Merge master into staging-next

.github/labeler-no-sync.yml

@@ -22,6 +22,13 @@
         - doc/**/*
         - nixos/doc/**/*
 
+"backport release-24.11":
+  - any:
+    - changed-files:
+      - any-glob-to-any-file:
+        - .github/workflows/*
+        - ci/**/*.*
+
 "backport release-25.05":
   - any:
     - changed-files:

.github/workflows/dismissed-review.yml

@@ -1,30 +0,0 @@
-name: Dismissed Review
-
-on:
-  pull_request_review:
-    types: [dismissed]
-
-permissions:
-  pull-requests: write
-
-jobs:
-  # The check-cherry-picks workflow creates review comments,
-  # that should sometimes be manually dismissed.
-  # When a CI-generated review is dismissed, this job automatically
-  # minimizes it, to prevent it from cluttering the PR.
-  minimize:
-    name: Minimize as resolved
-    if: github.event.review.user.login == 'github-actions[bot]'
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          script: |
-            await github.graphql(`mutation($node_id:ID!) {
-              minimizeComment(input: {
-                classifier: RESOLVED,
-                subjectId: $node_id
-              })
-              { clientMutationId }
-            }`, { node_id: context.payload.review.node_id })
-

ci/OWNERS

@@ -227,6 +227,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /nixos/tests/snapcast.nix @mweinelt
 
 # Browsers
+/pkgs/applications/networking/browsers/librewolf @squalus @DominicWrege @fpletz @LordGrimmauld
 /pkgs/applications/networking/browsers/firefox @mweinelt
 /pkgs/applications/networking/browsers/chromium @emilylange @networkException
 /nixos/tests/chromium.nix @emilylange @networkException

ci/README.md

@@ -7,9 +7,9 @@ This is in contrast with [`maintainers/scripts`](../maintainers/scripts) which i
 
 CI may need certain packages from Nixpkgs.
 In order to ensure that the needed packages are generally available without building,
-[`pinned-nixpkgs.json`](./pinned-nixpkgs.json) contains a pinned Nixpkgs version tested by Hydra.
+[`pinned.json`](./pinned.json) contains a pinned Nixpkgs version tested by Hydra.
 
-Run [`update-pinned-nixpkgs.sh`](./update-pinned-nixpkgs.sh) to update it.
+Run [`update-pinned.sh`](./update-pinned.sh) to update it.
 
 ## `ci/nixpkgs-vet.sh BASE_BRANCH [REPOSITORY]`
 
@@ -20,23 +20,3 @@ Arguments:
 
 - `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05
 - `REPOSITORY`: The repository from which to fetch the base branch. Defaults to <https://github.com/NixOS/nixpkgs.git>.
-
-## `ci/nixpkgs-vet`
-
-This directory contains scripts and files used and related to [`nixpkgs-vet`](https://github.com/NixOS/nixpkgs-vet/), which the CI uses to implement `pkgs/by-name` checks, along with many other Nixpkgs architecture rules.
-See also the [CI GitHub Action](../.github/workflows/nixpkgs-vet.yml).
-
-## `ci/nixpkgs-vet/update-pinned-tool.sh`
-
-Updates the pinned [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) in [`ci/nixpkgs-vet/pinned-version.txt`](./nixpkgs-vet/pinned-version.txt) to the latest [release](https://github.com/NixOS/nixpkgs-vet/releases).
-
-Each release contains a pre-built `x86_64-linux` version of the tool which is used by CI.
-
-This script currently needs to be called manually when the CI tooling needs to be updated.
-
-Why not just build the tooling right from the PRs Nixpkgs version?
-
-- Because it allows CI to check all PRs, even if they would break the CI tooling.
-- Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.
-- Because it improves security, since we don't have to build potentially untrusted code from PRs.
-  The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).

ci/codeowners-validator/default.nix

@@ -20,7 +20,7 @@ buildGoModule {
     })
     # Undoes part of the above PR: We don't want to require write access
     # to the repository, that's only needed for GitHub's native CODEOWNERS.
-    # Furthermore, it removes an unneccessary check from the code
+    # Furthermore, it removes an unnecessary check from the code
     # that breaks tokens generated for GitHub Apps.
     ./permissions.patch
     # Allows setting a custom CODEOWNERS path using the OWNERS_FILE env var

ci/default.nix

@@ -1,5 +1,5 @@
 let
-  pinnedNixpkgs = builtins.fromJSON (builtins.readFile ./pinned-nixpkgs.json);
+  pinned = (builtins.fromJSON (builtins.readFile ./pinned.json)).pins;
 in
 {
   system ? builtins.currentSystem,
@@ -10,8 +10,8 @@ let
   nixpkgs' =
     if nixpkgs == null then
       fetchTarball {
-        url = "https://github.com/NixOS/nixpkgs/archive/${pinnedNixpkgs.rev}.tar.gz";
+        inherit (pinned.nixpkgs) url;
-        sha256 = pinnedNixpkgs.sha256;
+        sha256 = pinned.nixpkgs.hash;
       }
     else
       nixpkgs;
@@ -25,9 +25,8 @@ let
   fmt =
     let
       treefmtNixSrc = fetchTarball {
-        # Master at 2025-02-12
+        inherit (pinned.treefmt-nix) url;
-        url = "https://github.com/numtide/treefmt-nix/archive/4f09b473c936d41582dd744e19f34ec27592c5fd.tar.gz";
+        sha256 = pinned.treefmt-nix.hash;
-        sha256 = "051vh6raskrxw5k6jncm8zbk9fhbzgm1gxpq9gm5xw1b6wgbgcna";
       };
       treefmtEval = (import treefmtNixSrc).evalModule pkgs {
         # Important: The auto-rebase script uses `git filter-branch --tree-filter`,

ci/nixpkgs-vet.sh

@@ -61,9 +61,6 @@ trace "Done"
 trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "
 git -C "$tmp/merged" merge -q --no-edit "$baseSha"
 trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"
-trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "
-toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")
-trace -e "\e[34m$toolVersion\e[0m"
 
 trace "Running nixpkgs-vet.."
 nix-build ci -A nixpkgs-vet --argstr base "$tmp/base" --argstr head "$tmp/merged"

ci/nixpkgs-vet/pinned-version.txt

@@ -1 +0,0 @@
-0.1.4

ci/nixpkgs-vet/update-pinned-tool.sh

@@ -1,22 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p jq curl
-
-set -o pipefail -o errexit -o nounset
-
-trace() { echo >&2 "$@"; }
-
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-
-repository=NixOS/nixpkgs-vet
-pin_file=$SCRIPT_DIR/pinned-version.txt
-
-trace -n "Fetching latest release of $repository.. "
-latestRelease=$(curl -sSfL \
-  -H "Accept: application/vnd.github+json" \
-  -H "X-GitHub-Api-Version: 2022-11-28" \
-  https://api.github.com/repos/"$repository"/releases/latest)
-latestVersion=$(jq .tag_name -r <<< "$latestRelease")
-trace "$latestVersion"
-
-trace "Updating $pin_file"
-echo "$latestVersion" > "$pin_file"

ci/pinned-nixpkgs.json

@@ -1,4 +0,0 @@
-{
-  "rev": "3d1f29646e4b57ed468d60f9d286cde23a8d1707",
-  "sha256": "1wzvc9h9a6l9wyhzh892xb5x88kxmbzxb1k8s7fizyyw2q4nqw07"
-}

ci/pinned.json

@@ -0,0 +1,31 @@
+{
+  "pins": {
+    "nixpkgs": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "NixOS",
+        "repo": "nixpkgs"
+      },
+      "branch": "nixpkgs-unstable",
+      "submodules": false,
+      "revision": "8ca7ec685bbee55d6dcb326abe23945c0806c39e",
+      "url": "https://github.com/NixOS/nixpkgs/archive/8ca7ec685bbee55d6dcb326abe23945c0806c39e.tar.gz",
+      "hash": "1hkxm871m66mjsc4acdki32qqnpgk3n6vi3zrzns2bwlwp6ivcjx"
+    },
+    "treefmt-nix": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "numtide",
+        "repo": "treefmt-nix"
+      },
+      "branch": "main",
+      "submodules": false,
+      "revision": "1f3f7b784643d488ba4bf315638b2b0a4c5fb007",
+      "url": "https://github.com/numtide/treefmt-nix/archive/1f3f7b784643d488ba4bf315638b2b0a4c5fb007.tar.gz",
+      "hash": "13qisjalw9qvd6lkd9g8225r46j5wdjrp3zw6jrs81q2vxwdz37m"
+    }
+  },
+  "version": 5
+}

ci/update-pinned-nixpkgs.sh

@@ -1,17 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p jq
-
-set -euo pipefail
-
-# https://stackoverflow.com/a/246128
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-
-repo=https://github.com/nixos/nixpkgs
-branch=nixpkgs-unstable
-file=$SCRIPT_DIR/pinned-nixpkgs.json
-
-defaultRev=$(git ls-remote "$repo" refs/heads/"$branch" | cut -f1)
-rev=${1:-$defaultRev}
-sha256=$(nix-prefetch-url --unpack "$repo/archive/$rev.tar.gz" --name source)
-
-jq -n --arg rev "$rev" --arg sha256 "$sha256" '$ARGS.named' | tee /dev/stderr > $file

ci/update-pinned.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p npins
+
+set -euo pipefail
+
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+npins --lock-file pinned.json update

doc/languages-frameworks/go.section.md

@@ -195,6 +195,21 @@ Specifies the contents of the `go.sum` file and triggers rebuilds when it change
 Defaults to `null`
 
