Merge master into haskell-updates

maintainers/maintainer-list.nix

@@ -4969,6 +4969,12 @@
     githubId = 1498782;
     name = "Jesse Haber-Kucharsky";
   };
+  hamburger1984 = {
+    email = "hamburger1984@gmail.com";
+    github = "hamburger1984";
+    githubId = 438976;
+    name = "Andreas Krohn";
+  };
   hamhut1066 = {
     email = "github@hamhut1066.com";
     github = "moredhel";
@@ -9117,6 +9123,12 @@
     githubId = 166791;
     name = "Neil Mayhew";
   };
+  nek0 = {
+    email = "nek0@nek0.eu";
+    github = "nek0";
+    githubId = 1859691;
+    name = "Amedeo Molnár";
+  };
   nelsonjeppesen = {
     email = "nix@jeppesen.io";
     github = "NelsonJeppesen";

nixos/doc/manual/from_md/installation/installing-kexec.section.xml

@@ -0,0 +1,94 @@
+<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-booting-via-kexec">
+  <title><quote>Booting</quote> into NixOS via kexec</title>
+  <para>
+    In some cases, your system might already be booted into/preinstalled
+    with another Linux distribution, and booting NixOS by attaching an
+    installation image is quite a manual process.
+  </para>
+  <para>
+    This is particularly useful for (cloud) providers where you can’t
+    boot a custom image, but get some Debian or Ubuntu installation.
+  </para>
+  <para>
+    In these cases, it might be easier to use <literal>kexec</literal>
+    to <quote>jump into NixOS</quote> from the running system, which
+    only assumes <literal>bash</literal> and <literal>kexec</literal> to
+    be installed on the machine.
+  </para>
+  <para>
+    Note that kexec may not work correctly on some hardware, as devices
+    are not fully re-initialized in the process. In practice, this
+    however is rarely the case.
+  </para>
+  <para>
+    To build the necessary files from your current version of nixpkgs,
+    you can run:
+  </para>
+  <programlisting>
+nix-build -A kexec.x86_64-linux '&lt;nixpkgs/nixos/release.nix&gt;'
+</programlisting>
+  <para>
+    This will create a <literal>result</literal> directory containing
+    the following:
+  </para>
+  <itemizedlist spacing="compact">
+    <listitem>
+      <para>
+        <literal>bzImage</literal> (the Linux kernel)
+      </para>
+    </listitem>
+    <listitem>
+      <para>
+        <literal>initrd</literal> (the initrd file)
+      </para>
+    </listitem>
+    <listitem>
+      <para>
+        <literal>kexec-boot</literal> (a shellscript invoking
+        <literal>kexec</literal>)
+      </para>
+    </listitem>
+  </itemizedlist>
+  <para>
+    These three files are meant to be copied over to the other already
+    running Linux Distribution.
+  </para>
+  <para>
+    Note it’s symlinks pointing elsewhere, so <literal>cd</literal> in,
+    and use <literal>scp * root@$destination</literal> to copy it over,
+    rather than rsync.
+  </para>
+  <para>
+    Once you finished copying, execute <literal>kexec-boot</literal>
+    <emphasis>on the destination</emphasis>, and after some seconds, the
+    machine should be booting into an (ephemeral) NixOS installation
+    medium.
+  </para>
+  <para>
+    In case you want to describe your own system closure to kexec into,
+    instead of the default installer image, you can build your own
+    <literal>configuration.nix</literal>:
+  </para>
+  <programlisting language="bash">
+{ modulesPath, ... }: {
+  imports = [
+    (modulesPath + &quot;/installer/netboot/netboot-minimal.nix&quot;)
+  ];
+
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = [
+    &quot;my-ssh-pubkey&quot;
+  ];
+}
+</programlisting>
+  <programlisting>
+nix-build '&lt;nixpkgs/nixos&gt;' \
+  --arg configuration ./configuration.nix
+  --attr config.system.build.kexecTree
+</programlisting>
+  <para>
+    Make sure your <literal>configuration.nix</literal> does still
+    import <literal>netboot-minimal.nix</literal> (or
+    <literal>netboot-base.nix</literal>).
+  </para>
+</section>

nixos/doc/manual/from_md/installation/installing.chapter.xml

@@ -638,6 +638,7 @@ $ passwd eelco
     <title>Additional installation notes</title>
     <xi:include href="installing-usb.section.xml" />
     <xi:include href="installing-pxe.section.xml" />
+    <xi:include href="installing-kexec.section.xml" />
     <xi:include href="installing-virtualbox-guest.section.xml" />
     <xi:include href="installing-from-other-distro.section.xml" />
     <xi:include href="installing-behind-a-proxy.section.xml" />

nixos/doc/manual/installation/installing-kexec.section.md

@@ -0,0 +1,64 @@
+# "Booting" into NixOS via kexec {#sec-booting-via-kexec}
+
+In some cases, your system might already be booted into/preinstalled with
+another Linux distribution, and booting NixOS by attaching an installation
+image is quite a manual process.
+
+This is particularly useful for (cloud) providers where you can't boot a custom
+image, but get some Debian or Ubuntu installation.
+
+In these cases, it might be easier to use `kexec` to "jump into NixOS" from the
+running system, which only assumes `bash` and `kexec` to be installed on the
+machine.
+
+Note that kexec may not work correctly on some hardware, as devices are not
+fully re-initialized in the process. In practice, this however is rarely the
+case.
+
+To build the necessary files from your current version of nixpkgs,
+you can run:
+
+```ShellSession
+nix-build -A kexec.x86_64-linux '<nixpkgs/nixos/release.nix>'
+```
+
+This will create a `result` directory containing the following:
+ - `bzImage` (the Linux kernel)
+ - `initrd` (the initrd file)
+ - `kexec-boot` (a shellscript invoking `kexec`)
+
+These three files are meant to be copied over to the other already running
+Linux Distribution.
+
+Note it's symlinks pointing elsewhere, so `cd` in, and use
+`scp * root@$destination` to copy it over, rather than rsync.
+
+Once you finished copying, execute `kexec-boot` *on the destination*, and after
+some seconds, the machine should be booting into an (ephemeral) NixOS
+installation medium.
+
+In case you want to describe your own system closure to kexec into, instead of
+the default installer image, you can build your own `configuration.nix`:
+
+```nix
+{ modulesPath, ... }: {
+  imports = [
+    (modulesPath + "/installer/netboot/netboot-minimal.nix")
+  ];
+
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = [
+    "my-ssh-pubkey"
+  ];
+}
+```
+
+
+```ShellSession
+nix-build '<nixpkgs/nixos>' \
+  --arg configuration ./configuration.nix
+  --attr config.system.build.kexecTree
+```
+
+Make sure your `configuration.nix` does still import `netboot-minimal.nix` (or
+`netboot-base.nix`).

nixos/doc/manual/installation/installing.chapter.md

@@ -476,6 +476,7 @@ With a partitioned disk.
 ```{=docbook}
 <xi:include href="installing-usb.section.xml" />
 <xi:include href="installing-pxe.section.xml" />
+<xi:include href="installing-kexec.section.xml" />
 <xi:include href="installing-virtualbox-guest.section.xml" />
 <xi:include href="installing-from-other-distro.section.xml" />
 <xi:include href="installing-behind-a-proxy.section.xml" />

nixos/modules/installer/kexec/kexec-boot.nix

@@ -1,51 +0,0 @@
-# This module exposes a config.system.build.kexecBoot attribute,
-# which returns a directory with kernel, initrd and a shell script
-# running the necessary kexec commands.
-
-# It's meant to be scp'ed to a machine with working ssh and kexec binary
-# installed.
-
-# This is useful for (cloud) providers where you can't boot a custom image, but
-# get some Debian or Ubuntu installation.
-
-{ pkgs
-, modulesPath
-, config
-, ...
-}:
-{
-  imports = [
-    (modulesPath + "/installer/netboot/netboot-minimal.nix")
-  ];
-
-  config = {
-    system.build.kexecBoot =
-      let
-        kexecScript = pkgs.writeScript "kexec-boot" ''
-          #!/usr/bin/env bash
-          if ! kexec -v >/dev/null 2>&1; then
-            echo "kexec not found: please install kexec-tools" 2>&1
-            exit 1
-          fi
-          SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-          kexec --load ''${SCRIPT_DIR}/bzImage \
-            --initrd=''${SCRIPT_DIR}/initrd.gz \
-            --command-line "init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
-          kexec -e
-        ''; in
-      pkgs.linkFarm "kexec-tree" [
-        {
-          name = "initrd.gz";
-          path = "${config.system.build.netbootRamdisk}/initrd";
-        }
-        {
-          name = "bzImage";
-          path = "${config.system.build.kernel}/${config.system.boot.loader.kernelFile}";
-        }
-        {
-          name = "kexec-boot";
-          path = kexecScript;
-        }
-      ];
-  };
-}

nixos/modules/installer/netboot/netboot.nix

@@ -101,6 +101,37 @@ with lib;
       boot
     '';
 
+    # A script invoking kexec on ./bzImage and ./initrd.gz.
+    # Usually used through system.build.kexecTree, but exposed here for composability.
+    system.build.kexecScript = pkgs.writeScript "kexec-boot" ''
+      #!/usr/bin/env bash
+      if ! kexec -v >/dev/null 2>&1; then
+        echo "kexec not found: please install kexec-tools" 2>&1
+        exit 1
+      fi
+      SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+      kexec --load ''${SCRIPT_DIR}/bzImage \
+        --initrd=''${SCRIPT_DIR}/initrd.gz \
+        --command-line "init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
+      kexec -e
+    '';
+
+    # A tree containing initrd.gz, bzImage and a kexec-boot script.
+    system.build.kexecTree = pkgs.linkFarm "kexec-tree" [
+      {
+        name = "initrd.gz";
+        path = "${config.system.build.netbootRamdisk}/initrd";
+      }
+      {
+        name = "bzImage";
+        path = "${config.system.build.kernel}/${config.system.boot.loader.kernelFile}";
+      }
+      {
+        name = "kexec-boot";
+        path = config.system.build.kexecScript;
+      }
+    ];
+
     boot.loader.timeout = 10;
 
     boot.postBootCommands =

nixos/modules/services/networking/wg-quick.nix

@@ -10,6 +10,18 @@ let
 
   interfaceOpts = { ... }: {
     options = {
+
+      configFile = mkOption {
+        example = "/secret/wg0.conf";
+        default = null;
+        type = with types; nullOr str;
+        description = ''
+          wg-quick .conf file, describing the interface.
+          This overrides any other configuration interface configuration options.
+          See wg-quick manpage for more details.
+        '';
+      };
+
       address = mkOption {
         example = [ "192.168.2.1/24" ];
         default = [];
@@ -205,7 +217,7 @@ let
   writeScriptFile = name: text: ((pkgs.writeShellScriptBin name text) + "/bin/${name}");
 
   generateUnit = name: values:
-    assert assertMsg ((values.privateKey != null) != (values.privateKeyFile != null)) "Only one of privateKey or privateKeyFile may be set";
+    assert assertMsg (values.configFile != null || ((values.privateKey != null) != (values.privateKeyFile != null))) "Only one of privateKey, configFile or privateKeyFile may be set";
     let
       preUpFile = if values.preUp != "" then writeScriptFile "preUp.sh" values.preUp else null;
       postUp =
@@ -247,7 +259,12 @@ let
           optionalString (peer.allowedIPs != []) "AllowedIPs = ${concatStringsSep "," peer.allowedIPs}\n"
         ) values.peers;
       };
-      configPath = "${configDir}/${name}.conf";
+      configPath =
+        if values.configFile != null then
+          # This uses bind-mounted private tmp folder (/tmp/systemd-private-***)
+          "/tmp/${name}.conf"
+        else
+          "${configDir}/${name}.conf";
     in
     nameValuePair "wg-quick-${name}"
       {
@@ -265,9 +282,17 @@ let
 
         script = ''
           ${optionalString (!config.boot.isContainer) "modprobe wireguard"}
+          ${optionalString (values.configFile != null) ''
+            cp ${values.configFile} ${configPath}
+          ''}
           wg-quick up ${configPath}
         '';
 
+        serviceConfig = {
+          # Used to privately store renamed copies of external config files during activation
+          PrivateTmp = true;
+        };
+
         preStop = ''
           wg-quick down ${configPath}
         '';

nixos/modules/services/networking/wpa_supplicant.nix

@@ -114,7 +114,7 @@ let
 
       script =
       ''
-        ${optionalString configIsGenerated ''
+        ${optionalString (configIsGenerated && !cfg.allowAuxiliaryImperativeNetworks) ''
           if [ -f /etc/wpa_supplicant.conf ]; then
             echo >&2 "<3>/etc/wpa_supplicant.conf present but ignored. Generated ${configFile} is used instead."
