198 files changed, 2623 insertions, 1273 deletions

diff --git a/doc/languages-frameworks/python.section.md b/doc/languages-frameworks/python.section.md
index fa7f3eddf72c..4ca177bcdd26 100644
--- a/doc/languages-frameworks/python.section.md
+++ b/doc/languages-frameworks/python.section.md
@@ -2014,6 +2014,10 @@ example of such a situation is when `py.test` is used.
 
 * Tests that attempt to access `$HOME` can be fixed by using the following
   work-around before running tests (e.g. `preCheck`): `export HOME=$(mktemp -d)`
+* Compiling with Cython causes tests to fail with a `ModuleNotLoadedError`.
+  This can be fixed with two changes in the derivation: 1) replacing `pytest` with
+  `pytestCheckHook` and 2) adding a `preCheck` containing `cd $out` to run
+  tests within the built output.
 
 ## Contributing {#contributing}
 
diff --git a/lib/licenses.nix b/lib/licenses.nix
index 30ca31ff71f2..a60171e55c12 100644
--- a/lib/licenses.nix
+++ b/lib/licenses.nix
@@ -599,6 +599,11 @@ in mkLicense lset) ({
     url = "https://fedoraproject.org/wiki/Licensing/GPL_Classpath_Exception";
   };
 
+  giftware = {
+    spdxId = "Giftware";
+    fullName = "Giftware License";
+  };
+
   hpnd = {
     spdxId = "HPND";
     fullName = "Historic Permission Notice and Disclaimer";
@@ -609,6 +614,11 @@ in mkLicense lset) ({
     spdxId = "HPND-sell-variant";
   };
 
+  hpndUc = {
+    spdxId = "HPND-UC";
+    fullName = "Historical Permission Notice and Disclaimer - University of California variant";
+  };
+
   # Intel's license, seems free
   iasl = {
     spdxId = "Intel-ACPI";
@@ -894,6 +904,11 @@ in mkLicense lset) ({
     url = "https://raw.githubusercontent.com/netdata/netdata/master/web/gui/v2/LICENSE.md";
   };
 
+  nistSoftware = {
+    spdxId = "NIST-Software";
+    fullName = "NIST Software License";
+  };
+
   nlpl = {
     spdxId = "NLPL";
     fullName = "No Limit Public License";
diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
index 98d84131085b..559517277e5f 100644
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -761,6 +761,11 @@
     githubId = 786394;
     name = "Alexander Krupenkin ";
   };
+  akshayka = {
+    github = "akshayka";
+    githubId = 1994308;
+    name = "Akshay Agrawal";
+  };
   akshgpt7 = {
     email = "akshgpt7@gmail.com";
     github = "akshgpt7";
@@ -2936,6 +2941,12 @@
     githubId = 37375448;
     name = "Buildit";
   };
+  bwc9876 = {
+    email = "bwc9876@gmail.com";
+    github = "Bwc9876";
+    githubId = 25644444;
+    name = "Ben C";
+  };
   bwlang = {
     email = "brad@langhorst.com";
     github = "bwlang";
@@ -5005,6 +5016,12 @@
     githubId = 283316;
     name = "Dane Lipscombe";
   };
+  dmadisetti = {
+    email = "nix@madisetti.me";
+    github = "dmadisetti";
+    githubId = 2689338;
+    name = "Dylan Madisetti";
+  };
   dmalikov = {
     email = "malikov.d.y@gmail.com";
     github = "dmalikov";
@@ -8654,6 +8671,12 @@
     githubId = 2179419;
     name = "Arseniy Seroka";
   };
+  jakedevs = {
+    email = "work@jakedevs.net";
+    github = "jakedevs";
+    githubId = 153585330;
+    name = "Jacob Levi";
+  };
   jakehamilton = {
     name = "Jake Hamilton";
     email = "jake.hamilton@hey.com";
@@ -9950,6 +9973,15 @@
     githubId = 1621930;
     name = "Kamil Chmielewski";
   };
+  kamillaova = {
+    name = "Kamilla Ova";
+    email = "me@kamillaova.dev";
+    github = "Kamillaova";
+    githubId = 54859825;
+    keys = [{
+      fingerprint = "B2D0 AA53 8DBE 60B0 0811  3FC0 2D52 5F67 791E 5834";
+    }];
+  };
   kampfschlaefer = {
     email = "arnold@arnoldarts.de";
     github = "kampfschlaefer";
@@ -15046,6 +15078,12 @@
     github = "pennae";
     githubId = 82953136;
   };
+  perchun = {
+    name = "Perchun Pak";
+    email = "nixpkgs@perchun.it";
+    github = "PerchunPak";
+    githubId = 68118654;
+  };
   peret = {
     name = "Peter Retzlaff";
     github = "peret";
@@ -16722,6 +16760,15 @@
     githubId = 1312525;
     name = "Rongcui Dong";
   };
+  rookeur = {
+    email = "adrien.langou@hotmail.com";
+    github = "Rookeur";
+    githubId = 57438432;
+    name = "Adrien Langou";
+    keys = [{
+      fingerprint = "3B8F FC41 0094 2CB4 5A2A  7DF2 5A44 DA8F 9071 91B0";
+    }];
+  };
   roosemberth = {
     email = "roosembert.palacios+nixpkgs@posteo.ch";
     matrix = "@roosemberth:orbstheorem.ch";
@@ -18362,6 +18409,11 @@
     githubId = 950799;
     name = "Tomasz Czyż";
   };
+  spoonbaker = {
+    github = "Spoonbaker";
+    githubId = 47164123;
+    name = "Spoonbaker";
+  };
   sprock = {
     email = "rmason@mun.ca";
     github = "sprock";
diff --git a/maintainers/scripts/luarocks-packages.csv b/maintainers/scripts/luarocks-packages.csv
index 325b2f30f047..fd6c59c0b46f 100644
--- a/maintainers/scripts/luarocks-packages.csv
+++ b/maintainers/scripts/luarocks-packages.csv
@@ -95,6 +95,7 @@ magick,,,,,5.1,donovanglover
 markdown,,,,,,
 mediator_lua,,,,,,
 middleclass,,,,,,
+mimetypes,,,,,,
 mpack,,,,,,
 moonscript,https://github.com/leafo/moonscript.git,dev-1,,,,arobyn
 nlua,,,,,,teto
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index e737fe0e81df..eb4fe13472a5 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -154,6 +154,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `idris2` was updated to v0.7.0. This version introduces breaking changes. Check out the [changelog](https://github.com/idris-lang/Idris2/blob/v0.7.0/CHANGELOG.md#v070) for details.
 
+- `nvtop` family of packages was reorganized into nested attrset. `nvtop` has been renamed to `nvtopPackages.full`, and all `nvtop-{amd,nvidia,intel,msm}` packages are now named as `nvtopPackages.{amd,nvidia,intel,msm}`
+
 - `neo4j` has been updated to 5, you may want to read the [release notes for Neo4j 5](https://neo4j.com/release-notes/database/neo4j-5/)
 
 - `services.neo4j.allowUpgrade` was removed and no longer has any effect. Neo4j 5 supports automatic rolling upgrades.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 2ccaea466c6a..13e9868eab70 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1034,6 +1034,7 @@
   ./services/networking/multipath.nix
   ./services/networking/murmur.nix
   ./services/networking/mxisd.nix
+  ./services/networking/mycelium.nix
   ./services/networking/namecoind.nix
   ./services/networking/nar-serve.nix
   ./services/networking/nat.nix
diff --git a/nixos/modules/programs/starship.nix b/nixos/modules/programs/starship.nix
index 34f6f0882c61..7f8d9eb3363d 100644
--- a/nixos/modules/programs/starship.nix
+++ b/nixos/modules/programs/starship.nix
@@ -12,7 +12,7 @@ let
       nativeBuildInputs = [ pkgs.yq ];
     } ''
     tomlq -s -t 'reduce .[] as $item ({}; . * $item)' \
-      ${lib.concatStringsSep " " (map (f: "${pkgs.starship}/share/starship/presets/${f}.toml") cfg.presets)} \
+      ${lib.concatStringsSep " " (map (f: "${cfg.package}/share/starship/presets/${f}.toml") cfg.presets)} \
       ${userSettingsFile} \
       > $out
   '';
@@ -26,23 +26,20 @@ let
 in
 {
   options.programs.starship = {
-    enable = lib.mkEnableOption (lib.mdDoc "the Starship shell prompt");
+    enable = lib.mkEnableOption "the Starship shell prompt";
 
-    interactiveOnly = lib.mkOption {
-      default = true;
-      example = false;
-      type = lib.types.bool;
-      description = lib.mdDoc ''
-        Whether to enable starship only when the shell is interactive.
-        Some plugins require this to be set to false to function correctly.
-      '';
-    };
+    package = lib.mkPackageOption pkgs "starship" { };
+
+    interactiveOnly = lib.mkEnableOption ''
+      starship only when the shell is interactive.
+      Some plugins require this to be set to false to function correctly
+    '' // { default = true; };
 
     presets = lib.mkOption {
       default = [ ];
       example = [ "nerd-font-symbols" ];
       type = with lib.types; listOf str;
-      description = lib.mdDoc ''
+      description = ''
         Presets files to be merged with settings in order.
       '';
     };
@@ -50,7 +47,7 @@ in
     settings = lib.mkOption {
       inherit (settingsFormat) type;
       default = { };
-      description = lib.mdDoc ''
+      description = ''
         Configuration included in `starship.toml`.
 
         See https://starship.rs/config/#prompt for documentation.
@@ -68,7 +65,7 @@ in
         if [[ ! -f "$HOME/.config/starship.toml" ]]; then
           export STARSHIP_CONFIG=${settingsFile}
         fi
-        eval "$(${pkgs.starship}/bin/starship init bash)"
+        eval "$(${cfg.package}/bin/starship init bash)"
       fi
     '';
 
@@ -81,7 +78,7 @@ in
         if not test -f "$HOME/.config/starship.toml";
           set -x STARSHIP_CONFIG ${settingsFile}
         end
-        eval (${pkgs.starship}/bin/starship init fish)
+        eval (${cfg.package}/bin/starship init fish)
       end
     '';
 
@@ -94,7 +91,7 @@ in
         if [[ ! -f "$HOME/.config/starship.toml" ]]; then
           export STARSHIP_CONFIG=${settingsFile}
         fi
-        eval "$(${pkgs.starship}/bin/starship init zsh)"
+        eval "$(${cfg.package}/bin/starship init zsh)"
       fi
     '';
   };
diff --git a/nixos/modules/services/desktop-managers/plasma6.nix b/nixos/modules/services/desktop-managers/plasma6.nix
index 1cb7a7ea778b..611998768824 100644
--- a/nixos/modules/services/desktop-managers/plasma6.nix
+++ b/nixos/modules/services/desktop-managers/plasma6.nix
@@ -252,6 +252,7 @@ in {
     services.xserver.displayManager.sddm = {
       package = kdePackages.sddm;
       theme = mkDefault "breeze";
+      wayland.compositor = "kwin";
       extraPackages = with kdePackages; [
         breeze-icons
         kirigami
diff --git a/nixos/modules/services/misc/etebase-server.nix b/nixos/modules/services/misc/etebase-server.nix
index 546d52b1a3b5..6ec3807f0fb2 100644
--- a/nixos/modules/services/misc/etebase-server.nix
+++ b/nixos/modules/services/misc/etebase-server.nix
@@ -177,6 +177,7 @@ in
 
     systemd.tmpfiles.rules = [
       "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
+    ] ++ lib.optionals (cfg.unixSocket != null) [
       "d '${builtins.dirOf cfg.unixSocket}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
     ];
 
diff --git a/nixos/modules/services/networking/dnscache.nix b/nixos/modules/services/networking/dnscache.nix
index eff13f69f470..4f5b77a5b685 100644
--- a/nixos/modules/services/networking/dnscache.nix
+++ b/nixos/modules/services/networking/dnscache.nix
@@ -86,7 +86,11 @@ in {
 
   config = mkIf config.services.dnscache.enable {
     environment.systemPackages = [ pkgs.djbdns ];
-    users.users.dnscache.isSystemUser = true;
+    users.users.dnscache = {
+        isSystemUser = true;
+        group = "dnscache";
+    };
+    users.groups.dnscache = {};
 
     systemd.services.dnscache = {
       description = "djbdns dnscache server";
diff --git a/nixos/modules/services/networking/mycelium.nix b/nixos/modules/services/networking/mycelium.nix
new file mode 100644
index 000000000000..71ff8d1dd9af
--- /dev/null
+++ b/nixos/modules/services/networking/mycelium.nix
@@ -0,0 +1,126 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.services.mycelium;
+in
+{
+  options.services.mycelium = {
+    enable = lib.mkEnableOption "mycelium network";
+    peers = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      description = ''
+        List of peers to connect to in the format quic://1.2.3.4:9651.
+        If addHostedPublicNodes is set to true, the hosted public nodes will be added to this list.
+      '';
+      default = [];
+    };
+    keyFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      description = ''
+        optional path to a keyFile, if unset the default location (/var/lib/mycelium/key) will be used
+        If this key does not exist, it will be generated
+      '';
+    };
+    openFirewall = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Open the firewall for mycelium";
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.mycelium;
+      defaultText = lib.literalExpression ''"''${pkgs.mycelium}"'';
+      description = "The mycelium package to use";
+    };
+    addHostedPublicNodes = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = ''
+        add the hosted peers from https://github.com/threefoldtech/mycelium#hosted-public-nodes
+      '';
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ 9651 ];
+    networking.firewall.allowedUDPPorts = lib.optionals cfg.openFirewall [ 9650 9651 ];
+
+    systemd.services.mycelium = {
+      description = "Mycelium network";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      restartTriggers = [
+        cfg.keyFile
+      ];
+
+      unitConfig.Documentation = "https://github.com/threefoldtech/mycelium";
+
+      serviceConfig = {
+        User = "mycelium";
+        DynamicUser = true;
+        StateDirectory = "mycelium";
+        ProtectHome = true;
+        ProtectSystem = true;
+        LoadCredential = lib.mkIf (cfg.keyFile != null) "keyfile:${cfg.keyFile}";
+        SyslogIdentifier = "mycelium";
+        AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+        MemoryDenyWriteExecute = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [ "@system-service" "~@privileged @keyring" ];
+        ExecStart = lib.concatStringsSep " " ([
+          (lib.getExe cfg.package)
+          (if (cfg.keyFile != null) then
+            "--key-file \${CREDENTIALS_DIRECTORY}/keyfile" else
+            "--key-file %S/mycelium/key.bin"
+          )
+          "--tun-name" "mycelium"
+        ] ++
+          (lib.optional (cfg.addHostedPublicNodes || cfg.peers != []) "--peers")
+        ++ cfg.peers ++ (lib.optionals cfg.addHostedPublicNodes [
+          "tcp://188.40.132.242:9651" # DE 01
+          "tcp://[2a01:4f8:221:1e0b::2]:9651"
+          "quic://188.40.132.242:9651"
+          "quic://[2a01:4f8:221:1e0b::2]:9651"
+
+          "tcp://136.243.47.186:9651" # DE 02
+          "tcp://[2a01:4f8:212:fa6::2]:9651"
+          "quic://136.243.47.186:9651"
+          "quic://[2a01:4f8:212:fa6::2]:9651"
+
+          "tcp://185.69.166.7:9651" # BE 03
+          "tcp://[2a02:1802:5e:0:8478:51ff:fee2:3331]:9651"
+          "quic://185.69.166.7:9651"
+          "quic://[2a02:1802:5e:0:8478:51ff:fee2:3331]:9651"
+
+          "tcp://185.69.166.8:9651" # BE 04
+          "tcp://[2a02:1802:5e:0:8c9e:7dff:fec9:f0d2]:9651"
+          "quic://185.69.166.8:9651"
+          "quic://[2a02:1802:5e:0:8c9e:7dff:fec9:f0d2]:9651"
+
+          "tcp://65.21.231.58:9651" # FI 05
+          "tcp://[2a01:4f9:6a:1dc5::2]:9651"
+          "quic://65.21.231.58:9651"
+          "quic://[2a01:4f9:6a:1dc5::2]:9651"
+
+          "tcp://65.109.18.113:9651" # FI 06
+          "tcp://[2a01:4f9:5a:1042::2]:9651"
+          "quic://65.109.18.113:9651"
+          "quic://[2a01:4f9:5a:1042::2]:9651"
+        ]));
+        Restart = "always";
+        RestartSec = 5;
+        TimeoutStopSec = 5;
+      };
+    };
+  };
+  meta = {
+    maintainers = with lib.maintainers; [ flokli lassulus ];
+  };
+}
+
diff --git a/nixos/modules/services/x11/display-managers/sddm.nix b/nixos/modules/services/x11/display-managers/sddm.nix
index 5b7f4bc58d80..a315a3ebf322 100644
--- a/nixos/modules/services/x11/display-managers/sddm.nix
+++ b/nixos/modules/services/x11/display-managers/sddm.nix
@@ -1,19 +1,24 @@
 { config, lib, pkgs, ... }:
 
-with lib;
 let
   xcfg = config.services.xserver;
   dmcfg = xcfg.displayManager;
   cfg = dmcfg.sddm;
   xEnv = config.systemd.services.display-manager.environment;
 
-  sddm = cfg.package.override(old: {
+  sddm = cfg.package.override (old: {
     withWayland = cfg.wayland.enable;
-    extraPackages = old.extraPackages or [] ++ cfg.extraPackages;
+    extraPackages = old.extraPackages or [ ] ++ cfg.extraPackages;
   });
 
   iniFmt = pkgs.formats.ini { };
 
+  inherit (lib)
+    concatMapStrings concatStringsSep getExe
+    attrNames getAttr optionalAttrs optionalString
+    mkRemovedOptionModule mkRenamedOptionModule mkIf mkEnableOption mkOption mkPackageOption types
+    ;
+
   xserverWrapper = pkgs.writeShellScript "xserver-wrapper" ''
     ${concatMapStrings (n: "export ${n}=\"${getAttr n xEnv}\"\n") (attrNames xEnv)}
     exec systemd-cat -t xserver-wrapper ${dmcfg.xserverBin} ${toString dmcfg.xserverArgs} "$@"
@@ -38,12 +43,21 @@ let
       DefaultSession = optionalString (dmcfg.defaultSession != null) "${dmcfg.defaultSession}.desktop";
 
       DisplayServer = if cfg.wayland.enable then "wayland" else "x11";
+    } // optionalAttrs (cfg.wayland.compositor == "kwin") {
+      GreeterEnvironment = concatStringsSep " " [
+        "LANG=C.UTF-8"
+        "QT_WAYLAND_SHELL_INTEGRATION=layer-shell"
+      ];
+      InputMethod = ""; # needed if we are using --inputmethod with kwin
     };
 
     Theme = {
       Current = cfg.theme;
       ThemeDir = "/run/current-system/sw/share/sddm/themes";
       FacesDir = "/run/current-system/sw/share/sddm/faces";
+    } // optionalAttrs (cfg.theme == "breeze") {
+      CursorTheme = "breeze_cursors";
+      CursorSize = 24;
     };
 
     Users = {
@@ -69,7 +83,7 @@ let
       SessionDir = "${dmcfg.sessionData.desktops}/share/wayland-sessions";
       CompositorCommand = lib.optionalString cfg.wayland.enable cfg.wayland.compositorCommand;
     };
-  } // lib.optionalAttrs dmcfg.autoLogin.enable {
+  } // optionalAttrs dmcfg.autoLogin.enable {
     Autologin = {
       User = dmcfg.autoLogin.user;
       Session = autoLoginSessionName;
@@ -83,6 +97,34 @@ let
   autoLoginSessionName =
     "${dmcfg.sessionData.autologinSession}.desktop";
 
+  compositorCmds = {
+    kwin = concatStringsSep " " [
+      "${lib.getBin pkgs.kdePackages.kwin}/bin/kwin_wayland"
+      "--no-global-shortcuts"
+      "--no-kactivities"
+      "--no-lockscreen"
+      "--locale1"
+    ];
+    # This is basically the upstream default, but with Weston referenced by full path
+    # and the configuration generated from NixOS options.
+    weston =
+      let
+        westonIni = (pkgs.formats.ini { }).generate "weston.ini" {
+          libinput = {
+            enable-tap = xcfg.libinput.mouse.tapping;
+            left-handed = xcfg.libinput.mouse.leftHanded;
+          };
+          keyboard = {
+            keymap_model = xcfg.xkb.model;
+            keymap_layout = xcfg.xkb.layout;
+            keymap_variant = xcfg.xkb.variant;
+            keymap_options = xcfg.xkb.options;
+          };
+        };
+      in
+      "${getExe pkgs.weston} --shell=kiosk -c ${westonIni}";
+  };
+
 in
 {
   imports = [
@@ -111,7 +153,7 @@ in
         '';
       };
 
-      package = mkPackageOption pkgs [ "plasma5Packages" "sddm" ] {};
+      package = mkPackageOption pkgs [ "plasma5Packages" "sddm" ] { };
 
       enableHidpi = mkOption {
         type = types.bool;
@@ -145,7 +187,7 @@ in
 
       extraPackages = mkOption {
         type = types.listOf types.package;
-        default = [];
+        default = [ ];
         defaultText = "[]";
         description = lib.mdDoc ''
           Extra Qt plugins / QML libraries to add to the environment.
@@ -206,24 +248,16 @@ in
       wayland = {
         enable = mkEnableOption "experimental Wayland support";
 
+        compositor = mkOption {
+          description = lib.mdDoc "The compositor to use: ${lib.concatStringsSep ", " (builtins.attrNames compositorCmds)}";
+          type = types.enum (builtins.attrNames compositorCmds);
+          default = "weston";
+        };
+
         compositorCommand = mkOption {
           type = types.str;
           internal = true;
-
-          # This is basically the upstream default, but with Weston referenced by full path
-          # and the configuration generated from NixOS options.
-          default = let westonIni = (pkgs.formats.ini {}).generate "weston.ini" {
-              libinput = {
-                enable-tap = xcfg.libinput.mouse.tapping;
-                left-handed = xcfg.libinput.mouse.leftHanded;
-              };
-              keyboard = {
-                keymap_model = xcfg.xkb.model;
-                keymap_layout = xcfg.xkb.layout;
-                keymap_variant = xcfg.xkb.variant;
-                keymap_options = xcfg.xkb.options;
-              };
-            }; in "${pkgs.weston}/bin/weston --shell=kiosk -c ${westonIni}";
+          default = compositorCmds.${cfg.wayland.compositor};
           description = lib.mdDoc "Command used to start the selected compositor";
         };
       };
@@ -247,8 +281,6 @@ in
       }
     ];
 
-    services.xserver.displayManager.job.execCmd = "exec /run/current-system/sw/bin/sddm";
-
     security.pam.services = {
       sddm.text = ''
         auth      substack      login
@@ -293,30 +325,41 @@ in
       uid = config.ids.uids.sddm;
     };
 
-    environment.etc."sddm.conf".source = cfgFile;
-    environment.pathsToLink = [
-      "/share/sddm"
-    ];
+    environment = {
+      etc."sddm.conf".source = cfgFile;
+      pathsToLink = [
+        "/share/sddm"
+      ];
+      systemPackages = [ sddm ];
+    };
 
     users.groups.sddm.gid = config.ids.gids.sddm;
 
-    environment.systemPackages = [ sddm ];
-    services.dbus.packages = [ sddm ];
-    systemd.tmpfiles.packages = [ sddm ];
-
-    # We're not using the upstream unit, so copy these: https://github.com/sddm/sddm/blob/develop/services/sddm.service.in
-    systemd.services.display-manager.after = [
-      "systemd-user-sessions.service"
-      "getty@tty7.service"
-      "plymouth-quit.service"
-      "systemd-logind.service"
-    ];
-    systemd.services.display-manager.conflicts = [
-      "getty@tty7.service"
-    ];
+    services = {
+      dbus.packages = [ sddm ];
+      xserver = {
+        displayManager.job.execCmd = "exec /run/current-system/sw/bin/sddm";
+        # To enable user switching, allow sddm to allocate TTYs/displays dynamically.
+        tty = null;
+        display = null;
+      };
+    };
 
-    # To enable user switching, allow sddm to allocate TTYs/displays dynamically.
-    services.xserver.tty = null;
-    services.xserver.display = null;
+    systemd = {
+      tmpfiles.packages = [ sddm ];
+
+      # We're not using the upstream unit, so copy these: https://github.com/sddm/sddm/blob/develop/services/sddm.service.in
+      services.display-manager = {
+        after = [
+          "systemd-user-sessions.service"
+          "getty@tty7.service"
+          "plymouth-quit.service"
+          "systemd-logind.service"
+        ];
+        conflicts = [
+          "getty@tty7.service"
+        ];
+      };
+    };
   };
 }
diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix
index 3d7474e18263..4e0235f9ad1d 100644
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -749,7 +749,7 @@ in
     boot.kernel.sysctl."fs.inotify.max_user_instances" = mkDefault 524288;
     boot.kernel.sysctl."fs.inotify.max_user_watches" = mkDefault 524288;
 
-    programs.gnupg.agent.pinentryPackage = lib.mkDefault pkgs.pinentry-gnome3;
+    programs.gnupg.agent.pinentryPackage = lib.mkOverride 1100 pkgs.pinentry-gnome3;
 
     systemd.defaultUnit = mkIf cfg.autorun "graphical.target";
 
diff --git a/nixos/modules/system/boot/uki.nix b/nixos/modules/system/boot/uki.nix
index 0965b887c12e..c8d3c2f6605f 100644
--- a/nixos/modules/system/boot/uki.nix
+++ b/nixos/modules/system/boot/uki.nix
@@ -7,8 +7,6 @@ let
   inherit (pkgs.stdenv.hostPlatform) efiArch;
 
   format = pkgs.formats.ini { };
-  ukifyConfig = format.generate "ukify.conf" cfg.settings;
-
 in
 
 {
@@ -48,6 +46,15 @@ in
           contains and how it is built.
         '';
       };
+
+      configFile = lib.mkOption {
+        type = lib.types.path;
+        description = lib.mdDoc ''
+          The configuration file passed to {manpage}`ukify(1)` to create the UKI.
+
+          By default this configuration file is created from {option}`boot.uki.settings`.
+        '';
+      };
     };
 
     system.boot.loader.ukiFile = lib.mkOption {
@@ -80,6 +87,8 @@ in
       };
     };
 
+    boot.uki.configFile = lib.mkOptionDefault (format.generate "ukify.conf" cfg.settings);
+
     system.boot.loader.ukiFile =
       let
         name = config.boot.uki.name;
@@ -92,7 +101,7 @@ in
     system.build.uki = pkgs.runCommand config.system.boot.loader.ukiFile { } ''
       mkdir -p $out
       ${pkgs.buildPackages.systemdUkify}/lib/systemd/ukify build \
-        --config=${ukifyConfig} \
+        --config=${cfg.configFile} \
         --output="$out/${config.system.boot.loader.ukiFile}"
     '';
 
diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix
index d4fa707b2dd5..5db3a336f85d 100644
--- a/nixos/modules/virtualisation/nixos-containers.nix
+++ b/nixos/modules/virtualisation/nixos-containers.nix
@@ -509,6 +509,12 @@ in
                                 for details).
                               '';
                             }
+                            {
+                              assertion = !lib.strings.hasInfix "_" name;
+                              message = ''
+                                Names containing underscores are not allowed in nixos-containers. Please rename the container '${name}'
+                              '';
+                            }
                           ];
                         };
                       };
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index dd6c744a79ce..faff759f76c0 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -561,6 +561,7 @@ in {
   munin = handleTest ./munin.nix {};
   mutableUsers = handleTest ./mutable-users.nix {};
   mxisd = handleTest ./mxisd.nix {};
+  mycelium = handleTest ./mycelium {};
   mympd = handleTest ./mympd.nix {};
   mysql = handleTest ./mysql/mysql.nix {};
   mysql-autobackup = handleTest ./mysql/mysql-autobackup.nix {};
diff --git a/nixos/tests/drawterm.nix b/nixos/tests/drawterm.nix
index 1d444bb55433..3594343853c0 100644
--- a/nixos/tests/drawterm.nix
+++ b/nixos/tests/drawterm.nix
@@ -38,11 +38,24 @@ let
         def drawterm_running():
             machine.succeed("pgrep drawterm")
 
+        # cage is a bit wonky here.
+        # it seems to lag behind drawing
+        # and somehow needs a single input character
+        # in order to get the first prompt to show up.
+        # This is not present in any other compositor
+        # as far as I know, and after spending a couple
+        # hours with the upstream source trying to deduce
+        # how to perhaps fix it, I figured just polling is OK.
+        @polling_condition
+        def cpu_shown_up():
+            machine.send_chars(".")
+            machine.wait_for_text("cpu", 1)
+
         start_all()
 
         machine.wait_for_unit("graphical.target")
         drawterm_running.wait() # type: ignore[union-attr]
-        machine.wait_for_text("cpu")
+        cpu_shown_up.wait() # type: ignore[union-attr]
         machine.send_chars("cpu\n")
         machine.wait_for_text("auth")
         machine.send_chars("cpu\n")
diff --git a/nixos/tests/mycelium/default.nix b/nixos/tests/mycelium/default.nix
new file mode 100644
index 000000000000..f0d72436843c
--- /dev/null
+++ b/nixos/tests/mycelium/default.nix
@@ -0,0 +1,57 @@
+import ../make-test-python.nix ({ lib, ... }: let
+  peer1-ip = "531:c350:28c1:dfde:ea6d:77d1:a60b:7209";
+  peer2-ip = "49f:3942:3a55:d100:4c78:c558:c4f:695b";
+in
+  {
+    name = "mycelium";
+    meta.maintainers = with lib.maintainers; [ lassulus ];
+
+    nodes = {
+
+      peer1 = { config, pkgs, ... }: {
+        virtualisation.vlans = [ 1 ];
+        networking.interfaces.eth1.ipv4.addresses = [{
+          address = "192.168.1.11";
+          prefixLength = 24;
+        }];
+
+        services.mycelium = {
+          enable = true;
+          addHostedPublicNodes = false;
+          openFirewall = true;
+          keyFile = ./peer1.key;
+          peers = [
+            "quic://192.168.1.12:9651"
+            "tcp://192.168.1.12:9651"
+          ];
+        };
+      };
+
+      peer2 = { config, pkgs, ... }: {
+        virtualisation.vlans = [ 1 ];
+        networking.interfaces.eth1.ipv4.addresses = [{
+          address = "192.168.1.12";
+          prefixLength = 24;
+        }];
+
+        services.mycelium = {
+          enable = true;
+          addHostedPublicNodes = false;
+          openFirewall = true;
+          keyFile = ./peer2.key;
+        };
+      };
+    };
+
+    testScript = ''
+      start_all()
+
+      peer1.wait_for_unit("network-online.target")
+      peer2.wait_for_unit("network-online.target")
+      peer1.wait_for_unit("mycelium.service")
+      peer2.wait_for_unit("mycelium.service")
+
+      peer1.succeed("ping -c5 ${peer2-ip}")
+      peer2.succeed("ping -c5 ${peer1-ip}")
+    '';
+  })
diff --git a/nixos/tests/mycelium/peer1.key b/nixos/tests/mycelium/peer1.key
new file mode 100644
index 000000000000..db1cf9e72fe4
--- /dev/null
+++ b/nixos/tests/mycelium/peer1.key
@@ -0,0 +1 @@
+sì	B0㔟ŽdûR�æÈôÌH¶5œu?à»í…^
\ No newline at end of file
diff --git a/nixos/tests/mycelium/peer2.key b/nixos/tests/mycelium/peer2.key
new file mode 100644
index 000000000000..7e757de48efb
--- /dev/null
+++ b/nixos/tests/mycelium/peer2.key
@@ -0,0 +1 @@
+Ï
Xÿ1®yGÏÕ…ŸSAM»�eÈÀ«¾‡œÝ7]
\ No newline at end of file
diff --git a/pkgs/applications/audio/monkeys-audio/default.nix b/pkgs/applications/audio/monkeys-audio/default.nix
index d4da27dd3639..c68d14b28f99 100644
--- a/pkgs/applications/audio/monkeys-audio/default.nix
+++ b/pkgs/applications/audio/monkeys-audio/default.nix
@@ -5,13 +5,13 @@
 }:
 
 stdenv.mkDerivation (finalAttrs: {
-  version = "10.52";
+  version = "10.60";
   pname = "monkeys-audio";
 
   src = fetchzip {
     url = "https://monkeysaudio.com/files/MAC_${
       builtins.concatStringsSep "" (lib.strings.splitString "." finalAttrs.version)}_SDK.zip";
-    hash = "sha256-n+bQzvuCTt7dnqkPO592KKZeShmMlbp/KAXK0F2dlTg=";
+    hash = "sha256-llOo9G65UDDCzaSahq5qssw6SmOJ5C9qS2bdXB/pKF0=";
     stripRoot = false;
   };
   nativeBuildInputs = [
diff --git a/pkgs/applications/editors/android-studio/default.nix b/pkgs/applications/editors/android-studio/default.nix
index 785feeb98990..6f261ff51983 100644
--- a/pkgs/applications/editors/android-studio/default.nix
+++ b/pkgs/applications/editors/android-studio/default.nix
@@ -10,16 +10,16 @@ let
     inherit tiling_wm;
   };
   stableVersion = {
-    version = "2023.2.1.23"; # "Android Studio Iguana | 2023.2.1"
-    sha256Hash = "sha256-G2aPgMqBHNw1DetlaBQ9o3/VfX6QEh9VQqMZ5S/VoHM=";
+    version = "2023.2.1.24"; # "Android Studio Iguana | 2023.2.1 Patch 1"
+    sha256Hash = "sha256-ACZCdXKEnJy7DJTW+XGOoIvDRdzP47NytUEAqV//mbU=";
   };
   betaVersion = {
     version = "2023.2.1.23"; # "Android Studio Iguana | 2023.2.1"
     sha256Hash = "sha256-G2aPgMqBHNw1DetlaBQ9o3/VfX6QEh9VQqMZ5S/VoHM=";
   };
   latestVersion = {
-    version = "2023.3.1.12"; # "Android Studio Jellyfish | 2023.3.1 Canary 12"
-    sha256Hash = "sha256-yg84WBLHfb6q+OlHuh5SJ5P4Fuc8yqO9eZ8iecOhZj4=";
+    version = "2023.3.2.1"; # "Android Studio Jellyfish | 2023.3.2 Canary 1"
+    sha256Hash = "sha256-99EWGh3+3HV8yO29ANg1pwoo/1ktI2aCwKrdIqlcgVs=";
   };
 in {
   # Attributes are named by their corresponding release channels
diff --git a/pkgs/applications/editors/bluefish/default.nix b/pkgs/applications/editors/bluefish/default.nix
index 0ec47ceb9566..afcc62a28999 100644
--- a/pkgs/applications/editors/bluefish/default.nix
+++ b/pkgs/applications/editors/bluefish/default.nix
@@ -13,11 +13,11 @@
 
 stdenv.mkDerivation rec {
   pname = "bluefish";
-  version = "2.2.14";
+  version = "2.2.15";
 
   src = fetchurl {
     url = "mirror://sourceforge/bluefish/bluefish-${version}.tar.bz2";
-    sha256 = "sha256-IszfnOTlyWIQY+bPfXOr+wc2q3pyvOCG0Gxc9e4SXt4=";
+    sha256 = "sha256-YUPlHGtVedWW86moXg8NhYDJ9Y+ChXWxGYgODKHZQbw=";
   };
 
   nativeBuildInputs = [ pkg-config wrapGAppsHook ];
diff --git a/pkgs/applications/editors/rstudio/default.nix b/pkgs/applications/editors/rstudio/default.nix
index 82a572eaf4c5..d3ca7de1d6a1 100644
--- a/pkgs/applications/editors/rstudio/default.nix
+++ b/pkgs/applications/editors/rstudio/default.nix
@@ -7,7 +7,7 @@
 , makeDesktopItem
 , copyDesktopItems
 , cmake
-, boost
+, boost183
 , zlib
 , openssl
 , R
@@ -40,18 +40,19 @@
 
 let
   pname = "RStudio";
-  version =
-  "${RSTUDIO_VERSION_MAJOR}.${RSTUDIO_VERSION_MINOR}.${RSTUDIO_VERSION_PATCH}${RSTUDIO_VERSION_SUFFIX}";
-  RSTUDIO_VERSION_MAJOR  = "2023";
-  RSTUDIO_VERSION_MINOR  = "09";
-  RSTUDIO_VERSION_PATCH  = "0";
-  RSTUDIO_VERSION_SUFFIX = "+463";
+  version = "2023.12.1+402";
+  RSTUDIO_VERSION_MAJOR = lib.versions.major version;
+  RSTUDIO_VERSION_MINOR = lib.versions.minor version;
+  RSTUDIO_VERSION_PATCH = lib.versions.patch version;
+  RSTUDIO_VERSION_SUFFIX = "+" + toString (
+    lib.tail (lib.splitString "+" version)
+  );
 
   src = fetchFromGitHub {
     owner = "rstudio";
     repo = "rstudio";
-    rev = "v${version}";
-    hash = "sha256-FwNuU2rbE3GEhuwphvZISUMhvSZJ6FjjaZ1oQ9F8NWc=";
+    rev = version;
+    hash = "sha256-ecMzkpHazg8jEBz9wh8hqRX2UdziOC8b6F+3xxdugy0=";
   };
 
   mathJaxSrc = fetchurl {
@@ -62,8 +63,8 @@ let
   rsconnectSrc = fetchFromGitHub {
     owner = "rstudio";
     repo = "rsconnect";
-    rev = "5175a927a41acfd9a21d9fdecb705ea3292109f2";
-    hash = "sha256-c1fFcN6KAfxXv8bv4WnIqQKg1wcNP2AywhEmIbyzaBA=";
+    rev = "v1.2.0";
+    hash = "sha256-ghRz4Frd+I9ShRNNOE/kdk9KjRCj0Z1mPnThueriiUY=";
   };
 
