/share"`.
-
-   `ignoreCollisions` (default: `false`):
-    Don't fail the build upon content collisions.
-
-   `checkCollisionContents` (default: `true`):
-    If there is a collision, check whether the contents and permissions match; and only if not, throw a collision error.
-
-   `ignoreSingleFileOutputs` (default: `false`):
-    Don't fail the build upon single-file outputs.
-
-   `manifest` (default: `""`):
-    The manifest file (if any). A symlink `$out/manifest` will be created to it.
-
-   `pathsToLink` (default: `[ "/" ]`):
-    The paths (relative to each element of `paths`) that we want to symlink (e.g., `["/bin"]`).
-    Any file outside the directories in this list won't be symlinked into the produced environment.
-
-   `postBuild` (default: `""`):
-    Shell commands to run after building the symlink tree.
-
-   `passthru` and `meta` (default: `{ }`):
-    `stdenv.mkDerivation`-supported attributes not passing down to `builtins.derivation`.
-
-   `derivationArgs` (default: `{ }`):
-    Additional `stdenv.mkDerivation` arguments, such as `nativeBuildInputs`/`buildInputs` for `postBuild` dependencies and setup hooks.
-
-    `derivationArgs` is not passed down to `stdenv.mkDerivation`.
-    Override its attributes directly via `<pkg>.overrideAttrs` and reference directly via `finalAttrs`.
-
-## Build-time exceptions {#sec-buildEnv-exceptions}
-
-There are situations where the specified `paths` might not produce sensible profile layout.
-By default, the builder fails early upon detecting these exceptions.
-`buildEnv` provides arguments to fine-tune or ignore certain exceptions.
-
-### Path collisions {#ssec-buildEnv-collisions}
-
-Path collisions occur when files provided by two more output paths with the same priority overlap with each other, making the result profile layout potentially affected by the order of elements of `paths`.
-This is undesirable in several use cases, such as when `paths` are determined by merging Nix modules.
-
-If the argument `checkCollisionContents` is `true`, the builder checks whether the overlapping paths share the same content and mode, and fails only if not.
-
-The argument `ignoreCollisions` silence the collision checks and allow the files to be overwritten based on the order of chosen output paths.
-
-In addition to silencing this exception with `ignoreCollisions`, one can also adjust the priority of colliding packages and store paths.
-Store paths can specify priority in the form
-
-```nix
-{
-  outPath = <path>;
-  meta.priority = <priority>;
-}
-```
-
-And [`lib.meta.setPrio`](#function-library-lib.meta.setPrio)-related Nixpkgs Library functions also apply to a string-like attribute set (`{ outPath = <path>; }`).
-
-### Single-file outputs {#ssec-buildEnv-singleFileOutputs}
-
-When an output path provides a single file instead of a directory, it inherently cannot merge into the result layout.
-All discoverable packages should configure their `meta.outputsToInstall` correctly, so that single-file outputs won't be installed into a profile.
-
-Set `ignoreSingleFileOutputs` to `true` to drop all single-file output paths silently.
-This option is useful when the specified paths contain the output paths of package tests.
--- a/doc/build-helpers/testers.chapter.md
+++ b/doc/build-helpers/testers.chapter.md
@@ -129,13 +129,6 @@ It has two modes:

  Example: `{ "include_verbatim" = true; }`

-`extraArgs` (list of strings, optional) {#tester-lycheeLinkCheck-param-extraArgs}
-
-: Extra command line arguments to pass to the `lychee` invocation.
-  These are passed in both the offline (build) and [`online`](#tester-lycheeLinkCheck-return) modes.
-
-  Example: `[ "--format" "json" ]`
-
 `lychee` (derivation, optional) {#tester-lycheeLinkCheck-param-lychee}

 : The `lychee` package to use.
--- a/doc/build-helpers/trivial-build-helpers.chapter.md
+++ b/doc/build-helpers/trivial-build-helpers.chapter.md
@@ -734,80 +734,7 @@ Some basic Bash options are set by default (`errexit`, `nounset`, and `pipefail`
 Extra arguments may be passed to `stdenv.mkDerivation` by setting `derivationArgs`; note that variables set in this manner will be set when the shell script is _built,_ not when it's run.
 Runtime environment variables can be set with the `runtimeEnv` argument.

-`writeShellApplication` has the following arguments:
-
-`name` (String)
-
-: The name of the script to write.
-
-`text` (String)
-
-: The shell script's text, not including a shebang.
-
-`runtimeInputs` (List of derivations or strings, _optional_)
-
-: Inputs to add to the shell script's `$PATH` at runtime.
-
-  Each elements can either be a normal derivation, or a string containing a path, in which case it will be suffixed with `/bin` to create a `PATH` expression (see [`lib.strings.makeBinPath`](#function-library-lib.strings.makeBinPath) for more information).
-
-`runtimeEnv` (Attribute set, _optional_)
-
-: Extra environment variables to set at runtime.
-
-`checkPhase` (String, _optional_)
-
-: The `checkPhase` to run.
-
-  The script path will be given as `$target` in the `checkPhase`
-
-  _Default behavior:_ run [`shellcheck`](https://github.com/koalaman/shellcheck) (on supported platforms) and `bash -n` (check syntax but don't execute commands).
-
-`excludeShellChecks` (List of strings, _optional_)
-
-: Checks to exclude when running `shellcheck`.
-
-  For example, `excludeShellChecks = [ "SC2016" ]` would prevent `shellcheck` from reporting `SC2016`, but would still detect any other problems.
-
-  See [the `shellcheck` wiki](https://www.shellcheck.net/wiki/) for a list of checks.
-
-`extraShellCheckFlags` (List of strings, _optional_)
-
-: Extra command-line flags to pass to `shellcheck`.
-
-`bashOptions` (List of strings, _optional_)
-
-: Bash options to activate with `set -o` at the start of the script
-
-  _Default:_ `[ "errexit" "nounset" "pipefail" ]`, which means:
-  1. A failing command inside of a command list or pipeline will make the script exit, except if used as a conditional (inside a `while`, `if`, `&&`, `||`, etc.);
-  2. Any attempt to expand an undefined variable will make the script exit.
-
-`inheritPath` (Bool, _optional_)
-
-: Whether the script will inherit the PATH from its parent environment.
-
-  _Default:_ `true`
-
-`meta` (Attribute set, _optional_)
-
-: `stdenv.mkDerivation`'s [`meta`](#chap-meta) argument
-
-`passthru` (Attribute set, _optional_)
-
-: `stdenv.mkDerivation`'s [`passthru`](#chap-passthru) argument
-
-`derivationArgs` (Attribute set, _optional_)
-
-: Extra arguments to pass to [`stdenv.mkDerivation`](#chap-stdenv)
-
-  ::: {.caution}
-  Certain derivation attributes are also set internally, so overriding those could cause problems.
-  :::
-
-::: {.example #ex-writeShellApplication}
-# Usage of `writeShellApplication`
-
-The following shell application can refer to `curl` directly, rather than needing to write `${curl}/bin/curl`
+For example, the following shell application can refer to `curl` directly, rather than needing to write `${curl}/bin/curl`:

 ```nix
 writeShellApplication {
@@ -823,7 +750,6 @@ writeShellApplication {
  '';
 }
 ```
-:::

 ## `symlinkJoin` {#trivial-builder-symlinkJoin}

--- a/doc/doc-support/epub.nix
+++ b/doc/doc-support/epub.nix
@@ -37,16 +37,16 @@ runCommand "manual.epub"
      </book>
    '';

-    __structuredAttrs = true;
+    passAsFile = [ "epub" ];
  }
  ''
    mkdir scratch
-    printf "%s" "$epub" | xsltproc \
+    xsltproc \
      --param chapter.autolabel 0 \
      --nonet \
      --output scratch/ \
      ${docbook_xsl_ns}/xml/xsl/docbook/epub/docbook.xsl \
-      -
+      $epubPath

    echo "application/epub+zip" > mimetype
    zip -0Xq -b "$TMPDIR" "$out" mimetype
--- a/doc/hooks/index.md
+++ b/doc/hooks/index.md
@@ -20,7 +20,6 @@ ghc.section.md
 gnome.section.md
 haredo.section.md
 installShellFiles.section.md
-installFonts.section.md
 julec.section.md
 just.section.md
 libglycin.section.md
@@ -29,11 +28,6 @@ libxml2.section.md
 meson.section.md
 mpi-check-hook.section.md
 ninja.section.md
-nodejs-install-executables.section.md
-nodejs-install-manuals.section.md
-npm-build-hook.section.md
-npm-config-hook.section.md
-npm-install-hook.section.md
 patch-rc-path-hooks.section.md
 perl.section.md
 pkg-config.section.md
@@ -48,7 +42,6 @@ unzip.section.md
 validatePkgConfig.section.md
 versionCheckHook.section.md
 waf.section.md
-writable-tmpdir-as-home-hook.section.md
 zig.section.md
 xcbuild.section.md
 xfce4-dev-tools.section.md
--- a/doc/hooks/installFonts.section.md
+++ b/doc/hooks/installFonts.section.md
@@ -1,24 +0,0 @@
-# `installFonts` {#installfonts}
-
-This hook installs common font formats to the proper location. In its default state, the hook automatically handles ttf, ttc, otf, bdf, and psf. Given a `webfont` output, woff and woff2 formats will be installed under this output.
-
-The automatic behavior of the hook can be disabled by setting the `dontInstallFonts` variable to true.
-
-Additionally, it exposes the `installFont` function that can be used from your `postInstall`
-hook, to install additional formats:
-
-## `installFont` {#installfonts-installfont}
-
-The `installFont` function takes two arguments, a file extension to move (*without* a preceding dot), and the install location.
-
-### Example Usage {#installfonts-installfont-exampleusage}
-
-```nix
-{
-  nativeBuildInputs = [ installFonts ];
-
-  postInstall = ''
-    installFont svg $out/share/fonts/svg
-  '';
-}
-```
--- a/doc/hooks/nodejs-install-executables.section.md
+++ b/doc/hooks/nodejs-install-executables.section.md
@@ -1,29 +0,0 @@
-# nodejsInstallExecutables {#nodejs-install-executables}
-
-Hook for wrapping Node.js executables.
-Primarily created for a multi-language environment.
-
-## Examples {#nodejs-install-executables-example}
-
-[](#npm-build-hook-example-snippet)
-
-## Variables controlling `nodejsInstallExecutables` {#nodejs-install-executables-variables}
-
-### `nodejsInstallExecutables` Exclusive Variables {#nodejs-install-executables-exclusive-variables}
-
-#### `makeWrapperArgs` {#nodejs-install-executables-wrapper-args}
-
-Flags to pass to the call to [`makeWrapper`](#fun-makeWrapper).
-To avoid double-wrapping, this flag can also be accessed in Bash.
-
-```nix
-stdenv.mkDerivation (finalAttrs: {
-  #...
-  dontWrapGApps = true;
-
-  postInstall = ''
-    makeWrapperArgs+=("''${gappsWrapperArgs[@]}")
-  '';
-  #...
-})
-```
--- a/doc/hooks/nodejs-install-manuals.section.md
+++ b/doc/hooks/nodejs-install-manuals.section.md
@@ -1,12 +0,0 @@
-# nodejsInstallManuals {#nodejs-install-manuals}
-
-Detects manuals in Node.js packages, and attempts to install them in standard locations.
-This detection is done by inspecting the package.json of the project and finding any entries
-with type `man`.
-
-
-There are no ways currently to configure this hook.
-
-## Examples {#nodejs-install-manuals-example}
-
-[](#npm-build-hook-example-snippet)
--- a/doc/hooks/npm-build-hook.section.md
+++ b/doc/hooks/npm-build-hook.section.md
@@ -1,93 +0,0 @@
-# npmHooks.npmBuildHook {#npm-build-hook}
-
-Hook for building packages that use npm. Can be used in multi-language environments.
-
-## Examples {#npm-build-hook-snippet}
-
-:::{.example #npm-build-hook-example-snippet}
-
-# Using `npmHooks`
-
-```nix
-{
-  stdenv,
-  fetchFromGitHub,
-  fetchNpmDeps,
-  npmHooks,
-  nodejsInstallExecutables,
-  nodejsInstallManuals,
-  nodejs,
-}:
-stdenv.mkDerivation (finalAttrs: {
-  pname = "some-npm-project";
-  version = "1.0";
-
-  src = fetchFromGitHub {
-    owner = "JohnNpm";
-    repo = "SomeProject";
-    tag = finalAttrs.version;
-    hash = "...";
-  };
-
-  strictDeps = true;
-
-  nativeBuildInputs = [
-    nodejs
-    nodejsInstallExecutables
-    nodejsInstallManuals
-    npmHooks.npmConfigHook
-    npmHooks.npmBuildHook
-    npmHooks.npmInstallHook
-  ];
-
-  npmBuildScript = "build";
-
-  npmBuildFlags = [
-    "--prod"
-  ];
-
-  npmFlags = [
-    "--ignore-scripts"
-  ];
-
-  npmDeps = fetchNpmDeps {
-    inherit (finalAttrs) src;
-    hash = "...";
-  };
-
-  makeWrapperArgs = [
-    "--set"
-    "NODE_ENV"
-    "production"
-  ];
-
-  meta = {
-    description = "npm project";
-  };
-})
-```
-:::
-
-## Variables controlling `npmBuildHook` {#npm-build-hook-variables}
-
-### `npmBuildHook` Exclusive Variables {#npm-build-hook-exclusive-variables}
-
-#### `npmBuildScript` {#npm-build-hook-script}
-
-Controls the script ran to build the npm package within the `package.json` file.
-Required to be set, usually to `build`, but can vary between packages.
-
-#### `npmBuildFlags` {#npm-build-hook-flags}
-
-Controls the arguments to the {command}`npm run $npmBuildScript` command.
-
-#### `dontNpmBuild` {#npm-build-hook-dont}
-
-Disables `npmBuildHook` when enabled
-
-### Honored Variables {#npm-build-hook-honored-variables}
-
-The following variables are honored by the `npmBuildHook`.
-
- [`npmWorkspace`](#javascript-buildNpmPackage-npmWorkspace)
- [`npmFlags`](#javascript-buildNpmPackage-npmFlags)
--- a/doc/hooks/npm-config-hook.section.md
+++ b/doc/hooks/npm-config-hook.section.md
@@ -1,41 +0,0 @@
-# npmHooks.npmConfigHook {#npm-config-hook}
-
-Hook for configuring packages that use npm.
-Primarily made for a multi-language environment.
-
-## Examples {#npm-config-hook-snippet}
-
-[](#npm-build-hook-example-snippet)
-
-## Variables controlling `npmConfigHook` {#npm-config-hook-variables}
-
-### `npmConfigHook` Exclusive Variables {#npm-config-hook-exclusive-variables}
-
-#### `npmDeps` {#npm-config-hook-deps}
-
-Derivation that contains the npm package dependencies.
-Usually built with `fetchNpmDeps`.
-This attribute is required or the hook will abort the build.
-
-#### `makeCacheWritable` {#npm-config-hook-writable-cache}
-
-Whether to make the dependency cache writable prior to installing the dependencies.
-Don't set this unless npm tries to write to the cache directory.
-
-#### `npmInstallFlags` {#npm-config-hook-install-flags}
-
-Flags to pass to the {command}`npm ci` call for installing the dependencies to the build environment.
-Defaults to `--ignore-scripts`, which cannot be removed.
-This does not control anything with the `npmInstallHook`.
-
-#### `npmRebuildFlags` {#npm-config-hook-rebuild-flags}
-
-Flags to pass to the {command}`npm rebuild` command after the dependencies are installed to the environment.
-
-### Honored Variables {#npm-config-hook-honored-variables}
-
-The following variables are honored by the `npmConfigHook`.
-
- [`npmWorkspace`](#javascript-buildNpmPackage-npmWorkspace)
- [`npmFlags`](#javascript-buildNpmPackage-npmFlags)
- `npmRoot`
--- a/doc/hooks/npm-install-hook.section.md
+++ b/doc/hooks/npm-install-hook.section.md
@@ -1,35 +0,0 @@
-# npmHooks.npmInstallHook {#npm-install-hook}
-
-Hook to install node_modules for npm packages.
-Does not create wrappers for executable npm projects
-Primarily made for a multi-language environment.
-
-## Examples {#npm-install-hook-snippet}
-
-[](#npm-build-hook-example-snippet)
-
-## Variables controlling `npmInstallHook` {#npm-install-hook-variables}
-
-### `npmInstallHook` Exclusive Variables {#npm-install-hook-exclusive-variables}
-
-#### `dontNpmPrune` {#npm-install-hook-dont-prune}
-
-Whether to run {command}`npm prune` on the `node_modules` or not.
-Defaults to `true`.
-
-#### `npmInstallFlags` {#npm-install-hook-prune-flags}
-
-Flags to pass to the {command}`npm prune` call for the `node_modules` of the package.
-Defaults to `--omit=dev --no-save` which cannot be modified.
-
-#### `dontNpmInstall` {#npm-install-hook-dont}
-
-Controls whether `npmInstallHook` is enabled or not.
-Defaults to `true`, so the hook will run.
-
-### Honored Variables {#npm-install-hook-honored-variables}
-
-The following variables are honored by the `npmInstallHook`.
-
- [`npmWorkspace`](#javascript-buildNpmPackage-npmWorkspace)
- [`npmFlags`](#javascript-buildNpmPackage-npmFlags)
--- a/doc/hooks/writable-tmpdir-as-home-hook.section.md
+++ b/doc/hooks/writable-tmpdir-as-home-hook.section.md
@@ -1,5 +0,0 @@
-# writableTmpDirAsHomeHook {#writableTmpDirAsHomeHook}
-
-This setup hook provides a writable home directory for packages that require it.
-
-To use, just add the hook to the `nativeBuildInputs` of the package.
--- a/doc/languages-frameworks/android.section.md
+++ b/doc/languages-frameworks/android.section.md
@@ -27,7 +27,7 @@ Alternatively, you can pass composeAndroidPackages to the `withSdk` passthrough:
 }
 ```

-These will export `ANDROID_HOME` and `ANDROID_NDK_ROOT` to the SDK and NDK directories
+These will export `ANDROID_SDK_ROOT` and `ANDROID_NDK_ROOT` to the SDK and NDK directories
 in the specified Android build environment.

 ## Deploying an Android SDK installation with plugins {#deploying-an-android-sdk-installation-with-plugins}
@@ -308,7 +308,7 @@ Ensure that your buildToolsVersion and ndkVersion match what is declared in andr
 If you are using cmake, make sure its declared version is correct too.

 Otherwise, you may get cryptic errors from aapt2 and the Android Gradle plugin warning
-that it cannot install the build tools because the SDK directory is not writable.
+that it cannot install the build tools because the SDK directory is not writeable.

 ```gradle
 android {
--- a/doc/languages-frameworks/beam.section.md
+++ b/doc/languages-frameworks/beam.section.md
@@ -6,68 +6,46 @@ In this document and related Nix expressions, we use the term, _BEAM_, to descri

 ## Available versions and deprecations schedule {#available-versions-and-deprecations-schedule}

-### Erlang OTP {#erlang}
-
-Nixpkgs follows upstream Erlang in their [support lifecycle](https://erlang.org/download/otp_versions_tree.html) and keeps up to the last 3 released versions of Erlang available. Due to upstream and NixOS release timings, this may mean removal of the oldest release prior to upstream fully dropping support.
-
 ### Elixir {#elixir}

-Nixpkgs follows the [official elixir deprecation schedule](https://hexdocs.pm/elixir/compatibility-and-deprecations.html) and keeps up to the last 5 released versions of Elixir available.
+Nixpkgs follows the [official elixir deprecation schedule](https://hexdocs.pm/elixir/compatibility-and-deprecations.html) and keeps the last 5 released versions of Elixir available.

 ## Structure {#beam-structure}

-All BEAM-related expressions are available via top-level package sets. It is recommended to work with a single package set to ensure consistent versions.
+All BEAM-related expressions are available via the top-level `beam` attribute, which includes:

- `beamPackages` - default OTP version
- `beamMinimalPackages` - default OTP version, without wxwidgets, which saves ~1GB in closure size
+- `interpreters`: a set of compilers running on the BEAM, including multiple Erlang/OTP versions (`beam.interpreters.erlang_22`, etc), Elixir (`beam.interpreters.elixir`) and LFE (Lisp Flavoured Erlang) (`beam.interpreters.lfe`).

-There are also OTP version specific package sets, e.g. for OTP 28:
+- `packages`: a set of package builders (Mix and rebar3), each compiled with a specific Erlang/OTP version, e.g. `beam.packages.erlang22`.

- `beam28Packages`
- `beamMinimal28Packages`
+The default Erlang compiler, defined by `beam.interpreters.erlang`, is aliased as `erlang`. The default BEAM package set is defined by `beam.packages.erlang` and aliased at the top level as `beamPackages`.

-Inside each package set are:
+To create a package builder built with a custom Erlang version, use the lambda, `beam.packagesWith`, which accepts an Erlang/OTP derivation and produces a package builder similar to `beam.packages.erlang`.