           fi

nixos/modules/system/boot/systemd.nix

@@ -8,8 +8,6 @@ let
 
   cfg = config.systemd;
 
-  systemd = cfg.package;
-
   inherit (systemdUtils.lib)
     generateUnits
     targetToUnit
@@ -439,7 +437,7 @@ in
 
     system.build.units = cfg.units;
 
-    system.nssModules = [ systemd.out ];
+    system.nssModules = [ cfg.package.out ];
     system.nssDatabases = {
       hosts = (mkMerge [
         (mkOrder 400 ["mymachines"]) # 400 to ensure it comes before resolve (which is mkBefore'd)
@@ -453,7 +451,7 @@ in
       ]);
     };
 
-    environment.systemPackages = [ systemd ];
+    environment.systemPackages = [ cfg.package ];
 
     environment.etc = let
       # generate contents for /etc/systemd/system-${type} from attrset of links and packages

nixos/release.nix

@@ -151,6 +151,13 @@ in rec {
   # Build the initial ramdisk so Hydra can keep track of its size over time.
   initialRamdisk = buildFromConfig ({ ... }: { }) (config: config.system.build.initialRamdisk);
 
+  kexec = forMatchingSystems supportedSystems (system: (import lib/eval-config.nix {
+    inherit system;
+    modules = [
+      ./modules/installer/netboot/netboot-minimal.nix
+    ];
+  }).config.system.build.kexecTree);
+
   netboot = forMatchingSystems supportedSystems (system: makeNetboot {
     module = ./modules/installer/netboot/netboot-minimal.nix;
     inherit system;

nixos/tests/kernel-generic.nix

@@ -31,6 +31,7 @@ let
       linux_5_10_hardened
       linux_5_15_hardened
       linux_5_17_hardened
+      linux_5_18_hardened
 
       linux_testing;
   };

nixos/tests/kexec.nix

@@ -18,8 +18,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
       virtualisation.vlans = [ ];
       environment.systemPackages = [ pkgs.hello ];
       imports = [
-        "${modulesPath}/installer/kexec/kexec-boot.nix"
-        "${modulesPath}/profiles/minimal.nix"
+        "${modulesPath}/installer/netboot/netboot-minimal.nix"
       ];
     };
   };
@@ -33,14 +32,14 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
     node1.connect()
     node1.wait_for_unit("multi-user.target")
 
-    # Check if the machine with kexec-boot.nix profile boots up
+    # Check if the machine with netboot-minimal.nix profile boots up
     node2.wait_for_unit("multi-user.target")
     node2.shutdown()
 
     # Kexec node1 to the toplevel of node2 via the kexec-boot script
     node1.succeed('touch /run/foo')
     node1.fail('hello')
-    node1.execute('${nodes.node2.config.system.build.kexecBoot}/kexec-boot', check_return=False)
+    node1.execute('${nodes.node2.config.system.build.kexecTree}/kexec-boot', check_return=False)
     node1.succeed('! test -e /run/foo')
     node1.succeed('hello')
     node1.succeed('[ "$(hostname)" = "node2" ]')

pkgs/applications/graphics/krita/default.nix

@@ -1,7 +1,7 @@
 { callPackage, ... } @ args:
 
 callPackage ./generic.nix (args // {
-  version = "5.0.6";
+  version = "5.0.8";
   kde-channel = "stable";
-  sha256 = "sha256:0qhf7vm13v33yk67n7wdcgrqpk7yvajdlkqcp7zhrl2z7qdnvmzd";
+  sha256 = "sha256:7R0fpQc+4MQVDh/enhCTgpgOqU0y5YRShrv/ILa/XkU=";
 })

pkgs/applications/graphics/krita/generic.nix

@@ -54,16 +54,14 @@ mkDerivation rec {
     "-DCMAKE_BUILD_TYPE=RelWithDebInfo"
   ];
 
-  postInstall = ''
-    for i in $out/bin/*; do
-      wrapProgram $i --prefix PYTHONPATH : "$PYTHONPATH"
-    done
+  preInstall = ''
+    qtWrapperArgs+=(--prefix PYTHONPATH : "$PYTHONPATH")
   '';
 
   meta = with lib; {
     description = "A free and open source painting application";
     homepage = "https://krita.org/";
-    maintainers = with maintainers; [ abbradar sifmelcara ];
+    maintainers = with maintainers; [ abbradar sifmelcara nek0 ];
     platforms = platforms.linux;
     license = licenses.gpl3Only;
   };

pkgs/applications/networking/browsers/chromium/upstream-info.json

@@ -45,9 +45,9 @@
     }
   },
   "ungoogled-chromium": {
-    "version": "102.0.5005.61",
-    "sha256": "07vbi3gn9g4n04b2qi2hm34r122snrqaifa46yk3pyh1d79rfdqs",
-    "sha256bin64": "100n8k3d9k5bq58irc36ig6m5m0lxggffyk4crqqqcib2anqd0zv",
+    "version": "102.0.5005.115",
+    "sha256": "1rj7vy824vn513hiivc90lnxvxyi2s0qkdmfqsdssv9v6zjl079h",
+    "sha256bin64": "0b32sscbjnvr98lk962i9k2srckv2s7fp9pifmsv5jlwndjhzm7y",
     "deps": {
       "gn": {
         "version": "2022-04-14",
@@ -56,8 +56,8 @@
         "sha256": "0b5xs0chcv3hfhy71rycsmgxnqbm375a333hwav8929k9cbi5p9h"
       },
       "ungoogled-patches": {
-        "rev": "102.0.5005.61-1",
-        "sha256": "1hlyi6k894blkkqmqsizx72bag2vj6wlpza0fvi8db5wp6i5b58g"
+        "rev": "102.0.5005.115-1",
+        "sha256": "1z2xkxxviggyyksga74cqa4v73gynlgzi22ckg8yv84qxrklik6p"
       }
     }
   }

pkgs/applications/networking/browsers/firefox/common.nix

@@ -87,7 +87,7 @@
 , jackSupport ? stdenv.isLinux, libjack2
 , jemallocSupport ? true, jemalloc
 , ltoSupport ? (stdenv.isLinux && stdenv.is64bit), overrideCC, buildPackages
-, pgoSupport ? (stdenv.isLinux && stdenv.isx86_64 && stdenv.hostPlatform == stdenv.buildPlatform), xvfb-run
+, pgoSupport ? (stdenv.isLinux && stdenv.hostPlatform == stdenv.buildPlatform), xvfb-run
 , pipewireSupport ? waylandSupport && webrtcSupport
 , pulseaudioSupport ? stdenv.isLinux, libpulseaudio
 , sndioSupport ? stdenv.isLinux, sndio

pkgs/applications/networking/instant-messengers/element/element-desktop.nix

@@ -48,9 +48,9 @@ mkYarnPackage rec {
     runHook preBuild
     export HOME=$(mktemp -d)
     pushd deps/element-desktop/
-    npx tsc
+    yarn run build:ts
     yarn run i18n
-    node ./scripts/copy-res.js
+    yarn run build:res
     popd
     rm -rf node_modules/matrix-seshat node_modules/keytar
     ${lib.optionalString useKeytar "ln -s ${keytar} node_modules/keytar"}
@@ -91,11 +91,8 @@ mkYarnPackage rec {
     runHook postInstall
   '';
 
-  # Do not attempt generating a tarball for element-web again.
-  # note: `doDist = false;` does not work.
-  distPhase = ''
-    true
-  '';
+  # Do not attempt generating a tarball for element-desktop again.
+  doDist = false;
 
   # The desktop item properties should be kept in sync with data from upstream:
   # https://github.com/vector-im/element-desktop/blob/develop/package.json

pkgs/applications/networking/instant-messengers/element/element-web-package.json

@@ -0,0 +1,206 @@
+{
+  "name": "element-web",
+  "version": "1.10.13",
+  "description": "A feature-rich client for Matrix.org",
+  "author": "New Vector Ltd.",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/vector-im/element-web"
+  },
+  "license": "Apache-2.0",
+  "files": [
+    "lib",
+    "res",
+    "src",
+    "webpack.config.js",
+    "scripts",
+    "docs",
+    "release.sh",
+    "deploy",
+    "CHANGELOG.md",
+    "CONTRIBUTING.rst",
+    "LICENSE",
+    "README.md",
+    "AUTHORS.rst",
+    "package.json",
+    "contribute.json"
+  ],
+  "style": "bundle.css",
+  "scripts": {
+    "i18n": "matrix-gen-i18n",
+    "prunei18n": "matrix-prune-i18n",
+    "diff-i18n": "cp src/i18n/strings/en_EN.json src/i18n/strings/en_EN_orig.json && matrix-gen-i18n && matrix-compare-i18n-files src/i18n/strings/en_EN_orig.json src/i18n/strings/en_EN.json",
+    "clean": "rimraf lib webapp",
+    "build": "yarn clean && yarn build:genfiles && yarn build:bundle",
+    "build-stats": "yarn clean && yarn build:genfiles && yarn build:bundle-stats",
+    "build:jitsi": "node scripts/build-jitsi.js",
+    "build:res": "node scripts/copy-res.js",
+    "build:genfiles": "yarn build:res && yarn build:jitsi",
+    "build:modernizr": "modernizr -c .modernizr.json -d src/vector/modernizr.js",
+    "build:bundle": "webpack --progress --bail --mode production",
+    "build:bundle-stats": "webpack --progress --bail --mode production --json > webpack-stats.json",
+    "dist": "scripts/package.sh",
+    "start": "concurrently --kill-others-on-fail --prefix \"{time} [{name}]\" -n res,element-js \"yarn start:res\" \"yarn start:js\"",
+    "start:https": "concurrently --kill-others-on-fail --prefix \"{time} [{name}]\" -n res,element-js \"yarn start:res\" \"yarn start:js --https\"",
+    "start:res": "yarn build:jitsi && node scripts/copy-res.js -w",
+    "start:js": "webpack-dev-server --host=0.0.0.0 --output-filename=bundles/_dev_/[name].js --output-chunk-filename=bundles/_dev_/[name].js -w --mode development --disable-host-check --hot",
+    "lint": "yarn lint:types && yarn lint:js && yarn lint:style",
+    "lint:js": "eslint --max-warnings 0 src",
+    "lint:js-fix": "eslint --fix src",
+    "lint:types": "tsc --noEmit --jsx react",
+    "lint:style": "stylelint \"res/css/**/*.scss\"",
+    "test": "jest",
+    "coverage": "yarn test --coverage"
+  },
+  "dependencies": {
+    "@matrix-org/olm": "https://gitlab.matrix.org/api/v4/projects/27/packages/npm/@matrix-org/olm/-/@matrix-org/olm-3.2.8.tgz",
+    "browser-request": "^0.3.3",
+    "gfm.css": "^1.1.2",
+    "jsrsasign": "^10.2.0",
+    "katex": "^0.12.0",
+    "matrix-js-sdk": "18.0.0",
+    "matrix-react-sdk": "3.45.0",
+    "matrix-widget-api": "^0.1.0-beta.18",
+    "prop-types": "^15.7.2",
+    "react": "17.0.2",
+    "react-dom": "17.0.2",
+    "sanitize-html": "^2.3.2",
+    "ua-parser-js": "^0.7.24"
+  },
+  "devDependencies": {
+    "@babel/core": "^7.12.10",
+    "@babel/eslint-parser": "^7.12.10",
+    "@babel/eslint-plugin": "^7.12.10",
+    "@babel/plugin-proposal-class-properties": "^7.12.1",
+    "@babel/plugin-proposal-export-default-from": "^7.12.1",
+    "@babel/plugin-proposal-nullish-coalescing-operator": "^7.12.1",
+    "@babel/plugin-proposal-numeric-separator": "^7.12.7",
+    "@babel/plugin-proposal-object-rest-spread": "^7.12.1",
+    "@babel/plugin-proposal-optional-chaining": "^7.12.7",
+    "@babel/plugin-syntax-dynamic-import": "^7.8.3",
+    "@babel/plugin-transform-runtime": "^7.12.10",
+    "@babel/preset-env": "^7.12.11",
+    "@babel/preset-react": "^7.12.10",
+    "@babel/preset-typescript": "^7.12.7",
+    "@babel/register": "^7.12.10",
+    "@babel/runtime": "^7.12.5",
+    "@principalstudio/html-webpack-inject-preload": "^1.2.7",
+    "@sentry/webpack-plugin": "^1.18.1",
+    "@svgr/webpack": "^5.5.0",
+    "@types/flux": "^3.1.9",
+    "@types/jest": "^27.0.2",
+    "@types/modernizr": "^3.5.3",
+    "@types/node": "^14.14.22",
+    "@types/react": "17.0.14",
+    "@types/react-dom": "17.0.9",
+    "@types/sanitize-html": "^2.3.1",
+    "@types/ua-parser-js": "^0.7.36",
+    "@typescript-eslint/eslint-plugin": "^5.6.0",
+    "@typescript-eslint/parser": "^5.6.0",
+    "allchange": "^1.0.6",
+    "autoprefixer": "^9.8.6",
+    "babel-jest": "^26.6.3",
+    "babel-loader": "^8.2.2",
