Merge master into staging-next

.github/workflows/update-terraform-providers.yml

@@ -46,7 +46,7 @@ jobs:
         run: |
           git clean -f
       - name: create PR
-        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
+        uses: peter-evans/create-pull-request@8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20 # v7.0.1
         with:
           body: |
             Automatic update by [update-terraform-providers](https://github.com/NixOS/nixpkgs/blob/master/.github/workflows/update-terraform-providers.yml) action.

nixos/lib/testing/nixos-test-base.nix

@@ -3,7 +3,7 @@
 # even in `inheritParentConfig = false` specialisations.
 { lib, ... }:
 let
-  inherit (lib) mkForce;
+  inherit (lib) mkDefault mkForce;
 in
 {
   imports = [
@@ -22,6 +22,11 @@ in
         label = mkForce "test";
       };
     }
-
+    ({ config, ... }: {
+      # Don't pull in switch-to-configuration by default, except when specialisations are involved.
+      # This is mostly a Hydra optimization, so we don't rebuild all the tests every time switch-to-configuration-ng changes.
+      key = "no-switch-to-configuration";
+      system.switch.enable = mkDefault (config.isSpecialisation || config.specialisation != {});
+    })
   ];
 }

nixos/modules/installer/tools/nixos-install.sh

@@ -245,6 +245,7 @@ if [[ -z $noBootLoader ]]; then
     ln -sfn /proc/mounts "$mountPoint"/etc/mtab
     export mountPoint
     NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root "$mountPoint" -c "$(cat <<'EOF'
+      set -e
       # Create a bind mount for each of the mount points inside the target file
       # system. This preserves the validity of their absolute paths after changing
       # the root with `nixos-enter`.

nixos/modules/system/activation/no-clone.nix

@@ -5,4 +5,5 @@ with lib;
 {
   boot.loader.grub.device = mkOverride 0 "nodev";
   specialisation = mkOverride 0 {};
+  isSpecialisation = mkOverride 0 true;
 }

nixos/modules/system/activation/specialisation.nix

@@ -23,6 +23,12 @@ let
 in
 {
   options = {
+    isSpecialisation = mkOption {
+      type = lib.types.bool;
+      internal = true;
+      default = false;
+      description = "Whether this system is a specialisation of another.";
+    };
 
     specialisation = mkOption {
       default = { };

nixos/tests/chrony.nix

@@ -7,25 +7,24 @@ import ./make-test-python.nix ({ lib, ... }:
   };
 
   nodes = {
-    default = {
+    machine = {
       services.chrony.enable = true;
-    };
+
-    graphene-hardened = {
+      specialisation.hardened.configuration = {
-      services.chrony.enable = true;
+        services.chrony.enableMemoryLocking = true;
-      services.chrony.enableMemoryLocking = true;
+        environment.memoryAllocator.provider = "graphene-hardened";
-      environment.memoryAllocator.provider = "graphene-hardened";
+        # dhcpcd privsep is incompatible with graphene-hardened
-      # dhcpcd privsep is incompatible with graphene-hardened
+        networking.useNetworkd = true;
-      networking.useNetworkd = true;
+      };
     };
   };
 
-  testScript = {nodes, ...} : let
+  testScript = ''
-    graphene-hardened = nodes.graphene-hardened.system.build.toplevel;
+    machine.start()
-  in ''
+    machine.wait_for_unit('multi-user.target')
-    default.start()
+    machine.succeed('systemctl is-active chronyd.service')
-    default.wait_for_unit('multi-user.target')
+    machine.succeed('/run/booted-system/specialisation/hardened/bin/switch-to-configuration test')
-    default.succeed('systemctl is-active chronyd.service')
+    machine.succeed('systemctl restart chronyd.service')
-    default.succeed('${graphene-hardened}/bin/switch-to-configuration test')
+    machine.wait_for_unit('chronyd.service')
-    default.succeed('systemctl is-active chronyd.service')
   '';
 })

nixos/tests/containers-reloadable.nix

@@ -1,71 +1,57 @@
 import ./make-test-python.nix ({ pkgs, lib, ... }:
-let
+{
-  client_base = {
-    containers.test1 = {
-      autoStart = true;
-      config = {
-        environment.etc.check.text = "client_base";
-      };
-    };
-
-    # prevent make-test-python.nix to change IP
-    networking.interfaces = {
-      eth1.ipv4.addresses = lib.mkOverride 0 [ ];
-    };
-  };
-in {
   name = "containers-reloadable";
   meta = {
     maintainers = with lib.maintainers; [ danbst ];
   };
 
   nodes = {
-    client = { ... }: {
+    machine = { lib, ... }: {
-      imports = [ client_base ];
+      containers.test1 = {
-    };
+        autoStart = true;
-
+        config.environment.etc.check.text = "client_base";
-    client_c1 = { lib, ... }: {
-      imports = [ client_base ];
-
-      containers.test1.config = {
-        environment.etc.check.text = lib.mkForce "client_c1";
-        services.httpd.enable = true;
-        services.httpd.adminAddr = "nixos@example.com";
       };
-    };
-    client_c2 = { lib, ... }: {
-      imports = [ client_base ];
 
-      containers.test1.config = {
+      # prevent make-test-python.nix to change IP
-        environment.etc.check.text = lib.mkForce "client_c2";
+      networking.interfaces.eth1.ipv4.addresses = lib.mkOverride 0 [ ];
-        services.nginx.enable = true;
+
+      specialisation.c1.configuration = {
+        containers.test1.config = {
+          environment.etc.check.text = lib.mkForce "client_c1";
+          services.httpd.enable = true;
+          services.httpd.adminAddr = "nixos@example.com";
+        };
+      };
+
+      specialisation.c2.configuration = {
+        containers.test1.config = {
+          environment.etc.check.text = lib.mkForce "client_c2";
+          services.nginx.enable = true;
+        };
       };
     };
   };
 
-  testScript = {nodes, ...}: let
+  testScript = ''
-    c1System = nodes.client_c1.config.system.build.toplevel;
+    machine.start()
-    c2System = nodes.client_c2.config.system.build.toplevel;
+    machine.wait_for_unit("default.target")
-  in ''
-    client.start()
-    client.wait_for_unit("default.target")
 
-    assert "client_base" in client.succeed("nixos-container run test1 cat /etc/check")
+    assert "client_base" in machine.succeed("nixos-container run test1 cat /etc/check")
 
     with subtest("httpd is available after activating config1"):
-        client.succeed(
+        machine.succeed(
-            "${c1System}/bin/switch-to-configuration test >&2",
+            "/run/booted-system/specialisation/c1/bin/switch-to-configuration test >&2",
             "[[ $(nixos-container run test1 cat /etc/check) == client_c1 ]] >&2",
             "systemctl status httpd -M test1 >&2",
         )
 
     with subtest("httpd is not available any longer after switching to config2"):
-        client.succeed(
+        machine.succeed(
-            "${c2System}/bin/switch-to-configuration test >&2",
+            "/run/booted-system/specialisation/c2/bin/switch-to-configuration test >&2",
             "[[ $(nixos-container run test1 cat /etc/check) == client_c2 ]] >&2",
             "systemctl status nginx -M test1 >&2",
         )
-        client.fail("systemctl status httpd -M test1 >&2")
+        machine.fail("systemctl status httpd -M test1 >&2")
   '';
 
 })

nixos/tests/containers-restart_networking.nix

@@ -1,20 +1,4 @@
-let
+import ./make-test-python.nix ({ pkgs, lib, ... }:
-  client_base = {
-    networking.firewall.enable = false;
-
-    containers.webserver = {
-      autoStart = true;
-      privateNetwork = true;
-      hostBridge = "br0";
-      config = {
-        networking.firewall.enable = false;
-        networking.interfaces.eth0.ipv4.addresses = [
-          { address = "192.168.1.122"; prefixLength = 24; }
-        ];
-      };
-    };
-  };
-in import ./make-test-python.nix ({ pkgs, lib, ... }:
 {
   name = "containers-restart_networking";
   meta = {
@@ -22,46 +6,55 @@ in import ./make-test-python.nix ({ pkgs, lib, ... }:
   };
 
   nodes = {
-    client = { lib, ... }: client_base // {
+    client = {
       virtualisation.vlans = [ 1 ];
 