- erlang itself (version comes from package set)
- interpreters: elixir (multiple versions, e.g. elixir_1_18) and lfe
- packages: rebar3, hex, etc
- builders: mixRelease, buildRebar3, etc
- hooks: for composing builders and packages
+Many Erlang/OTP distributions available in `beam.interpreters` have versions with ODBC and/or Java enabled or without wx (no observer support). For example, there's `beam.interpreters.erlang_22_odbc_javac`, which corresponds to `beam.interpreters.erlang_22` and `beam.interpreters.erlang_22_nox`, which corresponds to `beam.interpreters.erlang_22`.

-To use a non-default Elixir it's important to keep the rest of the package set consistent, so it's recommended to use `.extend`. This ensures that builders like `mixRelease`, `fetchMixDeps`, and `buildMix` all pick up the overridden Elixir:
+## Build Tools {#build-tools}

-```nix
-let
-  beamPackages = beam27Packages.extend (self: super: { elixir = self.elixir_1_18; });
-in
-beamPackages.mixRelease {
-  # ...
-}
-```
+### Rebar3 {#build-tools-rebar3}

-## Build Tools {#beam-build-tools}
+We provide a version of Rebar3, under `rebar3`. We also provide a helper to fetch Rebar3 dependencies from a lockfile under `fetchRebar3Deps`.

-### Rebar3 {#beam-build-tools-rebar3}
-
-We provide a version of Rebar3, under `beamPackages.rebar3`. We also provide a helper to fetch Rebar3 dependencies from a lockfile under `beamPackages.fetchRebar3Deps`.
-
-We also provide a version on Rebar3 with plugins included, under `beamPackages.rebar3WithPlugins`. This package is a function which takes two arguments: `plugins`, a list of nix derivations to include as plugins (loaded only when specified in `rebar.config`), and `globalPlugins`, which should always be loaded by rebar3. Example: `beamPackages.rebar3WithPlugins { globalPlugins = [beamPackages.pc]; }`.
+We also provide a version on Rebar3 with plugins included, under `rebar3WithPlugins`. This package is a function which takes two arguments: `plugins`, a list of nix derivations to include as plugins (loaded only when specified in `rebar.config`), and `globalPlugins`, which should always be loaded by rebar3. Example: `rebar3WithPlugins { globalPlugins = [beamPackages.pc]; }`.

 When adding a new plugin it is important that the `name` attribute is the same as the atom used by rebar3 to refer to the plugin.

-### Erlang.mk {#beam-build-tools-erlangmk}
+### Mix & Erlang.mk {#build-tools-other}

 Erlang.mk works exactly as expected. There is a bootstrap process that needs to be run, which is supported by the `buildErlangMk` derivation.

-### Mix {#beam-build-tools-mix}
+For Elixir applications use `mixRelease` to make a release. See examples for more details.

-For Elixir applications that use [mix release](https://hexdocs.pm/mix/Mix.Release.html), use the `mixRelease` builder to make a release. See examples for more details.
-
-There is also a `buildMix` helper, whose behavior is closer to that of `buildErlangMk` and `buildRebar3`. The primary difference is that `mixRelease` makes a release, while `buildMix` only builds the package, which is more useful for libraries and other dependencies.
+There is also a `buildMix` helper, whose behavior is closer to that of `buildErlangMk` and `buildRebar3`. The primary difference is that mixRelease makes a release, while buildMix only builds the package, making it useful for libraries and other dependencies.

 ## How to Install BEAM Packages {#how-to-install-beam-packages}

-To use any of these builders in your environment, refer to them by their attribute path under `beamPackages` (or another BEAM package set), e.g. `beamPackages.rebar3`:
+BEAM builders are not registered at the top level, because they are not relevant to the vast majority of Nix users.
+To use any of those builders into your environment, refer to them by their attribute path under `beamPackages`, e.g. `beamPackages.rebar3`:

 ::: {.example #ex-beam-ephemeral-shell}
 # Ephemeral shell
@@ -97,39 +75,35 @@ pkgs.mkShell { packages = [ pkgs.beamPackages.rebar3 ]; }

 #### Rebar3 Packages {#rebar3-packages}

-The builder `beamPackages.buildRebar3` can be used to build a derivation that understands how to build a Rebar3 project.
+The Nix function, `buildRebar3`, defined in `beam.packages.erlang.buildRebar3` and aliased at the top level, can be used to build a derivation that understands how to build a Rebar3 project.
+
+If a package needs to compile native code via Rebar3's port compilation mechanism, add `compilePort = true;` to the derivation.

 #### Erlang.mk Packages {#erlang-mk-packages}

-Erlang.mk functions similarly to Rebar3, except we use `beamPackages.buildErlangMk` instead of `beamPackages.buildRebar3`.
-
-If a package needs to compile native code via Erlang.mk's port compilation mechanism, add `compilePorts = true;` to the derivation.
-
-### Elixir Applications {#packaging-elixir-applications}
+Erlang.mk functions similarly to Rebar3, except we use `buildErlangMk` instead of `buildRebar3`.

 #### Mix Packages {#mix-packages}

-`beamPackages.mixRelease` is used to make a release in the mix sense. Dependencies will need to be fetched with `beamPackages.fetchMixDeps` and passed to it.
+`mixRelease` is used to make a release in the mix sense. Dependencies will need to be fetched with `fetchMixDeps` and passed to it.

 #### mixRelease - Elixir Phoenix example {#mix-release-elixir-phoenix-example}

-There are 3 steps: frontend dependencies (javascript), backend dependencies (elixir), and the final derivation that puts both of those together.
+there are 3 steps: frontend dependencies (javascript), backend dependencies (elixir), and the final derivation that puts both of those together

 ##### mixRelease - Frontend dependencies (javascript) {#mix-release-javascript-deps}

-For phoenix projects, inside of Nixpkgs you can either use `fetchYarnDeps` or `buildNpmPackage`. An example with `buildNpmPackage` can be found [here](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/pl/plausible/package.nix), and an example with `fetchYarnDeps` can be found [here](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/pi/pinchflat/package.nix).
+For phoenix projects, inside of Nixpkgs you can either use yarn2nix (mkYarnModule) or node2nix. An example with yarn2nix can be found [here](https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/web-apps/plausible/default.nix#L39). An example with node2nix will follow. To package something outside of nixpkgs, you have alternatives like [npmlock2nix](https://github.com/nix-community/npmlock2nix) or [nix-npm-buildpackage](https://github.com/serokell/nix-npm-buildpackage)

 ##### mixRelease - backend dependencies (mix) {#mix-release-mix-deps}

-There are 2 ways to package backend dependencies: either per-dependency mix2nix or with a fixed-output-derivation (FOD).
-
-When writing an elixir project targeting `mixRelease`, you can also consider using [deps_nix](https://github.com/code-supply/deps_nix) with `mixNixDeps`. `deps_nix` supports git dependencies, but is intended to be added to the project's `mix.exs` directly.
+There are 2 ways to package backend dependencies. With mix2nix and with a fixed-output-derivation (FOD).

 ###### mix2nix {#mix2nix}

 `mix2nix` is a cli tool available in Nixpkgs. It will generate a Nix expression from a `mix.lock` file. It is quite standard in the 2nix tool series.

-Note that currently mix2nix can't handle git dependencies inside the mix.lock file. If you have git dependencies, you can either add them manually (see [example](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/pl/pleroma/package.nix)) or use the FOD method.
+Note that currently mix2nix can't handle git dependencies inside the mix.lock file. If you have git dependencies, you can either add them manually (see [example](https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/pleroma/default.nix#L20)) or use the FOD method.

 The advantage of using mix2nix is that nix will know your whole dependency graph. On a dependency update, this won't trigger a full rebuild and download of all the dependencies, where FOD will do so.

@@ -177,7 +151,7 @@ You will need to run the build process once to fix the hash to correspond to you

 ###### FOD {#fixed-output-derivation}

-A fixed output derivation will download mix dependencies from the internet. To ensure reproducibility, a hash will be supplied. Note that mix is relatively reproducible. An FOD generating a different hash on each run hasn't been observed (as opposed to npm where the chances are relatively high). See [akkoma](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/ak/akkoma/package.nix) for a usage example of FOD.
+A fixed output derivation will download mix dependencies from the internet. To ensure reproducibility, a hash will be supplied. Note that mix is relatively reproducible. An FOD generating a different hash on each run hasn't been observed (as opposed to npm where the chances are relatively high). See [elixir-ls](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/beam-modules/elixir-ls/default.nix) for a usage example of FOD.

 Practical steps

@@ -202,11 +176,12 @@ Note that if after you've replaced the value, nix suggests another hash, then mi
 Here is how your `default.nix` file would look for a Phoenix project.

 ```nix
-{
-  # beam27Packages or beam29Packages is available if you need a particular version
-  beamPackages,
-}:
+with import <nixpkgs> { };
+
 let
+  # beam.interpreters.erlang_26 is available if you need a particular version
+  packages = beam.packagesWith beam.interpreters.erlang;
+
  pname = "your_project";
  version = "0.0.1";

@@ -216,7 +191,7 @@ let
  };

  # if using mix2nix you can use the mixNixDeps attribute
-  mixFodDeps = beamPackages.fetchMixDeps {
+  mixFodDeps = packages.fetchMixDeps {
    pname = "mix-deps-${pname}";
    inherit src version;
    # nix will complain and tell you the right value to replace this with
@@ -225,8 +200,11 @@ let
    # if you have build time environment variables add them here
    MY_ENV_VAR = "my_value";
  };
+
+  nodeDependencies = (pkgs.callPackage ./assets/default.nix { }).shell.nodeDependencies;
+
 in
-beamPackages.mixRelease {
+packages.mixRelease {
  inherit
    src
    pname
@@ -237,6 +215,9 @@ beamPackages.mixRelease {
  MY_ENV_VAR = "my_value";

  postBuild = ''
+    ln -sf ${nodeDependencies}/lib/node_modules assets/node_modules
+    npm run deploy --prefix ./assets
+
    # for external task you need a workaround for the no deps check flag
    # https://github.com/phoenixframework/phoenix/issues/2690
    mix do deps.loadpaths --no-deps-check, phx.digest
@@ -248,7 +229,7 @@ beamPackages.mixRelease {
 Setup will require the following steps:

 - Move your secrets to runtime environment variables. For more information refer to the [runtime.exs docs](https://hexdocs.pm/mix/Mix.Tasks.Release.html#module-runtime-configuration). On a fresh Phoenix build that would mean that both `DATABASE_URL` and `SECRET_KEY` need to be moved to `runtime.exs`.
- Generate a Nix expression for your frontend dependencies using `fetchNpmDeps`/`buildNpmPackage` or `fetchYarnDeps`, depending on whether the project uses npm or yarn
+- `cd assets` and `nix-shell -p node2nix --run "node2nix --development"` will generate a Nix expression containing your frontend dependencies
 - commit and push those changes
 - you can now `nix-build .`
 - To run the release, set the `RELEASE_TMP` environment variable to a directory that your program has write access to. It will be used to store the BEAM settings.
@@ -267,7 +248,7 @@ in your project with the following
 }:

 let
-  release = pkgs.callPackage ./default.nix { };
+  release = pkgs.callPackage ./default.nix;
  release_name = "app";
  working_directory = "/home/app";
 in
@@ -339,10 +320,9 @@ Usually, we need to create a `shell.nix` file and do our development inside the

 with pkgs;
 let
-  # pin OTP via beam27Packages/beam28Packages/... and Elixir via .extend
-  beamPackages = beam27Packages.extend (self: super: { elixir = self.elixir_1_18; });
+  elixir = beam.packages.erlang_27.elixir_1_18;
 in
-mkShell { buildInputs = [ beamPackages.elixir ]; }
+mkShell { buildInputs = [ elixir ]; }
 ```

 ### Using an overlay {#beam-using-overlays}
@@ -357,7 +337,7 @@ let
    self: super: {
      elixir_1_18 = super.elixir_1_18.override {
        version = "1.18.1";
-        hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+        sha256 = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
      };
    }
  );
@@ -375,17 +355,18 @@ Here is an example `shell.nix`.
 with import <nixpkgs> { };

 let
-  # pin OTP via beam27Packages/beam28Packages/... and Elixir via .extend
-  beamPackages = beam27Packages.extend (self: super: { elixir = self.elixir_1_18; });
-
  # define packages to install
  basePackages = [
    git
-    beamPackages.elixir
+    # replace with beam.packages.erlang.elixir_1_18 if you need
+    beam.packages.erlang.elixir
    nodejs
    postgresql_14
+    # only used for frontend dependencies
+    # you are free to use yarn2nix as well
+    nodePackages.node2nix
    # formatting js file
-    prettier
+    nodePackages.prettier
  ];

  inputs = basePackages ++ lib.optionals stdenv.hostPlatform.isLinux [ inotify-tools ];
@@ -398,13 +379,13 @@ let
    export HEX_HOME=$PWD/.nix-mix
    # make hex from Nixpkgs available
    # `mix local.hex` will install hex into MIX_HOME and should take precedence
-    export MIX_PATH="${beamPackages.hex}/lib/erlang/lib/hex/ebin"
+    export MIX_PATH="${beam.packages.erlang.hex}/lib/erlang/lib/hex/ebin"
    export PATH=$MIX_HOME/bin:$HEX_HOME/bin:$PATH
    export LANG=C.UTF-8
    # keep your shell history in iex
    export ERL_AFLAGS="-kernel shell_history enabled"

-    # postgres related
+    # postges related
    # keep all your db data in a folder inside the project
    export PGDATA="$PWD/db"

--- a/doc/languages-frameworks/emscripten.section.md
+++ b/doc/languages-frameworks/emscripten.section.md
@@ -205,7 +205,7 @@ pkgs.buildEmscriptenPackage {

 ## Debugging {#declarative-debugging}

-Use `nix-shell -I nixpkgs=/some/dir/nixpkgs -A emscriptenPackages.libz` and from there you can go through the individual steps. This makes it easy to build a good `unit test` or list the files of the project.
+Use `nix-shell -I nixpkgs=/some/dir/nixpkgs -A emscriptenPackages.libz` and from there you can go trough the individual steps. This makes it easy to build a good `unit test` or list the files of the project.

 1. `nix-shell -I nixpkgs=/some/dir/nixpkgs -A emscriptenPackages.libz`
 2. `cd /tmp/`
--- a/doc/languages-frameworks/go.section.md
+++ b/doc/languages-frameworks/go.section.md
@@ -101,7 +101,6 @@ If `true`, the intermediate fetcher downloads dependencies from the

 This is useful if your code depends on C code and `go mod tidy` does not include the needed sources to build or
 if any dependency has case-insensitive conflicts which will produce platform-dependent `vendorHash` checksums.
-It may also be needed if the module targets language version 1.16 or earlier, since vendoring compiles all dependencies against language version 1.16 in this case.

 Defaults to `false`.

--- a/doc/languages-frameworks/index.md
+++ b/doc/languages-frameworks/index.md
@@ -17,7 +17,7 @@ Each supported language or software ecosystem has its own package set named `<la
  # Navigate Java compiler variants in `javaPackages` with `nix repl`

  ```shell-session
-  $ nix repl -f '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable
+  $ nix repl '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable
  nix-repl> javaPackages.<tab>
  javaPackages.compiler               javaPackages.openjfx15              javaPackages.openjfx21              javaPackages.recurseForDerivations
  javaPackages.jogl_2_4_0             javaPackages.openjfx17              javaPackages.openjfx25
@@ -79,7 +79,6 @@ ios.section.md
 java.section.md
 javascript.section.md
 julia.section.md
-lean4.section.md
 lisp.section.md
 lua.section.md
 maven.section.md
--- a/doc/languages-frameworks/javascript.section.md
+++ b/doc/languages-frameworks/javascript.section.md
@@ -45,14 +45,17 @@ If a particular lock file is present, it is a strong indication of which package

 It's better to try to use a Nix tool that understands the lock file.
 Using a different tool might give you a hard-to-understand error because different packages have been installed.
+An example of problems that could arise can be found [here](https://github.com/NixOS/nixpkgs/pull/126629).
+Upstream use npm, but this is an attempt to package it with `yarn2nix` (that uses yarn.lock).

 Using a different tool forces you to commit a lock file to the repository.
 These files are fairly large, so when packaging for nixpkgs, this approach does not scale well.

 Exceptions to this rule are:

- When you encounter one of the bugs from a Nix tool. In each of the tool-specific instructions, known problems will be detailed. If you have a problem with a particular tool, then it's best to try another tool, even if this means you will have to re-create a lock file and commit it to Nixpkgs.
+- When you encounter one of the bugs from a Nix tool. In each of the tool-specific instructions, known problems will be detailed. If you have a problem with a particular tool, then it's best to try another tool, even if this means you will have to re-create a lock file and commit it to Nixpkgs. In general `yarn2nix` has fewer known problems, and so a simple search in Nixpkgs will reveal many `yarn.lock` files committed.
 - Some lock files contain particular version of a package that has been pulled off npm for some reason. In that case, you can recreate upstream lock (by removing the original and `npm install`, `yarn`, ...) and commit this to nixpkgs.
+- The only tool that supports workspaces (a feature of npm that helps manage sub-directories with different package.json from a single top level package.json) is `yarn2nix`. If upstream has workspaces you should try `yarn2nix`.

 ### Try to use upstream package.json {#javascript-upstream-package-json}

@@ -89,14 +92,14 @@ Exceptions to this rule are:
 Each tool has an abstraction to just build the node_modules (dependencies) directory.
 You can always use the `stdenv.mkDerivation` with the node_modules to build the package (symlink the node_modules directory and then use the package build command).
 The node_modules abstraction can be also used to build some web framework frontends.
-For an example of this see how [plausible](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/pl/plausible/package.nix) is built.
+For an example of this see how [plausible](https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/web-apps/plausible/default.nix) is built. `mkYarnModules` to make the derivation containing node_modules.
 Then when building the frontend you can just symlink the node_modules directory.

 ## Tool-specific instructions {#javascript-tool-specific}

 ### buildNpmPackage {#javascript-buildNpmPackage}

-`buildNpmPackage` allows you to package npm-based projects in Nixpkgs without the use of an auto-generated dependencies file.
+`buildNpmPackage` allows you to package npm-based projects in Nixpkgs without the use of an auto-generated dependencies file (as used in [node2nix](#javascript-node2nix)).
 It works by utilizing npm's cache functionality -- creating a reproducible cache that contains the dependencies of a project, and pointing npm to it.

 Here's an example:
@@ -144,10 +147,10 @@ If these are not defined, `npm pack` may miss some files, and no binaries will b
 * `npmDepsHash`: The output hash of the dependencies for this project. Can be calculated in advance with [`prefetch-npm-deps`](#javascript-buildNpmPackage-prefetch-npm-deps).
 * `makeCacheWritable`: Whether to make the cache writable prior to installing dependencies. Don't set this unless npm tries to write to the cache directory, as it can slow down the build.
 * `npmBuildScript`: The script to run to build the project. Defaults to `"build"`.
-* []{#javascript-buildNpmPackage-npmWorkspace} `npmWorkspace`: The workspace directory within the project to build and install.
+* `npmWorkspace`: The workspace directory within the project to build and install.
 * `dontNpmBuild`: Option to disable running the build script. Set to `true` if the package does not have a build script. Defaults to `false`. Alternatively, setting `buildPhase` explicitly also disables this.
 * `dontNpmInstall`: Option to disable running `npm install`. Defaults to `false`. Alternatively, setting `installPhase` explicitly also disables this.
-* []{#javascript-buildNpmPackage-npmFlags} `npmFlags`: Flags to pass to all npm commands.
+* `npmFlags`: Flags to pass to all npm commands.
 * `npmInstallFlags`: Flags to pass to `npm ci`.
 * `npmBuildFlags`: Flags to pass to `npm run ${npmBuildScript}`.
 * `npmPackFlags`: Flags to pass to `npm pack`.
@@ -303,9 +306,28 @@ It's recommended to set `package-lock-only = true` in your project-local [`.npmr

 This package puts the corepack wrappers for pnpm and yarn in your PATH, and they will honor the `packageManager` setting in the `package.json`.

+### node2nix {#javascript-node2nix}
+
+#### Preparation {#javascript-node2nix-preparation}
+
+You will need to generate a Nix expression for the dependencies. Don't forget the `-l package-lock.json` if there is a lock file. Most probably you will need the `--development` to include the `devDependencies`
+
+So the command will most likely be:
+```sh
+node2nix --development -l package-lock.json
+```
+
+See `node2nix` [docs](https://github.com/svanderburg/node2nix) for more info.
+
+#### Pitfalls {#javascript-node2nix-pitfalls}
+
+- If upstream package.json does not have a "version" attribute, `node2nix` will crash. You will need to add it like shown in [the package.json section](#javascript-upstream-package-json).
+- `node2nix` has some [bugs](https://github.com/svanderburg/node2nix/issues/238) related to working with lock files from npm distributed with `nodejs_16`.
+- `node2nix` does not like missing packages from npm. If you see something like `Cannot resolve version: vue-loader-v16@undefined` then you might want to try another tool. The package might have been pulled off of npm.
+
 ### pnpm {#javascript-pnpm}

-pnpm is available as the top-level package `pnpm`. Additionally, there are variants pinned to certain major versions, like `pnpm_8`, `pnpm_9`, `pnpm_10`, `pnpm_10_29_2` and `pnpm_11`, which support different sets of lock file versions.
+pnpm is available as the top-level package `pnpm`. Additionally, there are variants pinned to certain major versions, like `pnpm_8`, `pnpm_9` and `pnpm_10`, which support different sets of lock file versions.

 When packaging an application that includes a `pnpm-lock.yaml`, you need to fetch the pnpm store for that project using a fixed-output-derivation. The function `fetchPnpmDeps` can create this pnpm store derivation. In conjunction, the setup hook `pnpmConfigHook` will prepare the build environment to install the pre-fetched dependencies store. Here is an example for a package that contains `package.json` and a `pnpm-lock.yaml` files using the fetcher and setup hook above:

@@ -313,18 +335,11 @@ When packaging an application that includes a `pnpm-lock.yaml`, you need to fetc
 {
  fetchPnpmDeps,
  nodejs,
-  pnpm_11,
+  pnpm,
  pnpmConfigHook,
  stdenv,
 }:
-let
-  # It is recommended to pin pnpm to a major version, due to regular breaking changes in the store format
-  # The latest major version is always available under `pkgs.pnpm`
-  # Optionally override pnpm to use a custom nodejs version
-  # Make sure that the same nodejs version is referenced in nativeBuildInputs
-  # pnpm = pnpm_11.override { nodejs = nodejs_24; };
-  pnpm = pnpm_11;
-in
+
 stdenv.mkDerivation (finalAttrs: {
  pname = "foo";
  version = "0-unstable-1980-01-01";
@@ -341,8 +356,7 @@ stdenv.mkDerivation (finalAttrs: {

  pnpmDeps = fetchPnpmDeps {
    inherit (finalAttrs) pname version src;
-    inherit pnpm;
-    fetcherVersion = 4;
+    fetcherVersion = 3;
    hash = "...";
  };
 })
@@ -364,7 +378,7 @@ It is highly recommended to use a pinned version of pnpm (i.e., `pnpm_9` or `pnp
 +let
 +  # Optionally override pnpm to use a custom nodejs version
 +  # Make sure that the same nodejs version is referenced in nativeBuildInputs
-+  # pnpm = pnpm_10.override { nodejs = nodejs-slim_22; };
+  # pnpm = pnpm_10.override { nodejs = nodejs_20; };
 +in
 stdenv.mkDerivation (finalAttrs: {
   pname = "foo";
@@ -384,7 +398,7 @@ It is highly recommended to use a pinned version of pnpm (i.e., `pnpm_9` or `pnp
   pnpmDeps = fetchPnpmDeps {
     inherit (finalAttrs) pname version src;
 +    pnpm = pnpm_10;
-     fetcherVersion = 4;
+     fetcherVersion = 3;
     hash = "...";
   };
 })
@@ -491,32 +505,40 @@ In this example, `prePnpmInstall` will be run by both `pnpmConfigHook` and by th

 #### pnpm `fetcherVersion` {#javascript-pnpm-fetcherVersion}

-This is the version of the output of `fetchPnpmDeps`. New packages should use `3`:
+This is the version of the output of `fetchPnpmDeps`, if you haven't set it already, you can use `1` with your current hash:

