Merge staging-next into staging

38 files changed, 571 insertions, 118 deletions

diff --git a/pkgs/applications/graphics/imgbrd-grabber/default.nix b/pkgs/applications/graphics/imgbrd-grabber/default.nix
index 0fa08c31c0a68..72d9d9cc1e01b 100644
--- a/pkgs/applications/graphics/imgbrd-grabber/default.nix
+++ b/pkgs/applications/graphics/imgbrd-grabber/default.nix
@@ -1,4 +1,5 @@
-{ lib, stdenv
+{ lib
+, stdenv
 , cmake
 , fetchFromGitHub
 , wrapQtAppsHook
@@ -93,6 +94,7 @@ stdenv.mkDerivation rec {
     description = "Very customizable imageboard/booru downloader with powerful filenaming features";
     license = licenses.asl20;
     homepage = "https://bionus.github.io/imgbrd-grabber/";
+    mainProgram = "Grabber";
     maintainers = [ maintainers.evanjs ];
   };
 }
diff --git a/pkgs/applications/misc/blender/default.nix b/pkgs/applications/misc/blender/default.nix
index c0fb3b336d0fc..8266f4bfd067f 100644
--- a/pkgs/applications/misc/blender/default.nix
+++ b/pkgs/applications/misc/blender/default.nix
@@ -16,7 +16,6 @@
   cudaSupport ? config.cudaSupport,
   dbus,
   embree,
-  fetchpatch,
   fetchurl,
   fetchzip,
   ffmpeg,
@@ -68,7 +67,7 @@
   pkg-config,
   potrace,
   pugixml,
-  python310Packages, # must use instead of python3.pkgs, see https://github.com/NixOS/nixpkgs/issues/211340
+  python311Packages, # must use instead of python3.pkgs, see https://github.com/NixOS/nixpkgs/issues/211340
   rocmPackages, # comes with a significantly larger closure size
   runCommand,
   spaceNavSupport ? stdenv.isLinux,
@@ -82,7 +81,7 @@
 }:
 
 let
-  python3Packages = python310Packages;
+  python3Packages = python311Packages;
   python3 = python3Packages.python;
   pyPkgsOpenusd = python3Packages.openusd.override { withOsl = false; };
 
@@ -100,25 +99,14 @@ in
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "blender";
-  version = "4.0.2";
+  version = "4.1.0";
 
   src = fetchurl {
     url = "https://download.blender.org/source/${finalAttrs.pname}-${finalAttrs.version}.tar.xz";
-    hash = "sha256-qqDnKdp1kc+/RXcq92NFl32qp7EaCvNdmPkxPiRgd6M=";
+    hash = "sha256-3AAtguPDQMk4VcZoRzDQGAG2aaKbHMa3XuuZC6aecj8=";
   };
 
-  patches = [
-    ./draco.patch
-    (fetchpatch {
-      url = "https://projects.blender.org/blender/blender/commit/cf4365e555a759d5b3225bce77858374cb07faad.diff";
-      hash = "sha256-Nypd04yFSHYa7RBa8kNmoApqJrU4qpaOle3tkj44d4g=";
-    })
-    (fetchpatch {
-      # https://projects.blender.org/blender/blender/issues/117145
-      url = "https://projects.blender.org/blender/blender/commit/eb99895c972b6c713294f68a34798aa51d36034a.patch";
-      hash = "sha256-95nG5mW408lhKJ2BppgaUwBMMeXeGyBqho6mCfB53GI=";
-    })
-  ] ++ lib.optional stdenv.isDarwin ./darwin.patch;
+  patches = [ ./draco.patch ] ++ lib.optional stdenv.isDarwin ./darwin.patch;
 
   postPatch =
     (
@@ -247,7 +235,7 @@ stdenv.mkDerivation (finalAttrs: {
     ]
     ++ lib.optionals (!stdenv.isAarch64) [
       embree
-      openimagedenoise
+      (openimagedenoise.override { inherit cudaSupport; })
     ]
     ++ (
       if (!stdenv.isDarwin) then
diff --git a/pkgs/applications/version-management/gitea/default.nix b/pkgs/applications/version-management/gitea/default.nix
index e5d3d257684a8..ef0902443c8ff 100644
--- a/pkgs/applications/version-management/gitea/default.nix
+++ b/pkgs/applications/version-management/gitea/default.nix
@@ -20,12 +20,12 @@
 
 buildGoModule rec {
   pname = "gitea";
-  version = "1.21.9";
+  version = "1.21.10";
 
   # not fetching directly from the git repo, because that lacks several vendor files for the web UI
   src = fetchurl {
     url = "https://dl.gitea.com/gitea/${version}/gitea-src-${version}.tar.gz";
-    hash = "sha256-4o5pSkC9jl8rI68naorDrRE4Rm0/chj3+cRxZqoziIU=";
+    hash = "sha256-g/aDRIAKaPi8AWWJL4N8CZt2N4HBEWK7xSBvjrcPDD8=";
   };
 