   # Ideally, rev should match the rstudio release name.
@@ -93,7 +94,7 @@ in
     ];
 
     buildInputs = [
-      boost
+      boost183
       zlib
       openssl
       R
@@ -133,6 +134,7 @@ in
       ./fix-resources-path.patch
       ./pandoc-nix-path.patch
       ./use-system-quarto.patch
+      ./ignore-etc-os-release.patch
     ];
 
     postPatch = ''
diff --git a/pkgs/applications/editors/rstudio/ignore-etc-os-release.patch b/pkgs/applications/editors/rstudio/ignore-etc-os-release.patch
new file mode 100644
index 000000000000..7c67edd16fcb
--- /dev/null
+++ b/pkgs/applications/editors/rstudio/ignore-etc-os-release.patch
@@ -0,0 +1,77 @@
+diff --git a/CMakeGlobals.txt b/CMakeGlobals.txt
+index 5f96ffb..3f15687 100644
+--- a/CMakeGlobals.txt
++++ b/CMakeGlobals.txt
+@@ -29,11 +29,6 @@ endif()
+ get_filename_component(ROOT_SRC_DIR ${CMAKE_CURRENT_LIST_FILE} PATH)
+ set(CMAKE_MODULE_PATH "${ROOT_SRC_DIR}/cmake/modules/")
+ 
+-# read /etc/os-release
+-if(LINUX)
+-   include(OsRelease)
+-endif()
+-
+ # version info
+ if ("$ENV{RSTUDIO_VERSION_MAJOR}" STREQUAL "")
+   string(TIMESTAMP CPACK_PACKAGE_VERSION_MAJOR "%Y")
+diff --git a/cmake/modules/OsRelease.cmake b/cmake/modules/OsRelease.cmake
+deleted file mode 100644
+index 81a9e1f..0000000
+--- a/cmake/modules/OsRelease.cmake
++++ /dev/null
+@@ -1,24 +0,0 @@
+-#
+-# OsRelease.cmake
+-#
+-# Copyright (C) 2022 by Posit Software, PBC
+-#
+-# This program is licensed to you under the terms of version 3 of the
+-# GNU Affero General Public License. This program is distributed WITHOUT
+-# ANY EXPRESS OR IMPLIED WARRANTY, INCLUDING THOSE OF NON-INFRINGEMENT,
+-# MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Please refer to the
+-# AGPL (http://www.gnu.org/licenses/agpl-3.0.txt) for more details.
+-#
+-#
+-
+-# reads and parses /etc/os-release into CMake variables
+-file(STRINGS "/etc/os-release" OS_RELEASE)
+-foreach(LINE ${OS_RELEASE})
+-	string(FIND "${LINE}" "=" INDEX)
+-	string(SUBSTRING "${LINE}" 0 "${INDEX}" KEY)
+-	math(EXPR INDEX "${INDEX} + 1")
+-	string(SUBSTRING "${LINE}" "${INDEX}" -1 VALUE)
+-	separate_arguments(VALUE UNIX_COMMAND "${VALUE}")
+-	set("OS_RELEASE_${KEY}" "${VALUE}" CACHE INTERNAL "/etc/os-release: ${KEY}")
+-endforeach()
+-
+diff --git a/package/linux/CMakeLists.txt b/package/linux/CMakeLists.txt
+index 5d5c35e..a94f8fc 100644
+--- a/package/linux/CMakeLists.txt
++++ b/package/linux/CMakeLists.txt
+@@ -16,7 +16,7 @@
+ # configure cpack install location
+ set(CPACK_SET_DESTDIR "ON")
+ set(CPACK_INSTALL_PREFIX "${CMAKE_INSTALL_PREFIX}")
+-message(STATUS "Packaging RStudio for ${OS_RELEASE_PRETTY_NAME}")
++message(STATUS "Packaging RStudio for Nix")
+ 
+ # detect architecture (packaging platform specific)
+ find_program(DPKG_EXECUTABLE dpkg)
+@@ -42,17 +42,6 @@ if(EXISTS "/etc/redhat-release")
+    endif()
+ endif()
+ 
+-# set libssl dependency
+-if(OS_RELEASE_ID STREQUAL "ubuntu")
+-  if(OS_RELEASE_VERSION_ID VERSION_GREATER_EQUAL "22.04")
+-    set(RSTUDIO_DEBIAN_DEPENDS_SSL "libssl-dev")
+-  else()
+-    set(RSTUDIO_DEBIAN_DEPENDS_SSL "libssl1.0.0 | libssl1.0.2 | libssl1.1")
+-  endif()
+-else()
+-  set(RSTUDIO_DEBIAN_DEPENDS_SSL "libssl-dev")
+-endif()
+-
+ # configuration specific
+ if(RSTUDIO_SERVER)
+ 
diff --git a/pkgs/applications/editors/rstudio/use-system-node.patch b/pkgs/applications/editors/rstudio/use-system-node.patch
index bb4480b4ae5f..6e0acf46dda0 100644
--- a/pkgs/applications/editors/rstudio/use-system-node.patch
+++ b/pkgs/applications/editors/rstudio/use-system-node.patch
@@ -6,7 +6,7 @@ index d18362b..98cdd4c 100644
  external-pandoc-path=${RSTUDIO_DEPENDENCIES_PANDOC_DIR}
  external-quarto-path=${RSTUDIO_DEPENDENCIES_QUARTO_DIR}
  external-libclang-path=${RSTUDIO_DEPENDENCIES_DIR}/common/libclang
--external-node-path=${RSTUDIO_DEPENDENCIES_DIR}/common/node/16.14.0/bin/node
+-external-node-path=${RSTUDIO_DEPENDENCIES_DIR}/common/node/18.18.2/bin/node
 +external-node-path=@node@/bin/node
  
  # enable copilot
@@ -32,7 +32,7 @@ index 033d605..f1ee63d 100644
 +++ b/src/gwt/build.xml
 @@ -87,29 +87,7 @@
     <!-- ensure version matches RSTUDIO_NODE_VERSION -->
-    <property name="node.version" value="16.14.0"/>
+    <property name="node.version" value="18.18.2"/>
     <property name="node.dir" value="../../dependencies/common/node/${node.version}"/>
 -   <!-- use yarn from system but will prefer yarn from dependencies if available -->
 -   <condition property="yarn.bin" value="yarn">
@@ -58,15 +58,18 @@ index 033d605..f1ee63d 100644
 -      value="c:\rstudio-tools\dependencies\common\node\${node.version}\node_modules\yarn\bin\yarn.cmd"
 -      file="c:\rstudio-tools\dependencies\common\node\${node.version}\node_modules\yarn\bin\yarn.cmd"/>
 +   <property name="node.bin" value="@node@/bin/node"/>
- 
+
     <property name="panmirror.dir" value="./lib/quarto/apps/panmirror"/>
     <property name="panmirror.build.dir" value="./www/js/panmirror"/>
-@@ -126,21 +104,11 @@
-       file="c:\rstudio-tools\src\gwt\lib\quarto\apps\panmirror"/>
- 
-    <target name="panmirror" description="Compile panmirror library">
+@@ -133,28 +111,11 @@
+             <isset property="panmirror.minify" />
+          </not>
+       </condition>
+-
 -      <echo message="yarn location: ${yarn.bin}"/>
 -      <echo message="panmirror location: ${panmirror.dir}"/>
+-      <echo message="panmirror minify: ${panmirror.minify}"/>
+-
        <mkdir dir="${panmirror.build.dir}"/>
 -      <exec executable="${yarn.bin}" dir="${panmirror.dir}" resolveexecutable="true" failonerror="true">
 -         <arg value="install"/>
@@ -75,14 +78,19 @@ index 033d605..f1ee63d 100644
 -      </exec>
 -      <exec executable="${yarn.bin}" dir="${panmirror.dir}" resolveexecutable="true" failonerror="true">
 -         <arg value="build"/>
+-         <arg value="--minify"/>
+-         <arg value="${panmirror.minify}"/>
+-         <arg value="--sourcemap"/>
+-         <arg value="true"/>
 -         <env key="PANMIRROR_OUTDIR" value="dist-rstudio"/>
-+      <exec executable="${node.bin}" dir="${panmirror.dir}" spawn="${panmirror.spawn}">
-+         <arg value="fuse"/>
-+         <arg value="${panmirror.target}"/>
++     <exec executable="${node.bin}" dir="${panmirror.dir}" spawn="${panmirror.spawn}">
++          <arg value="fuse"/>
++          <arg value="${panmirror.target}"/>
        </exec>
 -      <copy todir="${panmirror.build.dir}">
 -         <fileset dir="${panmirror.dir}/dist-rstudio"/>
 -      </copy>
     </target>
- 
+
     <target name="javac" description="Compile java source">
+    
diff --git a/pkgs/applications/emulators/punes/default.nix b/pkgs/applications/emulators/punes/default.nix
index 73cdd865d172..ba5f1205a58b 100644
--- a/pkgs/applications/emulators/punes/default.nix
+++ b/pkgs/applications/emulators/punes/default.nix
@@ -1,7 +1,6 @@
 { stdenv
 , lib
 , fetchFromGitHub
-, fetchpatch
 , gitUpdater
 , cmake
 , pkg-config
@@ -17,26 +16,17 @@
 , wrapQtAppsHook
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "punes";
-  version = "0.110";
+  version = "0.111";
 
   src = fetchFromGitHub {
     owner = "punesemu";
     repo = "puNES";
-    rev = "v${version}";
-    sha256 = "sha256-+hL168r40aYUjyLbWFXWk9G2srrrG1TH1gLYMliHftU=";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-TIXjYkInWV3yVnvXrdHcmeWYeps5TcvkG2Xjg4roIds=";
   };
 
-  patches = [
-    # Fixes compilation on aarch64
-    # Remove when version > 0.110
-    (fetchpatch {
-      url = "https://github.com/punesemu/puNES/commit/90dd5bc90412bbd199c2716f67a24aa88b24d80f.patch";
-      hash = "sha256-/KNpTds4qjwyaTUebWWPlVXfuxVh6M4zOInxUfYztJg=";
-    })
-  ];
-
   nativeBuildInputs = [
     cmake
     pkg-config
@@ -73,8 +63,9 @@ stdenv.mkDerivation rec {
     description = "Qt-based Nintendo Entertainment System emulator and NSF/NSFe Music Player";
     mainProgram = "punes";
     homepage = "https://github.com/punesemu/puNES";
+    changelog = "https://github.com/punesemu/puNES/blob/v${finalAttrs.version}/ChangeLog";
     license = licenses.gpl2Plus;
     maintainers = with maintainers; [ OPNA2608 ];
     platforms = with platforms; linux ++ freebsd ++ openbsd ++ windows;
   };
-}
+})
diff --git a/pkgs/applications/graphics/drawio/default.nix b/pkgs/applications/graphics/drawio/default.nix
index 20f061c50e04..b9c56a01e006 100644
--- a/pkgs/applications/graphics/drawio/default.nix
+++ b/pkgs/applications/graphics/drawio/default.nix
@@ -6,6 +6,7 @@
 , copyDesktopItems
 , prefetch-yarn-deps
 , makeWrapper
+, autoSignDarwinBinariesHook
 , nodejs
 , yarn
 , electron
@@ -23,6 +24,11 @@ stdenv.mkDerivation rec {
     hash = "sha256-+TCnVXcmAEpa7MiL0dyeoh2aUfIIO8eze9pEaHgKnME=";
   };
 
+  # `@electron/fuses` tries to run `codesign` and fails. Disable and use autoSignDarwinBinariesHook instead
+  postPatch = ''
+    sed -i -e 's/resetAdHocDarwinSignature:.*/resetAdHocDarwinSignature: false,/' build/fuses.js
+  '';
+
   offlineCache = fetchYarnDeps {
     yarnLock = src + "/yarn.lock";
     hash = "sha256-QS0bkDDQq3sn79TQ+pTZsmbmXgMccyLmlPLTsko7eGg=";
@@ -35,6 +41,8 @@ stdenv.mkDerivation rec {
     yarn
   ] ++ lib.optionals (!stdenv.isDarwin) [
     copyDesktopItems
+  ] ++ lib.optionals stdenv.isDarwin [
+    autoSignDarwinBinariesHook
   ];
 
   ELECTRON_SKIP_BINARY_DOWNLOAD = true;
diff --git a/pkgs/applications/misc/electrum/grs.nix b/pkgs/applications/misc/electrum/grs.nix
index b615a61f5a19..4ca911126c5b 100644
--- a/pkgs/applications/misc/electrum/grs.nix
+++ b/pkgs/applications/misc/electrum/grs.nix
@@ -10,7 +10,7 @@
 }:
 
 let
-  version = "4.4.4";
+  version = "4.5.4";
 
   libsecp256k1_name =
     if stdenv.isLinux then "libsecp256k1.so.{v}"
@@ -32,11 +32,11 @@ python3.pkgs.buildPythonApplication {
     owner = "Groestlcoin";
     repo = "electrum-grs";
     rev = "refs/tags/v${version}";
-    sha256 = "0fl01qdvb1z6l6kwipj1lj0qmjk3mzw25wv7yh5j1hh1f5lng0s8";
+    sha256 = "1k078jg3bw4n3kcxy917m30x1skxm679w8hcw8mlxb94ikrjc66h";
   };
 
   nativeBuildInputs = lib.optionals enableQt [ wrapQtAppsHook ];
-  buildInputs = lib.optional stdenv.isLinux qtwayland;
+  buildInputs = lib.optional (stdenv.isLinux && enableQt) qtwayland;
 
   propagatedBuildInputs = with python3.pkgs; [
     aiohttp
@@ -56,17 +56,25 @@ python3.pkgs.buildPythonApplication {
     requests
     tlslite-ng
     certifi
+    jsonpatch
     # plugins
     btchip-python
     ledger-bitcoin
     ckcc-protocol
     keepkey
     trezor
+    bitbox02
+    cbor
+    pyserial
   ] ++ lib.optionals enableQt [
     pyqt5
     qdarkstyle
   ];
 
+  checkInputs = with python3.pkgs; lib.optionals enableQt [
+    pyqt6
+  ];
+
   postPatch = ''
     # make compatible with protobuf4 by easing dependencies ...
     substituteInPlace ./contrib/requirements/requirements.txt \
@@ -104,7 +112,6 @@ python3.pkgs.buildPythonApplication {
 
   meta = with lib; {
     description = "Lightweight Groestlcoin wallet";
-    mainProgram = "electrum-grs";
     longDescription = ''
       An easy-to-use Groestlcoin client featuring wallets generated from
       mnemonic seeds (in addition to other, more advanced, wallet options)
@@ -116,5 +123,6 @@ python3.pkgs.buildPythonApplication {
     license = licenses.mit;
     platforms = platforms.all;
     maintainers = with maintainers; [ gruve-p ];
+    mainProgram = "electrum-grs";
   };
 }
diff --git a/pkgs/applications/misc/kuro/default.nix b/pkgs/applications/misc/kuro/default.nix
index 50a773b5c518..55a2e04c9326 100644
--- a/pkgs/applications/misc/kuro/default.nix
+++ b/pkgs/applications/misc/kuro/default.nix
@@ -5,18 +5,21 @@
 , makeDesktopItem
 , copyDesktopItems
 , mkYarnPackage
-, electron
+, electron_29
 }:
 
+let
+  electron = electron_29;
+in
 mkYarnPackage rec {
   pname = "kuro";
   version = "9.0.0";
 
   src = fetchFromGitHub {
     owner = "davidsmorais";
-    repo = pname;
+    repo = "kuro";
     rev = "v${version}";
-    sha256 = "sha256-9Z/r5T5ZI5aBghHmwiJcft/x/wTRzDlbIupujN2RFfU=";
+    hash = "sha256-9Z/r5T5ZI5aBghHmwiJcft/x/wTRzDlbIupujN2RFfU=";
   };
 
   packageJSON = ./package.json;
@@ -26,7 +29,7 @@ mkYarnPackage rec {
     hash = "sha256-GTiNv7u1QK/wjQgpka7REuoLn2wjZG59kYJQaZZPycI=";
   };
 
-  ELECTRON_SKIP_BINARY_DOWNLOAD = "1";
+  env.ELECTRON_SKIP_BINARY_DOWNLOAD = "1";
 
   nativeBuildInputs = [
     makeWrapper
@@ -68,21 +71,23 @@ mkYarnPackage rec {
 
   desktopItems = [
     (makeDesktopItem {
-      name = pname;
-      exec = pname;
-      icon = pname;
+      name = "kuro";
+      exec = "kuro";
+      icon = "kuro";
       desktopName = "Kuro";
       genericName = "Microsoft To-Do Client";
       comment = meta.description;
       categories = [ "Office" ];
-      startupWMClass = pname;
+      startupWMClass = "kuro";
     })
   ];
 
   meta = with lib; {
+    changelog = "https://github.com/davidsmorais/kuro/releases/tag/${src.rev}";
     description = "An unofficial, featureful, open source, community-driven, free Microsoft To-Do app";
     homepage = "https://github.com/davidsmorais/kuro";
     license = licenses.mit;
+    mainProgram = "kuro";
     maintainers = with maintainers; [ ChaosAttractor ];
     inherit (electron.meta) platforms;
   };
diff --git a/pkgs/applications/misc/obinskit/default.nix b/pkgs/applications/misc/obinskit/default.nix
deleted file mode 100644
index 043ff2352e90..000000000000
--- a/pkgs/applications/misc/obinskit/default.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-{ stdenv
-, lib
-, fetchurl
-, libxkbcommon
-, systemd
-, xorg
-, electron_13
-, makeWrapper
-, makeDesktopItem
-}:
-let
-  desktopItem = makeDesktopItem rec {
-    name = "Obinskit";
-    exec = "obinskit";
-    icon = "obinskit";
-    desktopName = "Obinskit";
-    genericName = "Obinskit keyboard configurator";
-    categories = [ "Utility" ];
-  };
-  electron = electron_13;
-in
-stdenv.mkDerivation rec {
-  pname = "obinskit";
-  version = "1.2.11";
-
-  src = fetchurl {
-    url = "https://s3.hexcore.xyz/occ/linux/tar/ObinsKit_${version}_x64.tar.gz";
-    curlOptsList = [ "--header" "Referer: https://www.hexcore.xyz/" ];
-    hash = "sha256-KhCu1TZsJmcXRSWSTaYOMjt+IA4qqavBwaYzXnkgls0=";
-  };
-
-  unpackPhase = "tar -xzf $src";
-
-  sourceRoot = "ObinsKit_${version}_x64";
-
-  nativeBuildInputs = [ makeWrapper ];
-
-  dontConfigure = true;
-  dontBuild = true;
-
-  installPhase = ''
-    mkdir -p $out/opt/obinskit
-
-    cp -r resources $out/opt/obinskit/
-    cp -r locales $out/opt/obinskit/
-
-    mkdir -p $out/share/{applications,pixmaps}
-    install resources/icons/tray-darwin@2x.png $out/share/pixmaps/obinskit.png
-    ln -s ${desktopItem}/share/applications/* $out/share/applications
-  '';
-
-  postFixup = ''
-    makeWrapper ${electron}/bin/electron $out/bin/${pname} \
-      --add-flags $out/opt/obinskit/resources/app.asar \
-      --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ stdenv.cc.cc.lib libxkbcommon (lib.getLib systemd) xorg.libXt xorg.libXtst ]}"
-  '';
-
-  meta = with lib; {
-    description = "Graphical configurator for Anne Pro and Anne Pro II keyboards";
-    homepage = "https://www.hexcore.xyz/obinskit";
-    license = licenses.unfree;
-    maintainers = with maintainers; [ shou ];
-    platforms = [ "x86_64-linux" ];
-  };
-}
diff --git a/pkgs/applications/misc/passky-desktop/default.nix b/pkgs/applications/misc/passky-desktop/default.nix
index 927035ed8167..ec45bc3efaea 100644
--- a/pkgs/applications/misc/passky-desktop/default.nix
+++ b/pkgs/applications/misc/passky-desktop/default.nix
@@ -1,12 +1,15 @@
 { lib
 , stdenv
 , fetchFromGitHub
-, electron_22
+, electron_29
 , makeWrapper
 , makeDesktopItem
 , copyDesktopItems
 }:
 
+let
+  electron = electron_29;
+in
 stdenv.mkDerivation rec {
   pname = "passky-desktop";
   version = "8.1.1";
@@ -18,7 +21,10 @@ stdenv.mkDerivation rec {
     sha256 = "1ma8s1bngjdzclcc4m5pcmavk38sidaskmz7dgfnv84y35si18dr";
   };
 
-  nativeBuildInputs = [ makeWrapper copyDesktopItems ];
+  nativeBuildInputs = [
+    makeWrapper
+    copyDesktopItems
+  ];
 
   installPhase = ''
     runHook preInstall
@@ -35,7 +41,7 @@ stdenv.mkDerivation rec {
     done
 
     mkdir "$out/share/applications"
-    makeWrapper ${electron_22}/bin/electron "$out/bin/passky" \
+    makeWrapper ${electron}/bin/electron "$out/bin/passky" \
       --add-flags "$out/share/passky/electron/" \
       --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}"
 
@@ -45,12 +51,13 @@ stdenv.mkDerivation rec {
   desktopItems = [
     (
       makeDesktopItem {
-        name = "Passky";
+        name = "passky";
         type = "Application";
-        desktopName = "passky";
+        desktopName = "Passky";
         comment = "Simple, modern, open source and secure password manager.";
         icon = "passky";
         exec = "passky %U";
+        terminal = false;
         categories = [ "Utility" ];
         startupWMClass = "Passky";
       }
diff --git a/pkgs/applications/misc/sl1-to-photon/default.nix b/pkgs/applications/misc/sl1-to-photon/default.nix
index e76dff0ca570..901265016f8e 100644
--- a/pkgs/applications/misc/sl1-to-photon/default.nix
+++ b/pkgs/applications/misc/sl1-to-photon/default.nix
@@ -8,34 +8,34 @@
 , shiboken2
 }:
 let
-  version = "0.1.3";
+  version = "0.1.3+";
 in
  buildPythonApplication rec {
   pname = "sl1-to-photon";
   inherit version;
 
   src = fetchFromGitHub {
-    owner = "fookatchu";
+    owner = "cab404";
     repo = "SL1toPhoton";
-    rev = "v${version}";
-    sha256 = "1hmb74rcky3nax4lxn7pw6lcd5a66fdbwrm11c84zb31xb51bakw";
+    rev = "7edc6ea99818622f5d49ac7af80ddd4916b8c19f";
+    sha256 = "ssFfjlBMi3FHosDBUA2gs71VUIBkEdPVcV3STNxmOIM=";
   };
 
-  propagatedBuildInputs = [ pyphotonfile pillow numpy pyside2 shiboken2 ];
+  pythonPath = [ pyphotonfile pillow numpy pyside2 shiboken2 ];
 
-  format = "other";
+  format = "setuptools";
+  dontUseSetuptoolsCheck = true;
 
   installPhase = ''
     install -D -m 0755 SL1_to_Photon.py $out/bin/${pname}
-    sed -i '1i#!/usr/bin/env python' $out/bin/${pname}
   '';
 
   meta = with lib; {
     maintainers = [ maintainers.cab404 ];
     license = licenses.gpl3Plus;
     description = "Tool for converting Slic3r PE's SL1 files to Photon files for the Anycubic Photon 3D-Printer";
+    homepage = "https://github.com/cab404/SL1toPhoton";
     mainProgram = "sl1-to-photon";
-    homepage = "https://github.com/fookatchu/SL1toPhoton";
   };
 
 }
diff --git a/pkgs/applications/misc/sweethome3d/default.nix b/pkgs/applications/misc/sweethome3d/default.nix
index 2c8f9993fed5..ddb649e3c359 100644
--- a/pkgs/applications/misc/sweethome3d/default.nix
+++ b/pkgs/applications/misc/sweethome3d/default.nix
@@ -53,6 +53,9 @@ let
     nativeBuildInputs = [ makeWrapper unzip autoPatchelfHook ];
     buildInputs = [ ant jdk p7zip gtk3 gsettings-desktop-schemas libXxf86vm ];
 
+    # upstream targets Java 7 by default
+    env.ANT_ARGS = "-DappletClassSource=8 -DappletClassTarget=8 -DclassSource=8 -DclassTarget=8";
+
     buildPhase = ''
       runHook preBuild
 
diff --git a/pkgs/applications/misc/sweethome3d/editors.nix b/pkgs/applications/misc/sweethome3d/editors.nix
index d5cdebb76282..926d75fe5c7a 100644
--- a/pkgs/applications/misc/sweethome3d/editors.nix
+++ b/pkgs/applications/misc/sweethome3d/editors.nix
@@ -44,6 +44,9 @@ let
     nativeBuildInputs = [ makeWrapper unzip ];
     buildInputs = [ ant jdk gtk3 gsettings-desktop-schemas ];
 
+    # upstream targets Java 7 by default
+    env.ANT_ARGS = "-DappletClassSource=8 -DappletClassTarget=8 -DclassSource=8 -DclassTarget=8";
+
     postPatch = ''
       sed -i -e 's,../SweetHome3D,${applicationSrc},g' build.xml
       sed -i -e 's,lib/macosx/java3d-1.6/jogl-all.jar,lib/java3d-1.6/jogl-all.jar,g' build.xml
diff --git a/pkgs/applications/misc/waycorner/default.nix b/pkgs/applications/misc/waycorner/default.nix
index 01b1b80277cb..2cffde8cfc37 100644
--- a/pkgs/applications/misc/waycorner/default.nix
+++ b/pkgs/applications/misc/waycorner/default.nix
@@ -8,14 +8,14 @@
 }:
 rustPlatform.buildRustPackage rec {
   pname = "waycorner";
-  version = "0.2.1";
+  version = "0.2.2";
   src = fetchFromGitHub {
     owner = "AndreasBackx";
     repo = "waycorner";
     rev = version;
-    hash = "sha256-xvmvtn6dMqt8kUwvn5d5Nl1V84kz1eWa9BSIN/ONkSQ=";
+    hash = "sha256-b0wGqtCvWzCV9mj2eZ0SXzxM02fbyQ+OfKcbZ2MhLOE=";
   };
-  cargoHash = "sha256-Dl+GhJywWhaC4QMS70klazPsFipGVRW+6jrXH2XsEAI=";
+  cargoHash = "sha256-Xl2nBBcfWjULKG2L+qX4ruw7gux6+qfFg/dTAarqgAU=";
   buildInputs = [
     wayland
   ];
diff --git a/pkgs/applications/networking/browsers/chromium/upstream-info.nix b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
index ad3913aedb2b..c2f21bd8b700 100644
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.nix
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
@@ -1,23 +1,23 @@
 {
   stable = {
     chromedriver = {
-      hash_darwin = "sha256-QdL9KamluVX6kIIY6F7zxKL5l7clhsE7QWGWw4YRUtM=";
+      hash_darwin = "sha256-yRLbe3xl0L/PfRcVB4LA6JeDvLpgUhtKZiAfyB2v/ZE=";
       hash_darwin_aarch64 =
-        "sha256-GKqk6GMitz0uud65iPCUMdOtIEhmWyHPbtrO+V2f8XU=";
-      hash_linux = "sha256-QKr2BjydiP5D3T5becwQHeFmK0LMrIFhbssDELqSEQM=";
-      version = "122.0.6261.128";
+        "sha256-TMreCFF9Lo+9gy7kzZWd9Mjep0CYa3Cxn4kr9BNTdkE=";
+      hash_linux = "sha256-rM2usA0zDZ1aXvkbvm+l0xalViEJIxu8ZYZvoTkNiis=";
+      version = "123.0.6312.58";
     };
     deps = {
       gn = {
-        hash = "sha256-UhdDsq9JyP0efGpAaJ/nLp723BbjM6pkFPcAnQbgMKY=";
-        rev = "f99e015ac35f689cfdbf46e4eb174e5d2da78d8e";
+        hash = "sha256-JvilCnnb4laqwq69fay+IdAujYC1EHD7uWpkF/C8tBw=";
+        rev = "d4f94f9a6c25497b2ce0356bb99a8d202c8c1d32";
         url = "https://gn.googlesource.com/gn";
-        version = "2024-01-22";
+        version = "2024-02-19";
       };
     };
-    hash = "sha256-BzLSwDQrmKavh4s2uOSfP935NnB5+Hw7oD7YDbSWp2g=";
-    hash_deb_amd64 = "sha256-SxdYfWhV3ZpiGWmagOM6JUfjAmU9pzFGDQDinXrweas=";
-    version = "122.0.6261.128";
+    hash = "sha256-GrCYCUjxV16tinqrIqW4DQD51dKIgKNu2fLLz9Yqq7k=";
+    hash_deb_amd64 = "sha256-z+UC7wUsWAX7kPIgk8S9ujW2n6HlUp0m3zHTvsAiTps=";
+    version = "123.0.6312.58";
   };
   ungoogled-chromium = {
     deps = {
diff --git a/pkgs/applications/networking/browsers/firefox/wrapper.nix b/pkgs/applications/networking/browsers/firefox/wrapper.nix
index a2b97577c8d3..0f62075439c5 100644
--- a/pkgs/applications/networking/browsers/firefox/wrapper.nix
+++ b/pkgs/applications/networking/browsers/firefox/wrapper.nix
@@ -18,6 +18,7 @@
 , sndio
 , libjack2
 , speechd
+, removeReferencesTo
 }:
 
 ## configurability of the wrapper itself
@@ -238,7 +239,7 @@ let
               };
             }));
 
-      nativeBuildInputs = [ makeWrapper lndir jq ];
+      nativeBuildInputs = [ makeWrapper lndir jq removeReferencesTo ];
       buildInputs = [ browser.gtk3 ];
 
 
@@ -413,7 +414,9 @@ let
       passthru = { unwrapped = browser; };
 
       disallowedRequisites = [ stdenv.cc ];
-
+      postInstall = ''
+        find "$out" -type f -exec remove-references-to -t ${stdenv.cc} '{}' +
+      '';
       meta = browser.meta // {
         inherit (browser.meta) description;
         mainProgram = launcherName;
diff --git a/pkgs/applications/networking/browsers/mullvad-browser/default.nix b/pkgs/applications/networking/browsers/mullvad-browser/default.nix
index 9bb6fe779832..a016ce839ed6 100644
--- a/pkgs/applications/networking/browsers/mullvad-browser/default.nix
+++ b/pkgs/applications/networking/browsers/mullvad-browser/default.nix
@@ -90,7 +90,7 @@ let
       ++ lib.optionals mediaSupport [ ffmpeg ]
   );
 
