diff --git a/pkgs/applications/audio/mpg123/default.nix b/pkgs/applications/audio/mpg123/default.nix index 1d4c619fb3491..5a90ea44a14c5 100644 --- a/pkgs/applications/audio/mpg123/default.nix +++ b/pkgs/applications/audio/mpg123/default.nix @@ -23,11 +23,11 @@ assert withConplay -> !libOnly; stdenv.mkDerivation rec { pname = "${lib.optionalString libOnly "lib"}mpg123"; - version = "1.32.8"; + version = "1.32.9"; src = fetchurl { url = "mirror://sourceforge/mpg123/mpg123-${version}.tar.bz2"; - hash = "sha256-/u4TdMeVQODkBd8LxF/eIK1nARQlw2GidZ4hRolKJ6c="; + hash = "sha256-A7YeQATpYLrPKs2toD7ZTTduaqsnpgFEe9SQjYQHspE="; }; outputs = [ diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix index 1d9274781fde0..fb62b12125c5b 100644 --- a/pkgs/data/misc/cacert/default.nix +++ b/pkgs/data/misc/cacert/default.nix @@ -23,7 +23,7 @@ let lib.concatStringsSep "\n\n" extraCertificateStrings ); - srcVersion = "3.104"; + srcVersion = "3.107"; version = if nssOverride != null then nssOverride.version else srcVersion; meta = with lib; { homepage = "https://curl.haxx.se/docs/caextract.html"; @@ -47,7 +47,7 @@ let owner = "nss-dev"; repo = "nss"; rev = "NSS_${lib.replaceStrings [ "." ] [ "_" ] version}_RTM"; - hash = "sha256-TEGEKocapU5OTqx69n8nrn/X3SZr49d1alHM73UnDJw="; + hash = "sha256-c6ks/pBvZHipNkmBy784s96zMYP+D9q3VlVrPVSohLw="; }; dontBuild = true; diff --git a/pkgs/development/compilers/rust/rustfmt.nix b/pkgs/development/compilers/rust/rustfmt.nix index bf41bcc2f018b..8f9d83d548c3e 100644 --- a/pkgs/development/compilers/rust/rustfmt.nix +++ b/pkgs/development/compilers/rust/rustfmt.nix @@ -33,6 +33,11 @@ rustPlatform.buildRustPackage rec { install_name_tool -add_rpath "${rustc.unwrapped}/lib" "$out/bin/git-rustfmt" ''; + env = lib.optionalAttrs (asNightly && stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isx86_64) { + # give install_name_tool enough space so preFixup doesn't fail + NIX_LDFLAGS = "-headerpad_max_install_names"; + }; + # As of 1.0.0 and rustc 1.30 rustfmt requires a nightly compiler RUSTC_BOOTSTRAP = 1; diff --git a/pkgs/development/interpreters/python/cpython/3.12/CVE-2024-12254.patch b/pkgs/development/interpreters/python/cpython/3.12/CVE-2024-12254.patch new file mode 100644 index 0000000000000..1a19a41d8d4ab --- /dev/null +++ b/pkgs/development/interpreters/python/cpython/3.12/CVE-2024-12254.patch @@ -0,0 +1,45 @@ +From e991ac8f2037d78140e417cc9a9486223eb3e786 Mon Sep 17 00:00:00 2001 +From: "J. Nick Koston" +Date: Thu, 5 Dec 2024 22:33:03 -0600 +Subject: [PATCH] gh-127655: Ensure `_SelectorSocketTransport.writelines` + pauses the protocol if needed (#127656) + +Ensure `_SelectorSocketTransport.writelines` pauses the protocol if it reaches the high water mark as needed. + +Co-authored-by: Kumar Aditya + +diff --git a/Lib/asyncio/selector_events.py b/Lib/asyncio/selector_events.py +index f94bf10b4225e7..f1ab9b12d69a5d 100644 +--- a/Lib/asyncio/selector_events.py ++++ b/Lib/asyncio/selector_events.py +@@ -1175,6 +1175,7 @@ def writelines(self, list_of_data): + # If the entire buffer couldn't be written, register a write handler + if self._buffer: + self._loop._add_writer(self._sock_fd, self._write_ready) ++ self._maybe_pause_protocol() + + def can_write_eof(self): + return True +diff --git a/Lib/test/test_asyncio/test_selector_events.py b/Lib/test/test_asyncio/test_selector_events.py +index aaeda33dd0c677..efca30f37414f9 