+    "chokidar": "^3.5.1",
+    "concurrently": "^5.3.0",
+    "cpx": "^1.5.0",
+    "css-loader": "^3.6.0",
+    "dotenv": "^10.0.0",
+    "eslint": "8.9.0",
+    "eslint-config-google": "^0.14.0",
+    "eslint-plugin-import": "^2.25.4",
+    "eslint-plugin-matrix-org": "^0.4.0",
+    "eslint-plugin-react": "^7.28.0",
+    "eslint-plugin-react-hooks": "^4.3.0",
+    "extract-text-webpack-plugin": "^4.0.0-beta.0",
+    "fake-indexeddb": "^3.1.2",
+    "file-loader": "^5.1.0",
+    "fs-extra": "^0.30.0",
+    "html-webpack-plugin": "^4.5.2",
+    "jest": "^26.6.3",
+    "jest-environment-jsdom-sixteen": "^1.0.3",
+    "jest-raw-loader": "^1.0.1",
+    "jest-sonar-reporter": "^2.0.0",
+    "json-loader": "^0.5.7",
+    "loader-utils": "^1.4.0",
+    "matrix-mock-request": "^1.2.3",
+    "matrix-react-test-utils": "^0.2.3",
+    "matrix-web-i18n": "^1.2.0",
+    "mini-css-extract-plugin": "^0.12.0",
+    "minimist": "^1.2.6",
+    "mkdirp": "^1.0.4",
+    "modernizr": "^3.12.0",
+    "node-fetch": "^2.6.7",
+    "optimize-css-assets-webpack-plugin": "^5.0.4",
+    "postcss-easings": "^2.0.0",
+    "postcss-hexrgba": "^2.0.1",
+    "postcss-import": "^12.0.1",
+    "postcss-loader": "^3.0.0",
+    "postcss-mixins": "^6.2.3",
+    "postcss-nested": "^4.2.3",
+    "postcss-preset-env": "^6.7.0",
+    "postcss-scss": "^2.1.1",
+    "postcss-simple-vars": "^5.0.2",
+    "postcss-strip-inline-comments": "^0.1.5",
+    "raw-loader": "^4.0.2",
+    "rimraf": "^3.0.2",
+    "shell-escape": "^0.2.0",
+    "simple-proxy-agent": "^1.1.0",
+    "string-replace-loader": "2",
+    "style-loader": "2",
+    "stylelint": "^13.9.0",
+    "stylelint-config-standard": "^20.0.0",
+    "stylelint-scss": "^3.18.0",
+    "terser-webpack-plugin": "^2.3.8",
+    "typescript": "^4.5.3",
+    "webpack": "^4.46.0",
+    "webpack-cli": "^3.3.12",
+    "webpack-dev-server": "^3.11.2",
+    "worker-loader": "^2.0.0",
+    "worklet-loader": "^2.0.0"
+  },
+  "resolutions": {
+    "@types/react": "17.0.14"
+  },
+  "jest": {
+    "testEnvironment": "jest-environment-jsdom-sixteen",
+    "testMatch": [
+      "<rootDir>/test/**/*-test.[tj]s?(x)"
+    ],
+    "setupFilesAfterEnv": [
+      "<rootDir>/node_modules/matrix-react-sdk/test/setupTests.js"
+    ],
+    "moduleNameMapper": {
+      "\\.(css|scss)$": "<rootDir>/__mocks__/cssMock.js",
+      "\\.(gif|png|ttf|woff2)$": "<rootDir>/node_modules/matrix-react-sdk/__mocks__/imageMock.js",
+      "\\.svg$": "<rootDir>/node_modules/matrix-react-sdk/__mocks__/svg.js",
+      "\\$webapp/i18n/languages.json": "<rootDir>/node_modules/matrix-react-sdk/__mocks__/languages.json",
+      "^browser-request$": "<rootDir>/node_modules/matrix-react-sdk/__mocks__/browser-request.js",
+      "^react$": "<rootDir>/node_modules/react",
+      "^react-dom$": "<rootDir>/node_modules/react-dom",
+      "^matrix-js-sdk$": "<rootDir>/node_modules/matrix-js-sdk/src",
+      "^matrix-react-sdk$": "<rootDir>/node_modules/matrix-react-sdk/src",
+      "decoderWorker\\.min\\.js": "<rootDir>/node_modules/matrix-react-sdk/__mocks__/empty.js",
+      "decoderWorker\\.min\\.wasm": "<rootDir>/node_modules/matrix-react-sdk/__mocks__/empty.js",
+      "waveWorker\\.min\\.js": "<rootDir>/node_modules/matrix-react-sdk/__mocks__/empty.js",
+      "context-filter-polyfill": "<rootDir>/node_modules/matrix-react-sdk/__mocks__/empty.js",
+      "FontManager.ts": "<rootDir>/node_modules/matrix-react-sdk/__mocks__/FontManager.js",
+      "workers/(.+)\\.worker\\.ts": "<rootDir>/node_modules/matrix-react-sdk/__mocks__/workerMock.js",
+      "^!!raw-loader!.*": "jest-raw-loader",
+      "RecorderWorklet": "<rootDir>/node_modules/matrix-react-sdk/__mocks__/empty.js"
+    },
+    "transformIgnorePatterns": [
+      "/node_modules/(?!matrix-js-sdk).+$",
+      "/node_modules/(?!matrix-react-sdk).+$"
+    ],
+    "coverageReporters": [
+      "text-summary",
+      "lcov"
+    ],
+    "testResultsProcessor": "jest-sonar-reporter"
+  },
+  "jestSonar": {
+    "reportPath": "coverage",
+    "sonar56x": true
+  }
+}

pkgs/applications/networking/instant-messengers/element/element-web.nix

@@ -1,4 +1,15 @@
-{ lib, stdenv, fetchurl, writeText, jq, conf ? {} }:
+{ lib
+, mkYarnPackage
+, runCommand
+, fetchFromGitHub
+, fetchYarnDeps
+, writeText
+, jq
+, yarn
+, fixup_yarn_lock
+, nodejs
+, conf ? { }
+}:
 
 let
   pinData = lib.importJSON ./pin.json;
@@ -8,25 +19,61 @@ let
   };
   configOverrides = writeText "element-config-overrides.json" (builtins.toJSON (noPhoningHome // conf));
 
-in stdenv.mkDerivation rec {
+in
+mkYarnPackage rec {
   pname = "element-web";
   inherit (pinData) version;
 
-  src = fetchurl {
-    url = "https://github.com/vector-im/element-web/releases/download/v${version}/element-v${version}.tar.gz";
-    sha256 = pinData.webHash;
+  src = fetchFromGitHub {
+    owner = "vector-im";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = pinData.webSrcHash;
   };
 
+  packageJSON = ./element-web-package.json;
+  # Remove the matrix-analytics-events dependency from the matrix-react-sdk
+  # dependencies list. It doesn't seem to be necessary since we already are
+  # installing it individually, and it causes issues with the offline mode.
+  yarnLock = (runCommand "${pname}-modified-lock" {} ''
+    sed '/matrix-analytics-events "github/d' ${src}/yarn.lock > "$out"
+  '');
+  offlineCache = fetchYarnDeps {
+    inherit yarnLock;
+    sha256 = pinData.webYarnHash;
+  };
+
+  nativeBuildInputs = [ jq ];
+
+  configurePhase = ''
+    runHook preConfigure
+    ln -s $node_modules node_modules
+    runHook postConfigure
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+
+    export VERSION=${version}
+    yarn build:res --offline
+    yarn build:bundle --offline
+
+    runHook postBuild
+  '';
+
   installPhase = ''
     runHook preInstall
 
-    mkdir -p $out/
-    cp -R . $out/
-    ${jq}/bin/jq -s '.[0] * .[1]' "config.sample.json" "${configOverrides}" > "$out/config.json"
+    cp -R webapp $out
+    echo "${version}" > "$out/version"
+    jq -s '.[0] * .[1]' "config.sample.json" "${configOverrides}" > "$out/config.json"
 
     runHook postInstall
   '';
 
+  # Do not attempt generating a tarball for element-web again.
+  doDist = false;
+
   meta = {
     description = "A glossy Matrix collaboration client for the web";
     homepage = "https://element.io/";
@@ -34,6 +81,5 @@ in stdenv.mkDerivation rec {
     maintainers = lib.teams.matrix.members;
     license = lib.licenses.asl20;
     platforms = lib.platforms.all;
-    hydraPlatforms = [];
   };
 }

pkgs/applications/networking/instant-messengers/element/pin.json

@@ -2,5 +2,6 @@
   "version": "1.10.13",
   "desktopSrcHash": "tTvpjSIipvmJIfZF1RiRtlDjsKJYHoPQ6XSqI8TGH14=",
   "desktopYarnHash": "105bphn4ga4f0n60cvrlppf8wim2c1qy09g8arraadcxymds98n6",
-  "webHash": "1zxjlzlxh2gbswa1063zbw6ahwlcnvyqkvbwj92vk873c3g8ba72"
+  "webSrcHash": "+imju7ojpjttmOeDnA2L4QdBi1zzfRBoUdMMTA4Lba0=",
+  "webYarnHash": "19b1w2mrcn3mzw40d023wx1jxvr0jacn2ryzxlh7zsyj8w0v1dv7"
 }

pkgs/applications/networking/instant-messengers/element/update.sh

@@ -18,17 +18,29 @@ fi
 # strip leading "v"
 version="${version#v}"
 
-desktop_src="https://raw.githubusercontent.com/vector-im/element-desktop/v$version"
+# Element Web
+web_src="https://raw.githubusercontent.com/vector-im/element-web/v$version"
+web_src_hash=$(nix-prefetch-github vector-im element-web --rev v${version} | jq -r .sha256)
+wget "$web_src/package.json" -O element-web-package.json
+
+web_tmpdir=$(mktemp -d)
+trap 'rm -rf "$web_tmpdir"' EXIT
+
+pushd $web_tmpdir
+wget "$web_src/yarn.lock"
+sed -i '/matrix-analytics-events "github/d' yarn.lock
+web_yarn_hash=$(prefetch-yarn-deps yarn.lock)
+popd
 
+# Element Desktop
+desktop_src="https://raw.githubusercontent.com/vector-im/element-desktop/v$version"
 desktop_src_hash=$(nix-prefetch-github vector-im element-desktop --rev v${version} | jq -r .sha256)
-web_hash=$(nix-prefetch-url "https://github.com/vector-im/element-web/releases/download/v$version/element-v$version.tar.gz")
-
 wget "$desktop_src/package.json" -O element-desktop-package.json
 
-tmpdir=$(mktemp -d)
-trap 'rm -rf "$tmpdir"' EXIT
+desktop_tmpdir=$(mktemp -d)
+trap 'rm -rf "$desktop_tmpdir"' EXIT
 
-pushd $tmpdir
+pushd $desktop_tmpdir
 wget "$desktop_src/yarn.lock"
 desktop_yarn_hash=$(prefetch-yarn-deps yarn.lock)
 popd
@@ -38,6 +50,7 @@ cat > pin.json << EOF
   "version": "$version",
   "desktopSrcHash": "$desktop_src_hash",
   "desktopYarnHash": "$desktop_yarn_hash",
-  "webHash": "$web_hash"
+  "webSrcHash": "$web_src_hash",
+  "webYarnHash": "$web_yarn_hash"
 }
 EOF

pkgs/applications/office/gtg/default.nix

@@ -7,33 +7,27 @@
 , gtk3
 , wrapGAppsHook
 , glib
+, gtksourceview4
 , itstool
 , gettext
 , pango
 , gdk-pixbuf
+, libsecret
 , gobject-introspection
 , xvfb-run
 }:
 
 python3Packages.buildPythonApplication rec {
   pname = "gtg";
-  version = "0.5";
+  version = "0.6";
 
   src = fetchFromGitHub {
     owner = "getting-things-gnome";
     repo = "gtg";
     rev = "v${version}";
-    sha256 = "0b2slm7kjq6q8c7v4m7aqc8m1ynjxn3bl7445srpv1xc0dilq403";
+    sha256 = "sha256-O8qBD92P2g8QrBdMXa6j0Ozk+W80Ny5yk0KNTy7ekfE=";
   };
 
-  patches = [
-    # fix build with meson 0.60 (https://github.com/getting-things-gnome/gtg/pull/729)
-    (fetchpatch {
-      url = "https://github.com/getting-things-gnome/gtg/commit/1809d10663ae3d8f69c04138b66f9b4e66ee14f6.patch";
-      sha256 = "sha256-bYr5PAsuvcSqTf0vaJj2APtuBrwHdhXJxtXoAb7CfGk=";
-    })
-  ];
-
   nativeBuildInputs = [
     meson
     ninja
@@ -46,8 +40,10 @@ python3Packages.buildPythonApplication rec {
   buildInputs = [
     glib
     gtk3
+    gtksourceview4
     pango
     gdk-pixbuf
+    libsecret
   ];
 
   propagatedBuildInputs = with python3Packages; [
@@ -56,12 +52,14 @@ python3Packages.buildPythonApplication rec {
     lxml
     gst-python
     liblarch
+    caldav
   ];
 
   checkInputs = with python3Packages; [
     nose
     mock
     xvfb-run
+    pytest
   ];
 
   preBuild = ''
@@ -71,7 +69,7 @@ python3Packages.buildPythonApplication rec {
   format = "other";
   strictDeps = false; # gobject-introspection does not run with strictDeps (https://github.com/NixOS/nixpkgs/issues/56943)
 
-  checkPhase = "xvfb-run python3 ../run-tests";
+  checkPhase = "xvfb-run pytest ../tests/";
 
   meta = with lib; {
     description = " A personal tasks and TODO-list items organizer";

pkgs/applications/office/micropad/default.nix

@@ -72,10 +72,7 @@ in
     '';
 
     # Do not attempt generating a tarball for micropad again.
-    # note: `doDist = false;` does not work.
