diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 7f5da547805..c0f36fcfd35 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -2514,6 +2514,16 @@ cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb" enabled. + + + The Nextcloud module now allows setting the value of the + max-age directive of the + Strict-Transport-Security HTTP header, + which is now controlled by the + services.nextcloud.https option, rather + than services.nginx.recommendedHttpHeaders. + + The spark3 package has been updated from diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index acead412048..5902957a535 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -892,6 +892,8 @@ In addition to numerous new and upgraded packages, this release has the followin - The Nextcloud module now supports to create a Mysql database automatically with `services.nextcloud.database.createLocally` enabled. +- The Nextcloud module now allows setting the value of the `max-age` directive of the `Strict-Transport-Security` HTTP header, which is now controlled by the `services.nextcloud.https` option, rather than `services.nginx.recommendedHttpHeaders`. + - The `spark3` package has been updated from 3.1.2 to 3.2.1 ([#160075](https://github.com/NixOS/nixpkgs/pull/160075)): - Testing has been enabled for `aarch64-linux` in addition to `x86_64-linux`. diff --git a/nixos/modules/misc/locate.nix b/nixos/modules/misc/locate.nix index 192c9ec413c..50495eebe4c 100644 --- a/nixos/modules/misc/locate.nix +++ b/nixos/modules/misc/locate.nix 
@@ -250,7 +250,7 @@ in }; warnings = optional (isMorPLocate && cfg.localuser != null) - "mlocate does not support the services.locate.localuser option; updatedb will run as root. (Silence with services.locate.localuser = null.)" + "mlocate and plocate do not support the services.locate.localuser option. updatedb will run as root. Silence this warning by setting services.locate.localuser = null." ++ optional (isFindutils && cfg.pruneNames != [ ]) "findutils locate does not support pruning by directory component" ++ optional (isFindutils && cfg.pruneBindMounts) diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index ceb2db1faef..41848c1c6d3 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -5,6 +5,9 @@ with lib; let json = pkgs.formats.json { }; cfg = config.services.prometheus; + checkConfigEnabled = + (lib.isBool cfg.checkConfig && cfg.checkConfig) + || cfg.checkConfig == "syntax-only"; workingDir = "/var/lib/" + cfg.stateDir; @@ -27,7 +30,7 @@ let # a wrapper that verifies that the configuration is valid promtoolCheck = what: name: file: - if cfg.checkConfig then + if checkConfigEnabled then pkgs.runCommandLocal "${name}-${replaceStrings [" "] [""] what}-checked" { buildInputs = [ cfg.package ]; } '' @@ -58,7 +61,7 @@ let pkgs.writeText "prometheus.yml" cfg.configText else generatedPrometheusYml; in - promtoolCheck "check config" "prometheus.yml" yml; + promtoolCheck "check config ${lib.optionalString (cfg.checkConfig == "syntax-only") "--syntax-only"}" "prometheus.yml" yml; cmdlineArgs = cfg.extraFlags ++ [ "--storage.tsdb.path=${workingDir}/data/" 
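Review bot: Splicing `--syntax-only` into the `what` argument at the `promtoolCheck "check config ${…}"` call also changes the derivation name, because promtoolCheck builds it with `replaceStrings [" "] [""] what`. In syntax-only mode the name becomes `prometheus.yml-checkconfig--syntax-only-checked`, and in the default case `what` now carries a trailing space. Keeping the flag in its own binding, e.g. `promtoolFlags = lib.optionalString (cfg.checkConfig == "syntax-only") "--syntax-only";`, and using it only where promtool is invoked would keep the label and the command-line options apart. The body of promtoolCheck continues outside these hunks, so the exact invocation is not visible here.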
@@ -1726,16 +1729,20 @@ in }; checkConfig = mkOption { - type = types.bool; + type = with types; either bool (enum [ "syntax-only" ]); default = true; + example = "syntax-only"; description = '' Check configuration with promtool check. The call to promtool is - subject to sandboxing by Nix. When credentials are stored in - external files (password_file, - bearer_token_file, etc), they will not be - visible to promtool and it will report - errors, despite a correct configuration. + subject to sandboxing by Nix. + + If you use credentials stored in external files + (password_file, bearer_token_file, etc), + they will not be visible to promtool + and it will report errors, despite a correct configuration. + To resolve this, you may set this option to "syntax-only" + in order to only syntax check the Prometheus configuration. ''; }; diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index a4b886821eb..87270776f5a 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -546,10 +546,23 @@ in { ''; }; - nginx.recommendedHttpHeaders = mkOption { - type = types.bool; - default = true; - description = "Enable additional recommended HTTP response headers"; + nginx = { + recommendedHttpHeaders = mkOption { + type = types.bool; + default = true; + description = "Enable additional recommended HTTP response headers"; + }; + hstsMaxAge = mkOption { + type = types.ints.positive; + default = 15552000; + description = '' + Value for the max-age directive of the HTTP + Strict-Transport-Security header. + + See section 6.1.1 of IETF RFC 6797 for detailed information on this + directive and header. + ''; + }; }; }; 
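Review bot: `types.ints.positive` on `nginx.hstsMaxAge` rules out `max-age=0`, which RFC 6797 section 6.1.1 defines as the signal for a browser to stop treating the host as a known HSTS host. An operator therefore cannot use this option to back out of HSTS ahead of moving a host off HTTPS; `type = types.ints.unsigned;` would allow it. The description should also state when the header is sent at all, for example `Only emitted when services.nextcloud.https is enabled.`, since that coupling is otherwise only mentioned in the release notes.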
@@ -702,7 +715,7 @@ in { 'skeletondirectory' => '${cfg.skeletonDirectory}', ${optionalString cfg.caching.apcu "'memcache.local' => '\\OC\\Memcache\\APCu',"} 'log_type' => 'syslog', - 'log_level' => '${builtins.toString cfg.logLevel}', + 'loglevel' => '${builtins.toString cfg.logLevel}', ${optionalString (c.overwriteProtocol != null) "'overwriteprotocol' => '${c.overwriteProtocol}',"} ${optionalString (c.dbname != null) "'dbname' => '${c.dbname}',"} ${optionalString (c.dbhost != null) "'dbhost' => '${c.dbhost}',"} @@ -983,7 +996,9 @@ in { add_header X-Permitted-Cross-Domain-Policies none; add_header X-Frame-Options sameorigin; add_header Referrer-Policy no-referrer; - add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + ''} + ${optionalString (cfg.https) '' + add_header Strict-Transport-Security "max-age=${toString cfg.nginx.hstsMaxAge}; includeSubDomains" always; ''} client_max_body_size ${cfg.maxUploadSize}; fastcgi_buffers 64 4K; diff --git a/pkgs/applications/blockchains/wasabiwallet/default.nix b/pkgs/applications/blockchains/wasabiwallet/default.nix index f8e20f1a05d..e3cea78629f 100644 --- a/pkgs/applications/blockchains/wasabiwallet/default.nix +++ b/pkgs/applications/blockchains/wasabiwallet/default.nix @@ -25,11 +25,11 @@ let in stdenv.mkDerivation rec { pname = "wasabiwallet"; - version = "1.1.12.9"; + version = "1.1.13.1"; src = fetchurl { url = "https://github.com/zkSNACKs/WalletWasabi/releases/download/v${version}/Wasabi-${version}.tar.gz"; - sha256 = "sha256-DtoLQbRXyR4xGm+M0xg9uj8wcbh1dOBJUG430OS8AS4="; + sha256 = "sha256-AtsNbUqEBQx0DPWR2LjNl7pdviYmvkv3bYKNBoeJHbw="; }; dontBuild = true; diff --git a/pkgs/applications/graphics/ImageMagick/7.0.nix b/pkgs/applications/graphics/ImageMagick/7.0.nix index 44d54014976..66248ff5365 100644 --- a/pkgs/applications/graphics/ImageMagick/7.0.nix +++ b/pkgs/applications/graphics/ImageMagick/7.0.nix 
@@ -45,13 +45,13 @@ in stdenv.mkDerivation rec { pname = "imagemagick"; - version = "7.1.0-33"; + version = "7.1.0-34"; src = fetchFromGitHub { owner = "ImageMagick"; repo = "ImageMagick"; rev = version; - hash = "sha256-qiXTSQcc48IIzz7RUcyOH2w8JUOTdU1zg43gJhoELXo="; + hash = "sha256-eASmIOTYupK5di3lggJ/8O5pkG88ZpFuvaYK23AWsq4="; }; outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big diff --git a/pkgs/applications/networking/cluster/terraform-providers/providers.json b/pkgs/applications/networking/cluster/terraform-providers/providers.json index 94fcafcb48c..db7ca3cf386 100644 --- a/pkgs/applications/networking/cluster/terraform-providers/providers.json +++ b/pkgs/applications/networking/cluster/terraform-providers/providers.json @@ -420,10 +420,10 @@ "owner": "integrations", "provider-source-address": "registry.terraform.io/integrations/github", "repo": "terraform-provider-github", - "rev": "v4.25.0-alpha", - "sha256": "sha256-9BE19VywtNIeDfjBKzle5nGFPmpS8lHV60w0h2xTztU=", + "rev": "v4.24.1", + "sha256": "sha256-1fwHMN2HIVl+8ZL7OtP1U5ORc41e7Tm3qEpMqIgWL20=", "vendorSha256": null, - "version": "4.25.0-alpha" + "version": "4.24.1" }, "gitlab": { "owner": "gitlabhq", @@ -719,10 +719,10 @@ "owner": "equinix", "provider-source-address": "registry.terraform.io/equinix/metal", "repo": "terraform-provider-metal", - "rev": "v3.3.0-alpha.3", - "sha256": "sha256-wuZp0Be8a84y7JqpCGnBDPXgNG8JJcNWsIICP3ZjSVk=", - "vendorSha256": "sha256-Ln9EyycPduVuj+JefH9f+Q5KlNGvbcwcEDgaqH2M0So=", - "version": "3.3.0-alpha.3" + "rev": "v3.2.2", + "sha256": "193897farpyb3zxz6p79mfaf04ccin7xdirbkclqb3x3c56jy0xi", + "vendorSha256": null, + "version": "3.2.2" }, "minio": { "owner": "aminueza", diff --git a/pkgs/applications/networking/cluster/terraform-providers/update-provider b/pkgs/applications/networking/cluster/terraform-providers/update-provider index 4310fcdcc27..fb506cefbe0 100755 --- a/pkgs/applications/networking/cluster/terraform-providers/update-provider 
+++ b/pkgs/applications/networking/cluster/terraform-providers/update-provider @@ -128,9 +128,12 @@ version="$(jq -r '.version' <<<"${registry_response}")" if [[ ${old_version} == "${version}" && ${force} != 1 && -z ${vendorSha256} && ${old_vendor_sha256} != "${vendorSha256}" ]]; then echo_provider "already at version ${version}" exit -else - echo_provider "updating from ${old_version} to ${version}" fi +if [[ ${version} =~ (alpha|beta|pre) && ${force} != 1 ]]; then + echo_provider "not updating to unstable version ${version}" + exit +fi +echo_provider "updating from ${old_version} to ${version}" update_attr version "${version}" provider_source_url="$(jq -r '.source' <<<"${registry_response}")" diff --git a/pkgs/applications/science/biology/EZminc/default.nix b/pkgs/applications/science/biology/EZminc/default.nix index a2ba038c059..6c140b03ee4 100644 --- a/pkgs/applications/science/biology/EZminc/default.nix +++ b/pkgs/applications/science/biology/EZminc/default.nix @@ -25,5 +25,6 @@ stdenv.mkDerivation rec { maintainers = with maintainers; [ bcdarwin ]; platforms = platforms.unix; license = licenses.free; + broken = true; # ITK5 compatibility issue (https://github.com/BIC-MNI/EZminc/issues/15) }; } diff --git a/pkgs/development/compilers/vlang/default.nix b/pkgs/development/compilers/vlang/default.nix index 0601022df61..64ccb2fc16e 100644 --- a/pkgs/development/compilers/vlang/default.nix +++ b/pkgs/development/compilers/vlang/default.nix 
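Review bot: The pre-release filter `${version} =~ (alpha|beta|pre)` lets release candidates and development builds through, because a suffix such as `-rc1` or `-dev` (constructed examples) matches none of the three words, so the updater can still pin an unstable provider build. Extending the pattern, `if [[ ${version} =~ (alpha|beta|pre|rc|dev) && ${force} != 1 ]]; then`, closes that gap. Rejecting every version that carries a hyphen suffix would be stricter still, if no provider uses hyphens in stable releases. A one-line comment above the check saying that `force=1` deliberately bypasses it would help the next maintainer.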
@@ -2,21 +2,21 @@ stdenv.mkDerivation rec { pname = "vlang"; - version = "weekly.2022.19"; + version = "weekly.2022.20"; src = fetchFromGitHub { owner = "vlang"; repo = "v"; rev = version; - sha256 = "1bl91j3ip3i84jq3wg03sflllxv38sv4dc072r302rl2g9f4dbg6"; + sha256 = "1isbyfs98bdbm2qjf7q4bqbpsmdiqlavn3gznwr12bkvhnsf4j3x"; }; # Required for bootstrap. vc = fetchFromGitHub { owner = "vlang"; repo = "vc"; - rev = "a298ad7069f6333ef8ab59a616654fc74e04c847"; - sha256 = "168cgq6451hcgsxzyd8vq11g01642bs5kkwxqh6rz3rnc86ajic0"; + rev = "167f262866090493650f58832d62d910999dd5a4"; + sha256 = "1xax8355qkrccjcmx24gcab88xnrqj15mhqy0bgp3v2rb1hw1n3a"; }; # Required for vdoc. @@ -27,11 +27,6 @@ stdenv.mkDerivation rec { sha256 = "0cawzizr3rjz81blpvxvxrcvcdai1adj66885ss390444qq1fnv7"; }; - # vcreate_test.v requires git, so we must disable it. - patches = [ - ./disable_vcreate_test.patch - ]; - propagatedBuildInputs = [ glfw freetype openssl ] ++ lib.optional stdenv.hostPlatform.isUnix upx; @@ -42,9 +37,16 @@ stdenv.mkDerivation rec { "VC=${vc}" ]; - prePatch = '' + preBuild = '' export HOME=$(mktemp -d) - cp cmd/tools/vcreate_test.v $HOME/vcreate_test.v + ''; + + # vcreate_test.v requires git, so we must remove it when building the tools. + # vtest.v fails on Darwin, so let's just disable it for now. + preInstall = '' + mv cmd/tools/vcreate_test.v $HOME/vcreate_test.v + '' + lib.optionalString stdenv.isDarwin '' + mv cmd/tools/vtest.v $HOME/vtest.v ''; installPhase = '' 
@@ -64,12 +66,16 @@ stdenv.mkDerivation rec { $out/lib/v -v $out/lib/cmd/tools/vast $out/lib/v -v $out/lib/cmd/tools/vvet - # Return the pre-patch vcreate_test.v now that we no longer need the alteration. - cp $HOME/vcreate_test.v $out/lib/cmd/tools/vcreate_test.v - runHook postInstall ''; + # Return vcreate_test.v and vtest.v, so the user can use it. + postInstall = '' + cp $HOME/vcreate_test.v $out/lib/cmd/tools/vcreate_test.v + '' + lib.optionalString stdenv.isDarwin '' + cp $HOME/vtest.v $out/lib/cmd/tools/vtest.v + ''; + meta = with lib; { homepage = "https://vlang.io/"; description = "Simple, fast, safe, compiled language for developing maintainable software"; diff --git a/pkgs/development/compilers/vlang/disable_vcreate_test.patch b/pkgs/development/compilers/vlang/disable_vcreate_test.patch deleted file mode 100644 index 85ed867c83e..00000000000 --- a/pkgs/development/compilers/vlang/disable_vcreate_test.patch +++ /dev/null 
@@ -1,133 +0,0 @@ -diff --git a/cmd/tools/vcreate_test.v b/cmd/tools/vcreate_test.v -index 3d07f4773..de8a202df 100644 ---- a/cmd/tools/vcreate_test.v -+++ b/cmd/tools/vcreate_test.v -@@ -2,127 +2,6 @@ import os - - const test_path = 'vcreate_test' - --fn init_and_check() ? { -- os.execute_or_exit('${os.quoted_path(@VEXE)} init') -- -- assert os.read_file('vcreate_test.v') ? == [ -- 'module main\n', -- 'fn main() {', -- " println('Hello World!')", -- '}', -- '', -- ].join_lines() -- -- assert os.read_file('v.mod') ? == [ -- 'Module {', -- " name: 'vcreate_test'", -- " description: ''", -- " version: ''", -- " license: ''", -- ' dependencies: []', -- '}', -- '', -- ].join_lines() -- -- assert os.read_file('.gitignore') ? == [ -- '# Binaries for programs and plugins', -- 'main', -- 'vcreate_test', -- '*.exe', -- '*.exe~', -- '*.so', -- '*.dylib', -- '*.dll', -- 'vls.log', -- '', -- ].join_lines() -- -- assert os.read_file('.gitattributes') ? == [ -- '*.v linguist-language=V text=auto eol=lf', -- '*.vv linguist-language=V text=auto eol=lf', -- '*.vsh linguist-language=V text=auto eol=lf', -- '**/v.mod linguist-language=V text=auto eol=lf', -- '', -- ].join_lines() -- -- assert os.read_file('.editorconfig') ? == [ -- '[*]', -- 'charset = utf-8', -- 'end_of_line = lf', -- 'insert_final_newline = true', -- 'trim_trailing_whitespace = true', -- '', -- '[*.v]', -- 'indent_style = tab', -- 'indent_size = 4', -- '', -- ].join_lines() --} -- - fn test_v_init() ? { -- dir := os.join_path(os.temp_dir(), test_path) -- os.rmdir_all(dir) or {} -- os.mkdir(dir) or {} -- defer { -- os.rmdir_all(dir) or {} -- } -- os.chdir(dir) ? -- -- init_and_check() ? --} -- --fn test_v_init_in_git_dir() ? { -- dir := os.join_path(os.temp_dir(), test_path) -- os.rmdir_all(dir) or {} -- os.mkdir(dir) or {} -- defer { -- os.rmdir_all(dir) or {} -- } -- os.chdir(dir) ? -- os.execute_or_exit('git init .') -- init_and_check() ? --} -- --fn test_v_init_no_overwrite_gitignore() ? 
{ -- dir := os.join_path(os.temp_dir(), test_path) -- os.rmdir_all(dir) or {} -- os.mkdir(dir) or {} -- os.write_file('$dir/.gitignore', 'blah') ? -- defer { -- os.rmdir_all(dir) or {} -- } -- os.chdir(dir) ? -- -- os.execute_or_exit('${os.quoted_path(@VEXE)} init') -- -- assert os.read_file('.gitignore') ? == 'blah' --} -- --fn test_v_init_no_overwrite_gitattributes_and_editorconfig() ? { -- git_attributes_content := '*.v linguist-language=V text=auto eol=lf' -- editor_config_content := '[*] --charset = utf-8 --end_of_line = lf --insert_final_newline = true --trim_trailing_whitespace = true -- --[*.v] --indent_style = tab --indent_size = 4 --' -- -- dir := os.join_path(os.temp_dir(), test_path) -- os.rmdir_all(dir) or {} -- os.mkdir(dir) or {} -- os.write_file('$dir/.gitattributes', git_attributes_content) ? -- os.write_file('$dir/.editorconfig', editor_config_content) ? -- defer { -- os.rmdir_all(dir) or {} -- } -- os.chdir(dir) ? -- -- os.execute_or_exit('${os.quoted_path(@VEXE)} init') -- -- assert os.read_file('.gitattributes') ? == git_attributes_content -- assert os.read_file('.editorconfig') ? == editor_config_content -+ println('vcreate_test disabled') - } diff --git a/pkgs/development/libraries/libnih/default.nix b/pkgs/development/libraries/libnih/default.nix deleted file mode 100644 index fbe01bf4062..00000000000 --- a/pkgs/development/libraries/libnih/default.nix +++ /dev/null 
@@ -1,25 +0,0 @@ -{ lib, stdenv, fetchurl, pkg-config, dbus, expat }: - -let version = "1.0.3"; in - -stdenv.mkDerivation { - pname = "libnih"; - inherit version; - - src = fetchurl { - url = "https://code.launchpad.net/libnih/1.0/${version}/+download/libnih-${version}.tar.gz"; - sha256 = "01glc6y7z1g726zwpvp2zm79pyb37ki729jkh45akh35fpgp4xc9"; - }; - - nativeBuildInputs = [ pkg-config ]; - buildInputs = [ dbus expat ]; - - doCheck = false; # fails 1 of 17 test - - meta = { - description = "A small library for C application development"; - homepage = "https://launchpad.net/libnih"; - license = lib.licenses.gpl2; - platforms = lib.platforms.linux; - }; -} diff --git a/pkgs/development/libraries/podofo/default.nix b/pkgs/development/libraries/podofo/default.nix index ee99ab5de6f..c4aab614915 100644 --- a/pkgs/development/libraries/podofo/default.nix +++ b/pkgs/development/libraries/podofo/default.nix @@ -3,12 +3,12 @@ }: stdenv.mkDerivation rec { - version = "0.9.7"; + version = "0.9.8"; pname = "podofo"; src = fetchurl { url = "mirror://sourceforge/podofo/${pname}-${version}.tar.gz"; - sha256 = "1f0yvkx6nf99fp741w2y706d8bs9824x1z2gqm3rdy5fv8bfgwkw"; + sha256 = "sha256-XeYH4V8ZK4rZBzgwB1nYjeoPXM3OO/AASKDJMrxkUVQ="; }; outputs = [ "out" "dev" "lib" ]; diff --git a/pkgs/development/libraries/science/math/lrs/default.nix b/pkgs/development/libraries/science/math/lrs/default.nix index 063fead1165..ae5beb0f09e 100644 --- a/pkgs/development/libraries/science/math/lrs/default.nix +++ b/pkgs/development/libraries/science/math/lrs/default.nix @@ -2,11 +2,11 @@ stdenv.mkDerivation rec { pname = "lrs"; - version = "7.0"; + version = "7.2"; src = fetchurl { - url = "http://cgm.cs.mcgill.ca/~avis/C/lrslib/archive/lrslib-070.tar.gz"; - sha256 = "1zjdmkjracz695k73c2pvipc0skpyn1wzagkhilsvcw9pqljpwg9"; + url = "http://cgm.cs.mcgill.ca/~avis/C/lrslib/archive/lrslib-072.tar.gz"; + sha256 = "1w1jsnfgny8cihndr5gfm99pvwp48qsvxkqfsi2q87gd3m57aj7w"; }; buildInputs = [ gmp ]; 
diff --git a/pkgs/development/python-modules/bc-python-hcl2/default.nix b/pkgs/development/python-modules/bc-python-hcl2/default.nix index 8d5c2d7d4c2..56773e372b4 100644 --- a/pkgs/development/python-modules/bc-python-hcl2/default.nix +++ b/pkgs/development/python-modules/bc-python-hcl2/default.nix @@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "bc-python-hcl2"; - version = "0.3.39"; + version = "0.3.40"; format = "setuptools"; disabled = pythonOlder "3.6"; src = fetchPypi { inherit pname version; - hash = "sha256-JMQ2sLgAnMJ1/0nR8LgKbpPB43gVKtCtrZKr/T4p0O8="; + hash = "sha256-4we2Txk7kJ1SrCa82eQJ9OsqyTkFzocNi+GG7cV+OAc="; }; # Nose is required during build process, so can not use `checkInputs`. diff --git a/pkgs/development/python-modules/cvxpy/default.nix b/pkgs/development/python-modules/cvxpy/default.nix index 73609966ba8..033af1fb5d9 100644 --- a/pkgs/development/python-modules/cvxpy/default.nix +++ b/pkgs/development/python-modules/cvxpy/default.nix @@ -16,14 +16,14 @@ buildPythonPackage rec { pname = "cvxpy"; - version = "1.2.0"; + version = "1.2.1"; format = "pyproject"; disabled = pythonOlder "3.5"; src = fetchPypi { inherit pname version; - sha256 = "sha256-QURm/ehJovqr/ZRE7ILKLnvxQsAdcjdSTPlzCt60IBw="; + sha256 = "sha256-bWdkJkPR3bLyr1m0Zrh9QsSi42eDGte0PDO1nu+ltQ4="; }; propagatedBuildInputs = [ diff --git a/pkgs/development/python-modules/ipympl/default.nix b/pkgs/development/python-modules/ipympl/default.nix index 226fea5b621..d17a4a85c3b 100644 --- a/pkgs/development/python-modules/ipympl/default.nix +++ b/pkgs/development/python-modules/ipympl/default.nix @@ -8,12 +8,12 @@ buildPythonPackage rec { pname = "ipympl"; - version = "0.9.0"; + version = "0.9.1"; format = "wheel"; src = fetchPypi { inherit pname version format; - sha256 = "sha256-HpO3T/zRbimxd1+nUkbSmclj7nPsMYuSUK0VJItZQs4="; + sha256 = "sha256-NQW0ctQSF4/RFeJVdk0efnYy1sgunebWKyVDijU3RoA="; }; 
diff --git a/pkgs/development/python-modules/pg8000/default.nix b/pkgs/development/python-modules/pg8000/default.nix index 9179448227f..b3ac256e0bb 100644 --- a/pkgs/development/python-modules/pg8000/default.nix +++ b/pkgs/development/python-modules/pg8000/default.nix @@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "pg8000"; - version = "1.27.1"; + version = "1.28.0"; format = "setuptools"; disabled = pythonOlder "3.6"; src = fetchPypi { inherit pname version; - sha256 = "sha256-1qWDg0hZM0TyDrNa2kcqdy0yFFgm8u/ljb4bZeqZ6JA="; + sha256 = "sha256-Q1E949TjeOc6xEKpOQa6qdNWJFqmeqf2FgXFbjmn9ZE="; }; propagatedBuildInputs = [ diff --git a/pkgs/development/tools/analysis/checkov/default.nix b/pkgs/development/tools/analysis/checkov/default.nix index eadeec8acce..743405be6a7 100644 --- a/pkgs/development/tools/analysis/checkov/default.nix +++ b/pkgs/development/tools/analysis/checkov/default.nix @@ -32,13 +32,13 @@ with py.pkgs; buildPythonApplication rec { pname = "checkov"; - version = "2.0.1140"; + version = "2.0.1143"; src = fetchFromGitHub { owner = "bridgecrewio"; repo = pname; rev = version; - hash = "sha256-aGO5mjBsUwpLIv73pZH1la6tyGByznTrjkW9dojkXwg="; + hash = "sha256-Kl9/wbjiQ46ysmnE24iQveTEzSTsVF5FHRqG3WWz3DQ="; }; nativeBuildInputs = with py.pkgs; [ @@ -94,6 +94,7 @@ buildPythonApplication rec { postPatch = '' substituteInPlace setup.py \ + --replace "bc-python-hcl2==0.3.39" "bc-python-hcl2>=0.3.39" \ --replace "cyclonedx-python-lib>=0.11.0,<1.0.0" "cyclonedx-python-lib>=0.11.0" \ --replace "prettytable>=3.0.0" "prettytable" \ --replace "pycep-parser==0.3.4" "pycep-parser" diff --git a/pkgs/development/tools/dump_syms/default.nix b/pkgs/development/tools/dump_syms/default.nix index a8c6821f27f..08788878cc9 100644 --- a/pkgs/development/tools/dump_syms/default.nix +++ b/pkgs/development/tools/dump_syms/default.nix @@ -1,8 +1,12 @@ { lib +, stdenv , rustPlatform , fetchFromGitHub , pkg-config , openssl + +# darwin +, Security }: let 
@@ -27,6 +31,8 @@ rustPlatform.buildRustPackage { buildInputs = [ openssl + ] ++ lib.optionals (stdenv.isDarwin) [ + Security ]; checkFlags = [ diff --git a/pkgs/development/tools/ocaml/dune/3.nix b/pkgs/development/tools/ocaml/dune/3.nix index de661948b9c..009c3cb6fe2 100644 --- a/pkgs/development/tools/ocaml/dune/3.nix +++ b/pkgs/development/tools/ocaml/dune/3.nix @@ -6,11 +6,11 @@ else stdenv.mkDerivation rec { pname = "dune"; - version = "3.1.1"; + version = "3.2.0"; src = fetchurl { - url = "https://github.com/ocaml/dune/releases/download/${version}/fiber-${version}.tbz"; - sha256 = "sha256-AkhEVKsbmYhAx4c1CexrIwHrkmYsEy749fT1abNaa2A="; + url = "https://github.com/ocaml/dune/releases/download/${version}/chrome-trace-${version}.tbz"; + sha256 = "sha256-vR+85q557R6yb6ibsuLiOXivzrP1P1V4zxvasIoa1bw="; }; nativeBuildInputs = [ ocaml findlib ]; diff --git a/pkgs/servers/icingaweb2/ipl.nix b/pkgs/servers/icingaweb2/ipl.nix index e9075d7d043..9d21951a299 100644 --- a/pkgs/servers/icingaweb2/ipl.nix +++ b/pkgs/servers/icingaweb2/ipl.nix @@ -2,13 +2,13 @@ stdenvNoCC.mkDerivation rec { pname = "icingaweb2-ipl"; - version = "0.8.0"; + version = "0.8.1"; src = fetchFromGitHub { owner = "Icinga"; repo = "icinga-php-library"; rev = "v${version}"; - sha256 = "sha256:05k0qcd5c5xb124dpp6lvfdh4dzf6bkd34v4sy7aj776p4hrlqx2"; + sha256 = "sha256:0ndd4gd26rglbz85izfvqc4ghcfa7wpq6ghrhggbzg819phndg5a"; }; installPhase = '' diff --git a/pkgs/servers/invidious/lsquic.nix b/pkgs/servers/invidious/lsquic.nix index 9c3bc68615c..ca04c97c128 100644 --- a/pkgs/servers/invidious/lsquic.nix +++ b/pkgs/servers/invidious/lsquic.nix 
@@ -1,11 +1,19 @@ -{ lib, boringssl, stdenv, fetchgit, fetchFromGitHub, cmake, zlib, perl, libevent, gcc10Stdenv, buildGoModule }: +{ lib, boringssl, stdenv, fetchgit, fetchFromGitHub, fetchurl, cmake, zlib, perl, libevent }: let versions = builtins.fromJSON (builtins.readFile ./versions.json); - buildGoModuleGcc10 = buildGoModule.override { stdenv = gcc10Stdenv; }; + fetchGitilesPatch = { name, url, sha256 }: + fetchurl { + url = "${url}%5E%21?format=TEXT"; + inherit name sha256; + downloadToTemp = true; + postFetch = '' + base64 -d < $downloadedFile > $out + ''; + }; # lsquic requires a specific boringssl version (noted in its README) - boringssl' = (boringssl.overrideAttrs (old: { + boringssl' = boringssl.overrideAttrs ({ preBuild, ... }: { version = versions.boringssl.rev; src = fetchgit { url = "https://boringssl.googlesource.com/boringssl"; 
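Review bot: `fetchGitilesPatch` has no comment explaining its URL suffix and decode step, which makes the pinned hashes hard to re-derive when one of the backports has to be replaced. A comment above the helper would cover it: `# Gitiles serves commit diffs only base64-encoded (?format=TEXT); %5E%21 is the URL-encoded "^!" suffix selecting this commit alone. sha256 is taken over the decoded patch written to $out.` Because the patch text is rendered by the Gitiles server rather than stored as a file, its byte-for-byte stability across server changes is presumably not guaranteed, and that is worth noting next to the hashes.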
@@ -15,10 +23,43 @@ let patches = [ # Use /etc/ssl/certs/ca-certificates.crt instead of /etc/ssl/cert.pem ./use-etc-ssl-certs.patch + + # because lsquic requires that specific boringssl version and that + # version does not yet include fixes for gcc11 build errors, they + # must be backported + (fetchGitilesPatch { + name = "fix-mismatch-between-header-and-implementation-of-bn_sqr_comba8.patch"; + url = "https://boringssl.googlesource.com/boringssl/+/139adff9b27eaf0bdaac664ec4c9a7db2fe3f920"; + sha256 = "05sp602dvh50v46jkzmh4sf4wqnq5bwy553596g2rhxg75bailjj"; + }) + (fetchGitilesPatch { + name = "use-an-unsized-helper-for-truncated-SHA-512-variants.patch"; + url = "https://boringssl.googlesource.com/boringssl/+/a24ab549e6ae246b391155d7bed3790ac0e07de2"; + sha256 = "0483jkpg4g64v23ln2blb74xnmzdjcn3r7w4zk7nfg8j3q5f9lxm"; + }) +/* + # the following patch is too complex, so we will modify the build flags + # of crypto/fipsmodule/CMakeFiles/fipsmodule.dir/bcm.c.o in preBuild + # and turn off -Werror=stringop-overflow + (fetchGitilesPatch { + name = "make-md32_common.h-single-included-and-use-an-unsized-helper-for-SHA-256.patch"; + url = "https://boringssl.googlesource.com/boringssl/+/597ffef971dd980b7de5e97a0c9b7ca26eec94bc"; + sha256 = "1y0bkkdf1ccd6crx326agp01q22clm4ai4p982y7r6dkmxmh52qr"; + }) +*/ + (fetchGitilesPatch { + name = "fix-array-parameter-warnings.patch"; + url = "https://boringssl.googlesource.com/boringssl/+/92c6fbfc4c44dc8462d260d836020d2b793e7804"; + sha256 = "0h4sl95i8b0dj0na4ngf50wg54raxyjxl1zzwdc810abglp10vnv"; + }) ]; - })).override { - buildGoModule = buildGoModuleGcc10; - }; + + preBuild = '' + ${preBuild} + sed -e '/^build crypto\/fipsmodule\/CMakeFiles\/fipsmodule\.dir\/bcm\.c\.o:/,/^ *FLAGS =/ s/^ *FLAGS = -Werror/& -Wno-error=stringop-overflow/' \ + -i build.ninja + ''; + }); in stdenv.mkDerivation rec { pname = "lsquic"; diff --git a/pkgs/servers/invidious/shards.nix b/pkgs/servers/invidious/shards.nix index 582a4083e7d..e5f297d902c 100644 
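Review bot: The commented-out backport is justified only as "too complex", while the `preBuild` sed downgrades `-Werror=stringop-overflow` for `crypto/fipsmodule/bcm.c`, the compilation unit of the FIPS module. The comment should record whether upstream commit 597ffef971dd removes a real out-of-bounds access or only a GCC 11 false positive, so that the suppression can be judged later without re-reading the upstream change. Separately, `${preBuild}` relies on the `{ preBuild, ... }:` pattern in the `overrideAttrs` call of the previous hunk, which fails at evaluation time if boringssl ever stops defining `preBuild`; `old: { … preBuild = ''${old.preBuild or ""} … ''; }` is the tolerant form.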
--- a/pkgs/servers/invidious/shards.nix +++ b/pkgs/servers/invidious/shards.nix @@ -20,14 +20,14 @@ exception_page = { owner = "crystal-loot"; repo = "exception_page"; - rev = "v0.2.0"; - sha256 = "0nlgnh5iykbr1v2132342k2mz6s2laws6nkgqsqlwhhcr4gb4jcx"; + rev = "v0.2.2"; + sha256 = "1c8askb9b7621jjz5pjj6b8pdbhw3r1l3dym6swg1saspf5j3jwi"; }; kemal = { owner = "kemalcr"; repo = "kemal"; - rev = "v1.1.0"; - sha256 = "07vlvddy4mba9li2bvskzqzywwq55cyvlgkz13q6dsl4zfgc96ca"; + rev = "v1.1.2"; + sha256 = "1149q4qw0zrws5asqqr4snrdi67xsmisdcq58zcrbgqgsxgly9d0"; }; kilt = { owner = "jeromegn"; diff --git a/pkgs/servers/invidious/update.sh b/pkgs/servers/invidious/update.sh index 580d6136388..bf43fbb4b36 100755 --- a/pkgs/servers/invidious/update.sh +++ b/pkgs/servers/invidious/update.sh @@ -41,7 +41,7 @@ git -C "$git_dir" fetch origin "$git_branch" # because there might still be commits coming # use the day of the latest commit we picked as version new_rev=$(git -C "$git_dir" log -n 1 --format='format:%H' --before="${today}T00:00:00Z" "origin/$git_branch") -new_version="unstable-$(git -C "$git_dir" log -n 1 --format='format:%cs' "$new_rev")" +new_version="unstable-$(TZ=UTC git -C "$git_dir" log -n 1 --date='format-local:%Y-%m-%d' --format='%cd' "$new_rev")" info "latest commit before $today: $new_rev" if [ "$new_rev" = "$old_rev" ]; then diff --git a/pkgs/servers/invidious/versions.json b/pkgs/servers/invidious/versions.json index cec068a09bf..40f8bb04182 100644 --- a/pkgs/servers/invidious/versions.json +++ b/pkgs/servers/invidious/versions.json 
@@ -4,15 +4,15 @@ "sha256": "sha256-EU6T9yQCdOLx98Io8o01rEsgxDFF/Xoy42LgPopD2/A=" }, "invidious": { - "rev": "ed265cfdcd131b9df5398d899cc5d7036a5b7846", - "sha256": "0hhnq4s0slwbgxra7gxapl7dcz60a7k71cndi4crqcikmazzac3b", - "version": "unstable-2022-03-16" + "rev": "ca27e096f3249533cc7a9b123a8a8378f3312bb7", + "sha256": "0xjdzxnw6b5lk8pr82sjj60wfzxqkyamh0gpf2wxby52jvlbdcka", + "version": "unstable-2022-05-11" }, "lsquic": { "sha256": "sha256-hG8cUvhbCNeMOsKkaJlgGpzUrIx47E/WhmPIdI5F3qM=", "version": "2.18.1" }, "videojs": { - "sha256": "0b4vxd29kpvy60yhqm376r1872gds17s6wljqw0zlr16j762k50r" + "sha256": "0m09pc9acpzhfwwvc9dayl60nn28skmmglgvmlp48dlkqgfbgc27" } } diff --git a/pkgs/servers/monitoring/icinga2/default.nix b/pkgs/servers/monitoring/icinga2/default.nix index a674aca2a37..643e505d794 100644 --- a/pkgs/servers/monitoring/icinga2/default.nix +++ b/pkgs/servers/monitoring/icinga2/default.nix @@ -9,13 +9,13 @@ stdenv.mkDerivation rec { pname = "icinga2${nameSuffix}"; - version = "2.13.2"; + version = "2.13.3"; src = fetchFromGitHub { owner = "icinga"; repo = "icinga2"; rev = "v${version}"; - sha256 = "sha256:1ijvav2ymgq1i8jycrqbp2y4r54y0dkwjnwxc20bmcixxh877zdn"; + sha256 = "sha256:1z8wzhlhl8vb7m8axvayfyqgf86lz67gaa02n3r17049vwswdgmb"; }; patches = [ diff --git a/pkgs/tools/admin/syft/default.nix b/pkgs/tools/admin/syft/default.nix index 0f7d3806182..4a74b851b34 100644 --- a/pkgs/tools/admin/syft/default.nix +++ b/pkgs/tools/admin/syft/default.nix @@ -2,13 +2,13 @@ buildGoModule rec { pname = "syft"; - version = "0.45.1"; + version = "0.46.1"; src = fetchFromGitHub { owner = "anchore"; repo = pname; rev = "v${version}"; - sha256 = "sha256-oexsu52x9rAqwTVxTVHzKPuaIfvg5lvvuBmKcnb2Yew="; + sha256 = "sha256-ojjudnS0yJZ6YoHmq4m0YKyCqq9Ge+AFU7ejlPop71w="; # populate values that require us to use git. By doing this in postFetch we # can delete .git afterwards and maintain better reproducibility of the src. leaveDotGit = true; 
@@ -20,11 +20,11 @@ buildGoModule rec { find "$out" -name .git -print0 | xargs -0 rm -rf ''; }; - vendorSha256 = "sha256-d6ZBWX4/lgh610fBLTE1EUqZmpctLfxi2PSRifH+1jg="; + vendorSha256 = "sha256-nb7QcdmwAfYDTzCFNjs7uKwK/gng2iMD36ANaFSsftk="; nativeBuildInputs = [ installShellFiles ]; - subPackages = [ "." ]; + subPackages = [ "cmd/syft" ]; ldflags = [ "-s" @@ -52,6 +52,17 @@ buildGoModule rec { --zsh <($out/bin/syft completion zsh) ''; + doInstallCheck = true; + installCheckPhase = '' + runHook preInstallCheck + + export SYFT_CHECK_FOR_APP_UPDATE=false + $out/bin/syft --help + $out/bin/syft version | grep "${version}" + + runHook postInstallCheck + ''; + meta = with lib; { homepage = "https://github.com/anchore/syft"; changelog = "https://github.com/anchore/syft/releases/tag/v${version}"; diff --git a/pkgs/tools/misc/fontforge/default.nix b/pkgs/tools/misc/fontforge/default.nix index 3de016bf6d6..aa3d16a5fa5 100644 --- a/pkgs/tools/misc/fontforge/default.nix +++ b/pkgs/tools/misc/fontforge/default.nix @@ -63,7 +63,6 @@ stdenv.mkDerivation rec { ++ lib.optional (!withGTK) "-DENABLE_X11=ON" ++ lib.optional withExtras "-DENABLE_FONTFORGE_EXTRAS=ON"; - # work-around: git isn't really used, but configuration fails without it preConfigure = '' # The way $version propagates to $version of .pe-scripts (https://github.com/dejavu-fonts/dejavu-fonts/blob/358190f/scripts/generate.pe#L19) export SOURCE_DATE_EPOCH=$(date -d ${version} +%s) diff --git a/pkgs/tools/nix/npins/default.nix b/pkgs/tools/nix/npins/default.nix new file mode 100644 index 00000000000..8324a2d8900 --- /dev/null +++ b/pkgs/tools/nix/npins/default.nix 
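Review bot: In `installCheckPhase`, `grep "${version}"` treats the dots of the version as regex wildcards and matches anywhere in the output, so the version check is looser than it reads; `$out/bin/syft version | grep -F "${version}"` compares the literal string. The `export SYFT_CHECK_FOR_APP_UPDATE=false` line would benefit from a short comment, e.g. `# keep the check from attempting an update lookup inside the sandbox`, since the reason is presumably the network access and is not stated.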
@@ -0,0 +1,44 @@ +{ lib +, rustPlatform +, fetchFromGitHub +, nix-gitignore +, makeWrapper +, stdenv +, darwin +, callPackage + + # runtime dependencies +, nix # for nix-prefetch-url +, nix-prefetch-git +, git # for git ls-remote +}: + +let + runtimePath = lib.makeBinPath [ nix nix-prefetch-git git ]; + sources = (builtins.fromJSON (builtins.readFile ./sources.json)).pins; +in rustPlatform.buildRustPackage rec { + pname = "npins"; + version = src.version; + src = passthru.mkSource sources.npins; + + cargoSha256 = "0rwnzkmx91cwcz9yw0rbbqv73ba6ggim9f4qgz5pgy6h696ld2k8"; + + buildInputs = lib.optional stdenv.isDarwin (with darwin.apple_sdk.frameworks; [ Security ]); + nativeBuildInputs = [ makeWrapper ]; + + # (Almost) all tests require internet + doCheck = false; + + postFixup = '' + wrapProgram $out/bin/npins --prefix PATH : "${runtimePath}" + ''; + + meta = with lib; { + description = "Simple and convenient dependency pinning for Nix"; + homepage = "https://github.com/andir/npins"; + license = licenses.eupl12; + maintainers = with maintainers; [ piegames ]; + }; + + passthru.mkSource = callPackage ./source.nix {}; +} diff --git a/pkgs/tools/nix/npins/source.nix b/pkgs/tools/nix/npins/source.nix new file mode 100644 index 00000000000..8c9e47204af --- /dev/null +++ b/pkgs/tools/nix/npins/source.nix 
@@ -0,0 +1,57 @@
+# Not part of the public API – for use within nixpkgs only
+#
+# Usage:
+# ```nix
+# let
+# sources = builtins.fromJSON (builtins.readFile ./sources.json);
+# in mkMyDerivation rec {
+# version = src.version; # This obviously only works for releases
+# src = pkgs.npins.mkSource sources.mySource;
+# }
+# ```
+
+{ fetchgit
+, fetchzip
+, fetchurl
+}:
+let
+ mkSource = spec:
+ assert spec ? type; let
+ path =
+ if spec.type == "Git" then mkGitSource spec
+ else if spec.type == "GitRelease" then mkGitSource spec
+ else if spec.type == "PyPi" then mkPyPiSource spec
+ else if spec.type == "Channel" then mkChannelSource spec
+ else throw "Unknown source type ${spec.type}";
+ in
+ spec // { outPath = path; };
+
+ mkGitSource = { repository, revision, url ? null, hash, ... }:
+ assert repository ? type;
+ # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
+ # In the latter case, there we will always be an url to the tarball
+ if url != null then
+ (fetchzip {
+ inherit url;
+ sha256 = hash;
+ extension = "tar";
+ })
+ else assert repository.type == "Git"; fetchgit {
+ url = repository.url;
+ rev = revision;
+ };
+
+ mkPyPiSource = { url, hash, ... }:
+ fetchurl {
+ inherit url;
+ sha256 = hash;
+ };
+
+ mkChannelSource = { url, hash, ... }:
+ fetchzip {
+ inherit url;
+ sha256 = hash;
+ extension = "tar";
+ };
+in
+ mkSource
diff --git a/pkgs/tools/nix/npins/sources.json b/pkgs/tools/nix/npins/sources.json
new file mode 100644
index 00000000000..0481abe3f97
--- /dev/null
+++ b/pkgs/tools/nix/npins/sources.json
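Review bot: In `mkGitSource` (pkgs/tools/nix/npins/source.nix), the plain-Git branch calls `fetchgit` with only `url` and `rev`, so the pinned `hash` that the function destructures is never used there. The `fetchzip` and `fetchurl` branches all set `sha256 = hash`, but on this path the fetched tree is not checked against the value recorded in sources.json. Depending on how `fetchgit` handles a missing hash, the build may also simply fail. Passing the pin through keeps every source type integrity-checked: `else assert repository.type == "Git"; fetchgit { url = repository.url; rev = revision; sha256 = hash; }`. This assumes the hash npins records for plain Git pins is the `fetchgit` output hash.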
@@ -0,0 +1,19 @@ +{ + "pins": { + "npins": { + "type": "GitRelease", + "repository": { + "type": "GitHub", + "owner": "andir", + "repo": "npins" + }, + "pre_releases": false, + "version_upper_bound": null, + "version": "0.1.0", + "revision": "5c9253ff6010f435ab73fbe1e50ae0fdca0ec07b", + "url": "https://api.github.com/repos/andir/npins/tarball/0.1.0", + "hash": "019fr9xsirld8kap75k18in3krkikqhjn4mglpy3lyhbhc5n1kh6" + } + }, + "version": 2 +} diff --git a/pkgs/tools/security/witness/default.nix b/pkgs/tools/security/witness/default.nix index 921d524be6a..f443d765b57 100644 --- a/pkgs/tools/security/witness/default.nix +++ b/pkgs/tools/security/witness/default.nix @@ -2,15 +2,15 @@ buildGoModule rec { pname = "witness"; - version = "0.1.7"; + version = "0.1.8"; src = fetchFromGitHub { owner = "testifysec"; repo = pname; rev = "v${version}"; - sha256 = "sha256-fkY3/UmHzggmysrae8VCY3NMBxC/LcWoQcXBELEzJlM="; + sha256 = "sha256-i76sw5ysWDZwuNt7CYtpVy9mEV643i4YaMxksglyPWw="; }; - vendorSha256 = "sha256-ajWIjQXLvFQB1AVYyGjyWMrWIyue/d1uU5HHNf4/UcU="; + vendorSha256 = "sha256-A3fnAWEJ7SeUnDfIIOkbHIhUBRB8INcqMleOLL3LHF0="; nativeBuildInputs = [ installShellFiles ]; diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index b93ba9744ca..7c660e81d18 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -679,6 +679,7 @@ mapAliases ({ liblastfm = libsForQt5.liblastfm; # Added 2020-06-14 liblrdf = throw "'liblrdf' has been renamed to/replaced by 'lrdf'"; # Converted to throw 2022-02-22 libmsgpack = throw "'libmsgpack' has been renamed to/replaced by 'msgpack'"; # Converted to throw 2022-02-22 + libnih = throw "'libnih' has been removed"; # Converted to throw 2022-05-17 libosmpbf = throw "libosmpbf was removed because it is no longer required by osrm-backend"; libpng_apng = throw "libpng_apng has been removed, because it is equivalent to libpng"; # Added 2021-03-21 libpulseaudio-vanilla = libpulseaudio; # Added 2022-04-20 
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 53c335dc5a9..f647eb86a16 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -4015,6 +4015,8 @@ with pkgs; notify = callPackage ../tools/misc/notify { }; + npins = callPackage ../tools/nix/npins { }; + nrsc5 = callPackage ../applications/misc/nrsc5 { }; nsync = callPackage ../development/libraries/nsync { }; @@ -5309,7 +5311,9 @@ with pkgs; autoreconfHook = buildPackages.autoreconfHook269; }; - dump_syms = callPackage ../development/tools/dump_syms { }; + dump_syms = callPackage ../development/tools/dump_syms { + inherit (darwin.apple_sdk.frameworks) Security; + }; dumptorrent = callPackage ../tools/misc/dumptorrent { }; @@ -19009,8 +19013,6 @@ with pkgs; libnftnl = callPackage ../development/libraries/libnftnl { }; - libnih = callPackage ../development/libraries/libnih { }; - libnova = callPackage ../development/libraries/science/astronomy/libnova { }; libnxml = callPackage ../development/libraries/libnxml { }; @@ -23246,6 +23248,8 @@ with pkgs; linux_5_10_hardened = linuxKernel.kernels.linux_5_10_hardened; linuxPackages_5_15_hardened = linuxKernel.packages.linux_5_15_hardened; linux_5_15_hardened = linuxKernel.kernels.linux_5_15_hardened; + linuxPackages_5_17_hardened = linuxKernel.packages.linux_5_17_hardened; + linux_5_17_hardened = linuxKernel.kernels.linux_5_17_hardened; # Hardkernel (Odroid) kernels. linuxPackages_hardkernel_latest = linuxKernel.packageAliases.linux_hardkernel_latest; diff --git a/pkgs/top-level/linux-kernels.nix b/pkgs/top-level/linux-kernels.nix index 7c892035e7f..8196811a7b2 100644 --- a/pkgs/top-level/linux-kernels.nix +++ b/pkgs/top-level/linux-kernels.nix 
@@ -236,6 +236,7 @@ in { linux_5_4_hardened = hardenedKernelFor kernels.linux_5_4 { }; linux_5_10_hardened = hardenedKernelFor kernels.linux_5_10 { }; linux_5_15_hardened = hardenedKernelFor kernels.linux_5_15 { }; + linux_5_17_hardened = hardenedKernelFor kernels.linux_5_17 { }; })); /* Linux kernel modules are inherently tied to a specific kernel. So