-  version = "13.0.10";
+  version = "13.0.12";
 
   sources = {
     x86_64-linux = fetchurl {
@@ -102,7 +102,7 @@ let
         "https://tor.eff.org/dist/mullvadbrowser/${version}/mullvad-browser-linux-x86_64-${version}.tar.xz"
         "https://tor.calyxinstitute.org/dist/mullvadbrowser/${version}/mullvad-browser-linux-x86_64-${version}.tar.xz"
       ];
-      hash = "sha256-+8b3K3XLSPlndR12KNUH0lsPquhTupxQrLBuSEGac7Y=";
+      hash = "sha256-qqz3tdic2muBQI6JXc0/uxBeenWFYHN43K7qJee9q78=";
     };
   };
 
diff --git a/pkgs/applications/networking/browsers/tor-browser/default.nix b/pkgs/applications/networking/browsers/tor-browser/default.nix
index 5e150662274b..79d21a0cbc76 100644
--- a/pkgs/applications/networking/browsers/tor-browser/default.nix
+++ b/pkgs/applications/networking/browsers/tor-browser/default.nix
@@ -101,7 +101,7 @@ lib.warnIf (useHardenedMalloc != null)
       ++ lib.optionals mediaSupport [ ffmpeg ]
   );
 
-  version = "13.0.11";
+  version = "13.0.12";
 
   sources = {
     x86_64-linux = fetchurl {
@@ -111,7 +111,7 @@ lib.warnIf (useHardenedMalloc != null)
         "https://tor.eff.org/dist/torbrowser/${version}/tor-browser-linux-x86_64-${version}.tar.xz"
         "https://tor.calyxinstitute.org/dist/torbrowser/${version}/tor-browser-linux-x86_64-${version}.tar.xz"
       ];
-      hash = "sha256-a8BAesBp85oaHJrkQYcYufH9cy7OrFrfnljZZrFPlGE=";
+      hash = "sha256-2AzcDYngLr+J+s12tAMdB9SjDzOWPnQY9WL7/3+N0FA=";
     };
 
     i686-linux = fetchurl {
@@ -121,7 +121,7 @@ lib.warnIf (useHardenedMalloc != null)
         "https://tor.eff.org/dist/torbrowser/${version}/tor-browser-linux-i686-${version}.tar.xz"
         "https://tor.calyxinstitute.org/dist/torbrowser/${version}/tor-browser-linux-i686-${version}.tar.xz"
       ];
-      hash = "sha256-cyZnLcJmXNjBJhBLwBoW09K6dsT6Og+h0ufc4/6zxac=";
+      hash = "sha256-ect++2xZe00Hlikz6eMNMiiHnVoETSvjD0Cf1oBgj9E=";
     };
   };
 
diff --git a/pkgs/applications/networking/cluster/argocd/default.nix b/pkgs/applications/networking/cluster/argocd/default.nix
index 3139252e65c7..d40532db8a16 100644
--- a/pkgs/applications/networking/cluster/argocd/default.nix
+++ b/pkgs/applications/networking/cluster/argocd/default.nix
@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "argocd";
-  version = "2.10.3";
+  version = "2.10.4";
 
   src = fetchFromGitHub {
     owner = "argoproj";
     repo = "argo-cd";
     rev = "v${version}";
-    hash = "sha256-DaM3vNmZTz4zJTsmtgWwKPhHeUdqe2ZdlXYTppdhiJs=";
+    hash = "sha256-D7vkVvYLImC9dtqPU3Gxe5sQO92qxnx4533ykBm7u7c=";
   };
 
   proxyVendor = true; # darwin/linux hash mismatch
diff --git a/pkgs/applications/networking/cluster/tftui/default.nix b/pkgs/applications/networking/cluster/tftui/default.nix
index 3a9d657dbdd2..5ef3142ee69d 100644
--- a/pkgs/applications/networking/cluster/tftui/default.nix
+++ b/pkgs/applications/networking/cluster/tftui/default.nix
@@ -1,27 +1,33 @@
 { lib
-, buildPythonApplication
-, fetchPypi
+, fetchFromGitHub
 , makeWrapper
-, poetry-core
-, posthog
-, pyperclip
-, requests
-, rich
-, textual
+, python3
 , enableUsageTracking ? false
 }:
 
-buildPythonApplication rec {
+python3.pkgs.buildPythonApplication rec {
   pname = "tftui";
-  version = "0.12.4";
+  version = "0.12.6";
   pyproject = true;
 
-  src = fetchPypi {
-    inherit pname version;
-    hash = "sha256-E4Y0qA7SooMlHh+oSFUl1hfblpirr/Jdb1C2fqU43t0=";
+  src = fetchFromGitHub {
+    owner = "idoavrah";
+    repo = "terraform-tui";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-vK1qKf8+RxwHUpuEQ97PcwGvObNVpd88kAb3DFRoRG0=";
   };
 
-  propagatedBuildInputs = [
+  pythonRelaxDeps = [
+    "textual"
+  ];
+
+  nativeBuildInputs = with python3.pkgs; [
+    makeWrapper
+    poetry-core
+    pythonRelaxDepsHook
+  ];
+
+  propagatedBuildInputs = with python3.pkgs; [
     posthog
     pyperclip
     requests
@@ -29,11 +35,6 @@ buildPythonApplication rec {
     textual
   ];
 
-  nativeBuildInputs = [
-    makeWrapper
-    poetry-core
-  ];
-
   pythonImportsCheck = [
     "tftui"
   ];
@@ -46,7 +47,7 @@ buildPythonApplication rec {
   meta = with lib; {
     description = "Textual UI to view and interact with Terraform state";
     homepage = "https://github.com/idoavrah/terraform-tui";
-    changelog = "https://github.com/idoavrah/terraform-tui/releases";
+    changelog = "https://github.com/idoavrah/terraform-tui/releases/tag/v${version}";
     license = licenses.asl20;
     maintainers = with maintainers; teams.bitnomial.members;
     mainProgram = "tftui";
diff --git a/pkgs/applications/networking/cluster/werf/default.nix b/pkgs/applications/networking/cluster/werf/default.nix
index 85b97faabd3d..27e527b97066 100644
--- a/pkgs/applications/networking/cluster/werf/default.nix
+++ b/pkgs/applications/networking/cluster/werf/default.nix
@@ -10,16 +10,16 @@
 
 buildGoModule rec {
   pname = "werf";
-  version = "1.2.296";
+  version = "1.2.297";
 
   src = fetchFromGitHub {
     owner = "werf";
     repo = "werf";
     rev = "v${version}";
-    hash = "sha256-D0bWva6Y0x9uMdKMONsiGC3SV2ktGPzfMq9BELqgk3E=";
+    hash = "sha256-AFuEpMSsfwjqoiLCiSyXecIe/UA72BEHs+kUaUtZU2U=";
   };
 
-  vendorHash = "sha256-6q13vMxu0iQgaXS+Z6V0jjSIhxMscw6sLANzK07gAlI=";
+  vendorHash = "sha256-mOHrNXaLnTt0WRVJI8GD48pxLvbSa6oWoxa4YFaIA6Y=";
 
   proxyVendor = true;
 
diff --git a/pkgs/applications/networking/instant-messengers/chatty/default.nix b/pkgs/applications/networking/instant-messengers/chatty/default.nix
index 11ac39c32f80..adacea2d019a 100644
--- a/pkgs/applications/networking/instant-messengers/chatty/default.nix
+++ b/pkgs/applications/networking/instant-messengers/chatty/default.nix
@@ -15,6 +15,7 @@
 , gnome-desktop
 , gspell
 , gtk4
+, gst_all_1
 , json-glib
 , libgcrypt
 , libadwaita
@@ -29,7 +30,7 @@
 
 stdenv.mkDerivation rec {
   pname = "chatty";
-  version = "0.8.1";
+  version = "0.8.2";
 
   src = fetchFromGitLab {
     domain = "gitlab.gnome.org";
@@ -37,7 +38,7 @@ stdenv.mkDerivation rec {
     repo = "Chatty";
     rev = "v${version}";
     fetchSubmodules = true;
-    hash = "sha256-5IkQnXAKl0duy/B6+z7PXYv5zxakxJCgQhWBw5wioWg=";
+    hash = "sha256-7SdoN9JjGwELOdISJwS1Afcydp/rE2uq/tHO/UrFKNU=";
   };
 
   nativeBuildInputs = [
@@ -58,6 +59,7 @@ stdenv.mkDerivation rec {
     gnome-desktop
     gspell
     gtk4
+    gst_all_1.gstreamer
     json-glib
     libgcrypt
     libadwaita
diff --git a/pkgs/applications/networking/protonmail-bridge/default.nix b/pkgs/applications/networking/protonmail-bridge/default.nix
index 1414543d4cc4..add40cac8f18 100644
--- a/pkgs/applications/networking/protonmail-bridge/default.nix
+++ b/pkgs/applications/networking/protonmail-bridge/default.nix
@@ -37,17 +37,14 @@ buildGoModule rec {
 
   postInstall = ''
     mv $out/bin/Desktop-Bridge $out/bin/protonmail-bridge # The cli is named like that in other distro packages
-    install -Dm444 dist/proton-bridge.desktop -t $out/share/applications
-    install -Dm444 dist/bridge.svg $out/share/icons/hicolor/scalable/apps/protonmail-bridge.svg
   '';
 
-  meta = with lib; {
-    homepage = "https://github.com/ProtonMail/proton-bridge";
+  meta = {
     changelog = "https://github.com/ProtonMail/proton-bridge/blob/${src.rev}/Changelog.md";
-    downloadPage = "https://github.com/ProtonMail/proton-bridge/releases";
-    license = licenses.gpl3Plus;
-    maintainers = with maintainers; [ mrfreezeex ];
     description = "Use your ProtonMail account with your local e-mail client";
+    downloadPage = "https://github.com/ProtonMail/proton-bridge/releases";
+    homepage = "https://github.com/ProtonMail/proton-bridge";
+    license = lib.licenses.gpl3Plus;
     longDescription = ''
       An application that runs on your computer in the background and seamlessly encrypts
       and decrypts your mail as it enters and leaves your computer.
@@ -55,5 +52,6 @@ buildGoModule rec {
       To work, use secret-service freedesktop.org API (e.g. Gnome keyring) or pass.
     '';
     mainProgram = "protonmail-bridge";
+    maintainers = with lib.maintainers; [ mrfreezeex daniel-fahey ];
   };
 }
diff --git a/pkgs/applications/office/qownnotes/default.nix b/pkgs/applications/office/qownnotes/default.nix
index 272c4d1f1fdf..4509242a239c 100644
--- a/pkgs/applications/office/qownnotes/default.nix
+++ b/pkgs/applications/office/qownnotes/default.nix
@@ -19,14 +19,14 @@
 let
   pname = "qownnotes";
   appname = "QOwnNotes";
-  version = "24.3.3";
+  version = "24.3.4";
 in
 stdenv.mkDerivation {
   inherit pname version;
 
   src = fetchurl {
     url = "https://github.com/pbek/QOwnNotes/releases/download/v${version}/qownnotes-${version}.tar.xz";
-    hash = "sha256-1PnGccbEKkFZGE7mxMD8onMkFd/f9qyvERSu+VL3yUE=";
+    hash = "sha256-PQoZKb0kf/tMQBJ5OpL9XqXv7fAftGTVsg3tZYe3j5c=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/science/biology/astral/default.nix b/pkgs/applications/science/biology/astral/default.nix
index ffe0326239cc..34077949b97d 100644
--- a/pkgs/applications/science/biology/astral/default.nix
+++ b/pkgs/applications/science/biology/astral/default.nix
@@ -2,49 +2,67 @@
 , stdenvNoCC
 , fetchFromGitHub
 , jdk8
-, makeWrapper
 , jre8
+, strip-nondeterminism
+, makeWrapper
 , zip
 }:
+
 let
   jdk = jdk8;
   jre = jre8;
 in
-stdenvNoCC.mkDerivation rec {
+stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "astral";
   version = "5.7.1";
 
   src = fetchFromGitHub {
     owner = "smirarab";
     repo = "ASTRAL";
-    rev = "v${version}";
-    sha256 = "043w2z6gbrisqirdid022f4b8jps1pp5syi344krv2bis1gjq5sn";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-VhcsX9BxiZ0nISN6Xe4N+kq0iBMCtNhyxDrm9cwXfBA=";
   };
 
-  nativeBuildInputs = [ jdk makeWrapper jre zip ];
+  patches = [
+    # we can't use stripJavaArchivesHook here, because the build process puts a .jar file into a zip file
+    # this patch calls strip-nondeterminism manually
+    ./make-deterministic.patch
+  ];
+
+  nativeBuildInputs = [
+    jdk
+    zip
+    strip-nondeterminism
+    makeWrapper
+  ];
 
   buildPhase = ''
+    runHook preBuild
     patchShebangs ./make.sh
     ./make.sh
+    runHook postBuild
   '';
 
   doCheck = true;
 
   checkPhase = ''
     runHook preCheck
-    java -jar astral.${version}.jar -i main/test_data/song_primates.424.gene.tre
+    java -jar astral.${finalAttrs.version}.jar -i main/test_data/song_primates.424.gene.tre
     runHook postCheck
   '';
 
   installPhase = ''
-    mkdir -p $out/share/lib
-    mkdir -p $out/bin
-    mv astral.${version}.jar $out/share/
-    mv lib/*.jar $out/share/lib
-    mv Astral.${version}.zip $out/share/
-    cp -a  main/test_data $out/share/
+    runHook preInstall
+
+    install -Dm644 astral.${finalAttrs.version}.jar -t $out/share
+    install -Dm644 lib/*.jar -t $out/share/lib
+    install -Dm644 Astral.${finalAttrs.version}.zip -t $out/share
+    cp -a main/test_data $out/share
+
     makeWrapper ${jre}/bin/java $out/bin/astral \
-        --add-flags "-jar $out/share/astral.${version}.jar"
+        --add-flags "-jar $out/share/astral.${finalAttrs.version}.jar"
+
+    runHook postInstall
   '';
 
   meta = with lib; {
@@ -53,9 +71,9 @@ stdenvNoCC.mkDerivation rec {
     mainProgram = "astral";
     sourceProvenance = with sourceTypes; [
       fromSource
-      binaryBytecode  # source bundles dependencies as jars
+      binaryBytecode # source bundles dependencies as jars
     ];
     license = licenses.asl20;
-    maintainers = with maintainers; [ bzizou ];
+    maintainers = with maintainers; [ bzizou tomasajt ];
   };
-}
+})
diff --git a/pkgs/applications/science/biology/astral/make-deterministic.patch b/pkgs/applications/science/biology/astral/make-deterministic.patch
new file mode 100644
index 000000000000..940182e2f49f
--- /dev/null
+++ b/pkgs/applications/science/biology/astral/make-deterministic.patch
@@ -0,0 +1,21 @@
+diff --git a/make.sh b/make.sh
+index 3ff6529..937b1a2 100644
+--- a/make.sh
++++ b/make.sh
+@@ -17,6 +17,8 @@ jar cvfm ../astral.$version.jar ../manifest.text phylonet/util/BitSet.* phylonet
+ 
+ cd ..
+ 
++strip-nondeterminism --type jar astral.$version.jar
++
+ chmod +x astral.$version.jar
+ sed -e "s/__astral.jar__/astral.$version.jar/g" -e "s/__astral.zip__/Astral.$version.zip/g" README.template.md > README.md
+ sed -e "s/__astral.jar__/astral.$version.jar/g" -e "s/__astral.zip__/Astral.$version.zip/g" astral-tutorial-template.md > astral-tutorial.md
+@@ -32,6 +34,7 @@ ln -s ../astral-tutorial.pdf .
+ cd ..
+ rm -f Astral.$version.zip
+ zip -r Astral.$version.zip Astral 
++strip-nondeterminism --type zip Astral.$version.zip
+ 
+ set +x
+ echo "
diff --git a/pkgs/applications/science/biology/conglomerate/default.nix b/pkgs/applications/science/biology/conglomerate/default.nix
index fe1c1f5511d1..d9092b9eeb11 100644
--- a/pkgs/applications/science/biology/conglomerate/default.nix
+++ b/pkgs/applications/science/biology/conglomerate/default.nix
@@ -32,6 +32,6 @@ stdenv.mkDerivation rec {
     description = "More command-line utilities for working with MINC files";
     maintainers = with maintainers; [ bcdarwin ];
     platforms = platforms.unix;
-    license   = licenses.free;
+    license   = licenses.hpndUc;
   };
 }
diff --git a/pkgs/applications/science/math/nauty/default.nix b/pkgs/applications/science/math/nauty/default.nix
index ef8c041039b1..c1feeffdcb6d 100644
--- a/pkgs/applications/science/math/nauty/default.nix
+++ b/pkgs/applications/science/math/nauty/default.nix
@@ -4,11 +4,11 @@
 }:
 stdenv.mkDerivation rec {
   pname = "nauty";
-  version = "2.7r4";
+  version = "2.8.8";
 
   src = fetchurl {
-    url = "https://pallini.di.uniroma1.it/nauty${builtins.replaceStrings ["."] [""] version}.tar.gz";
-    sha256 = "sha256-uBDIWm/imfO0yfJKr5KcrH+VRsLzXCDh3Qrbx0CISKY=";
+    url = "https://pallini.di.uniroma1.it/nauty${builtins.replaceStrings ["."] ["_"] version}.tar.gz";
+    sha256 = "sha256-FZ0hVoEKa7JAQQzWHrZBrdhQiNnxXIiM2qN7hoH5Kc4=";
   };
 
   outputs = [ "out" "dev" ];
@@ -44,7 +44,7 @@ stdenv.mkDerivation rec {
     # I'm not sure if the filename will remain the same for future changelog or
     # if it will track changes to minor releases. Lets see. Better than nothing
     # in any case.
-    changelog = "https://pallini.di.uniroma1.it/changes24-27.txt";
+    changelog = "https://pallini.di.uniroma1.it/changes24-28.txt";
     homepage = "https://pallini.di.uniroma1.it/";
   };
 }
diff --git a/pkgs/applications/science/math/sage/default.nix b/pkgs/applications/science/math/sage/default.nix
index 765c691c9555..6624dcc36528 100644
--- a/pkgs/applications/science/math/sage/default.nix
+++ b/pkgs/applications/science/math/sage/default.nix
@@ -15,7 +15,7 @@ let
     pkgs = pkgs.python3.pkgs.overrideScope (self: super: {
       # `sagelib`, i.e. all of sage except some wrappers and runtime dependencies
       sagelib = self.callPackage ./sagelib.nix {
-        inherit flint arb;
+        inherit flint3;
         inherit sage-src env-locations singular;
         inherit (maxima) lisp-compiler;
         linbox = pkgs.linbox.override { withSage = true; };
@@ -73,7 +73,7 @@ let
     sagelib = python3.pkgs.sagelib;
     sage-docbuild = python3.pkgs.sage-docbuild;
     inherit env-locations;
-    inherit python3 singular palp flint pythonEnv maxima;
+    inherit python3 singular palp flint3 pythonEnv maxima;
     pkg-config = pkgs.pkg-config; # not to confuse with pythonPackages.pkg-config
   };
 
@@ -125,9 +125,7 @@ let
     ignoreCollisions = true;
   } // { extraLibs = pythonRuntimeDeps; }; # make the libs accessible
 
-  arb = pkgs.arb.override { inherit flint; };
-
-  singular = pkgs.singular.override { inherit flint; };
+  singular = pkgs.singular.override { inherit flint3; };
 
   maxima = pkgs.maxima-ecl.override {
     lisp-compiler = pkgs.ecl.override {
@@ -149,7 +147,7 @@ let
   # openblas instead of openblasCompat. Apparently other packages somehow use flints
   # blas when it is available. Alternative would be to override flint to use
   # openblasCompat.
-  flint = pkgs.flint.override { withBlas = false; };
+  flint3 = pkgs.flint3.override { withBlas = false; };
 
   # Multiple palp dimensions need to be available and sage expects them all to be
   # in the same folder.
diff --git a/pkgs/applications/science/math/sage/env-locations.nix b/pkgs/applications/science/math/sage/env-locations.nix
index 39d358a1f9a8..1ca0f471a7ee 100644
--- a/pkgs/applications/science/math/sage/env-locations.nix
+++ b/pkgs/applications/science/math/sage/env-locations.nix
@@ -3,7 +3,6 @@
 , pari
 , singular
 , maxima
-, conway_polynomials
 , graphs
 , elliptic_curves
 , polytopes_db
@@ -27,16 +26,13 @@ writeTextFile rec {
     export GPDOCDIR="${pari}/share/pari/doc"
     export SINGULARPATH='${singular}/share/singular'
     export SINGULAR_SO='${singular}/lib/libSingular.so'
-    export GAP_SO='${gap}/lib/libgap.so'
     export SINGULAR_EXECUTABLE='${singular}/bin/Singular'
     export MAXIMA_FAS='${maxima}/lib/maxima/${maxima.version}/binary-ecl/maxima.fas'
     export MAXIMA_PREFIX="${maxima}"
-    export CONWAY_POLYNOMIALS_DATA_DIR='${conway_polynomials}/share/conway_polynomials'
     export GRAPHS_DATA_DIR='${graphs}/share/graphs'
     export ELLCURVE_DATA_DIR='${elliptic_curves}/share/ellcurves'
     export POLYTOPE_DATA_DIR='${polytopes_db}/share/reflexive_polytopes'
-    export GAP_LIB_DIR='${gap}/lib/gap'
-    export GAP_SHARE_DIR='${gap}/share/gap'
+    export GAP_ROOT_PATHS='${gap}/lib/gap;${gap}/share/gap'
     export ECLDIR='${maxima.lisp-compiler}/lib/${maxima.lisp-compiler.pname}-${maxima.lisp-compiler.version}/'
     export COMBINATORIAL_DESIGN_DATA_DIR="${combinatorial_designs}/share/combinatorial_designs"
     export CREMONA_MINI_DATA_DIR="${elliptic_curves}/share/cremona"
diff --git a/pkgs/applications/science/math/sage/python-modules/sage-docbuild.nix b/pkgs/applications/science/math/sage/python-modules/sage-docbuild.nix
index fb8c3ec8a204..b45998bbcb86 100644
--- a/pkgs/applications/science/math/sage/python-modules/sage-docbuild.nix
+++ b/pkgs/applications/science/math/sage/python-modules/sage-docbuild.nix
@@ -4,6 +4,7 @@
 , jupyter-sphinx
 , sphinx
 , sphinx-copybutton
+, sphinx-inline-tabs
 }:
 
 buildPythonPackage rec {
@@ -15,6 +16,7 @@ buildPythonPackage rec {
     jupyter-sphinx
     sphinx
     sphinx-copybutton
+    sphinx-inline-tabs
   ];
 
   preBuild = ''
diff --git a/pkgs/applications/science/math/sage/sage-env.nix b/pkgs/applications/science/math/sage/sage-env.nix
index 4c22470de910..4f179ea3a42b 100644
--- a/pkgs/applications/science/math/sage/sage-env.nix
+++ b/pkgs/applications/science/math/sage/sage-env.nix
@@ -42,7 +42,7 @@
 , flintqs
 , blas
 , lapack
-, flint
+, flint3
 , gmp
 , mpfr
 , zlib
@@ -155,7 +155,7 @@ writeTextFile rec {
     # cython needs to find these libraries, otherwise will fail with `ld: cannot find -lflint` or similar
     export LDFLAGS='${
       lib.concatStringsSep " " (map (pkg: "-L${pkg}/lib") [
-        flint
+        flint3
         gap
         glpk
         gmp
@@ -174,7 +174,7 @@ writeTextFile rec {
         singular
         gmp.dev
         glpk
-        flint
+        flint3
         gap
         mpfr.dev
       ])
diff --git a/pkgs/applications/science/math/sage/sage-src.nix b/pkgs/applications/science/math/sage/sage-src.nix
index a77565e4072a..11bcc9ee3d5a 100644
--- a/pkgs/applications/science/math/sage/sage-src.nix
+++ b/pkgs/applications/science/math/sage/sage-src.nix
@@ -10,14 +10,14 @@
 # all get the same sources with the same patches applied.
 
 stdenv.mkDerivation rec {
-  version = "10.2";
+  version = "10.3";
   pname = "sage-src";
 
   src = fetchFromGitHub {
     owner = "sagemath";
     repo = "sage";
     rev = version;
-    sha256 = "sha256-VXnPdJhtw5Y/anecrVpevJDCyBVfnjksyuuZslNipm4=";
+    hash = "sha256-OHtMv8t0RrP6R8XIREU+C1vpazeQLWa75wx9Mv6BN1U=";
   };
 
   # contains essential files (e.g., setup.cfg) generated by the bootstrap script.
@@ -25,8 +25,8 @@ stdenv.mkDerivation rec {
   configure-src = fetchurl {
     # the hash below is the tagged commit's _parent_. it can also be found by looking for
     # the "configure" asset at https://github.com/sagemath/sage/releases/tag/${version}
-    url = "mirror://sageupstream/configure/configure-b2813506039143e6f0abe859ab67a343abf72c2e.tar.gz";
-    sha256 = "sha256-a1v0XyoKI+zO6Sjm8DzEwItRHbIgRDbpj4UfwVH+/hw=";
+    url = "mirror://sageupstream/configure/configure-ab1a517b64b02bf15bbcb8d7c2d4d643bd5eff9b.tar.gz";
+    hash = "sha256-pe9AxTM+gFSR4/eVfUzay+4bwjoubbYeDPc+avKjlaw=";
   };
 
   # Patches needed because of particularities of nix or the way this is packaged.
@@ -62,11 +62,11 @@ stdenv.mkDerivation rec {
   # should come from or be proposed to upstream. This list will probably never
   # be empty since dependencies update all the time.
   packageUpgradePatches = [
-    # https://github.com/sagemath/sage/pull/37123, to land in 10.3.beta7
+    # https://github.com/sagemath/sage/pull/37492
     (fetchpatch {
-      name = "scipy-1.12-upgrade.patch";
-      url = "https://github.com/sagemath/sage/commit/54eec464e9fdf18b411d9148aecb918178e95909.diff";
-      sha256 = "sha256-9wyNrcSfF6mYFTIV4ev2OdD7igb0AeyZZYWSc/+JrIU=";
+      name = "singular-4.3.2p14-upgrade.patch";
+      url = "https://github.com/sagemath/sage/commit/a0c56816b051e97da44ac0a4e4d4f6915cf7fa0f.diff";
+      sha256 = "sha256-WGMmPeBoj2LUC+2qxWuaJL89QUuGt6axGvxWkpM9LYg=";
     })
   ];
 
diff --git a/pkgs/applications/science/math/sage/sagelib.nix b/pkgs/applications/science/math/sage/sagelib.nix
index 5a1f4ee473c9..b67b74e3a0f2 100644
--- a/pkgs/applications/science/math/sage/sagelib.nix
+++ b/pkgs/applications/science/math/sage/sagelib.nix
@@ -10,7 +10,6 @@
 , iml
 , libpng
 , readline
-, arb
 , blas
 , boost
 , brial
@@ -18,7 +17,7 @@
 , eclib
 , ecm
 , fflas-ffpack
-, flint
+, flint3
 , gap
 , giac
 , givaro
@@ -45,6 +44,7 @@
 , singular
 , sqlite
 , symmetrica
+, conway-polynomials
 , cvxopt
 , cypari2
 , cysignals
@@ -92,6 +92,7 @@ buildPythonPackage rec {
   version = src.version;
   pname = "sagelib";
   src = sage-src;
+  pyproject = true;
 
   nativeBuildInputs = [
     iml
@@ -112,7 +113,6 @@ buildPythonPackage rec {
 
   propagatedBuildInputs = [
     # native dependencies (TODO: determine which ones need to be propagated)
-    arb
     blas
     boost
     brial
@@ -120,7 +120,7 @@ buildPythonPackage rec {
     eclib
     ecm
     fflas-ffpack
-    flint
+    flint3
     gap
     giac
     givaro
@@ -149,6 +149,7 @@ buildPythonPackage rec {
     symmetrica
 
     # from src/sage/setup.cfg and requirements.txt
+    conway-polynomials
     cvxopt
     cypari2
     cysignals
@@ -202,11 +203,7 @@ buildPythonPackage rec {
     mkdir -p "$SAGE_SHARE/sage/ext/notebook-ipython"
     mkdir -p "var/lib/sage/installed"
 
-    # version lower bounds are useful, but upper bounds are a hassle because
-    # Sage tests already catch any relevant API breakage.
-    # according to the discussion at https://trac.sagemath.org/ticket/33520,
-    # upper bounds will be less noisy starting from Sage 9.6.
-    sed -i 's/, <[^, ]*//' build/pkgs/*/install-requires.txt
+    sed -i "/sage-conf/d" src/{setup.cfg,pyproject.toml,requirements.txt}
 
     cd build/pkgs/sagelib/src
   '';
diff --git a/pkgs/applications/science/math/singular/default.nix b/pkgs/applications/science/math/singular/default.nix
index f77bd5a92243..a6c64066d88e 100644
--- a/pkgs/applications/science/math/singular/default.nix
+++ b/pkgs/applications/science/math/singular/default.nix
@@ -5,7 +5,7 @@
 , sharutils
 , file
 , getconf
-, flint
+, flint3
 , ntl
 , cddlib
 , gfan
@@ -18,13 +18,13 @@
 # want it to match the upstream format because sage depends on it.
 , texinfo4
 , texliveSmall
-, enableDocs ? !stdenv.isDarwin
+, enableDocs ? true
 , enableGfanlib ? true
 }:
 
 stdenv.mkDerivation rec {
   pname = "singular";
-  version = "4.3.2p2";
+  version = "4.3.2p16";
 
   # since the tarball does not contain tests, we fetch from GitHub.
   src = fetchFromGitHub {
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
     # if a release is tagged (which sometimes does not happen), it will
     # be in the format below.
     rev = "Release-${lib.replaceStrings ["."] ["-"] version}";
-    sha256 = "sha256-dtZmN8xUCZ9eSgmtBxqfJeWsM4W5Baq7xWXuNAxNLjA=";
+    sha256 = "sha256-5JZgI5lnfX4JlBSEAL7Wv6uao/57GBaMqwgslJt9Bjk=";
 
     # the repository's .gitattributes file contains the lines "/Tst/
     # export-ignore" and "/doc/ export-ignore" so some directories are
@@ -68,7 +68,7 @@ stdenv.mkDerivation rec {
     ncurses
     readline
     ntl
-    flint
+    flint3
     lrcalc
     gfan
   ] ++ lib.optionals enableGfanlib [
diff --git a/pkgs/applications/version-management/commitizen/default.nix b/pkgs/applications/version-management/commitizen/default.nix
index bb1c3243d6db..b1b70646bf67 100644
--- a/pkgs/applications/version-management/commitizen/default.nix
+++ b/pkgs/applications/version-management/commitizen/default.nix
@@ -11,7 +11,7 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "commitizen";
-  version = "3.18.4";
+  version = "3.20.0";
   format = "pyproject";
 
   disabled = python3.pythonOlder "3.8";
@@ -20,7 +20,7 @@ python3.pkgs.buildPythonApplication rec {
     owner = "commitizen-tools";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-ODBlNwrvkYnZ+CvKyc5Bic6DK/z8d6/KR3+iarFxduE=";
+    hash = "sha256-lruEkXgbND2Q49J9mnDSqDA4kWiUBIg1mI+s1a+V3ds=";
   };
 
   pythonRelaxDeps = [
diff --git a/pkgs/applications/video/kodi/addons/jellycon/default.nix b/pkgs/applications/video/kodi/addons/jellycon/default.nix
new file mode 100644
index 000000000000..88e9504f8d19
--- /dev/null
+++ b/pkgs/applications/video/kodi/addons/jellycon/default.nix
@@ -0,0 +1,55 @@
+{ lib, addonDir, buildKodiAddon, fetchFromGitHub, kodi, requests, dateutil, six, kodi-six, signals, websocket }:
+let
+  python = kodi.pythonPackages.python.withPackages (p: with p; [ pyyaml ]);
+in
+buildKodiAddon rec {
+  pname = "jellycon";
+  namespace = "plugin.video.jellycon";
+  version = "0.8.0";
+
+  src = fetchFromGitHub {
+    owner = "jellyfin";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-60my7Y60KV5WWALQiamnmAJZJi82cV21rIGYPiV7T+A=";
+  };
+
+  nativeBuildInputs = [
+    python
+  ];
+
+  prePatch = ''
+    # ZIP does not support timestamps before 1980 - https://bugs.python.org/issue34097
+    substituteInPlace build.py \
+      --replace "with zipfile.ZipFile(f'{target}/{archive_name}', 'w') as z:" "with zipfile.ZipFile(f'{target}/{archive_name}', 'w', strict_timestamps=False) as z:"
+  '';
+
+  buildPhase = ''
+    ${python}/bin/python3 build.py --version=py3
+  '';
+
+  postInstall = ''
+    mv /build/source/addon.xml $out${addonDir}/${namespace}/
+  '';
+
+  propagatedBuildInputs = [
+    requests
+    dateutil
+    six
+    kodi-six
+    signals
+    websocket
+  ];
+
+  meta = with lib; {
+    homepage = "https://github.com/jellyfin/jellycon";
+    description = "A lightweight Kodi add-on for Jellyfin";
+    longDescription = ''
+      JellyCon is a lightweight Kodi add-on that lets you browse and play media
+      files directly from your Jellyfin server within the Kodi interface. It can
+      easily switch between multiple user accounts at will.
+    '';
+    license = licenses.gpl2Only;
+    maintainers = teams.kodi.members;
+  };
+}
diff --git a/pkgs/applications/video/obs-studio/plugins/advanced-scene-switcher/default.nix b/pkgs/applications/video/obs-studio/plugins/advanced-scene-switcher/default.nix
index b776981522d0..ff4ba78ea950 100644
--- a/pkgs/applications/video/obs-studio/plugins/advanced-scene-switcher/default.nix
+++ b/pkgs/applications/video/obs-studio/plugins/advanced-scene-switcher/default.nix
@@ -23,13 +23,13 @@
 
 stdenv.mkDerivation rec {
   pname = "advanced-scene-switcher";
-  version = "1.24.2";
+  version = "1.25.3";
 
   src = fetchFromGitHub {
     owner = "WarmUpTill";
     repo = "SceneSwitcher";
     rev = version;
-    hash = "sha256-J5Qcs2eoKMeO1O/MCsR5wfmfbtndRaZmHrbleEZqqOo=";
+    hash = "sha256-cVMeFAliP0srvnhJQkOhZB2hrald8RHFhBXwdGIu2uo=";
   };
 
   nativeBuildInputs = [
@@ -61,11 +61,7 @@ stdenv.mkDerivation rec {
     chmod -R +w $sourceRoot/deps/libremidi
   '';
 
