Merge staging-next into staging

36 files changed, 518 insertions, 202 deletions

diff --git a/pkgs/applications/audio/mopidy/youtube.nix b/pkgs/applications/audio/mopidy/youtube.nix
index 7ae8e17c78e53..ecb8128032e58 100644
--- a/pkgs/applications/audio/mopidy/youtube.nix
+++ b/pkgs/applications/audio/mopidy/youtube.nix
@@ -1,29 +1,56 @@
-{ lib, python3Packages, mopidy }:
+{ lib
+, fetchFromGitHub
+, python3
+, mopidy
+}:
 
-python3Packages.buildPythonApplication rec {
+python3.pkgs.buildPythonApplication rec {
   pname = "mopidy-youtube";
   version = "3.4";
 
-  src = python3Packages.fetchPypi {
-    inherit version;
-    pname = "Mopidy-YouTube";
-    sha256 = "sha256-996MNByMcKq1woDGK6jsmAHS9TOoBrwSGgPmcShvTRw=";
-  };
+  disabled = python3.pythonOlder "3.7";
 
-  postPatch = "sed s/bs4/beautifulsoup4/ -i setup.cfg";
+  src = fetchFromGitHub {
+    owner = "natumbri";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "0lm6nn926qkrwzvj64yracdixfrnv5zk243msjskrnlzkhgk01rk";
+  };
 
-  propagatedBuildInputs = with python3Packages; [
+  propagatedBuildInputs = with python3.pkgs; [
     beautifulsoup4
     cachetools
+    pykka
+    requests
     youtube-dl
     ytmusicapi
-  ] ++ [ mopidy ];
+  ] ++ [
+    mopidy
+  ];
+
+  checkInputs = with python3.pkgs; [
+    vcrpy
+    pytestCheckHook
+  ];
+
+  disabledTests = [
+    # Test requires a YouTube API key
+    "test_get_default_config"
+  ];
+
+  disabledTestPaths = [
+    # Fails with an import error
+    "tests/test_backend.py"
+  ];
 
-  doCheck = false;
+  pythonImportsCheck = [
+    "mopidy_youtube"
+  ];
 
   meta = with lib; {
     description = "Mopidy extension for playing music from YouTube";
+    homepage = "https://github.com/natumbri/mopidy-youtube";
     license = licenses.asl20;
-    maintainers = [ maintainers.spwhitt ];
+    maintainers = with maintainers; [ spwhitt ];
   };
 }
diff --git a/pkgs/applications/blockchains/btcpayserver/default.nix b/pkgs/applications/blockchains/btcpayserver/default.nix
index 9c810036199ec..a5d9432b143ba 100644
--- a/pkgs/applications/blockchains/btcpayserver/default.nix
+++ b/pkgs/applications/blockchains/btcpayserver/default.nix
@@ -15,13 +15,13 @@ in
 
 stdenv.mkDerivation rec {
   pname = "btcpayserver";
-  version = "1.2.3";
+  version = "1.2.4";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-6ktlnbYb+pOXwl52QmnqDsPlXaiF1ghjQg1yfznulqo=";
+    sha256 = "sha256-vjNJ08twsJ036TTFF6srOGshDpP7ZwWCGN0XjrtFT/g=";
   };
 
   nativeBuildInputs = [ dotnetSdk dotnetPackages.Nuget makeWrapper ];
diff --git a/pkgs/applications/blockchains/nbxplorer/default.nix b/pkgs/applications/blockchains/nbxplorer/default.nix
index a0f1cfe87ee72..c55965054b7e4 100644
--- a/pkgs/applications/blockchains/nbxplorer/default.nix
+++ b/pkgs/applications/blockchains/nbxplorer/default.nix
@@ -15,13 +15,13 @@ in
 
 stdenv.mkDerivation rec {
   pname = "nbxplorer";
-  version = "2.2.5";
+  version = "2.2.11";
 
   src = fetchFromGitHub {
     owner = "dgarage";
     repo = "NBXplorer";
     rev = "v${version}";
-    sha256 = "sha256-EWT/1fQpqEyKBEDHvmguHV/8s30DxweYswy0QvMDzcQ=";
+    sha256 = "sha256-ZDqzkANGMdvv3e5gWCYcacUYKLJRquXRHLr8RAzT9hY=";
   };
 
   nativeBuildInputs = [ dotnetSdk dotnetPackages.Nuget makeWrapper ];
diff --git a/pkgs/applications/blockchains/nbxplorer/deps.nix b/pkgs/applications/blockchains/nbxplorer/deps.nix
index fe34d99f1d895..d53e784ea1185 100644
--- a/pkgs/applications/blockchains/nbxplorer/deps.nix
+++ b/pkgs/applications/blockchains/nbxplorer/deps.nix
@@ -1,8 +1,8 @@
 { fetchNuGet }: [
   (fetchNuGet {
     name = "DBTrie";
-    version = "1.0.38";
-    sha256 = "09n9f2j0pha2np9cpbgjfs19jwvfmrglws89izarq71gl8jia6d9";
+    version = "1.0.39";
+    sha256 = "0kbvl3kf73hrh1w2n3d2wshlxpqsv1pwydhwv2wxigmvs70fn1xp";
   })
   (fetchNuGet {
     name = "Microsoft.AspNetCore.JsonPatch";
@@ -181,23 +181,18 @@
   })
   (fetchNuGet {
     name = "NBitcoin.Altcoins";
-    version = "3.0.4";
-    sha256 = "03aia31sznw81jjr9k6dkwgvm9dc38fgp1z8y5i45vlkf5fp89pb";
+    version = "3.0.7";
+    sha256 = "0nrkdbsc4k9fd4588axnkfa9gmif9b59wxw8fnmpg0nf4x8scm4n";
   })
   (fetchNuGet {
     name = "NBitcoin.TestFramework";
-    version = "3.0.3";
-    sha256 = "1j3ajj4jrwqzlhzhkg7vicwab0aq2y50x53rindd8cq09jxvzk62";
+    version = "3.0.5";
+    sha256 = "09cgjzbkxvsi65qzns0ignp0x89z630vqacsgwj3b1h30dycwqdr";
   })
   (fetchNuGet {
     name = "NBitcoin";
-    version = "6.0.6";
-    sha256 = "1kf2rjrnh97zlh00affsv95f94bwgr2h7b00njqac4qgv9cac7sa";
-  })
-  (fetchNuGet {
-    name = "NBitcoin";
-    version = "6.0.8";
-    sha256 = "1f90zyrd35fzx0vgvd83jhd6hczd4037h2k198xiyxj04l4m3wm5";
+    version = "6.0.10";
+    sha256 = "00m0j74pqyjqal1wc28j6734rfd9zd7ajqb1p3fsdpqr16kfg56s";
   })
   (fetchNuGet {
     name = "NETStandard.Library";
diff --git a/pkgs/build-support/release/debian-build.nix b/pkgs/build-support/release/debian-build.nix
index bd54401e23562..9104bf2dce5cc 100644
--- a/pkgs/build-support/release/debian-build.nix
+++ b/pkgs/build-support/release/debian-build.nix
@@ -3,7 +3,7 @@
 
