From 4a0f1f616999c01707f44534746610a4ae12360f Mon Sep 17 00:00:00 2001 From: Randy Eckenrode Date: Sat, 15 Nov 2025 20:05:41 -0500 Subject: [PATCH 01/70] c-ares: fix IPv6 link-local DNS server support (cherry picked from commit 93e142f083a31d4d500ffb8f5059a7936afdc9a8) --- pkgs/development/libraries/c-ares/default.nix | 5 ++ .../c-ares/fix-link-local-dns-servers.patch | 50 +++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 pkgs/development/libraries/c-ares/fix-link-local-dns-servers.patch diff --git a/pkgs/development/libraries/c-ares/default.nix b/pkgs/development/libraries/c-ares/default.nix index 926859f60b2d9..3bd0f48bc8f6e 100644 --- a/pkgs/development/libraries/c-ares/default.nix +++ b/pkgs/development/libraries/c-ares/default.nix @@ -26,6 +26,11 @@ stdenv.mkDerivation rec { hash = "sha256-fZNXkOmvCBwlxJX9E8LPzaR5KYNBjpY1jvbnMg7gY0Y="; }; + patches = [ + # Fix being unable to use Ipv6 link-local DNS servers. See: https://github.com/c-ares/c-ares/pull/997. + ./fix-link-local-dns-servers.patch + ]; + outputs = [ "out" "dev" diff --git a/pkgs/development/libraries/c-ares/fix-link-local-dns-servers.patch b/pkgs/development/libraries/c-ares/fix-link-local-dns-servers.patch new file mode 100644 index 0000000000000..07a5b5f2084c5 --- /dev/null +++ b/pkgs/development/libraries/c-ares/fix-link-local-dns-servers.patch @@ -0,0 +1,50 @@ +From 0fbeb87f65ad9e9e6cead10d778291db71489f34 Mon Sep 17 00:00:00 2001 +From: iucoen <68678186+iucoen@users.noreply.github.com> +Date: Thu, 5 Jun 2025 20:08:43 -0700 +Subject: [PATCH] Fix IPv6 link-local nameservers in /etc/resolv.conf (#997) + +There are two issues that broke link-local nameservers in resolv.conf +1. channel->sock_funcs needs to be initialized before +ares_init_by_sysconfig() +2. The aif_nametoindex and aif_indextoname function pointers were not +initlized at all. +--- + src/lib/ares_init.c | 4 ++-- + src/lib/ares_set_socket_functions.c | 2 ++ + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c +index ae78262a11..ce6181833c 100644 +--- a/src/lib/ares_init.c ++++ b/src/lib/ares_init.c +@@ -271,6 +271,8 @@ int ares_init_options(ares_channel_t **channelptr, + goto done; + } + ++ ares_set_socket_functions_def(channel); ++ + /* Initialize Server List */ + channel->servers = + ares_slist_create(channel->rand_state, server_sort_cb, server_destroy_cb); +@@ -346,8 +348,6 @@ int ares_init_options(ares_channel_t **channelptr, + goto done; + } + +- ares_set_socket_functions_def(channel); +- + /* Initialize the event thread */ + if (channel->optmask & ARES_OPT_EVENT_THREAD) { + ares_event_thread_t *e = NULL; +diff --git a/src/lib/ares_set_socket_functions.c b/src/lib/ares_set_socket_functions.c +index cfe434327d..9994e81df5 100644 +--- a/src/lib/ares_set_socket_functions.c ++++ b/src/lib/ares_set_socket_functions.c +@@ -127,6 +127,8 @@ ares_status_t + channel->sock_funcs.asendto = funcs->asendto; + channel->sock_funcs.agetsockname = funcs->agetsockname; + channel->sock_funcs.abind = funcs->abind; ++ channel->sock_funcs.aif_nametoindex = funcs->aif_nametoindex; ++ channel->sock_funcs.aif_indextoname = funcs->aif_indextoname; + } + + /* Implement newer versions here ...*/ \ No newline at end of file From a7bdafec10eeaeed19e0ee130a90726ef639ffc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Laurent=20Sava=C3=ABte?= Date: Thu, 11 Sep 2025 23:37:41 +0200 Subject: [PATCH 02/70] nixosTestRunner: cache store path length to avoid useless calls (cherry picked from commit eca6071a74d8ae6805f38c47065157c8ee017829) --- pkgs/applications/virtualization/qemu/force-uid0-on-9p.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/virtualization/qemu/force-uid0-on-9p.patch b/pkgs/applications/virtualization/qemu/force-uid0-on-9p.patch index 33c4ffff6fe54..9ece109737582 100644 --- a/pkgs/applications/virtualization/qemu/force-uid0-on-9p.patch +++ b/pkgs/applications/virtualization/qemu/force-uid0-on-9p.patch @@ -9,7 +9,7 @@ index 45e9a1f9b0..494ee00c66 100644 +static int is_in_store_path(const char *path) +{ + static char *store_path = NULL; -+ int store_path_len = -1; ++ static ssize_t store_path_len = -1; + + if (store_path_len == -1) { + if ((store_path = getenv("NIX_STORE")) != NULL) @@ -19,7 +19,7 @@ index 45e9a1f9b0..494ee00c66 100644 + } + + if (store_path_len > 0) -+ return strncmp(path, store_path, strlen(store_path)) == 0; ++ return strncmp(path, store_path, store_path_len) == 0; + return 0; +} + From 8a0fa8fdab09b0d18e131ee21518db4eef1eef17 Mon Sep 17 00:00:00 2001 From: OPNA2608 Date: Mon, 17 Nov 2025 20:12:38 +0100 Subject: [PATCH 03/70] gst_all_1.gst-plugins-bad: Fix build on ppc64 (cherry picked from commit 6c3170c73501a1bbf52175ead6770951f77f84bc) --- pkgs/development/libraries/gstreamer/bad/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/development/libraries/gstreamer/bad/default.nix b/pkgs/development/libraries/gstreamer/bad/default.nix index 5bee93cb51241..7e67bce244403 100644 --- a/pkgs/development/libraries/gstreamer/bad/default.nix +++ b/pkgs/development/libraries/gstreamer/bad/default.nix @@ -322,6 +322,9 @@ stdenv.mkDerivation (finalAttrs: { (lib.mesonEnable "doc" enableDocumentation) (lib.mesonEnable "directfb" false) (lib.mesonEnable "lcevcdecoder" lcevcdecSupport) + (lib.mesonEnable "ldac" ldacbtSupport) + (lib.mesonEnable "webrtcdsp" webrtcAudioProcessingSupport) + (lib.mesonEnable "isac" webrtcAudioProcessingSupport) ] ++ lib.optionals (!stdenv.hostPlatform.isLinux) [ "-Ddoc=disabled" # needs gstcuda to be enabled which is Linux-only From be36784c183d5dcf49da92d2c83a80fe2b8361ed Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Tue, 18 Nov 2025 06:22:32 +0000 Subject: [PATCH 04/70] libimagequant: 4.4.0 -> 4.4.1 Changes: https://github.com/ImageOptim/libimagequant/compare/4.4.0...4.4.1 (cherry picked from commit 3208867a9dc038d8cb195bfe453f70ba8c60506e) --- pkgs/by-name/li/libimagequant/Cargo.lock | 97 +++++++++++++++-------- pkgs/by-name/li/libimagequant/package.nix | 4 +- 2 files changed, 65 insertions(+), 36 deletions(-) diff --git a/pkgs/by-name/li/libimagequant/Cargo.lock b/pkgs/by-name/li/libimagequant/Cargo.lock index eaed4b693bfe0..989062e597b6f 100644 --- a/pkgs/by-name/li/libimagequant/Cargo.lock +++ b/pkgs/by-name/li/libimagequant/Cargo.lock @@ -4,9 +4,9 @@ version = 3 [[package]] name = "adler2" -version = "2.0.0" +version = "2.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627" +checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa" [[package]] name = "arrayvec" @@ -16,15 +16,15 @@ checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50" [[package]] name = "bitflags" -version = "2.8.0" +version = "2.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f68f53c83ab957f72c32642f3868eec03eb974d1fb82e453128456482613d36" +checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3" [[package]] name = "bytemuck" -version = "1.21.0" +version = "1.24.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ef657dfab802224e671f5818e9a4935f9b1957ed18e58292690cc39e7a4092a3" +checksum = "1fbdf580320f38b612e485521afda1ee26d10cc9884efaaa750d383e13e3c5f4" [[package]] name = "c_test" @@ -36,24 +36,25 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.10" +version = "1.2.46" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13208fcbb66eaeffe09b99fffbe1af420f00a7b35aa99ad683dfc1aa76145229" +checksum = "b97463e1064cb1b1c1384ad0a0b9c8abd0988e2a91f52606c80ef14aadb63e36" dependencies = [ + "find-msvc-tools", "shlex", ] [[package]] name = "cfg-if" -version = "1.0.0" +version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" +checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801" [[package]] name = "crc32fast" -version = "1.4.2" +version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a97769d94ddab943e4510d138150169a2758b5ef3eb191a9ee688de3e23ef7b3" +checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511" dependencies = [ "cfg-if", ] @@ -85,23 +86,30 @@ checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28" [[package]] name = "either" -version = "1.13.0" +version = "1.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0" +checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719" + +[[package]] +name = "find-msvc-tools" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3a3076410a55c90011c298b04d0cfa770b00fa04e1e3c97d3f6c9de105a03844" [[package]] name = "flate2" -version = "1.0.35" +version = "1.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c936bfdafb507ebbf50b8074c54fa31c5be9a1e7e5f467dd659697041407d07c" +checksum = "bfe33edd8e85a12a67454e37f8c75e730830d83e313556ab9ebf9ee7fbeb3bfb" dependencies = [ "crc32fast", + "libz-rs-sys", "miniz_oxide", ] [[package]] name = "imagequant" -version = "4.4.0" +version = "4.4.1" dependencies = [ "arrayvec", "lodepng", @@ -122,15 +130,24 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.169" +version = "0.2.177" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b5aba8db14291edd000dfcc4d620c7ebfb122c613afb886ca8803fa4e128a20a" +checksum = "2874a2af47a2325c2001a6e6fad9b16a53b802102b528163885171cf92b15976" + +[[package]] +name = "libz-rs-sys" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "840db8cf39d9ec4dd794376f38acc40d0fc65eec2a8f484f7fd375b84602becd" +dependencies = [ + "zlib-rs", +] [[package]] name = "lodepng" -version = "3.11.0" +version = "3.12.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7720115060cd38dcfe5c758525a43fd34dc615d0566374212ff0dc3b6151eac" +checksum = "77a32335d22e44238e2bb0b4d726964d18952ce1f1279ec3305305d2c61539eb" dependencies = [ "crc32fast", "flate2", @@ -140,24 +157,25 @@ dependencies = [ [[package]] name = "miniz_oxide" -version = "0.8.3" +version = "0.8.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b8402cab7aefae129c6977bb0ff1b8fd9a04eb5b51efc50a70bea51cda0c7924" +checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316" dependencies = [ "adler2", + "simd-adler32", ] [[package]] name = "once_cell" -version = "1.20.2" +version = "1.21.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775" +checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d" [[package]] name = "rayon" -version = "1.10.0" +version = "1.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b418a60154510ca1a002a752ca9714984e21e4241e804d32555251faf8b78ffa" +checksum = "368f01d005bf8fd9b1206fb6fa653e6c4a81ceb1466406b81792d87c5677a58f" dependencies = [ "either", "rayon-core", @@ -165,9 +183,9 @@ dependencies = [ [[package]] name = "rayon-core" -version = "1.12.1" +version = "1.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1465873a3dfdaa8ae7cb14b4383657caab0b3e8a0aa9ae8e04b044854c8dfce2" +checksum = "22e18b0f0062d30d4230b2e85ff77fdfe4326feb054b9783a3460d8435c8ab91" dependencies = [ "crossbeam-deque", "crossbeam-utils", @@ -175,9 +193,9 @@ dependencies = [ [[package]] name = "rgb" -version = "0.8.50" +version = "0.8.52" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "57397d16646700483b67d2dd6511d79318f9d057fdbd21a4066aeac8b41d310a" +checksum = "0c6a884d2998352bb4daf0183589aec883f16a6da1f4dde84d8e2e9a5409a1ce" dependencies = [ "bytemuck", ] @@ -188,12 +206,23 @@ version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" +[[package]] +name = "simd-adler32" +version = "0.3.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d66dc143e6b11c1eddc06d5c423cfc97062865baf299914ab64caa38182078fe" + [[package]] name = "thread_local" -version = "1.1.8" +version = "1.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8b9ef9bad013ada3808854ceac7b46812a6465ba368859a37e2100283d2d719c" +checksum = "f60246a4944f24f6e018aa17cdeffb7818b76356965d03b07d6a9886e8962185" dependencies = [ "cfg-if", - "once_cell", ] + +[[package]] +name = "zlib-rs" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2f06ae92f42f5e5c42443fd094f245eb656abf56dd7cce9b8b263236565e00f2" diff --git a/pkgs/by-name/li/libimagequant/package.nix b/pkgs/by-name/li/libimagequant/package.nix index 687e006e47b0c..dc45be56d77db 100644 --- a/pkgs/by-name/li/libimagequant/package.nix +++ b/pkgs/by-name/li/libimagequant/package.nix @@ -15,13 +15,13 @@ rustPlatform.buildRustPackage rec { pname = "libimagequant"; - version = "4.4.0"; + version = "4.4.1"; src = fetchFromGitHub { owner = "ImageOptim"; repo = "libimagequant"; rev = version; - hash = "sha256-c9j0wVwTWtNrPy9UUsc0Gxbe6lP82C3DMXe+k/ZBYEw="; + hash = "sha256-A7idjAAJ+syqIahyU+LPZBF+MLxVDymY+M3HM7d/qk0="; }; cargoLock = { From 6820e2319732ea933d6fb3876925c6a1585b41f6 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Mon, 24 Nov 2025 06:23:15 +0000 Subject: [PATCH 05/70] libdrm: 2.4.128 -> 2.4.129 Changes: https://lists.x.org/archives/xorg-announce/2025-November/003642.html (cherry picked from commit 92e4e51585225bf7d48d066d31b78cc4b54cfbd9) --- pkgs/by-name/li/libdrm/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libdrm/package.nix b/pkgs/by-name/li/libdrm/package.nix index f78ff46011f29..c6a4d9e11eb34 100644 --- a/pkgs/by-name/li/libdrm/package.nix +++ b/pkgs/by-name/li/libdrm/package.nix @@ -16,11 +16,11 @@ stdenv.mkDerivation rec { pname = "libdrm"; - version = "2.4.128"; + version = "2.4.129"; src = fetchurl { url = "https://dri.freedesktop.org/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-O7NduHAMKgtWnyxnKaU/VJV4aFazEIVMjeV3gqIr3aw="; + hash = "sha256-WXgYP5eNaX4mpQugZhdJZO+wq5fKoeyqG4Yfvl3fd9w="; }; outputs = [ From 99a697368892e5e48a39c2e0a1e2b9c7ac7a411c Mon Sep 17 00:00:00 2001 From: Benjamin Sparks Date: Tue, 18 Nov 2025 23:16:30 +0100 Subject: [PATCH 06/70] eb-garamond: disable ttfautohint's GUI (cherry picked from commit 68b124821aa9272e7c4f28f8909b26710eae593d) --- pkgs/by-name/eb/eb-garamond/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/eb/eb-garamond/package.nix b/pkgs/by-name/eb/eb-garamond/package.nix index e2417fd380b79..e839dbea17c57 100644 --- a/pkgs/by-name/eb/eb-garamond/package.nix +++ b/pkgs/by-name/eb/eb-garamond/package.nix @@ -3,7 +3,7 @@ stdenvNoCC, fetchFromGitHub, python3, - ttfautohint, + ttfautohint-nox, }: stdenvNoCC.mkDerivation rec { pname = "eb-garamond"; @@ -18,7 +18,7 @@ stdenvNoCC.mkDerivation rec { nativeBuildInputs = [ (python3.withPackages (p: [ p.fontforge ])) - ttfautohint + ttfautohint-nox ]; postPatch = '' From a0b56d1c084d9c8b8470140de9d19f0a9fc1ed46 Mon Sep 17 00:00:00 2001 From: Benjamin Sparks Date: Tue, 18 Nov 2025 22:45:49 +0100 Subject: [PATCH 07/70] eb-garamond: modernise `rec` -> `finalAttrs`, inlining `with lib` (cherry picked from commit 8151f333a612bf530849a42a2997893790657ed3) --- pkgs/by-name/eb/eb-garamond/package.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/pkgs/by-name/eb/eb-garamond/package.nix b/pkgs/by-name/eb/eb-garamond/package.nix index e839dbea17c57..c4e589d66acad 100644 --- a/pkgs/by-name/eb/eb-garamond/package.nix +++ b/pkgs/by-name/eb/eb-garamond/package.nix @@ -5,14 +5,14 @@ python3, ttfautohint-nox, }: -stdenvNoCC.mkDerivation rec { +stdenvNoCC.mkDerivation (finalAttrs: { pname = "eb-garamond"; version = "0.016"; src = fetchFromGitHub { owner = "georgd"; repo = "EB-Garamond"; - tag = "v${version}"; + tag = "v${finalAttrs.version}"; hash = "sha256-ajieKhTeH6yv2qiE2xqnHFoMS65//4ZKiccAlC2PXGQ="; }; @@ -42,15 +42,15 @@ stdenvNoCC.mkDerivation rec { runHook postInstall ''; - meta = with lib; { + meta = { homepage = "http://www.georgduffner.at/ebgaramond/"; description = "Digitization of the Garamond shown on the Egenolff-Berner specimen"; - maintainers = with maintainers; [ + maintainers = with lib.maintainers; [ bengsparks relrod rycee ]; - license = licenses.ofl; - platforms = platforms.all; + license = lib.licenses.ofl; + platforms = lib.platforms.all; }; -} +}) From a696d052b972313df90ff67fef01fe5964648b37 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 3 Dec 2025 00:25:03 +0100 Subject: [PATCH 08/70] python313: 3.13.9 -> 3.13.10 https://docs.python.org/release/3.13.10/whatsnew/changelog.html (cherry picked from commit 367dac5dcf1d92186be6a3d4d430be5a29194224) --- pkgs/development/interpreters/python/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix index 2bc80e5df1181..d347f2011bd75 100644 --- a/pkgs/development/interpreters/python/default.nix +++ b/pkgs/development/interpreters/python/default.nix @@ -20,10 +20,10 @@ sourceVersion = { major = "3"; minor = "13"; - patch = "9"; + patch = "10"; suffix = ""; }; - hash = "sha256-7V7zTNo2z6Lzo0DwfKx+eBT5HH88QR9tNWIyOoZsXGY="; + hash = "sha256-vGc8BDdaGj8ICMJ7qPBBGrgRrTkKh0AxjMucYPrY/Xc="; }; }; From 5b0ae94e0068935a69a5b591661b69bdb21a477f Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 3 Dec 2025 10:04:42 +0100 Subject: [PATCH 09/70] python314: 3.14.0 -> 3.14.1 https://docs.python.org/release/3.14.1/whatsnew/changelog.html (cherry picked from commit a2ccc79edb1f5fe378d3818ca25e3fe9e3c9791f) --- pkgs/development/interpreters/python/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix index d347f2011bd75..d8fdc04a097f7 100644 --- a/pkgs/development/interpreters/python/default.nix +++ b/pkgs/development/interpreters/python/default.nix @@ -91,10 +91,10 @@ sourceVersion = { major = "3"; minor = "14"; - patch = "0"; + patch = "1"; suffix = ""; }; - hash = "sha256-Ipna5ULTlc44g6ygDTyRAwfNaOCy9zNgmMjnt+7p8+k="; + hash = "sha256-jfoIsZWdnRWDihwtq3fcjY/0pVOh7QRt+svICVxtQvw="; inherit passthruFun; }; From 3da9b787fae493340e0d7c72efacecdf4366fb12 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Fri, 5 Dec 2025 02:40:35 +0100 Subject: [PATCH 10/70] cpython: fix gh-142218 on 3.13.10 and 3.14.1 Fixes split table dictionary crash regression. (cherry picked from commit ae4f7fd1e9478b043606132b87c22c13198eb037) --- .../python/cpython/3.13/gh-142218.patch | 66 ++++++++++++++++++ .../python/cpython/3.14/gh-142218.patch | 69 +++++++++++++++++++ .../interpreters/python/cpython/default.nix | 4 ++ 3 files changed, 139 insertions(+) create mode 100644 pkgs/development/interpreters/python/cpython/3.13/gh-142218.patch create mode 100644 pkgs/development/interpreters/python/cpython/3.14/gh-142218.patch diff --git a/pkgs/development/interpreters/python/cpython/3.13/gh-142218.patch b/pkgs/development/interpreters/python/cpython/3.13/gh-142218.patch new file mode 100644 index 0000000000000..2a8aaf9aeaa7b --- /dev/null +++ b/pkgs/development/interpreters/python/cpython/3.13/gh-142218.patch @@ -0,0 +1,66 @@ +From 1a75c0fb054db6910fc2b74c99911329b80e25b5 Mon Sep 17 00:00:00 2001 +From: Sam Gross +Date: Thu, 4 Dec 2025 02:46:24 -0500 +Subject: [PATCH] [3.13] gh-142218: Fix split table dictionary crash + (gh-142229) (gh-142245) + +This fixes a regression introduced in gh-140558. The interpreter would +crash if we inserted a non `str` key into a split table that matches an +existing key. +(cherry picked from commit 547d8daf780646e2800bec598ed32085817c8606) +--- + Lib/test/test_dict.py | 8 ++++++++ + .../2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst | 2 ++ + Objects/dictobject.c | 10 +++++++--- + 3 files changed, 17 insertions(+), 3 deletions(-) + create mode 100644 Misc/NEWS.d/next/Core and Builtins/2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst + +diff --git a/Lib/test/test_dict.py b/Lib/test/test_dict.py +index 5c3889550953dd..c7b6f64b53b42f 100644 +--- a/Lib/test/test_dict.py ++++ b/Lib/test/test_dict.py +@@ -1674,6 +1674,14 @@ def __eq__(self, other): + + self.assertEqual(len(d), 1) + ++ def test_split_table_update_with_str_subclass(self): ++ class MyStr(str): pass ++ class MyClass: pass ++ obj = MyClass() ++ obj.attr = 1 ++ obj.__dict__[MyStr('attr')] = 2 ++ self.assertEqual(obj.attr, 2) ++ + + class CAPITest(unittest.TestCase): + +diff --git a/Misc/NEWS.d/next/Core and Builtins/2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst b/Misc/NEWS.d/next/Core and Builtins/2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst +new file mode 100644 +index 00000000000000..a8ce0fc65267d5 +--- /dev/null ++++ b/Misc/NEWS.d/next/Core and Builtins/2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst +@@ -0,0 +1,2 @@ ++Fix crash when inserting into a split table dictionary with a non ++:class:`str` key that matches an existing key. +diff --git a/Objects/dictobject.c b/Objects/dictobject.c +index 4a88e08d1da52e..c987af31c45dd1 100644 +--- a/Objects/dictobject.c ++++ b/Objects/dictobject.c +@@ -1873,10 +1873,14 @@ insertdict(PyInterpreterState *interp, PyDictObject *mp, + uint64_t new_version = _PyDict_NotifyEvent( + interp, PyDict_EVENT_MODIFIED, mp, key, value); + assert(old_value != NULL); +- assert(!_PyDict_HasSplitTable(mp)); + if (DK_IS_UNICODE(mp->ma_keys)) { +- PyDictUnicodeEntry *ep = &DK_UNICODE_ENTRIES(mp->ma_keys)[ix]; +- STORE_VALUE(ep, value); ++ if (_PyDict_HasSplitTable(mp)) { ++ STORE_SPLIT_VALUE(mp, ix, value); ++ } ++ else { ++ PyDictUnicodeEntry *ep = &DK_UNICODE_ENTRIES(mp->ma_keys)[ix]; ++ STORE_VALUE(ep, value); ++ } + } + else { + PyDictKeyEntry *ep = &DK_ENTRIES(mp->ma_keys)[ix]; diff --git a/pkgs/development/interpreters/python/cpython/3.14/gh-142218.patch b/pkgs/development/interpreters/python/cpython/3.14/gh-142218.patch new file mode 100644 index 0000000000000..347ba638c1533 --- /dev/null +++ b/pkgs/development/interpreters/python/cpython/3.14/gh-142218.patch @@ -0,0 +1,69 @@ +From 319c6a2ae1ea033d5aea09a43acbc8d451764869 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Thu, 4 Dec 2025 01:03:18 +0100 +Subject: [PATCH] [3.14] gh-142218: Fix split table dictionary crash + (gh-142229) (gh-142244) + +This fixes a regression introduced in gh-140558. The interpreter would +crash if we inserted a non `str` key into a split table that matches an +existing key. +(cherry picked from commit 547d8daf780646e2800bec598ed32085817c8606) + +Co-authored-by: Sam Gross +--- + Lib/test/test_dict.py | 8 ++++++++ + .../2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst | 2 ++ + Objects/dictobject.c | 10 +++++++--- + 3 files changed, 17 insertions(+), 3 deletions(-) + create mode 100644 Misc/NEWS.d/next/Core_and_Builtins/2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst + +diff --git a/Lib/test/test_dict.py b/Lib/test/test_dict.py +index 2e6c2bbdf19409..665b3e843dd3a5 100644 +--- a/Lib/test/test_dict.py ++++ b/Lib/test/test_dict.py +@@ -1621,6 +1621,14 @@ def __eq__(self, other): + + self.assertEqual(len(d), 1) + ++ def test_split_table_update_with_str_subclass(self): ++ class MyStr(str): pass ++ class MyClass: pass ++ obj = MyClass() ++ obj.attr = 1 ++ obj.