+      networking.firewall.enable = false;
+
+      containers.webserver = {
+        autoStart = true;
+        privateNetwork = true;
+        hostBridge = "br0";
+        config = {
+          networking.firewall.enable = false;
+          networking.interfaces.eth0.ipv4.addresses = [
+            { address = "192.168.1.122"; prefixLength = 24; }
+          ];
+        };
+      };
+
       networking.bridges.br0 = {
         interfaces = [];
         rstp = false;
       };
-      networking.interfaces = {
+
-        eth1.ipv4.addresses = lib.mkOverride 0 [ ];
+      networking.interfaces.br0.ipv4.addresses = [ { address = "192.168.1.1"; prefixLength = 24; } ];
-        br0.ipv4.addresses = [ { address = "192.168.1.1"; prefixLength = 24; } ];
+
+      specialisation.eth1.configuration = {
+        networking.bridges.br0.interfaces = [ "eth1" ];
+        networking.interfaces = {
+          eth1.ipv4.addresses = lib.mkForce [ ];
+          eth1.ipv6.addresses = lib.mkForce [ ];
+          br0.ipv4.addresses = [ { address = "192.168.1.2"; prefixLength = 24; } ];
+        };
       };
 
-    };
+      specialisation.eth1-rstp.configuration = {
-    client_eth1 = { lib, ... }: client_base // {
+        networking.bridges.br0 = {
-      networking.bridges.br0 = {
+          interfaces = [ "eth1" ];
-        interfaces = [ "eth1" ];
+          rstp = lib.mkForce true;
-        rstp = false;
+        };
-      };
+
-      networking.interfaces = {
+        networking.interfaces = {
-        eth1.ipv4.addresses = lib.mkOverride 0 [ ];
+          eth1.ipv4.addresses = lib.mkForce [ ];
-        br0.ipv4.addresses = [ { address = "192.168.1.2"; prefixLength = 24; } ];
+          eth1.ipv6.addresses = lib.mkForce [ ];
-      };
+          br0.ipv4.addresses = [ { address = "192.168.1.2"; prefixLength = 24; } ];
-    };
+        };
-    client_eth1_rstp = { lib, ... }: client_base // {
-      networking.bridges.br0 = {
-        interfaces = [ "eth1" ];
-        rstp = true;
-      };
-      networking.interfaces = {
-        eth1.ipv4.addresses = lib.mkOverride 0 [ ];
-        br0.ipv4.addresses =  [ { address = "192.168.1.2"; prefixLength = 24; } ];
       };
     };
   };
 
-  testScript = {nodes, ...}: let
+  testScript = ''
-    originalSystem = nodes.client.config.system.build.toplevel;
-    eth1_bridged = nodes.client_eth1.config.system.build.toplevel;
-    eth1_rstp = nodes.client_eth1_rstp.config.system.build.toplevel;
-  in ''
     client.start()
 
     client.wait_for_unit("default.target")
@@ -75,7 +68,7 @@ in import ./make-test-python.nix ({ pkgs, lib, ... }:
 
     with subtest("Bridged configuration without STP preserves connectivity"):
         client.succeed(
-            "${eth1_bridged}/bin/switch-to-configuration test >&2"
+            "/run/booted-system/specialisation/eth1/bin/switch-to-configuration test >&2"
         )
 
         client.succeed(
@@ -87,7 +80,7 @@ in import ./make-test-python.nix ({ pkgs, lib, ... }:
 
     #  activating rstp needs another service, therefore the bridge will restart and the container will lose its connectivity
     # with subtest("Bridged configuration with STP"):
-    #     client.succeed("${eth1_rstp}/bin/switch-to-configuration test >&2")
+    #     client.succeed("/run/booted-system/specialisation/eth1-rstp/bin/switch-to-configuration test >&2")
     #     client.execute("ip -4 a >&2")
     #     client.execute("ip l >&2")
     #
@@ -100,7 +93,7 @@ in import ./make-test-python.nix ({ pkgs, lib, ... }:
 
     with subtest("Reverting to initial configuration preserves connectivity"):
         client.succeed(
-            "${originalSystem}/bin/switch-to-configuration test >&2"
+            "/run/booted-system/bin/switch-to-configuration test >&2"
         )
 
         client.succeed("ping 192.168.1.122 -c 1 -n >&2")

nixos/tests/firewall.nix

@@ -14,17 +14,10 @@ import ./make-test-python.nix ( { pkgs, nftables, ... } : {
           networking.nftables.enable = nftables;
           services.httpd.enable = true;
           services.httpd.adminAddr = "foo@example.org";
-        };
 
-      # Dummy configuration to check whether firewall.service will be honored
+          specialisation.different-config.configuration = {
-      # during system activation. This only needs to be different to the
+            networking.firewall.rejectPackets = true;
-      # original walled configuration so that there is a change in the service
+          };
-      # file.
-      walled2 =
-        { ... }:
-        { networking.firewall.enable = true;
-          networking.firewall.rejectPackets = true;
-          networking.nftables.enable = nftables;
         };
 
       attacker =
@@ -36,7 +29,6 @@ import ./make-test-python.nix ( { pkgs, nftables, ... } : {
     };
 
   testScript = { nodes, ... }: let
-    newSystem = nodes.walled2.system.build.toplevel;
     unit = if nftables then "nftables" else "firewall";
   in ''
     start_all()
@@ -62,7 +54,7 @@ import ./make-test-python.nix ( { pkgs, nftables, ... } : {
 
     # Check whether activation of a new configuration reloads the firewall.
     walled.succeed(
-        "${newSystem}/bin/switch-to-configuration test 2>&1 | grep -qF ${unit}.service"
+        "/run/booted-system/specialisation/different-config/bin/switch-to-configuration test 2>&1 | grep -qF ${unit}.service"
     )
   '';
 })

nixos/tests/gnupg.nix

@@ -69,9 +69,11 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
           machine.wait_until_tty_matches("1", "Change")
           machine.send_chars("O\n")
           machine.wait_until_tty_matches("1", "Please enter")
-          machine.send_chars("pgp_p4ssphrase\n")
+          machine.send_chars("pgp_p4ssphrase")
-          machine.wait_until_tty_matches("1", "Please re-enter")
+          machine.send_key("tab")
-          machine.send_chars("pgp_p4ssphrase\n")
+          machine.send_chars("pgp_p4ssphrase")
+          machine.wait_until_tty_matches("1", "Passphrases match")
+          machine.send_chars("\n")
           machine.wait_until_tty_matches("1", "public and secret key created")
 
       with subtest("Confirm the key is in the keyring"):
@@ -90,9 +92,11 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
           machine.wait_until_tty_matches("1", "Enter passphrase")
           machine.send_chars("ssh_p4ssphrase\n")
           machine.wait_until_tty_matches("1", "Please enter")
-          machine.send_chars("ssh_agent_p4ssphrase\n")
+          machine.send_chars("ssh_agent_p4ssphrase")
-          machine.wait_until_tty_matches("1", "Please re-enter")
+          machine.send_key("tab")
-          machine.send_chars("ssh_agent_p4ssphrase\n")
+          machine.send_chars("ssh_agent_p4ssphrase")
+          machine.wait_until_tty_matches("1", "Passphrases match")
+          machine.send_chars("\n")
 
       with subtest("Confirm the SSH key has been registered"):
           machine.wait_until_succeeds(as_alice("ssh-add -l | grep -q alice@machine"))