 
+## Versioned toolchains and builders {#ssec-go-toolchain-versions}
+
+Beside `buildGoModule`, there are also versioned builders available that pin a specific Go version, like `buildGo124Module` for Go 1.24.
+Similar, versioned toolchains are available, like `go_1_24` for Go 1.24.
+Both builder and toolchain of a certain version will be removed as soon as the Go version reaches end of life.
+
+As toolchain updates in nixpkgs cause mass rebuilds and must go through the staging cycle, it can take a while until a new Go minor version is available to consumers of nixpkgs.
+If you want quicker access to the latest minor, use `go_latest` toolchain and `buildGoLatestModule` builder.
+To learn more about the Go maintenance and upgrade procedure in nixpkgs, check out the [Go toolchain/builder upgrade policy](https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/go/README.md#go-toolchainbuilder-upgrade-policy).
+
+::: {.warning}
+The use of `go_latest` and `buildGoLatestModule` is restricted within nixpkgs.
+The [Go toolchain/builder upgrade policy](https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/go/README.md#go-toolchainbuilder-upgrade-policy) must be followed.
+:::
+
 ## Overriding `goModules` {#buildGoModule-goModules-override}
 
 Overriding `<pkg>.goModules` by calling `goModules.overrideAttrs` is unsupported. Still, it is possible to override the `vendorHash` (`goModules`'s `outputHash`) and the `pre`/`post` hooks for both the build and patch phases of the primary and `goModules` derivation.

doc/redirects.json

@@ -3012,6 +3012,9 @@
   "ex-buildGoModule": [
     "index.html#ex-buildGoModule"
   ],
+  "ssec-go-toolchain-versions" : [
+    "index.html#ssec-go-toolchain-versions"
+  ],
   "buildGoModule-goModules-override": [
     "index.html#buildGoModule-goModules-override"
   ],

doc/release-notes/rl-2505.section.md

@@ -230,6 +230,11 @@
 
 - `buildGoModule` now supports a `goSum` attribute (`null` by default) to optionally provide a path to `go.sum` and correctly enabling rebuilds when the file changes.
 
+- The newly added aliases `go_latest` and `buildGoLatestModule` are now available and can be use to prevent packages like `gopls` from breaking whenever the default toolchain minor version is lagging behind.
+  It can also be used _outside of nixpkgs_ to get fast access to new Go minor versions without having to wait for a staging cycle that will update the default builder/toolchain.
+
+- A [policy documenting the details of Go toolchain and builder upgrades](https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/go/README.md#go-toolchainbuilder-upgrade-policy) in nixpkgs, as well as rules related to using non-default builders like `buildGo1xxModule` and `buildGoLatestModule` has been added in-tree.
+
 - top-level `playwright` now refers to the github Microsoft/playwright package
   instead of the python tester launcher. You can still refer to the python
   launcher via `python3Packages.toPythonApplication python3Packages.playwright`

lib/attrsets.nix

@@ -1747,7 +1747,7 @@ rec {
 
   /**
     Get the first of the `outputs` provided by the package, or the default.
-    This function is alligned with `_overrideFirst()` from the `multiple-outputs.sh` setup hook.
+    This function is aligned with `_overrideFirst()` from the `multiple-outputs.sh` setup hook.
     Like `getOutput`, the function is idempotent.
 
     # Inputs

lib/fixed-points.nix

@@ -389,7 +389,7 @@ rec {
 
       extensions = composeManyExtensions [ overlayA overlayB ];
 
-      # Caluculate the fixed point of all composed overlays.
+      # Calculate the fixed point of all composed overlays.
       fixedpoint = lib.fix (lib.extends extensions original );
 
     in fixedpoint

lib/options.nix

@@ -404,7 +404,7 @@ rec {
     ```nix
     myType = mkOptionType {
       name = "myType";
-      merge = mergeDefaultOption; # <- This line is redundant. It is the default aready.
+      merge = mergeDefaultOption; # <- This line is redundant. It is the default already.
     };
     ```
 
@@ -470,7 +470,7 @@ rec {
     args@{
       message,
       # WARNING: the default merge function assumes that the definition is a valid (option) value. You MUST pass a merge function if the return value needs to be
-      #   - type checked beyond what .check does (which should be very litte; only on the value head; not attribute values, etc)
+      #   - type checked beyond what .check does (which should be very little; only on the value head; not attribute values, etc)
       #   - if you want attribute values to be checked, or list items
       #   - if you want coercedTo-like behavior to work
       merge ? loc: defs: (head defs).value,

lib/types.nix

@@ -75,7 +75,7 @@ let
     if pos == null then "" else " at ${pos.file}:${toString pos.line}:${toString pos.column}";
 
   # Internal functor to help for migrating functor.wrapped to functor.payload.elemType
-  # Note that individual attributes can be overriden if needed.
+  # Note that individual attributes can be overridden if needed.
   elemTypeFunctor =
     name:
     { elemType, ... }@payload:
@@ -1455,8 +1455,14 @@ let
           nestedTypes.coercedType = coercedType;
           nestedTypes.finalType = finalType;
         };
+      /**
+        Augment the given type with an additional type check function.
 
-      # Augment the given type with an additional type check function.
+        :::{.warning}
+        This function has some broken behavior see: [#396021](https://github.com/NixOS/nixpkgs/issues/396021)
+        Fixing is not trivial, we appreciate any help!
+        :::
+      */
       addCheck = elemType: check: elemType // { check = x: elemType.check x && check x; };
 
     };

nixos/lib/make-options-doc/default.nix

@@ -45,7 +45,7 @@
 
   Documentation rendered as AsciiDoc. This is useful for e.g. man pages.
 
-  > Note: NixOS itself uses this ouput to to build the configuration.nix man page"
+  > Note: NixOS itself uses this output to to build the configuration.nix man page"
 
   ## optionsNix
 
@@ -59,7 +59,7 @@
   let
     # Evaluate a NixOS configuration
     eval = import (pkgs.path + "/nixos/lib/eval-config.nix") {
-      # Overriden explicitly here, this would include all modules from NixOS otherwise.
+      # Overridden explicitly here, this would include all modules from NixOS otherwise.
       # See: docs of eval-config.nix for more details
       baseModules = [];
       modules = [

nixos/lib/systemd-unit-options.nix

@@ -15,7 +15,6 @@ let
   inherit (lib)
     any
     concatMap
-    filterOverrides
     isList
     literalExpression
     mergeEqualOption
@@ -56,13 +55,10 @@ rec {
     name = "systemd option";
     merge =
       loc: defs:
-      let
+      if any (def: isList def.value) defs then
-        defs' = filterOverrides defs;
+        concatMap (def: toList def.value) defs
-      in
-      if any (def: isList def.value) defs' then
-        concatMap (def: toList def.value) defs'
       else
-        mergeEqualOption loc defs';
+        mergeEqualOption loc defs;
   };
 
   sharedOptions = {

nixos/lib/testing/network.nix

@@ -130,7 +130,7 @@ let
         virtualisation.test.nodeName = mkOption {
           internal = true;
           default = name;
-          # We need to force this in specilisations, otherwise it'd be
+          # We need to force this in specialisations, otherwise it'd be
           # readOnly = true;
           description = ''
             The `name` in `nodes.<name>`; stable across `specialisations`.

nixos/maintainers/option-usages.nix

@@ -60,7 +60,7 @@ let
   inherit (eval) pkgs;
 
   excludedTestOptions = [
-    # We cannot evluate _module.args, as it is used during the computation
+    # We cannot evaluate _module.args, as it is used during the computation
     # of the modules list.
     "_module.args"
 

nixos/modules/config/sysctl.nix

@@ -9,7 +9,7 @@ let
         checkType = x: lib.isBool x || lib.isString x || lib.isInt x || x == null;
       in
       checkType val || (val._type or "" == "override" && checkType val.content);
-    merge = loc: defs: lib.mergeOneOption loc (lib.filterOverrides defs);
+    merge = loc: defs: lib.mergeOneOption loc defs;
   };
 
 in
@@ -22,9 +22,7 @@ in
       type =
         let
           highestValueType = lib.types.ints.unsigned // {
-            merge =
+            merge = loc: defs: lib.foldl (a: b: if b.value == null then null else lib.max a b.value) 0 defs;
-              loc: defs:
-              lib.foldl (a: b: if b.value == null then null else lib.max a b.value) 0 (lib.filterOverrides defs);
           };
         in
         lib.types.submodule {

nixos/modules/misc/ids.nix

@@ -273,7 +273,7 @@ in
       caddy = 239;
       taskd = 240;
       # factorio = 241; # DynamicUser = true
-      # emby = 242; # unusued, removed 2019-05-01
+      # emby = 242; # unused, removed 2019-05-01
       #graylog = 243;# dynamically allocated as of 2021-09-03
       sniproxy = 244;
       nzbget = 245;
@@ -371,7 +371,7 @@ in
       # system user or group of the same id in someone else's NixOS.
       # This could break their system and make that person upset for a whole day.
       #
-      # Sidenote: the default is defined in `shadow` module[2], and the relavent change
+      # Sidenote: the default is defined in `shadow` module[2], and the relevant change
       # was made way back in 2014[3].
       #
       # [1]: https://man7.org/linux/man-pages/man5/login.defs.5.html#:~:text=SYS_UID_MAX%20(number)%2C%20SYS_UID_MIN%20(number)
@@ -700,7 +700,7 @@ in
       # system user or group of the same id in someone else's NixOS.
       # This could break their system and make that person upset for a whole day.
       #
-      # Sidenote: the default is defined in `shadow` module[2], and the relavent change
+      # Sidenote: the default is defined in `shadow` module[2], and the relevant change
       # was made way back in 2014[3].
       #
       # [1]: https://man7.org/linux/man-pages/man5/login.defs.5.html#:~:text=SYS_UID_MAX%20(number)%2C%20SYS_UID_MIN%20(number)

nixos/modules/profiles/image-based-appliance.nix

@@ -1,4 +1,4 @@
-# This profile sets up a sytem for image based appliance usage. An appliance is
+# This profile sets up a system for image based appliance usage. An appliance is
 # installed as an image, cannot be re-built, has no Nix available, and is
 # generally not meant for interactive use. Updates to such an appliance are
 # handled by updating whole partition images via a tool like systemd-sysupdate.