 ```nix
 {
  # ...
  pnpmDeps = fetchPnpmDeps {
    # ...
-    fetcherVersion = 4;
-    hash = "..."; # clear this hash and generate a new one
+    fetcherVersion = 1;
+    hash = "..."; # you can use your already set hash here
  };
 }
 ```

-When upgrading to a newer `fetcherVersion`, you need to regenerate the hash.
+After upgrading to a newer `fetcherVersion`, you need to regenerate the hash:
+
+```nix
+{
+  # ...
+  pnpmDeps = fetchPnpmDeps {
+    # ...
+    fetcherVersion = 2;
+    hash = "..."; # clear this hash and generate a new one
+  };
+}
+```

 This variable ensures that we can make changes to the output of `fetchPnpmDeps` without breaking existing hashes.
 Changes can include workarounds or bug fixes to existing PNPM issues.

 ##### Version history {#javascript-pnpm-fetcherVersion-versionHistory}

-Version 3 is the recommended value for new packages. Versions 1 and 2 are deprecated and scheduled for removal in the 26.11 release; existing packages must migrate.
-
- 1: Initial version, nothing special.
+- 1: Initial version, nothing special
 - 2: [Ensure consistent permissions](https://github.com/NixOS/nixpkgs/pull/422975)
 - 3: [Build a reproducible tarball](https://github.com/NixOS/nixpkgs/pull/469950)
- 4: [Dump SQLite database to an SQL file](https://github.com/NixOS/nixpkgs/pull/522703)

 ### Yarn {#javascript-yarn}

@@ -595,6 +617,139 @@ To install the package `yarnInstallHook` uses both `npm` and `yarn` to cleanup p

 - `yarnKeepDevDeps`: Disables the removal of devDependencies from `node_modules` before installation.

+#### yarn2nix {#javascript-yarn2nix}
+
+> [!WARNING]
+> The `yarn2nix` functions have been deprecated in favor of `yarnConfigHook`, `yarnBuildHook` and `yarnInstallHook` (for Yarn v1) and `yarn-berry_*.*` tooling (Yarn v3 and v4). Documentation for `yarn2nix` functions still appears here for the sake of the packages that still use them. See also a tracking issue [#324246](https://github.com/NixOS/nixpkgs/issues/324246).
+
+##### Preparation {#javascript-yarn2nix-preparation}
+
+You will need at least a `yarn.lock` file. If upstream does not have one you need to generate it and reference it in your package definition.
+
+If the downloaded files contain the `package.json` and `yarn.lock` files they can be used like this:
+
+```nix
+{
+  offlineCache = fetchYarnDeps {
+    yarnLock = src + "/yarn.lock";
+    hash = "....";
+  };
+}
+```
+
+##### mkYarnPackage {#javascript-yarn2nix-mkYarnPackage}
+
+> [!WARNING]
+> The `mkYarnPackage` functions have been deprecated in favor of `yarnConfigHook`, `yarnBuildHook` and `yarnInstallHook` (for Yarn v1) and `yarn-berry_*.*` tooling (Yarn v3 and v4). Documentation for `mkYarnPackage` functions still appears here for the sake of the packages that still use them. See also a tracking issue [#324246](https://github.com/NixOS/nixpkgs/issues/324246).
+
+`mkYarnPackage` will by default try to generate a binary. For packages only generating static assets (Svelte, Vue, React, Webpack, ...), you will need to explicitly override the build step with your instructions.
+
+It's important to use the `--offline` flag. For example if you script is `"build": "something"` in `package.json` use:
+
+```nix
+{
+  nativeBuildInputs = [ writableTmpDirAsHomeHook ];
+
+  buildPhase = ''
+    runHook preBuild
+
+    yarn --offline build
+
+    runHook postBuild
+  '';
+}
+```
+
+The `distPhase` is packing the package's dependencies in a tarball using `yarn pack`. You can disable it using:
+
+```nix
+{ doDist = false; }
+```
+
+The configure phase can sometimes fail because it makes many assumptions that may not always apply. One common override is:
+
+```nix
+{
+  configurePhase = ''
+    runHook preConfigure
+
+    ln -s $node_modules node_modules
+
+    runHook postConfigure
+  '';
+}
+```
+
+or if you need a writeable node_modules directory:
+
+```nix
+{
+  configurePhase = ''
+    runHook preConfigure
+
+    cp -r $node_modules node_modules
+    chmod +w node_modules
+
+    runHook postConfigure
+  '';
+}
+```
+
+##### mkYarnModules {#javascript-yarn2nix-mkYarnModules}
+
+This will generate a derivation including the `node_modules` directory.
+If you have to build a derivation for an integrated web framework (Rails, Phoenix, etc.), this is probably the easiest way.
+
+#### Overriding dependency behavior {#javascript-mkYarnPackage-overriding-dependencies}
+
+In the `mkYarnPackage` record the property `pkgConfig` can be used to override packages when you encounter problems building.
+
+For instance, say your package is throwing errors when trying to invoke node-sass:
+
+```
+ENOENT: no such file or directory, scandir '/build/source/node_modules/node-sass/vendor'
+```
+
+To fix this we will specify different versions of build inputs to use, as well as some post install steps to get the software built the way we want:
+
+```nix
+mkYarnPackage rec {
+  pkgConfig = {
+    node-sass = {
+      buildInputs = with final; [
+        python
+        libsass
+        pkg-config
+      ];
+      postInstall = ''
+        LIBSASS_EXT=auto yarn --offline run build
+        rm build/config.gypi
+      '';
+    };
+  };
+}
+```
+
+##### Pitfalls {#javascript-yarn2nix-pitfalls}
+
+- If version is missing from upstream package.json, yarn will silently install nothing. In that case, you will need to override package.json as shown in the [package.json section](#javascript-upstream-package-json)
+- Having trouble with `node-gyp`? Try adding these lines to the `yarnPreBuild` steps:
+
+  ```nix
+  {
+    yarnPreBuild = ''
+      mkdir -p $HOME/.node-gyp/${nodejs.version}
+      echo 9 > $HOME/.node-gyp/${nodejs.version}/installVersion
+      ln -sfv ${nodejs}/include $HOME/.node-gyp/${nodejs.version}
+      export npm_config_nodedir=${nodejs}
+    '';
+  }
+  ```
+
+  - The `echo 9` steps comes from this answer: <https://stackoverflow.com/a/49139496>
+  - Exporting the headers in `npm_config_nodedir` comes from this issue: <https://github.com/nodejs/node-gyp/issues/1191#issuecomment-301243919>
+- `offlineCache` (described [above](#javascript-yarn2nix-preparation)) must be specified to avoid [Import From Derivation](#ssec-import-from-derivation) (IFD) when used inside Nixpkgs.
+
 #### Yarn Berry v3/v4 {#javascript-yarn-v3-v4}
 Yarn Berry (v3 / v4) have similar formats, they start with blocks like these:

--- a/doc/languages-frameworks/lean4.section.md
+++ b/doc/languages-frameworks/lean4.section.md
@@ -1,51 +0,0 @@
-# Lean 4 {#sec-language-lean4}
-
-Lean 4 is a strict functional language with dependent types. `leanPackages` provides the toolchain and a curated set of libraries — including the full mathlib dependency tree — with its own Lean toolchain. A standalone compiler is also available as `pkgs.lean4` for use outside the package set.
-
-## Building Lean 4 projects with `buildLakePackage` {#lean4-buildLakePackage}
-
-```nix
-leanPackages.buildLakePackage {
-  pname = "my-project";
-  version = "0.1.0";
-  src = ./.;
-  leanDeps = with leanPackages; [ mathlib ];
-  lakeHash = null; # all deps nix-managed; set to lib.fakeHash for Lake-managed deps
-}
-```
-
-Dependencies are declared in the lakefile for Lake and in the Nix expression for Nix. `leanDeps` provides Nix-managed libraries whose `.olean` files — the default build artifact of the Lake library facet — are reused without recompilation. `buildLakePackage` injects them via `lake --packages`, which takes precedence over Lake's own dependency resolution, producing a hermetic build.
-
-Sui generis among nixpkgs builders, `buildLakePackage` supports heterogeneous dependency resolution, in that Nix transparently substitutes for upstream-managed dependencies at per-package granularity: Nix-managed dependencies via `leanDeps` and Lake-managed dependencies via `lakeHash` compose in the same derivation. Setting `lakeHash = lib.fakeHash` and building will report the expected hash for a fixed-output derivation that pins what Lake would normally fetch, less Nix-managed dependencies. Nix-managed dependencies take precedence by name — so moving a dependency from `lakeHash` to `leanDeps` will change the expected hash — providing an on-ramp for projects to incrementally adopt nix-managed libraries. Setting `lakeHash = null` (the default) declares that all dependencies are Nix-managed and no fixed-output fetch is performed during the build.
-
-A `lake-manifest.json` is required at the project root. If all dependencies are Nix-managed, an empty manifest suffices:
-
-```json
-{"version":"1.1.0","packagesDir":".lake/packages","packages":[]}
-```
-
-## Development shells {#lean4-dev-shells}
-
-In `nix develop`, the scoped `lean4` and `buildLakePackage` provide the same toolchain used for hermetic builds. Note that Lake's normal dependency resolution is available in the shell — Lake may fetch dependencies not covered by `leanDeps` from the network, as is standard for Nix development shells.
-
-## The `leanPackages` scope {#lean4-leanPackages}
-
-`leanPackages` is a `lib.makeScope` with its own `lean4`. Overriding it propagates to all packages and to `buildLakePackage`:
-
-```nix
-leanPackages.overrideScope (
-  self: super: {
-    lean4 = myCustomLean4;
-  }
-)
-```
-
-The `lean4` supplied by `leanPackages` is binary-patched to ensure that the Lean language server discovers the wrapped `lake` rather than an unwrapped one. This is necessary because Lake's `serve` subcommand has a vexing invocation pattern: it derives `LAKE` from `IO.appPath` and unconditionally sets it in the spawned environment, bypassing any wrapper. The binary patch rewrites store path references so that this discovery mechanism finds the correct binary, enabling LSP integration — including the InfoView, which requires Lean-specific protocol extensions — without improper mutation of the user's project directory.
-
-Note that `leanPackages.lean4` supplants Lake's built-in cache invalidation for dependencies in `/nix/store/`, deferring entirely to Nix's bespoke dependency model. Lake's trace validation — which checks compiler "hash," platform, and package identity — is gracefully subsumed by guarantees Nix already provides. Cache coherence responsibilities are delegated to the orchestrator of streamlined Nix integration.
-
-For Emacs, `emacsPackages.nael` and `emacsPackages.nael-lsp` (eglot-based and lsp-mode-based respectively, available via MELPA) provide Lean 4 support including proof state display via eldoc. For VSCode (unfree) / VSCodium, `vscode-extensions.leanprover.lean4` is available. Editor packages discover the toolchain from `PATH`.
-
-## Relationship to earlier Lean 4 Nix support {#lean4-history}
-
-Users familiar with the per-module derivation approach (2020–2025) should note that `buildLakePackage` follows a different architecture. The earlier integration discovered dependencies at evaluation time via import-from-derivation — an ambitious attempt to reconcile declarative package management with fine-grained build semantics, ultimately undermined by Nix's own evaluation model. It was [removed upstream](https://github.com/leanprover/lean4/commit/535435955b482176e8d62a54deebcacdec0827db). `buildLakePackage` treats Lake as a build driver and uses Nix for package-level boundaries, while `nix develop` and `nix-shell` achieve feature parity with the vanilla Lake development experience.
--- a/doc/languages-frameworks/lua.section.md
+++ b/doc/languages-frameworks/lua.section.md
@@ -232,7 +232,7 @@ The following is an example:
        vyp
        lblasc
      ];
-      license = lib.licenses.mit;
+      license.fullName = "MIT/X11";
    };
  };
 }
--- a/doc/languages-frameworks/maven.section.md
+++ b/doc/languages-frameworks/maven.section.md
@@ -17,14 +17,14 @@ Consider the following package:
  maven,
 }:

-maven.buildMavenPackage (finalAttrs: {
+maven.buildMavenPackage rec {
  pname = "jd-cli";
  version = "1.2.1";

  src = fetchFromGitHub {
    owner = "intoolswetrust";
    repo = "jd-cli";
-    tag = "jd-cli-${finalAttrs.version}";
+    tag = "jd-cli-${version}";
    hash = "sha256-rRttA5H0A0c44loBzbKH7Waoted3IsOgxGCD2VM0U/Q=";
  };

@@ -50,7 +50,7 @@ maven.buildMavenPackage (finalAttrs: {
    license = lib.licenses.gpl3Plus;
    maintainers = with lib.maintainers; [ majiir ];
  };
-})
+}
 ```

 This package calls `maven.buildMavenPackage` to do its work. The primary difference from `stdenv.mkDerivation` is the `mvnHash` variable, which is a hash of all of the Maven dependencies.
@@ -133,7 +133,7 @@ step 2 which will most probably fail the build. The `go-offline` plugin cannot
 handle these so-called [dynamic dependencies](https://github.com/qaware/go-offline-maven-plugin?tab=readme-ov-file#dynamic-dependencies).
 In that case you must add these dynamic dependencies manually with:
 ```nix
-maven.buildMavenPackage {
+maven.buildMavenPackage rec {
  manualMvnArtifacts = [
    # add dynamic test dependencies here
    "org.apache.maven.surefire:surefire-junit-platform:3.1.2"
--- a/doc/languages-frameworks/neovim.section.md
+++ b/doc/languages-frameworks/neovim.section.md
@@ -64,7 +64,6 @@ For instance, `sqlite-lua` needs `g:sqlite_clib_path` to be set to work. Nixpkgs
 - `wrapRc`: Nix, not being able to write in your `$HOME`, loads the
  generated Neovim configuration via the `$VIMINIT` environment variable, i.e. : `export VIMINIT='lua dofile("/nix/store/…-init.lua")'`. This has side effects like preventing Neovim from sourcing your `init.lua` in `$XDG_CONFIG_HOME/nvim` (see bullet 7 of [`:help startup`](https://neovim.io/doc/user/starting.html#startup) in Neovim). Disable it if you want to generate your own wrapper. You can still reuse the generated vimscript init code via `neovim.passthru.initRc`.
 - `plugins`: A list of plugins to add to the wrapper.
- `extraLuaPackages`: A function passed on to `lua.withPackages`
 - `withPython3`, `withNodeJs`, `withRuby` control when to enable neovim
  providers (see `:h provider`).

@@ -91,7 +90,6 @@ wrapNeovimUnstable neovim-unwrapped {
    (nvim-treesitter.withPlugins (p: [ p.nix p.python ]))
    hex-nvim
  ];
-  extraLuaPackages = lp: [ lp.mpack ];
  withPython3 = true;
  withNodeJs = false;
  withRuby = false;
@@ -115,25 +113,6 @@ patch those plugins but expose the necessary configuration under
 `PLUGIN.passthru.initLua` for neovim plugins. For instance, the `unicode-vim` plugin
 needs the path towards a unicode database so we expose the following snippet `vim.g.Unicode_data_directory="${self.unicode-vim}/autoload/unicode"` under `vimPlugins.unicode-vim.passthru.initLua`.

-### Plugin license overrides {#neovim-plugin-license-overrides}
-
-Generated Vim and Neovim plugins get their `meta.license` from GitHub license metadata when possible.
-Some upstream repositories do not expose a license file that GitHub can detect, or only mention the license in a README.
-In those cases, add a manual `meta.license` override in [overrides.nix](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/editors/vim/plugins/overrides.nix).
-
-For example, if upstream documents that a plugin uses the Vim license but GitHub does not detect it:
-
-```nix
-{
-  foo-nvim = super.foo-nvim.overrideAttrs (old: {
-    meta = old.meta // {
-      # README says this plugin is distributed under the Vim license.
-      license = lib.licenses.vim;
-    };
-  });
-}
-```
-
 ## LuaRocks based plugins {#neovim-luarocks-based-plugins}

 In order to automatically handle plugin dependencies, several Neovim plugins
--- a/doc/languages-frameworks/octave.section.md
+++ b/doc/languages-frameworks/octave.section.md
@@ -76,17 +76,6 @@ See [Symbolic](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/oct
 `requiredOctavePackages`
 : This is a special dependency that ensures the specified Octave packages are dependent on others, and are made available simultaneously when loading them in Octave.

-### Testing Octave packages {#sssec-testing-octave-packages}
-
-Octave packages built using the `buildOctavePackage` function do not have a `checkPhase` or `installCheckPhase`.
-Instead, the tests `testOctaveBuildEnv` and `testOctavePkgTests` are added to the package's `passthru.tests`.
-
-`passthru.tests.testOctaveBuildEnv` tests whether the package can be used by `octave.withPackages` successfully.
-
-`passthru.tests.testOctavePkgTests` runs a `pkg test` command for the package.
-If the package needs additional inputs to successfully run the tests, the `nativeOctavePkgTestInputs` attribute can be specified.
-If the package needs environment variables to be set to successfully run the tests, ensure that `__structuredAttrs = true;` in the package, then set the environment variables you need in `octavePkgTestEnv` (which should be an attrset where the key is the name of the variable and the value is its value (as a string)).
-
 ### Installing Octave Packages {#sssec-installing-octave-packages}

 By default, the `buildOctavePackage` function does _not_ install the requested package into Octave for use.
--- a/doc/languages-frameworks/php.section.md
+++ b/doc/languages-frameworks/php.section.md
@@ -214,6 +214,12 @@ code, while others choose not to.

 In Nix, there are multiple approaches to building a Composer-based project.

+::: {.warning}
+`buildComposerProject2` has a [known bug](https://github.com/NixOS/nixpkgs/issues/451395)
+where the `vendorHash` changes every time a Composer release happens that changes the
+`autoload.php` or vendored composer code.
+:::
+
 One such method is the `php.buildComposerProject2` helper function, which serves
 as a wrapper around `mkDerivation`.

--- a/doc/languages-frameworks/python.section.md
+++ b/doc/languages-frameworks/python.section.md
@@ -207,62 +207,6 @@ following are specific to `buildPythonPackage`:
 * `setupPyGlobalFlags ? []`: List of flags passed to `setup.py` command.
 * `setupPyBuildFlags ? []`: List of flags passed to `setup.py build_ext` command.

-##### Using fixed-point arguments {#buildpythonpackage-fixed-point-arguments}
-
-Both `buildPythonPackage` and `buildPythonApplication` support [fixed-point arguments](#chap-build-helpers-finalAttrs), similar to `stdenv.mkDerivation`.
-This allows you to reference the final attributes of the derivation.
-
-Instead of using `rec`:
-
-```nix
-buildPythonPackage rec {
-  pname = "pyspread";
-  version = "2.4";
-  src = fetchPypi {
-    inherit pname version;
-    hash = "sha256-...";
-  };
-}
-```
-
-You can use the `finalAttrs` pattern:
-
-```nix
-buildPythonPackage (finalAttrs: {
-  pname = "pyspread";
-  version = "2.4";
-  src = fetchPypi {
-    pname = "pyspread";
-    inherit (finalAttrs) version;
-    hash = "sha256-...";
-  };
-})
-```
-
-See the [general documentation on fixed-point arguments](#chap-build-helpers-finalAttrs) for more details on the benefits of this pattern.
-
-::: {.note}
-
-Some `buildPythonPackage`/`buildPythonApplication` arguments are passed down indirectly to `stdenv.mkDerivation` via `passthru`.
-Therefore the final state of these attributes can be accessed via `finalAttrs.passthru.${name}`.
-[`<pkg>.overrideAttrs`](#sec-pkg-overrideAttrs) can override them using the `passthru = prevAttrs.passthru // { foo = "bar"; }` pattern.
-Such arguments include:
-
- `disabled`
- `pyproject`
- `format`
- `build-system`
- `dependencies`
- `optional-dependencies`
-
-<!--
-TODO(@doronbehar): When `.overridePythonAttrs` will be removed, the above text might need to be revised. See:
-
- https://github.com/NixOS/nixpkgs/pull/379637
- https://github.com/NixOS/nixpkgs/pull/469804
-->
-:::
-
 The [`stdenv.mkDerivation`](#sec-using-stdenv) function accepts various parameters for describing
 build inputs (see "Specifying dependencies"). The following are of special
 interest for Python packages, either because these are primarily used, or
@@ -293,23 +237,29 @@ the overrides for packages in the package set.
 ```nix
 with import <nixpkgs> { };