   vendorHash = null;
diff --git a/pkgs/by-name/bt/bt-migrate/package.nix b/pkgs/by-name/bt/bt-migrate/package.nix
new file mode 100644
index 0000000000000..289e15960c0fa
--- /dev/null
+++ b/pkgs/by-name/bt/bt-migrate/package.nix
@@ -0,0 +1,65 @@
+{ lib
+, boost
+, cmake
+, cxxopts
+, digestpp
+, fetchFromGitHub
+, fmt
+, jsoncons
+, pugixml
+, sqlite
+, sqlite_orm
+, stdenv
+}:
+stdenv.mkDerivation {
+  pname = "bt-migrate";
+  version = "0-unstable-2023-08-17";
+
+  src = fetchFromGitHub {
+    owner = "mikedld";
+    repo = "bt-migrate";
+    rev = "e15a489c0c76f98355586ebbee08223af4e9bf50";
+    hash = "sha256-kA6yxhbIh3ThmgF8Zyoe3I79giLVmdNr9IIrw5Xx4s0=";
+  };
+
+  nativeBuildInputs = [
+    cmake
+  ];
+
+  buildInputs = [
+    boost
+    cxxopts
+    fmt
+    jsoncons
+    pugixml
+    sqlite_orm
+  ];
+
+  cmakeFlags = [
+    (lib.strings.cmakeBool "USE_VCPKG" false)
+    # NOTE: digestpp does not have proper CMake packaging (yet?)
+    (lib.strings.cmakeBool "USE_FETCHCONTENT" true)
+    (lib.strings.cmakeFeature "FETCHCONTENT_SOURCE_DIR_DIGESTPP" "${digestpp}/include/digestpp")
+  ];
+
+  # NOTE: no install target in CMake...
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/bin
+    cp BtMigrate $out/bin
+
+    runHook postInstall
+  '';
+
+  strictDeps = true;
+
+  meta = with lib; {
+    description = "Torrent state migration tool";
+    homepage = "https://github.com/mikedld/bt-migrate?tab=readme-ov-file";
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ ambroisie ];
+    mainProgram = "BtMigrate";
+    platforms = platforms.all;
+  };
+}
diff --git a/pkgs/by-name/di/digestpp/package.nix b/pkgs/by-name/di/digestpp/package.nix
new file mode 100644
index 0000000000000..84d88d8b66233
--- /dev/null
+++ b/pkgs/by-name/di/digestpp/package.nix
@@ -0,0 +1,32 @@
+{ lib
+, fetchFromGitHub
+, stdenvNoCC
+}:
+stdenvNoCC.mkDerivation {
+  pname = "digestpp";
+  version = "0-unstable-2023-11-07";
+
+  src = fetchFromGitHub {
+    owner = "kerukuro";
+    repo = "digestpp";
+    rev = "ebb699402c244e22c3aff61d2239bcb2e87b8ef8";
+    hash = "sha256-9X/P7DgZB6bSYjQWRli4iAXEFjhmACOVv3EYQrXuH5c=";
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/include/digestpp
+    cp -r *.hpp algorithm/ detail/ $out/include/digestpp
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "C++11 header-only message digest library";
+    homepage = "https://github.com/kerukuro/digestpp";
+    license = licenses.unlicense;
+    maintainers = with maintainers; [ ambroisie ];
+    platforms = platforms.all;
+  };
+}
diff --git a/pkgs/by-name/fa/fastqc/package.nix b/pkgs/by-name/fa/fastqc/package.nix
new file mode 100644
index 0000000000000..e7973ab0d602c
--- /dev/null
+++ b/pkgs/by-name/fa/fastqc/package.nix
@@ -0,0 +1,83 @@
+{ lib,
+  stdenv,
+  fetchzip,
+  jre,
+  perl,
+  makeWrapper,
+  imagemagick,
+  makeDesktopItem,
+  copyDesktopItems,
+  desktopToDarwinBundle,
+  testers
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "fastqc";
+  version = "0.12.1";
+
+  src = fetchzip {
+    url = "https://www.bioinformatics.babraham.ac.uk/projects/fastqc/fastqc_v${finalAttrs.version}.zip";
+    hash = "sha256-TenRG2x8ivJ2HM2ZpLaJShp0yI0Qc6K5lW5/NJFAa1I";
+  };
+
+  dontBuild = true;
+
+  nativeBuildInputs = [ makeWrapper imagemagick ]
+                      ++ lib.optional stdenv.isLinux copyDesktopItems # postInstallHook
+                      ++ lib.optional stdenv.isDarwin desktopToDarwinBundle; #fixupOutputHook
+  buildInputs = [ jre perl];
+
+  desktopItem = (makeDesktopItem {
+    name = "FastQC";
+    exec = "fastqc";
+    icon = "fastqc";
+    desktopName = "FastQC";
+    comment = finalAttrs.meta.description;
+    categories = [ "Science" ];
+  });
+  desktopItems = [ finalAttrs.desktopItem ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/{bin,FastQC}
+    cp -r $src/* $out/FastQC
+
+    # Create desktop item
+    mkdir -p $out/share/{applications,icons}
+    # Freedesktop doesn't support windows ICO files. Use imagemagick to convert it to PNG
+    convert $out/FastQC/fastqc_icon.ico $out/share/icons/fastqc.png
+
+    runHook postInstall
+  '';
+
+  preFixup = ''
+    makeWrapper $out/FastQC/fastqc $out/bin/fastqc --prefix PATH : ${jre}/bin
+  '';
+
+  passthru.tests.version = testers.testVersion {
+    package = finalAttrs.finalPackage;
+    version = "v${finalAttrs.version}";
+  };
+
+  meta = {
+    description = "A quality control application for high throughput sequence data";
+    longDescription = ''
+    FastQC aims to provide a simple way to do some quality control checks on raw sequence data coming from high throughput sequencing pipelines. It provides a modular set of analyses which you can use to give a quick impression of whether your data has any problems of which you should be aware before doing any further analysis.
+
+    The main functions of FastQC are
+
+    - Import of data from BAM, SAM or FastQ files (any variant)
+    - Providing a quick overview to tell you in which areas there may be problems
+    - Summary graphs and tables to quickly assess your data
+    - Export of results to an HTML based permanent report
+    - Offline operation to allow automated generation of reports without running the interactive application
+    '';
+    homepage = "https://www.bioinformatics.babraham.ac.uk/projects/fastqc/";
+    sourceProvenance = [ lib.sourceTypes.binaryNativeCode ];
+    license = with lib.licenses; [ gpl3Plus asl20 ];
+    maintainers = [ lib.maintainers.dflores ];
+    mainProgram = "fastqc";
+    platforms = lib.platforms.unix;
+  };
+})
diff --git a/pkgs/by-name/gl/glas/package.nix b/pkgs/by-name/gl/glas/package.nix
new file mode 100644
index 0000000000000..40a0d7f556c83
--- /dev/null
+++ b/pkgs/by-name/gl/glas/package.nix
@@ -0,0 +1,36 @@
+{
+  lib,
+  rustPlatform,
+  fetchFromGitHub,
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "glas";
+  version = "0.2.2";
+
+  src = fetchFromGitHub {
+    owner = "maurobalbi";
+    repo = "glas";
+    rev = "v${version}";
+    sha256 = "sha256-y1sPDCHIfECEhKP6EQs3kDrX/yM+ni0irfPe1c50jJU=";
+  };
+
+  cargoHash = "sha256-h27NqsVOW+LM83xtSAV7cvlRbznGE87aJb2/WeSmfOY=";
+
+  doInstallCheck = true;
+  postInstallCheck = ''
+    $out/bin/glas --help > /dev/null
+  '';
+
+  meta = {
+    description = "A language server for the Gleam programming language.";
+    homepage = "https://github.com/maurobalbi/glas";
+    changelog = "https://github.com/maurobalbi/glas/tag/v${version}";
+    license = with lib.licenses; [
+      asl20
+      mit
+    ];
+    mainProgram = "glas";
+    maintainers = with lib.maintainers; [ payas ];
+  };
+}
diff --git a/pkgs/by-name/gt/gtkhash/package.nix b/pkgs/by-name/gt/gtkhash/package.nix
new file mode 100644
index 0000000000000..63d0c788c976b
--- /dev/null
+++ b/pkgs/by-name/gt/gtkhash/package.nix
@@ -0,0 +1,54 @@
+{ lib
+, fetchFromGitHub
+, stdenv
+, meson
+, ninja
+, cmake
+, pkg-config
+, wrapGAppsHook
+, gtk3
+, glib
+, openssl
+, nettle
+, libb2
+, libgcrypt
+}:
+
+stdenv.mkDerivation rec {
+  pname = "gtkhash";
+  version = "1.5";
+
+  src = fetchFromGitHub {
+    repo = "gtkhash";
+    owner = "gtkhash";
+    rev = "v${version}";
+    hash = "sha256-XpgTolpTSsW3i0xk19tt4cn9qANoeiq7YnBBR6g8ioU=";
+  };
+
+  nativeBuildInputs = [
+    meson
+    ninja
+    cmake
+    pkg-config
+    wrapGAppsHook
+  ];
+
+  buildInputs = [
+    gtk3
+    glib
+    openssl
+    nettle
+    libb2
+    libgcrypt
+  ];
+
+  strictDeps = true;
+  meta = with lib; {
+    description = "A cross-platform desktop utility for computing message digests or checksums";
+    homepage = "https://gtkhash.org";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ ByteSudoer ];
+    mainProgram = "gtkhash";
+    platforms = platforms.unix;
+  };
+}
diff --git a/pkgs/by-name/ja/jazz2/package.nix b/pkgs/by-name/ja/jazz2/package.nix
index ca7898848aa53..8db964b251448 100644
--- a/pkgs/by-name/ja/jazz2/package.nix
+++ b/pkgs/by-name/ja/jazz2/package.nix
@@ -16,13 +16,13 @@
 assert lib.assertOneOf "graphicsLibrary" graphicsLibrary [ "SDL2" "GLFW" ];
 stdenv.mkDerivation (finalAttrs: {
   pname = "jazz2";
-  version = "2.5.0";
+  version = "2.6.0";
 