-  postInstall = ''
-    mkdir $out/lib $out/share
-    mv $out/obs-plugins/64bit $out/lib/obs-plugins
-    mv $out/data $out/share/obs
-  '';
+  env.NIX_CFLAGS_COMPILE = "-Wno-error=stringop-overflow";
 
   meta = with lib; {
     description = "An automated scene switcher for OBS Studio";
diff --git a/pkgs/applications/video/vdr/markad/default.nix b/pkgs/applications/video/vdr/markad/default.nix
index db273ba4ff04..28dad0200270 100644
--- a/pkgs/applications/video/vdr/markad/default.nix
+++ b/pkgs/applications/video/vdr/markad/default.nix
@@ -19,12 +19,12 @@
 }:
 stdenv.mkDerivation rec {
   pname = "vdr-markad";
-  version = "3.4.12";
+  version = "3.4.13";
 
   src = fetchFromGitHub {
     repo = "vdr-plugin-markad";
     owner = "kfb77";
-    sha256 = "sha256-yc/zWMGzsfZl3n+Qt5Se2duo3jwntCWaYq1yACsrPzM=";
+    sha256 = "sha256-pDnziIWX6deBXuVIN7w6F6TdYDCcEO6MSaUIMB63uAg=";
     rev = "V${version}";
   };
 
diff --git a/pkgs/applications/virtualization/rvvm/default.nix b/pkgs/applications/virtualization/rvvm/default.nix
index b6eaea8d7597..718446d1ce1f 100644
--- a/pkgs/applications/virtualization/rvvm/default.nix
+++ b/pkgs/applications/virtualization/rvvm/default.nix
@@ -1,21 +1,45 @@
-{ lib, stdenv, fetchFromGitHub, SDL_compat, libX11, libXext }:
+{ lib
+, stdenv
+, fetchFromGitHub
+
+, SDL2
+
+, libX11
+, libXext
+
+, guiBackend ? "sdl"
+
+, enableSDL ? guiBackend == "sdl"
+, enableX11 ? guiBackend == "x11"
+}:
+
+assert lib.assertMsg (builtins.elem guiBackend ["sdl" "x11" "none"]) "Unsupported GUI backend";
+assert lib.assertMsg (!(enableSDL && enableX11)) "RVVM can have only one GUI backend at a time";
+assert lib.assertMsg (stdenv.isDarwin -> !enableX11) "macOS supports only SDL GUI backend";
 
 stdenv.mkDerivation rec {
   pname = "rvvm";
-  version = "0.5";
+  version = "0.6";
 
   src = fetchFromGitHub {
     owner = "LekKit";
     repo = "RVVM";
     rev = "v${version}";
-    sha256 = "sha256-1wAKijRYB0FGBe4cSHUynkO4ePVG4QvVIgSoWzNbqtE=";
+    sha256 = "sha256-5nSlKyWDAx0EeKFzzwP5+99XuJz9BHXEF1WNkRMLa9U=";
   };
 
-  buildInputs = if stdenv.isDarwin then [ SDL_compat ] else [ libX11 libXext ];
+  buildInputs = []
+    ++ lib.optionals enableSDL [ SDL2 ]
+    ++ lib.optionals enableX11 [ libX11 libXext ];
+
+  enableParallelBuilding = true;
 
   buildFlags = [ "all" "lib" ];
 
   makeFlags = [ "PREFIX=$(out)" ]
+    ++ lib.optional enableSDL "USE_SDL=2" # Use SDL2 instead of SDL1
+    ++ lib.optional (!enableSDL && !enableX11) "USE_FB=0"
+
     # work around https://github.com/NixOS/nixpkgs/issues/19098
     ++ lib.optional (stdenv.cc.isClang && stdenv.isDarwin) "CFLAGS=-fno-lto";
 
@@ -24,7 +48,7 @@ stdenv.mkDerivation rec {
     description = "The RISC-V Virtual Machine";
     license = with licenses; [ gpl3 /* or */ mpl20 ];
     platforms = platforms.linux ++ platforms.darwin;
-    maintainers = with maintainers; [ ];
+    maintainers = with maintainers; [ kamillaova ];
     mainProgram = "rvvm";
   };
 }
diff --git a/pkgs/by-name/al/alephone-apotheosis-x/package.nix b/pkgs/by-name/al/alephone-apotheosis-x/package.nix
index 16bed9fad97e..566b98f9e856 100644
--- a/pkgs/by-name/al/alephone-apotheosis-x/package.nix
+++ b/pkgs/by-name/al/alephone-apotheosis-x/package.nix
@@ -1,4 +1,4 @@
-{ alephone, requireFile }:
+{ lib, alephone, requireFile }:
 
 alephone.makeWrapper rec {
   pname = "apotheosis-x";
@@ -16,5 +16,6 @@ alephone.makeWrapper rec {
   meta = {
     description = "Total conversion for Marathon Infinity running on the Aleph One engine";
     homepage = "https://simplici7y.com/items/apotheosis-x-5";
+    license = lib.licenses.unfree;
   };
 }
diff --git a/pkgs/by-name/as/asciiquarium-transparent/package.nix b/pkgs/by-name/as/asciiquarium-transparent/package.nix
index 2472d5015daf..b0b476e12bd9 100644
--- a/pkgs/by-name/as/asciiquarium-transparent/package.nix
+++ b/pkgs/by-name/as/asciiquarium-transparent/package.nix
@@ -3,32 +3,35 @@
   stdenv,
   fetchFromGitHub,
   makeWrapper,
-  perlPackages,
+  perl,
 }:
-stdenv.mkDerivation {
+stdenv.mkDerivation (finalAttrs: {
   pname = "asciiquarium-transparent";
-  version = "unstable-2023-02-19";
+  version = "1.3";
+
   src = fetchFromGitHub {
     owner = "nothub";
     repo = "asciiquarium";
-    rev = "653cd99a611080c776d18fc7991ae5dd924c72ce";
-    hash = "sha256-72LRFydbObFDXJllmlRjr5O8qjDqtlp3JunE3kwb5aU=";
+    rev = "${finalAttrs.version}";
+    hash = "sha256-zQyVIfwmhF3WsCeIZLwjDufvKzAfjLxaK2s7WTedqCg=";
   };
-  nativeBuildInputs = [makeWrapper];
-  buildInputs = [perlPackages.perl];
+
+  nativeBuildInputs = [ makeWrapper ];
+  buildInputs = [ perl ];
   installPhase = ''
     runHook preInstall
-    mkdir -p $out/bin
-    cp asciiquarium $out/bin/asciiquarium
-    wrapProgram $out/bin/asciiquarium --set PERL5LIB ${perlPackages.makeFullPerlPath [perlPackages.TermAnimation]}
+    install -Dm555 asciiquarium -t $out/bin
+    wrapProgram $out/bin/asciiquarium \
+      --set PERL5LIB ${with perl.pkgs; makeFullPerlPath [ TermAnimation ]}
     runHook postInstall
   '';
-  meta = with lib; {
+
+  meta = {
     description = "An aquarium/sea animation in ASCII art (with option of transparent background)";
-    mainProgram = "asciiquarium";
     homepage = "https://github.com/nothub/asciiquarium";
-    license = with licenses; [gpl2Only];
-    platforms = platforms.unix;
-    maintainers = with maintainers; [quantenzitrone];
+    license = lib.licenses.gpl2Only;
+    mainProgram = "asciiquarium";
+    maintainers = with lib.maintainers; [ quantenzitrone ];
+    platforms = perl.meta.platforms;
   };
-}
+})
diff --git a/pkgs/by-name/ca/cargo-pgo/package.nix b/pkgs/by-name/ca/cargo-pgo/package.nix
new file mode 100644
index 000000000000..1850fb2d85d6
--- /dev/null
+++ b/pkgs/by-name/ca/cargo-pgo/package.nix
@@ -0,0 +1,29 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "cargo-pgo";
+  version = "0.2.6";
+
+  src = fetchFromGitHub {
+    owner = "kobzol";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-u3kWYPLJYarwwudRpeBdJglP9kNbLRTYgEvZT2pBBoY=";
+  };
+
+  cargoHash = "sha256-Peicupa2vFDzPCH0OQYk7plkWIn82o45oGutOyMlI2s=";
+
+  # Integration tests do not run in Nix build environment due to needing to
+  # create and build Cargo workspaces.
+  doCheck = false;
+
+  meta = with lib; {
+    description = "Cargo subcommand for optimizing Rust binaries/libraries with PGO and BOLT";
+    homepage = "https://github.com/kobzol/cargo-pgo";
+    license = with licenses; [ mit ];
+    maintainers = with maintainers; [ dannixon ];
+  };
+}
diff --git a/pkgs/by-name/ce/cert-viewer/package.nix b/pkgs/by-name/ce/cert-viewer/package.nix
new file mode 100644
index 000000000000..6fcead475a36
--- /dev/null
+++ b/pkgs/by-name/ce/cert-viewer/package.nix
@@ -0,0 +1,26 @@
+{ buildGoModule
+, fetchFromGitHub
+, lib
+}:
+
+buildGoModule rec {
+  pname = "cert-viewer";
+  version = "0.9.0";
+
+  src = fetchFromGitHub {
+    owner = "mgit-at";
+    repo = "cert-viewer";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-q4FLKH0ZA/79zLo7dt+CSOjfKyygTiQKSuungQTtue0=";
+  };
+
+  vendorHash = "sha256-55zDUAe5s+03/OnDcK1DqmMUpFO2sBaVjEk6vbrHgzY=";
+
+  meta = {
+    description = "Admin tool to view and inspect multiple x509 Certificates";
+    homepage = "https://github.com/mgit-at/cert-viewer";
+    license = lib.licenses.apsl20;
+    maintainers = [ lib.maintainers.mkg20001 ];
+    mainProgram = "cert-viewer";
+  };
+}
diff --git a/pkgs/applications/graphics/displaycal/default.nix b/pkgs/by-name/di/displaycal/package.nix
index 0eef148398cb..a48355fbb825 100644
--- a/pkgs/applications/graphics/displaycal/default.nix
+++ b/pkgs/by-name/di/displaycal/package.nix
@@ -10,13 +10,13 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "displaycal";
-  version = "3.9.11";
+  version = "3.9.12";
   format = "setuptools";
 
   src = fetchPypi {
     pname = "DisplayCAL";
     inherit version;
-    hash = "sha256-zAZW2eMjwRYevlz8KEzTxzGO8vx5AydfY3vGTapNo1c=";
+    hash = "sha256-0NZ+fr3ilnyWE6+Xa8xqpccNe7WVvvQfQEYvdQ8rf/Q=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/by-name/gh/gh-copilot/package.nix b/pkgs/by-name/gh/gh-copilot/package.nix
new file mode 100644
index 000000000000..42f0f489bdda
--- /dev/null
+++ b/pkgs/by-name/gh/gh-copilot/package.nix
@@ -0,0 +1,59 @@
+{ stdenv
+, lib
+, fetchurl
+}:
+let
+  inherit (stdenv.hostPlatform) system;
+  throwSystem = throw "Unsupported system: ${system}";
+
+  systemToPlatform = {
+    "x86_64-linux" = {
+      name = "linux-amd64";
+      hash = "sha256-FKzvERcVYkyy1aNYHZIftC2WvSHRxFqSG/g7gpTTvoo=";
+    };
+    "aarch64-linux" = {
+      name = "linux-arm64";
+      hash = "sha256-4vX9On0upgfjM/IL/UzQj5ioeVnSsd2rUgIz6w4szZM=";
+    };
+    "x86_64-darwin" = {
+      name = "darwin-amd64";
+      hash = "sha256-W4ElKXsMo47dVRNJEnLzH2rpvkua56lj/NkJd3R8CCE=";
+    };
+    "aarch64-darwin" = {
+      name = "darwin-arm64";
+      hash = "sha256-F2OA66h/ptkjLZ2oQgkbZlDo31YDZzhk5Pre36TkHvI=";
+    };
+  };
+  platform = systemToPlatform.${system} or throwSystem;
+in
+stdenv.mkDerivation (finalAttrs: {
+  pname = "gh-copilot";
+  version = "0.5.4-beta";
+
+  src = fetchurl {
+    name = "gh-copilot";
+    url = "https://github.com/github/gh-copilot/releases/download/v${finalAttrs.version}/${platform.name}";
+    hash = platform.hash;
+  };
+
+  dontUnpack = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    install -m755 -D $src $out/bin/gh-copilot
+
+    runHook postInstall
+  '';
+
+  meta = {
+    changelog = "https://github.com/github/gh-copilot/releases/tag/v${finalAttrs.version}";
+    description = "Ask for assistance right in your terminal.";
+    homepage = "https://github.com/github/gh-copilot";
+    license = lib.licenses.unfree;
+    mainProgram = "gh-copilot";
+    maintainers = with lib.maintainers; [ perchun ];
+    platforms = lib.attrNames systemToPlatform;
+    sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
+  };
+})
diff --git a/pkgs/tools/networking/godns/default.nix b/pkgs/by-name/go/godns/package.nix
index a41d1993270b..0e5e155523d6 100644
--- a/pkgs/tools/networking/godns/default.nix
+++ b/pkgs/by-name/go/godns/package.nix
@@ -1,25 +1,50 @@
 { lib
 , buildGoModule
 , fetchFromGitHub
+, nodejs
+, npmHooks
+, fetchNpmDeps
 , nix-update-script
 }:
 
 buildGoModule rec {
   pname = "godns";
-  version = "3.0.7";
+  version = "3.1.5";
 
   src = fetchFromGitHub {
     owner = "TimothyYe";
     repo = "godns";
     rev = "refs/tags/v${version}";
-    hash = "sha256-7zgvrEVt8xg54NijcqnXoZcXetzOu9h3Ucw7w03YagU=";
+    hash = "sha256-kdClyeU0hR0ymVLn9xe/kYVJE/9P/hAz/5UwRAQ2KCU=";
   };
 
-  vendorHash = "sha256-veDrGB6gjUa8G/UyKzEgH2ItGGEPlXDePahq2XP2nAo=";
+  vendorHash = "sha256-kSREFNIGH0MXiyKMp1LmrLkhKBhovvNRz46LTXT2XME=";
+  npmDeps = fetchNpmDeps {
+    src = "${src}/web";
+    hash = "sha256-2yeqLly0guU/kpX+yH/QOoDGzyJTxkTaCt8EleJhybU=";
+  };
+
+  npmRoot = "web";
+  nativeBuildInputs = [
+    nodejs
+    npmHooks.npmConfigHook
+  ];
+
+  overrideModAttrs = oldAttrs: {
+    # Do not add `npmConfigHook` to `goModules`
+    nativeBuildInputs = lib.remove npmHooks.npmConfigHook oldAttrs.nativeBuildInputs;
+    # Do not run `preBuild` when building `goModules`
+    preBuild = null;
+  };
 
   # Some tests require internet access, broken in sandbox
   doCheck = false;
 
+  preBuild = ''
+    npm --prefix="$npmRoot" run build
+    go generate ./...
+  '';
+
   ldflags = [
     "-s"
     "-w"
diff --git a/pkgs/by-name/ho/home-manager/package.nix b/pkgs/by-name/ho/home-manager/package.nix
index 2bee53688dbf..f58be650c845 100644
--- a/pkgs/by-name/ho/home-manager/package.nix
+++ b/pkgs/by-name/ho/home-manager/package.nix
@@ -16,14 +16,14 @@
 
 stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "home-manager";
-  version = "unstable-2024-03-15";
+  version = "unstable-2024-03-19";
 
   src = fetchFromGitHub {
     name = "home-manager-source";
     owner = "nix-community";
     repo = "home-manager";
-    rev = "206f457fffdb9a73596a4cb2211a471bd305243d";
-    hash = "sha256-SUXGZNrXX05YA9G6EmgupxhOr3swI1gcxLUeDMUhrEY=";
+    rev = "022464438a85450abb23d93b91aa82e0addd71fb";
+    hash = "sha256-2bNMraoRB4pdw/HtxgYTFeMhEekBZeQ53/a8xkqpbZc=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/by-name/ja/jan/package.nix b/pkgs/by-name/ja/jan/package.nix
index 181a7006c24c..76daa73b20e6 100644
--- a/pkgs/by-name/ja/jan/package.nix
+++ b/pkgs/by-name/ja/jan/package.nix
@@ -5,10 +5,10 @@
 
 let
   pname = "jan";
-  version = "0.4.8";
+  version = "0.4.9";
   src = fetchurl {
     url = "https://github.com/janhq/jan/releases/download/v${version}/jan-linux-x86_64-${version}.AppImage";
-    hash = "sha256-8Vi2KK+5Wk/K+RJZ0/cbRUb8L25WEiLdo5ay8+ichdw=";
+    hash = "sha256-6XnDrr+AkZH69zXf0OKdi8R6LoRWWMZNqWilZhLGynk=";
   };
 
   appimageContents = appimageTools.extractType2 { inherit pname version src; };
diff --git a/pkgs/by-name/ma/maloader/package.nix b/pkgs/by-name/ma/maloader/package.nix
new file mode 100644
index 000000000000..bb0f744f37b6
--- /dev/null
+++ b/pkgs/by-name/ma/maloader/package.nix
@@ -0,0 +1,63 @@
+{
+  lib,
+  llvmPackages,
+  fetchFromGitHub,
+  opencflite,
+  libuuid,
+  zlib,
+}:
+
+let
+  stdenv = llvmPackages.libcxxStdenv;
+in
+stdenv.mkDerivation {
+  pname = "maloader";
+  version = "0-unstable-2018-05-02";
+
+  src = fetchFromGitHub {
+    owner = "shinh";
+    repo = "maloader";
+    rev = "464a90fdfd06a54c9da5d1a3725ed6229c0d3d60";
+    hash = "sha256-0N3+tr8XUsn3WhJNsPVknumBrfMgDawTEXVRkIs/IV8=";
+  };
+
+  postPatch = ''
+    substituteInPlace ld-mac.cc \
+      --replace-fail 'loadLibMac(mypath)' 'loadLibMac("${placeholder "out"}/lib/")' \
+      --replace-fail 'libCoreFoundation.so' '${opencflite}/lib/libCoreFoundation.so'
+    substituteInPlace libmac/stack_protector-obsd.c \
+      --replace-fail 'sys/sysctl.h' 'linux/sysctl.h'
+  '';
+
+  buildInputs = [
+    libuuid
+    zlib
+  ];
+
+  buildFlags = [
+    "USE_LIBCXX=1"
+    "release"
+  ];
+
+  env.NIX_CFLAGS_COMPILE = "-Wno-error=unused-command-line-argument";
+
+  installPhase = ''
+    runHook preInstall
+
+    install -vD libmac.so "$out/lib/libmac.so"
+
+    for bin in extract macho2elf ld-mac; do
+      install -vD "$bin" "$out/bin/$bin"
+    done
+
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "Mach-O loader for Linux";
+    homepage = "https://github.com/shinh/maloader";
+    license = lib.licenses.bsd2;
+    maintainers = with lib.maintainers; [ wegank ];
+    inherit (opencflite.meta) platforms;
+  };
+}
diff --git a/pkgs/by-name/me/mercure/package.nix b/pkgs/by-name/me/mercure/package.nix
index dc4c67c4362b..bd4bdd231a2b 100644
--- a/pkgs/by-name/me/mercure/package.nix
+++ b/pkgs/by-name/me/mercure/package.nix
@@ -8,18 +8,18 @@
 
 buildGoModule rec {
   pname = "mercure";
-  version = "0.15.9";
+  version = "0.15.10";
 
   src = fetchFromGitHub {
     owner = "dunglas";
     repo = "mercure";
     rev = "v${version}";
-    hash = "sha256-4Y+yZSZrBDLPbQXaOCSKk/EY20Ka8CS4ivUg1TEaqXo=";
+    hash = "sha256-ot4Gb2Zg4VaF/ip9cLJYP69WGmKw/+WQSf20o1aQtpM=";
   };
 
   sourceRoot = "${src.name}/caddy";
 
-  vendorHash = "sha256-N0RmvhBlTiWmBb4TzLmaThD9jVkKgcIO9vPWxJAvLRQ=";
+  vendorHash = "sha256-K+9LQ9wI0ltZI7N2mshiDsjEMc2FzenqSGP00fEWuMQ=";
 
   subPackages = [ "mercure" ];
   excludedPackages = [ "../cmd/mercure" ];
diff --git a/pkgs/by-name/oc/octorpki/package.nix b/pkgs/by-name/oc/octorpki/package.nix
deleted file mode 100644
index 1f710d134228..000000000000
--- a/pkgs/by-name/oc/octorpki/package.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ lib
-, buildGoModule
-, fetchFromGitHub
-, fetchpatch
-}:
-
-buildGoModule rec {
-  pname = "octorpki";
-  version = "1.5.10";
-
-  src = fetchFromGitHub {
-    owner = "cloudflare";
-    repo = "cfrpki";
-    rev = "v${version}";
-    hash = "sha256-eqIAauwFh1Zbv3Jkk8plz1OR3ZW8fs0ugNwwTnSHSFM=";
-  };
-
-  patches = [
-    # https://github.com/cloudflare/cfrpki/pull/150
-    (fetchpatch {
-      url = "https://github.com/cloudflare/cfrpki/commit/fd0c4e95b880c463430c91ce1f86205b9309399b.patch";
-      hash = "sha256-cJ0mWkjtGvgTIH5eEum8h2Gy2PqR+nPto+mj5m/I/d4=";
-    })
-  ];
-
-  ldflags = [
-    "-X main.version=v${version}"
-    "-X main.talpath=${placeholder "out"}/share/tals"
-  ];
-
-  subPackages = [
-    "cmd/octorpki"
-  ];
-
-  postInstall = ''
-    mkdir -p $out/share
-    cp -R cmd/octorpki/tals $out/share/tals
-  '';
-
-  vendorHash = null;
-
-  meta = with lib; {
-    homepage = "https://github.com/cloudflare/cfrpki#octorpki";
-    changelog = "https://github.com/cloudflare/cfrpki/releases/tag/v${version}";
-    description = "A software used to download RPKI (RFC 6480) certificates and validate them";
-    mainProgram = "octorpki";
-    license = licenses.bsd3;
-    platforms = platforms.all;
-    maintainers = teams.wdz.members;
-  };
-}
diff --git a/pkgs/by-name/ol/olvid/package.nix b/pkgs/by-name/ol/olvid/package.nix
new file mode 100644
index 000000000000..813d4ae4052e
--- /dev/null
+++ b/pkgs/by-name/ol/olvid/package.nix
@@ -0,0 +1,108 @@
+{ stdenv
+, lib
+, fetchurl
+, zlib
+, libXext
+, libX11
+, libXrender
+, libXtst
+, libXi
+, freetype
+, alsa-lib
+, jdk21
+, openjfx21
+, autoPatchelfHook
+, makeBinaryWrapper
+, wrapGAppsHook
+}:
+
+let
+  repo = "olvid";
+
+  javafxModules = [ "swing" "controls" "media" "fxml" "graphics" "base" ];
+
+  classpath =
+    lib.concatMap (mod: [
+      "${openjfx21}/modules_src/javafx.${mod}/module-info.java"
+      "${openjfx21}/modules/javafx.${mod}"
+      "${openjfx21}/modules_libs/javafx.${mod}"
+    ]) javafxModules ++
+    [ "$out/share/${repo}/*" ];
+
+  jvmArgs = [
+    "-cp" (lib.concatStringsSep ":" classpath)
+    "-Djpackage.app-version=$version"
+    "-Dolvid.sqlcipher=true"
+    "-Dolvid.dev=false"
+    "-Dolvid.packaged=true"
+    "-Dolvid.multiuser=false"
+    "-Dolvid.debug=false"
+    "-Dolvid.version=$version"
+    "-Djava.net.useSystemProxies=true"
+    "-Djava.library.path=$out/lib/"
+    "-Xss8M"
+    "-XX:+ShowCodeDetailsInExceptionMessages"
+    "--add-opens=java.desktop/java.awt=ALL-UNNAMED"
+    "--add-opens=java.desktop/java.awt.geom=ALL-UNNAMED"
+    "--add-opens=java.desktop/sun.awt.geom=ALL-UNNAMED"
+    "--add-opens=java.base/java.util=ALL-UNNAMED"
+    "--add-opens=java.desktop/javax.swing=ALL-UNNAMED"
+    "--add-opens=java.desktop/sun.awt.shell=ALL-UNNAMED"
+  ];
+in
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "olvid";
+  version = "1.5.0";
+
+  dontUnpack = true;
+  dontWrapGApps = true;
+
+  src = fetchurl {
+    url = "https://static.olvid.io/linux/${repo}-${finalAttrs.version}.tar.gz";
+    hash = "sha256-iiMc9mM+uUVeS1i1gzXMZaMwSChdz7vNrL9uqJlR8NU=";
+  };
+
+  nativeBuildInputs = [
+    autoPatchelfHook
+    makeBinaryWrapper
+    wrapGAppsHook
+  ];
+
+  buildInputs = [
+    zlib
+    libXext
+    libX11
+    libXrender
+    libXtst
+    libXi
+    freetype
+    alsa-lib
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    install -dm755 "$out/share/${repo}"
+    tar -xf "$src" -C "$out/share/${repo}" --wildcards --strip-components 3 olvid/lib/app/'*.jar'
+
+    install -dm755 "$out/lib"
+    tar -xf "$src" -C "$out/lib" --strip-components 4 olvid/lib/runtime/lib/
+
+    install -dm755 "$out/bin"
+    makeBinaryWrapper ${jdk21}/bin/java $out/bin/${repo} \
+      "''${gappsWrapperArgs[@]}" \
+      --add-flags "${lib.concatStringsSep " " jvmArgs} io.olvid.windows.messenger.start_up.Launcher"
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "The secure french messenger";
+    homepage = "https://www.olvid.io";
+    license = licenses.agpl3;
+    mainProgram = "olvid";
+    maintainers = with maintainers; [ rookeur ];
+    platforms = platforms.linux;
+  };
+})
diff --git a/pkgs/by-name/op/opencflite/package.nix b/pkgs/by-name/op/opencflite/package.nix
new file mode 100644
index 000000000000..0da9e52e81d6
--- /dev/null
+++ b/pkgs/by-name/op/opencflite/package.nix
@@ -0,0 +1,43 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  pkg-config,
+  icu,
+  libkqueue,
+  libuuid,
+  tzdata,
+  zlib,
+}:
+
+stdenv.mkDerivation rec {
+  pname = "opencflite";
+  version = "635.21.8";
+
+  src = fetchFromGitHub {
+    owner = "gerickson";
+    repo = "opencflite";
+    rev = "opencflite-${version}";
+    hash = "sha256-ijyj4SFYQ0wZAFM2ehNnR9+yu5yDTSVW3VBycBT9l+A=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+
+  buildInputs = [
+    icu
+    libkqueue
+    libuuid
+    tzdata
+    zlib
+  ];
+
+  enableParallelBuilding = true;
+
+  meta = {
+    description = "Cross platform port of the macOS CoreFoundation";
+    homepage = "https://github.com/gerickson/opencflite";
+    license = lib.licenses.apsl20;
+    maintainers = with lib.maintainers; [ wegank ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/pkgs/applications/misc/owmods-cli/default.nix b/pkgs/by-name/ow/owmods-cli/package.nix
index 44a711dfeec1..19961f193e2a 100644
--- a/pkgs/applications/misc/owmods-cli/default.nix
+++ b/pkgs/by-name/ow/owmods-cli/package.nix
@@ -6,34 +6,40 @@
 , pkg-config
 , installShellFiles
 , zstd
+, libsoup_3
+, makeWrapper
+, mono
+, wrapWithMono ? true
 , openssl
-, Security
+, darwin
 }:
 
 rustPlatform.buildRustPackage rec {
   pname = "owmods-cli";
-  version = "0.12.2";
+  version = "0.13.0";
 
   src = fetchFromGitHub {
     owner = "ow-mods";
     repo = "ow-mod-man";
     rev = "cli_v${version}";
-    hash = "sha256-AfqpLL3cGZLKW5/BE6SaBe4S8GzYM2GKUZU8mFH5uX4=";
+    hash = "sha256-JCPuKGO0pbhQaNmZUcZ95EZbXubrjZnw0qJmKCGuAoQ=";
   };
 
-  cargoHash = "sha256-PhdfpiUgeOB13ROgzPBYM+sBLGMP+RtV9j9ebo8PpJU=";
+  cargoHash = "sha256-dTEEpjonvFYFv16e0eS71B4OMiYueYSfcs8gmSYeHPc=";
 
   nativeBuildInputs = [
     pkg-config
     installShellFiles
-  ];
+  ] ++ lib.optional wrapWithMono makeWrapper;
 
   buildInputs = [
     zstd
+    libsoup_3
   ] ++ lib.optionals stdenv.isLinux [
     openssl
   ] ++ lib.optionals stdenv.isDarwin [
-    Security
+    darwin.apple_sdk.frameworks.Security
+    darwin.apple_sdk.frameworks.SystemConfiguration
   ];
 
   env = {
@@ -44,9 +50,11 @@ rustPlatform.buildRustPackage rec {
 
   postInstall = ''
     cargo xtask dist_cli
-    installManPage man/man*/*
+    installManPage dist/cli/man/*
     installShellCompletion --cmd owmods \
-      dist/cli/completions/owmods.{bash,fish,zsh}
+    dist/cli/completions/owmods.{bash,fish,zsh}
+    '' + lib.optionalString wrapWithMono ''
+    wrapProgram $out/bin/${meta.mainProgram} --prefix PATH : '${mono}/bin'
   '';
 
   passthru.updateScript = nix-update-script {};
@@ -58,6 +66,6 @@ rustPlatform.buildRustPackage rec {
     changelog = "https://github.com/ow-mods/ow-mod-man/releases/tag/cli_v${version}";
     mainProgram = "owmods";
     license = licenses.gpl3Plus;
-    maintainers = with maintainers; [ locochoco ];
+    maintainers = with maintainers; [ bwc9876 spoonbaker locochoco ];
   };
 }
diff --git a/pkgs/by-name/pr/protonmail-bridge-gui/package.nix b/pkgs/by-name/pr/protonmail-bridge-gui/package.nix
new file mode 100644
index 000000000000..2b15e67908d4
--- /dev/null
+++ b/pkgs/by-name/pr/protonmail-bridge-gui/package.nix
@@ -0,0 +1,113 @@
+{ lib
+, stdenv
+, pkg-config
+, libsecret
+, cmake
+, ninja
+, qt6
+, grpc
+, protobuf
+, zlib
+, gtest
+, sentry-native
+, protonmail-bridge
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "protonmail-bridge-gui";
+
+  inherit (protonmail-bridge) version src;
+
+  patches = [
+    # Use `gtest` from Nixpkgs to allow an offline build
+    ./use-nix-googletest.patch
+  ];
+
+  nativeBuildInputs = [
+    pkg-config
+    cmake
+    ninja
+    qt6.qtbase
+    qt6.qtdeclarative
+    qt6.qtwayland
+    qt6.qtsvg
+    qt6.wrapQtAppsHook
+  ];
+
+  buildInputs = [
+    libsecret
+    grpc
+    protobuf
+    zlib
+    gtest
+    sentry-native
+  ];
+
+  sourceRoot = "${finalAttrs.src.name}/internal/frontend/bridge-gui";
+
+  postPatch = ''
+    # Bypass `vcpkg` by deleting lines that `include` BridgeSetup.cmake
+    find . -type f -name "CMakeLists.txt" -exec sed -i "/BridgeSetup\\.cmake/d" {} \;
+
+    # Use the available ICU version
+    sed -i "s/libicu\(i18n\|uc\|data\)\.so\.56/libicu\1.so/g" bridge-gui/DeployLinux.cmake
+
+    # Create a Desktop Entry that uses a `protonmail-bridge-gui` binary without upstream's launcher
+    sed "s/^\(Icon\|Exec\)=.*$/\1=protonmail-bridge-gui/" ../../../dist/proton-bridge.desktop > proton-bridge-gui.desktop
+
+    # Also update `StartupWMClass` to match the GUI binary's `wmclass` (Wayland app id)
+    sed -i "s/^\(StartupWMClass=\)Proton Mail Bridge$/\1ch.proton.bridge-gui/" proton-bridge-gui.desktop
+
+    # Don't build `bridge-gui-tester`
+    sed -i "/add_subdirectory(bridge-gui-tester)/d" CMakeLists.txt
+  '';
+
+  preConfigure = ''
+    cmakeFlagsArray+=(
+      "-DCMAKE_BUILD_TYPE=Release"
+      "-DBRIDGE_APP_FULL_NAME=Proton Mail Bridge"
+      "-DBRIDGE_VENDOR=Proton AG"
+      "-DBRIDGE_REVISION=${finalAttrs.src.rev}"
+      "-DBRIDGE_TAG=${finalAttrs.version}"
+      "-DBRIDGE_BUILD_ENV=Nix"
+      "-DBRIDGE_APP_VERSION=${finalAttrs.version}"
+    )
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    # Install the GUI binary
+    install -Dm755 bridge-gui/bridge-gui $out/lib/bridge-gui
+
+    # Symlink the backend binary from the protonmail-bridge (CLI) package
+    ln -s ${protonmail-bridge}/bin/protonmail-bridge $out/lib/bridge
+
+    # Symlink the GUI binary
+    mkdir -p $out/bin
+    ln -s $out/lib/bridge-gui $out/bin/protonmail-bridge-gui
+
+    # Install desktop assets
+    install -Dm644 ../proton-bridge-gui.desktop -t $out/share/applications
+    install -Dm644 ../../../../dist/bridge.svg $out/share/icons/hicolor/scalable/apps/protonmail-bridge-gui.svg
+
+    runHook postInstall
+  '';
+
+  meta = {
+    changelog = "https://github.com/ProtonMail/proton-bridge/blob/${finalAttrs.src.rev}/Changelog.md";
+    description = "Qt-based GUI to use your ProtonMail account with your local e-mail client";
+    downloadPage = "https://github.com/ProtonMail/proton-bridge/releases";
+    homepage = "https://github.com/ProtonMail/proton-bridge";
+    license = lib.licenses.gpl3Plus;
+    longDescription = ''
+      Provides a GUI application that runs in the background and seamlessly encrypts
+      and decrypts your mail as it enters and leaves your computer.
+
+      To work, use secret-service freedesktop.org API (e.g. Gnome keyring) or pass.
+    '';
+    mainProgram = "protonmail-bridge-gui";
+    maintainers = with lib.maintainers; [ daniel-fahey ];
+    platforms = lib.platforms.linux;
+  };
+})
diff --git a/pkgs/by-name/pr/protonmail-bridge-gui/use-nix-googletest.patch b/pkgs/by-name/pr/protonmail-bridge-gui/use-nix-googletest.patch
new file mode 100644
index 000000000000..fc1ad2b3ab16
--- /dev/null
+++ b/pkgs/by-name/pr/protonmail-bridge-gui/use-nix-googletest.patch
@@ -0,0 +1,23 @@
+diff --git a/bridgepp/CMakeLists.txt b/bridgepp/CMakeLists.txt
+index f4a0a553..02d631dc 100644
+--- a/bridgepp/CMakeLists.txt
++++ b/bridgepp/CMakeLists.txt
+@@ -172,16 +172,8 @@ if (CMAKE_VERSION VERSION_GREATER_EQUAL "3.24.0")
+     cmake_policy(SET CMP0135 NEW) # avoid warning DOWNLOAD_EXTRACT_TIMESTAMP
+ endif ()
+ 
+-include(FetchContent)
+-FetchContent_Declare(
+-    googletest
+-    URL https://github.com/google/googletest/archive/b796f7d44681514f58a683a3a71ff17c94edb0c1.zip
+-)
+-
+-# For Windows: Prevent overriding the parent project's compiler/linker settings
+-set(gtest_force_shared_crt ON CACHE BOOL "" FORCE)
+-
+-FetchContent_MakeAvailable(googletest)
++# Use find_package to use the gtest package provided by Nix
++find_package(GTest REQUIRED)
+ 
+ enable_testing()
+ 
diff --git a/pkgs/by-name/re/renode-dts2repl/package.nix b/pkgs/by-name/re/renode-dts2repl/package.nix
index 24736a889e51..8f277a02e220 100644
--- a/pkgs/by-name/re/renode-dts2repl/package.nix
+++ b/pkgs/by-name/re/renode-dts2repl/package.nix
@@ -6,14 +6,14 @@
 