-    distPhase = ''
-      true
-    '';
+    doDist = false;
 
     # The desktop item properties should be kept in sync with data from upstream:
     # https://github.com/MicroPad/MicroPad-Electron/blob/master/package.json

pkgs/applications/version-management/git-and-tools/lefthook/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "lefthook";
-  version = "0.7.7";
+  version = "0.8.0";
 
   src = fetchFromGitHub {
     rev = "v${version}";
     owner = "evilmartians";
     repo = "lefthook";
-    sha256 = "sha256-XyuXegCTJSW4uO6fEaRKq/jZnE+JbrxZw0kcDvhpsVo=";
+    sha256 = "sha256-ahkTxuBjMbvBzPuLtW7AhM2OUtL9Rw+ZqgnGGTkeCQQ=";
   };
 
   vendorSha256 = "sha256-Rp67FnFU27u85t02MIs7wZQoOa8oGsHVVPQ9OdIyTJg=";

pkgs/applications/video/kodi/addons/urllib3/default.nix

@@ -1,19 +1,23 @@
-{ lib, buildKodiAddon, fetchzip, addonUpdateScript }:
+{ lib, buildKodiAddon, fetchFromGitHub, addonUpdateScript }:
+
 buildKodiAddon rec {
   pname = "urllib3";
   namespace = "script.module.urllib3";
-  version = "1.26.4+matrix.1";
+  version = "1.26.8+matrix.1";
 
-  src = fetchzip {
-    url = "https://mirrors.kodi.tv/addons/matrix/${namespace}/${namespace}-${version}.zip";
-    sha256 = "1d2k6gbsnhdadcl1xc7igz4m71z2fcnpln5ppfjv455cmkk110vf";
+  # temporarily fetching from a PR because of CVE-2021-33503
+  # see https://github.com/xbmc/repo-scripts/pull/2193 for details
+  src = fetchFromGitHub {
+    owner = "xbmc";
+    repo = "repo-scripts";
+    rev = "f0bfacab4732e33c5669bedd1a86319fa9e38338";
+    sha256 = "sha256-UEMLrIvuuPARGHMsz6dOZrOuHIYVSpi0gBy2lK1Y2sk=";
   };
 
+  sourceRoot = "source/script.module.urllib3";
+
   passthru = {
     pythonPath = "lib";
-    updateScript = addonUpdateScript {
-      attrPath = "kodi.packages.urllib3";
-    };
   };
 
   meta = with lib; {

pkgs/desktops/xfce/core/exo/default.nix

@@ -4,9 +4,9 @@
 mkXfceDerivation {
   category = "xfce";
   pname = "exo";
-  version = "4.16.3";
+  version = "4.16.4";
 
-  sha256 = "sha256-PG3GWpZ04sX4HrgAy2Sqcb+vdhiNk7C3YP7KpwgHj+g=";
+  sha256 = "sha256-/BKgQYmDaiptzlTTFqDm2aHykTCHm4MIvWnjxKYi6Es=";
 
   nativeBuildInputs = [
     libxslt

pkgs/development/interpreters/clojure/default.nix

@@ -2,12 +2,12 @@
 
 stdenv.mkDerivation rec {
   pname = "clojure";
-  version = "1.11.1.1119";
+  version = "1.11.1.1124";
 
   src = fetchurl {
     # https://clojure.org/releases/tools
     url = "https://download.clojure.org/install/clojure-tools-${version}.tar.gz";
-    sha256 = "sha256-DPFLExCMWheI5IIa8aNz/ZggftJpxgOUIOYZZKBdvIc=";
+    sha256 = "sha256-QucUcLCzLPe/OpVyI8++Z+RFukNNRQ39imBaxZuH324=";
   };
 
   nativeBuildInputs = [

pkgs/development/libraries/catch2/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "catch2";
-  version = "2.13.8";
+  version = "2.13.9";
 
   src = fetchFromGitHub {
     owner = "catchorg";
     repo = "Catch2";
     rev = "v${version}";
-    sha256="sha256-jOA2TxDgaJUJ2Jn7dVGZUbjmphTDuVZahzSaxfJpRqE=";
+    sha256="sha256-G6rMTHvrBJbUaTNkR738YClAn2v2xVBr+tXLjpNzVZg=";
   };
 
   nativeBuildInputs = [ cmake ];

pkgs/development/libraries/libdigidocpp/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, fetchpatch, cmake, makeWrapper, minizip, pcsclite, opensc, openssl
+{ lib, stdenv, fetchurl, fetchpatch, cmake, minizip, pcsclite, opensc, openssl
 , xercesc, xml-security-c, pkg-config, xsd, zlib, xalanc, xxd }:
 
 stdenv.mkDerivation rec {
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec {
     })
   ];
 
-  nativeBuildInputs = [ cmake makeWrapper pkg-config xxd ];
+  nativeBuildInputs = [ cmake pkg-config xxd ];
 
   buildInputs = [
     minizip pcsclite opensc openssl xercesc
@@ -31,11 +31,11 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "lib" "dev" "bin" ];
 
-  # replace this hack with a proper cmake variable or environment variable
-  # once https://github.com/open-eid/cmake/pull/34 (or #35) gets merged.
-  postInstall = ''
-    wrapProgram $bin/bin/digidoc-tool \
-      --prefix LD_LIBRARY_PATH : ${opensc}/lib/pkcs11/
+  # libdigidocpp.so's `PKCS11Signer::PKCS11Signer()` dlopen()s "opensc-pkcs11.so"
+  # itself, so add OpenSC to its DT_RUNPATH after the fixupPhase shrinked it.
+  # https://github.com/open-eid/cmake/pull/35 might be an alternative.
+  postFixup = ''
+    patchelf --add-rpath ${opensc}/lib/pkcs11 $lib/lib/libdigidocpp.so
   '';
 
   meta = with lib; {

pkgs/development/python-modules/afdko/default.nix

@@ -81,8 +81,8 @@ buildPythonPackage rec {
     "test_filename_without_dir"
     "test_overwrite"
     "test_options"
-  ] ++ lib.optionals (stdenv.hostPlatform.isAarch64 || stdenv.hostPlatform.isRiscV) [
-    # aarch64-only (?) failure, unknown reason so far
+  ] ++ lib.optionals (stdenv.hostPlatform.isAarch32 || stdenv.hostPlatform.isAarch64 || stdenv.hostPlatform.isRiscV) [
+    # unknown reason so far
     # https://github.com/adobe-type-tools/afdko/issues/1425
     "test_spec"
   ] ++ lib.optionals (stdenv.hostPlatform.isi686) [

pkgs/development/python-modules/aioskybell/default.nix

@@ -11,7 +11,7 @@
 
 buildPythonPackage rec {
   pname = "aioskybell";
-  version = "22.6.0";
+  version = "22.6.1";
   format = "setuptools";
 
   disabled = pythonOlder "3.9";
@@ -19,8 +19,8 @@ buildPythonPackage rec {
   src = fetchFromGitHub {
     owner = "tkdrob";
     repo = pname;
-    rev = version;
-    hash = "sha256-2AsEVGZ4cA1GeoxtGFuvjZ05W4FjQ5GFSM8euu9iY4s==";
+    rev = "refs/tags/${version}";
+    hash = "sha256-VaG8r4ULbjI7LkIPCit3bILZgOi9k7ddRQXwVzplaCM=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/asf-search/default.nix

@@ -1,21 +1,57 @@
-{ lib, buildPythonPackage, fetchFromGitHub, pytz, shapely, importlib-metadata, requests, python-dateutil }:
+{ lib
+, buildPythonPackage
+, dateparser
+, fetchFromGitHub
+, importlib-metadata
+, numpy
+, pytestCheckHook
+, python-dateutil
+, pythonOlder
+, pytz
+, requests
+, requests-mock
+, shapely
+, wktutils
+}:
 
 buildPythonPackage rec {
-  pname = "asf_search";
-  version = "3.0.6";
+  pname = "asf-search";
+  version = "3.2.2";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "asfadmin";
     repo = "Discovery-asf_search";
-    rev = "v${version}";
-    sha256 = "1jzah2l1db1p2mv59w9qf0x3a9hk6s5rzy0jnp2smsddvyxfwcyn";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-9fJp4P2cD11ppU80Av/aJOcqpaBwuYgdWWBTMo/HCeo=";
   };
 
-  propagatedBuildInputs = [ pytz shapely importlib-metadata requests python-dateutil ];
+  propagatedBuildInputs = [
+    dateparser
+    importlib-metadata
+    numpy
+    python-dateutil
+    pytz
+    requests
+    shapely
+    wktutils
+  ];
+
+  checkInputs = [
+    pytestCheckHook
+    requests-mock
+  ];
 
-  doCheck = false;
+  postPatch = ''
+    substituteInPlace setup.py \
+      --replace "WKTUtils==" "WKTUtils>="
+  '';
 
-  pythonImportsCheck = [ "asf_search" ];
+  pythonImportsCheck = [
+    "asf_search"
+  ];
 
   meta = with lib; {
     description = "Python wrapper for the ASF SearchAPI";

pkgs/development/python-modules/asks/default.nix

@@ -0,0 +1,50 @@
+{ lib
+, buildPythonPackage
+, pythonOlder
+, fetchFromGitHub
+, anyio
+, async_generator
+, h11
+, curio
+, overly
+, pytestCheckHook
+, trio
+}:
+
+buildPythonPackage rec {
+  pname = "asks";
+  version = "3.0.0";
+
+  disabled = pythonOlder "3.6";
+
+  format = "setuptools";
+
+  src = fetchFromGitHub {
+    owner = "theelous3";
+    repo = "asks";
+    rev = "v${version}";
+    hash = "sha256-ipQ5n2386DqR3kNpmTVhNPG+LC7gfCbvrlZ97+UP55g=";
+  };
+
+  propagatedBuildInputs = [
+    anyio
+    async_generator
+    h11
+  ];
+
+  checkInputs = [
+    curio
+    overly
+    pytestCheckHook
+    trio
+  ];
+
+  pythonImportsCheck = [ "asks" ];
+
+  meta = {
+    description = "Async requests-like HTTP library for Python";
+    homepage = "https://github.com/theelous3/asks";
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ dotlambda ];
+  };
+}

pkgs/development/python-modules/browser-cookie3/default.nix

@@ -12,14 +12,14 @@
 
 buildPythonPackage rec {
   pname = "browser-cookie3";
-  version = "0.14.2";
+  version = "0.14.3";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-YR5NcDmbLlnhxcDuyM6hjjuL/Ozw79ytbCF4/nmSZmQ=";
+    hash = "sha256-Ch8ho4T3R9qwQiaP+n5Q21x62Ip3ibtqDJIDnobbh5c=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/cyclonedx-python-lib/default.nix

@@ -9,6 +9,7 @@
 , python
 , pythonOlder
 , requirements-parser
+, sortedcontainers
 , setuptools
 , toml
 , types-setuptools
@@ -18,7 +19,7 @@
 
 buildPythonPackage rec {
   pname = "cyclonedx-python-lib";
-  version = "2.4.0";
+  version = "2.5.1";
   format = "pyproject";
 
   disabled = pythonOlder "3.9";
@@ -27,7 +28,7 @@ buildPythonPackage rec {
     owner = "CycloneDX";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-IrMXHWeksEmON3LxJvQ3WSKwQTY0aRZ8XItWMr3p4gw=";
+    hash = "sha256-w/av9U42fC4g7NUw7PSW+K822klH4e1xYFPh7I4jrRA=";
   };
 
   nativeBuildInputs = [
@@ -39,6 +40,7 @@ buildPythonPackage rec {
     packageurl-python
     requirements-parser
     setuptools
+    sortedcontainers
     toml
     types-setuptools
     types-toml

pkgs/development/python-modules/dogpile-cache/default.nix

@@ -11,13 +11,13 @@
 
 buildPythonPackage rec {
   pname = "dogpile-cache";
-  version = "1.1.5";
+  version = "1.1.6";
   disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     pname = "dogpile.cache";
     inherit version;
-    sha256 = "0f01bdc329329a8289af9705ff40fadb1f82a28c336f3174e12142b70d31c756";
+    sha256 = "sha256-7tweMn5myT8MFah0BWmrdO89iSkELxCPmP3tnjX6/1U=";
   };
 
   preCheck = ''

pkgs/development/python-modules/entrypoint2/default.nix

@@ -1,17 +1,33 @@
-{ lib, buildPythonPackage, fetchPypi, EasyProcess, path, pytestCheckHook }:
+{ lib
+, buildPythonPackage
+, fetchPypi
+, EasyProcess
+, path
+, pytestCheckHook
+, pythonOlder
+}:
 
 buildPythonPackage rec {
   pname = "entrypoint2";
-  version = "1.0";
+  version = "1.1";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-Z+kG9q2VjYP0i07ewo192CZw6SYZiPa0prY6vJ+zvlY=";
+    hash = "sha256-/At/57IazatHpYWrlAfKflxPlstoiFddtrDOuR8OEFo=";
   };
 
-  pythonImportsCheck = [ "entrypoint2" ];
+  checkInputs = [
+    EasyProcess
+    path
+    pytestCheckHook
+  ];
 
-  checkInputs = [ EasyProcess path pytestCheckHook ];
+  pythonImportsCheck = [
+    "entrypoint2"
+  ];
 
   meta = with lib; {
     description = "Easy to use command-line interface for python modules";

pkgs/development/python-modules/greeclimate/default.nix

@@ -11,7 +11,7 @@
 
 buildPythonPackage rec {
   pname = "greeclimate";
-  version = "1.2.0";
+  version = "1.2.1";
   format = "setuptools";
 
   disabled = pythonOlder "3.6";
@@ -20,7 +20,7 @@ buildPythonPackage rec {
     owner = "cmroche";
     repo = "greeclimate";
     rev = "refs/tags/v${version}";
-    hash = "sha256-DRVCBbGj0NfQBn9qNRc0Gu3LNO6KDNF1/ZdSAuhCVsM=";
+    hash = "sha256-SvAvLxWk/IIlkv54cUVN6FXj9rrM0QPKHAk36+PuqP0=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/kml2geojson/default.nix

@@ -0,0 +1,46 @@
+{ lib
+, buildPythonPackage
+, poetry-core
+, fetchFromGitHub
+, pytestCheckHook
+, pythonOlder
+, click
+}:
+
+buildPythonPackage rec {
+  pname = "kml2geojson";
+  version = "5.1.0";
+  format = "pyproject";
+
+  disabled = pythonOlder "3.8";
+
+  src = fetchFromGitHub {
+    owner = "mrcagney";
+    repo = pname;
+    rev = version;
+    hash = "sha256-iJEcXpvy+Y3MkxAF2Q1Tkcx8GxUVjeVzv6gl134zdiI=";
+  };
+
+  nativeBuildInputs = [
+    poetry-core
+  ];
+
+  propagatedBuildInputs = [
+    click
+  ];
+
+  checkInputs = [
+    pytestCheckHook
+  ];
+
+  pythonImportsCheck = [
+    "kml2geojson"
+  ];
+
+  meta = with lib; {
+    description = "Library to convert KML to GeoJSON";
+    homepage = "https://github.com/mrcagney/kml2geojson";
+    license = licenses.mit;
+    maintainers = with maintainers; [ fab ];
+  };
+}

pkgs/development/python-modules/mkdocs-material/default.nix

@@ -13,7 +13,7 @@
 
 buildPythonApplication rec {
   pname = "mkdocs-material";
-  version = "8.3.3";
+  version = "8.3.4";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -22,7 +22,7 @@ buildPythonApplication rec {
     owner = "squidfunk";
     repo = pname;
     rev = "refs/tags/${version}";
-    hash = "sha256-4rJ1fKYIQli4j6x1/xipQeCXMfbILyroxrwbpcPGYiU=";
+    hash = "sha256-UQGszU1ICundexXSHMdDm15FjlnzK1ifuRn2M5fp1sA=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/nextcord/default.nix

@@ -16,7 +16,7 @@
 
 buildPythonPackage rec {
   pname = "nextcord";
-  version = "2.0.0b2";
+  version = "2.0.0b3";
 
   format = "setuptools";
 
@@ -26,7 +26,7 @@ buildPythonPackage rec {
     owner = "nextcord";
     repo = "nextcord";
     rev = version;
-    hash = "sha256-yp24eOmwdi5X2Y20jqq88CDFvmc6P5omOsSWFr2MWGI=";
+    hash = "sha256-ygRbgL+px93Gx0Sv6d5AX+0CPYoOc2V1rnuViRa4Zy0=";
   };
 
   patches = [

pkgs/development/python-modules/overly/default.nix

@@ -0,0 +1,40 @@
+{ lib
+, stdenv
+, buildPythonPackage
+, pythonOlder
+, fetchPypi
+, h11
+, sansio-multipart
+}:
+
+buildPythonPackage rec {
+  pname = "overly";
+  version = "0.1.85";
+
+  disabled = pythonOlder "3.6";
+
+  format = "setuptools";
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "20a99526c7859acc859e87afd97b5c4916405e7477834f727b49210e478370cb";
+  };
+
+  propagatedBuildInputs = [
+    h11
+    sansio-multipart
+  ];
+
+  # upstream has no tests
+  doCheck = false;
+
+  pythonImportsCheck = [ "overly" ];
+
+  meta = {
+    description = "An overly configurable http server for client testing";
+    homepage = "https://github.com/theelous3/overly";
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ dotlambda ];
+    broken = stdenv.isDarwin;  # https://github.com/theelous3/overly/issues/2
+  };
+}

pkgs/development/python-modules/peaqevcore/default.nix

@@ -6,14 +6,14 @@
 
 buildPythonPackage rec {
   pname = "peaqevcore";
-  version = "0.4.2";
+  version = "0.4.7";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-s7vJ4rAOQPZBhCA8Q+ZJl6RBTBmP90XA9c6B/xwoHU0=";
+    hash = "sha256-DEK8vOWHv+O6zpzluUkhozsihhM9Ad2lOCEf4YnT+Yk=";
   };
 
   postPatch = ''

pkgs/development/python-modules/plugwise/default.nix

@@ -21,7 +21,7 @@
 
 buildPythonPackage rec {
   pname = "plugwise";
-  version = "0.19.0";
+  version = "0.19.1";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -30,7 +30,7 @@ buildPythonPackage rec {
     owner = pname;
     repo = "python-plugwise";
     rev = "refs/tags/v${version}";
-    sha256 = "sha256-ST7eC7IXW47b1AlX25ubUPTi6Hkcjd+7L0tzht3fz9s=";
+    sha256 = "sha256-eytv61aTGL6rTLHfZD9Tsl9FycdExo+TGsVBCNu1fIo=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/pulumi-aws/default.nix

@@ -12,7 +12,7 @@
 buildPythonPackage rec {
   pname = "pulumi-aws";