   src = fetchFromGitHub {
     owner = "deathkiller";
     repo = "jazz2-native";
     rev = finalAttrs.version;
-    hash = "sha256-IFsSIfHmSE6B1bpc5RWetJnlkv/jjlAUvRFV1pvVVNo=";
+    hash = "sha256-ZTQz6+2myUIJr2HqiwYksM7qiwXrd4+3+h1TC6FuPFU=";
   };
 
   patches = [ ./nocontent.patch ];
diff --git a/pkgs/by-name/lu/lunar-client/package.nix b/pkgs/by-name/lu/lunar-client/package.nix
index 3b8102c2d9ee0..b675a0295b0aa 100644
--- a/pkgs/by-name/lu/lunar-client/package.nix
+++ b/pkgs/by-name/lu/lunar-client/package.nix
@@ -6,11 +6,11 @@
 
 appimageTools.wrapType2 rec {
   pname = "lunar-client";
-  version = "3.2.3";
+  version = "3.2.4";
 
   src = fetchurl {
     url = "https://launcherupdates.lunarclientcdn.com/Lunar%20Client-${version}.AppImage";
-    hash = "sha512-2zuVURKDw+Z/8I1AO8G5KPVOlPIZC/Mbt9jK5gn9CV1zmRiWKL+m1/Bw9/h7fanBdm0fhfLklplmlTTabPm7dg==";
+    hash = "sha512-KaQvjtSzQzebzPrcFBntCqP6fRbenH9tQo4LYO1TwDoJ7pAeZ8D4kSMRaRfFV0CPZ/pDnKECYdKXAuaujOpw8g==";
   };
 
   extraInstallCommands =
diff --git a/pkgs/os-specific/darwin/mousecape/default.nix b/pkgs/by-name/mo/mousecape/package.nix
index 39ee1e5ca072d..7604b360dd656 100644
--- a/pkgs/os-specific/darwin/mousecape/default.nix
+++ b/pkgs/by-name/mo/mousecape/package.nix
@@ -1,27 +1,22 @@
 { lib
 , stdenvNoCC
-, fetchurl
-, unzip
+, fetchzip
 }:
 
 stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "mousecape";
   version = "1813";
 
-  src = fetchurl {
+  src = fetchzip {
     url = "https://github.com/alexzielenski/Mousecape/releases/download/${finalAttrs.version}/Mousecape_${finalAttrs.version}.zip";
-    hash = "sha256-lp7HFGr1J+iQCUWVDplF8rFcTrGf+DX4baYzLsUi/9I=";
+    hash = "sha256-VjbvrXfsRFpbTJfIHFvyCxRdDcGNv0zzLToWn7lyLM8=";
   };
 
-  sourceRoot = ".";
-
-  nativeBuildInputs = [ unzip ];
-
   installPhase = ''
     runHook preInstall
 
-    mkdir -p $out/Applications
-    mv Mousecape.app $out/Applications
+    mkdir -p $out/Applications/Mousecape.app
+    cp -R . $out/Applications/Mousecape.app/
 
     runHook postInstall
   '';
@@ -30,7 +25,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
     description = "A cursor manager for macOS built using private, nonintrusive CoreGraphics APIs";
     homepage = "https://github.com/alexzielenski/Mousecape";
     license = with lib; licenses.free;
-    maintainers = with lib; with maintainers; [ DontEatOreo ];
+    maintainers = with lib; with maintainers; [ donteatoreo ];
     platforms = with lib; platforms.darwin;
     sourceProvenance = with lib; with sourceTypes; [ binaryNativeCode ];
   };
diff --git a/pkgs/by-name/sq/sqlite_orm/package.nix b/pkgs/by-name/sq/sqlite_orm/package.nix
new file mode 100644
index 0000000000000..82e11c6015b70
--- /dev/null
+++ b/pkgs/by-name/sq/sqlite_orm/package.nix
@@ -0,0 +1,35 @@
+{ lib
+, cmake
+, fetchFromGitHub
+, sqlite
+, stdenv
+}:
+stdenv.mkDerivation (finalAttrs: {
+  pname = "sqlite_orm";
+  version = "1.8.2";
+
+  src = fetchFromGitHub {
+    owner = "fnc12";
+    repo = "sqlite_orm";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-KqphGFcnR1Y11KqL7sxODSv7lEvcURdF6kLd3cg84kc=";
+  };
+
+  nativeBuildInputs = [
+    cmake
+  ];
+
+  propagatedBuildInputs = [
+    sqlite
+  ];
+
+  strictDeps = true;
+
+  meta = with lib; {
+    description = "Light header only SQLite ORM";
+    homepage = "https://sqliteorm.com/";
+    license = licenses.agpl3Only; # MIT license is commercial
+    maintainers = with maintainers; [ ambroisie ];
+    platforms = platforms.all;
+  };
+})
diff --git a/pkgs/development/beam-modules/elixir-ls/default.nix b/pkgs/development/beam-modules/elixir-ls/default.nix
index c419b7f30411f..2324d641244f0 100644
--- a/pkgs/development/beam-modules/elixir-ls/default.nix
+++ b/pkgs/development/beam-modules/elixir-ls/default.nix
@@ -37,7 +37,7 @@ mixRelease {
   # of the no-deps-check requirement
   buildPhase = ''
     runHook preBuild
-    mix do compile --no-deps-check, elixir_ls.release
+    mix do compile --no-deps-check, elixir_ls.release${lib.optionalString (lib.versionAtLeast elixir.version "1.16.0") "2"}
     runHook postBuild
   '';
 
diff --git a/pkgs/development/compilers/llvm/17/default.nix b/pkgs/development/compilers/llvm/17/default.nix
index a9138e3c79b67..c8d9569253450 100644
--- a/pkgs/development/compilers/llvm/17/default.nix
+++ b/pkgs/development/compilers/llvm/17/default.nix
@@ -213,6 +213,7 @@ in let
           (!stdenv.targetPlatform.isWasm && stdenv.targetPlatform.useLLVM or false)
           "-lunwind"
         ++ lib.optional stdenv.targetPlatform.isWasm "-fno-exceptions";
+      nixSupport.cc-ldflags = lib.optionals (!stdenv.targetPlatform.isWasm) [ "-L${targetLlvmLibraries.libunwind}/lib" ];
     };
 