 python3.pkgs.buildPythonApplication {
   pname = "renode-dts2repl";
-  version = "unstable-2024-03-12";
+  version = "unstable-2024-03-19";
   pyproject = true;
 
   src = fetchFromGitHub {
     owner = "antmicro";
     repo = "dts2repl";
-    rev = "eff98d616e3541e54ca783c84f598c9e348a76a8";
-    hash = "sha256-qNHj5WOSca04ceGeRNa60M6cH9/rRHLEF1YX75yYDO8=";
+    rev = "dc4160a3a4c23aee846625ac9115fe2cbb91fe42";
+    hash = "sha256-cy4XLKKiWqEvWWDHmj2bhp38pbtSxp+P92r7NxueAaE=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/by-name/re/renode/package.nix b/pkgs/by-name/re/renode/package.nix
index 33646daac8c5..7ea55e0fff98 100644
--- a/pkgs/by-name/re/renode/package.nix
+++ b/pkgs/by-name/re/renode/package.nix
@@ -23,11 +23,11 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "renode";
-  version = "1.14.0";
+  version = "1.15.0";
 
   src = fetchurl {
-    url = "https://builds.renode.io/renode-${finalAttrs.version}.linux-portable.tar.gz";
-    hash = "sha256-1wfVHtCYc99ACz8m2XEg1R0nIDh9xP4ffV/vxeeEHxE=";
+    url = "https://github.com/renode/renode/releases/download/v${finalAttrs.version}/renode-${finalAttrs.version}.linux-portable.tar.gz";
+    hash = "sha256-w3HKYctW1LmiAse/27Y1Gmz9hDprQ1CK7+TXIexCrkg=";
   };
 
   nativeBuildInputs = [
@@ -95,7 +95,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   meta = {
     description = "Virtual development framework for complex embedded systems";
-    homepage = "https://renode.org";
+    homepage = "https://renode.io";
     license = lib.licenses.bsd3;
     maintainers = with lib.maintainers; [ otavio ];
     platforms = [ "x86_64-linux" ];
diff --git a/pkgs/by-name/rs/rs-tftpd/package.nix b/pkgs/by-name/rs/rs-tftpd/package.nix
new file mode 100644
index 000000000000..43b010913ea8
--- /dev/null
+++ b/pkgs/by-name/rs/rs-tftpd/package.nix
@@ -0,0 +1,26 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "rs-tftpd";
+  version = "0.2.12";
+
+  src = fetchFromGitHub {
+    owner = "altugbakan";
+    repo = "rs-tftpd";
+    rev = version;
+    hash = "sha256-H67lXwX+4guHpdq0yTHe6tl1NxC41saNrM9g+yH5otk=";
+  };
+
+  cargoHash = "sha256-B5kduRuX9Lcdd31yj4PsDo8fyy0nabtmsiAXvc8RlYo=";
+
+  meta = with lib; {
+    description = "TFTP Server Daemon implemented in Rust";
+    homepage = "https://github.com/altugbakan/rs-tftpd";
+    license = licenses.mit;
+    maintainers = with maintainers; [ matthewcroughan ];
+    mainProgram = "tftpd";
+  };
+}
diff --git a/pkgs/by-name/sa/satty/package.nix b/pkgs/by-name/sa/satty/package.nix
index 67f69ab79cfb..31e860de8440 100644
--- a/pkgs/by-name/sa/satty/package.nix
+++ b/pkgs/by-name/sa/satty/package.nix
@@ -16,16 +16,16 @@
 rustPlatform.buildRustPackage rec {
 
   pname = "satty";
-  version = "0.11.2";
+  version = "0.11.3";
 
   src = fetchFromGitHub {
     owner = "gabm";
     repo = "Satty";
     rev = "v${version}";
-    hash = "sha256-bUDKRAp3/ByxWRzpoD0qGInxQuEfVIeYJ/pCcAEfH14=";
+    hash = "sha256-TKpotVVjXWm2uue4a4QEqVH/qHKSsegL2MNcsnk0CHw=";
   };
 
-  cargoHash = "sha256-aH08BJK4uOEUrpoMfVGwGnuzncHHW6w6jjxnk4Xz5zo=";
+  cargoHash = "sha256-0AyzjKkTNZwGCT73Xo5AY7rPJwQ9GgAxtMf6lJnrTSA=";
 
   nativeBuildInputs = [
     copyDesktopItems
diff --git a/pkgs/servers/slimserver/default.nix b/pkgs/by-name/sl/slimserver/package.nix
index 1703c03dee26..94b13c99e9dc 100644
--- a/pkgs/servers/slimserver/default.nix
+++ b/pkgs/by-name/sl/slimserver/package.nix
@@ -6,7 +6,7 @@
 , makeWrapper
 , monkeysAudio
 , nixosTests
-, perl538Packages
+, perlPackages
 , sox
 , stdenv
 , wavpack
@@ -15,20 +15,18 @@
 }:
 
 let
-  perlPackages = perl538Packages;
-
   binPath = lib.makeBinPath ([ lame flac faad2 sox wavpack ] ++ (lib.optional stdenv.isLinux monkeysAudio));
   libPath = lib.makeLibraryPath [ zlib stdenv.cc.cc.lib ];
 in
 perlPackages.buildPerlPackage rec {
   pname = "slimserver";
-  version = "8.4.0";
+  version = "8.5.0";
 
   src = fetchFromGitHub {
-    owner = "Logitech";
+    owner = "LMS-Community";
     repo = "slimserver";
     rev = version;
-    hash = "sha256-92mKchgAWRIrNOeK/zXUYRqIAk6THdtz1zQe3fg2kE0=";
+    hash = "sha256-yDJVqZ0+qVm4r/wmQK/hf9uRJaN56WQMO28RE59mNNI=";
   };
 
   nativeBuildInputs = [ makeWrapper ];
@@ -58,7 +56,7 @@ perlPackages.buildPerlPackage rec {
     DataURIEncode
     DBDSQLite
     DBI
-    # DBIxClass # https://github.com/Logitech/slimserver/issues/138
+    # DBIxClass # https://github.com/LMS-Community/slimserver/issues/138
     DigestSHA1
     EncodeDetect
     EV
@@ -144,16 +142,20 @@ perlPackages.buildPerlPackage rec {
 
   outputs = [ "out" ];
 
-  passthru.tests = {
-    inherit (nixosTests) slimserver;
+  passthru = {
+    tests = {
+      inherit (nixosTests) slimserver;
+    };
+
+    updateScript = ./update.nu;
   };
 
   meta = with lib; {
-    homepage = "https://github.com/Logitech/slimserver";
-    changelog = "https://github.com/Logitech/slimserver/blob/${version}/Changelog${lib.versions.major version}.html";
+    homepage = "https://github.com/LMS-Community/slimserver";
+    changelog = "https://github.com/LMS-Community/slimserver/blob/${version}/Changelog${lib.versions.major version}.html";
     description = "Server for Logitech Squeezebox players. This server is also called Logitech Media Server";
     # the firmware is not under a free license, so we do not include firmware in the default package
-    # https://github.com/Logitech/slimserver/blob/public/8.3/License.txt
+    # https://github.com/LMS-Community/slimserver/blob/public/8.3/License.txt
     license = if enableUnfreeFirmware then licenses.unfree else licenses.gpl2Only;
     mainProgram = "slimserver";
     maintainers = with maintainers; [ adamcstephens jecaro ];
diff --git a/pkgs/by-name/sl/slimserver/update.nu b/pkgs/by-name/sl/slimserver/update.nu
new file mode 100755
index 000000000000..556ed236bb68
--- /dev/null
+++ b/pkgs/by-name/sl/slimserver/update.nu
@@ -0,0 +1,14 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i nu -p nushell common-updater-scripts
+
+# get latest tag, but drop versions 10.0 tags since they are 10+ years old
+let latest_tag = list-git-tags --url=https://github.com/LMS-Community/slimserver | lines | find --invert 10.0 | sort --natural | last
+
+let current_version = nix eval --raw -f default.nix slimserver | str trim
+
+if $latest_tag != $current_version {
+  update-source-version slimserver $latest_tag $"--file=(pwd)/pkgs/by-name/sl/slimserver/package.nix"
+  {before: $current_version, after: $latest_tag}
+} else {
+  "No new version"
+}
diff --git a/pkgs/tools/typesetting/soupault/default.nix b/pkgs/by-name/so/soupault/package.nix
index 82ea1e6f5979..639af4136729 100644
--- a/pkgs/tools/typesetting/soupault/default.nix
+++ b/pkgs/by-name/so/soupault/package.nix
@@ -1,5 +1,5 @@
 { lib
-, fetchFromGitea
+, fetchzip
 , ocamlPackages
 , soupault
 , testers
@@ -8,19 +8,19 @@
 let
   pname = "soupault";
 
-  version = "4.8.0";
+  version = "4.9.0";
 in
 ocamlPackages.buildDunePackage {
   inherit pname version;
 
   minimalOCamlVersion = "4.13";
 
-  src = fetchFromGitea {
-    domain = "codeberg.org";
-    owner = "PataphysicalSociety";
-    repo = pname;
-    rev = version;
-    hash = "sha256-/QpT0zgrfMgRKjHyLHugaAlICpPkqaQ7f8fFAL0P02Y=";
+  src = fetchzip {
+    urls = [
+      "https://github.com/PataphysicalSociety/soupault/archive/${version}.tar.gz"
+      "https://codeberg.org/PataphysicalSociety/soupault/archive/${version}.tar.gz"
+    ];
+    hash = "sha256-vGTJUbAeYs/EYFykNSmCc4c9G66/Lz3BsUYnZQ8feFo=";
   };
 
   buildInputs = with ocamlPackages; [
diff --git a/pkgs/by-name/st/strictdoc/package.nix b/pkgs/by-name/st/strictdoc/package.nix
new file mode 100644
index 000000000000..18bc6db8c215
--- /dev/null
+++ b/pkgs/by-name/st/strictdoc/package.nix
@@ -0,0 +1,76 @@
+{ lib
+, python3
+, fetchFromGitHub
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "strictdoc";
+  version = "0.0.49";
+  pyproject = true;
+
+  src = fetchFromGitHub {
+    owner = "strictdoc-project";
+    repo = "strictdoc";
+    rev = version;
+    hash = "sha256-WtDplupXBtq39oKyo31p5NgXMWtbWgxtpnKn4qCJz3I=";
+  };
+
+  nativeBuildInputs = [
+    python3.pkgs.hatchling
+    python3.pkgs.pythonRelaxDepsHook
+  ];
+
+  propagatedBuildInputs = with python3.pkgs; [
+    beautifulsoup4
+    docutils
+    fastapi
+    graphviz
+    html5lib
+    jinja2
+    lxml
+    pybtex
+    pygments
+    datauri
+    python-multipart
+    selenium
+    requests
+    spdx-tools
+    webdriver-manager
+    reqif
+    setuptools
+    textx
+    toml
+    uvicorn
+    websockets
+    xlrd
+    xlsxwriter
+  ];
+
+  passthru.optional-dependencies = with python3.pkgs; {
+    development = [
+      invoke
+      tox
+    ];
+    nuitka = [
+      nuitka
+      ordered-set
+    ];
+  };
+
+  pythonRelaxDeps = [
+    "python-datauri"
+    "xlsxwriter"
+    "lxml"
+  ];
+
+  pythonImportsCheck = [ "strictdoc" ];
+
+  meta = with lib; {
+    description = "Software for technical documentation and requirements management";
+    homepage = "https://github.com/strictdoc-project/strictdoc";
+    changelog = "https://github.com/strictdoc-project/strictdoc/blob/${src.rev}/CHANGELOG.md";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ yuu ];
+    mainProgram = "strictdoc";
+  };
+}
diff --git a/pkgs/by-name/up/upiano/package.nix b/pkgs/by-name/up/upiano/package.nix
index d13ff18bd425..351e80f0b6d0 100644
--- a/pkgs/by-name/up/upiano/package.nix
+++ b/pkgs/by-name/up/upiano/package.nix
@@ -6,19 +6,24 @@
 python3.pkgs.buildPythonApplication rec {
   pname = "upiano";
   version = "0.1.2";
-  format = "pyproject";
+  pyproject = true;
 
   src = fetchFromGitHub {
     owner = "eliasdorneles";
     repo = "upiano";
-    rev = "v${version}";
+    rev = "refs/tags/v${version}";
     hash = "sha256-5WhflvUCjzW4ZJ+PLUTMbKcUnQa3ChkDjl0R5YvjBWk=";
     forceFetchGit = true;
     fetchLFS = true;
   };
 
-  nativeBuildInputs = [
-    python3.pkgs.poetry-core
+  pythonRelaxDeps = [
+    "textual"
+  ];
+
+  nativeBuildInputs = with python3.pkgs; [
+    poetry-core
+    pythonRelaxDepsHook
   ];
 
   propagatedBuildInputs = with python3.pkgs; [
@@ -26,7 +31,9 @@ python3.pkgs.buildPythonApplication rec {
     textual
   ];
 
-  pythonImportsCheck = [ "upiano" ];
+  pythonImportsCheck = [
+    "upiano"
+  ];
 
   meta = with lib; {
     description = "A Piano in your terminal";
diff --git a/pkgs/by-name/ux/uxn/package.nix b/pkgs/by-name/ux/uxn/package.nix
index 0569d11fa1f2..2ce14ff19f80 100644
--- a/pkgs/by-name/ux/uxn/package.nix
+++ b/pkgs/by-name/ux/uxn/package.nix
@@ -7,13 +7,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "uxn";
-  version = "unstable-2024-03-16";
+  version = "unstable-2024-03-18";
 
   src = fetchFromSourcehut {
     owner = "~rabbits";
     repo = "uxn";
-    rev = "5d3cf8b61457fea833d3e232297b378ba54c8350";
-    hash = "sha256-PXXsMKAPRUs4/Y4s/NBorcJmv7RtNK7UlRgmyowrm3A=";
+    rev = "250aecc920a6f12d2d5479a5230a31630dac2a1e";
+    hash = "sha256-nhKlcuhXkrhecRwVIuSf+jOmFbX0NMhmmc5pj6MCNdQ=";
   };
 
   outputs = [ "out" "projects" ];
diff --git a/pkgs/by-name/xd/xdg-terminal-exec/package.nix b/pkgs/by-name/xd/xdg-terminal-exec/package.nix
index 1dd07bd22396..461b7f58ee33 100644
--- a/pkgs/by-name/xd/xdg-terminal-exec/package.nix
+++ b/pkgs/by-name/xd/xdg-terminal-exec/package.nix
@@ -2,16 +2,17 @@
   lib,
   stdenvNoCC,
   fetchFromGitHub,
+  dash,
 }:
-stdenvNoCC.mkDerivation {
+stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "xdg-terminal-exec";
-  version = "unstable-2023-12-08";
+  version = "0.9.0";
 
   src = fetchFromGitHub {
     owner = "Vladimir-csp";
     repo = "xdg-terminal-exec";
-    rev = "04f37d4337b6ce157d4a7338dd600a32deb43a28";
-    hash = "sha256-QIPdF+/dMUEVcz5j9o+wQ4dnw2yWwz7slnLdMNETkGs=";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-uLUHvSjxIjmy0ejqLfliB6gHFRwyTWNH1RL5kTXebUM=";
   };
 
   dontBuild = true;
@@ -21,6 +22,12 @@ stdenvNoCC.mkDerivation {
     runHook postInstall
   '';
 
+  dontPatchShebangs = true;
+  postFixup = ''
+    substituteInPlace $out/bin/xdg-terminal-exec \
+      --replace-fail '#!/bin/sh' '#!${lib.getExe dash}'
+  '';
+
   meta = {
     description = "Proposal for XDG terminal execution utility";
     homepage = "https://github.com/Vladimir-csp/xdg-terminal-exec";
@@ -29,4 +36,4 @@ stdenvNoCC.mkDerivation {
     maintainers = with lib.maintainers; [quantenzitrone];
     platforms = lib.platforms.unix;
   };
-}
+})
diff --git a/pkgs/data/fonts/babelstone-han/default.nix b/pkgs/data/fonts/babelstone-han/default.nix
index 9839295653d1..6dfad42d2086 100644
--- a/pkgs/data/fonts/babelstone-han/default.nix
+++ b/pkgs/data/fonts/babelstone-han/default.nix
@@ -23,7 +23,7 @@ stdenvNoCC.mkDerivation {
     description = "Unicode CJK font with over 36000 Han characters";
     homepage = "https://www.babelstone.co.uk/Fonts/Han.html";
 
-    license = licenses.free;
+    license = licenses.arphicpl;
     platforms = platforms.all;
     maintainers = with maintainers; [ emily ];
   };
diff --git a/pkgs/data/fonts/bront/default.nix b/pkgs/data/fonts/bront/default.nix
index d21c820f127b..36e6adb380df 100644
--- a/pkgs/data/fonts/bront/default.nix
+++ b/pkgs/data/fonts/bront/default.nix
@@ -19,7 +19,7 @@ stdenvNoCC.mkDerivation {
     description = "Bront Fonts";
     longDescription = "Ubuntu Mono Bront and DejaVu Sans Mono Bront fonts.";
     homepage = "https://github.com/chrismwendt/bront";
-    license = licenses.free;
+    license = with licenses; [ bitstreamVera ufl ];
     platforms = platforms.all;
     maintainers = [ maintainers.grburst ];
   };
diff --git a/pkgs/data/misc/conway_polynomials/default.nix b/pkgs/data/misc/conway_polynomials/default.nix
deleted file mode 100644
index caf470c51152..000000000000
--- a/pkgs/data/misc/conway_polynomials/default.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{ lib, stdenv
-, fetchurl
-, python3
-}:
-
-stdenv.mkDerivation rec {
-  pname = "conway_polynomials";
-  version = "0.5";
-
-  src = fetchurl {
-    url = "mirror://sageupstream/conway_polynomials/conway_polynomials-${version}.tar.bz2";
-    sha256 = "05zb1ly9x2bbscqv0jgc45g48xx77mfs7qdbqhn4ihmihn57iwnq";
-  };
-
-  # Script that creates the "database" (nested python array) and pickles it
-  spkg-install = fetchurl {
-    url = "https://raw.githubusercontent.com/sagemath/sage/9.2/build/pkgs/conway_polynomials/spkg-install.py";
-    sha256 = "1bwnqasnyv793hxg29viing4dnliz29grkhldsirq19d509yk1fs";
-  };
-
-  installPhase = ''
-    # directory layout as spkg-install.py expects
-    dir="$PWD"
-    cd ..
-    ln -s "$dir" "src"
-
-    # environment spkg-install.py expects
-    mkdir -p "$out/share"
-    export SAGE_SHARE="$out/share"
-    export PYTHONPATH=$PWD
-
-    ${python3.interpreter} ${spkg-install}
-  '';
-
-  meta = with lib; {
-    description = "Contains a small database of Conway polynomials";
-    license = licenses.gpl2;
-    platforms = platforms.all;
-    maintainers = teams.sage.members;
-  };
-}
diff --git a/pkgs/data/themes/andromeda-gtk-theme/default.nix b/pkgs/data/themes/andromeda-gtk-theme/default.nix
new file mode 100644
index 000000000000..ae42843d7afa
--- /dev/null
+++ b/pkgs/data/themes/andromeda-gtk-theme/default.nix
@@ -0,0 +1,60 @@
+{ lib, stdenvNoCC, fetchFromGitHub, gtk-engine-murrine }:
+
+stdenvNoCC.mkDerivation {
+  pname = "andromeda-gtk-theme";
+  version = "0-unstable-2024-03-04";
+
+  srcs = [
+    (fetchFromGitHub {
+      owner = "EliverLara";
+      repo = "Andromeda-gtk";
+      rev = "250751a546dd0fa2e67eef86d957fbf993b61dfe";
+      hash = "sha256-exr9j/jW2P9cBhKUPQy3AtK5Vgav5vOyWInXUyVhBk0=";
+      name = "Andromeda-gtk";
+    })
+
+    (fetchFromGitHub {
+      owner = "EliverLara";
+      repo = "Andromeda-gtk";
+      rev = "11a6194d19cb846447db048455a5e782ec830ae1";
+      hash = "sha256-Yy3mih0nyA+ahLqj2D99EKqtmWYJRsvQMkmlLfUPcqQ=";
+      name = "Andromeda-gtk-standard-buttons";
+    })
+  ];
+
+  sourceRoot = ".";
+
+  propagatedUserEnvPkgs = [
+    gtk-engine-murrine
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/share/themes
+    cp -a Andromeda* $out/share/themes
+
+    # remove uneeded files, which are not distributed in https://www.gnome-look.org/p/2039961/
+    rm -rf $out/share/themes/*/Art
+    rm -rf $out/share/themes/*/LICENSE
+    rm -rf $out/share/themes/*/README.md
+    rm -rf $out/share/themes/*/{package.json,package-lock.json,Gulpfile.js}
+    rm -rf $out/share/themes/*/src
+    rm -rf $out/share/themes/*/cinnamon/*.scss
+    rm -rf $out/share/themes/*/gnome-shell/{earlier-versions,extensions,*.scss}
+    rm -rf $out/share/themes/*/gtk-2.0/{assets.svg,assets.txt,links.fish,render-assets.sh}
+    rm -rf $out/share/themes/*/gtk-3.0/{apps,widgets,*.scss}
+    rm -rf $out/share/themes/*/gtk-4.0/{apps,widgets,*.scss}
+    rm -rf $out/share/themes/*/xfwm4/{assets,render_assets.fish}
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "An elegant dark theme for gnome, mate, budgie, cinnamon, xfce";
+    homepage = "https://github.com/EliverLara/Andromeda-gtk";
+    license = licenses.gpl3Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ jakedevs ];
+  };
+}
diff --git a/pkgs/development/chez-modules/chez-mit/default.nix b/pkgs/development/chez-modules/chez-mit/default.nix
index 10407598fb96..677e7fc99194 100644
--- a/pkgs/development/chez-modules/chez-mit/default.nix
+++ b/pkgs/development/chez-modules/chez-mit/default.nix
@@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
     description = "This is a MIT/GNU Scheme compatibility library for Chez Scheme";
     homepage = "https://github.com/fedeinthemix/chez-mit/";
     maintainers = [ maintainers.jitwit ];
-    license = licenses.free;
+    license = licenses.gpl3Plus;
   };
 
 }
diff --git a/pkgs/development/chez-modules/chez-srfi/default.nix b/pkgs/development/chez-modules/chez-srfi/default.nix
index 1780a1356c5c..d821e6d01556 100644
--- a/pkgs/development/chez-modules/chez-srfi/default.nix
+++ b/pkgs/development/chez-modules/chez-srfi/default.nix
@@ -27,7 +27,7 @@ stdenv.mkDerivation {
     description = "This package provides a collection of SRFI libraries for Chez Scheme";
     homepage = "https://github.com/fedeinthemix/chez-srfi/";
     maintainers = [ maintainers.jitwit ];
-    license = licenses.free;
+    license = licenses.x11;
   };
 
 }
diff --git a/pkgs/development/interpreters/wasmer/default.nix b/pkgs/development/interpreters/wasmer/default.nix
index e69e04f06df3..a509107ec163 100644
--- a/pkgs/development/interpreters/wasmer/default.nix
+++ b/pkgs/development/interpreters/wasmer/default.nix
@@ -14,16 +14,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "wasmer";
-  version = "4.2.6";
+  version = "4.2.7";
 
   src = fetchFromGitHub {
     owner = "wasmerio";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-FSplJAVdy/b0HXvW1qny052I7Fm9EA83/XqmgEvneeg=";
+    hash = "sha256-jyA1DUouODq9giAWeGOw7VMGwA+FbyqpEU77jtCb5v4=";
   };
 
-  cargoHash = "sha256-OYHPudXGsDLVx6XKTsJTxqG5cbOAD25sd5KJDyU9lvY=";
+  cargoHash = "sha256-EpHM8YaT2Ty9IBX/gXEa9n8006A9Y5/fq/ueODxHlnc=";
 
   nativeBuildInputs = [
     rustPlatform.bindgenHook
diff --git a/pkgs/development/libraries/allegro/default.nix b/pkgs/development/libraries/allegro/default.nix
index d9c862443653..0318c3133d63 100644
--- a/pkgs/development/libraries/allegro/default.nix
+++ b/pkgs/development/libraries/allegro/default.nix
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "A game programming library";
     homepage = "https://liballeg.org/";
-    license = licenses.free; # giftware
+    license = licenses.giftware;
     maintainers = [ maintainers.raskin ];
     platforms = platforms.linux;
   };
diff --git a/pkgs/development/libraries/arguments/default.nix b/pkgs/development/libraries/arguments/default.nix
index bacb7662386e..524e00dc5a76 100644
--- a/pkgs/development/libraries/arguments/default.nix
+++ b/pkgs/development/libraries/arguments/default.nix
@@ -26,6 +26,6 @@ stdenv.mkDerivation rec {
     description = "Library for argument handling for MINC programs";
     maintainers = with maintainers; [ bcdarwin ];
     platforms = platforms.unix;
-    license   = licenses.free;
+    license   = licenses.gpl2Plus;
   };
 }
diff --git a/pkgs/development/libraries/fflas-ffpack/default.nix b/pkgs/development/libraries/fflas-ffpack/default.nix
index 66ea25a4b11b..25bab6645e07 100644
--- a/pkgs/development/libraries/fflas-ffpack/default.nix
+++ b/pkgs/development/libraries/fflas-ffpack/default.nix
@@ -31,6 +31,7 @@ stdenv.mkDerivation rec {
   configureFlags = [
     "--with-blas-libs=-lcblas"
     "--with-lapack-libs=-llapacke"
+    "--without-archnative"
   ] ++ lib.optionals stdenv.isx86_64 [
     # disable SIMD instructions (which are enabled *when available* by default)
     # for now we need to be careful to disable *all* relevant versions of an instruction set explicitly (https://github.com/linbox-team/fflas-ffpack/issues/284)
diff --git a/pkgs/development/libraries/flint/3.nix b/pkgs/development/libraries/flint/3.nix
index 3be7fdc63904..b8b8c2d8ec7d 100644
--- a/pkgs/development/libraries/flint/3.nix
+++ b/pkgs/development/libraries/flint/3.nix
@@ -24,16 +24,19 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-ezEaAFA6hjiB64F32+uEMi8pOZ89fXLzsaTJuh1XlLQ=";
   };
 
-  propagatedBuildInputs = [
+  nativeBuildInputs = [
     autoconf
     automake
     gettext
     libtool
   ];
 
+  propagatedBuildInputs = [
+    mpfr
+  ];
+
   buildInputs = [
     gmp
-    mpfr
   ] ++ lib.optionals withBlas [
     openblas
   ] ++ lib.optionals withNtl [
diff --git a/pkgs/development/libraries/givaro/default.nix b/pkgs/development/libraries/givaro/default.nix
index 5df1413287d9..a7b1eaa43831 100644
--- a/pkgs/development/libraries/givaro/default.nix
+++ b/pkgs/development/libraries/givaro/default.nix
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
   propagatedBuildInputs = [ gmpxx ];
 
   configureFlags = [
-    "--disable-optimization"
+    "--without-archnative"
   ] ++ lib.optionals stdenv.isx86_64 [
     # disable SIMD instructions (which are enabled *when available* by default)
     "--${if stdenv.hostPlatform.sse3Support   then "enable" else "disable"}-sse3"
diff --git a/pkgs/development/libraries/linbox/default.nix b/pkgs/development/libraries/linbox/default.nix
index f7e6d0f13b1b..0997513f5a51 100644
--- a/pkgs/development/libraries/linbox/default.nix
+++ b/pkgs/development/libraries/linbox/default.nix
@@ -37,7 +37,7 @@ stdenv.mkDerivation rec {
 
   configureFlags = [
     "--with-blas-libs=-lblas"
-    "--disable-optimization"
+    "--without-archnative"
   ] ++ lib.optionals stdenv.isx86_64 [
     # disable SIMD instructions (which are enabled *when available* by default)
     "--${if stdenv.hostPlatform.sse3Support   then "enable" else "disable"}-sse3"
diff --git a/pkgs/development/libraries/science/biology/bicgl/default.nix b/pkgs/development/libraries/science/biology/bicgl/default.nix
index 4f98874b2595..07d64fbd97ed 100644
--- a/pkgs/development/libraries/science/biology/bicgl/default.nix
+++ b/pkgs/development/libraries/science/biology/bicgl/default.nix
@@ -28,6 +28,6 @@ stdenv.mkDerivation rec {
     description = "Brain Imaging Centre graphics library";
     maintainers = with maintainers; [ bcdarwin ];
     platforms = platforms.unix;
-    license = licenses.free;
+    license = licenses.hpndUc;
   };
 }
diff --git a/pkgs/development/libraries/science/biology/bicpl/default.nix b/pkgs/development/libraries/science/biology/bicpl/default.nix
index 5cf63e342242..c15689aa606a 100644
--- a/pkgs/development/libraries/science/biology/bicpl/default.nix
+++ b/pkgs/development/libraries/science/biology/bicpl/default.nix
@@ -25,6 +25,6 @@ stdenv.mkDerivation rec {
     description = "Brain Imaging Centre programming library";
     maintainers = with maintainers; [ bcdarwin ];
     platforms = platforms.unix;
-    license   = licenses.free;
+    license   = with licenses; [ hpndUc gpl3Plus ];
   };
 }
diff --git a/pkgs/development/lua-modules/generated-packages.nix b/pkgs/development/lua-modules/generated-packages.nix
index 785de9eafe44..f63a2acd23dc 100644
--- a/pkgs/development/lua-modules/generated-packages.nix
+++ b/pkgs/development/lua-modules/generated-packages.nix
@@ -2726,6 +2726,30 @@ buildLuarocksPackage {
   };
 }) {};
 
+mimetypes = callPackage({ buildLuarocksPackage, fetchurl, lua, luaOlder }:
+buildLuarocksPackage {
+  pname = "mimetypes";
+  version = "1.0.0-3";
+  knownRockspec = (fetchurl {
+    url    = "mirror://luarocks/mimetypes-1.0.0-3.rockspec";
+    sha256 = "02f5x5pkz6fba71mp031arrgmddsyivn5fsa0pj3q3a7nxxpmnq9";
+  }).outPath;
+  src = fetchurl {
+    url    = "https://github.com/lunarmodules/lua-mimetypes/archive/v1.0.0/lua-mimetypes-1.0.0.tar.gz";
+    sha256 = "1rc5lnzvw4cg8wxn4w4sar2xgf5vaivdd2hgpxxcqfzzcmblg1zk";
+  };
+
+  disabled = (luaOlder "5.1");
+  propagatedBuildInputs = [ lua ];
+
+  meta = {
+    homepage = "https://github/lunarmodules/lua-mimetypes/";
+    description = "A simple library for looking up the MIME types of files.";
+    license.fullName = "MIT/X11";
+  };
+}) {};
+
+
 moonscript = callPackage({ argparse, buildLuarocksPackage, fetchgit, lpeg, lua, luaOlder, luafilesystem }:
 buildLuarocksPackage {
   pname = "moonscript";
diff --git a/pkgs/development/ocaml-modules/eliom/default.nix b/pkgs/development/ocaml-modules/eliom/default.nix
index 48b9a153f5b3..73f7c0aaccd2 100644
--- a/pkgs/development/ocaml-modules/eliom/default.nix
+++ b/pkgs/development/ocaml-modules/eliom/default.nix
@@ -1,6 +1,7 @@
 { buildDunePackage
 , lib
 , fetchFromGitHub
+, fetchpatch
 , which
 , ocsigen_server
 , lwt_react
@@ -26,6 +27,12 @@ buildDunePackage rec {
     hash = "sha256-REOyxwnQqWOKywVYwN/WP22cNKZv5Nv0OpFVbNBPJN8=";
   };
 