 { name ? "debian-build"
 , diskImage
-, src, stdenv, vmTools, checkinstall
+, src, lib, stdenv, vmTools, checkinstall
 , fsTranslation ? false
 , # Features provided by this package.
   debProvides ? []
diff --git a/pkgs/data/themes/marwaita/default.nix b/pkgs/data/themes/marwaita/default.nix
index bdb14be0bdd85..809b45a0fda08 100644
--- a/pkgs/data/themes/marwaita/default.nix
+++ b/pkgs/data/themes/marwaita/default.nix
@@ -9,13 +9,13 @@
 
 stdenv.mkDerivation rec {
   pname = "marwaita";
-  version = "10.3";
+  version = "11.1";
 
   src = fetchFromGitHub {
     owner = "darkomarko42";
     repo = pname;
     rev = version;
-    sha256 = "0v9sxjy4x03y3hcgbkn9lj010kd5csiyc019dwxzvx5kg8xh8qca";
+    sha256 = "0jzjrx21i9bny4117nlwkrvjc4cg2w6r42ra66hxzaazcs9hvny2";
   };
 
   buildInputs = [
diff --git a/pkgs/development/libraries/opendht/default.nix b/pkgs/development/libraries/opendht/default.nix
index 2de005d885a1d..d785146ecb070 100644
--- a/pkgs/development/libraries/opendht/default.nix
+++ b/pkgs/development/libraries/opendht/default.nix
@@ -1,6 +1,22 @@
-{ lib, stdenv, fetchFromGitHub, darwin
-, cmake, pkg-config
-, asio, nettle, gnutls, msgpack, readline, libargon2
+{ lib
+, stdenv
+, fetchFromGitHub
+, Security
+, cmake
+, pkg-config
+, asio
+, nettle
+, gnutls
+, msgpack
+, readline
+, libargon2
+, jsoncpp
+, restinio
+, http-parser
+, openssl
+, fmt
+, enableProxyServerAndClient ? false
+, enablePushNotifications ? false
 }:
 
 stdenv.mkDerivation rec {
@@ -14,29 +30,42 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-Os5PRYTZMVekQrbwNODWsHANTx6RSC5vzGJ5JoYtvtE=";
   };
 
-  nativeBuildInputs =
-    [ cmake
-      pkg-config
-    ];
+  nativeBuildInputs = [
+    cmake
+    pkg-config
+  ];
 
-  buildInputs =
-    [ asio
-      nettle
-      gnutls
-      msgpack
-      readline
-      libargon2
-    ] ++ lib.optionals stdenv.isDarwin [
-      darwin.apple_sdk.frameworks.Security
-    ];
+  buildInputs = [
+    asio
+    nettle
+    gnutls
+    msgpack
+    readline
+    libargon2
+  ] ++ lib.optionals enableProxyServerAndClient [
+    jsoncpp
+    restinio
+    http-parser
+    openssl
+    fmt
+  ] ++ lib.optionals stdenv.isDarwin [
+    Security
+  ];
+
+  cmakeFlags = lib.optionals enableProxyServerAndClient [
+    "-DOPENDHT_PROXY_SERVER=ON"
+    "-DOPENDHT_PROXY_CLIENT=ON"
+  ] ++ lib.optionals enablePushNotifications [
+    "-DOPENDHT_PUSH_NOTIFICATIONS=ON"
+  ];
 
   outputs = [ "out" "lib" "dev" "man" ];
 
   meta = with lib; {
     description = "A C++11 Kademlia distributed hash table implementation";
-    homepage    = "https://github.com/savoirfairelinux/opendht";
-    license     = licenses.gpl3Plus;
+    homepage = "https://github.com/savoirfairelinux/opendht";
+    license = licenses.gpl3Plus;
     maintainers = with maintainers; [ taeer olynch thoughtpolice ];
-    platforms   = platforms.unix;
+    platforms = platforms.unix;
   };
 }
diff --git a/pkgs/development/python-modules/apache-airflow/default.nix b/pkgs/development/python-modules/apache-airflow/default.nix
index 2d80b6a3984af..2ffe0b137528c 100644
--- a/pkgs/development/python-modules/apache-airflow/default.nix
+++ b/pkgs/development/python-modules/apache-airflow/default.nix
@@ -64,13 +64,13 @@
 }:
 let
 
-  version = "2.1.2";
+  version = "2.1.4";
 
   airflow-src = fetchFromGitHub rec {
     owner = "apache";
     repo = "airflow";
     rev = version;
-    sha256 = "sha256-Q0l2c1tuxcoE65zgdxnv/j1TIoQzaNoEFCYHvqN+Bzk=";
+    sha256 = "12nxjaz4afkq30s42x3rbsci8jiw2k5zjngsc8i190fasbacbnbs";
   };
 
   # airflow bundles a web interface, which is built using webpack by an undocumented shell script in airflow's source tree.
@@ -193,7 +193,9 @@ buildPythonPackage rec {
       --replace "sqlalchemy>=1.3.18, <1.4" "sqlalchemy" \
       --replace "sqlalchemy_jsonfield~=1.0" "sqlalchemy-jsonfield" \
       --replace "werkzeug~=1.0, >=1.0.1" "werkzeug" \
-      --replace "itsdangerous>=1.1.0, <2.0" "itsdangerous"
+      --replace "itsdangerous>=1.1.0, <2.0" "itsdangerous" \
+      --replace "python-slugify>=3.0.0,<5.0" "python-slugify" \
+      --replace "colorlog>=4.0.2, <6.0" "colorlog"
 