-let
-  python = pkgs.python3.override {
-    packageOverrides = self: super: {
-      pandas = super.pandas.overridePythonAttrs (
-        finalAttrs: prevAttrs: {
-          version = "0.19.1";
-          src = fetchPypi {
-            pname = "pandas";
-            inherit (finalAttrs) version;
-            hash = "sha256-JQn+rtpy/OA2deLszSKEuxyttqBzcAil50H+JDHUdCE=";
-          };
-        }
-      );
-    };
-  };
-in
-(python.withPackages (ps: [ ps.blaze ])).env
+(
+  let
+    python =
+      let
+        packageOverrides = self: super: {
+          pandas = super.pandas.overridePythonAttrs (old: rec {
+            version = "0.19.1";
+            src = fetchPypi {
+              pname = "pandas";
+              inherit version;
+              hash = "sha256-JQn+rtpy/OA2deLszSKEuxyttqBzcAil50H+JDHUdCE=";
+            };
+          });
+        };
+      in
+      pkgs.python3.override {
+        inherit packageOverrides;
+        self = python;
+      };
+
+  in
+  python.withPackages (ps: [ ps.blaze ])
+).env
 ```

 The next example shows a non trivial overriding of the `blas` implementation to
@@ -1093,57 +1043,57 @@ Our example, `toolz`, does not have any dependencies on other Python packages or
 Dependencies can belong to multiple arguments, for example if something is both a build time requirement & a runtime dependency.

 The following example shows which arguments are given to [`buildPythonPackage`](#buildpythonpackage-function) in
-order to build [`dirigera`](https://github.com/Leggin/dirigera).
+order to build [`datashape`](https://github.com/blaze/datashape).

 ```nix
 {
  lib,
  buildPythonPackage,
-  fetchFromGitHub,
-  pydantic,
-  pytestCheckHook,
-  requests,
+  fetchPypi,
+
+  # build dependencies
  setuptools,
-  websocket-client,
+
+  # dependencies
+  numpy,
+  multipledispatch,
+  python-dateutil,
+
+  # tests
+  pytestCheckHook,
 }:

 buildPythonPackage (finalAttrs: {
-  pname = "dirigera";
-  version = "1.2.6";
+  pname = "datashape";
+  version = "0.4.7";
  pyproject = true;

-  src = fetchFromGitHub {
-    owner = "Leggin";
-    repo = "dirigera";
-    tag = "v${finalAttrs.version}";
-    hash = "sha256-5pfzmaIkIEtxDtkhG1lOLSTjWahEDgQKLJKbAG5rBjE=";
+  src = fetchPypi {
+    inherit (finalAttrs) pname version;
+    hash = "sha256-FLLvdm1MllKrgTGC6Gb0k0deZeVYvtCCLji/B7uhong=";
  };

  build-system = [ setuptools ];

  dependencies = [
-    pydantic
-    requests
-    websocket-client
+    multipledispatch
+    numpy
+    python-dateutil
  ];

  nativeCheckInputs = [ pytestCheckHook ];

-  pythonImportsCheck = [ "dirigera" ];
-
  meta = {
-    description = "Module for controlling the IKEA Dirigera Smart Home Hub";
-    homepage = "https://github.com/Leggin/dirigera";
-    changelog = "https://github.com/Leggin/dirigera/releases/tag/${finalAttrs.src.tag}";
-    license = lib.licenses.mit;
-    maintainers = with lib.maintainers; [ fab ];
-    mainProgram = "generate-token";
+    changelog = "https://github.com/blaze/datashape/releases/tag/${finalAttrs.version}";
+    homepage = "https://github.com/ContinuumIO/datashape";
+    description = "Data description language";
+    license = lib.licenses.bsd2;
  };
 })
 ```

-We can see several runtime dependencies, `pydantic`, `requests`, and
-`websocket-client`. Furthermore, we have [`nativeCheckInputs`](#var-stdenv-nativeCheckInputs) with `pytestCheckHook`.
+We can see several runtime dependencies, `numpy`, `multipledispatch`, and
+`python-dateutil`. Furthermore, we have [`nativeCheckInputs`](#var-stdenv-nativeCheckInputs) with `pytestCheckHook`.
 `pytestCheckHook` is a test runner hook and is only used during the [`checkPhase`](#ssec-check-phase) and is
 therefore not added to `dependencies`.

--- a/doc/languages-frameworks/rust.section.md
+++ b/doc/languages-frameworks/rust.section.md
@@ -736,35 +736,6 @@ stdenv.mkDerivation (finalAttrs: {
 })
 ```

-### Compiling `wasm32-wasip1` package {#compiling-wasm32-wasip1-package}
-
-```nix
-pkgsCross.wasi32.callPackage (
-  {
-    fetchFromGitHub,
-    rustPlatform,
-    lld,
-  }:
-  rustPlatform.buildRustPackage (finalAttrs: {
-    pname = "zellij-harpoon";
-    version = "0.3.0";
-
-    src = fetchFromGitHub {
-      owner = "Nacho114";
-      repo = "harpoon";
-      tag = "v${finalAttrs.version}";
-      hash = "sha256-JmYcbzxIF6qZs2/RKuspHqNpyDibGp9CVQJj47y/BOQ=";
-    };
-
-    cargoHash = "sha256-lsv5Wssakni18jif++fPo3Z5WyBtvPsGpWwG3abR7jQ=";
-
-    # these two lines are currently required
-    env.RUSTFLAGS = "-C linker=wasm-ld";
-    nativeBuildInputs = [ lld ];
-  })
-) { }
-```
-
 ## `buildRustCrate`: Compiling Rust crates using Nix instead of Cargo {#compiling-rust-crates-using-nix-instead-of-cargo}

 ### Simple operation {#simple-operation}
@@ -871,47 +842,6 @@ general. A number of other parameters can be overridden:
  (hello { }).override { extraRustcOpts = "-Z debuginfo=2"; }
  ```

- Extra arguments passed to `rustc` when the crate is a proc-macro,
-  replacing `extraRustcOpts`. Useful to keep instrumentation flags
-  (sanitizers, coverage) off host dylibs. Defaults to `null`, which
-  inherits `extraRustcOpts`:
-
-  ```nix
-  (myProcMacro { }).override { extraRustcOptsForProcMacro = [ ]; }
-  ```
-
- The lint level cap passed to `rustc`. Defaults to `null`, which
-  auto-resolves to `"allow"` (silences all lints) when `lints` is
-  empty, or `"forbid"` (no cap) when `lints` is set. Because `rustc`
-  only honours the first `--cap-lints` it receives, this cannot be
-  changed via `extraRustcOpts`; use this attribute instead. Useful
-  when overriding the `rust` attribute to point at `clippy-driver`,
-  since clippy lints are also capped by this flag:
-
-  ```nix
-  (hello { }).override { capLints = "warn"; }
-  ```
-
- Lint configuration mirroring Cargo.toml's `[lints]` table. Keys are
-  tool names (`rust`, `clippy`, `rustdoc`); values map lint names to
-  either a level string (`"allow"`, `"warn"`, `"deny"`, `"forbid"`) or
-  `{ level = "..."; priority = <int>; }`. Lower priorities are emitted
-  first so that more specific lints can override them. Setting a
-  non-empty `lints` raises the default `capLints` to `"forbid"` so the
-  lints actually apply:
-
-  ```nix
-  (hello { }).override {
-    lints.rust = {
-      unsafe_code = "forbid";
-      unused = {
-        level = "deny";
-        priority = -1;
-      };
-    };
-  }
-  ```
-
 - Phases, just like in any other derivation, can be specified using
  the following attributes: `preUnpack`, `postUnpack`, `prePatch`,
  `patches`, `postPatch`, `preConfigure` (in the case of a Rust crate,
--- a/doc/languages-frameworks/tcl.section.md
+++ b/doc/languages-frameworks/tcl.section.md
@@ -13,20 +13,19 @@ Tcl packages are typically built with `tclPackages.mkTclDerivation`.
 Tcl dependencies go in `buildInputs`/`nativeBuildInputs`/... like other packages.
 For more complex package definitions, such as packages with mixed languages, use `tcl.tclPackageHook`.

-Where possible, make sure to enable stubs for maximum compatibility.
-If you are using `mkTclDerivation`, `--enable-stubs` will be automatically added to `configureFlags`.
+Where possible, make sure to enable stubs for maximum compatibility, usually with the `--enable-stubs` configure flag.

 Here is a simple package example to be called with `tclPackages.callPackage`.

 ```
 { lib, fetchzip, mkTclDerivation, openssl }:

-mkTclDerivation (finalAttrs: {
+mkTclDerivation rec {
  pname = "tcltls";
  version = "1.7.22";

  src = fetchzip {
-    url = "https://core.tcl-lang.org/tcltls/uv/tcltls-${finalAttrs.version}.tar.gz";
+    url = "https://core.tcl-lang.org/tcltls/uv/tcltls-${version}.tar.gz";
    hash = "sha256-TOouWcQc3MNyJtaAGUGbaQoaCWVe6g3BPERct/V65vk=";
  };

@@ -34,6 +33,7 @@ mkTclDerivation (finalAttrs: {

  configureFlags = [
    "--with-ssl-dir=${openssl.dev}"
+    "--enable-stubs"
  ];

  meta = {
@@ -43,7 +43,7 @@ mkTclDerivation (finalAttrs: {
    license = lib.licenses.tcltk;
    platforms = lib.platforms.unix;
  };
-})
+}
 ```

 All Tcl libraries are declared in `pkgs/top-level/tcl-packages.nix` and are defined in `pkgs/development/tcl-modules/`.
@@ -52,35 +52,3 @@ Its use is documented in `pkgs/development/tcl-modules/by-name/README.md`.

 All Tcl applications reside elsewhere.
 In case a package is used as both a library and an application (for example `expect`), it should be defined in `tcl-packages.nix`, with an alias elsewhere.
-
-### Using tclRequiresCheck {#using-tclrequirescheck}
-
-Although unit tests are highly preferred to validate correctness of a package, not
-all packages have test suites that can be run easily, and some have none at all.
-To help ensure the package still works, [`tclRequiresCheck`](#using-tclrequirescheck) can attempt to `package require`
-the listed modules.
-
-```nix
-{
-  tclRequiresCheck = [
-    "json"
-    "doctools"
-  ];
-}
-```
-
-roughly translates to:
-
-```nix
-{
-  preDist = ''
-    TCLLIBPATH="$out/lib $TCLLIBPATH"
-    tclsh <<<'exit [catch {package require json; package require doctools}]'
-  '';
-}
-```
-
-However, this is done in its own phase, and not dependent on whether [`doCheck = true;`](#var-stdenv-doCheck).
-
-This can also be useful in verifying that the package doesn't assume commonly
-present packages (e.g. `tcllib`).
--- a/doc/languages-frameworks/texlive.section.md
+++ b/doc/languages-frameworks/texlive.section.md
@@ -2,7 +2,9 @@

 There is a TeX Live packaging that lives entirely under attribute `texlive`.

-## User's guide {#sec-language-texlive-user-guide}
+## User's guide (experimental new interface) {#sec-language-texlive-user-guide-experimental}
+
+Release 23.11 ships with a new interface that will eventually replace `texlive.combine`.

 - For basic usage, use some of the prebuilt environments available at the top level, such as `texliveBasic`, `texliveSmall`. For the full list of prebuilt environments, inspect `texlive.schemes`.

@@ -22,7 +24,7 @@ There is a TeX Live packaging that lives entirely under attribute `texlive`.

 - `texlive.withPackages` uses the same logic as `buildEnv`. Only parts of a package are installed in an environment: its 'runtime' files (`tex` output), binaries (`out` output), and support files (`tlpkg` output). Moreover, man and info pages are assembled into separate `man` and `info` outputs. To add only the TeX files of a package, or its documentation (`texdoc` output), just specify the outputs:
  ```nix
-  texliveBasic.withPackages (
+  texlive.withPackages (
    ps: with ps; [
      texdoc # recommended package to navigate the documentation
      perlPackages.LaTeXML.tex # tex files of LaTeXML, omit binaries
@@ -32,19 +34,64 @@ There is a TeX Live packaging that lives entirely under attribute `texlive`.
  )
  ```

- To add the documentation for all packages in the environment, use
-  ```nix
-  texliveSmall.overrideAttrs { withDocs = true; }
-  ```
-  This can be applied before or after calling `withPackages`. The parameter `withSources` adds all source containers.
-
 - All packages distributed by TeX Live, which contains most of CTAN, are available and can be found under `texlive.pkgs`:
  ```ShellSession
  $ nix repl
  nix-repl> :l <nixpkgs>
  nix-repl> texlive.pkgs.[TAB]
  ```
-  These are derivations with outputs `out`, `tex`, `texdoc`, `texsource`, `tlpkg`, `man`, `info`. They cannot be installed outside of `texlive.withPackages` but are available for other uses. To repackage a font, for instance, use
+  Note that the packages in `texlive.pkgs` are only provided for search purposes and must not be used directly.
+
+- **Experimental and subject to change without notice:** to add the documentation for all packages in the environment, use
+  ```nix
+  texliveSmall.__overrideTeXConfig { withDocs = true; }
+  ```
+  This can be applied before or after calling `withPackages`.
+
+  The function currently supports the parameters `withDocs`, `withSources`, and `requireTeXPackages`.
+
+## User's guide {#sec-language-texlive-user-guide}
+
+- For basic usage just pull `texlive.combined.scheme-basic` for an environment with basic LaTeX support.
+
+- It typically won't work to use separately installed packages together. Instead, you can build a custom set of packages like this. Most CTAN packages should be available:
+
+  ```nix
+  texlive.combine {
+    inherit (texlive)
+      scheme-small
+      collection-langkorean
+      algorithms
+      cm-super
+      ;
+  }
+  ```
+
+- There are all the schemes, collections and a few thousand packages, as defined upstream (perhaps with tiny differences).
+
+- By default you only get executables and files needed during runtime, and a little documentation for the core packages. To change that, you need to add `pkgFilter` function to `combine`.
+
+  ```nix
+  texlive.combine {
+    # inherit (texlive) whatever-you-want;
+    pkgFilter =
+      pkg: pkg.tlType == "run" || pkg.tlType == "bin" || pkg.hasManpages || pkg.pname == "cm-super";
+    # elem tlType [ "run" "bin" "doc" "source" ]
+    # there are also other attributes: version, name
+  }
+  ```
+
+- You can list packages e.g. by `nix repl`.
+
+  ```ShellSession
+  $ nix repl
+  nix-repl> :l <nixpkgs>
+  nix-repl> texlive.collection-[TAB]
+  ```
+
+- Note that the wrapper assumes that the result has a chance to be useful. For example, the core executables should be present, as well as some core data files. The supported way of ensuring this is by including some scheme, for example, `scheme-basic`, into the combination.
+
+- TeX Live packages are also available under `texlive.pkgs` as derivations with outputs `out`, `tex`, `texdoc`, `texsource`, `tlpkg`, `man`, `info`. They cannot be installed outside of `texlive.combine` but are available for other uses. To repackage a font, for instance, use

  ```nix
  stdenvNoCC.mkDerivation (finalAttrs: {
@@ -65,9 +112,9 @@ There is a TeX Live packaging that lives entirely under attribute `texlive`.

 ## Custom packages {#sec-language-texlive-custom-packages}

-You may find that you need to use an external TeX package. A derivation for such package has to provide the contents of the "texmf" directory in its `"tex"` output, according to the [TeX Directory Structure](https://tug.ctan.org/tds/tds.html). Dependencies on other TeX packages can be listed in the attribute `passthru.tlDeps`, which is a function taking a package set and returning a list of packages.
+You may find that you need to use an external TeX package. A derivation for such package has to provide the contents of the "texmf" directory in its `"tex"` output, according to the [TeX Directory Structure](https://tug.ctan.org/tds/tds.html). Dependencies on other TeX packages can be listed in the attribute `tlDeps`.

-The function `texlive.withPackages` recognise the following outputs:
+The functions `texlive.combine` and `texlive.withPackages` recognise the following outputs:

 - `"out"`: contents are linked in the TeX Live environment, and binaries in the `$out/bin` folder are wrapped;
 - `"tex"`: linked in `$TEXMFDIST`; files should follow the TDS (for instance `$tex/tex/latex/foiltex/foiltex.cls`);
@@ -75,6 +122,8 @@ The function `texlive.withPackages` recognise the following outputs:
 - `"tlpkg"`: linked in `$TEXMFROOT/tlpkg`;
 - `"man"`, `"info"`, ...: the other outputs are combined into separate outputs.