     clangNoLibcxx = wrapCCWith rec {
diff --git a/pkgs/development/haskell-modules/configuration-nix.nix b/pkgs/development/haskell-modules/configuration-nix.nix
index 9897a6f2be0cf..4d83fac79a5e7 100644
--- a/pkgs/development/haskell-modules/configuration-nix.nix
+++ b/pkgs/development/haskell-modules/configuration-nix.nix
@@ -305,7 +305,13 @@ self: super: builtins.intersectAttrs super {
   ghc-debug-brick  = enableSeparateBinOutput super.ghc-debug-brick;
   nixfmt  = enableSeparateBinOutput super.nixfmt;
   calligraphy = enableSeparateBinOutput super.calligraphy;
-  niv = enableSeparateBinOutput (self.generateOptparseApplicativeCompletions [ "niv" ] super.niv);
+  niv = overrideCabal (drv: {
+      buildTools = (drv.buildTools or []) ++ [ pkgs.buildPackages.makeWrapper ];
+      postInstall = ''
+        wrapProgram ''${!outputBin}/bin/niv --prefix PATH : ${pkgs.lib.makeBinPath [ pkgs.nix ]}
+      '';
+    })
+    (enableSeparateBinOutput (self.generateOptparseApplicativeCompletions [ "niv" ] super.niv));
   ghcid = enableSeparateBinOutput super.ghcid;
   ormolu = self.generateOptparseApplicativeCompletions [ "ormolu" ] (enableSeparateBinOutput super.ormolu);
   hnix = self.generateOptparseApplicativeCompletions [ "hnix" ] super.hnix;
diff --git a/pkgs/development/libraries/openimagedenoise/cuda.patch b/pkgs/development/libraries/openimagedenoise/cuda.patch
new file mode 100644
index 0000000000000..4bc5172d88300
--- /dev/null
+++ b/pkgs/development/libraries/openimagedenoise/cuda.patch
@@ -0,0 +1,32 @@
+Remove upstream workarounds for CMake "limitations" that do not appear to exist
+in nixpkgs build environment, but rather break the build, presumably because
+CMAKE_INSTALL_{BIN,LIB}DIR is an absolute path in our build so
+CMAKE_INSTALL_PREFIX has no effect.
+
+diff --git a/devices/CMakeLists.txt b/devices/CMakeLists.txt
+index d5111cd..43986ad 100644
+--- a/devices/CMakeLists.txt
++++ b/devices/CMakeLists.txt
+@@ -53,7 +53,6 @@ if(OIDN_DEVICE_CUDA)
+       -DCMAKE_CXX_COMPILER:FILEPATH=${_host_compiler}
+       -DCMAKE_TOOLCHAIN_FILE:FILEPATH=${CMAKE_TOOLCHAIN_FILE}
+       -DCMAKE_BUILD_TYPE:STRING=${CMAKE_BUILD_TYPE}
+-      -DCMAKE_INSTALL_PREFIX:PATH=${CMAKE_CURRENT_BINARY_DIR}/cuda/preinstall
+       -DCMAKE_INSTALL_BINDIR:PATH=${CMAKE_INSTALL_BINDIR}
+       -DCMAKE_INSTALL_LIBDIR:PATH=${CMAKE_INSTALL_LIBDIR}
+       -DCUDAToolkit_ROOT:PATH=${CUDAToolkit_ROOT}
+@@ -69,14 +68,6 @@ if(OIDN_DEVICE_CUDA)
+     DEPENDS
+       OpenImageDenoise_core
+   )
+-
+-  # Due to limitations of CMake, the module is pre-installed at build time to a temporary location,
+-  # and then copied to the real install location at install time.
+-  install(DIRECTORY
+-    ${CMAKE_CURRENT_BINARY_DIR}/cuda/preinstall/
+-    DESTINATION "."
+-    USE_SOURCE_PERMISSIONS
+-  )
+ endif()
+ 
+ if(OIDN_DEVICE_HIP)
diff --git a/pkgs/development/libraries/openimagedenoise/default.nix b/pkgs/development/libraries/openimagedenoise/default.nix
index 532ee7a095718..e2d9b66004ed6 100644
--- a/pkgs/development/libraries/openimagedenoise/default.nix
+++ b/pkgs/development/libraries/openimagedenoise/default.nix
@@ -1,21 +1,45 @@
-{ lib, stdenv, fetchzip, cmake, tbb, python3, ispc }:
+{
+  cmake,
+  config,
+  cudaPackages,
+  cudaSupport ? config.cudaSupport,
+  fetchzip,
+  ispc,
+  lib,
+  python3,
+  stdenv,
+  tbb,
+}:
 
 stdenv.mkDerivation rec {
   pname = "openimagedenoise";
-  version = "1.4.3";
+  version = "2.2.2";
 
   # The release tarballs include pretrained weights, which would otherwise need to be fetched with git-lfs
   src = fetchzip {
     url = "https://github.com/OpenImageDenoise/oidn/releases/download/v${version}/oidn-${version}.src.tar.gz";
-    sha256 = "sha256-i73w/Vkr5TPLB1ulPbPU4OVGwdNlky1brfarueD7akE=";
+    sha256 = "sha256-ZIrs4oEb+PzdMh2x2BUFXKyu/HBlFb3CJX24ciEHy3Q=";
   };
 
-  nativeBuildInputs = [ cmake python3 ispc ];
-  buildInputs = [ tbb ];
+  patches = lib.optional cudaSupport ./cuda.patch;
+
+  nativeBuildInputs = [
+    cmake
+    python3
+    ispc
+  ] ++ lib.optional cudaSupport cudaPackages.cuda_nvcc;
+
+  buildInputs =
+    [ tbb ]
+    ++ lib.optionals cudaSupport [
+      cudaPackages.cuda_cudart
+      cudaPackages.cuda_cccl
+    ];
 
   cmakeFlags = [
-    "-DTBB_ROOT=${tbb}"
-    "-DTBB_INCLUDE_DIR=${tbb.dev}/include"
+    (lib.cmakeBool "OIDN_DEVICE_CUDA" cudaSupport)
+    (lib.cmakeFeature "TBB_INCLUDE_DIR" "${tbb.dev}/include")
+    (lib.cmakeFeature "TBB_ROOT" "${tbb}")
   ];
 
   meta = with lib; {
diff --git a/pkgs/development/libraries/opensubdiv/default.nix b/pkgs/development/libraries/opensubdiv/default.nix
index 17b7c286229b4..3ed10ef270f97 100644
--- a/pkgs/development/libraries/opensubdiv/default.nix
+++ b/pkgs/development/libraries/opensubdiv/default.nix
@@ -8,13 +8,13 @@
 
 stdenv.mkDerivation rec {
   pname = "opensubdiv";
-  version = "3.5.1";
+  version = "3.6.0";
 