__dict__[MyStr('attr')] = 2 ++ self.assertEqual(obj.attr, 2) ++ + + class CAPITest(unittest.TestCase): + +diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst +new file mode 100644 +index 00000000000000..a8ce0fc65267d5 +--- /dev/null ++++ b/Misc/NEWS.d/next/Core_and_Builtins/2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst +@@ -0,0 +1,2 @@ ++Fix crash when inserting into a split table dictionary with a non ++:class:`str` key that matches an existing key. +diff --git a/Objects/dictobject.c b/Objects/dictobject.c +index 1b4640f9649569..0eb00410cf41eb 100644 +--- a/Objects/dictobject.c ++++ b/Objects/dictobject.c +@@ -1863,10 +1863,14 @@ insertdict(PyInterpreterState *interp, PyDictObject *mp, + if (old_value != value) { + _PyDict_NotifyEvent(interp, PyDict_EVENT_MODIFIED, mp, key, value); + assert(old_value != NULL); +- assert(!_PyDict_HasSplitTable(mp)); + if (DK_IS_UNICODE(mp->ma_keys)) { +- PyDictUnicodeEntry *ep = &DK_UNICODE_ENTRIES(mp->ma_keys)[ix]; +- STORE_VALUE(ep, value); ++ if (_PyDict_HasSplitTable(mp)) { ++ STORE_SPLIT_VALUE(mp, ix, value); ++ } ++ else { ++ PyDictUnicodeEntry *ep = &DK_UNICODE_ENTRIES(mp->ma_keys)[ix]; ++ STORE_VALUE(ep, value); ++ } + } + else { + PyDictKeyEntry *ep = &DK_ENTRIES(mp->ma_keys)[ix]; diff --git a/pkgs/development/interpreters/python/cpython/default.nix b/pkgs/development/interpreters/python/cpython/default.nix index 2c754ba43fc70..e7812913654b1 100644 --- a/pkgs/development/interpreters/python/cpython/default.nix +++ b/pkgs/development/interpreters/python/cpython/default.nix @@ -399,6 +399,10 @@ stdenv.mkDerivation (finalAttrs: { # backport fix for https://github.com/python/cpython/issues/95855 ./platform-triplet-detection.patch ] + ++ optionals (version == "3.13.10" || version == "3.14.1") [ + # https://github.com/python/cpython/issues/142218 + ./${lib.versions.majorMinor version}/gh-142218.patch + ] ++ optionals (stdenv.hostPlatform.isMinGW) ( let # https://src.fedoraproject.org/rpms/mingw-python3 From 9bc8c09feb96641e719278331f979f0951a55b3c Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Fri, 5 Dec 2025 13:23:01 +0100 Subject: [PATCH 11/70] cpython: fix gh-142214 on 3.14.1 Fixes two regressions in dataclasses. (cherry picked from commit 27dcfd3e044aea0bed1fe234a88ebf5d0efeadc6) --- .../python/cpython/3.14/gh-142214.patch | 114 ++++++++++++++++++ .../interpreters/python/cpython/default.nix | 4 + 2 files changed, 118 insertions(+) create mode 100644 pkgs/development/interpreters/python/cpython/3.14/gh-142214.patch diff --git a/pkgs/development/interpreters/python/cpython/3.14/gh-142214.patch b/pkgs/development/interpreters/python/cpython/3.14/gh-142214.patch new file mode 100644 index 0000000000000..d38eaee0c8bad --- /dev/null +++ b/pkgs/development/interpreters/python/cpython/3.14/gh-142214.patch @@ -0,0 +1,114 @@ +From 654e3c7435180d4aec8a2fcb16a16585cea7ab70 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Fri, 5 Dec 2025 09:08:15 +0100 +Subject: [PATCH] [3.14] gh-142214: Fix two regressions in dataclasses + (GH-142223) (#142277) + +gh-142214: Fix two regressions in dataclasses (GH-142223) +(cherry picked from commit 53ec7c8fc07eb6958869638a0cad70c52ad6fcf5) + +Co-authored-by: Jelle Zijlstra +--- + Lib/dataclasses.py | 14 +++++++--- + Lib/test/test_dataclasses/__init__.py | 28 +++++++++++++++++++ + ...-12-03-06-12-39.gh-issue-142214.appYNZ.rst | 12 ++++++++ + 3 files changed, 50 insertions(+), 4 deletions(-) + create mode 100644 Misc/NEWS.d/next/Library/2025-12-03-06-12-39.gh-issue-142214.appYNZ.rst + +diff --git a/Lib/dataclasses.py b/Lib/dataclasses.py +index fb7e1701cce0a4..c8dbb247745ab7 100644 +--- a/Lib/dataclasses.py ++++ b/Lib/dataclasses.py +@@ -550,7 +550,12 @@ def __annotate__(format, /): + + new_annotations = {} + for k in annotation_fields: +- new_annotations[k] = cls_annotations[k] ++ # gh-142214: The annotation may be missing in unusual dynamic cases. ++ # If so, just skip it. ++ try: ++ new_annotations[k] = cls_annotations[k] ++ except KeyError: ++ pass + + if return_type is not MISSING: + if format == Format.STRING: +@@ -1398,9 +1403,10 @@ def _add_slots(cls, is_frozen, weakref_slot, defined_fields): + f.type = ann + + # Fix the class reference in the __annotate__ method +- init_annotate = newcls.__init__.__annotate__ +- if getattr(init_annotate, "__generated_by_dataclasses__", False): +- _update_func_cell_for__class__(init_annotate, cls, newcls) ++ init = newcls.__init__ ++ if init_annotate := getattr(init, "__annotate__", None): ++ if getattr(init_annotate, "__generated_by_dataclasses__", False): ++ _update_func_cell_for__class__(init_annotate, cls, newcls) + + return newcls + +diff --git a/Lib/test/test_dataclasses/__init__.py b/Lib/test/test_dataclasses/__init__.py +index 513dd78c4381b4..3b335429b98500 100644 +--- a/Lib/test/test_dataclasses/__init__.py ++++ b/Lib/test/test_dataclasses/__init__.py +@@ -927,6 +927,20 @@ class C: + + validate_class(C) + ++ def test_incomplete_annotations(self): ++ # gh-142214 ++ @dataclass ++ class C: ++ "doc" # needed because otherwise we fetch the annotations at the wrong time ++ x: int ++ ++ C.__annotate__ = lambda _: {} ++ ++ self.assertEqual( ++ annotationlib.get_annotations(C.__init__), ++ {"return": None} ++ ) ++ + def test_missing_default(self): + # Test that MISSING works the same as a default not being + # specified. +@@ -2578,6 +2592,20 @@ def __init__(self, x: int) -> None: + + self.assertFalse(hasattr(E.__init__.__annotate__, "__generated_by_dataclasses__")) + ++ def test_slots_true_init_false(self): ++ # Test that slots=True and init=False work together and ++ # that __annotate__ is not added to __init__. ++ ++ @dataclass(slots=True, init=False) ++ class F: ++ x: int ++ ++ f = F() ++ f.x = 10 ++ self.assertEqual(f.x, 10) ++ ++ self.assertFalse(hasattr(F.__init__, "__annotate__")) ++ + def test_init_false_forwardref(self): + # Test forward references in fields not required for __init__ annotations. + +diff --git a/Misc/NEWS.d/next/Library/2025-12-03-06-12-39.gh-issue-142214.appYNZ.rst b/Misc/NEWS.d/next/Library/2025-12-03-06-12-39.gh-issue-142214.appYNZ.rst +new file mode 100644 +index 00000000000000..b87430ec1a3d65 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2025-12-03-06-12-39.gh-issue-142214.appYNZ.rst +@@ -0,0 +1,12 @@ ++Fix two regressions in :mod:`dataclasses` in Python 3.14.1 related to ++annotations. ++ ++* An exception is no longer raised if ``slots=True`` is used and the ++ ``__init__`` method does not have an ``__annotate__`` attribute ++ (likely because ``init=False`` was used). ++ ++* An exception is no longer raised if annotations are requested on the ++ ``__init__`` method and one of the fields is not present in the class ++ annotations. This can occur in certain dynamic scenarios. ++ ++Patch by Jelle Zijlstra. diff --git a/pkgs/development/interpreters/python/cpython/default.nix b/pkgs/development/interpreters/python/cpython/default.nix index e7812913654b1..3e8246250b5a9 100644 --- a/pkgs/development/interpreters/python/cpython/default.nix +++ b/pkgs/development/interpreters/python/cpython/default.nix @@ -403,6 +403,10 @@ stdenv.mkDerivation (finalAttrs: { # https://github.com/python/cpython/issues/142218 ./${lib.versions.majorMinor version}/gh-142218.patch ] + ++ optionals (version == "3.14.1") [ + # https://github.com/python/cpython/issues/142214 + ./3.14/gh-142214.patch + ] ++ optionals (stdenv.hostPlatform.isMinGW) ( let # https://src.fedoraproject.org/rpms/mingw-python3 From 0c72fb55a7396602e599d6821e64be96cb8aa660 Mon Sep 17 00:00:00 2001 From: Gavin John Date: Fri, 5 Dec 2025 14:47:39 -0800 Subject: [PATCH 12/70] Revert "libcosmicAppHook: use RUSTFLAGS instead of platform specific flags" This reverts commit d2c62217d3748a3ff8ac8d6c9281cb05f92ae641. This is no longer needed in staging due to the proper fix https://github.com/NixOS/nixpkgs/pull/464707 having been merged (cherry picked from commit ea27ed76400eaf70745dedbe0f22031425980bd9) --- pkgs/by-name/li/libcosmicAppHook/libcosmic-app-hook.sh | 6 +----- pkgs/by-name/li/libcosmicAppHook/package.nix | 5 +---- 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/pkgs/by-name/li/libcosmicAppHook/libcosmic-app-hook.sh b/pkgs/by-name/li/libcosmicAppHook/libcosmic-app-hook.sh index 7245d51495c05..e6a5231919564 100644 --- a/pkgs/by-name/li/libcosmicAppHook/libcosmic-app-hook.sh +++ b/pkgs/by-name/li/libcosmicAppHook/libcosmic-app-hook.sh @@ -15,11 +15,7 @@ libcosmicAppVergenHook() { libcosmicAppLinkerArgsHook() { # Force linking to certain libraries like libEGL, which are always dlopen()ed - # local flags="CARGO_TARGET_@cargoLinkerVar@_RUSTFLAGS" - - # Temporarily use this simpler solution, it should work for simple cross compilation - # https://github.com/NixOS/nixpkgs/issues/464392 - local flags="RUSTFLAGS" + local flags="CARGO_TARGET_@cargoLinkerVar@_RUSTFLAGS" export "$flags"="${!flags-} -C link-arg=-Wl,--push-state,--no-as-needed" # shellcheck disable=SC2043 diff --git a/pkgs/by-name/li/libcosmicAppHook/package.nix b/pkgs/by-name/li/libcosmicAppHook/package.nix index 150bfd6797623..f3042e13ac8ef 100644 --- a/pkgs/by-name/li/libcosmicAppHook/package.nix +++ b/pkgs/by-name/li/libcosmicAppHook/package.nix @@ -55,10 +55,7 @@ makeSetupHook { lib.makeSearchPath "share" ( lib.optionals includeSettings [ fallbackThemes ] ++ [ targetPackages.cosmic-icons ] ); - # Temporarily using RUSTFLAGS: https://github.com/NixOS/nixpkgs/issues/464392 - # See ./libcosmic-app-hook.sh - # cargoLinkerVar = targetPackages.stdenv.hostPlatform.rust.cargoEnvVarTarget; - + cargoLinkerVar = targetPackages.stdenv.hostPlatform.rust.cargoEnvVarTarget; # force linking for all libraries that may be dlopen'd by libcosmic/iced apps cargoLinkLibs = lib.escapeShellArgs ( [ From 88f82adb5b06d9e6fc3d5d77bfb196b2beb30b91 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Fri, 5 Dec 2025 23:55:33 +0100 Subject: [PATCH 13/70] python313: 3.13.10 -> 3.13.11 https://docs.python.org/release/3.13.11/whatsnew/changelog.html (cherry picked from commit c83a2227bb4c0f768595eaf43b08b848457fe2d0) --- pkgs/development/interpreters/python/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix index d8fdc04a097f7..e46ce4212f89a 100644 --- a/pkgs/development/interpreters/python/default.nix +++ b/pkgs/development/interpreters/python/default.nix @@ -20,10 +20,10 @@ sourceVersion = { major = "3"; minor = "13"; - patch = "10"; + patch = "11"; suffix = ""; }; - hash = "sha256-vGc8BDdaGj8ICMJ7qPBBGrgRrTkKh0AxjMucYPrY/Xc="; + hash = "sha256-Fu3nu3zb+oldEbBkL6DlI/KR5khxlNU89tOzOMOhfqI="; }; }; From 25d2c625bcd5fa3bef9e79b29c228cec4e5906c9 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Fri, 5 Dec 2025 23:58:59 +0100 Subject: [PATCH 14/70] python314: 3.14.1 -> 3.14.2 https://docs.python.org/release/3.14.2/whatsnew/changelog.html (cherry picked from commit 9dde8c194a5608ff938bb2bcb005e3c6f57e3431) --- pkgs/development/interpreters/python/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix index e46ce4212f89a..cd0c0a9ffadbd 100644 --- a/pkgs/development/interpreters/python/default.nix +++ b/pkgs/development/interpreters/python/default.nix @@ -91,10 +91,10 @@ sourceVersion = { major = "3"; minor = "14"; - patch = "1"; + patch = "2"; suffix = ""; }; - hash = "sha256-jfoIsZWdnRWDihwtq3fcjY/0pVOh7QRt+svICVxtQvw="; + hash = "sha256-zlQ6uFS8JWthtx6bJ/gx/9G/1gpHnWOfi+f5dXz1c+k="; inherit passthruFun; }; From fab0107268cb35241f4c0ae70d81c36b849d0fbe Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 6 Dec 2025 00:00:47 +0100 Subject: [PATCH 15/70] Revert "cpython: fix gh-142218 on 3.13.10 and 3.14.1" This reverts commit ae4f7fd1e9478b043606132b87c22c13198eb037. Fixed in 3.13.11 and 3.14.2 and as such obsoleted. (cherry picked from commit d7040cdaeea01c906d3fcb91489cd35b71abfaf8) --- .../python/cpython/3.13/gh-142218.patch | 66 ------------------ .../python/cpython/3.14/gh-142218.patch | 69 ------------------- .../interpreters/python/cpython/default.nix | 4 -- 3 files changed, 139 deletions(-) delete mode 100644 pkgs/development/interpreters/python/cpython/3.13/gh-142218.patch delete mode 100644 pkgs/development/interpreters/python/cpython/3.14/gh-142218.patch diff --git a/pkgs/development/interpreters/python/cpython/3.13/gh-142218.patch b/pkgs/development/interpreters/python/cpython/3.13/gh-142218.patch deleted file mode 100644 index 2a8aaf9aeaa7b..0000000000000 --- a/pkgs/development/interpreters/python/cpython/3.13/gh-142218.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 1a75c0fb054db6910fc2b74c99911329b80e25b5 Mon Sep 17 00:00:00 2001 -From: Sam Gross -Date: Thu, 4 Dec 2025 02:46:24 -0500 -Subject: [PATCH] [3.13] gh-142218: Fix split table dictionary crash - (gh-142229) (gh-142245) - -This fixes a regression introduced in gh-140558. The interpreter would -crash if we inserted a non `str` key into a split table that matches an -existing key. -(cherry picked from commit 547d8daf780646e2800bec598ed32085817c8606) ---- - Lib/test/test_dict.py | 8 ++++++++ - .../2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst | 2 ++ - Objects/dictobject.c | 10 +++++++--- - 3 files changed, 17 insertions(+), 3 deletions(-) - create mode 100644 Misc/NEWS.d/next/Core and Builtins/2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst - -diff --git a/Lib/test/test_dict.py b/Lib/test/test_dict.py -index 5c3889550953dd..c7b6f64b53b42f 100644 ---- a/Lib/test/test_dict.py -+++ b/Lib/test/test_dict.py -@@ -1674,6 +1674,14 @@ def __eq__(self, other): - - self.assertEqual(len(d), 1) - -+ def test_split_table_update_with_str_subclass(self): -+ class MyStr(str): pass -+ class MyClass: pass -+ obj = MyClass() -+ obj.attr = 1 -+ obj.__dict__[MyStr('attr')] = 2 -+ self.assertEqual(obj.attr, 2) -+ - - class CAPITest(unittest.TestCase): - -diff --git a/Misc/NEWS.d/next/Core and Builtins/2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst b/Misc/NEWS.d/next/Core and Builtins/2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst -new file mode 100644 -index 00000000000000..a8ce0fc65267d5 ---- /dev/null -+++ b/Misc/NEWS.d/next/Core and Builtins/2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst -@@ -0,0 +1,2 @@ -+Fix crash when inserting into a split table dictionary with a non -+:class:`str` key that matches an existing key. -diff --git a/Objects/dictobject.c b/Objects/dictobject.c -index 4a88e08d1da52e..c987af31c45dd1 100644 ---- a/Objects/dictobject.c -+++ b/Objects/dictobject.c -@@ -1873,10 +1873,14 @@ insertdict(PyInterpreterState *interp, PyDictObject *mp, - uint64_t new_version = _PyDict_NotifyEvent( - interp, PyDict_EVENT_MODIFIED, mp, key, value); - assert(old_value != NULL); -- assert(!_PyDict_HasSplitTable(mp)); - if (DK_IS_UNICODE(mp->ma_keys)) { -- PyDictUnicodeEntry *ep = &DK_UNICODE_ENTRIES(mp->ma_keys)[ix]; -- STORE_VALUE(ep, value); -+ if (_PyDict_HasSplitTable(mp)) { -+ STORE_SPLIT_VALUE(mp, ix, value); -+ } -+ else { -+ PyDictUnicodeEntry *ep = &DK_UNICODE_ENTRIES(mp->ma_keys)[ix]; -+ STORE_VALUE(ep, value); -+ } - } - else { - PyDictKeyEntry *ep = &DK_ENTRIES(mp->ma_keys)[ix]; diff --git a/pkgs/development/interpreters/python/cpython/3.14/gh-142218.patch b/pkgs/development/interpreters/python/cpython/3.14/gh-142218.patch deleted file mode 100644 index 347ba638c1533..0000000000000 --- a/pkgs/development/interpreters/python/cpython/3.14/gh-142218.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 319c6a2ae1ea033d5aea09a43acbc8d451764869 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Thu, 4 Dec 2025 01:03:18 +0100 -Subject: [PATCH] [3.14] gh-142218: Fix split table dictionary crash - (gh-142229) (gh-142244) - -This fixes a regression introduced in gh-140558. The interpreter would -crash if we inserted a non `str` key into a split table that matches an -existing key. -(cherry picked from commit 547d8daf780646e2800bec598ed32085817c8606) - -Co-authored-by: Sam Gross ---- - Lib/test/test_dict.py | 8 ++++++++ - .../2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst | 2 ++ - Objects/dictobject.c | 10 +++++++--- - 3 files changed, 17 insertions(+), 3 deletions(-) - create mode 100644 Misc/NEWS.d/next/Core_and_Builtins/2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst - -diff --git a/Lib/test/test_dict.py b/Lib/test/test_dict.py -index 2e6c2bbdf19409..665b3e843dd3a5 100644 ---- a/Lib/test/test_dict.py -+++ b/Lib/test/test_dict.py -@@ -1621,6 +1621,14 @@ def __eq__(self, other): - - self.assertEqual(len(d), 1) - -+ def test_split_table_update_with_str_subclass(self): -+ class MyStr(str): pass -+ class MyClass: pass -+ obj = MyClass() -+ obj.attr = 1 -+ obj.__dict__[MyStr('attr')] = 2 -+ self.assertEqual(obj.attr, 2) -+ - - class CAPITest(unittest.TestCase): - -diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst -new file mode 100644 -index 00000000000000..a8ce0fc65267d5 ---- /dev/null -+++ b/Misc/NEWS.d/next/Core_and_Builtins/2025-12-03-11-03-35.gh-issue-142218.44Fq_J.rst -@@ -0,0 +1,2 @@ -+Fix crash when inserting into a split table dictionary with a non -+:class:`str` key that matches an existing key. -diff --git a/Objects/dictobject.c b/Objects/dictobject.c -index 1b4640f9649569..0eb00410cf41eb 100644 ---- a/Objects/dictobject.c -+++ b/Objects/dictobject.c -@@ -1863,10 +1863,14 @@ insertdict(PyInterpreterState *interp, PyDictObject *mp, - if (old_value != value) { - _PyDict_NotifyEvent(interp, PyDict_EVENT_MODIFIED, mp, key, value); - assert(old_value != NULL); -- assert(!_PyDict_HasSplitTable(mp)); - if (DK_IS_UNICODE(mp->ma_keys)) { -- PyDictUnicodeEntry *ep = &DK_UNICODE_ENTRIES(mp->ma_keys)[ix]; -- STORE_VALUE(ep, value); -+ if (_PyDict_HasSplitTable(mp)) { -+ STORE_SPLIT_VALUE(mp, ix, value); -+ } -+ else { -+ PyDictUnicodeEntry *ep = &DK_UNICODE_ENTRIES(mp->ma_keys)[ix]; -+ STORE_VALUE(ep, value); -+ } - } - else { - PyDictKeyEntry *ep = &DK_ENTRIES(mp->ma_keys)[ix]; diff --git a/pkgs/development/interpreters/python/cpython/default.nix b/pkgs/development/interpreters/python/cpython/default.nix index 3e8246250b5a9..32a636d8a9ff2 100644 --- a/pkgs/development/interpreters/python/cpython/default.nix +++ b/pkgs/development/interpreters/python/cpython/default.nix @@ -399,10 +399,6 @@ stdenv.mkDerivation (finalAttrs: { # backport fix for https://github.com/python/cpython/issues/95855 ./platform-triplet-detection.patch ] - ++ optionals (version == "3.13.10" || version == "3.14.1") [ - # https://github.com/python/cpython/issues/142218 - ./${lib.versions.majorMinor version}/gh-142218.patch - ] ++ optionals (version == "3.14.1") [ # https://github.com/python/cpython/issues/142214 ./3.14/gh-142214.patch From 04d146865ccd6b6d38bd625daf5906be8490e4aa Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 6 Dec 2025 00:01:10 +0100 Subject: [PATCH 16/70] Revert "cpython: fix gh-142214 on 3.14.1" This reverts commit 27dcfd3e044aea0bed1fe234a88ebf5d0efeadc6. This was fixed in 3.14.2 and as such this patch application has become obsolete. (cherry picked from commit 7b9787935aeb9c5357aa37d1e8a5bb943e042cef) --- .../python/cpython/3.14/gh-142214.patch | 114 ------------------ .../interpreters/python/cpython/default.nix | 6 +- 2 files changed, 3 insertions(+), 117 deletions(-) delete mode 100644 pkgs/development/interpreters/python/cpython/3.14/gh-142214.patch diff --git a/pkgs/development/interpreters/python/cpython/3.14/gh-142214.patch b/pkgs/development/interpreters/python/cpython/3.14/gh-142214.patch deleted file mode 100644 index d38eaee0c8bad..0000000000000 --- a/pkgs/development/interpreters/python/cpython/3.14/gh-142214.patch +++ /dev/null @@ -1,114 +0,0 @@ -From 654e3c7435180d4aec8a2fcb16a16585cea7ab70 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Fri, 5 Dec 2025 09:08:15 +0100 -Subject: [PATCH] [3.14] gh-142214: Fix two regressions in dataclasses - (GH-142223) (#142277) - -gh-142214: Fix two regressions in dataclasses (GH-142223) -(cherry picked from commit 53ec7c8fc07eb6958869638a0cad70c52ad6fcf5) - -Co-authored-by: Jelle Zijlstra ---- - Lib/dataclasses.py | 14 +++++++--- - Lib/test/test_dataclasses/__init__.py | 28 +++++++++++++++++++ - ...-12-03-06-12-39.gh-issue-142214.appYNZ.rst | 12 ++++++++ - 3 files changed, 50 insertions(+), 4 deletions(-) - create mode 100644 Misc/NEWS.d/next/Library/2025-12-03-06-12-39.gh-issue-142214.appYNZ.rst - -diff --git a/Lib/dataclasses.py b/Lib/dataclasses.py -index fb7e1701cce0a4..c8dbb247745ab7 100644 ---- a/Lib/dataclasses.py -+++ b/Lib/dataclasses.py -@@ -550,7 +550,12 @@ def __annotate__(format, /): - - new_annotations = {} - for k in annotation_fields: -- new_annotations[k] = cls_annotations[k] -+ # gh-142214: The annotation may be missing in unusual dynamic cases. -+ # If so, just skip it. -+ try: -+ new_annotations[k] = cls_annotations[k] -+ except KeyError: -+ pass - - if return_type is not MISSING: - if format == Format.STRING: -@@ -1398,9 +1403,10 @@ def _add_slots(cls, is_frozen, weakref_slot, defined_fields): - f.type = ann - - # Fix the class reference in the __annotate__ method -- init_annotate = newcls.__init__.__annotate__ -- if getattr(init_annotate, "__generated_by_dataclasses__", False): -- _update_func_cell_for__class__(init_annotate, cls, newcls) -+ init = newcls.