nixos/modules/programs/turbovnc.nix

@@ -45,7 +45,7 @@ in
     # software rendering to implement GLX (OpenGL on Xorg).
     # However, just building TurboVNC with support for that is not enough
     # (it only takes care of the X server side part of OpenGL);
-    # the indiviudual applications (e.g. `glxgears`) also need to directly load
+    # the individual applications (e.g. `glxgears`) also need to directly load
     # the OpenGL libs.
     # Thus, this creates `/run/opengl-driver` populated by Mesa so that the applications
     # can find the llvmpipe `swrast.so` software rendering DRI lib via `libglvnd`.

nixos/modules/services/cluster/k3s/default.nix

@@ -139,7 +139,7 @@ let
       [
         (yamlFormat.generate "helm-chart-manifest-${name}.yaml" (mkHelmChartCR name value))
       ]
-      # alternate the YAML doc seperator (---) and extraDeploy manifests to create
+      # alternate the YAML doc separator (---) and extraDeploy manifests to create
       # multi document YAMLs
       ++ (lib.concatMap (x: [
         yamlDocSeparator

nixos/modules/services/desktops/bonsaid.nix

@@ -143,7 +143,7 @@ in
       lib.mkDefault (json.generate "bonsai_tree.json" (filterNulls cfg.settings));
 
     # bonsaid is controlled by bonsaictl, so place the latter in the environment by default.
-    # bonsaictl is typically invoked by scripts or a DE so this isn't strictly necesssary,
+    # bonsaictl is typically invoked by scripts or a DE so this isn't strictly necessary,
     # but it's helpful while administering the service generally.
     environment.systemPackages = [ cfg.package ];
 

nixos/modules/services/games/crossfire-server.nix

@@ -176,7 +176,7 @@ in
       # need to be writeable, so we can't just point at the ones in the nix
       # store. Instead we take the approach of copying them out of the store
       # on first run. If `bookarch` already exists, we assume the rest of the
-      # files do as well, and copy nothing -- otherwise we risk ovewriting
+      # files do as well, and copy nothing -- otherwise we risk overwriting
       # server state information every time the server is upgraded.
       preStart = ''
         if [ ! -e "${cfg.stateDir}"/bookarch ]; then

nixos/modules/services/hardware/kmonad.nix

@@ -201,7 +201,7 @@ let
       # the old service and then starts the new service after config updates.
       # Since we use path-based activation[1] here, the service unit will
       # immediately[2] be started by the path unit.  Probably that start is
-      # before config updates, whcih causes the service unit to use the old
+      # before config updates, which causes the service unit to use the old
       # config after nixos-rebuild switch.  Setting stopIfChanged to false works
       # around this issue by restarting the service after config updates.
       # [0]: https://nixos.org/manual/nixos/unstable/#sec-switching-systems

nixos/modules/services/misc/ntfy-sh.nix

@@ -107,7 +107,7 @@ in
           RestrictNamespaces = true;
           RestrictRealtime = true;
           MemoryDenyWriteExecute = true;
-          # Upstream Recommandation
+          # Upstream Recommendation
           LimitNOFILE = 20500;
         };
       };

nixos/modules/services/monitoring/below.nix

@@ -91,7 +91,7 @@ in
 
   config = lib.mkIf cfg.enable {
     environment.systemPackages = [ pkgs.below ];
-    # /etc/below.conf is also refered to by the `below` CLI tool,
+    # /etc/below.conf is also referred to by the `below` CLI tool,
     #  so this can't be a store-only file whose path is passed to the service
     environment.etc."below/below.conf".text = cfgContents;
 

nixos/modules/services/networking/cato-client.nix

@@ -55,7 +55,7 @@ in
       wantedBy = [ "multi-user.target" ];
     };
 
-    # set up Security wrapper Same as inteded in deb post install
+    # set up Security wrapper Same as intended in deb post install
     security.wrappers.cato-clientd = {
       source = "${cfg.package}/bin/cato-clientd";
       owner = "root";

nixos/modules/services/networking/fedimintd.nix

@@ -289,7 +289,7 @@ in
 
             {
               # Note: we want by default to enable OpenSSL, but it seems anything 100 and above is
-              # overriden by default value from vhost-options.nix
+              # overridden by default value from vhost-options.nix
               enableACME = mkOverride 99 true;
               forceSSL = mkOverride 99 true;
               locations.${cfg.nginx.path} = {

nixos/modules/services/networking/netbird.nix

@@ -550,7 +550,7 @@ in
               User = client.user.name;
               Group = client.user.group;
 
-              # settings implied by DynamicUser=true, without actully using it,
+              # settings implied by DynamicUser=true, without actually using it,
               # see https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#DynamicUser=
               RemoveIPC = true;
               PrivateTmp = true;

nixos/modules/services/networking/netbird/dashboard.nix

@@ -102,7 +102,7 @@ in
           # special options as its public anyway
           # As far as I know leaking this secret is just
           # an information leak as one can fetch some basic app
-          # informations from the IDP
+          # information from the IDP
           # To actually do something one still needs to have login
           # data and this secret so this being public will not
           # suffice for anything just decreasing security

nixos/modules/services/networking/ssh/sshd.nix

@@ -42,7 +42,7 @@ let
       # values must be separated by whitespace or even commas.
       # Consult either sshd_config(5) or, as last resort, the OpehSSH source for parsing
       # the options at servconf.c:process_server_config_line_depth() to determine the right "mode"
-      # for each. But fortunaly this fact is documented for most of them in the manpage.
+      # for each. But fortunately this fact is documented for most of them in the manpage.
       commaSeparated = [
         "Ciphers"
         "KexAlgorithms"

nixos/modules/services/networking/yggdrasil-jumper.nix

@@ -133,7 +133,7 @@ in
 
       services.yggdrasil.settings.Listen =
         let
-          # By default linux dynamically alocates ports in range 32768..60999
+          # By default linux dynamically allocates ports in range 32768..60999
           # `sysctl net.ipv4.ip_local_port_range`
           # See: https://xkcd.com/221/
           prot_port = {

nixos/modules/services/security/tor.nix

@@ -295,7 +295,7 @@ let
       (
         lib.mapAttrs (
           k: v:
-          # Not necesssary, but prettier rendering
+          # Not necessary, but prettier rendering
           if
             lib.elem k [
               "AutomapHostsSuffixes"

nixos/modules/services/web-apps/davis.nix

@@ -348,7 +348,7 @@ in
                 else if
                   pgsqlLocal
                 # note: davis expects a non-standard postgres uri (due to the underlying doctrine library)
-                # specifically the dummy hostname which is overriden by the host query parameter
+                # specifically the dummy hostname which is overridden by the host query parameter
                 then
                   "postgres://${user}@localhost/${db.name}?host=/run/postgresql"
                 else if mysqlLocal then

nixos/modules/services/web-apps/plausible.nix

@@ -224,7 +224,7 @@ in
               # Thus, disable distribution for improved simplicity and security:
               #
               # When distribution is enabled,
-              # Elixir spwans the Erlang VM, which will listen by default on all
+              # Elixir spawns the Erlang VM, which will listen by default on all
               # interfaces for messages between Erlang nodes (capable of
               # remote code execution); it can be protected by a cookie; see
               # https://erlang.org/doc/reference_manual/distributed.html#security).

nixos/modules/services/web-apps/windmill.nix

@@ -132,7 +132,7 @@ in
       {
 
         # coming from https://github.com/windmill-labs/windmill/blob/main/init-db-as-superuser.sql
-        # modified to not grant priviledges on all tables
+        # modified to not grant privileges on all tables
         # create role windmill_user and windmill_admin only if they don't exist
         postgresql.postStart = lib.mkIf cfg.database.createLocally (
           lib.mkAfter ''

nixos/modules/virtualisation/azure-common.nix

@@ -26,7 +26,7 @@ in
 
     # Enable cloud-init by default for waagent.
     # Otherwise waagent would try manage networking using ifupdown,
-    # which is currently not availeble in nixpkgs.
+    # which is currently not available in nixpkgs.
     services.cloud-init.enable = true;
     services.cloud-init.network.enable = true;
     systemd.services.cloud-config.serviceConfig.Restart = "on-failure";

nixos/modules/virtualisation/azure-image.nix

@@ -105,7 +105,7 @@ in
       splashImage = null;
       # For Gen 1 VM, configurate grub output to serial_com0.
       # Not needed for Gen 2 VM wbere serial_com0 does not exist,
-      # and outputing to console is enough to make Azure Serial Console working
+      # and outputting to console is enough to make Azure Serial Console working
       extraConfig = lib.mkIf (!efiSupport) ''
         serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
         terminal_input --append serial

nixos/modules/virtualisation/waagent.nix

@@ -67,7 +67,7 @@ let
         convert =
           attrs:
           pipe (recurse [ ] attrs) [
-            # Filter out null values and emoty lists
+            # Filter out null values and empty lists
             (filter (kv: kv.value != null && kv.value != [ ]))
             # Transform to Key=Value form, then concatenate
             (map (kv: "${kv.name}=${transform kv.value}"))

nixos/tests/appliance-repart-image.nix

@@ -65,8 +65,8 @@ in
             repartConfig = {
               Type = "esp";
               Format = "vfat";
-              # Minimize = "guess" seems to not work very vell for vfat
+              # Minimize = "guess" seems to not work very well for vfat
-              # partitons. It's better to set a sensible default instead. The
+              # partitions. It's better to set a sensible default instead. The
               # aarch64 kernel seems to generally be a little bigger than the
               # x86_64 kernel. To stay on the safe side, leave some more slack
               # for every platform other than x86_64.

