Merge release-25.11 into staging-next-25.11

Author: nixpkgs-ci[bot]

pkgs/applications/virtualization/docker/default.nix

@@ -363,6 +363,8 @@ let
           # Exposed for tarsum build on non-linux systems (build-support/docker/default.nix)
           inherit moby-src;
           tests = lib.optionalAttrs (!clientOnly) { inherit (nixosTests) docker; };
+          # run with: nix-shell ./maintainers/scripts/update.nix --argstr package docker
+          updateScript = ./update.sh;
         };
 
         meta = docker-meta // {
@@ -432,14 +434,14 @@ in
 
   docker_29 =
     let
-      version = "29.2.0";
+      version = "29.2.1";
     in
     callPackage dockerGen {
       inherit version;
       cliRev = "v${version}";
-      cliHash = "sha256-GbXPe8DlhV4WnwJO8OVAdbXZ18IOUlXszenMGvPvSMQ=";
+      cliHash = "sha256-9foA1MThtq1sQnwki+cxPuU1dZbukOgdMg99Z1EElxk=";
       mobyRev = "docker-v${version}";
-      mobyHash = "sha256-Uilc5cxKuctSkjVxY3R5aezlmGHhLhHY4opVkTYRVIY=";
+      mobyHash = "sha256-LN/IVgKdBwpTR2fUq2Syi6zWP4YN7DQS4bfJVk8Agtg=";
       runcRev = "v1.3.4";
       runcHash = "sha256-1IfY08sBoDpbLrwz1AKBRSTuCZyOgQzYPHTDUI6fOZ8=";
       containerdRev = "v2.2.1";

pkgs/applications/virtualization/docker/update.sh

@@ -0,0 +1,73 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl jq nix-prefetch-github gawk
+
+set -euo pipefail
+
+# Updates docker packages (docker_29, docker_30, etc.)
+# Fetches component versions from moby's Dockerfile and updates all hashes
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+DEFAULT_NIX="$SCRIPT_DIR/default.nix"
+
+# Determine which docker version to update
+ATTR="${1:-${UPDATE_NIX_ATTR_PATH:-docker}}"
+
+# Handle "docker" alias -> use the last docker_XX in the file (latest version)
+if [[ "$ATTR" == "docker" ]]; then
+    ATTR=$(grep -oE 'docker_[0-9]+' "$DEFAULT_NIX" | tail -1)
+fi
+ATTR=$(echo "$ATTR" | grep -oE 'docker_[0-9]+' | head -1)
+
+[[ -z "$ATTR" ]] && { echo "Error: Could not determine docker version"; exit 1; }
+
+MAJOR="${ATTR#docker_}"
+echo "Updating $ATTR (major version: $MAJOR)"
+
+# Get current and latest versions
+CURRENT=$(awk -v a="$ATTR" '$0~a" ="{f=1} f&&/version = "/{match($0,/"[^"]+"/);print substr($0,RSTART+1,RLENGTH-2);exit}' "$DEFAULT_NIX")
+LATEST=$(curl -s ${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""} "https://api.github.com/repos/moby/moby/releases" | \
+    jq -r --arg m "$MAJOR" '[.[]|select(.tag_name|startswith("docker-v"+$m+"."))|select(.prerelease==false)][0].tag_name|sub("docker-v";"")')
+
+echo "Current: $CURRENT, Latest: $LATEST"
+[[ "$CURRENT" == "$LATEST" ]] && { echo "Already up to date!"; exit 0; }
+
+# Fetch component versions from Dockerfile
+DOCKERFILE=$(curl -sL "https://raw.githubusercontent.com/moby/moby/docker-v$LATEST/Dockerfile")
+RUNC_REV=$(echo "$DOCKERFILE" | sed -n 's/^ARG RUNC_VERSION=//p' | head -1)
+CONTAINERD_REV=$(echo "$DOCKERFILE" | sed -n 's/^ARG CONTAINERD_VERSION=//p' | head -1)
+
+echo "Components: runc=$RUNC_REV, containerd=$CONTAINERD_REV"
+
+# Prefetch helper
+prefetch() { nix-prefetch-github "$1" "$2" --rev "$3" 2>/dev/null | jq -r '.hash'; }
+
+echo "Prefetching sources..."
+CLI_HASH=$(prefetch docker cli "v$LATEST")
+MOBY_HASH=$(prefetch moby moby "docker-v$LATEST")
+RUNC_HASH=$(prefetch opencontainers runc "$RUNC_REV")
+CONTAINERD_HASH=$(prefetch containerd containerd "$CONTAINERD_REV")
+
+# Validate all hashes
+for h in "$CLI_HASH" "$MOBY_HASH" "$RUNC_HASH" "$CONTAINERD_HASH"; do
+    [[ -z "$h" || "$h" == "null" ]] && { echo "Failed to prefetch a source"; exit 1; }
+done
+
+# Update default.nix
+echo "Updating $DEFAULT_NIX..."
+awk -v attr="$ATTR" -v ver="$LATEST" -v cli="$CLI_HASH" -v moby="$MOBY_HASH" \
+    -v runcR="$RUNC_REV" -v runcH="$RUNC_HASH" -v ctrdR="$CONTAINERD_REV" -v ctrdH="$CONTAINERD_HASH" \
+    -v old="$CURRENT" '
+    $0 ~ attr" =" { in_block=1 }
+    in_block && /^  docker_[0-9]/ && $0 !~ attr { in_block=0 }
+    in_block && /^}$/ { in_block=0 }
+    in_block && /version = "/ { gsub(old, ver) }
+    in_block && /cliHash = "sha256-/ { gsub(/sha256-[^"]*/, cli) }
+    in_block && /mobyHash = "sha256-/ { gsub(/sha256-[^"]*/, moby) }
+    in_block && /runcRev = "/ { gsub(/"v[^"]*"/, "\"" runcR "\"") }
+    in_block && /runcHash = "sha256-/ { gsub(/sha256-[^"]*/, runcH) }
+    in_block && /containerdRev = "/ { gsub(/"v[^"]*"/, "\"" ctrdR "\"") }
+    in_block && /containerdHash = "sha256-/ { gsub(/sha256-[^"]*/, ctrdH) }
+    { print }
+' "$DEFAULT_NIX" > "$DEFAULT_NIX.tmp" && mv "$DEFAULT_NIX.tmp" "$DEFAULT_NIX"
+
+echo "Updated $ATTR to $LATEST (cli=$CLI_HASH, moby=$MOBY_HASH, runc=$RUNC_REV, containerd=$CONTAINERD_REV)"