+When using `pkgFilter`, `texlive.combine` will assign `tlType` respectively `"bin"`, `"run"`, `"doc"`, `"source"`, `"tlpkg"` to the above outputs.
+
 Here is a (very verbose) example. See also the packages `auctex`, `eukleides`, `mftrace` for more examples.

 ```nix
@@ -89,7 +138,7 @@ let
      "tex"
      "texdoc"
    ];
-    passthru.tlDeps = ps: [ ps.latex ];
+    passthru.tlDeps = with texlive; [ latex ];

    srcs = [
      (fetchurl {
@@ -120,14 +169,13 @@ let
          latexmk
        ]
      ))
+      # multiple-outputs.sh fails if $out is not defined
+      (writeShellScript "force-tex-output.sh" ''
+        out="''${tex-}"
+      '')
      writableTmpDirAsHomeHook # Need a writable $HOME for latexmk
    ];

-    # multiple-outputs.sh fails if $out is not defined
-    preHook = ''
-      out="''${tex-}"
-    '';
-
    dontConfigure = true;

    buildPhase = ''
--- a/doc/languages-frameworks/vim.section.md
+++ b/doc/languages-frameworks/vim.section.md
@@ -170,6 +170,8 @@ Sometimes plugins require an override that must be changed when the plugin is up

 To add a new plugin, run `nix-shell -p vimPluginsUpdater --run 'vim-plugins-updater add "[owner]/[name]"'`. **NOTE**: This script automatically commits to your git repository. Be sure to check out a fresh branch before running.

+Finally, there are some plugins that are also packaged in nodePackages because they have Javascript-related build steps, such as running webpack. Those plugins are not listed in `vim-plugin-names` or managed by `vimPluginsUpdater` at all, and are included separately in `overrides.nix`. Currently, all these plugins are related to the `coc.nvim` ecosystem of the Language Server Protocol integration with Vim/Neovim.
+
 ## Updating plugins in nixpkgs {#updating-plugins-in-nixpkgs}

 Run the update script with a GitHub API token that has at least `public_repo` access. Running the script without the token is likely to result in rate-limiting (429 errors). For steps on creating an API token, please refer to [GitHub's token documentation](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token).
--- a/doc/packages/darwin-builder.section.md
+++ b/doc/packages/darwin-builder.section.md
@@ -89,7 +89,7 @@ Note that if the builder is running and you have created the above ssh conf file
 {
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-22.11-darwin";
-    darwin.url = "github:nix-darwin/nix-darwin/master";
+    darwin.url = "github:lnl7/nix-darwin/master";
    darwin.inputs.nixpkgs.follows = "nixpkgs";
  };

--- a/doc/packages/linux.section.md
+++ b/doc/packages/linux.section.md
@@ -119,10 +119,11 @@ $ pkgs/os-specific/linux/kernel/update.sh
 The change gets submitted like this:

 * File a PR against `staging-nixos`.
-  * Add a `backport staging-nixos-XX.XX` label for an automated backport.
+  * Add a `backport release-XX.XX` label for an automated backport.
+    We don't expect many other changes on that branch to require a backport, hence there's no such branch for stable.
    By using an additional PR, we get the automatic backport against stable without manual cherry-picks.
-* Merge into `staging-nixos` or `staging-nixos-XX.XX`.
-* File as PR from `staging-nixos` against `master` or `staging-nixos-XX.XX` against `release-xx.xx`.
+* Merge into `staging-nixos`.
+* File as PR from `staging-nixos` against `master`.
 * When all status checks are green, merge.

 ### Add a new (major) version of the Linux kernel {#sec-linux-add-new-kernel-version}
@@ -148,6 +149,15 @@ The change gets submitted like this:
    ```
  * Update `linux_latest` to the new attribute.
 * __SQUASH__ the changes into the `linux: init at …` commit.
+* If a new hardened is available:
+  * Instantiate a `linux_X_Y_hardened = hardenedKernelsFor kernels.linux_X_Y { };` in `kernels` and
+    `linux_X_Y_hardened = hardenedKernelFor kernels.linux_X_Y { };` in the `packages`-section.
+  * Make sure to remove the hardened variant of the previous kernel version unless it's LTS.
+    We only support the latest and latest LTS version of hardened.
+* If no new hardened kernel is available:
+  * Keep the previously latest kernel until its mainline counterpart gets removed.
+    After that `linux_hardened` points to the latest LTS supported by hardened.
+* __SQUASH__ the changes into the `linux_X_Y_hardened: init at …` commit.

 ### Policy for accepting new kernel flavours {#sec-linux-new-kernels}

--- a/doc/redirects.json
+++ b/doc/redirects.json
@@ -20,9 +20,6 @@
  "cmake-ctest-variables": [
    "index.html#cmake-ctest-variables"
  ],
-  "compiling-wasm32-wasip1-package": [
-    "index.html#compiling-wasm32-wasip1-package"
-  ],
  "coq-withPackages": [
    "index.html#coq-withPackages"
  ],
@@ -122,9 +119,6 @@
  "ex-testEqualArrayOrMap-test-function-add-cowbell": [
    "index.html#ex-testEqualArrayOrMap-test-function-add-cowbell"
  ],
-  "ex-writeShellApplication": [
-    "index.html#ex-writeShellApplication"
-  ],
  "friction-graphics": [
    "index.html#friction-graphics"
  ],
@@ -137,20 +131,11 @@
  "inkscape-plugins": [
    "index.html#inkscape-plugins"
  ],
-  "installfonts": [
-    "index.html#installfonts"
+  "libcxxhardeningextensive": [
+    "index.html#libcxxhardeningextensive"
  ],
-  "installfonts-installfont": [
-    "index.html#installfonts-installfont"
-  ],
-  "installfonts-installfont-exampleusage": [
-    "index.html#installfonts-installfont-exampleusage"
-  ],
-  "javascript-buildNpmPackage-npmFlags": [
-    "index.html#javascript-buildNpmPackage-npmFlags"
-  ],
-  "javascript-buildNpmPackage-npmWorkspace": [
-    "index.html#javascript-buildNpmPackage-npmWorkspace"
+  "libcxxhardeningfast": [
+    "index.html#libcxxhardeningfast"
  ],
  "julec-hook": [
    "index.html#julec-hook"
@@ -188,12 +173,6 @@
  "julec-hook-variables": [
    "index.html#julec-hook-variables"
  ],
-  "libcxxhardeningextensive": [
-    "index.html#libcxxhardeningextensive"
-  ],
-  "libcxxhardeningfast": [
-    "index.html#libcxxhardeningfast"
-  ],
  "major-ghc-deprecation": [
    "index.html#major-ghc-deprecation"
  ],
@@ -224,108 +203,9 @@
  "no-broken-symlinks.sh": [
    "index.html#no-broken-symlinks.sh"
  ],
-  "nodejs-install-executables": [
-    "index.html#nodejs-install-executables"
-  ],
-  "nodejs-install-executables-example": [
-    "index.html#nodejs-install-executables-example"
-  ],
-  "nodejs-install-executables-exclusive-variables": [
-    "index.html#nodejs-install-executables-exclusive-variables"
-  ],
-  "nodejs-install-executables-variables": [
-    "index.html#nodejs-install-executables-variables"
-  ],
-  "nodejs-install-executables-wrapper-args": [
-    "index.html#nodejs-install-executables-wrapper-args"
-  ],
-  "nodejs-install-manuals": [
-    "index.html#nodejs-install-manuals"
-  ],
-  "nodejs-install-manuals-example": [
-    "index.html#nodejs-install-manuals-example"
-  ],
  "nostrictaliasing": [
    "index.html#nostrictaliasing"
  ],
-  "npm-build-hook": [
-    "index.html#npm-build-hook"
-  ],
-  "npm-build-hook-dont": [
-    "index.html#npm-build-hook-dont"
-  ],
-  "npm-build-hook-example-snippet": [
-    "index.html#npm-build-hook-example-snippet"
-  ],
-  "npm-build-hook-exclusive-variables": [
-    "index.html#npm-build-hook-exclusive-variables"
-  ],
-  "npm-build-hook-flags": [
-    "index.html#npm-build-hook-flags"
-  ],
-  "npm-build-hook-honored-variables": [
-    "index.html#npm-build-hook-honored-variables"
-  ],
-  "npm-build-hook-script": [
-    "index.html#npm-build-hook-script"
-  ],
-  "npm-build-hook-snippet": [
-    "index.html#npm-build-hook-snippet"
-  ],
-  "npm-build-hook-variables": [
-    "index.html#npm-build-hook-variables"
-  ],
-  "npm-config-hook": [
-    "index.html#npm-config-hook"
-  ],
-  "npm-config-hook-deps": [
-    "index.html#npm-config-hook-deps"
-  ],
-  "npm-config-hook-exclusive-variables": [
-    "index.html#npm-config-hook-exclusive-variables"
-  ],
-  "npm-config-hook-honored-variables": [
-    "index.html#npm-config-hook-honored-variables"
-  ],
-  "npm-config-hook-install-flags": [
-    "index.html#npm-config-hook-install-flags"
-  ],
-  "npm-config-hook-rebuild-flags": [
-    "index.html#npm-config-hook-rebuild-flags"
-  ],
-  "npm-config-hook-snippet": [
-    "index.html#npm-config-hook-snippet"
-  ],
-  "npm-config-hook-variables": [
-    "index.html#npm-config-hook-variables"
-  ],
-  "npm-config-hook-writable-cache": [
-    "index.html#npm-config-hook-writable-cache"
-  ],
-  "npm-install-hook": [
-    "index.html#npm-install-hook"
-  ],
-  "npm-install-hook-dont": [
-    "index.html#npm-install-hook-dont"
-  ],
-  "npm-install-hook-dont-prune": [
-    "index.html#npm-install-hook-dont-prune"
-  ],
-  "npm-install-hook-exclusive-variables": [
-    "index.html#npm-install-hook-exclusive-variables"
-  ],
-  "npm-install-hook-honored-variables": [
-    "index.html#npm-install-hook-honored-variables"
-  ],
-  "npm-install-hook-prune-flags": [
-    "index.html#npm-install-hook-prune-flags"
-  ],
-  "npm-install-hook-snippet": [
-    "index.html#npm-install-hook-snippet"
-  ],
-  "npm-install-hook-variables": [
-    "index.html#npm-install-hook-variables"
-  ],
  "pkgs-replacevars": [
    "index.html#pkgs-replacevars",
    "index.html#pkgs-substituteall",
@@ -379,9 +259,6 @@
  "sec-build-helper-extendMkDerivation": [
    "index.html#sec-build-helper-extendMkDerivation"
  ],
-  "sec-buildEnv-exceptions": [
-    "index.html#sec-buildEnv-exceptions"
-  ],
  "sec-building-packages-with-llvm": [
    "index.html#sec-building-packages-with-llvm"
  ],
@@ -412,9 +289,6 @@
  "sec-meta-identifiers-cpe": [
    "index.html#sec-meta-identifiers-cpe"
  ],
-  "sec-meta-identifiers-purl": [
-    "index.html#sec-meta-identifiers-purl"
-  ],
  "sec-modify-via-packageOverrides": [
    "index.html#sec-modify-via-packageOverrides"
  ],
@@ -436,30 +310,6 @@
  "chap-overlays": [
    "index.html#chap-overlays"
  ],
-  "sec-nixpkgs-release-26.11": [
-    "release-notes.html#sec-nixpkgs-release-26.11"
-  ],
-  "sec-nixpkgs-release-26.11-highlights": [
-    "release-notes.html#sec-nixpkgs-release-26.11-highlights"
-  ],
-  "sec-nixpkgs-release-26.11-incompatibilities": [
-    "release-notes.html#sec-nixpkgs-release-26.11-incompatibilities"
-  ],
-  "sec-nixpkgs-release-26.11-lib": [
-    "release-notes.html#sec-nixpkgs-release-26.11-lib"
-  ],
-  "sec-nixpkgs-release-26.11-lib-breaking": [
-    "release-notes.html#sec-nixpkgs-release-26.11-lib-breaking"
-  ],
-  "sec-nixpkgs-release-26.11-lib-deprecations": [
-    "release-notes.html#sec-nixpkgs-release-26.11-lib-deprecations"
-  ],
-  "sec-nixpkgs-release-26.11-lib-additions-improvements": [
-    "release-notes.html#sec-nixpkgs-release-26.11-lib-additions-improvements"
-  ],
-  "sec-nixpkgs-release-26.11-notable-changes": [
-    "release-notes.html#sec-nixpkgs-release-26.11-notable-changes"
-  ],
  "sec-nixpkgs-release-26.05": [
    "release-notes.html#sec-nixpkgs-release-26.05"
  ],
@@ -472,16 +322,7 @@
    "index.html#katamari-tarballs",
    "index.html#individual-tarballs",
    "index.html#generating-nix-expressions",
-    "index.html#overriding-the-generator",
-    "index.html#javascript-node2nix",
-    "index.html#javascript-node2nix-preparation",
-    "index.html#javascript-node2nix-pitfalls",
-    "index.html#javascript-yarn2nix-mkYarnPackage",
-    "index.html#javascript-yarn2nix",
-    "index.html#javascript-yarn2nix-preparation",
-    "index.html#javascript-yarn2nix-mkYarnModules",
-    "index.html#javascript-mkYarnPackage-overriding-dependencies",
-    "index.html#javascript-yarn2nix-pitfalls"
+    "index.html#overriding-the-generator"
  ],
  "sec-nixpkgs-release-26.05-lib": [
    "release-notes.html#sec-nixpkgs-release-26.05-lib"
@@ -806,12 +647,6 @@
  "sec-treefmt-options-reference": [
    "index.html#sec-treefmt-options-reference"
  ],
-  "ssec-buildEnv-collisions": [
-    "index.html#ssec-buildEnv-collisions"
-  ],
-  "ssec-buildEnv-singleFileOutputs": [
-    "index.html#ssec-buildEnv-singleFileOutputs"
-  ],
  "ssec-cosmic-common-issues": [
    "index.html#ssec-cosmic-common-issues"
  ],
@@ -860,9 +695,6 @@
  "footnote-stdenv-find-inputs-location.__back.0": [
    "index.html#footnote-stdenv-find-inputs-location.__back.0"
  ],
-  "sssec-testing-octave-packages": [
-    "index.html#sssec-testing-octave-packages"
-  ],
  "strictflexarrays1": [
    "index.html#strictflexarrays1"
  ],
@@ -920,15 +752,9 @@
  "typst-package-scope-and-usage": [
    "index.html#typst-package-scope-and-usage"
  ],
-  "using-tclrequirescheck": [
-    "index.html#using-tclrequirescheck"
-  ],
  "var-go-buildTestBinaries": [
    "index.html#var-go-buildTestBinaries"
  ],
-  "var-meta-donationPage": [
-    "index.html#var-meta-donationPage"
-  ],
  "var-meta-identifiers-cpe": [
    "index.html#var-meta-identifiers-cpe"
  ],
@@ -938,15 +764,6 @@
  "var-meta-identifiers-possibleCPEs": [
    "index.html#var-meta-identifiers-possibleCPEs"
  ],
-  "var-meta-identifiers-purl": [
-    "index.html#var-meta-identifiers-purl"
-  ],
-  "var-meta-identifiers-purlParts": [
-    "index.html#var-meta-identifiers-purlParts"
-  ],
-  "var-meta-identifiers-purls": [
-    "index.html#var-meta-identifiers-purls"
-  ],
  "var-meta-teams": [
    "index.html#var-meta-teams"
  ],
@@ -1010,9 +827,6 @@
  "var-stdenv-enableParallelBuilding": [
    "index.html#var-stdenv-enableParallelBuilding"
  ],
-  "var-stdenv-__structuredAttrs": [
-    "index.html#var-stdenv-__structuredAttrs"
-  ],
  "mkderivation-recursive-attributes": [
    "index.html#mkderivation-recursive-attributes"
  ],
@@ -1055,9 +869,6 @@
  "tar-files": [
    "index.html#tar-files"
  ],
-  "writableTmpDirAsHomeHook": [
-    "index.html#writableTmpDirAsHomeHook"
-  ],
  "x86_64-darwin-26.05": [
    "release-notes.html#x86_64-darwin-26.05"
  ],
@@ -1644,9 +1455,6 @@
  "lib.sourceTypes.binaryBytecode": [
    "index.html#lib.sourceTypes.binaryBytecode"
  ],
-  "lib.sourceTypes.obfuscatedCode": [
-    "index.html#lib.sourceTypes.obfuscatedCode"
-  ],
  "chap-passthru": [
    "index.html#chap-passthru"
  ],
@@ -1800,9 +1608,6 @@
  "ssec-cross-cookbook": [
    "index.html#ssec-cross-cookbook"
  ],
-  "cross-qa-emulation": [
-    "index.html#cross-qa-emulation"
-  ],
  "cross-qa-fails-to-find-binutils": [
    "index.html#cross-qa-fails-to-find-binutils"
  ],
@@ -2245,12 +2050,6 @@
  "chap-special": [
    "index.html#chap-special"
  ],
-  "sec-buildEnv": [
-    "index.html#sec-buildEnv"
-  ],
-  "sec-buildEnv-arguments": [
-    "index.html#sec-buildEnv-arguments"
-  ],
  "sec-fakeNss": [
    "index.html#sec-fakeNss"
  ],
@@ -3091,28 +2890,19 @@
  "available-versions-and-deprecations-schedule": [
    "index.html#available-versions-and-deprecations-schedule"
  ],
-  "erlang": [
-    "index.html#erlang"
-  ],
  "elixir": [
    "index.html#elixir"
  ],
  "beam-structure": [
    "index.html#beam-structure"
  ],
-  "beam-build-tools": [
-    "index.html#beam-build-tools",
+  "build-tools": [
    "index.html#build-tools"
  ],
-  "beam-build-tools-rebar3": [
-    "index.html#beam-build-tools-rebar3",
+  "build-tools-rebar3": [
    "index.html#build-tools-rebar3"
  ],
-  "beam-build-tools-erlangmk": [
-    "index.html#beam-build-tools-erlangmk"
-  ],
-  "beam-build-tools-mix": [
-    "index.html#beam-build-tools-mix",
+  "build-tools-other": [
    "index.html#build-tools-other"
  ],
  "how-to-install-beam-packages": [
@@ -3130,9 +2920,6 @@
  "packaging-erlang-applications": [
    "index.html#packaging-erlang-applications"
  ],
-  "packaging-elixir-applications": [
-    "index.html#packaging-elixir-applications"
-  ],
  "rebar3-packages": [
    "index.html#rebar3-packages"
  ],
@@ -3678,9 +3465,6 @@
  "sec-language-java": [
    "index.html#sec-language-java"
  ],
-  "sec-language-lean4": [
-    "index.html#sec-language-lean4"
-  ],
  "language-javascript": [
    "index.html#language-javascript"
  ],
@@ -3747,6 +3531,15 @@
  "javascript-corepack": [
    "index.html#javascript-corepack"
  ],
+  "javascript-node2nix": [
+    "index.html#javascript-node2nix"
+  ],
+  "javascript-node2nix-preparation": [
+    "index.html#javascript-node2nix-preparation"
+  ],
+  "javascript-node2nix-pitfalls": [
+    "index.html#javascript-node2nix-pitfalls"
+  ],
  "javascript-pnpm": [
    "index.html#javascript-pnpm"
  ],
@@ -3783,6 +3576,24 @@
  "javascript-yarninstallhook": [
    "index.html#javascript-yarninstallhook"
  ],
+  "javascript-yarn2nix": [
+    "index.html#javascript-yarn2nix"
+  ],
+  "javascript-yarn2nix-preparation": [
+    "index.html#javascript-yarn2nix-preparation"
+  ],
+  "javascript-yarn2nix-mkYarnPackage": [
+    "index.html#javascript-yarn2nix-mkYarnPackage"
+  ],
+  "javascript-yarn2nix-mkYarnModules": [
+    "index.html#javascript-yarn2nix-mkYarnModules"
+  ],
+  "javascript-mkYarnPackage-overriding-dependencies": [
+    "index.html#javascript-mkYarnPackage-overriding-dependencies"
+  ],
+  "javascript-yarn2nix-pitfalls": [
+    "index.html#javascript-yarn2nix-pitfalls"
+  ],
  "javascript-yarnBerry-missing-hashes": [
    "index.html#javascript-yarnBerry-missing-hashes"
  ],
@@ -3822,18 +3633,6 @@
  "julia-withpackage-arguments": [
    "index.html#julia-withpackage-arguments"
  ],
-  "lean4-buildLakePackage": [
-    "index.html#lean4-buildLakePackage"
-  ],
-  "lean4-dev-shells": [
-    "index.html#lean4-dev-shells"
-  ],
-  "lean4-history": [
-    "index.html#lean4-history"
-  ],
-  "lean4-leanPackages": [
-    "index.html#lean4-leanPackages"
-  ],
  "lisp": [
    "index.html#lisp"
  ],
@@ -4116,9 +3915,6 @@
  "buildpythonpackage-parameters": [
    "index.html#buildpythonpackage-parameters"
  ],
-  "buildpythonpackage-fixed-point-arguments": [
-    "index.html#buildpythonpackage-fixed-point-arguments"
-  ],
  "overriding-python-build-helpers": [
    "index.html#overriding-python-build-helpers"
  ],
@@ -4482,10 +4278,12 @@
  "sec-language-texlive": [
    "index.html#sec-language-texlive"
  ],
-  "sec-language-texlive-user-guide": [
-    "index.html#sec-language-texlive-user-guide",
+  "sec-language-texlive-user-guide-experimental": [
    "index.html#sec-language-texlive-user-guide-experimental"
  ],
+  "sec-language-texlive-user-guide": [
+    "index.html#sec-language-texlive-user-guide"
+  ],
  "sec-language-texlive-custom-packages": [
    "index.html#sec-language-texlive-custom-packages"
  ],
@@ -4541,9 +4339,6 @@
    "index.html#neovim-plugin-required-snippet",
    "index.html#vim-plugin-required-snippet"
  ],
-  "neovim-plugin-license-overrides": [
-    "index.html#neovim-plugin-license-overrides"
-  ],
  "updating-plugins-in-nixpkgs": [
    "index.html#updating-plugins-in-nixpkgs"
  ],
--- a/doc/release-notes/release-notes.md
+++ b/doc/release-notes/release-notes.md
@@ -3,7 +3,6 @@
 This section lists the release notes for each stable version of Nixpkgs and the current unstable revision.

 ```{=include=} sections
-rl-2611.section.md
 rl-2605.section.md
 rl-2511.section.md
 rl-2505.section.md
--- a/doc/release-notes/rl-2511.section.md
+++ b/doc/release-notes/rl-2511.section.md
@@ -44,7 +44,7 @@

 - `base16-builder` node package has been removed due to lack of upstream maintenance.

- `budgie-desktop` has been updated to [10.9.4](https://github.com/BuddiesOfBudgie/budgie-desktop/releases/tag/v10.9.4). This changes `XDG_CURRENT_DESKTOP` from `Budgie:GNOME` to `Budgie` and contains ABI bumps for libpeas2 migration.
+- `budgie-desktop` has been updated [10.9.4](https://github.com/BuddiesOfBudgie/budgie-desktop/releases/tag/v10.9.4). This changes `XDG_CURRENT_DESKTOP` from `Budgie:GNOME` to `Budgie` and contains ABI bumps for libpeas2 migration.

 - `buildGoModule` removes the compatibility layer of `CGO_ENABLED` not specified via `env`.
  Specifying `CGO_ENABLED` directly now results in an error.
@@ -53,7 +53,7 @@

 - `cardboard` has been removed due to the package having been broken since at least November 2024.

- `carla` no longer supports `gtk2` override.
+- `carla` no longer support `gtk2` override.

 - `chatgpt-retrieval-plugin` has been removed due to the package having been broken since at least November 2024.

@@ -135,7 +135,7 @@

 - `linux` and all other Linux kernel packages have moved all in-tree kernel modules into a new `modules` output.