     substituteInPlace tests/core/test_core.py \
       --replace "/bin/bash" "${stdenv.shell}"
diff --git a/pkgs/development/python-modules/commoncode/default.nix b/pkgs/development/python-modules/commoncode/default.nix
index 136a638c352c0..04921a618c253 100644
--- a/pkgs/development/python-modules/commoncode/default.nix
+++ b/pkgs/development/python-modules/commoncode/default.nix
@@ -1,24 +1,29 @@
 { lib
-, fetchPypi
+, attrs
+, beautifulsoup4
 , buildPythonPackage
-, setuptools-scm
 , click
-, requests
-, attrs
+, fetchPypi
 , intbitset
+, pytest-xdist
+, pytestCheckHook
+, pythonOlder
+, requests
 , saneyaml
+, setuptools-scm
 , text-unidecode
-, beautifulsoup4
-, pytestCheckHook
-, pytest-xdist
+, typing
 }:
+
 buildPythonPackage rec {
   pname = "commoncode";
-  version = "21.8.31";
+  version = "30.0.0";
+
+  disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "0e74c61226834393801e921ab125eae3b52361340278fb9a468c5c691d286c32";
+    sha256 = "sha256-6SeU4u6pfDuGCgCYAO5fdbWBxW9XN3WvM8j6DwUlFwM=";
   };
 
   dontConfigure = true;
@@ -28,13 +33,15 @@ buildPythonPackage rec {
   ];
 
   propagatedBuildInputs = [
-    click
-    requests
     attrs
+    beautifulsoup4
+    click
     intbitset
+    requests
     saneyaml
     text-unidecode
-    beautifulsoup4
+  ] ++ lib.optionals (pythonOlder "3.7") [
+    typing
   ];
 
   checkInputs = [
diff --git a/pkgs/development/python-modules/debian-inspector/default.nix b/pkgs/development/python-modules/debian-inspector/default.nix
index e19694bcf9c83..b91e26f714671 100644
--- a/pkgs/development/python-modules/debian-inspector/default.nix
+++ b/pkgs/development/python-modules/debian-inspector/default.nix
@@ -11,12 +11,12 @@
 
 buildPythonPackage rec {
   pname = "debian-inspector";
-  version = "21.5.25";
+  version = "30.0.0";
 
   src = fetchPypi {
     pname = "debian_inspector";
     inherit version;
-    sha256 = "1d3xaqw00kav85nk29qm2yqb73bkyqf185fs1q0vgd7bnap9wqaw";
+    sha256 = "sha256-0PT5sT6adaqgYQtWjks12ys0z1C3n116aeJaEKR/Wxg=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/extractcode/default.nix b/pkgs/development/python-modules/extractcode/default.nix
index a39205f5aeea7..c4f6ecc537bcf 100644
--- a/pkgs/development/python-modules/extractcode/default.nix
+++ b/pkgs/development/python-modules/extractcode/default.nix
@@ -9,6 +9,7 @@
 , pytestCheckHook
 , pytest-xdist
 }:
+
 buildPythonPackage rec {
   pname = "extractcode";
   version = "21.7.23";
@@ -36,7 +37,7 @@ buildPythonPackage rec {
     pytest-xdist
   ];
 
-  # cli test tests the cli which we can't do until after install
+  # CLI test tests the cli which we can't do until after install
   disabledTestPaths = [
     "tests/test_extractcode_cli.py"
   ];
@@ -45,6 +46,7 @@ buildPythonPackage rec {
   disabledTests = [
     "test_uncompress_lz4_basic"
     "test_extract_tarlz4_basic"
+    "test_extract_rar_with_trailing_data"
     # tries to parse /boot/vmlinuz-*, which is not available in the nix sandbox
     "test_can_extract_qcow2_vm_image_as_tarball"
     "test_can_extract_qcow2_vm_image_not_as_tarball"
@@ -56,7 +58,7 @@ buildPythonPackage rec {
   ];
 
   meta = with lib; {
-    description = "A mostly universal archive extractor using z7zip, libarchve, other libraries and the Python standard library for reliable archive extraction";
+    description = "Universal archive extractor using z7zip, libarchve, other libraries and the Python standard library";
     homepage = "https://github.com/nexB/extractcode";
     license = licenses.asl20;
     maintainers = teams.determinatesystems.members;
diff --git a/pkgs/development/python-modules/greeclimate/default.nix b/pkgs/development/python-modules/greeclimate/default.nix
index 5b2e86b5fb589..9e0086f3e2023 100644
--- a/pkgs/development/python-modules/greeclimate/default.nix
+++ b/pkgs/development/python-modules/greeclimate/default.nix
@@ -10,7 +10,7 @@
 
 buildPythonPackage rec {
   pname = "greeclimate";
-  version = "0.11.8";
+  version = "0.11.9";
 
   disabled = pythonOlder "3.6";
 
@@ -18,7 +18,7 @@ buildPythonPackage rec {
     owner = "cmroche";
     repo = "greeclimate";
     rev = version;
-    sha256 = "1n46klbhl0gpd5x995mrcr1qfd77hrfm501qns1zhvv0zk8mdsf4";
+    sha256 = "sha256-fyIx/w+jKIscPGbK6LqjMtjy43qJtzzITwtUeNurE+o=";
   };
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/guppy3/default.nix b/pkgs/development/python-modules/guppy3/default.nix
index b9db312d8716f..df409599cd1fa 100644
--- a/pkgs/development/python-modules/guppy3/default.nix
+++ b/pkgs/development/python-modules/guppy3/default.nix
@@ -7,14 +7,14 @@
 
 buildPythonPackage rec {
   pname = "guppy3";
-  version = "3.1.1";
+  version = "3.1.2";
   disabled = pythonOlder "3.6";
 
   src = fetchFromGitHub {
     owner = "zhuyifei1999";
     repo = pname;
     rev = "v${version}";
-    sha256 = "14iwah1i4dcn74zjj9sq3av1yh9q5nvgqwccnn71blp7gxcnxnvh";
+    sha256 = "sha256-f7YpaZ85PU/CSsDwSm2IJ/x2ZxzHoMOVbdbzT1i8y/w=";
   };
 
   propagatedBuildInputs = [ tkinter ];
diff --git a/pkgs/development/python-modules/license-expression/default.nix b/pkgs/development/python-modules/license-expression/default.nix
index e934c51942852..5ed61931a7d8b 100644
--- a/pkgs/development/python-modules/license-expression/default.nix
+++ b/pkgs/development/python-modules/license-expression/default.nix
@@ -1,25 +1,45 @@
-{ lib, buildPythonPackage, fetchFromGitHub
+{ lib
 , boolean-py
+, buildPythonPackage
+, fetchFromGitHub
+, pytestCheckHook
+, pythonOlder
+, setuptools-scm
 }:
 
 buildPythonPackage rec {
   pname = "license-expression";
-  version = "1.2";
+  version = "21.6.14";
+
+  disabled = pythonOlder "3.6";
 
   src = fetchFromGitHub {
     owner = "nexB";
     repo = "license-expression";
     rev = "v${version}";
-    sha256 = "0bbd7d90z58p9sd01b00g0vfd9bmwzksjb7pc8833s2jpja9mxz1";
+    sha256 = "sha256-hwfYKKalo8WYFwPCsRRXNz+/F8/42PXA8jxbIQjJH/g=";
   };
-  postPatch = "patchShebangs ./configure";
 