nixos/tests/installer.nix

@@ -635,6 +635,7 @@ let
             (python3.withPackages (p: [ p.mistune ]))
             shared-mime-info
             sudo
+            switch-to-configuration-ng
             texinfo
             unionfs-fuse
             xorg.lndir
@@ -648,6 +649,10 @@ let
           in [
             (pkgs.grub2.override { inherit zfsSupport; })
             (pkgs.grub2_efi.override { inherit zfsSupport; })
+            pkgs.nixos-artwork.wallpapers.simple-dark-gray-bootloader
+            pkgs.perlPackages.FileCopyRecursive
+            pkgs.perlPackages.XMLSAX
+            pkgs.perlPackages.XMLSAXBase
           ])
           ++ optionals (bootLoader == "systemd-boot") [
             pkgs.zstd.bin

nixos/tests/mutable-users.nix

@@ -7,19 +7,19 @@ import ./make-test-python.nix ({ pkgs, ...} : {
   };
 
   nodes = {
-    machine = { ... }: {
+    machine = {
-      users.mutableUsers = false;
+      specialisation.immutable.configuration = {
-    };
+        users.mutableUsers = false;
-    mutable = { ... }: {
+      };
-      users.mutableUsers = true;
+
-      users.users.dry-test.isNormalUser = true;
+      specialisation.mutable.configuration = {
+        users.mutableUsers = true;
+        users.users.dry-test.isNormalUser = true;
+      };
     };
   };
 
-  testScript = {nodes, ...}: let
+  testScript = ''
-    immutableSystem = nodes.machine.config.system.build.toplevel;
-    mutableSystem = nodes.mutable.config.system.build.toplevel;
-  in ''
     machine.start()
     machine.wait_for_unit("default.target")
 
@@ -30,7 +30,7 @@ import ./make-test-python.nix ({ pkgs, ...} : {
         machine.succeed("sudo useradd foobar")
         assert "foobar" in machine.succeed("cat /etc/passwd")
         machine.succeed(
-            "${immutableSystem}/bin/switch-to-configuration test"
+            "/run/booted-system/specialisation/immutable/bin/switch-to-configuration test"
         )
         assert "foobar" not in machine.succeed("cat /etc/passwd")
 
@@ -39,7 +39,7 @@ import ./make-test-python.nix ({ pkgs, ...} : {
     with subtest("Password is wrapped in mutable mode"):
         assert "/run/current-system/" in machine.succeed("which passwd")
         machine.succeed(
-            "${mutableSystem}/bin/switch-to-configuration test"
+            "/run/booted-system/specialisation/mutable/bin/switch-to-configuration test"
         )
         assert "/run/wrappers/" in machine.succeed("which passwd")
 
@@ -63,7 +63,7 @@ import ./make-test-python.nix ({ pkgs, ...} : {
             expected_hashes[file] = machine.succeed(f"sha256sum {file}")
             expected_stats[file] = machine.succeed(f"stat {file}")
 
-        machine.succeed("/run/current-system/bin/switch-to-configuration dry-activate")
+        machine.succeed("/run/booted-system/specialisation/mutable/bin/switch-to-configuration dry-activate")
 
         machine.fail('test -e /home/dry-test')  # home was not recreated
         for file in files_to_check:

nixos/tests/nat.nix

@@ -6,17 +6,6 @@
 import ./make-test-python.nix ({ pkgs, lib, withFirewall, nftables ? false, ... }:
   let
     unit = if nftables then "nftables" else (if withFirewall then "firewall" else "nat");
-
-    routerBase =
-      lib.mkMerge [
-        { virtualisation.vlans = [ 2 1 ];
-          networking.firewall.enable = withFirewall;
-          networking.firewall.filterForward = nftables;
-          networking.nftables.enable = nftables;
-          networking.nat.internalIPs = [ "192.168.1.0/24" ];
-          networking.nat.externalInterface = "eth1";
-        }
-      ];
   in
   {
     name = "nat" + (lib.optionalString nftables "Nftables")
@@ -26,27 +15,27 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, nftables ? false, ...
     };
 
     nodes =
-      { client =
+      {
-          { pkgs, nodes, ... }:
+        client = { lib, nodes, ... }: {
-          lib.mkMerge [
+          virtualisation.vlans = [ 1 ];
-            { virtualisation.vlans = [ 1 ];
+          networking.defaultGateway =
-              networking.defaultGateway =
+            (lib.head nodes.router.networking.interfaces.eth2.ipv4.addresses).address;
-                (pkgs.lib.head nodes.router.networking.interfaces.eth2.ipv4.addresses).address;
+          networking.nftables.enable = nftables;
-              networking.nftables.enable = nftables;
+        };
-            }
-          ];
 
-        router =
+        router = { lib, ... }: {
-        { ... }: lib.mkMerge [
+          virtualisation.vlans = [ 2 1 ];
-          routerBase
+          networking.firewall.enable = withFirewall;
-          { networking.nat.enable = true; }
+          networking.firewall.filterForward = nftables;
-        ];
+          networking.nftables.enable = nftables;
+          networking.nat.enable = true;
+          networking.nat.internalIPs = [ "192.168.1.0/24" ];
+          networking.nat.externalInterface = "eth1";
 
-        routerDummyNoNat =
+          specialisation.no-nat.configuration = {
-        { ... }: lib.mkMerge [
+            networking.nat.enable = lib.mkForce false;
-          routerBase
+          };
-          { networking.nat.enable = false; }
+        };
-        ];
 
         server =
           { ... }:
@@ -59,11 +48,7 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, nftables ? false, ...
           };
       };
 
-    testScript =
+    testScript = ''
-      { nodes, ... }: let
-        routerDummyNoNatClosure = nodes.routerDummyNoNat.system.build.toplevel;
-        routerClosure = nodes.router.system.build.toplevel;
-      in ''
         client.start()
         router.start()
         server.start()
@@ -94,14 +79,14 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, nftables ? false, ...
 
         # If we turn off NAT, the client shouldn't be able to reach the server.
         router.succeed(
-            "${routerDummyNoNatClosure}/bin/switch-to-configuration test 2>&1"
+            "/run/booted-system/specialisation/no-nat/bin/switch-to-configuration test 2>&1"
         )
         client.fail("curl -4 --fail --connect-timeout 5 http://server/ >&2")
         client.fail("ping -4 -c 1 server >&2")
 
         # And make sure that reloading the NAT job works.
         router.succeed(
-            "${routerClosure}/bin/switch-to-configuration test 2>&1"
+            "/run/booted-system/bin/switch-to-configuration test 2>&1"
         )
         # FIXME: this should not be necessary, but nat.service is not started because
         #        network.target is not triggered

nixos/tests/restart-by-activation-script.nix

@@ -7,6 +7,8 @@ import ./make-test-python.nix ({ pkgs, ...} : {
   nodes.machine = { pkgs, ... }: {
     imports = [ ../modules/profiles/minimal.nix ];
 
+    system.switch.enable = true;
+
     systemd.services.restart-me = {
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {

nixos/tests/switch-test.nix

@@ -591,6 +591,7 @@ in {
     };
 
     other = {
+      system.switch.enable = true;
       users.mutableUsers = true;
     };
   };

nixos/tests/systemd-boot.nix

@@ -13,6 +13,7 @@ let
     boot.loader.systemd-boot.enable = true;
     boot.loader.efi.canTouchEfiVariables = true;
     environment.systemPackages = [ pkgs.efibootmgr ];
+    system.switch.enable = true;
   };
 
   commonXbootldr = { config, lib, pkgs, ... }:

nixos/tests/user-activation-scripts.nix

@@ -3,6 +3,7 @@ import ./make-test-python.nix ({ lib, ... }: {
   meta = with lib.maintainers; { maintainers = [ chkno ]; };
 
   nodes.machine = {
+    system.switch.enable = true;
     system.userActivationScripts.foo = "mktemp ~/user-activation-ran.XXXXXX";
     users.users.alice = {
       initialPassword = "pass1";

pkgs/applications/misc/tui-journal/default.nix

@@ -11,16 +11,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "tui-journal";
-  version = "0.10.0";
+  version = "0.11.0";
 
   src = fetchFromGitHub {
     owner = "AmmarAbouZor";
     repo = "tui-journal";
     rev = "v${version}";
-    hash = "sha256-5in2GulBGUjmrzEDFGRKYzEvB1Z7etVDM2TIb+hlMQA=";
+    hash = "sha256-2tl2jL/ikBAziwjgpP4JIDnAvpFGjm/U0etz+SC8xHk=";
   };
 