__init__ -+ if init_annotate := getattr(init, "__annotate__", None): -+ if getattr(init_annotate, "__generated_by_dataclasses__", False): -+ _update_func_cell_for__class__(init_annotate, cls, newcls) - - return newcls - -diff --git a/Lib/test/test_dataclasses/__init__.py b/Lib/test/test_dataclasses/__init__.py -index 513dd78c4381b4..3b335429b98500 100644 ---- a/Lib/test/test_dataclasses/__init__.py -+++ b/Lib/test/test_dataclasses/__init__.py -@@ -927,6 +927,20 @@ class C: - - validate_class(C) - -+ def test_incomplete_annotations(self): -+ # gh-142214 -+ @dataclass -+ class C: -+ "doc" # needed because otherwise we fetch the annotations at the wrong time -+ x: int -+ -+ C.__annotate__ = lambda _: {} -+ -+ self.assertEqual( -+ annotationlib.get_annotations(C.__init__), -+ {"return": None} -+ ) -+ - def test_missing_default(self): - # Test that MISSING works the same as a default not being - # specified. -@@ -2578,6 +2592,20 @@ def __init__(self, x: int) -> None: - - self.assertFalse(hasattr(E.__init__.__annotate__, "__generated_by_dataclasses__")) - -+ def test_slots_true_init_false(self): -+ # Test that slots=True and init=False work together and -+ # that __annotate__ is not added to __init__. -+ -+ @dataclass(slots=True, init=False) -+ class F: -+ x: int -+ -+ f = F() -+ f.x = 10 -+ self.assertEqual(f.x, 10) -+ -+ self.assertFalse(hasattr(F.__init__, "__annotate__")) -+ - def test_init_false_forwardref(self): - # Test forward references in fields not required for __init__ annotations. - -diff --git a/Misc/NEWS.d/next/Library/2025-12-03-06-12-39.gh-issue-142214.appYNZ.rst b/Misc/NEWS.d/next/Library/2025-12-03-06-12-39.gh-issue-142214.appYNZ.rst -new file mode 100644 -index 00000000000000..b87430ec1a3d65 ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2025-12-03-06-12-39.gh-issue-142214.appYNZ.rst -@@ -0,0 +1,12 @@ -+Fix two regressions in :mod:`dataclasses` in Python 3.14.1 related to -+annotations. -+ -+* An exception is no longer raised if ``slots=True`` is used and the -+ ``__init__`` method does not have an ``__annotate__`` attribute -+ (likely because ``init=False`` was used). -+ -+* An exception is no longer raised if annotations are requested on the -+ ``__init__`` method and one of the fields is not present in the class -+ annotations. This can occur in certain dynamic scenarios. -+ -+Patch by Jelle Zijlstra. diff --git a/pkgs/development/interpreters/python/cpython/default.nix b/pkgs/development/interpreters/python/cpython/default.nix index 32a636d8a9ff2..e7812913654b1 100644 --- a/pkgs/development/interpreters/python/cpython/default.nix +++ b/pkgs/development/interpreters/python/cpython/default.nix @@ -399,9 +399,9 @@ stdenv.mkDerivation (finalAttrs: { # backport fix for https://github.com/python/cpython/issues/95855 ./platform-triplet-detection.patch ] - ++ optionals (version == "3.14.1") [ - # https://github.com/python/cpython/issues/142214 - ./3.14/gh-142214.patch + ++ optionals (version == "3.13.10" || version == "3.14.1") [ + # https://github.com/python/cpython/issues/142218 + ./${lib.versions.majorMinor version}/gh-142218.patch ] ++ optionals (stdenv.hostPlatform.isMinGW) ( let From 7dd8be5146b429ab2009c684e7e25df426c8be92 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Sat, 6 Dec 2025 12:39:41 +0000 Subject: [PATCH 17/70] libxslt: 1.1.43 -> 1.1.45 (cherry picked from commit 42e60769abd8968950c000638c851229f40ba04a) --- pkgs/by-name/li/libxslt/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libxslt/package.nix b/pkgs/by-name/li/libxslt/package.nix index d31337777f262..e2a2e90656a06 100644 --- a/pkgs/by-name/li/libxslt/package.nix +++ b/pkgs/by-name/li/libxslt/package.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "libxslt"; - version = "1.1.43"; + version = "1.1.45"; outputs = [ "bin" @@ -31,7 +31,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "mirror://gnome/sources/libxslt/${lib.versions.majorMinor finalAttrs.version}/libxslt-${finalAttrs.version}.tar.xz"; - hash = "sha256-Wj1rODylr8I1sXERjpD1/2qifp/qMwMGUjGm1APwGDo="; + hash = "sha256-ms/mhBnE0GpFxVAyGzISdi2S9BRlBiyk6hnmMu5dIW4="; }; patches = [ From 65445a8abc68d60483160551e9d099ad5022a8fa Mon Sep 17 00:00:00 2001 From: Marcin Serwin Date: Wed, 3 Dec 2025 17:17:52 +0100 Subject: [PATCH 18/70] sdl3: 3.2.26 -> 3.2.28 Signed-off-by: Marcin Serwin (cherry picked from commit 95c583a64d975e9911f73c6b86810f547ee52974) --- pkgs/by-name/sd/sdl3/package.nix | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/pkgs/by-name/sd/sdl3/package.nix b/pkgs/by-name/sd/sdl3/package.nix index 0e5feb85776ad..48ef594995ad4 100644 --- a/pkgs/by-name/sd/sdl3/package.nix +++ b/pkgs/by-name/sd/sdl3/package.nix @@ -61,7 +61,7 @@ assert lib.assertMsg (ibusSupport -> dbusSupport) "SDL3 requires dbus support to stdenv.mkDerivation (finalAttrs: { pname = "sdl3"; - version = "3.2.26"; + version = "3.2.28"; outputs = [ "lib" @@ -74,18 +74,14 @@ stdenv.mkDerivation (finalAttrs: { owner = "libsdl-org"; repo = "SDL"; tag = "release-${finalAttrs.version}"; - hash = "sha256-edcub/zeho4mB3tItp+PSD5l+H6jUPm3seiBP6ppT0k="; + hash = "sha256-nfnvzog1bON2IaBOeWociV82lmRY+qXgdeXBe6GYlww="; }; postPatch = # Tests timeout on Darwin - # `testtray` loads assets from a relative path, which we are patching to be absolute lib.optionalString (finalAttrs.finalPackage.doCheck) '' substituteInPlace test/CMakeLists.txt \ --replace-fail 'set(noninteractive_timeout 10)' 'set(noninteractive_timeout 30)' - - substituteInPlace test/testtray.c \ - --replace-warn '../test/' '${placeholder "installedTests"}/share/assets/' '' + lib.optionalString waylandSupport '' substituteInPlace src/video/wayland/SDL_waylandmessagebox.c \ From fcf862f06be0d1ec1b3f245b6d2513c13facd34c Mon Sep 17 00:00:00 2001 From: Marcin Serwin Date: Wed, 3 Dec 2025 17:21:13 +0100 Subject: [PATCH 19/70] sdl2-compat: 2.32.58 -> 2.32.60 Signed-off-by: Marcin Serwin (cherry picked from commit 9081cd4c6df9c9b665057801f78442dab011c2c6) --- pkgs/by-name/sd/sdl2-compat/package.nix | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/pkgs/by-name/sd/sdl2-compat/package.nix b/pkgs/by-name/sd/sdl2-compat/package.nix index e16eb5927cec0..fde780a230426 100644 --- a/pkgs/by-name/sd/sdl2-compat/package.nix +++ b/pkgs/by-name/sd/sdl2-compat/package.nix @@ -2,7 +2,6 @@ cmake, lib, fetchFromGitHub, - fetchpatch2, ninja, sdl3, stdenv, @@ -31,13 +30,13 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "sdl2-compat"; - version = "2.32.58"; + version = "2.32.60"; src = fetchFromGitHub { owner = "libsdl-org"; repo = "sdl2-compat"; tag = "release-${finalAttrs.version}"; - hash = "sha256-Ngmr/KG5dQ1IDVafn2Jw/29hFCzPGKc9GOenT/4fsIM="; + hash = "sha256-8nhSyifEeYEZj9tqid1x67jhxqmrR61NwQ/g0Z8vbw8="; }; nativeBuildInputs = [ @@ -74,12 +73,6 @@ stdenv.mkDerivation (finalAttrs: { patches = [ ./find-headers.patch - - # https://github.com/libsdl-org/sdl2-compat/pull/545 - (fetchpatch2 { - url = "https://github.com/libsdl-org/sdl2-compat/commit/b799076c72c2492224e81544f58f92b737cccbd3.patch?full_index=1"; - hash = "sha256-fAc8yBlT+XFHDKcF4MFgBAz2WtXGmhYzNNrjaGSr+do="; - }) ]; setupHook = ./setup-hook.sh; From f7b93683d22342d507002b7de9dde73e12ba264d Mon Sep 17 00:00:00 2001 From: Marcin Serwin Date: Wed, 3 Dec 2025 17:22:26 +0100 Subject: [PATCH 20/70] python3Packages.pygame-ce: remove no longer needed patches Signed-off-by: Marcin Serwin (cherry picked from commit 3634e63bc2c87a1e155a188eecc4cd7e2bf20ce9) --- ...rmat-instead-of-creating-it-manually.patch | 151 ------------------ .../python-modules/pygame-ce/default.nix | 5 +- .../pygame-ce/skip-rle-tests.patch | 8 - 3 files changed, 1 insertion(+), 163 deletions(-) delete mode 100644 pkgs/development/python-modules/pygame-ce/0001-Use-SDL_AllocFormat-instead-of-creating-it-manually.patch diff --git a/pkgs/development/python-modules/pygame-ce/0001-Use-SDL_AllocFormat-instead-of-creating-it-manually.patch b/pkgs/development/python-modules/pygame-ce/0001-Use-SDL_AllocFormat-instead-of-creating-it-manually.patch deleted file mode 100644 index 1e1f407dbc193..0000000000000 --- a/pkgs/development/python-modules/pygame-ce/0001-Use-SDL_AllocFormat-instead-of-creating-it-manually.patch +++ /dev/null @@ -1,151 +0,0 @@ -From 3e3fbdc11ab00c4c04eb68c40b23979245c987fa Mon Sep 17 00:00:00 2001 -From: Marcin Serwin -Date: Sat, 8 Nov 2025 19:47:41 +0100 -Subject: [PATCH] Use SDL_AllocFormat instead of creating it manually - -According to the docs, `SDL_PixelFormat` is a read-only structure. -Creating it manually leaves out some important fields like `format` and -`next` pointer to be undefined. - -Signed-off-by: Marcin Serwin ---- - src_c/surface.c | 80 ++++++++++++++----------------------------------- - 1 file changed, 23 insertions(+), 57 deletions(-) - -diff --git a/src_c/surface.c b/src_c/surface.c -index f118a4db4..e51e80554 100644 ---- a/src_c/surface.c -+++ b/src_c/surface.c -@@ -1844,9 +1844,8 @@ surf_convert(pgSurfaceObject *self, PyObject *args) - */ - int bpp = 0; - SDL_Palette *palette = SDL_AllocPalette(default_palette_size); -- SDL_PixelFormat format; -+ Uint32 format_enum = 0; - -- memcpy(&format, surf->format, sizeof(format)); - if (pg_IntFromObj(argobject, &bpp)) { - Uint32 Rmask, Gmask, Bmask, Amask; - -@@ -1904,30 +1903,23 @@ surf_convert(pgSurfaceObject *self, PyObject *args) - "nonstandard bit depth given"); - } - } -- format.Rmask = Rmask; -- format.Gmask = Gmask; -- format.Bmask = Bmask; -- format.Amask = Amask; -+ format_enum = SDL_MasksToPixelFormatEnum(bpp, Rmask, Gmask, -+ Bmask, Amask); - } - else if (PySequence_Check(argobject) && - PySequence_Size(argobject) == 4) { -- Uint32 mask; -+ Uint32 Rmask, Gmask, Bmask, Amask; - -- if (!pg_UintFromObjIndex(argobject, 0, &format.Rmask) || -- !pg_UintFromObjIndex(argobject, 1, &format.Gmask) || -- !pg_UintFromObjIndex(argobject, 2, &format.Bmask) || -- !pg_UintFromObjIndex(argobject, 3, &format.Amask)) { -+ if (!pg_UintFromObjIndex(argobject, 0, &Rmask) || -+ !pg_UintFromObjIndex(argobject, 1, &Gmask) || -+ !pg_UintFromObjIndex(argobject, 2, &Bmask) || -+ !pg_UintFromObjIndex(argobject, 3, &Amask)) { - pgSurface_Unprep(self); - return RAISE(PyExc_ValueError, - "invalid color masks given"); - } -- mask = -- format.Rmask | format.Gmask | format.Bmask | format.Amask; -- for (bpp = 0; bpp < 32; ++bpp) { -- if (!(mask >> bpp)) { -- break; -- } -- } -+ format_enum = SDL_MasksToPixelFormatEnum(bpp, Rmask, Gmask, -+ Bmask, Amask); - } - else { - pgSurface_Unprep(self); -@@ -1935,22 +1927,11 @@ surf_convert(pgSurfaceObject *self, PyObject *args) - PyExc_ValueError, - "invalid argument specifying new format to convert to"); - } -- format.BitsPerPixel = (Uint8)bpp; -- format.BytesPerPixel = (bpp + 7) / 8; -- if (PG_FORMAT_BitsPerPixel((&format)) > 8) { -- /* Allow a 8 bit source surface with an empty palette to be -- * converted to a format without a palette (pygame-ce issue -- * #146). If the target format has a non-NULL palette pointer -- * then SDL_ConvertSurface checks that the palette is not -- * empty-- that at least one entry is not black. -- */ -- format.palette = NULL; -- } -- if (SDL_ISPIXELFORMAT_INDEXED(SDL_MasksToPixelFormatEnum( -- PG_FORMAT_BitsPerPixel((&format)), format.Rmask, -- format.Gmask, format.Bmask, format.Amask))) { -+ SDL_PixelFormat *format = SDL_AllocFormat(format_enum); -+ -+ if (SDL_ISPIXELFORMAT_INDEXED(format_enum)) { - if (SDL_ISPIXELFORMAT_INDEXED(PG_SURF_FORMATENUM(surf))) { -- SDL_SetPixelFormatPalette(&format, surf->format->palette); -+ SDL_SetPixelFormatPalette(format, surf->format->palette); - } - else { - /* Give the surface something other than an all white -@@ -1958,12 +1939,13 @@ surf_convert(pgSurfaceObject *self, PyObject *args) - */ - SDL_SetPaletteColors(palette, default_palette_colors, 0, - default_palette_size); -- SDL_SetPixelFormatPalette(&format, palette); -+ SDL_SetPixelFormatPalette(format, palette); - } - } -- newsurf = PG_ConvertSurface(surf, &format); -+ newsurf = PG_ConvertSurface(surf, format); - SDL_SetSurfaceBlendMode(newsurf, SDL_BLENDMODE_NONE); - SDL_FreePalette(palette); -+ SDL_FreeFormat(format); - } - } - else { -@@ -4540,29 +4522,13 @@ pgSurface_Blit(pgSurfaceObject *dstobj, pgSurfaceObject *srcobj, - } - else { - SDL_PixelFormat *fmt = src->format; -- SDL_PixelFormat newfmt; -+ SDL_PixelFormat *newfmt = -+ SDL_AllocFormat(SDL_MasksToPixelFormatEnum( -+ fmt->BitsPerPixel, fmt->Rmask, fmt->Gmask, fmt->Bmask, 0)); - -- newfmt.palette = 0; /* Set NULL (or SDL gets confused) */ --#if SDL_VERSION_ATLEAST(3, 0, 0) -- newfmt.bits_per_pixel = fmt->bits_per_pixel; -- newfmt.bytes_per_pixel = fmt->bytes_per_pixel; --#else -- newfmt.BitsPerPixel = fmt->BitsPerPixel; -- newfmt.BytesPerPixel = fmt->BytesPerPixel; --#endif -- newfmt.Amask = 0; -- newfmt.Rmask = fmt->Rmask; -- newfmt.Gmask = fmt->Gmask; -- newfmt.Bmask = fmt->Bmask; -- newfmt.Ashift = 0; -- newfmt.Rshift = fmt->Rshift; -- newfmt.Gshift = fmt->Gshift; -- newfmt.Bshift = fmt->Bshift; -- newfmt.Aloss = 0; -- newfmt.Rloss = fmt->Rloss; -- newfmt.Gloss = fmt->Gloss; -- newfmt.Bloss = fmt->Bloss; -- src = PG_ConvertSurface(src, &newfmt); -+ src = PG_ConvertSurface(src, newfmt); -+ -+ SDL_FreeFormat(newfmt); - if (src) { - #if SDL_VERSION_ATLEAST(3, 0, 0) - result = SDL_BlitSurface(src, srcrect, dst, dstrect) ? 0 : -1; --- -2.51.0 - diff --git a/pkgs/development/python-modules/pygame-ce/default.nix b/pkgs/development/python-modules/pygame-ce/default.nix index 1f132ab7fab0c..ed120e12e7613 100644 --- a/pkgs/development/python-modules/pygame-ce/default.nix +++ b/pkgs/development/python-modules/pygame-ce/default.nix @@ -62,11 +62,8 @@ buildPythonPackage rec { ); }) - # Can be removed with the next SDL3 bump. + # Can be removed after the SDL 3.4.0 bump. ./skip-rle-tests.patch - - # https://github.com/pygame-community/pygame-ce/pull/3639 - ./0001-Use-SDL_AllocFormat-instead-of-creating-it-manually.patch ]; postPatch = '' diff --git a/pkgs/development/python-modules/pygame-ce/skip-rle-tests.patch b/pkgs/development/python-modules/pygame-ce/skip-rle-tests.patch index f7ecc1ccb3305..6b488f0c880a0 100644 --- a/pkgs/development/python-modules/pygame-ce/skip-rle-tests.patch +++ b/pkgs/development/python-modules/pygame-ce/skip-rle-tests.patch @@ -2,14 +2,6 @@ diff --git a/test/surface_test.py b/test/surface_test.py index c2c91f4f5..58d916de8 100644 --- a/test/surface_test.py +++ b/test/surface_test.py -@@ -404,6 +404,7 @@ class SurfaceTypeTest(unittest.TestCase): - finally: - pygame.display.quit() - -+ @unittest.skipIf(True, "https://github.com/libsdl-org/SDL/pull/14429") - def test_solarwolf_rle_usage_2(self): - """Test for RLE status after setting alpha""" - @@ -435,6 +436,7 @@ class SurfaceTypeTest(unittest.TestCase): finally: pygame.display.quit() From 5d2978f0547c7b42ee0e4f915f8127c440387a74 Mon Sep 17 00:00:00 2001 From: Arnout Engelen Date: Fri, 5 Dec 2025 09:10:33 +0100 Subject: [PATCH 21/70] elfutils: patch for run-sysroot test (cherry picked from commit 0ca2e4c851bbe491b16ffeddeca738f2ef251635) --- pkgs/by-name/el/elfutils/package.nix | 2 + .../test-run-sysroot-reliability.patch | 44 +++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 pkgs/by-name/el/elfutils/test-run-sysroot-reliability.patch diff --git a/pkgs/by-name/el/elfutils/package.nix b/pkgs/by-name/el/elfutils/package.nix index db1c0b053bd00..7bdfdfedd5c30 100644 --- a/pkgs/by-name/el/elfutils/package.nix +++ b/pkgs/by-name/el/elfutils/package.nix @@ -57,6 +57,8 @@ stdenv.mkDerivation rec { url = "https://git.alpinelinux.org/aports/plain/main/elfutils/musl-strndupa.patch?id=2e3d4976eeffb4704cf83e2cc3306293b7c7b2e9"; sha256 = "sha256-7daehJj1t0wPtQzTv+/Rpuqqs5Ng/EYnZzrcf2o/Lb0="; }) + # https://patchwork.sourceware.org/project/elfutils/patch/20251205145241.1165646-1-arnout@bzzt.net/ + ./test-run-sysroot-reliability.patch ] ++ lib.optionals stdenv.hostPlatform.isMusl [ ./musl-error_h.patch ]; diff --git a/pkgs/by-name/el/elfutils/test-run-sysroot-reliability.patch b/pkgs/by-name/el/elfutils/test-run-sysroot-reliability.patch new file mode 100644 index 0000000000000..6e5b5890a7583 --- /dev/null +++ b/pkgs/by-name/el/elfutils/test-run-sysroot-reliability.patch @@ -0,0 +1,44 @@ +commit 898804bed022d1ef26e5c0b12550f87fc86f29ed +Author: Arnout Engelen +Date: Thu Dec 4 21:42:40 2025 +0100 + + tests: improve reliability of run-sysroot.sh + + Previously, the 'second' test would test the `RESOLVE_IN_ROOT` feature + when the current libc supports it, even when the currently running + kernel did not yet support it. + + Signed-off-by: Arnout Engelen + +diff --git a/tests/run-sysroot.sh b/tests/run-sysroot.sh +index fe302446..d2041e8a 100755 +--- a/tests/run-sysroot.sh ++++ b/tests/run-sysroot.sh +@@ -46,10 +46,14 @@ TID 431185: + #8 0x0000aaaae56127f0 _start + EOF + +-HAVE_OPENAT2=$(grep '^#define HAVE_OPENAT2_RESOLVE_IN_ROOT' \ +- ${abs_builddir}/../config.h | awk '{print $3}') ++libc_has_openat2_resolve_in_root() { ++ grep '^#define HAVE_OPENAT2_RESOLVE_IN_ROOT' ${abs_builddir}/../config.h | awk '{print $3}' ++} ++kernel_has_openat2_resolve_in_root() { ++ printf "%s\n%s" "5.6.0" "$(uname -r)" | sort -V -C ++} + +-if [[ "$HAVE_OPENAT2" = 1 ]]; then ++if libc_has_openat2_resolve_in_root && kernel_has_openat2_resolve_in_root; then + # Change the layout of files in sysroot to test symlink escape scenario + rm -f "${tmpdir}/sysroot/bin" + mkdir "${tmpdir}/sysroot/bin" +@@ -57,7 +61,8 @@ if [[ "$HAVE_OPENAT2" = 1 ]]; then + ln -s /bin/bash "${tmpdir}/sysroot/usr/bin/bash" + + # Check that stack with --sysroot generates correct backtrace even if target +- # binary is actually absolute symlink pointing outside of sysroot directory ++ # binary is actually absolute symlink to be interpreted relative to the sysroot ++ # directory + testrun "${abs_top_builddir}"/src/stack --core "${tmpdir}/core.bash" \ + --sysroot "${tmpdir}/sysroot" >"${tmpdir}/stack.out" + From 1a6c3f9db201020f61800025f0f03bac812063cf Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 6 Dec 2025 20:11:53 +0100 Subject: [PATCH 22/70] cups: 2.4.15 -> 2.4.16 https://github.com/OpenPrinting/cups/releases/tag/v2.4.16 https://github.com/OpenPrinting/cups/compare/v2.4.15...v2.4.16 (cherry picked from commit 62224ff690371cd7a005290021ec41abb56bd7d8) --- pkgs/by-name/cu/cups/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/cu/cups/package.nix b/pkgs/by-name/cu/cups/package.nix index 3470fc8a334f6..ac5e47a0a53e3 100644 --- a/pkgs/by-name/cu/cups/package.nix +++ b/pkgs/by-name/cu/cups/package.nix @@ -25,11 +25,11 @@ stdenv.mkDerivation rec { pname = "cups"; - version = "2.4.15"; + version = "2.4.16"; src = fetchurl { url = "https://github.com/OpenPrinting/cups/releases/download/v${version}/cups-${version}-source.tar.gz"; - hash = "sha256-7/C71I/xq8u45G4o6Frvr/o5Gh2cTY3JKrOCKhMAjX8="; + hash = "sha256-AzlYcgS0+UKN0FkuswHewL+epuqNzl2WkNVr5YWrqS0="; }; outputs = [ From a2fe4cc75b6b0d9e4b6e3714b8f68473b9b55c51 Mon Sep 17 00:00:00 2001 From: Samuel Dionne-Riel Date: Fri, 5 Dec 2025 07:14:26 -0500 Subject: [PATCH 23/70] libarchive: 3.8.2 -> 3.8.4 Version 3.8.3 lists 3 security fixes. No known CVEs. Changes: https://github.com/libarchive/libarchive/releases/tag/v3.8.3 Changes: https://github.com/libarchive/libarchive/releases/tag/v3.8.4 (cherry picked from commit 0f0117f43842017a15f4b1dd38485f243832aaf7) --- pkgs/by-name/li/libarchive/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libarchive/package.nix b/pkgs/by-name/li/libarchive/package.nix index f0bfd5355b44f..15c8ade4fa4b1 100644 --- a/pkgs/by-name/li/libarchive/package.nix +++ b/pkgs/by-name/li/libarchive/package.nix @@ -31,13 +31,13 @@ assert xarSupport -> libxml2 != null; stdenv.mkDerivation (finalAttrs: { pname = "libarchive"; - version = "3.8.2"; + version = "3.8.4"; src = fetchFromGitHub { owner = "libarchive"; repo = "libarchive"; rev = "v${finalAttrs.version}"; - hash = "sha256-s7duwuNFyYq8obTS3qc6JewJ9f8LJhItlEx8wxnMgwk="; + hash = "sha256-qNz7BAvi3dTNg6Bz2cfqaYGKFJlM4C+y/GARsQRRYsY="; }; outputs = [ From 8f342565c9ccab149f71689a6f96391eb0da0003 Mon Sep 17 00:00:00 2001 From: Ben Siraphob Date: Thu, 13 Nov 2025 23:59:30 -0800 Subject: [PATCH 24/70] gcc15: fix build on aarch64-darwin This fixes the GCC 15.2.0 build on aarch64-darwin by addressing two issues in the libgcc build process: 1. Update libgcc-darwin-detection.patch: - Catch arm64-apple-darwin (which lacks a version number) - Add t-darwin-libgccs1 to enable libgcc_s.1.dylib compatibility build 2. Added libgcc-darwin-fix-reexport.patch: - Remove reexport of darwin-unwind.ver symbols in libgcc_s.1.dylib - These symbols (___register_frame_info, etc.) don't exist in libgcc on modern macOS as they come from libSystem The original build failed with: Undefined symbols for architecture arm64: "___deregister_frame_info", referenced from: -reexported_symbols_list command line option ... This occurred because darwin-unwind.ver lists unwinder symbols that are excluded from libgcc (via libgcc-libsystem.ver) on macOS 11+ where they are provided by the system's libSystem. (cherry picked from commit 385a5e291736a41841967bd3b0662e8c2c997794) --- .../gcc/patches/15/libgcc-darwin-detection.patch | 5 +++-- .../gcc/patches/15/libgcc-darwin-fix-reexport.patch | 11 +++++++++++ pkgs/development/compilers/gcc/patches/default.nix | 13 +++++++------ 3 files changed, 21 insertions(+), 8 deletions(-) create mode 100644 pkgs/development/compilers/gcc/patches/15/libgcc-darwin-fix-reexport.patch diff --git a/pkgs/development/compilers/gcc/patches/15/libgcc-darwin-detection.patch b/pkgs/development/compilers/gcc/patches/15/libgcc-darwin-detection.patch index 810d8e6f69a12..41e1c4c89869d 100644 --- a/pkgs/development/compilers/gcc/patches/15/libgcc-darwin-detection.patch +++ b/pkgs/development/compilers/gcc/patches/15/libgcc-darwin-detection.patch @@ -1,11 +1,12 @@ --- a/libgcc/config.host +++ b/libgcc/config.host -@@ -239,7 +239,7 @@ case ${host} in +@@ -239,8 +239,8 @@ case ${host} in x86_64-*-darwin2[0-2]*) tmake_file="t-darwin-min-11 t-darwin-libgccs1 $tmake_file" ;; - *-*-darwin2*) +- tmake_file="t-darwin-min-11 $tmake_file" + *-*-darwin2* | *-*-darwin) - tmake_file="t-darwin-min-11 $tmake_file" ++ tmake_file="t-darwin-min-11 t-darwin-libgccs1 $tmake_file" ;; *-*-darwin1[89]*) diff --git a/pkgs/development/compilers/gcc/patches/15/libgcc-darwin-fix-reexport.patch b/pkgs/development/compilers/gcc/patches/15/libgcc-darwin-fix-reexport.patch new file mode 100644 index 0000000000000..dbb790e1eec3a --- /dev/null +++ b/pkgs/development/compilers/gcc/patches/15/libgcc-darwin-fix-reexport.patch @@ -0,0 +1,11 @@ +--- a/libgcc/config/t-slibgcc-darwin ++++ b/libgcc/config/t-slibgcc-darwin +@@ -139,8 +139,7 @@ libgcc_s.1.dylib: all-multi libgcc_s.