+  # Compatibility with tyxml 4.6.x
+  patches = fetchpatch {
+    url = "https://github.com/ocsigen/eliom/commit/9a6adcce3959a37b971890999331335d07f4f732.patch";
+    hash = "sha256-rgsqohSAHHljvag3c+HNGEgW9qwmqPq8qfTpX6vVKtg=";
+  };
+
   nativeBuildInputs = [
     which
   ];
diff --git a/pkgs/development/ocaml-modules/lwd/tyxml-lwd.nix b/pkgs/development/ocaml-modules/lwd/tyxml-lwd.nix
index 0832847be3d6..0aad68fa5a0b 100644
--- a/pkgs/development/ocaml-modules/lwd/tyxml-lwd.nix
+++ b/pkgs/development/ocaml-modules/lwd/tyxml-lwd.nix
@@ -1,12 +1,17 @@
-{ lib, fetchurl, buildDunePackage, js_of_ocaml, js_of_ocaml-ppx, lwd, tyxml }:
+{ lib, fetchurl, fetchpatch, buildDunePackage, js_of_ocaml, js_of_ocaml-ppx, lwd, tyxml }:
 
 buildDunePackage {
   pname = "tyxml-lwd";
 
   inherit (lwd) version src;
 
+  # Compatibility with latest Tyxml (4.6.x)
+  patches = fetchpatch {
+    url = "https://github.com/let-def/lwd/commit/7f3364ec593b5ccf0d0294b97bcd1e28e4164691.patch";
+    hash = "sha256-W1HjExZxDKRwsrB9ZTkvHTMKO0K5iZl+FrNqPs6BPGU=";
+  };
+
   minimalOCamlVersion = "4.08";
-  duneVersion = "3";
 
   buildInputs = [ js_of_ocaml-ppx ];
   propagatedBuildInputs = [ js_of_ocaml lwd tyxml ];
diff --git a/pkgs/development/ocaml-modules/ocsigen-start/default.nix b/pkgs/development/ocaml-modules/ocsigen-start/default.nix
index 3b26c28f5341..e9af3a27a756 100644
--- a/pkgs/development/ocaml-modules/ocsigen-start/default.nix
+++ b/pkgs/development/ocaml-modules/ocsigen-start/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchFromGitHub, ocaml, findlib, ocsigen-toolkit, pgocaml_ppx, safepass, yojson
+{ stdenv, lib, fetchFromGitHub, fetchpatch, ocaml, findlib, ocsigen-toolkit, pgocaml_ppx, safepass, yojson
 , cohttp-lwt-unix, eliom
 , resource-pooling
 , ocsigen-ppx-rpc
@@ -14,7 +14,13 @@ stdenv.mkDerivation rec {
 
   strictDeps = true;
 
-  patches = [ ./templates-dir.patch ];
+  patches = [ ./templates-dir.patch
+    # Compatibility with tyxml 4.6.x
+    (fetchpatch {
+       url = "https://github.com/ocsigen/ocsigen-start/commit/0b70506f94fcb2e06cb65ce0d6a28b9b84c695f3.patch";
+       hash = "sha256-p/VvIu9reI8lc9lxWiTrjZvn46vuF00QInYuWPtRVyk=";
+    })
+  ];
 
   src = fetchFromGitHub {
     owner = "ocsigen";
diff --git a/pkgs/development/ocaml-modules/tyxml/default.nix b/pkgs/development/ocaml-modules/tyxml/default.nix
index c49327d7d338..4cc5aa4cc42d 100644
--- a/pkgs/development/ocaml-modules/tyxml/default.nix
+++ b/pkgs/development/ocaml-modules/tyxml/default.nix
@@ -2,13 +2,11 @@
 
 buildDunePackage rec {
   pname = "tyxml";
-  version = "4.5.0";
-
-  useDune2 = true;
+  version = "4.6.0";
 
   src = fetchurl {
     url = "https://github.com/ocsigen/tyxml/releases/download/${version}/tyxml-${version}.tbz";
-    sha256 = "0s30f72m457c3gbdmdwbx7ls9zg806nvm83aiz9qkpglbppwr6n6";
+    hash = "sha256-v+tnPGtOEgpOykxIRIrdR9w/jQLCtA9j/9zMTpHJAt0=";
   };
 
   propagatedBuildInputs = [ uutf re ];
diff --git a/pkgs/development/perl-modules/ImageExifTool/default.nix b/pkgs/development/perl-modules/ImageExifTool/default.nix
new file mode 100644
index 000000000000..b9426f57fe11
--- /dev/null
+++ b/pkgs/development/perl-modules/ImageExifTool/default.nix
@@ -0,0 +1,55 @@
+{ lib
+, stdenv
+, buildPerlPackage
+, exiftool
+, fetchurl
+, gitUpdater
+, shortenPerlShebang
+, testers
+}:
+
+buildPerlPackage rec {
+  pname = "Image-ExifTool";
+  version = "12.80";
+
+  src = fetchurl {
+    url = "https://exiftool.org/Image-ExifTool-${version}.tar.gz";
+    hash = "sha256-k9UinWyy++gGSTK9H1Pht81FH4hDzG7uZSBSjLLVeQY=";
+  };
+
+  nativeBuildInputs = lib.optional stdenv.isDarwin shortenPerlShebang;
+  postInstall = lib.optionalString stdenv.isDarwin ''
+    shortenPerlShebang $out/bin/exiftool
+  '';
+
+  passthru = {
+    tests.version = testers.testVersion {
+      inherit version;
+      command = "${lib.getExe exiftool} -ver";
+      package = exiftool;
+    };
+    updateScript = gitUpdater {
+      url = "https://github.com/exiftool/exiftool.git";
+    };
+  };
+
+  meta = {
+    description = "A tool to read, write and edit EXIF meta information";
+    longDescription = ''
+      ExifTool is a platform-independent Perl library plus a command-line
+      application for reading, writing and editing meta information in a wide
+      variety of files. ExifTool supports many different metadata formats
+      including EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop
+      IRB, FlashPix, AFCP and ID3, as well as the maker notes of many digital
+      cameras by Canon, Casio, DJI, FLIR, FujiFilm, GE, GoPro, HP,
+      JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Motorola, Nikon,
+      Nintendo, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Phase One,
+      Reconyx, Ricoh, Samsung, Sanyo, Sigma/Foveon and Sony.
+    '';
+    homepage = "https://exiftool.org/";
+    changelog = "https://exiftool.org/history.html";
+    license = with lib.licenses; [ gpl1Plus /* or */ artistic2 ];
+    maintainers = with lib.maintainers; [ kiloreux anthonyroussel ];
+    mainProgram = "exiftool";
+  };
+}
diff --git a/pkgs/development/python-modules/asyncpg/default.nix b/pkgs/development/python-modules/asyncpg/default.nix
index 88591af61bbd..dce3a9ba0642 100644
--- a/pkgs/development/python-modules/asyncpg/default.nix
+++ b/pkgs/development/python-modules/asyncpg/default.nix
@@ -1,6 +1,7 @@
 { lib
 , fetchPypi
 , buildPythonPackage
+, async-timeout
 , uvloop
 , postgresql
 , pythonOlder
@@ -13,7 +14,7 @@ buildPythonPackage rec {
   version = "0.29.0";
   format = "setuptools";
 
-  disabled = pythonOlder "3.7";
+  disabled = pythonOlder "3.8";
 
   src = fetchPypi {
     inherit pname version;
@@ -23,6 +24,12 @@ buildPythonPackage rec {
   # sandboxing issues on aarch64-darwin, see https://github.com/NixOS/nixpkgs/issues/198495
   doCheck = postgresql.doCheck;
 
+  # required for compatibility with Python versions older than 3.11
+  # see https://github.com/MagicStack/asyncpg/blob/v0.29.0/asyncpg/_asyncio_compat.py#L13
+  propagatedBuildInputs = lib.optionals (pythonOlder "3.11") [
+    async-timeout
+  ];
+
   nativeCheckInputs = [
     uvloop
     postgresql
diff --git a/pkgs/development/python-modules/aws-encryption-sdk/default.nix b/pkgs/development/python-modules/aws-encryption-sdk/default.nix
index 7cdcc917c8a8..3682fd59c007 100644
--- a/pkgs/development/python-modules/aws-encryption-sdk/default.nix
+++ b/pkgs/development/python-modules/aws-encryption-sdk/default.nix
@@ -7,7 +7,6 @@
 , mock
 , pytest-mock
 , pytestCheckHook
-, pythonAtLeast
 , pythonOlder
 , setuptools
 , wrapt
@@ -15,14 +14,14 @@
 
 buildPythonPackage rec {
   pname = "aws-encryption-sdk";
-  version = "3.1.1";
+  version = "3.2.0";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-jV+/AY/GjWscrL5N0Df9gFKWx3Nqn+RX62hNBT9/lWM=";
+    hash = "sha256-QwT8+M4qo/qYsaz/ejvzzQUowynAxDe1Xg9Fa79iNH4=";
   };
 
   nativeBuildInputs = [
@@ -48,9 +47,8 @@ buildPythonPackage rec {
     "test/integration"
   ];
 
-  disabledTests = lib.optionals (pythonAtLeast "3.12") [
-    # AssertionError: Regex pattern did not match, https://github.com/aws/aws-encryption-sdk-python/issues/644
-    "test_abstracts"
+  pythonImportsCheck = [
+    "aws_encryption_sdk"
   ];
 
   meta = with lib; {
diff --git a/pkgs/development/python-modules/boto3-stubs/default.nix b/pkgs/development/python-modules/boto3-stubs/default.nix
index d6c1756f275d..dd2eaf5d78f5 100644
--- a/pkgs/development/python-modules/boto3-stubs/default.nix
+++ b/pkgs/development/python-modules/boto3-stubs/default.nix
@@ -365,14 +365,14 @@
 
 buildPythonPackage rec {
   pname = "boto3-stubs";
-  version = "1.34.65";
+  version = "1.34.67";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-EF2koE3LXk3ckPIauLJKNCPs+stHdbjM04eVdOXc41g=";
+    hash = "sha256-ClKKx4AgcKf5VSSCufiQn3MzxqNIq2he0UQH872kK+Q=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/botocore-stubs/default.nix b/pkgs/development/python-modules/botocore-stubs/default.nix
index 0eb05bbae616..8a07d01a7a09 100644
--- a/pkgs/development/python-modules/botocore-stubs/default.nix
+++ b/pkgs/development/python-modules/botocore-stubs/default.nix
@@ -9,7 +9,7 @@
 
 buildPythonPackage rec {
   pname = "botocore-stubs";
-  version = "1.34.65";
+  version = "1.34.67";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
@@ -17,7 +17,7 @@ buildPythonPackage rec {
   src = fetchPypi {
     pname = "botocore_stubs";
     inherit version;
-    hash = "sha256-fFEK2yxv/uLipfGYwQMLuO3/ITbuVuRnKcAuo3skJKU=";
+    hash = "sha256-ventoBzkmDwt3pQ68lRo6lb2dxUapTOqo5du41xuN7c=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/conway-polynomials/default.nix b/pkgs/development/python-modules/conway-polynomials/default.nix
new file mode 100644
index 000000000000..d5b57a10aa39
--- /dev/null
+++ b/pkgs/development/python-modules/conway-polynomials/default.nix
@@ -0,0 +1,23 @@
+{ lib
+, fetchPypi
+, buildPythonPackage
+}:
+
+buildPythonPackage rec {
+  pname = "conway-polynomials";
+  version = "0.9";
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-btIwBgm8558BddW4VGhY7sAoVPi+MjfbjRRJzMzBxYE=";
+  };
+
+  pythonImportsCheck = [ "conway_polynomials" ];
+
+  meta = with lib; {
+    description = "Python interface to Frank Lübeck's Conway polynomial database";
+    homepage = "https://github.com/sagemath/conway-polynomials";
+    maintainers = teams.sage.members;
+    license = licenses.gpl3Plus;
+  };
+}
diff --git a/pkgs/development/python-modules/datadog/default.nix b/pkgs/development/python-modules/datadog/default.nix
index c700bdd82b39..8b0b0956b89d 100644
--- a/pkgs/development/python-modules/datadog/default.nix
+++ b/pkgs/development/python-modules/datadog/default.nix
@@ -16,14 +16,14 @@
 
 buildPythonPackage rec {
   pname = "datadog";
-  version = "0.49.0";
+  version = "0.49.1";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-rcHH/a6ntmQZvyDqsg2eWcMQbKouauHsUvJtECQPsiw=";
+    hash = "sha256-TLenmRr2ytuGj+RQzUVkc+ZfEfxni3189hBE/xxgdNg=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/django-anymail/default.nix b/pkgs/development/python-modules/django-anymail/default.nix
index 799881ebee35..1e619035bd05 100644
--- a/pkgs/development/python-modules/django-anymail/default.nix
+++ b/pkgs/development/python-modules/django-anymail/default.nix
@@ -1,25 +1,29 @@
 { lib
+, boto3
 , buildPythonPackage
-, fetchFromGitHub
-, requests
 , django
-, boto3
+, fetchFromGitHub
 , hatchling
-, python
 , mock
+, python
+, pythonOlder
+, requests
 , responses
+, urllib3
 }:
 
 buildPythonPackage rec {
   pname = "django-anymail";
-  version = "10.2";
+  version = "10.3";
   pyproject = true;
 
+  disabled = pythonOlder "3.7";
+
   src = fetchFromGitHub {
     owner = "anymail";
-    repo = pname;
+    repo = "django-anymail";
     rev = "refs/tags/v${version}";
-    hash = "sha256-k4C82OYm2SdjxeLScrkkitumjYgWkMNFlNeGW+C1Z8o=";
+    hash = "sha256-5uSpPeXpMkpuzMXzsGE6uQJWP/Dt/oqakB8Xb5G1eZY=";
   };
 
   nativeBuildInputs = [
@@ -27,8 +31,9 @@ buildPythonPackage rec {
   ];
 
   propagatedBuildInputs = [
-    requests
     django
+    requests
+    urllib3
   ];
 
   nativeCheckInputs = [
@@ -37,7 +42,9 @@ buildPythonPackage rec {
   ] ++ passthru.optional-dependencies.amazon-ses;
 
   passthru.optional-dependencies = {
-    amazon-ses = [ boto3 ];
+    amazon-ses = [
+      boto3
+    ];
   };
 
   checkPhase = ''
@@ -46,11 +53,14 @@ buildPythonPackage rec {
     runHook postCheck
   '';
 
-  pythonImportsCheck = [ "anymail" ];
+  pythonImportsCheck = [
+    "anymail"
+  ];
 
   meta = with lib; {
     description = "Django email backends and webhooks for Mailgun";
     homepage = "https://github.com/anymail/django-anymail";
+    changelog = "https://github.com/anymail/django-anymail/blob/v${version}/CHANGELOG.rst";
     license = licenses.bsd3;
     maintainers = with maintainers; [ onny ];
   };
diff --git a/pkgs/development/python-modules/etils/default.nix b/pkgs/development/python-modules/etils/default.nix
index b6990e50330f..fd1d034138e9 100644
--- a/pkgs/development/python-modules/etils/default.nix
+++ b/pkgs/development/python-modules/etils/default.nix
@@ -28,14 +28,14 @@
 
 buildPythonPackage rec {
   pname = "etils";
-  version = "1.7.0";
+  version = "1.8.0";
   pyproject = true;
 
   disabled = pythonOlder "3.10";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-l7aP0l4YVoMhUobvOlTjgZm2JF9f6L5r7cEYm+QlY1A=";
+    hash = "sha256-+0ePV/7CAuJg5UyRkrMXaS/WPbLRHZk+cLzf+inMzVg=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/firebase-messaging/default.nix b/pkgs/development/python-modules/firebase-messaging/default.nix
index bc5a4d1dbdf7..5acd1ff48022 100644
--- a/pkgs/development/python-modules/firebase-messaging/default.nix
+++ b/pkgs/development/python-modules/firebase-messaging/default.nix
@@ -1,40 +1,35 @@
 { lib
+, async-timeout
 , buildPythonPackage
-, fetchFromGitHub
-
-# build-system
-, poetry-core
-
-# dependencies
 , cryptography
+, fetchFromGitHub
 , http-ece
+, poetry-core
 , protobuf
+, pytest-asyncio
+, pytest-mock
+, pytestCheckHook
+, pythonOlder
 , requests
-
-# docs
+, requests-mock
 , sphinx
-, sphinxHook
 , sphinx-autodoc-typehints
 , sphinx-rtd-theme
-
-# tests
-, async-timeout
-, requests-mock
-, pytest-asyncio
-, pytest-mock
-, pytestCheckHook
+, sphinxHook
 }:
 
 buildPythonPackage rec {
   pname = "firebase-messaging";
-  version = "0.2.0";
+  version = "0.2.1";
   pyproject = true;
 
+  disabled = pythonOlder "3.8";
+
   src = fetchFromGitHub {
     owner = "sdb9696";
     repo = "firebase-messaging";
-    rev = version;
-    hash = "sha256-e3Ny3pnAfOpNERvvtE/jqSDIsM+YwLq/hbw753QpJ6o=";
+    rev = "refs/tags/${version}";
+    hash = "sha256-8e+S12ZMqAmK7OR7O45QsRa0UKQq6cngeaqz2ugi6iY=";
   };
 
   outputs = [
@@ -75,9 +70,9 @@ buildPythonPackage rec {
   ];
 
   meta = with lib; {
-    description = "A library to subscribe to GCM/FCM and receive notifications within a python application";
+    description = "Library to subscribe to GCM/FCM and receive notifications within a python application";
     homepage = "https://github.com/sdb9696/firebase-messaging";
-    changelog = "https://github.com/sdb9696/firebase-messaging/blob/${src.rev}/CHANGELOG.rst";
+    changelog = "https://github.com/sdb9696/firebase-messaging/releases/tag/${version}";
     license = licenses.mit;
     maintainers = with maintainers; [ ];
   };
diff --git a/pkgs/development/python-modules/garminconnect/default.nix b/pkgs/development/python-modules/garminconnect/default.nix
index 861e2e788994..3e039ec5aac9 100644
--- a/pkgs/development/python-modules/garminconnect/default.nix
+++ b/pkgs/development/python-modules/garminconnect/default.nix
@@ -10,7 +10,7 @@
 
 buildPythonPackage rec {
   pname = "garminconnect";
-  version = "0.2.14";
+  version = "0.2.15";
   pyproject = true;
 
   disabled = pythonOlder "3.10";
@@ -19,7 +19,7 @@ buildPythonPackage rec {
     owner = "cyberjunky";
     repo = "python-garminconnect";
     rev = "refs/tags/${version}";
-    hash = "sha256-FytgckIu99ZKfmxJ0KU+fpbBEgszdp8iwK3SFCL9Ejs=";
+    hash = "sha256-N6PJLsT8BnjGaOLeohDo3ACOyVb/iOCw3LAXZMjwoyw=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/google-cloud-logging/default.nix b/pkgs/development/python-modules/google-cloud-logging/default.nix
index c6d253d9cb07..546ab8cb544e 100644
--- a/pkgs/development/python-modules/google-cloud-logging/default.nix
+++ b/pkgs/development/python-modules/google-cloud-logging/default.nix
@@ -22,14 +22,14 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-logging";
-  version = "3.9.0";
+  version = "3.10.0";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-TeyxsL7UoOPA5Yo3ZkbmAC1r58rQOeNGaCLoZlBy6jM=";
+    hash = "sha256-2T00c1EkDdsUz+IBmHotMs+df0eLiy+r7TAVtCWzJ08=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/griffe/default.nix b/pkgs/development/python-modules/griffe/default.nix
index d0d8275392c1..0ae203f6331f 100644
--- a/pkgs/development/python-modules/griffe/default.nix
+++ b/pkgs/development/python-modules/griffe/default.nix
@@ -12,7 +12,7 @@
 
 buildPythonPackage rec {
   pname = "griffe";
-  version = "0.42.0";
+  version = "0.42.1";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -21,7 +21,7 @@ buildPythonPackage rec {
     owner = "mkdocstrings";
     repo = "griffe";
     rev = "refs/tags/${version}";
-    hash = "sha256-gleVVwi2exSHz+u8zHhH3nF1duz7qDOpiZBm228ZsSs=";
+    hash = "sha256-KaD3j96FJJx43m/nfHa4kAft4FcDOdq+2dsiaMY7PPY=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/internetarchive/default.nix b/pkgs/development/python-modules/internetarchive/default.nix
index 797f24eee83a..6df7a76dadd5 100644
--- a/pkgs/development/python-modules/internetarchive/default.nix
+++ b/pkgs/development/python-modules/internetarchive/default.nix
@@ -11,32 +11,36 @@
 , tqdm
 , urllib3
 , pythonOlder
+, importlib-metadata
 }:
 
 buildPythonPackage rec {
   pname = "internetarchive";
-  version = "3.6.0";
+  version = "3.7.0";
+  pyproject = true;
 
-  format = "pyproject";
+  disabled = pythonOlder "3.8";
 
-  disabled = pythonOlder "3.7";
-
-  # no tests data included in PyPI tarball
   src = fetchFromGitHub {
     owner = "jjjake";
     repo = "internetarchive";
-    rev = "v${version}";
-    hash = "sha256-hy5e6DEAwLKn0l2nJD7fyW5r4ZZiH+fuTEDLQen+dNk=";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-krMOjXzI9tmLGLEswXLLqc8J68Gwnl1VrRO2fLbDv0o=";
   };
 
+  nativeBuildInputs = [
+    setuptools
+  ];
+
   propagatedBuildInputs = [
     tqdm
     docopt
     requests
     jsonpatch
     schema
-    setuptools # needs pkg_resources at runtime
     urllib3
+  ] ++ lib.optionals (pythonOlder "3.10") [
+    importlib-metadata
   ];
 
   nativeCheckInputs = [
@@ -67,7 +71,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "A Python and Command-Line Interface to Archive.org";
     homepage = "https://github.com/jjjake/internetarchive";
-    changelog = "https://github.com/jjjake/internetarchive/raw/v${version}/HISTORY.rst";
+    changelog = "https://github.com/jjjake/internetarchive/blob/v${version}/HISTORY.rst";
     license = licenses.agpl3Plus;
     maintainers = [ maintainers.marsam ];
     mainProgram = "ia";
diff --git a/pkgs/development/python-modules/k5test/default.nix b/pkgs/development/python-modules/k5test/default.nix
index aa7d1c172c67..dbab01e01a54 100644
--- a/pkgs/development/python-modules/k5test/default.nix
+++ b/pkgs/development/python-modules/k5test/default.nix
@@ -1,23 +1,24 @@
 { lib
+, stdenv
 , buildPythonPackage
 , pythonOlder
 , fetchPypi
 , substituteAll
 , findutils
 , krb5
-, stdenv
+, setuptools
 }:
 
 buildPythonPackage rec {
   pname = "k5test";
-  version = "0.10.3";
-  format = "setuptools";
+  version = "0.10.4";
+  pyproject = true;
 
-  disabled = pythonOlder "3.6";
+  disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-nJ3uvK1joxXoGDPUXp/RK/IBZmQ7iry5/29NaxhMVx8=";
+    hash = "sha256-4VJJHmYC9qk7PVM9OHvUWQ8kdgk7aEIXD/C5PeZL7zA=";
   };
 
   patches = [
@@ -29,16 +30,23 @@ buildPythonPackage rec {
     })
   ];
 
+  nativeBuildInputs = [
+    setuptools
+  ];
+
   # No tests
   doCheck = false;
 
-  pythonImportsCheck = [ "k5test" ];
+  pythonImportsCheck = [
+    "k5test"
+  ];
 
   meta = with lib; {
-    broken = stdenv.isDarwin;
     description = "Library for setting up self-contained Kerberos 5 environment";
     homepage = "https://github.com/pythongssapi/k5test";
+    changelog = "https://github.com/pythongssapi/k5test/releases/tag/v${version}";
     license = licenses.mit;
     maintainers = with maintainers; [ ];
+    broken = stdenv.isDarwin;
   };
 }
diff --git a/pkgs/development/python-modules/license-expression/default.nix b/pkgs/development/python-modules/license-expression/default.nix
index 4988a3d25674..a17f4e829cae 100644
--- a/pkgs/development/python-modules/license-expression/default.nix
+++ b/pkgs/development/python-modules/license-expression/default.nix
@@ -9,7 +9,7 @@
 
 buildPythonPackage rec {
   pname = "license-expression";
-  version = "30.2.0";
+  version = "30.3.0";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
@@ -18,7 +18,7 @@ buildPythonPackage rec {
     owner = "nexB";
     repo = "license-expression";
     rev = "refs/tags/v${version}";
-    hash = "sha256-vsQsHi2jdB0OiV6stm1APjQvr+238UoKgaaeXVx/isI=";
+    hash = "sha256-nHqfnetVyz4W2Q6onH0mU/4x9e/vD4rbl9DF4TYqWzs=";
   };
 
   dontConfigure = true;
diff --git a/pkgs/development/python-modules/litellm/default.nix b/pkgs/development/python-modules/litellm/default.nix
index c3ffb1c8bf14..e309fd66bcdb 100644
--- a/pkgs/development/python-modules/litellm/default.nix
+++ b/pkgs/development/python-modules/litellm/default.nix
@@ -33,7 +33,7 @@
 
 buildPythonPackage rec {
   pname = "litellm";
-  version = "1.32.1";
+  version = "1.32.7";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -42,7 +42,7 @@ buildPythonPackage rec {
     owner = "BerriAI";
     repo = "litellm";
     rev = "refs/tags/v${version}";
-    hash = "sha256-qIEAtgfzTiUK+HzsocIH3L7z0Wfah3C4GByaA89wvso=";
+    hash = "sha256-rftiF6D3yyF1gRVz8Pny6Y/0mJnRYVhAsFt8YP+j1aY=";
   };
 
   postPatch = ''
diff --git a/pkgs/development/python-modules/llama-index-core/default.nix b/pkgs/development/python-modules/llama-index-core/default.nix
index 8a71591eb27d..df6e3b92e289 100644
--- a/pkgs/development/python-modules/llama-index-core/default.nix
+++ b/pkgs/development/python-modules/llama-index-core/default.nix
@@ -30,7 +30,7 @@
 
 buildPythonPackage rec {
   pname = "llama-index-core";
-  version = "0.10.18";
+  version = "0.10.20";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -39,7 +39,7 @@ buildPythonPackage rec {
     owner = "run-llama";
     repo = "llama_index";
     rev = "refs/tags/v${version}";
-    hash = "sha256-xNPvaXODY159x8Fl3HRdYCdYeFNIieX5TsLTfup8Dtg=";
+    hash = "sha256-F7k5gtmhFdn369Ws5PSJ/xTid6ONstoWPotk+DmDtLw=";
   };
 
   sourceRoot = "${src.name}/${pname}";
diff --git a/pkgs/development/python-modules/lnkparse3/default.nix b/pkgs/development/python-modules/lnkparse3/default.nix
index 255466a22b7c..94fd7aaee190 100644
--- a/pkgs/development/python-modules/lnkparse3/default.nix
+++ b/pkgs/development/python-modules/lnkparse3/default.nix
@@ -8,7 +8,7 @@
 
 buildPythonPackage rec {
   pname = "lnkparse3";
-  version = "1.3.3";
+  version = "1.4.0";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
@@ -17,7 +17,7 @@ buildPythonPackage rec {
     owner = "Matmaus";
     repo = "LnkParse3";
     rev = "refs/tags/v${version}";
-    hash = "sha256-Ej2Tv1RViHqm2z1EG/cAkImcvtJcwSc3I0DxIL/q8FI=";
+    hash = "sha256-aWMkLFbmikdj4mlAPpo0qrxfE8zgRcSV83aiws03XsQ=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/managesieve/default.nix b/pkgs/development/python-modules/managesieve/default.nix
index e1bd11c70688..1f0c911d5df8 100644
--- a/pkgs/development/python-modules/managesieve/default.nix
+++ b/pkgs/development/python-modules/managesieve/default.nix
@@ -2,26 +2,40 @@
 , buildPythonPackage
 , fetchPypi
 , pytestCheckHook
+, pythonOlder
+, setuptools
 }:
 
 buildPythonPackage rec {
   pname = "managesieve";
-  version = "0.7.1";
-  format = "setuptools";
+  version = "0.8";
+  pyproject = true;
+
+  disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "44930a3b48332d23b35a5305ae7ba47904d4485ed1b7a22208b7d5ad9d60427a";
+    hash = "sha256-2CCb6h69H58YT1byj/fkrfzGsMUbr0GHpJLcMpsSE/M=";
   };
 
-  nativeCheckInputs = [ pytestCheckHook ];
+  nativeBuildInputs = [
+    setuptools
+  ];
+
+  nativeCheckInputs = [
+    pytestCheckHook
+  ];
+
+  pythonImportsCheck = [
+    "managesieve"
+  ];
 
   meta = with lib; {
     description = "ManageSieve client library for remotely managing Sieve scripts";
-    mainProgram = "sieveshell";
     homepage = "https://managesieve.readthedocs.io/";
     # PSFL for the python module, GPLv3 only for sieveshell
     license = with licenses; [ gpl3Only psfl ];
     maintainers = with maintainers; [ dadada ];
+    mainProgram = "sieveshell";
   };
 }
diff --git a/pkgs/development/python-modules/marimo/default.nix b/pkgs/development/python-modules/marimo/default.nix
new file mode 100644
index 000000000000..d02f85896200
--- /dev/null
+++ b/pkgs/development/python-modules/marimo/default.nix
@@ -0,0 +1,65 @@
+{ lib
+, buildPythonPackage
+, fetchPypi
+, pythonOlder
+, setuptools
+, click
+, jedi
+, markdown
+, pymdown-extensions
+, pygments
+, tomlkit
+, uvicorn
+, starlette
+, websockets
+, docutils
+, black
+, pytestCheckHook
+}:
+
+buildPythonPackage rec {
+  pname = "marimo";
+  version = "0.3.3";
+  pyproject = true;
+
+  disabled = pythonOlder "3.8";
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-l5QehU/LqEWb7ybKxace4sm6C9mcNlaHNOp55ExglpQ=";
+  };
+
+  build-system = [
+    setuptools
+  ];
+
+  dependencies = [
+    click
+    jedi
+    markdown
+    pymdown-extensions
+    pygments
+    tomlkit
+    uvicorn
+    starlette
+    websockets
+    docutils
+    black
+  ];
+
+  nativeCheckInputs = [
+    pytestCheckHook
+  ];
+
+  pythonImportsCheck = [
+    "marimo"
+  ];
+
+  meta = with lib; {
+    description = "A reactive Python notebook that's reproducible, git-friendly, and deployable as scripts or apps";
+    homepage = "https://github.com/marimo-team/marimo";
+    license = licenses.asl20;
+    mainProgram = "marimo";
+    maintainers = with maintainers; [ akshayka dmadisetti ];
+  };
+}
diff --git a/pkgs/development/python-modules/ollama/default.nix b/pkgs/development/python-modules/ollama/default.nix
new file mode 100644
index 000000000000..5e46474e1129
--- /dev/null
+++ b/pkgs/development/python-modules/ollama/default.nix
@@ -0,0 +1,64 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, httpx
+, pillow
+, poetry-core
+, pytest-asyncio
+, pytest-httpserver
+, pytestCheckHook
+, pythonOlder
+, pythonRelaxDepsHook
+}:
+
+buildPythonPackage rec {
+  pname = "ollama";
+  version = "0.1.7";
+  pyproject = true;
+
+  disabled = pythonOlder "3.8";
+
+  src = fetchFromGitHub {
+    owner = "ollama";
+    repo = "ollama-python";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-xNH9kAjSdVXrCI7zkyR7tYxJ/NG8/08ykkDZQJI8Za4=";
+  };
+
+  postPatch = ''
+    substituteInPlace pyproject.toml \
+      --replace-fail "0.0.0" "${version}"
+  '';
+
+  pythonRelaxDeps = [
+    "httpx"
+  ];
+
+  nativeBuildInputs = [
+    poetry-core
+    pythonRelaxDepsHook
+  ];
+
+  propagatedBuildInputs = [
+    httpx
+  ];
+
+  nativeCheckInputs = [
+    pillow
+    pytest-asyncio
+    pytest-httpserver
+    pytestCheckHook
+  ];
+
+  pythonImportsCheck = [
+    "ollama"
+  ];
+
+  meta = with lib; {
+    description = "Ollama Python library";
+    homepage = "https://github.com/ollama/ollama-python";
+    changelog = "https://github.com/ollama/ollama-python/releases/tag/v${version}";
+    license = licenses.mit;
+    maintainers = with maintainers; [ fab ];
+  };
+}
diff --git a/pkgs/development/python-modules/optuna/default.nix b/pkgs/development/python-modules/optuna/default.nix
index daf5a27e97a7..6965d339ef77 100644
--- a/pkgs/development/python-modules/optuna/default.nix
+++ b/pkgs/development/python-modules/optuna/default.nix
@@ -43,8 +43,8 @@
 
 buildPythonPackage rec {
   pname = "optuna";
-  version = "3.5.0";
-  format = "pyproject";
+  version = "3.6.0";
+  pyproject = true;
 
   disabled = pythonOlder "3.7";
 