nixos/tests/common/acme/server/default.nix

@@ -94,7 +94,7 @@ in
                   ) cfg.configuration.security.acme.certs
                 )
                 # A specialisation's config is nested under its configuration attribute.
-                # For ease of use, nest the root node's configuration simiarly.
+                # For ease of use, nest the root node's configuration similarly.
                 ([ { configuration = node; } ] ++ (builtins.attrValues node.specialisation))
             )
           );

nixos/tests/ntfy-sh-migration.nix

@@ -4,7 +4,7 @@
 # this test works doing a migration and asserting ntfy-sh runs properly. first,
 # ntfy-sh is configured to use a static user and group. then ntfy-sh is
 # started and tested. after that, ntfy-sh is shut down and a systemd drop
-# in configuration file is used to upate the service configuration to use
+# in configuration file is used to update the service configuration to use
 # DynamicUser=true. then the ntfy-sh is started again and tested.
 
 import ./make-test-python.nix {

nixos/tests/sftpgo.nix

@@ -6,7 +6,7 @@
 # - downloading the file over sftp
 # - assert that the ACLs are respected
 # - share a file between alice and bob (using sftp)
-# - assert that eve cannot acceess the shared folder between alice and bob.
+# - assert that eve cannot access the shared folder between alice and bob.
 #
 # Additional test coverage for the remaining protocols (i.e. ftp, http and webdav)
 # would be a nice to have for the future.
@@ -333,7 +333,7 @@ in
   testScript =
     { nodes, ... }:
     let
-      # A function to generate test cases for wheter
+      # A function to generate test cases for whether
       # a specified username is expected to access the shared folder.
       accessSharedFoldersSubtest =
         {

nixos/tests/systemd-sysupdate.nix

@@ -1,4 +1,4 @@
-# Tests downloading a signed update aritfact from a server to a target machine.
+# Tests downloading a signed update artifact from a server to a target machine.
 # This test does not rely on the `systemd.timer` units provided by the
 # `systemd-sysupdate` module but triggers the `systemd-sysupdate` service
 # manually to make the test more robust.

nixos/tests/systemd-timesyncd-nscd-dnssec.nix

@@ -4,7 +4,7 @@
 # correct time, we need to connect to an NTP server, which usually requires resolving its hostname.
 #
 # This test does the following:
-# - Sets up a DNS server (tinydns) listening on the eth1 ip addess, serving .ntp and fake.ntp records.
+# - Sets up a DNS server (tinydns) listening on the eth1 ip address, serving .ntp and fake.ntp records.
 # - Configures that DNS server as a resolver and enables DNSSEC in systemd-resolved settings.
 # - Configures systemd-timesyncd to use fake.ntp hostname as an NTP server.
 # - Performs a regular DNS lookup, to ensure it fails due to broken DNSSEC.

pkgs/applications/editors/emacs/elisp-packages/melpa-packages.nix

@@ -17,7 +17,7 @@
   ./update-from-overlay
 
   It will update both melpa and elpa packages using
-  https://github.com/nix-community/emacs-overlay. It's almost instantenous and
+  https://github.com/nix-community/emacs-overlay. It's almost instantaneous and
   formats commits for you.
 */
 
@@ -1355,7 +1355,7 @@ let
           hyperbole = ignoreCompilationError (addPackageRequires (mkHome super.hyperbole) [ self.el-mock ]); # elisp error
 
           # needs non-existent "browser database directory" during compilation
-          # TODO report to upsteam about missing dependency websocket
+          # TODO report to upstream about missing dependency websocket
           ibrowse = ignoreCompilationError (addPackageRequires super.ibrowse [ self.websocket ]);
 
           # elisp error and missing optional dependencies
@@ -1368,7 +1368,7 @@ let
 
           indium = mkHome super.indium;
 
-          # TODO report to upsteam
+          # TODO report to upstream
           inlineR = addPackageRequires super.inlineR [ self.ess ];
 
           # https://github.com/duelinmarkers/insfactor.el/issues/7
@@ -1547,7 +1547,7 @@ let
 
           org-gtd = ignoreCompilationError super.org-gtd; # elisp error
 
-          # needs newer org than the Eamcs 29.4 builtin one
+          # needs newer org than the Emacs 29.4 builtin one
           org-link-beautify = addPackageRequires super.org-link-beautify [
             self.org
             self.qrencode

pkgs/applications/editors/vscode/extensions/default.nix

@@ -1240,8 +1240,8 @@ let
         mktplcRef = {
           name = "dart-code";
           publisher = "dart-code";
-          version = "3.110.0";
+          version = "3.112.0";
-          hash = "sha256-YLdhL5xNj8sidZUzMVZgOK6zTXgQnWdKWRrDg0on90s=";
+          hash = "sha256-nnEEKijl5ZdsHyBAWCL+MucjNGIuup75xSJaVzNawrs=";
         };
 
         meta.license = lib.licenses.mit;
@@ -1251,8 +1251,8 @@ let
         mktplcRef = {
           name = "flutter";
           publisher = "dart-code";
-          version = "3.110.0";
+          version = "3.112.0";
-          hash = "sha256-Zi+q56XcHZGUKgF3TNpaYSwwdqLT8Q1fxf8dFVAEuQY=";
+          hash = "sha256-S+srv0zUCobM3IPXOME5oT0xdXdPmMHSs7rwNTBcnhk=";
         };
 
         meta.license = lib.licenses.mit;
@@ -5709,7 +5709,7 @@ let
   };
 
   # TODO: add overrides overlay, so that we can have a generated.nix
-  # then apply extension specific modifcations to packages.
+  # then apply extension specific modifications to packages.
 
   # overlays will be applied left to right, overrides should come after aliases.
   overlays = lib.optionals config.allowAliases [

pkgs/applications/editors/vscode/extensions/ms-vscode.cpptools/default.nix

@@ -33,7 +33,7 @@
 
   <https://github.com/Microsoft/vscode-cpptools/issues/35>
 
-  Once the symbolic link temporary solution taken, everything shoud run smootly.
+  Once the symbolic link temporary solution taken, everything should run smootly.
 */
 
 let

pkgs/applications/graphics/yacreader/default.nix

@@ -49,7 +49,7 @@ stdenv.mkDerivation rec {
       libsForQt5.qtmacextras # can be removed when using qt6
     ];
 
-  # custom Darwin install instructions taken from the upsteam compileOSX.sh script
+  # custom Darwin install instructions taken from the upstream compileOSX.sh script
   installPhase = lib.optionalString stdenv.hostPlatform.isDarwin ''
     runHook preInstall
 

pkgs/applications/networking/browsers/librewolf/default.nix

@@ -29,6 +29,7 @@ in
     description = "Fork of Firefox, focused on privacy, security and freedom";
     homepage = "https://librewolf.net/";
     maintainers = with lib.maintainers; [
+      # Also update ci/OWNERS entry when changing maintainers
       squalus
       dwrege
       fpletz

pkgs/applications/networking/ktailctl/default.nix

@@ -26,13 +26,13 @@
 }:
 
 let
-  version = "0.20.1";
+  version = "0.20.2";
 
   src = fetchFromGitHub {
     owner = "f-koehler";
     repo = "KTailctl";
     rev = "v${version}";
-    hash = "sha256-8vtNAqCDXbzEuGXqUZL26EMmVLJqSFu+E/zhK8VafLE=";
+    hash = "sha256-yMP+oAc1ZHr402j3NQOFLGFT/AK/PQ+figoVyOMEaus=";
   };
 
   goDeps =
@@ -40,7 +40,7 @@ let
       pname = "ktailctl-go-wrapper";
       inherit src version;
       modRoot = "src/wrapper";
-      vendorHash = "sha256-F0fY9ZqibZNIUQSIlLRO3rX4gYAFHWMdFtwRNigpGZE=";
+      vendorHash = "sha256-kX2L/ET6saxn73T4414ShRSeOIpX8i1HHjKkPbdjse0=";
     }).goModules;
 in
 stdenv.mkDerivation {

pkgs/applications/virtualization/OVMF/default.nix

@@ -96,8 +96,8 @@ let
       "debian/python"
       "debian/PkKek-1-*.pem"
     ];
-    rev = "refs/tags/debian/2024.05-1";
+    rev = "refs/tags/debian/2025.02-8";
-    hash = "sha256-uAjXJaHOVh944ZxcA2IgCsrsncxuhc0JKlsXs0E03s0=";
+    hash = "sha256-kAwfS8TBdN1PTm5kxTvqFuA9edBfBuMt6XmRWnFnolQ=";
   };
 
   buildPrefix = "Build/*/*";

pkgs/build-support/go/README.md

@@ -3,14 +3,13 @@
 Go promises that "programs written to the Go 1 specification will continue to compile and run correctly, unchanged, over the lifetime of that specification" [1].
 Newer toolchain versions should build projects developed against older toolchains without problems.
 
+**Definition(a "toolchain-breaking" package):**
 There are however Go packages depending on internal APIs of the toolchain/runtime/stdlib that are not covered by the Go compatibility promise.
-These packages may break on toolchain updates.
+These packages may break on toolchain minor version upgrades.
-We name packages that (often) break on toolchain updates `toolchain-breaking`.
 