-  propagatedBuildInputs = [ boolean-py ];
+  dontConfigure = true;
+
+  nativeBuildInputs = [
+    setuptools-scm
+  ];
+
+  propagatedBuildInputs = [
+    boolean-py
+  ];
+
+  checkInputs = [
+    pytestCheckHook
+  ];
+
+  pythonImportsCheck = [ "license_expression" ];
 
   meta = with lib; {
+    description = "Utility library to parse, normalize and compare License expressions for Python";
     homepage = "https://github.com/nexB/license-expression";
-    description = "Utility library to parse, normalize and compare License expressions for Python using a boolean logic engine";
     license = licenses.asl20;
+    maintainers = with maintainers; [ fab ];
   };
-
 }
diff --git a/pkgs/development/python-modules/parameter-expansion-patched/default.nix b/pkgs/development/python-modules/parameter-expansion-patched/default.nix
new file mode 100644
index 0000000000000..18511e1c70fde
--- /dev/null
+++ b/pkgs/development/python-modules/parameter-expansion-patched/default.nix
@@ -0,0 +1,33 @@
+{ lib
+, buildPythonPackage
+, fetchPypi
+, pytestCheckHook
+, pythonOlder
+}:
+
+buildPythonPackage rec {
+  pname = "parameter-expansion-patched";
+  version = "0.2.1b4";
+
+  disabled = pythonOlder "3.6";
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "1vhshscjifi78qapzwn29gln6p8jhyc7cccszl8ai2jamhcph5zs";
+  };
+
+  checkInputs = [
+    pytestCheckHook
+  ];
+
+  pythonImportsCheck = [
+    "parameter_expansion"
+  ];
+
+  meta = with lib; {
+    description = "POSIX parameter expansion in Python";
+    homepage = "https://github.com/nexB/commoncode";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ fab ];
+  };
+}
diff --git a/pkgs/development/python-modules/pg8000/default.nix b/pkgs/development/python-modules/pg8000/default.nix
index aadcec698ae23..272b9175fdc8b 100644
--- a/pkgs/development/python-modules/pg8000/default.nix
+++ b/pkgs/development/python-modules/pg8000/default.nix
@@ -8,12 +8,12 @@
 
 buildPythonPackage rec {
   pname = "pg8000";
-  version = "1.21.2";
+  version = "1.21.3";
   disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "36a3b517408334967c1fa0d29656da03608d63122a372ec92c85f49aed2d24e3";
+    sha256 = "f73f1d477cda12a7b784be73c8a0c06c71e4284ef90cae4883cbc7c524b95fbf";
   };
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/pglast/default.nix b/pkgs/development/python-modules/pglast/default.nix
index 38acf736b74fe..a4e50d1d46959 100644
--- a/pkgs/development/python-modules/pglast/default.nix
+++ b/pkgs/development/python-modules/pglast/default.nix
@@ -9,11 +9,11 @@
 
 buildPythonPackage rec {
   pname = "pglast";
-  version = "3.5";
+  version = "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "3bb74df084b149e8bf969380d88b1980fbd1aeda7f7057f4dee6751d854d6ae6";
+    sha256 = "1594d536137b888556b7187d25355ba88b3a14ef0d8aacccef15bfed74cf0af9";
   };
 
   disabled = !isPy3k;
diff --git a/pkgs/development/python-modules/pikepdf/default.nix b/pkgs/development/python-modules/pikepdf/default.nix
index 7b380627d75a0..2b0b9bc4999a4 100644
--- a/pkgs/development/python-modules/pikepdf/default.nix
+++ b/pkgs/development/python-modules/pikepdf/default.nix
@@ -24,12 +24,12 @@
 
 buildPythonPackage rec {
   pname = "pikepdf";
-  version = "3.1.1";
+  version = "3.2.0";
   disabled = ! isPy3k;
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-klSUszWsIIz7o0/Ql8K4CWYujBH0mAbqyUcabpn1SkQ=";
+    sha256 = "a0582f00440668c07edb8403e82724961c7812c8e6c30655e34825b2645f15cd";
   };
 
   patches = [
diff --git a/pkgs/development/python-modules/pygmars/default.nix b/pkgs/development/python-modules/pygmars/default.nix
new file mode 100644
index 0000000000000..e0764ecb3a4b3
--- /dev/null
+++ b/pkgs/development/python-modules/pygmars/default.nix
@@ -0,0 +1,42 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, pytestCheckHook
+, setuptools-scm
+, pythonOlder
+}:
+
+buildPythonPackage rec {
+  pname = "pygmars";
+  version = "0.7.0";
+
+  disabled = pythonOlder "3.6";
+
+  src = fetchFromGitHub {
+    owner = "nexB";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "0wghk4nzplpl26iwrgvm0n9x88nyxlcxz4ywss4nwdr4hfccl28l";
+  };
+
+  dontConfigure = true;
+
+  nativeBuildInputs = [
+    setuptools-scm
+  ];
+
+  checkInputs = [
+    pytestCheckHook
+  ];
+
+  pythonImportsCheck = [
+    "pygmars"
+  ];
+
+  meta = with lib; {
+    description = "Python lexing and parsing library";
+    homepage = "https://github.com/nexB/pygmars";
+    license = with licenses; [ asl20 ];
+    maintainers = with maintainers; [ fab ];
+  };
+}
diff --git a/pkgs/development/python-modules/pymavlink/default.nix b/pkgs/development/python-modules/pymavlink/default.nix
index 5de1776d82441..50dc87a926f2a 100644
--- a/pkgs/development/python-modules/pymavlink/default.nix
+++ b/pkgs/development/python-modules/pymavlink/default.nix
@@ -2,11 +2,11 @@
 