- `lxde` scope has been removed, and its packages have been moved to the top-level.
+- `lxde` scope has been removed, and its packages have been moved the top-level.

 - `mariadb` now defaults to `mariadb_114` instead of `mariadb_1011`, meaning the default version was upgraded from 10.11.x to 11.4.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-4/) for potential issues.

@@ -183,7 +183,7 @@
 - `pcp` has been removed because the upstream repo was archived and it hasn't been updated since 2021.

 - `podofo` has been updated from `0.9.8` to `1.0.0`. These releases are by nature very incompatible due to major API changes. The legacy versions can be found under `podofo_0_10` and `podofo_0_9`.
-  Changelog: <https://github.com/podofo/podofo/blob/1.0.0/CHANGELOG.md>, API-Migration-Guide: <https://github.com/podofo/podofo/blob/1.0.0/API-MIGRATION.md>.
+  Changelog: https://github.com/podofo/podofo/blob/1.0.0/CHANGELOG.md, API-Migration-Guide: https://github.com/podofo/podofo/blob/1.0.0/API-MIGRATION.md.

 - `privatebin` has been updated to `2.0.0`. This release changes configuration defaults including switching the template and removing legacy features. See the [v2.0.0 changelog entry](https://github.com/PrivateBin/PrivateBin/releases/tag/2.0.0) for details on how to upgrade.

@@ -246,7 +246,7 @@

 - `sublime-music` has been removed because upstream has announced it is no longer maintained. Upstream suggests using `supersonic` instead.

- Support for bootstrapping native GHC compilers on 32‐bit ARM and little‐endian 64-bit PowerPC has been dropped.
+- Support for bootstrapping native GHC compilers on 32‐bit ARM and little‐endian 64‐bit PowerPC has been dropped.
  The latter was probably broken anyway.
  If there is interest in restoring support for these architectures, it should be possible to cross‐compile a bootstrap GHC binary.

@@ -324,13 +324,6 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- `buildEnv` now takes fixed-point arguments (`finalAttrs: { }`).
-  The custom overrider `<env-pkg>.override` is deprecated but kept in this release. It will be removed in future releases after tree-wide transition.
-  The argument `paths` is passed as `passthru.paths` to avoid bringing in unexpected context.
-
- `buildEnv` now takes `derivationArgs` for additional arguments to pass to `stdenv.mkDerivation`.
-  A compatibility layer is added for directly-specified arguments `nativeBuildInputs` and `buildInputs`.
-
 - Added `rewriteURL` attribute to the nixpkgs `config`, to allow for rewriting the URLs downloaded by `fetchurl`.

 - Added `hashedMirrors` attribute to the nixpkgs `config`, to allow for customization of the hashed mirrors used by `fetchurl`.
@@ -355,11 +348,11 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

 - `fetchgit` now accepts a `rootDir` argument to limit the resulting source to one subdirectory of the whole Git repository. Corresponding `--root-dir` option added to `nix-prefetch-git`.

- `fetchNpmDeps` now accepts a `npmRegistryOverridesString` argument to pass npm registry overrides to the fetcher.
+- `fetchNpmDeps` now accepts a `npmRegistryOverridesString` argument to pass NPM registry overrides to the fetcher.

 - `ffmpeg_8`, `ffmpeg_8-headless`, and `ffmpeg_8-full` have been added. The default version of FFmpeg is now `ffmpeg_8`. You can install previous versions from package attributes such as `ffmpeg_7`.

- `forgejo-runner` has been upgraded to version 11, which brings a license change from MIT to GPLv3-or-later.
+- `forgejo-runner` upgrading to version 11 brings a license change from MIT to GPLv3-or-later.

 - GIMP now defaults to version 3. Use `gimp2` for the old version.

@@ -405,6 +398,8 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

 - `prl-tools` has been moved out of `linuxPackages` because Parallels Guest Tools become driverless since 26.1.0.

+- `searx` was updated to use `envsubst` instead of `sed` for parsing secrets from environment variables.
+
 - `sftpman` has been updated to version 2, a rewrite in Rust which is mostly backward compatible but does include some changes to the CLI.
  For more information, [check the project's README](https://github.com/spantaleev/sftpman-rs#is-sftpman-v2-compatible-with-sftpman-v1).

@@ -429,7 +424,7 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

 - The `dockerTools.streamLayeredImage` builder now uses a better algorithm for generating layered docker images, such that much more sharing is possible when the number of store paths exceeds the layer limit. It gives each of the largest store paths its own layer and adds dependencies to those layers when they aren't used elsewhere.

- The `open-webui` package's postgres support has been moved to optional dependencies to comply with upstream changes in 0.6.26.
+- The `open-webui` package's postgres support have been moved to optional dependencies to comply with upstream changes in 0.6.26.

 - The systemd initrd will now respect `x-systemd.wants` and `x-systemd.requires` for reliably unlocking multi-disk bcachefs volumes.

@@ -438,8 +433,6 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).
 - Packages using `versionCheckHook` that previously relied solely on `pname` to locate the program used to version check, but have a differing `meta.mainProgram` entry, might now fail.

 - `waydroid-nftables` is a new variant of `waydroid` that supports nftables instead of iptables.
-
- `searx` was updated to use `envsubst` instead of `sed` for parsing secrets from environment variables.
  If your previous configuration included a secret reference like `server.secret_key = "@SEARX_SECRET_KEY@"`, you must migrate to the new envsubst syntax: `server.secret_key = "$SEARX_SECRET_KEY"`.

 ## Nixpkgs Library {#sec-nixpkgs-release-25.11-lib}
@@ -470,7 +463,7 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

 - `lib.sources.pathType`, `lib.sources.pathIsDirectory` and `lib.sources.pathIsRegularFile` have been replaced by `lib.filesystem.pathType`, `lib.filesystem.pathIsDirectory` and `lib.filesystem.pathIsRegularFile` respectively.

- `lib.strings.isCoercibleToString` has been replaced in favor of either `lib.strings.isStringLike` or `lib.strings.isConvertibleWithToString`. Only use the latter if it needs to return true for null, numbers, booleans, or a list of those.
+- `lib.strings.isCoercibleToString` has been in favor of either `lib.strings.isStringLike` or `lib.strings.isConvertibleWithToString`. Only use the latter if it needs to return true for null, numbers, booleans, or a list of those.

 - `lib.types.string` has been removed. See [this pull request](https://github.com/NixOS/nixpkgs/pull/66346) for better alternative types like `lib.types.str`.

--- a/doc/release-notes/rl-2605.section.md
+++ b/doc/release-notes/rl-2605.section.md
@@ -74,27 +74,15 @@

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- The `nodePackages` package set has been removed entirely from nixpkgs. This package set was created to ease the maintenance burden of maintaining lots of
-  NodeJS-based packages within nixpkgs, but became a burden itself. Over the past several releases, there has been a focus on removing it in favor of the more modern nixpkgs packaging strategies.
-  After a long time, this package set has been deprecated and removed. If you are using its package set in your own config, please use the top-level packages instead.(i.e `pkgs.package-name` instead of `pkgs.nodePackages.package-name`).
-
- Note that the above `nodePackages` removal also coincides with the removal of `node2nix` and its tooling, which have been deprecated for a long time.
-
- `buildEnv`-constructed packages now take only [structured attributes (`{ __structuredAttrs = true; }`)](https://nix.dev/manual/nix/2.18/language/advanced-attributes.html#adv-attr-structuredAttrs).
-
 - `xfce.mkXfceDerivation` has been deprecated (i.e. conditioned behind `nixpkgs.config.allowAliases`)
  and will be removed in NixOS 26.11, please use `stdenv.mkDerivation` directly. You can migrate by
  adding `pkg-config`, `xfce4-dev-tools`, and `wrapGAppsHook3` to your `nativeBuildInputs` and
  `--enable-maintainer-mode` to your `configureFlags`.

- `yarn2nix`/`yarn2nix-moretea` and its tooling(`mkYarnPackage`, `mkYarnModules`, and `fixup_yarn_lock`) have been removed as they were unmaintainable in nixpkgs. If you want to build with Yarn V1 going forward, use the hooks instead(`yarnBuildHook`, `yarnConfigHook`, and `yarnInstallHook`). See the yarn v1 documentation in the nixpkgs manual for more details.
-
- `albert` has been updated to version 34.0.5. This release redesigns the query system to support stateful asynchronous handlers and infinite scrolling, and adds internationalized tokenization.
+- `albert` has been updated to the version 34.0.5. This release redesigns the query system to support stateful asynchronous handlers and infinite scrolling, and adds internationalized tokenization.
  This update introduces several breaking changes: the Python plugin interface is now v5.0, the `PATH` plugin has been renamed to `Commandline`, and the QStylesheets-based widgets box model frontend has been removed.
  For more information read the [changelog for 34.0.0](https://albertlauncher.github.io/2026/01/19/albert-v34.0.0-released/).

- `asciinema_3` is now renamed to `asciinema` and the old `asciinema` version 2.x.x written in python was removed.
-
 - `sing-box` has been updated to 1.13.0, which has removed some deprecated options.  See [upstream documentation](https://sing-box.sagernet.org/configuration/) for details and migration options.

 - `cargo-codspeed` has been updated from `3.0.5` to `4.2.0`. Version `4.0.0` includes breaking changes. For more information read the [changelog for 4.0.0](https://github.com/CodSpeedHQ/codspeed-rust/releases/tag/v4.0.0).
@@ -103,20 +91,16 @@

 - `corepack_latest` has been removed, as Corepack is no longer distributed with Node.js.

- `spoof` has been removed, as there are many issues upstream with it working on modern OS versions, and it appears to be unmaintained.
+- `nodePackages.browser-sync` has been removed, as it was unmaintained within nixpkgs.

- `duckstation` package has been removed, as it was requested by upstream and build sources were changed to be incompatible with NixOS.
+- `spoof` has been removed, as there are many issues upstream with it working on modern OS versions, and it appears to be unmaintained.

 - `nodePackages.coc-go` and `nodePackages.coc-tsserver`, along with their vim plugins, have been removed from nixpkgs due to being unmaintained.

 - `nodePackages.wavedrom-cli` has been removed, as it was unmaintained within nixpkgs.

- `requireFile` now treats any `message` or `url` argument as a literal string, rather than subjecting it to Bash here-doc expansion.  This allows including strings like `$PWD` in the message without needing to know about and handle the undocumented Bash expansion.
-
 - `nodePackages.browserify` has been removed, as it was unmaintained within nixpkgs.

- `command-not-found` package will be enabled by default if the source of nixpkgs contains the file `programs.sqlite`. This is the case if a nixpkgs tarball from <https://channels.nixos.org> is used. This usage will also make the database of `command-not-found` stateless.
-
 - `nodePackages.sass` has been removed, as it was unmaintained within nixpkgs.

 - All `@tailwindcss` packages in the `nodePackages` set have been removed, as they are libraries that should instead be locked by JS projects that utilize them.
@@ -128,50 +112,23 @@

 - Reloading or restarting systemd units from the NixOS activation script is deprecated, and will be removed in NixOS 26.11. This deprecation is part of a bigger effort to deprecate activation scripts altogether, which will take place over several releases. There are no in-tree usages of the now-deprecated reload/restart functionality.

- Keycloak has been updated to 26.6.X, bringing a lot of new features like federated client authentication, JWT authorization grants, workflows and the ability to do
-  zero-downtime patch releases. Read more about [all the exciting new capabilities in keycloak 26.6 here](https://github.com/keycloak/keycloak/releases/tag/26.6.0)
-  and [consult the migration guide to 26.6](https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-26-6-0) to find out whether this is a breaking
-  change for your keycloak instance.
-
 - `elegant-sddm` has been updated to be Qt6 compatible. Themes for SDDM are slightly different so read the [wiki](https://wiki.nixos.org/wiki/SDDM_Themes) for more.

- `forgejo-lts` has been updated to major version 15. For more information, see the [release blog post](https://forgejo.org/2026-04-release-v15-0/) and [full release notes](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/15.0.0.md)
+- `forgejo` has been updated to major version 14. For more information, see the [release blog post](https://forgejo.org/2026-01-release-v14-0/) and [full release notes](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/14.0.0.md)

 - `pulsar` has finally migrated from electron v12 to v30, backup `~/.pulsar` before upgrading. See [Pulsar on Electron 30: what it means for you](https://blog.pulsar-edit.dev/posts/20251202-savetheclocktower-pulsar-on-electron-30/).

- `mactracker` has been updated to major version 8, which now [requires macOS 11 Big Sur or later](https://mactracker.ca/releasenotes-mac.html#:~:text=System%20requirements%20updated%20to%20macOS%2011%20Big%20Sur%20and%20later). The previous version supported Mac OS X 10.6.8 or later.
-
- `net-news-wire` has been updated from 6.x to 7.x, which now requires macOS 15 (Sequoia) or newer. The previous version supported macOS 13 and newer.
-
 - `bartender` has been updated to major version 6. This removes support for MacOS Sonoma (and adds support for Tahoe). For more information, see [the release notes](https://www.macbartender.com/Bartender6/release_notes/) or [the Bartender 6 support page](https://www.macbartender.com/Bartender6/support/).

 - `lima` has been updated from `1.x` to `2.x`. This major update includes several breaking changes, such as `/tmp/lima` no longer being mounted by default.

- Varnish Cache has been updated to major version 8, `varnish` now refers to `varnish80`. That release contains breaking changes, see [Upgrading to Varnish-Cache 8.0](https://vinyl-cache.org/docs/8.0/whats-new/upgrading-8.0.html).
-  Note that the Varnish 6 LTS release remains available as `varnish60`.
-  The Varnish Cache open-source project renamed itself to Vinyl Cache. Please migrate to `vinyl-cache`. See the `vinyl-cache` release notes entry for more information.
-  Varnish 8 is not supported for the entire NixOS 26.05 release cycle.
+- `eslint` has been updated from version 9 to version 10. Please see https://eslint.org/blog/2026/02/eslint-v10.0.0-released/ for details about the breaking changes included in the update.

- Vinyl Cache has been introduced with the major version 9 as the Varnish Cache open source project renamed itself to Vinyl Cache. Please migrate to Vinyl Cache 9 when you still use Varnish Cache.
-  A new module has also been introduced for this migration: `services.vinyl-cache`.
-  This release contains breaking changes, see [Upgrading to Vinyl Cache 9.0](https://vinyl-cache.org/docs/9.0/whats-new/upgrading-9.0.html).
-  The `varnish-modules` project is currently not packaged for Vinyl Cache, as it is incompatible.
+- `minio_legacy_fs` has been removed. If you used that package, migrate your data to be compatible with the newest minio and use the package `minio`.

- `eslint` has been updated from version 9 to version 10. Please see <https://eslint.org/blog/2026/02/eslint-v10.0.0-released/> for details about the breaking changes included in the update.
+- `mercure` has been update to `0.21.4` (or later). Version [0.21.0](https://github.com/dunglas/mercure/releases/v0.21.0) and [0.21.2](https://github.com/dunglas/mercure/releases/tag/v0.21.2) introduce breaking changes to the package.

- `minio` has been abandoned by upstream and security issues won't be fixed. `minio_legacy_fs` has also been removed. Both are scheduled for full removal in 26.11. Users should migrate to alternatives such as Garage, SeaweedFS, or Ceph. S3-compatible clients such as rclone can be used to move data.
-
- `mercure` has been updated to `0.21.4` (or later). Version [0.21.0](https://github.com/dunglas/mercure/releases/v0.21.0) and [0.21.2](https://github.com/dunglas/mercure/releases/tag/v0.21.2) introduce breaking changes to the package.
-
- `mozc` and `mozc-ut` no longer contain the IBus front-end, which is now provided by `ibus-engines.mozc` and `ibus-engines.mozc-ut`.
-
- `nemorosa` has been updated from `0.4.3` to `0.5.0`. Version [0.5.0](https://github.com/KyokoMiki/nemorosa/releases/tag/0.5.0) introduced breaking changes to the package configuration.
-
- `n8n` has been updated to version 2. You can find the breaking changes here: <https://docs.n8n.io/2-0-breaking-changes/>.
-
- `nomad` has been updated to v1.11. Refer to the [release note](https://developer.hashicorp.com/nomad/docs/release-notes/nomad/v1-11-x) for more details. Once a new Nomad version has started and upgraded its data directory, it generally cannot be downgraded to the previous version.
-
- The default NVIDIA drivers no longer support Maxwell (GTX 1xxx) or older GPUs. Pin the nvidia package to ` config.boot.kernelPackages.nvidiaPackages.legacy_580` for continued support.
+- `n8n` has been updated to version 2. You can find the breaking changes here: https://docs.n8n.io/2-0-breaking-changes/.

 - `gurk-rs` has been updated from `0.6.4` to `0.8.0`. Version `0.8.0` includes breaking changes. For more information read the [release notes for 0.8.0](https://github.com/boxdot/gurk-rs/releases/tag/v0.8.0).

@@ -179,30 +136,18 @@

 - the `xorg` package set has been deprecated, packages have moved to the top level.

- `python3Packages.buildPythonPackage` and `python3Packages.buildPythonApplication` now throw errors in the presence of `pytestFlagsArray`.
-  Please use [`pytestFlags` and `(enabled|disabled)(TestPaths|Tests|TestMarks)`](#using-pytestcheckhook) instead.
-  If modifying the Nix expression is not feasible, users can remediate the error by overriding `pytestFlagsArray` with `null` or `[ ]`.
+- `python3Packages.pygame` has been been renamed to `python3Packages.pygame-original`, the attribute `python3Packages.pygame` will from python 3.14 default to the more actively maintained `python3Packages.pygame-ce`

- `python3Packages.pygame` has been renamed to `python3Packages.pygame-original`, the attribute `python3Packages.pygame` will from python 3.14 default to the more actively maintained `python3Packages.pygame-ce`.
-
- `fastly` has been updated to major version 14. For more information, you can check the [release notes](https://github.com/fastly/cli/releases/tag/v14.0.0).
+- `fastly` has been updated to major version 14. For more information, you can check the [release notes](https://github.com/fastly/cli/releases/tag/v14.0.0)

 - `peertube` has been updated from `7.3.0` to `8.0.2`, introducing several breaking changes.
  Some notable new features include channel collaboration and video player redesign with a new theme.
  For details on how to upgrade, see the `IMPORTANT NOTES` section of the [v8.0.0 CHANGELOG entry](https://docs.joinpeertube.org/CHANGELOG#v8-0-0).

- `python3Packages.gradio` has been updated to version 6. See upstream's migration guide at <https://www.gradio.app/main/guides/gradio-6-migration-guide>.
-
- `python3Packages.pikepdf` no longer builds with mupdf support by default, which may be nice in Jupyter and iPython. Build with `withMupdf = true` if this is required.
-
- `olive-editor` has been dropped as upstream development ceased and no longer builds.
-
- `python3Packages.django-mdeditor` has been removed, as it was unmaintained upstream and the latest release was vulnerable to a [critical security vulnerability](https://github.com/NixOS/nixpkgs/issues/515462).
+- `python3Packages.gradio` has been updated to version 6. See upstream's migration guide at https://www.gradio.app/main/guides/gradio-6-migration-guide.

 - `vicinae` has been updated to v0.20. This includes, among several other breaking changes, a complete overhaul of the configuration system. For update instructions, see the [upstream configuration documentation](https://docs.vicinae.com/config#migration-from-v0-16-x-to-v0-17-x).

- `percona-server_8_4` has been removed. Please update to `percona-server_8_0`, `mysql84` or `mariadb`.
-
 - The `man-pages` package's outputs have been split. The manual pages are installed into the `man` output, which is installed by default. Binaries (including `diffman-git`, `mansect`, `pdfman`, and `sortman`) are installed into the `out` output, which is not installed by default.

 - All Log4Shell vulnerability scanners were removed, as they were all unmaintained upstream and are no longer relevant given that the vulnerability has been fixed upstream for several years.
@@ -216,10 +161,6 @@

 - The `programs.captive-browser` module no longer falls back on a setcap wrapper around udhcpc to discover your network's DNS server due to [GHSA-wc3r-c66x-8xmc](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc) (CVE-2026-25740). If you're using this module, you must either configure `programs.captive-browser.dhcp-dns` manually or enable one of NetworkManager, dhcpcd, or systemd-networkd.

- NetBox was updated to `>= 4.5.5`. Have a look at the breaking changes
-  of the [4.5 release](https://github.com/netbox-community/netbox/releases/tag/v4.5.0),
-  make the required changes to your database, if needed, then upgrade by setting `services.netbox.package = pkgs.netbox_4_5;` in your configuration.
-
 - The `services.yggdrasil` module has been refactored with the following breaking changes:
  - The `services.yggdrasil.configFile` option has been removed. Configuration should now be specified directly via `services.yggdrasil.settings`.
  - The `services.yggdrasil.persistentKeys` option has been removed. To maintain persistent keys and IPv6 addresses across reboots, use `services.yggdrasil.settings.PrivateKeyPath` to securely load your private key from a file via systemd credentials. The private key must be in PEM format (PKCS #8).
@@ -238,23 +179,10 @@

 - `docker-color-output` has been updated from major version 2 to 3. One breaking change is, that they switched to [YAML-based configuration files](https://github.com/devemio/docker-color-output?tab=readme-ov-file#configuration).