@@ -52,7 +52,7 @@ buildPythonPackage rec {
     owner = "optuna";
     repo = "optuna";
     rev = "refs/tags/v${version}";
-    hash = "sha256-lNurMkZZKpKXXQoqhuRUv8LCbdSi1ryj3kYYioYZPF0=";
+    hash = "sha256-KYSefIVGBUsN+A7nOWPBJyD4a+Wa+pO9WLyTpg8Cuy4=";
   };
 
   nativeBuildInputs = [
@@ -132,10 +132,10 @@ buildPythonPackage rec {
 
   meta = with lib; {
     description = "A hyperparameter optimization framework";
-    mainProgram = "optuna";
     homepage = "https://optuna.org/";
-    changelog = "https://github.com/optuna/optuna/releases/tag/${src.rev}";
+    changelog = "https://github.com/optuna/optuna/releases/tag/${version}";
     license = licenses.mit;
     maintainers = with maintainers; [ natsukium ];
+    mainProgram = "optuna";
   };
 }
diff --git a/pkgs/development/python-modules/pontos/default.nix b/pkgs/development/python-modules/pontos/default.nix
index f1477f5b2424..8716316d5779 100644
--- a/pkgs/development/python-modules/pontos/default.nix
+++ b/pkgs/development/python-modules/pontos/default.nix
@@ -18,7 +18,7 @@
 
 buildPythonPackage rec {
   pname = "pontos";
-  version = "24.3.1";
+  version = "24.3.2";
   pyproject = true;
 
   disabled = pythonOlder "3.9";
@@ -27,7 +27,7 @@ buildPythonPackage rec {
     owner = "greenbone";
     repo = "pontos";
     rev = "refs/tags/v${version}";
-    hash = "sha256-EYfhbIFD2p6ZZ4i6NCA22LS6mAZoJCJSYlTmRExWgw4=";
+    hash = "sha256-DXZDXipYBClqSdlTJsaPWaKr3qTiJ3osm3hHPp/MPow=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/pvlib/default.nix b/pkgs/development/python-modules/pvlib/default.nix
index 2c8894cbb11f..986fd4ed8b4d 100644
--- a/pkgs/development/python-modules/pvlib/default.nix
+++ b/pkgs/development/python-modules/pvlib/default.nix
@@ -21,14 +21,14 @@
 
 buildPythonPackage rec {
   pname = "pvlib";
-  version = "0.10.3";
-  format = "pyproject";
+  version = "0.10.4";
+  pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi{
     inherit pname version;
-    hash = "sha256-AkobUj1zpjMyNhLn8xWhcJzwbR/UP/CCGQH2akBostk=";
+    hash = "sha256-DF+ov+ixSjmjC/7+WmzwFksuvYKikSbbPZBqhNk5+HI=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/py-tree-sitter/default.nix b/pkgs/development/python-modules/py-tree-sitter/default.nix
deleted file mode 100644
index 9358a0fbca88..000000000000
--- a/pkgs/development/python-modules/py-tree-sitter/default.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{ lib
-, stdenv
-, buildPythonPackage
-, fetchFromGitHub
-, setuptools
-}:
-
-buildPythonPackage rec {
-  pname = "py-tree-sitter";
-  version = "0.20.4";
-  format = "pyproject";
-
-  src = fetchFromGitHub {
-    owner = "tree-sitter";
-    repo = "py-tree-sitter";
-    rev = "refs/tags/v${version}";
-    hash = "sha256-R97WcsHQMcuEOCg/QQ9YbGTRD30G9PRv0xAbxuoFyC4=";
-    fetchSubmodules = true;
-  };
-
-  nativeBuildInputs = [
-    setuptools
-  ];
-
-  pythonImportsCheck = [ "tree_sitter" ];
-
-  meta = with lib; {
-    homepage = "https://github.com/tree-sitter/py-tree-sitter";
-    description = "Python bindings for tree-sitter";
-    license = licenses.mit;
-    maintainers = with maintainers; [ siraben ];
-    platforms = platforms.unix;
-  };
-}
diff --git a/pkgs/development/python-modules/pychromecast/default.nix b/pkgs/development/python-modules/pychromecast/default.nix
index f5e6029e8560..5e4e971432ed 100644
--- a/pkgs/development/python-modules/pychromecast/default.nix
+++ b/pkgs/development/python-modules/pychromecast/default.nix
@@ -11,7 +11,7 @@
 
 buildPythonPackage rec {
   pname = "pychromecast";
-  version = "14.0.0";
+  version = "14.0.1";
   pyproject = true;
 
   disabled = pythonOlder "3.11";
@@ -19,7 +19,7 @@ buildPythonPackage rec {
   src = fetchPypi {
     pname = "PyChromecast";
     inherit version;
-    hash = "sha256-3E+LBS52CpeNqbJWi3kCDLea9gigJkZfB1RM/+Q5c88=";
+    hash = "sha256-4W4Kf5SIMZGRuLT6IcoL60vxLu2lyb9kAkEYjyvqCj4=";
   };
 
   postPatch = ''
diff --git a/pkgs/development/python-modules/pyformlang/default.nix b/pkgs/development/python-modules/pyformlang/default.nix
index 9a76ec2a1dfa..ce3923e0f8a6 100644
--- a/pkgs/development/python-modules/pyformlang/default.nix
+++ b/pkgs/development/python-modules/pyformlang/default.nix
@@ -11,12 +11,12 @@
 
 buildPythonPackage rec {
   pname = "pyformlang";
-  version = "1.0.7";
+  version = "1.0.9";
   pyproject = true;
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-i4ib18Ktyc9pRu4P+tQIHoZ/IbAOk8Dn0MXJoxw8gAA=";
+    hash = "sha256-oCwYM4yQ1KYZpC7vVpeHSIDH2Q930JAuTDq9mds9zoc=";
   };
 
   nativeBuildInputs = [
@@ -34,11 +34,13 @@ buildPythonPackage rec {
     pytestCheckHook
   ];
 
-  pythonImportsCheck = [ "pyformlang" ];
+  pythonImportsCheck = [
+    "pyformlang"
+  ];
 
   meta = with lib; {
     description = "A python framework for formal grammars";
-    homepage = "https://pypi.org/project/pyformlang/";
+    homepage = "https://github.com/Aunsiels/pyformlang";
     license = licenses.mit;
     maintainers = with maintainers; [ natsukium ];
   };
diff --git a/pkgs/development/python-modules/pyphotonfile/default.nix b/pkgs/development/python-modules/pyphotonfile/default.nix
index 9d7a30213869..c18d8c60d478 100644
--- a/pkgs/development/python-modules/pyphotonfile/default.nix
+++ b/pkgs/development/python-modules/pyphotonfile/default.nix
@@ -5,26 +5,28 @@
 , numpy
 }:
 let
-  version = "0.2.1";
-  format = "setuptools";
+  version = "0.2.1+";
 in
 buildPythonPackage {
   pname = "pyphotonfile";
+  format = "setuptools";
   inherit version;
+
+  dontUseSetuptoolsCheck = true;
   propagatedBuildInputs = [ pillow numpy ];
 
   src = fetchFromGitHub {
-    owner = "fookatchu";
+    owner = "cab404";
     repo = "pyphotonfile";
-    rev = "v${version}";
-    sha256 = "1hh1fcn7q3kyk2413pjs18xnxvzrchrisbpj2cd59jrdp0qzgv2s";
+    rev = "b7ee92a0071007bb1d6a5984262651beec26543d";
+    sha256 = "iB5ky4fPX8ZnvXlDpggqS/345k2x/mPC4cIgb9M0f/c=";
   };
 
   meta = with lib; {
     maintainers = [ maintainers.cab404 ];
     license = licenses.gpl3Plus;
     description = "Library for reading and writing files for the Anycubic Photon 3D-Printer";
-    homepage = "https://github.com/fookatchu/pyphotonfile";
+    homepage = "https://github.com/cab404/pyphotonfile";
   };
 
 }
diff --git a/pkgs/development/python-modules/pyprosegur/default.nix b/pkgs/development/python-modules/pyprosegur/default.nix
index d73c46971d87..f1be9de65abb 100644
--- a/pkgs/development/python-modules/pyprosegur/default.nix
+++ b/pkgs/development/python-modules/pyprosegur/default.nix
@@ -6,22 +6,27 @@
 , click
 , fetchFromGitHub
 , pythonOlder
+, setuptools
 }:
 
 buildPythonPackage rec {
   pname = "pyprosegur";
-  version = "0.0.9";
-  format = "setuptools";
+  version = "0.0.10";
+  pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "dgomes";
-    repo = pname;
+    repo = "pyprosegur";
     rev = "refs/tags/${version}";
-    hash = "sha256-FTCQ2noxodFKN7qXdc7DG3Zt4j/pR6DeuWIs0GtGRy8=";
+    hash = "sha256-OHFJhufymD181FODHlIu+O5xh9dfKwEIVQX/zTOC6ks=";
   };
 
+  nativeBuildInputs = [
+    setuptools
+  ];
+
   propagatedBuildInputs = [
     aiofiles
     aiohttp
@@ -38,10 +43,10 @@ buildPythonPackage rec {
 
   meta = with lib; {
     description = "Python module to communicate with Prosegur Residential Alarms";
-    mainProgram = "pyprosegur";
     homepage = "https://github.com/dgomes/pyprosegur";
     changelog = "https://github.com/dgomes/pyprosegur/releases/tag/${version}";
     license = with licenses; [ mit ];
     maintainers = with maintainers; [ fab ];
+    mainProgram = "pyprosegur";
   };
 }
diff --git a/pkgs/development/python-modules/pytenable/default.nix b/pkgs/development/python-modules/pytenable/default.nix
index 2810332d42bb..0bf5ef3de39f 100644
--- a/pkgs/development/python-modules/pytenable/default.nix
+++ b/pkgs/development/python-modules/pytenable/default.nix
@@ -20,7 +20,7 @@
 
 buildPythonPackage rec {
   pname = "pytenable";
-  version = "1.4.20";
+  version = "1.4.21";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
@@ -29,7 +29,7 @@ buildPythonPackage rec {
     owner = "tenable";
     repo = "pyTenable";
     rev = "refs/tags/${version}";
-    hash = "sha256-NiAv0zNITpKIQ2TarNoU4HwKuHm22LTu8pJUi0SDlfE=";
+    hash = "sha256-+P+6EmKpR+qlvLMgeg6iIxSx7jtC995v2eijkjJdc70=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/python-fsutil/default.nix b/pkgs/development/python-modules/python-fsutil/default.nix
index 5a347071f620..c1c433ddd2db 100644
--- a/pkgs/development/python-modules/python-fsutil/default.nix
+++ b/pkgs/development/python-modules/python-fsutil/default.nix
@@ -9,7 +9,7 @@
 
 buildPythonPackage rec {
   pname = "python-fsutil";
-  version = "0.13.1";
+  version = "0.14.1";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -18,7 +18,7 @@ buildPythonPackage rec {
     owner = "fabiocaccamo";
     repo = "python-fsutil";
     rev = "refs/tags/${version}";
-    hash = "sha256-yY8hhw6uNKqrcj0geoQeGN/JCDJVja7pCPUHwoViL64=";
+    hash = "sha256-Cs78zpf3W5UZJkkUBEP6l6fi2J4OtJXGvqqQ8PWKx+8=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/sagemaker/default.nix b/pkgs/development/python-modules/sagemaker/default.nix
index 1d85fb9bed9f..4eaa44f0db38 100644
--- a/pkgs/development/python-modules/sagemaker/default.nix
+++ b/pkgs/development/python-modules/sagemaker/default.nix
@@ -26,7 +26,7 @@
 
 buildPythonPackage rec {
   pname = "sagemaker";
-  version = "2.212.0";
+  version = "2.213.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.8";
@@ -35,7 +35,7 @@ buildPythonPackage rec {
     owner = "aws";
     repo = "sagemaker-python-sdk";
     rev = "refs/tags/v${version}";
-    hash = "sha256-JZX/k8AJSQrCrPAsDfEc78mAouBWFQlmRG0ZA1yBGJY=";
+    hash = "sha256-3V4boilVpqvwRBBuZv/AKEks+BH9PFnigfq6Z5kFhqQ=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/sentry-sdk/default.nix b/pkgs/development/python-modules/sentry-sdk/default.nix
index f15096a8e430..f225853368b5 100644
--- a/pkgs/development/python-modules/sentry-sdk/default.nix
+++ b/pkgs/development/python-modules/sentry-sdk/default.nix
@@ -38,7 +38,7 @@
 
 buildPythonPackage rec {
   pname = "sentry-sdk";
-  version = "1.41.0";
+  version = "1.42.0";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
@@ -47,7 +47,7 @@ buildPythonPackage rec {
     owner = "getsentry";
     repo = "sentry-python";
     rev = "refs/tags/${version}";
-    hash = "sha256-eoHoUW3cXxdGeWpo/0kBIfVkLECrnKA2wtobe3GeU2Q=";
+    hash = "sha256-LZn7oWwKdHi/KScitFnNDX7pI92mNkC6niGP+BixjtA=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/tesla-fleet-api/default.nix b/pkgs/development/python-modules/tesla-fleet-api/default.nix
index a9f70fdf92d9..e82fddf4c424 100644
--- a/pkgs/development/python-modules/tesla-fleet-api/default.nix
+++ b/pkgs/development/python-modules/tesla-fleet-api/default.nix
@@ -9,7 +9,7 @@
 
 buildPythonPackage rec {
   pname = "tesla-fleet-api";
-  version = "0.4.9";
+  version = "0.5.0";
   pyproject = true;
 
   disabled = pythonOlder "3.10";
@@ -18,7 +18,7 @@ buildPythonPackage rec {
     owner = "Teslemetry";
     repo = "python-tesla-fleet-api";
     rev = "refs/tags/v${version}";
-    hash = "sha256-GiDhVN6aBj0yeIg596ox2ES28Dca81pVnsYWvc1SZ+A=";
+    hash = "sha256-IRUH3qWRJoCEvzkkR8/qH5i735B030CLKKRRWO9DVuI=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/toml-adapt/default.nix b/pkgs/development/python-modules/toml-adapt/default.nix
index 4ae78a71ea07..6af7f0940ed2 100644
--- a/pkgs/development/python-modules/toml-adapt/default.nix
+++ b/pkgs/development/python-modules/toml-adapt/default.nix
@@ -10,16 +10,16 @@
 
 buildPythonPackage rec {
   pname = "toml-adapt";
-  version = "0.3.2";
-  format = "pyproject";
+  version = "0.3.3";
+  pyproject = true;
 
   disabled = pythonOlder "3.6";
 
   src = fetchFromGitHub {
     owner = "firefly-cpp";
-    repo = pname;
+    repo = "toml-adapt";
     rev = "refs/tags/${version}";
-    hash = "sha256-Za2v1Mon6e0mmGGTNXf1bCV5CIL8hrl7jGz4Lk3N8xc=";
+    hash = "sha256-KD5dTr/wxFbDg3AbfE0jUbgNjvxqDmbHwjY5Dmp6JFI=";
   };
 
   nativeBuildInputs = [
@@ -41,9 +41,10 @@ buildPythonPackage rec {
 
   meta = with lib; {
     description = "A simple Command-line interface for manipulating toml files";
-    mainProgram = "toml-adapt";
     homepage = "https://github.com/firefly-cpp/toml-adapt";
+    changelog = "https://github.com/firefly-cpp/toml-adapt/releases/tag/${version}";
     license = licenses.mit;
     maintainers = with maintainers; [ firefly-cpp ];
+    mainProgram = "toml-adapt";
   };
 }
diff --git a/pkgs/development/python-modules/tree-sitter/default.nix b/pkgs/development/python-modules/tree-sitter/default.nix
index cd572618a2fd..039b9ce21cea 100644
--- a/pkgs/development/python-modules/tree-sitter/default.nix
+++ b/pkgs/development/python-modules/tree-sitter/default.nix
@@ -1,37 +1,52 @@
 { lib
 , buildPythonPackage
-, fetchPypi
+, fetchFromGitHub
+, fetchpatch
 , pytestCheckHook
 , pythonOlder
 , setuptools
-, wheel
 }:
 
 buildPythonPackage rec {
   pname = "tree-sitter";
-  version = "0.20.4";
-  format = "pyproject";
+  version = "0.21.1";
+  pyproject = true;
 
   disabled = pythonOlder "3.7";
 
-  src = fetchPypi {
-    pname = "tree_sitter";
-    inherit version;
-    hash = "sha256-atsSPi8+VjmbvyNZkkYzyILMQO6DRIhSALygki9xO+U=";
+  src = fetchFromGitHub {
+    owner = "tree-sitter";
+    repo = "py-tree-sitter";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-U4ZdU0lxjZO/y0q20bG5CLKipnfpaxzV3AFR6fGS7m4=";
+    fetchSubmodules = true;
   };
 
+  patches = [
+    #  Replace distutils with setuptools, https://github.com/tree-sitter/py-tree-sitter/pull/214
+    (fetchpatch {
+      name = "replace-distutils.patch";
+      url = "https://github.com/tree-sitter/py-tree-sitter/commit/80d3cae493c4a47e49cc1d2ebab0a8eaf7617825.patch";
+      hash = "sha256-00coI8/COpYMiSflAECwh6yJCMJj/ucFEn18Npj2g+Q=";
+    })
+  ];
+
   nativeBuildInputs = [
     setuptools
-    wheel
   ];
 
-  # PyPI tarball doesn't contains tests and source has additional requirements
-  doCheck = false;
+  nativeCheckInputs = [
+    pytestCheckHook
+  ];
 
   pythonImportsCheck = [
     "tree_sitter"
   ];
 
+  preCheck = ''
+    rm -r tree_sitter
+  '';
+
   meta = with lib; {
     description = "Python bindings to the Tree-sitter parsing library";
     homepage = "https://github.com/tree-sitter/py-tree-sitter";
diff --git a/pkgs/development/python-modules/types-setuptools/default.nix b/pkgs/development/python-modules/types-setuptools/default.nix
index 7b9da3aed9d7..881db628ede5 100644
--- a/pkgs/development/python-modules/types-setuptools/default.nix
+++ b/pkgs/development/python-modules/types-setuptools/default.nix
@@ -6,12 +6,12 @@
 
 buildPythonPackage rec {
   pname = "types-setuptools";
-  version = "69.1.0.20240308";
+  version = "69.1.0.20240310";
   pyproject = true;
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-rU9eUSUe7cvkqo2whEr2ZUBUqvycD20/H6APcHPBd2c=";
+    hash = "sha256-/A4QgvVcl0YRvOhEseW+stGolVAfSkZOSDBVkqQmgQA=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/whoosh/default.nix b/pkgs/development/python-modules/whoosh/default.nix
index 10053bc27918..52831486f2b7 100644
--- a/pkgs/development/python-modules/whoosh/default.nix
+++ b/pkgs/development/python-modules/whoosh/default.nix
@@ -1,30 +1,51 @@
-{ lib, buildPythonPackage, fetchPypi, pytest }:
+{ lib
+, buildPythonPackage
+, fetchPypi
+, pytestCheckHook
+, pythonOlder
+, setuptools
+}:
 
 buildPythonPackage rec {
-  pname = "Whoosh";
+  pname = "whoosh";
   version = "2.7.4";
+  pyproject = true;
+
+  disabled = pythonOlder "3.7";
+
   src = fetchPypi {
-    inherit pname version;
-    sha256 = "10qsqdjpbc85fykc1vgcs8xwbgn4l2l52c8d83xf1q59pwyn79bw";
+    pname = "Whoosh";
+    inherit version;
+    hash = "sha256-fKVjPb+p4OD6QA0xUaigxL7FO9Ls7cCmdwWxdWXDGoM=";
   };
 
-  nativeCheckInputs = [ pytest ];
+  nativeBuildInputs = [
+    setuptools
+  ];
+
+  nativeCheckInputs = [
+    pytestCheckHook
+  ];
 
   # Wrong encoding
   postPatch = ''
     rm tests/test_reading.py
-    substituteInPlace setup.cfg --replace "[pytest]" "[tool:pytest]"
-  '';
-  checkPhase =  ''
-    # FIXME: test_minimize_dfa fails on python 3.6
-    py.test -k "not test_timelimit and not test_minimize_dfa"
+    substituteInPlace setup.cfg \
+      --replace-fail "[pytest]" "[tool:pytest]"
   '';
 
+  pythonImportsCheck = [
+    "whoosh"
+  ];
+
+  disabledTests = [
+    "test_minimize_dfa"
+  ];
+
   meta = with lib; {
-    description = "Fast, pure-Python full text indexing, search, and spell
-checking library.";
-    homepage    = "https://bitbucket.org/mchaput/whoosh";
-    license     = licenses.bsd2;
+    description = "Fast, pure-Python full text indexing, search, and spell checking library";
+    homepage = "https://github.com/mchaput/whoosh";
+    license = licenses.bsd2;
     maintainers = with maintainers; [ ];
   };
 }
diff --git a/pkgs/development/tools/analysis/checkstyle/default.nix b/pkgs/development/tools/analysis/checkstyle/default.nix
index 9001eef50f1a..916895a64735 100644
--- a/pkgs/development/tools/analysis/checkstyle/default.nix
+++ b/pkgs/development/tools/analysis/checkstyle/default.nix
@@ -1,12 +1,12 @@
 { lib, stdenvNoCC, fetchurl, makeBinaryWrapper, jre }:
 
 stdenvNoCC.mkDerivation rec {
-  version = "10.14.1";
+  version = "10.14.2";
   pname = "checkstyle";
 
   src = fetchurl {
     url = "https://github.com/checkstyle/checkstyle/releases/download/checkstyle-${version}/checkstyle-${version}-all.jar";
-    sha256 = "sha256-XgA8qzLBmvhbYq6c6WB8Yj9yudtKrFS3whbmobVAs2A=";
+    sha256 = "sha256-5OR/HJ0DqquvhWcB35TsKueGUfo7cM3b9mNszMJAz2o=";
   };
 
   nativeBuildInputs = [ makeBinaryWrapper ];
diff --git a/pkgs/development/tools/build-managers/alire/default.nix b/pkgs/development/tools/build-managers/alire/default.nix
index eaa87d573f8c..2eb837442ac4 100644
--- a/pkgs/development/tools/build-managers/alire/default.nix
+++ b/pkgs/development/tools/build-managers/alire/default.nix
@@ -1,31 +1,41 @@
 { lib
 , stdenv
 , fetchFromGitHub
+, fetchpatch
 , gprbuild
 , gnat
 }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "alire";
-  version = "1.2.2";
+  version = "2.0.0";
 
   src = fetchFromGitHub {
     owner = "alire-project";
     repo = "alire";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-rwNiSXOIIQR1I8wwp1ROVOfEChT6SCa5c6XnTRqekDc=";
+    hash = "sha256-WF7spXwQR04zIGWazUrbCdeLYOzsk8C6G+cfSS6bwdE=";
 
     fetchSubmodules = true;
   };
 
   nativeBuildInputs = [ gprbuild gnat ];
 
-  # on HEAD (roughly 2c4e5a3), alire provides a dev/build.sh script. for now,
-  # just use gprbuild.
+  patches = [(fetchpatch {
+    name = "control-build-jobs.patch";
+    url = "https://github.com/alire-project/alire/pull/1651.patch";
+    hash = "sha256-CBQm8Doydze/KouLWuYm+WYlvnDguR/OuX8A4y4F6fo=";
+  })];
+
+  postPatch = ''
+    patchShebangs ./dev/build.sh
+  '';
+
   buildPhase = ''
     runHook preBuild
 
-    gprbuild -j$NIX_BUILD_CORES -P alr_env
+    export ALIRE_BUILD_JOBS="$NIX_BUILD_CORES"
+    ./dev/build.sh
 
     runHook postBuild
   '';
diff --git a/pkgs/development/tools/build-managers/moon/default.nix b/pkgs/development/tools/build-managers/moon/default.nix
index 949b405b9923..b45d061fcabf 100644
--- a/pkgs/development/tools/build-managers/moon/default.nix
+++ b/pkgs/development/tools/build-managers/moon/default.nix
@@ -9,16 +9,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "moon";
-  version = "1.22.7";
+  version = "1.22.8";
 
   src = fetchFromGitHub {
     owner = "moonrepo";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-sMV7pr3uVWpmx1cK+qooxe55E2IAqdbcYs5H76Al56c=";
+    hash = "sha256-hKVC9xnzlucsja57O9p2ZAbE4YVrroKlQ0WMTWOumbE=";
   };
 
-  cargoHash = "sha256-RsT0P7fNsKchQ3N71DNhdR0jViQJe/pyWKtj/A+nDhk=";
+  cargoHash = "sha256-22nov28oq3KhILiwQUXaknTzcf8MlrAEHiyv31ivvBc=";
 
   env = {
     RUSTFLAGS = "-C strip=symbols";
diff --git a/pkgs/development/tools/golangci-lint/default.nix b/pkgs/development/tools/golangci-lint/default.nix
index 395303c57861..666416ad03e4 100644
--- a/pkgs/development/tools/golangci-lint/default.nix
+++ b/pkgs/development/tools/golangci-lint/default.nix
@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "golangci-lint";
-  version = "1.56.2";
+  version = "1.57.0";
 
   src = fetchFromGitHub {
     owner = "golangci";
     repo = "golangci-lint";
     rev = "v${version}";
-    hash = "sha256-P1bgyYJCzHWWcmAHmBAyghFzKCwiQW3KNkbk5gogpn8=";
+    hash = "sha256-mBdK6HhoTVTRTU8agKETTZTR7NAH2cBQ/YQpbI2tyN0=";
   };
 
-  vendorHash = "sha256-9M9BPLEtNlhmZbS/Kn9yh2att2oIgF+smP7y1XCvrjI=";
+  vendorHash = "sha256-wTx4XbFKvpcZXQrloDWALf3yId1ANCBCvv0k3VwVoiM=";
 
   subPackages = [ "cmd/golangci-lint" ];
 
diff --git a/pkgs/development/tools/konstraint/default.nix b/pkgs/development/tools/konstraint/default.nix
index 8d6b4e6ac8de..f015e08453d6 100644
--- a/pkgs/development/tools/konstraint/default.nix
+++ b/pkgs/development/tools/konstraint/default.nix
@@ -2,15 +2,15 @@
 
 buildGoModule rec {
   pname = "konstraint";
-  version = "0.33.0";
+  version = "0.35.0";
 
   src = fetchFromGitHub {
     owner = "plexsystems";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-rZDLnr3FNLNOadmST70p5ZusK+p9SiUmVrnc5TrKuK4=";
+    sha256 = "sha256-6MYpZm5Uc5l06wRo6/15bmyVkdqjFuxHV3B3TriauQg=";
   };
-  vendorHash = "sha256-gaY3U6+Emk6La5wPyT5TvgTwPsh2Ws2t7C8B5T4c46E=";
+  vendorHash = "sha256-NyNQivJM9bFP/EBfjso+13sWMnubG/fjYafCGUnsvdU=";
 
   # Exclude go within .github folder
   excludedPackages = ".github";
diff --git a/pkgs/development/tools/language-servers/metals/default.nix b/pkgs/development/tools/language-servers/metals/default.nix
index 956e1f0c6072..894b83a72f8c 100644
--- a/pkgs/development/tools/language-servers/metals/default.nix
+++ b/pkgs/development/tools/language-servers/metals/default.nix
@@ -2,7 +2,7 @@
 
 stdenv.mkDerivation rec {
   pname = "metals";
-  version = "1.2.1";
+  version = "1.2.2";
 
   deps = stdenv.mkDerivation {
     name = "${pname}-deps-${version}";
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
     '';
     outputHashMode = "recursive";
     outputHashAlgo = "sha256";
-    outputHash = "sha256-L/ltoLlr4TdsDYwYtaCs6+Q2yTiyzoa2GQ3VK28AlzE=";
+    outputHash = "sha256-xk2ionn/lBV8AR7n7OR03UuRCoP1/K6KuohhpRwFock=";
   };
 
   nativeBuildInputs = [ makeWrapper setJavaClassPath ];
diff --git a/pkgs/development/tools/protolint/default.nix b/pkgs/development/tools/protolint/default.nix
index 3ce19782884a..1bf0909c4fe5 100644
--- a/pkgs/development/tools/protolint/default.nix
+++ b/pkgs/development/tools/protolint/default.nix
@@ -1,13 +1,13 @@
 { lib, buildGoModule, fetchFromGitHub }:
 buildGoModule rec {
   pname = "protolint";
-  version = "0.49.2";
+  version = "0.49.3";
 
   src = fetchFromGitHub {
     owner = "yoheimuta";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-JUSHAIyUMsZOWFhomR6s+gxUIwd/oziBZdlgaZX1sOk=";
+    hash = "sha256-V3xsjaqW5PaEmvEAn85c+eMRzb2DHpsPd9rUyzXDe9o=";
   };
 
   vendorHash = "sha256-8yV/YyNSn6O2UjAQlzM90fOoi3TdxO+v4YPtmSQMFC0=";
diff --git a/pkgs/development/tools/templ/default.nix b/pkgs/development/tools/templ/default.nix
index 63dd98bd54ab..f3eda5a55975 100644
--- a/pkgs/development/tools/templ/default.nix
+++ b/pkgs/development/tools/templ/default.nix
@@ -5,7 +5,7 @@
 
 buildGoModule rec {
   pname = "templ";
-  version = "0.2.598";
+  version = "0.2.639";
 
   subPackages = [ "cmd/templ" ];
 
@@ -21,7 +21,7 @@ buildGoModule rec {
     owner = "a-h";
     repo = "templ";
     rev = "refs/tags/v${version}";
-    hash = "sha256-jMoAocMDq8U1JsYoH3PFzZbnjSAzhifLwNZoKY+ambA=";
+    hash = "sha256-W1efknPo45mmKYuiFakJ0AigmfQqlfQ/u+de0zTRwwY=";
   };
 
   vendorHash = "sha256-Upd5Wq4ajsyOMDiAWS2g2iNO1sm1XJc43AFQLIo5eDM=";
diff --git a/pkgs/games/90secondportraits/default.nix b/pkgs/games/90secondportraits/default.nix
index 4e8cd387a0e1..bd60c836b636 100644
--- a/pkgs/games/90secondportraits/default.nix
+++ b/pkgs/games/90secondportraits/default.nix
@@ -46,7 +46,7 @@ in stdenv.mkDerivation rec {
     mainProgram = "90secondportraits";
     maintainers = with maintainers; [ leenaars ];
     platforms = platforms.linux;
-    license = licenses.free;
+    license = with licenses; [ zlib cc-by-sa-40 cc-by-sa-30 /* vendored */ x11 mit ];
     downloadPage = "http://tangramgames.dk/games/90secondportraits";
   };
 
diff --git a/pkgs/games/antsimulator/default.nix b/pkgs/games/antsimulator/default.nix
index f6b360831458..69cd7ad1894b 100644
--- a/pkgs/games/antsimulator/default.nix
+++ b/pkgs/games/antsimulator/default.nix
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
     homepage = "https://github.com/johnBuffer/AntSimulator";
     description = "Simple Ants simulator";
     mainProgram = "antsimulator";
-    license = licenses.free;
+    license = licenses.mit;
     maintainers = with maintainers; [ ivar ];
     platforms = platforms.unix;
   };
diff --git a/pkgs/games/runelite/default.nix b/pkgs/games/runelite/default.nix
index f6d205d473bc..d9a5da1a2af1 100644
--- a/pkgs/games/runelite/default.nix
+++ b/pkgs/games/runelite/default.nix
@@ -3,13 +3,19 @@
 , makeDesktopItem
 , makeWrapper
 , maven
+, jdk17
 , jre
 , xorg
 , gitUpdater
 , libGL
 }:
 