   src = fetchFromGitHub {
     owner = "PixarAnimationStudios";
     repo = "OpenSubdiv";
     rev = "v${lib.replaceStrings ["."] ["_"] version}";
-    sha256 = "sha256-uDKCT0Uoa5WQekMUFm2iZmzm+oWAZ6IWMwfpchkUZY0=";
+    sha256 = "sha256-liy6pQyWMk7rw0usrCoLGzZLO7RAg0z2pV/GF2NnOkE=";
   };
 
   outputs = [ "out" "dev" "static" ];
diff --git a/pkgs/development/python-modules/bases/default.nix b/pkgs/development/python-modules/bases/default.nix
new file mode 100644
index 0000000000000..9c25ffaa63f85
--- /dev/null
+++ b/pkgs/development/python-modules/bases/default.nix
@@ -0,0 +1,73 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+
+, pytestCheckHook
+
+, pythonOlder
+
+, setuptools
+, wheel
+, setuptools-scm
+
+  # for tests
+, base58
+
+, typing-extensions
+, typing-validation
+}:
+
+buildPythonPackage rec {
+  pname = "bases";
+  version = "0.3.0";
+  pyproject = true;
+
+  disabled = pythonOlder "3.7";
+
+  src = fetchFromGitHub {
+    owner = "hashberg-io";
+    repo = "bases";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-CRXVxT9uYud1CKRcdRAD0OX5sTAttrUO9E4BaavTe6A=";
+  };
+
+  build-system = [
+    setuptools
+    wheel
+    setuptools-scm
+  ];
+
+  dependencies = [
+    typing-extensions
+    typing-validation
+  ];
+
+  nativeCheckInputs = [
+    pytestCheckHook
+    base58
+  ];
+
+  pythonImportsCheck = [
+    "bases"
+    "bases.alphabet"
+    "bases.alphabet.abstract"
+    "bases.alphabet.range_alphabet"
+    "bases.alphabet.string_alphabet"
+    "bases.encoding"
+    "bases.encoding.base"
+    "bases.encoding.block"
+    "bases.encoding.errors"
+    "bases.encoding.fixchar"
+    "bases.encoding.simple"
+    "bases.encoding.zeropad"
+    "bases.random"
+  ];
+
+  meta = {
+    description = "Python library for general Base-N encodings";
+    homepage = "https://github.com/hashberg-io/bases";
+    changelog = "https://github.com/hashberg-io/bases/releases/tag/v${version}";
+    license = lib.licenses.mit;
+    maintainers = [ lib.maintainers.vizid ];
+  };
+}
diff --git a/pkgs/development/python-modules/cocotb/0002-Patch-remove-test_unicode_handle_assignment_deprecated-test.patch b/pkgs/development/python-modules/cocotb/0002-Patch-remove-test_unicode_handle_assignment_deprecated-test.patch
new file mode 100644
index 0000000000000..f1a6c7f975fa0
--- /dev/null
+++ b/pkgs/development/python-modules/cocotb/0002-Patch-remove-test_unicode_handle_assignment_deprecated-test.patch
@@ -0,0 +1,25 @@
+diff --git a/tests/test_cases/test_cocotb/test_deprecated.py b/tests/test_cases/test_cocotb/test_deprecated.py
+index 523b93ba..b4f1701e 100644
+--- a/tests/test_cases/test_cocotb/test_deprecated.py
++++ b/tests/test_cases/test_cocotb/test_deprecated.py
+@@ -26,20 +26,6 @@ async def test_returnvalue_deprecated(dut):
+     assert val == 42
+ 
+ 
+-# strings are not supported on Icarus (gh-2585) or GHDL (gh-2584)
+-@cocotb.test(
+-    expect_error=AttributeError
+-    if cocotb.SIM_NAME.lower().startswith("icarus")
+-    else TypeError
+-    if cocotb.SIM_NAME.lower().startswith("ghdl")
+-    else ()
+-)
+-async def test_unicode_handle_assignment_deprecated(dut):
+-    with pytest.warns(DeprecationWarning, match=".*bytes.*"):
+-        dut.stream_in_string.value = "Bad idea"
+-        await cocotb.triggers.ReadWrite()
+-
+-
+ @cocotb.test()
+ async def test_convert_handle_to_string_deprecated(dut):
+     dut.stream_in_data.value = 0
diff --git a/pkgs/development/python-modules/cocotb/default.nix b/pkgs/development/python-modules/cocotb/default.nix
index 0e758490b8030..8d996a4ebb043 100644
--- a/pkgs/development/python-modules/cocotb/default.nix
+++ b/pkgs/development/python-modules/cocotb/default.nix
@@ -52,6 +52,10 @@ buildPythonPackage rec {
   patches = [
     # Fix "can't link with bundle (MH_BUNDLE) only dylibs (MH_DYLIB) file" error
     ./0001-Patch-LDCXXSHARED-for-macOS-along-with-LDSHARED.patch
+
+    # For the 1.8.1 release only: remove the test_unicode_handle_assignment_deprecated test
+    # It's more thoroughly removed upstream master with 425e1edb8e7133f4a891f2f87552aa2748cd8d2c
+    ./0002-Patch-remove-test_unicode_handle_assignment_deprecated-test.patch
   ];
 
   nativeCheckInputs = [ cocotb-bus pytestCheckHook swig verilog ghdl ];
diff --git a/pkgs/development/python-modules/glean-parser/default.nix b/pkgs/development/python-modules/glean-parser/default.nix
index 7f0dfe2d5e87b..86a4c6248f5d4 100644
--- a/pkgs/development/python-modules/glean-parser/default.nix
+++ b/pkgs/development/python-modules/glean-parser/default.nix
@@ -15,7 +15,7 @@
 
 buildPythonPackage rec {
   pname = "glean-parser";
-  version = "13.0.0";
+  version = "13.0.1";
   format = "setuptools";
 
   disabled = pythonOlder "3.8";
@@ -23,7 +23,7 @@ buildPythonPackage rec {
   src = fetchPypi {
     pname = "glean_parser";
     inherit version;
-    hash = "sha256-gzeAyrfgVwNLNSeGIDr5TyGvywCUy+1gEEcfXcIaX5E=";
+    hash = "sha256-/urUy+xpMO04pI31uunrTuSGu0Am3fLzIGuF+AJ50ec=";
   };
 
   postPatch = ''
diff --git a/pkgs/development/python-modules/plotnine/default.nix b/pkgs/development/python-modules/plotnine/default.nix
index cc446f300bf14..bb39cae86c252 100644
--- a/pkgs/development/python-modules/plotnine/default.nix
+++ b/pkgs/development/python-modules/plotnine/default.nix
@@ -16,7 +16,7 @@
 
 buildPythonPackage rec {
   pname = "plotnine";
-  version = "0.13.2";
+  version = "0.13.3";
   pyproject = true;
 
