`pkgs.fetchgit` uses `fetchSubmodules = true;` by default, however
`nix-prefetch-git` doesn't. This means that hashes for a Git repository
with fetched submodules will be wrong in `yarn.nix`.
Considering that this got unnoticed before, it seems as if this case is
an exception to a certain degree.
An exemplary problem is the last `hedgedoc` update[1] where
`js-sequence-diagrams` - a Git repo with submodules - from upstream's
package.json caused a hash mismatch. This got unnoticed because
`nix-build --check` doesn't seem to reveal these issues for fixed-output
derivations.
[1] https://github.com/NixOS/nixpkgs/pull/139238
(cherry picked from commit 46c98ae1327b7d14af1927fda971762e5ee53dfe)
- Use 1 line per input argument.
- Don't use let ... in if not needed.
- Use ${version} in url string.
- Run hooks in explicit installPhase.
(cherry picked from commit e1d6051d81835079f0e37e1d5fc5f029f32df512)
Changes: 3c56f62...bcd73eb
I figured that now with an actual 2.4 release around the corner[1] we
could bump it a bit more often considering that it seems to contain
mostly bugfixes, so that upstream receives a bit more feedback.
[1] https://discourse.nixos.org/t/tweag-nix-dev-update-17/15037
(cherry picked from commit 615d368aa000279f1c63d9c5521859181b5fbfe3)
When restoring a backup, discourse decompresses the backup archive in
the /share/discourse/tmp dir. Before this change, it is linked to /run
which is typically backed by memory, so the backup will fail to
restore if you do not have enough memory on your system to contain the
backup. This has already happened to me on two small forums.
This moves tmp to the StateDirectory /var/lib/discourse/tmp which is
typically backed by disk.
(cherry picked from commit f933c68374b9c6195dc74d26c95fc9bf240fead8)
Need to patch out the contextvars dependency (which is included in
python 3.7+).
The same patch is discussed in arch:
https://bugs.archlinux.org/task/71344
(cherry picked from commit c0b46c6b596dd25f32733ff01156d3d769640ab5)
ChangeLog: https://github.com/hedgedoc/hedgedoc/releases/tag/1.9.0
As documented in the Nix expression, I unfortunately had to patch
`yarn.lock` manually (the `yarn.nix` result isn't affected by this). By
adding a `git+https`-prefix to
`midi "https://github.com/paulrosen/MIDI.js.git#abcjs"` in the lock-file
I ensured that `yarn` actually uses the `MIDI.js` from the offline-cache
from `yarn2nix` rather than trying to download a tarball from GitHub.
Also, this release contains a fix for CVE-2021-39175 which doesn't seem
to be backported to 1.8. To quote NVD[1]:
> In versions prior to 1.9.0, an unauthenticated attacker can inject
> arbitrary JavaScript into the speaker-notes of the slide-mode feature
> by embedding an iframe hosting the malicious code into the slides or by
> embedding the HedgeDoc instance into another page.
Even though it "only" has a medium rating by NVD (6.1), this seems
rather problematic to me (also, GitHub rates this as "High"), so it's
actually a candidate for a backport.
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-39175
(cherry picked from commit 0a10c17c8d01e5f9fefa3d6dbb7802a3cbce7e23)