-  cargoHash = "sha256-gIBMtzGNcHjJ0ZWLU5+ys4ARHl6mN3PpU5zxsfAzG2M=";
+  cargoHash = "sha256-rZVIlKK9TdIUabzmuRAzAnybz8mgDpto0nkImb8Mx8A=";
 
   nativeBuildInputs = [
     pkg-config

pkgs/applications/networking/mailreaders/thunderbird/packages.nix

@@ -50,8 +50,8 @@ in rec {
   thunderbird = thunderbird-128;
 
   thunderbird-115 = common {
-    version = "115.14.0";
+    version = "115.15.0";
-    sha512 = "b12e1302d6be94dd88bee6dd069d3fec944bfce95e1afc1d72c14cc188d952fd5a85f0e70575317250701ac89498d876f3384b022957689fabcef61ad7d78c29";
+    sha512 = "b161b99e09b6d1ba833f77264e35034ad199438b4fc88d244a6b68c84693fa2e90fbab60dafb827a2e23b37c484f9843a58751d93826ba7cdd0391114d253de2";
 
     updateScript = callPackage ./update.nix {
       attrPath = "thunderbirdPackages.thunderbird-115";

pkgs/applications/office/treesheets/default.nix

@@ -12,13 +12,13 @@
 
 stdenv.mkDerivation rec {
   pname = "treesheets";
-  version = "0-unstable-2024-08-25";
+  version = "0-unstable-2024-09-08";
 
   src = fetchFromGitHub {
     owner = "aardappel";
     repo = "treesheets";
-    rev = "89a03e5db0c083f1c8cd422d615a3340e69856b4";
+    rev = "8db448f67710194d64211ac467ffd2d456854432";
-    hash = "sha256-p780EW/62xf4vf7Lvi5mB8fiQt91Iqi1tNTLC5iyRtE=";
+    hash = "sha256-SM62ymN5HXRiyXayoWQaGXLCGEDbHcKMJdPLXDv5dv8=";
   };
 
   nativeBuildInputs = [

pkgs/applications/science/astronomy/calcmysky/default.nix

@@ -11,13 +11,13 @@
 
 stdenv.mkDerivation rec {
   pname = "calcmysky";
-  version = "0.3.2";
+  version = "0.3.3";
 
   src = fetchFromGitHub {
     owner = "10110111";
     repo = "CalcMySky";
     rev = "refs/tags/v${version}";
-    hash = "sha256-AP6YkORbvH8PzF869s2OWbTwTfwMC+RLJx3V3BqVy88=";
+    hash = "sha256-18ZNnLK2zMT7P0MDXS6Z38LffE8EqXKBH89TPPxVWlo=";
   };
 
   nativeBuildInputs = [ cmake wrapQtAppsHook ];

pkgs/applications/version-management/stgit/default.nix

@@ -18,15 +18,15 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "stgit";
-  version = "2.4.11";
+  version = "2.4.12";
 
   src = fetchFromGitHub {
     owner = "stacked-git";
     repo = "stgit";
     rev = "v${version}";
-    hash = "sha256-wmBbcK6oImIlgbJ1gMkCVPBLaHUUeN2y9szx8age7mo=";
+    hash = "sha256-fNQLdW5KFpYUBBmaUYYOmDym7OweXsDfD+uFl688zcY=";
   };
-  cargoHash = "sha256-hw5pXmwcoi76XwPFdfQoai8S6ApDit48nVuII4ksCRM=";
+  cargoHash = "sha256-s3PFNc1rn01X6tauRXp5B4cg3AIVSishqDFy0lP/8g8=";
 
   nativeBuildInputs = [
     pkg-config installShellFiles makeWrapper asciidoc xmlto docbook_xsl

pkgs/applications/video/gyroflow/default.nix

@@ -5,13 +5,13 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "gyroflow";
-  version = "1.5.4-2023-12-25";
+  version = "1.5.4-2024-09-05";
 
   src = fetchFromGitHub {
     owner = "gyroflow";
     repo = "gyroflow";
-    rev = "e0869ffe648cb3fd88d81c807b1f7fa2e18d7430";
+    rev = "52038dedad0bd14d6af68db36a09da0243ad5455";
-    hash = "sha256-KB/uoQR43im/m5uJhheAPCqUH9oIx85JaIUwW9rhAAw=";
+    hash = "sha256-EuhUF2b8YWv2eN2pcoHA0SlnyeQ8gJ5eHbXi6G4GIzk=";
   };
 
   cargoLock = {
@@ -19,17 +19,20 @@ rustPlatform.buildRustPackage rec {
     outputHashes = {
       "ahrs-0.6.0" = "sha256-CxWyX8t+BjqIyNj1p1LdkCmNrtJkudmKgZPv0MVcghY=";
       "akaze-0.7.0" = "sha256-KkGXKoVRZZ7HUTtWYBerrN36a7RqsHjYQb+bwG1JagY=";
-      "d3d12-0.7.0" = "sha256-FqAVwW2jtDE1BV31OfrCJljGhj5iD0OfN2fANQ1wasc=";
+      "app_dirs2-2.5.5" = "sha256-nQ5Cs9r1k/3zjqXJ18Oilk8ErLKim7bGwCXDlQW4GRQ=";
-      "fc-blackbox-0.2.0" = "sha256-gL8m9DpHJPVD8vvrmuYv+biJT4PA5LmtohJwFVO+khU=";
+      "fc-blackbox-0.2.0" = "sha256-82DuI0KuHhDVhCMUsnDqk6Fk774VpvoJ1qYFLO+n1X4=";
-      "glow-0.13.0" = "sha256-vhPWzsm7NZx9JiRZcVoUslTGySQbASRh/wNlo1nK5jg=";
+      "ffmpeg-next-7.0.4" = "sha256-F1N70tSxdC36uS9Bh7X2S9Wspd7bcCbGPmoMRs1cm8Y=";
-      "keep-awake-0.1.0" = "sha256-EoXhK4/Aij70f73+5NBUoCXqZISG1+n2eVavNqe8mq4=";
+      "ffmpeg-sys-next-7.0.2" = "sha256-7C46WJseKIhqXW0cQGaF8Q/xQi7sX+e8fKVrhBMVwZE=";
+      "keep-awake-0.1.0" = "sha256-iZuntDkAhDZBojRgNEupAExtqOhiw4mf6XK0N6ff2Oc=";
+      "mp4parse-0.17.0" = "sha256-DktX6zmQsHBlo7uLgLXcXWxKq9uisnX0R16lftWRLZY=";
+      "naga-22.0.0" = "sha256-+ngomv0VyWKNDkSGVI/f5wtDyLs79qiXxtj3qNOsbFc=";
       "nshare-0.9.0" = "sha256-PAV41mMLDmhkAz4+qyf+MZnYTAdMwjk83+f+RdaJji8=";
-      "qmetaobject-0.2.10" = "sha256-ldmpbOYoCOaAoipfcCSwuV+fzF9gg1PTbRz2Jm4zJvA=";
+      "qmetaobject-0.2.10" = "sha256-kEwFjDe1tYTLQ8XdjrPyYEYnjVFyYeaWUPCj5D8mg7A=";
-      "qml-video-rs-0.1.0" = "sha256-rwdci0QhGYOnCf04u61xuon06p8Zm2wKCNrW/qti9+U=";
+      "qml-video-rs-0.1.0" = "sha256-8RYB+numVy7u29EYtSSdf/+cTsUMVjrcw4u5mqB7KbE=";
-      "rs-sync-0.1.0" = "sha256-sfym7zv5SUitopqNJ6uFP6AMzAGf4Y7U0dzXAKlvuGA=";
+      "rs-sync-0.1.0" = "sha256-6xQb0CUlBDx7S7zsqNL9zfZZtkmw0cbUUXd6pOYIrXI=";
-      "simplelog-0.12.0" = "sha256-NvmtLbzahSw1WMS3LY+jWiX4SxfSRwidTMvICGcmDO4=";
+      "spirv-std-0.9.0" = "sha256-uZn1p2pM5UYQKlY9u16aafPH7dfQcSG7PaFDd1sT4Qc=";
-      "system_shutdown-4.0.1" = "sha256-arJWmEjDdaig/oAfwSolVmk9s1UovrQ5LNUgTpUvoOQ=";
+      "system_shutdown-4.0.1" = "sha256-YypNnZzTxkmUgIxaP4jOpFBje/fEzI5L1g+3pJgMd0w=";
-      "telemetry-parser-0.2.8" = "sha256-Nr4SWEERKEAiZppqzjn1LIuMiZ2BTQEOKOlSnLVAXAg=";
+      "telemetry-parser-0.3.0" = "sha256-U26cWC7pSw4NFiu43BZf+KlLy9NU61iRpFx3Btse1aY=";
      };
   };
 