   disabled = pythonOlder "3.9";
@@ -25,7 +25,7 @@ buildPythonPackage rec {
     owner = "has2k1";
     repo = "plotnine";
     rev = "refs/tags/v${version}";
-    hash = "sha256-GgkaFiRRVpr0TreAetpaiOjpsyLV2wfGQWvUdHJN2mg=";
+    hash = "sha256-dbfbXYYmVdufTtrrllrqwe87LL1nYRar4RMLef7ajTQ=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/tools/backblaze-b2/default.nix b/pkgs/development/tools/backblaze-b2/default.nix
index 76301b5f4820a..3ed49c05bec98 100644
--- a/pkgs/development/tools/backblaze-b2/default.nix
+++ b/pkgs/development/tools/backblaze-b2/default.nix
@@ -46,7 +46,9 @@ python3Packages.buildPythonApplication rec {
     backoff
     more-itertools
     pexpect
-    pytestCheckHook
+
+    # backblaze-b2 requires pytest 7 to complete tests.
+    (pytestCheckHook.override { pytest = pytest_7; })
   ];
 
   preCheck = ''
diff --git a/pkgs/development/tools/iferr/default.nix b/pkgs/development/tools/iferr/default.nix
index 9a7b25a4cb40a..34ee7eaa99dae 100644
--- a/pkgs/development/tools/iferr/default.nix
+++ b/pkgs/development/tools/iferr/default.nix
@@ -1,29 +1,29 @@
-{ buildGoPackage
+{ buildGoModule
 , lib
 , fetchFromGitHub
 }:
 
-buildGoPackage rec {
-  pname = "iferr-unstable";
-  version = "2018-06-15";
-  rev = "bb332a3b1d9129b6486c7ddcb7030c11b05cfc88";
-
-  goPackagePath = "github.com/koron/iferr";
+buildGoModule {
+  pname = "iferr";
+  version = "0-unstable-2024-01-22";
 
   src = fetchFromGitHub {
-    inherit rev;
-
     owner = "koron";
     repo = "iferr";
-    sha256 = "1nyqy1sgq2afiama4wy7wap8s03c0hiwwa0f6kwq3y59097rfc0c";
+    rev = "9c3e2fbe4bd19a7f0338e42bb483562ed4cf4d50";
+    hash = "sha256-qGuSsdQorb407rDl2o7w7kPCLng3W7YQsqo5JpoZFW8=";
   };
 
+  vendorHash = null;
+
+  ldflags = [ "-s" "-w" ];
+
   meta = with lib; {
     description = ''Generate "if err != nil {" block'';
     mainProgram = "iferr";
     homepage = "https://github.com/koron/iferr";
     license = licenses.mit;
     maintainers = with maintainers; [ kalbasit ];
-    platforms = platforms.linux ++ platforms.darwin;
+    mainProgram = "iferr";
   };
 }
diff --git a/pkgs/development/web/flyctl/default.nix b/pkgs/development/web/flyctl/default.nix
index 0d7f9f2c38f6b..84caa116eea47 100644
--- a/pkgs/development/web/flyctl/default.nix
+++ b/pkgs/development/web/flyctl/default.nix
@@ -2,16 +2,16 @@
 
 buildGo122Module rec {
   pname = "flyctl";
-  version = "0.2.17";
+  version = "0.2.25";
 
   src = fetchFromGitHub {
     owner = "superfly";
     repo = "flyctl";
     rev = "v${version}";
-    hash = "sha256-XE1kZdR9ZbWMqp0neouZBvNtIJbOdzp/aMe+uA85zL8=";
+    hash = "sha256-yMkTLUM/1P9VrsYaF4m9YyRLV6qz6uMiYlhUN5S58uU=";
   };
 
-  vendorHash = "sha256-ZX7hcxQJdSLwY37DnV3vKcBW+K9F5RMPUeMtWzm48Dc=";
+  vendorHash = "sha256-TMlJbh9tMRNdeZlem27lgknuJ/YNFkVaWS9BNTTuXic=";
 
   subPackages = [ "." ];
 
diff --git a/pkgs/os-specific/linux/kernel/xanmod-kernels.nix b/pkgs/os-specific/linux/kernel/xanmod-kernels.nix
index 08e6f83a2ffe3..7477ba323ca7b 100644
--- a/pkgs/os-specific/linux/kernel/xanmod-kernels.nix
+++ b/pkgs/os-specific/linux/kernel/xanmod-kernels.nix
@@ -6,14 +6,14 @@ let
   # NOTE: When updating these, please also take a look at the changes done to
   # kernel config in the xanmod version commit
   ltsVariant = {
-    version = "6.6.22";
-    hash = "sha256-vpWUdzgI8i/1r5nMp0tx+x67GDTnjQF5ueITIl36lvA=";
+    version = "6.6.23";
+    hash = "sha256-RaHM7eZDuOtEdISO6trTLE1QN91VFyXe0NuwLvvz9p4=";
     variant = "lts";
   };
 
   mainVariant = {
-    version = "6.7.10";
-    hash = "sha256-uwlvQh11uf1skSdlIz7XdjRkdI/wf3VqEeOP20JO5OU=";
+    version = "6.7.11";
+    hash = "sha256-QmboeWBdhAgesgYoVUbBWrP8toY6fMt9+FhzglEmtiE=";
     variant = "main";
   };
 
@@ -29,6 +29,10 @@ let
     };
 
     structuredExtraConfig = with lib.kernel; {
+      # CPUFreq governor Performance
+      CPU_FREQ_DEFAULT_GOV_PERFORMANCE = lib.mkOverride 60 yes;
+      CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = lib.mkOverride 60 no;
+
       # Google's BBRv3 TCP congestion Control
       TCP_CONG_BBR = yes;
       DEFAULT_BBR = yes;
diff --git a/pkgs/servers/mail/mailpit/default.nix b/pkgs/servers/mail/mailpit/default.nix
index 55be7d208822d..e64e1c7fcbbbc 100644
--- a/pkgs/servers/mail/mailpit/default.nix
+++ b/pkgs/servers/mail/mailpit/default.nix
@@ -12,13 +12,13 @@
 }:
 
 let
-  version = "1.13.1";
+  version = "1.15.0";
 
   src = fetchFromGitHub {
     owner = "axllent";
     repo = "mailpit";
     rev = "v${version}";
-    hash = "sha256-50amJ4pFNVcV7WT303ObPJiCx6tNYWNks3oFnexHRoA=";
+    hash = "sha256-Gu2LKuXzJSOvLZZrxOKwusALkMmNOnb3gyBqxbmZbfI=";
   };
 
   # Separate derivation, because if we mix this in buildGoModule, the separate
@@ -30,7 +30,7 @@ let
 
     npmDeps = fetchNpmDeps {
       inherit src;
-      hash = "sha256-KleFztYmbgIPg/3acXJTg1J5uyWsVZUQ0caK+hT1uxQ=";
+      hash = "sha256-5F68ia2V8mw4iPAjSoz0b8z1lplWtAg98BgDXYOmMKs=";
     };
 
     env = lib.optionalAttrs (stdenv.isDarwin && stdenv.isx86_64) {
@@ -56,7 +56,7 @@ buildGoModule {
   pname = "mailpit";
   inherit src version;
 
-  vendorHash = "sha256-iNNs9vLvOKqVpLKt65wVmffgq1l/9KOtnbRPg+2kbsM=";
+  vendorHash = "sha256-e2mlOwGDU5NlKZSstHMdTidSfhNeeY6cBgtW+W9nwV8=";
 