100644 +--- a/Lib/test/test_asyncio/test_selector_events.py ++++ b/Lib/test/test_asyncio/test_selector_events.py +@@ -805,6 +805,18 @@ def test_writelines_send_partial(self): + self.assertTrue(self.sock.send.called) + self.assertTrue(self.loop.writers) + ++ def test_writelines_pauses_protocol(self): ++ data = memoryview(b'data') ++ self.sock.send.return_value = 2 ++ self.sock.send.fileno.return_value = 7 ++ ++ transport = self.socket_transport() ++ transport._high_water = 1 ++ transport.writelines([data]) ++ self.assertTrue(self.protocol.pause_writing.called) ++ self.assertTrue(self.sock.send.called) ++ self.assertTrue(self.loop.writers) ++ + @unittest.skipUnless(selector_events._HAS_SENDMSG, 'no sendmsg') + def test_write_sendmsg_full(self): + data = memoryview(b'data') diff --git a/pkgs/development/interpreters/python/cpython/default.nix b/pkgs/development/interpreters/python/cpython/default.nix index 9244e2a2838ef..d14551cf5be44 100644 --- a/pkgs/development/interpreters/python/cpython/default.nix +++ b/pkgs/development/interpreters/python/cpython/default.nix @@ -345,6 +345,8 @@ in with passthru; stdenv.mkDerivation (finalAttrs: { ] ++ optionals (pythonOlder "3.12") [ # https://github.com/python/cpython/issues/90656 ./loongarch-support.patch + ] ++ optionals (pythonAtLeast "3.12") [ + ./3.12/CVE-2024-12254.patch ] ++ optionals (pythonAtLeast "3.11" && pythonOlder "3.13") [ # backport fix for https://github.com/python/cpython/issues/95855 ./platform-triplet-detection.patch diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix index 15904c975ad56..f6976dacc0302 100644 --- a/pkgs/development/interpreters/python/default.nix +++ b/pkgs/development/interpreters/python/default.nix @@ -79,10 +79,10 @@ in { sourceVersion = { major = "3"; minor = "12"; - patch = "6"; + patch = "7"; suffix = ""; }; - hash = "sha256-GZllgpjPL7g33/7Y/zwDPvDJjvIM9zxdX2a+1auJaXw="; + hash = "sha256-JIh7kuKv1KKsYCQZrUtZY3L2esmwdxkPRZq6OQ+vVVA="; inherit (darwin) configd; inherit passthruFun; }; diff --git a/pkgs/development/libraries/avahi/default.nix b/pkgs/development/libraries/avahi/default.nix index e56b173e207d1..c622cd0887059 100644 --- a/pkgs/development/libraries/avahi/default.nix +++ b/pkgs/development/libraries/avahi/default.nix @@ -10,6 +10,7 @@ expat, gettext, glib, + autoreconfHook, libiconv, libevent, nixosTests, @@ -126,6 +127,12 @@ stdenv.mkDerivation rec { "fuzz/fuzz-packet.c" ]; }) + # https://github.com/avahi/avahi/pull/659 merged Nov 19 + (fetchpatch { + name = "CVE-2024-52616.patch"; + url = "https://github.com/avahi/avahi/commit/f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7.patch"; + hash = "sha256-BUQOQ4evKLBzV5UV8xW8XL38qk1rg6MJ/vcT5NBckfA="; + }) ]; depsBuildBuild = [ @@ -136,6 +143,7 @@ stdenv.mkDerivation rec { pkg-config gettext glib + autoreconfHook ]; buildInputs = diff --git a/pkgs/development/libraries/expat/default.nix b/pkgs/development/libraries/expat/default.nix index 12a54d278ce91..604d5d2d7d6f9 100644 --- a/pkgs/development/libraries/expat/default.nix +++ b/pkgs/development/libraries/expat/default.nix @@ -17,7 +17,7 @@ # files. let - version = "2.6.3"; + version = "2.6.4"; tag = "R_${lib.replaceStrings [ "." ] [ "_" ] version}"; in stdenv.mkDerivation (finalAttrs: { @@ -28,7 +28,7 @@ stdenv.mkDerivation (finalAttrs: { url = with finalAttrs; "https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz"; - hash = "sha256-J02yVKaXm95arUBHY6cElWlA5GWEPyqb2e168i4sDvw="; + hash = "sha256-ppVina4EcFWzfVCg/0d20dRdCkyELPTM7hWEQfVf9+4="; }; strictDeps = true; diff --git a/pkgs/development/libraries/gstreamer/bad/darwin-old-sdk-fix.patch b/pkgs/development/libraries/gstreamer/bad/darwin-old-sdk-fix.patch new file mode 100644 index 0000000000000..b525eaa7d55b8 --- /dev/null +++ b/pkgs/development/libraries/gstreamer/bad/darwin-old-sdk-fix.patch @@ -0,0 +1,49 @@ +From 816f2ccad16413a4961a0001fc02d8874d4fde47 Mon Sep 17 00:00:00 2001 +From: Alessandro Bono +Date: Wed, 10 Jul 2024 15:33:34 +0200 +Subject: [PATCH] vtdec: Use kVTVideoDecoderReferenceMissingErr only when + defined + +The enum value is declared present since macOS 10.8+[1]. Howerver, +the compilation now fails with the 10.15 SDK: +``` +../sys/applemedia/vtdec.c:1219:12: error: use of undeclared identifier 'kVTVideoDecoderReferenceMissingErr'; did you mean 'kVTVideoDecoderMalfunctionErr'? + case kVTVideoDecoderReferenceMissingErr: + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + kVTVideoDecoderMalfunctionErr +/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/System/Library/Frameworks/VideoToolbox.framework/Headers/VTErrors.h:40:2: note: 'kVTVideoDecoderMalfunctionErr' declared here + kVTVideoDecoderMalfunctionErr = -12911, // c.f. -8960 + ^ +1 error generated. +``` + +Put the enum usage under #ifdef. When missing, the behavior will be +the same as before commit a5c437c6430cdce603e46e09400beb4c5b9f5374. + +[1] https://developer.apple.com/documentation/videotoolbox/kvtvideodecoderreferencemissingerr?language=objc +--- + sys/applemedia/vtdec.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sys/applemedia/vtdec.c b/sys/applemedia/vtdec.c +index 57fcbf9928a5..517c15365b52 100644 +--- a/sys/applemedia/vtdec.c ++++ b/sys/applemedia/vtdec.c +@@ -1216,12 +1216,14 @@ gst_vtdec_session_output_callback (void *decompression_output_ref_con, + + if (status != noErr) { + switch (status) { ++#ifdef kVTVideoDecoderReferenceMissingErr + case kVTVideoDecoderReferenceMissingErr: + /* ReferenceMissingErr is not critical, when it occurs the frame + * usually has the kVTDecodeInfo_FrameDropped flag set. Log only for debugging purposes. */ + GST_DEBUG_OBJECT (vtdec, "ReferenceMissingErr when decoding frame %d", + frame->decode_frame_number); + break; ++#endif + #ifndef HAVE_IOS + case codecBadDataErr: /* SW decoder on macOS uses a different code from the hardware one... */ + #endif +-- +GitLab + diff --git a/pkgs/development/libraries/gstreamer/bad/default.nix b/pkgs/development/libraries/gstreamer/bad/default.nix index 91639c441b481..02543b993edec 100644 --- a/pkgs/development/libraries/gstreamer/bad/default.nix +++ b/pkgs/development/libraries/gstreamer/bad/default.nix @@ -112,13 +112,13 @@ stdenv.mkDerivation rec { pname = "gst-plugins-bad"; - version = "1.24.3"; + version = "1.24.10"; outputs = [ "out" "dev" ]; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-6Q8mx9ycdvSqWZt1jP1tjBDWoLnLJluiw8m984iFWPg="; + hash = "sha256-FwfjEDlQybrtNkqK8roEldaxE/zTbhBi3aX1grj4kE0="; }; patches = [ @@ -127,6 +127,11 @@ stdenv.mkDerivation rec { src = ./fix-paths.patch; inherit (addOpenGLRunpath) driverLink; }) + + # vtdec: Use kVTVideoDecoderReferenceMissingErr only when defined + # + # TODO: Remove this when the build with the newer SDK works. + ./darwin-old-sdk-fix.patch ]; nativeBuildInputs = [ diff --git a/pkgs/development/libraries/gstreamer/base/default.nix b/pkgs/development/libraries/gstreamer/base/default.nix index f48fe22f50001..f0543fb85cb37 100644 --- a/pkgs/development/libraries/gstreamer/base/default.nix +++ b/pkgs/development/libraries/gstreamer/base/default.nix @@ -46,7 +46,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "gst-plugins-base"; - version = "1.24.3"; + version = "1.24.10"; outputs = [ "out" "dev" ]; @@ -54,7 +54,7 @@ stdenv.mkDerivation (finalAttrs: { inherit (finalAttrs) pname version; in fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-8QlDl+qnky8G5X67sHWqM6osduS3VjChawLI1K9Ggy4="; + hash = "sha256-69V7G+kkxuJPMn3VW6udj7quvl4dyPynhBgqsrEtI+s="; }; strictDeps = true; diff --git a/pkgs/development/libraries/gstreamer/core/default.nix b/pkgs/development/libraries/gstreamer/core/default.nix index 3136b6f886755..368755237e17f 100644 --- a/pkgs/development/libraries/gstreamer/core/default.nix +++ b/pkgs/development/libraries/gstreamer/core/default.nix @@ -25,7 +25,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "gstreamer"; - version = "1.24.3"; + version = "1.24.10"; outputs = [ "bin" @@ -37,7 +37,7 @@ stdenv.mkDerivation (finalAttrs: { inherit (finalAttrs) pname version; in fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-EiXvSjKfrhytxexyfaskmtVn6AcoeUk1Yc65HtNKpBQ="; + hash = "sha256-n8RbGjMuj4EvCelcKBzXWWn20WgtBiqBXbDnvAR1GP0="; }; depsBuildBuild = [ diff --git a/pkgs/development/libraries/gstreamer/devtools/default.nix b/pkgs/development/libraries/gstreamer/devtools/default.nix index 44a79bb2c998d..9c431dc51d0f0 100644 --- a/pkgs/development/libraries/gstreamer/devtools/default.nix +++ b/pkgs/development/libraries/gstreamer/devtools/default.nix @@ -17,11 +17,11 @@ stdenv.mkDerivation rec { pname = "gst-devtools"; - version = "1.24.3"; + version = "1.24.10"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-uREUov2Vj0Ks9EEYbofivsk1OO81qfgkgREZc2D/sjc="; + hash = "sha256-KYNTcUiwqNUrrSo/TJ3MqAj9WqEvzO4lrMSkJ38HgOw="; }; outputs = [ diff --git a/pkgs/development/libraries/gstreamer/ges/default.nix b/pkgs/development/libraries/gstreamer/ges/default.nix index 79ece373b57d0..1e7bdb1d611a8 100644 --- a/pkgs/development/libraries/gstreamer/ges/default.nix +++ b/pkgs/development/libraries/gstreamer/ges/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { pname = "gst-editing-services"; - version = "1.24.3"; + version = "1.24.10"; outputs = [ "out" @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-z3QyFWiLATkFzSyff+3aIeLTTIRDQJkMbqJdEKA3KT8="; + hash = "sha256-bwCxG05eNMKjLWTfUh3Kd1GdYm/MXjhjwCGL0SNn4XQ="; }; nativeBuildInputs = [ diff --git a/pkgs/development/libraries/gstreamer/good/default.nix b/pkgs/development/libraries/gstreamer/good/default.nix index bd301e7b45c22..7273b38eec1d1 100644 --- a/pkgs/development/libraries/gstreamer/good/default.nix +++ b/pkgs/development/libraries/gstreamer/good/default.nix @@ -58,13 +58,13 @@ assert raspiCameraSupport -> (stdenv.isLinux && stdenv.isAarch32); stdenv.mkDerivation rec { pname = "gst-plugins-good"; - version = "1.24.3"; + version = "1.24.10"; outputs = [ "out" "dev" ]; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-FQ+RTmHcBWALaLiMoQPHzCJxMBWOOJ6p6hWfQFCi67A="; + hash = "sha256-/OdI+mbXqO4fsmFInlnQHj+nh2I9bVw1BoQW/nzQrLM="; }; patches = [ diff --git a/pkgs/development/libraries/gstreamer/libav/default.nix