pkgs/applications/video/gyroflow/lens-profiles.nix

@@ -2,12 +2,12 @@
 
 fetchFromGitHub {
   pname = "gyroflow-lens-profiles";
-  version = "2023-12-01";
+  version = "2024-09-08";
 
   owner = "gyroflow";
   repo = "lens_profiles";
-  rev = "3e72169ae6b8601260497d7216d5fcbbc8b67194";
+  rev = "a100b233a1df242d5bf1be06df2888a5852febf3";
-  hash = "sha256-18KtunSxTsJhBge+uOGBcNZRG3W26M/Osyxllu+N0UI=";
+  hash = "sha256-z994k2lozakaKNKcdrJKzTiMGeL9oJ70jFnEYgbutq4=";
 
   meta = with lib; {
     description = "Lens profile database for Gyroflow";

pkgs/by-name/am/amazon-ssm-agent/package.nix

@@ -41,13 +41,13 @@ let
 in
 buildGoModule rec {
   pname = "amazon-ssm-agent";
-  version = "3.3.808.0";
+  version = "3.3.859.0";
 
   src = fetchFromGitHub {
     owner = "aws";
     repo = "amazon-ssm-agent";
     rev = "refs/tags/${version}";
-    hash = "sha256-ig8mr4xfYnj1z1H3Ro6HFmlzW9HsBWMDtbHtpM6BIfg=";
+    hash = "sha256-Qxzq91GXOrssBO9VaQTkLZjVqdpUYoYq3N/rakwewJs=";
   };
 
   vendorHash = null;

pkgs/by-name/ci/cirrus-cli/package.nix

@@ -6,13 +6,13 @@
 
 buildGoModule rec {
   pname = "cirrus-cli";
-  version = "0.124.2";
+  version = "0.125.1";
 
   src = fetchFromGitHub {
     owner = "cirruslabs";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-S57ApSuO3Mo/GpoaXx0dKOU3CfdQXmPM8AWi8fZ9MfY=";
+    hash = "sha256-QlQ1TaS6iUXNVF5SXyBmbcIBQfD6R7nKjPeOjRuvSds=";
   };
 
   vendorHash = "sha256-BbBwia47E6EtoEzO2c2fhjg6WHGHTnzl5VyVYxIMu6E=";

pkgs/by-name/do/docker-credential-gcr/package.nix

@@ -9,13 +9,13 @@
 
 buildGoModule rec {
   pname = "docker-credential-gcr";
-  version = "2.1.23";
+  version = "2.1.25";
 
   src = fetchFromGitHub {
     owner = "GoogleCloudPlatform";
     repo = "docker-credential-gcr";
     rev = "refs/tags/v${version}";
-    sha256 = "sha256-ViZxxqRZQPevuK/yueHKmg4CwnNpgfyXszGalzWucko=";
+    sha256 = "sha256-BnYh+MFTj76AWf0GfjzjQ/g/ACgCOLOLVfCSPssvfUY=";
   };
 
   postPatch = ''

pkgs/by-name/fa/fast-float/package.nix

@@ -7,13 +7,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "fast-float";
-  version = "6.1.5";
+  version = "6.1.6";
 
   src = fetchFromGitHub {
     owner = "fastfloat";
     repo = "fast_float";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-tFHrvwZKZkNkJM5VEpWRPD+yDMH1seuNDR/Rd9pCqBg=";
+    hash = "sha256-MEJMPQZZZhOFiKlPAKIi0zVzaJBvjAlbSyg3wLOQ1fg=";
   };
 
   nativeBuildInputs = [ cmake ];

pkgs/by-name/ga/gatus/package.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "gatus";
-  version = "5.12.0";
+  version = "5.12.1";
 
   src = fetchFromGitHub {
     owner = "TwiN";
     repo = "gatus";
     rev = "v${version}";
-    hash = "sha256-fxRHO37lxFb/rGr3TWLR817sNXaSClucuVtI1XgWrgM=";
+    hash = "sha256-K9jEepcxfV1sAC3YKqkvDA9HHlobksJPwsAcqD3gcmQ=";
   };
 
   vendorHash = "sha256-jRRFj4NdxsjC9CM+Vm5+gV0ZMbz45YtGyE3FaGaGp28=";

pkgs/by-name/pr/protoc-gen-es/package.nix

@@ -29,6 +29,13 @@ buildNpmPackage rec {
     npm run --workspace=packages/protoplugin build
   '';
 
+  # copy npm workspace modules while properly resolving symlinks
+  # TODO: workaround can be removed once this is merged: https://github.com/NixOS/nixpkgs/pull/333759
+  postInstall = ''
+    rm -rf $out/lib/node_modules/protobuf-es/node_modules/@bufbuild
+    cp -rL node_modules/@bufbuild $out/lib/node_modules/protobuf-es/node_modules/
+  '';
+
   passthru.updateScript = ./update.sh;
 
   meta = with lib; {

pkgs/by-name/re/reposilite/package.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "Reposilite";
-  version = "3.5.16";
+  version = "3.5.17";
 
   src = fetchurl {
     url = "https://maven.reposilite.com/releases/com/reposilite/reposilite/${finalAttrs.version}/reposilite-${finalAttrs.version}-all.jar";
-    hash = "sha256-zketAvn0XgBRAS+Bb3KcUcpdydbQQruS+gZ5Bfrjiig=";
+    hash = "sha256-O2dDkjypTLRu3tWRLEQQSwgX53doTsTxGSEfA2k0hlI=";
   };
 
   dontUnpack = true;

pkgs/by-name/ru/rustlings/package.nix

@@ -1,5 +1,7 @@
 {
   lib,
+  stdenv,
+  darwin,
   rustPlatform,
   fetchFromGitHub,
   pkg-config,
@@ -34,6 +36,8 @@ rustPlatform.buildRustPackage {
     makeWrapper
   ];
 
+  buildInputs = lib.optionals stdenv.isDarwin (with darwin.apple_sdk.frameworks; [ CoreServices ]);
+
   postFixup = ''
     wrapProgram $out/bin/rustlings --suffix PATH : ${
       lib.makeBinPath [

pkgs/by-name/s3/s3scanner/package.nix

@@ -2,18 +2,18 @@
 
 buildGoModule rec {
   pname = "s3scanner";
-  version = "3.0.4";
+  version = "3.1.0";
 
   src = fetchFromGitHub {
     owner = "sa7mon";
     repo = "s3scanner";
     rev = "v${version}";
-    hash = "sha256-f1r5ubH7iLKuuEhs4MPNY779FjyASW1xOXtMtXvF/CY=";
+    hash = "sha256-yQymMtXQam/PMNZMBeKWtDtdrFikjvE/Nh5K61NUaYI=";
   };
 
   ldflags = [ "-s -w" ];
 
