Unverified Commit de21549a authored by Vladimír Čunát, committed by GitHub

staging-next 2025-11-02 (#457894)

parents c4d11510 a4402b26
+10 −2
@@ -260,6 +260,14 @@ the same package with the `previousIntermediates` argument to support
incremental builds. See [“Incremental builds”](#haskell-incremental-builds) for
more information. Defaults to `false`.

`dontConvertCabalFileToUnix`
: By default, `haskellPackages.mkDerivation` converts the `.cabal` file of a
given package to Unix line endings.
This is intended to work around
[Hackage converting revised `.cabal` files to DOS line endings](https://github.com/haskell/hackage-server/issues/316)
which frequently causes patches to stop applying.
You can pass `true` to disable this behavior.

`enableLibraryProfiling`
: Whether to enable [profiling][profiling] for libraries contained in the
package. Enabled by default if supported.
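Review bot: the new `dontConvertCabalFileToUnix` entry does not state its default or when the conversion runs, unlike the neighbouring entries (`enableLibraryProfiling` says "Enabled by default if supported", the entry above ends with "Defaults to `false`") and unlike the release note, which says the conversion happens before `patchPhase`. Suggest closing the entry with "The conversion runs before `patchPhase`. Defaults to `false`."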
@@ -1249,8 +1257,8 @@ it does for the unstable branches.
### Why is topic X not covered in this section? Why is section Y missing? {#haskell-why-not-covered}

We have been working on [moving the nixpkgs Haskell documentation back into the
nixpkgs manual](https://github.com/NixOS/nixpkgs/issues/121403). Since this
process has not been completed yet, you may find some topics missing here
nixpkgs manual](https://github.com/NixOS/nixpkgs/issues/121403). <!-- krank:ignore-line -->
Since this process has not been completed yet, you may find some topics missing here
covered in the old [haskell4nix docs](https://haskell4nix.readthedocs.io/).

If you feel any important topic is not documented at all, feel free to comment
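Review bot: putting `<!-- krank:ignore-line -->` on the line that carries the link to issue #121403 silences the link check for that issue permanently; if the marker was added because the issue has been closed, the sentence "this process has not been completed yet" is stale and should be rewritten instead of the check being suppressed. Separately, the re-split paragraph still reads "you may find some topics missing here covered in the old haskell4nix docs", which needs "that are" (or similar) between "here" and "covered".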
+11 −4
@@ -119,6 +119,12 @@
  "inkscape-plugins": [
    "index.html#inkscape-plugins"
  ],
  "libcxxhardeningextensive": [
    "index.html#libcxxhardeningextensive"
  ],
  "libcxxhardeningfast": [
    "index.html#libcxxhardeningfast"
  ],
  "julec-hook": [
    "index.html#julec-hook"
  ],
@@ -247,6 +253,9 @@
  "sec-building-packages-with-llvm-using-clang-stdenv": [
    "index.html#sec-building-packages-with-llvm-using-clang-stdenv"
  ],
  "sec-darwin-availability-checks": [
    "index.html#sec-darwin-availability-checks"
  ],
  "sec-darwin-libcxx-deployment-targets": [
    "index.html#sec-darwin-libcxx-deployment-targets"
  ],
@@ -1242,7 +1251,8 @@
    "index.html#sec-purity-in-nixpkgs"
  ],
  "sec-hardening-in-nixpkgs": [
    "index.html#sec-hardening-in-nixpkgs"
    "index.html#sec-hardening-in-nixpkgs",
    "index.html#pie"
  ],
  "sec-hardening-flags-enabled-by-default": [
    "index.html#sec-hardening-flags-enabled-by-default"
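Review bot: redirecting the removed `#pie` anchor to `#sec-hardening-in-nixpkgs` sends readers of old links to the hardening overview with no mention of the flag; add a sentence at the redirect target (or in the "flags disabled by default" list) saying that `pie` was dropped because compilers now default to PIE, as the release-notes entry in this commit states, so the redirect does not read as a dead end.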
@@ -1277,9 +1287,6 @@
  "sec-hardening-flags-disabled-by-default": [
    "index.html#sec-hardening-flags-disabled-by-default"
  ],
  "pie": [
    "index.html#pie"
  ],
  "shadowstack": [
    "index.html#shadowstack"
  ],
+27 −6
@@ -12,6 +12,18 @@
- The default GHC version has been updated from 9.8 to 9.10.
  `haskellPackages` correspondingly uses Stackage LTS 24 (instead of LTS 23) as a baseline.

- **This release of Nixpkgs requires macOS Sonoma 14.0 or newer, as announced in the 25.05 release notes.**
  The default SDK is now 14.4, but the minimum version is 14.0.
  cc-wrapper will enforce that availability annotations are used or an appropriate deployment target is set.
  See the Darwin platform notes for details.

- **We expect to drop support for `x86_64-darwin` by Nixpkgs 26.11,** in light of Apple’s announcement that macOS 26 will be the final version to support Intel Macs.
  When support is fully removed, we will no longer build packages for the platform or guarantee that it can build at all.
  This may happen in stages, depending on our available build and maintenance resources and decisions made by projects we rely on.

  By the time of 26.11’s release, Homebrew will offer only limited [Tier 3](https://docs.brew.sh/Support-Tiers#tier-3) support for the platform, but MacPorts will likely continue to support it for a long time.
  We also recommend users consider installing NixOS, which should continue to run on essentially all Intel Macs, especially after Apple stops security support for macOS 26 in 2028.

- Darwin has switched to using the system libc++. This was done for improved compatibility and to avoid ODR violations.
  If a newer C++ library feature is not available on the default deployment target, you will need to increase the deployment target.
  See the Darwin platform documentation for more details.
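Review bot: the statement that Apple stops security support for macOS 26 in 2028 is given without a source, while the adjacent Homebrew claim is linked; add a reference for the 2028 date or soften it to "once Apple ends security support for macOS 26". The recommendation to install NixOS on Intel Macs is also more at home in the Darwin platform notes referenced just above than in a release-notes entry about dropping a platform.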
@@ -49,6 +61,8 @@

- GHC 8.6, 8.10, 9.0, 9.2, and their package sets have been removed.

- The `haskellPackages.mkDerivation` builder now converts packages' cabal files to Unix line endings before `patchPhase`. This behavior can be disabled using `dontConvertCabalFileToUnix`.

- `webkitgtk_4_0` has been removed because it depends on an unmaintained version of security-critical libsoup library (`libsoup_2`) and the support will be [dropped upstream soon](https://webkitgtk.org/2025/10/07/webkitgtk-soup2-deprecation.html).

- Support for bootstrapping native GHC compilers on 32‐bit ARM and little‐endian 64‐bit PowerPC has been dropped.
@@ -104,6 +118,8 @@

- `forgejo` main program has been renamed to `bin/forgejo` from the previous `bin/gitea`.

- the "pie" hardening flag has been removed. compilers are expected to enable PIE by default, as has been common practice since 2016 outside of nixpkgs. If a package needs "pie" disabled pass `-no-pie` in `CFLAGS`. It is unlikely this will be necessary in many cases; due to the prevalance of default PIE toolchains most packages incompatible with PIE already pass no-pie.

- `wayclip` now uses the `ext-data-control-v1` Wayland protocol instead of `wlr-data-control-unstable-v1`.

- `cudaPackages.cudatoolkit-legacy-runfile` has been removed.
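Review bot: `-no-pie` is the link-time option; it yields a non-PIE executable but does not change code generation, so a package that also relies on non-PIC code (the usual reason PIE breaks it) needs `-fno-pie` for compilation as well. Suggest "pass `-fno-pie` and `-no-pie` in `CFLAGS`" or naming the two separately. Minor: the entry starts in lowercase ("the "pie" hardening flag"), "compilers are expected" should start the sentence with a capital, "prevalance" should be "prevalence", and "pass no-pie" should be "pass `-no-pie`" to match the earlier mention.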
@@ -154,6 +170,8 @@

- `meilisearch_1_11` has been removed, as it is no longer supported.

- `budgie-desktop` has been updated [10.9.4](https://github.com/BuddiesOfBudgie/budgie-desktop/releases/tag/v10.9.4). This changes `XDG_CURRENT_DESKTOP` from `Budgie:GNOME` to `Budgie` and contains ABI bumps for libpeas2 migration.

- Greetd and its original greeters (`tuigreet`, `gtkgreet`, `qtgreet`, `regreet`, `wlgreet`) were moved from `greetd` namespace to top level (`greetd.tuigreet` -> `tuigreet`, `greetd.greetd` -> `greetd`, etc). The original attrs are available for compatibility as passthrus of `greetd`, but will emit a warning. They will be removed in future releases.

- `carla` no longer support `gtk2` override.
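Review bot: "`budgie-desktop` has been updated [10.9.4](…)" is missing "to" before the version link. In the greetd entry, `greetd.greetd` -> `greetd` means `greetd` now names the daemon package while the old namespace attributes survive as its passthrus; since the same name is used for both, say explicitly that the passthrus hang off the daemon package to avoid the two readings.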
@@ -217,9 +235,10 @@
- `podofo` has been updated from `0.9.8` to `1.0.0`. These releases are by nature very incompatible due to major API changes. The legacy versions can be found under `podofo_0_10` and `podofo_0_9`.
  Changelog: https://github.com/podofo/podofo/blob/1.0.0/CHANGELOG.md, API-Migration-Guide: https://github.com/podofo/podofo/blob/1.0.0/API-MIGRATION.md.

- NetBox was updated to `>= 4.3.0`. Have a look at the breaking changes
  of the [4.3 release](https://github.com/netbox-community/netbox/releases/tag/v4.2.0),
  make the required changes to your database, if needed, then upgrade by setting `services.netbox.package = pkgs.netbox_4_3;` in your configuration.
- NetBox was updated to `>= 4.4.0`. Have a look at the breaking changes
  of the [4.3 release](https://github.com/netbox-community/netbox/releases/tag/v4.3.0)
  and the [4.4 release](https://github.com/netbox-community/netbox/releases/tag/v4.4.0),
  make the required changes to your database, if needed, then upgrade by setting `services.netbox.package = pkgs.netbox_4_4;` in your configuration.

- `privatebin` has been updated to `2.0.0`. This release changes configuration defaults including switching the template and removing legacy features. See the [v2.0.0 changelog entry](https://github.com/PrivateBin/PrivateBin/releases/tag/2.0.0) for details on how to upgrade.

@@ -277,6 +296,8 @@

- Added `gitConfig` and `gitConfigFile` option to the nixpkgs `config`, to allow for setting a default `gitConfigFile` for all `fetchgit` invocations.

- Added `npmRegistryOverrides` and `npmRegistryOverridesString` option to the nixpkgs `config`, to allow for setting a default `npmRegistryOverridesString` for all `fetchNpmDeps` invocations.

- The `dockerTools.streamLayeredImage` builder now uses a better algorithm for generating layered docker images, such that much more sharing is possible when the number of store paths exceeds the layer limit. It gives each of the largest store paths its own layer and adds dependencies to those layers when they aren't used elsewhere.

- The systemd initrd will now respect `x-systemd.wants` and `x-systemd.requires` for reliably unlocking multi-disk bcachefs volumes.
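Review bot: the entry introduces both `npmRegistryOverrides` and `npmRegistryOverridesString` but only explains the string form; say what form `npmRegistryOverrides` takes and which one wins when both are set, mirroring the `gitConfig`/`gitConfigFile` entry directly above it. Also "option" should be "options" here (and in the `gitConfig` entry).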
@@ -297,7 +318,7 @@

- `idris2` supports being instantiated with a package environment with `idris.withPackages (p: [ ])`

- New hardening flags, `strictflexarrays1` and `strictflexarrays3` were made available, corresponding to the gcc/clang options `-fstrict-flex-arrays=1` and `-fstrict-flex-arrays=3` respectively.
- New hardening flags `strictflexarrays1`, `strictflexarrays3`, `glibcxxassertions`, `libcxxhardeningfast` and `libcxxhardeningextensive` were made available.

- `gramps` has been updated to 6.0.0
  Upstream recommends [backing up your Family Trees](https://gramps-project.org/wiki/index.php/Gramps_6.0_Wiki_Manual_-_Manage_Family_Trees#Backing_up_a_Family_Tree) before upgrading.
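Review bot: the merged entry drops the mapping to the underlying compiler options (`-fstrict-flex-arrays=1`/`=3` for `strictflexarrays1`/`strictflexarrays3`, and the `_GLIBCXX_ASSERTIONS` and `_LIBCPP_HARDENING_MODE` defines for the others) that the previous wording carried; since each flag has its own manual section, link them (e.g. `[`strictflexarrays1`](#strictflexarrays1)`, `[`libcxxhardeningfast`](#libcxxhardeningfast)`) so readers can find what each flag enables without searching.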
@@ -322,8 +343,6 @@
  and beware that the migration may take several hours depending on your library size and state.
  The process must not be interrupted.

- A new hardening flag, `glibcxxassertions` was made available, corresponding to the glibc `_GLIBCXX_ASSERTIONS` option.

- `versionCheckHook`: Packages that previously relied solely on `pname` to locate the program used to version check, but have a differing `meta.mainProgram` entry, might now fail.


@@ -340,6 +359,8 @@

- `nix-prefetch-git`: Added a `--no-add-path` argument to disable adding the path to the store; this is useful when working with a [read-only store](https://nix.dev/manual/nix/2.28/command-ref/new-cli/nix3-help-stores#store-experimental-local-overlay-store-read-only).

- `fetchNpmDeps`: Add `npmRegistryOverridesString` argument to pass NPM registry overrides to the fetcher.

- `sftpman` has been updated to version 2, a rewrite in Rust which is mostly backward compatible but does include some changes to the CLI.
  For more information, [check the project's README](https://github.com/spantaleev/sftpman-rs#is-sftpman-v2-compatible-with-sftpman-v1).

+15 −7
@@ -47,6 +47,17 @@ See below for how to use a newer deployment target.
For example, `std::print` depends on features that are only available on macOS 13.3 or newer.
To make them available, set the deployment target to 13.3 using `darwinMinVersionHook`.

#### Package fails to build due to missing API availability checks {#sec-darwin-availability-checks}

This is normally a bug in the package or a misconfigured deployment target.
* If it is using an API from a newer release (e.g., from macOS 26.0 while targeting macOS 14.0), it needs to use an availability check.
  The code should be patched to use [`__builtin_available`](https://clang.llvm.org/docs/LanguageExtensions.html#objective-c-available).
  Note that while the linked documentation is for Objective-C, it is applicable to C and C++ except that you use `__builtin_available` in place of `@available`.
* If the package intends to require the newer platform (i.e., it does not support running on older versions with reduced functionality), use `darwinMinVersionHook` to set the deployment target to the required version.
  See below for how to use a newer deployment target.
* If the package actually handles this through some other mechanism (e.g., MoltenVK relies on the running platform’s MSL version), the error can be suppressed.
  To suppress the error, add `-Wno-error=unguarded-availability` to `env.NIX_CFLAGS_COMPILE`.

#### Package requires a non-default SDK or fails to build due to missing frameworks or symbols {#sec-darwin-troubleshooting-using-sdks}

In some cases, you may have to use a non-default SDK.
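Review bot: `-Wno-error=unguarded-availability` in `env.NIX_CFLAGS_COMPILE` downgrades the diagnostic for the whole package, not for the one call site that is known to be safe, so the third bullet should present it as a last resort and ask that the derivation carry a comment explaining why the package's own mechanism (as in the MoltenVK case cited) makes the unguarded call safe; otherwise the suppression will hide genuine unguarded calls added later.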
@@ -107,11 +118,8 @@ Check your package’s documentation (platform support or installation instructi
Generally, only the last SDK release for a major version is packaged.

| Xcode version      | SDK version        | Nixpkgs attribute             |
|--------------------|--------------------|------------------------------|
| 12.0–12.5.1        | 11.3               | `apple-sdk_11` / `apple-sdk` |
| 13.0–13.4.1        | 12.3               | `apple-sdk_12`               |
| 14.0–14.3.1        | 13.3               | `apple-sdk_13`               |
| 15.0–15.4          | 14.4               | `apple-sdk_14`               |
|--------------------|--------------------|-------------------------------|
| 15.0–15.4          | 14.4               | `apple-sdk_14` / `apple-sdk`  |
| 16.0               | 15.0               | `apple-sdk_15`                |
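Review bot: the rewritten table removes the SDK 11, 12 and 13 rows and moves the `apple-sdk` alias to 14.4, but neither this section nor the release-notes hunk in this commit says whether `apple-sdk_11`, `apple-sdk_12` and `apple-sdk_13` still exist; if they were removed, the release notes need an entry, and if they remain, the sentence above the table ("only the last SDK release for a major version is packaged") still implies one row per major, which the table no longer shows. The doubled blank line after the table can also go.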


+12 −13
@@ -1631,19 +1631,6 @@ The following flags are disabled by default and should be enabled with `hardenin

This flag adds the `-fno-strict-aliasing` compiler option, which prevents the compiler from assuming code has been written strictly following the standard in regards to pointer aliasing and therefore performing optimizations that may be unsafe for code that has not followed these rules.

#### `pie` {#pie}

This flag is disabled by default for normal `glibc` based NixOS package builds, but enabled by default for

  - `musl`-based package builds, except on Aarch64 and Aarch32, where there are issues.

  - Statically-linked for OpenBSD builds, where it appears to be required to get a working binary.

Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Executables are needed to take advantage of Address Space Layout Randomization, supported by modern kernel versions. While ASLR can already be enforced for data areas in the stack and heap (brk and mmap), the code areas must be compiled as position-independent. Shared libraries already do this with the `pic` flag, so they gain ASLR automatically, but binary .text regions need to be build with `pie` to gain ASLR. When this happens, ROP attacks are much harder since there are no static locations to bounce off of during a memory corruption attack.

Static libraries need to be compiled with `-fPIE` so that executables can link them in with the `-pie` linker option.
If the libraries lack `-fPIE`, you will get the error `recompile with -fPIE`.

#### `strictflexarrays1` {#strictflexarrays1}

This flag adds the `-fstrict-flex-arrays=1` compiler option, which reduces the cases the compiler treats as "flexible arrays" to those declared with length `[1]`, `[0]` or (the correct) `[]`. This increases the coverage of fortify checks, because such arrays declared as the trailing element of a structure can normally not have their intended length determined by the compiler.
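Review bot: deleting the `pie` section also deletes the troubleshooting note that static libraries must be built with `-fPIE` to be linked with `-pie` and that the "recompile with -fPIE" linker error signals this; that advice remains relevant now that PIE is the compiler default, so keep those two lines (in the hardening section or in the release-notes entry) rather than dropping them together with the flag description.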
@@ -1688,6 +1675,18 @@ Adds the `-D_GLIBCXX_ASSERTIONS` compiler flag. This flag only has an effect on

These checks may have an impact on performance in some cases.

#### `libcxxhardeningfast` {#libcxxhardeningfast}

Adds the `-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST` compiler flag. This flag only has an effect on libc++ targets, and when defined, enables a set of assertions that prevent undefined behavior caused by violating preconditions of the standard library. libc++ provides several hardening modes, and this "fast" mode contains a set of security-critical checks that can be done with relatively little overhead in constant time.

Disabling `libcxxhardeningfast` implies disablement of checks from `libcxxhardeningextensive`.

#### `libcxxhardeningextensive` {#libcxxhardeningextensive}

Adds the `-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE` compiler flag. This flag only has an effect on libc++ targets, and when defined, enables a set of assertions that prevent undefined behavior caused by violating preconditions of the standard library. libc++ provides several hardening modes, and this "extensive" mode adds checks for undefined behavior that incur relatively little overhead but aren’t security-critical. The additional rigour impacts performance more than fast mode: benchmarking is recommended to determine if it is acceptable for a particular application.

Enabling this flag implies enablement of checks from `libcxxhardeningfast`. Disabling this flag does not imply disablement of checks from `libcxxhardeningfast`.

#### `pacret` {#pacret}

This flag adds the `-mbranch-protection=pac-ret` compiler option on aarch64-linux targets. This uses ARM v8.3's Pointer Authentication feature to sign function return pointers before adding them to the stack. The pointer's authenticity is then validated before returning to its destination. This dramatically increases the difficulty of ROP exploitation techniques.
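Review bot: `libcxxhardeningfast` and `libcxxhardeningextensive` both define `_LIBCPP_HARDENING_MODE`, with different values, so the text should say what the wrapper does when both flags are enabled (emit only the extensive define, presumably); as written, "Enabling this flag implies enablement of checks from `libcxxhardeningfast`" can be read as both `-D` options being passed, which would redefine the macro. Each of the two entries should also state whether the flag is enabled by default, as the flag sections in this document do.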