authorgithub-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>2024-03-06 00:12:50 +0000
committerGitHub <noreply@github.com>2024-03-06 00:12:50 +0000
commit21588b3902fa38579bf64f9fea414d12d4e3542b (patch)
treec1e96a766ff2c80ef735c895ce983e863feb1711 /pkgs/development
parent5f2e6243fba18cd8d548c85dbb13c8cabe364e2a (diff)
parent5706443baf9ce6a4cdb09f0c8463429c0549a9df (diff)
Merge master into haskell-updates
Diffstat (limited to 'pkgs/development')
-rw-r--r--pkgs/development/compilers/dotnet/8/default.nix9
-rw-r--r--pkgs/development/compilers/dotnet/8/deps.nix10
-rw-r--r--pkgs/development/compilers/dotnet/8/release-info.json5
-rw-r--r--pkgs/development/compilers/dotnet/8/release.json9
-rw-r--r--pkgs/development/compilers/dotnet/build-dotnet.nix66
-rw-r--r--pkgs/development/compilers/dotnet/combine-deps.nix40
-rw-r--r--pkgs/development/compilers/dotnet/common.nix63
-rw-r--r--pkgs/development/compilers/dotnet/default.nix5
-rw-r--r--pkgs/development/compilers/dotnet/dotnet.nix50
-rw-r--r--pkgs/development/compilers/dotnet/fix-aspnetcore-portable-build.patch25
-rw-r--r--pkgs/development/compilers/dotnet/fix-tmp-path.patch27
-rw-r--r--pkgs/development/compilers/dotnet/packages.nix99
-rw-r--r--pkgs/development/compilers/dotnet/patch-nupkgs.nix62
-rw-r--r--pkgs/development/compilers/dotnet/patch-restored-packages.proj8
-rw-r--r--pkgs/development/compilers/dotnet/record-downloaded-packages.patch42
-rw-r--r--pkgs/development/compilers/dotnet/record-downloaded-packages.proj13
-rw-r--r--pkgs/development/compilers/dotnet/sign-apphost.nix10
-rw-r--r--pkgs/development/compilers/dotnet/sign-apphost.proj11
-rw-r--r--pkgs/development/compilers/dotnet/sigtool.nix27
-rw-r--r--pkgs/development/compilers/dotnet/stage0.nix126
-rw-r--r--pkgs/development/compilers/dotnet/stage1.nix27
-rw-r--r--pkgs/development/compilers/dotnet/stop-passing-bare-sdk-arg-to-swiftc.patch31
-rw-r--r--pkgs/development/compilers/dotnet/update.nix123
-rwxr-xr-xpkgs/development/compilers/dotnet/update.sh18
-rw-r--r--pkgs/development/compilers/dotnet/versions/8.0.102.nix179
-rw-r--r--pkgs/development/compilers/dotnet/vmr.nix332
-rw-r--r--pkgs/development/compilers/lobster/default.nix6
-rw-r--r--pkgs/development/compilers/qbe/001-dont-hardcode-tmp.patch43
-rw-r--r--pkgs/development/compilers/qbe/default.nix8
-rw-r--r--pkgs/development/interpreters/duktape/default.nix6
-rw-r--r--pkgs/development/interpreters/jimtcl/default.nix6
-rw-r--r--pkgs/development/libraries/armadillo/default.nix4
-rw-r--r--pkgs/development/libraries/audiality2/default.nix7
-rw-r--r--pkgs/development/libraries/impy/default.nix7
-rw-r--r--pkgs/development/libraries/libbap/default.nix4
-rw-r--r--pkgs/development/libraries/libmediainfo/default.nix4
-rw-r--r--pkgs/development/libraries/litehtml/default.nix6
-rw-r--r--pkgs/development/libraries/lmdbxx/default.nix7
-rw-r--r--pkgs/development/libraries/rapidfuzz-cpp/default.nix10
-rw-r--r--pkgs/development/libraries/termbox/default.nix6
-rw-r--r--pkgs/development/libraries/xgboost/default.nix5
-rw-r--r--pkgs/development/ocaml-modules/ctypes/default.nix50
-rw-r--r--pkgs/development/ocaml-modules/ctypes/foreign.nix23
-rw-r--r--pkgs/development/ocaml-modules/hacl-star/raw.nix3
-rw-r--r--pkgs/development/ocaml-modules/janestreet/0.14.nix2
-rw-r--r--pkgs/development/ocaml-modules/janestreet/0.15.nix2
-rw-r--r--pkgs/development/ocaml-modules/janestreet/0.16.nix2
-rw-r--r--pkgs/development/ocaml-modules/lilv/default.nix4
-rw-r--r--pkgs/development/ocaml-modules/mariadb/default.nix14
-rw-r--r--pkgs/development/ocaml-modules/srt/default.nix4
-rw-r--r--pkgs/development/ocaml-modules/torch/default.nix2
-rw-r--r--pkgs/development/ocaml-modules/tsdl/default.nix4
-rw-r--r--pkgs/development/ocaml-modules/xxhash/default.nix6
-rw-r--r--pkgs/development/php-packages/composer/default.nix33
-rw-r--r--pkgs/development/python-modules/adafruit-platformdetect/default.nix4
-rw-r--r--pkgs/development/python-modules/aioairzone/default.nix4
-rw-r--r--pkgs/development/python-modules/aiomysensors/default.nix4
-rw-r--r--pkgs/development/python-modules/apispec/default.nix14
-rw-r--r--pkgs/development/python-modules/asyncua/default.nix4
-rw-r--r--pkgs/development/python-modules/awkward-cpp/default.nix4
-rw-r--r--pkgs/development/python-modules/awkward/default.nix4
-rw-r--r--pkgs/development/python-modules/boto3-stubs/default.nix4
-rw-r--r--pkgs/development/python-modules/botocore-stubs/default.nix4
-rw-r--r--pkgs/development/python-modules/celery/default.nix3
-rw-r--r--pkgs/development/python-modules/cyclonedx-python-lib/default.nix4
-rw-r--r--pkgs/development/python-modules/django-storages/default.nix48
-rw-r--r--pkgs/development/python-modules/dm-haiku/default.nix4
-rw-r--r--pkgs/development/python-modules/easydict/default.nix4
-rw-r--r--pkgs/development/python-modules/environs/default.nix8
-rw-r--r--pkgs/development/python-modules/flask-limiter/default.nix11
-rw-r--r--pkgs/development/python-modules/flask-marshmallow/default.nix25
-rw-r--r--pkgs/development/python-modules/google-cloud-bigquery/default.nix4
-rw-r--r--pkgs/development/python-modules/google-cloud-securitycenter/default.nix4
-rw-r--r--pkgs/development/python-modules/google-cloud-storage/default.nix5
-rw-r--r--pkgs/development/python-modules/griffe/default.nix4
-rw-r--r--pkgs/development/python-modules/habluetooth/default.nix4
-rw-r--r--pkgs/development/python-modules/hstspreload/default.nix4
-rw-r--r--pkgs/development/python-modules/httpx-socks/default.nix8
-rw-r--r--pkgs/development/python-modules/idasen/default.nix4
-rw-r--r--pkgs/development/python-modules/imread/default.nix39
-rw-r--r--pkgs/development/python-modules/marshmallow-oneofschema/default.nix21
-rw-r--r--pkgs/development/python-modules/marshmallow/default.nix10
-rw-r--r--pkgs/development/python-modules/microsoft-kiota-abstractions/default.nix4
-rw-r--r--pkgs/development/python-modules/microsoft-kiota-http/default.nix4
-rw-r--r--pkgs/development/python-modules/nbdime/default.nix64
-rw-r--r--pkgs/development/python-modules/nbxmpp/default.nix4
-rw-r--r--pkgs/development/python-modules/nikola/default.nix35
-rw-r--r--pkgs/development/python-modules/oauthenticator/default.nix20
-rw-r--r--pkgs/development/python-modules/pandas-stubs/default.nix54
-rw-r--r--pkgs/development/python-modules/peaqevcore/default.nix4
-rw-r--r--pkgs/development/python-modules/posthog/default.nix4
-rw-r--r--pkgs/development/python-modules/prometheus-api-client/default.nix62
-rw-r--r--pkgs/development/python-modules/prometrix/default.nix62
-rw-r--r--pkgs/development/python-modules/publicsuffixlist/default.nix4
-rw-r--r--pkgs/development/python-modules/pykeepass/default.nix47
-rw-r--r--pkgs/development/python-modules/pyocd-pemicro/default.nix43
-rw-r--r--pkgs/development/python-modules/pytest-notebook/default.nix82
-rw-r--r--pkgs/development/python-modules/python-benedict/default.nix4
-rw-r--r--pkgs/development/python-modules/python-keystoneclient/default.nix4
-rw-r--r--pkgs/development/python-modules/python-rapidjson/default.nix22
-rw-r--r--pkgs/development/python-modules/python-rapidjson/rapidjson-include-dir.patch25
-rw-r--r--pkgs/development/python-modules/scikit-hep-testdata/default.nix4
-rw-r--r--pkgs/development/python-modules/sectools/default.nix13
-rw-r--r--pkgs/development/python-modules/spsdk/default.nix52
-rw-r--r--pkgs/development/python-modules/tencentcloud-sdk-python/default.nix4
-rw-r--r--pkgs/development/python-modules/tesla-fleet-api/default.nix10
-rw-r--r--pkgs/development/python-modules/urwid/default.nix4
-rw-r--r--pkgs/development/tools/algolia-cli/default.nix4
-rw-r--r--pkgs/development/tools/analysis/checkov/default.nix4
-rw-r--r--pkgs/development/tools/database/sqlite-web/default.nix4
-rw-r--r--pkgs/development/tools/ginkgo/default.nix6
-rw-r--r--pkgs/development/tools/github/github-release/default.nix30
-rw-r--r--pkgs/development/tools/misc/editorconfig-checker/default.nix8
-rw-r--r--pkgs/development/tools/oh-my-posh/default.nix4
-rw-r--r--pkgs/development/tools/parsing/antlr/4.nix4
-rw-r--r--pkgs/development/tools/parsing/spicy/default.nix4
-rw-r--r--pkgs/development/tools/pscale/default.nix4
-rw-r--r--pkgs/development/tools/rain/default.nix4
-rw-r--r--pkgs/development/tools/ruff/default.nix6
-rw-r--r--pkgs/development/tools/rust/cargo-codspeed/default.nix6
-rw-r--r--pkgs/development/tools/sentry-cli/default.nix6
-rw-r--r--pkgs/development/tools/taplo/default.nix18
-rw-r--r--pkgs/development/tools/typos/default.nix6
-rw-r--r--pkgs/development/tools/vsce/default.nix6
124 files changed, 2216 insertions, 498 deletions
diff --git a/pkgs/development/compilers/dotnet/8/default.nix b/pkgs/development/compilers/dotnet/8/default.nix
new file mode 100644
index 000000000000..8b98aa962dc9
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/8/default.nix
@@ -0,0 +1,9 @@
+{ callPackage
+, dotnetCorePackages
+, bootstrapSdk
+}: callPackage ../dotnet.nix {
+  releaseManifestFile = ./release.json;
+  releaseInfoFile = ./release-info.json;
+  depsFile = ./deps.nix;
+  inherit bootstrapSdk;
+}
diff --git a/pkgs/development/compilers/dotnet/8/deps.nix b/pkgs/development/compilers/dotnet/8/deps.nix
new file mode 100644
index 000000000000..ce7ee48bb102
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/8/deps.nix
@@ -0,0 +1,10 @@
+{ fetchNuGet }: [
+  (fetchNuGet { pname = "runtime.linux-arm64.Microsoft.NETCore.ILAsm"; sha256 = "8985f0b9855daaf8b4a38f32a91902bdbb99a2f1801a98c68a5013d94842524e"; url = "https://pkgs.dev.azure.com/dnceng/9ee6d478-d288-47f7-aacc-f6e6d082ae6d/_packaging/a65e5cb4-26c0-410f-9457-06db3c5254be/nuget/v3/flat2/runtime.linux-arm64.microsoft.netcore.ilasm/8.0.1-servicing.23580.1/runtime.linux-arm64.microsoft.netcore.ilasm.8.0.1-servicing.23580.1.nupkg"; version = "8.0.1-servicing.23580.1"; })
+  (fetchNuGet { pname = "runtime.linux-arm64.Microsoft.NETCore.ILDAsm"; sha256 = "0496a403691e50662c5aef598248d8cd92ad1da1e93a859aedee5bb91bb9c821"; url = "https://pkgs.dev.azure.com/dnceng/9ee6d478-d288-47f7-aacc-f6e6d082ae6d/_packaging/a65e5cb4-26c0-410f-9457-06db3c5254be/nuget/v3/flat2/runtime.linux-arm64.microsoft.netcore.ildasm/8.0.1-servicing.23580.1/runtime.linux-arm64.microsoft.netcore.ildasm.8.0.1-servicing.23580.1.nupkg"; version = "8.0.1-servicing.23580.1"; })
+  (fetchNuGet { pname = "runtime.linux-x64.Microsoft.NETCore.ILAsm"; sha256 = "0c5k9ckp7zjspyqqzz817jr8pglnn7wxhmv2hfk700swb96qhg0w"; url = "https://pkgs.dev.azure.com/dnceng/9ee6d478-d288-47f7-aacc-f6e6d082ae6d/_packaging/a65e5cb4-26c0-410f-9457-06db3c5254be/nuget/v3/flat2/runtime.linux-x64.microsoft.netcore.ilasm/8.0.1-servicing.23580.1/runtime.linux-x64.microsoft.netcore.ilasm.8.0.1-servicing.23580.1.nupkg"; version = "8.0.1-servicing.23580.1"; })
+  (fetchNuGet { pname = "runtime.linux-x64.Microsoft.NETCore.ILDAsm"; sha256 = "1pyydnypv9x25p7y35j85f8pxnyxq3w2vc8i84klq90kzgzig5a8"; url = "https://pkgs.dev.azure.com/dnceng/9ee6d478-d288-47f7-aacc-f6e6d082ae6d/_packaging/a65e5cb4-26c0-410f-9457-06db3c5254be/nuget/v3/flat2/runtime.linux-x64.microsoft.netcore.ildasm/8.0.1-servicing.23580.1/runtime.linux-x64.microsoft.netcore.ildasm.8.0.1-servicing.23580.1.nupkg"; version = "8.0.1-servicing.23580.1"; })
+  (fetchNuGet { pname = "runtime.osx-arm64.Microsoft.NETCore.ILAsm"; sha256 = "7609cfc7fd617a580caba18d458ed644ab799346139b3ead9df9502abe8d0541"; url = "https://pkgs.dev.azure.com/dnceng/9ee6d478-d288-47f7-aacc-f6e6d082ae6d/_packaging/a65e5cb4-26c0-410f-9457-06db3c5254be/nuget/v3/flat2/runtime.osx-arm64.microsoft.netcore.ilasm/8.0.1-servicing.23580.1/runtime.osx-arm64.microsoft.netcore.ilasm.8.0.1-servicing.23580.1.nupkg"; version = "8.0.1-servicing.23580.1"; })
+  (fetchNuGet { pname = "runtime.osx-arm64.Microsoft.NETCore.ILDAsm"; sha256 = "6a969c2f6261834ab8ec9829cffed5a1a1f35667bf382b7c902d1b26db192e27"; url = "https://pkgs.dev.azure.com/dnceng/9ee6d478-d288-47f7-aacc-f6e6d082ae6d/_packaging/a65e5cb4-26c0-410f-9457-06db3c5254be/nuget/v3/flat2/runtime.osx-arm64.microsoft.netcore.ildasm/8.0.1-servicing.23580.1/runtime.osx-arm64.microsoft.netcore.ildasm.8.0.1-servicing.23580.1.nupkg"; version = "8.0.1-servicing.23580.1"; })
+  (fetchNuGet { pname = "runtime.osx-x64.Microsoft.NETCore.ILAsm"; sha256 = "a8b90caa9ead7defdf8b9570dcb3e0cec146dff892a88fb825fedb7ee0fe620f"; url = "https://pkgs.dev.azure.com/dnceng/9ee6d478-d288-47f7-aacc-f6e6d082ae6d/_packaging/a65e5cb4-26c0-410f-9457-06db3c5254be/nuget/v3/flat2/runtime.osx-x64.microsoft.netcore.ilasm/8.0.1-servicing.23580.1/runtime.osx-x64.microsoft.netcore.ilasm.8.0.1-servicing.23580.1.nupkg"; version = "8.0.1-servicing.23580.1"; })
+  (fetchNuGet { pname = "runtime.osx-x64.Microsoft.NETCore.ILDAsm"; sha256 = "eade428d642bdbb2271610c5d781a61ab367dbd3e776477a7b5948bda62252b5"; url = "https://pkgs.dev.azure.com/dnceng/9ee6d478-d288-47f7-aacc-f6e6d082ae6d/_packaging/a65e5cb4-26c0-410f-9457-06db3c5254be/nuget/v3/flat2/runtime.osx-x64.microsoft.netcore.ildasm/8.0.1-servicing.23580.1/runtime.osx-x64.microsoft.netcore.ildasm.8.0.1-servicing.23580.1.nupkg"; version = "8.0.1-servicing.23580.1"; })
+]
diff --git a/pkgs/development/compilers/dotnet/8/release-info.json b/pkgs/development/compilers/dotnet/8/release-info.json
new file mode 100644
index 000000000000..2a316ed2de94
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/8/release-info.json
@@ -0,0 +1,5 @@
+{
+  "tarballHash": "sha256-OTCFPhQ9PHnQ0f7UzgHryEsBIaKCOm/L6pkURw/RY2s=",
+  "artifactsUrl": "https://dotnetcli.azureedge.net/source-built-artifacts/assets/Private.SourceBuilt.Artifacts.8.0.101-servicing.23601.1.centos.8-x64.tar.gz",
+  "artifactsHash": "sha256-RLrEPFkB9NvnzJFJ0zSFbGNpMKR4EsyBu3T/JwAxgzc="
+}
diff --git a/pkgs/development/compilers/dotnet/8/release.json b/pkgs/development/compilers/dotnet/8/release.json
new file mode 100644
index 000000000000..de0aaf95f3eb
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/8/release.json
@@ -0,0 +1,9 @@
+{
+  "release": "8.0.2",
+  "channel": "8.0",
+  "tag": "v8.0.2",
+  "sdkVersion": "8.0.102",
+  "runtimeVersion": "8.0.2",
+  "sourceRepository": "https://github.com/dotnet/dotnet",
+  "sourceVersion": "d396b0c4d3e51c2d8d679b2f7233912bc5bfc2fa"
+}
diff --git a/pkgs/development/compilers/dotnet/build-dotnet.nix b/pkgs/development/compilers/dotnet/build-dotnet.nix
index be2ec26c55a7..8ee0bd9e7b3a 100644
--- a/pkgs/development/compilers/dotnet/build-dotnet.nix
+++ b/pkgs/development/compilers/dotnet/build-dotnet.nix
@@ -24,6 +24,7 @@ assert if type == "sdk" then packages != null else true;
 , runCommand
 , writeShellScript
 , mkNugetDeps
+, callPackage
 }:
 
 let
@@ -41,13 +42,10 @@ let
     sdk = ".NET SDK ${version}";
   };
 
-  packageDeps = if type == "sdk" then mkNugetDeps {
-    name = "${pname}-${version}-deps";
-    nugetDeps = packages;
-  } else null;
+  mkCommon = callPackage ./common.nix {};
 
 in
-stdenv.mkDerivation (finalAttrs: rec {
+mkCommon type rec {
   inherit pname version;
 
   # Some of these dependencies are `dlopen()`ed.
@@ -88,11 +86,6 @@ stdenv.mkDerivation (finalAttrs: rec {
     runHook postInstall
   '';
 
-  doInstallCheck = true;
-  installCheckPhase = ''
-    $out/bin/dotnet --info
-  '';
-
   # Tell autoPatchelf about runtime dependencies.
   # (postFixup phase is run before autoPatchelfHook.)
   postFixup = lib.optionalString stdenv.isLinux ''
@@ -112,23 +105,15 @@ stdenv.mkDerivation (finalAttrs: rec {
       $out/packs/Microsoft.NETCore.App.Host.linux-x64/*/runtimes/linux-x64/native/singlefilehost
   '';
 
-  setupHook = writeText "dotnet-setup-hook" ''
-    if [ ! -w "$HOME" ]; then
-      export HOME=$(mktemp -d) # Dotnet expects a writable home directory for its configuration files
-    fi
-
-    export DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1 # Dont try to expand NuGetFallbackFolder to disk
-    export DOTNET_NOLOGO=1 # Disables the welcome message
-    export DOTNET_CLI_TELEMETRY_OPTOUT=1
-    export DOTNET_SKIP_WORKLOAD_INTEGRITY_CHECK=1 # Skip integrity check on first run, which fails due to read-only directory
-  '';
-
   passthru = {
     inherit icu;
-    packages = packageDeps;
+  } // lib.optionalAttrs (type == "sdk") {
+    packages = mkNugetDeps {
+      name = "${pname}-${version}-deps";
+      nugetDeps = packages;
+    };
 
     updateScript =
-      if type == "sdk" then
       let
         majorVersion =
           with lib;
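Review bot: With `lib.optionalAttrs (type == "sdk")`, `passthru.packages` and `passthru.updateScript` no longer exist on the runtime and aspnetcore derivations, where they used to be present with the value `null`. A consumer that tests `x.packages != null` or `x.updateScript != null` would now hit a missing-attribute evaluation error instead of taking the null branch; the callers are not visible in this hunk, so this needs checking. Either have consumers read `x.packages or null`, or add a comment at the merge such as `# packages/updateScript exist only on the sdk; use "or null" when probing`. The `passthru` set continues past the end of this hunk.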
@@ -137,40 +122,7 @@ stdenv.mkDerivation (finalAttrs: rec {
       writeShellScript "update-dotnet-${majorVersion}" ''
         pushd pkgs/development/compilers/dotnet
         exec ${./update.sh} "${majorVersion}"
-      '' else null;
-
-    tests = {
-      version = testers.testVersion {
-        package = finalAttrs.finalPackage;
-      };
-
-      console = runCommand "dotnet-test-console" {
-        nativeBuildInputs = [ finalAttrs.finalPackage ];
-      } ''
-        HOME=$(pwd)/fake-home
-        dotnet new nugetconfig
-        dotnet nuget disable source nuget
-        dotnet new console -n test -o .
-        output="$(dotnet run)"
-        # yes, older SDKs omit the comma
-        [[ "$output" =~ Hello,?\ World! ]] && touch "$out"
-      '';
-
-      single-file = let build = runCommand "dotnet-test-build-single-file" {
-        nativeBuildInputs = [ finalAttrs.finalPackage ];
-      } ''
-        HOME=$(pwd)/fake-home
-        dotnet new nugetconfig
-        dotnet nuget disable source nuget
-        dotnet nuget add source ${finalAttrs.finalPackage.packages}
-        dotnet new console -n test -o .
-        dotnet publish --use-current-runtime -p:PublishSingleFile=true -o $out
-      ''; in runCommand "dotnet-test-run-single-file" {} ''
-        output="$(${build}/test)"
-        # yes, older SDKs omit the comma
-        [[ "$output" =~ Hello,?\ World! ]] && touch "$out"
       '';
-    };
   };
 
   meta = with lib; {
@@ -181,4 +133,4 @@ stdenv.mkDerivation (finalAttrs: rec {
     mainProgram = "dotnet";
     platforms = attrNames srcs;
   };
-})
+}
diff --git a/pkgs/development/compilers/dotnet/combine-deps.nix b/pkgs/development/compilers/dotnet/combine-deps.nix
new file mode 100644
index 000000000000..a7c4356b34b0
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/combine-deps.nix
@@ -0,0 +1,40 @@
+{
+  list,
+  baseRid,
+  otherRids,
+  pkgs ? import ../../../.. {}
+}:
+with pkgs.lib;
+let
+  inherit (pkgs) writeText;
+
+  fns = map (file: import file) list;
+  packages = unique
+    (concatMap (fn: fn { fetchNuGet = package: package; }) fns);
+
+  changePackageRid = package: rid:
+    let replace = replaceStrings [".${baseRid}"] [".${rid}"];
+    in rec {
+      pname = replace package.pname;
+      inherit (package) version;
+      url = replace package.url;
+      sha256 = builtins.hashFile "sha256" (builtins.fetchurl url);
+    };
+
+  expandPackage = package:
+    [ package ] ++
+    optionals (strings.match ".*\\.${baseRid}(\\..*|$)" package.pname != null)
+    (map (changePackageRid package) otherRids);
+
+  allPackages =
+    sortOn (package: [ package.pname package.version package ])
+    (concatMap expandPackage packages);
+
+  fetchExpr = package:
+    "  (fetchNuGet ${generators.toPretty { multiline = false; } package})";
+
+in writeText "deps.nix" ''
+  { fetchNuGet }: [
+  ${concatMapStringsSep "\n" fetchExpr allPackages}
+  ]
+''
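Review bot: In `changePackageRid`, `sha256 = builtins.hashFile "sha256" (builtins.fetchurl url)` records the digest of whatever the feed serves when the generator runs, so the hashes for the `otherRids` packages are trust-on-first-use and not checked against any independently obtained value. That may be unavoidable for a generator, but it should be stated so that reviewers of a regenerated deps.nix know these entries were never cross-checked, e.g. `# hash is computed from the unpinned download itself; review regenerated entries before merging`. The derived entries also come out as hex digests while the base-RID entries keep their original encoding (the mixed forms in 8/deps.nix suggest this), which makes the generated file harder to compare by eye.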
diff --git a/pkgs/development/compilers/dotnet/common.nix b/pkgs/development/compilers/dotnet/common.nix
new file mode 100644
index 000000000000..0d8890e61da2
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/common.nix
@@ -0,0 +1,63 @@
+# TODO: switch to stdenvNoCC
+{ stdenv
+, lib
+, writeText
+, testers
+, runCommand
+}: type: args: stdenv.mkDerivation (finalAttrs: args // {
+  doInstallCheck = true;
+
+  # TODO: this should probably be postInstallCheck
+  # TODO: send output to /dev/null
+  installCheckPhase = args.installCheckPhase or "" + ''
+    $out/bin/dotnet --info
+  '';
+
+  # TODO: move this to sdk section?
+  setupHook = writeText "dotnet-setup-hook" (''
+    if [ ! -w "$HOME" ]; then
+      export HOME=$(mktemp -d) # Dotnet expects a writable home directory for its configuration files
+    fi
+
+    export DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1 # Dont try to expand NuGetFallbackFolder to disk
+    export DOTNET_NOLOGO=1 # Disables the welcome message
+    export DOTNET_CLI_TELEMETRY_OPTOUT=1
+    export DOTNET_SKIP_WORKLOAD_INTEGRITY_CHECK=1 # Skip integrity check on first run, which fails due to read-only directory
+  '' + args.setupHook or "");
+
+} // lib.optionalAttrs (type == "sdk") {
+  passthru = {
+    tests = {
+      version = testers.testVersion {
+        package = finalAttrs.finalPackage;
+      };
+
+      console = runCommand "dotnet-test-console" {
+        nativeBuildInputs = [ finalAttrs.finalPackage ];
+      } ''
+        HOME=$(pwd)/fake-home
+        dotnet new nugetconfig
+        dotnet nuget disable source nuget
+        dotnet new console -n test -o .
+        output="$(dotnet run)"
+        # yes, older SDKs omit the comma
+        [[ "$output" =~ Hello,?\ World! ]] && touch "$out"
+      '';
+
+      single-file = let build = runCommand "dotnet-test-build-single-file" {
+        nativeBuildInputs = [ finalAttrs.finalPackage ];
+      } ''
+        HOME=$(pwd)/fake-home
+        dotnet new nugetconfig
+        dotnet nuget disable source nuget
+        dotnet nuget add source ${finalAttrs.finalPackage.packages}
+        dotnet new console -n test -o .
+        dotnet publish --use-current-runtime -p:PublishSingleFile=true -o $out
+      ''; in runCommand "dotnet-test-run-single-file" {} ''
+        output="$(${build}/test)"
+        # yes, older SDKs omit the comma
+        [[ "$output" =~ Hello,?\ World! ]] && touch "$out"
+      '';
+    } // args.passthru.tests or {};
+  } // args.passthru or {};
+})
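Review bot: In the sdk-only `passthru`, the outer `// args.passthru or {}` is applied after `tests` has been built, so a caller that passes its own `passthru.tests` replaces the whole `tests` set and the common `version`, `console` and `single-file` checks disappear without any error. The inner `// args.passthru.tests or {}` shows the intent was to merge, and neither caller visible in this commit passes `passthru.tests`, so the problem is latent. Putting the caller's attributes first keeps the merged tests: `passthru = args.passthru or {} // { tests = { ... } // args.passthru.tests or {}; };`.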
diff --git a/pkgs/development/compilers/dotnet/default.nix b/pkgs/development/compilers/dotnet/default.nix
index 814560e49bee..1960488f840a 100644
--- a/pkgs/development/compilers/dotnet/default.nix
+++ b/pkgs/development/compilers/dotnet/default.nix
@@ -5,7 +5,7 @@ dotnetCombined = with dotnetCorePackages; combinePackages [ sdk_6_0 aspnetcore_7
 Hashes and urls are retrieved from:
 https://dotnet.microsoft.com/download/dotnet
 */
-{ lib, config, callPackage }:
+{ lib, config, callPackage, recurseIntoAttrs }:
 let
   buildDotnet = attrs: callPackage (import ./build-dotnet.nix attrs) {};
   buildAttrs = {
@@ -18,6 +18,7 @@ let
   dotnet_6_0 = import ./versions/6.0.nix buildAttrs;
   dotnet_7_0 = import ./versions/7.0.nix buildAttrs;
   dotnet_8_0 = import ./versions/8.0.nix buildAttrs;
+  dotnet_8_0_102 = import ./versions/8.0.102.nix buildAttrs;
 
   runtimeIdentifierMap = {
     "x86_64-linux" = "linux-x64";
@@ -35,6 +36,8 @@ in
   inherit systemToDotnetRid;
 
   combinePackages = attrs: callPackage (import ./combine-packages.nix attrs) {};
+
+  dotnet_8 = recurseIntoAttrs (callPackage ./8 { bootstrapSdk = dotnet_8_0_102.sdk_8_0; });
 } // lib.optionalAttrs config.allowAliases {
   # EOL
   sdk_2_1 = throw "Dotnet SDK 2.1 is EOL, please use 6.0 (LTS) or 7.0 (Current)";
diff --git a/pkgs/development/compilers/dotnet/dotnet.nix b/pkgs/development/compilers/dotnet/dotnet.nix
new file mode 100644
index 000000000000..90541215f949
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/dotnet.nix
@@ -0,0 +1,50 @@
+{ callPackage
+, lib
+, releaseManifestFile
+, releaseInfoFile
+, allowPrerelease ? false
+, depsFile
+, bootstrapSdk
+, pkgsBuildHost
+}:
+
+let
+  inherit (lib.importJSON releaseInfoFile) tarballHash artifactsUrl artifactsHash;
+
+  pkgs = callPackage ./stage1.nix {
+    inherit releaseManifestFile tarballHash depsFile;
+    bootstrapSdk =
+      { stdenvNoCC
+      , dotnetCorePackages
+      , fetchurl
+      }: bootstrapSdk.overrideAttrs (old: {
+        passthru = old.passthru or {} // {
+          artifacts = stdenvNoCC.mkDerivation rec {
+            name = lib.nameFromURL artifactsUrl ".tar.gz";
+
+            src = fetchurl {
+              url = artifactsUrl;
+              hash = artifactsHash;
+            };
+
+            sourceRoot = ".";
+
+            installPhase = ''
+              mkdir -p $out
+              cp -r * $out/
+              ln -fs ${old.passthru.packages}/* $out/
+            '';
+          };
+        };
+      });
+  };
+
+in pkgs // {
+  vmr = pkgs.vmr.overrideAttrs(old: {
+    passthru = old.passthru // {
+      updateScript = pkgsBuildHost.callPackage ./update.nix {
+        inherit releaseManifestFile releaseInfoFile allowPrerelease;
+      };
+    };
+  });
+}
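Review bot: In the `artifacts` installPhase, `ln -fs ${old.passthru.packages}/* $out/` forces links over any same-named entry that was just copied from the hash-pinned tarball, so on a name collision the bootstrap SDK's package wins and nothing in the log shows it. If that precedence is intended, say so with a comment such as `# bootstrap SDK packages deliberately take precedence over the artifacts tarball`; otherwise drop `-f` so a collision fails the build. The same line reads `old.passthru.packages` unconditionally, although the enclosing expression allows for a missing `passthru` with `old.passthru or {}`, so the two should agree on whether the attribute is required. The phase also omits `runHook preInstall` / `runHook postInstall`, which the install phases in packages.nix do call.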
diff --git a/pkgs/development/compilers/dotnet/fix-aspnetcore-portable-build.patch b/pkgs/development/compilers/dotnet/fix-aspnetcore-portable-build.patch
new file mode 100644
index 000000000000..47c6f997a811
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/fix-aspnetcore-portable-build.patch
@@ -0,0 +1,25 @@
+From ebc2540f8d0aba2e5ec2f0d5f5889100475ad93e Mon Sep 17 00:00:00 2001
+From: David McFarland <corngood@gmail.com>
+Date: Mon, 1 Jan 2024 12:45:41 -0400
+Subject: [PATCH] fix aspnetcore portable build
+
+https://github.com/dotnet/installer/pull/15163#issuecomment-1873396096
+---
+ repo-projects/aspnetcore.proj | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/repo-projects/aspnetcore.proj b/repo-projects/aspnetcore.proj
+index e3f4b1664a..947532add9 100644
+--- a/repo-projects/aspnetcore.proj
++++ b/repo-projects/aspnetcore.proj
+@@ -8,6 +8,7 @@
+     <OverrideTargetRid Condition="'$(TargetOS)' == 'Windows_NT'">win-$(Platform)</OverrideTargetRid>
+     <_portableRidOverridden Condition="'$(TargetRid)' != '$(OverrideTargetRid)'">true</_portableRidOverridden>
+     <_portableRidOverridden Condition="'$(TargetRid)' == '$(OverrideTargetRid)'">false</_portableRidOverridden>
++    <_portableRidOverridden Condition="'$(PortableBuild)' != ''">$(PortableBuild)</_portableRidOverridden>
+ 
+     <!-- StandardSourceBuildArgs include -publish which is not supported by the aspnetcore build script. -->
+     <BuildCommandArgs>$(StandardSourceBuildArgs.Replace('--publish', ''))</BuildCommandArgs>
+-- 
+2.40.1
+
diff --git a/pkgs/development/compilers/dotnet/fix-tmp-path.patch b/pkgs/development/compilers/dotnet/fix-tmp-path.patch
new file mode 100644
index 000000000000..54d7cf2c81df
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/fix-tmp-path.patch
@@ -0,0 +1,27 @@
+From e0bd79c04c3647dd5abec5e60c031b1f2762a84c Mon Sep 17 00:00:00 2001
+From: David McFarland <corngood@gmail.com>
+Date: Wed, 10 Jan 2024 02:25:46 -0400
+Subject: [PATCH] fix-tmp-path
+
+---
+ build.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/build.sh b/build.sh
+index a1224e4369..555a88fc95 100755
+--- a/build.sh
++++ b/build.sh
+@@ -211,8 +211,8 @@ elif [ -d "$packagesArchiveDir" ]; then
+   if [ -f "${packagesPreviouslySourceBuiltDir}}PackageVersions.props" ]; then
+     packageVersionsPath=${packagesPreviouslySourceBuiltDir}PackageVersions.props
+   elif [ -f "$sourceBuiltArchive" ]; then
+-    tar -xzf "$sourceBuiltArchive" -C /tmp PackageVersions.props
+-    packageVersionsPath=/tmp/PackageVersions.props
++    tar -xzf "$sourceBuiltArchive" PackageVersions.props
++    packageVersionsPath=$PWD/PackageVersions.props
+   fi
+ fi
+ 
+-- 
+2.40.1
+
diff --git a/pkgs/development/compilers/dotnet/packages.nix b/pkgs/development/compilers/dotnet/packages.nix
new file mode 100644
index 000000000000..3eef77ff7144
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/packages.nix
@@ -0,0 +1,99 @@
+{ stdenv
+, callPackage
+, vmr
+}:
+
+let
+  mkCommon = callPackage ./common.nix {};
+  inherit (vmr) targetRid releaseManifest;
+
+in {
+  inherit vmr;
+  sdk = mkCommon "sdk" rec {
+    pname = "dotnet-sdk";
+    version = releaseManifest.sdkVersion;
+
+    src = vmr;
+    dontUnpack = true;
+
+    outputs = [ "out" "packages" "artifacts" ];
+
+    installPhase = ''
+      runHook preInstall
+
+      cp -r "$src"/dotnet-sdk-${version}-${targetRid} "$out"
+      chmod +w "$out"
+      mkdir "$out"/bin
+      ln -s "$out"/dotnet "$out"/bin/dotnet
+
+      mkdir "$packages"
+      # this roughly corresponds to the {sdk,aspnetcore}_packages in ../update.sh
+      cp -r "$src"/Private.SourceBuilt.Artifacts.*.${targetRid}/*Microsoft.{NET.ILLink.Tasks,NETCore,DotNet,AspNetCore}.*.nupkg "$packages"
+
+      cp -r "$src"/Private.SourceBuilt.Artifacts.*.${targetRid} "$artifacts"
+
+      runHook postInstall
+    '';
+
+    passthru = {
+      inherit (vmr) icu targetRid updateScript;
+    };
+
+    meta = vmr.meta // {
+      mainProgram = "dotnet";
+    };
+  };
+
+  runtime = mkCommon "runtime" rec {
+    pname = "dotnet-runtime";
+    version = releaseManifest.runtimeVersion;
+
+    src = vmr;
+    dontUnpack = true;
+
+    outputs = [ "out" ];
+
+    installPhase = ''
+      runHook preInstall
+
+      cp -r "$src/dotnet-runtime-${version}-${targetRid}" "$out"
+      chmod +w "$out"
+      mkdir "$out"/bin
+      ln -s "$out"/dotnet "$out"/bin/dotnet
+
+      runHook postInstall
+    '';
+
+    meta = vmr.meta // {
+      mainProgram = "dotnet";
+    };
+  };
+
+  aspnetcore = mkCommon "aspnetcore" rec {
+    pname = "dotnet-aspnetcore-runtime";
+    version = releaseManifest.aspnetcoreRuntimeVersion or releaseManifest.runtimeVersion;
+
+    src = vmr;
+    dontUnpack = true;
+
+    outputs = [ "out" ];
+
+    installPhase = ''
+      runHook preInstall
+
+      cp -r "$src/dotnet-runtime-${releaseManifest.runtimeVersion}-${targetRid}" "$out"
+      chmod +w "$out"
+      mkdir "$out"/bin
+      ln -s "$out"/dotnet "$out"/bin/dotnet
+
+      chmod +w "$out"/shared
+      cp -Tr "$src/aspnetcore-runtime-${version}-${targetRid}" "$out"
+
+      runHook postInstall
+    '';
+
+    meta = vmr.meta // {
+      mainProgram = "dotnet";
+    };
+  };
+}
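Review bot: The `aspnetcore` installPhase appears to rely on an undocumented layout assumption: after copying the runtime tree out of the store only `"$out"` and `"$out"/shared` are made writable, so `cp -Tr "$src/aspnetcore-runtime-${version}-${targetRid}" "$out"` can only succeed if the overlay adds new entries there and never rewrites a file the runtime tree already contains. A comment above the second `chmod` would make that explicit, e.g. `# the aspnetcore tree must only add entries under shared/; everything else from the runtime copy stays read-only`. Separately, the `stdenv` argument in the function header is not referenced anywhere in this file and can be dropped.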
diff --git a/pkgs/development/compilers/dotnet/patch-nupkgs.nix b/pkgs/development/compilers/dotnet/patch-nupkgs.nix
new file mode 100644
index 000000000000..0f1173056f04
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/patch-nupkgs.nix
@@ -0,0 +1,62 @@
+{ stdenv
+, lib
+, dotnetCorePackages
+, zlib
+, curl
+, icu
+, libunwind
+, libuuid
+, openssl
+, lttng-ust_2_12
+, writeShellScriptBin
+}:
+
+let
+  buildRid = dotnetCorePackages.systemToDotnetRid stdenv.buildPlatform.system;
+
+  binaryRPath = lib.makeLibraryPath ([
+    stdenv.cc.cc
+    zlib
+    curl
+    icu
+    libunwind
+    libuuid
+    openssl
+  ] ++ lib.optional stdenv.isLinux lttng-ust_2_12);
+
+in writeShellScriptBin "patch-nupkgs" ''
+  set -euo pipefail
+  shopt -s nullglob
+  isELF() {
+      local fn="$1"
+      local fd
+      local magic
+      exec {fd}< "$fn"
+      read -r -n 4 -u "$fd" magic
+      exec {fd}<&-
+      if [ "$magic" = $'\177ELF' ]; then return 0; else return 1; fi
+  }
+  cd "$1"
+  for x in *.${buildRid}/* *.${buildRid}.*/*; do
+    [[ -d "$x" ]] && [[ ! -f "$x"/.nix-patched ]] || continue
+    echo "Patching package $x"
+    pushd "$x"
+    for p in $(find -type f); do
+      if [[ "$p" != *.nix-patched ]] && isELF "$p"; then
+        tmp="$p".$$.nix-patched
+        # if this fails to copy then another process must have patched it
+        cp --reflink=auto "$p" "$tmp" || continue
+        echo "Patchelfing $p as $tmp"
+        patchelf \
+          --set-interpreter "${stdenv.cc.bintools.dynamicLinker}" \
+          "$tmp" ||:
+        patchelf \
+          --set-rpath "${binaryRPath}" \
+          "$tmp" ||:
+        mv "$tmp" "$p"
+      fi
+    done
+    touch .nix-patched
+    popd
+  done
+''
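Review bot: `for p in $(find -type f)` word-splits the file list, so a package file whose path contains whitespace reaches `isELF` in pieces and is never patched, while the directory is still marked `.nix-patched`. Iterating NUL-delimited avoids this: `while IFS= read -r -d '' p; do` … `done < <(find . -type f -print0)`. Both `patchelf` calls also end in `||:` and the temporary file is moved over the original regardless, so a failed patch cannot be told apart from a successful one in the log. If tolerating failures is deliberate, for instance for binaries without an interpreter, a one-line comment saying so would help whoever debugs a broken restore later.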
diff --git a/pkgs/development/compilers/dotnet/patch-restored-packages.proj b/pkgs/development/compilers/dotnet/patch-restored-packages.proj
new file mode 100644
index 000000000000..bef12d6308f9
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/patch-restored-packages.proj
@@ -0,0 +1,8 @@
+<Project>
+  <Target Name="PatchIlasm" AfterTargets="ResolveIlToolPaths">
+    <Exec Command="patch-nupkgs $(NUGET_PACKAGES) 2>&amp;1"/>
+  </Target>
+  <Target Name="PatchCrossgen" AfterTargets="Restore;_PrepareForReadyToRunCompilation;PrepareForCrossGen">
+    <Exec Command="patch-nupkgs $(NUGET_PACKAGES) 2>&amp;1"/>
+  </Target>
+</Project>
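Review bot: Both `Exec` commands pass `$(NUGET_PACKAGES)` to `patch-nupkgs` unquoted, so a package directory containing a space or shell metacharacter is split or interpreted by the shell before the script's `cd "$1"` sees it. Quoting the expansion, `Command="patch-nupkgs &quot;$(NUGET_PACKAGES)&quot; 2>&amp;1"`, keeps it a single argument. The two targets run the same command, so a one-line comment on why it is hooked both after `ResolveIlToolPaths` and after the restore/crossgen targets would help the next reader.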
diff --git a/pkgs/development/compilers/dotnet/record-downloaded-packages.patch b/pkgs/development/compilers/dotnet/record-downloaded-packages.patch
new file mode 100644
index 000000000000..4c5b45939d76
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/record-downloaded-packages.patch
@@ -0,0 +1,42 @@
+From a5a4a77dd77ed5c997bec6519adf7b6be3108af2 Mon Sep 17 00:00:00 2001
+From: David McFarland <corngood@gmail.com>
+Date: Sun, 31 Dec 2023 01:48:31 -0400
+Subject: [PATCH 2/2] record downloaded packages
+
+---
+ .../buildBootstrapPreviouslySB.csproj         |  6 +++++
+ repo-projects/Directory.Build.targets         | 27 +++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/eng/bootstrap/buildBootstrapPreviouslySB.csproj b/eng/bootstrap/buildBootstrapPreviouslySB.csproj
+index d85e32ca76..280c9eaf89 100644
+--- a/eng/bootstrap/buildBootstrapPreviouslySB.csproj
++++ b/eng/bootstrap/buildBootstrapPreviouslySB.csproj
+@@ -102,6 +102,12 @@
+     </ItemGroup>
+   </Target>
+ 
++  <Target Name="NuGetToNix" AfterTargets="Restore">
++    <Exec
++        Command="nuget-to-nix $(RestorePackagesPath) >$(ArchiveDir)deps.nix 2>&amp;1"
++        WorkingDirectory="$(MSBuildProjectDirectory)"/>
++  </Target>
++
+   <Target Name="BuildBoostrapPreviouslySourceBuilt"
+           AfterTargets="Restore"
+           DependsOnTargets="GetPackagesToDownload">
+diff --git a/repo-projects/Directory.Build.targets b/repo-projects/Directory.Build.targets
+index 3fa15da862..afd7b87088 100644
+--- a/repo-projects/Directory.Build.targets
++++ b/repo-projects/Directory.Build.targets
+@@ -471,6 +497,7 @@
+     <ItemGroup>
+       <LogFilesToCopy Include="$(ProjectDirectory)artifacts/**/*.log" />
+       <LogFilesToCopy Include="$(ProjectDirectory)artifacts/**/*.binlog" />
++      <LogFilesToCopy Include="$(ProjectDirectory)artifacts/**/deps.nix" />
+       <ObjFilesToCopy Include="$(ProjectDirectory)artifacts/**/project.assets.json" />
+     </ItemGroup>
+     <MakeDir Directories="$(BuildLogsDir)" Condition="Exists('$(ProjectDirectory)artifacts')"/>
+-- 
+2.40.1
+
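Review bot: The added `NuGetToNix` target redirects with `>$(ArchiveDir)deps.nix 2>&amp;1`, so anything `nuget-to-nix` prints on stderr ends up inside the generated `deps.nix`. The sibling `record-downloaded-packages.proj` keeps the two streams apart with `2>'$(ProjectDirectory)deps.out'`, and doing the same here would keep warnings out of the dependency list. Separately, the embedded diffstat reports 27 insertions in `repo-projects/Directory.Build.targets` and the hunk header `-471,6 +497,7` implies 26 lines added earlier in that file, but only this one-line hunk is present. If the patch was trimmed by hand, it is worth regenerating so the header matches what is actually applied.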
diff --git a/pkgs/development/compilers/dotnet/record-downloaded-packages.proj b/pkgs/development/compilers/dotnet/record-downloaded-packages.proj
new file mode 100644
index 000000000000..f85da42ec2be
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/record-downloaded-packages.proj
@@ -0,0 +1,13 @@
+<Project>
+  <Target Name="NuGetToNix"
+    BeforeTargets="CopyInnerBuildRestoredPackages">
+    <ItemGroup>
+      <_NuGetToNixPackageCache Include="$(ProjectDirectory)artifacts/sb/package-cache/"/>
+      <_NuGetToNixPackageCache Include="$(ProjectDirectory)artifacts/source-build/self/package-cache/"/>
+    </ItemGroup>
+    <Exec
+      Command="nuget-to-nix '@(_NuGetToNixPackageCache)' >'$(ProjectDirectory)deps.nix' 2>'$(ProjectDirectory)deps.out'"
+      WorkingDirectory="$(ProjectDirectory)"
+      Condition="Exists('%(Identity)')"/>
+  </Target>
+</Project>
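Review bot: The `Exec` carries `Condition="Exists('%(Identity)')"`, which makes MSBuild batch the task per `_NuGetToNixPackageCache` item, and every batch redirects with `>` to the same `deps.nix` and `deps.out`. If both package-cache directories exist, the second run would appear to overwrite what the first recorded, leaving the dependency list incomplete without any error. If only one of the two directories is ever expected to exist, a comment saying so would settle it. Otherwise filter the items first and run the tool once over the existing ones, or append with `>>` after clearing the file.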
diff --git a/pkgs/development/compilers/dotnet/sign-apphost.nix b/pkgs/development/compilers/dotnet/sign-apphost.nix
new file mode 100644
index 000000000000..f804ab79d332
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/sign-apphost.nix
@@ -0,0 +1,10 @@
+{ substituteAll
+, callPackage
+}:
+let
+  sigtool = callPackage ./sigtool.nix {};
+
+in substituteAll {
+  src = ./sign-apphost.proj;
+  codesign = "${sigtool}/bin/codesign";
+}
diff --git a/pkgs/development/compilers/dotnet/sign-apphost.proj b/pkgs/development/compilers/dotnet/sign-apphost.proj
new file mode 100644
index 000000000000..e401739bdd70
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/sign-apphost.proj
@@ -0,0 +1,11 @@
+<Project>
+  <Target Name="SignAppHost" AfterTargets="_CreateAppHost" Condition="'$(AppHostIntermediatePath)' != ''">
+    <Exec Command='@codesign@ -f -s - "$(AppHostIntermediatePath)" 2>&amp;1'/>
+  </Target>
+  <Target Name="UnsignBundle" BeforeTargets="GenerateSingleFileBundle" Condition="'$(PublishedSingleFileName)' != ''">
+    <Exec Command='@codesign@ --remove-signature "@(FilesToBundle)" 2>&amp;1' Condition="'%(FilesToBundle.RelativePath)' == '$(PublishedSingleFileName)'"/>
+  </Target>
+  <Target Name="SignBundle" AfterTargets="GenerateSingleFileBundle" Condition="'$(PublishedSingleFilePath)' != ''">
+    <Exec Command='@codesign@ -f -s - "$(PublishedSingleFilePath)" 2>&amp;1'/>
+  </Target>
+</Project>
diff --git a/pkgs/development/compilers/dotnet/sigtool.nix b/pkgs/development/compilers/dotnet/sigtool.nix
new file mode 100644
index 000000000000..658ee578ae98
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/sigtool.nix
@@ -0,0 +1,27 @@
+{ darwin
+, fetchFromGitHub
+, makeWrapper
+}:
+let
+  cctools = darwin.cctools;
+
+in darwin.sigtool.overrideAttrs (old: {
+  # this is a fork of sigtool that supports -v and --remove-signature, which are
+  # used by the dotnet sdk
+  src = fetchFromGitHub {
+    owner = "corngood";
+    repo = "sigtool";
+    rev = "new-commands";
+    sha256 = "sha256-EVM5ZG3sAHrIXuWrnqA9/4pDkJOpWCeBUl5fh0mkK4k=";
+  };
+
+  nativeBuildInputs = old.nativeBuildInputs or [] ++ [
+    makeWrapper
+  ];
+
+  postInstall = old.postInstall or "" + ''
+    wrapProgram $out/bin/codesign \
+      --set-default CODESIGN_ALLOCATE \
+        "${cctools}/bin/${cctools.targetPrefix}codesign_allocate"
+  '';
+})
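Review bot: `rev = "new-commands"` names a branch of a personal fork rather than a commit, so the source this derivation describes can change underneath it. The `sha256` still stops different content from being accepted, but once the branch moves the fetch fails for anyone without a cached copy, and the expression no longer records which revision was reviewed. Pinning the commit, `rev = "<full-commit-sha>";` (placeholder, the hash is not shown on this page), with the branch name kept in a comment, addresses both.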
diff --git a/pkgs/development/compilers/dotnet/stage0.nix b/pkgs/development/compilers/dotnet/stage0.nix
new file mode 100644
index 000000000000..d12d1a6c3d13
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/stage0.nix
@@ -0,0 +1,126 @@
+{ stdenv
+, stdenvNoCC
+, callPackage
+, lib
+, writeShellScript
+, pkgsBuildHost
+, mkNugetDeps
+, nix
+, cacert
+, nuget-to-nix
+, dotnetCorePackages
+, xmlstarlet
+
+, releaseManifestFile
+, tarballHash
+, depsFile
+, bootstrapSdk
+}:
+
+let
+  mkPackages = callPackage ./packages.nix;
+  mkVMR = callPackage ./vmr.nix;
+
+  dotnetSdk = pkgsBuildHost.callPackage bootstrapSdk {};
+
+  patchNupkgs = pkgsBuildHost.callPackage ./patch-nupkgs.nix {};
+
+  signAppHost = callPackage ./sign-apphost.nix {};
+
+  deps = mkNugetDeps {
+    name = "dotnet-vmr-deps";
+    sourceFile = depsFile;
+  };
+
+  vmr = (mkVMR {
+    inherit releaseManifestFile tarballHash dotnetSdk;
+  }).overrideAttrs (old: rec {
+    prebuiltPackages = mkNugetDeps {
+      name = "dotnet-vmr-deps";
+      sourceFile = depsFile;
+    };
+
+    nativeBuildInputs =
+      old.nativeBuildInputs or []
+      ++ [ xmlstarlet ]
+      ++ lib.optional stdenv.isLinux patchNupkgs;
+
+    postPatch = old.postPatch or "" + lib.optionalString stdenv.isLinux ''
+      xmlstarlet ed \
+        --inplace \
+        -s //Project -t elem -n Import \
+        -i \$prev -t attr -n Project -v "${./patch-restored-packages.proj}" \
+        src/*/Directory.Build.targets
+    '' + lib.optionalString stdenv.isDarwin ''
+      xmlstarlet ed \
+        --inplace \
+        -s //Project -t elem -n Import \
+        -i \$prev -t attr -n Project -v "${signAppHost}" \
+        src/runtime/Directory.Build.targets
+    '';
+
+    postConfigure = old.postConfigure or "" + ''
+      [[ ! -v prebuiltPackages ]] || ln -sf "$prebuiltPackages"/* prereqs/packages/prebuilt/
+    '';
+
+    passthru = old.passthru or {} // { fetch-deps =
+      let
+        inherit (vmr) targetRid updateScript;
+        otherRids =
+          lib.remove targetRid (
+            map (system: dotnetCorePackages.systemToDotnetRid system)
+              vmr.meta.platforms);
+
+        pkg = vmr.overrideAttrs (old: {
+          nativeBuildInputs = old.nativeBuildInputs ++ [
+            nix
+            cacert
+            (nuget-to-nix.override { dotnet-sdk = dotnetSdk; })
+          ];
+          postPatch = old.postPatch or "" + ''
+            xmlstarlet ed \
+              --inplace \
+              -s //Project -t elem -n Import \
+              -i \$prev -t attr -n Project -v "${./record-downloaded-packages.proj}" \
+              repo-projects/Directory.Build.targets
+            # make nuget-client use the standard arcade package-cache dir, which
+            # is where we scan for dependencies
+            xmlstarlet ed \
+              --inplace \
+              -s //Project -t elem -n ItemGroup \
+              -s \$prev -t elem -n EnvironmentVariables \
+              -i \$prev -t attr -n Include -v 'NUGET_PACKAGES=$(ProjectDirectory)artifacts/sb/package-cache/' \
+              repo-projects/nuget-client.proj
+          '';
+          buildFlags = [ "--online" ] ++ old.buildFlags;
+          prebuiltPackages = null;
+        });
+
+        drv = builtins.unsafeDiscardOutputDependency pkg.drvPath;
+      in
+        writeShellScript "fetch-dotnet-sdk-deps" ''
+          ${nix}/bin/nix-shell --pure --run 'source /dev/stdin' "${drv}" << 'EOF'
+          set -e
+
+          tmp=$(mktemp -d)
+          trap 'rm -fr "$tmp"' EXIT
+
+          HOME=$tmp/.home
+          cd "$tmp"
+
+          phases="''${prePhases[*]:-} unpackPhase patchPhase ''${preConfigurePhases[*]:-} \
+            configurePhase ''${preBuildPhases[*]:-} buildPhase checkPhase" \
+            genericBuild
+
+          depsFiles=(./src/*/deps.nix)
+
+          cat $(nix-build ${toString ./combine-deps.nix} \
+            --arg list "[ ''${depsFiles[*]} ]" \
+            --argstr baseRid ${targetRid} \
+            --arg otherRids '${lib.generators.toPretty { multiline = false; } otherRids}' \
+            ) > "${toString prebuiltPackages.sourceFile}"
+          EOF
+        '';
+    };
+  });
+in mkPackages { inherit vmr; }
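Review bot: In the `fetch-deps` script, `cat $(nix-build …) > "${toString prebuiltPackages.sourceFile}"` truncates the tracked deps file before `nix-build` has produced anything, and `set -e` does not stop on a failed command substitution used as an argument, so a failed combine step leaves the file empty or partial. Capturing the path first, `combined=$(nix-build …)` followed by `cat "$combined" > "…"`, lets the script abort with the old file intact. `depsFiles=(./src/*/deps.nix)` is also expanded without `nullglob`, so with no matches the literal pattern is handed to `combine-deps.nix`. The top-level `deps` binding is never referenced and duplicates `prebuiltPackages`.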
diff --git a/pkgs/development/compilers/dotnet/stage1.nix b/pkgs/development/compilers/dotnet/stage1.nix
new file mode 100644
index 000000000000..4212aaaab024
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/stage1.nix
@@ -0,0 +1,27 @@
+{ stdenv
+, lib
+, callPackage
+, pkgsBuildHost
+
+, releaseManifestFile
+, tarballHash
+, depsFile
+, bootstrapSdk
+}@args:
+
+let
+  mkPackages = callPackage ./packages.nix;
+  mkVMR = callPackage ./vmr.nix;
+
+  stage0 = pkgsBuildHost.callPackage ./stage0.nix args;
+
+  vmr = (mkVMR {
+    inherit releaseManifestFile tarballHash;
+    dotnetSdk = stage0.sdk;
+  }).overrideAttrs (old: {
+    passthru = old.passthru or {} // {
+      inherit (stage0.vmr) fetch-deps;
+    };
+  });
+
+in mkPackages { inherit vmr; }
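Review bot: `stage0` is built with `pkgsBuildHost.callPackage ./stage0.nix args`, but `args` (from `}@args`) holds every argument this function was called with, which includes the `stdenv`, `lib`, `callPackage` and `pkgsBuildHost` that the outer `callPackage` filled in. Passing them on would seem to override the build-platform values that `pkgsBuildHost.callPackage` is meant to supply, which only matters when cross-compiling. Forwarding just the four configuration arguments avoids that: `stage0 = pkgsBuildHost.callPackage ./stage0.nix { inherit releaseManifestFile tarballHash depsFile bootstrapSdk; };`. `stdenv` and `lib` are otherwise unused in this file.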
diff --git a/pkgs/development/compilers/dotnet/stop-passing-bare-sdk-arg-to-swiftc.patch b/pkgs/development/compilers/dotnet/stop-passing-bare-sdk-arg-to-swiftc.patch
new file mode 100644
index 000000000000..fa2606c0c6cd
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/stop-passing-bare-sdk-arg-to-swiftc.patch
@@ -0,0 +1,31 @@
+From 85a940f3f039704da73ee177c1848cd4b6ed029f Mon Sep 17 00:00:00 2001
+From: David McFarland <corngood@gmail.com>
+Date: Tue, 9 Jan 2024 15:10:00 -0400
+Subject: [PATCH] stop passing bare sdk arg to swiftc
+
+---
+ .../CMakeLists.txt                                          | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native.Apple/CMakeLists.txt b/src/runtime/src/native/libs/System.Security.Cryptography.Native.Apple/CMakeLists.txt
+index b847f5c3cd..cf8344ead0 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native.Apple/CMakeLists.txt
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native.Apple/CMakeLists.txt
+@@ -49,9 +49,13 @@ if (NOT SWIFT_COMPILER_TARGET AND CLR_CMAKE_TARGET_OSX)
+     set(SWIFT_COMPILER_TARGET "${CMAKE_OSX_ARCHITECTURES}-apple-${SWIFT_PLATFORM}${SWIFT_DEPLOYMENT_TARGET}${SWIFT_PLATFORM_SUFFIX}")
+ endif()
+ 
++if (CMAKE_OSX_SYSROOT)
++    set(SWIFT_ARGS -sdk ${CMAKE_OSX_SYSROOT})
++endif()
++
+ add_custom_command(
+     OUTPUT pal_swiftbindings.o
+-    COMMAND xcrun swiftc -emit-object -static -parse-as-library -runtime-compatibility-version none -sdk ${CMAKE_OSX_SYSROOT} -target ${SWIFT_COMPILER_TARGET} ${CMAKE_CURRENT_SOURCE_DIR}/pal_swiftbindings.swift -o pal_swiftbindings.o
++    COMMAND xcrun swiftc -emit-object -static -parse-as-library -runtime-compatibility-version none ${SWIFT_ARGS} -target ${SWIFT_COMPILER_TARGET} ${CMAKE_CURRENT_SOURCE_DIR}/pal_swiftbindings.swift -o pal_swiftbindings.o
+     MAIN_DEPENDENCY ${CMAKE_CURRENT_SOURCE_DIR}/pal_swiftbindings.swift
+     COMMENT "Compiling Swift file pal_swiftbindings.swift"
+ )
+-- 
+2.42.0
+
diff --git a/pkgs/development/compilers/dotnet/update.nix b/pkgs/development/compilers/dotnet/update.nix
new file mode 100644
index 000000000000..89291d2461d8
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/update.nix
@@ -0,0 +1,123 @@
+{ stdenvNoCC
+, lib
+, fetchurl
+, writeScript
+, nix
+, runtimeShell
+, curl
+, cacert
+, jq
+, yq
+, gnupg
+
+, releaseManifestFile
+, releaseInfoFile
+, allowPrerelease
+}:
+
+let
+  inherit (lib.importJSON releaseManifestFile) channel release;
+
+  pkg = stdenvNoCC.mkDerivation {
+    name = "update-dotnet-vmr-env";
+
+    nativeBuildInputs = [
+      nix
+      curl
+      cacert
+      jq
+      yq
+      gnupg
+    ];
+  };
+
+  releaseKey = fetchurl {
+    url = "https://dotnet.microsoft.com/download/dotnet/release-key-2023.asc";
+    hash = "sha256-F668QB55md0GQvoG0jeA66Fb2RbrsRhFTzTbXIX3GUo=";
+  };
+
+  drv = builtins.unsafeDiscardOutputDependency pkg.drvPath;
+
+in writeScript "update-dotnet-vmr.sh" ''
+  #! ${nix}/bin/nix-shell
+  #! nix-shell -i ${runtimeShell} --pure ${drv}
+  set -euo pipefail
+
+  query=$(cat <<EOF
+      map(
+          select(
+              ${lib.optionalString (!allowPrerelease) ".prerelease == false and"}
+              .draft == false and
+              (.name | startswith(".NET ${channel}")))) |
+      first | (
+          .name,
+          .tag_name,
+          (.assets |
+              .[] |
+              select(.name == "release.json") |
+              .browser_download_url),
+          (.assets |
+              .[] |
+              select(.name | endswith(".tar.gz.sig")) |
+              .browser_download_url))
+  EOF
+  )
+
+  (
+      curl -fsL https://api.github.com/repos/dotnet/dotnet/releases | \
+      jq -r "$query" \
+  ) | (
+      read name
+      read tagName
+      read releaseUrl
+      read sigUrl
+
+      if [[ "$name" == ".NET ${release}" ]]; then
+          >&2 echo "release is already $name"
+          exit
+      fi
+
+      tmp="$(mktemp -d)"
+      trap 'rm -rf "$tmp"' EXIT
+
+      tarballUrl=https://github.com/dotnet/dotnet/archive/refs/tags/$tagName.tar.gz
+
+      mapfile -t prefetch < <(nix-prefetch-url --print-path "$tarballUrl")
+      tarballHash=$(nix-hash --to-sri --type sha256 "''${prefetch[0]}")
+      tarball=''${prefetch[1]}
+
+      cd "$tmp"
+      curl -L "$sigUrl" -o release.sig
+
+      export GNUPGHOME=$PWD/.gnupg
+      gpg --batch --import ${releaseKey}
+      gpg --batch --verify release.sig "$tarball"
+
+      tar --strip-components=1 --no-wildcards-match-slash --wildcards -xzf "$tarball" \*/eng/Versions.props
+      artifactsVersion=$(xq -r '.Project.PropertyGroup |
+          map(select(.PrivateSourceBuiltArtifactsVersion))
+          | .[] | .PrivateSourceBuiltArtifactsVersion' eng/Versions.props)
+
+      if [[ "$artifactsVersion" != "" ]]; then
+          artifactsUrl=https://dotnetcli.azureedge.net/source-built-artifacts/assets/Private.SourceBuilt.Artifacts.$artifactsVersion.centos.8-x64.tar.gz
+      else
+          artifactsUrl=$(xq -r '.Project.PropertyGroup |
+              map(select(.PrivateSourceBuiltArtifactsUrl))
+              | .[] | .PrivateSourceBuiltArtifactsUrl' eng/Versions.props)
+      fi
+
+      artifactsHash=$(nix-hash --to-sri --type sha256 "$(nix-prefetch-url "$artifactsUrl")")
+
+      jq --null-input \
+          --arg _0 "$tarballHash" \
+          --arg _1 "$artifactsUrl" \
+          --arg _2 "$artifactsHash" \
+          '{
+              "tarballHash": $_0,
+              "artifactsUrl": $_1,
+              "artifactsHash": $_2,
+          }' > "${toString releaseInfoFile}"
+
+      curl -fsL "$releaseUrl" -o ${toString releaseManifestFile}
+  )
+''
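Review bot: The GPG check covers only the source tarball; `release.json` is then fetched with `curl -fsL "$releaseUrl"` straight into `releaseManifestFile`, with only TLS vouching for it. That download also happens after `releaseInfoFile` has already been rewritten, so a failed fetch leaves the two tracked files describing different releases. Downloading the manifest into `$tmp` first and writing both files only once every step has succeeded would keep them consistent, and if upstream publishes a signature or checksum for the manifest this is the place to verify it. The four `read` calls would also be safer as `read -r`, and a `"null"` result from `first` (no matching release) is currently not rejected before it is used to build `tarballUrl`.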
diff --git a/pkgs/development/compilers/dotnet/update.sh b/pkgs/development/compilers/dotnet/update.sh
index 6dbf3c1943b3..f9f198b05e2f 100755
--- a/pkgs/development/compilers/dotnet/update.sh
+++ b/pkgs/development/compilers/dotnet/update.sh
@@ -8,7 +8,7 @@ release () {
   local content="$1"
   local version="$2"
 
-  jq -r '.releases[] | select(."release-version" == "'"$version"'")' <<< "$content"
+  jq -r '.releases[] | select(.sdks[] | ."version" == "'"$version"'")' <<< "$content"
 }
 
 release_files () {
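Review bot: The changed filter still splices `$version` into the jq program text (`"'"$version"'"`), so a version string containing a quote alters the filter instead of being compared as data; the value can come from the command line or from the downloaded `releases.json`. Passing it as a variable avoids that: `jq -r --arg v "$version" '.releases[] | select(.sdks[] | .version == $v)' <<< "$content"`. The new `sdk_files` function in the next hunk builds its filter the same way and would take the same change. `release ()` begins above this hunk.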
@@ -18,6 +18,14 @@ release_files () {
   jq -r '[."'"$type"'".files[] | select(.name | test("^.*.tar.gz$"))]' <<< "$release"
 }
 
+sdk_files () {
+  local release="$1"
+  local version="$2"
+
+  jq -r '[.sdks[] | select(.version == "'"$version"'") | .files[] | select(.name | test("^.*.tar.gz$"))]' <<< "$release"
+}
+
+
 release_platform_attr () {
   local release_files="$1"
   local platform="$2"
@@ -321,13 +329,13 @@ Examples:
     # Then get the json file and parse it to find the latest patch release.
     major_minor=$(sed 's/^\([0-9]*\.[0-9]*\).*$/\1/' <<< "$sem_version")
     content=$(curl -sL https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/"$major_minor"/releases.json)
-    major_minor_patch=$([ "$patch_specified" == true ] && echo "$sem_version" || jq -r '."latest-release"' <<< "$content")
+    major_minor_patch=$([ "$patch_specified" == true ] && echo "$sem_version" || jq -r '."latest-sdk"' <<< "$content")
     major_minor_underscore=${major_minor/./_}
 
-    release_content=$(release "$content" "$major_minor_patch")
+    sdk_version=$major_minor_patch
+    release_content=$(release "$content" "$sdk_version")
     aspnetcore_version=$(jq -r '."aspnetcore-runtime".version' <<< "$release_content")
     runtime_version=$(jq -r '.runtime.version' <<< "$release_content")
-    sdk_version=$(jq -r '.sdk.version' <<< "$release_content")
 
     # If patch was not specified, check if the package is already the latest version
     # If it is, exit early
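Review bot: After this change `major_minor_patch` is taken from `."latest-sdk"` and copied into `sdk_version`, so it now holds an SDK version rather than the runtime release its name suggests. Code below the hunk that still reads `major_minor_patch` (not visible here) should be checked against that, and a comment such as `# major_minor_patch is an SDK version from here on`, or a rename, would make it explicit. When a patch is specified, the user-supplied `$sem_version` is likewise matched against SDK versions, which the usage text above the hunk may need to mention.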
@@ -346,7 +354,7 @@ Examples:
 
     aspnetcore_files="$(release_files "$release_content" "aspnetcore-runtime")"
     runtime_files="$(release_files "$release_content" "runtime")"
-    sdk_files="$(release_files "$release_content" "sdk")"
+    sdk_files="$(sdk_files "$release_content" "$sdk_version")"
 
     channel_version=$(jq -r '."channel-version"' <<< "$content")
     support_phase=$(jq -r '."support-phase"' <<< "$content")
diff --git a/pkgs/development/compilers/dotnet/versions/8.0.102.nix b/pkgs/development/compilers/dotnet/versions/8.0.102.nix
new file mode 100644
index 000000000000..2cbba9f84f37
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/versions/8.0.102.nix
@@ -0,0 +1,179 @@
+{ buildAspNetCore, buildNetRuntime, buildNetSdk }:
+
+# v8.0 (active)
+{
+  aspnetcore_8_0 = buildAspNetCore {
+    version = "8.0.2";
+    srcs = {
+      x86_64-linux = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/d6d79cc3-df2f-4680-96ff-a7198f461139/df025000eaf5beb85d9137274a8c53ea/aspnetcore-runtime-8.0.2-linux-x64.tar.gz";
+        sha512  = "c8d4f9ad45cc97570ac607c0d14064da6c1215ef864afd73688ec7470af774f80504a937cbb5aadbb0083250122aae361770d2bca68f30ac7b62b4717bee6fca";
+      };
+      aarch64-linux = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/bdfd0216-539e-4dfd-81ea-1b7a77dda929/59a62884bdb8684ef0e4f434eaea0ca3/aspnetcore-runtime-8.0.2-linux-arm64.tar.gz";
+        sha512  = "9e5733a0d40705df17a1c96025783fd2544ad344ac98525f9d11947ea6ef632a23b0d2bf536314e4aeda8ae9c0f65b8f8feee184e1a1aabfda30059f59b1b9a6";
+      };
+      x86_64-darwin = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/a44da2c3-cb74-4ffe-af5a-34286598a885/263f113228e88df3f654510c9092f68b/aspnetcore-runtime-8.0.2-osx-x64.tar.gz";
+        sha512  = "a7edf091509305d27275d5d7911c3c61a2546e0d3b5b0fe9fcb9e704daf3c550ea0a5ae659272a29b5e218d02f28b7d331ab0905e9459711624692f1589d7285";
+      };
+      aarch64-darwin = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/a5692569-6092-4db1-9d5c-4862265a7b5b/7173de926da466e21ab9c7666a31dee3/aspnetcore-runtime-8.0.2-osx-arm64.tar.gz";
+        sha512  = "9e79556cf58f9d0b0f302a50ef9724122a9b18daba70e715b7334f9ed97a4983be0386e4132f5273d120f00d18f8af8a8ad7ea1ef0a82c610e268a33e76a30e4";
+      };
+    };
+  };
+
+  runtime_8_0 = buildNetRuntime {
+    version = "8.0.2";
+    srcs = {
+      x86_64-linux = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/307e4bf7-53c1-4b03-a2e5-379151ab3a04/140e7502609d45dfd83e4750b4bb5178/dotnet-runtime-8.0.2-linux-x64.tar.gz";
+        sha512  = "f30f72f55b9e97e36107f920e932477183867726a963ea0d4d151f291981877ba253a7175614c60b386b6a37f9192d97d7402dafdad2529369f512698cb9d1dd";
+      };
+      aarch64-linux = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/9de452db-acbe-48eb-b3f0-305a4e48e32a/515bbe7e3e1deef5ab9a4b8123b901ca/dotnet-runtime-8.0.2-linux-arm64.tar.gz";
+        sha512  = "12c5f49b7bd63d73cae57949e1520eaebc47732f559f68199ecd3bcca597f2da702352313a20aa100c667ede1d701dc6822f7a4eee9063d1c73d1f451ed832ac";
+      };
+      x86_64-darwin = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/414af43f-fdc6-4e8e-bbff-8b544a6627a8/0719a2eafa1d0d5f73ee0a7aae4ce670/dotnet-runtime-8.0.2-osx-x64.tar.gz";
+        sha512  = "e8945057f5fdf55994675caeff07ff53ba96324edbfe148ea60f58c883548be59cd1d891552b55ed5a594c1cfa549bd783ce9e25b5467ae48ab3f97590f36003";
+      };
+      aarch64-darwin = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/c7b73f69-39ca-4d2a-bd02-a72abb3a4fc5/6d68aa25f4576b70fff4925fb4e69c4b/dotnet-runtime-8.0.2-osx-arm64.tar.gz";
+        sha512  = "c410f56283f0d51484d26755349a7b62364e2c54650c87dcee6fea0a370fa84b14b4ebc8c5e121e2b3ea4f0ac2880ebe40a43bcb02aa30ce360fd0dbc12fbfbb";
+      };
+    };
+  };
+
+  sdk_8_0 = buildNetSdk {
+    version = "8.0.102";
+    srcs = {
+      x86_64-linux = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/672cfd95-c7fe-42e3-8b68-30c74f7af88e/ecdaa65fe42b6572ed37d407c26de8a2/dotnet-sdk-8.0.102-linux-x64.tar.gz";
+        sha512  = "f5928f5b947441065f2f34b25ae8de1fbf7dbae2c0ba918bfb4224d2d08849c79cbdc1825c0d42a5822f12757f78efa58e295a8ee0f0e6fce39cc7c6ed977b8f";
+      };
+      aarch64-linux = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/23568042-614a-41d3-a6b9-51e178e42977/cb1e1f4f5fb5d46080a60cd14d631660/dotnet-sdk-8.0.102-linux-arm64.tar.gz";
+        sha512  = "5e0b5762ab2f038de50859a2e18a3964ea6b754faa01d72f9824100546a271148908e84d666bb63d25e5d9a92038bc8a2f944d0342bbf8834cb5d5e936878c76";
+      };
+      x86_64-darwin = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/e60574bc-0bb6-45c6-ad3f-5c5fa29c75b7/1d903893164d767b98e9998153ed4c88/dotnet-sdk-8.0.102-osx-x64.tar.gz";
+        sha512  = "963432c5c7d7d0b204a92248c61d1be227369c6bc1d47f977c913c416c61584451fd05d0e95a6fbe51f0e1958e1c1a71f2530f478dd036ed2b0e123944b3ce00";
+      };
+      aarch64-darwin = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/e89e4d12-89c6-419c-a2be-9b2ec96b209f/0f393a6b611b26d7e4599694dff857e2/dotnet-sdk-8.0.102-osx-arm64.tar.gz";
+        sha512  = "69d702b561ae7ddf4c47fe228c16472fd8d7065de1a4a206fc07c6906db49e7da25b21c06f0ef080f41658aeddc0f3c0a23ce1de7e65b830c308bfe13cf95fe8";
+      };
+    };
+    packages = { fetchNuGet }: [
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-arm"; version = "8.0.2"; sha256 = "06s21b9k4niwb2qlrz4faccfmqyxfv08vzd85izla3zjxmqv3jxb"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-arm64"; version = "8.0.2"; sha256 = "1bxsrlsyvia4v3fswxl9pnf9107zwf1n1hlwffyxs0kd5iq7jabr"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-musl-arm64"; version = "8.0.2"; sha256 = "14yysn896flzsisnc3bhfc98slj2xg3f5jr39m62w2p54km0jcrj"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-musl-x64"; version = "8.0.2"; sha256 = "1486lnpn9al764f4q9p2xry38qrk1127m62j5n8ikcx8iazrbkqm"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-x64"; version = "8.0.2"; sha256 = "0fh2lvjrl41r1r4q3v9mylr16arb190x4xs0m5nsg6qak93y6pip"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.osx-x64"; version = "8.0.2"; sha256 = "0ihhhsypb0f8lffl5lbm4nw0l9cwcv6dgylxbgvs10yfpvpix8av"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.win-arm64"; version = "8.0.2"; sha256 = "1pfwb7j3gg62z10k799w2hr8yqmiv9gjvqzw6g72navzk322901s"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.win-x64"; version = "8.0.2"; sha256 = "0anifybcb7yipazd0qsiz6g1kj7liw6qz3lmqhkw3ipbr0zip0vv"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.win-x86"; version = "8.0.2"; sha256 = "0ag84bb4p9w41njyf7yh5h2wgz49qgx1xzhb6q4ls0m03mknp2g6"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Ref"; version = "8.0.2"; sha256 = "1iv12b2pdngn9pzd9cx0n7v3q6dsw8c38vx1ypd6fb27qqwrdrr6"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-musl-arm"; version = "8.0.2"; sha256 = "1a0zy0sfd4k7pwwk7fkgyd4vph91nfbxhjzvha96ravdh8isxngx"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.osx-arm64"; version = "8.0.2"; sha256 = "0xfwnqbbzg1xb6zxlms5v1dj3jh46lh6vzfjbqxj55fj87qr73yi"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-arm"; version = "8.0.2"; sha256 = "1217mw4mw978f2d84h0vf0bbzl55kp8z1n4620rphqh6l4r1gr52"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-arm64"; version = "8.0.2"; sha256 = "1pi4s9sn64cyvarba1vgb17k92ank7q95xmn7dz9zb1z9n6v19hm"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-musl-arm64"; version = "8.0.2"; sha256 = "13ckd4w7ysa5ay5wmklsnws7hhzw6nnlblhcda7r11m0fjfly6lr"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-musl-x64"; version = "8.0.2"; sha256 = "0vy2r79sgr6p665943rb44d1m5xv8m6h96rqlr03g6ipk1gzz6xw"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-x64"; version = "8.0.2"; sha256 = "1kbdpqfq64h3dy2mj90sfi2pjks77fmp74fqkvps35fh3lacb3dq"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.osx-x64"; version = "8.0.2"; sha256 = "1xlnlp4ckqn0myl5pzsqhmpall1pnbmqhb62rr7m61dy83xhvm6l"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.win-arm64"; version = "8.0.2"; sha256 = "131kgy0787a38zmb3y002yr1lrnkfc4mk2xmh8jx5pqkl7bp5p67"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.win-x64"; version = "8.0.2"; sha256 = "1p7152v1wyhrxh1mqq29bm06xcfilzngr89cl8kxv5lcars3yc00"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.win-x86"; version = "8.0.2"; sha256 = "0yyix9cypm53b0q6zfw5bqbm18x2s54ns7a1w7apxfzs8cckjfp7"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-arm"; version = "8.0.2"; sha256 = "0j31y9qwcm76zsxbid52zn4350sbq489pa7znmkzdrxgbcn19dmq"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-arm64"; version = "8.0.2"; sha256 = "1g2n69s8sa9ik9jhkc6xcdjcvghwr5m9glbxr1f22dbj6nw433c4"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-musl-arm64"; version = "8.0.2"; sha256 = "0h148hmzrplhw2cx9yd2jmrw6ilpc9ys98w6jcaphzb7n184y374"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-musl-x64"; version = "8.0.2"; sha256 = "1xcfs5yxsxis9hx1dkp5bkhgl0n95ja2ibwwnxmg2agc8134y935"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-x64"; version = "8.0.2"; sha256 = "0zvivfiz8lja1k6vcmwswh4lz6ch8x0nlap3x35psfw3p7j51163"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.osx-x64"; version = "8.0.2"; sha256 = "0x3fsfkv2gcilhsj31pjgg2vfibq2xvqhprw3hpm4gig4c2qi4fg"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.win-arm64"; version = "8.0.2"; sha256 = "1w6bads6vyiikbfds95zpw91qmb87a20my67c5pri3q6qqwcny6d"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.win-x64"; version = "8.0.2"; sha256 = "1cfd2bq41y3m86528hxlh3cj975rvhj8gigalfxaw5jsv8hw6cdm"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.win-x86"; version = "8.0.2"; sha256 = "0s92zdr0midkjk5xip0l3s8md7gcfh4dz81pqz2p7wwhcm29k1hq"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "0c99m8sh056wkk7h3f9bj8l67dxwzwnmz0ix398ff1w1pdpiabcm"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "13l2xa4fxnm6i6kpjwr173hyd61s2ks7sjzp2ah3l1n71wds3vag"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "16qhn61di7gz5a68sc2rg5y2y4293rsbks4rvplyjr68scnba4hb"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "0mz7h7silzjgf6p4f0qk8izvjf0dlppvxjf44f381kkamm6viiqd"; })
+      (fetchNuGet { pname = "runtime.linux-arm64.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "0bvivl9ffgpsq4rbv8n8ivw9jr8yykbsp8r77n23xjm5vz8fcaks"; })
+      (fetchNuGet { pname = "runtime.linux-arm64.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "1k6vv7mpa81pjx1v8wd8d7ns3wr3ydql1ihx59s6cfg8fx18j5w9"; })
+      (fetchNuGet { pname = "runtime.linux-arm64.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "05480dq2mzzfvk9whlz16lq0rs2kzy55d905cl832df6j36yzy9w"; })
+      (fetchNuGet { pname = "runtime.linux-arm64.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "1gm5yrbyh6h09lsr7izbg7izqiq3nwf7cx4y12hwk63544hprh2j"; })
+      (fetchNuGet { pname = "runtime.linux-arm.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "0wqdx4h3isn1la8wbm8mvip0ai3fspvr8q2g2hx04lylpilcwnfy"; })
+      (fetchNuGet { pname = "runtime.linux-arm.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "16l4dzmqsjnppl8ra3dz3062na1324zqpibcb9kk6aliayzkwjmp"; })
+      (fetchNuGet { pname = "runtime.linux-arm.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "0qzqbpwa79qizj7yzmmk2kr1ibwdg0m104rp2ava2qp8c9mxx1lq"; })
+      (fetchNuGet { pname = "runtime.linux-arm.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "10k85lqnczpdnzw43ylkma0iv1wxzqv9x4pfr31zwfb5z5p3m7ja"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm64.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "0yd9vf8z1p264411p4y2aka4dnzhjvi7zhxc9dy6yfjwndlqfz03"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm64.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "1vhi86iwln4pv2k0v6xfx5rp2vk5l6l4p399rj63wmm928n3v2la"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm64.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "0i7l7zw99nfq1s43d4cyhs9p5bx719x0q1fmlkp8am4mwga554kf"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm64.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "1ny0hjyip2n9mv0iiv2rpikb3apk4cjhvcdi17xn6vf3m79xxbwi"; })
+      (fetchNuGet { pname = "runtime.linux-musl-x64.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "0cllix46qh7lxihkaaxhb3islwn8vqn5lkr4c8c3bynvyblskjvw"; })
+      (fetchNuGet { pname = "runtime.linux-musl-x64.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "1f20gw4sq0s8idysdbpgrdh5l8ik3lry0i3nq60km9z9n183svxd"; })
+      (fetchNuGet { pname = "runtime.linux-musl-x64.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "0c31vfab355bi27wlz18azpyir9y89nn8dcg43j074whc469q0vx"; })
+      (fetchNuGet { pname = "runtime.linux-musl-x64.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "1xmy68m6vslqbl4njllgqscdslqj7xgkgjzpx4pq344mxh6r9agc"; })
+      (fetchNuGet { pname = "runtime.linux-x64.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "0s93dmisai8wgjid697rgdx3lw2a0s0krr1gcnaav8jz9dg9i8lc"; })
+      (fetchNuGet { pname = "runtime.linux-x64.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "0ikwfn1q8jkvzyx77b8ycm7k7004j2w8zgjzkf8kgyw55gy8xfjm"; })
+      (fetchNuGet { pname = "runtime.linux-x64.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "0gcwjjaw1lajqmwaji0x03w24721dczgnqrzqjw5ayjh8ib3dir2"; })
+      (fetchNuGet { pname = "runtime.linux-x64.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "1i6wijgpksz81hg01c2pwi06k413x6vni4x8v3y38jyazg7qkfp0"; })
+      (fetchNuGet { pname = "runtime.osx-x64.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "0hsby9ssa974cqkcc29xrjrrqmxyhfkkssmmhrrimh46n7sxzqab"; })
+      (fetchNuGet { pname = "runtime.osx-x64.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "0vwlfcpvbjhw0qmqnscnin75a5lb5llhzjizcp3nh5mjnkdghd8q"; })
+      (fetchNuGet { pname = "runtime.osx-x64.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "00kv6ijg6yway8km36yj7jq9y1p87iw8b8ysga66qv05y4fvjch1"; })
+      (fetchNuGet { pname = "runtime.osx-x64.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "05dz9mxc94y59y6ja05zamdp63qfdss831816y28kjjw4v4crz1q"; })
+      (fetchNuGet { pname = "runtime.win-arm64.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "0qbm5zgvcwmmqlcj4jaixbw4a1zzyrf8ap81nlqjfdxp03bv9zqa"; })
+      (fetchNuGet { pname = "runtime.win-arm64.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "1jsnxh1hgy7jrjhbz4kf6gq2x3smfx071cb2w1fa3a740h3i0f4m"; })
+      (fetchNuGet { pname = "runtime.win-arm64.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "1738mc91wy3yn2bf4srs2wxksd864hm565nmll396q6gw97a4df4"; })
+      (fetchNuGet { pname = "runtime.win-arm64.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "152jc4v2zxcax55vmd9xrsxq76q4cqpjlgrd1mfszipnngrlrc71"; })
+      (fetchNuGet { pname = "runtime.win-x64.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "1z9fa5ryi23sn163j7jry45f64rxqkgv7v91r04b9cpb4hc1qgym"; })
+      (fetchNuGet { pname = "runtime.win-x64.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "14qz0ypylcwldyjn1ins8syjzbqpmfsy4nfkzri12mfn0626qmn2"; })
+      (fetchNuGet { pname = "runtime.win-x64.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "136ss58j9wpxp6sj81mijlk32l2f6h81rvaq4l7x0s8wb9fzzbb5"; })
+      (fetchNuGet { pname = "runtime.win-x64.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "02562zc9nrkfwikzff7km6mixxb1qf632r60jpzykizgx6w0nrck"; })
+      (fetchNuGet { pname = "runtime.win-x86.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "1sylbjvrr1jnlgd1215czr3xql2gdqy5h5sz7rnfq31hb1j5nc20"; })
+      (fetchNuGet { pname = "runtime.win-x86.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "0ia1igli2r5gnli0r0yzqm012l56zrjf1jk42viahlil2ic3i144"; })
+      (fetchNuGet { pname = "runtime.win-x86.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "0h1kydv3dxnd9s32fd68x44jhc2pm79gv44mb7jf4227lr1dcxss"; })
+      (fetchNuGet { pname = "runtime.win-x86.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "1njywfwlq2785yk4b0114nzdb33zsgsmqj5fhpr6ii1crym649hl"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-musl-arm"; version = "8.0.2"; sha256 = "16lp15z1msadrhiqlwwp0ni9k0slp3am05gqs5bagzwk35mcn27q"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.osx-arm64"; version = "8.0.2"; sha256 = "1v8nngksh0cp51g221bizz52jjpc4rzm1avcy5psl81ywmkwmj93"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-musl-arm"; version = "8.0.2"; sha256 = "142s1ricyk351nqg298w5qlzd4scz8pc66x5mw9qh75vcyxsr83f"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.osx-arm64"; version = "8.0.2"; sha256 = "116rkq5ri5dbhp5g7zyc71ml2v92vb5bw5f3nx96llb1pqk74grh"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Ref"; version = "8.0.2"; sha256 = "1c2n7cfc7b6sjgk84hxppv57sh1n4dy49cmdd16ki1l6yl2f3j9d"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.Mono.linux-arm"; version = "8.0.2"; sha256 = "0c6v2mdfshy5966fl2pfkfhgfs8y1sd0r47lfx7d4igy933dqfga"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.Mono.linux-arm64"; version = "8.0.2"; sha256 = "1g8asdz9f3i0mjyh1mkxzfc6x8x77z0d88fa6irpyhh0w45qfccw"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64"; version = "8.0.2"; sha256 = "14djb55i8nwsr3170b82lr89dqxjghnkkghxxy2sl4d2bxw0bsfa"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.Mono.linux-x64"; version = "8.0.2"; sha256 = "0h0cc31c1izakpx554kivjqw3s5030a9zy3q4a2apwyj16znv2cw"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.Mono.osx-arm64"; version = "8.0.2"; sha256 = "18599d4y8n4y0w489pg7zm4nd4a23iz4zwx317pr5z57b4wrk61k"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.Mono.osx-x64"; version = "8.0.2"; sha256 = "04wvf035rr5kw6bj46ici8353lx5k95slydpm42kv1fcy3slqb4p"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.Mono.win-x64"; version = "8.0.2"; sha256 = "1adxkh9y3y9cxisrn52c75dmzgfkbnz9aqs2p97ln9qdxxvhzhc2"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.Mono.win-x86"; version = "8.0.2"; sha256 = "0721kp5l7k25ivi2sdxx12kjpddas5l6y5qjmfw8pjcyximhqn0b"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "1kkjmyhrnghihhfvm3qjrkrjbml2nqv8vyslj0g79pjanaqv3prs"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "1j5qhbgy9d1d89xcgdyjcnww0ziad846nd6x5l8fa109z8wvsnki"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "12n0m0rbxp05ggrkxa9yr6kn46pnn3pc4c22p6kkv5ijyg8nhd74"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "1mhwggjfpwssyzxl2mj3j9017xc8qwnw4xlm2rn96yfgsd1pxfpv"; })
+      (fetchNuGet { pname = "runtime.osx-arm64.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "1nvis5p0gvymv6sdrmgpgg94sr2w3maskm0c3d8p861wfiwwh0hv"; })
+      (fetchNuGet { pname = "runtime.osx-arm64.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "1vjrnga6inham84hggkx1kkpx4yn7v7z1xnwxas9lisxd0ych7k1"; })
+      (fetchNuGet { pname = "runtime.osx-arm64.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "0rrblgydpz3yf5gj9kpjc8b17x739nzr1956pwwyarhvh9y0vqrd"; })
+      (fetchNuGet { pname = "runtime.osx-arm64.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "0xpsaxi54g0xac80gy5nv7qk5b513ak1s397b36vwg7mivwc4yhh"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Crossgen2.linux-musl-arm"; version = "8.0.2"; sha256 = "1nm6ibys303xlawqibqygpg1gqc8wm1nxb6pl6vgwmp5w4q02r5h"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Crossgen2.linux-musl-arm64"; version = "8.0.2"; sha256 = "0h6wwlz3mqb8758laczcaq7a0wmnmjf797dh5xwyiq50j1ss1mhw"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Crossgen2.linux-musl-x64"; version = "8.0.2"; sha256 = "09id8hnx0s4x5qvmvifb6jhkfaxzj53yvhl84pvrr4wv4p6ns7cm"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Crossgen2.linux-arm"; version = "8.0.2"; sha256 = "0cg7b57fysgw809m77nb9dqr56g48ya6bjlh7x880ih5b76bnlak"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Crossgen2.linux-arm64"; version = "8.0.2"; sha256 = "1rqr95ix3khc7mbaji520l2vv8vjbrg8zzpv6h1i3p3rdbzjm3l2"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Crossgen2.linux-x64"; version = "8.0.2"; sha256 = "0kzvyghyj95p2qxidp1g8nx5d9qd7wlchpg1a5dqbpv9skljdn7m"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Crossgen2.osx-x64"; version = "8.0.2"; sha256 = "0hmk25bvlpn3sfx4vlvysj2myx4dd8fc2pv3gmhfgb2y01dnswjh"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Crossgen2.osx-arm64"; version = "8.0.2"; sha256 = "1z76l5mpvik3517lcl3qygsfsws4yp37j37sslb4sq7gls4aa0w2"; })
+      (fetchNuGet { pname = "runtime.linux-arm64.Microsoft.DotNet.ILCompiler"; version = "8.0.2"; sha256 = "1kjlc67bqz7d04ga42l7jm9d3jm773a9i77zc5w7cd591wa8vbbv"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm64.Microsoft.DotNet.ILCompiler"; version = "8.0.2"; sha256 = "0bx7jv4q8dapx6fb6dbk1im057qmk43isvzygp5ci6nd07p419qf"; })
+      (fetchNuGet { pname = "runtime.linux-musl-x64.Microsoft.DotNet.ILCompiler"; version = "8.0.2"; sha256 = "1nf6m85f10j5qcyk0w18qxd06n79w0jvnifis08shdsq1isz403z"; })
+      (fetchNuGet { pname = "runtime.linux-x64.Microsoft.DotNet.ILCompiler"; version = "8.0.2"; sha256 = "0pl0w114qrlb8bv6d4jw1gv29dz2cs86y3r0nj5z2fxd1r30khym"; })
+      (fetchNuGet { pname = "runtime.osx-x64.Microsoft.DotNet.ILCompiler"; version = "8.0.2"; sha256 = "05bs32vhcvpd1dbvmk1rgqm2swp4gn5yv4mwfsisa4q5qi2xlaza"; })
+      (fetchNuGet { pname = "runtime.win-arm64.Microsoft.DotNet.ILCompiler"; version = "8.0.2"; sha256 = "12q0adp0hakl9qrf4bqzkvfsy4az55im6sm1nv7g3k5q4vwkqh30"; })
+      (fetchNuGet { pname = "runtime.win-x64.Microsoft.DotNet.ILCompiler"; version = "8.0.2"; sha256 = "1k1iwpsranma2mrljfz9yr63pxbv5l9j4n0zmancbsxlhx31m30s"; })
+      (fetchNuGet { pname = "Microsoft.NET.ILLink.Tasks"; version = "8.0.2"; sha256 = "1fd7ws4qf0354np3lvd735p5r1mdj3zy6gbmv5fzz5cx2bdlplwy"; })
+    ];
+  };
+}
diff --git a/pkgs/development/compilers/dotnet/vmr.nix b/pkgs/development/compilers/dotnet/vmr.nix
new file mode 100644
index 000000000000..36b75c40e6c8
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/vmr.nix
@@ -0,0 +1,332 @@
+{ clangStdenv
+, stdenvNoCC
+, lib
+, fetchurl
+, fetchFromGitHub
+, dotnetCorePackages
+, jq
+, curl
+, git
+, cmake
+, pkg-config
+, llvm
+, zlib
+, icu
+, lttng-ust_2_12
+, libkrb5
+, glibcLocales
+, ensureNewerSourcesForZipFilesHook
+, darwin
+, xcbuild
+, swiftPackages
+, openssl
+, getconf
+, makeWrapper
+, python3
+, xmlstarlet
+, callPackage
+
+, dotnetSdk
+, releaseManifestFile
+, tarballHash
+}:
+
+let
+  stdenv = if clangStdenv.isDarwin
+    then swiftPackages.stdenv
+    else clangStdenv;
+
+  inherit (stdenv)
+    isLinux
+    isDarwin
+    buildPlatform
+    targetPlatform;
+  inherit (darwin) cctools;
+  inherit (swiftPackages) apple_sdk swift;
+
+  releaseManifest = lib.importJSON releaseManifestFile;
+  inherit (releaseManifest) release sourceRepository tag;
+
+  buildRid = dotnetCorePackages.systemToDotnetRid buildPlatform.system;
+  targetRid = dotnetCorePackages.systemToDotnetRid targetPlatform.system;
+  targetArch = lib.elemAt (lib.splitString "-" targetRid) 1;
+
+  sigtool = callPackage ./sigtool.nix {};
+
+  # we need dwarfdump from cctools, but can't have e.g. 'ar' overriding stdenv
+  dwarfdump = stdenvNoCC.mkDerivation {
+    name = "dwarfdump-wrapper";
+    dontUnpack = true;
+    installPhase = ''
+      mkdir -p "$out/bin"
+      ln -s "${cctools}/bin/dwarfdump" "$out/bin"
+    '';
+  };
+
+  _icu = if isDarwin then darwin.ICU else icu;
+
+in stdenv.mkDerivation rec {
+  pname = "dotnet-vmr";
+  version = release;
+
+  # TODO: fix this in the binary sdk packages
+  preHook = lib.optionalString stdenv.isDarwin ''
+    addToSearchPath DYLD_LIBRARY_PATH "${_icu}/lib"
+    export DYLD_LIBRARY_PATH
+  '';
+
+  src = fetchurl {
+    url = "${sourceRepository}/archive/refs/tags/${tag}.tar.gz";
+    hash = tarballHash;
+  };
+
+  nativeBuildInputs = [
+    ensureNewerSourcesForZipFilesHook
+    jq
+    curl.bin
+    git
+    cmake
+    pkg-config
+    python3
+    xmlstarlet
+  ]
+  ++ lib.optionals isDarwin [
+    getconf
+  ];
+
+  buildInputs = [
+    # this gets copied into the tree, but we still want the hooks to run
+    dotnetSdk
+    # the propagated build inputs in llvm.dev break swift compilation
+    llvm.out
+    zlib
+    _icu
+    openssl
+  ]
+  ++ lib.optionals isLinux [
+    libkrb5
+    lttng-ust_2_12
+  ]
+  ++ lib.optionals isDarwin (with apple_sdk.frameworks; [
+    xcbuild.xcrun
+    swift
+    (libkrb5.overrideAttrs (old: {
+      # the propagated build inputs break swift compilation
+      buildInputs = old.buildInputs ++ old.propagatedBuildInputs;
+      propagatedBuildInputs = [];
+    }))
+    dwarfdump
+    sigtool
+    Foundation
+    CoreFoundation
+    CryptoKit
+    System
+  ]);
+
+  # This is required to fix the error:
+  # > CSSM_ModuleLoad(): One or more parameters passed to a function were not valid.
+  # The error occurs during
+  # AppleCryptoNative_X509ImportCollection -> ReadX509 -> SecItemImport
+  # while importing trustedroots/codesignctl.pem. This happens during any dotnet
+  # restore operation.
+  # Enabling com.apple.system.opendirectoryd.membership causes swiftc to use
+  # /var/folders for its default cache path, so the swiftc -module-cache-path
+  # patch below is required.
+  sandboxProfile = ''
+    (allow file-read* (subpath "/private/var/db/mds/system"))
+    (allow mach-lookup (global-name "com.apple.SecurityServer")
+                       (global-name "com.apple.system.opendirectoryd.membership"))
+  '';
+
+  patches = [
+    ./fix-aspnetcore-portable-build.patch
+    ./fix-tmp-path.patch
+  ]
+  ++ lib.optionals isDarwin [
+    ./stop-passing-bare-sdk-arg-to-swiftc.patch
+  ];
+
+  postPatch = ''
+    # set the sdk version in global.json to match the bootstrap sdk
+    jq '(.tools.dotnet=$dotnet)' global.json --arg dotnet "$(${dotnetSdk}/bin/dotnet --version)" > global.json~
+    mv global.json{~,}
+
+    patchShebangs $(find -name \*.sh -type f -executable)
+
+    # I'm not sure why this is required, but these files seem to use the wrong
+    # property name.
+    # TODO: not needed in 9.0?
+    [[ ! -f src/xliff-tasks/eng/Versions.props ]] || \
+      sed -i 's:\bVersionBase\b:VersionPrefix:g' \
+        src/xliff-tasks/eng/Versions.props
+
+    # at least in 9.0 preview 1, this package depends on a specific beta build
+    # of System.CommandLine
+    xmlstarlet ed \
+      --inplace \
+      -s //Project -t elem -n PropertyGroup \
+      -s \$prev -t elem -n NoWarn -v '$(NoWarn);NU1603' \
+      src/nuget-client/src/NuGet.Core/NuGet.CommandLine.XPlat/NuGet.CommandLine.XPlat.csproj
+
+    # AD0001 crashes intermittently in source-build-reference-packages with
+    # CSC : error AD0001: Analyzer 'Microsoft.NetCore.CSharp.Analyzers.Runtime.CSharpDetectPreviewFeatureAnalyzer' threw an exception of type 'System.NullReferenceException' with message 'Object reference not set to an instance of an object.'.
+    # possibly related to https://github.com/dotnet/runtime/issues/90356
+    xmlstarlet ed \
+      --inplace \
+      -s //Project -t elem -n PropertyGroup \
+      -s \$prev -t elem -n NoWarn -v '$(NoWarn);AD0001' \
+      src/source-build-reference-packages/src/referencePackages/Directory.Build.props
+
+    # https://github.com/microsoft/ApplicationInsights-dotnet/issues/2848
+    xmlstarlet ed \
+      --inplace \
+      -u //_:Project/_:PropertyGroup/_:BuildNumber -v 0 \
+      src/source-build-externals/src/application-insights/.props/_GlobalStaticVersion.props
+
+    # this fixes compile errors with clang 15 (e.g. darwin)
+    substituteInPlace \
+      src/runtime/src/native/libs/CMakeLists.txt \
+      --replace-fail 'add_compile_options(-Weverything)' 'add_compile_options(-Wall)'
+  ''
+  + lib.optionalString isLinux ''
+    substituteInPlace \
+      src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.c \
+      --replace-fail '"libssl.so"' '"${openssl.out}/lib/libssl.so"'
+
+    substituteInPlace \
+      src/runtime/src/native/libs/System.Net.Security.Native/pal_gssapi.c \
+      --replace-fail '"libgssapi_krb5.so.2"' '"${libkrb5}/lib/libgssapi_krb5.so.2"'
+
+    substituteInPlace \
+      src/runtime/src/native/libs/System.Globalization.Native/pal_icushim.c \
+      --replace-fail '"libicui18n.so"' '"${icu}/lib/libicui18n.so"' \
+      --replace-fail '"libicuuc.so"' '"${icu}/lib/libicuuc.so"'
+
+    # TODO: we should really make sure the first one (9.0) or the rest (8.0)
+    # works, but --replace-fail results in an empty file
+    substituteInPlace \
+      src/runtime/src/native/libs/System.Globalization.Native/pal_icushim.c \
+      --replace-warn '#define VERSIONED_LIB_NAME_LEN 64' '#define VERSIONED_LIB_NAME_LEN 256' \
+      --replace-warn 'libicuucName[64]' 'libicuucName[256]' \
+      --replace-warn 'libicui18nName[64]' 'libicui18nName[256]'
+  ''
+  + lib.optionalString isDarwin ''
+    substituteInPlace \
+      src/runtime/src/mono/CMakeLists.txt \
+      src/runtime/src/native/libs/System.Globalization.Native/CMakeLists.txt \
+      --replace-fail '/usr/lib/libicucore.dylib' '${darwin.ICU}/lib/libicucore.dylib'
+
+    substituteInPlace \
+      src/runtime/src/installer/managed/Microsoft.NET.HostModel/HostModelUtils.cs \
+      src/sdk/src/Tasks/Microsoft.NET.Build.Tasks/targets/Microsoft.NET.Sdk.targets \
+      --replace-fail '/usr/bin/codesign' '${sigtool}/bin/codesign'
+
+    # [...]/build.proj(123,5): error : Did not find PDBs for the following SDK files:
+    # [...]/build.proj(123,5): error : sdk/8.0.102/System.Resources.Extensions.dll
+    # [...]/build.proj(123,5): error : sdk/8.0.102/System.CodeDom.dll
+    # [...]/build.proj(123,5): error : sdk/8.0.102/FSharp/System.Resources.Extensions.dll
+    # [...]/build.proj(123,5): error : sdk/8.0.102/FSharp/System.CodeDom.dll
+    substituteInPlace \
+      build.proj \
+      --replace-warn 'FailOnMissingPDBs="true"' 'FailOnMissingPDBs="false"'
+
+    # [...]/installer.singlerid.targets(434,5): error MSB3073: The command "pkgbuild [...]" exited with code 127
+    xmlstarlet ed \
+      --inplace \
+      -s //Project -t elem -n PropertyGroup \
+      -s \$prev -t elem -n InnerBuildArgs -v '$(InnerBuildArgs) /p:SkipInstallerBuild=true' \
+      src/runtime/eng/SourceBuild.props
+
+    # fixes swift errors, see sandboxProfile
+    # <unknown>:0: error: unable to open output file '/var/folders/[...]/C/clang/ModuleCache/[...]/SwiftShims-[...].pcm': 'Operation not permitted'
+    # <unknown>:0: error: could not build Objective-C module 'SwiftShims'
+    substituteInPlace \
+      src/runtime/src/native/libs/System.Security.Cryptography.Native.Apple/CMakeLists.txt \
+      --replace-fail 'xcrun swiftc' 'xcrun swiftc -module-cache-path "$ENV{HOME}/.cache/module-cache"'
+  '';
+
+  prepFlags = [
+    "--no-artifacts"
+    "--no-prebuilts"
+  ];
+
+  configurePhase = ''
+    runHook preConfigure
+
+    # The build process tries to overwrite some things in the sdk (e.g.
+    # SourceBuild.MSBuildSdkResolver.dll), so it needs to be mutable.
+    cp -Tr ${dotnetSdk} .dotnet
+    chmod -R +w .dotnet
+
+    ./prep.sh $prepFlags
+
+    runHook postConfigure
+  '';
+
+  dontUseCmakeConfigure = true;
+
+  # https://github.com/NixOS/nixpkgs/issues/38991
+  # bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
+  LOCALE_ARCHIVE = lib.optionalString isLinux
+    "${glibcLocales}/lib/locale/locale-archive";
+
+  buildFlags = [
+    "--with-packages" dotnetSdk.artifacts
+    "--clean-while-building"
+    "--release-manifest" releaseManifestFile
+    "--"
+    "-p:PortableBuild=true"
+  ] ++ lib.optional (targetRid != buildRid) "-p:TargetRid=${targetRid}";
+
+  buildPhase = ''
+    runHook preBuild
+
+    # on darwin, in a sandbox, this causes:
+    # CSSM_ModuleLoad(): One or more parameters passed to a function were not valid.
+    export DOTNET_GENERATE_ASPNET_CERTIFICATE=0
+
+    # CLR_CC/CXX need to be set to stop the build system from using clang-11,
+    # which is unwrapped
+    version= \
+    CLR_CC=$(command -v clang) \
+    CLR_CXX=$(command -v clang++) \
+      ./build.sh $buildFlags
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir "$out"
+
+    pushd "artifacts/${targetArch}/Release"
+    for archive in *.tar.gz; do
+      target=$out/''${archive%.tar.gz}
+      mkdir "$target"
+      tar -C "$target" -xzf "$PWD/$archive"
+    done
+    popd
+
+    runHook postInstall
+  '';
+
+  passthru = {
+    inherit releaseManifest buildRid targetRid;
+    icu = _icu;
+  };
+
+  meta = with lib; {
+    description = "Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI";
+    homepage = "https://dotnet.github.io/";
+    license = licenses.mit;
+    maintainers = with maintainers; [ corngood ];
+    mainProgram = "dotnet";
+    platforms = [
+      "x86_64-linux"
+      "aarch64-linux"
+      "x86_64-darwin"
+      "aarch64-darwin"
+    ];
+  };
+}
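Review bot: The last `substituteInPlace` in the Linux part of `postPatch` uses `--replace-warn` for all three buffer-size edits in `pal_icushim.c`, so the build still succeeds if none of them matches. The call just before it has already replaced the bare `libicuuc.so` and `libicui18n.so` names with absolute `${icu}/lib/...` store paths. The 64 to 256 change is presumably what lets those longer names fit, so a silent miss after an upstream refactor could leave the runtime truncating or overrunning the name buffers. The TODO explains why `--replace-fail` is not usable here; a follow-up check would keep the guarantee, e.g. `grep -qE 'VERSIONED_LIB_NAME_LEN 256|libicuucName\[256\]' src/runtime/src/native/libs/System.Globalization.Native/pal_icushim.c || exit 1`.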
diff --git a/pkgs/development/compilers/lobster/default.nix b/pkgs/development/compilers/lobster/default.nix
index e380cf735fb9..02748546d5aa 100644
--- a/pkgs/development/compilers/lobster/default.nix
+++ b/pkgs/development/compilers/lobster/default.nix
@@ -16,14 +16,14 @@
 , ForceFeedback
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "lobster";
   version = "2023.13";
 
   src = fetchFromGitHub {
     owner = "aardappel";
     repo = "lobster";
-    rev = "v${version}";
+    rev = "v${finalAttrs.version}";
     sha256 = "sha256-7lMIIJ3iduyxZKwK65tle3c+az2G2Mpi4JwAeCCsTxw=";
   };
 
@@ -62,4 +62,4 @@ stdenv.mkDerivation rec {
     maintainers = with maintainers; [ fgaz ];
     platforms = platforms.all;
   };
-}
+})
diff --git a/pkgs/development/compilers/qbe/001-dont-hardcode-tmp.patch b/pkgs/development/compilers/qbe/001-dont-hardcode-tmp.patch
new file mode 100644
index 000000000000..556dc5aab2a6
--- /dev/null
+++ b/pkgs/development/compilers/qbe/001-dont-hardcode-tmp.patch
@@ -0,0 +1,43 @@
+diff --git a/minic/mcc b/minic/mcc
+index 492947e..5258aac 100755
+--- a/minic/mcc
++++ b/minic/mcc
+@@ -31,9 +31,9 @@ then
+ fi
+ 
+ 
+-$DIR/minic < $file          > /tmp/minic.ssa &&
+-$QBE       < /tmp/minic.ssa > /tmp/minic.s   &&
+-cc /tmp/minic.s $flags
++$DIR/minic < $file          > ${TMPDIR:-/tmp}/minic.ssa &&
++$QBE       < ${TMPDIR:-/tmp}/minic.ssa > ${TMPDIR:-/tmp}/minic.s   &&
++cc ${TMPDIR:-/tmp}/minic.s $flags
+ 
+ if test $? -ne 0
+ then
+diff --git a/tools/cra.sh b/tools/cra.sh
+index 5988267..57a4b34 100755
+--- a/tools/cra.sh
++++ b/tools/cra.sh
+@@ -2,7 +2,7 @@
+ 
+ DIR=`cd $(dirname "$0"); pwd`
+ QBE=$DIR/../qbe
+-BUGF=/tmp/bug.id
++BUGF=${TMPDIR:-/tmp}/bug.id
+ FIND=$1
+ FIND=${FIND:-afl-find}
+ 
+diff --git a/tools/test.sh b/tools/test.sh
+index 23c6663..fb36222 100755
+--- a/tools/test.sh
++++ b/tools/test.sh
+@@ -4,7 +4,7 @@ dir=`dirname "$0"`
+ bin=$dir/../qbe
+ binref=$dir/../qbe.ref
+ 
+-tmp=/tmp/qbe.zzzz
++tmp=${TMPDIR:-/tmp}/qbe.zzzz
+ 
+ drv=$tmp.c
+ asm=$tmp.s
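Review bot: In `minic/mcc` the new `${TMPDIR:-/tmp}` expansions are unquoted in the redirections and in the `cc` argument, so a `TMPDIR` containing whitespace breaks the script. Quoting them, e.g. `cc "${TMPDIR:-/tmp}/minic.s" $flags`, avoids that; the plain assignments in `tools/cra.sh` and `tools/test.sh` are not word-split and are fine as written. The file names themselves stay fixed (`minic.ssa`, `bug.id`, `qbe.zzzz`), so when `TMPDIR` is unset the scripts still write to predictable paths in the shared `/tmp`, where concurrent runs overwrite each other and an existing file or symlink at that path is followed. A private directory from `mktemp -d` would close that, though it is a larger change than this patch intends and may belong upstream.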
diff --git a/pkgs/development/compilers/qbe/default.nix b/pkgs/development/compilers/qbe/default.nix
index d9694c9b4bce..aeb739bb84d0 100644
--- a/pkgs/development/compilers/qbe/default.nix
+++ b/pkgs/development/compilers/qbe/default.nix
@@ -16,6 +16,14 @@ stdenv.mkDerivation (finalAttrs: {
 
   doCheck = true;
 
+  enableParallelBuilding = true;
+
+  patches = [
+    # Use "${TMPDIR:-/tmp}" instead of the latter directly
+    # see <https://lists.sr.ht/~mpu/qbe/patches/49613>
+    ./001-dont-hardcode-tmp.patch
+  ];
+
   passthru = {
     tests.can-run-hello-world = callPackage ./test-can-run-hello-world.nix { };
   };
diff --git a/pkgs/development/interpreters/duktape/default.nix b/pkgs/development/interpreters/duktape/default.nix
index c296d013e3d1..8477aef9ca43 100644
--- a/pkgs/development/interpreters/duktape/default.nix
+++ b/pkgs/development/interpreters/duktape/default.nix
@@ -1,10 +1,10 @@
 { lib, stdenv, fetchurl, validatePkgConfig }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "duktape";
   version = "2.7.0";
   src = fetchurl {
-    url = "http://duktape.org/duktape-${version}.tar.xz";
+    url = "http://duktape.org/duktape-${finalAttrs.version}.tar.xz";
     sha256 = "sha256-kPjS+otVZ8aJmDDd7ywD88J5YLEayiIvoXqnrGE8KJA=";
   };
 
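Review bot: The rewritten `url` line still fetches the tarball over plain `http://`. The fixed `sha256` keeps a tampered download from being accepted at build time, but whoever next bumps the version derives the new hash from an unauthenticated transfer. Assuming duktape.org serves the same path over TLS, `url = "https://duktape.org/duktape-${finalAttrs.version}.tar.xz";` is a one-line change.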
@@ -38,4 +38,4 @@ stdenv.mkDerivation rec {
     mainProgram = "duk";
     platforms = platforms.all;
   };
-}
+})
diff --git a/pkgs/development/interpreters/jimtcl/default.nix b/pkgs/development/interpreters/jimtcl/default.nix
index e478ff945472..c5ea2f3ec026 100644
--- a/pkgs/development/interpreters/jimtcl/default.nix
+++ b/pkgs/development/interpreters/jimtcl/default.nix
@@ -16,14 +16,14 @@
 , SDLSupport ? true
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "jimtcl";
   version = "0.82";
 
   src = fetchFromGitHub {
     owner = "msteveb";
     repo = "jimtcl";
-    rev = version;
+    rev = finalAttrs.version;
     sha256 = "sha256-CDjjrxpoTbLESAbCiCjQ8+E/oJP87gDv9SedQOzH3QY=";
   };
 
@@ -77,4 +77,4 @@ stdenv.mkDerivation rec {
     platforms = lib.platforms.all;
     maintainers = with lib.maintainers; [ dbohdan fgaz vrthra ];
   };
-}
+})
diff --git a/pkgs/development/libraries/armadillo/default.nix b/pkgs/development/libraries/armadillo/default.nix
index 412052c2e3df..e0c9f5b035e3 100644
--- a/pkgs/development/libraries/armadillo/default.nix
+++ b/pkgs/development/libraries/armadillo/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "armadillo";
-  version = "12.8.0";
+  version = "12.8.1";
 
   src = fetchurl {
     url = "mirror://sourceforge/arma/armadillo-${version}.tar.xz";
-    hash = "sha256-qJu2/s5c6f3R0BpLwUXPfMC5OcV3fMpG3mnC9eNBLPA=";
+    hash = "sha256-J4HdOmzF+aSckaRRnd4rHCQzWlv+DMHJiBtjYxQkUrQ=";
   };
 
   nativeBuildInputs = [ cmake ];
diff --git a/pkgs/development/libraries/audiality2/default.nix b/pkgs/development/libraries/audiality2/default.nix
index e0ab0accdfde..11625bc64f79 100644
--- a/pkgs/development/libraries/audiality2/default.nix
+++ b/pkgs/development/libraries/audiality2/default.nix
@@ -7,14 +7,14 @@
 , jack2
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "audiality2";
   version = "1.9.4";
 
   src = fetchFromGitHub {
     owner = "olofson";
     repo = "audiality2";
-    rev = "v${version}";
+    rev = "v${finalAttrs.version}";
     sha256 = "0ipqna7a9mxqm0fl9ggwhbc7i9yxz3jfyi0w3dymjp40v7jw1n20";
   };
 
@@ -35,5 +35,4 @@ stdenv.mkDerivation rec {
     platforms = platforms.all;
     maintainers = with maintainers; [ fgaz ];
   };
-}
-
+})
diff --git a/pkgs/development/libraries/impy/default.nix b/pkgs/development/libraries/impy/default.nix
index 6d148dd14639..8682e95a5758 100644
--- a/pkgs/development/libraries/impy/default.nix
+++ b/pkgs/development/libraries/impy/default.nix
@@ -9,14 +9,14 @@
 , libjpeg
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "impy";
   version = "0.2";
 
   src = fetchFromGitHub {
     owner = "bcampbell";
     repo = "impy";
-    rev = "v${version}";
+    rev = "v${finalAttrs.version}";
     sha256 = "sha256-0bHm3jawYgcIeF2COALWlypX7kvPw1hifB/W+TKcC4M=";
   };
 
@@ -40,5 +40,4 @@ stdenv.mkDerivation rec {
     maintainers = with maintainers; [ fgaz ];
     platforms = platforms.all;
   };
-}
-
+})
diff --git a/pkgs/development/libraries/libbap/default.nix b/pkgs/development/libraries/libbap/default.nix
index ebbf02603cbb..3ed92edd78e1 100644
--- a/pkgs/development/libraries/libbap/default.nix
+++ b/pkgs/development/libraries/libbap/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, bap, ocaml, findlib, ctypes, autoreconfHook,
+{ lib, stdenv, fetchFromGitHub, bap, ocaml, findlib, ctypes, ctypes-foreign, autoreconfHook,
   which }:
 
 stdenv.mkDerivation {
@@ -13,7 +13,7 @@ stdenv.mkDerivation {
   };
 
   nativeBuildInputs = [ autoreconfHook which ocaml findlib ];
-  buildInputs = [ bap ctypes ];
+  buildInputs = [ bap ctypes ctypes-foreign ];
 
   preInstall = ''
     mkdir -p $out/lib
diff --git a/pkgs/development/libraries/libmediainfo/default.nix b/pkgs/development/libraries/libmediainfo/default.nix
index 94acb13205b5..ee81e63ba5e4 100644
--- a/pkgs/development/libraries/libmediainfo/default.nix
+++ b/pkgs/development/libraries/libmediainfo/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "libmediainfo";
-  version = "23.11";
+  version = "24.01";
 
   src = fetchurl {
     url = "https://mediaarea.net/download/source/libmediainfo/${version}/libmediainfo_${version}.tar.xz";
-    hash = "sha256-GX5U/MeePA1d9EqPWNxOAYvC+F0T+jvtVK89xW1ehT0=";
+    hash = "sha256-oC38Zon0hc7Ab6EqNBTDw6ooU7Td4YrqtLVKVsgxYlk=";
   };
 
   nativeBuildInputs = [ autoreconfHook pkg-config ];
diff --git a/pkgs/development/libraries/litehtml/default.nix b/pkgs/development/libraries/litehtml/default.nix
index 3927f7cce4a5..b1864f6497a9 100644
--- a/pkgs/development/libraries/litehtml/default.nix
+++ b/pkgs/development/libraries/litehtml/default.nix
@@ -5,14 +5,14 @@
 , gumbo
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "litehtml";
   version = "0.6";
 
   src = fetchFromGitHub {
     owner = "litehtml";
     repo = "litehtml";
-    rev = "v${version}";
+    rev = "v${finalAttrs.version}";
     hash = "sha256-9571d3k8RkzEpMWPuIejZ7njLmYstSwFUaSqT3sk6uQ=";
   };
 
@@ -43,4 +43,4 @@ stdenv.mkDerivation rec {
     platforms = platforms.all;
     maintainers = with maintainers; [ fgaz ];
   };
-}
+})
diff --git a/pkgs/development/libraries/lmdbxx/default.nix b/pkgs/development/libraries/lmdbxx/default.nix
index 4fc1573eea1a..c8b4dec313be 100644
--- a/pkgs/development/libraries/lmdbxx/default.nix
+++ b/pkgs/development/libraries/lmdbxx/default.nix
@@ -2,14 +2,14 @@
 , fetchFromGitHub
 , lmdb }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "lmdbxx";
   version = "1.0.0";
 
   src = fetchFromGitHub {
     owner = "hoytech";
     repo = "lmdbxx";
-    rev = version;
+    rev = finalAttrs.version;
     sha256 = "sha256-7CxQZdgHVvmof6wVR9Mzic6tg89XJT3Z1ICGRs7PZYo=";
   };
 
@@ -22,5 +22,4 @@ stdenv.mkDerivation rec {
     license = lib.licenses.unlicense;
     maintainers = with lib.maintainers; [ fgaz ];
   };
-}
-
+})
diff --git a/pkgs/development/libraries/rapidfuzz-cpp/default.nix b/pkgs/development/libraries/rapidfuzz-cpp/default.nix
index f24da2c899f1..1544eff83621 100644
--- a/pkgs/development/libraries/rapidfuzz-cpp/default.nix
+++ b/pkgs/development/libraries/rapidfuzz-cpp/default.nix
@@ -8,13 +8,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "rapidfuzz-cpp";
-  version = "3.0.0";
+  version = "3.0.1";
 
   src = fetchFromGitHub {
-    owner = "maxbachmann";
+    owner = "rapidfuzz";
     repo = "rapidfuzz-cpp";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-N9yGOxlk1+wgRXWLbDIXWQz+/pwbnYVs3ub4/16Nzws=";
+    hash = "sha256-v/apbqRyv93PZsO397lvyIMtA1JtYrOpbWAVAbMCmP4=";
   };
 
   nativeBuildInputs = [
@@ -43,8 +43,8 @@ stdenv.mkDerivation (finalAttrs: {
 
   meta = {
     description = "Rapid fuzzy string matching in C++ using the Levenshtein Distance";
-    homepage = "https://github.com/maxbachmann/rapidfuzz-cpp";
-    changelog = "https://github.com/maxbachmann/rapidfuzz-cpp/blob/${finalAttrs.src.rev}/CHANGELOG.md";
+    homepage = "https://github.com/rapidfuzz/rapidfuzz-cpp";
+    changelog = "https://github.com/rapidfuzz/rapidfuzz-cpp/blob/${finalAttrs.src.rev}/CHANGELOG.md";
     license = lib.licenses.mit;
     maintainers = with lib.maintainers; [ dotlambda ];
     platforms = lib.platforms.unix;
diff --git a/pkgs/development/libraries/termbox/default.nix b/pkgs/development/libraries/termbox/default.nix
index 51c2ca1c8084..22657cd663a2 100644
--- a/pkgs/development/libraries/termbox/default.nix
+++ b/pkgs/development/libraries/termbox/default.nix
@@ -1,12 +1,12 @@
 { lib, stdenv, fetchFromGitHub }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "termbox";
   version = "1.1.4";
   src = fetchFromGitHub {
     owner = "termbox";
     repo = "termbox";
-    rev = "v${version}";
+    rev = "v${finalAttrs.version}";
     sha256 = "075swv6ajx8m424dbmgbf6fs6nd5q004gjpvx48gkxmnf9spvykl";
   };
 
@@ -19,4 +19,4 @@ stdenv.mkDerivation rec {
     downloadPage = "https://github.com/termbox/termbox/releases";
     maintainers = with maintainers; [ fgaz ];
   };
-}
+})
diff --git a/pkgs/development/libraries/xgboost/default.nix b/pkgs/development/libraries/xgboost/default.nix
index 0af51a40dfb1..b700dd2581c4 100644
--- a/pkgs/development/libraries/xgboost/default.nix
+++ b/pkgs/development/libraries/xgboost/default.nix
@@ -45,14 +45,14 @@ stdenv.mkDerivation rec {
   #   in \
   #   rWrapper.override{ packages = [ xgb ]; }"
   pname = lib.optionalString rLibrary "r-" + pnameBase;
-  version = "2.0.1";
+  version = "2.0.3";
 
   src = fetchFromGitHub {
     owner = "dmlc";
     repo = pnameBase;
     rev = "v${version}";
     fetchSubmodules = true;
-    hash = "sha256-tRx6kJwIoVSN701ppuyZpIFUQIFy4LBMFyirLtwApjA=";
+    hash = "sha256-LWco3A6zwdnAf8blU4qjW7PFEeZaTcJlVTwVrs7nwWM=";
   };
 
   nativeBuildInputs = [ cmake ]
@@ -143,6 +143,7 @@ stdenv.mkDerivation rec {
       "Scalable, Portable and Distributed Gradient Boosting (GBDT, GBRT or GBM) Library";
     homepage = "https://github.com/dmlc/xgboost";
     license = licenses.asl20;
+    mainProgram = "xgboost";
     platforms = platforms.unix;
     maintainers = with maintainers; [ abbradar nviets ];
   };
diff --git a/pkgs/development/ocaml-modules/ctypes/default.nix b/pkgs/development/ocaml-modules/ctypes/default.nix
index fa9cde044e8a..fa7bf6a587f0 100644
--- a/pkgs/development/ocaml-modules/ctypes/default.nix
+++ b/pkgs/development/ocaml-modules/ctypes/default.nix
@@ -1,49 +1,35 @@
-{ lib, stdenv, fetchFromGitHub, ocaml, findlib, libffi, pkg-config, ncurses, integers, bigarray-compat }:
-
-if lib.versionOlder ocaml.version "4.02"
-then throw "ctypes is not available for OCaml ${ocaml.version}"
-else
-
-stdenv.mkDerivation rec {
-  pname = "ocaml${ocaml.version}-ctypes";
-  version = "0.20.2";
+{ lib
+, ocaml
+, fetchFromGitHub
+, buildDunePackage
+, dune-configurator
+, integers
+, bigarray-compat
+, ounit2
+}:
+
+buildDunePackage rec {
+  pname = "ctypes";
+  version = "0.22.0";
 
   src = fetchFromGitHub {
     owner = "ocamllabs";
     repo = "ocaml-ctypes";
     rev = version;
-    hash = "sha256-LzUrR8K88CjY/R5yUK3y6KG85hUMjbzuebHGqI8KhhM=";
+    hash = "sha256-xgDKupQuakjHTbjoap/r2aAjNQUpH9K4HmeLbbgw1x4=";
   };
 
-  nativeBuildInputs = [ pkg-config ocaml findlib ];
-  buildInputs = [ ncurses ];
-  propagatedBuildInputs = [ integers libffi bigarray-compat ];
-
-  strictDeps = true;
-
-  preConfigure = ''
-    substituteInPlace META --replace ' bytes ' ' '
-  '';
+  buildInputs = [ dune-configurator ];
 
-  buildPhase = ''
-    runHook preBuild
-    make XEN=false libffi.config ctypes-base ctypes-stubs
-    make XEN=false ctypes-foreign
-    runHook postBuild
-  '';
+  propagatedBuildInputs = [ integers bigarray-compat ];
 
-  installPhase = ''
-    runHook preInstall
-    mkdir -p $out/lib/ocaml/${ocaml.version}/site-lib/stublibs
-    make install XEN=false
-    runHook postInstall
-  '';
+  doCheck = lib.versionAtLeast ocaml.version "4.08";
+  checkInputs = [ ounit2 ];
 
   meta = with lib; {
     homepage = "https://github.com/ocamllabs/ocaml-ctypes";
     description = "Library for binding to C libraries using pure OCaml";
     license = licenses.mit;
     maintainers = [ maintainers.ericbmerritt ];
-    inherit (ocaml.meta) platforms;
   };
 }
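Review bot: The rewritten expression removes the old `lib.versionOlder ocaml.version "4.02"` guard and puts no lower bound in its place, so an unsupported OCaml now fails somewhere in the build instead of at evaluation time with a readable message. `buildDunePackage` accepts `minimalOCamlVersion`; adding `minimalOCamlVersion = "<minimum from the upstream opam file>";` next to `version` would restore the early failure. `doCheck` is already gated on OCaml 4.08, so the supported range appears to be known and could be stated the same way.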
diff --git a/pkgs/development/ocaml-modules/ctypes/foreign.nix b/pkgs/development/ocaml-modules/ctypes/foreign.nix
new file mode 100644
index 000000000000..5c9efad790f2
--- /dev/null
+++ b/pkgs/development/ocaml-modules/ctypes/foreign.nix
@@ -0,0 +1,23 @@
+{ buildDunePackage
+, ctypes
+, dune-configurator
+, libffi
+, ounit2
+, lwt
+}:
+
+buildDunePackage rec {
+  pname = "ctypes-foreign";
+
+  inherit (ctypes) version src doCheck;
+
+  buildInputs = [ dune-configurator ];
+
+  propagatedBuildInputs = [ ctypes libffi ];
+
+  checkInputs = [ ounit2 lwt ];
+
+  meta = ctypes.meta // {
+    description = "Dynamic access to foreign C libraries using Ctypes";
+  };
+}
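Review bot: `buildDunePackage rec {` in this new file does not need `rec`, because no attribute in the set refers to another one: `version`, `src` and `doCheck` are inherited from `ctypes`, and `meta` is built from `ctypes.meta`. Writing `buildDunePackage {` avoids implying a self-reference that is not there. A short comment above `inherit (ctypes) version src doCheck;`, such as `# built from the ctypes source tree; only the dune package differs`, would also explain why this file carries no `src` or `hash` of its own.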
diff --git a/pkgs/development/ocaml-modules/hacl-star/raw.nix b/pkgs/development/ocaml-modules/hacl-star/raw.nix
index 00b524606fcf..b4b8c1741535 100644
--- a/pkgs/development/ocaml-modules/hacl-star/raw.nix
+++ b/pkgs/development/ocaml-modules/hacl-star/raw.nix
@@ -27,7 +27,10 @@ stdenv.mkDerivation rec {
   # strictoverflow is disabled because it breaks aarch64-darwin
   hardeningDisable = [ "strictoverflow" ];
 
+  # Compatibility with ctypes ≥ 0.21
+  # see: https://github.com/cryspen/hacl-packages/commit/81303b83a54a92d3b5f54f1b8ddbea60438cc2bf
   postPatch = ''
+    substituteInPlace hacl-star-raw/META --replace-warn 'requires="ctypes"' 'requires="ctypes ctypes.stubs"'
     patchShebangs ./
   '';
 
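Review bot: The `substituteInPlace hacl-star-raw/META --replace-warn ...` line added to `postPatch` only prints a warning when `requires="ctypes"` is not found, so after an upstream change the compatibility fix can silently stop applying while the build carries on. `--replace-fail` would turn a non-matching pattern into a build error, which also signals when the workaround has become obsolete. If warn mode is deliberate, the comment above should say why. The same applies to the `--replace-warn 'ctypes))' 'ctypes ctypes.stubs))'` line added to `postPatch` in xxhash/default.nix, which also lacks a comment giving the ctypes ≥ 0.21 reason.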
diff --git a/pkgs/development/ocaml-modules/janestreet/0.14.nix b/pkgs/development/ocaml-modules/janestreet/0.14.nix
index 249f9c3115d6..7d8bdc4dfb7d 100644
--- a/pkgs/development/ocaml-modules/janestreet/0.14.nix
+++ b/pkgs/development/ocaml-modules/janestreet/0.14.nix
@@ -130,7 +130,7 @@ with self;
     hash = "0ykys3ckpsx5crfgj26v2q3gy6wf684aq0bfb4q8p92ivwznvlzy";
     meta.description = "Async wrappers for SSL";
     buildInputs = [ dune-configurator ];
-    propagatedBuildInputs = [ async ctypes openssl ];
+    propagatedBuildInputs = [ async ctypes ctypes-foreign openssl ];
     # in ctypes.foreign 0.18.0 threaded and unthreaded have been merged
     postPatch = ''
       substituteInPlace bindings/dune \
diff --git a/pkgs/development/ocaml-modules/janestreet/0.15.nix b/pkgs/development/ocaml-modules/janestreet/0.15.nix
index ccd2d4eab299..f64e228a2b81 100644
--- a/pkgs/development/ocaml-modules/janestreet/0.15.nix
+++ b/pkgs/development/ocaml-modules/janestreet/0.15.nix
@@ -144,7 +144,7 @@ with self;
     hash = "1b7f7p3xj4jr2n2dxy2lp7a9k7944w6x2nrg6524clvcsd1ax4hn";
     meta.description = "Async wrappers for SSL";
     buildInputs = [ dune-configurator ];
-    propagatedBuildInputs = [ async ctypes openssl ];
+    propagatedBuildInputs = [ async ctypes ctypes-foreign openssl ];
     # in ctypes.foreign 0.18.0 threaded and unthreaded have been merged
     postPatch = ''
       substituteInPlace bindings/dune \
diff --git a/pkgs/development/ocaml-modules/janestreet/0.16.nix b/pkgs/development/ocaml-modules/janestreet/0.16.nix
index bba99ebb29d1..562364df53bc 100644
--- a/pkgs/development/ocaml-modules/janestreet/0.16.nix
+++ b/pkgs/development/ocaml-modules/janestreet/0.16.nix
@@ -146,7 +146,7 @@ with self;
     hash = "sha256-83YKxvVb/JwBnQG4R/R1Ztik9T/hO4cbiNTfFnErpG4=";
     meta.description = "Async wrappers for SSL";
     buildInputs = [ dune-configurator ];
-    propagatedBuildInputs = [ async ctypes openssl ];
+    propagatedBuildInputs = [ async ctypes ctypes-foreign openssl ];
   };
 
   async_unix = janePackage {
diff --git a/pkgs/development/ocaml-modules/lilv/default.nix b/pkgs/development/ocaml-modules/lilv/default.nix
index 501182db7a96..a5def260eb29 100644
--- a/pkgs/development/ocaml-modules/lilv/default.nix
+++ b/pkgs/development/ocaml-modules/lilv/default.nix
@@ -1,4 +1,4 @@
-{ lib, buildDunePackage, fetchFromGitHub, dune-configurator, ctypes, lilv }:
+{ lib, buildDunePackage, fetchFromGitHub, dune-configurator, ctypes, ctypes-foreign, lilv }:
 
 buildDunePackage rec {
   pname = "lilv";
@@ -14,7 +14,7 @@ buildDunePackage rec {
   minimalOCamlVersion = "4.03.0";
 
   buildInputs = [ dune-configurator ];
-  propagatedBuildInputs = [ ctypes lilv ];
+  propagatedBuildInputs = [ ctypes ctypes-foreign lilv ];
 
   meta = with lib; {
     homepage = "https://github.com/savonet/ocaml-lilv";
diff --git a/pkgs/development/ocaml-modules/mariadb/default.nix b/pkgs/development/ocaml-modules/mariadb/default.nix
index 397402481839..3ac6027b22fd 100644
--- a/pkgs/development/ocaml-modules/mariadb/default.nix
+++ b/pkgs/development/ocaml-modules/mariadb/default.nix
@@ -15,10 +15,16 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-3/C1Gz6luUzS7oaudLlDHMT6JB2v5OdbLVzJhtayHGM=";
   };
 
-  patches = fetchpatch {
-    url = "https://github.com/andrenth/ocaml-mariadb/commit/9db2e4d8dec7c584213d0e0f03d079a36a35d9d5.patch";
-    hash = "sha256-heROtU02cYBJ5edIHMdYP1xNXcLv8h79GYGBuudJhgE=";
-  };
+  patches = lib.lists.map (x:
+    fetchpatch {
+      url = "https://github.com/andrenth/ocaml-mariadb/commit/${x.path}.patch";
+      inherit (x) hash;
+    })
+  [ { path = "9db2e4d8dec7c584213d0e0f03d079a36a35d9d5";
+      hash = "sha256-heROtU02cYBJ5edIHMdYP1xNXcLv8h79GYGBuudJhgE="; }
+    { path = "40cd3102bc7cce4ed826ed609464daeb1bbb4581";
+      hash = "sha256-YVsAMJiOgWRk9xPaRz2sDihBYLlXv+rhWtQIMOVLtSg="; }
+  ];
 
   postPatch = ''
     substituteInPlace setup.ml --replace '#use "topfind"' \
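Review bot: The two entries in the new `patches` list are identified only by commit id, so a reader cannot tell what each upstream change fixes or when it can be dropped. A comment per entry would cover that, e.g. `# <what this commit changes>; remove once part of a tagged release`. Naming the field `rev` or `commit` instead of `path` would also match what it holds. Pinning each patch by full commit id plus content hash is the right shape and should stay. The derivation starts and ends outside this hunk.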
diff --git a/pkgs/development/ocaml-modules/srt/default.nix b/pkgs/development/ocaml-modules/srt/default.nix
index 92431fcb3489..d1e5ecd9ad55 100644
--- a/pkgs/development/ocaml-modules/srt/default.nix
+++ b/pkgs/development/ocaml-modules/srt/default.nix
@@ -2,6 +2,7 @@
 , dune-configurator
 , posix-socket
 , srt
+, ctypes-foreign
 }:
 
 buildDunePackage rec {
@@ -9,7 +10,6 @@ buildDunePackage rec {
   version = "0.3.0";
 
   minimalOCamlVersion = "4.08";
-  duneVersion = "3";
 
   src = fetchFromGitHub {
     owner = "savonet";
@@ -19,7 +19,7 @@ buildDunePackage rec {
   };
 
   buildInputs = [ dune-configurator ];
-  propagatedBuildInputs = [ posix-socket srt ];
+  propagatedBuildInputs = [ ctypes-foreign posix-socket srt ];
 
   meta = with lib; {
     description = "OCaml bindings for the libsrt library";
diff --git a/pkgs/development/ocaml-modules/torch/default.nix b/pkgs/development/ocaml-modules/torch/default.nix
index a22a9ea68ddc..5acef0f2a72c 100644
--- a/pkgs/development/ocaml-modules/torch/default.nix
+++ b/pkgs/development/ocaml-modules/torch/default.nix
@@ -5,6 +5,7 @@
 , fetchpatch
 , cmdliner
 , ctypes
+, ctypes-foreign
 , dune-configurator
 , npy
 , ocaml-compiler-libs
@@ -42,6 +43,7 @@ buildDunePackage rec {
   propagatedBuildInputs = [
     cmdliner
     ctypes
+    ctypes-foreign
     npy
     ocaml-compiler-libs
     ppx_custom_printf
diff --git a/pkgs/development/ocaml-modules/tsdl/default.nix b/pkgs/development/ocaml-modules/tsdl/default.nix
index 14c29f3daee0..2d35f76d5bf0 100644
--- a/pkgs/development/ocaml-modules/tsdl/default.nix
+++ b/pkgs/development/ocaml-modules/tsdl/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, ocaml, findlib, ocamlbuild, topkg, ctypes, result, SDL2, pkg-config
+{ lib, stdenv, fetchurl, ocaml, findlib, ocamlbuild, topkg, ctypes, ctypes-foreign, result, SDL2, pkg-config
 , AudioToolbox, Cocoa, CoreAudio, CoreVideo, ForceFeedback }:
 
 if lib.versionOlder ocaml.version "4.03"
@@ -24,7 +24,7 @@ stdenv.mkDerivation {
 
   nativeBuildInputs = [ pkg-config ocaml findlib ocamlbuild topkg ];
   buildInputs = [ topkg ];
-  propagatedBuildInputs = [ SDL2 ctypes ]
+  propagatedBuildInputs = [ SDL2 ctypes ctypes-foreign ]
     ++ lib.optionals stdenv.isDarwin [ AudioToolbox Cocoa CoreAudio CoreVideo ForceFeedback ];
 
   preConfigure = ''
diff --git a/pkgs/development/ocaml-modules/xxhash/default.nix b/pkgs/development/ocaml-modules/xxhash/default.nix
index fe212dd0eb70..d8ef8f3d60ef 100644
--- a/pkgs/development/ocaml-modules/xxhash/default.nix
+++ b/pkgs/development/ocaml-modules/xxhash/default.nix
@@ -3,6 +3,7 @@
 , buildDunePackage
 , xxHash
 , ctypes
+, ctypes-foreign
 , dune-configurator
 , ppx_expect
 }:
@@ -20,12 +21,17 @@ buildDunePackage rec {
     hash = "sha256-0+ac5EWV9DCVMT4wOcXC95GVEwsUIZzFn2laSzmK6jE=";
   };
 
+  postPatch = ''
+    substituteInPlace stubs/dune --replace-warn 'ctypes))' 'ctypes ctypes.stubs))'
+  '';
+
   buildInputs = [
     dune-configurator
   ];
 
   propagatedBuildInputs = [
     ctypes
+    ctypes-foreign
     xxHash
   ];
 
diff --git a/pkgs/development/php-packages/composer/default.nix b/pkgs/development/php-packages/composer/default.nix
index 8a626f46181a..1f9a16b197be 100644
--- a/pkgs/development/php-packages/composer/default.nix
+++ b/pkgs/development/php-packages/composer/default.nix
@@ -1,11 +1,22 @@
-{ lib, callPackage, fetchFromGitHub, fetchpatch, php, unzip, _7zz, xz, git, curl, cacert, makeBinaryWrapper }:
+{ lib
+, callPackage
+, fetchFromGitHub
+, php
+, unzip
+, _7zz
+, xz
+, git
+, curl
+, cacert
+, makeBinaryWrapper
+}:
 
 php.buildComposerProject (finalAttrs: {
   # Hash used by ../../../build-support/php/pkgs/composer-phar.nix to
   # use together with the version from this package to keep the
   # bootstrap phar file up-to-date together with the end user composer
   # package.
-  passthru.pharHash = "sha256-cmACAcc8fEshjxwFEbNthTeWPjaq+iRHV/UjCfiFsxQ=";
+  passthru.pharHash = "sha256-H/0L4/J+I3sa5H+ejyn5asf1CgvZ7vT4jNvpTdBL//A=";
 
   composer = callPackage ../../../build-support/php/pkgs/composer-phar.nix {
     inherit (finalAttrs) version;
@@ -13,27 +24,15 @@ php.buildComposerProject (finalAttrs: {
   };
 
   pname = "composer";
-  version = "2.6.6";
+  version = "2.7.1";
 
   src = fetchFromGitHub {
     owner = "composer";
     repo = "composer";
     rev = finalAttrs.version;
-    hash = "sha256-KsTZi7dSlQcAxoen9rpofbptVdLYhK+bZeDSXQY7o5M=";
+    hash = "sha256-OThWqY3m/pIas4qvR/kiYgc/2QrAbnsYEOxpHxKhDfM=";
   };
 
-  patches = [
-    (fetchpatch {
-      name = "CVE-2024-24821.patch";
-      url = "https://github.com/composer/composer/commit/77e3982918bc1d886843dc3d5e575e7e871b27b7.patch";
-      hash = "sha256-Q7gkPLf59+p++DpfJZeOrAOiWePuGkdGYRaS/rK+Nv4=";
-      excludes = [
-        # Skipping test files, they are not included in the source tarball
-        "tests/*"
-      ];
-    })
-  ];
-
   nativeBuildInputs = [ makeBinaryWrapper ];
 
   postInstall = ''
@@ -41,7 +40,7 @@ php.buildComposerProject (finalAttrs: {
       --prefix PATH : ${lib.makeBinPath [ _7zz cacert curl git unzip xz ]}
   '';
 
-  vendorHash = "sha256-50M1yeAKl9KRsjs34cdb5ZTBFgbukgg0cMtHTYGJ/EM=";
+  vendorHash = "sha256-NJa6nu60HQeBJr7dd79ATptjcekgY35Jq9V40SrN9Ds";
 
   meta = {
     changelog = "https://github.com/composer/composer/releases/tag/${finalAttrs.version}";
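Review bot: The new `vendorHash` value has no trailing `=`, unlike the other SRI hashes this commit sets in the file (`passthru.pharHash`, `src.hash`), which leaves it at 43 base64 characters where a SHA-256 digest encodes to 44 with padding. Whether every supported Nix version accepts the unpadded form is worth confirming. Writing it padded, `vendorHash = "sha256-NJa6nu60HQeBJr7dd79ATptjcekgY35Jq9V40SrN9Ds=";`, keeps the dependency pin unambiguous. The enclosing `buildComposerProject` call continues outside this hunk.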
diff --git a/pkgs/development/python-modules/adafruit-platformdetect/default.nix b/pkgs/development/python-modules/adafruit-platformdetect/default.nix
index dd5e90ef2e41..bee4d68d5d73 100644
--- a/pkgs/development/python-modules/adafruit-platformdetect/default.nix
+++ b/pkgs/development/python-modules/adafruit-platformdetect/default.nix
@@ -7,7 +7,7 @@
 
 buildPythonPackage rec {
   pname = "adafruit-platformdetect";
-  version = "3.61.0";
+  version = "3.62.0";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
@@ -15,7 +15,7 @@ buildPythonPackage rec {
   src = fetchPypi {
     pname = "Adafruit-PlatformDetect";
     inherit version;
-    hash = "sha256-hA10t/ZtMH2MjyHJJdJeOZLOF5NNTCOgGqxU6CCkZlQ=";
+    hash = "sha256-L2CbqWqyOo4mq+KsO8FYAyHClRKFXMLWWtfYEg0SD34=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/aioairzone/default.nix b/pkgs/development/python-modules/aioairzone/default.nix
index 78d572744aab..905232c065a3 100644
--- a/pkgs/development/python-modules/aioairzone/default.nix
+++ b/pkgs/development/python-modules/aioairzone/default.nix
@@ -8,7 +8,7 @@
 
 buildPythonPackage rec {
   pname = "aioairzone";
-  version = "0.7.5";
+  version = "0.7.6";
   pyproject = true;
 
   disabled = pythonOlder "3.11";
@@ -17,7 +17,7 @@ buildPythonPackage rec {
     owner = "Noltari";
     repo = "aioairzone";
     rev = "refs/tags/${version}";
-    hash = "sha256-mliyDKh+7M8GQ0ZJijoYrqKDeAqRHfKGyPJM/5no+fM=";
+    hash = "sha256-99Km1zizAA0BF4ZlLmKOBoOQzKS/QdWpWC9dzg2s3lU=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/aiomysensors/default.nix b/pkgs/development/python-modules/aiomysensors/default.nix
index 404a9c2c3a77..9ba8dae31c8a 100644
--- a/pkgs/development/python-modules/aiomysensors/default.nix
+++ b/pkgs/development/python-modules/aiomysensors/default.nix
@@ -15,7 +15,7 @@
 
 buildPythonPackage rec {
   pname = "aiomysensors";
-  version = "0.3.13";
+  version = "0.3.14";
   pyproject = true;
 
   disabled = pythonOlder "3.9";
@@ -24,7 +24,7 @@ buildPythonPackage rec {
     owner = "MartinHjelmare";
     repo = "aiomysensors";
     rev = "refs/tags/v${version}";
-    hash = "sha256-2i2QodEWOZ/nih6ap5ovWuKxILB5arusnqOiOlb4xWM=";
+    hash = "sha256-7Y7JE/GAX5gQrIGcErZTGQXyaf3QwsTFgviiHLWgGeI=";
   };
 
   postPatch = ''
diff --git a/pkgs/development/python-modules/apispec/default.nix b/pkgs/development/python-modules/apispec/default.nix
index e08df2ca1db9..d39d59325d17 100644
--- a/pkgs/development/python-modules/apispec/default.nix
+++ b/pkgs/development/python-modules/apispec/default.nix
@@ -1,6 +1,7 @@
 { lib
 , buildPythonPackage
 , fetchPypi
+, flit-core
 , marshmallow
 , mock
 , openapi-spec-validator
@@ -9,20 +10,25 @@
 , pytestCheckHook
 , pythonOlder
 , pyyaml
+, setuptools
 }:
 
 buildPythonPackage rec {
   pname = "apispec";
-  version = "6.4.0";
-  format = "setuptools";
+  version = "6.5.0";
+  pyproject = true;
 
-  disabled = pythonOlder "3.7";
+  disabled = pythonOlder "3.8";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-QrimgzzxVMnb0i0Aa1a/nEnJctMtJP5xb9c04Pa3Obg=";
+    hash = "sha256-wDpNhIrnDpuyJp3U5NMNjsfsBp0k756bQi48vRqf55Q=";
   };
 
+  nativeBuildInputs = [
+    flit-core
+  ];
+
   propagatedBuildInputs = [
     packaging
   ];
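Review bot: `setuptools` is added to the function arguments, but the only build-system input this hunk introduces is `flit-core` in `nativeBuildInputs`, and none of the visible lines reference `setuptools`. If it is not used further down the file (the derivation continues outside the hunk), drop the argument so the declared inputs match what the `pyproject = true` build actually needs. If it is a real runtime dependency, it belongs in `propagatedBuildInputs` with a short comment saying so.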
diff --git a/pkgs/development/python-modules/asyncua/default.nix b/pkgs/development/python-modules/asyncua/default.nix
index e2417b6a2463..3666d8716d96 100644
--- a/pkgs/development/python-modules/asyncua/default.nix
+++ b/pkgs/development/python-modules/asyncua/default.nix
@@ -19,7 +19,7 @@
 
 buildPythonPackage rec {
   pname = "asyncua";
-  version = "1.0.6";
+  version = "1.1.0";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -28,7 +28,7 @@ buildPythonPackage rec {
     owner = "FreeOpcUa";
     repo = "opcua-asyncio";
     rev = "refs/tags/v${version}";
-    hash = "sha256-16OzTxYafK1a/WVH46bL7VhxNI+XpkPHi2agbArpHUk=";
+    hash = "sha256-tHlo5oNsb8E6r0vmSi0eVbk4RCMg0xe97LITzW9FQWA=";
     fetchSubmodules = true;
   };
 
diff --git a/pkgs/development/python-modules/awkward-cpp/default.nix b/pkgs/development/python-modules/awkward-cpp/default.nix
index 18c0be822dea..ad54fd5e2d88 100644
--- a/pkgs/development/python-modules/awkward-cpp/default.nix
+++ b/pkgs/development/python-modules/awkward-cpp/default.nix
@@ -11,14 +11,14 @@
 
 buildPythonPackage rec {
   pname = "awkward-cpp";
-  version = "29";
+  version = "30";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-r0t4kbeLkDFxvONB6I0q3YQFn6Fn8I6KmTAFmZ0bnRs=";
+    hash = "sha256-W+lMpzUdjkIcuUeKm3EBb6dnNiH6Ei1HfQsHu2iqfUw=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/awkward/default.nix b/pkgs/development/python-modules/awkward/default.nix
index 5c174cb54d2b..a093cb5d8e40 100644
--- a/pkgs/development/python-modules/awkward/default.nix
+++ b/pkgs/development/python-modules/awkward/default.nix
@@ -24,7 +24,7 @@
 
 buildPythonPackage rec {
   pname = "awkward";
-  version = "2.6.1";
+  version = "2.6.2";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -33,7 +33,7 @@ buildPythonPackage rec {
     owner = "scikit-hep";
     repo = "awkward";
     rev = "refs/tags/v${version}";
-    hash = "sha256-G9jXAo37mhvXzn7cQ/DEUGauGs+P7JxBntfu7ZPfaHc=";
+    hash = "sha256-5wUTEB0iVffyCi671y4EsTum+7K1GDeAHlhdLpRgKnQ=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/boto3-stubs/default.nix b/pkgs/development/python-modules/boto3-stubs/default.nix
index 44442b29d77d..bdc53581027f 100644
--- a/pkgs/development/python-modules/boto3-stubs/default.nix
+++ b/pkgs/development/python-modules/boto3-stubs/default.nix
@@ -365,14 +365,14 @@
 
 buildPythonPackage rec {
   pname = "boto3-stubs";
-  version = "1.34.54";
+  version = "1.34.55";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-x7LouZ9Ils8SJt9H1Lraqo33QmAIyWpCi/ACBWlWaek=";
+    hash = "sha256-y7rhuBG5fk4fHQDrojf/mHZ45lJQIia4fmJ295Y5NbQ=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/botocore-stubs/default.nix b/pkgs/development/python-modules/botocore-stubs/default.nix
index 045954456c2b..9d2ba7735b96 100644
--- a/pkgs/development/python-modules/botocore-stubs/default.nix
+++ b/pkgs/development/python-modules/botocore-stubs/default.nix
@@ -9,7 +9,7 @@
 
 buildPythonPackage rec {
   pname = "botocore-stubs";
-  version = "1.34.54";
+  version = "1.34.55";
   format = "pyproject";
 
   disabled = pythonOlder "3.7";
@@ -17,7 +17,7 @@ buildPythonPackage rec {
   src = fetchPypi {
     pname = "botocore_stubs";
     inherit version;
-    hash = "sha256-lY8AhDItyeVJ9zFRtob6UbFYWPsrOlc7n0Nn8HP/9GM=";
+    hash = "sha256-hYAQjqR3KksDv4gogKL2O7p2Z0d9FwjwbMZSSViZNHE=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/celery/default.nix b/pkgs/development/python-modules/celery/default.nix
index fa7ebb248adb..587c17b3eca9 100644
--- a/pkgs/development/python-modules/celery/default.nix
+++ b/pkgs/development/python-modules/celery/default.nix
@@ -79,6 +79,9 @@ buildPythonPackage rec {
   disabledTests = [
     "msgpack"
     "test_check_privileges_no_fchown"
+    # seems to only fail on higher core counts
+    # AssertionError: assert 3 == 0
+    "test_setup_security_disabled_serializers"
     # fails with pytest-xdist
     "test_itercapture_limit"
     "test_stamping_headers_in_options"
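Review bot: The new skip of `test_setup_security_disabled_serializers` is justified only by "seems to only fail on higher core counts", with no upstream reference to track it. Judging by its name, the test covers celery's security setup, so it is one that should come back once the flakiness is understood. Extending the comment with `# <upstream issue URL>; re-enable when fixed` would make the skip auditable. If the failure is an ordering problem under parallel runs, grouping it with the existing "fails with pytest-xdist" entries would document that. The `disabledTests` list continues outside this hunk.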
diff --git a/pkgs/development/python-modules/cyclonedx-python-lib/default.nix b/pkgs/development/python-modules/cyclonedx-python-lib/default.nix
index c2e8eb3a48d5..7b04f6869252 100644
--- a/pkgs/development/python-modules/cyclonedx-python-lib/default.nix
+++ b/pkgs/development/python-modules/cyclonedx-python-lib/default.nix
@@ -23,7 +23,7 @@
 
 buildPythonPackage rec {
   pname = "cyclonedx-python-lib";
-  version = "6.4.2";
+  version = "6.4.3";
   pyproject = true;
 
   disabled = pythonOlder "3.9";
@@ -32,7 +32,7 @@ buildPythonPackage rec {
     owner = "CycloneDX";
     repo = "cyclonedx-python-lib";
     rev = "refs/tags/v${version}";
-    hash = "sha256-uDppmYJiQt2Yix5vaWYqMDbPcHOEPz2pBK11lUZ54fI=";
+    hash = "sha256-9enilHkZ07loBisKObUmVLhJeXgY/HUiVrf2scPFB60=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/django-storages/default.nix b/pkgs/development/python-modules/django-storages/default.nix
index 1bce8c0d751e..29b4aff06309 100644
--- a/pkgs/development/python-modules/django-storages/default.nix
+++ b/pkgs/development/python-modules/django-storages/default.nix
@@ -1,38 +1,33 @@
 { lib
-, buildPythonPackage
-, fetchFromGitHub
-
-# build-system
-, setuptools
-
-# dependencies
-, django
-
-# optional-dependencies
 , azure-storage-blob
 , boto3
+, buildPythonPackage
+, cryptography
+, django
 , dropbox
+, fetchFromGitHub
 , google-cloud-storage
 , libcloud
-, paramiko
-
-# tests
-, cryptography
 , moto
+, paramiko
 , pytestCheckHook
+, pythonOlder
 , rsa
+, setuptools
 }:
 
 buildPythonPackage rec {
   pname = "django-storages";
-  version = "1.14";
-  format = "pyproject";
+  version = "1.14.2";
+  pyproject = true;
+
+  disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "jschneier";
     repo = "django-storages";
     rev = "refs/tags/${version}";
-    hash = "sha256-q+vQm1T5/ueGPfwzuUOmSI/nESchqJc4XizJieBsLWc=";
+    hash = "sha256-V0uFZvnBi0B31b/j/u3Co6dd9XcdVefiSkl3XmCTJG4=";
   };
 
   nativeBuildInputs = [
@@ -67,12 +62,6 @@ buildPythonPackage rec {
     ];
   };
 
-  pythonImportsCheck = [
-    "storages"
-  ];
-
-  env.DJANGO_SETTINGS_MODULE = "tests.settings";
-
   nativeCheckInputs = [
     cryptography
     moto
@@ -80,9 +69,20 @@ buildPythonPackage rec {
     rsa
   ] ++ lib.flatten (builtins.attrValues passthru.optional-dependencies);
 
+  pythonImportsCheck = [
+    "storages"
+  ];
+
+  env.DJANGO_SETTINGS_MODULE = "tests.settings";
+
+  disabledTests = [
+    # AttributeError: 'str' object has no attribute 'universe_domain'
+    "test_storage_save_gzip"
+  ];
+
   meta = with lib; {
-    changelog = "https://github.com/jschneier/django-storages/blob/${version}/CHANGELOG.rst";
     description = "Collection of custom storage backends for Django";
+    changelog = "https://github.com/jschneier/django-storages/blob/${version}/CHANGELOG.rst";
     downloadPage = "https://github.com/jschneier/django-storages/";
     homepage = "https://django-storages.readthedocs.io";
     license = licenses.bsd3;
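Review bot: The new `disabledTests` entry `test_storage_save_gzip` is matched by name across the whole suite, so a test with that name in any storage backend is deselected, not only the one raising the `universe_domain` error. The comment should name the failing backend and the cause. The attribute looks like it comes from the Google client library, which is bumped to 2.15.0 in this same commit, though that link is inferred. Something like `# gcloud backend only: breaks with google-cloud-storage 2.15.0, <upstream issue URL>` would let the skip be removed once the incompatibility is fixed.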
diff --git a/pkgs/development/python-modules/dm-haiku/default.nix b/pkgs/development/python-modules/dm-haiku/default.nix
index cb97e2f837af..e35baffb4066 100644
--- a/pkgs/development/python-modules/dm-haiku/default.nix
+++ b/pkgs/development/python-modules/dm-haiku/default.nix
@@ -23,14 +23,14 @@
 
 let dm-haiku = buildPythonPackage rec {
   pname = "dm-haiku";
-  version = "0.0.11";
+  version = "0.0.12";
   format = "setuptools";
 
   src = fetchFromGitHub {
     owner = "deepmind";
     repo = "dm-haiku";
     rev = "refs/tags/v${version}";
-    hash = "sha256-xve1vNsVOC6/HVtzmzswM/Sk3uUNaTtqNAKheFb/tmI=";
+    hash = "sha256-aJRXlMq4CNMH3ZSTDP8MgnVltdSc8l5raw4//KccL48=";
   };
 
   patches = [
diff --git a/pkgs/development/python-modules/easydict/default.nix b/pkgs/development/python-modules/easydict/default.nix
index 2a06fe02d133..14aae92ef5c4 100644
--- a/pkgs/development/python-modules/easydict/default.nix
+++ b/pkgs/development/python-modules/easydict/default.nix
@@ -5,12 +5,12 @@
 
 buildPythonPackage rec {
   pname = "easydict";
-  version = "1.11";
+  version = "1.13";
   format = "setuptools";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-3LHS7SjrMAyORs03E0A3Orxi98FNbep0/fxvEGkGHHg=";
+    hash = "sha256-sRNd7bxByAEOK8H3fsl0TH+qQrzhoch0FnkUSdbId4A=";
   };
 
   doCheck = false; # No tests in archive
diff --git a/pkgs/development/python-modules/environs/default.nix b/pkgs/development/python-modules/environs/default.nix
index 8c179349e18e..67bca70171e4 100644
--- a/pkgs/development/python-modules/environs/default.nix
+++ b/pkgs/development/python-modules/environs/default.nix
@@ -4,16 +4,16 @@
 , dj-email-url
 , django-cache-url
 , fetchFromGitHub
+, flit-core
 , marshmallow
 , pytestCheckHook
 , python-dotenv
 , pythonOlder
-, setuptools
 }:
 
 buildPythonPackage rec {
   pname = "environs";
-  version = "10.3.0";
+  version = "11.0.0";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -22,11 +22,11 @@ buildPythonPackage rec {
     owner = "sloria";
     repo = "environs";
     rev = "refs/tags/${version}";
-    hash = "sha256-D6Kp8aHiUls7+cACJ3DwrS4OftA5uMbAu4l5IyR4F5U=";
+    hash = "sha256-9BqIlA2HcUlBiyTB7zxaLO0CzBRkx5mKMMdhvdr2Uqg=";
   };
 
   nativeBuildInputs = [
-    setuptools
+    flit-core
   ];
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/flask-limiter/default.nix b/pkgs/development/python-modules/flask-limiter/default.nix
index ff532ffd12d9..3aab9046cdc8 100644
--- a/pkgs/development/python-modules/flask-limiter/default.nix
+++ b/pkgs/development/python-modules/flask-limiter/default.nix
@@ -13,13 +13,14 @@
 , pythonOlder
 , redis
 , rich
+, setuptools
 , typing-extensions
 }:
 
 buildPythonPackage rec {
   pname = "flask-limiter";
-  version = "3.5.0";
-  format = "setuptools";
+  version = "3.5.1";
+  pyproject = true;
 
   disabled = pythonOlder "3.7";
 
@@ -27,7 +28,7 @@ buildPythonPackage rec {
     owner = "alisaifee";
     repo = "flask-limiter";
     rev = "refs/tags/${version}";
-    hash = "sha256-ZaHw8+l1sBCeNj0tYdUw1f4BUvEj6plOSoH0GUzNg+0=";
+    hash = "sha256-U7qgl8yg0ddKDPXqYE2Vqyc2ofxSP+6liWs5j4qD6fM=";
   };
 
   postPatch = ''
@@ -37,6 +38,10 @@ buildPythonPackage rec {
     sed -i "/import flask_restful/d" tests/test_views.py
   '';
 
+  nativeBuildInputs = [
+    setuptools
+  ];
+
   propagatedBuildInputs = [
     flask
     limits
diff --git a/pkgs/development/python-modules/flask-marshmallow/default.nix b/pkgs/development/python-modules/flask-marshmallow/default.nix
index be74af2d5f9a..fdc40c244303 100644
--- a/pkgs/development/python-modules/flask-marshmallow/default.nix
+++ b/pkgs/development/python-modules/flask-marshmallow/default.nix
@@ -1,13 +1,13 @@
 { lib
 , buildPythonPackage
 , fetchFromGitHub
-, pythonOlder
-, flit-core
 , flask
-, marshmallow
-, pytestCheckHook
 , flask-sqlalchemy
+, flit-core
+, marshmallow
 , marshmallow-sqlalchemy
+, pytestCheckHook
+, pythonOlder
 }:
 
 buildPythonPackage rec {
@@ -33,6 +33,13 @@ buildPythonPackage rec {
     marshmallow
   ];
 
+  passthru.optional-dependencies = {
+    sqlalchemy = [
+      flask-sqlalchemy
+      marshmallow-sqlalchemy
+    ];
+  };
+
   nativeCheckInputs = [
     pytestCheckHook
   ] ++ passthru.optional-dependencies.sqlalchemy;
@@ -41,12 +48,10 @@ buildPythonPackage rec {
     "flask_marshmallow"
   ];
 
-  passthru.optional-dependencies = {
-    sqlalchemy = [
-      flask-sqlalchemy
-      marshmallow-sqlalchemy
-    ];
-  };
+  pytestFlagsArray = [
+    "-W"
+    "ignore::DeprecationWarning"
+  ];
 
   meta = {
     description = "Flask + marshmallow for beautiful APIs";
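Review bot: `pytestFlagsArray = [ "-W" "ignore::DeprecationWarning" ]` silences every DeprecationWarning in the test run, and nothing says which warning made it necessary. Presumably the suite treats warnings as errors and a dependency started emitting one. A comment naming the emitting package, e.g. `# <package> emits a DeprecationWarning that the test suite treats as an error`, would let the filter be narrowed or removed later. A blanket ignore can also hide deprecations in flask or marshmallow that will break this package on the next bump.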
diff --git a/pkgs/development/python-modules/google-cloud-bigquery/default.nix b/pkgs/development/python-modules/google-cloud-bigquery/default.nix
index b59372f294a0..0a7c67ec7aa7 100644
--- a/pkgs/development/python-modules/google-cloud-bigquery/default.nix
+++ b/pkgs/development/python-modules/google-cloud-bigquery/default.nix
@@ -28,14 +28,14 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-bigquery";
-  version = "3.17.1";
+  version = "3.18.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-CuB7kNUFK6OilqIhCiFEwoRpMA1x9vRViB+Uwt9UMFc=";
+    hash = "sha256-dPD8bwupR3+AjSWSTcigUsVffKkQZOg+FtPuX7fKd6s=";
   };
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/google-cloud-securitycenter/default.nix b/pkgs/development/python-modules/google-cloud-securitycenter/default.nix
index 83634833d4cb..d27b35b56b1e 100644
--- a/pkgs/development/python-modules/google-cloud-securitycenter/default.nix
+++ b/pkgs/development/python-modules/google-cloud-securitycenter/default.nix
@@ -13,14 +13,14 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-securitycenter";
-  version = "1.27.0";
+  version = "1.28.0";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-ALdAT+C5LBTrSAXk6ko9KidutN5Tub+ufDAxfZsSGtk=";
+    hash = "sha256-80syqWoK2J+CjsBFO6LJEuF+pimJGpufgRLObHSKcAw=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/google-cloud-storage/default.nix b/pkgs/development/python-modules/google-cloud-storage/default.nix
index 525af0451f1c..b999d28147f8 100644
--- a/pkgs/development/python-modules/google-cloud-storage/default.nix
+++ b/pkgs/development/python-modules/google-cloud-storage/default.nix
@@ -18,14 +18,14 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-storage";
-  version = "2.14.0";
+  version = "2.15.0";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-LSP89ZtV57RTNnKcFIuxxGRGjGnV77ruMPcgHdkOuX4=";
+    hash = "sha256-dWCjxIoD1mxVPcVSFdNYg8aA/gq0TCOqSDKADMyFXHQ=";
   };
 
   nativeBuildInputs = [
@@ -72,6 +72,7 @@ buildPythonPackage rec {
     "test_open"
     "test_anonymous_client_access_to_public_bucket"
     "test_ctor_w_custom_endpoint_use_auth"
+    "test_ctor_w_api_endpoint_override"
   ];
 
   disabledTestPaths = [
diff --git a/pkgs/development/python-modules/griffe/default.nix b/pkgs/development/python-modules/griffe/default.nix
index 8f2884a5b6c6..8802b5b4cae4 100644
--- a/pkgs/development/python-modules/griffe/default.nix
+++ b/pkgs/development/python-modules/griffe/default.nix
@@ -12,7 +12,7 @@
 
 buildPythonPackage rec {
   pname = "griffe";
-  version = "0.41.0";
+  version = "0.41.2";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -21,7 +21,7 @@ buildPythonPackage rec {
     owner = "mkdocstrings";
     repo = "griffe";
     rev = "refs/tags/${version}";
-    hash = "sha256-or0kXc8YJl7+95gM54MaviDdErN0vqBnCtAavZM938k=";
+    hash = "sha256-SelsCh72tcvOfiH6tGxXK0X9mNuB2mFBBqJ+Ji5uCSs=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/habluetooth/default.nix b/pkgs/development/python-modules/habluetooth/default.nix
index 02e336c8bc1f..e84fa94ae0c1 100644
--- a/pkgs/development/python-modules/habluetooth/default.nix
+++ b/pkgs/development/python-modules/habluetooth/default.nix
@@ -16,7 +16,7 @@
 
 buildPythonPackage rec {
   pname = "habluetooth";
-  version = "2.4.1";
+  version = "2.4.2";
   pyproject = true;
 
   disabled = pythonOlder "3.10";
@@ -25,7 +25,7 @@ buildPythonPackage rec {
     owner = "Bluetooth-Devices";
     repo = "habluetooth";
     rev = "refs/tags/v${version}";
-    hash = "sha256-Ka8WqOYsZFvNl7uOsGR6S4entw7GTnF9MZcOB3uJMvg=";
+    hash = "sha256-IoVXmq9ShwLpGtoxVOtoirSirJJ1DqBI/mP7PmK7OUs=";
   };
 
   postPatch = ''
diff --git a/pkgs/development/python-modules/hstspreload/default.nix b/pkgs/development/python-modules/hstspreload/default.nix
index badfd107962d..30ebd93208ea 100644
--- a/pkgs/development/python-modules/hstspreload/default.nix
+++ b/pkgs/development/python-modules/hstspreload/default.nix
@@ -7,7 +7,7 @@
 
 buildPythonPackage rec {
   pname = "hstspreload";
-  version = "2024.2.1";
+  version = "2024.3.1";
   pyproject = true;
 
   disabled = pythonOlder "3.6";
@@ -16,7 +16,7 @@ buildPythonPackage rec {
     owner = "sethmlarson";
     repo = "hstspreload";
     rev = "refs/tags/${version}";
-    hash = "sha256-e0PQpnzYWl8IMtLFdnYPMCBioriumc3vc1ExRjCYoc8=";
+    hash = "sha256-TlPZg1IbgOODbkgJHWI6dNdk3jsyL2L/3qhLtXvQjqI=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/httpx-socks/default.nix b/pkgs/development/python-modules/httpx-socks/default.nix
index 1daf600f4d84..a2fac2691b9d 100644
--- a/pkgs/development/python-modules/httpx-socks/default.nix
+++ b/pkgs/development/python-modules/httpx-socks/default.nix
@@ -23,16 +23,16 @@
 
 buildPythonPackage rec {
   pname = "httpx-socks";
-  version = "0.8.1";
-  format = "pyproject";
+  version = "0.9.0";
+  pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "romis2012";
-    repo = pname;
+    repo = "httpx-socks";
     rev = "refs/tags/v${version}";
-    hash = "sha256-L2nyVADDjPrHwhZRm+RAvfBdpP9sIvc9cakDiLVA7xw=";
+    hash = "sha256-x+4J+uxICYdjpwr/chHIr/BeFGITCR8F9W1kqAliv38=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/idasen/default.nix b/pkgs/development/python-modules/idasen/default.nix
index 5fee7d5c9f0d..e6950edaa127 100644
--- a/pkgs/development/python-modules/idasen/default.nix
+++ b/pkgs/development/python-modules/idasen/default.nix
@@ -12,7 +12,7 @@
 
 buildPythonPackage rec {
   pname = "idasen";
-  version = "0.11.1";
+  version = "0.12.0";
   format = "pyproject";
 
   disabled = pythonOlder "3.8";
@@ -21,7 +21,7 @@ buildPythonPackage rec {
     owner = "newAM";
     repo = "idasen";
     rev = "refs/tags/v${version}";
-    hash = "sha256-nduag5ubgwhOcprdZppLIPQPDE06dk9OzniIIJpM12s=";
+    hash = "sha256-TQ+DBFpG+IeZ4/dN+YKMw3AM4Dl1rpqA1kRcb3Tb3jA=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/imread/default.nix b/pkgs/development/python-modules/imread/default.nix
index 4e3b4294991c..69eb79ddbcaa 100644
--- a/pkgs/development/python-modules/imread/default.nix
+++ b/pkgs/development/python-modules/imread/default.nix
@@ -1,8 +1,9 @@
 { lib
 , buildPythonPackage
 , fetchPypi
-, nose
+, pytestCheckHook
 , pkg-config
+, setuptools
 , libjpeg
 , libpng
 , libtiff
@@ -13,18 +14,48 @@
 buildPythonPackage rec {
   pname = "python-imread";
   version = "0.7.5";
+  pyproject = true;
 
   src = fetchPypi {
     inherit version;
     pname = "imread";
-    sha256 = "sha256-GiWpA128GuLlbBW1CQQHHVVeoZfu9Yyh2RFzSdtHDbc=";
+    hash = "sha256-GiWpA128GuLlbBW1CQQHHVVeoZfu9Yyh2RFzSdtHDbc=";
   };
 
+  nativeBuildInputs = [
+    pkg-config
+    setuptools
+  ];
+
+  buildInputs = [
+    libjpeg
+    libpng
+    libtiff
+    libwebp
+  ];
 
-  nativeBuildInputs = [ pkg-config ];
-  buildInputs = [ nose libjpeg libpng libtiff libwebp ];
   propagatedBuildInputs = [ numpy ];
 
+  nativeCheckInputs = [
+    pytestCheckHook
+  ];
+
+  pytestFlagsArray = [
+    # verbose build outputs needed to debug hard-to-reproduce hydra failures
+    "-v"
+    "--pyargs" "imread"
+  ];
+
+  pythonImportsCheck = [
+    "imread"
+  ];
+
+  preCheck = ''
+    cd $TMPDIR
+    export HOME=$TMPDIR
+    export OMP_NUM_THREADS=1
+  '';
+
   meta = with lib; {
     description = "Python package to load images as numpy arrays";
     homepage = "https://imread.readthedocs.io/en/latest/";
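Review bot: The added `preCheck` leaves `$TMPDIR` unquoted in `cd $TMPDIR` and `export HOME=$TMPDIR`, and neither the directory change nor `OMP_NUM_THREADS=1` is explained. I would write `cd "$TMPDIR"` and `export HOME="$TMPDIR"`. If the `cd` is there so that `--pyargs imread` tests the installed package rather than the source tree, a comment such as `# run the installed package's tests, not the source tree` would say so. The `meta` block continues outside the hunk.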
diff --git a/pkgs/development/python-modules/marshmallow-oneofschema/default.nix b/pkgs/development/python-modules/marshmallow-oneofschema/default.nix
index 3e4faf8c6031..933f5cc4c8b9 100644
--- a/pkgs/development/python-modules/marshmallow-oneofschema/default.nix
+++ b/pkgs/development/python-modules/marshmallow-oneofschema/default.nix
@@ -4,26 +4,29 @@
 , marshmallow
 , pytestCheckHook
 , pythonOlder
-, setuptools
+, flit-core
 }:
 
 buildPythonPackage rec {
   pname = "marshmallow-oneofschema";
-  version = "3.0.2";
-  format = "setuptools";
+  version = "3.1.1";
+  pyproject = true;
 
-  disabled = pythonOlder "3.6";
+  disabled = pythonOlder "3.8";
 
   src = fetchFromGitHub {
     owner = "marshmallow-code";
-    repo = pname;
-    rev = version;
-    hash = "sha256-Em2jQmvI5IiWREeOX/JAcdOQlpwP7k+cbCirkh82sf0=";
+    repo = "marshmallow-oneofschema";
+    rev = "refs/tags/${version}";
+    hash = "sha256-HXuyUxU8bT5arpUzmgv7m+X2fNT0qHY8S8Rz6klOGiA=";
   };
 
+  nativeBuildInputs = [
+    flit-core
+  ];
+
   propagatedBuildInputs = [
     marshmallow
-    setuptools
   ];
 
   nativeCheckInputs = [
@@ -35,8 +38,8 @@ buildPythonPackage rec {
   ];
 
   meta = with lib; {
-    changelog = "https://github.com/marshmallow-code/marshmallow-oneofschema/blob/${src.rev}/CHANGELOG.rst";
     description = "Marshmallow library extension that allows schema (de)multiplexing";
+    changelog = "https://github.com/marshmallow-code/marshmallow-oneofschema/blob/${version}/CHANGELOG.rst";
     homepage = "https://github.com/marshmallow-code/marshmallow-oneofschema";
     license = licenses.mit;
     maintainers = with maintainers; [ ivan-tkatchev ];
diff --git a/pkgs/development/python-modules/marshmallow/default.nix b/pkgs/development/python-modules/marshmallow/default.nix
index 880e3c869aab..bbb336884c19 100644
--- a/pkgs/development/python-modules/marshmallow/default.nix
+++ b/pkgs/development/python-modules/marshmallow/default.nix
@@ -1,17 +1,17 @@
 { lib
 , buildPythonPackage
 , fetchFromGitHub
+, flit-core
+, packaging
 , pytestCheckHook
 , pythonOlder
 , pytz
 , simplejson
-, packaging
-, setuptools
 }:
 
 buildPythonPackage rec {
   pname = "marshmallow";
-  version = "3.20.2";
+  version = "3.21.1";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -20,11 +20,11 @@ buildPythonPackage rec {
     owner = "marshmallow-code";
     repo = "marshmallow";
     rev = "refs/tags/${version}";
-    hash = "sha256-z6Quf6uTelGwB/uYayVXtVmculwaoI5LL8I0kKiM/e8=";
+    hash = "sha256-KhXasYKooZRokRoFlWKOaQzSUe6tXDtUlrf65eGGUi8=";
   };
 
   nativeBuildInputs = [
-    setuptools
+    flit-core
   ];
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/microsoft-kiota-abstractions/default.nix b/pkgs/development/python-modules/microsoft-kiota-abstractions/default.nix
index c8927fb8d108..f05ac402503e 100644
--- a/pkgs/development/python-modules/microsoft-kiota-abstractions/default.nix
+++ b/pkgs/development/python-modules/microsoft-kiota-abstractions/default.nix
@@ -13,7 +13,7 @@
 
 buildPythonPackage rec {
   pname = "microsoft-kiota-abstractions";
-  version = "1.2.0";
+  version = "1.3.0";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -22,7 +22,7 @@ buildPythonPackage rec {
     owner = "microsoft";
     repo = "kiota-abstractions-python";
     rev = "refs/tags/v${version}";
-    hash = "sha256-ubDbpQhrqoyiBNne15nlO44lXg2wG+wrL8EJasMUocc=";
+    hash = "sha256-PAomuAOwpX5/ijVOi0hjTlUnSWgF+qsb3kpuydIV6nc=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/microsoft-kiota-http/default.nix b/pkgs/development/python-modules/microsoft-kiota-http/default.nix
index 111bbc8302d6..a84613b82e3b 100644
--- a/pkgs/development/python-modules/microsoft-kiota-http/default.nix
+++ b/pkgs/development/python-modules/microsoft-kiota-http/default.nix
@@ -15,7 +15,7 @@
 
 buildPythonPackage rec {
   pname = "microsoft-kiota-http";
-  version = "1.3.0";
+  version = "1.3.1";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -24,7 +24,7 @@ buildPythonPackage rec {
     owner = "microsoft";
     repo = "kiota-http-python";
     rev = "refs/tags/v${version}";
-    hash = "sha256-N3+oAH3yWgrl0v2fm4xdCxzj7u/0fbQI3xHFht39vzA=";
+    hash = "sha256-I16WARk6YBr8KgE9MtHcA5VdsnLXBKcZOaqRL/eqwKE=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/nbdime/default.nix b/pkgs/development/python-modules/nbdime/default.nix
index 582d46b52108..3f58201e2c92 100644
--- a/pkgs/development/python-modules/nbdime/default.nix
+++ b/pkgs/development/python-modules/nbdime/default.nix
@@ -1,20 +1,11 @@
 { lib
 , buildPythonPackage
-, fetchPypi
 , pythonOlder
-, hypothesis
-, setuptools-scm
-, six
-, attrs
-, py
-, setuptools
-, pytest-timeout
-, pytest-tornado
-, mock
-, tabulate
+, fetchPypi
+, hatch-jupyter-builder
+, hatchling
+, jupyterlab
 , nbformat
-, jsonschema
-, pytestCheckHook
 , colorama
 , pygments
 , tornado
@@ -22,14 +13,16 @@
 , gitpython
 , jupyter-server
 , jupyter-server-mathjax
-, notebook
 , jinja2
+, git
+, pytest-tornado
+, pytestCheckHook
 }:
 
 buildPythonPackage rec {
   pname = "nbdime";
   version = "4.0.1";
-  format = "setuptools";
+  pyproject = true;
 
   disabled = pythonOlder "3.6";
 
@@ -39,48 +32,42 @@ buildPythonPackage rec {
   };
 
   nativeBuildInputs = [
-    setuptools-scm
+    hatch-jupyter-builder
+    hatchling
+    jupyterlab
   ];
 
   propagatedBuildInputs = [
-    attrs
-    py
-    setuptools
-    six
-    jupyter-server-mathjax
     nbformat
     colorama
     pygments
     tornado
     requests
     gitpython
-    notebook
+    jupyter-server
+    jupyter-server-mathjax
     jinja2
   ];
 
   nativeCheckInputs = [
-    hypothesis
-    pytest-timeout
+    git
     pytest-tornado
-    jsonschema
-    mock
-    tabulate
     pytestCheckHook
   ];
 
   disabledTests = [
-    "test_apply_filter_no_repo"
-    "test_diff_api_checkpoint"
-    "test_filter_cmd_invalid_filter"
-    "test_inline_merge_source_add"
-    "test_inline_merge_source_patches"
-    "test_inline_merge_source_replace"
-    "test_inline_merge_cells_insertion"
-    "test_inline_merge_cells_replacement"
-    "test_interrogate_filter_no_repo"
-    "test_merge_input_strategy_inline"
+    "test_git_diffdriver"
+    "test_git_difftool"
+    "test_git_mergedriver"
+    "test_git_mergetool"
   ];
 
+  preCheck = ''
+    export HOME="$TEMP"
+    git config --global user.email "janedoe@example.com"
+    git config --global user.name "Jane Doe"
+  '';
+
   __darwinAllowLocalNetworking = true;
 
   pythonImportsCheck = [
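Review bot: The new `disabledTests` entries `test_git_diffdriver`, `test_git_difftool`, `test_git_mergedriver` and `test_git_mergetool` carry no reason, although the same hunk adds `git` to `nativeCheckInputs` and sets a git identity in `preCheck`. By their names these cover nbdime's git integration, so a reader cannot tell a sandbox limitation from a real regression. A one-line comment above the list stating the observed failure, e.g. `# fail in the build sandbox: <observed error>`, would make the exclusion reviewable at the next bump. The `pythonImportsCheck` list that closes the hunk continues outside it.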
@@ -89,7 +76,8 @@ buildPythonPackage rec {
 
   meta = with lib; {
     homepage = "https://github.com/jupyter/nbdime";
-    description = "Tools for diffing and merging of Jupyter notebooks.";
+    changelog = "https://github.com/jupyter/nbdime/blob/${version}/CHANGELOG.md";
+    description = "Tools for diffing and merging of Jupyter notebooks";
     license = licenses.bsd3;
     maintainers = with maintainers; [ tbenst ];
   };
diff --git a/pkgs/development/python-modules/nbxmpp/default.nix b/pkgs/development/python-modules/nbxmpp/default.nix
index d070b4317eed..22cc74504f67 100644
--- a/pkgs/development/python-modules/nbxmpp/default.nix
+++ b/pkgs/development/python-modules/nbxmpp/default.nix
@@ -15,7 +15,7 @@
 
 buildPythonPackage rec {
   pname = "nbxmpp";
-  version = "4.5.3";
+  version = "4.5.4";
   format = "pyproject";
 
   disabled = pythonOlder "3.10";
@@ -25,7 +25,7 @@ buildPythonPackage rec {
     owner = "gajim";
     repo = "python-nbxmpp";
     rev = "refs/tags/${version}";
-    hash = "sha256-vAuHfG2/DVUDCxUb7UMRejIh4fQHGl67A+dncvcJ8jQ=";
+    hash = "sha256-n5Pzw8aikzCml+dOhkLoHR0ytFkEb4AYpw/bIpo6Wd4=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/nikola/default.nix b/pkgs/development/python-modules/nikola/default.nix
index e4990ff4af31..461d65a00f8f 100644
--- a/pkgs/development/python-modules/nikola/default.nix
+++ b/pkgs/development/python-modules/nikola/default.nix
@@ -1,11 +1,12 @@
 { lib
+, stdenv
 , aiohttp
 , babel
 , blinker
 , buildPythonPackage
-, python-dateutil
 , docutils
 , doit
+, feedparser
 , fetchPypi
 , freezegun
 , ghp-import
@@ -28,10 +29,11 @@
 , pyphen
 , pyrss2gen
 , pytestCheckHook
+, python-dateutil
 , pythonOlder
 , requests
 , ruamel-yaml
-, stdenv
+, setuptools
 , toml
 , typogrify
 , unidecode
@@ -41,24 +43,33 @@
 
 buildPythonPackage rec {
   pname = "nikola";
-  version = "8.2.4";
-  format = "setuptools";
+  version = "8.3.0";
+  pyproject = true;
 
-  disabled = pythonOlder "3.7";
+  disabled = pythonOlder "3.8";
 
   src = fetchPypi {
     pname = "Nikola";
     inherit version;
-    hash = "sha256-LNVk2zfNwY4CC4qulqfNXwi3mWyFxzWIeMykh6gFOL8=";
+    hash = "sha256-VYuhiGLMTHcOZM8/bGZT7Xx5BOHo9gsMPjufYglrBL0=";
   };
 
+  postPatch = ''
+    substituteInPlace setup.cfg \
+      --replace-fail "--cov nikola --cov-report term-missing" ""
+  '';
+
+  nativeBuildInputs = [
+    setuptools
+  ];
+
   propagatedBuildInputs = [
     aiohttp
     babel
     blinker
-    python-dateutil
     docutils
     doit
+    feedparser
     ghp-import
     hsluv
     html5lib
@@ -77,6 +88,7 @@ buildPythonPackage rec {
     pygments
     pyphen
     pyrss2gen
+    python-dateutil
     requests
     ruamel-yaml
     toml
@@ -92,11 +104,6 @@ buildPythonPackage rec {
     pytestCheckHook
   ];
 
-  postPatch = ''
-    substituteInPlace setup.cfg \
-      --replace "--cov nikola --cov-report term-missing" ""
-  '';
-
   disabledTests = [
     # AssertionError
     "test_compiling_markdown"
@@ -107,7 +114,9 @@ buildPythonPackage rec {
     "test_format_date_locale_variants"
   ];
 
-  pythonImportsCheck = [ "nikola" ];
+  pythonImportsCheck = [
+    "nikola"
+  ];
 
   meta = with lib; {
     description = "Static website and blog generator";
diff --git a/pkgs/development/python-modules/oauthenticator/default.nix b/pkgs/development/python-modules/oauthenticator/default.nix
index 9bc3ced1208b..de26b60caac2 100644
--- a/pkgs/development/python-modules/oauthenticator/default.nix
+++ b/pkgs/development/python-modules/oauthenticator/default.nix
@@ -10,12 +10,13 @@
 , pytest-asyncio
 , pytestCheckHook
 , requests-mock
+, setuptools
 }:
 
 buildPythonPackage rec {
   pname = "oauthenticator";
   version = "16.2.1";
-  format = "setuptools";
+  pyproject = true;
 
   disabled = pythonOlder "3.7";
 
@@ -26,9 +27,13 @@ buildPythonPackage rec {
 
   postPatch = ''
     substituteInPlace pyproject.toml \
-      --replace " --cov=oauthenticator" ""
+      --replace-fail " --cov=oauthenticator" ""
   '';
 
+  nativeBuildInputs = [
+    setuptools
+  ];
+
   propagatedBuildInputs = [
     jupyterhub
   ];
@@ -56,6 +61,16 @@ buildPythonPackage rec {
     # Tests are outdated, https://github.com/jupyterhub/oauthenticator/issues/432
     "test_azuread"
     "test_mediawiki"
+    # Tests require network access
+    "test_allowed"
+    "test_auth0"
+    "test_bitbucket"
+    "test_cilogon"
+    "test_github"
+    "test_gitlab"
+    "test_globus"
+    "test_google"
+    "test_openshift"
   ];
 
   pythonImportsCheck = [
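Review bot: The ten names added under `# Tests require network access` are passed to pytest as `-k` substring filters, so entries such as `test_github`, `test_google` and `test_allowed` deselect every test whose name contains them, not only the ones that open a connection. For an authenticator package that probably removes most of the provider login and allow-list coverage from the check phase. I would narrow the list to the test ids that actually fail, or make the scope explicit in the comment, e.g. `# skips the whole provider suites: <observed network error>`. The last hunk of this file also adds `maintainers = with maintainers; [ ];`, which leaves nobody assigned to notice the reduced coverage. The `disabledTests` list starts outside the hunk.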
@@ -67,5 +82,6 @@ buildPythonPackage rec {
     homepage =  "https://github.com/jupyterhub/oauthenticator";
     changelog = "https://github.com/jupyterhub/oauthenticator/blob/${version}/docs/source/reference/changelog.md";
     license = licenses.bsd3;
+    maintainers = with maintainers; [ ];
   };
 }
diff --git a/pkgs/development/python-modules/pandas-stubs/default.nix b/pkgs/development/python-modules/pandas-stubs/default.nix
index 6fa2978ceb4b..c0a753f5c02a 100644
--- a/pkgs/development/python-modules/pandas-stubs/default.nix
+++ b/pkgs/development/python-modules/pandas-stubs/default.nix
@@ -27,7 +27,7 @@
 
 buildPythonPackage rec {
   pname = "pandas-stubs";
-  version = "2.1.4.231227";
+  version = "2.2.0.240218";
   pyproject = true;
 
   disabled = pythonOlder "3.9";
@@ -36,7 +36,7 @@ buildPythonPackage rec {
     owner = "pandas-dev";
     repo = "pandas-stubs";
     rev = "refs/tags/v${version}";
-    hash = "sha256-AkgMesDesKkVkwxNnGYG71IuIgF3G+BecpfWNWVucC8=";
+    hash = "sha256-416vyaHcSfTfkSNKZ05edozfsMmNKcpOZAoPenCLFzQ=";
   };
 
   nativeBuildInputs = [
@@ -70,55 +70,11 @@ buildPythonPackage rec {
 
   disabledTests = [
     # AttributeErrors, missing dependencies, error and warning checks
-    "test_aggregate_frame_combinations"
-    "test_aggregate_series_combinations"
-    "test_all_read_without_lxml_dtype_backend"
-    "test_arrow_dtype"
-    "test_attribute_conflict_warning"
-    "test_categorical_conversion_warning"
-    "test_clipboard_iterator"
-    "test_clipboard"
-    "test_closed_file_error"
-    "test_compare_150_changes"
-    "test_crosstab_args"
-    "test_css_warning"
-    "test_data_error"
-    "test_database_error"
-    "test_dummies"
-    "test_from_dummies_args"
-    "test_hdf_context_manager"
-    "test_hdfstore"
-    "test_incompatibility_warning"
-    "test_index_astype"
-    "test_indexing_error"
-    "test_invalid_column_name"
-    "test_isetframe"
-    "test_join"
-    "test_numexpr_clobbering_error"
-    "test_orc_buffer"
-    "test_orc_bytes"
-    "test_orc_columns"
-    "test_orc_path"
+    "test_types_groupby"
+    "test_frame_groupby_resample"
     "test_orc"
-    "test_possible_data_loss_error"
-    "test_possible_precision_loss"
-    "test_pyperclip_exception"
-    "test_quantile_150_changes"
-    "test_read_hdf_iterator"
-    "test_read_sql_via_sqlalchemy_connection"
-    "test_read_sql_via_sqlalchemy_engine"
-    "test_resample_150_changes"
-    "test_reset_index_150_changes"
-    "test_reset_index"
-    "test_rolling_step_method"
-    "test_setting_with_copy_error"
-    "test_setting_with_copy_warning"
+    "test_all_read_without_lxml_dtype_backend"
     "test_show_version"
-    "test_specification_error"
-    "test_types_assert_series_equal"
-    "test_types_rank"
-    "test_undefined_variable_error"
-    "test_value_label_type_mismatch"
   ] ++ lib.optionals stdenv.isDarwin [
     "test_plotting" # Fatal Python error: Illegal instruction
   ];
diff --git a/pkgs/development/python-modules/peaqevcore/default.nix b/pkgs/development/python-modules/peaqevcore/default.nix
index f0213c041ec2..720cb3f5a650 100644
--- a/pkgs/development/python-modules/peaqevcore/default.nix
+++ b/pkgs/development/python-modules/peaqevcore/default.nix
@@ -7,14 +7,14 @@
 
 buildPythonPackage rec {
   pname = "peaqevcore";
-  version = "19.7.1";
+  version = "19.7.2";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-BVUnSKmLOF6DKirAI2lv8/tpcSGus2XZTPn3WSJjwgg=";
+    hash = "sha256-k9MiYJZN4TLY+HP1NfJER3upnQ//JBgrsERJ2JF+Xvw=";
   };
 
   postPatch = ''
diff --git a/pkgs/development/python-modules/posthog/default.nix b/pkgs/development/python-modules/posthog/default.nix
index 6795ebf1f691..03372065aedd 100644
--- a/pkgs/development/python-modules/posthog/default.nix
+++ b/pkgs/development/python-modules/posthog/default.nix
@@ -14,7 +14,7 @@
 }:
 let
   pname = "posthog";
-  version = "3.4.2";
+  version = "3.5.0";
 in
 buildPythonPackage {
   inherit pname version;
@@ -24,7 +24,7 @@ buildPythonPackage {
     owner = "PostHog";
     repo = "posthog-python";
     rev = "refs/tags/v${version}";
-    hash = "sha256-PhZBpcMwU7fjmE0g+l83zHm+95N60Sbd9pNNc4Roa2A=";
+    hash = "sha256-+nYMQxqI9RZ5vVL6KgiRLcx0JHWJTs/rZ6U6jIuaz+w=";
   };
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/prometheus-api-client/default.nix b/pkgs/development/python-modules/prometheus-api-client/default.nix
new file mode 100644
index 000000000000..842b4c0b22ab
--- /dev/null
+++ b/pkgs/development/python-modules/prometheus-api-client/default.nix
@@ -0,0 +1,62 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, pytestCheckHook
+, dateparser
+, httmock
+, matplotlib
+, numpy
+, pandas
+, requests
+}:
+
+buildPythonPackage rec {
+  pname = "prometheus-api-client";
+  version = "0.5.5";
+  format = "setuptools";
+
+  src = fetchFromGitHub {
+    owner = "4n4nd";
+    repo = "prometheus-api-client-python";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-tUu0+ZUOFxBCj//lHhNm88rhFbS01j1x508+nqIkCfQ=";
+  };
+
+  propagatedBuildInputs = [
+    dateparser
+    matplotlib
+    numpy
+    pandas
+    requests
+  ];
+
+  nativeCheckInputs = [
+    pytestCheckHook
+  ];
+
+  checkInputs = [
+    httmock
+  ];
+
+  disabledTestPaths = [
+    "tests/test_prometheus_connect.py"
+  ];
+
+  pythonImportsCheck = [
+    "prometheus_api_client"
+  ];
+
+
+  meta = with lib; {
+    description = "A Python wrapper for the Prometheus HTTP API";
+    longDescription = ''
+      The prometheus-api-client library consists of multiple modules which
+      assist in connecting to a Prometheus host, fetching the required metrics
+      and performing various aggregation operations on the time series data.
+    '';
+    homepage = "https://github.com/4n4nd/prometheus-api-client-python";
+    changelog = "https://github.com/4n4nd/prometheus-api-client-python/blob/${src.rev}/CHANGELOG.md";
+    license = licenses.mit;
+    maintainers = with maintainers; [ azahi ];
+  };
+}
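Review bot: `disabledTestPaths` excludes `tests/test_prometheus_connect.py` without a reason, and by its name that file tests the connection class that the package exists to provide. If it is skipped because it contacts a live Prometheus host, a comment should say so, e.g. `# requires a reachable Prometheus server` (to be confirmed). The file also uses `format = "setuptools"` where pyocd-pemicro and pytest-notebook in this commit use `pyproject = true` with the build backend listed in `nativeBuildInputs`. There is a doubled blank line before `meta`.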
diff --git a/pkgs/development/python-modules/prometrix/default.nix b/pkgs/development/python-modules/prometrix/default.nix
new file mode 100644
index 000000000000..58b3ac27361e
--- /dev/null
+++ b/pkgs/development/python-modules/prometrix/default.nix
@@ -0,0 +1,62 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, boto3
+, botocore
+, dateparser
+, matplotlib
+, numpy
+, pandas
+, poetry-core
+, prometheus-api-client
+, pydantic_1
+, requests
+}:
+
+buildPythonPackage rec {
+  pname = "prometrix";
+  version = "unstable-2024-02-20";
+  format = "pyproject";
+
+  src = fetchFromGitHub {
+    owner = "robusta-dev";
+    repo = "prometrix";
+    rev = "ab2dad2192ed3df91c1a25446a4f54b8f2f6742f";
+    hash = "sha256-/72Qkd2BojYgiQi5rq7dVsEje7M0aQQXhenvIM7lSy4=";
+  };
+
+  postPatch = ''
+    substituteInPlace pyproject.toml \
+      --replace-fail 'pydantic = "^1.8.1"' 'pydantic = "*"'
+  '';
+
+  propagatedBuildInputs = [
+    boto3
+    botocore
+    dateparser
+    matplotlib
+    numpy
+    pandas
+    prometheus-api-client
+    pydantic_1
+    requests
+  ];
+
+  nativeBuildInputs = [
+    poetry-core
+  ];
+
+  pythonImportsCheck = [
+    "prometrix"
+  ];
+
+  meta = with lib; {
+    description = "Unified Prometheus client";
+    longDescription = ''
+      This Python package provides a unified Prometheus client that can be used
+      to connect to and query various types of Prometheus instances.
+    '';
+    license = licenses.mit;
+    maintainers = with maintainers; [ azahi ];
+  };
+}
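Review bot: The `postPatch` rewrites `pydantic = "^1.8.1"` to `pydantic = "*"` while `propagatedBuildInputs` still passes `pydantic_1`, which as far as I can see already satisfies the original bound. The wildcard therefore only removes the guard that would reject a pydantic 2 override at build time. Either drop the substitution or add a comment naming what it works around. The derivation also runs no tests without saying why; if upstream has none, `# upstream has no tests` with `doCheck = false;` makes that explicit. `meta` lacks `homepage = "https://github.com/robusta-dev/prometrix";`.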
diff --git a/pkgs/development/python-modules/publicsuffixlist/default.nix b/pkgs/development/python-modules/publicsuffixlist/default.nix
index ffcaacd62476..2e197ba9300d 100644
--- a/pkgs/development/python-modules/publicsuffixlist/default.nix
+++ b/pkgs/development/python-modules/publicsuffixlist/default.nix
@@ -10,14 +10,14 @@
 
 buildPythonPackage rec {
   pname = "publicsuffixlist";
-  version = "0.10.0.20240303";
+  version = "0.10.0.20240305";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-nzDc1cKz29OILImnuh5fBDTJ5IsRjlhcdGWfM5IIqzo=";
+    hash = "sha256-bnnqc7AnjOGxAvOtaBXypbaDhk2plIugsOqzGAxBn38=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/pykeepass/default.nix b/pkgs/development/python-modules/pykeepass/default.nix
index 2b482295e422..da2e8d5bc837 100644
--- a/pkgs/development/python-modules/pykeepass/default.nix
+++ b/pkgs/development/python-modules/pykeepass/default.nix
@@ -1,32 +1,51 @@
-{ lib, fetchFromGitHub, buildPythonPackage
-, lxml, pycryptodomex, construct
-, argon2-cffi, python-dateutil
-, python
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, setuptools
+, argon2-cffi
+, construct
+, lxml
+, pycryptodomex
+, pyotp
+, unittestCheckHook
 }:
 
 buildPythonPackage rec {
-  pname   = "pykeepass";
-  version = "4.0.6";
-
-  format = "setuptools";
+  pname = "pykeepass";
+  version = "4.0.7";
+  pyproject = true;
 
   src = fetchFromGitHub {
     owner = "libkeepass";
     repo = "pykeepass";
     rev = "v${version}";
-    hash = "sha256-832cTVzI/MFdwiw6xWzRG35z3iwqb5Qpf6W6XYBIFWs=";
+    hash = "sha256-qUNMjnIhQpUSQY0kN9bA4IxQx8fiFIA6p8rPqNqdjNo=";
   };
 
+  postPatch = ''
+    # https://github.com/libkeepass/pykeepass/pull/378
+    substituteInPlace pyproject.toml \
+      --replace-fail 'packages = ["pykeepass"]' 'packages = ["pykeepass", "pykeepass.kdbx_parsing"]'
+  '';
+
+  nativeBuildInputs = [
+    setuptools
+  ];
+
   propagatedBuildInputs = [
-    lxml pycryptodomex construct
-    argon2-cffi python-dateutil
+    argon2-cffi
+    construct
+    lxml
+    pycryptodomex
+    setuptools
   ];
 
   propagatedNativeBuildInputs = [ argon2-cffi ];
 
-  checkPhase = ''
-    ${python.interpreter} -m unittest tests.tests
-  '';
+  nativeCheckInputs = [
+    pyotp
+    unittestCheckHook
+  ];
 
   pythonImportsCheck = [ "pykeepass" ];
 
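Review bot: Replacing the explicit `${python.interpreter} -m unittest tests.tests` with `unittestCheckHook` switches to test discovery, and nothing in the hunk confirms that discovery still finds the suite. On interpreters where unittest exits 0 after collecting no tests, the check phase would pass empty. For a library that parses and decrypts password databases I would pin the start directory, e.g. `unittestFlagsArray = [ "-s" "tests" "-v" ];`, or confirm the test count in the build log. The hunk also adds `setuptools` to `propagatedBuildInputs` as well as `nativeBuildInputs` without saying what needs it at runtime.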
diff --git a/pkgs/development/python-modules/pyocd-pemicro/default.nix b/pkgs/development/python-modules/pyocd-pemicro/default.nix
new file mode 100644
index 000000000000..74dee58903cd
--- /dev/null
+++ b/pkgs/development/python-modules/pyocd-pemicro/default.nix
@@ -0,0 +1,43 @@
+{ lib
+, buildPythonPackage
+, pythonOlder
+, fetchFromGitHub
+, setuptools-scm
+, pyocd
+, pypemicro
+}:
+
+buildPythonPackage rec {
+  pname = "pyocd-pemicro";
+  version = "1.1.5";
+  pyproject = true;
+
+  disabled = pythonOlder "3.7";
+
+  src = fetchFromGitHub {
+    owner = "pyocd";
+    repo = "pyocd-pemicro";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-qi803s8fkrLizcCLeDRz7CTQ56NGLQ4PPwCbxiRigwc=";
+  };
+
+  nativeBuildInputs = [
+    setuptools-scm
+  ];
+
+  propagatedBuildInputs = [
+    pyocd
+    pypemicro
+  ];
+
+  # upstream has no tests
+  doCheck = false;
+
+  meta = {
+    changelog = "https://github.com/pyocd/pyocd-pemicro/releases/tag/v${version}";
+    description = "PEMicro probe plugin for pyOCD";
+    homepage = "https://github.com/pyocd/pyocd-pemicro";
+    license = lib.licenses.bsd3;
+    maintainers = with lib.maintainers; [ dotlambda ];
+  };
+}
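Review bot: With `doCheck = false` and no `pythonImportsCheck`, nothing in this derivation verifies that the built plugin can be imported. Adding `pythonImportsCheck = [ "pyocd_pemicro" ];` (module name assumed from the repository name, to be confirmed) gives a minimal smoke test. The other new packages in this commit that skip or limit tests, prometrix and pytest-notebook, do carry an import check.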
diff --git a/pkgs/development/python-modules/pytest-notebook/default.nix b/pkgs/development/python-modules/pytest-notebook/default.nix
new file mode 100644
index 000000000000..b20006641057
--- /dev/null
+++ b/pkgs/development/python-modules/pytest-notebook/default.nix
@@ -0,0 +1,82 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, flit-core
+, pythonRelaxDepsHook
+, attrs
+, jsonschema
+, nbclient
+, nbdime
+, nbformat
+, pytest
+, black
+, coverage
+, ipykernel
+, pytest-cov
+, pytest-regressions
+, pytestCheckHook
+}:
+
+buildPythonPackage rec {
+  pname = "pytest-notebook";
+  version = "0.10.0";
+  pyproject = true;
+
+  src = fetchFromGitHub {
+    owner = "chrisjsewell";
+    repo = "pytest-notebook";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-LoK0wb7rAbVbgyURCbSfckWvJDef3tPY+7V4YU1IBRU=";
+  };
+
+  nativeBuildInputs = [
+    flit-core
+    pythonRelaxDepsHook
+  ];
+
+  pythonRelaxDeps = [
+    "attrs"
+    "nbclient"
+  ];
+
+  propagatedBuildInputs = [
+    attrs
+    jsonschema
+    nbclient
+    nbdime
+    nbformat
+  ];
+
+  buildInputs = [
+    pytest
+  ];
+
+  pythonImportsCheck = [ "pytest_notebook" ];
+
+  nativeCheckInputs = [
+    black
+    coverage
+    ipykernel
+    pytest-cov
+    pytest-regressions
+    pytestCheckHook
+  ];
+
+  preCheck = ''
+    export HOME="$TEMP"
+  '';
+
+  disabledTests = [
+    "test_diff_to_string"
+    "test_execute_notebook_with_coverage"
+    "test_regression_coverage"
+  ];
+
+  meta = {
+    changelog = "https://github.com/chrisjsewell/pytest-notebook/blob/${src.rev}/docs/source/changelog.md";
+    description = "Pytest plugin for regression testing and regenerating Jupyter Notebooks";
+    homepage = "https://github.com/chrisjsewell/pytest-notebook";
+    license = lib.licenses.bsd3;
+    maintainers = with lib.maintainers; [ dotlambda ];
+  };
+}
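Review bot: `pythonRelaxDeps` for `attrs` and `nbclient` and the three entries in `disabledTests` come with no explanation, so a later version bump cannot tell whether they are still needed. A short comment on each would fix that, e.g. `# upstream pins attrs and nbclient below the nixpkgs versions` and `# <observed failure>` (wording to be confirmed against the real cause). Two of the disabled tests are the coverage ones, `test_execute_notebook_with_coverage` and `test_regression_coverage`, so it is worth checking whether `coverage` and `pytest-cov` are still required in `nativeCheckInputs`.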
diff --git a/pkgs/development/python-modules/python-benedict/default.nix b/pkgs/development/python-modules/python-benedict/default.nix
index 9b6ffe4e0fe8..1757de4c851b 100644
--- a/pkgs/development/python-modules/python-benedict/default.nix
+++ b/pkgs/development/python-modules/python-benedict/default.nix
@@ -25,7 +25,7 @@
 
 buildPythonPackage rec {
   pname = "python-benedict";
-  version = "0.33.1";
+  version = "0.33.2";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
@@ -34,7 +34,7 @@ buildPythonPackage rec {
     owner = "fabiocaccamo";
     repo = "python-benedict";
     rev = "refs/tags/${version}";
-    hash = "sha256-QRWyMqHW4C3+718mgp9z/dQ1loesm0Vaf2TzW3yqF3A=";
+    hash = "sha256-1/eLJFXACn1W5Yz43BIhdqqUVk3t9285d8aLwH+VmAE=";
   };
 
   pythonRelaxDeps = [
diff --git a/pkgs/development/python-modules/python-keystoneclient/default.nix b/pkgs/development/python-modules/python-keystoneclient/default.nix
index 74ef6316e23c..81d3d3d217a7 100644
--- a/pkgs/development/python-modules/python-keystoneclient/default.nix
+++ b/pkgs/development/python-modules/python-keystoneclient/default.nix
@@ -15,14 +15,14 @@
 
 buildPythonPackage rec {
   pname = "python-keystoneclient";
-  version = "5.3.0";
+  version = "5.4.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.8";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-vF53GfQVZCXex311w6eZGOPQtRk3ihbY1++ohJ5MKnk=";
+    hash = "sha256-srS9vp2vews1O4gHZy7u0B+H3QO0+LQtDQYbCbiTH0E=";
   };
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/python-rapidjson/default.nix b/pkgs/development/python-modules/python-rapidjson/default.nix
index c131a3b0c0eb..6c6aea0f161c 100644
--- a/pkgs/development/python-modules/python-rapidjson/default.nix
+++ b/pkgs/development/python-modules/python-rapidjson/default.nix
@@ -6,7 +6,8 @@
 , rapidjson
 , pytestCheckHook
 , pytz
-, glibcLocales
+, setuptools
+, substituteAll
 }:
 
 let
@@ -25,25 +26,30 @@ let
         hash = "sha256-BjSZEwfCXA/9V+kxQ/2JPWbc26jQn35CfN8+8NW24s4=";
       })
     ];
-    # valgrind_unittest failed
-    cmakeFlags = old.cmakeFlags ++ [ "-DCMAKE_CTEST_ARGUMENTS=-E;valgrind_unittest" ];
   });
 in buildPythonPackage rec {
-  version = "1.14";
+  version = "1.16";
   pname = "python-rapidjson";
   disabled = pythonOlder "3.8";
 
-  format = "setuptools";
+  pyproject = true;
 
   src = fetchFromGitHub {
     owner = "python-rapidjson";
     repo = "python-rapidjson";
     rev = "refs/tags/v${version}";
-    hash = "sha256-fCC6jYUIB89HlEnbsmL0MeCBOO4NAZtePuPgZKYxoM8=";
+    hash = "sha256-4Z8cNu6tK5/yAu6b9Vb/EdXQj+fQgeT0QIszTEUurVM=";
   };
 
-  setupPyBuildFlags = [
-    "--rj-include-dir=${lib.getDev rapidjson'}/include"
+  patches = [
+    (substituteAll {
+      src = ./rapidjson-include-dir.patch;
+      rapidjson = lib.getDev rapidjson';
+    })
+  ];
+
+  nativeBuildInputs = [
+    setuptools
   ];
 
   nativeCheckInputs = [
diff --git a/pkgs/development/python-modules/python-rapidjson/rapidjson-include-dir.patch b/pkgs/development/python-modules/python-rapidjson/rapidjson-include-dir.patch
new file mode 100644
index 000000000000..da15fec61ac6
--- /dev/null
+++ b/pkgs/development/python-modules/python-rapidjson/rapidjson-include-dir.patch
@@ -0,0 +1,25 @@
+diff --git a/setup.py b/setup.py
+index e86b1b2..9d34d0d 100644
+--- a/setup.py
++++ b/setup.py
+@@ -29,19 +29,7 @@ if sys.version_info < (3, 6):
+ 
+ ROOT_PATH = os.path.abspath(os.path.dirname(__file__))
+ 
+-rj_include_dir = './rapidjson/include'
+-
+-for idx, arg in enumerate(sys.argv[:]):
+-    if arg.startswith('--rj-include-dir='):
+-        sys.argv.pop(idx)
+-        rj_include_dir = arg.split('=', 1)[1]
+-        break
+-else:
+-    if not os.path.isdir(os.path.join(ROOT_PATH, 'rapidjson', 'include')):
+-        raise RuntimeError("RapidJSON sources not found: if you cloned the git"
+-                           " repository, you should initialize the rapidjson submodule"
+-                           " as explained in the README.rst; in all other cases you may"
+-                           " want to report the issue.")
++rj_include_dir = '@rapidjson@/include'
+ 
+ with open('version.txt', encoding='utf-8') as f:
+     VERSION = f.read()
diff --git a/pkgs/development/python-modules/scikit-hep-testdata/default.nix b/pkgs/development/python-modules/scikit-hep-testdata/default.nix
index fd4e5100c287..94531f8a2213 100644
--- a/pkgs/development/python-modules/scikit-hep-testdata/default.nix
+++ b/pkgs/development/python-modules/scikit-hep-testdata/default.nix
@@ -11,7 +11,7 @@
 
 buildPythonPackage rec {
   pname = "scikit-hep-testdata";
-  version = "0.4.38";
+  version = "0.4.39";
   format = "pyproject";
 
   disabled = pythonOlder "3.6";
@@ -20,7 +20,7 @@ buildPythonPackage rec {
     owner = "scikit-hep";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-/+1eENbpng/X1g108cEGiTZlIkdcqqnm9wyN9ECH5D4=";
+    hash = "sha256-tcKEJrqB7cblcmH4PtSmx0heUew2+aDE4+mk2v9cUuo=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/sectools/default.nix b/pkgs/development/python-modules/sectools/default.nix
index 2fdc27283f08..f65c80aabdc1 100644
--- a/pkgs/development/python-modules/sectools/default.nix
+++ b/pkgs/development/python-modules/sectools/default.nix
@@ -3,22 +3,27 @@
 , fetchFromGitHub
 , ldap3
 , pythonOlder
+, setuptools
 }:
 
 buildPythonPackage rec {
   pname = "sectools";
-  version = "1.3.9";
-  format = "setuptools";
+  version = "1.4.3";
+  pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "p0dalirius";
-    repo = pname;
+    repo = "sectools";
     rev = "refs/tags/${version}";
-    hash = "sha256-F9mmPSlfSSS7UDNuX9OPrqDsEpqq0bD3eROG8D9CC78=";
+    hash = "sha256-k3k1/DFmv0resnsNht/C+2Xh6qbSQmk83eN/3vtDU00=";
   };
 
+  nativeBuildInputs = [
+    setuptools
+  ];
+
   propagatedBuildInputs = [
     ldap3
   ];
diff --git a/pkgs/development/python-modules/spsdk/default.nix b/pkgs/development/python-modules/spsdk/default.nix
index d0803c6dc729..0764e6c6ccd0 100644
--- a/pkgs/development/python-modules/spsdk/default.nix
+++ b/pkgs/development/python-modules/spsdk/default.nix
@@ -9,21 +9,19 @@
 , click
 , click-command-tree
 , click-option-group
-, cmsis-pack-manager
-, commentjson
+, colorama
 , crcmod
 , cryptography
 , deepmerge
 , fastjsonschema
 , hexdump
-, importlib-metadata
-, jinja2
 , libusbsio
 , oscrypto
-, pycryptodome
-, pyftdi
+, platformdirs
+, prettytable
 , pylink-square
 , pyocd
+, pyocd-pemicro
 , pypemicro
 , pyserial
 , requests
@@ -33,20 +31,22 @@
 , spsdk
 , testers
 , typing-extensions
+, ipykernel
+, pytest-notebook
 , pytestCheckHook
 , voluptuous
 }:
 
 buildPythonPackage rec {
   pname = "spsdk";
-  version = "2.0.1";
+  version = "2.1.0";
   pyproject = true;
 
   src = fetchFromGitHub {
     owner = "nxp-mcuxpresso";
-    repo = pname;
-    rev = version;
-    hash = "sha256-C6cz5jhIHI4WkCYT0rURFa4kBAu6cMcKpQHiHACIiu8=";
+    repo = "spsdk";
+    rev = "refs/tags/${version}";
+    hash = "sha256-ZXNqger5WBk2AjTszJLmemYDPClUPy+kNtBWSPcTDro=";
   };
 
   nativeBuildInputs = [
@@ -55,21 +55,7 @@ buildPythonPackage rec {
   ];
 
   pythonRelaxDeps = [
-    "bincopy"
-    "bitstring"
-    "cmsis-pack-manager"
-    "deepmerge"
-    "jinja2"
-    "pycryptodome"
-    "pylink-square"
-    "pyocd"
-    "typing-extensions"
     "click"
-    "ruamel.yaml"
-  ];
-
-  pythonRemoveDeps = [
-    "pyocd-pemicro"
   ];
 
   propagatedBuildInputs = [
@@ -80,20 +66,19 @@ buildPythonPackage rec {
     click
     click-command-tree
     click-option-group
-    cmsis-pack-manager
-    commentjson
+    colorama
     crcmod
     cryptography
     deepmerge
     fastjsonschema
     hexdump
-    importlib-metadata
-    jinja2
     libusbsio
     oscrypto
-    pycryptodome
+    platformdirs
+    prettytable
     pylink-square
     pyocd
+    pyocd-pemicro
     pypemicro
     pyserial
     requests
@@ -103,16 +88,23 @@ buildPythonPackage rec {
   ];
 
   nativeCheckInputs = [
-    pyftdi
+    ipykernel
+    pytest-notebook
     pytestCheckHook
     voluptuous
   ];
 
+  disabledTests = [
+    "test_nxpcrypto_create_signature_algorithm"
+    "test_nxpimage_sb31_kaypair_not_matching"
+  ];
+
   pythonImportsCheck = [ "spsdk" ];
 
   passthru.tests.version = testers.testVersion { package = spsdk; };
 
   meta = with lib; {
+    broken = versionAtLeast cryptography.version "41.1";
     changelog = "https://github.com/nxp-mcuxpresso/spsdk/blob/${src.rev}/docs/release_notes.rst";
     description = "NXP Secure Provisioning SDK";
     homepage = "https://github.com/nxp-mcuxpresso/spsdk";
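Review bot: `disabledTests` switches off `test_nxpcrypto_create_signature_algorithm` and `test_nxpimage_sb31_kaypair_not_matching` without giving a reason, and by their names these cover signature creation and key-pair mismatch detection, which are the checks one most wants passing evidence for in a secure provisioning SDK. The same hunk sets `broken = versionAtLeast cryptography.version "41.1";`, also unexplained, so it looks as if both stem from an incompatibility with newer `cryptography`, but the hunk does not say so. I would add a comment above each, for example `# fail with the packaged cryptography version, see <upstream issue URL>` on `disabledTests` and `# upstream pins cryptography below 41.1, see <upstream issue URL>` on `broken`, so the entries are removed once upstream catches up. The `meta` block continues outside the hunk.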
diff --git a/pkgs/development/python-modules/tencentcloud-sdk-python/default.nix b/pkgs/development/python-modules/tencentcloud-sdk-python/default.nix
index 2dc2ebbf9238..c7d2fdc8a70b 100644
--- a/pkgs/development/python-modules/tencentcloud-sdk-python/default.nix
+++ b/pkgs/development/python-modules/tencentcloud-sdk-python/default.nix
@@ -9,7 +9,7 @@
 
 buildPythonPackage rec {
   pname = "tencentcloud-sdk-python";
-  version = "3.0.1098";
+  version = "3.0.1100";
   pyproject = true;
 
   disabled = pythonOlder "3.9";
@@ -18,7 +18,7 @@ buildPythonPackage rec {
     owner = "TencentCloud";
     repo = "tencentcloud-sdk-python";
     rev = "refs/tags/${version}";
-    hash = "sha256-5BG5WizkBP/KYHS00v949uQgiCChR3DWW0MnMXRBDAs=";
+    hash = "sha256-TaEsYIRYKOSPrUVE1tMy8GjewG7KYoQLXbwJGA//Z9c=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/tesla-fleet-api/default.nix b/pkgs/development/python-modules/tesla-fleet-api/default.nix
index faed23aa2d14..a9f70fdf92d9 100644
--- a/pkgs/development/python-modules/tesla-fleet-api/default.nix
+++ b/pkgs/development/python-modules/tesla-fleet-api/default.nix
@@ -1,14 +1,15 @@
 { lib
+, aiohttp
+, aiolimiter
 , buildPythonPackage
 , fetchFromGitHub
-, setuptools
 , pythonOlder
-, aiohttp
+, setuptools
 }:
 
 buildPythonPackage rec {
   pname = "tesla-fleet-api";
-  version = "0.4.6";
+  version = "0.4.9";
   pyproject = true;
 
   disabled = pythonOlder "3.10";
@@ -17,7 +18,7 @@ buildPythonPackage rec {
     owner = "Teslemetry";
     repo = "python-tesla-fleet-api";
     rev = "refs/tags/v${version}";
-    hash = "sha256-4IXLtQyEi4R7aakaLCl9jpm3D/Es3wLIwigSTYK12kg=";
+    hash = "sha256-GiDhVN6aBj0yeIg596ox2ES28Dca81pVnsYWvc1SZ+A=";
   };
 
   nativeBuildInputs = [
@@ -26,6 +27,7 @@ buildPythonPackage rec {
 
   propagatedBuildInputs = [
     aiohttp
+    aiolimiter
   ];
 
   # Module has no tests
diff --git a/pkgs/development/python-modules/urwid/default.nix b/pkgs/development/python-modules/urwid/default.nix
index 35ed3e78faff..e6141601cbdd 100644
--- a/pkgs/development/python-modules/urwid/default.nix
+++ b/pkgs/development/python-modules/urwid/default.nix
@@ -19,7 +19,7 @@
 
 buildPythonPackage rec {
   pname = "urwid";
-  version = "2.6.2";
+  version = "2.6.8";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
@@ -28,7 +28,7 @@ buildPythonPackage rec {
     owner = "urwid";
     repo = "urwid";
     rev = "refs/tags/${version}";
-    hash = "sha256-d9tgKjZMVdaMrxQT6sJsVb812NuFYkA1hLlo/6XgwAo=";
+    hash = "sha256-KtIcmAPOcxC9wTq6mKRZWcohH0skYMHlq4mehpn6raY=";
   };
 
   postPatch = ''
diff --git a/pkgs/development/tools/algolia-cli/default.nix b/pkgs/development/tools/algolia-cli/default.nix
index 75f69e021e1f..86135d232bc0 100644
--- a/pkgs/development/tools/algolia-cli/default.nix
+++ b/pkgs/development/tools/algolia-cli/default.nix
@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "algolia-cli";
-  version = "1.5.0";
+  version = "1.6.1";
 
   src = fetchFromGitHub {
     owner = "algolia";
     repo = "cli";
     rev = "v${version}";
-    hash = "sha256-iaqr8/jPYEnOhGoiUC5lmd7l+AAOFh3iYVW+mbBV/V8=";
+    hash = "sha256-XcsVU/yV6c6jzuJdZvqs+kAu6XwR8ygVcJ6KEI04x9I=";
   };
 
   vendorHash = "sha256-cNuBTH7L2K4TgD0H9FZ9CjhE5AGXADaniGLD9Lhrtrk=";
diff --git a/pkgs/development/tools/analysis/checkov/default.nix b/pkgs/development/tools/analysis/checkov/default.nix
index b673a1fd4411..effd832f84ce 100644
--- a/pkgs/development/tools/analysis/checkov/default.nix
+++ b/pkgs/development/tools/analysis/checkov/default.nix
@@ -5,14 +5,14 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "checkov";
-  version = "3.2.29";
+  version = "3.2.31";
   pyproject = true;
 
   src = fetchFromGitHub {
     owner = "bridgecrewio";
     repo = "checkov";
     rev = "refs/tags/${version}";
-    hash = "sha256-Y3lT2udrVzQZlZY/R27wFkIiI52PyJac6STnAz6Zvsk=";
+    hash = "sha256-GJh58fTBtjhOsSlwu9687qVdceGF9iMkZ2VViH2Wmp4=";
   };
 
   patches = [
diff --git a/pkgs/development/tools/database/sqlite-web/default.nix b/pkgs/development/tools/database/sqlite-web/default.nix
index 351c5475ea0e..01c4712440ca 100644
--- a/pkgs/development/tools/database/sqlite-web/default.nix
+++ b/pkgs/development/tools/database/sqlite-web/default.nix
@@ -5,11 +5,11 @@
 
 python3Packages.buildPythonApplication rec {
   pname = "sqlite-web";
-  version = "0.6.2";
+  version = "0.6.3";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-VIbmYN6KjCRpE+kvJyBV75deYmh+zRjcQXZ2/7mseYU=";
+    sha256 = "sha256-cDSlSh0vnwvbJZFDPqvJ5oXz68gN9yzodcQYkXUAytE=";
   };
 
   propagatedBuildInputs = with python3Packages; [ flask peewee pygments ];
diff --git a/pkgs/development/tools/ginkgo/default.nix b/pkgs/development/tools/ginkgo/default.nix
index a894a65271a3..4805760ec3e3 100644
--- a/pkgs/development/tools/ginkgo/default.nix
+++ b/pkgs/development/tools/ginkgo/default.nix
@@ -2,15 +2,15 @@
 
 buildGoModule rec {
   pname = "ginkgo";
-  version = "2.15.0";
+  version = "2.16.0";
 
   src = fetchFromGitHub {
     owner = "onsi";
     repo = "ginkgo";
     rev = "v${version}";
-    sha256 = "sha256-0Fwn62VORPmaufd7RqTkXjlXygXPVVixf8WwHgE57Lg=";
+    sha256 = "sha256-7pxGDWNVTB7N91yYnGvxo7h2xvYWeBdbceU2F/opRTs=";
   };
-  vendorHash = "sha256-F3z6gowVkei782qaSIOh7Ymeq1SFGxBaHM9fTSPG6qI=";
+  vendorHash = "sha256-XtO7HiaE/xCT3tjVZzzMcO9y8Yk8Wyy1S3S1qioMaQU=";
 
   # integration tests expect more file changes
   # types tests are missing CodeLocation
diff --git a/pkgs/development/tools/github/github-release/default.nix b/pkgs/development/tools/github/github-release/default.nix
index 4326d4bf71ca..40fe1575d045 100644
--- a/pkgs/development/tools/github/github-release/default.nix
+++ b/pkgs/development/tools/github/github-release/default.nix
@@ -1,6 +1,6 @@
-{ buildGoPackage, fetchFromGitHub, lib }:
+{ buildGoModule, fetchFromGitHub, fetchpatch, lib, testers, github-release }:
 
-buildGoPackage rec {
+buildGoModule rec {
   pname = "github-release";
   version = "0.10.0";
 
@@ -8,10 +8,32 @@ buildGoPackage rec {
     owner = "github-release";
     repo = "github-release";
     rev = "v${version}";
-    sha256 = "sha256-J5Y0Kvon7DstTueCsoYvw6x4cOH/C1IaVArE0bXtZts=";
+    hash = "sha256-J5Y0Kvon7DstTueCsoYvw6x4cOH/C1IaVArE0bXtZts=";
   };
 
-  goPackagePath = "github.com/github-release/github-release";
+  vendorHash = null;
+
+  patches = [
+    # Update version info
+    (fetchpatch {
+      url = "https://github.com/github-release/github-release/commit/ee13bb17b74135bfe646d9be1807a6bc577ba7c6.patch";
+      hash = "sha256-9ZcHwai0HOgapDcpvn3xssrVP9cuNAz9rTgrR4Jfdfg=";
+    })
+
+    # Add Go Modules support.
+    # See https://github.com/Homebrew/homebrew-core/pull/162414.
+    (fetchpatch {
+      url = "https://github.com/github-release/github-release/pull/129/commits/074f4e8e1688642f50a7a3cc92b5777c7b484139.patch";
+      hash = "sha256-OBFbOvNhqcNiuSCP0AfClntj7y5habn+r2eBkmClsgI=";
+    })
+  ];
+
+  ldflags = [ "-s" "-w" ];
+
+  passthru.tests.version = testers.testVersion {
+    package = github-release;
+    version = "v${version}";
+  };
 
   meta = with lib; {
     description = "Commandline app to create and edit releases on Github (and upload artifacts)";
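Review bot: The second `fetchpatch` takes its URL from `pull/129/commits/…`, which reads as a commit on a pull request rather than on upstream's default branch, and the comment does not say whether that PR was merged. The fixed-output `hash` pins the patch content, so the concern is not tampering; it is that a tool used to publish releases and upload artifacts now carries code upstream may not have accepted, and that the URL can stop resolving if the PR branch is rewritten. I would extend the comment with the status, e.g. `# From upstream PR #129 (not in a release as of <date>); drop when a tagged version ships go.mod`. `vendorHash = null;` also deserves a line such as `# dependencies are taken from the vendor directory in the source tree`, since that is what the setting relies on. The `meta` block continues outside the hunk.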
diff --git a/pkgs/development/tools/misc/editorconfig-checker/default.nix b/pkgs/development/tools/misc/editorconfig-checker/default.nix
index 699f6c91978c..3aedd876de6d 100644
--- a/pkgs/development/tools/misc/editorconfig-checker/default.nix
+++ b/pkgs/development/tools/misc/editorconfig-checker/default.nix
@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "editorconfig-checker";
-  version = "2.8.0";
+  version = "3.0.0";
 
   src = fetchFromGitHub {
     owner = "editorconfig-checker";
     repo = "editorconfig-checker";
-    rev = version;
-    hash = "sha256-CVstdtFPt/OlvJE27O+CqqDpUqp9bQl18IGyf8nputM=";
+    rev = "v${version}";
+    hash = "sha256-T2+IqHDRGpmMFOL2V6y5BbF+rfaMsKaXvQ48CFpc52I=";
   };
 
-  vendorHash = "sha256-t2h9jtGfips+cpN1ckVhVgpg4egIYVXd89ahyDzV060=";
+  vendorHash = "sha256-vHIv3a//EfkYE/pHUXgFBgV3qvdkMx9Ka5xCk1J5Urw=";
 
   doCheck = false;
 
diff --git a/pkgs/development/tools/oh-my-posh/default.nix b/pkgs/development/tools/oh-my-posh/default.nix
index e1797a606ca4..92cc9ac1803a 100644
--- a/pkgs/development/tools/oh-my-posh/default.nix
+++ b/pkgs/development/tools/oh-my-posh/default.nix
@@ -6,13 +6,13 @@
 
 buildGoModule rec {
   pname = "oh-my-posh";
-  version = "19.11.6";
+  version = "19.11.7";
 
   src = fetchFromGitHub {
     owner = "jandedobbeleer";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-wo8ngZ/rWugYESc1/0WjOa8Zs6aEfXv7VJ7fqqbmSCE=";
+    hash = "sha256-CBAIojr+J84spnd0SQHT0xLoLuOPQsZEhWfKZMuj12Q=";
   };
 
   vendorHash = "sha256-OkcwcQfI1CeKIQaaS/Bd1Hct2yebp0TB98lsGAVRWqk=";
diff --git a/pkgs/development/tools/parsing/antlr/4.nix b/pkgs/development/tools/parsing/antlr/4.nix
index a4b2034852f2..79db5301add9 100644
--- a/pkgs/development/tools/parsing/antlr/4.nix
+++ b/pkgs/development/tools/parsing/antlr/4.nix
@@ -38,7 +38,7 @@ let
 
       installPhase = ''
         mkdir -p "$out"/{share/java,bin}
-        cp "$src" "$out/share/java/antlr-${version}-complete.jar"
+        ln -s "$src" "$out/share/java/antlr-${version}-complete.jar"
 
         echo "#! ${stdenv.shell}" >> "$out/bin/antlr"
         echo "'${jre}/bin/java' -cp '$out/share/java/antlr-${version}-complete.jar:$CLASSPATH' -Xmx500M org.antlr.v4.Tool \"\$@\"" >> "$out/bin/antlr"
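Review bot: After this change `$out/share/java/antlr-${version}-complete.jar` is a symlink into the `$src` store path, and the next hunk sets `passthru.jarLocation = antlr.src`, so the jar is now reachable under two different paths and the reason for the switch is not recorded. A comment above the `ln -s`, for example `# link rather than copy: the jar is used unmodified, so avoid a second copy in the store`, would mark this as intentional (the motive is my inference). Consumers of `jarLocation` that assumed a path inside the `antlr` output, or a particular file name, should be checked, since the name now comes from the fetcher. The `installPhase` string continues outside the hunk.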
@@ -58,7 +58,7 @@ let
 
       passthru = {
         inherit runtime;
-        jarLocation = "${antlr}/share/java/antlr-${version}-complete.jar";
+        jarLocation = antlr.src;
       };
 
       meta = with lib; {
diff --git a/pkgs/development/tools/parsing/spicy/default.nix b/pkgs/development/tools/parsing/spicy/default.nix
index 4b6db0adb731..7476e57bedff 100644
--- a/pkgs/development/tools/parsing/spicy/default.nix
+++ b/pkgs/development/tools/parsing/spicy/default.nix
@@ -11,7 +11,7 @@
 
 stdenv.mkDerivation rec {
   pname = "spicy";
-  version = "1.9.0";
+  version = "1.10.0";
 
   strictDeps = true;
 
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
     owner = "zeek";
     repo = "spicy";
     rev = "v${version}";
-    hash = "sha256-nVHm0JJsFXGnYlBBlcR5zBS46PZuALle3ik3GMTPYTQ=";
+    hash = "sha256-LFAeZ1UsnOKaXlnSd/cMfJQk0ZfaNAzSbvSuoKmmOoI=";
     fetchSubmodules = true;
   };
 
diff --git a/pkgs/development/tools/pscale/default.nix b/pkgs/development/tools/pscale/default.nix
index de78dcbc1aa5..06a152e8fcb1 100644
--- a/pkgs/development/tools/pscale/default.nix
+++ b/pkgs/development/tools/pscale/default.nix
@@ -8,13 +8,13 @@
 
 buildGoModule rec {
   pname = "pscale";
-  version = "0.183.0";
+  version = "0.185.0";
 
   src = fetchFromGitHub {
     owner = "planetscale";
     repo = "cli";
     rev = "v${version}";
-    sha256 = "sha256-+zmfMOp+ygVUErggHz+9AkpJ7AjfUBjCRcE4Uqusjz4=";
+    sha256 = "sha256-UzNfNuOt6ZmzxVx/H8aEmQL6b4PPyNkQzxSqhBtoLT8=";
   };
 
   vendorHash = "sha256-oENe7OGAW/i5LJbqPn7PJDemdxfSsLwmpER28R6zza4=";
diff --git a/pkgs/development/tools/rain/default.nix b/pkgs/development/tools/rain/default.nix
index f400bf192cd4..2f263848e020 100644
--- a/pkgs/development/tools/rain/default.nix
+++ b/pkgs/development/tools/rain/default.nix
@@ -7,13 +7,13 @@
 
 buildGoModule rec {
   pname = "rain";
-  version = "1.8.0";
+  version = "1.8.1";
 
   src = fetchFromGitHub {
     owner = "aws-cloudformation";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-kU+eNw27jv+yhBIR09zVRedZM5WSIMU68jCkIDWvhgw=";
+    sha256 = "sha256-II+SJkdlmtPuVEK+s9VLAwoe7+jYYXA+6uxAXD5NZHU=";
   };
 
   vendorHash = "sha256-Ea83gPSq7lReS2KXejY9JlDDEncqS1ouVyIEKbn+VAw=";
diff --git a/pkgs/development/tools/ruff/default.nix b/pkgs/development/tools/ruff/default.nix
index ce737d343b70..b51b7b6e578d 100644
--- a/pkgs/development/tools/ruff/default.nix
+++ b/pkgs/development/tools/ruff/default.nix
@@ -10,16 +10,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "ruff";
-  version = "0.2.2";
+  version = "0.3.0";
 
   src = fetchFromGitHub {
     owner = "astral-sh";
     repo = "ruff";
     rev = "refs/tags/v${version}";
-    hash = "sha256-wCjPlKlw0IAh5oH4W7DUw3KBxR4bt9Ho7ncRL5TbD/0=";
+    hash = "sha256-U77Bwgbt2T8xkamrWOnOpNRF+8skLWhX8JqgPqowcQw=";
   };
 
-  cargoHash = "sha256-EHAlsEh3YnAhjIGC9rSgyK3gbKPCJqI6F3uAqZxv2nU=";
+  cargoHash = "sha256-IBcZRElbeu7Ab/7Q7N5TLhAznXxKsupifR83gfpY61Q=";
 
   nativeBuildInputs = [
     installShellFiles
diff --git a/pkgs/development/tools/rust/cargo-codspeed/default.nix b/pkgs/development/tools/rust/cargo-codspeed/default.nix
index 1ae11e276056..23880c2480fc 100644
--- a/pkgs/development/tools/rust/cargo-codspeed/default.nix
+++ b/pkgs/development/tools/rust/cargo-codspeed/default.nix
@@ -12,16 +12,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "cargo-codspeed";
-  version = "2.3.3";
+  version = "2.4.0";
 
   src = fetchFromGitHub {
     owner = "CodSpeedHQ";
     repo = "codspeed-rust";
     rev = "v${version}";
-    hash = "sha256-8wbJFvAXicchxI8FTthCiuYCZ2WA4nMUJTUD4WKG5FI=";
+    hash = "sha256-pi02Bn5m4JoTtCIZvxkiUVKkjmtCShKqZw+AyhaVdyY=";
   };
 
-  cargoHash = "sha256-HkFROhjx4bh9QMUlCT1xj3s7aUQxn0ef3FCXoEsYCnY=";
+  cargoHash = "sha256-5Ps31Hdis+N/MT/o0IDHSJgHBM3F/ve50ovfFSviMtA=";
 
   nativeBuildInputs = [
     curl
diff --git a/pkgs/development/tools/sentry-cli/default.nix b/pkgs/development/tools/sentry-cli/default.nix
index be37733dfda3..738a2c659ddb 100644
--- a/pkgs/development/tools/sentry-cli/default.nix
+++ b/pkgs/development/tools/sentry-cli/default.nix
@@ -11,13 +11,13 @@
 }:
 rustPlatform.buildRustPackage rec {
   pname = "sentry-cli";
-  version = "2.28.6";
+  version = "2.29.1";
 
   src = fetchFromGitHub {
     owner = "getsentry";
     repo = "sentry-cli";
     rev = version;
-    sha256 = "sha256-cynq7w0xLnLafStcfrG27PNHVoMu4TxFIwwrWjj9ynM=";
+    sha256 = "sha256-hSAd+fGEVpCAyG2HzrF0W09yk6ghxX/lwdPQNuGsZW0=";
   };
   doCheck = false;
 
@@ -27,7 +27,7 @@ rustPlatform.buildRustPackage rec {
   buildInputs = [ openssl ] ++ lib.optionals stdenv.isDarwin [ CoreServices Security SystemConfiguration ];
   nativeBuildInputs = [ installShellFiles pkg-config ];
 
-  cargoHash = "sha256-MChhtWbwi5/1GMXxlKov8LrO+kp7D6u4u1lmEjZvyP8=";
+  cargoHash = "sha256-g+rGWS/wZncyq9zPOOI+Zq1WEsQarMK2TkccVohJTUs=";
 
   postInstall = ''
     installShellCompletion --cmd sentry-cli \
diff --git a/pkgs/development/tools/taplo/default.nix b/pkgs/development/tools/taplo/default.nix
index 43026331f5c7..2f497d6eb931 100644
--- a/pkgs/development/tools/taplo/default.nix
+++ b/pkgs/development/tools/taplo/default.nix
@@ -1,6 +1,8 @@
 { lib
 , rustPlatform
 , fetchCrate
+, pkg-config
+, openssl
 , stdenv
 , Security
 , withLsp ? true
@@ -8,17 +10,25 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "taplo";
-  version = "0.8.1";
+  version = "0.9.0";
 
   src = fetchCrate {
     inherit version;
     pname = "taplo-cli";
-    sha256 = "sha256-evNW6OA7rArj0TvOaQgktcQy0tWnel3ZL+ic78e6lOk=";
+    hash = "sha256-vvb00a6rppx9kKx+pzObT/hW/IsG6RyYFEDp9M5gvqc=";
   };
 
-  cargoSha256 = "sha256-jeLjoqEieR96mUZQmQtv7P78lmOaF18ruVhZLi/TieQ=";
+  cargoHash = "sha256-oT7U9htu7J22MqLZb+YXohlB1CVGxHGQvHJu18PeLf8=";
 
-  buildInputs = lib.optional stdenv.isDarwin Security;
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    openssl
+  ] ++ lib.optionals stdenv.isDarwin [
+    Security
+  ];
 
   buildFeatures = lib.optional withLsp "lsp";
 
diff --git a/pkgs/development/tools/typos/default.nix b/pkgs/development/tools/typos/default.nix
index c1f31c07c6cc..6aa8e5558dcc 100644
--- a/pkgs/development/tools/typos/default.nix
+++ b/pkgs/development/tools/typos/default.nix
@@ -2,16 +2,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "typos";
-  version = "1.16.25";
+  version = "1.19.0";
 
   src = fetchFromGitHub {
     owner = "crate-ci";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-prmMj8tVOm9P5EKkenero4YM9ccVU3JskTiHjup0oeQ=";
+    hash = "sha256-2beVIS6vzaX9k+M6545F/QDq6mxPTpmDDD2B9+eLxTk=";
   };
 
-  cargoHash = "sha256-OBbLWsG22Rs4veQRDUgoFKcMnOKNOxK6rqBah8y3CnY=";
+  cargoHash = "sha256-GpooXnJc3ADQRhvVSnDjj6OOuQW+emVo5TGoshPI+WY=";
 
   meta = with lib; {
     description = "Source code spell checker";
diff --git a/pkgs/development/tools/vsce/default.nix b/pkgs/development/tools/vsce/default.nix
index 5ba007818e3b..065821afbf10 100644
--- a/pkgs/development/tools/vsce/default.nix
+++ b/pkgs/development/tools/vsce/default.nix
@@ -12,16 +12,16 @@
 
 buildNpmPackage rec {
   pname = "vsce";
-  version = "2.23.0";
+  version = "2.24.0";
 
   src = fetchFromGitHub {
     owner = "microsoft";
     repo = "vscode-vsce";
     rev = "v${version}";
-    hash = "sha256-2s8hG3HNDQnuwFXZX1mCTSbKCm4n7YAzhHDaWVYTyys=";
+    hash = "sha256-MX+tGjz/Nn18ivfjQeOlQtQiyRkB1cGnLl2jlz5Str8=";
   };
 
-  npmDepsHash = "sha256-1PVUDEecFW+lFmZOZUTlgeKsLwLK9O4vFHi6gOLjBfo=";
+  npmDepsHash = "sha256-Difk9a9TYmfwzP9SawEuaxm7iHVjdfO+FxFCE7aEMzM=";
 
   postPatch = ''
     substituteInPlace package.json --replace '"version": "0.0.0"' '"version": "${version}"'