-  vendorHash = "sha256-3Y1izt6xLg7aNJNqIEXROxR3IGAIIeptHlnoYEcuLew=";
+  vendorHash = "sha256-Y7eIvZIUtp+sOENiaG/eliZEl41qTHN2k3vJCXsjlIw=";
 
   # Requires networking
   doCheck = false;

pkgs/by-name/sc/screenly-cli/package.nix

@@ -12,16 +12,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "screenly-cli";
-  version = "0.2.8";
+  version = "1.0.0";
 
   src = fetchFromGitHub {
     owner = "screenly";
     repo = "cli";
     rev = "refs/tags/v${version}";
-    hash = "sha256-WAdQWOrrC85DBgkZ0bU91TJgYOTdxNukis5DJngHI1s=";
+    hash = "sha256-th/V0hyTMcraJHbRM5VoSM19oE6CKqIQ3qdM86TR4vE=";
   };
 
-  cargoHash = "sha256-fGUwMDSs5jJsAZmeHwYghXuOZFWHG6/NClhV0YcPQVg=";
+  cargoHash = "sha256-sv59Yu+oSxp/IVePokHrXD4FI+bZcz6aERSTLScYaLk=";
 
   nativeBuildInputs = [
     pkg-config

pkgs/by-name/sr/srm-cuarzo/package.nix

@@ -14,9 +14,9 @@
 }:
 stdenv.mkDerivation (self: {
   pname = "srm-cuarzo";
-  version = "0.7.1-1";
+  version = "0.7.2-1";
   rev = "v${self.version}";
-  hash = "sha256-cwZWEuht4XClVUQomMKUA3GScaxv7xBxj3tJhmDYG6Y=";
+  hash = "sha256-VxLiGA7AvNNjl8UjFbBE9Z/T+YrTj9Hb3LASgzE9iH0=";
 
   src = fetchFromGitHub {
     inherit (self) rev hash;

pkgs/by-name/td/tdl/package.nix

@@ -5,16 +5,16 @@
 }:
 buildGoModule rec {
   pname = "tdl";
-  version = "0.17.3";
+  version = "0.17.4";
 
   src = fetchFromGitHub {
     owner = "iyear";
     repo = "tdl";
     rev = "v${version}";
-    hash = "sha256-PX6Ja7o7K/iq7hqn0g9jZHPPRp97sHau1Xd37m8RD2A=";
+    hash = "sha256-+2K+8IGl7c2Nq1wr3pDl4H9MEbPsXZotsyaor5TzD5s=";
   };
 
-  vendorHash = "sha256-NNTIigd8Gm+7jJzhizaRHc4jLwO7QKhFh4ce0lrYBh4=";
+  vendorHash = "sha256-1PgE7Qxxe+GMaMpH5xql/NX8+QSkGRn++/+T6MQkUmM=";
 
   ldflags = [
     "-s"

pkgs/by-name/tr/trunk-io/package.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "trunk-io";
-  version = "1.3.1";
+  version = "1.3.2";
 
   src = fetchurl {
     url = "https://trunk.io/releases/launcher/${finalAttrs.version}/trunk";
-    hash = "sha256-kiUcc7RFPo7UWzEe2aQ2nrbI3GZ/zfxOlOdWw7YFoAs=";
+    hash = "sha256-zrfnPWHFoFQkVtxPedKrL1Y1xLZSDX3JuF0qgo/hhnE=";
   };
 
   dontUnpack = true;
@@ -23,6 +23,7 @@ stdenv.mkDerivation (finalAttrs: {
     homepage = "https://trunk.io/";
     description = "Developer experience toolkit used to check, test, merge, and monitor code";
     license = licenses.unfree;
+    platforms = platforms.linux ++ platforms.darwin;
     maintainers = with maintainers; [ aaronjheng ];
   };
 })

pkgs/development/python-modules/fuzzyfinder/default.nix

@@ -1,25 +1,31 @@
 {
   lib,
   buildPythonPackage,
-  fetchPypi,
+  fetchFromGitHub,
   pytestCheckHook,
+  setuptools,
 }:
 
 buildPythonPackage rec {
   pname = "fuzzyfinder";
-  version = "2.1.0";
+  version = "2.2.0";
-  format = "setuptools";
+  pyproject = true;
 
-  src = fetchPypi {
+  src = fetchFromGitHub {
-    inherit pname version;
+    owner = "amjith";
-    sha256 = "c56d86f110866becad6690c7518f7036c20831c0f82fc87eba8fdb943132f04b";
+    repo = "fuzzyfinder";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-QWUABljgtzsZONl1klCrxEh0tPYodMOXokEb3YvWsyg=";
   };
 
+  build-system = [ setuptools ];
+
   nativeCheckInputs = [ pytestCheckHook ];
 
   pythonImportsCheck = [ "fuzzyfinder" ];
 
   meta = with lib; {
+    changelog = "https://github.com/amjith/fuzzyfinder/blob/${src.rev}/CHANGELOG.rst";
     description = "Fuzzy Finder implemented in Python";
     homepage = "https://github.com/amjith/fuzzyfinder";
     license = licenses.bsd3;

pkgs/development/python-modules/gsd/default.nix

@@ -4,27 +4,33 @@
   cython,
   fetchFromGitHub,
   numpy,
+  numpy_2,
   pytestCheckHook,
   pythonOlder,
+  setuptools,
 }:
 
 buildPythonPackage rec {
   pname = "gsd";
-  version = "3.3.1";
+  version = "3.3.2";
-  format = "setuptools";
+  pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "glotzerlab";
-    repo = pname;
+    repo = "gsd";
     rev = "refs/tags/v${version}";
-    hash = "sha256-9C66k3OI+Xw+DPe8ZxuQmOiXmPWDTvJ2tVLHhfsEhgU=";
+    hash = "sha256-4NxZPu4DrwQW6qHeYairefabfN7J0+48tvVwi6ti4vk=";
   };
 
-  nativeBuildInputs = [ cython ];
+  build-system = [
+    cython
+    numpy_2
+    setuptools
+  ];
 
-  propagatedBuildInputs = [ numpy ];
+  dependencies = [ numpy ];
 
   nativeCheckInputs = [ pytestCheckHook ];
 

pkgs/development/python-modules/pysigma/default.nix

@@ -14,7 +14,7 @@
 
 buildPythonPackage rec {
   pname = "pysigma";
-  version = "0.11.12";
+  version = "0.11.13";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -23,7 +23,7 @@ buildPythonPackage rec {
     owner = "SigmaHQ";
     repo = "pySigma";
     rev = "refs/tags/v${version}";
-    hash = "sha256-1FQSs5+rRLkJg3G+GGeA4OMuNrXsodvX70nDRoaYBAY=";
+    hash = "sha256-YgEgPvBvVzk0Q2mBXyjBozGnjcs4H/+/5ghMU7/CMDw=";
   };
 
   pythonRelaxDeps = [

pkgs/development/python-modules/pytest-playwright/default.nix

@@ -14,7 +14,7 @@
 
 buildPythonPackage rec {
   pname = "pytest-playwright";
-  version = "0.5.1";
+  version = "0.5.2";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -23,7 +23,7 @@ buildPythonPackage rec {
     owner = "microsoft";
     repo = "playwright-pytest";
     rev = "refs/tags/v${version}";
-    hash = "sha256-s+0kk9kmMctPCKFd5rbdEwGgfHKYRvKq0rY9eosifCU=";
+    hash = "sha256-F5tbqm1k4SdTHIUgwSunLIL2W5mhJoMI4x4UZBLidlA=";
   };
 
   build-system = [

pkgs/development/python-modules/tencentcloud-sdk-python/default.nix

@@ -10,7 +10,7 @@
 
 buildPythonPackage rec {
   pname = "tencentcloud-sdk-python";
-  version = "3.0.1226";
+  version = "3.0.1227";
   pyproject = true;
 
