
Conversation

@mdaniels5757
Contributor

@mdaniels5757 mdaniels5757 commented Nov 1, 2025

Manual backport of many PRs, including #456779 (which has security fixes).

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

r-ryantm and others added 13 commits November 1, 2025 12:46
(cherry picked from commit 9beb192)
(cherry picked from commit 1a9ad51)
(cherry picked from commit 3bb4fd1)
(cherry picked from commit 84d61a6)
(cherry picked from commit 1f1a0cd)
(cherry picked from commit 242c507)
@mdaniels5757 mdaniels5757 added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Nov 1, 2025
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. 4.workflow: backport This targets a stable branch labels Nov 1, 2025
@nix-owners nix-owners bot requested a review from xiaoxiangmoe November 1, 2025 16:58
@mdaniels5757
Contributor Author

nixpkgs-review result

Generated using nixpkgs-review-gha

Command: nixpkgs-review pr 457576
Commit: b0a318e26de9d8f3b04449cd038d9e95e72d749a (subsequent changes)
Merge: 7568b8672d08054d89ffa1dd2d30ec1405f3649d

Logs: https://github.com/mdaniels5757/nixpkgs-review-gha/actions/runs/18999774205


x86_64-linux

✅ 1 package built:
  • pixi

aarch64-linux

✅ 1 package built:
  • pixi

x86_64-darwin (sandbox = true)

✅ 1 package built:
  • pixi

aarch64-darwin (sandbox = true)

✅ 1 package built:
  • pixi

@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Nov 1, 2025
@LeSuisse
Member

LeSuisse commented Nov 1, 2025

@mdaniels5757
Contributor Author

> Can we only pull the dependency bump?

No, https://github.com/prefix-dev/pixi/commit/66efc2b35f2b375444d69355af96b2f8d509b6a1.patch won't apply.

> Can we craft a patch?

I dunno, maybe? I can run cargo update for this, and the other thing that cargo audit tells me is vulnerable (not including tracing-subscriber, which was not updated by upstream in prefix-dev/pixi#4491). But there are also packages that are unmaintained or yanked, and those can't be removed without updating, I think.

@LeSuisse
Member

LeSuisse commented Nov 2, 2025

The crates marked as unmaintained should be reasonable to keep.

I'm not against bumping to the latest version but I cannot evaluate if they can affect NixOS/nixpkgs users or not. We should not introduce breaking changes to our stable releases: https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases

Bumping the following 2 crates seems reasonable on 0.46.0:

  • openssl: 0.10.71 -> 0.10.74 (RUSTSEC-2025-0022)
  • astral-tokio-tar: 0.5.2 -> 0.5.6 (RUSTSEC-2025-0110)
diff --git a/Cargo.lock b/Cargo.lock
index 8db4baa4a..4a7bb82d4 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -164,9 +164,9 @@ checksum = "9b34d609dfbaf33d6889b2b7106d3ca345eacad44200913df5ba02bfd31d2ba9"
 
 [[package]]
 name = "astral-tokio-tar"
-version = "0.5.2"
+version = "0.5.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1abb2bfba199d9ec4759b797115ba6ae435bdd920ce99783bb53aeff57ba919b"
+checksum = "ec179a06c1769b1e42e1e2cbe74c7dcdb3d6383c838454d063eaac5bbb7ebbe5"
 dependencies = [
  "filetime",
  "futures-core",
@@ -3514,7 +3514,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34"
 dependencies = [
  "cfg-if",
- "windows-targets 0.52.6",
+ "windows-targets 0.48.5",
 ]
 
 [[package]]
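Review bot: the `windows-targets 0.52.6` -> `windows-targets 0.48.5` change in this hunk is a downgrade of a transitive dependency that is not one of the two crates named above (openssl and astral-tokio-tar), and the hunk header does not show which package it belongs to. It looks like a resolver side effect of running `cargo update`; either leave it out so the backport's lockfile diff stays limited to the two advisory fixes, or say in the PR description why that package now resolves to the older windows-targets.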
@@ -4029,9 +4029,9 @@ checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
 
 [[package]]
 name = "openssl"
-version = "0.10.71"
+version = "0.10.74"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5e14130c6a98cd258fdcb0fb6d744152343ff729cbfcb28c656a9d12b999fbcd"
+checksum = "24ad14dd45412269e1a30f52ad8f0664f0f4f4a89ee8fe28c3b3527021ebb654"
 dependencies = [
  "bitflags 2.9.0",
  "cfg-if",
@@ -4061,9 +4061,9 @@ checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.106"
+version = "0.9.110"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8bb61ea9811cc39e3c2069f40b8b8e2e70d8569b361f879786cc7ed48b777cdd"
+checksum = "0a9f0075ba3c21b09f8e8b2026584b1d18d49388648f2fbbf3c97ea8deced8e2"
 dependencies = [
  "cc",
  "libc",
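Review bot: openssl-sys 0.9.106 -> 0.9.110 is not listed among the "2 crates" above, so the description should state that it comes along with the openssl 0.10.74 bump in the previous hunk rather than leaving the reader to infer it. Since the thread later notes that pixi in nixpkgs links against the nixpkgs OpenSSL rather than the crate's vendored copy, it is also worth confirming that the bumped openssl-sys still builds against that system library on the four platforms covered by the nixpkgs-review result.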
@@ -8894,7 +8894,7 @@ version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb"
 dependencies = [
- "windows-sys 0.59.0",
+ "windows-sys 0.48.0",
 ]
 
 [[package]]
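Review bot: same concern as the windows-targets hunk: `windows-sys 0.59.0` -> `windows-sys 0.48.0` downgrades an unrelated transitive dependency of a package at version 0.1.9 whose name is not visible here, and it has no connection to RUSTSEC-2025-0022 or RUSTSEC-2025-0110. Unless it is required for the lockfile to resolve, drop it to keep the stable-branch change minimal, as the linked CONTRIBUTING section asks.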

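One way to check a proposed lockfile change against the set of bumps a reviewer actually approved, as an added example (not code from nixpkgs, pixi, or anyone in this thread): it parses two Cargo.lock texts, reports every crate whose resolved version changed outside the approved list, and reports packages that kept their version but had their dependency list rewritten, which is exactly how the windows-targets and windows-sys downgrades in the diff above would surface. The two lockfiles are constructed samples modelled on the posted diff, with `win-user` standing in for the unnamed package whose windows-targets dependency changed; only the Cargo.lock syntax shown above is assumed.

```python
"""Flag Cargo.lock changes that go beyond an approved set of crate bumps.

Added example for reviewing minimal security backports; not code from nixpkgs,
pixi or this thread. The lockfiles below are constructed samples modelled on the
posted diff ("win-user" stands in for the package whose dependency changed).
"""

# Constructed sample: the relevant part of a Cargo.lock before the change.
OLD_LOCK = """\
version = 4

[[package]]
name = "astral-tokio-tar"
version = "0.5.2"
dependencies = [
 "filetime",
 "futures-core",
]

[[package]]
name = "openssl"
version = "0.10.71"

[[package]]
name = "openssl-sys"
version = "0.9.106"

[[package]]
name = "win-user"
version = "0.1.9"
dependencies = [
 "windows-targets 0.52.6",
]

[[package]]
name = "windows-targets"
version = "0.48.5"

[[package]]
name = "windows-targets"
version = "0.52.6"
"""

# Constructed sample: the same lockfile after the posted diff.
NEW_LOCK = (OLD_LOCK
            .replace('version = "0.5.2"', 'version = "0.5.6"')
            .replace('version = "0.10.71"', 'version = "0.10.74"')
            .replace('version = "0.9.106"', 'version = "0.9.110"')
            .replace('"windows-targets 0.52.6"', '"windows-targets 0.48.5"'))


def parse_lock(text):
    """Minimal Cargo.lock reader: {(name, version): {field: value}} per [[package]]."""
    packages, current, array_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if array_key is not None:                     # inside a multi-line array
            if line == "]":
                array_key = None
            elif line:
                current[array_key].append(line.rstrip(",").strip('"'))
        elif line == "[[package]]":
            current = {}
            packages.append(current)
        elif current is not None and " = " in line:
            key, value = line.split(" = ", 1)
            if value == "[":                          # start of a multi-line array
                array_key, current[key] = key, []
            else:
                current[key] = value.strip('"')
    return {(p["name"], p["version"]): p for p in packages}


def audit_backport(old_text, new_text, allowed):
    """Return findings not covered by `allowed` ({crate: version}); [] means clean."""
    old, new = parse_lock(old_text), parse_lock(new_text)
    findings = []
    for name in sorted({n for n, _ in old} | {n for n, _ in new}):
        before = sorted(v for n, v in old if n == name)
        after = sorted(v for n, v in new if n == name)
        if before == after:
            continue
        if name not in allowed:
            findings.append(f"unexpected version change: {name} {before} -> {after}")
        elif after != [allowed[name]]:
            findings.append(f"{name} resolved to {after}, expected {allowed[name]}")
    # Packages kept at the same version but with a rewritten dependency list
    # (e.g. a transitive downgrade) are reported too.
    for key in sorted(old.keys() & new.keys()):
        od = set(old[key].get("dependencies", []))
        nd = set(new[key].get("dependencies", []))
        if od != nd:
            findings.append(f"{key[0]} {key[1]} dependencies changed: "
                            f"-{sorted(od - nd)} +{sorted(nd - od)}")
    return findings


if __name__ == "__main__":
    approved = {"openssl": "0.10.74", "astral-tokio-tar": "0.5.6"}
    for finding in audit_backport(OLD_LOCK, NEW_LOCK, approved):
        print(finding)
```

Run against the sample, the two approved bumps pass silently while the openssl-sys bump and the win-user dependency rewrite are reported; adding `"openssl-sys": "0.9.110"` to the approved set leaves only the dependency finding, which is the one a reviewer still has to decide on.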
@niklaskorz
Contributor

Note that bumping the OpenSSL crate likely isn't needed in terms of security; we're not using their vendored OpenSSL library but the nixpkgs one for pixi.

@niklaskorz
Contributor

Superseded by #457802

@niklaskorz niklaskorz closed this Nov 2, 2025
@mdaniels5757 mdaniels5757 deleted the backport-456779-to-release-25.05 branch November 2, 2025 14:41