 buildPythonPackage rec {
   pname = "pymavlink";
-  version = "2.4.16";
+  version = "2.4.17";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "99b77fdc1389dea7c9dbbfb70143fed707238e00c961ada73b79bcf15b21ca19";
+    sha256 = "84e2af4d8099afd37c5d887261a168e7bde4ec2354f12f65c72dad1a4cd8f21d";
   };
 
   propagatedBuildInputs = [ future lxml ];
diff --git a/pkgs/development/python-modules/pyswitchbot/default.nix b/pkgs/development/python-modules/pyswitchbot/default.nix
index e850349b7a563..1f21d09d9504c 100644
--- a/pkgs/development/python-modules/pyswitchbot/default.nix
+++ b/pkgs/development/python-modules/pyswitchbot/default.nix
@@ -6,13 +6,13 @@
 
 buildPythonPackage rec {
   pname = "pyswitchbot";
-  version = "0.11.0";
+  version = "0.12.0";
 
   src = fetchFromGitHub {
     owner = "Danielhiversen";
     repo = "pySwitchbot";
     rev = version;
-    sha256 = "sha256-YqXR6zL8rM2p6YqK8BX82F9HZHgfpfEU4qBiVSud0hw=";
+    sha256 = "sha256-8u5KeWVaCOksag2CYE7GBl36crB4k9YdLZ5aHD9hlwU=";
   };
 
   propagatedBuildInputs = [ bluepy ];
diff --git a/pkgs/development/python-modules/pytest-rerunfailures/default.nix b/pkgs/development/python-modules/pytest-rerunfailures/default.nix
index a643e7dc5a540..9b16760b23b82 100644
--- a/pkgs/development/python-modules/pytest-rerunfailures/default.nix
+++ b/pkgs/development/python-modules/pytest-rerunfailures/default.nix
@@ -2,13 +2,13 @@
 
 buildPythonPackage rec {
   pname = "pytest-rerunfailures";
-  version = "10.1";
+  version = "10.2";
 
   disabled = pythonOlder "3.5";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "7617c06de13ee6dd2df9add7e275bfb2bcebbaaf3e450f5937cd0200df824273";
+    sha256 = "9e1e1bad51e07642c5bbab809fc1d4ec8eebcb7de86f90f1a26e6ef9de446697";
   };
 
   buildInputs = [ pytest ];
@@ -20,7 +20,7 @@ buildPythonPackage rec {
   '';
 
   meta = with lib; {
-    description = "pytest plugin to re-run tests to eliminate flaky failures";
+    description = "Pytest plugin to re-run tests to eliminate flaky failures";
     homepage = "https://github.com/pytest-dev/pytest-rerunfailures";
     license = licenses.mpl20;
     maintainers = with maintainers; [ das-g ];
diff --git a/pkgs/development/python-modules/scancode-toolkit/default.nix b/pkgs/development/python-modules/scancode-toolkit/default.nix
index 177032aea7f34..afde27967dbb4 100644
--- a/pkgs/development/python-modules/scancode-toolkit/default.nix
+++ b/pkgs/development/python-modules/scancode-toolkit/default.nix
@@ -1,105 +1,141 @@
 { lib
-, fetchPypi
+, attrs
+, beautifulsoup4
+, bitarray
+, boolean-py
 , buildPythonPackage
-, isPy3k
-, markupsafe
+, chardet
 , click
-, typecode
-, gemfileparser
-, pefile
-, fingerprints
-, spdx-tools
-, fasteners
-, pycryptodome
-, urlpy
-, dparse
-, jaraco_functools
-, pkginfo
+, colorama
+, commoncode
 , debian-inspector
+, dparse
 , extractcode
+, extractcode-7z
+, extractcode-libarchive
+, fasteners
+, fetchPypi
+, fingerprints
 , ftfy
-, pyahocorasick
-, colorama
+, gemfileparser
+, html5lib
+, importlib-metadata
+, intbitset
+, jaraco_functools
+, javaproperties
+, jinja2
 , jsonstreams
+, license-expression
+, lxml
+, markupsafe
 , packageurl-python
-, pymaven-patch
-, nltk
+, packaging
+, parameter-expansion-patched
+, pefile
+, pkginfo
+, pluggy
+, plugincode
+, publicsuffix2
+, pyahocorasick
+, pycryptodome
+, pygmars
 , pygments
-, bitarray
-, jinja2
-, javaproperties
-, boolean-py
-, license-expression
-, extractcode-7z
-, extractcode-libarchive
-, typecode-libmagic
+, pymaven-patch
 , pytestCheckHook
+, pythonOlder
+, requests
+, saneyaml
+, spdx-tools
+, text-unidecode
+, toml
+, typecode
+, typecode-libmagic
+, typing
+, urlpy
+, xmltodict
+, zipp
 }:
+
 buildPythonPackage rec {
   pname = "scancode-toolkit";
-  version = "21.8.4";
-  disabled = !isPy3k;
+  version = "30.1.0";
+
+  disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "c18340067244274c67e166f701c60e747e1d0bccb17efc99f277a4bc0a5a13c6";
+    sha256 = "sha256-UYQf+cBi2FmyZxIbQJo7vLjPuoePIMC8FugvoG1Ebj0=";
   };
 
   dontConfigure = true;
 
-  # https://github.com/nexB/scancode-toolkit/issues/2501
-  # * dparse2 is a "Temp fork for Python 2 support", but pdfminer requires
-  # Python 3, so it's "fine" to leave dparse2 unpackaged and use the "normal"
-  # version
-  # * ftfy was pinned for similar reasons (to support Python 2), but rather than
-  # packaging an older version, I figured it would be better to remove the
-  # erroneous (at least for our usage) version bound
-  # * bitarray's version bound appears to be unnecessary for similar reasons
-  postPatch = ''
-    substituteInPlace setup.cfg \
-      --replace "dparse2" "dparse" \
-      --replace "ftfy <  5.0.0" "ftfy" \
-      --replace "bitarray >= 0.8.1, < 1.0.0" "bitarray"
-  '';
-
   propagatedBuildInputs = [
-    markupsafe
+    attrs
+    beautifulsoup4
+    bitarray
+    boolean-py
+    chardet
     click
-    typecode
-    gemfileparser
-    pefile
-    fingerprints
-    spdx-tools
-    fasteners
-    pycryptodome
-    urlpy
-    dparse
-    jaraco_functools
-    pkginfo
+    colorama
+    commoncode
     debian-inspector
+    dparse
     extractcode
+    extractcode-7z
+    extractcode-libarchive
+    fasteners
+    fingerprints
     ftfy
-    pyahocorasick
-    colorama
+    gemfileparser
+    html5lib
+    intbitset
+    jaraco_functools
+    javaproperties
+    jinja2
     jsonstreams
+    license-expression
+    lxml
+    markupsafe
     packageurl-python
-    pymaven-patch
-    nltk
+    packaging
+    parameter-expansion-patched
+    pefile
+    pkginfo
+    pluggy
+    plugincode
+    publicsuffix2
+    pyahocorasick
+    pycryptodome
+    pygmars
     pygments
-    bitarray
-    jinja2
-    javaproperties
-    boolean-py
-    license-expression
-    extractcode-7z
-    extractcode-libarchive
+    pymaven-patch
+    requests
+    saneyaml
+    spdx-tools
+    text-unidecode
+    toml
+    typecode
     typecode-libmagic
+    urlpy
+    xmltodict
+    zipp
+  ] ++ lib.optionals (pythonOlder "3.9") [
+    importlib-metadata
+  ] ++ lib.optionals (pythonOlder "3.7") [
+    typing
   ];
 