- `dasel` has been updated from v2.8.1 to v3. There were significant breaking changes:
-
-  - The `put` and `delete` commands have been removed. Use the new query syntax with expressions to modify data in-place.
-  - The `--version` flag is now a subcommand: `dasel version`
-  - CLI framework migrated from Cobra to Kong, changing flag parsing behavior
-  - Selector syntax has been revamped, see [dasel v3 documentation](https://daseldocs.tomwright.me/v3) for migration guide.
-
-  Example migration:
-  - Old: `echo '{"my":{"favourites":{"colour":"blue"}}}' | dasel put -t json -r json -t string -v "red" "my.favourites.colour"`
-  - New: `echo '{"my":{"favourites":{"colour":"blue"}}}' | dasel query -i json -o json --root 'my.favourites.colour = "red"'`
-
 - `stalwart-mail` has been renamed to `stalwart`

 - Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.

- The `services.avahi.wideArea` option now defaults to `false` as a mitigation against [`CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`](https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g).
-
 - `coreth` has been removed, as upstream has moved it into `avalanchego`.

 - `nodePackages.prebuild-install` was removed because it appeared to be unmaintained upstream.
@@ -272,61 +200,32 @@
    IMAP_CERTIFICATE_VALIDATION=false
    ```

- `python3Packages.pillow-avif-plugin` has been removed as the functionality is included in `python3Packages.pillow` directly since version 11.3.
-
- `wasistlos` (previously known as `whatsapp-for-linux`) has been removed because it was unmaintained and archived upstream.
-  Multiple alternatives exist: `karere`, `whatsie` and `zapzap` among others.
+- `python3packages.pillow-avif-plugin` has been removed as the functionality is included in `python3packages.pillow` directly since version 11.3.

 - `light` has been removed because it was unmaintained.
  `brightnessctl` and `acpilight` provide similar functionality.

- `opensmtpd-filter-dkimsign` is now installed into `libexec/smtpd` instead of `libexec/opensmtpd` so that now it is properly linked into the environment built by `services.opensmtpd.procPackages`. If you hardcoded path to `filter-dkimsign` please consider using this option.
-
- `shisho` has been removed because it's archived. `semgrep`, `opengrep`, and `ast-grep` provide similar functionality.
-
- `services.openssh.settings.AcceptEnv` is now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.
+- `services.openssh.settings.AcceptEnv` now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.

 - All Xfce packages have been moved to top level (e.g. if you previously added `pkgs.xfce.xfce4-whiskermenu-plugin` to `environment.systemPackages`, you will need to change it to `pkgs.xfce4-whiskermenu-plugin`). The `xfce` scope will be removed in NixOS 26.11.

- The Dovecot IMAP server has been updated to version 2.4, with the `dovecot` attribute now referring to this backwards-incompatible version. The attribute `dovecot_2_3` refers to the previous version. The Pigeonhole plugin has been similarly updated to 2.4, with the version compatible with Dovecot 2.3 being at `dovecot_pigeonhole_0_5`. See <https://doc.dovecot.org/latest/installation/upgrade/2.3-to-2.4.html> for more information on how to upgrade.
-
 - `spacefm` was removed because it appeared to be unmaintained upstream.

- `neofetch` has been removed because it was unmaintained upstream. Consider using the updated fork `neowofetch` provided by the `hyfetch` package or the alternative `fastfetch` instead.
-
 - `vimPlugins.nvim-treesitter` has been updated to `main` branch, which is a full and incompatible rewrite. If you can't or don't want to update, you should use `vimPlugins.nvim-treesitter-legacy`.

- `services.taskchampion-sync-server` module has had an option `services.taskchampion-sync-server.dynamicUser` added to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.
-
- Package `jellyseerr` has been renamed to `seerr` following the upstream rename.
-
- The default packages in `services.jenkins.packages` have been dropped, since not every Jenkins installation needs any package at all. It's more reasonable to leave it empty and let users configure what they need.
-
- The `pie` hardening flag has been removed and will now error, after being deprecated in 25.11. Compilers are expected to enable PIE by default, as has been common practice since 2016 outside of Nixpkgs. If a package needs `pie` disabled pass `-no-pie` in `CFLAGS`. It is unlikely this will be necessary in many cases; due to the prevalence of default PIE toolchains, most packages incompatible with PIE already pass `-no-pie`.
-
- `pqos-wrapper` was removed as it has been unmaintained since 2022 and not widely used.
+- `services.taskchampion-sync-server` module have been added an option `services.taskchampion-sync-server.dynamicUser` to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.

 ## Other Notable Changes {#sec-nixpkgs-release-26.05-notable-changes}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- `nvidia-x11` proprietary kernel modules are now provided separately as `nvidia_x11.mod`, while `nvidia_x11.open` remains the open-source kernel module package.
-
- `linuxPackages.nvidiaPackages` now follows NVIDIA's official release branches by exposing `production`, `new_feature`, and `beta`. The convenience aliases `latest` (newer of `production` and `new_feature`) and `bleeding_edge` (newer of `latest` and `beta`) are provided; note that `beta` now refers strictly to the beta branch.
-
 - `balatro` now supports the Google Play and Xbox PC versions of the game.  Pass the `apk` or `Assets.zip` as `balatro.override { src = "…" }`.

 - `uptime-kuma` has been updated to v2, which requires an automated migration that can take a few hours. **A backup is highly recommended.**
  If your SQLite database is corrupted, the migration might fail and require [manual intervention](https://github.com/louislam/uptime-kuma/issues/5281).
  See the [migration guide](https://github.com/louislam/uptime-kuma/wiki/Migration-From-v1-To-v2) for more information.

- `incus-lts` has been updated from v6 to v7
-
- The `libcxxhardeningextensive` hardening flag has been **disabled** by default. Enabling it by default in 25.11 was unintentional and may have had a negative effect on performance in some cases. `libcxxhardeningfast` remains enabled by default.
-
- The packages `ibtool`, `actool` and `re-plistbuddy` have been added, providing reimplementations of the corresponding proprietary Apple tools. They are more compatible with the originals than the previously existing `xcbuild` package, and should enable more darwin software to be built from source.
-
- Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows avoiding switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors for your system. You can still forcefully switch into any generation by setting `NIXOS_NO_CHECK=1`.
+- Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows to avoid switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors for your system. You can still forcefully switch into any generation by setting `NIXOS_NO_CHECK=1`.

 - GNU Taler has been updated to version 1.3.
  This release focuses on getting everything ready for a deployment of GNU Taler by Magnet bank.
@@ -334,44 +233,19 @@

 - The `services.nextcloud-spreed-signaling` NixOS module has been added to facilitate declarative management of a standalone Spreed signaling server ("High Performance Backend" for Nextcloud Talk).

- `collabora-desktop` The desktop version of Collabora Office is now available, package version `25.05.9.2-2`.
-
 - `fetchPnpmDeps` and `pnpmConfigHook` were added as top-level attributes, replacing the now deprecated `pnpm.fetchDeps` and `pnpm.configHook` attributes.

- `fetchPnpmDeps`' `fetcherVersion = 1` and `fetcherVersion = 2` are deprecated
-  and scheduled for removal in the 26.11 release. A deprecation warning has
-  been added. Packages still on `fetcherVersion = 1` or `fetcherVersion = 2`
-  should migrate to `fetcherVersion = 3` and regenerate their hashes. See the
-  [pnpm `fetcherVersion` section](#javascript-pnpm-fetcherVersion) of the
-  manual for details.
-
- `buildNpmPackage` now supports `npmDepsFetcherVersion` (and `fetchNpmDeps` now supports `fetcherVersion`). Set to `2` to enable packument caching, which fixes builds for projects using npm workspaces.
+- `buildNpmPackage` now supports `npmDepsCacheVersion`. Set to `2` to enable packument caching, which fixes builds for projects using npm workspaces.

 - Added `dell-bios-fan-control` package and service.

- Added `lovr` package, a Lua-based game engine for VR and XR applications.
-
- Updated `wsjtx` from 2.7.0 to 3.0.0 for amateur radio hobbyists who use FT8 and other related digital modes.
-  See the [release notes](https://wsjt.sourceforge.io/Release_Notes.txt) for the changelog.
-
 - `openrgb` was updated to 1.0rc2, which now uses Plugin API version 4.
  Some existing OpenRGB plugins may be incompatible or require updates.

- `wrapNeovimUnstable` now sets provider-related configuration in its generated config rather than as wrapper arguments. It should not affect configuration unless you set `wrapRc` to false or are using the `legacyWrapper`.
-
- Neovim Lua dependencies are now set in the generated init.lua instead of
-  modifying LUA_PATH in the wrapper. Commands run pre-vimrc via `nvim --cmd
-  "require'LUA_MODULE'"` may
-  not find their lua dependencies anymore. Use `nvim -c "lua require'LUA_MODULE'"` instead to run these commands after loading `init.lua`. If you use `wrapNeovim` with `wrapRc` set to `false`, you may lose the lua dependencies if you are not loading the generated `init.lua`.
-
 - We now use the upstream wrapper script for Gradle, supporting both the `JAVA_HOME` and `GRADLE_OPTS` environment variables.

- Updated `gonic` to 0.21.0. A full ("slow") scan is recommended after upgrading to v0.21.0 to pick up the newly scanned fields (contributors, ISRCs, record labels, per-track years, ARTIST_CREDIT).
-
 - the `autossh-ng` NixOS module was introduced as a simpler alternative to the existing `autossh` module.

- Added `haskell.packages.microhs`, a set of Haskell packages built with MicroHs.
-
 - `gnuradio`: Overriding the `.pkgs` package set is now possible with a `packageOverrides` function, like with `python.pkgs` and other language-specific package sets.
 Example:

@@ -388,27 +262,21 @@ gnuradioMinimal.override {
 }
 ```

- Added `headplane` and `headplane-agent` packages, and `services.headplane` service.
-
 ## Nixpkgs Library {#sec-nixpkgs-release-26.05-lib}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

 ### Breaking changes {#sec-nixpkgs-release-26.05-lib-breaking}

- The `nodejs_latest` alias now points to `nodejs_26` instead of `nodejs_24`.
+- The `nodejs_latest` alias now points to `nodejs_25` instead of `nodejs_24`.

- `nodejs-slim` no longer exposes a `corepack` executable, it has been moved to an ad-hoc output; to restore the previous behavior, `nodejs-slim.corepack` must be explicitly included.
+- `nodejs-slim` no longer exposes a `corepack` executable, it has been moved to an ad-hoc output; to restore the previous behavior, `nodejs-slim.corepack` must be explicitely included.

 - `nodejs` is now a simple wrapper for `nodejs-slim`+`nodejs-slim.npm`+`nodejs-slim.corepack`, meaning it is no longer possible to reference or override its attributes or outputs (e.g. `nodejs.libv8` must be replaced with `nodejs-slim.libv8`, `nodejs.nativeBuildInputs` with `nodejs-slim.nativeBuildInputs`, etc.).

- `navidrome` has removed the built-in Spotify integration. See [v0.61.0](https://github.com/navidrome/navidrome/releases/tag/v0.61.0) for details on optional replacements.
-
 - `mold` is now wrapped by default.

- The `neovim` package and module now disable by default the `python3` and `ruby` providers, unused by most users and reducing closure size from 365MiB to 240MiB. Host provider executables are not exposed anymore along with the neovim wrapper. You can still refer to those using the neovim provider variables (e.g., `python3_host_prog`).
-
- `canokey-qemu` support for `qemu` was restored (although disabled by default), after being marked as broken since nixpkgs 25.11. Please note that the format of canokey files has changed, and that some data created with older canokey-qemu release cannot be read by the current version. See the [documentation](https://github.com/canokeys/canokey-qemu/tree/v1?tab=readme-ov-file#compatibility-warning) for details.
+- `neovim` now disables by default the `python3` and `ruby` providers, unused by most users and reducing closure size from 365MiB to 240MiB. Host provider executables are not exposed anymore along with the neovim wrapper. You can still refer to those using the neovim provider variables (e.g., `python3_host_prog`).

 ### Deprecations {#sec-nixpkgs-release-26.05-lib-deprecations}

@@ -416,10 +284,6 @@ gnuradioMinimal.override {

 - `fetchFromSavannah` is now deprecated and is expected to be fully removed in a future release. From now on, use `fetchgit` or a Savannah releases mirror when applicable.

- Using nested lists in build/runtime inputs in `mkDerivation` is now deprecated.
-
 ### Additions and Improvements {#sec-nixpkgs-release-26.05-lib-additions-improvements}

 - The builder `php.buildComposerProject2` for PHP applications has been improved for better reliability and stability.
-
- The `services.drupal` module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new `webRoot` option for identifying custom webroots in source code, a new `configRoot` option for identifying and synchronizing config yamls onto NixOS, and some new settings for managing variable content and filepaths.
--- a/doc/release-notes/rl-2611.section.md
+++ b/doc/release-notes/rl-2611.section.md
@@ -1,45 +0,0 @@
-# Nixpkgs 26.11 ("Zokor", 2026.11/??) {#sec-nixpkgs-release-26.11}
-
-## Highlights {#sec-nixpkgs-release-26.11-highlights}
-
-<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-
- Create the first release note entry in this section!
-
-## Backward Incompatibilities {#sec-nixpkgs-release-26.11-incompatibilities}
-
-<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-
- `hurl` has been updated to `8.x.x` which has some breaking changes. See [upstream changelog](https://github.com/Orange-OpenSource/hurl/releases/tag/8.0.0) for details.
- `python3Packages.django-health-check` has been updated to major version 4. See its [migration guide](https://codingjoe.dev/django-health-check/migrate-to-v4/) and [changelog](https://github.com/codingjoe/django-health-check/releases/tag/4.0.0) for breaking changes.
-
- `requireFile` now sets `meta.license = lib.licenses.unfree` by default. Users of `requireFile`-based derivations that preserve this default will need to explicitly allow their evaluation as described in [](#sec-allow-unfree).
-
-## Other Notable Changes {#sec-nixpkgs-release-26.11-notable-changes}
-
-<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-
- Package-URL (PURL, https://github.com/package-url/purl-spec) metadata identifier has been added for `fetchgit`, `fetchpypi` and `fetchFromGithub` fetchers.
-  `mkDerivation` has been adjusted to reuse this information.
-  Package-URLs allow reliably identifying and locating software packages.
-  Maintainers of derivations using the adapted fetchers should rely on the `drv.src.meta.identifiers.v1.purl` default identifier and can enhance their `drv.meta.identifiers.v1.purls` list once they would like to have additional identifiers.
-  Maintainers using `fetchurl` for `drv.src` are urged to adapt their `drv.meta.identifiers.purlParts` for proper identification.
-
-## Nixpkgs Library {#sec-nixpkgs-release-26.11-lib}
-
-<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-
-### Breaking changes {#sec-nixpkgs-release-26.11-lib-breaking}
-
- Create the first release note entry in this section!
-
-
-### Deprecations {#sec-nixpkgs-release-26.11-lib-deprecations}
-
- Create the first release note entry in this section!
-
-
-### Additions and Improvements {#sec-nixpkgs-release-26.11-lib-additions-improvements}
-
- Create the first release note entry in this section!
-
--- a/doc/stdenv/cross-compilation.chapter.md
+++ b/doc/stdenv/cross-compilation.chapter.md
@@ -2,9 +2,7 @@

 ## Introduction {#sec-cross-intro}

-"Cross-compilation" means compiling a program on one machine for another type of machine. A typical use of cross-compilation is to compile programs for embedded devices that lack the computing power and memory to compile their own programs, but it is useful in many other contexts: producing trusted bootstrap artifacts on Hydra for platforms without physical build hardware, using fast machines (e.g. x86_64) to build for slower architectures popular in routers and switches (e.g. mips/powerpc), and rigorously distinguishing build-time from run-time environments even when developing and deploying on the same machine. Nixpkgs adopts the opinion that packages should be written with cross-compilation in mind, and Nixpkgs should evaluate in a similar way (by minimizing cross-compilation-specific special cases) whether or not one is cross-compiling.
-
-For a hands-on tutorial, see the [cross-compilation guide on nix.dev](https://nix.dev/tutorials/cross-compilation).
+"Cross-compilation" means compiling a program on one machine for another type of machine. For example, a typical use of cross-compilation is to compile programs for embedded devices. These devices often don't have the computing power and memory to compile their own programs. One might think that cross-compilation is a fairly niche concern. However, there are significant advantages to rigorously distinguishing between build-time and run-time environments! Significant, because the benefits apply even when one is developing and deploying on the same machine. Nixpkgs is increasingly adopting the opinion that packages should be written with cross-compilation in mind, and Nixpkgs should evaluate in a similar way (by minimizing cross-compilation-specific special cases) whether or not one is cross-compiling.

 This chapter will be organized in three parts. First, it will describe the basics of how to package software in a way that supports cross-compilation. Second, it will describe how to use Nixpkgs when cross-compiling. Third, it will describe the internal infrastructure supporting cross-compilation.

@@ -72,8 +70,6 @@ The exact schema these fields follow is a bit ill-defined due to a long and conv

 : This is, quite frankly, a dumping ground of ad-hoc settings (it's an attribute set). See `lib.systems.platforms` for examples—there's hopefully one in there that will work verbatim for each platform that is working. Please help us triage these flags and give them better homes!

-Using these attributes, the build process of a package can change depending on the situation.
-
 ### Theory of dependency categorization {#ssec-cross-dependency-categorization}

 ::: {.note}
@@ -135,52 +131,6 @@ software floating point emulation.  `libgcc` would be a "target→ *" dependency

 Some frequently encountered problems when packaging for cross-compilation should be answered here. Ideally, the information above is exhaustive, so this section cannot provide any new information, but it is ludicrous and cruel to expect everyone to spend effort working through the interaction of many features just to figure out the same answer to the same common problem. Feel free to add to this list!

-#### How do I test cross-compilation using emulation? {#cross-qa-emulation}
-
-Every elaborated platform exposes an `emulator` function on its `hostPlatform` attribute that returns the path to an emulator capable of running binaries for that platform. The dispatch is defined in `lib/systems/default.nix` and selects:
-
- a no-op exec wrapper, when the build platform can already execute the host platform's binaries
- `wine` for Windows targets
- `qemu-user` for foreign Linux targets on a Linux builder
- `wasmtime` for WASI
- `nodejs-slim` for GHCJS
- `mmix` for MMIX
-
-`emulator` is a function of the package set; `emulatorAvailable` is a predicate of the same shape that reports whether an emulator exists. Use them from a `nix` expression rather than invoking `qemu` by hand, for example inside a `checkPhase` or `passthru.tests` derivation:
-
-```nix
-stdenv.mkDerivation {
-  # ...
-  doCheck = stdenv.hostPlatform.emulatorAvailable buildPackages;
-  checkPhase = ''
-    ${stdenv.hostPlatform.emulator buildPackages} ./my-binary --self-test
-  '';
-}
-```
-
-To run a cross-compiled binary outside the Nix sandbox, build it and invoke the emulator from a shell. This is also a quick way to verify the dispatch table above:
-
-```ShellSession
-$ nix-build '<nixpkgs>' -A pkgsCross.aarch64-multiplatform.hello # Should be available in cache.nixos.org
-```
-
-To get a path for an emulator, given a `crossSystem.config` (e.g with `aarch64-linux`):
-
-```ShellSession
-$ nix-instantiate --eval --strict -E \
-    '(import <nixpkgs> { crossSystem.config = "aarch64-unknown-linux-gnu"; }).stdenv.hostPlatform.emulator (import <nixpkgs> {})'
-"/nix/store/.../bin/qemu-aarch64"
-```
-
-And specifically for `aarch64-linux`, and many other platforms, you have all of them available in `qemu` package, meaning you can simply run:
-
-```ShellSession
-$ nix-shell -p qemu --run 'qemu-aarch64 ./result/bin/hello'
-Hello, world!
-```
-
-The same pattern works for other targets by substituting the `pkgsCross.*` attribute and the emulator package (e.g. `wine` for `pkgsCross.mingwW64`).
-
 #### My package fails to find a binutils command (`cc`/`ar`/`ld` etc.) {#cross-qa-fails-to-find-binutils}
 Many packages assume that an unprefixed binutils (`cc`/`ar`/`ld` etc.) is available, but Nix doesn't provide one. It only provides a prefixed one, just as it only does for all the other binutils programs. It may be necessary to patch the package to fix the build system to use a prefix. For instance, instead of `cc`, use `${stdenv.cc.targetPrefix}cc`.

@@ -285,24 +235,13 @@ One would think that `localSystem` and `crossSystem` overlap horribly with the t

 ### Implementation of dependencies {#ssec-cross-dependency-implementation}

-The categories of dependencies developed in [](#ssec-cross-dependency-categorization) are specified as lists of derivations given to `mkDerivation`, as documented in [](#ssec-stdenv-dependencies). In short, each list of dependencies for `host → target` is called `deps<theirHost><theirTarget>` (where `theirHost`, and `theirTarget` values are either `build`, `host`, or `target`), with exceptions for backwards compatibility that `depsBuildHost` is instead called `nativeBuildInputs` and `depsHostTarget` is instead called `buildInputs`. Nixpkgs is now structured so that each `deps<theirHost><theirTarget>` is automatically taken from `pkgs<theirHost><theirTarget>`. (These `pkgs<theirHost><theirTarget>`s are quite new, so there is no special case for `nativeBuildInputs` and `buildInputs`.) For example, `pkgsBuildHost.gcc` should be used at build-time, while `pkgsHostTarget.openssl` should be used at run-time.
+The categories of dependencies developed in [](#ssec-cross-dependency-categorization) are specified as lists of derivations given to `mkDerivation`, as documented in [](#ssec-stdenv-dependencies). In short, each list of dependencies for `host → target` is called `deps<host><target>` (where `host`, and `target` values are either `build`, `host`, or `target`), with exceptions for backwards compatibility that `depsBuildHost` is instead called `nativeBuildInputs` and `depsHostTarget` is instead called `buildInputs`. Nixpkgs is now structured so that each `deps<host><target>` is automatically taken from `pkgs<host><target>`. (These `pkgs<host><target>`s are quite new, so there is no special case for `nativeBuildInputs` and `buildInputs`.) For example, `pkgsBuildHost.gcc` should be used at build-time, while `pkgsHostTarget.gcc` should be used at run-time.

-Adjacent package sets are defined as `pkgs<theirHost><theirTarget>` attributes, where "their" represents the new attribute set, and "our" represents the "current" package set. Below is a table of adjacent stages and their aliases. See [](#variables-specifying-dependencies) for usage examples.
+Now, for most of Nixpkgs's history, there were no `pkgs<host><target>` attributes, and most packages have not been refactored to use it explicitly. Prior to those, there were just `buildPackages`, `pkgs`, and `targetPackages`. Those are now redefined as aliases to `pkgsBuildHost`, `pkgsHostTarget`, and `pkgsTargetTarget`. It is acceptable, even recommended, to use them for libraries to show that the host platform is irrelevant.

-| Adjacent package set                   | Their host platform | Their target platform |
-|----------------------------------------|---------------------|-----------------------|
-| `pkgsBuildBuild`                       | Our build platform  | Our build platform    |
-| `pkgsBuildHost` or `buildPackages`     | Our build platform  | Our host platform     |
-| `pkgsBuildTarget`                      | Our build platform  | Our target platform   |
-| `pkgsHostHost`                         | Our host platform   | Our host platform     |
-| `pkgsHostTarget` or `pkgs`             | Our host platform   | Our target platform   |
-| `pkgsTargetTarget` or `targetPackages` | Our target platform | Our target platform   |
+But before that, there was just `pkgs`, even though both `buildInputs` and `nativeBuildInputs` existed. \[Cross barely worked, and those were implemented with some hacks on `mkDerivation` to override dependencies.\] What this means is the vast majority of packages do not use any explicit package set to populate their dependencies, just using whatever `callPackage` gives them even if they do correctly sort their dependencies into the multiple lists described above. And indeed, asking that users both sort their dependencies, _and_ take them from the right attribute set, is both too onerous and redundant, so the recommended approach (for now) is to continue just categorizing by list and not using an explicit package set.

-Now, for most of Nixpkgs's history, there were no `pkgs<theirHost><theirTarget>` attributes, and most packages have not been refactored to use it explicitly. Prior to those, there were just `buildPackages`, `pkgs`, and `targetPackages`. Those are now redefined as aliases to `pkgsBuildHost`, `pkgsHostTarget`, and `pkgsTargetTarget`. It is acceptable, even recommended, to use them to show that only their host platform matters. That is, use `buildPackages` where any of `pkgsBuild*` would do, and `targetPackages` when any of `pkgsTarget*` would do (if we had more than just `pkgsTargetTarget`).
-
-But before that, there was just `pkgs`, even though both `buildInputs` and `nativeBuildInputs` existed. (Cross barely worked, and those were implemented with some hacks on `mkDerivation` to override dependencies.) What this means is the vast majority of packages do not use any explicit package set to populate their dependencies, just using whatever `callPackage` gives them even if they do correctly sort their dependencies into the multiple lists described above. And indeed, asking that users both sort their dependencies, _and_ take them from the right attribute set, is both too onerous and redundant, so the recommended approach (for now) is to continue just categorizing by list and not using an explicit package set.
-
-To make this work, we "splice" together the six `pkgs<theirHost><theirTarget>` package sets and have `callPackage` actually take its arguments from that. This is currently implemented in `pkgs/top-level/splice.nix`. `mkDerivation` then, for each dependency attribute, pulls the right derivation out from the splice. This splicing can be skipped when not cross-compiling as the package sets are the same, but still is a bit slow for cross-compiling. We'd like to do something better, but haven't come up with anything yet.
+To make this work, we "splice" together the six `pkgsFooBar` package sets and have `callPackage` actually take its arguments from that. This is currently implemented in `pkgs/top-level/splice.nix`. `mkDerivation` then, for each dependency attribute, pulls the right derivation out from the splice. This splicing can be skipped when not cross-compiling as the package sets are the same, but still is a bit slow for cross-compiling. We'd like to do something better, but haven't come up with anything yet.

 ### Bootstrapping {#ssec-bootstrapping}

--- a/doc/stdenv/meta.chapter.md
+++ b/doc/stdenv/meta.chapter.md
@@ -61,12 +61,6 @@ Release branch. Used to specify that a package is not going to receive updates t

 The package’s homepage. Example: `https://www.gnu.org/software/hello/manual/`

-### `donationPage` {#var-meta-donationPage}
-
-The package or project's donation page, if it exists. Example: `https://neovim.io/sponsors/`
-
-Authoritative project URLs are preferred.
-
 ### `downloadPage` {#var-meta-downloadPage}

 The page where a link to the current version can be found. Example: `https://ftp.gnu.org/gnu/hello/`
@@ -157,11 +151,9 @@ The list of Nix platform types for which the [Hydra](https://github.com/nixos/hy
 }
 ```