$(SHLIB_SOVERSION)$(SHLIB_EXT) + $(CC) -arch $${arch} -nodefaultlibs -dynamiclib -nodefaultrpaths \ + -o libgcc_s.1$(SHLIB_EXT)_T_$${mlib} \ + -Wl,-reexport_library,libgcc_s.$(SHLIB_SOVERSION)$(SHLIB_EXT)_T_$${mlib} \ + -lSystem \ +- -Wl,-reexported_symbols_list,$(srcdir)/config/darwin-unwind.ver \ + -install_name $(SHLIB_RPATH)/libgcc_s.1.dylib \ + -compatibility_version 1 -current_version 1.1 ; \ + done diff --git a/pkgs/development/compilers/gcc/patches/default.nix b/pkgs/development/compilers/gcc/patches/default.nix index 93a1d4eb5cf35..0f7db57689e1b 100644 --- a/pkgs/development/compilers/gcc/patches/default.nix +++ b/pkgs/development/compilers/gcc/patches/default.nix @@ -160,13 +160,14 @@ optionals noSysDirs ( ## Darwin -# Fixes detection of Darwin on x86_64-darwin. Otherwise, GCC uses a deployment target of 10.5, which crashes ld64. -++ optional ( - is14 && stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isx86_64 -) ../patches/14/libgcc-darwin-detection.patch +# Fixes detection of Darwin on x86_64-darwin and aarch64-darwin. Otherwise, GCC uses a deployment target of 10.5, which crashes ld64. +++ optional (is14 && stdenv.hostPlatform.isDarwin) ../patches/14/libgcc-darwin-detection.patch +++ optional (atLeast15 && stdenv.hostPlatform.isDarwin) ../patches/15/libgcc-darwin-detection.patch + +# Fix libgcc_s.1.dylib build on Darwin 11+ by not reexporting unwind symbols that don't exist ++ optional ( - atLeast15 && stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isx86_64 -) ../patches/15/libgcc-darwin-detection.patch + atLeast15 && stdenv.hostPlatform.isDarwin +) ../patches/15/libgcc-darwin-fix-reexport.patch # Fix detection of bootstrap compiler Ada support (cctools as) on Nix Darwin ++ optional (stdenv.hostPlatform.isDarwin && langAda) ./ada-cctools-as-detection-configure.patch From 15475177b1d8d800b6d555874edfb0f0e78383e0 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Mon, 1 Dec 2025 23:20:07 +0000 Subject: [PATCH 25/70] re2c: 4.3 -> 4.3.1 Changes: https://re2c.org/releases/release_notes.html#release-4-3-1 (cherry picked from commit ccc5782d29bde168b4abecffcfcc6f66a6423b32) --- pkgs/by-name/re/re2c/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/re/re2c/package.nix b/pkgs/by-name/re/re2c/package.nix index e9d5c449ddd93..a93d10107db17 100644 --- a/pkgs/by-name/re/re2c/package.nix +++ b/pkgs/by-name/re/re2c/package.nix @@ -14,13 +14,13 @@ stdenv.mkDerivation rec { pname = "re2c"; - version = "4.3"; + version = "4.3.1"; src = fetchFromGitHub { owner = "skvadrik"; repo = "re2c"; rev = version; - hash = "sha256-zPOENMfXXgTwds1t+Lrmz9+GTHJf2yRpQsGT7nLRvcg="; + hash = "sha256-ihtAB6HLgYhX+FKPFy01RByy/M468YrHv2v5wB9bJws="; }; nativeBuildInputs = [ From 40bd4fdc290479317bc596632c503eeba02c5fdc Mon Sep 17 00:00:00 2001 From: Timothy Klim Date: Sat, 8 Nov 2025 13:57:10 +0700 Subject: [PATCH 26/70] llvmPackages_21: 21.1.2 -> 21.1.7 (cherry picked from commit 80757542e46207b8b51e2522526e8c1aea4f626a) --- pkgs/development/compilers/llvm/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/compilers/llvm/default.nix b/pkgs/development/compilers/llvm/default.nix index 15c1126cb496d..a1c803d9a72ef 100644 --- a/pkgs/development/compilers/llvm/default.nix +++ b/pkgs/development/compilers/llvm/default.nix @@ -25,7 +25,7 @@ let "18.1.8".officialRelease.sha256 = "sha256-iiZKMRo/WxJaBXct9GdAcAT3cz9d9pnAcO1mmR6oPNE="; "19.1.7".officialRelease.sha256 = "sha256-cZAB5vZjeTsXt9QHbP5xluWNQnAHByHtHnAhVDV0E6I="; "20.1.8".officialRelease.sha256 = "sha256-ysyB/EYxi2qE9fD5x/F2zI4vjn8UDoo1Z9ukiIrjFGw="; - "21.1.2".officialRelease.sha256 = "sha256-SgZdBL0ivfv6/4EqmPQ+I57qT2t6i/rqnm20+T1BsFY="; + "21.1.7".officialRelease.sha256 = "sha256-SaRJ7+iZMhhBdcUDuJpMAY4REQVhrvYMqI2aq3Kz08o="; "22.0.0-git".gitRelease = { rev = "25c2cc4b98092e8dccc8ff46162bea65e9a63bbc"; rev-version = "22.0.0-unstable-2025-11-23"; From 799d4bcef037efd1a50eaf283a8f96f47e4949e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Mon, 8 Dec 2025 19:11:47 -0800 Subject: [PATCH 27/70] imagemagick: 7.1.2-9 -> 7.1.2-10 Diff: https://github.com/ImageMagick/ImageMagick/compare/7.1.2-9...7.1.2-10 Changelog: https://github.com/ImageMagick/Website/blob/main/ChangeLog.md (cherry picked from commit d09a90b701c1a05ea3e590648e50cfe58bfe95f5) --- pkgs/applications/graphics/ImageMagick/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/graphics/ImageMagick/default.nix b/pkgs/applications/graphics/ImageMagick/default.nix index 8d983f5602a6e..99d4951ffa3be 100644 --- a/pkgs/applications/graphics/ImageMagick/default.nix +++ b/pkgs/applications/graphics/ImageMagick/default.nix @@ -85,13 +85,13 @@ in stdenv.mkDerivation (finalAttrs: { pname = "imagemagick"; - version = "7.1.2-9"; + version = "7.1.2-10"; src = fetchFromGitHub { owner = "ImageMagick"; repo = "ImageMagick"; tag = finalAttrs.version; - hash = "sha256-bXVVnjJhtmcbczZI9rsy2JQ3p2oYX5g5vp3YdsQkdrE="; + hash = "sha256-96lhd0B4yV2s/zVazKrqAcDZvn+yIiXxp8fqyKSfxLc="; }; outputs = [ From 9b2c8bd859d6565308cda0c80e31ea03bc931090 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Thu, 11 Dec 2025 18:13:43 +0100 Subject: [PATCH 28/70] haskellPackages.http2-tls: fix eval This broke via staging merge. (cherry picked from commit ee0923ac764941d89e4787a1d5339eaedab00008) --- pkgs/development/haskell-modules/configuration-common.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 370531e1ae693..218bebf7276a4 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -3020,7 +3020,7 @@ with haskellLib; http2-tls = lib.warnIf (lib.versionAtLeast self.tls.version "2.1.10") "haskellPackages.http2-tls: tls override can be removed" - (super.http2-tls.override { tls = self.tls_2_1_12; }); + (super.http2-tls.override { tls = self.tls_2_1_13; }); # Relax http2 version bound (5.3.9 -> 5.3.10) # https://github.com/well-typed/grapesy/issues/297 From d0f16e1f2ad4ebc1ecdcbb79285c95dc9006c779 Mon Sep 17 00:00:00 2001 From: Bobby Rong Date: Sat, 13 Dec 2025 10:14:49 +0800 Subject: [PATCH 29/70] =?UTF-8?q?glib:=202.86.2=20=E2=86=92=202.86.3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://gitlab.gnome.org/GNOME/glib/-/compare/2.86.2...2.86.3 CVE-2025-13601: https://gitlab.gnome.org/GNOME/glib/-/issues/3827 CVE-2025-14087: https://gitlab.gnome.org/GNOME/glib/-/issues/3834 CVE-2025-14512: https://gitlab.gnome.org/GNOME/glib/-/issues/3845 (cherry picked from commit aa380949308c50ed44a03073a674e189c6941af0) --- pkgs/by-name/gl/glib/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/gl/glib/package.nix b/pkgs/by-name/gl/glib/package.nix index fc5a310949577..887d6617d8ef8 100644 --- a/pkgs/by-name/gl/glib/package.nix +++ b/pkgs/by-name/gl/glib/package.nix @@ -74,7 +74,7 @@ in stdenv.mkDerivation (finalAttrs: { pname = "glib"; - version = "2.86.2"; + version = "2.86.3"; outputs = [ "bin" @@ -87,7 +87,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "mirror://gnome/sources/glib/${lib.versions.majorMinor finalAttrs.version}/glib-${finalAttrs.version}.tar.xz"; - hash = "sha256-inJOlwhVNX6oEB4ncnICOSoP/VQQqYM2rtVOxZET5hE="; + hash = "sha256-syEdjTS5313KBXh+8K1dfKdd7JmLlw4aqwAB0imXfGU="; }; patches = From 280547f78bf498241f517d85fb566914a5eb61ee Mon Sep 17 00:00:00 2001 From: Daudi Wampamba Date: Sat, 13 Dec 2025 16:30:34 +0000 Subject: [PATCH 30/70] folly: inline patch due errors fetching from AUR (cherry picked from commit d968f1be326bac4374c0e553958ba6511731ea3e) --- pkgs/by-name/fo/folly/folly-fix-glog-0.7.patch | 18 ++++++++++++++++++ pkgs/by-name/fo/folly/package.nix | 7 +------ 2 files changed, 19 insertions(+), 6 deletions(-) create mode 100644 pkgs/by-name/fo/folly/folly-fix-glog-0.7.patch diff --git a/pkgs/by-name/fo/folly/folly-fix-glog-0.7.patch b/pkgs/by-name/fo/folly/folly-fix-glog-0.7.patch new file mode 100644 index 0000000000000..4f03cf1541da0 --- /dev/null +++ b/pkgs/by-name/fo/folly/folly-fix-glog-0.7.patch @@ -0,0 +1,18 @@ +diff --git a/CMake/folly-deps.cmake b/CMake/folly-deps.cmake +index c72273a73..d0408f2b3 100644 +--- a/CMake/folly-deps.cmake ++++ b/CMake/folly-deps.cmake +@@ -61,10 +61,9 @@ if(LIBGFLAGS_FOUND) + set(FOLLY_LIBGFLAGS_INCLUDE ${LIBGFLAGS_INCLUDE_DIR}) + endif() + +-find_package(Glog MODULE) +-set(FOLLY_HAVE_LIBGLOG ${GLOG_FOUND}) +-list(APPEND FOLLY_LINK_LIBRARIES ${GLOG_LIBRARY}) +-list(APPEND FOLLY_INCLUDE_DIRECTORIES ${GLOG_INCLUDE_DIR}) ++find_package(Glog CONFIG REQUIRED) ++set(FOLLY_HAVE_LIBGLOG True) ++list(APPEND FOLLY_LINK_LIBRARIES glog::glog) + + find_package(LibEvent MODULE REQUIRED) + list(APPEND FOLLY_LINK_LIBRARIES ${LIBEVENT_LIB}) diff --git a/pkgs/by-name/fo/folly/package.nix b/pkgs/by-name/fo/folly/package.nix index 2e6584d324824..eca0493cc2f08 100644 --- a/pkgs/by-name/fo/folly/package.nix +++ b/pkgs/by-name/fo/folly/package.nix @@ -3,7 +3,6 @@ stdenv, fetchFromGitHub, - fetchpatch, cmake, ninja, @@ -139,11 +138,7 @@ stdenv.mkDerivation (finalAttrs: { ./char_traits.patch # - (fetchpatch { - name = "folly-fix-glog-0.7.patch"; - url = "https://aur.archlinux.org/cgit/aur.git/plain/fix-cmake-find-glog.patch?h=folly&id=4b68f47338d4b20111e3ffa1291433120bb899f0"; - hash = "sha256-QGNpS5UNEm+0PW9+agwUVILzpK9t020KXDGyP03OAwE="; - }) + ./folly-fix-glog-0.7.patch # Fix a GCC‐incompatible use of a private trait. # From 3233564c896cd4f4d261900fffd231b01f64ff2f Mon Sep 17 00:00:00 2001 From: Daudi Wampamba Date: Sat, 13 Dec 2025 19:28:51 +0000 Subject: [PATCH 31/70] w3m: inline patch due to errors fetching from AUR (cherry picked from commit 38b7d078e6c742994d1d67fa1ff772140cf4b612) --- pkgs/by-name/w3/w3m/https.patch | 19 +++++++++++++++++++ pkgs/by-name/w3/w3m/package.nix | 7 +------ 2 files changed, 20 insertions(+), 6 deletions(-) create mode 100644 pkgs/by-name/w3/w3m/https.patch diff --git a/pkgs/by-name/w3/w3m/https.patch b/pkgs/by-name/w3/w3m/https.patch new file mode 100644 index 0000000000000..31286a70d5ae2 --- /dev/null +++ b/pkgs/by-name/w3/w3m/https.patch @@ -0,0 +1,19 @@ +Fedora patch; see https://bugzilla.redhat.com/show_bug.cgi?id=707994 + +--- old/url.c 2011-01-04 14:52:24.000000000 +0530 ++++ new/url.c 2011-09-02 18:25:43.305652690 +0530 +@@ -82,11 +82,11 @@ + {"ftp", SCM_FTP}, + {"local", SCM_LOCAL}, + {"file", SCM_LOCAL}, +- /* {"exec", SCM_EXEC}, */ ++ {"exec", SCM_EXEC}, + {"nntp", SCM_NNTP}, +- /* {"nntp", SCM_NNTP_GROUP}, */ ++ {"nntp", SCM_NNTP_GROUP}, + {"news", SCM_NEWS}, +- /* {"news", SCM_NEWS_GROUP}, */ ++ {"news", SCM_NEWS_GROUP}, + {"data", SCM_DATA}, + #ifndef USE_W3MMAILER + {"mailto", SCM_MAILTO}, diff --git a/pkgs/by-name/w3/w3m/package.nix b/pkgs/by-name/w3/w3m/package.nix index c9d00588502aa..73e82859bf633 100644 --- a/pkgs/by-name/w3/w3m/package.nix +++ b/pkgs/by-name/w3/w3m/package.nix @@ -2,7 +2,6 @@ lib, stdenv, fetchFromSourcehut, - fetchpatch, ncurses, boehmgc, gettext, @@ -66,11 +65,7 @@ stdenv.mkDerivation (finalAttrs: { patches = [ ./RAND_egd.libressl.patch - (fetchpatch { - name = "https.patch"; - url = "https://aur.archlinux.org/cgit/aur.git/plain/https.patch?h=w3m-mouse&id=5b5f0fbb59f674575e87dd368fed834641c35f03"; - sha256 = "08skvaha1hjyapsh8zw5dgfy433mw2hk7qy9yy9avn8rjqj7kjxk"; - }) + ./https.patch ]; postPatch = lib.optionalString (stdenv.hostPlatform != stdenv.buildPlatform) '' From b7cdbc9b7628f4a429fd5ee58c577cc6727b5be9 Mon Sep 17 00:00:00 2001 From: Diego Date: Sun, 23 Nov 2025 18:35:20 +0100 Subject: [PATCH 32/70] prmers: init at 4.15.35-alpha (cherry picked from commit 41f8e4e78d3d82a29f43d9d5f4b4b8ac68387238) --- pkgs/by-name/pr/prmers/package.nix | 60 ++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 pkgs/by-name/pr/prmers/package.nix diff --git a/pkgs/by-name/pr/prmers/package.nix b/pkgs/by-name/pr/prmers/package.nix new file mode 100644 index 0000000000000..d412b811d699b --- /dev/null +++ b/pkgs/by-name/pr/prmers/package.nix @@ -0,0 +1,60 @@ +{ + curl, + fetchFromGitHub, + gmp, + lib, + ocl-icd, + opencl-headers, + stdenv, + versionCheckHook, +}: + +stdenv.mkDerivation (finalAttrs: { + pname = "prmers"; + version = "4.15.35-alpha"; + + src = fetchFromGitHub { + owner = "cherubrock-seb"; + repo = "PrMers"; + tag = "v${finalAttrs.version}"; + hash = "sha256-LAbWyz1FT9Zza4gewgKeMvQt8rwkfBhHRWBGpN+DIXE="; + }; + + enableParallelBuilding = true; + + buildInputs = [ + curl + gmp + ocl-icd + opencl-headers + ]; + + installPhase = '' + runHook preInstall + + make install PREFIX=$out KERNEL_PATH=$out/bin/kernels + + runHook postInstall + ''; + + doInstallCheck = true; + nativeInstallCheckInputs = [ + versionCheckHook + ]; + + versionCheckProgramArg = "-v"; + + meta = { + description = "GPU-accelerated Mersenne primality testing"; + longDescription = '' + PrMers is a high-performance GPU application for Lucas–Lehmer (LL), PRP, and P-1 testing of Mersenne numbers. + It uses OpenCL and integer NTT/IBDWT kernels and is built for long, reliable runs with checkpointing and PrimeNet submission. + ''; + homepage = "https://github.com/cherubrock-seb/PrMers"; + downloadPage = "https://github.com/cherubrock-seb/PrMers/releases/tag/v${finalAttrs.version}"; + maintainers = with lib.maintainers; [ dstremur ]; + license = lib.licenses.mit; + platforms = lib.platforms.linux; + mainProgram = "prmers"; + }; +}) From 5f1358edfbedf6f3f08dcbca6d3cf7d235451cb2 Mon Sep 17 00:00:00 2001 From: Emily Date: Mon, 15 Dec 2025 21:13:21 +0000 Subject: [PATCH 33/70] Revert "python313Packages.libxml2: force rebuild for code signing issue" Cleaning up on `staging-25.11`. This reverts commit 4256f8b82bf8f7756b2d867216440dc00abbd4b3. --- pkgs/development/libraries/libxml2/common.nix | 7 ------- 1 file changed, 7 deletions(-) diff --git a/pkgs/development/libraries/libxml2/common.nix b/pkgs/development/libraries/libxml2/common.nix index 88751671c479a..4b2f04bbc8f08 100644 --- a/pkgs/development/libraries/libxml2/common.nix +++ b/pkgs/development/libraries/libxml2/common.nix @@ -120,13 +120,6 @@ stdenv'.mkDerivation (finalAttrs: { moveToOutput lib/libxml2.a "$static" ''; - # TODO: Drop this; works around code signing issue on `staging-next-25.11`. - rebuildHack = - if stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64 && pythonSupport then - true - else - null; - passthru = { inherit pythonSupport; From 88af4845941bb4443c20fb2e2e015c3e598727ae Mon Sep 17 00:00:00 2001 From: Kirill Radzikhovskyy Date: Wed, 17 Dec 2025 14:11:16 +1100 Subject: [PATCH 34/70] python3Packages.filelock: 3.20.0 -> 3.20.1 https://github.com/tox-dev/py-filelock/releases/tag/3.20.1 --- pkgs/development/python-modules/filelock/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/filelock/default.nix b/pkgs/development/python-modules/filelock/default.nix index 926bc2ad5cfda..760286a19faf8 100644 --- a/pkgs/development/python-modules/filelock/default.nix +++ b/pkgs/development/python-modules/filelock/default.nix @@ -12,12 +12,12 @@ buildPythonPackage rec { pname = "filelock"; - version = "3.20.0"; + version = "3.20.1"; pyproject = true; src = fetchPypi { inherit pname version; - hash = "sha256-cR6UO07GvkLh1OZpC0jcF1yCKWdGa7McDCk/NDNME/Q="; + hash = "sha256-uDYJSLNRuA9CCHjYUWUZoiBLB6783P0kkSpdMxJ/GIw="; }; build-system = [ From 65fb84b40bcf6b00672e18bc290db92091163a79 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 18 Dec 2025 14:51:32 +0100 Subject: [PATCH 35/70] python3Packages.urllib3: backport 2.6.0 security fixes Fixes: CVE-2025-66471, CVE-2025-66418 --- .../urllib3/CVE-2025-66418.patch | 73 ++ .../urllib3/CVE-2025-66471.patch | 811 ++++++++++++++++++ .../python-modules/urllib3/default.nix | 7 + 3 files changed, 891 insertions(+) create mode 100644 pkgs/development/python-modules/urllib3/CVE-2025-66418.patch create mode 100644 pkgs/development/python-modules/urllib3/CVE-2025-66471.patch diff --git a/pkgs/development/python-modules/urllib3/CVE-2025-66418.patch b/pkgs/development/python-modules/urllib3/CVE-2025-66418.patch new file mode 100644 index 0000000000000..361430afc25e8 --- /dev/null +++ b/pkgs/development/python-modules/urllib3/CVE-2025-66418.patch @@ -0,0 +1,73 @@ +From 2284e948f74b40365ff772ef50d06a1930670537 Mon Sep 17 00:00:00 2001 +From: Illia Volochii +Date: Fri, 5 Dec 2025 16:41:33 +0200 +Subject: [PATCH 2/2] Unbounded number of links in the decompression chain + +https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53 + +Fixes: CVE-2025-66418 +--- + changelog/GHSA-gm62-xv2j-4w53.security.rst | 4 ++++ + src/urllib3/response.py | 12 +++++++++++- + test/test_response.py | 10 ++++++++++ + 3 files changed, 25 insertions(+), 1 deletion(-) + create mode 100644 changelog/GHSA-gm62-xv2j-4w53.security.rst + +diff --git a/changelog/GHSA-gm62-xv2j-4w53.security.rst b/changelog/GHSA-gm62-xv2j-4w53.security.rst +new file mode 100644 +index 00000000..6646eaa3 +--- /dev/null ++++ b/changelog/GHSA-gm62-xv2j-4w53.security.rst +@@ -0,0 +1,4 @@ ++Fixed a security issue where an attacker could compose an HTTP response with ++virtually unlimited links in the ``Content-Encoding`` header, potentially ++leading to a denial of service (DoS) attack by exhausting system resources ++during decoding. The number of allowed chained encodings is now limited to 5. +diff --git a/src/urllib3/response.py b/src/urllib3/response.py +index 0303ce89..7ea7176f 100644 +--- a/src/urllib3/response.py ++++ b/src/urllib3/response.py +@@ -342,8 +342,18 @@ class MultiDecoder(ContentDecoder): + they were applied. + """ + ++ # Maximum allowed number of chained HTTP encodings in the ++ # Content-Encoding header. ++ max_decode_links = 5 ++ + def __init__(self, modes: str) -> None: +- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")] ++ encodings = [m.strip() for m in modes.split(",")] ++ if len(encodings) > self.max_decode_links: ++ raise DecodeError( ++ "Too many content encodings in the chain: " ++ f"{len(encodings)} > {self.max_decode_links}" ++ ) ++ self._decoders = [_get_decoder(e) for e in encodings] + + def flush(self) -> bytes: + return self._decoders[0].flush() +diff --git a/test/test_response.py b/test/test_response.py +index 301b04ce..3a728990 100644 +--- a/test/test_response.py ++++ b/test/test_response.py +@@ -843,6 +843,16 @@ class TestResponse: + assert r.read(9 * 37) == b"foobarbaz" * 37 + assert r.read() == b"" + ++ def test_read_multi_decoding_too_many_links(self) -> None: ++ fp = BytesIO(b"foo") ++ with pytest.raises( ++ DecodeError, match="Too many content encodings in the chain: 6 > 5" ++ ): ++ HTTPResponse( ++ fp, ++ headers={"content-encoding": "gzip, deflate, br, zstd, gzip, deflate"}, ++ ) ++ + def test_body_blob(self) -> None: + resp = HTTPResponse(b"foo") + assert resp.data == b"foo" +-- +2.51.2 + diff --git a/pkgs/development/python-modules/urllib3/CVE-2025-66471.patch b/pkgs/development/python-modules/urllib3/CVE-2025-66471.patch new file mode 100644 index 0000000000000..e38444bdb221e --- /dev/null +++ b/pkgs/development/python-modules/urllib3/CVE-2025-66471.patch @@ -0,0 +1,811 @@ +From 1c23a491ec4945a08f419f04f75ca7a0d13aef35 Mon Sep 17 00:00:00 2001 +From: Illia Volochii +Date: Fri, 5 Dec 2025 16:40:41 +0200 +Subject: [PATCH 1/2] Streaming API improperly handles highly compressed data + +https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37 + +Fixes: CVE-2025-66471 +--- + pyproject.toml | 5 +- + src/urllib3/response.py | 278 ++++++++++++++++++++++++++++++++++------ + test/test_response.py | 269 +++++++++++++++++++++++++++++++++++++- + 3 files changed, 506 insertions(+), 46 deletions(-) + +diff --git a/pyproject.toml b/pyproject.toml +index 60fce65d..b785bf13 100644 +--- a/pyproject.toml ++++ b/pyproject.toml +@@ -41,8 +41,8 @@ dynamic = ["version"] + + [project.optional-dependencies] + brotli = [ +- "brotli>=1.0.9; platform_python_implementation == 'CPython'", +- "brotlicffi>=0.8.0; platform_python_implementation != 'CPython'" ++ "brotli>=1.2.0; platform_python_implementation == 'CPython'", ++ "brotlicffi>=1.2.0.0; platform_python_implementation != 'CPython'" + ] + # Once we drop support for Python 3.13 this extra can be removed. + # We'll need a deprecation period for the 'zstandard' module support +@@ -160,6 +160,7 @@ filterwarnings = [ + '''default:ssl\.PROTOCOL_TLSv1_1 is deprecated:DeprecationWarning''', + '''default:ssl\.PROTOCOL_TLSv1_2 is deprecated:DeprecationWarning''', + '''default:ssl NPN is deprecated, use ALPN instead:DeprecationWarning''', ++ '''default:Brotli >= 1.2.0 is required to prevent decompression bombs\.:urllib3.exceptions.DependencyWarning''', + # https://github.com/SeleniumHQ/selenium/issues/13328 + '''default:unclosed file <_io\.BufferedWriter name='/dev/null'>:ResourceWarning''', + # https://github.com/SeleniumHQ/selenium/issues/14686 +diff --git a/src/urllib3/response.py b/src/urllib3/response.py +index 5632dab3..0303ce89 100644 +--- a/src/urllib3/response.py ++++ b/src/urllib3/response.py +@@ -33,6 +33,7 @@ from .connection import BaseSSLError, HTTPConnection, HTTPException + from .exceptions import ( + BodyNotHttplibCompatible, + DecodeError, ++ DependencyWarning, + HTTPError, + IncompleteRead, + InvalidChunkLength, +@@ -52,7 +53,11 @@ log = logging.getLogger(__name__) + + + class ContentDecoder: +- def decompress(self, data: bytes) -> bytes: ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: ++ raise NotImplementedError() ++ ++ @property ++ def has_unconsumed_tail(self) -> bool: + raise NotImplementedError() + + def flush(self) -> bytes: +@@ -62,30 +67,57 @@ class ContentDecoder: + class DeflateDecoder(ContentDecoder): + def __init__(self) -> None: + self._first_try = True +- self._data = b"" ++ self._first_try_data = b"" ++ self._unfed_data = b"" + self._obj = zlib.decompressobj() + +- def decompress(self, data: bytes) -> bytes: +- if not data: ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: ++ data = self._unfed_data + data ++ self._unfed_data = b"" ++ if not data and not self._obj.unconsumed_tail: + return data ++ original_max_length = max_length ++ if original_max_length < 0: ++ max_length = 0 ++ elif original_max_length == 0: ++ # We should not pass 0 to the zlib decompressor because 0 is ++ # the default value that will make zlib decompress without a ++ # length limit. ++ # Data should be stored for subsequent calls. ++ self._unfed_data = data ++ return b"" + ++ # Subsequent calls always reuse `self._obj`. zlib requires ++ # passing the unconsumed tail if decompression is to continue. + if not self._first_try: +- return self._obj.decompress(data) ++ return self._obj.decompress( ++ self._obj.unconsumed_tail + data, max_length=max_length ++ ) + +- self._data += data ++ # First call tries with RFC 1950 ZLIB format. ++ self._first_try_data += data + try: +- decompressed = self._obj.decompress(data) ++ decompressed = self._obj.decompress(data, max_length=max_length) + if decompressed: + self._first_try = False +- self._data = None # type: ignore[assignment] ++ self._first_try_data = b"" + return decompressed ++ # On failure, it falls back to RFC 1951 DEFLATE format. + except zlib.error: + self._first_try = False + self._obj = zlib.decompressobj(-zlib.MAX_WBITS) + try: +- return self.decompress(self._data) ++ return self.decompress( ++ self._first_try_data, max_length=original_max_length ++ ) + finally: +- self._data = None # type: ignore[assignment] ++ self._first_try_data = b"" ++ ++ @property ++ def has_unconsumed_tail(self) -> bool: ++ return bool(self._unfed_data) or ( ++ bool(self._obj.unconsumed_tail) and not self._first_try ++ ) + + def flush(self) -> bytes: + return self._obj.flush() +@@ -101,27 +133,61 @@ class GzipDecoder(ContentDecoder): + def __init__(self) -> None: + self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS) + self._state = GzipDecoderState.FIRST_MEMBER ++ self._unconsumed_tail = b"" + +- def decompress(self, data: bytes) -> bytes: ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: + ret = bytearray() +- if self._state == GzipDecoderState.SWALLOW_DATA or not data: ++ if self._state == GzipDecoderState.SWALLOW_DATA: ++ return bytes(ret) ++ ++ if max_length == 0: ++ # We should not pass 0 to the zlib decompressor because 0 is ++ # the default value that will make zlib decompress without a ++ # length limit. ++ # Data should be stored for subsequent calls. ++ self._unconsumed_tail += data ++ return b"" ++ ++ # zlib requires passing the unconsumed tail to the subsequent ++ # call if decompression is to continue. ++ data = self._unconsumed_tail + data ++ if not data and self._obj.eof: + return bytes(ret) ++ + while True: + try: +- ret += self._obj.decompress(data) ++ ret += self._obj.decompress( ++ data, max_length=max(max_length - len(ret), 0) ++ ) + except zlib.error: + previous_state = self._state + # Ignore data after the first error + self._state = GzipDecoderState.SWALLOW_DATA ++ self._unconsumed_tail = b"" + if previous_state == GzipDecoderState.OTHER_MEMBERS: + # Allow trailing garbage acceptable in other gzip clients + return bytes(ret) + raise +- data = self._obj.unused_data ++ ++ self._unconsumed_tail = data = ( ++ self._obj.unconsumed_tail or self._obj.unused_data ++ ) ++ if max_length > 0 and len(ret) >= max_length: ++ break ++ + if not data: + return bytes(ret) +- self._state = GzipDecoderState.OTHER_MEMBERS +- self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS) ++ # When the end of a gzip member is reached, a new decompressor ++ # must be created for unused (possibly future) data. ++ if self._obj.eof: ++ self._state = GzipDecoderState.OTHER_MEMBERS ++ self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS) ++ ++ return bytes(ret) ++ ++ @property ++ def has_unconsumed_tail(self) -> bool: ++ return bool(self._unconsumed_tail) + + def flush(self) -> bytes: + return self._obj.flush() +@@ -136,9 +202,35 @@ if brotli is not None: + def __init__(self) -> None: + self._obj = brotli.Decompressor() + if hasattr(self._obj, "decompress"): +- setattr(self, "decompress", self._obj.decompress) ++ setattr(self, "_decompress", self._obj.decompress) + else: +- setattr(self, "decompress", self._obj.process) ++ setattr(self, "_decompress", self._obj.process) ++ ++ # Requires Brotli >= 1.2.0 for `output_buffer_limit`. ++ def _decompress(self, data: bytes, output_buffer_limit: int = -1) -> bytes: ++ raise NotImplementedError() ++ ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: ++ try: ++ if max_length > 0: ++ return self._decompress(data, output_buffer_limit=max_length) ++ else: ++ return self._decompress(data) ++ except TypeError: ++ # Fallback for Brotli/brotlicffi/brotlipy versions without ++ # the `output_buffer_limit` parameter. ++ warnings.warn( ++ "Brotli >= 1.2.0 is required to prevent decompression bombs.", ++ DependencyWarning, ++ ) ++ return self._decompress(data) ++ ++ @property ++ def has_unconsumed_tail(self) -> bool: ++ try: ++ return not self._obj.can_accept_more_data() ++ except AttributeError: ++ return False + + def flush(self) -> bytes: + if hasattr(self._obj, "flush"): +@@ -156,16 +248,46 @@ try: + def __init__(self) -> None: + self._obj = zstd.ZstdDecompressor() + +- def decompress(self, data: bytes) -> bytes: +- if not data: ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: ++ if not data and not self.has_unconsumed_tail: + return b"" +- data_parts = [self._obj.decompress(data)] +- while self._obj.eof and self._obj.unused_data: +- unused_data = self._obj.unused_data ++ if self._obj.eof: ++ data = self._obj.unused_data + data + self._obj = zstd.ZstdDecompressor() +- data_parts.append(self._obj.decompress(unused_data)) ++ part = self._obj.decompress(data, max_length=max_length) ++ length = len(part) ++ data_parts = [part] ++ # Every loop iteration is supposed to read data from a separate frame. ++ # The loop breaks when: ++ # - enough data is read; ++ # - no more unused data is available; ++ # - end of the last read frame has not been reached (i.e., ++ # more data has to be fed). ++ while ( ++ self._obj.eof ++ and self._obj.unused_data ++ and (max_length < 0 or length < max_length) ++ ): ++ unused_data = self._obj.unused_data ++ if not self._obj.needs_input: ++ self._obj = zstd.ZstdDecompressor() ++ part = self._obj.decompress( ++ unused_data, ++ max_length=(max_length - length) if max_length > 0 else -1, ++ ) ++ if part_length := len(part): ++ data_parts.append(part) ++ length += part_length ++ elif self._obj.needs_input: ++ break + return b"".join(data_parts) + ++ @property ++ def has_unconsumed_tail(self) -> bool: ++ return not (self._obj.needs_input or self._obj.eof) or bool( ++ self._obj.unused_data ++ ) ++ + def flush(self) -> bytes: + if not self._obj.eof: + raise DecodeError("Zstandard data is incomplete") +@@ -226,10 +348,35 @@ class MultiDecoder(ContentDecoder): + def flush(self) -> bytes: + return self._decoders[0].flush() + +- def decompress(self, data: bytes) -> bytes: +- for d in reversed(self._decoders): +- data = d.decompress(data) +- return data ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: ++ if max_length <= 0: ++ for d in reversed(self._decoders): ++ data = d.decompress(data) ++ return data ++ ++ ret = bytearray() ++ # Every while loop iteration goes through all decoders once. ++ # It exits when enough data is read or no more data can be read. ++ # It is possible that the while loop iteration does not produce ++ # any data because we retrieve up to `max_length` from every ++ # decoder, and the amount of bytes may be insufficient for the ++ # next decoder to produce enough/any output. ++ while True: ++ any_data = False ++ for d in reversed(self._decoders): ++ data = d.decompress(data, max_length=max_length - len(ret)) ++ if data: ++ any_data = True ++ # We should not break when no data is returned because ++ # next decoders may produce data even with empty input. ++ ret += data ++ if not any_data or len(ret) >= max_length: ++ return bytes(ret) ++ data = b"" ++ ++ @property ++ def has_unconsumed_tail(self) -> bool: ++ return any(d.has_unconsumed_tail for d in self._decoders) + + + def _get_decoder(mode: str) -> ContentDecoder: +@@ -262,9 +409,6 @@ class BytesQueueBuffer: + + * self.buffer, which contains the full data + * the largest chunk that we will copy in get() +- +- The worst case scenario is a single chunk, in which case we'll make a full copy of +- the data inside get(). + """ + + def __init__(self) -> None: +@@ -286,6 +430,10 @@ class BytesQueueBuffer: + elif n < 0: + raise ValueError("n should be > 0") + ++ if len(self.buffer[0]) == n and isinstance(self.buffer[0], bytes): ++ self._size -= n ++ return self.buffer.popleft() ++ + fetched = 0 + ret = io.BytesIO() + while fetched < n: +@@ -492,7 +640,11 @@ class BaseHTTPResponse(io.IOBase): + self._decoder = _get_decoder(content_encoding) + + def _decode( +- self, data: bytes, decode_content: bool | None, flush_decoder: bool ++ self, ++ data: bytes, ++ decode_content: bool | None, ++ flush_decoder: bool, ++ max_length: int | None = None, + ) -> bytes: + """ + Decode the data passed in and potentially flush the decoder. +@@ -505,9 +657,12 @@ class BaseHTTPResponse(io.IOBase): + ) + return data + ++ if max_length is None or flush_decoder: ++ max_length = -1 ++ + try: + if self._decoder: +- data = self._decoder.decompress(data) ++ data = self._decoder.decompress(data, max_length=max_length) + self._has_decoded_content = True + except self.DECODER_ERROR_CLASSES as e: + content_encoding = self.headers.get("content-encoding", "").lower() +@@ -974,6 +1129,14 @@ class HTTPResponse(BaseHTTPResponse): + elif amt is not None: + cache_content = False + ++ if self._decoder and self._decoder.has_unconsumed_tail: ++ decoded_data = self._decode( ++ b"", ++ decode_content, ++ flush_decoder=False, ++ max_length=amt - len(self._decoded_buffer), ++ ) ++ self._decoded_buffer.put(decoded_data) + if len(self._decoded_buffer) >= amt: + return self._decoded_buffer.get(amt) + +@@ -981,7 +1144,11 @@ class HTTPResponse(BaseHTTPResponse): + + flush_decoder = amt is None or (amt != 0 and not data) + +- if not data and len(self._decoded_buffer) == 0: ++ if ( ++ not data ++ and len(self._decoded_buffer) == 0 ++ and not (self._decoder and self._decoder.has_unconsumed_tail) ++ ): + return data + + if amt is None: +@@ -998,7 +1165,12 @@ class HTTPResponse(BaseHTTPResponse): + ) + return data + +- decoded_data = self._decode(data, decode_content, flush_decoder) ++ decoded_data = self._decode( ++ data, ++ decode_content, ++ flush_decoder, ++ max_length=amt - len(self._decoded_buffer), ++ ) + self._decoded_buffer.put(decoded_data) + + while len(self._decoded_buffer) < amt and data: +@@ -1006,7 +1178,12 @@ class HTTPResponse(BaseHTTPResponse): + # For example, the GZ file header takes 10 bytes, we don't want to read + # it one byte at a time + data = self._raw_read(amt) +- decoded_data = self._decode(data, decode_content, flush_decoder) ++ decoded_data = self._decode( ++ data, ++ decode_content, ++ flush_decoder, ++ max_length=amt - len(self._decoded_buffer), ++ ) + self._decoded_buffer.put(decoded_data) + data = self._decoded_buffer.get(amt) + +@@ -1041,6 +1218,20 @@ class HTTPResponse(BaseHTTPResponse): + "Calling read1(decode_content=False) is not supported after " + "read1(decode_content=True) was called." + ) ++ if ( ++ self._decoder ++ and self._decoder.has_unconsumed_tail ++ and (amt is None or len(self._decoded_buffer) < amt) ++ ): ++ decoded_data = self._decode( ++ b"", ++ decode_content, ++ flush_decoder=False, ++ max_length=( ++ amt - len(self._decoded_buffer) if amt is not None else None ++ ), ++ ) ++ self._decoded_buffer.put(decoded_data) + if len(self._decoded_buffer) > 0: + if amt is None: + return self._decoded_buffer.get_all() +@@ -1056,7 +1247,9 @@ class HTTPResponse(BaseHTTPResponse): + self._init_decoder() + while True: + flush_decoder = not data +- decoded_data = self._decode(data, decode_content, flush_decoder) ++ decoded_data = self._decode( ++ data, decode_content, flush_decoder, max_length=amt ++ ) + self._decoded_buffer.put(decoded_data) + if decoded_data or flush_decoder: + break +@@ -1087,7 +1280,11 @@ class HTTPResponse(BaseHTTPResponse): + if self.chunked and self.supports_chunked_reads(): + yield from self.read_chunked(amt, decode_content=decode_content) + else: +- while not is_fp_closed(self._fp) or len(self._decoded_buffer) > 0: ++ while ( ++ not is_fp_closed(self._fp) ++ or len(self._decoded_buffer) > 0 ++ or (self._decoder and self._decoder.has_unconsumed_tail) ++ ): + data = self.read(amt=amt, decode_content=decode_content) + + if data: +@@ -1250,7 +1447,10 @@ class HTTPResponse(BaseHTTPResponse): + break + chunk = self._handle_chunk(amt) + decoded = self._decode( +- chunk, decode_content=decode_content, flush_decoder=False ++ chunk, ++ decode_content=decode_content, ++ flush_decoder=False, ++ max_length=amt, + ) + if decoded: + yield decoded +diff --git a/test/test_response.py b/test/test_response.py +index 9552689f..301b04ce 100644 +--- a/test/test_response.py ++++ b/test/test_response.py +@@ -1,6 +1,7 @@ + from __future__ import annotations + + import contextlib ++import gzip + import http.client as httplib + import socket + import ssl +@@ -43,6 +44,26 @@ def zstd_compress(data: bytes) -> bytes: + return zstd.compress(data) # type: ignore[no-any-return] + + ++def deflate2_compress(data: bytes) -> bytes: ++ compressor = zlib.compressobj(6, zlib.DEFLATED, -zlib.MAX_WBITS) ++ return compressor.compress(data) + compressor.flush() ++ ++ ++if brotli: ++ try: ++ brotli.Decompressor().process(b"", output_buffer_limit=1024) ++ _brotli_gte_1_2_0_available = True ++ except (AttributeError, TypeError): ++ _brotli_gte_1_2_0_available = False ++else: ++ _brotli_gte_1_2_0_available = False ++try: ++ zstd_compress(b"") ++ _zstd_available = True ++except ModuleNotFoundError: ++ _zstd_available = False ++ ++ + class TestBytesQueueBuffer: + def test_single_chunk(self) -> None: + buffer = BytesQueueBuffer() +@@ -118,12 +139,19 @@ class TestBytesQueueBuffer: + + assert len(get_func(buffer)) == 10 * 2**20 + ++ @pytest.mark.parametrize( ++ "get_func", ++ (lambda b: b.get(len(b)), lambda b: b.get_all()), ++ ids=("get", "get_all"), ++ ) + @pytest.mark.limit_memory("10.01 MB", current_thread_only=True) +- def test_get_all_memory_usage_single_chunk(self) -> None: ++ def test_memory_usage_single_chunk( ++ self, get_func: typing.Callable[[BytesQueueBuffer], bytes] ++ ) -> None: + buffer = BytesQueueBuffer() + chunk = bytes(10 * 2**20) # 10 MiB + buffer.put(chunk) +- assert buffer.get_all() is chunk ++ assert get_func(buffer) is chunk + + + # A known random (i.e, not-too-compressible) payload generated with: +@@ -426,7 +454,26 @@ class TestResponse: + assert r.data == b"foo" + + @onlyZstd() +- def test_decode_multiframe_zstd(self) -> None: ++ @pytest.mark.parametrize( ++ "read_amt", ++ ( ++ # Read all data at once. ++ None, ++ # Read one byte at a time, data of frames will be returned ++ # separately. ++ 1, ++ # Read two bytes at a time, the second read should return ++ # data from both frames. ++ 2, ++ # Read three bytes at a time, the whole frames will be ++ # returned separately in two calls. ++ 3, ++ # Read four bytes at a time, the first read should return ++ # data from the first frame and a part of the second frame. ++ 4, ++ ), ++ ) ++ def test_decode_multiframe_zstd(self, read_amt: int | None) -> None: + data = ( + # Zstandard frame + zstd_compress(b"foo") +@@ -441,8 +488,57 @@ class TestResponse: + ) + + fp = BytesIO(data) +- r = HTTPResponse(fp, headers={"content-encoding": "zstd"}) +- assert r.data == b"foobar" ++ result = bytearray() ++ r = HTTPResponse( ++ fp, headers={"content-encoding": "zstd"}, preload_content=False ++ ) ++ total_length = 6 ++ while len(result) < total_length: ++ chunk = r.read(read_amt, decode_content=True) ++ if read_amt is None: ++ assert len(chunk) == total_length ++ else: ++ assert len(chunk) == min(read_amt, total_length - len(result)) ++ result += chunk ++ assert bytes(result) == b"foobar" ++ ++ @onlyZstd() ++ def test_decode_multiframe_zstd_with_max_length_close_to_compressed_data_size( ++ self, ++ ) -> None: ++ """ ++ Test decoding when the first read from the socket returns all ++ the compressed frames, but then it has to be decompressed in a ++ couple of read calls. ++ """ ++ data = ( ++ # Zstandard frame ++ zstd_compress(b"x" * 1024) ++ # skippable frame (must be ignored) ++ + bytes.fromhex( ++ "50 2A 4D 18" # Magic_Number (little-endian) ++ "07 00 00 00" # Frame_Size (little-endian) ++ "00 00 00 00 00 00 00" # User_Data ++ ) ++ # Zstandard frame ++ + zstd_compress(b"y" * 1024) ++ ) ++ ++ fp = BytesIO(data) ++ r = HTTPResponse( ++ fp, headers={"content-encoding": "zstd"}, preload_content=False ++ ) ++ # Read the whole first frame. ++ assert r.read(1024) == b"x" * 1024 ++ assert len(r._decoded_buffer) == 0 ++ # Read the whole second frame in two reads. ++ assert r.read(512) == b"y" * 512 ++ assert len(r._decoded_buffer) == 0 ++ assert r.read(512) == b"y" * 512 ++ assert len(r._decoded_buffer) == 0 ++ # Ensure no more data is left. ++ assert r.read() == b"" ++ assert len(r._decoded_buffer) == 0 + + @onlyZstd() + def test_chunked_decoding_zstd(self) -> None: +@@ -535,6 +631,169 @@ class TestResponse: + decoded_data += part + assert decoded_data == data + ++ _test_compressor_params: list[ ++ tuple[str, tuple[str, typing.Callable[[bytes], bytes]] | None] ++ ] = [ ++ ("deflate1", ("deflate", zlib.compress)), ++ ("deflate2", ("deflate", deflate2_compress)), ++ ("gzip", ("gzip", gzip.compress)), ++ ] ++ if _brotli_gte_1_2_0_available: ++ _test_compressor_params.append(("brotli", ("br", brotli.compress))) ++ else: ++ _test_compressor_params.append(("brotli", None)) ++ if _zstd_available: ++ _test_compressor_params.append(("zstd", ("zstd", zstd_compress))) ++ else: ++ _test_compressor_params.append(("zstd", None)) ++ ++ @pytest.mark.parametrize("read_method", ("read", "read1")) ++ @pytest.mark.parametrize( ++ "data", ++ [d[1] for d in _test_compressor_params], ++ ids=[d[0] for d in _test_compressor_params], ++ ) ++ def test_read_with_all_data_already_in_decompressor( ++ self, ++ request: pytest.FixtureRequest, ++ read_method: str, ++ data: tuple[str, typing.Callable[[bytes], bytes]] | None, ++ ) -> None: ++ if data is None: ++ pytest.skip(f"Proper {request.node.callspec.id} decoder is not available") ++ original_data = b"bar" * 1000 ++ name, compress_func = data ++ compressed_data = compress_func(original_data) ++ fp = mock.Mock(read=mock.Mock(return_value=b"")) ++ r = HTTPResponse(fp, headers={"content-encoding": name}, preload_content=False) ++ # Put all data in the decompressor's buffer. ++ r._init_decoder() ++ assert r._decoder is not None # for mypy ++ decoded = r._decoder.decompress(compressed_data, max_length=0) ++ if name == "br": ++ # It's known that some Brotli libraries do not respect ++ # `max_length`. ++ r._decoded_buffer.put(decoded) ++ else: ++ assert decoded == b"" ++ # Read the data via `HTTPResponse`. ++ read = getattr(r, read_method) ++ assert read(0) == b"" ++ assert read(2500) == original_data[:2500] ++ assert read(500) == original_data[2500:] ++ assert read(0) == b"" ++ assert read() == b"" ++ ++ @pytest.mark.parametrize( ++ "delta", ++ ( ++ 0, # First read from socket returns all compressed data. ++ -1, # First read from socket returns all but one byte of compressed data. ++ ), ++ ) ++ @pytest.mark.parametrize("read_method", ("read", "read1")) ++ @pytest.mark.parametrize( ++ "data", ++ [d[1] for d in _test_compressor_params], ++ ids=[d[0] for d in _test_compressor_params], ++ ) ++ def test_decode_with_max_length_close_to_compressed_data_size( ++ self, ++ request: pytest.FixtureRequest, ++ delta: int, ++ read_method: str, ++ data: tuple[str, typing.Callable[[bytes], bytes]] | None, ++ ) -> None: ++ """ ++ Test decoding when the first read from the socket returns all or ++ almost all the compressed data, but then it has to be ++ decompressed in a couple of read calls. ++ """ ++ if data is None: ++ pytest.skip(f"Proper {request.node.callspec.id} decoder is not available") ++ ++ original_data = b"foo" * 1000 ++ name, compress_func = data ++ compressed_data = compress_func(original_data) ++ fp = BytesIO(compressed_data) ++ r = HTTPResponse(fp, headers={"content-encoding": name}, preload_content=False) ++ initial_limit = len(compressed_data) + delta ++ read = getattr(r, read_method) ++ initial_chunk = read(amt=initial_limit, decode_content=True) ++ assert len(initial_chunk) == initial_limit ++ assert ( ++ len(read(amt=len(original_data), decode_content=True)) ++ == len(original_data) - initial_limit ++ ) ++ ++ # Prepare 50 MB of compressed data outside of the test measuring ++ # memory usage. ++ _test_memory_usage_decode_with_max_length_params: list[ ++ tuple[str, tuple[str, bytes] | None] ++ ] = [ ++ ( ++ params[0], ++ (params[1][0], params[1][1](b"A" * (50 * 2**20))) if params[1] else None, ++ ) ++ for params in _test_compressor_params ++ ] ++ ++ @pytest.mark.parametrize( ++ "data", ++ [d[1] for d in _test_memory_usage_decode_with_max_length_params], ++ ids=[d[0] for d in _test_memory_usage_decode_with_max_length_params], ++ ) ++ @pytest.mark.parametrize("read_method", ("read", "read1", "read_chunked", "stream")) ++ # Decoders consume different amounts of memory during decompression. ++ # We set the 10 MB limit to ensure that the whole decompressed data ++ # is not stored unnecessarily. ++ # ++ # FYI, the following consumption was observed for the test with ++ # `read` on CPython 3.14.0: ++ # - deflate: 2.3 MiB ++ # - deflate2: 2.1 MiB ++ # - gzip: 2.1 MiB ++ # - brotli: ++ # - brotli v1.2.0: 9 MiB ++ # - brotlicffi v1.2.0.0: 6 MiB ++ # - brotlipy v0.7.0: 105.8 MiB ++ # - zstd: 4.5 MiB ++ @pytest.mark.limit_memory("10 MB", current_thread_only=True) ++ def test_memory_usage_decode_with_max_length( ++ self, ++ request: pytest.FixtureRequest, ++ read_method: str, ++ data: tuple[str, bytes] | None, ++ ) -> None: ++ if data is None: ++ pytest.skip(f"Proper {request.node.callspec.id} decoder is not available") ++ ++ name, compressed_data = data ++ limit = 1024 * 1024 # 1 MiB ++ if read_method in ("read_chunked", "stream"): ++ httplib_r = httplib.HTTPResponse(MockSock) # type: ignore[arg-type] ++ httplib_r.fp = MockChunkedEncodingResponse([compressed_data]) # type: ignore[assignment] ++ r = HTTPResponse( ++ httplib_r, ++ preload_content=False, ++ headers={"transfer-encoding": "chunked", "content-encoding": name}, ++ ) ++ next(getattr(r, read_method)(amt=limit, decode_content=True)) ++ else: ++ fp = BytesIO(compressed_data) ++ r = HTTPResponse( ++ fp, headers={"content-encoding": name}, preload_content=False ++ ) ++ getattr(r, read_method)(amt=limit, decode_content=True) ++ ++ # Check that the internal decoded buffer is empty unless brotli ++ # is used. ++ # Google's brotli library does not fully respect the output ++ # buffer limit: https://github.com/google/brotli/issues/1396 ++ # And unmaintained brotlipy cannot limit the output buffer size. ++ if name != "br" or brotli.