   checkInputs = [
     pytestCheckHook
   ];
 
+  postPatch = ''
+    substituteInPlace setup.cfg \
+      --replace "pluggy >= 0.12.0, < 1.0" "pluggy" \
+      --replace "pygmars >= 0.7.0" "pygmars" \
+      --replace "license_expression >= 21.6.14" "license_expression"
+  '';
+
   # Importing scancode needs a writeable home, and preCheck happens in between
   # pythonImportsCheckPhase and pytestCheckPhase.
   postInstall = ''
@@ -114,7 +150,7 @@ buildPythonPackage rec {
   dontStrip = true;
 
   meta = with lib; {
-    description = "A tool to scan code for license, copyright, package and their documented dependencies and other interesting facts";
+    description = "Tool to scan code for license, copyright, package and their documented dependencies and other interesting facts";
     homepage = "https://github.com/nexB/scancode-toolkit";
     license = with licenses; [ asl20 cc-by-40 ];
     maintainers = teams.determinatesystems.members;
diff --git a/pkgs/development/python-modules/spdx-tools/default.nix b/pkgs/development/python-modules/spdx-tools/default.nix
index 53d6d51d2d280..d35846a110177 100644
--- a/pkgs/development/python-modules/spdx-tools/default.nix
+++ b/pkgs/development/python-modules/spdx-tools/default.nix
@@ -1,39 +1,31 @@
 { lib
 , buildPythonPackage
+, click
 , fetchPypi
-, fetchpatch
-, six
 , pyyaml
 , rdflib
 , ply
 , xmltodict
 , pytestCheckHook
-, pythonAtLeast
+, pythonOlder
 }:
+
 buildPythonPackage rec {
   pname = "spdx-tools";
-  version = "0.6.1";
+  version = "0.7.0a3";
+
+  disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "9a1aaae051771e865705dd2fd374c3f73d0ad595c1056548466997551cbd7a81";
+    sha256 = "sha256-afV1W1n5ubHhqfLFpPO5fxaIy5TaZdw9eDy3JYOJ1oE=";
   };
 
-  patches = lib.optionals (pythonAtLeast "3.9") [
-    # https://github.com/spdx/tools-python/pull/159
-    # fixes tests on Python 3.9
-    (fetchpatch {
-      name = "drop-encoding-argument.patch";
-      url = "https://github.com/spdx/tools-python/commit/6c8b9a852f8a787122c0e2492126ee8aa52acff0.patch";
-      sha256 = "RhvLhexsQRjqYqJg10SAM53RsOW+R93G+mns8C9g5E8=";
-    })
-  ];
-
   propagatedBuildInputs = [
-    six
+    click
+    ply
     pyyaml
     rdflib
-    ply
     xmltodict
   ];
 
diff --git a/pkgs/development/python-modules/tasklib/default.nix b/pkgs/development/python-modules/tasklib/default.nix
index 8cb2a2f0278d5..ebc2d46fd989a 100644
--- a/pkgs/development/python-modules/tasklib/default.nix
+++ b/pkgs/development/python-modules/tasklib/default.nix
@@ -8,11 +8,11 @@ wsl_stub = writeShellScriptBin "wsl" "true";
 
 in buildPythonPackage rec {
   pname = "tasklib";
-  version = "2.4.0";
+  version = "2.4.3";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "3645594147107c92780e19ac437f09eb8b8eac950209fb92d3f71869a721234e";
+    sha256 = "b523bc12893d26c8173a6b8d84b16259c9a9c5acaaf8932bc018117f907b3bc5";
   };
 
   propagatedBuildInputs = [
diff --git a/pkgs/servers/clickhouse/default.nix b/pkgs/servers/clickhouse/default.nix
index ce514ea31c03b..28a6536cfaed5 100644
--- a/pkgs/servers/clickhouse/default.nix
+++ b/pkgs/servers/clickhouse/default.nix
@@ -22,10 +22,10 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ cmake libtool llvm-bintools ninja ];
   buildInputs = [
     boost brotli capnproto cctz clang-unwrapped double-conversion
-    icu jemalloc libcpuid libxml2 lld llvm lz4 libmysqlclient openssl perl
+    icu jemalloc libxml2 lld llvm lz4 libmysqlclient openssl perl
     poco protobuf python3 rapidjson re2 rdkafka readline sparsehash unixODBC
     xxHash zstd
-  ];
+  ] ++ lib.optional stdenv.hostPlatform.isx86 libcpuid;
 