pkgs/by-name/cc/ccextractor/package.nix

@@ -2,6 +2,7 @@
   lib,
   stdenv,
   fetchFromGitHub,
+  fetchpatch,
   writeTextFile,
 
   pkg-config,
@@ -43,6 +44,11 @@ stdenv.mkDerivation (finalAttrs: {
     ./remove-default-commit-hash.patch
     ./remove-vendored-libraries.patch
     ./fix-avcodec-close.patch
+    (fetchpatch {
+      name = "CVE-2026-2245.patch";
+      url = "https://github.com/CCExtractor/ccextractor/commit/fd7271bae238ccb3ae8a71304ea64f0886324925.patch";
+      hash = "sha256-wZiJob5v4SVa5YBmiHuNvgphSi4PhTTb3hg4vs1lhVg=";
+    })
   ]
   ++ finalAttrs.cargoDeps.vendorStaging.patches;
 

pkgs/by-name/di/discordchatexporter-cli/package.nix

@@ -23,6 +23,12 @@ buildDotnetModule rec {
   dotnet-sdk = dotnetCorePackages.sdk_8_0;
   dotnet-runtime = dotnetCorePackages.runtime_8_0;
 
+  dotnetBuildFlags = [
+    # workaround for https://github.com/belav/csharpier/pull/1696
+    # remove when csharpier is updated
+    "-p:FirstTargetFrameworks=workaround-for-csharpier-pr-1696"
+  ];
+
   postFixup = ''
     ln -s $out/bin/DiscordChatExporter.Cli $out/bin/discordchatexporter-cli
   '';

pkgs/by-name/di/discordo/package.nix

@@ -11,16 +11,16 @@
 
 buildGoModule (finalAttrs: {
   pname = "discordo";
-  version = "0-unstable-2026-02-01";
+  version = "0-unstable-2026-02-17";
 
   src = fetchFromGitHub {
     owner = "ayn2op";
     repo = "discordo";
-    rev = "5f884cdf288d9950c9ef4bbced100458af89ca46";
-    hash = "sha256-+6jfxVLJxGzDnIJD1P8dGOKf3DJKwoYCYhycrNXrJtg=";
+    rev = "f1650a0df751e40a589ceda4ec19626e109bac2b";
+    hash = "sha256-+1XK5Zri7DiKzaqsFHYjzde1XEFlp4cj878+FzLaibg=";
   };
 
-  vendorHash = "sha256-IGPQkfM/wNsgbyUtwGhjJNfTbpa/Xge5/wU0Rj/QZZY=";
+  vendorHash = "sha256-eltE7RkxqjYMWMv8/YmCC+WlntBTF8zO7UE0MQsG8Is=";
 
   env.CGO_ENABLED = 1;
 

pkgs/by-name/gi/git-gr/package.nix

@@ -14,7 +14,7 @@ let
   canRunGitGr = stdenv.hostPlatform.emulatorAvailable buildPackages;
   gitGr = "${stdenv.hostPlatform.emulator buildPackages} $out/bin/git-gr";
   pname = "git-gr";
-  version = "1.4.3";
+  version = "1.4.5";
 in
 rustPlatform.buildRustPackage {
   inherit pname version;
@@ -23,12 +23,12 @@ rustPlatform.buildRustPackage {
     owner = "9999years";
     repo = "git-gr";
     tag = "v${version}";
-    hash = "sha256-t308Ep27iRvRHSdvVMOrRGVoajBtnTutHAkKbZkO7Wg=";
+    hash = "sha256-8eZCJdGWuUk5l/OSmMVozL7SKyibtaZK3YlVzw/ZYsU=";
   };
 
   buildFeatures = [ "clap_mangen" ];
 
-  cargoHash = "sha256-5YHE1NVUcZ5NeOl3Z87l3PVsmlkswhnT83Oi9loJjdM=";
+  cargoHash = "sha256-OyNdp9uskLXZEsMx9NcKwmkWgepUIAyi+woFYEK66OY=";
 
   OPENSSL_NO_VENDOR = true;
 

pkgs/by-name/ko/koboredux/package.nix

@@ -65,7 +65,14 @@ stdenv.mkDerivation rec {
     })
   ];
 
-  postPatch = optionalString useProprietaryAssets ''
+  postPatch = ''
+    # CMake 4 support
+    # https://github.com/olofson/koboredux/pull/562
+    substituteInPlace CMakeLists.txt --replace-fail \
+      'cmake_minimum_required(VERSION 2.8)' \
+      'cmake_minimum_required(VERSION 2.8...4.1)'
+  ''
+  + optionalString useProprietaryAssets ''
     cp -r ../koboredux-${version}-Linux/sfx/redux data/sfx/
     cp -r ../koboredux-${version}-Linux/gfx/redux data/gfx/
     cp -r ../koboredux-${version}-Linux/gfx/redux_fullscreen data/gfx/