__name__ == "brotlicffi": ++ assert len(r._decoded_buffer) == 0 ++ + def test_multi_decoding_deflate_deflate(self) -> None: + data = zlib.compress(zlib.compress(b"foo")) + +-- +2.51.2 + diff --git a/pkgs/development/python-modules/urllib3/default.nix b/pkgs/development/python-modules/urllib3/default.nix index ca51c00796914..09a9be4ef4c79 100644 --- a/pkgs/development/python-modules/urllib3/default.nix +++ b/pkgs/development/python-modules/urllib3/default.nix @@ -32,6 +32,13 @@ let hash = "sha256-P8R3M8fkGdS8P2s9wrT4kLt0OQajDVa6Slv6S7/5J2A="; }; + patches = [ + # https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37 + ./CVE-2025-66471.patch + # https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53 + ./CVE-2025-66418.patch + ]; + build-system = [ hatchling hatch-vcs From d3e1989d57dce9a7e0700e01d713a7ac8813e766 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 9 Dec 2025 01:01:52 +0100 Subject: [PATCH 36/70] c-ares: 1.34.5 -> 1.34.6 https://c-ares.org/changelog.html#1_34_6 https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5 Fixes: CVE-2025-62408 (cherry picked from commit 9999bd59d0785859cf4472900448f98ae533c634) --- pkgs/development/libraries/c-ares/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/c-ares/default.nix b/pkgs/development/libraries/c-ares/default.nix index 03cebad999426..4e7a3b2e97ba0 100644 --- a/pkgs/development/libraries/c-ares/default.nix +++ b/pkgs/development/libraries/c-ares/default.nix @@ -18,12 +18,12 @@ stdenv.mkDerivation rec { pname = "c-ares"; - version = "1.34.5"; + version = "1.34.6"; src = fetchurl { # Note: tag name varies in some versions, e.g. v1.30.0, c-ares-1_17_0. url = "https://github.com/c-ares/c-ares/releases/download/v${version}/c-ares-${version}.tar.gz"; - hash = "sha256-fZNXkOmvCBwlxJX9E8LPzaR5KYNBjpY1jvbnMg7gY0Y="; + hash = "sha256-kS3XzDs+innFL9f7nA9Ozwqqc+Re/aiAJmotbia4TvU="; }; outputs = [ From 11f28b1d9038b075c912bd7cfea737d029509eeb Mon Sep 17 00:00:00 2001 From: Vikingnope Date: Sun, 14 Dec 2025 21:18:45 +0100 Subject: [PATCH 37/70] jellyfin-media-player: rename to jellyfin-desktop (cherry picked from commit 108c36953a75771675e0056bb94f2467784353cf) --- .../default.nix | 42 +++++++++++++------ .../non-fatal-unique-app.patch | 19 +++++++++ pkgs/top-level/aliases.nix | 1 + pkgs/top-level/all-packages.nix | 2 +- 4 files changed, 51 insertions(+), 13 deletions(-) rename pkgs/applications/video/{jellyfin-media-player => jellyfin-desktop}/default.nix (53%) create mode 100644 pkgs/applications/video/jellyfin-desktop/non-fatal-unique-app.patch diff --git a/pkgs/applications/video/jellyfin-media-player/default.nix b/pkgs/applications/video/jellyfin-desktop/default.nix similarity index 53% rename from pkgs/applications/video/jellyfin-media-player/default.nix rename to pkgs/applications/video/jellyfin-desktop/default.nix index 4927d2c563f0f..2e3cbdbec8198 100644 --- a/pkgs/applications/video/jellyfin-media-player/default.nix +++ b/pkgs/applications/video/jellyfin-desktop/default.nix @@ -4,40 +4,48 @@ stdenv, cmake, ninja, + python3, wrapQtAppsHook, qtbase, qtdeclarative, qtwebchannel, qtwebengine, + mpv-unwrapped, mpvqt, libcec, SDL2, libXrandr, + cacert, + nix-update-script, }: stdenv.mkDerivation rec { - pname = "jellyfin-media-player"; + pname = "jellyfin-desktop"; version = "2.0.0"; src = fetchFromGitHub { owner = "jellyfin"; - repo = "jellyfin-media-player"; + repo = "jellyfin-desktop"; rev = "v${version}"; - hash = "sha256-tdjmOeuC3LFEIDSH8X9LG/myvE1FoxwR1zpDQRyaTkQ="; + hash = "sha256-ITlYOrMS6COx9kDRSBi4wM6mzL/Q2G5X9GbABwDIOe4="; + fetchSubmodules = true; }; + patches = [ + ./non-fatal-unique-app.patch + ]; nativeBuildInputs = [ cmake ninja wrapQtAppsHook - ]; + ] + ++ lib.optional stdenv.hostPlatform.isDarwin python3; buildInputs = [ qtbase qtdeclarative qtwebchannel qtwebengine - - mpvqt + mpv-unwrapped # input sources libcec @@ -45,23 +53,33 @@ stdenv.mkDerivation rec { # frame rate switching libXrandr - ]; + cacert + ] + ++ lib.optional (!stdenv.hostPlatform.isDarwin) mpvqt; cmakeFlags = [ "-DCHECK_FOR_UPDATES=OFF" - "-DUSE_STATIC_MPVQT=OFF" # workaround for Qt cmake weirdness "-DQT_DISABLE_NO_DEFAULT_PATH_IN_QT_PACKAGES=ON" + ] + ++ lib.optional stdenv.hostPlatform.isDarwin "-DUSE_STATIC_MPVQT=ON" + ++ lib.optional (!stdenv.hostPlatform.isDarwin) "-DUSE_STATIC_MPVQT=OFF"; + + qtWrapperArgs = [ + "--set QT_STYLE_OVERRIDE Fusion" + "--set NIX_SSL_CERT_FILE ${cacert}/etc/ssl/certs/ca-bundle.crt" ]; postInstall = lib.optionalString stdenv.hostPlatform.isDarwin '' mkdir -p $out/bin $out/Applications - mv "$out/Jellyfin Media Player.app" $out/Applications - ln -s "$out/Applications/Jellyfin Media Player.app/Contents/MacOS/Jellyfin Media Player" $out/bin/jellyfinmediaplayer + mv "$out/Jellyfin Desktop.app" $out/Applications + ln -s "$out/Applications/Jellyfin Desktop.app/Contents/MacOS/Jellyfin Desktop" $out/bin/jellyfindesktop ''; + passthru.updateScript = nix-update-script { }; + meta = { - homepage = "https://github.com/jellyfin/jellyfin-media-player"; + homepage = "https://github.com/jellyfin/jellyfin-desktop"; description = "Jellyfin Desktop Client"; license = with lib.licenses; [ gpl2Only @@ -78,6 +96,6 @@ stdenv.mkDerivation rec { kranzes paumr ]; - mainProgram = "jellyfinmediaplayer"; + mainProgram = "jellyfin-desktop"; }; } diff --git a/pkgs/applications/video/jellyfin-desktop/non-fatal-unique-app.patch b/pkgs/applications/video/jellyfin-desktop/non-fatal-unique-app.patch new file mode 100644 index 0000000000000..de50edd43f966 --- /dev/null +++ b/pkgs/applications/video/jellyfin-desktop/non-fatal-unique-app.patch @@ -0,0 +1,19 @@ +--- a/src/shared/UniqueApplication.h ++++ b/src/shared/UniqueApplication.h +@@ -6,6 +6,7 @@ + #define KONVERGO_UNIQUEAPPLICATION_H + + #include ++#include + #include "Paths.h" + #include "LocalJsonServer.h" + #include "LocalJsonClient.h" +@@ -35,7 +36,7 @@ + }); + + if (!m_server->listen()) +- throw FatalException("Failed to listen to uniqueApp socket: " + m_server->errorString()); ++ qWarning() << "Failed to listen to uniqueApp socket: " << m_server->errorString(); + } + + bool ensureUnique() diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index b920753c98f85..4a19be91e117f 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -751,6 +751,7 @@ mapAliases { jdk23_headless = throw "OpenJDK 23 was removed as it has reached its end of life"; # Added 2025-11-04 jdk24 = throw "OpenJDK 24 was removed as it has reached its end of life"; # Added 2025-10-04 jdk24_headless = throw "OpenJDK 24 was removed as it has reached its end of life"; # Added 2025-10-04 + jellyfin-media-player = jellyfin-desktop; # Added 2025-12-14 jesec-rtorrent = throw "'jesec-rtorrent' has been removed due to lack of maintenance upstream."; # Added 2025-11-20 jikespg = throw "'jikespg' has been removed due to lack of maintenance upstream."; # Added 2025-06-10 jing = jing-trang; # Added 2025-09-18 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 9a22b0da0825c..f05e893653bdf 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -2081,7 +2081,7 @@ with pkgs; intensity-normalization = with python3Packages; toPythonApplication intensity-normalization; - jellyfin-media-player = kdePackages.callPackage ../applications/video/jellyfin-media-player { }; + jellyfin-desktop = kdePackages.callPackage ../applications/video/jellyfin-desktop { }; jellyfin-mpv-shim = python3Packages.callPackage ../applications/video/jellyfin-mpv-shim { }; From 6d36c44ca1a7f00f2171286c516aae042511c1b2 Mon Sep 17 00:00:00 2001 From: Randy Eckenrode Date: Thu, 27 Nov 2025 11:27:55 -0500 Subject: [PATCH 38/70] apple-sdk: drop `FamilyDisplayName` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The correct setting name is actually `PlatformFamilyDisplayName`, which comes from the SDK in `SDKSettings.json`. It’s not part of `Info.plist`. (cherry picked from commit 50776d0e56eb99bbe1401e13489091186dbd445e) --- pkgs/by-name/ap/apple-sdk/common/plists.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/by-name/ap/apple-sdk/common/plists.nix b/pkgs/by-name/ap/apple-sdk/common/plists.nix index 70184d89429ba..a79581e7767d9 100644 --- a/pkgs/by-name/ap/apple-sdk/common/plists.nix +++ b/pkgs/by-name/ap/apple-sdk/common/plists.nix @@ -16,7 +16,6 @@ let STRIP_PNG_TEXT = "NO"; }; Description = if stdenvNoCC.hostPlatform.isMacOS then "macOS" else "iOS"; - FamilyDisplayName = Description; FamilyIdentifier = lib.toLower xcodePlatform; FamilyName = Description; Identifier = CFBundleIdentifier; From 902ebf72bbd79f87c07137c90366af87db3218d4 Mon Sep 17 00:00:00 2001 From: Alois Wohlschlager Date: Mon, 8 Dec 2025 17:25:16 +0100 Subject: [PATCH 39/70] nixos/nix-daemon: remove obsolete compatibility code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * util-linux was used for ionice, replaced by systemd directives in 2012 [1]. * gzip was used for compressing stuff sent over ssh, replaced by the `-C` option in Nix 1.8 [2]. * Conditionals for versions less than 2.8 (or 2.3) can be removed, as they are not supported any more [3]. * Some systemd directives are already in the upstream service file of all supported Nix and Lix versions, and are removed. For cgroup delegation, this is only strictly true for Lix ≥2.94; Lix 2.93 does not support it at all yet, and Nix doesn't use the supervisor group at all (I haven't investigated whether it creates one itself or is just broken entirely, but in any case the creation of the empty cgroup in the module will not help). [1] https://github.com/NixOS/nixpkgs/commit/88f94d76bcce27b42c748e6f2a7691d0659e5513 [2] https://github.com/NixOS/nix/commit/7f7d4ab68649b2f5530143e8cfa95fc785ae9937 [3] https://github.com/NixOS/nixpkgs/commit/fa0cba1c398faad0b810555daea3bfeb05719a8c (cherry picked from commit 8165c8d96a0a114b6455cce23d31f94e26eee63f) --- nixos/modules/services/system/nix-daemon.nix | 29 ++------------------ 1 file changed, 3 insertions(+), 26 deletions(-) diff --git a/nixos/modules/services/system/nix-daemon.nix b/nixos/modules/services/system/nix-daemon.nix index 2c4769da57645..9c3fba3f6dbaf 100644 --- a/nixos/modules/services/system/nix-daemon.nix +++ b/nixos/modules/services/system/nix-daemon.nix @@ -16,10 +16,6 @@ let nixPackage = cfg.package.out; - # nixVersion is an attribute which defines the implementation version. - # This is useful for Nix implementations which don't follow Nix's versioning. - isNixAtLeast = lib.versionAtLeast (nixPackage.nixVersion or (lib.getVersion nixPackage)); - makeNixBuildUser = nr: { name = "nixbld${toString nr}"; value = { @@ -196,26 +192,15 @@ in systemd.packages = [ nixPackage ]; - systemd.tmpfiles = lib.mkMerge [ - (lib.mkIf (isNixAtLeast "2.8") { - packages = [ nixPackage ]; - }) - (lib.mkIf (!isNixAtLeast "2.8") { - rules = [ - "d /nix/var/nix/daemon-socket 0755 root root - -" - ]; - }) - ]; + systemd.tmpfiles.packages = [ nixPackage ]; systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ]; systemd.services.nix-daemon = { path = [ nixPackage - pkgs.util-linux config.programs.ssh.package - ] - ++ lib.optionals cfg.distributedBuilds [ pkgs.gzip ]; + ]; environment = cfg.envVars @@ -224,15 +209,10 @@ in } // config.networking.proxy.envVars; - unitConfig.RequiresMountsFor = "/nix/store"; - serviceConfig = { CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy; IOSchedulingClass = cfg.daemonIOSchedClass; IOSchedulingPriority = cfg.daemonIOSchedPriority; - LimitNOFILE = 1048576; - Delegate = "yes"; - DelegateSubgroup = "supervisor"; }; restartTriggers = [ config.environment.etc."nix/nix.conf".source ]; @@ -287,10 +267,7 @@ in services.displayManager.hiddenUsers = lib.attrNames nixbldUsers; # Legacy configuration conversion. - nix.settings = lib.mkMerge [ - (lib.mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; }) - ]; - + nix.settings.sandbox-fallback = false; }; } From 8f144d184a980251da5c40be6b9836977565e56f Mon Sep 17 00:00:00 2001 From: Alois Wohlschlager Date: Mon, 8 Dec 2025 17:25:16 +0100 Subject: [PATCH 40/70] nixos/lix: init Over time, it is expected that the setups for Lix and Nix will diverge in some ways. To prevent cluttering the modules too much, we will introduce a separate Lix module. It begins its existence as a fork of the nix-daemon module, right now without major changes, although this will change soon. It is also slightly weird due to not having any option definitions on its own and instead dispatching on the pname of `nix.package`, which is done for backwards compatibility (particularly on 25.11), and will also change soon by the gradual introduction of a separate `programs.lix` option subtree. (cherry picked from commit a6c7a5b4b5f7df210bbe079fa649dc96e0f8518f) --- nixos/modules/module-list.nix | 1 + nixos/modules/programs/lix.nix | 115 +++++++++++++++++++ nixos/modules/services/system/nix-daemon.nix | 2 +- 3 files changed, 117 insertions(+), 1 deletion(-) create mode 100644 nixos/modules/programs/lix.nix diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 50323f0dd8881..8c298322ec7dc 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -255,6 +255,7 @@ ./programs/less.nix ./programs/liboping.nix ./programs/light.nix + ./programs/lix.nix ./programs/localsend.nix ./programs/mdevctl.nix ./programs/mepo.nix diff --git a/nixos/modules/programs/lix.nix b/nixos/modules/programs/lix.nix new file mode 100644 index 0000000000000..7499121b862a7 --- /dev/null +++ b/nixos/modules/programs/lix.nix @@ -0,0 +1,115 @@ +{ + config, + lib, + pkgs, + ... +}: +let + + cfg = config.nix; + + nixPackage = cfg.package.out; + + makeNixBuildUser = nr: { + name = "nixbld${toString nr}"; + value = { + description = "Lix build user ${toString nr}"; + uid = builtins.add config.ids.uids.nixbld nr; + isSystemUser = true; + group = "nixbld"; + extraGroups = [ "nixbld" ]; + }; + }; + + nixbldUsers = lib.listToAttrs (map makeNixBuildUser (lib.range 1 cfg.nrBuildUsers)); + +in + +{ + config = lib.mkIf (cfg.enable && nixPackage.pname == "lix") { + environment.systemPackages = [ + nixPackage + pkgs.nix-info + ] + ++ lib.optional (config.programs.bash.completion.enable) pkgs.nix-bash-completions; + + systemd.packages = [ nixPackage ]; + + systemd.tmpfiles.packages = [ nixPackage ]; + + systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ]; + + systemd.services.nix-daemon = { + path = [ + nixPackage + config.programs.ssh.package + ]; + + environment = + cfg.envVars + // { + CURL_CA_BUNDLE = config.security.pki.caBundle; + } + // config.networking.proxy.envVars; + + serviceConfig = { + CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy; + IOSchedulingClass = cfg.daemonIOSchedClass; + IOSchedulingPriority = cfg.daemonIOSchedPriority; + }; + + restartTriggers = [ config.environment.etc."nix/nix.conf".source ]; + + # `stopIfChanged = false` changes to switch behavior + # from stop -> update units -> start + # to update units -> restart + # + # The `stopIfChanged` setting therefore controls a trade-off between a + # more predictable lifecycle, which runs the correct "version" of + # the `ExecStop` line, and on the other hand the availability of + # sockets during the switch, as the effectiveness of the stop operation + # depends on the socket being stopped as well. + # + # As `nix-daemon.service` does not make use of `ExecStop`, we prefer + # to keep the socket up and available. This is important for machines + # that run Nix-based services, such as automated build, test, and deploy + # services, that expect the daemon socket to be available at all times. + # + # Notably, the Nix client does not retry on failure to connect to the + # daemon socket, and the in-process RemoteStore instance will disable + # itself. This makes retries infeasible even for services that are + # aware of the issue. Failure to connect can affect not only new client + # processes, but also new RemoteStore instances in existing processes, + # as well as existing RemoteStore instances that have not saturated + # their connection pool. + # + # Also note that `stopIfChanged = true` does not kill existing + # connection handling daemons, as one might wish to happen before a + # breaking Nix upgrade (which is rare). The daemon forks that handle + # the individual connections split off into their own sessions, causing + # them not to be stopped by systemd. + # If a Nix upgrade does require all existing daemon processes to stop, + # nix-daemon must do so on its own accord, and only when the new version + # starts and detects that Nix's persistent state needs an upgrade. + stopIfChanged = false; + + }; + + # Set up the environment variables for running Nix. + environment.sessionVariables = cfg.envVars; + + nix.nrBuildUsers = lib.mkDefault ( + if cfg.settings.auto-allocate-uids or false then + 0 + else + lib.max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs) + ); + + users.users = nixbldUsers; + + services.displayManager.hiddenUsers = lib.attrNames nixbldUsers; + + # Legacy configuration conversion. + nix.settings.sandbox-fallback = false; + }; +} diff --git a/nixos/modules/services/system/nix-daemon.nix b/nixos/modules/services/system/nix-daemon.nix index 9c3fba3f6dbaf..ef740b9ba8d94 100644 --- a/nixos/modules/services/system/nix-daemon.nix +++ b/nixos/modules/services/system/nix-daemon.nix @@ -183,7 +183,7 @@ in ###### implementation - config = lib.mkIf cfg.enable { + config = lib.mkIf (cfg.enable && nixPackage.pname != "lix") { environment.systemPackages = [ nixPackage pkgs.nix-info From 5a6288b85354f3586f8f088da7f1beb0946d9998 Mon Sep 17 00:00:00 2001 From: Alois Wohlschlager Date: Sun, 14 Dec 2025 14:29:33 +0100 Subject: [PATCH 41/70] nixos/lix: prepare for socket activation changes After [1], nix-daemon will be socket-activated, and the service options need to be set on the template unit. In the meantime, it does approximately nothing and is harmless. [1] https://gerrit.lix.systems/c/lix/+/4719 (cherry picked from commit d82e12e0dd8f7a969ab95fc6d7195ffcc2c4e62f) --- nixos/modules/programs/lix.nix | 123 ++++++++++++++++++--------------- 1 file changed, 68 insertions(+), 55 deletions(-) diff --git a/nixos/modules/programs/lix.nix b/nixos/modules/programs/lix.nix index 7499121b862a7..d87ff84eafba1 100644 --- a/nixos/modules/programs/lix.nix +++ b/nixos/modules/programs/lix.nix @@ -10,6 +10,26 @@ let nixPackage = cfg.package.out; + commonNixDaemonConfig = { + path = [ + nixPackage + config.programs.ssh.package + ]; + + environment = + cfg.envVars + // { + CURL_CA_BUNDLE = config.security.pki.caBundle; + } + // config.networking.proxy.envVars; + + serviceConfig = { + CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy; + IOSchedulingClass = cfg.daemonIOSchedClass; + IOSchedulingPriority = cfg.daemonIOSchedPriority; + }; + }; + makeNixBuildUser = nr: { name = "nixbld${toString nr}"; value = { @@ -39,61 +59,54 @@ in systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ]; - systemd.services.nix-daemon = { - path = [ - nixPackage - config.programs.ssh.package - ]; - - environment = - cfg.envVars - // { - CURL_CA_BUNDLE = config.security.pki.caBundle; - } - // config.networking.proxy.envVars; - - serviceConfig = { - CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy; - IOSchedulingClass = cfg.daemonIOSchedClass; - IOSchedulingPriority = cfg.daemonIOSchedPriority; - }; - - restartTriggers = [ config.environment.etc."nix/nix.conf".source ]; - - # `stopIfChanged = false` changes to switch behavior - # from stop -> update units -> start - # to update units -> restart - # - # The `stopIfChanged` setting therefore controls a trade-off between a - # more predictable lifecycle, which runs the correct "version" of - # the `ExecStop` line, and on the other hand the availability of - # sockets during the switch, as the effectiveness of the stop operation - # depends on the socket being stopped as well. - # - # As `nix-daemon.service` does not make use of `ExecStop`, we prefer - # to keep the socket up and available. This is important for machines - # that run Nix-based services, such as automated build, test, and deploy - # services, that expect the daemon socket to be available at all times. - # - # Notably, the Nix client does not retry on failure to connect to the - # daemon socket, and the in-process RemoteStore instance will disable - # itself. This makes retries infeasible even for services that are - # aware of the issue. Failure to connect can affect not only new client - # processes, but also new RemoteStore instances in existing processes, - # as well as existing RemoteStore instances that have not saturated - # their connection pool. - # - # Also note that `stopIfChanged = true` does not kill existing - # connection handling daemons, as one might wish to happen before a - # breaking Nix upgrade (which is rare). The daemon forks that handle - # the individual connections split off into their own sessions, causing - # them not to be stopped by systemd. - # If a Nix upgrade does require all existing daemon processes to stop, - # nix-daemon must do so on its own accord, and only when the new version - # starts and detects that Nix's persistent state needs an upgrade. - stopIfChanged = false; - - }; + systemd.services."nix-daemon@" = lib.mkMerge [ + commonNixDaemonConfig + { + # Do not kill connections serving established connections on upgrade. + restartIfChanged = false; + } + ]; + + systemd.services.nix-daemon = lib.mkMerge [ + commonNixDaemonConfig + { + restartTriggers = [ config.environment.etc."nix/nix.conf".source ]; + + # `stopIfChanged = false` changes to switch behavior + # from stop -> update units -> start + # to update units -> restart + # + # The `stopIfChanged` setting therefore controls a trade-off between a + # more predictable lifecycle, which runs the correct "version" of + # the `ExecStop` line, and on the other hand the availability of + # sockets during the switch, as the effectiveness of the stop operation + # depends on the socket being stopped as well. + # + # As `nix-daemon.service` does not make use of `ExecStop`, we prefer + # to keep the socket up and available. This is important for machines + # that run Nix-based services, such as automated build, test, and deploy + # services, that expect the daemon socket to be available at all times. + # + # Notably, the Nix client does not retry on failure to connect to the + # daemon socket, and the in-process RemoteStore instance will disable + # itself. This makes retries infeasible even for services that are + # aware of the issue. Failure to connect can affect not only new client + # processes, but also new RemoteStore instances in existing processes, + # as well as existing RemoteStore instances that have not saturated + # their connection pool. + # + # Also note that `stopIfChanged = true` does not kill existing + # connection handling daemons, as one might wish to happen before a + # breaking Nix upgrade (which is rare). The daemon forks that handle + # the individual connections split off into their own sessions, causing + # them not to be stopped by systemd. + # If a Nix upgrade does require all existing daemon processes to stop, + # nix-daemon must do so on its own accord, and only when the new version + # starts and detects that Nix's persistent state needs an upgrade. + stopIfChanged = false; + + } + ]; # Set up the environment variables for running Nix. environment.sessionVariables = cfg.envVars; From 01e9ec9df0bb0d29a8f7918b981e60561b382055 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Fri, 19 Dec 2025 21:37:05 +0000 Subject: [PATCH 42/70] libopenmpt: 0.8.3 -> 0.8.4 (cherry picked from commit 9c57c24adef0bc733b363b11280f5a411124ab27) --- pkgs/by-name/li/libopenmpt/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libopenmpt/package.nix b/pkgs/by-name/li/libopenmpt/package.nix index 23a5ea99f42ec..59c06637b4831 100644 --- a/pkgs/by-name/li/libopenmpt/package.nix +++ b/pkgs/by-name/li/libopenmpt/package.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { pname = "libopenmpt"; - version = "0.8.3"; + version = "0.8.4"; outputs = [ "out" @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-${version}+release.autotools.tar.gz"; - hash = "sha256-JdSGpNqXKIGSdO0JWf15ocY1iVRxDVTBQEfGRXyMqKw="; + hash = "sha256-Yn+b8RqsrmFaHyyYLH6IyyHxGy1vAmeUb3yCxerklDs="; }; enableParallelBuilding = true; From 22fb5a0e6c65687e9ebc4424bf6ac6be1019310b Mon Sep 17 00:00:00 2001 From: Kirill Radzikhovskyy Date: Sat, 20 Dec 2025 12:58:22 +1100 Subject: [PATCH 43/70] python3Packages.werkzeug: 3.1.3 -> 3.1.4 https://github.com/pallets/werkzeug/releases/tag/3.1.4 Security fix: - CVE-2025-66221 (cherry picked from commit 4456d48f6c61e6bf9e5df82dab77480cb33397d7) --- pkgs/development/python-modules/werkzeug/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/werkzeug/default.nix b/pkgs/development/python-modules/werkzeug/default.nix index 70829aecb81ab..8b5be89bbafab 100644 --- a/pkgs/development/python-modules/werkzeug/default.nix +++ b/pkgs/development/python-modules/werkzeug/default.nix @@ -28,14 +28,14 @@ buildPythonPackage rec { pname = "werkzeug"; - version = "3.1.3"; + version = "3.1.4"; pyproject = true; disabled = pythonOlder "3.9"; src = fetchPypi { inherit pname version; - hash = "sha256-YHI86UXBkyhnl5DjKCzHWKpKYEDkuzMPU9MPpUbUR0Y="; + hash = "sha256-zTzZixuS3Dt7OZUDiCbGgJfcsW+bqmOr418g6v65/l4="; }; build-system = [ flit-core ]; From bf4593a913990679393a45d968c363da1f2a5189 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Fri, 19 Dec 2025 13:08:42 +0000 Subject: [PATCH 44/70] cryptsetup: 2.8.1 -> 2.8.2 (cherry picked from commit 0abd4eeb911157b4ba2ebab029dd2900dbe2aa66) --- pkgs/by-name/cr/cryptsetup/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/cr/cryptsetup/package.nix b/pkgs/by-name/cr/cryptsetup/package.nix index 5ab95727c063e..f7ffd4f8d031e 100644 --- a/pkgs/by-name/cr/cryptsetup/package.nix +++ b/pkgs/by-name/cr/cryptsetup/package.nix @@ -25,7 +25,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "cryptsetup"; - version = "2.8.1"; + version = "2.8.2"; outputs = [ "bin" @@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: { url = "mirror://kernel/linux/utils/cryptsetup/v${lib.versions.majorMinor finalAttrs.version}/" + "cryptsetup-${finalAttrs.version}.tar.xz"; - hash = "sha256-LDN563ZZfcq1CRFEmwE+JpfEv/zHFtu/DZsOj7u0b7Q="; + hash = "sha256-3Z7emHWXbLJfPSm/q/NDscYPYYZka2fvXkDmCrSTXsE="; }; patches = [ From f7f8963cad752bc8f37c41adf237a1c8a25936db Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Wed, 24 Dec 2025 12:58:24 +0000 Subject: [PATCH 45/70] cryptsetup: 2.8.2 -> 2.8.3 Changes: https://gitlab.com/cryptsetup/cryptsetup/-/compare/v2.8.2...v2.8.3?from_project_id=195655 (cherry picked from commit b8ced9471d40a0cdad2aa740501503a907bf5632) --- pkgs/by-name/cr/cryptsetup/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/cr/cryptsetup/package.nix b/pkgs/by-name/cr/cryptsetup/package.nix index f7ffd4f8d031e..d310ed986ca9b 100644 --- a/pkgs/by-name/cr/cryptsetup/package.nix +++ b/pkgs/by-name/cr/cryptsetup/package.nix @@ -25,7 +25,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "cryptsetup"; - version = "2.8.2"; + version = "2.8.3"; outputs = [ "bin" @@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: { url = "mirror://kernel/linux/utils/cryptsetup/v${lib.versions.majorMinor finalAttrs.version}/" + "cryptsetup-${finalAttrs.version}.tar.xz"; - hash = "sha256-3Z7emHWXbLJfPSm/q/NDscYPYYZka2fvXkDmCrSTXsE="; + hash = "sha256-SoojuLnRoyUEUuQKzq1EIaA+RaOJVK0FlWNPQmaqgA8="; }; patches = [ From 4c254672b58888464268f62871f0fa10f8e46780 Mon Sep 17 00:00:00 2001 From: Morgan Jones Date: Tue, 23 Dec 2025 14:51:20 -0800 Subject: [PATCH 46/70] util-linux: 2.41.2 -> 2.41.3 (cherry picked from commit ce227d4c5d91fcafee956481446bb1fea041eb25) --- pkgs/by-name/ut/util-linux/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/ut/util-linux/package.nix b/pkgs/by-name/ut/util-linux/package.nix index cd354611f9acd..0b1cb579bfd34 100644 --- a/pkgs/by-name/ut/util-linux/package.nix +++ b/pkgs/by-name/ut/util-linux/package.nix @@ -40,11 +40,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "util-linux" + lib.optionalString isMinimal "-minimal"; - version = "2.41.2"; + version = "2.41.3"; src = fetchurl { url = "mirror://kernel/linux/utils/util-linux/v${lib.versions.majorMinor finalAttrs.version}/util-linux-${finalAttrs.version}.tar.xz"; - hash = "sha256-YGKh2JtXGmGTLm/AIR82BgxBg1aLge6GbPNjvOn2WD4="; + hash = "sha256-MzDYc/D861VguJp9wU5PMoi72IDpaQPtm1DsK1eZ5Ys="; }; patches = [ From 72258134b5832c593aba47d9a4631b47a0e08e12 Mon Sep 17 00:00:00 2001 From: Ben Siraphob Date: Mon, 17 Nov 2025 09:42:53 -0800 Subject: [PATCH 47/70] gnugrep: disable gnulib tests to fix Darwin cross (cherry picked from commit f5ab93698da8b54218f1bd8f9e0cc930108bfb63) --- pkgs/tools/text/gnugrep/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/text/gnugrep/default.nix b/pkgs/tools/text/gnugrep/default.nix index b0f1cbc803c9b..71b06d4273f35 100644 --- a/pkgs/tools/text/gnugrep/default.nix +++ b/pkgs/tools/text/gnugrep/default.nix @@ -38,8 +38,9 @@ stdenv.mkDerivation { # Some gnulib tests fail # - on Musl: https://github.com/NixOS/nixpkgs/pull/228714 # - on x86_64-darwin: https://github.com/NixOS/nixpkgs/pull/228714#issuecomment-1576826330 + # - when building on Darwin (cross-compilation): test-nl_langinfo-mt fails postPatch = - if stdenv.hostPlatform.isMusl || (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isx86_64) then + if stdenv.hostPlatform.isMusl || stdenv.buildPlatform.isDarwin then '' sed -i 's:gnulib-tests::g' Makefile.in '' From f19693ced15c4f315996117f219aaf5dac9b2ad7 Mon Sep 17 00:00:00 2001 From: Ben Siraphob Date: Mon, 17 Nov 2025 13:40:28 -0800 Subject: [PATCH 48/70] diffutils: disable gnulib tests to fix Darwin cross (cherry picked from commit 3794fda5edc189e1aa791442e94b01640ff1bdde) https://hydra.nixos.org/build/317386859/nixlog/135/tail --- pkgs/tools/text/diffutils/default.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/text/diffutils/default.nix b/pkgs/tools/text/diffutils/default.nix index a681ff46aef86..3a39749b5a1c5 100644 --- a/pkgs/tools/text/diffutils/default.nix +++ b/pkgs/tools/text/diffutils/default.nix @@ -44,8 +44,14 @@ stdenv.mkDerivation rec { # Disable stack-related gnulib tests on x86_64-darwin because they have problems running under # Rosetta 2: test-c-stack hangs, test-sigsegv-catch-stackoverflow and test-sigaction fail. + # Disable all gnulib tests when building on Darwin due to test-nl_langinfo-mt failure + # known by upstream https://www.mail-archive.com/bug-gnulib@gnu.org/msg50806.html postPatch = - if + if stdenv.buildPlatform.isDarwin then + '' + sed -i 's:gnulib-tests::g' Makefile.in + '' + else if ((stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isx86_64) || (stdenv.hostPlatform.isAarch32)) then '' From fc4b78cb080332b46acb2e53c401d30484524808 Mon Sep 17 00:00:00 2001 From: Michael Daniels Date: Sat, 27 Dec 2025 22:35:59 -0500 Subject: [PATCH 49/70] Revert "[Backport staging-25.11] c-ares: fix IPv6 link-local DNS server support" --- pkgs/development/libraries/c-ares/default.nix | 5 -- .../c-ares/fix-link-local-dns-servers.patch | 50 ------------------- 2 files changed, 55 deletions(-) delete mode 100644 pkgs/development/libraries/c-ares/fix-link-local-dns-servers.patch diff --git a/pkgs/development/libraries/c-ares/default.nix b/pkgs/development/libraries/c-ares/default.nix index 2d9cf349b94ed..4e7a3b2e97ba0 100644 --- a/pkgs/development/libraries/c-ares/default.nix +++ b/pkgs/development/libraries/c-ares/default.nix @@ -26,11 +26,6 @@ stdenv.mkDerivation rec { hash = "sha256-kS3XzDs+innFL9f7nA9Ozwqqc+Re/aiAJmotbia4TvU="; }; - patches = [ - # Fix being unable to use Ipv6 link-local DNS servers. See: https://github.com/c-ares/c-ares/pull/997. - ./fix-link-local-dns-servers.patch - ]; - outputs = [ "out" "dev" diff --git a/pkgs/development/libraries/c-ares/fix-link-local-dns-servers.patch b/pkgs/development/libraries/c-ares/fix-link-local-dns-servers.patch deleted file mode 100644 index 07a5b5f2084c5..0000000000000 --- a/pkgs/development/libraries/c-ares/fix-link-local-dns-servers.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 0fbeb87f65ad9e9e6cead10d778291db71489f34 Mon Sep 17 00:00:00 2001 -From: iucoen <68678186+iucoen@users.noreply.github.com> -Date: Thu, 5 Jun 2025 20:08:43 -0700 -Subject: [PATCH] Fix IPv6 link-local nameservers in /etc/resolv.conf (#997) - -There are two issues that broke link-local nameservers in resolv.conf -1. channel->sock_funcs needs to be initialized before -ares_init_by_sysconfig() -2. The aif_nametoindex and aif_indextoname function pointers were not -initlized at all. ---- - src/lib/ares_init.c | 4 ++-- - src/lib/ares_set_socket_functions.c | 2 ++ - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c -index ae78262a11..ce6181833c 100644 ---- a/src/lib/ares_init.c -+++ b/src/lib/ares_init.c -@@ -271,6 +271,8 @@ int ares_init_options(ares_channel_t **channelptr, - goto done; - } - -+ ares_set_socket_functions_def(channel); -+ - /* Initialize Server List */ - channel->servers = - ares_slist_create(channel->rand_state, server_sort_cb, server_destroy_cb); -@@ -346,8 +348,6 @@ int ares_init_options(ares_channel_t **channelptr, - goto done; - } - -- ares_set_socket_functions_def(channel); -- - /* Initialize the event thread */ - if (channel->optmask & ARES_OPT_EVENT_THREAD) { - ares_event_thread_t *e = NULL; -diff --git a/src/lib/ares_set_socket_functions.c b/src/lib/ares_set_socket_functions.c -index cfe434327d..9994e81df5 100644 ---- a/src/lib/ares_set_socket_functions.c -+++ b/src/lib/ares_set_socket_functions.c -@@ -127,6 +127,8 @@ ares_status_t - channel->sock_funcs.asendto = funcs->asendto; - channel->sock_funcs.agetsockname = funcs->agetsockname; - channel->sock_funcs.abind = funcs->abind; -+ channel->sock_funcs.aif_nametoindex = funcs->aif_nametoindex; -+ channel->sock_funcs.aif_indextoname = funcs->aif_indextoname; - } - - /* Implement newer versions here ...*/ \ No newline at end of file From ecfa357f596cc27577f43f4832f94c8a2b30accf Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Sat, 13 Dec 2025 17:18:32 +0100 Subject: [PATCH 50/70] wolfssl: 5.8.2 -> 5.8.4 Fixes CVE-2025-12888, CVE-2025-11936, CVE-2025-11935, CVE-2025-11934, CVE-2025-11933, CVE-2025-11931, CVE-2025-11932 and CVE-2025-12889. Fixes #470470 Fixes #470471 Changes: https://github.com/wolfSSL/wolfssl/releases/tag/v5.8.4-stable (cherry picked from commit b4bdc1b3773e487a577b57b4daaf91157fa47026) (cherry picked from commit bd688bfbcdc0439824d9fb255cacf811260b5eb0) --- pkgs/by-name/wo/wolfssl/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/wo/wolfssl/package.nix b/pkgs/by-name/wo/wolfssl/package.nix index b85e2c2016e06..e904c4dfefcca 100644 --- a/pkgs/by-name/wo/wolfssl/package.nix +++ b/pkgs/by-name/wo/wolfssl/package.nix @@ -17,13 +17,13 @@ }: stdenv.mkDerivation (finalAttrs: { pname = "wolfssl-${variant}"; - version = "5.8.2"; + version = "5.8.4"; src = fetchFromGitHub { owner = "wolfSSL"; repo = "wolfssl"; tag = "v${finalAttrs.version}-stable"; - hash = "sha256-rWBfpI6tdpKvQA/XdazBvU5hzyai5PtKRBpM4iplZDU="; + hash = "sha256-vfJKmDdM0r591t5GnuSS7NyiUYXCQOTKbWLVydB3N9s="; }; postPatch = '' From 50aa448e97304c6175b308b78e41094b294d6e70 Mon Sep 17 00:00:00 2001 From: aleksana Date: Wed, 24 Dec 2025 21:57:37 +0800 Subject: [PATCH 51/70] python3Packages.uvloop: skip flakey test_cancel_post_init On this branch I see 5/7 failures. Quite annoying. --- pkgs/development/python-modules/uvloop/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/development/python-modules/uvloop/default.nix b/pkgs/development/python-modules/uvloop/default.nix index ed4c643c22455..8b1fd4ff32798 100644 --- a/pkgs/development/python-modules/uvloop/default.nix +++ b/pkgs/development/python-modules/uvloop/default.nix @@ -4,7 +4,6 @@ buildPythonPackage, pythonOlder, fetchFromGitHub, - fetchpatch, # build-system cython, @@ -70,6 +69,9 @@ buildPythonPackage rec { "tests/test_tcp.py::Test_AIO_TCP::test_create_connection_open_con_addr" # ConnectionAbortedError: SSL handshake is taking longer than 15.0 seconds "tests/test_tcp.py::Test_AIO_TCPSSL::test_create_connection_ssl_1" + # Fails randomly on hydra + # https://github.com/MagicStack/uvloop/issues/709 + "tests/test_process.py::TestAsyncio_AIO_Process::test_cancel_post_init" ] ++ lib.optionals (pythonOlder "3.11") [ "tests/test_tcp.py::Test_UV_TCPSSL::test_create_connection_ssl_failed_certificat" From bc75773a2be37fcb2a1239cde1f11afccc449af4 Mon Sep 17 00:00:00 2001 From: Yureka Date: Tue, 16 Dec 2025 08:00:25 +0100 Subject: [PATCH 52/70] python3.pkgs.beautifulsoup4: 4.13.4 -> 4.14.3 Changelog: https://git.launchpad.net/beautifulsoup/tree/CHANGELOG?h=4.14.2&id=fc02060f68535fa478cf8301bb7ee5ce95a70ffd (pypi release 4.13.3 does not have a git tag) (cherry picked from commit 0f5049b654b471125f90ca15fe3fa56da378ebc6) Unfortunately we need to recover from Python patch-level update :-/ https://hydra.nixos.org/build/317665659/nixlog/1/tail --- .../python-modules/beautifulsoup4/default.nix | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/pkgs/development/python-modules/beautifulsoup4/default.nix b/pkgs/development/python-modules/beautifulsoup4/default.nix index 2e4c4078f8822..a174298263a1c 100644 --- a/pkgs/development/python-modules/beautifulsoup4/default.nix +++ b/pkgs/development/python-modules/beautifulsoup4/default.nix @@ -35,7 +35,7 @@ buildPythonPackage rec { pname = "beautifulsoup4"; - version = "4.13.4"; + version = "4.14.3"; pyproject = true; outputs = [ @@ -45,18 +45,9 @@ buildPythonPackage rec { src = fetchPypi { inherit pname version; - hash = "sha256-27PE4c6uau/r2vJCMkcmDNBiQwpBDjjGbyuqUKhDcZU="; + hash = "sha256-YpKxxRhtNWu6Zp759/BRdXCZVlrZraXdYwvZ3l+n+4Y="; }; - patches = [ - # backport test fix for behavior changes in libxml 2.14.3 - (fetchpatch { - url = "https://git.launchpad.net/beautifulsoup/patch/?id=53d328406ec8c37c0edbd00ace3782be63e2e7e5"; - excludes = [ "CHANGELOG" ]; - hash = "sha256-RtavbpnfT6x0A8L3tAvCXwKUpty1ASPGJKdks7evBr8="; - }) - ]; - build-system = [ hatchling ]; nativeBuildInputs = [ sphinxHook ]; From a2609395cda32bdb3461504edd8252959604f87a Mon Sep 17 00:00:00 2001 From: Yureka Date: Tue, 16 Dec 2025 08:08:06 +0100 Subject: [PATCH 53/70] python3.pkgs.beautifulsoup4: add patch for python 3.14.1 Fixes #470964 (cherry picked from commit 960ddd7b27f09fe758a0373897423234dc6283e1) --- .../python-modules/beautifulsoup4/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/development/python-modules/beautifulsoup4/default.nix b/pkgs/development/python-modules/beautifulsoup4/default.nix index a174298263a1c..e81d3040df6a2 100644 --- a/pkgs/development/python-modules/beautifulsoup4/default.nix +++ b/pkgs/development/python-modules/beautifulsoup4/default.nix @@ -48,6 +48,15 @@ buildPythonPackage rec { hash = "sha256-YpKxxRhtNWu6Zp759/BRdXCZVlrZraXdYwvZ3l+n+4Y="; }; + patches = [ + # Fix tests with python 3.13.10 / 3.14.1 + (fetchpatch { + url = "https://git.launchpad.net/beautifulsoup/patch/?id=55f655ffb7ef03bdd1df0f013743831fe54e3c7a"; + excludes = [ "CHANGELOG" ]; + hash = "sha256-DJl1pey0NdJH+SyBH9+y6gwUvQCmou0D9xcRAEV8OBw="; + }) + ]; + build-system = [ hatchling ]; nativeBuildInputs = [ sphinxHook ]; From 1551a606a7030a90d9681e00f997dfe4c62a9ced Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Wed, 7 Jan 2026 09:45:37 +0100 Subject: [PATCH 54/70] man-db: disable checks on aarch64-darwin https://hydra.nixos.org/build/317425367/nixlog/8/tail We don't seem to have anyone willing to dig deeper into the issue, and it's surely not worth blocking everything on man tests. --- pkgs/by-name/ma/man-db/package.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/ma/man-db/package.nix b/pkgs/by-name/ma/man-db/package.nix index 0b173b013f7bf..1ce7bf29d9858 100644 --- a/pkgs/by-name/ma/man-db/package.nix +++ b/pkgs/by-name/ma/man-db/package.nix @@ -113,8 +113,12 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - doCheck = - !stdenv.hostPlatform.isMusl # iconv binary + doCheck = with stdenv.hostPlatform; + !isMusl # iconv binary + # It's unclear what exactly is happening here, but system log shows lines like: + # XprotectService: [com.apple.xprotect:xprotect] File $buildDir/$name/src/.libs/mandb failed on + # loadCmd $out/lib/man-db/libmandb-$version.dylib (loadCmd resolved to: (path not found), bundleURL: (null)) + && !