   # Version is independant of pulumi's.
-  version = "5.7.2";
+  version = "5.8.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -21,7 +21,7 @@ buildPythonPackage rec {
     owner = "pulumi";
     repo = "pulumi-aws";
     rev = "refs/tags/v${version}";
-    hash = "sha256-oy2TBxE9zDbRc6cSml4nwibAAEq3anWngoxj6h4sYbU=";
+    hash = "sha256-exMPHz5sq6AW3hyv+pl66RmHR4nEBIeDu7NPPyH1mig=";
   };
 
   sourceRoot = "${src.name}/sdk/python";

pkgs/development/python-modules/py-sneakers/default.nix

@@ -0,0 +1,32 @@
+{ lib
+, buildPythonPackage
+, fetchPypi
+, pythonOlder
+}:
+
+buildPythonPackage rec {
+  pname = "py-sneakers";
+  version = "1.0.1";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-bIhkYTzRe4uM0kbNhbDTr6TiaOEBSiCSkPJKKCivDZY=";
+  };
+
+  # Module has no tests
+  doCheck = false;
+
+  pythonImportsCheck = [
+    "py_sneakers"
+  ];
+
+  meta = with lib; {
+    description = "Library to emulate the Sneakers movie effect";
+    homepage = "https://github.com/aenima-x/py-sneakers";
+    license = licenses.mit;
+    maintainers = with maintainers; [ fab ];
+  };
+}

pkgs/development/python-modules/pydal/default.nix

@@ -6,12 +6,12 @@
 
 buildPythonPackage rec {
   pname = "pydal";
-  version = "20220213.2";
+  version = "20220609.1";
   format = "setuptools";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-7DBLcHSEkoT8wV6824TGWRLi9vK2t+r1RwwWmRBYD9I=";
+    sha256 = "sha256-c9cWdQ+V1Phw1cfe5MUif2edXIrFQaDZC9qGBDevedI=";
   };
 
   postPatch = ''

pkgs/development/python-modules/pyhiveapi/default.nix

@@ -14,7 +14,7 @@
 
 buildPythonPackage rec {
   pname = "pyhiveapi";
-  version = "0.5.9";
+  version = "0.5.10";
 
   format = "pyproject";
 
@@ -23,8 +23,8 @@ buildPythonPackage rec {
   src = fetchFromGitHub {
     owner = "Pyhass";
     repo = "Pyhiveapi";
-    rev = "v${version}";
-    hash = "sha256-bJ9PI16m8JiXbhhNWtSJwwE+GRUbnSiCrcVhxnVeqQY=";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-WhUZP6g9KVWIB6QYPDX1X5JQ9ymVX3wR3kzMtTEjEfs=";
   };
 
   postPatch = ''

pkgs/development/python-modules/pytest-annotate/default.nix

@@ -8,12 +8,12 @@
 
 buildPythonPackage rec {
   pname = "pytest-annotate";
-  version = "1.0.4";
+  version = "1.0.5";
   format = "setuptools";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "d0da4c3d872a7d5796ac85016caa1da38ae902bebdc759e1b6c0f6f8b5802741";
+    sha256 = "09269320f8d218728247436f7ade96f33cf3fe85840b40632142d9f8968c1fd0";
   };
 
   buildInputs = [

pkgs/development/python-modules/pyvesync/default.nix

@@ -7,14 +7,14 @@
 
 buildPythonPackage rec {
   pname = "pyvesync";
-  version = "2.0.3";
+  version = "2.0.4";
   format = "setuptools";
 
   disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-/hPDCqTeqEzxfqv8B5wdDzmzzNuXYqOVHX32N/J6nmU=";
+    sha256 = "sha256-1Svz/9ZS5ynr88/We1fa+H1IGdC5ljUa4M5O8X+muX4=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/rmcl/default.nix

@@ -0,0 +1,50 @@
+{ lib
+, buildPythonPackage
+, pythonOlder
+, fetchPypi
+, poetry-core
+, asks
+, trio
+, xdg
+}:
+
+buildPythonPackage rec {
+  pname = "rmcl";
+  version = "0.4.2";
+
+  disabled = pythonOlder "3.7";
+
+  format = "pyproject";
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "58de4758e7e3cb7acbf28fcfa80f4155252afdfb191beb4ba4aa36961f66cc67";
+  };
+
+  postPatch = ''
+    substituteInPlace pyproject.toml \
+      --replace '= "^' '= ">='
+  '';
+
+  nativeBuildInputs = [
+    poetry-core
+  ];
+
+  propagatedBuildInputs = [
+    asks
+    trio
+    xdg
+  ];
+
+  # upstream has no tests
+  doCheck = false;
+
+  pythonImportsCheck = [ "rmcl" ];
+
+  meta = {
+    description = "ReMarkable Cloud Library";
+    homepage = "https://github.com/rschroll/rmcl";
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ dotlambda ];
+  };
+}

pkgs/development/python-modules/rmrl/default.nix

@@ -0,0 +1,47 @@
+{ lib
+, buildPythonPackage
+, pythonOlder
+, fetchPypi
+, poetry-core
+, pdfrw
+, reportlab
+, svglib
+, xdg
+}:
+
+buildPythonPackage rec {
+  pname = "rmrl";
+  version = "0.2.1";
+
+  disabled = pythonOlder "3.7";
+
+  format = "pyproject";
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "c532bef4168350e6ab17cf37c6481dc12b6a78e007c073503f082f36215b71c9";
+  };
+
+  nativeBuildInputs = [
+    poetry-core
+  ];
+
+  propagatedBuildInputs = [
+    pdfrw
+    reportlab
+    svglib
+    xdg
+  ];
+
+  # upstream has no tests
+  doCheck = false;
+
+  pythonImportsCheck = [ "rmrl" ];
+
+  meta = {
+    description = "Render reMarkable documents to PDF";
+    homepage = "https://github.com/rschroll/rmrl";
+    license = lib.licenses.gpl3Plus;
+    maintainers = with lib.maintainers; [ dotlambda ];
+  };
+}

pkgs/development/python-modules/sansio-multipart/default.nix

@@ -0,0 +1,32 @@
+{ lib
+, buildPythonPackage
+, isPy27
+, fetchPypi
+}:
+
+buildPythonPackage rec {
+  pname = "sansio-multipart";
+  version = "0.3";
+
+  disabled = isPy27;
+
+  format = "setuptools";
+
+  src = fetchPypi {
+    pname = "sansio_multipart";
+    inherit version;
+    sha256 = "6e95b2e64039a95d0f2cd8f3360eaf418d6b9018fb2215d82d399d62d6122dc3";
+  };
+
+  # upstream has no tests
+  doCheck = false;
+
+  pythonImportsCheck = [ "sansio_multipart" ];
+
+  meta = {
+    description = "Parser for multipart/form-data";
+    homepage = "https://github.com/theelous3/sansio-multipart-parser";
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ dotlambda ];
+  };
+}

pkgs/development/python-modules/svglib/default.nix

@@ -1,11 +1,11 @@
 { lib
 , buildPythonPackage
+, pythonOlder
 , fetchPypi
-, isPy3k
 , cssselect2
 , lxml
 , pillow
-, pytest
+, pytestCheckHook
 , reportlab
 , tinycss2
 }:
@@ -14,13 +14,15 @@ buildPythonPackage rec {
   pname = "svglib";
   version = "1.3.0";
 
+  disabled = pythonOlder "3.7";
+
+  format = "setuptools";
+
   src = fetchPypi {
     inherit pname version;
     sha256 = "sha256-o4mYuV0buZVk3J3/rxXk6UU3YfJ5DS3UFHpK1fusEHg=";
   };
 
-  disabled = !isPy3k;
-
   propagatedBuildInputs = [
     cssselect2
     lxml
@@ -30,14 +32,16 @@ buildPythonPackage rec {
   ];
 
   checkInputs = [
-    pytest
+    pytestCheckHook
   ];
 
   # Ignore tests that require network access (TestWikipediaFlags and TestW3CSVG), and tests that
   # require files missing in the 1.0.0 PyPI release (TestOtherFiles).
-  checkPhase = ''
-    py.test svglib tests -k 'not TestWikipediaFlags and not TestW3CSVG and not TestOtherFiles'
-  '';
+  pytestFlagsArray = [
+    "-k 'not TestWikipediaFlags and not TestW3CSVG and not TestOtherFiles'"
+  ];
+
+  pythonImportsCheck = [ "svglib.svglib" ];
 
   meta = with lib; {
     homepage = "https://github.com/deeplook/svglib";

pkgs/development/python-modules/transformers/default.nix

@@ -24,7 +24,7 @@
 
 buildPythonPackage rec {
   pname = "transformers";
-  version = "4.19.3";
+  version = "4.19.4";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -33,7 +33,7 @@ buildPythonPackage rec {
     owner = "huggingface";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-kXgxIjU5L4YYCqHGvhqjX4YZ3VKNLYIxIKqT1Nmv/GU=";
+    hash = "sha256-MxP87tmRsjAOkTkJ7VmlUjG4RE3mh/wF76TZQE/UOoQ=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/uvloop/default.nix

@@ -46,7 +46,7 @@ buildPythonPackage rec {
     "--assert=plain"
     "--strict"
     "--tb=native"
-  ] ++ lib.optionals (stdenv.isAarch64) [
+  ] ++ lib.optionals (stdenv.isAarch32 || stdenv.isAarch64) [
     # test gets stuck in epoll_pwait on hydras aarch64 builders
     # https://github.com/MagicStack/uvloop/issues/412
     "--deselect" "tests/test_tcp.py::Test_AIO_TCPSSL::test_remote_shutdown_receives_trailing_data"

pkgs/development/python-modules/wktutils/default.nix

@@ -0,0 +1,66 @@
+{ lib
+, buildPythonPackage
+, dateparser
+, defusedxml
+, fetchFromGitHub
+, fiona
+, geomet
+, geopandas
+, kml2geojson
+, pyshp
+, pythonOlder
+, pyyaml
+, regex
+, requests
+, shapely
+, scikit-learn
+}:
+
+buildPythonPackage rec {
+  pname = "wktutils";
+  version = "1.1.4";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
+
+  src = fetchFromGitHub {
+    owner = "asfadmin";
+    repo = "Discovery-WKTUtils";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-/gcMnZ+wWflbvLlyfIaEoSYaLrsosMyD60ei/5Iis6E=";
+  };
+
+  propagatedBuildInputs = [
+    dateparser
+    defusedxml
+    fiona
+    geomet
+    geopandas
+    kml2geojson
+    pyshp
+    pyyaml
+    regex
+    requests
+    shapely
+    scikit-learn
+  ];
+
+  postPatch = ''
+    substituteInPlace setup.py \
+      --replace "sklearn" "scikit-learn"
+  '';
+
+  # Module doesn't have tests
+  doCheck = false;
+
+  pythonImportsCheck = [
+    "WKTUtils"
+  ];
+
+  meta = with lib; {
+    description = "Collection of tools for handling WKTs";
+    homepage = "https://github.com/asfadmin/Discovery-WKTUtils";
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ fab ];
+  };
+}

pkgs/development/python-modules/xmlschema/default.nix

@@ -9,7 +9,7 @@
 
 buildPythonPackage rec {
   pname = "xmlschema";
-  version = "1.11.1";
+  version = "1.11.2";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -18,7 +18,7 @@ buildPythonPackage rec {
     owner = "sissaschool";
     repo = "xmlschema";
     rev = "refs/tags/v${version}";
-    hash = "sha256-ccbVYvQBM4U8wgNXlgi5qYxUZHpajWs/eVXbCFdG5bU=";
+    hash = "sha256-coQbO5XrFjU9rAN5Vw/BlMHpkQzQy6t0dNfFsMeO2+o=";
   };
 
   propagatedBuildInputs = [

pkgs/development/tools/database/pgweb/default.nix

@@ -1,17 +1,24 @@
-{ buildGoPackage, fetchFromGitHub, lib }:
+{ buildGoModule, fetchFromGitHub, lib }:
 
-buildGoPackage rec {
+buildGoModule rec {
   pname = "pgweb";
-  version = "0.11.7";
+  version = "0.11.11";
 
   src = fetchFromGitHub {
     owner = "sosedoff";
     repo = pname;
     rev = "v${version}";
-    sha256 = "1df3vixxca80i040apbim80nqni94q882ykn3cglyccyl0iz59ix";
+    sha256 = "sha256-oKUmBrGxExppJ5y4fZOmMOT5XDMsyMvtE9czotdlMPM=";
   };
 
-  goPackagePath = "github.com/sosedoff/pgweb";
+  postPatch = ''
+    # Disable tests require network access.