-There is another set of packages that depends on the toolchain, but in another way:
+**Definition(a "toolchain-latest" package):**
-Packages providing development support for the Go language (like `gopls`, `golangci-lint`,...) must be compiled with the version they should be used for.
+Packages providing development support for the Go language (like `gopls`, `golangci-lint`,...) depend on the toolchain in another way: they must be compiled at least with the version they should be used for.
 If `gopls` is compiled for Go 1.23, it won't work for projects that require Go 1.24.
-We name packages that must be built with the latest toolchain to work as expected `toolchain-latest`.
 
 Go only ever has two supported toolchains. With a new minor release, the second last Go toolchain is automatically end of life, meaning it won't receive security updates anymore.
 
@@ -26,7 +25,9 @@ Based on this, we align on the following policy for toolchain/builder upgrades:
     A comment MUST be added explaining why this is the case for a certain package.
     It is important to keep the number of packages using this builder within nixpkgs low, so the bump won't cause a mass rebuild.
 
-    Consumer outside of nixpkgs on the other hand MAY rely on this toolchain/builder if they prefer being upgraded earlier to the newest toolchain.
+    `go_latest` MUST not point to release candidates of Go.
+
+    Consumer outside of nixpkgs on the other hand MAY rely on this toolchain/builder if they prefer being upgraded earlier to the newest toolchain minor version.
 
 3. Packages in `toolchain-breaking` SHOULD pin a toolchain version by using a builder with a fixed Go version (`buildGo1xxModule`).
   The use of `buildGo1xxModule` MUST be accompanied with a comment explaining why this has a dependency on a specific Go version.

pkgs/build-support/rust/build-rust-crate/default.nix

@@ -15,7 +15,7 @@
   jq,
   libiconv,
   # Controls codegen parallelization for all crates.
-  # May be overriden on a per-crate level.
+  # May be overridden on a per-crate level.
   # See <https://doc.rust-lang.org/rustc/codegen-options/index.html#codegen-units>
   defaultCodegenUnits ? 1,
 }:

pkgs/build-support/rust/build-rust-crate/test/rcgen-crates.nix

@@ -20,7 +20,7 @@
   defaultCrateOverrides ? pkgs.defaultCrateOverrides,
   # The features to enable for the root_crate or the workspace_members.
   rootFeatures ? [ "default" ],
-  # If true, throw errors instead of issueing deprecation warnings.
+  # If true, throw errors instead of issuing deprecation warnings.
   strictDeprecation ? false,
   # Used for conditional compilation based on CPU feature detection.
   targetFeatures ? [ ],
@@ -4485,9 +4485,9 @@ rec {
         runTests ? false,
         testCrateFlags ? [ ],
         testInputs ? [ ],
-        # Any command to run immediatelly before a test is executed.
+        # Any command to run immediately before a test is executed.
         testPreRun ? "",
-        # Any command run immediatelly after a test is executed.
+        # Any command run immediately after a test is executed.
         testPostRun ? "",
       }:
       lib.makeOverridable

pkgs/by-name/ad/adios2/package.nix

@@ -85,7 +85,7 @@ stdenv.mkDerivation (finalAttrs: {
       yaml-cpp
       nlohmann_json
 
-      # Todo: add these optional dependcies in nixpkgs.
+      # Todo: add these optional dependencies in nixpkgs.
       # sz
       # mgard
       # catalyst

pkgs/by-name/am/amp-cli/package-lock.json

@@ -5,7 +5,7 @@
   "packages": {
     "": {
       "dependencies": {
-        "@sourcegraph/amp": "^0.0.1748404992-ga3f78f"
+        "@sourcegraph/amp": "^0.0.1748865683-g71e54e"
       }
     },
     "node_modules/@colors/colors": {
@@ -29,9 +29,9 @@
       }
     },
     "node_modules/@sourcegraph/amp": {
-      "version": "0.0.1748404992-ga3f78f",
+      "version": "0.0.1748865683-g71e54e",
-      "resolved": "https://registry.npmjs.org/@sourcegraph/amp/-/amp-0.0.1748404992-ga3f78f.tgz",
+      "resolved": "https://registry.npmjs.org/@sourcegraph/amp/-/amp-0.0.1748865683-g71e54e.tgz",
-      "integrity": "sha512-+BvCW8zrbO7ENRzMg0LdAeKigjzL+ASIDBjJ/m2uL2CVT8WPk1h34FTNCbvnO6kssimEtdP8FcxR/2O4AHwUbA==",
+      "integrity": "sha512-ZiNbIbgCb/l7Q7wRT0sva6Ju7VDtq7+lijMWK8jotPorTq1DYUy3h7XJIOjyJEdvqlQkEfwrnbOfREmsnwlPyg==",
       "dependencies": {
         "@types/runes": "^0.4.3",
         "@vscode/ripgrep": "1.15.11",

pkgs/by-name/am/amp-cli/package.nix

@@ -4,15 +4,16 @@
   fetchzip,
   ripgrep,
   makeWrapper,
+  testers,
 }:
 
-buildNpmPackage rec {
+buildNpmPackage (finalAttrs: {
   pname = "amp-cli";
-  version = "0.0.1748404992-ga3f78f";
+  version = "0.0.1748865683-g71e54e";
 
   src = fetchzip {
-    url = "https://registry.npmjs.org/@sourcegraph/amp/-/amp-${version}.tgz";
+    url = "https://registry.npmjs.org/@sourcegraph/amp/-/amp-${finalAttrs.version}.tgz";
-    hash = "sha256-axd5VP7afa4ptAl/y8CEVguqoRKVRhWfRDSI0sgyXqA=";
+    hash = "sha256-kkQKjw1SzDjV8/206i+NUyxeDhZ/35My9gyXRe/U7I8=";
   };
 
   postPatch = ''
@@ -25,7 +26,7 @@ buildNpmPackage rec {
       "version": "0.0.0",
       "license": "UNLICENSED",
       "dependencies": {
-        "@sourcegraph/amp": "${version}"
+        "@sourcegraph/amp": "${finalAttrs.version}"
       },
       "bin": {
         "amp": "./bin/amp-wrapper.js"
@@ -44,7 +45,7 @@ buildNpmPackage rec {
     chmod +x bin/amp-wrapper.js
   '';
 
-  npmDepsHash = "sha256-05+hBr+eX3I92U9TsqPQrYcJCmKXTvz3n6ZTxR1XvC8=";
+  npmDepsHash = "sha256-yeZ5UCVUCbVjpYTYYN5mI6eCkShtnCKxumjpb5GRCws=";
 
   propagatedBuildInputs = [
     ripgrep
@@ -69,6 +70,10 @@ buildNpmPackage rec {
   '';
 
   passthru.updateScript = ./update.sh;
+  passthru.tests.version = testers.testVersion {
+    package = finalAttrs.finalPackage;
+    command = "HOME=$(mktemp -d) amp --version";
+  };
 
   meta = {
     description = "CLI for Amp, an agentic coding agent in research preview from Sourcegraph";
@@ -81,4 +86,4 @@ buildNpmPackage rec {
     ];
     mainProgram = "amp";
   };
-}
+})

pkgs/by-name/co/containerlab/package.nix

@@ -6,26 +6,29 @@
   versionCheckHook,
 }:
 
-buildGoModule rec {
+buildGoModule (finalAttrs: {
   pname = "containerlab";
   version = "0.68.0";
 
   src = fetchFromGitHub {
     owner = "srl-labs";
     repo = "containerlab";
-    rev = "v${version}";
+    tag = "v${finalAttrs.version}";
     hash = "sha256-x6QDwduAMCD+Trj0awQXW0Tdleb2U6YBi/7mdMB6V/8=";
   };
 
   vendorHash = "sha256-XRgKfRw6VGg+lkbtPWUVNfAk5a7ZdFwVmhjtM7uSwHs=";
 
-  nativeBuildInputs = [ installShellFiles ];
+  nativeBuildInputs = [
+    installShellFiles
+    versionCheckHook
+  ];
 
   ldflags = [
     "-s"
     "-w"
-    "-X github.com/srl-labs/containerlab/cmd/version.Version=${version}"
+    "-X github.com/srl-labs/containerlab/cmd/version.Version=${finalAttrs.version}"
-    "-X github.com/srl-labs/containerlab/cmd/version.commit=${src.rev}"
+    "-X github.com/srl-labs/containerlab/cmd/version.commit=${finalAttrs.src.rev}"
     "-X github.com/srl-labs/containerlab/cmd/version.date=1970-01-01T00:00:00Z"
   ];
 
@@ -42,19 +45,16 @@ buildGoModule rec {
       --zsh <($out/bin/containerlab completion zsh)
   '';
 