   postPatch = ''
     patchShebangs src/
diff --git a/pkgs/servers/x11/xorg/default.nix b/pkgs/servers/x11/xorg/default.nix
index d7311ef440030..49f5a24eaaeae 100644
--- a/pkgs/servers/x11/xorg/default.nix
+++ b/pkgs/servers/x11/xorg/default.nix
@@ -1902,11 +1902,11 @@ lib.makeScope newScope (self: with self; {
   # THIS IS A GENERATED FILE.  DO NOT EDIT!
   xev = callPackage ({ stdenv, pkg-config, fetchurl, libX11, xorgproto, libXrandr }: stdenv.mkDerivation {
     pname = "xev";
-    version = "1.2.3";
+    version = "1.2.4";
     builder = ./builder.sh;
     src = fetchurl {
-      url = "mirror://xorg/individual/app/xev-1.2.3.tar.bz2";
-      sha256 = "02ddsdx138g7szhwklpbzi0cxr34871iay3k28kdcihrz8f4zg36";
+      url = "mirror://xorg/individual/app/xev-1.2.4.tar.bz2";
+      sha256 = "1ql592pdhddhkipkrsxn929y9l2nn02a5fh2z3dx47kmzs5y006p";
     };
     hardeningDisable = [ "bindnow" "relro" ];
     nativeBuildInputs = [ pkg-config ];
diff --git a/pkgs/servers/x11/xorg/tarballs.list b/pkgs/servers/x11/xorg/tarballs.list
index b3a4aedfeb6a4..bc9344f66cb3d 100644
--- a/pkgs/servers/x11/xorg/tarballs.list
+++ b/pkgs/servers/x11/xorg/tarballs.list
@@ -35,7 +35,7 @@ mirror://xorg/individual/app/xcursorgen-1.0.7.tar.bz2
 mirror://xorg/individual/app/xdm-1.1.12.tar.bz2
 mirror://xorg/individual/app/xdpyinfo-1.3.2.tar.bz2
 mirror://xorg/individual/app/xdriinfo-1.0.6.tar.bz2
-mirror://xorg/individual/app/xev-1.2.3.tar.bz2
+mirror://xorg/individual/app/xev-1.2.4.tar.bz2
 mirror://xorg/individual/app/xeyes-1.2.0.tar.bz2
 mirror://xorg/individual/app/xfd-1.1.3.tar.bz2
 mirror://xorg/individual/app/xfontsel-1.0.6.tar.bz2
diff --git a/pkgs/tools/filesystems/lfs/default.nix b/pkgs/tools/filesystems/lfs/default.nix
new file mode 100644
index 0000000000000..d1988183bf198
--- /dev/null
+++ b/pkgs/tools/filesystems/lfs/default.nix
@@ -0,0 +1,25 @@
+{ lib
+, fetchFromGitHub
+, rustPlatform
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "lfs";
+  version = "1.1.0";
+
+  src = fetchFromGitHub {
+    owner = "Canop";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "gez5q1niIhzWJpsEkbVRuQFILo3tTO8aJq7ewZArJ5M=";
+  };
+
+  cargoSha256 = "2U1xDG4bTimtmjwZ1z9ErlaOcBNJdRcHlEWVaiGg01M=";
+
+  meta = with lib; {
+    description = "Get information on your mounted disks";
+    homepage = "https://github.com/Canop/lfs";
+    license = licenses.mit;
+    maintainers = with maintainers; [ koral ];
+  };
+}
diff --git a/pkgs/tools/misc/mapcidr/default.nix b/pkgs/tools/misc/mapcidr/default.nix
new file mode 100644
index 0000000000000..2c8a80b28d0c7
--- /dev/null
+++ b/pkgs/tools/misc/mapcidr/default.nix
@@ -0,0 +1,34 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+}:
+
+buildGoModule rec {
+  pname = "mapcidr";
+  version = "0.0.8";
+
+  src = fetchFromGitHub {
+    owner = "projectdiscovery";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-hlMIgSsSqvMx6Y7JnR7L9muTLWPfxDN5raJRezt99G0=";
+  };
+
+  vendorSha256 = "sha256-zp+XaSZgSMwJK+EEiTaJKBTPiKYaYpTtArnGBmHUGzE=";
+
+  modRoot = ".";
+  subPackages = [
+    "cmd/mapcidr"
+  ];
+
+  meta = with lib; {
+    description = "Small utility program to perform multiple operations for a given subnet/CIDR ranges";
+    longDescription = ''
+      mapCIDR is developed to ease load distribution for mass scanning
+      operations, it can be used both as a library and as independent CLI tool.
+    '';
+    homepage = "https://github.com/projectdiscovery/mapcidr";
+    license = licenses.mit;
+    maintainers = with maintainers; [ hanemile ];
+  };
+}
diff --git a/pkgs/tools/misc/synth/default.nix b/pkgs/tools/misc/synth/default.nix
new file mode 100644
index 0000000000000..31d0b6e7d32fb
--- /dev/null
+++ b/pkgs/tools/misc/synth/default.nix
@@ -0,0 +1,36 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+, pkg-config
+, openssl
+, stdenv
+, Security
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "synth";
+  version = "0.5.6";
+
+  src = fetchFromGitHub {
+    owner = "getsynth";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "06kgzaja04553gaxrfz6d1rqi3xwa6ijl0q6425fg0mqq9ifv7xk";
+  };
+
+  cargoSha256 = "sha256-bjda4uE5K+cJkS2TsTv7FN3H6q3cElRr674FTKaIexA=";
+
+  nativeBuildInputs = [ pkg-config ];
+
+  buildInputs = [ openssl ] ++ lib.optional stdenv.isDarwin Security;
+
+  # requires unstable rust features
+  RUSTC_BOOTSTRAP = 1;
+
+  meta = with lib; {
+    description = "A tool for generating realistic data using a declarative data model";
+    homepage = "https://github.com/getsynth/synth";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ figsoda ];
+  };
+}
diff --git a/pkgs/tools/security/kubescape/default.nix b/pkgs/tools/security/kubescape/default.nix
index 43046ab903789..22ef43d36f906 100644
--- a/pkgs/tools/security/kubescape/default.nix
+++ b/pkgs/tools/security/kubescape/default.nix
@@ -5,16 +5,16 @@
 
 buildGoModule rec {
   pname = "kubescape";
-  version = "1.0.88";
+  version = "1.0.109";
 
   src = fetchFromGitHub {
     owner = "armosec";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-ITN/HsXZWH1v23R5TSEd8vq/DkhiCypJM+hg879ZWlc=";
+    sha256 = "sha256-aPy0FcDFoBK02pCmDTe5T1QyB9+WC++cBuOI7CtaXtY=";
   };
 
-  vendorSha256 = "18mvv70g65pq1c7nn752j26d0vasx6cl2rqp5g1hg3cb61hjbn0n";
+  vendorSha256 = "sha256-vN+ci2vCbtDuEEVzZQiFkdi1QkMgnnbbJgD9g6DS7qs=";
 