+    rm -f pkg/client/{client,dump}_test.go
+  '';
+
+  vendorSha256 = "sha256-Svy0aZKOGL0vrT058szlpS5t7NvzcyRCHRksdmdkckI=";
+
+  ldflags = [ "-s" "-w" ];
 
   meta = with lib; {
     description = "A web-based database browser for PostgreSQL";

pkgs/development/tools/gox/default.nix

@@ -1,11 +1,14 @@
-{ lib, buildGoPackage, fetchFromGitHub }:
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, makeWrapper
+, go
+}:
 
-buildGoPackage rec {
+buildGoModule rec {
   pname = "gox";
   version = "1.0.1";
 
-  goPackagePath = "github.com/mitchellh/gox";
-
   src = fetchFromGitHub {
     owner = "mitchellh";
     repo = "gox";
@@ -13,9 +16,21 @@ buildGoPackage rec {
     sha256 = "0mkh81hd7kn45dz7b6yhzqsg2mvg1g6pwx89jjigxrnqhyg9vrl7";
   };
 
+  vendorSha256 = null;
+
+  # This is required for wrapProgram.
+  allowGoReference = true;
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  postFixup = ''
+    wrapProgram $out/bin/gox --prefix PATH : ${lib.makeBinPath [ go ]}
+  '';
+
   meta = with lib; {
     homepage = "https://github.com/mitchellh/gox";
     description = "A dead simple, no frills Go cross compile tool";
     license = licenses.mpl20;
+    maintainers = with maintainers; [ azahi ];
   };
 }

pkgs/development/tools/okteto/default.nix

@@ -2,23 +2,23 @@
 
 buildGoModule rec {
   pname = "okteto";
-  version = "2.3.1";
+  version = "2.3.3";
 
   src = fetchFromGitHub {
     owner = "okteto";
     repo = "okteto";
     rev = version;
-    sha256 = "sha256-2L6Ky7Mbky6VYx4kdBuYTtaJ9AzNufuYLrgERxLYpg8=";
+    sha256 = "sha256-rKhXzmBV59bj/Dj2ORU1ggOohAs56iB15es924pHXp4=";
   };
 
+  vendorSha256 = "sha256-XT/ZLydN1oeuRupD3gjvY6+hOB/Lq5CQwhfr9/iT7JI=";
+
   postPatch = ''
     # Disable some tests that need file system & network access.
     find cmd -name "*_test.go" | xargs rm -f
     rm -f pkg/analytics/track_test.go
   '';
 
-  vendorSha256 = "sha256-XT/ZLydN1oeuRupD3gjvY6+hOB/Lq5CQwhfr9/iT7JI=";
-
   nativeBuildInputs = [ installShellFiles ];
 
   ldflags = [

pkgs/development/tools/yarn/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "yarn";
-  version = "1.22.18";
+  version = "1.22.19";
 
   src = fetchzip {
     url = "https://github.com/yarnpkg/yarn/releases/download/v${version}/yarn-v${version}.tar.gz";
-    sha256 = "sha256-gI4v/WPWrNa2i2oct8Ns7bpDzmDCy+c86pGKpNznhh0=";
+    sha256 = "sha256-12wUuWH+kkqxAgVYkyhIYVtexjv8DFP9kLpFLWg+h0o=";
   };
 
   buildInputs = [ nodejs ];

pkgs/development/tools/yarn2nix-moretea/yarn2nix/default.nix

@@ -359,7 +359,7 @@ in rec {
         runHook postInstall
       '';
 
-      doDist = true;
+      doDist = attrs.doDist or true;
 
       distPhase = attrs.distPhase or ''
         # pack command ignores cwd option

pkgs/os-specific/linux/firejail/default.nix

@@ -11,13 +11,13 @@
 
 stdenv.mkDerivation rec {
   pname = "firejail";
-  version = "0.9.68";
+  version = "0.9.70";
 
   src = fetchFromGitHub {
     owner = "netblue30";
     repo = "firejail";
     rev = version;
-    sha256 = "18yy1mykx7h78yj7sz729i3dlsrgi25m17m5x9gbrvsx7f87rw7j";
+    sha256 = "sha256-x1txt0uER66bZN6BD6c/31Zu6fPPwC9kl/3bxEE6Ce8=";
   };
 
   nativeBuildInputs = [
@@ -41,41 +41,6 @@ stdenv.mkDerivation rec {
     # By default fbuilder hardcodes the firejail binary to the install path.
     # On NixOS the firejail binary is a setuid wrapper available in $PATH.
     ./fbuilder-call-firejail-on-path.patch
-
-    # NixOS specific whitelist to resolve binary paths in user environment
-    # Fixes https://github.com/NixOS/nixpkgs/issues/170784
-    # Upstream fix https://github.com/netblue30/firejail/pull/5131
-    # Upstream hopefully fixed in later versions > 0.9.68
-   ./whitelist-nix-profile.patch
-
-    # Fix OpenGL support for various applications including Firefox
-    # Issue: https://github.com/NixOS/nixpkgs/issues/55191
-    # Upstream fix: https://github.com/netblue30/firejail/pull/5132
-    # Hopefully fixed upstream in version > 0.9.68
-    ./fix-opengl-support.patch
-
-    # Fix CVE-2022-31214 by patching in 4 commits from upstream
-    # https://seclists.org/oss-sec/2022/q2/188
-    (fetchpatch {
-      name = "CVE-2022-31214-patch1"; # "fixing CVE-2022-31214"
-      url  = "https://github.com/netblue30/firejail/commit/27cde3d7d1e4e16d4190932347c7151dc2a84c50.patch";
-      sha256 = "sha256-XXmnYCn4TPUvU43HifZDk4tEZQvOho9/7ehU6889nN4=";
-    })
-    (fetchpatch {
-      name = "CVE-2022-31214-patch2"; # "shutdown testing"
-      url  = "https://github.com/netblue30/firejail/commit/04ff0edf74395ddcbbcec955279c74ed9a6c0f86.patch";
-      sha256 = "sha256-PV73hRlvYEQihuljSCQMNO34KJ0hDVFexhirpHcTK1I=";
-    })
-    (fetchpatch {
-      name = "CVE-2022-31214-patch3"; # "CVE-2022-31214: fixing the fix"
-      url  = "https://github.com/netblue30/firejail/commit/dab835e7a0eb287822016f5ae4e87f46e1d363e7.patch";
-      sha256 = "sha256-6plBIliW/nLKR7TdGeB88eQ65JHEasnaRsP3HPXAFyA=";
-    })
-    (fetchpatch {
-      name = "CVE-2022-31214-patch4"; # "CVE-2022-31214: fixing the fix, one more time "
-      url  = "https://github.com/netblue30/firejail/commit/1884ea22a90d225950d81c804f1771b42ae55f54.patch";
-      sha256 = "sha256-inkpcdC5rl5w+CTAwwQVBOELlHTXb8UGlpU+8kMY95s=";
-    })
   ];
 
   prePatch = ''

pkgs/os-specific/linux/kernel/hardened/patches.json

@@ -2,61 +2,71 @@
     "4.14": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-4.14.281-hardened1.patch",
-            "sha256": "1i70qrv9dfpp0szl2m6icrnzpgw1r21nr4b6bbpdf1gmq22y9gf1",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.281-hardened1/linux-hardened-4.14.281-hardened1.patch"
+            "name": "linux-hardened-4.14.282-hardened1.patch",
+            "sha256": "0f7av5llr1ccx0k6z2p2spaqk4jfaw9555gf59303zgxsvakavmi",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.282-hardened1/linux-hardened-4.14.282-hardened1.patch"
         },
-        "sha256": "0pivb1m2cwqnlm8bhd4ccnlq9pwp2r5lmn77gp91k6vbjv3gkqis",
-        "version": "4.14.281"
+        "sha256": "18sp2qvk8dkjrlxwf4d470282m9wyvhajvyys9vs94rh1i3whdv6",
+        "version": "4.14.282"
     },
     "4.19": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-4.19.245-hardened1.patch",
-            "sha256": "181bsz4zzw1hmk3l0cxrgfxlf1z5gy86bxrnwxh08n3j35biywf2",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.245-hardened1/linux-hardened-4.19.245-hardened1.patch"
+            "name": "linux-hardened-4.19.246-hardened1.patch",
+            "sha256": "00827r0hiiia95z4nwvbqi1jxj5bzh8hna3d4p08gj2pvq5rwvxk",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.246-hardened1/linux-hardened-4.19.246-hardened1.patch"
         },
-        "sha256": "1s58qci6xhmss12glzkqk41kp60pqmzh4d84kyz4m4nf4xhdvzcr",
-        "version": "4.19.245"
+        "sha256": "0fmsglkvdgdmrkm53vyi9d4hvdl4py9qn1z0mni224n96rd2zb80",
+        "version": "4.19.246"
     },
     "5.10": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.10.118-hardened1.patch",
-            "sha256": "0kn33lzb92p80rvy3jzkhnv5izr8h082x400s6ihxp1sqdal0fb7",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.118-hardened1/linux-hardened-5.10.118-hardened1.patch"
+            "name": "linux-hardened-5.10.121-hardened1.patch",
+            "sha256": "1a7mvfnm15ci81129mpvh3gn6w75bq0i1ydv02zyngk9cz5mgjc1",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.121-hardened1/linux-hardened-5.10.121-hardened1.patch"
         },
-        "sha256": "0jqbzvgbvaldwwarvg27mcv2kfcgmfw72zpy4h4sp5d1hzqj1q65",
-        "version": "5.10.118"
+        "sha256": "1iljaaiwqg30rqb9zxrxc4l1p56q75jf0zvsrmn67z2a12sffi4h",
+        "version": "5.10.121"
     },
     "5.15": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.15.43-hardened1.patch",
-            "sha256": "03ilpzhr01567aaadwwk3qdnh9hlm427ihyrr59dwlwsfcqy2fd9",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.43-hardened1/linux-hardened-5.15.43-hardened1.patch"
+            "name": "linux-hardened-5.15.46-hardened1.patch",
+            "sha256": "1ndvrr98mn40705dsfkyda9ny5r273bl9f6n1xb5ndx34j396wrh",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.46-hardened1/linux-hardened-5.15.46-hardened1.patch"
         },
-        "sha256": "04hwaykdjdqhcdk1pr6p4kkyw6h3z6ig4qpsra2klxsqklx92jq6",
-        "version": "5.15.43"
+        "sha256": "0srp0wypl24gf5yz91mpk1c2kllabq6wvby1wqrrbdwvfx35figb",
+        "version": "5.15.46"
     },
     "5.17": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.17.11-hardened1.patch",
-            "sha256": "01l4k1j23ckkifjxwaq9lcfp7ynpasyn5f7nqsff6xx2wcg0qyxf",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.17.11-hardened1/linux-hardened-5.17.11-hardened1.patch"
+            "name": "linux-hardened-5.17.14-hardened1.patch",
+            "sha256": "017dq8ngg3mxnfffjkf1knkzii8hsf1gsi65zla34n7kjyajlchq",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.17.14-hardened1/linux-hardened-5.17.14-hardened1.patch"
         },
-        "sha256": "0c8vz02lbfm0zkgsr1gvdp8bzxz255dk863pnakw6d77z9bfc22p",
-        "version": "5.17.11"
+        "sha256": "0r2skbgxzw42cn29mr7i9w7fczzxhc1lx3xvri44ljjyfdqn7r0b",
+        "version": "5.17.14"
+    },
+    "5.18": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-5.18.3-hardened1.patch",
+            "sha256": "1kfnknpw2g39j7gqy6mqjmkaxkmdigx617rz2vpqvjxddfv59764",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.18.3-hardened1/linux-hardened-5.18.3-hardened1.patch"
+        },
+        "sha256": "1sngy576db1zl2284kd0j8ds4biln0q98wnywirzsg3c0w2v8367",
+        "version": "5.18.3"
     },
     "5.4": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.4.196-hardened1.patch",
-            "sha256": "11q9sadncbz84yhsai7xdbrgmcbghj0hc1lqc45767v1f3snmpyi",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.196-hardened1/linux-hardened-5.4.196-hardened1.patch"
+            "name": "linux-hardened-5.4.197-hardened1.patch",
+            "sha256": "0kqfviyx5aigadm051y9xkbyscnn9f92zwqxkjkxhpn0y684i7n5",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.197-hardened1/linux-hardened-5.4.197-hardened1.patch"
         },
-        "sha256": "1x5irgki792f21hm5146xary0260cl9r475kvw8vm9w32vyx18ig",
-        "version": "5.4.196"
+        "sha256": "1a1nzrx873vwlpm018l6rk19yh59badvwsknw3chbkbhzjrigbf2",
+        "version": "5.4.197"
     }
 }

pkgs/os-specific/linux/kernel/linux-4.14.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "4.14.281";
+  version = "4.14.282";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "0pivb1m2cwqnlm8bhd4ccnlq9pwp2r5lmn77gp91k6vbjv3gkqis";
+    sha256 = "18sp2qvk8dkjrlxwf4d470282m9wyvhajvyys9vs94rh1i3whdv6";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-4.19.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "4.19.245";
+  version = "4.19.246";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1s58qci6xhmss12glzkqk41kp60pqmzh4d84kyz4m4nf4xhdvzcr";
+    sha256 = "0fmsglkvdgdmrkm53vyi9d4hvdl4py9qn1z0mni224n96rd2zb80";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-4.9.nix

@@ -1,12 +1,12 @@
 { buildPackages, fetchurl, perl, buildLinux, nixosTests, stdenv, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.9.316";
+  version = "4.9.317";
   extraMeta.branch = "4.9";
   extraMeta.broken = stdenv.isAarch64;
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "05yd7djm6dcxv3vaylhmj3p0yml421azv8qabmhv4ric1f99idjp";
+    sha256 = "06qdqcplslnp1ncaqvp5yjr294rz3x4qrxnv522v76awj6dkd8vy";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-5.10.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.10.118";
+  version = "5.10.121";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "0jqbzvgbvaldwwarvg27mcv2kfcgmfw72zpy4h4sp5d1hzqj1q65";
+    sha256 = "1iljaaiwqg30rqb9zxrxc4l1p56q75jf0zvsrmn67z2a12sffi4h";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-5.15.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.15.43";
+  version = "5.15.46";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -15,6 +15,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "04hwaykdjdqhcdk1pr6p4kkyw6h3z6ig4qpsra2klxsqklx92jq6";
+    sha256 = "0srp0wypl24gf5yz91mpk1c2kllabq6wvby1wqrrbdwvfx35figb";
   };
 } // (args.argsOverride or { }))

pkgs/os-specific/linux/kernel/linux-5.17.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.17.11";
+  version = "5.17.14";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "0c8vz02lbfm0zkgsr1gvdp8bzxz255dk863pnakw6d77z9bfc22p";
+    sha256 = "0r2skbgxzw42cn29mr7i9w7fczzxhc1lx3xvri44ljjyfdqn7r0b";
   };
 } // (args.argsOverride or { }))

pkgs/os-specific/linux/kernel/linux-5.18.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.18";
+  version = "5.18.3";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "1vjwhl4s8qxfg1aabn8xnpjza3qzrjcp5450h9qpjvl999lg3wsi";
+    sha256 = "1sngy576db1zl2284kd0j8ds4biln0q98wnywirzsg3c0w2v8367";
   };
 } // (args.argsOverride or { }))

pkgs/os-specific/linux/kernel/linux-5.4.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.4.196";
+  version = "5.4.197";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "1x5irgki792f21hm5146xary0260cl9r475kvw8vm9w32vyx18ig";
+    sha256 = "1a1nzrx873vwlpm018l6rk19yh59badvwsknw3chbkbhzjrigbf2";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-libre.nix

@@ -1,8 +1,8 @@
 { stdenv, lib, fetchsvn, linux
 , scripts ? fetchsvn {
     url = "https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/";
-    rev = "18738";
-    sha256 = "024iw4352h8b1kbbimqgid95h868swiw45wn91sjkpmwr612v6kd";
+    rev = "18777";
+    sha256 = "0ycg799pdi3rarkdgrrxcfjl15n8i24d9zc54xhg79wpgxcv39n3";
   }
 , ...