-Note that this does not affect whether reverse dependencies of the package are built on Hydra.
-
 ### `broken` {#var-meta-broken}

-If set to `true`, the package is marked as "broken", meaning that it won’t show up in [search.nixos.org](https://search.nixos.org/packages), and cannot be built or installed unless [explicitly allowed](#sec-allow-broken).
+If set to `true`, the package is marked as "broken", meaning that it won’t show up in [search.nixos.org](https://search.nixos.org/packages), and cannot be built or installed unless the environment variable [`NIXPKGS_ALLOW_BROKEN`](#opt-allowBroken) is set.
 Such unconditionally-broken packages should be removed from Nixpkgs eventually unless they are fixed.

 The value of this attribute can depend on a package's arguments, including `stdenv`.
@@ -189,15 +181,6 @@ This means that `broken` can be used to express constraints, for example:
 This makes `broken` strictly more powerful than `meta.badPlatforms`.
 However `meta.availableOn` currently examines only `meta.platforms` and `meta.badPlatforms`, so `meta.broken` does not influence the default values for optional dependencies.

-Underneath, `meta.broken = true;` is the same as
-```nix
-{
-  meta.problems.broken.message = "This package is broken.";
-}
-```
-
-By specifying this manually, the error message can be customised.
-
 ## `knownVulnerabilities` {#var-meta-knownVulnerabilities}

 A list of known vulnerabilities affecting the package, usually identified by CVE identifiers.
@@ -266,10 +249,6 @@ Code to be executed on a peripheral device or embedded controller, built by a th

 Code to run on a VM interpreter or JIT compiled into bytecode by a third party. This includes packages which download Java `.jar` files from another source.

-### `lib.sourceTypes.obfuscatedCode` {#lib.sourceTypes.obfuscatedCode}
-
-Code which is intentionally obfuscated by a third party, for example by using a code obfuscator or by being distributed in an obfuscated form.
-
 ## Software identifiers {#sec-meta-identifiers}

 Package's `meta.identifiers` attribute specifies information about software identifiers associated with this package. Software identifiers are used, for example:
@@ -299,17 +278,14 @@ Some of them are as follows:
 * *vendor* - can point to the source of the package, or to Nixpkgs itself
 * *product* - name of the package
 * *version* - version of the package
-* *update* - vendor-specific string part of the version string of the latest update (e.g. `rc1`, `beta`, etc...)
-* *edition* - deprecated and should be set to `*`
+* *update* - name of the latest update, can be a patch version for semantically versioned packages
+* *edition* - any additional specification about the version

 You can find information about all of these attributes in the [official specification](https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/cpe/naming) (heading 5.3.3, pages 11-13).

-Any fields that don't have a value are set to either:
+Any fields that don't have a value are set to either `-` if the value is not available or `*` when the field can match any value.

-* `*` (ANY) when the field can match any value
-* `-` (NA) when the value is not meaningful or not used in the description
-
-For example, for glibc 2.40.1 CPE would be `cpe:2.3:a:gnu:glibc:2.40.1:*:*:*:*:*:*:*`.
+For example, for glibc 2.40.1 CPE would be `cpe:2.3:a:gnu:glibc:2.40:1:*:*:*:*:*:*`.

 #### `meta.identifiers.cpeParts` {#var-meta-identifiers-cpeParts}

@@ -325,13 +301,14 @@ It is up to the package author to make sure all parts are correct and match expe
 Following functions help with filling out `version` and `update` fields:

 * [`lib.meta.cpeFullVersionWithVendor`](#function-library-lib.meta.cpeFullVersionWithVendor)
+* [`lib.meta.cpePatchVersionInUpdateWithVendor`](#function-library-lib.meta.cpePatchVersionInUpdateWithVendor)

 For many packages to make CPE available it should be enough to specify only:

 ```nix
 {
  # ...
-  meta.identifiers.cpeParts = lib.meta.cpeFullVersionWithVendor vendor version;
+  meta.identifiers.cpeParts = lib.meta.cpePatchVersionInUpdateWithVendor vendor version;
 }
 ```

@@ -342,30 +319,3 @@ A readonly attribute that concatenates all CPE parts in one string.
 #### `meta.identifiers.possibleCPEs` {#var-meta-identifiers-possibleCPEs}

 A readonly attribute containing the list of guesses for what CPE for this package can look like. It includes all variants of version handling mentioned above. Each item is an attrset with attributes `cpeParts` and `cpe` for each guess.
-
-### Package URL {#sec-meta-identifiers-purl}
-
-[Package-URL](https://github.com/package-url/purl-spec) (PURL) is a specification to reliably identify and locate software packages.
-Through identification of software packages, additional (non-major) use cases are e.g. software license cross-verification via third party databases or initial vulnerability response management.
-Package-URLs shall default to the `mkDerivation.src`, as the original consumed software package is the single source of truth.
-
-#### `meta.identifiers.purlParts` {#var-meta-identifiers-purlParts}
-
-This attribute contains an attribute set of all parts of the PURL for this package.
-
-* `type` mandatory [type](https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/docs/standard/summary.md) which needs to be provided
-* `spec` specify the PURL in accordance with the [purl-spec](https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/purl-specification.md)
-
-#### `meta.identifiers.purl` {#var-meta-identifiers-purl}
-
-An extendable attribute which is built based on `purlParts`.
-This is the main identifier of the software package.
-For handling edge cases, consider using the list interface [`meta.identifiers.purls`](#var-meta-identifiers-purls).
-
-#### `meta.identifiers.purls` {#var-meta-identifiers-purls}
-
-An extendable list attribute which defaults to a single element equal to [`meta.identifiers.purl`](#var-meta-identifiers-purl).
-It provides an interface for additional identifiers of `mkDerivation.src` or for identifiers of vendored dependencies inside `mkDerivation.src`, which maintainers may carefully consider to specify as well.
-
-Additional identifiers are generally not recommended, as they might cause maintenance overhead or diverge.
-For example, a source distribution `pkg:github` may be hard to keep correctly aligned with the corresponding binary distribution `pkg:pypi`.
--- a/doc/stdenv/stdenv.chapter.md
+++ b/doc/stdenv/stdenv.chapter.md
@@ -431,7 +431,7 @@ Overall, the unifying theme here is that propagation shouldn’t be introducing

 ##### `depsBuildBuild` {#var-stdenv-depsBuildBuild}

-A list of dependencies whose host and target platforms are the new derivation’s build platform. These are programs and libraries used at build time that produce programs and libraries also used at build time. If the dependency doesn’t care about the target platform (i.e. isn’t a compiler or similar tool), put it in `nativeBuildInputs` instead. The most common use of this `buildPackages.stdenv.cc` (the compiler for `buildPackages`, which means that it's from the package set `buildPackages.buildPackages = pkgsBuildBuild`), the default C compiler for this role. That example crops up more than one might think in old commonly used C libraries.
+A list of dependencies whose host and target platforms are the new derivation’s build platform. These are programs and libraries used at build time that produce programs and libraries also used at build time. If the dependency doesn’t care about the target platform (i.e. isn’t a compiler or similar tool), put it in `nativeBuildInputs` instead. The most common use of this `buildPackages.stdenv.cc`, the default C compiler for this role. That example crops up more than one might think in old commonly used C libraries.

 Since these packages are able to be run at build-time, they are always added to the `PATH`, as described above. But since these packages are only guaranteed to be able to run then, they shouldn’t persist as run-time dependencies. This isn’t currently enforced, but could be in the future.

@@ -511,30 +511,6 @@ If set to `true`, `stdenv` will pass specific flags to `make` and other build to

 Unless set to `false`, some build systems with good support for parallel building including `cmake`, `meson`, and `qmake` will set it to `true`.

-#### `__structuredAttrs` {#var-stdenv-__structuredAttrs}
-
-`__structuredAttrs` defines how derivation attributes are passed to the builder.
-
-If enabled, a shell script and a JSON representation of the derivation attributes are created.
-The environment variables {env}`NIX_ATTRS_SH_FILE` and {env}`NIX_ATTRS_JSON_FILE` point to the exact location of these files.
-
-Attributes intended to be _exported_ as environment variables must be defined in the `env` attribute.
-Attributes that are _local_ to the buildscript should be defined outside of `env`, to benefit from structured shell variables.
-
-::: {.important}
-`__structuredAttrs` is a complete replacement for the way attributes are handled currently, and is the preferred default.
-
-`passAsFile` is disabled when `__structuredAttrs` is enabled, since {env}`NIX_ATTRS_JSON_FILE` can be read from instead.
-
-All new top level packages must enable `__structuredAttrs`.
-
-:::
-
-See the upstream nix documentation for more detail:
-  - [Advanced Derivation Attributes](https://nix.dev/manual/nix/2.34/language/advanced-attributes.html#adv-attr-structuredAttrs)
-  - [Builder Execution](https://nix.dev/manual/nix/2.34/store/building.html#builder-execution)
-  - [Structured Attributes](https://nix.dev/manual/nix/2.34/store/derivation/#structured-attrs)
-
 ### Fixed-point arguments of `mkDerivation` {#mkderivation-recursive-attributes}

 If you pass a function to `mkDerivation`, it will call the function with an argument that represents the final state of the package: the return value of the function itself, with any overrides applied, as the function is reinvoked by any `overrideAttrs` calls. For example:
@@ -1655,11 +1631,13 @@ Adds the `-fzero-call-used-regs=used-gpr` compiler option. This causes the gener

 This flag adds the `-fstack-clash-protection` compiler option, which causes growth of a program's stack to access each successive page in order. This should force the guard page to be accessed and cause an attempt to "jump over" this guard page to crash.

-#### `libcxxhardeningfast` {#libcxxhardeningfast}
+### Hardening flags disabled by default {#sec-hardening-flags-disabled-by-default}

-Adds the `-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST` compiler flag. This flag only has an effect on libc++ targets, and when defined, enables a set of assertions that prevent undefined behavior caused by violating preconditions of the standard library. libc++ provides several hardening modes, and this "fast" mode contains a set of security-critical checks that can be done with relatively little overhead in constant time.
+The following flags are disabled by default and should be enabled with `hardeningEnable` for packages that take untrusted input like network services.

-Disabling `libcxxhardeningfast` implies disablement of checks from `libcxxhardeningextensive`.
+#### `nostrictaliasing` {#nostrictaliasing}
+
+This flag adds the `-fno-strict-aliasing` compiler option, which prevents the compiler from assuming code has been written strictly following the standard in regards to pointer aliasing and therefore performing optimizations that may be unsafe for code that has not followed these rules.

 #### `strictflexarrays1` {#strictflexarrays1}

@@ -1669,14 +1647,6 @@ Enabling this flag on packages that still use length declarations of flexible ar

 Disabling `strictflexarrays1` implies disablement of `strictflexarrays3`.

-### Hardening flags disabled by default {#sec-hardening-flags-disabled-by-default}
-
-The following flags are disabled by default and should be enabled with `hardeningEnable` for packages that take untrusted input like network services.
-
-#### `nostrictaliasing` {#nostrictaliasing}
-
-This flag adds the `-fno-strict-aliasing` compiler option, which prevents the compiler from assuming code has been written strictly following the standard in regards to pointer aliasing and therefore performing optimizations that may be unsafe for code that has not followed these rules.
-
 #### `strictflexarrays3` {#strictflexarrays3}

 This flag adds the `-fstrict-flex-arrays=3` compiler option, which reduces the cases the compiler treats as "flexible arrays" to only those declared with length as (the correct) `[]`. This increases the coverage of fortify checks, because such arrays declared as the trailing element of a structure can normally not have their intended length determined by the compiler.
@@ -1713,6 +1683,12 @@ Adds the `-D_GLIBCXX_ASSERTIONS` compiler flag. This flag only has an effect on

 These checks may have an impact on performance in some cases.

+#### `libcxxhardeningfast` {#libcxxhardeningfast}
+
+Adds the `-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST` compiler flag. This flag only has an effect on libc++ targets, and when defined, enables a set of assertions that prevent undefined behavior caused by violating preconditions of the standard library. libc++ provides several hardening modes, and this "fast" mode contains a set of security-critical checks that can be done with relatively little overhead in constant time.
+
+Disabling `libcxxhardeningfast` implies disablement of checks from `libcxxhardeningextensive`.
+
 #### `libcxxhardeningextensive` {#libcxxhardeningextensive}

 Adds the `-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE` compiler flag. This flag only has an effect on libc++ targets, and when defined, enables a set of assertions that prevent undefined behavior caused by violating preconditions of the standard library. libc++ provides several hardening modes, and this "extensive" mode adds checks for undefined behavior that incur relatively little overhead but aren’t security-critical. The additional rigour impacts performance more than fast mode: benchmarking is recommended to determine if it is acceptable for a particular application.
--- a/doc/style.css
+++ b/doc/style.css
@@ -325,10 +325,8 @@ div.appendix .important > :last-child {

 div.book .note,
 div.book .tip,
-div.book .important,
 div.appendix .note,
-div.appendix .tip,
-div.appendix .important {
+div.appendix .tip {
  color: var(--note-text-color);
  background: var(--note-background);
 }
@@ -492,7 +490,3 @@ div.appendix .variablelist .term {
  font-family: Roboto;
  src: url(Roboto.ttf);
 }
-
-.chapter {
-  content-visibility: auto;
-}
--- a/doc/using/configuration.chapter.md
+++ b/doc/using/configuration.chapter.md
@@ -31,22 +31,6 @@ Unfree software is not tested or built in Nixpkgs continuous integration, and th
 Most unfree licenses prohibit either executing or distributing the software.
 :::

-The `NIXPKGS_CONFIG` environment variable can override the configuration file location.
-Nixpkgs resolves the config in this order:
-
-1.  `$NIXPKGS_CONFIG`, if set and the file exists.
-2.  `~/.config/nixpkgs/config.nix`, if it exists.
-3.  `~/.nixpkgs/config.nix` (legacy), if it exists.
-4.  Empty configuration.
-
-On NixOS, `NIXPKGS_CONFIG` points to `/etc/nix/nixpkgs-config.nix` system-wide.
-Drop a file there to apply configuration to `nix-env`, `nix-shell`, and other user-level commands.
-NixOS does not create this file.
-The [`nixpkgs.config`](https://nixos.org/manual/nixos/stable/options#opt-nixpkgs.config) option does not affect `nix-env`, `nix-shell`, or other user-level commands.
-
-This lookup applies to non-flake usage like channels and `<nixpkgs>`.
-Flakes ignore it; pass `config` directly when importing `nixpkgs`.
-
 ## Installing broken packages {#sec-allow-broken}

 There are several ways to try compiling a package which has been marked as broken.
@@ -57,11 +41,11 @@ There are several ways to try compiling a package which has been marked as broke
    $ export NIXPKGS_ALLOW_BROKEN=1
    ```

-   For permanently allowing broken packages with a specific name to be built, you may add a corresponding `problems.handlers` to your user's configuration file, for example:
+-   For permanently allowing broken packages that match some condition to be built, you may add `allowBrokenPredicate` to your user's configuration file with the desired condition, for example:

    ```nix
    {
-      problems.handlers.hello.broken = "warn"; # or "ignore"
+      allowBrokenPredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [ "hello" ];
    }
    ```

@@ -195,7 +179,6 @@ Currently, the following problem kinds are known (with more reserved to be added
 - "removal": The package is planned to be removed some time in the future. Unique.
 - "deprecated": The package relies on software which has reached its end of life.
 - "maintainerless": Automatically generated for packages with `meta.maintainers == []`. Unique, not manually specifiable.
- "broken": Automatically generated for packages with `meta.broken = true`.

 Each problem has a handler that deals with it, which can be one of "error", "warn" or "ignore".
 "error" will disallow evaluating a package, while "warn" will simply print a message to the log.
--- a/Show More
+++ b/Show More