b/pkgs/development/libraries/gstreamer/libav/default.nix index 872627009e215..4721f5e894aad 100644 --- a/pkgs/development/libraries/gstreamer/libav/default.nix +++ b/pkgs/development/libraries/gstreamer/libav/default.nix @@ -18,11 +18,11 @@ stdenv.mkDerivation rec { pname = "gst-libav"; - version = "1.24.3"; + version = "1.24.10"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-2cWxUkaKRcH6g1FBBCIJCnGScHrXTS4aQ2f1JU4YjZE="; + hash = "sha256-TPLi2CBOVLqK+VGai5t/+m6VGnCHr6Df6DwSXUm7tfs="; }; outputs = [ "out" "dev" ]; diff --git a/pkgs/development/libraries/gstreamer/rtsp-server/default.nix b/pkgs/development/libraries/gstreamer/rtsp-server/default.nix index db56d895f7876..3967ad1696523 100644 --- a/pkgs/development/libraries/gstreamer/rtsp-server/default.nix +++ b/pkgs/development/libraries/gstreamer/rtsp-server/default.nix @@ -15,11 +15,11 @@ stdenv.mkDerivation rec { pname = "gst-rtsp-server"; - version = "1.24.3"; + version = "1.24.10"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-YmKOzKeLj1tRxZpNYCxl6SBf/FDDyDzWH6sfY0i2NWU="; + hash = "sha256-2yHf3Xvy5xhWTVVzeK2lNYtBHv4qPonp8Ph6dFN+Ktw="; }; outputs = [ diff --git a/pkgs/development/libraries/gstreamer/ugly/default.nix b/pkgs/development/libraries/gstreamer/ugly/default.nix index 0b39bad01020b..781ef18724010 100644 --- a/pkgs/development/libraries/gstreamer/ugly/default.nix +++ b/pkgs/development/libraries/gstreamer/ugly/default.nix @@ -25,13 +25,13 @@ stdenv.mkDerivation rec { pname = "gst-plugins-ugly"; - version = "1.24.3"; + version = "1.24.10"; outputs = [ "out" "dev" ]; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-TJUTQcTGSGMLb+EjTsET2B3S0khSm/K1R44K0HfIDtM="; + hash = "sha256-nfb9haclYkHvuyX4SzN1deOzRSZvXas4STceRpR3nxg="; }; nativeBuildInputs = [ diff --git a/pkgs/development/libraries/gstreamer/vaapi/default.nix b/pkgs/development/libraries/gstreamer/vaapi/default.nix index cdad2eaf232d9..fc23aaa23998d 100644 --- a/pkgs/development/libraries/gstreamer/vaapi/default.nix +++ b/pkgs/development/libraries/gstreamer/vaapi/default.nix @@ -24,11 +24,11 @@ stdenv.mkDerivation rec { pname = "gstreamer-vaapi"; - version = "1.24.3"; + version = "1.24.10"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-hF8u/g3KjasjTd6PsJHaLNBqnSpoNCK1bctoiVT5Bw4="; + hash = "sha256-IVk9veXGvNz+mRld7748P02gHLhfjsEKrpQ4h9Odikw="; }; outputs = [ diff --git a/pkgs/development/libraries/libsoup/default.nix b/pkgs/development/libraries/libsoup/default.nix index 5694dc91b0e84..2ec45b27dd376 100644 --- a/pkgs/development/libraries/libsoup/default.nix +++ b/pkgs/development/libraries/libsoup/default.nix @@ -2,6 +2,7 @@ stdenv, lib, fetchurl, + fetchpatch, glib, libxml2, meson, @@ -35,6 +36,34 @@ stdenv.mkDerivation rec { sha256 = "sha256-5Ld8Qc/EyMWgNfzcMgx7xs+3XvfFoDQVPfFBP6HZLxM="; }; + patches = [ + (fetchpatch { + name = "CVE-2024-52530.patch"; + url = "https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b.patch"; + hash = "sha256-WRLiW2B/xxr3hW0nmeRNrXtZL44S0nTptPRdTqBV8Iw="; + }) + (fetchpatch { + name = "CVE-2024-52531_1.patch"; + url = "https://git.launchpad.net/ubuntu/+source/libsoup2.4/patch/?id=4ce2f2dc8ba0c458edce0f039a087fb3ac57787e"; + hash = "sha256-wg1qz8xHcnTiinBTF0ECMkrsD8W6M4IbiKGgbJ1gp9o="; + }) + (fetchpatch { + name = "CVE-2024-52531_2.patch"; + url = "https://git.launchpad.net/ubuntu/+source/libsoup2.4/patch/?id=5866d63aed3500700c5f1d2868ff689bb2ba8b82"; + hash = "sha256-e/VXtKX+agCw+ESGbgQ83NaVNbB3jLTxL7+VgNGbZ7U="; + }) + (fetchpatch { + name = "CVE-2024-52532_1.patch"; + url = "https://git.launchpad.net/ubuntu/+source/libsoup2.4/patch/?id=98e096a0d2142e3c63de2cca7d4023f9c52ed2c6"; + hash = "sha256-h7k+HpcKlsVYlAONxTOiupMhsMkf2v246ouxLejurcY="; + }) + (fetchpatch { + name = "CVE-2024-52532_2.patch"; + url = "https://git.launchpad.net/ubuntu/+source/libsoup2.4/patch/?id=030e72420e8271299c324273f393d92f6d4bb53e"; + hash = "sha256-0BEJpEKgjmKACf53lHMglxhmevKsSXR4ejEoTtr4wII="; + }) + ]; + depsBuildBuild = [ pkg-config ]; diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix index 0c6bf3fd424a5..3c2ffaec69142 100644 --- a/pkgs/development/libraries/libxml2/default.nix +++ b/pkgs/development/libraries/libxml2/default.nix @@ -32,7 +32,7 @@ stdenv.mkDerivation (finalAttrs: rec { pname = "libxml2"; - version = "2.12.7"; + version = "2.12.9"; outputs = [ @@ -47,7 +47,7 @@ stdenv.mkDerivation (finalAttrs: rec { src = fetchurl { url = "mirror://gnome/sources/libxml2/${lib.versions.majorMinor version}/libxml2-${version}.tar.xz"; - hash = "sha256-JK54/xNjqXPm2L66lBp5RdoqwFbhm1OVautpJ/1s+1Y="; + hash = "sha256-WZEttTarVqOZZInqApl2jHvP/lcWnwI15/liqR9INZA="; }; strictDeps = true; diff --git a/pkgs/development/libraries/openldap/default.nix b/pkgs/development/libraries/openldap/default.nix index f4f2e17e6c5e4..1488144dee93a 100644 --- a/pkgs/development/libraries/openldap/default.nix +++ b/pkgs/development/libraries/openldap/default.nix @@ -18,11 +18,11 @@ stdenv.mkDerivation rec { pname = "openldap"; - version = "2.6.8"; + version = "2.6.9"; src = fetchurl { url = "https://www.openldap.org/software/download/OpenLDAP/openldap-release/${pname}-${version}.tgz"; - hash = "sha256-SJaTI+lOO+OwPGoTKULcun741UXyrTVAFwkBn2lsPE4="; + hash = "sha256-LLfcc+nINA3/DZk1f7qleKvzDMZhnwUhlyxVVoHmsv8="; }; # TODO: separate "out" and "bin" diff --git a/pkgs/development/libraries/p11-kit/default.nix b/pkgs/development/libraries/p11-kit/default.nix index c4221404b1298..79aed33e8ac2a 100644 --- a/pkgs/development/libraries/p11-kit/default.nix +++ b/pkgs/development/libraries/p11-kit/default.nix @@ -67,6 +67,11 @@ stdenv.mkDerivation rec { )) ]; + ${if stdenv.buildPlatform.isDarwin && stdenv.buildPlatform.isx86_64 then "mesonCheckFlags" else null} = [ + # Tests regularly exceed the default timeout on `x86_64-darwin`. + "--timeout-multiplier=0" + ]; + doCheck = stdenv.buildPlatform.canExecute stdenv.hostPlatform; postPatch = '' diff --git a/pkgs/development/python-modules/gst-python/default.nix b/pkgs/development/python-modules/gst-python/default.nix index f2cc5a2edfac1..a5fd895521d62 100644 --- a/pkgs/development/python-modules/gst-python/default.nix +++ b/pkgs/development/python-modules/gst-python/default.nix @@ -15,7 +15,7 @@ buildPythonPackage rec { pname = "gst-python"; - version = "1.24.3"; + version = "1.24.10"; format = "other"; @@ -26,7 +26,7 @@ buildPythonPackage rec { src = fetchurl { url = "https://gstreamer.freedesktop.org/src/gst-python/${pname}-${version}.tar.xz"; - hash = "sha256-7Ns+K6lOosgrk6jHFdWn4E+XJqiDjAprF2lJKP0ehZU="; + hash = "sha256-E1vPi28UaLwx5WYECf6O04EJ8B3sRHQ1FKovprOGMwk"; }; # Python 2.x is not supported. diff --git a/pkgs/development/python-modules/jinja2/default.nix b/pkgs/development/python-modules/jinja2/default.nix index ba8f7048c5b6b..c8ceb94da0d9f 100644 --- a/pkgs/development/python-modules/jinja2/default.nix +++ b/pkgs/development/python-modules/jinja2/default.nix @@ -20,19 +20,29 @@ buildPythonPackage rec { pname = "jinja2"; - version = "3.1.4"; + version = "3.1.5"; pyproject = true; disabled = pythonOlder "3.7"; src = fetchPypi { inherit pname version; - hash = "sha256-Sjruesu+cwOu3o6WSNE7i/iKQpKCqmEiqZPwrIAMs2k="; + hash = "sha256-j+//jcMDTie7gNZ8Zx64qbxCTA70wIJu2/8wTM7/Q7s="; }; - nativeBuildInputs = [ flit-core ]; + postPatch = '' + # Do not test with trio, it increases jinja2's dependency closure by a lot + # and everyone consuming these dependencies cannot rely on sphinxHook, + # because sphinx itself depends on jinja2. + substituteInPlace tests/test_async{,_filters}.py \ + --replace-fail "import trio" "" \ + --replace-fail ", trio.run" "" \ + --replace-fail ", \"trio\"" "" + ''; - propagatedBuildInputs = [ markupsafe ]; + build-system = [ flit-core ]; + + dependencies = [ markupsafe ]; passthru.optional-dependencies = { i18n = [ babel ]; diff --git a/pkgs/development/python-modules/mypy/default.nix b/pkgs/development/python-modules/mypy/default.nix index 8d55e3009416a..f0bdc7b36f310 100644 --- a/pkgs/development/python-modules/mypy/default.nix +++ b/pkgs/development/python-modules/mypy/default.nix @@ -3,6 +3,7 @@ stdenv, buildPythonPackage, fetchFromGitHub, + fetchpatch2, pythonAtLeast, pythonOlder, @@ -42,6 +43,15 @@ buildPythonPackage rec { hash = "sha256-uOOZX8bKRunTOgYVbmetu2m0B7kijxBgWdNiLCAhiQ4="; }; + patches = [ + (fetchpatch2 { + name = "python3.12.7-compat.patch"; + url = "https://github.com/python/mypy/commit/1a2c8e2a4df21532e4952191cad74ae50083f4ad.patch"; + hash = "sha256-GBQPTkdoLeErjbRUjZBFEwvCcN/WzC3OYVvou6M+f80="; + }) + ]; + + build-system = [ mypy-extensions setuptools diff --git a/pkgs/development/python-modules/werkzeug/default.nix b/pkgs/development/python-modules/werkzeug/default.nix index dbd79284dd6f4..5fcf13a5e2d15 100644 --- a/pkgs/development/python-modules/werkzeug/default.nix +++ b/pkgs/development/python-modules/werkzeug/default.nix @@ -29,14 +29,14 @@ buildPythonPackage rec { pname = "werkzeug"; - version = "3.0.4"; + version = "3.0.6"; pyproject = true; disabled = pythonOlder "3.8"; src = fetchPypi { inherit pname version; - hash = "sha256-NPI3FQayUN9NT4S/57CSHkdiUldiu9k2YUkJ/iXNcwY="; + hash = "sha256-qN1Z1N4oynBHGjTLp5vtX37y4Danazqwg1R0JG60H40="; }; build-system = [ flit-core ]; diff --git a/pkgs/development/web/nodejs/v20.nix b/pkgs/development/web/nodejs/v20.nix index f4ae56ff397f9..084e590315254 100644 --- a/pkgs/development/web/nodejs/v20.nix +++ b/pkgs/development/web/nodejs/v20.nix @@ -17,8 +17,8 @@ let in buildNodejs { inherit enableNpm; - version = "20.17.0"; - sha256 = "9abf03ac23362c60387ebb633a516303637145cb3c177be3348b16880fd8b28c"; + version = "20.18.1"; + sha256 = "91df43f8ab6c3f7be81522d73313dbdd5634bbca228ef0e6d9369fe0ab8cccd0"; patches = [ ./disable-darwin-v8-system-instrumentation-node19.patch ./bypass-darwin-xcrun-node16.patch diff --git a/pkgs/misc/ghostscript/default.nix b/pkgs/misc/ghostscript/default.nix index 3ed6aee3e2675..9781457eaa875 100644 --- a/pkgs/misc/ghostscript/default.nix +++ b/pkgs/misc/ghostscript/default.nix @@ -178,10 +178,6 @@ stdenv.mkDerivation rec { done ''; - # FIXME: remove on rebuild - dylib_version = if stdenv.isLinux then lib.versions.majorMinor version else null; - preFixup = ""; - # validate dynamic linkage doInstallCheck = true; installCheckPhase = '' diff --git a/pkgs/servers/sql/postgresql/12.nix b/pkgs/servers/sql/postgresql/12.nix index ebd358dc01a1d..1b572a8e7ef92 100644 --- a/pkgs/servers/sql/postgresql/12.nix +++ b/pkgs/servers/sql/postgresql/12.nix @@ -1,4 +1,4 @@ import ./generic.nix { - version = "12.21"; - hash = "sha256-bHEVUKwcx4KIZeWCPZ9Ffjva1vQyAXcWn5DkGb4MJ/I="; + version = "12.22"; + hash = "sha256-jfPAR0eCWJ08bzdLUTOxvRTRaAhu28E8bnLmfdRSejs="; } diff --git a/pkgs/servers/sql/postgresql/13.nix b/pkgs/servers/sql/postgresql/13.nix index 46dadcab65408..0219da508d093 100644 --- a/pkgs/servers/sql/postgresql/13.nix +++ b/pkgs/servers/sql/postgresql/13.nix @@ -1,6 +1,6 @@ import ./generic.nix { - version = "13.17"; - hash = "sha256-AisKbnvDdKd37s4zcIiV17YMrgfUkrKGspaknXOV14s="; + version = "13.18"; + hash = "sha256-zuqSq+4qjBlAjSeLaN5qeLa9PbtPotZT+nynRdZmqrE="; muslPatches = { disable-test-collate-icu-utf8 = { url = "https://git.alpinelinux.org/aports/plain/main/postgresql13/disable-test-collate.icu.utf8.patch?id=69faa146ec9fff3b981511068f17f9e629d4688b"; diff --git a/pkgs/servers/sql/postgresql/14.nix b/pkgs/servers/sql/postgresql/14.nix index f2b5449d99c5f..500de98086833 100644 --- a/pkgs/servers/sql/postgresql/14.nix +++ b/pkgs/servers/sql/postgresql/14.nix @@ -1,6 +1,6 @@ import ./generic.nix { - version = "14.14"; - hash = "sha256-hHJ/vM29Hv4B2N5kvBszCV23c60kV8787cLYJY68CdY="; + version = "14.15"; + hash = "sha256-AuiR4xS06e4ky9eAKNq3xz+cG6PjCDW8vvcf4iBAH8U="; muslPatches = { disable-test-collate-icu-utf8 = { url = "https://git.alpinelinux.org/aports/plain/main/postgresql14/disable-test-collate.icu.utf8.patch?id=56999e6d0265ceff5c5239f85fdd33e146f06cb7"; diff --git a/pkgs/servers/sql/postgresql/15.nix b/pkgs/servers/sql/postgresql/15.nix index 63f4928401ac6..a65def57b1ca9 100644 --- a/pkgs/servers/sql/postgresql/15.nix +++ b/pkgs/servers/sql/postgresql/15.nix @@ -1,4 +1,4 @@ import ./generic.nix { - version = "15.8"; - hash = "sha256-RANRX5pp7rPv68mPMLjGlhIr/fiV6Ss7I/W452nty2o="; + version = "15.10"; + hash = "sha256-VavnONRB8OWGWLPsb4gJenE7XjtzE59iMNe1xMOJ5XM="; } diff --git a/pkgs/servers/sql/postgresql/16.nix b/pkgs/servers/sql/postgresql/16.nix index c02f02fc832e2..2b6e248625bd5 100644 --- a/pkgs/servers/sql/postgresql/16.nix +++ b/pkgs/servers/sql/postgresql/16.nix @@ -1,4 +1,4 @@ import ./generic.nix { - version = "16.5"; - hash = "sha256-psu7cDf5jLivp9OXC3xIBAzwKxFeOSU6DAN6i7jnePA="; + version = "16.6"; + hash = "sha256-Izac2szUUnCsXcww+p2iBdW+M/pQXh8XoEGNLK7KR3s="; } diff --git a/pkgs/servers/sql/postgresql/generic.nix b/pkgs/servers/sql/postgresql/generic.nix index 1f2af4fdf8dd7..57412a3b48744 100644 --- a/pkgs/servers/sql/postgresql/generic.nix +++ b/pkgs/servers/sql/postgresql/generic.nix @@ -168,14 +168,6 @@ let locale = "${if stdenv.isDarwin then darwin.adv_cmds else lib.getBin stdenv.cc.libc}/bin/locale"; }) ] - ++ lib.optionals (atLeast "15" && olderThan "16") [ - # TODO: Remove this with the next set of minor releases - (fetchpatch ({ - url = "https://github.com/postgres/postgres/commit/b27622c90869aab63cfe22159a459c57768b0fa4.patch"; - hash = "sha256-7G+BkJULhyx6nlMEjClcr2PJg6awgymZHr2JgGhXanA="; - excludes = [ "doc/*" ]; - })) - ] ++ lib.optionals stdenv'.hostPlatform.isMusl ( # Using fetchurl instead of fetchpatch on purpose: https://github.com/NixOS/nixpkgs/issues/240141 map fetchurl (lib.attrValues muslPatches)