(isDarwin && isAarch64) ; passthru.tests = { From a4ff1fdb4558c6b74c211a631d526e9d75bdbb71 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Fri, 14 Nov 2025 23:12:25 +0100 Subject: [PATCH 55/70] python314Packages.twisted: fix tests, modernize (cherry picked from commit c94b6d13abd2d7792acad1ab12589c9e31840945) --- .../python-modules/twisted/default.nix | 19 ++++++++++++++----- .../twisted/python314-urljoin-compat.patch | 13 +++++++++++++ 2 files changed, 27 insertions(+), 5 deletions(-) create mode 100644 pkgs/development/python-modules/twisted/python314-urljoin-compat.patch diff --git a/pkgs/development/python-modules/twisted/default.nix b/pkgs/development/python-modules/twisted/default.nix index 4078baca698ab..a2287075c9759 100644 --- a/pkgs/development/python-modules/twisted/default.nix +++ b/pkgs/development/python-modules/twisted/default.nix @@ -5,6 +5,7 @@ pythonAtLeast, pythonOlder, fetchPypi, + fetchpatch, python, # build-system @@ -56,9 +57,7 @@ buildPythonPackage rec { pname = "twisted"; version = "25.5.0"; - format = "pyproject"; - - disabled = pythonOlder "3.6"; + pyproject = true; src = fetchPypi { inherit pname version; @@ -66,15 +65,25 @@ buildPythonPackage rec { hash = "sha256-HesnI1jLa+Hj6PxvnIs2946w+nwiM9Lb4R7G/uBOoxY="; }; + patches = [ + (fetchpatch { + # https://github.com/twisted/twisted/pull/12508 + url = "https://github.com/twisted/twisted/commit/ef6160aa2595adfba0c71da6db65b7a7252f23e9.patch"; + hash = "sha256-zHkEWT0lvWf86RlkzU5Wx6R5ear04cfpxB7wjgdpw5c="; + }) + # https://github.com/twisted/twisted/pull/12511 + ./python314-urljoin-compat.patch + ]; + __darwinAllowLocalNetworking = true; - nativeBuildInputs = [ + build-system = [ hatchling hatch-fancy-pypi-readme incremental ]; - propagatedBuildInputs = [ + dependencies = [ attrs automat constantly diff --git a/pkgs/development/python-modules/twisted/python314-urljoin-compat.patch b/pkgs/development/python-modules/twisted/python314-urljoin-compat.patch new file mode 100644 index 0000000000000..dbae3bf605fab --- /dev/null +++ b/pkgs/development/python-modules/twisted/python314-urljoin-compat.patch @@ -0,0 +1,13 @@ +diff --git a/src/twisted/web/client.py b/src/twisted/web/client.py +index d3cd11fb84..5f18965759 100644 +--- a/src/twisted/web/client.py ++++ b/src/twisted/web/client.py +@@ -220,7 +220,7 @@ def _urljoin(base, url): + """ + base, baseFrag = urldefrag(base) + url, urlFrag = urldefrag(urljoin(base, url)) +- return urljoin(url, b"#" + (urlFrag or baseFrag)) ++ return urljoin(url, b"#" + (urlFrag or baseFrag)).strip(b"#") + + + def _makeGetterFactory(url, factoryFactory, contextFactory=None, *args, **kwargs): From 2f0d2314b2f1bd9be6e93c791af8b186e45c1ede Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 18 Dec 2025 02:32:03 +0100 Subject: [PATCH 56/70] python3Packages.twisted: fix python 3.14.2 compat (cherry picked from commit 928cae63265d8797f0439585a9dc36702cb9234e) --- pkgs/development/python-modules/twisted/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/development/python-modules/twisted/default.nix b/pkgs/development/python-modules/twisted/default.nix index a2287075c9759..35cfabc35dc10 100644 --- a/pkgs/development/python-modules/twisted/default.nix +++ b/pkgs/development/python-modules/twisted/default.nix @@ -73,6 +73,11 @@ buildPythonPackage rec { }) # https://github.com/twisted/twisted/pull/12511 ./python314-urljoin-compat.patch + (fetchpatch { + # https://github.com/twisted/twisted/pull/12551 + url = "https://github.com/twisted/twisted/commit/b1173fa307a9752eedd63890113eb610c3cca4a0.patch"; + hash = "sha256-DWEygdo1b8uQOeFLy0/zcRNuuKJdSsF7cQM7RH04Puw="; + }) ]; __darwinAllowLocalNetworking = true; From 9530546339aae544d9ed762f326b49f1852e27f3 Mon Sep 17 00:00:00 2001 From: Sizhe Zhao Date: Thu, 1 Jan 2026 18:08:52 +0800 Subject: [PATCH 57/70] python3Packages.twisted: fix build on darwin (cherry picked from commit 9526462ebbbe0a348310a217574c975cfda32e57) --- pkgs/development/python-modules/twisted/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/development/python-modules/twisted/default.nix b/pkgs/development/python-modules/twisted/default.nix index 35cfabc35dc10..316a281a106fb 100644 --- a/pkgs/development/python-modules/twisted/default.nix +++ b/pkgs/development/python-modules/twisted/default.nix @@ -186,6 +186,12 @@ buildPythonPackage rec { "ProcessTestsBuilder_AsyncioSelectorReactorTests.test_processEnded" "ProcessTestsBuilder_SelectReactorTests.test_processEnded" ]; + "src/twisted/internet/test/test_tcp.py" = [ + # marked as flaky on macOS by upstream + # https://github.com/twisted/twisted/blob/twisted-25.5.0/src/twisted/internet/test/test_tcp.py + "AbortConnectionTests_AsyncioSelectorReactorTests.test_resumeProducingAbort" + "AbortConnectionTests_AsyncioSelectorReactorTests.test_resumeProducingAbortLater" + ]; }; in lib.concatStringsSep "\n" ( From 2fa8863bdc75732d256b4001d2bda910402e6de7 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 18 Dec 2025 01:32:20 +0100 Subject: [PATCH 58/70] python3Package.django_4: disable on 3.13 and newer Django 4.2.x does not support Python 3.13 and newer. (cherry picked from commit 652c49568846f7cc9bf354c6b25950efd9c7eb5f) --- pkgs/development/python-modules/django/4.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/python-modules/django/4.nix b/pkgs/development/python-modules/django/4.nix index 3cbbdcb1333ff..f72ad94e052d5 100644 --- a/pkgs/development/python-modules/django/4.nix +++ b/pkgs/development/python-modules/django/4.nix @@ -48,7 +48,7 @@ buildPythonPackage rec { version = "4.2.27"; format = "pyproject"; - disabled = pythonOlder "3.8"; + disabled = pythonOlder "3.8" || pythonAtLeast "3.13"; src = fetchFromGitHub { owner = "django"; From 99db8c64c365565ec59879154b0c44ceadadc0da Mon Sep 17 00:00:00 2001 From: K900 Date: Thu, 18 Dec 2025 16:52:32 +0300 Subject: [PATCH 59/70] python313Packages.tabulate: skip broken test (cherry picked from commit 8add175eeeaf4525fe65eccb908795b85527535c) --- pkgs/development/python-modules/tabulate/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/development/python-modules/tabulate/default.nix b/pkgs/development/python-modules/tabulate/default.nix index ac3450f87e1e8..b845af0e46054 100644 --- a/pkgs/development/python-modules/tabulate/default.nix +++ b/pkgs/development/python-modules/tabulate/default.nix @@ -35,6 +35,11 @@ buildPythonPackage rec { ] ++ lib.flatten (builtins.attrValues optional-dependencies); + # Tests against stdlib behavior which changed in https://github.com/python/cpython/pull/139070 + disabledTests = [ + "test_wrap_multiword_non_wide" + ]; + meta = { description = "Pretty-print tabular data"; mainProgram = "tabulate"; From 6e9f9986a11e6cfa68bf3e580047985c4dcaa77e Mon Sep 17 00:00:00 2001 From: aleksana Date: Wed, 24 Dec 2025 17:34:59 +0800 Subject: [PATCH 60/70] python313Packages.blessed:1.21.0 -> 1.25-unstable-2025-12-05 (cherry picked from commit 3f7118e216ce159a6615836a5b3237cbb1adb5b7) --- .../python-modules/blessed/default.nix | 39 +++++++++++-------- 1 file changed, 22 insertions(+), 17 deletions(-) diff --git a/pkgs/development/python-modules/blessed/default.nix b/pkgs/development/python-modules/blessed/default.nix index 98e27dccac5b9..659f3523d5b3f 100644 --- a/pkgs/development/python-modules/blessed/default.nix +++ b/pkgs/development/python-modules/blessed/default.nix @@ -1,41 +1,46 @@ { lib, buildPythonPackage, - fetchPypi, - six, + fetchFromGitHub, + flit-core, wcwidth, - pytest, + six, + pytestCheckHook, mock, glibcLocales, }: -buildPythonPackage rec { +buildPythonPackage { pname = "blessed"; - version = "1.21.0"; - format = "setuptools"; + # We need https://github.com/jquast/blessed/pull/311 to fix 3.13 + version = "1.25-unstable-2025-12-05"; + pyproject = true; - src = fetchPypi { - inherit pname version; - hash = "sha256-7Oi7xHWKuRdkUvTjpxnXAIjrVzl5jNVYLJ4F8qKDN+w="; + src = fetchFromGitHub { + owner = "jquast"; + repo = "blessed"; + rev = "cee680ff7fb3ad31f42ae98582ba74629f1fd6b0"; + hash = "sha256-4K1W0LXJKkb2wKE6D+IkX3oI5KxkpKbO661W/VTHgts="; }; + build-system = [ flit-core ]; + + dependencies = [ + wcwidth + six + ]; + nativeCheckInputs = [ - pytest + pytestCheckHook mock glibcLocales ]; # Default tox.ini parameters not needed - checkPhase = '' + preCheck = '' rm tox.ini - pytest ''; - propagatedBuildInputs = [ - wcwidth - six - ]; - meta = { homepage = "https://github.com/jquast/blessed"; description = "Thin, practical wrapper around terminal capabilities in Python"; From 7779e46205576918a369a971f5f1052d95c6b85b Mon Sep 17 00:00:00 2001 From: Gaetan Lepage Date: Tue, 30 Dec 2025 23:41:28 +0000 Subject: [PATCH 61/70] python3Packages.blessed: disable test_sixel on darwin (cherry picked from commit 83e69397be1d13c5f5580e3ef8972efcd204aa6d) --- pkgs/development/python-modules/blessed/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/development/python-modules/blessed/default.nix b/pkgs/development/python-modules/blessed/default.nix index 659f3523d5b3f..82c357dfdb8a5 100644 --- a/pkgs/development/python-modules/blessed/default.nix +++ b/pkgs/development/python-modules/blessed/default.nix @@ -1,5 +1,6 @@ { lib, + stdenv, buildPythonPackage, fetchFromGitHub, flit-core, @@ -41,6 +42,11 @@ buildPythonPackage { rm tox.ini ''; + disabledTestPaths = lib.optionals stdenv.hostPlatform.isDarwin [ + # Fail with several AssertionError + "tests/test_sixel.py" + ]; + meta = { homepage = "https://github.com/jquast/blessed"; description = "Thin, practical wrapper around terminal capabilities in Python"; From 2027d15f4183e3f491a305049b0a655e93e84e07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Thu, 8 Jan 2026 08:07:44 +0100 Subject: [PATCH 62/70] man: nixfmt fixup I forgot this, I guess. --- pkgs/by-name/ma/man-db/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/ma/man-db/package.nix b/pkgs/by-name/ma/man-db/package.nix index 1ce7bf29d9858..99f20e044eae6 100644 --- a/pkgs/by-name/ma/man-db/package.nix +++ b/pkgs/by-name/ma/man-db/package.nix @@ -113,13 +113,13 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - doCheck = with stdenv.hostPlatform; + doCheck = + with stdenv.hostPlatform; !isMusl # iconv binary # It's unclear what exactly is happening here, but system log shows lines like: # XprotectService: [com.apple.xprotect:xprotect] File $buildDir/$name/src/.libs/mandb failed on # loadCmd $out/lib/man-db/libmandb-$version.dylib (loadCmd resolved to: (path not found), bundleURL: (null)) - && !(isDarwin && isAarch64) - ; + && !(isDarwin && isAarch64); passthru.tests = { nixos = nixosTests.man; From 746aac3ff2e6049f07278613e79dc83f149406f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Thu, 8 Jan 2026 07:57:17 +0100 Subject: [PATCH 63/70] gcc14: fixup build on aarch64-darwin https://hydra.nixos.org/build/317993814 Same for gfortran14 and perhaps other derivatives. This is a partial revert of 385a5e291736 from PR #461497 (with added comment to explain) (cherry picked from commit 6ea24aa5c3d8a8ca8cdde74e34d7f3b0d230acee) --- pkgs/development/compilers/gcc/patches/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/development/compilers/gcc/patches/default.nix b/pkgs/development/compilers/gcc/patches/default.nix index 0f7db57689e1b..d439a4133e78b 100644 --- a/pkgs/development/compilers/gcc/patches/default.nix +++ b/pkgs/development/compilers/gcc/patches/default.nix @@ -161,7 +161,10 @@ optionals noSysDirs ( ## Darwin # Fixes detection of Darwin on x86_64-darwin and aarch64-darwin. Otherwise, GCC uses a deployment target of 10.5, which crashes ld64. -++ optional (is14 && stdenv.hostPlatform.isDarwin) ../patches/14/libgcc-darwin-detection.patch +++ optional ( + # this one would conflict with gcc-14-darwin-aarch64-support.patch + is14 && stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isx86_64 +) ../patches/14/libgcc-darwin-detection.patch ++ optional (atLeast15 && stdenv.hostPlatform.isDarwin) ../patches/15/libgcc-darwin-detection.patch # Fix libgcc_s.1.dylib build on Darwin 11+ by not reexporting unwind symbols that don't exist From 3c7fe074662f64f53d78e9225414083bf9d319ed Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 18 Dec 2025 01:18:34 +0100 Subject: [PATCH 64/70] python3Packages.django: fix 3.13.10/3.14.1 compat (cherry picked from commit 12713400c5eb0716247feb222d1b6ced00093a9b) --- pkgs/development/python-modules/django/5_2.nix | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/pkgs/development/python-modules/django/5_2.nix b/pkgs/development/python-modules/django/5_2.nix index 1d0e0399a90c0..699678257061c 100644 --- a/pkgs/development/python-modules/django/5_2.nix +++ b/pkgs/development/python-modules/django/5_2.nix @@ -3,7 +3,7 @@ stdenv, buildPythonPackage, fetchFromGitHub, - pythonAtLeast, + fetchpatch, pythonOlder, replaceVars, @@ -63,6 +63,18 @@ buildPythonPackage rec { ./django_5_tests_pythonpath.patch # disable test that expects timezone issues ./django_5_disable_failing_tests.patch + + # 3.14.1/3.13.10 comapt + (fetchpatch { + # https://github.com/django/django/pull/20390 + url = "https://github.com/django/django/commit/5ca0f62213911a77dd4a62e843db7e420cc98b78.patch"; + hash = "sha256-SpVdbS4S5wqvrrUOoZJ7d2cIbtmgI0mvxwwCveSA068="; + }) + (fetchpatch { + # https://github.com/django/django/pull/20392 + url = "https://github.com/django/django/commit/9cc231e8243091519f5d627cd02ee40bbb853ced.patch"; + hash = "sha256-/aimmqxurMCCntraxOtybEq8qNgZgQWLD5Gxs/3pkIU="; + }) ] ++ lib.optionals withGdal [ (replaceVars ./django_5_set_geos_gdal_lib.patch { From 185c8c7effa0105a6b8e7d0a9a42afdc5326337b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Thu, 8 Jan 2026 17:23:16 +0100 Subject: [PATCH 65/70] awscli2: fixup build, but it might be insecure https://hydra.nixos.org/build/317553777/nixlog/7/tail --- pkgs/by-name/aw/awscli2/package.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/by-name/aw/awscli2/package.nix b/pkgs/by-name/aw/awscli2/package.nix index c6bac261b91a4..8e08cf80c910c 100644 --- a/pkgs/by-name/aw/awscli2/package.nix +++ b/pkgs/by-name/aw/awscli2/package.nix @@ -61,6 +61,7 @@ let setuptools ]; postPatch = null; + patches = []; # FIXME: we might be missing security patches! src = prev.src.override { inherit version; hash = "sha256-+OzBu6VmdBNFfFKauVW/jGe0XbeZ0VkGYmFxnjKFgKA="; From aa5c93e06bf7d8a59d36fad693177d79899dd8ef Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 8 Jan 2026 22:35:26 +0100 Subject: [PATCH 66/70] Revert "python3Package.django_4: disable on 3.13 and newer" This reverts commit 2fa8863bdc75732d256b4001d2bda910402e6de7. Tihs disable is unsuitable for nixpkgs 25.11, where django 4.2 is the default django version. --- pkgs/development/python-modules/django/4.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/python-modules/django/4.nix b/pkgs/development/python-modules/django/4.nix index f72ad94e052d5..3cbbdcb1333ff 100644 --- a/pkgs/development/python-modules/django/4.nix +++ b/pkgs/development/python-modules/django/4.nix @@ -48,7 +48,7 @@ buildPythonPackage rec { version = "4.2.27"; format = "pyproject"; - disabled = pythonOlder "3.8" || pythonAtLeast "3.13"; + disabled = pythonOlder "3.8"; src = fetchFromGitHub { owner = "django"; From 12e9e8511e9d99e4b8f37edd597d8bfe399c3a32 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 8 Jan 2026 22:38:59 +0100 Subject: [PATCH 67/70] python3Packages.django: disable failing test --- pkgs/development/python-modules/django/4.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/development/python-modules/django/4.nix b/pkgs/development/python-modules/django/4.nix index 3cbbdcb1333ff..8438091346f9a 100644 --- a/pkgs/development/python-modules/django/4.nix +++ b/pkgs/development/python-modules/django/4.nix @@ -92,6 +92,10 @@ buildPythonPackage rec { postPatch = '' substituteInPlace tests/utils_tests/test_autoreload.py \ --replace "/usr/bin/python" "${python.interpreter}" + + # test broke in 3.13 and django 4.2 is eol + substituteInPlace tests/utils_tests/test_html.py \ + --replace test_strip_tags do_not_test_strip_tags '' + lib.optionalString (pythonAtLeast "3.12" && stdenv.hostPlatform.system == "aarch64-linux") '' # Test regression after xz was reverted from 5.6.0 to 5.4.6 From 1480a708ab1f8f52227531c1b52b75eff1cb8758 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 8 Jan 2026 22:45:25 +0100 Subject: [PATCH 68/70] awscli2: fix formatting --- pkgs/by-name/aw/awscli2/package.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/by-name/aw/awscli2/package.nix b/pkgs/by-name/aw/awscli2/package.nix index 8e08cf80c910c..27a45d59650e7 100644 --- a/pkgs/by-name/aw/awscli2/package.nix +++ b/pkgs/by-name/aw/awscli2/package.nix @@ -61,7 +61,7 @@ let setuptools ]; postPatch = null; - patches = []; # FIXME: we might be missing security patches! + patches = [ ]; # FIXME: we might be missing security patches! src = prev.src.override { inherit version; hash = "sha256-+OzBu6VmdBNFfFKauVW/jGe0XbeZ0VkGYmFxnjKFgKA="; From e5a9ffee5ecf175ad2dc87afc90acba0c01b48ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Fri, 9 Jan 2026 09:59:38 +0100 Subject: [PATCH 69/70] nix: skip failing test on aarch64-darwin Patch applied to all nixVersions.* as multiple of them seem to suffer from this issue. (cherry picked from commit bb6e37f48fd13e16f07f24fb733191fabaddae7b) --- pkgs/tools/package-management/nix/default.nix | 75 +++++++++++-------- .../nix/patches/skip-nix-shell.patch | 5 ++ 2 files changed, 47 insertions(+), 33 deletions(-) create mode 100644 pkgs/tools/package-management/nix/patches/skip-nix-shell.patch diff --git a/pkgs/tools/package-management/nix/default.nix b/pkgs/tools/package-management/nix/default.nix index 0096d2f8dffca..faaf7b2c01e24 100644 --- a/pkgs/tools/package-management/nix/default.nix +++ b/pkgs/tools/package-management/nix/default.nix @@ -126,6 +126,8 @@ let ]; teams = [ lib.teams.nix ]; + # FIXME: https://github.com/NixOS/nixpkgs/issues/476794 + patches_common = lib.optional (stdenv.system == "aarch64-darwin") ./patches/skip-nix-shell.patch; in lib.makeExtensible ( self: @@ -135,6 +137,7 @@ lib.makeExtensible ( version = "2.28.5"; hash = "sha256-oIfAHxO+BCtHXJXLHBnsKkGl1Pw+Uuq1PwNxl+lZ+Oc="; self_attribute_name = "nix_2_28"; + patches = patches_common; }; nixComponents_2_29 = nixDependencies.callPackage ./modular/packages.nix rec { @@ -151,45 +154,51 @@ lib.makeExtensible ( nix_2_29 = addTests "nix_2_29" self.nixComponents_2_29.nix-everything; - nixComponents_2_30 = nixDependencies.callPackage ./modular/packages.nix rec { - version = "2.30.3"; - inherit maintainers teams; - otherSplices = generateSplicesForNixComponents "nixComponents_2_30"; - src = fetchFromGitHub { - owner = "NixOS"; - repo = "nix"; - tag = version; - hash = "sha256-kBuwzMgIE9Tmve0Rpp+q+YCsE2mw9d62M/950ViWeJ0="; - }; - }; + nixComponents_2_30 = + (nixDependencies.callPackage ./modular/packages.nix rec { + version = "2.30.3"; + inherit maintainers teams; + otherSplices = generateSplicesForNixComponents "nixComponents_2_30"; + src = fetchFromGitHub { + owner = "NixOS"; + repo = "nix"; + tag = version; + hash = "sha256-kBuwzMgIE9Tmve0Rpp+q+YCsE2mw9d62M/950ViWeJ0="; + }; + }).appendPatches + patches_common; nix_2_30 = addTests "nix_2_30" self.nixComponents_2_30.nix-everything; - nixComponents_2_31 = nixDependencies.callPackage ./modular/packages.nix rec { - version = "2.31.2"; - inherit (self.nix_2_30.meta) maintainers teams; - otherSplices = generateSplicesForNixComponents "nixComponents_2_31"; - src = fetchFromGitHub { - owner = "NixOS"; - repo = "nix"; - tag = version; - hash = "sha256-NLGXPLjENLeKVOg3OZgHXZ+1x6sPIKq9FHH8pxbCrDI="; - }; - }; + nixComponents_2_31 = + (nixDependencies.callPackage ./modular/packages.nix rec { + version = "2.31.2"; + inherit (self.nix_2_30.meta) maintainers teams; + otherSplices = generateSplicesForNixComponents "nixComponents_2_31"; + src = fetchFromGitHub { + owner = "NixOS"; + repo = "nix"; + tag = version; + hash = "sha256-NLGXPLjENLeKVOg3OZgHXZ+1x6sPIKq9FHH8pxbCrDI="; + }; + }).appendPatches + patches_common; nix_2_31 = addTests "nix_2_31" self.nixComponents_2_31.nix-everything; - nixComponents_2_32 = nixDependencies.callPackage ./modular/packages.nix rec { - version = "2.32.4"; - inherit (self.nix_2_31.meta) maintainers teams; - otherSplices = generateSplicesForNixComponents "nixComponents_2_32"; - src = fetchFromGitHub { - owner = "NixOS"; - repo = "nix"; - tag = version; - hash = "sha256-8QYnRyGOTm3h/Dp8I6HCmQzlO7C009Odqyp28pTWgcY="; - }; - }; + nixComponents_2_32 = + (nixDependencies.callPackage ./modular/packages.nix rec { + version = "2.32.4"; + inherit (self.nix_2_31.meta) maintainers teams; + otherSplices = generateSplicesForNixComponents "nixComponents_2_32"; + src = fetchFromGitHub { + owner = "NixOS"; + repo = "nix"; + tag = version; + hash = "sha256-8QYnRyGOTm3h/Dp8I6HCmQzlO7C009Odqyp28pTWgcY="; + }; + }).appendPatches + patches_common; nix_2_32 = addTests "nix_2_32" self.nixComponents_2_32.nix-everything; diff --git a/pkgs/tools/package-management/nix/patches/skip-nix-shell.patch b/pkgs/tools/package-management/nix/patches/skip-nix-shell.patch new file mode 100644 index 0000000000000..1a54a291bf357 --- /dev/null +++ b/pkgs/tools/package-management/nix/patches/skip-nix-shell.patch @@ -0,0 +1,5 @@ +--- a/tests/functional/meson.build ++++ b/tests/functional/meson.build +@@ -90 +90 @@ suites = [ +- 'nix-shell.sh', ++ #'nix-shell.sh', From dfbb794785f4288a05277024648010d5be71173b Mon Sep 17 00:00:00 2001 From: Gaetan Lepage Date: Fri, 2 Jan 2026 21:51:58 +0000 Subject: [PATCH 70/70] python3Packages.flax: skip failing tests (cherry picked from commit bb9d89b1f65b99e2e8ba8e3a6499389a5210c550) https://hydra.nixos.org/build/318588726/nixlog/1/tail --- pkgs/development/python-modules/flax/default.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/pkgs/development/python-modules/flax/default.nix b/pkgs/development/python-modules/flax/default.nix index 57f649c2d58b5..6ddfd0f8e20fe 100644 --- a/pkgs/development/python-modules/flax/default.nix +++ b/pkgs/development/python-modules/flax/default.nix @@ -102,6 +102,18 @@ buildPythonPackage rec { # AssertionError: nnx_model.kernel.value.sharding = NamedSharding(... "test_linen_to_nnx_metadata" + + # AssertionError: 'Linear_0' not found in State({}) + "test_compact_basic" + # KeyError: 'intermediates' + "test_linen_submodule" + "test_pure_nnx_submodule" + # KeyError: 'counts + "test_mutable_state" + # AttributeError: 'Top' object has no attribute '_pytree__state'. Did you mean: '_pytree__flatten'? + "test_shared_modules" + # AttributeError: 'MLP' object has no attribute 'scope + "test_transforms" ]; passthru = {