 }:

pkgs/os-specific/linux/kernel/linux-rt-5.10.nix

@@ -6,7 +6,7 @@
 , ... } @ args:
 
 let
-  version = "5.10.115-rt67"; # updated by ./update-rt.sh
+  version = "5.10.120-rt70"; # updated by ./update-rt.sh
   branch = lib.versions.majorMinor version;
   kversion = builtins.elemAt (lib.splitString "-" version) 0;
 in buildLinux (args // {
@@ -18,14 +18,14 @@ in buildLinux (args // {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
-    sha256 = "0w9gwizyqjgsj93dqqvlh6bqkmpzjajhj09319nqncc95yrigr7m";
+    sha256 = "12qfgmzif2dy3kj4rqrnlx1if87c4fjmnya1bqpwx3hm0ih7ayjv";
   };
 
   kernelPatches = let rt-patch = {
     name = "rt";
     patch = fetchurl {
       url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
-      sha256 = "16igpdqq8nqzf98pkrs9v692d1r1fpnwrh3qxrkja0fgzswdwc0j";
+      sha256 = "0l0fp7bqfj11qcq3dqd5lv468z1hha0y774dfiliv97lx7gq34m9";
     };
   }; in [ rt-patch ] ++ kernelPatches;
 

pkgs/os-specific/linux/rtl8821cu/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "rtl8821cu";
-  version = "${kernel.version}-unstable-2022-03-08";
+  version = "${kernel.version}-unstable-2022-05-07";
 
   src = fetchFromGitHub {
     owner = "morrownr";
     repo = "8821cu-20210118";
-    rev = "4bdd7c8668562e43564cd5d786055633e591ad4d";
-    sha256 = "sha256-dfvDpjsra/nHwIGywOkZICTEP/Ex7ooH4zzkXqAaDkI=";
+    rev = "e3cf788e1dddaba3273190755ce424f93fe593e4";
+    hash = "sha256-VUZU/oFSaxewy/BF/2k4OssAi4AWSWweqXYZPHmsQvY=";
   };
 
   hardeningDisable = [ "pic" ];

pkgs/servers/matrix-appservice-discord/default.nix

@@ -62,10 +62,7 @@ in mkYarnPackage rec {
   '';
 
   # don't generate the dist tarball
-  # (`doDist = false` does not work in mkYarnPackage)
-  distPhase = ''
-    true
-  '';
+  doDist = false;
 
   passthru = {
     nodeAppDir = "libexec/${pname}/deps/${pname}";

pkgs/tools/admin/pebble/default.nix

@@ -1,15 +1,13 @@
-{ buildGoPackage
+{ lib
+, buildGoModule
 , fetchFromGitHub
-, lib
 , nixosTests
 }:
 
-buildGoPackage rec {
+buildGoModule rec {
   pname = "pebble";
   version = "2.3.1";
 
-  goPackagePath = "github.com/letsencrypt/${pname}";
-
   src = fetchFromGitHub {
     owner = "letsencrypt";
     repo = pname;
@@ -17,6 +15,8 @@ buildGoPackage rec {
     sha256 = "sha256-S9+iRaTSRt4F6yMKK0OJO6Zto9p0dZ3q/mULaipudVo=";
   };
 
+  vendorSha256 = null;
+
   passthru.tests = {
     smoke-test = nixosTests.acme;
   };

pkgs/tools/audio/abcmidi/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "abcMIDI";
-  version = "2022.05.20";
+  version = "2022.06.07";
 
   src = fetchzip {
     url = "https://ifdo.ca/~seymour/runabc/${pname}-${version}.zip";
-    hash = "sha256-mTIpy5HHKQxpqN5mHnDvmq6lA0++etj93WCcX1i046I=";
+    hash = "sha256-gMEqcdpJ4dFnxmGJHayM6ZH+n6osHvZ8Tlxk0Vvm1qI=";
   };
 
   meta = with lib; {

pkgs/tools/bluetooth/bluewalker/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "bluewalker";
-  version = "0.3.0";
+  version = "0.3.1";
 
   src = fetchFromGitLab {
     owner = "jtaimisto";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-spuJRiNiaBV4EsetUq8vUfR6ejUNZxLhVzS3AZZyrrQ=";
+    sha256 = "sha256-wAzBlCczsLfHboGYIsyN7dGwz52CMw+L3XQ0njfLVR0=";
   };
 
   vendorSha256 = "189qs6vmx63vwsjmc4qgf1y8xjsi7x6l1f5c3kd8j8jnagl26z4h";

pkgs/tools/cd-dvd/ventoy-bin/default.nix

@@ -24,7 +24,7 @@ let
   }.${stdenv.hostPlatform.system} or (throw "Unsupported platform ${stdenv.hostPlatform.system}");
 in stdenv.mkDerivation rec {
   pname = "ventoy-bin";
-  version = "1.0.75";
+  version = "1.0.76";
 
   nativeBuildInputs = [ autoPatchelfHook makeWrapper ]
     ++ lib.optional withQt5 qt5.wrapQtAppsHook;
@@ -40,7 +40,7 @@ in stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "https://github.com/ventoy/Ventoy/releases/download/v${version}/ventoy-${version}-linux.tar.gz";
-    sha256 = "64487c11da3be1aa95ae5631c12fcfefbabf3d27c80d8992145e572c5e44a535";
+    sha256 = "f13c3c81eafe15ae4b3de3d98d240d94eabba7cda8e3330ff1769502ecfa33c0";
   };
   patches = [
     (fetchpatch {

pkgs/tools/filesystems/sshfs-fuse/default.nix

@@ -22,7 +22,7 @@ in if stdenv.isDarwin then
   }
 else
   mkSSHFS {
-    version = "3.7.2";
-    sha256 = "0i0ycgwdxja8313hlkrlwrl85a4ykkyqddgg484jkr4rnr7ylk8w";
+    version = "3.7.3";
+    sha256 = "0s2hilqixjmv4y8n67zaq374sgnbscp95lgz5ignp69g3p1vmhwz";
     platforms = lib.platforms.linux;
   }

pkgs/tools/misc/fclones/default.nix

@@ -8,16 +8,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "fclones";
-  version = "0.25.0";
+  version = "0.26.0";
 
   src = fetchFromGitHub {
     owner = "pkolaczk";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-7MNVLfBH6hWoNy+UQzK6gwZuPbBPMfG660my+E6FT5Q=";
+    sha256 = "sha256-GimCHMUUjD1q5CfKXKtucIs/HLIJZnIbp+wtN+/jjhY=";
   };
 
-  cargoSha256 = "sha256-8Ur3KwGuIY8QAGNTcyTpFg2C1CBcIpZJp6EO9g8XuE8=";
+  cargoSha256 = "sha256-/qSaPvI4K9AinewMlsCp2funJrZtwvoBUQ6816NQ8zw=";
 
   buildInputs = lib.optionals stdenv.isDarwin [
     AppKit

pkgs/tools/misc/fluent-bit/default.nix

@@ -19,7 +19,13 @@ stdenv.mkDerivation rec {
   cmakeFlags = [ "-DFLB_METRICS=ON" "-DFLB_HTTP_SERVER=ON" ];
 
   # _FORTIFY_SOURCE requires compiling with optimization (-O)
-  NIX_CFLAGS_COMPILE = lib.optionalString stdenv.cc.isGNU "-O";
+  NIX_CFLAGS_COMPILE = lib.optionals stdenv.cc.isGNU [ "-O" ]
+    # Workaround build failure on -fno-common toolchains:
+    #   ld: /monkey/mk_tls.h:81: multiple definition of `mk_tls_server_timeout';
+    #     flb_config.c.o:include/monkey/mk_tls.h:81: first defined here
+    # TODO: drop when upstream gets a fix for it:
+    #   https://github.com/fluent/fluent-bit/issues/5537
+    ++ lib.optionals stdenv.isDarwin [ "-fcommon" ];
 
   outputs = [ "out" "dev" ];
 

pkgs/tools/misc/hwatch/default.nix

@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, rustPlatform }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "hwatch";
+  version = "0.3.6";
+
+  src = fetchFromGitHub {
+    owner = "blacknon";
+    repo = pname;
+    # prefix, because just "0.3.6' causes the download to silently fail:
+    # $ curl -v https://github.com/blacknon/hwatch/archive/0.3.6.tar.gz
+    # ...
+    # < HTTP/2 300
+    # ...
+    # the given path has multiple possibilities: #<Git::Ref:0x00007fbb2e52bed0>, #<Git::Ref:0x00007fbb2e52ae40>
+    rev = "refs/tags/${version}";
+    sha256 = "sha256-uaAgA6DWwYVT9mQh55onW+qxIC2i9GVuimctTJpUgfA=";
+  };
+
+  cargoSha256 = "sha256-Xt3Z6ax3Y45KZhTYMBr/Rfx1o+ZAoPYj51SN5hnrXQM=";
+
+  meta = with lib; {
+    homepage = "https://github.com/blackmon/hwatch";
+    description= "Modern alternative to the watch command";
+    longDescription = ''
+      A modern alternative to the watch command, records the differences in
+      execution results and can check this differences at after.