   # One test is failing, disabling for now
   doCheck = false;
diff --git a/pkgs/tools/security/scorecard/default.nix b/pkgs/tools/security/scorecard/default.nix
index d0908c3595028..0cc94c63c9f00 100644
--- a/pkgs/tools/security/scorecard/default.nix
+++ b/pkgs/tools/security/scorecard/default.nix
@@ -1,16 +1,33 @@
-{ lib, buildGoModule, fetchFromGitHub, installShellFiles }:
+{ lib, buildGoModule, fetchFromGitHub, fetchgit, installShellFiles }:
 
 buildGoModule rec {
   pname = "scorecard";
-  version = "2.2.8";
+  version = "3.0.1";
 
   src = fetchFromGitHub {
     owner = "ossf";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-U29NCZFXOhu0xLfDlJ1Q7m8TbAm+C6+ecYFhcI5gg6s=";
+    sha256 = "sha256-19XDAgv9ARCZ7eNlWUPcsbGNyKA9vYFry8m6D3+vQP8=";
+    # populate values otherwise taken care of by goreleaser,
+    # unfortunately these require us to use git. By doing
+    # this in postFetch we can delete .git afterwards and
+    # maintain better reproducibility of the src.
+    leaveDotGit = true;
+    postFetch = ''
+      cd "$out"
+
+      commit="$(git rev-parse HEAD)"
+      source_date_epoch=$(git log --date=iso8601-strict -1 --pretty=%ct)
+
+      substituteInPlace "$out/pkg/scorecard_version.go" \
+        --replace 'gitCommit = "unknown"' "gitCommit = \"$commit\"" \
+        --replace 'buildDate = "unknown"' "buildDate = \"$source_date_epoch\""
+
+      find "$out" -name .git -print0 | xargs -0 rm -rf
+    '';
   };
-  vendorSha256 = "sha256-hOATCXjBE0doHnY2BaRKZocQ6SIigL0q4m9eEJGKh6Q=";
+  vendorSha256 = "sha256-ucF26pTEvG8tkzsyC9WNbvl8QCeetKBvBIcQL2NTfjo=";
 
   # Install completions post-install
   nativeBuildInputs = [ installShellFiles ];
@@ -20,8 +37,8 @@ buildGoModule rec {
   ldflags = [
     "-s"
     "-w"
-    "-X github.com/ossf/scorecard/v2/pkg.gitVersion=v${version}"
-    "-X github.com/ossf/scorecard/v2/pkg.gitTreeState=clean"
+    "-X github.com/ossf/scorecard/v${lib.versions.major version}/pkg.gitVersion=v${version}"
+    "-X github.com/ossf/scorecard/v${lib.versions.major version}/pkg.gitTreeState=clean"
   ];
 
   preCheck = ''
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index ec51d470621de..831d03b8ec43d 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -894,7 +894,7 @@ with pkgs;
 
   airfield = callPackage ../tools/networking/airfield { };
 
-  apache-airflow = with python37.pkgs; toPythonApplication apache-airflow;
+  apache-airflow = with python3.pkgs; toPythonApplication apache-airflow;
 
   airsonic = callPackage ../servers/misc/airsonic { };
 
@@ -3151,6 +3151,8 @@ with pkgs;
 
   lynis = callPackage ../tools/security/lynis { };
 
+  mapcidr = callPackage ../tools/misc/mapcidr { };
+
   mapproxy = callPackage ../applications/misc/mapproxy { };
 
   marl = callPackage ../development/libraries/marl {};
@@ -3449,6 +3451,10 @@ with pkgs;
 
   sydbox = callPackage ../os-specific/linux/sydbox { };
 
+  synth = callPackage ../tools/misc/synth {
+    inherit (darwin.apple_sdk.frameworks) Security;
+  };
+
   syscall_limiter = callPackage ../os-specific/linux/syscall_limiter {};
 
   syslogng = callPackage ../tools/system/syslog-ng { };
@@ -6688,6 +6694,8 @@ with pkgs;
     ffmpeg = ffmpeg-full;
   };
 
+  lfs = callPackage ../tools/filesystems/lfs { };
+
   lksctp-tools = callPackage ../os-specific/linux/lksctp-tools { };
 
   lldpd = callPackage ../tools/networking/lldpd { };
@@ -7972,7 +7980,9 @@ with pkgs;
 
   opendbx = callPackage ../development/libraries/opendbx { };
 
-  opendht = callPackage ../development/libraries/opendht {};
+  opendht = callPackage ../development/libraries/opendht  {
+    inherit (darwin.apple_sdk.frameworks) Security;
+  };
 
   opendkim = callPackage ../development/libraries/opendkim { };
 
diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix
index 1a40d9b754ef5..1c3bb9f43a503 100644
--- a/pkgs/top-level/perl-packages.nix
+++ b/pkgs/top-level/perl-packages.nix
@@ -11358,11 +11358,16 @@ let
       url = "mirror://cpan/authors/id/B/BR/BRMILLER/${pname}-${version}.tar.gz";
       sha256 = "1ccvdq7asxq6iw8x8ihwf5xs2mp7fkwm467xy7g8spkznr8wcacm";
     };
+    patches = [
+      (fetchpatch {
+        # https://github.com/brucemiller/LaTeXML/issues/1669
+        name = "downgrade-security-FileTemp.patch";
+        url = "https://github.com/brucemiller/LaTeXML/commit/c3d6b9b88f9eafce6eee52b1634ea33085ba9ec6.patch";
+        sha256 = "12w6nfv0bkj2mr4xwcqzkdngrpbq4fn52n85r9njdg913cvfirm7";
+      })
+    ];
     outputs = [ "out" "tex" ];
     propagatedBuildInputs = [ ArchiveZip DBFile FileWhich IOString ImageMagick ImageSize JSONXS LWP ParseRecDescent PodParser TextUnidecode XMLLibXSLT ];
-    preCheck = ''
-      rm t/931_epub.t # https://github.com/brucemiller/LaTeXML/issues/1669
-    '';
     nativeBuildInputs = [ pkgs.makeWrapper ] ++ lib.optional stdenv.isDarwin shortenPerlShebang;
     makeMakerFlags = "TEXMF=\${tex} NOMKTEXLSR";
     # shebangs need to be patched before executables are copied to $out
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 9055300e09adc..3d5d90db0f275 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -5340,6 +5340,8 @@ in {
 
   param = callPackage ../development/python-modules/param { };
 
+  parameter-expansion-patched = callPackage ../development/python-modules/parameter-expansion-patched { };
+
   parameterized = callPackage ../development/python-modules/parameterized { };
 
   paramiko = callPackage ../development/python-modules/paramiko { };
@@ -6326,6 +6328,8 @@ in {
 
   pygls = callPackage ../development/python-modules/pygls { };
 
+  pygmars = callPackage ../development/python-modules/pygmars { };
+
   pygments-better-html = callPackage ../development/python-modules/pygments-better-html { };
 
   pygments = callPackage ../development/python-modules/Pygments { };