-  nativeInstallCheckInputs = [
-    versionCheckHook
-  ];
   doInstallCheck = true;
   versionCheckProgramArg = "version";
 
   meta = {
     description = "Container-based networking lab";
     homepage = "https://containerlab.dev/";
-    changelog = "https://github.com/srl-labs/containerlab/releases/tag/${src.rev}";
+    changelog = "https://github.com/srl-labs/containerlab/releases/tag/v${finalAttrs.version}";
     license = lib.licenses.bsd3;
     platforms = lib.platforms.linux;
     maintainers = with lib.maintainers; [ aaronjheng ];
     mainProgram = "containerlab";
   };
-}
+})

pkgs/by-name/du/duplicity/package.nix

@@ -22,13 +22,13 @@
 let
   self = python3.pkgs.buildPythonApplication rec {
     pname = "duplicity";
-    version = "3.0.4";
+    version = "3.0.4.1";
 
     src = fetchFromGitLab {
       owner = "duplicity";
       repo = "duplicity";
       rev = "rel.${version}";
-      hash = "sha256-FoaKuB0mo2RFksMHnIUx984+h/U0tdvk+bvsuYt3r5g=";
+      hash = "sha256-cVzGdn3a9/Kvu/QYWaTXJ1llkPRvj0g8qb7TUjennws=";
     };
 
     patches = [

pkgs/by-name/fl/fly/package.nix

@@ -8,13 +8,13 @@
 
 buildGoModule rec {
   pname = "fly";
-  version = "7.13.0";
+  version = "7.13.2";
 
   src = fetchFromGitHub {
     owner = "concourse";
     repo = "concourse";
     rev = "v${version}";
-    hash = "sha256-myvYACdTqnEb8aBpBeCA1qvcnF0lwYbSo6kMgSz7iiA=";
+    hash = "sha256-onowKvN8YLDWRRn3rGEMoMxc6XaAcBKJcFOHSVh9Yy8=";
   };
 
   vendorHash = "sha256-WC4uzTgvW15IumwmsWXXeiF5qagbeb5XWRaSjd1XLvA=";

pkgs/by-name/hy/hyperhdr/package.nix

@@ -45,7 +45,7 @@ stdenv.mkDerivation rec {
   ];
 
   patches = [
-    # Allow completly unvendoring hyperhdr
+    # Allow completely unvendoring hyperhdr
     # This can be removed on the next hyperhdr release
     ./unvendor.patch
   ];

pkgs/by-name/il/ilmbase/package.nix

@@ -3,7 +3,7 @@
   lib,
   buildPackages,
   cmake,
-  # explicitely depending on openexr_2 because ilmbase doesn't exist for v3
+  # explicitly depending on openexr_2 because ilmbase doesn't exist for v3
   openexr_2,
 }:
 

pkgs/by-name/im/imlib2/package.nix

@@ -75,7 +75,7 @@ stdenv.mkDerivation (finalAttrs: {
   enableParallelBuilding = true;
 
   # Do not build amd64 assembly code on Darwin, because it fails to compile
-  # with unknow directive errors
+  # with unknown directive errors
   configureFlags =
     optional stdenv.hostPlatform.isDarwin "--enable-amd64=no"
     ++ optional (!svgSupport) "--without-svg"

pkgs/by-name/ki/kissfft/package.nix

@@ -57,7 +57,7 @@ stdenv.mkDerivation (finalAttrs: {
     (lib.cmakeFeature "KISSFFT_DATATYPE" datatype)
     (lib.cmakeBool "KISSFFT_STATIC" enableStatic)
     # `test/testkiss.py` expects this…
-    (lib.cmakeFeature "KISSFFT_OPENMP" (if enableOpenmp then "ON" else "OFF"))
+    (lib.cmakeBool "KISSFFT_OPENMP" enableOpenmp)
   ];
 
   # Required for `test/testcpp.c`.

pkgs/by-name/li/libcredis/package.nix

@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
     sha256 = "1l3hlw9rrc11qggbg9a2303p3bhxxx2vqkmlk8avsrbqw15r1ayr";
   };
 
-  # credis build system has no install actions, provide our own.
+  # credits build system has no install actions, provide our own.
   installPhase = ''
     mkdir -p "$out/bin"
     mkdir -p "$out/lib"

pkgs/by-name/mi/miktex/package.nix

@@ -106,7 +106,7 @@ stdenv.mkDerivation (finalAttrs: {
   patches = [
     ./startup-config-support-nix-store.patch
     # Miktex will search exectables in "GetMyPrefix(true)/bin".
-    # The path evalutate to "/usr/bin" in FHS style linux distrubution,
+    # The path evaluate to "/usr/bin" in FHS style linux distribution,
     # compared to "/nix/store/.../bin" in NixOS.
     # As a result, miktex will fail to find e.g. 'pkexec','ksudo','gksu'
     # under /run/wrappers/bin in NixOS.

pkgs/by-name/mx/mxnet/package.nix

@@ -14,7 +14,7 @@
   perl,
   # mxnet cuda support is turned off, but dependencies like opencv can still be built with cudaSupport
   # and fail to compile without the cudatoolkit
-  # mxnet cuda support will not be availaible, as mxnet requires version <=11
+  # mxnet cuda support will not be available, as mxnet requires version <=11
   cudaSupport ? config.cudaSupport,
   cudaPackages ? { },
 }:

pkgs/by-name/na/namespace-cli/package.nix

@@ -6,16 +6,16 @@
 
 buildGoModule rec {
   pname = "namespace-cli";
-  version = "0.0.415";
+  version = "0.0.416";
 
   src = fetchFromGitHub {
     owner = "namespacelabs";
     repo = "foundation";
     rev = "v${version}";
-    hash = "sha256-mWiY2HbOE7R9ltunpSLiM84iscTuSJTQtWCbk2O/HIQ=";
+    hash = "sha256-Te2BFbzrGU7iw+CqDafOiIByUfHEb8QGBAci+6imIm4=";
   };
 
-  vendorHash = "sha256-waO9D0wSluzLl0pULeWMCYKh5IUqcS+VIvwDVwedx64=";
+  vendorHash = "sha256-hPZmNH4bhIds+Ps0pQCjYPfvVBaX8e3Bq/onq91Fzq8=";
 
   subPackages = [
     "cmd/nsc"

pkgs/by-name/ne/neothesia/package.nix

@@ -12,13 +12,13 @@
   xorg,
 }:
 let
-  version = "0.3.0";
+  version = "0.3.1";
 
   src = fetchFromGitHub {
     owner = "PolyMeilex";
     repo = "Neothesia";
     rev = "v${version}";
-    hash = "sha256-JD1jQ/a6GHtB/d/fRMCiE4ZOO676BIiZ980VIYUloU0=";
+    hash = "sha256-qYwBSye6RYClSlWmHwuy/rxq9w5932tR33Z+o2S1l8k=";
   };
 in
 rustPlatform.buildRustPackage {
@@ -38,7 +38,7 @@ rustPlatform.buildRustPackage {
   ];
 
   useFetchCargoVendor = true;
-  cargoHash = "sha256-OYdKuYOL3X6eqVYANvmfTRA8TGd4+QLg0zodDH0jxXk=";
+  cargoHash = "sha256-mXeNAVYqPsBWiUZFV/atx/xjLgFNarm2HwI7k/NaAbc=";
 
   cargoBuildFlags = [
     "-p neothesia -p neothesia-cli"

pkgs/by-name/oc/ocenaudio/package.nix

@@ -14,12 +14,12 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "ocenaudio";
-  version = "3.14.11";
+  version = "3.15";
 
   src = fetchurl {
     name = "ocenaudio.deb";
     url = "https://www.ocenaudio.com/downloads/index.php/ocenaudio_debian12.deb?version=v${finalAttrs.version}";
-    hash = "sha256-+UQ4veSoqwNC6ENQVWmOFebiI6RQlV7rBL7n238xxyc=";
+    hash = "sha256-MZjgdCBE+3dG6Ov+wwDKa/0Y8XIihwM50Gc/cgEf2FQ=";
   };
 
   nativeBuildInputs = [

pkgs/by-name/pd/pdfarranger/package.nix

@@ -12,14 +12,14 @@
 
 python3Packages.buildPythonApplication rec {
   pname = "pdfarranger";
-  version = "1.11.1";
+  version = "1.12.0";
   pyproject = true;
 
   src = fetchFromGitHub {
     owner = "pdfarranger";
     repo = "pdfarranger";
     tag = version;
-    hash = "sha256-94qziqJaKW8/L/6+U1yojxdG8BmeAStn+qbfGemTrVA=";
+    hash = "sha256-//JjIPDeyI+JZoFT2GU+wCP+tkKCchgS9ftMT5rUEOM=";
   };
 
   nativeBuildInputs = [ wrapGAppsHook3 ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ gettext ];
@@ -64,6 +64,6 @@ python3Packages.buildPythonApplication rec {
       endle
     ];
     license = lib.licenses.gpl3Plus;
-    changelog = "https://github.com/pdfarranger/pdfarranger/releases/tag/${version}";
+    changelog = "https://github.com/pdfarranger/pdfarranger/releases/tag/${src.tag}";
   };
 }

pkgs/by-name/ph/phel/package.nix

@@ -7,16 +7,16 @@
 
 php.buildComposerProject2 (finalAttrs: {
   pname = "phel";
-  version = "0.16.1";
+  version = "0.17.0";
 
   src = fetchFromGitHub {
     owner = "phel-lang";
     repo = "phel-lang";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-irN1Dnov6vDiU4xGsf2nxz7/kz1YOMq0yOLYt4HY1EM=";
+    hash = "sha256-iS887QNUphe+czx1IEz+uESBqee73/mHzmg2Fvi26do=";
   };
 