   CGO_ENABLED = 0;
 
diff --git a/pkgs/servers/search/quickwit/default.nix b/pkgs/servers/search/quickwit/default.nix
index f4d75be434ecb..5e205b40bac5d 100644
--- a/pkgs/servers/search/quickwit/default.nix
+++ b/pkgs/servers/search/quickwit/default.nix
@@ -10,7 +10,7 @@
 
 let
   pname = "quickwit";
-  version = "0.6.4";
+  version = "0.8.0";
 in
 rustPlatform.buildRustPackage rec {
   inherit pname version;
@@ -19,16 +19,16 @@ rustPlatform.buildRustPackage rec {
     owner = "quickwit-oss";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-stlm3oDMQVoMza3s4JApynXbzhrarfXw3uAxGMZQJqs=";
+    hash = "sha256-FZVGQfDuQYIdRnCsBZvXeLbJBdcLugZeHNm+kf6L9SY=";
   };
 
   postPatch = ''
     substituteInPlace ./quickwit-ingest/build.rs \
-      --replace '&[]' '&["."]'
+      --replace-fail '.with_protos' '.with_includes(&["."]).with_protos'
     substituteInPlace ./quickwit-codegen/example/build.rs \
-      --replace '&[]' '&["."]'
+      --replace-fail '.with_protos' '.with_includes(&["."]).with_protos'
     substituteInPlace ./quickwit-proto/build.rs \
-      --replace '&[]' '&["."]'
+      --replace-fail '.with_protos' '.with_includes(&["."]).with_protos'
   '';
 
   sourceRoot = "${src.name}/quickwit";
@@ -40,9 +40,9 @@ rustPlatform.buildRustPackage rec {
   cargoLock = {
     lockFile = ./Cargo.lock;
     outputHashes = {
-      "chitchat-0.5.0" = "sha256-gGWMzTzQNb9JXSbPIanMJpEKhKen1KsIrWQz6wvypDY=";
-      "ownedbytes-0.5.0" = "sha256-ZuWwj5EzDm4YOUU/MhmR7CBOHM444ljBFSkC+wLBia4=";
-      "path-0.1.0" = "sha256-f+Iix+YuKy45zoQXH7ctzANaL96s7HNUBOhcM1ZV0Ko=";
+      "chitchat-0.8.0" = "sha256-cjwKaBXoztYUXgnJvtFH+OSQU6tl2U3zKFWX324+9wo=";
+      "mrecordlog-0.4.0" = "sha256-9LIVs+BqK9FLSfHL3vm9LL+/FXIXJ6v617QLv4luQik=";
+      "ownedbytes-0.6.0" = "sha256-in18/NYYIgUiZ9sm8NgJlebWidRp34DR7AhOD1Nh0aw=";
       "pulsar-5.0.2" = "sha256-j7wpsAro6x4fk3pvSL4fxLkddJFq8duZ7jDj0Edf3YQ=";
       "sasl2-sys-0.1.20+2.1.28" = "sha256-u4BsfmTDFxuY3i1amLCsr7MDv356YPThMHclura0Sxs=";
       "whichlang-0.1.0" = "sha256-7AvLGjtWHjG0TnZdg9p5D+O0H19uo2sqPxJMn6mOU0k=";
diff --git a/pkgs/servers/sql/postgresql/ext/lantern.nix b/pkgs/servers/sql/postgresql/ext/lantern.nix
index bd5f1098f8d66..2d30227ed5a5d 100644
--- a/pkgs/servers/sql/postgresql/ext/lantern.nix
+++ b/pkgs/servers/sql/postgresql/ext/lantern.nix
@@ -8,13 +8,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "lantern";
-  version = "0.2.1";
+  version = "0.2.2";
 
   src = fetchFromGitHub {
     owner = "lanterndata";
     repo = "lantern";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-UP3txEBBJV/iOOBDVpRCrsoiAp6QEOHTomlLmbeTQdU=";
+    hash = "sha256-crN1KEzhiRLhQbv2O1vvjtHDV41yLyrwDpHa7mUFW64=";
     fetchSubmodules = true;
   };
 
diff --git a/pkgs/servers/tailscale/default.nix b/pkgs/servers/tailscale/default.nix
index 4e6976d5310d3..7da355cf4a92f 100644
--- a/pkgs/servers/tailscale/default.nix
+++ b/pkgs/servers/tailscale/default.nix
@@ -12,7 +12,7 @@
 }:
 
 let
-  version = "1.62.0";
+  version = "1.62.1";
 in
 buildGoModule {
   pname = "tailscale";
@@ -22,7 +22,7 @@ buildGoModule {
     owner = "tailscale";
     repo = "tailscale";
     rev = "v${version}";
-    hash = "sha256-qotoCKUb5INgdSELvJpDaDvCuzVqet5zeIazzRnYoqo=";
+    hash = "sha256-gV1k+8n6vuL9q4hNaMdQLf6083Em+CC7/uTdUpehbUU=";
   };
   vendorHash = "sha256-jyRjT/CQBlmjHzilxJvMuzZQlGyJB4X/yISgWjBVDxc=";
 
diff --git a/pkgs/tools/audio/catnip/default.nix b/pkgs/tools/audio/catnip/default.nix
index de8a609dfd618..fea82e71cd865 100644
--- a/pkgs/tools/audio/catnip/default.nix
+++ b/pkgs/tools/audio/catnip/default.nix
@@ -9,13 +9,13 @@
 
 buildGoModule rec {
   pname = "catnip";
-  version = "1.8.0";
+  version = "1.8.5";
 
   src = fetchFromGitHub {
     owner = "noriah";
     repo = "catnip";
     rev = "v${version}";
-    hash = "sha256-eVEoQrI8NycEV/dPUNFqkzgjOYaGmH1+lLRRkOybXDU=";
+    hash = "sha256-9gneteQIzbMNjg/08uq+pCbs2a32He2gL+hovxcJFzE=";
   };
 
   vendorHash = "sha256-Hj453+5fhbUL6YMeupT5D6ydaEMe+ZQNgEYHtCUtTx4=";
diff --git a/pkgs/tools/misc/coreboot-utils/default.nix b/pkgs/tools/misc/coreboot-utils/default.nix
index 5af1d23c5442c..50045b7855741 100644
--- a/pkgs/tools/misc/coreboot-utils/default.nix
+++ b/pkgs/tools/misc/coreboot-utils/default.nix
@@ -1,7 +1,7 @@
 { lib, stdenv, fetchgit, pkg-config, zlib, pciutils, openssl, coreutils, acpica-tools, makeWrapper, gnugrep, gnused, file, buildEnv }:
 
 let
-  version = "4.21";
+  version = "24.02";
 
   commonMeta = with lib; {
     description = "Various coreboot-related tools";
@@ -16,8 +16,8 @@ let
 
     src = fetchgit {
       url = "https://review.coreboot.org/coreboot";
-      rev = "c1386ef6128922f49f93de5690ccd130a26eecf2";
-      sha256 = "sha256-n/bo3hoY7DEP103ftWu3uCLFXEsz+F9rWS22kcF7Ah8=";
+      rev = "4845b69db29107ce8d9cd2969b4aad5c7daa6399";
+      sha256 = "sha256-whALKP9MetyMJSmXVf0WYd9dP8AGa+ADAB8cmIqt4HU=";
     };
 