   disabled = pythonOlder "3.9";
@@ -19,7 +19,7 @@ buildPythonPackage rec {
     owner = "TencentCloud";
     repo = "tencentcloud-sdk-python";
     rev = "refs/tags/${version}";
-    hash = "sha256-tqLAt8WTsIgQnBuQQfQuXwG1thOA0IKjOjxVpGBeVs8=";
+    hash = "sha256-nHTsUYyGqM/4S4B8F8iz0A7MPpotTNp1S/yPL0KCkok=";
   };
 
   build-system = [ setuptools ];

pkgs/development/tools/analysis/checkov/default.nix

@@ -6,14 +6,14 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "checkov";
-  version = "3.2.246";
+  version = "3.2.249";
   pyproject = true;
 
   src = fetchFromGitHub {
     owner = "bridgecrewio";
     repo = "checkov";
     rev = "refs/tags/${version}";
-    hash = "sha256-oEAu/GDW7u/jPCGLkvazmFJ5c73gAMDWwRu/AkVLDpk=";
+    hash = "sha256-xsb57uCPLzrqMA2T0rcbnmXlsioagFr0yc4wcRUubPI=";
   };
 
   patches = [ ./flake8-compat-5.x.patch ];

pkgs/development/tools/detekt/default.nix

@@ -1,13 +1,13 @@
 { detekt, lib, stdenv, fetchurl, makeWrapper, jre_headless, testers }:
 stdenv.mkDerivation rec {
   pname = "detekt";
-  version = "1.23.6";
+  version = "1.23.7";
 
   jarfilename = "${pname}-${version}-executable.jar";
 
   src = fetchurl {
     url = "https://github.com/detekt/detekt/releases/download/v${version}/detekt-cli-${version}-all.jar";
-    sha256 = "sha256-iY3PgQ6JH0SeTj+fSk4tx1rs+OEInfQaQqaa2yy7z/o=";
+    sha256 = "sha256-hL7e0oMBLLKzi8rvSZZFL81gadLpynS1Dqp54K0hiX4=";
   };
 
   dontUnpack = true;

pkgs/development/tools/go-migrate/default.nix

@@ -2,17 +2,17 @@
 
 buildGoModule rec {
   pname = "go-migrate";
-  version = "4.17.1";
+  version = "4.18.1";
 
   src = fetchFromGitHub {
     owner = "golang-migrate";
     repo = "migrate";
     rev = "v${version}";
-    sha256 = "sha256-9PJ3XxEA2PEaPFE3BbZkJB8XdJmm0gZf2Ko5T9DAZBw=";
+    sha256 = "sha256-ZZeurnoFcObrK75zkIZvz9ycdDP9AM3uX6h/4bMWpGc=";
   };
 
   proxyVendor = true; # darwin/linux hash mismatch
-  vendorHash = "sha256-03nNN1FkGee01gNOmIASc2B7mMTes1pEDc6Lo08dhcw=";
+  vendorHash = "sha256-Zaq88oF5rSCSv736afyKDvTNCSIyrIGTN0kuJWqS7tg=";
 
   subPackages = [ "cmd/migrate" ];
 

pkgs/development/tools/rbspy/default.nix

@@ -9,16 +9,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "rbspy";
-  version = "0.24.0";
+  version = "0.25.0";
 
   src = fetchFromGitHub {
     owner = "rbspy";
     repo = "rbspy";
     rev = "refs/tags/v${version}";
-    hash = "sha256-Tg9A7S6z/qaJ/saZRD3SSLxRQBwq/YNSTuHcmwwhqeM=";
+    hash = "sha256-6J+/clldoMSTcZXM4N8THZ3fk2NE9VQ2XyDIzVej6OY=";
   };
 
-  cargoHash = "sha256-yDz7FuAw4mvL16EMUmywB0lfnMC6okLZ1px3Blx5rn4=";
+  cargoHash = "sha256-u42FDaSpunkj5u1zYtk27tKunW4ZzsNgYCmrSnuAe5k=";
 
   # error: linker `aarch64-linux-gnu-gcc` not found
   postPatch = ''

pkgs/development/web/flyctl/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "flyctl";
-  version = "0.2.124";
+  version = "0.2.125";
 
   src = fetchFromGitHub {
     owner = "superfly";
     repo = "flyctl";
     rev = "v${version}";
-    hash = "sha256-l+rq3L4JQcc8mXbBukAOTtoX0Z7fudYxAIPnPFvupjQ=";
+    hash = "sha256-7jMti/NShvo6T3JLzRM9FKqRXkgS8jeUitZq5SU4sHE=";
   };
 
-  vendorHash = "sha256-rFFaRtEXc+rCCxUckrnFq79zIXg2XETa+hPZo1usBrc=";
+  vendorHash = "sha256-uYGOXXeNfe2rYtJh2ggNv2TbVJul4RbiBQ1KSbEjqW8=";
 
   subPackages = [ "." ];
 

pkgs/games/steam/fhsenv.nix

@@ -126,7 +126,7 @@ in buildFHSEnv rec {
     xorg.libSM
     xorg.libICE
     gnome2.GConf
-    curlWithGnuTls
+    curl
     nspr
     nss
     cups

pkgs/os-specific/darwin/bartender/default.nix

@@ -6,12 +6,12 @@
 
 stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "bartender";
-  version = "5.1.1";
+  version = "5.1.2";
 
   src = fetchurl {
     name = "Bartender ${lib.versions.major finalAttrs.version}.dmg";
     url = "https://www.macbartender.com/B2/updates/${builtins.replaceStrings [ "." ] [ "-" ] finalAttrs.version}/Bartender%20${lib.versions.major finalAttrs.version}.dmg";
-    hash = "sha256-XxBnzHYX/S172rVEiymc3sLOmIeH7ttIxSHMsh1vR/s=";
+    hash = "sha256-t3ygKL3CPebSK1JcVbabVHFpe7lvrMrFQxTh0DVyGmU=";
   };
 
   dontPatch = true;

pkgs/os-specific/linux/firmware/linux-firmware/default.nix

@@ -7,11 +7,11 @@
 
 stdenvNoCC.mkDerivation rec {
   pname = "linux-firmware";
-  version = "20240811";
+  version = "20240909";
 
   src = fetchzip {
     url = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/snapshot/linux-firmware-${version}.tar.gz";
-    hash = "sha256-sfQIXXBU5oIDmTpWExDc0drO8QH9lBL8opPO3mSk98E=";
+    hash = "sha256-3nwo4lGTV5PlsxZXa5D/7upaB+5XfXFZHbgEO5jnRrw=";
   };
 
   nativeBuildInputs = [

pkgs/servers/computing/slurm/default.nix

@@ -14,7 +14,7 @@
 
 stdenv.mkDerivation rec {
   pname = "slurm";
-  version = "24.05.2.1";
+  version = "24.05.3.1";
 