-  vendorHash = "sha256-SDLpl2gBvtVjREfcy1WDFqsGRK1fKr2wKPuBkPhApNI=";
+  vendorHash = "sha256-lhxgL41gyHVOv1MqjwwnWQTQZz4WU2kWGCSV2EZoJrg=";
 
   doInstallCheck = true;
   nativeInstallCheckInputs = [ versionCheckHook ];

pkgs/by-name/sc/scalafmt/package.nix

@@ -9,7 +9,7 @@
 
 let
   baseName = "scalafmt";
-  version = "3.9.6";
+  version = "3.9.7";
   deps = stdenv.mkDerivation {
     name = "${baseName}-deps-${version}";
     buildCommand = ''
@@ -19,7 +19,7 @@ let
       cp $(< deps) $out/share/java/
     '';
     outputHashMode = "recursive";
-    outputHash = "sha256-qn3by++aYx/azaoDJFQfo8PHyjd3w4qI7g6NMIzLiPE=";
+    outputHash = "sha256-x1hEJtzZ0DmFDc7X5Tua3F0BcWz/Atm2zmMr7GgfkUM=";
   };
 in
 stdenv.mkDerivation {

pkgs/by-name/sd/sdl2-compat/package.nix

@@ -2,20 +2,24 @@
   cmake,
   lib,
   fetchFromGitHub,
-  monado,
   ninja,
+  sdl3,
+  stdenv,
+  testers,
+  libX11,
+  libGL,
   nix-update-script,
+
+  # passthru tests
   SDL2_ttf,
   SDL2_net,
   SDL2_gfx,
   SDL2_sound,
   SDL2_mixer,
   SDL2_image,
-  sdl3,
+  SDL_compat,
-  stdenv,
+  ffmpeg,
-  testers,
+  qemu,
-  libX11,
-  libGL,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
@@ -76,16 +80,18 @@ stdenv.mkDerivation (finalAttrs: {
         pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
 
         inherit
+          SDL_compat
           SDL2_ttf
           SDL2_net
           SDL2_gfx
           SDL2_sound
           SDL2_mixer
           SDL2_image
+          ffmpeg
           ;
       }
       // lib.optionalAttrs stdenv.hostPlatform.isLinux {
-        inherit monado;
+        inherit qemu;
       };
 
     updateScript = nix-update-script {

pkgs/by-name/si/signal-desktop/dont-strip-absolute-paths.patch

@@ -0,0 +1,14 @@
+diff --git a/node/build_node_bridge.py b/node/build_node_bridge.py
+index c983fc3..2ab06dc 100755
+--- a/node/build_node_bridge.py
++++ b/node/build_node_bridge.py
+@@ -138,9 +138,6 @@ def main(args: Optional[List[str]] = None) -> int:
+     cargo_env['CARGO_PROFILE_RELEASE_LTO'] = 'thin'
+     # Enable ARMv8 cryptography acceleration when available
+     cargo_env['RUSTFLAGS'] += ' --cfg aes_armv8'
+-    # Strip absolute paths
+-    for path in build_helpers.rust_paths_to_remap():
+-        cargo_env['RUSTFLAGS'] += f' --remap-path-prefix {path}='
+ 
+     # If set (below), will post-process the build library using this instead of just `cp`-ing it.
+     objcopy = None

pkgs/by-name/si/signal-desktop/libsignal-node.nix

@@ -24,23 +24,23 @@ let
 in
 rustPlatform.buildRustPackage (finalAttrs: {
   pname = "libsignal-node";
-  version = "0.70.0";
+  version = "0.72.1";
 
   src = fetchFromGitHub {
     owner = "signalapp";
     repo = "libsignal";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-6CBhLvD0UflLzJHAMB21wSH8MWTUNx0uPdqOUo/Eq44=";
+    hash = "sha256-A8EAHHcBFSD4ZlvFig64g4+eoZQCuqE/qv509hA3I4s=";
   };
   useFetchCargoVendor = true;
-  cargoHash = "sha256-4bSPPf16nUQTl6INa3mLhPIe8iiFfpPw1E5fpNvnKqs=";
+  cargoHash = "sha256-+vJrywIi/RcGGGns42XlN6S63RBil3fB4XByTLsaFVc=";
 
   npmRoot = "node";
   npmDeps = fetchNpmDeps {
     name = "${finalAttrs.pname}-npm-deps";
     inherit (finalAttrs) version src;
     sourceRoot = "${finalAttrs.src.name}/${finalAttrs.npmRoot}";
-    hash = "sha256-djk+YGZ/eUq6MXjUEE47bgKnQlUSuaoUPx8hUMtjvyQ=";
+    hash = "sha256-ZD0ZN2b7KReGbnvarqvGpOlQ5TsJfnaHmmOWQ42Y48E=";
   };
 
   nativeBuildInputs = [
@@ -56,9 +56,12 @@ rustPlatform.buildRustPackage (finalAttrs: {
   env.BORING_BSSL_PATH = "${boringssl-wrapper}";
   env.NIX_LDFLAGS = if stdenv.hostPlatform.isDarwin then "-lc++" else "-lstdc++";
 
-  patchPhase = ''
+  patches = [
-    runHook prePatch
+    # This is used to strip absolute paths of dependencies to avoid leaking info about build machine. Nix builders
-
+    # already solve this problem by chrooting os this is not needed.
+    ./dont-strip-absolute-paths.patch
+  ];
+  postPatch = ''
     substituteInPlace node/binding.gyp \
       --replace-fail "'--out-dir', '<(PRODUCT_DIR)/'," \
                      "'--out-dir', '$out/lib/<(NODE_OS_NAME)-<(target_arch)/'," \
@@ -68,8 +71,6 @@ rustPlatform.buildRustPackage (finalAttrs: {
     substituteInPlace node/build_node_bridge.py \
       --replace-fail "dst_base = 'libsignal_client_%s_%s' % (node_os_name, node_arch)" \
                      "dst_base = '@signalapp+libsignal-client'"
-
-    runHook postPatch
   '';
 
   buildPhase = ''

pkgs/by-name/si/signal-desktop/package.nix

@@ -3,7 +3,7 @@
   lib,
   nodejs_22,
   pnpm_10,
-  electron_35,
+  electron_36,
   python3,
   makeWrapper,
   callPackage,
@@ -19,7 +19,7 @@
 let
   nodejs = nodejs_22;
   pnpm = pnpm_10.override { inherit nodejs; };
-  electron = electron_35;
+  electron = electron_36;
 
   libsignal-node = callPackage ./libsignal-node.nix { inherit nodejs; };
   signal-sqlcipher = callPackage ./signal-sqlcipher.nix { inherit pnpm nodejs; };
@@ -48,13 +48,13 @@ let
     '';
   });
 
-  version = "7.54.0";
+  version = "7.56.0";
 
   src = fetchFromGitHub {
     owner = "signalapp";
     repo = "Signal-Desktop";
     tag = "v${version}";
-    hash = "sha256-dv1Yi7gSd7kY3MSrsPjcaf2hAEq6Y+XoWtlBfvd86ac=";
+    hash = "sha256-BrgBlDEgb08oX7Mh/P4nuoM+dkSDpB45zOtDNMYeZr0=";
   };
 
   sticker-creator = stdenv.mkDerivation (finalAttrs: {
@@ -64,7 +64,7 @@ let
 
     pnpmDeps = pnpm.fetchDeps {
       inherit (finalAttrs) pname src version;
-      hash = "sha256-TuPyRVNFIlR0A4YHMpQsQ6m+lm2fsp79FzQ1P5qqjIc=";
+      hash = "sha256-cT7Ixl/V/mesPHvJUsG63Y/wXwKjbjkjdjP3S7uEOa0=";
     };
 
     strictDeps = true;
@@ -116,15 +116,15 @@ stdenv.mkDerivation (finalAttrs: {
       ;
     hash =
       if withAppleEmojis then
-        "sha256-Kdg0+kLEDFobWEEhJgKuaou/pYwn1dTugye7OcMYfEQ="
+        "sha256-RP3d1t4bbvehdCDSL3bHrlJEnn65TDViI5jVjSiuJw8="
       else
-        "sha256-cit/Hn7L6qmfIJCDF2wlx/4aKygRYy+zvBQGX6Mg+og=";
+        "sha256-KJvc+kVcwRKsUVW3lK7fPXUSqDQlJFPbYAzQjhFtfoU=";
   };
 
   env = {
     ELECTRON_SKIP_BINARY_DOWNLOAD = "1";
     SIGNAL_ENV = "production";
-    SOURCE_DATE_EPOCH = 1747170390;
+    SOURCE_DATE_EPOCH = 1748456277;
   };
 
   preBuild = ''

pkgs/by-name/si/signal-desktop/ringrtc.nix

@@ -19,16 +19,16 @@ let
 in
 rustPlatform.buildRustPackage (finalAttrs: {
   pname = "ringrtc";
-  version = "2.51.0";
+  version = "2.52.0";
 
   src = fetchFromGitHub {
     owner = "signalapp";
     repo = "ringrtc";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-PLrGLW6pDoCNpbWASxAqockAJRoeBrkBdxNOHYrQu4s=";
+    hash = "sha256-Ao1mFJYPnV3lfg4SERwq4dGnBhOVI9pwsqPAsUtV/iY=";
   };
   useFetchCargoVendor = true;
-  cargoHash = "sha256-u38VOV2xdNG1WFox+SWT9ejJD1TjK0yAI6lCB9r75iY=";
+  cargoHash = "sha256-mO9t4ZDDM5Y9cMkmdrYrdGYukN1xfGogPSNq+S1t4Us=";
 
   cargoBuildFlags = [
     "-p"

pkgs/by-name/si/signal-desktop/signal-sqlcipher.nix

@@ -11,13 +11,13 @@
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "node-sqlcipher";
-  version = "2.0.1";
+  version = "2.0.3";
 
   src = fetchFromGitHub {
     owner = "signalapp";
     repo = "node-sqlcipher";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-15t2HuEYdCxShK703/z3bb1VCgSNpziaK5+wM3TqSHg=";
+    hash = "sha256-H5/+XcXnINRL5BWItWx6YaPP46+k1xTbyfDqHPCRDXk=";
   };
 
   pnpmDeps = pnpm.fetchDeps {

pkgs/by-name/si/signal-desktop/webrtc-sources.json

@@ -1,10 +1,10 @@
 {
     "src": {
         "args": {
-            "hash": "sha256-yomovlwRmrzsN+dvmUgOM6pzBTH41QuHQXnEJBhQglY=",
+            "hash": "sha256-AFMJmIo7O4fYrVWABciQphTxHQSj4CdfhluIIPpPWAw=",
             "owner": "signalapp",
             "repo": "webrtc",
-            "tag": "6998b"
+            "tag": "6998c"
         },
         "fetcher": "fetchFromGitHub"
     },