+    '';
+    license = licenses.mit;
+    maintainers = with maintainers; [ hamburger1984 ];
+    platforms = platforms.linux;
+  };
+}

pkgs/tools/misc/lsd/default.nix

@@ -9,16 +9,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "lsd";
-  version = "0.21.0";
+  version = "0.22.0";
 
   src = fetchFromGitHub {
     owner = "Peltoche";
     repo = pname;
     rev = version;
-    sha256 = "sha256-4pa8yJjUTO5MUDuljfU9Vo2ZjbsIwWJsJj6VVNfN25A=";
+    sha256 = "sha256-YeSEaamtIjip2nLBw/1/RSkr6ZL0p1GG2pHU14Ry6XU=";
   };
 
-  cargoSha256 = "sha256-P0HJVp2ReJuLSZrArw/EAfLFDOZqswI0nD1SCHwegoE=";
+  cargoSha256 = "sha256-JsPGw5hjNy+yTZiSBeF05o9Zl6pYXxEI4kIDLY6Q54Q=";
 
   nativeBuildInputs = [ installShellFiles pandoc ];
   postInstall = ''

pkgs/tools/networking/libreswan/default.nix

@@ -43,11 +43,11 @@ in
 
 stdenv.mkDerivation rec {
   pname = "libreswan";
-  version = "4.6";
+  version = "4.7";
 
   src = fetchurl {
     url = "https://download.libreswan.org/${pname}-${version}.tar.gz";
-    sha256 = "1zsnsfx18pf5dy1p4jva2sfl0bdfx5y9ls54f9bp70m64r46yf96";
+    sha256 = "0i7wyfgkaq6kcfhh1yshb1v7q42n3zvdkhq10f3ks1h075xk7mnx";
   };
 
   strictDeps = true;
@@ -112,6 +112,7 @@ stdenv.mkDerivation rec {
     "INITSYSTEM=systemd"
     "UNITDIR=$(out)/etc/systemd/system/"
     "TMPFILESDIR=$(out)/lib/tmpfiles.d/"
+    "LINUX_VARIANT=nixos"
   ];
 
   # Hack to make install work

pkgs/tools/networking/ooniprobe-cli/default.nix

@@ -5,16 +5,16 @@
 
 buildGoModule rec {
   pname = "ooniprobe-cli";
-  version = "3.15.0";
+  version = "3.15.1";
 
   src = fetchFromGitHub {
     owner = "ooni";
     repo = "probe-cli";
     rev = "v${version}";
-    hash = "sha256-lIRU6TM76/uX2LA4hdWbF4fbbcfGMUzmGz4e1PTyH3c=";
+    hash = "sha256-s1q9QgdbLmMaEV2ovGRKWHRhUFvbTHhFvo7ALdhUG4Y=";
   };
 
-  vendorSha256 = "h06WoKykuVzNgco74YbpSP+1nu/bOEf2mT4rUEX8MxU=";
+  vendorSha256 = "sha256-h06WoKykuVzNgco74YbpSP+1nu/bOEf2mT4rUEX8MxU=";
 
   subPackages = [ "cmd/ooniprobe" ];
 

pkgs/tools/networking/vopono/default.nix

@@ -5,14 +5,14 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "vopono";
-  version = "0.8.10";
+  version = "0.9.1";
 
   src = fetchCrate {
     inherit pname version;
-    sha256 = "sha256-+ZRvuUA7BvM8YW1QZQ7iJrLvleitl1hqEOrTkrLVSes";
+    sha256 = "sha256-6fK4A7/Ezi6MZxDec565g2LnDkTyGgQhiqzZznwG3s8=";
   };
 
-  cargoHash = "sha256-zM5JufS0qEYPEEwl6iPZYge3cssrsLu835AhAd8F3vc";
+  cargoHash = "sha256-lNBmX8UyGPQARjxYF9ECzVfgDtqXdHyB4GvjCgXoiLo=";
 
   meta = with lib; {
     description = "Run applications through VPN connections in network namespaces";

pkgs/tools/package-management/nix/default.nix

@@ -89,19 +89,17 @@ in lib.makeExtensible (self: {
   nix_2_9 = common {
     version = "2.9.1";
     sha256 = "sha256-qNL3lQPBsnStkru3j1ajN/H+knXI+X3dku8/dBfSw3g=";
+    patches = [
+      # add missing --git-dir flags
+      # remove once 2.9.2 is out
+      (fetchpatch {
+        url = "https://github.com/NixOS/nix/commit/1a994cc35b33dcfd484e7a96be0e76e23bfb9029.patch";
+        sha256 = "sha256-7rDlqWRSVPijbvrTm4P+YykbMWyJryorXqGLEgg8/Wo=";
+      })
+    ];
   };
 
   stable = self.nix_2_9;
 
-  # remember to backport updates to the stable branch!
-  unstable = lib.lowPrio (common rec {
-    version = "2.9";
-    suffix = "pre20220610_${lib.substring 0 7 src.rev}";
-    src = fetchFromGitHub {
-      owner = "NixOS";
-      repo = "nix";
-      rev = "45ebaab66594692035f028796200a6db2b1fedaf";
-      sha256 = "sha256-82M5jKdGUxQBfYj+8nK2SvfVv4Uo0YrPxiuWV/fnvtI=";
-    };
-  });
+  unstable = self.stable;
 })

pkgs/tools/security/faraday-cli/default.nix

@@ -5,13 +5,14 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "faraday-cli";
-  version = "2.0.2";
+  version = "2.1.5";
+  format = "setuptools";
 
   src = fetchFromGitHub {
     owner = "infobyte";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-J3YlFsX/maOqWo4ILEMXzIJeQ8vr47ApGGiaBWrUCMs=";
+    hash = "sha256-kl5yOJTMobccZoaIoWwQubCrswPa69I5Kmuox7JqAXs=";
   };
 
   propagatedBuildInputs = with python3.pkgs; [
@@ -22,8 +23,10 @@ python3.pkgs.buildPythonApplication rec {
     faraday-plugins
     jsonschema
     log-symbols
+    luddite
     packaging
     pyyaml
+    py-sneakers
     simple-rest-client
     spinners
     tabulate

pkgs/tools/security/qdigidoc/default.nix

@@ -35,10 +35,14 @@ mkDerivation rec {
     qttranslations
   ];
 
-  # replace this hack with a proper cmake variable or environment variable
-  # once https://github.com/open-eid/cmake/pull/34 (or #35) gets merged.
+  # qdigidoc4's `QPKCS11::reload()` dlopen()s "opensc-pkcs11.so" in QLibrary,
+  # i.e. OpenSC's module is searched for in libQt5Core's DT_RUNPATH and fixing
+  # qdigidoc4's DT_RUNPATH has no effect on Linux (at least OpenBSD's ld.so(1)
+  # searches the program's runtime path as well).
+  # LD_LIBRARY_PATH takes precedence for all calling objects, see dlopen(3).
+  # https://github.com/open-eid/cmake/pull/35 might be an alternative.
   qtWrapperArgs = [
-      "--prefix LD_LIBRARY_PATH : ${opensc}/lib/pkcs11/"
+    "--prefix LD_LIBRARY_PATH : ${opensc}/lib/pkcs11/"
   ];
 
   meta = with lib; {

pkgs/tools/security/sudo/default.nix

@@ -14,11 +14,11 @@
 
 stdenv.mkDerivation rec {
   pname = "sudo";
-  version = "1.9.10";
+  version = "1.9.11p1";
 
   src = fetchurl {
     url = "https://www.sudo.ws/dist/${pname}-${version}.tar.gz";
-    sha256 = "sha256-RKFGEJjnx7jmrFl0mcJPsuQ3SMDBOai0lE5X0TSaZPQ=";
+    sha256 = "sha256-64tsGmmprfS4IDC2bZnXkhTXy6UDGgvkMQOmF2sWJUs=";
   };
 
   prePatch = ''

pkgs/tools/security/vault/default.nix

@@ -6,16 +6,16 @@
 
 buildGoModule rec {
   pname = "vault";
-  version = "1.10.3";
+  version = "1.10.4";
 
   src = fetchFromGitHub {
     owner = "hashicorp";
     repo = "vault";
     rev = "v${version}";
-    sha256 = "sha256-12LOYp2ffTC/IOyNyT2PMnkP4FOKT8HROZNRWyTHxhA=";
+    sha256 = "sha256-RJCFbhpFx84R9CIU1OaaZbjBXltNY/1GC2gwgydX4n8=";
   };
 
-  vendorSha256 = "sha256-w5nUkCNo9xfalbc/U7uYaHZsUdyMV3tKDypQM9MnwE4=";
+  vendorSha256 = "sha256-8fTAU/K0WkkS6an5Ffaxpnz8vABQXpiWaCroc8DTYmc=";
 
   subPackages = [ "." ];
 

pkgs/tools/security/vault/vault-bin.nix

@@ -2,7 +2,7 @@
 
 stdenv.mkDerivation rec {
   pname = "vault-bin";
-  version = "1.10.3";
+  version = "1.10.4";
 
   src =
     let
@@ -16,11 +16,11 @@ stdenv.mkDerivation rec {
         aarch64-darwin = "darwin_arm64";
       };
       sha256 = selectSystem {
-        x86_64-linux = "sha256-hz7u6sW415h/AsGlyghImo3K54gbAS92N6L0dI8vV8Q=";
-        aarch64-linux = "sha256-DIrVgHeVvDNx0vRwXt2gzf3HDYzDeYQ2JVy+7KlrLUo=";
-        i686-linux = "sha256-B0xamHI6GnHrKLjhIBvs89keShJ45fRgyM7M214S9jY=";
-        x86_64-darwin = "sha256-ubPcl/e0nwYYw5SrN2jfrGSwLHbi99jklYMDZuVdf6s=";
-        aarch64-darwin = "sha256-4CKrelIzaXu2GccWo2ZTzGSqCMTM1qmJ0drGD8F3c0k=";
+        x86_64-linux = "sha256-cLCRZDOMx1bk+sZnArR9oOxuCowqFDwPINxWnONIqUU=";
+        aarch64-linux = "sha256-5MdszdDr+qK1RZnhXnAZjZ9+pal3ju6XMV6NnjVSUIg=";
+        i686-linux = "sha256-srlyVhh4j005kLdLdJoEjHbXw0DLHH4G/rUH+b4EdDE=";
+        x86_64-darwin = "sha256-Bep4LAm1/8PDA+fiWfR0nDUezP0VADKwry2rjYv8dTU=";
+        aarch64-darwin = "sha256-2mLIOun03SiXeSEFD+qRPOCj4LJB6LjB6aneJ78A5OQ=";
       };
     in
     fetchzip {

pkgs/tools/text/ugrep/default.nix

@@ -11,13 +11,13 @@
 
 stdenv.mkDerivation rec {
   pname = "ugrep";
-  version = "3.7.9";
+  version = "3.8.2";
 
   src = fetchFromGitHub {
     owner = "Genivia";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-ZY3pihHU5FLu41vKrM/U06iZZ6D/LSuoyy2gHJJqRFY=";
+    sha256 = "sha256-Y6Ed1xPguiDPWrZCxcnJOZxvUHlS6fl2jyjaC3AmG68=";
   };
 
   buildInputs = [

pkgs/top-level/all-packages.nix

@@ -404,6 +404,8 @@ with pkgs;
 
   gpick = callPackage ../tools/misc/gpick { };
 
+  hwatch = callPackage ../tools/misc/hwatch { };
+
   hobbes = callPackage ../development/tools/hobbes { stdenv = gcc10StdenvCompat; };
 
   html5validator = python3Packages.callPackage ../applications/misc/html5validator { };
@@ -23352,6 +23354,8 @@ with pkgs;
   linux_5_15_hardened = linuxKernel.kernels.linux_5_15_hardened;
   linuxPackages_5_17_hardened = linuxKernel.packages.linux_5_17_hardened;
   linux_5_17_hardened = linuxKernel.kernels.linux_5_17_hardened;
+  linuxPackages_5_18_hardened = linuxKernel.packages.linux_5_18_hardened;
+  linux_5_18_hardened = linuxKernel.kernels.linux_5_18_hardened;
 
   # Hardkernel (Odroid) kernels.
   linuxPackages_hardkernel_latest = linuxKernel.packageAliases.linux_hardkernel_latest;

pkgs/top-level/linux-kernels.nix

@@ -244,6 +244,7 @@ in {
     linux_5_10_hardened = hardenedKernelFor kernels.linux_5_10 { };
     linux_5_15_hardened = hardenedKernelFor kernels.linux_5_15 { };
     linux_5_17_hardened = hardenedKernelFor kernels.linux_5_17 { };
+    linux_5_18_hardened = hardenedKernelFor kernels.linux_5_18 { };
 
   }));
   /*  Linux kernel modules are inherently tied to a specific kernel.  So
@@ -551,6 +552,7 @@ in {
     linux_5_10_hardened = recurseIntoAttrs (hardenedPackagesFor kernels.linux_5_10 { });
     linux_5_15_hardened = recurseIntoAttrs (hardenedPackagesFor kernels.linux_5_15 { });
     linux_5_17_hardened = recurseIntoAttrs (hardenedPackagesFor kernels.linux_5_17 { });
+    linux_5_18_hardened = recurseIntoAttrs (hardenedPackagesFor kernels.linux_5_18 { });
 
     linux_zen = recurseIntoAttrs (packagesFor kernels.linux_zen);
     linux_lqx = recurseIntoAttrs (packagesFor kernels.linux_lqx);
@@ -565,7 +567,7 @@ in {
   });
 
   packageAliases = {
-    linux_default = if stdenv.hostPlatform.isi686 then packages.linux_5_10 else packages.linux_5_15;
+    linux_default = if stdenv.hostPlatform.is32bit then packages.linux_5_10 else packages.linux_5_15;
     # Update this when adding the newest kernel major version!
     linux_latest = packages.linux_5_18;
     linux_mptcp = packages.linux_mptcp_95;

pkgs/top-level/metrics.nix

@@ -4,8 +4,7 @@ with pkgs;
 
 runCommand "nixpkgs-metrics"
   { nativeBuildInputs = with pkgs.lib; map getBin [ nix time jq ];
-    # see https://github.com/NixOS/nixpkgs/issues/52436
-    #requiredSystemFeatures = [ "benchmark" ]; # dedicated `t2a` machine, by @vcunat
+    requiredSystemFeatures = [ "benchmark" ]; # dedicated `t2a` machine, by @vcunat
   }
   ''
     export NIX_STORE_DIR=$TMPDIR/store