   # N.B. We use github release tags instead of https://www.schedmd.com/downloads.php
   # because the latter does not keep older releases.
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
     repo = "slurm";
     # The release tags use - instead of .
     rev = "${pname}-${builtins.replaceStrings ["."] ["-"] version}";
-    hash = "sha256-GQbZCMS9FWS0w4mgqqdQ+G8wm/g0PPFKSH60q7U9DiI=";
+    hash = "sha256-qYIpYBjbYgbYzPKEgKEEXEf/0bFyp1sFFl7A7mq6Nco=";
   };
 
   outputs = [ "out" "dev" ];

pkgs/servers/mail/mailpit/source.nix

@@ -1,6 +1,6 @@
 {
-  version = "1.20.2";
+  version = "1.20.4";
-  hash = "sha256-VQwDb1Q0RPoRzBm7GWjzXpL3jnYhqmKPmOGLqCzUosY=";
+  hash = "sha256-YvVaKNd7e+NHgRaIzzjSj2Jv4FowGJSwiPzdN2viQdk=";
-  npmDepsHash = "sha256-DBSlzpsZbXcaPogTgsXpl/KlcSS21vFeI0BMS58XJhg=";
+  npmDepsHash = "sha256-9/55zhRLMxo51vuLcCMGiJ9VPvUF1cSm8HhvDn2UnQo=";
-  vendorHash = "sha256-QcsDF/YKAaNhg61zEURGuB54XfnjvFeDmTlk/J/445I=";
+  vendorHash = "sha256-peE8VzgzQeawajk+bndO8lJZEGpCO17003dD90c9Xfg=";
 }

pkgs/tools/filesystems/dysk/default.nix

@@ -6,16 +6,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "dysk";
-  version = "2.9.0";
+  version = "2.9.1";
 
   src = fetchFromGitHub {
     owner = "Canop";
     repo = "dysk";
     rev = "v${version}";
-    hash = "sha256-EXP9uI98NXP1VRlhEaMTkJsAYVT9DpMFwquAVMoyjxU=";
+    hash = "sha256-PGl2pUeLPznut/ETJdaQlin9thDBPvqBE30cgXwV+KM=";
   };
 
-  cargoHash = "sha256-N51M9uEMfcoNyR8r76bd0PW2jSQTpU/0V+cEl82gFqk=";
+  cargoHash = "sha256-ppOAQ6Y9GJNLwGbbg1qfQ7ArVKiYxt26oEEWMOjbu0w=";
 
   nativeBuildInputs = [
     installShellFiles

pkgs/tools/inputmethods/ibus-engines/ibus-m17n/default.nix

@@ -13,13 +13,13 @@
 
 stdenv.mkDerivation rec {
   pname = "ibus-m17n";
-  version = "1.4.31";
+  version = "1.4.32";
 
   src = fetchFromGitHub {
     owner = "ibus";
     repo = "ibus-m17n";
     rev = version;
-    sha256 = "sha256-o0qW+7NM+DHD8plXGP4J/PbhOgykdc1n5n2P3gi7pbU=";
+    sha256 = "sha256-wNpbjnP44eDjKygG+0VhUj8fhiRXGwfdV33H39o7asc=";
   };
 
   nativeBuildInputs = [

pkgs/tools/networking/openapi-generator-cli/default.nix

@@ -1,7 +1,7 @@
 { callPackage, lib, stdenv, fetchurl, jre, makeWrapper }:
 
 let this = stdenv.mkDerivation (finalAttrs: {
-  version = "7.7.0";
+  version = "7.8.0";
   pname = "openapi-generator-cli";
 
   jarfilename = "openapi-generator-cli-${finalAttrs.version}.jar";
@@ -12,7 +12,7 @@ let this = stdenv.mkDerivation (finalAttrs: {
 
   src = fetchurl {
     url = "mirror://maven/org/openapitools/openapi-generator-cli/${finalAttrs.version}/${finalAttrs.jarfilename}";
-    sha256 = "sha256-OnVydsMdJJpPBqFGUbH/Hxpc9G4RCnCtzEpqKDT4VWE=";
+    sha256 = "sha256-0Yec9C2jH4z2HPaHmLjvJBivDGvZOlwYcOH/VD+7k2U=";
   };
 
   dontUnpack = true;

pkgs/tools/networking/v2ray/default.nix

@@ -6,18 +6,18 @@
 
 buildGoModule rec {
   pname = "v2ray-core";
-  version = "5.16.1";
+  version = "5.17.1";
 
   src = fetchFromGitHub {
     owner = "v2fly";
     repo = "v2ray-core";
     rev = "v${version}";
-    hash = "sha256-bgDTraLufl6txl9TMPstuPs4IgN1pLIBlpl2VlvuN0o=";
+    hash = "sha256-22Jvt64RS1BVHU6y2hIW8jcyzXo/36ogyAfFBbQXtvI=";
   };
 
   # `nix-update` doesn't support `vendorHash` yet.
   # https://github.com/Mic92/nix-update/pull/95
-  vendorHash = "sha256-FDmwZoBN2/8jPMs7xkQiI9hFt9cgaQPHC31ueYq3n9k=";
+  vendorHash = "sha256-yUVQ3H4m9gyyMFQY2k3gCx/EVKGf0fGZmJ52NW7vTW8=";
 
   ldflags = [ "-s" "-w" ];
 

pkgs/tools/security/buttercup-desktop/default.nix

@@ -2,10 +2,10 @@
 
 let
   pname = "buttercup-desktop";
-  version = "2.28.0";
+  version = "2.28.1";
   src = fetchurl {
     url = "https://github.com/buttercup/buttercup-desktop/releases/download/v${version}/Buttercup-linux-x86_64.AppImage";
-    sha256 = "sha256-A1HoJ9MdBPQ9HNkMPOBKe2SEFMqQ0nxBLd6bhUyRMD8=";
+    sha256 = "sha256-iCuvs+FisYPvCmPVg1dhYMX+Lw3WmrMSRytdy6TLrxg=";
   };
   appimageContents = appimageTools.extractType2 { inherit pname src version; };
 

pkgs/tools/security/ldeep/default.nix

@@ -6,14 +6,14 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "ldeep";
-  version = "1.0.61";
+  version = "1.0.63";
   pyproject = true;
 
   src = fetchFromGitHub {
     owner = "franc-pentest";
     repo = "ldeep";
     rev = "refs/tags/${version}";
-    hash = "sha256-2962O/7EqX1lR8rNrtg9hku6O3+2gPtGhT5jDojxBDY=";
+    hash = "sha256-LL8uyzj97Fp7Vbv4WC8OjI2YUzml7v08ITXkDoJAbT4=";
   };
 
   pythonRelaxDeps = [

pkgs/tools/text/riffdiff/default.nix

@@ -2,16 +2,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "riffdiff";
-  version = "3.2.0";
+  version = "3.2.1";
 
   src = fetchFromGitHub {
     owner = "walles";
     repo = "riff";
     rev = version;
-    hash = "sha256-CMH+6/YGepl6SJLytfDEu7NLvPA/HHY/sDm2LTi0R8w=";
+    hash = "sha256-UjuJTA+MP5EItLD2z/THeh+6dJ2byIrOBqQfUiAWSvk=";
   };
 
-  cargoHash = "sha256-w3oDpJMsfV9mIWI44YgOsNZH2vahSRCSJnYpFWBx/eU=";
+  cargoHash = "sha256-2J+7uwDzoviytbPQ+B36/oJwysBtbiJXKU7zW5vCCEU=";
 
   meta = with lib; {
     description = "Diff filter highlighting which line parts have changed";

pkgs/top-level/all-packages.nix

@@ -8477,7 +8477,7 @@ with pkgs;
   gvproxy = callPackage ../tools/networking/gvproxy { };
 
   gyroflow = qt6Packages.callPackage ../applications/video/gyroflow {
-    ffmpeg = ffmpeg_6;
+    ffmpeg = ffmpeg_7;
   };
 
   gzip = callPackage ../tools/compression/gzip { };
@@ -13287,8 +13287,6 @@ with pkgs;
     inherit (darwin.apple_sdk.frameworks) CoreServices SystemConfiguration;
   };
 
-  trunk-io = callPackage ../development/tools/trunk-io { };
-
   trunk-ng = callPackage ../by-name/tr/trunk-ng/package.nix {
     inherit (darwin.apple_sdk.frameworks) CoreServices Security SystemConfiguration;
   };
@@ -19114,7 +19112,7 @@ with pkgs;
     inherit (buildPackages.darwin) xnu bootstrap_cmds;
   };
   valgrind-light = (res.valgrind.override { gdb = null; }).overrideAttrs (oldAttrs: {
-    meta.description = "${oldAttrs.meta.description} (without GDB)";
+    meta = oldAttrs.meta // { description = "${oldAttrs.meta.description} (without GDB)"; };
   });
 
   qcachegrind = libsForQt5.callPackage ../development/tools/analysis/qcachegrind { };