pkgs/by-name/ty/typical/package.nix

@@ -30,7 +30,7 @@ rustPlatform.buildRustPackage rec {
 
   patches = [
     # Related to https://github.com/stepchowfun/typical/pull/501
-    # Commiting a slightly different patch because the upstream one doesn't apply cleanly
+    # Committing a slightly different patch because the upstream one doesn't apply cleanly
     ./lifetime.patch
   ];
 

pkgs/by-name/us/usb-reset/package.nix

@@ -8,7 +8,7 @@
 stdenv.mkDerivation {
   pname = "usb-reset";
   # not tagged, but changelog has this with the date of the e9a9d6c commit
-  # and no significant change occured between bumping the version in the Makefile and that
+  # and no significant change occurred between bumping the version in the Makefile and that
   # and the changes since then (up to ff822d8) seem snap related
   version = "0.3";
 

pkgs/by-name/va/vanillatd/package.nix

@@ -66,10 +66,10 @@ stdenv.mkDerivation (finalAttrs: {
     ];
 
   cmakeFlags = [
-    (lib.cmakeFeature "BUILD_VANILLATD" (if appName == "vanillatd" then "ON" else "OFF"))
+    (lib.cmakeBool "BUILD_VANILLATD" (appName == "vanillatd"))
-    (lib.cmakeFeature "BUILD_VANILLARA" (if appName == "vanillara" then "ON" else "OFF"))
+    (lib.cmakeBool "BUILD_VANILLARA" (appName == "vanillara"))
-    (lib.cmakeFeature "BUILD_REMASTERTD" (if appName == "remastertd" then "ON" else "OFF"))
+    (lib.cmakeBool "BUILD_REMASTERTD" (appName == "remastertd"))
-    (lib.cmakeFeature "BUILD_REMASTERRA" (if appName == "remasterra" then "ON" else "OFF"))
+    (lib.cmakeBool "BUILD_REMASTERRA" (appName == "remasterra"))
     (lib.cmakeFeature "CMAKE_BUILD_TYPE" CMAKE_BUILD_TYPE)
   ];
 

pkgs/by-name/ve/vectorcode/package.nix

@@ -10,14 +10,14 @@
 
 python3Packages.buildPythonApplication rec {
   pname = "vectorcode";
-  version = "0.6.9";
+  version = "0.6.10";
   pyproject = true;
 
   src = fetchFromGitHub {
     owner = "Davidyz";
     repo = "VectorCode";
     tag = version;
-    hash = "sha256-qXrXNt5uI/gePFyJ79y+zksSekq7BzsbL+1tvMQ/zKM=";
+    hash = "sha256-k9YpsVFV1HkIIIFPB7Iz7Jar+lY5vK6gpzNIlX55ZDY=";
   };
 
   build-system = with python3Packages; [

pkgs/by-name/wa/watchexec/package.nix

@@ -4,21 +4,22 @@
   rustPlatform,
   fetchFromGitHub,
   installShellFiles,
+  nix-update-script,
 }:
 
-rustPlatform.buildRustPackage rec {
+rustPlatform.buildRustPackage (finalAttrs: {
   pname = "watchexec";
-  version = "2.3.1";
+  version = "2.3.2";
 
   src = fetchFromGitHub {
     owner = "watchexec";
     repo = "watchexec";
-    rev = "v${version}";
+    tag = "v${finalAttrs.version}";
-    hash = "sha256-ldxB1/WgOe1uGfKXkMEtGHIlWiKJgnZz6j/7eCOGD8s=";
+    hash = "sha256-BJRvz3rFLaOCNhOsEo0rSOgB9BCJ2LMB9XEw8RBWXXs=";
   };
 
   useFetchCargoVendor = true;
-  cargoHash = "sha256-LdjJlf4HPN+kZOQKPNSdbYApGBD4Z6tKV9Y0FFKpAf0=";
+  cargoHash = "sha256-VtSRC4lyjMo2O9dNbVllcDEx08zQWJMQmQ/2bNMup6U=";
 
   nativeBuildInputs = [ installShellFiles ];
 
@@ -35,14 +36,22 @@ rustPlatform.buildRustPackage rec {
 
   postInstall = ''
     installManPage doc/watchexec.1
-    installShellCompletion --zsh --name _watchexec completions/zsh
+    installShellCompletion --cmd watchexec \
+      --bash completions/bash \
+      --fish completions/fish \
+      --zsh completions/zsh
   '';
 
-  meta = with lib; {
+  passthru.updateScript = nix-update-script { };
+
+  meta = {
     description = "Executes commands in response to file modifications";
     homepage = "https://watchexec.github.io/";
-    license = with licenses; [ asl20 ];
+    license = with lib.licenses; [ asl20 ];
-    maintainers = [ maintainers.michalrus ];
+    maintainers = with lib.maintainers; [
+      michalrus
+      prince213
+    ];
     mainProgram = "watchexec";
   };
-}
+})

pkgs/by-name/wh/whisper-ctranslate2/package.nix

@@ -7,7 +7,7 @@
 }:
 let
   pname = "whisper-ctranslate2";
-  version = "0.5.2";
+  version = "0.5.3";
 in
 python3Packages.buildPythonApplication {
   inherit pname version;
@@ -17,7 +17,7 @@ python3Packages.buildPythonApplication {
     owner = "Softcatala";
     repo = "whisper-ctranslate2";
     tag = version;
-    hash = "sha256-53sKuaZJcH/i2C4oeKcvxRs3OmkvR3USw6nnPh+i+Eo=";
+    hash = "sha256-rRxadVYv69Jgzai+ANS6oKHOArTI9vPDPeTybtOySww=";
   };
 
   build-system = [ python3Packages.setuptools ];

pkgs/by-name/yt/ytmdesktop/package.nix

@@ -38,7 +38,7 @@ stdenv.mkDerivation (finalAttrs: {
   };
 
   patches = [
-    # instead of runnning git during the build process
+    # instead of running git during the build process
     # use the .COMMIT file generated in the fetcher FOD
     ./git-rev-parse.patch
   ];

pkgs/by-name/za/zashboard/package.nix

@@ -9,13 +9,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "zashboard";
-  version = "1.90.0";
+  version = "1.93.0";
 
   src = fetchFromGitHub {
     owner = "Zephyruso";
     repo = "zashboard";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-LxA0X2E9Xue79xLAYuCz0ZA0v8hYVxkb+1h6qB4MiDI=";
+    hash = "sha256-0YlFDmn5XAQiGxGpFJtVgtFdPbxApVlsqRLwIun0YtI=";
   };
 
   nativeBuildInputs = [

pkgs/by-name/ze/zepp-simulator/package.nix

@@ -6,7 +6,7 @@
   copyDesktopItems,
   autoPatchelfHook,
 
-  # Upstream is officialy built with Electron 18
+  # Upstream is officially built with Electron 18
   # (but it works with latest Electron with minor changes, see HACK below)
   electron,
   asar,

pkgs/development/compilers/gcc/common/configure-flags.nix

@@ -38,7 +38,7 @@ assert !enablePlugin -> disableGdbPlugin;
 
 # Note [Windows Exception Handling]
 # sjlj (short jump long jump) exception handling makes no sense on x86_64,
-# it's forcably slowing programs down as it produces a constant overhead.
+# it's forcibly slowing programs down as it produces a constant overhead.
 # On x86_64 we have SEH (Structured Exception Handling) and we should use
 # that. On i686, we do not have SEH, and have to use sjlj with dwarf2.
 # Hence it's now conditional on x86_32 (i686 is 32bit).

pkgs/development/haskell-modules/configuration-common.nix

@@ -21,7 +21,7 @@ with haskellLib;
 # To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead.
 self: super:
 {
-  # Hackage's accelerate is from 2020 and incomptible with our GHC.
+  # Hackage's accelerate is from 2020 and incompatible with our GHC.
   # The existing derivation also has missing dependencies
   # compared to the source from github.
   # https://github.com/AccelerateHS/accelerate/issues/553
@@ -820,7 +820,7 @@ self: super:
   katt = dontCheck super.katt;
   language-slice = dontCheck super.language-slice;
 
-  # Bogus lower bound on data-default-class added via Hackage revison
+  # Bogus lower bound on data-default-class added via Hackage revision
   # https://github.com/mrkkrp/req/pull/180#issuecomment-2628201485
   req = overrideCabal {
     revision = null;
@@ -1979,7 +1979,7 @@ self: super:
     license = lib.licenses.bsd3;
     # ghc-bignum is not buildable if none of the three backends
     # is explicitly enabled. We enable Native for now as it doesn't
-    # depend on anything else as oppossed to GMP and FFI.
+    # depend on anything else as opposed to GMP and FFI.
     # Apply patch which fixes a compilation failure we encountered.
     # Will need to be kept until we can drop ghc-bignum entirely,
     # i. e. if GHC 8.10.* and 8.8.* have been removed.
@@ -2542,7 +2542,7 @@ self: super:
   # Missing test files https://github.com/kephas/xdg-basedir-compliant/issues/1
   xdg-basedir-compliant = dontCheck super.xdg-basedir-compliant;
 
-  # Test failure after libxcrypt migration, reported upstrem at
+  # Test failure after libxcrypt migration, reported upstream at
   # https://github.com/phadej/crypt-sha512/issues/13
   crypt-sha512 = dontCheck super.crypt-sha512;