`pkgs.fetchgit` uses `fetchSubmodules = true;` by default; however,
`nix-prefetch-git` doesn't. This means that hashes for a Git repository
with fetched submodules will be wrong in `yarn.nix`.

Considering that this went unnoticed before, it seems as if this case is
an exception to a certain degree.

An exemplary problem is the last `hedgedoc` update[1] where
`js-sequence-diagrams` - a Git repo with submodules - from upstream's
package.json caused a hash mismatch. This went unnoticed because
`nix-build --check` doesn't seem to reveal these issues for fixed-output
derivations.

[1] https://github.com/NixOS/nixpkgs/pull/139238

(cherry picked from commit 46c98ae1327b7d14af1927fda971762e5ee53dfe)

- Use 1 line per input argument.
- Don't use let ... in if not needed.
- Use ${version} in url string.
- Run hooks in explicit installPhase.

(cherry picked from commit e1d6051d81835079f0e37e1d5fc5f029f32df512)

Changes: 3c56f62...bcd73eb
I figured that now with an actual 2.4 release around the corner[1] we
could bump it a bit more often considering that it seems to contain
mostly bugfixes, so that upstream receives a bit more feedback.
[1] https://discourse.nixos.org/t/tweag-nix-dev-update-17/15037
(cherry picked from commit 615d368aa000279f1c63d9c5521859181b5fbfe3)

Need to patch out the contextvars dependency (which is included in
Python 3.7+).
The same patch is discussed in Arch:
https://bugs.archlinux.org/task/71344

(cherry picked from commit c0b46c6b596dd25f32733ff01156d3d769640ab5)

ChangeLog: https://github.com/hedgedoc/hedgedoc/releases/tag/1.9.0
As documented in the Nix expression, I unfortunately had to patch
`yarn.lock` manually (the `yarn.nix` result isn't affected by this). By
adding a `git+https`-prefix to
`midi "https://github.com/paulrosen/MIDI.js.git#abcjs"` in the lock-file
I ensured that `yarn` actually uses the `MIDI.js` from the offline-cache
from `yarn2nix` rather than trying to download a tarball from GitHub.
Also, this release contains a fix for CVE-2021-39175 which doesn't seem
to be backported to 1.8. To quote NVD[1]:
> In versions prior to 1.9.0, an unauthenticated attacker can inject
> arbitrary JavaScript into the speaker-notes of the slide-mode feature
> by embedding an iframe hosting the malicious code into the slides or by
> embedding the HedgeDoc instance into another page.
Even though it "only" has a medium rating by NVD (6.1), this seems
rather problematic to me (also, GitHub rates this as "High"), so it's
actually a candidate for a backport.
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-39175
(cherry picked from commit 0a10c17c8d01e5f9fefa3d6dbb7802a3cbce7e23)
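
The manual `yarn.lock` edit described in the commit message above can be checked mechanically. The following is an added example, not code from the commit or from nixpkgs: it flags lock-file URLs that point at a Git repository over plain `https` without the `git+` prefix and rewrites them. The lock-file excerpt is constructed (versions and commit ids are placeholders), and rewriting the `resolved` line as well as the entry key is an assumption.

```python
import re

# Constructed yarn.lock (v1) excerpt; versions and commit ids are placeholders.
SAMPLE_LOCK = '''\
"midi@https://github.com/paulrosen/MIDI.js.git#abcjs":
  version "0.0.0"
  resolved "https://github.com/paulrosen/MIDI.js.git#0000000000000000000000000000000000000000"

"example-git-dep@git+https://example.invalid/org/repo.git#main":
  version "1.0.0"
  resolved "git+https://example.invalid/org/repo.git#1111111111111111111111111111111111111111"

example-registry-dep@^2.0.0:
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/example-registry-dep/-/example-registry-dep-2.0.1.tgz#2222222222222222222222222222222222222222"
'''

# A plain http(s) URL to a *.git repository with a #ref and no git+ prefix.
# The lookbehind skips URLs that already carry a scheme prefix such as "git+".
BARE_GIT_URL = re.compile(r'(?<![+\w])https?://[^\s"#]+\.git#[^\s",]+')


def find_bare_git_urls(lock_text):
    """Return (line_number, url) for each bare https Git URL in the lock-file."""
    hits = []
    for lineno, line in enumerate(lock_text.splitlines(), start=1):
        for match in BARE_GIT_URL.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def add_git_prefix(lock_text):
    """Prefix every bare Git URL with git+ (assumed form of the manual edit)."""
    return BARE_GIT_URL.sub(lambda m: "git+" + m.group(0), lock_text)


if __name__ == "__main__":
    for lineno, url in find_bare_git_urls(SAMPLE_LOCK):
        print(f"line {lineno}: bare Git URL {url}")
    print(add_git_prefix(SAMPLE_LOCK))
```
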
The src points to the obsidiansystems repo as it has the ghcjs ported from
8.10.5 to 8.10.7, and a bunch of other fixes (#812, #811, #809)

(cherry picked from commit ba25b274f4bb0240a8ffa71e41b55712930af3d8)

Modified the stm_2_5_0_1 -> stm_2_5_0_0