     enableParallelBuilding = true;
diff --git a/pkgs/tools/security/cryptomator/default.nix b/pkgs/tools/security/cryptomator/default.nix
index 39654ae0ceafe..2766a4e88ac27 100644
--- a/pkgs/tools/security/cryptomator/default.nix
+++ b/pkgs/tools/security/cryptomator/default.nix
@@ -14,13 +14,13 @@ in
 assert stdenv.isLinux; # better than `called with unexpected argument 'enableJavaFX'`
 mavenJdk.buildMavenPackage rec {
   pname = "cryptomator";
-  version = "1.12.3";
+  version = "1.12.4";
 
   src = fetchFromGitHub {
     owner = "cryptomator";
     repo = "cryptomator";
     rev = version;
-    hash = "sha256-pVQ3xlNgJIDz8dnNoiLJaG6y4kNHNLL7zYq1sl6rleY=";
+    hash = "sha256-i5TrWXOkRR+1iqSzMTJEe5xMJ3iM5kdI3fXb/Z5/Gb0=";
   };
 
   mvnParameters = "-Dmaven.test.skip=true -Plinux";
diff --git a/pkgs/tools/security/semgrep/common.nix b/pkgs/tools/security/semgrep/common.nix
index 57f5163f4cbf3..3436d4267964f 100644
--- a/pkgs/tools/security/semgrep/common.nix
+++ b/pkgs/tools/security/semgrep/common.nix
@@ -1,9 +1,9 @@
 { lib }:
 
 rec {
-  version = "1.63.0";
+  version = "1.66.2";
 
-  srcHash = "sha256-VMB+slexCXxv9z6kOxbYQrnet6sb4ZKTATXWkLix9u4=";
+  srcHash = "sha256-xonZzZsAkAPMVINGEA10CvQ1diYgHBowNsR2pk4tYr8=";
 
   # submodule dependencies
   # these are fetched so we:
@@ -13,8 +13,8 @@ rec {
     "cli/src/semgrep/semgrep_interfaces" = {
       owner = "semgrep";
       repo = "semgrep-interfaces";
-      rev = "8751faab89f23f7af3a92f5d4d4e6451ccaa205a";
-      hash = "sha256-0Si4wUymwA2k/u953GifYgHKi6gvu3FiaDHm1Kj30sA=";
+      rev = "215a54782174de84f97188632b4a37e35ba0f827";
+      hash = "sha256-Q8E5LkC/NV0wvt9ZwhkoPGjPlDavVHHMnX0sVNK3dAM=";
     };
   };
 
@@ -25,15 +25,15 @@ rec {
   core = {
     x86_64-linux = {
       platform = "any";
-      hash = "sha256-KBiYd1zWDxs5T2AGR49o/X2J6espuqi7ykCh3Zsg8i4=";
+      hash = "sha256-f/RcuJyd8y2bMclMxZ1BdNTVixhjLz0UxSKGZm+H8yI=";
     };
     x86_64-darwin = {
       platform = "macosx_10_14_x86_64";
-      hash = "sha256-EfVpKdRE5qvEVMGu8QUM183YPNDjgxQlca3nUb3m1tw=";
+      hash = "sha256-4H9PT41lPydMFl51O2CgeMQiTE66fZ8RP26CVT7Y7Ok=";
     };
     aarch64-darwin = {
       platform = "macosx_11_0_arm64";
-      hash = "sha256-ksqkVdE7aIbeETSxLpDXef6Hmv7G5LxQ0+v+/G9OpKk=";
+      hash = "sha256-WxQ0ohojzhWmPo208xN98F5GwbNzQuxCjSwP7h3rBGA=";
     };
   };
 
diff --git a/pkgs/tools/security/semgrep/default.nix b/pkgs/tools/security/semgrep/default.nix
index 70e6b8641ee8c..6b62ab80e7ea6 100644
--- a/pkgs/tools/security/semgrep/default.nix
+++ b/pkgs/tools/security/semgrep/default.nix
@@ -27,14 +27,6 @@ buildPythonApplication rec {
     hash = common.srcHash;
   };
 
-  patches = [
-    (fetchpatch {
-      name = "fix-test_dump_engine-test-for-nix-store-path.patch";
-      url = "https://github.com/semgrep/semgrep/commit/c7553c1a61251146773617f80a2d360e6b6ab3f9.patch";
-      hash = "sha256-A3QdL0DDh/pbDpRIBACUie7PEvC17iG4t6qTnmPIwA4=";
-    })
-  ];
-
   # prepare a subset of the submodules as we only need a handful
   # and there are many many submodules total
   postPatch = (lib.concatStringsSep "\n" (lib.mapAttrsToList
@@ -94,6 +86,12 @@ buildPythonApplication rec {
     types-freezegun
   ]);
 
+  disabledTestPaths = [
+    "tests/default/e2e"
+    "tests/default/e2e-pro"
+    "tests/default/e2e-pysemgrep"
+  ];
+
   disabledTests = [
     # requires networking
     "test_send"
@@ -117,14 +115,6 @@ buildPythonApplication rec {
     # replace old semgrep with wrapped one
     rm ./bin/semgrep
     ln -s $out/bin/semgrep ./bin/semgrep
-
-    # disabledTestPaths doesn't manage to avoid the e2e tests
-    # remove them from pyproject.toml
-    # and remove need for pytest-split
-    substituteInPlace pyproject.toml \
-      --replace '"tests/e2e",' "" \
-      --replace '"tests/e2e-pro",' "" \
-      --replace 'addopts = "--splitting-algorithm=least_duration"' ""
   '';
 
   postCheck = ''
diff --git a/pkgs/tools/system/mediawriter/default.nix b/pkgs/tools/system/mediawriter/default.nix
index bf2b4ce27ff47..8740a9b8a1e1b 100644
--- a/pkgs/tools/system/mediawriter/default.nix
+++ b/pkgs/tools/system/mediawriter/default.nix
@@ -11,13 +11,13 @@
 
 stdenv.mkDerivation rec {
   pname = "mediawriter";
-  version = "5.0.9";
+  version = "5.1.1";
 
   src = fetchFromGitHub {
     owner = "FedoraQt";
     repo = "MediaWriter";
     rev = "refs/tags/${version}";
-    hash = "sha256-FmMiv78r95shCpqN5PV6Oxms/hQY9ycqRn9L61aR8n4=";
+    hash = "sha256-I4q9VARQiZf+Qz83EToyUj+eS3CTPsxEw0paACS8lmE=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 7acda5b7144ee..94a27ec09da64 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -1390,6 +1390,8 @@ self: super: with self; {
 
   basemap-data = callPackage ../development/python-modules/basemap-data { };
 
+  bases = callPackage ../development/python-modules/bases { };
+
   bash-kernel = callPackage ../development/python-modules/bash-kernel { };
 
   bashlex = callPackage ../development/python-modules/bashlex { };