-maven.buildMavenPackage rec {
+let
+  mavenJdk17 = maven.override {
+    jdk = jdk17;
+  };
+in
+mavenJdk17.buildMavenPackage rec {
   pname = "runelite";
   version = "2.6.13";
 
diff --git a/pkgs/os-specific/darwin/maloader/default.nix b/pkgs/os-specific/darwin/maloader/default.nix
deleted file mode 100644
index c59f854b8475..000000000000
--- a/pkgs/os-specific/darwin/maloader/default.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, opencflite, clang, libcxx }:
-
-stdenv.mkDerivation {
-  pname = "maloader";
-  version = "unstable-2014-02-25";
-
-  src = fetchFromGitHub {
-    owner = "shinh";
-    repo = "maloader";
-    rev = "5f220393e0b7b9ad0cf1aba0e89df2b42a1f0442";
-    sha256 = "0dd1pn07x1y8pyn5wz8qcl1c1xwghyya4d060m3y9vx5dhv9xmzw";
-  };
-
-  postPatch = ''
-    sed -i \
-      -e '/if.*loadLibMac.*mypath/s|mypath|"'"$out/lib/"'"|' \
-      -e 's|libCoreFoundation\.so|${opencflite}/lib/&|' \
-      ld-mac.cc
-  '';
-
-  env.NIX_CFLAGS_COMPILE = "-I${lib.getDev libcxx}/include/c++/v1";
-  buildInputs = [ clang libcxx ];
-  buildFlags = [ "USE_LIBCXX=1" "release" ];
-
-  installPhase = ''
-    install -vD libmac.so "$out/lib/libmac.so"
-
-    for bin in extract macho2elf ld-mac; do
-      install -vD "$bin" "$out/bin/$bin"
-    done
-  '';
-
-  meta = {
-    description = "Mach-O loader for Linux";
-    homepage = "https://github.com/shinh/maloader";
-    license = lib.licenses.bsd2;
-    platforms = lib.platforms.linux;
-    broken = true; # 2018-09-08, no succesful build since 2017-08-21
-  };
-}
diff --git a/pkgs/os-specific/darwin/opencflite/default.nix b/pkgs/os-specific/darwin/opencflite/default.nix
deleted file mode 100644
index 937d0763feff..000000000000
--- a/pkgs/os-specific/darwin/opencflite/default.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ lib, stdenv, fetchurl, icu, libuuid, tzdata }:
-
-stdenv.mkDerivation rec {
-  pname = "opencflite";
-  version = "476.19.0";
-
-  src = fetchurl {
-    url = "mirror://sourceforge/opencflite/${pname}-${version}.tar.gz";
-    sha256 = "0jgmzs0ycl930hmzcvx0ykryik56704yw62w394q1q3xw5kkjn9v";
-  };
-
-  configureFlags = [ "--with-uuid=${libuuid.dev}" ];
-  buildInputs = [ icu tzdata.dev ];
-  enableParallelBuilding = true;
-
-  meta = {
-    description = "Cross platform port of the macOS CoreFoundation";
-    homepage = "https://sourceforge.net/projects/opencflite/";
-    license = lib.licenses.apsl20;
-  };
-}
diff --git a/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix b/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix
index 1e46068b2124..65e259667516 100644
--- a/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix
+++ b/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
     description = "Firmware extractor for cards supported by the b43 kernel module";
     mainProgram = "b43-fwcutter";
     homepage = "http://wireless.kernel.org/en/users/Drivers/b43";
-    license = lib.licenses.free;
+    license = lib.licenses.bsd2;
     platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index e19f33c7c6af..1e50fc3dfa15 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -62,10 +62,26 @@ let
       SUNRPC_DEBUG              = yes;
       # Provide access to tunables like sched_migration_cost_ns
       SCHED_DEBUG               = yes;
+
+      # Count IRQ and steal CPU time separately
+      IRQ_TIME_ACCOUNTING       = yes;
+      PARAVIRT_TIME_ACCOUNTING  = yes;
+
+      # Enable CPU lockup detection
+      LOCKUP_DETECTOR           = yes;
+      SOFTLOCKUP_DETECTOR       = yes;
+      HARDLOCKUP_DETECTOR       = yes;
+
+      # Enable streaming logs to a remote device over a network
+      NETCONSOLE                = module;
+      NETCONSOLE_DYNAMIC        = yes;
+
+      # Export known printks in debugfs
+      PRINTK_INDEX              = whenAtLeast "5.15" yes;
     };
 
     power-management = {
-      CPU_FREQ_DEFAULT_GOV_PERFORMANCE = yes;
+      CPU_FREQ_DEFAULT_GOV_SCHEDUTIL   = yes;
       CPU_FREQ_GOV_SCHEDUTIL           = yes;
       PM_ADVANCED_DEBUG                = yes;
       PM_WAKELOCKS                     = yes;
@@ -85,6 +101,30 @@ let
       # depends on HAVE_VIRT_CPU_ACCOUNTING_GEN depends on 64BIT,
       # so we can't force-enable this
       RCU_LAZY                         = whenAtLeast "6.2" (option yes);
+
+      # Auto suspend Bluetooth devices at idle
+      BT_HCIBTUSB_AUTOSUSPEND          = yes;
+
+      # Expose cpufreq stats in sysfs
+      CPU_FREQ_STAT                    = yes;
+
+      # Enable CPU energy model for scheduling
+      ENERGY_MODEL                     = whenAtLeast "5.0" yes;
+
+      # Enable scheduling stats collection
+      SCHEDSTATS                       = yes;
+
+      # Enable thermal interface netlink API
+      THERMAL_NETLINK                  = whenAtLeast "5.9" yes;
+
+      # Prefer power-efficient workqueue implementation to per-CPU workqueues,
+      # which is slightly slower, but improves battery life.
+      # This is opt-in per workqueue, and can be disabled globally with a kernel command line option.
+      WQ_POWER_EFFICIENT_DEFAULT       = yes;
+
+      # Default SATA link power management to "medium with device initiated PM"
+      # for some extra power savings.
+      SATA_MOBILE_LPM_POLICY           = whenAtLeast "5.18" (freeform "3");
     } // optionalAttrs (stdenv.hostPlatform.isx86) {
       INTEL_IDLE                       = yes;
       INTEL_RAPL                       = whenAtLeast "5.3" module;
@@ -109,6 +149,9 @@ let
       CHT_DC_TI_PMIC_OPREGION          = whenAtLeast "5.10" yes;
       MFD_TPS68470                     = whenBetween "5.10" "5.13" yes;
       TPS68470_PMIC_OPREGION           = whenAtLeast "5.10" yes;
+
+      # Enable Intel thermal hardware feedback
+      INTEL_HFI_THERMAL                = whenAtLeast "5.18" yes;
     };
 
     external-firmware = {
@@ -136,6 +179,16 @@ let
       DAMON_DBGFS = whenAtLeast "5.15" yes;
       DAMON_RECLAIM = whenAtLeast "5.16" yes;
       DAMON_LRU_SORT = whenAtLeast "6.0" yes;
+      # Support recovering from memory failures on systems with ECC and MCA recovery.
+      MEMORY_FAILURE = yes;
+
+      # Collect ECC errors and retire pages that fail too often
+      RAS_CEC                   = yes;
+    } // optionalAttrs (stdenv.is32bit) {
+      # Enable access to the full memory range (aka PAE) on 32-bit architectures
+      # This check isn't super accurate but it's close enough
+      HIGHMEM                   = option yes;
+      BOUNCE                    = option yes;
     };
 
     memtest = {
@@ -154,6 +207,9 @@ let
       BFQ_GROUP_IOSCHED = yes;
       MQ_IOSCHED_KYBER = yes;
       IOSCHED_BFQ = module;
+      # Enable CPU utilization clamping for RT tasks
+      UCLAMP_TASK = whenAtLeast "5.3" yes;
+      UCLAMP_TASK_GROUP = whenAtLeast "5.4" yes;
     };
 
 
@@ -166,6 +222,7 @@ let
     # Enable NUMA.
     numa = {
       NUMA  = option yes;
+      NUMA_BALANCING = option yes;
     };
 
     networking = {
@@ -250,6 +307,9 @@ let
       # Bridge Netfilter Configuration
       NF_TABLES_BRIDGE            = mkMerge [ (whenOlder "5.3" yes)
                                               (whenAtLeast "5.3" module) ];
+      # Expose some debug info
+      NF_CONNTRACK_PROCFS         = yes;
+      NF_FLOW_TABLE_PROCFS        = whenAtLeast "6.0" yes;
 
       # needed for `dropwatch`
       # Builtin-only since https://github.com/torvalds/linux/commit/f4b6bcc7002f0e3a3428bac33cf1945abff95450
@@ -276,6 +336,10 @@ let
       INFINIBAND = module;
       INFINIBAND_IPOIB = module;
       INFINIBAND_IPOIB_CM = yes;
+
+      # Enable debugfs for wireless drivers
+      CFG80211_DEBUGFS = yes;
+      MAC80211_DEBUGFS = yes;
     } // optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") {
       # Not enabled by default, hides modules behind it
       NET_VENDOR_MEDIATEK = yes;
@@ -288,8 +352,8 @@ let
       CFG80211_WEXT               = option yes; # Without it, ipw2200 drivers don't build
       IPW2100_MONITOR             = option yes; # support promiscuous mode
       IPW2200_MONITOR             = option yes; # support promiscuous mode
-      HOSTAP_FIRMWARE             = option yes; # Support downloading firmware images with Host AP driver
-      HOSTAP_FIRMWARE_NVRAM       = option yes;
+      HOSTAP_FIRMWARE             = whenOlder "6.8" (option yes); # Support downloading firmware images with Host AP driver
+      HOSTAP_FIRMWARE_NVRAM       = whenOlder "6.8" (option yes);
       MAC80211_MESH               = option yes; # Enable 802.11s (mesh networking) support
       ATH9K_PCI                   = option yes; # Detect Atheros AR9xxx cards on PCI(e) bus
       ATH9K_AHB                   = option yes; # Ditto, AHB bus
@@ -345,8 +409,12 @@ let
       FONT_TER16x32 = whenAtLeast "5.0" yes;
     };
 
-    video = {
+    video = let
+      whenHasDevicePrivate = mkIf (!stdenv.isx86_32 && versionAtLeast version "5.1");
+    in {
       DRM_LEGACY = whenOlder "6.8" no;
+      DRM_SIMPLEDRM = yes;
+
       NOUVEAU_LEGACY_CTX_SUPPORT = whenBetween "5.2" "6.3" no;
 
       # Allow specifying custom EDID on the kernel command line
@@ -371,8 +439,25 @@ let
       DRM_AMD_DC_FP = whenAtLeast "6.4" yes;
       DRM_AMD_DC_HDCP = whenBetween "5.5" "6.4" yes;
       DRM_AMD_DC_SI = whenAtLeast "5.10" yes;
+
+      # Enable AMD Audio Coprocessor support for HDMI outputs
+      DRM_AMD_ACP = yes;
+
+      # Enable AMD secure display when available
+      DRM_AMD_SECURE_DISPLAY = whenAtLeast "5.13" yes;
+
       # Enable new firmware (and by extension NVK) for compatible hardware on Nouveau
       DRM_NOUVEAU_GSP_DEFAULT = whenAtLeast "6.8" yes;
+
+      # Enable Nouveau shared virtual memory (used by OpenCL)
+      DEVICE_PRIVATE = whenHasDevicePrivate yes;
+      DRM_NOUVEAU_SVM = whenHasDevicePrivate yes;
+
+      # Enable HDMI-CEC receiver support
+      MEDIA_CEC_RC = whenAtLeast "5.10" yes;
+
+      # Enable CEC over DisplayPort
+      DRM_DP_CEC = yes;
     } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
       # Intel GVT-g graphics virtualization supports 64-bit only
       DRM_I915_GVT = yes;
@@ -409,6 +494,7 @@ let
       SND_HDA_CODEC_CA0132_DSP = whenOlder "5.7" yes; # Enable DSP firmware loading on Creative Soundblaster Z/Zx/ZxR/Recon
       SND_OSSEMUL         = yes;
       SND_USB_CAIAQ_INPUT = yes;
+      SND_USB_AUDIO_MIDI_V2 = whenAtLeast "6.5" yes;
     # Enable Sound Open Firmware support
     } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" &&
                         versionAtLeast version "5.5") {
@@ -445,14 +531,23 @@ let
       SND_SOC_SOF_TIGERLAKE_SUPPORT     = whenOlder "5.12" yes;
     };
 
-    usb-serial = {
-      USB_SERIAL_GENERIC          = yes; # USB Generic Serial Driver
-    };
-
     usb = {
+      USB                  = yes; # compile USB core into kernel, so we can use USB_SERIAL_CONSOLE before modules
+
       USB_EHCI_ROOT_HUB_TT = yes; # Root Hub Transaction Translators
       USB_EHCI_TT_NEWSCHED = yes; # Improved transaction translator scheduling
       USB_HIDDEV = yes; # USB Raw HID Devices (like monitor controls and Uninterruptable Power Supplies)
+
+      # default to dual role mode
+      USB_DWC2_DUAL_ROLE = yes;
+      USB_DWC3_DUAL_ROLE = yes;
+    };
+
+    usb-serial = {
+      USB_SERIAL                  = yes;
+      USB_SERIAL_GENERIC          = yes; # USB Generic Serial Driver
+      USB_SERIAL_CONSOLE          = yes; # Allow using USB serial adapter as console
+      U_SERIAL_CONSOLE            = whenAtLeast "5.10" yes; # Allow using USB gadget as console
     };
 
     # Filesystem options - in particular, enable extended attributes and
@@ -533,6 +628,7 @@ let
 
       SQUASHFS_FILE_DIRECT         = yes;
       SQUASHFS_DECOMP_MULTI_PERCPU = whenOlder "6.2" yes;
+      SQUASHFS_CHOICE_DECOMP_BY_MOUNT = whenAtLeast "6.2" yes;
       SQUASHFS_XATTR               = yes;
       SQUASHFS_ZLIB                = yes;
       SQUASHFS_LZO                 = yes;
@@ -598,6 +694,16 @@ let
       CRYPTO_DRBG_HASH                 = yes;
       CRYPTO_DRBG_CTR                  = yes;
 
+      # Enable KFENCE
+      # See: https://docs.kernel.org/dev-tools/kfence.html
+      KFENCE                           = whenAtLeast "5.12" yes;
+
+      # Enable support for page poisoning. Still needs to be enabled on the command line to actually work.
+      PAGE_POISONING                   = yes;
+
+      # Enable stack smashing protections in schedule()
+      # See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8&id=0d9e26329b0c9263d4d9e0422d80a0e73268c52f
+      SCHED_STACK_END_CHECK            = yes;
     } // optionalAttrs stdenv.hostPlatform.isx86_64 {
       # Enable Intel SGX
       X86_SGX     = whenAtLeast "5.11" yes;
@@ -614,6 +720,9 @@ let
       SEV_GUEST       = whenAtLeast "5.19" module;
       # Shadow stacks
       X86_USER_SHADOW_STACK = whenAtLeast "6.6" yes;
+
+      # Mitigate straight line speculation at the cost of some file size
+      SLS = whenAtLeast "5.17" yes;
     };
 
     microcode = {
@@ -791,6 +900,10 @@ let
       # Unconditionally enabled, because it is required for CRIU and
       # it provides the kcmp() system call that Mesa depends on.
       CHECKPOINT_RESTORE  = yes;
+
+      # Allows soft-dirty tracking on pages, used by CRIU.
+      # See https://docs.kernel.org/admin-guide/mm/soft-dirty.html
+      MEM_SOFT_DIRTY = mkIf (!stdenv.isx86_32) yes;
     };
 
     misc = let
@@ -805,6 +918,9 @@ let
       # enabled by default in x86_64 but not arm64, so we do that here
       HIDRAW               = yes;
 
+      # Enable loading HID fixups as eBPF from userspace
+      HID_BPF            = whenAtLeast "6.3" yes;
+
       HID_ACRUX_FF       = yes;
       DRAGONRISE_FF      = yes;
       GREENASIA_FF       = yes;
@@ -832,7 +948,10 @@ let
       # Enable initrd support.
       BLK_DEV_INITRD    = yes;
 
-      PM_TRACE_RTC         = no; # Disable some expensive (?) features.
+      # Allows debugging systems that get stuck during suspend/resume
+      PM_TRACE             = yes;
+      PM_TRACE_RTC         = yes;
+
       ACCESSIBILITY        = yes; # Accessibility support
       AUXDISPLAY           = yes; # Auxiliary Display support
       HIPPI                = yes;
@@ -857,6 +976,11 @@ let
 
       BLK_SED_OPAL = yes;
 
+      # Enable support for block layer inline encryption
+      BLK_INLINE_ENCRYPTION = whenAtLeast "5.8" yes;
+      # ...but fall back to CPU encryption if unavailable
+      BLK_INLINE_ENCRYPTION_FALLBACK = whenAtLeast "5.8" yes;
+
       BSD_PROCESS_ACCT_V3 = yes;
 
       SERIAL_DEV_BUS = yes; # enables support for serial devices
@@ -971,7 +1095,7 @@ let
       # Disable the firmware helper fallback, udev doesn't implement it any more
       FW_LOADER_USER_HELPER_FALLBACK = option no;
 
-      FW_LOADER_COMPRESS = option yes;
+      FW_LOADER_COMPRESS = whenAtLeast "5.3" yes;
 
       HOTPLUG_PCI_ACPI = yes; # PCI hotplug using ACPI
       HOTPLUG_PCI_PCIE = yes; # PCI-Expresscard hotplug support
@@ -1018,6 +1142,13 @@ let
 
       # Set system time from RTC on startup and resume
       RTC_HCTOSYS = option yes;
+
+      # Expose watchdog information in sysfs
+      WATCHDOG_SYSFS = yes;
+
+      # Enable generic kernel watch queues
+      # See https://docs.kernel.org/core-api/watch_queue.html
+      WATCH_QUEUE = whenAtLeast "5.8" yes;
     } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
       # Enable CPU/memory hotplug support
       # Allows you to dynamically add & remove CPUs/memory to a VM client running NixOS without requiring a reboot
@@ -1048,6 +1179,10 @@ let
       # https://github.com/torvalds/linux/blob/856deb866d16e29bd65952e0289066f6078af773/kernel/dma/contiguous.c#L35-L44
       CMA_SIZE_MBYTES = freeform "32";
 
+      # Add debug interfaces for CMA
+      CMA_DEBUGFS = yes;
+      CMA_SYSFS = yes;
+
       # Many ARM SBCs hand off a pre-configured framebuffer.
       # This always can can be replaced by the actual native driver.
       # Keeping it a built-in ensures it will be used if possible.
@@ -1093,6 +1228,24 @@ let
     } // optionalAttrs (versionAtLeast version "5.4" && stdenv.hostPlatform.system == "x86_64-linux") {
       CHROMEOS_LAPTOP = module;
       CHROMEOS_PSTORE = module;
+    } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
+      # Enable x86 resource control
+      X86_CPU_RESCTRL = whenAtLeast "5.0" yes;
+
+      # Enable TSX on CPUs where it's not vulnerable
+      X86_INTEL_TSX_MODE_AUTO = yes;
+
+      # Enable AMD Wi-Fi RF band mitigations
+      # See https://cateee.net/lkddb/web-lkddb/AMD_WBRF.html
+      AMD_WBRF = whenAtLeast "6.8" yes;
+
+      # Enable Intel Turbo Boost Max 3.0
+      INTEL_TURBO_MAX_3 = yes;
+    };
+
+    accel = {
+      # Build DRM accelerator devices
+      DRM_ACCEL = whenAtLeast "6.2" yes;
     };
   };
 in
diff --git a/pkgs/os-specific/linux/nvidia-x11/default.nix b/pkgs/os-specific/linux/nvidia-x11/default.nix
index 449ff8042a70..9bfbe18f16ab 100644
--- a/pkgs/os-specific/linux/nvidia-x11/default.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/default.nix
@@ -33,14 +33,12 @@ rec {
   stable = if stdenv.hostPlatform.system == "i686-linux" then legacy_390 else latest;
 
   production = generic {
-    version = "535.154.05";
-    sha256_64bit = "sha256-fpUGXKprgt6SYRDxSCemGXLrEsIA6GOinp+0eGbqqJg=";
-    sha256_aarch64 = "sha256-G0/GiObf/BZMkzzET8HQjdIcvCSqB1uhsinro2HLK9k=";
-    openSha256 = "sha256-wvRdHguGLxS0mR06P5Qi++pDJBCF8pJ8hr4T8O6TJIo=";
-    settingsSha256 = "sha256-9wqoDEWY4I7weWW05F4igj1Gj9wjHsREFMztfEmqm10=";
-    persistencedSha256 = "sha256-d0Q3Lk80JqkS1B54Mahu2yY/WocOqFFbZVBh+ToGhaE=";
-
-    patches = [ rcu_patch ];
+    version = "550.67";
+    sha256_64bit = "sha256-mSAaCccc/w/QJh6w8Mva0oLrqB+cOSO1YMz1Se/32uI=";
+    sha256_aarch64 = "sha256-+UuK0UniAsndN15VDb/xopjkdlc6ZGk5LIm/GNs5ivA=";
+    openSha256 = "sha256-M/1qAQxTm61bznAtCoNQXICfThh3hLqfd0s1n1BFj2A=";
+    settingsSha256 = "sha256-FUEwXpeUMH1DYH77/t76wF1UslkcW721x9BHasaRUaM=";
+    persistencedSha256 = "sha256-ojHbmSAOYl3lOi2X6HOBlokTXhTCK6VNsH6+xfGQsyo=";
   };
 
   latest = selectHighestVersion production (generic {
diff --git a/pkgs/os-specific/linux/rtl8814au/default.nix b/pkgs/os-specific/linux/rtl8814au/default.nix
index 0b1522c96972..bef60b52814d 100644
--- a/pkgs/os-specific/linux/rtl8814au/default.nix
+++ b/pkgs/os-specific/linux/rtl8814au/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation {
   pname = "rtl8814au";
-  version = "${kernel.version}-unstable-2023-03-21";
+  version = "${kernel.version}-unstable-2024-03-19";
 
   src = fetchFromGitHub {
     owner = "morrownr";
     repo = "8814au";
-    rev = "6f80699e68fd2a9f2bba3f1a56ca06d1b7992bd8";
-    hash = "sha256-7dv+8vNI1OLLA4SdZQPL87pTS9HR6mGijzWo9WL7vc0=";
+    rev = "d7945c1e0244c83cbbad4da331648246f12eaee9";
+    hash = "sha256-idjHlvyFpQgLGfNAPpZKRnLdXnAogUW3qGHC1WzGVmA=";
   };
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
diff --git a/pkgs/servers/klipper/default.nix b/pkgs/servers/klipper/default.nix
index 0c56e1b10c48..b2067020ad9f 100644
--- a/pkgs/servers/klipper/default.nix
+++ b/pkgs/servers/klipper/default.nix
@@ -8,13 +8,13 @@
 
 stdenv.mkDerivation rec {
   pname = "klipper";
-  version = "unstable-2024-03-15";
+  version = "unstable-2024-03-19";
 
   src = fetchFromGitHub {
     owner = "KevinOConnor";
     repo = "klipper";
-    rev = "bfb71bc2dc63f2911a11ebf580f82b1e8b2706c4";
-    sha256 = "sha256-djF1IOcMCBcsmVV0hgn6QMwDVClxSSithgiRvss9KQc=";
+    rev = "235b75be3c287a9fdcde54b347734bf6a8de2ade";
+    sha256 = "sha256-PTdLhoKTlvrTljAvrK8q/JF9w50kKJHkWrzdPPaSfCc=";
   };
 
   sourceRoot = "${src.name}/klippy";
diff --git a/pkgs/servers/monitoring/mackerel-agent/default.nix b/pkgs/servers/monitoring/mackerel-agent/default.nix
index 81fd88c37b29..a240c1aee990 100644
--- a/pkgs/servers/monitoring/mackerel-agent/default.nix
+++ b/pkgs/servers/monitoring/mackerel-agent/default.nix
@@ -2,20 +2,20 @@
 
 buildGoModule rec {
   pname = "mackerel-agent";
-  version = "0.79.0";
+  version = "0.80.0";
 
   src = fetchFromGitHub {
     owner = "mackerelio";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-UKSrNUKS7VYK/hcKdNetaq6HNPqZyK7VtlJZjoyxU6o=";
+    sha256 = "sha256-ETM7OTJEdySej9wrV9sth1JCJAtfBVdsPH8ndOBV118=";
   };
 
   nativeBuildInputs = [ makeWrapper ];
   nativeCheckInputs = lib.optionals (!stdenv.isDarwin) [ nettools ];
   buildInputs = lib.optionals (!stdenv.isDarwin) [ iproute2 ];
 
-  vendorHash = "sha256-AnkjmgcFSI8RadfTdtCk+NCiAw+NecfaU/vc7WOgbuk=";
+  vendorHash = "sha256-pCUHDHKNaSoIPB3fS+Jf953YMI5cXcUOLF+YP62iPMo=";
 
   subPackages = [ "." ];
 
diff --git a/pkgs/servers/monitoring/prometheus/kea-exporter.nix b/pkgs/servers/monitoring/prometheus/kea-exporter.nix
index 8270de4d9347..721f69763fc0 100644
--- a/pkgs/servers/monitoring/prometheus/kea-exporter.nix
+++ b/pkgs/servers/monitoring/prometheus/kea-exporter.nix
@@ -1,22 +1,28 @@
-{ lib, python3Packages, fetchPypi, nixosTests }:
+{ lib
+, python3Packages
+, fetchPypi
+, nixosTests
+}:
 
 python3Packages.buildPythonApplication rec {
   pname = "kea-exporter";
-  version = "0.5.1";
+  version = "0.6.1";
   format = "pyproject";
 
   src = fetchPypi {
-    inherit pname version;
-    hash = "sha256-rNGA5XEx9xVUP1SeDPgXcaqgDhgX6JFhRX9GM454P5A=";
+    pname = "kea_exporter";
+    inherit version;
+    hash = "sha256-PyNFSTDqT+PBY7d9NSG1FVhN+Y3ID13T6859kBYsFzU=";
   };
 
   nativeBuildInputs = with python3Packages; [
-    pdm-pep517
+    pdm-backend
   ];
 
   propagatedBuildInputs = with python3Packages; [
     click
     prometheus-client
+    requests
   ];
 
   checkPhase = ''
@@ -29,6 +35,7 @@ python3Packages.buildPythonApplication rec {
   };
 
   meta = with lib; {
+    changelog = "https://github.com/mweinelt/kea-exporter/blob/v${version}/HISTORY";
     description = "Export Kea Metrics in the Prometheus Exposition Format";
     mainProgram = "kea-exporter";
     homepage = "https://github.com/mweinelt/kea-exporter";
diff --git a/pkgs/servers/spicedb/zed.nix b/pkgs/servers/spicedb/zed.nix
index 8788834e892c..5d85e9f74e84 100644
--- a/pkgs/servers/spicedb/zed.nix
+++ b/pkgs/servers/spicedb/zed.nix
@@ -5,16 +5,16 @@
 
 buildGoModule rec {
   pname = "zed";
-  version = "0.16.4";
+  version = "0.17.0";
 
   src = fetchFromGitHub {
     owner = "authzed";
     repo = "zed";
     rev = "v${version}";
-    hash = "sha256-PLOzzsW0v4T12NFrQlOYcsC7Cd3OnGD0TYmuavqEtxw=";
+    hash = "sha256-C/vX8gocU7teSACqHBrYTPJryaUP4tuzEo/4TUEdNt0=";
   };
 
-  vendorHash = "sha256-KhtT0v0FJiOvYUhN/rBYxbkUKs0DdIc5HwlhVUAi9cA=";
+  vendorHash = "sha256-qf1jGNCW/ewwqkbsU7fZdYvazhMYw+/DGWkdugQRrec=";
 
   meta = with lib; {
     description = "Command line for managing SpiceDB";
diff --git a/pkgs/shells/carapace/default.nix b/pkgs/shells/carapace/default.nix
index 356979253383..0e462149e67a 100644
--- a/pkgs/shells/carapace/default.nix
+++ b/pkgs/shells/carapace/default.nix
@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "carapace";
-  version = "0.30.2";
+  version = "1.0.0";
 
   src = fetchFromGitHub {
     owner = "rsteube";
     repo = "${pname}-bin";
     rev = "v${version}";
-    hash = "sha256-gYYNwDUL00b9orq1suxa9VtHBLUgRgntQcYw24vgncg=";
+    hash = "sha256-lc+oU9adFbtQyb4wKLgbf5i6UwxsKUJo3giquDTO6qg=";
   };
 
-  vendorHash = "sha256-RML1al1XlONzeCCkz34Ij1I/WDQSTVrm3P6RaOdyWKI=";
+  vendorHash = "sha256-XAdTLfMnOAcOiRYZGrom2Q+qp+epfg6Y9Jv0V0T12/8=";
 
   ldflags = [
     "-s"
diff --git a/pkgs/shells/fish/default.nix b/pkgs/shells/fish/default.nix
index 3703644a73ae..0013c205f31f 100644
--- a/pkgs/shells/fish/default.nix
+++ b/pkgs/shells/fish/default.nix
@@ -135,7 +135,7 @@ let
 
   fish = stdenv.mkDerivation rec {
     pname = "fish";
-    version = "3.7.0";
+    version = "3.7.1";
 
     src = fetchurl {
       # There are differences between the release tarball and the tarball GitHub
@@ -145,7 +145,7 @@ let
       # --version`), as well as the local documentation for all builtins (and
       # maybe other things).
       url = "https://github.com/fish-shell/fish-shell/releases/download/${version}/${pname}-${version}.tar.xz";
-      hash = "sha256-3xtzeLcU8GkLKF7Z5OWK/icKyY28nKWDlYnBr8yjOrE=";
+      hash = "sha256-YUyfVkPNB5nfOROV+mu8NklCe7g5cizjsRTTu8GjslA=";
     };
 
     # Fix FHS paths in tests
@@ -308,7 +308,7 @@ let
     passthru = {
       shellPath = "/bin/fish";
       tests = {
-        nixos = nixosTests.fish;
+        nixos = lib.optionalAttrs stdenv.isLinux nixosTests.fish;
 
         # Test the fish_config tool by checking the generated splash page.
         # Since the webserver requires a port to run, it is not started.
@@ -322,18 +322,17 @@ let
             # if we don't set `delete=False`, the file will get cleaned up
             # automatically (leading the test to fail because there's no
             # tempfile to check)
-            sed -e 's@, mode="w"@, mode="w", delete=False@' -i webconfig.py
+            ${lib.getExe gnused} -e 's@, mode="w"@, mode="w", delete=False@' -i webconfig.py
 
             # we delete everything after the fileurl is assigned
-            sed -e '/fileurl =/q' -i webconfig.py
+            ${lib.getExe gnused} -e '/fileurl =/q' -i webconfig.py
             echo "print(fileurl)" >> webconfig.py
 
             # and check whether the message appears on the page
-            cat (${python3}/bin/python ./webconfig.py \
-              | tail -n1 | sed -ne 's|.*\(/build/.*\)|\1|p' \
-            ) | grep 'a href="http://localhost.*Start the Fish Web config'
-
             # cannot test the http server because it needs a localhost port
+            cat (${python3}/bin/python ./webconfig.py \
+              | tail -n1 | ${lib.getExe gnused} -e 's|file://||' \
+            ) | ${lib.getExe gnugrep} -q 'a href="http://localhost.*Start the Fish Web config'
           '';
           in
           runCommand "test-web-config" { } ''
diff --git a/pkgs/shells/fish/plugins/puffer.nix b/pkgs/shells/fish/plugins/puffer.nix
index 0365c55e5351..107191ca52e6 100644
--- a/pkgs/shells/fish/plugins/puffer.nix
+++ b/pkgs/shells/fish/plugins/puffer.nix
@@ -1,20 +1,24 @@
-{ lib, buildFishPlugin, fetchFromGitHub }:
+{
+  lib,
+  buildFishPlugin,
+  fetchFromGitHub,
+}:
 
 buildFishPlugin rec {
   pname = "puffer";
-  version = "unstable-2022-10-07";
+  version = "1.0.0";
 
   src = fetchFromGitHub {
     owner = "nickeb96";
     repo = "puffer-fish";
-    rev = "fd0a9c95da59512beffddb3df95e64221f894631";
-    hash = "sha256-aij48yQHeAKCoAD43rGhqW8X/qmEGGkg8B4jSeqjVU0=";
+    rev = "v${version}";
+    hash = "sha256-2niYj0NLfmVIQguuGTA7RrPIcorJEPkxhH6Dhcy+6Bk=";
   };
 
-  meta = with lib; {
+  meta = {
     description = "Text Expansions for Fish";
     homepage = "https://github.com/nickeb96/puffer-fish";
-    license = licenses.mit;
-    maintainers = with maintainers; [ quantenzitrone ];
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ quantenzitrone ];
   };
 }
diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix
index 10ed96acc209..32bcabee6d79 100644
--- a/pkgs/stdenv/adapters.nix
+++ b/pkgs/stdenv/adapters.nix
@@ -237,14 +237,18 @@ rec {
       });
     });
 
+  /* Copy the libstdc++ from the model stdenv to the target stdenv.
+   *
+   * TODO(@connorbaker):
+   * This interface provides behavior which should be revisited prior to the
+   * release of 24.05. For a more detailed explanation and discussion, see
+   * https://github.com/NixOS/nixpkgs/issues/283517. */
   useLibsFrom = modelStdenv: targetStdenv:
     let
       ccForLibs = modelStdenv.cc.cc;
-      cc = pkgs.wrapCCWith {
-        /* NOTE: cc.cc is the unwrapped compiler. Should we respect the old
-         * wrapper instead? */
-        cc = targetStdenv.cc.cc;
-
+      /* NOTE(@connorbaker):
+       * This assumes targetStdenv.cc is a cc-wrapper. */
+      cc = targetStdenv.cc.override {
         /* NOTE(originally by rrbutani):
          * Normally the `useCcForLibs`/`gccForLibs` mechanism is used to get a
          * clang based `cc` to use `libstdc++` (from gcc).
diff --git a/pkgs/tools/admin/azure-cli/default.nix b/pkgs/tools/admin/azure-cli/default.nix
index 71c478d61216..9d92a10cc288 100644
--- a/pkgs/tools/admin/azure-cli/default.nix
+++ b/pkgs/tools/admin/azure-cli/default.nix
@@ -5,14 +5,14 @@
 }:
 
 let
-  version = "2.56.0";
+  version = "2.58.0";
 
   src = fetchFromGitHub {
     name = "azure-cli-${version}-src";
     owner = "Azure";
     repo = "azure-cli";
     rev = "azure-cli-${version}";
-    hash = "sha256-rlyBp0aVjmOCIb000PdvU7nJlC9vvk+nVmIEtMTKEG8=";
+    hash = "sha256-2KLjPzxtHeuH0/+Sge1wTmGimOiaTWr8EI+xkFBrPD0=";
   };
 
   # put packages that needs to be overridden in the py package scope
diff --git a/pkgs/tools/admin/azure-cli/python-packages.nix b/pkgs/tools/admin/azure-cli/python-packages.nix
index 3714c5bec020..b01341f1a2ca 100644
--- a/pkgs/tools/admin/azure-cli/python-packages.nix
+++ b/pkgs/tools/admin/azure-cli/python-packages.nix
@@ -95,140 +95,52 @@ let
         '';
       };
 
-      antlr4-python3-runtime = super.antlr4-python3-runtime.override (_: {
-        antlr4 = super.pkgs.antlr4_12;
-      });
-      azure-mgmt-advisor = overrideAzureMgmtPackage super.azure-mgmt-advisor "9.0.0" "zip" "sha256-/ECLNzFf6EeBtRkST4yxuKwQsvQkHkOdDT4l/WyhjXs=";
-      azure-mgmt-apimanagement = overrideAzureMgmtPackage super.azure-mgmt-apimanagement "4.0.0" "zip" "sha256-AiTjLJ28g80xnrRFLfPUevJgeaxLpuGmvkd3+FskNiw=";
-      azure-mgmt-authorization = overrideAzureMgmtPackage super.azure-mgmt-authorization "4.0.0" "zip" "sha256-abhavAmuZPxyl1vUNDEXDYx+tdFmdUuYqsXzhF3lfcQ=";
-      azure-mgmt-billing = overrideAzureMgmtPackage super.azure-mgmt-billing "6.0.0" "zip" "sha256-1PXFpBiKRW/h6zK2xF9VyiBpx0vkHrdpIYQLOfL1wH8=";
+      azure-keyvault-keys = overrideAzureMgmtPackage super.azure-keyvault-keys "4.9.0b3" "tar.gz" "sha256-qoseyf6WqBEG8vPc1hF17K46AWk8Ba8V9KRed4lOlGo=";
+      azure-mgmt-applicationinsights = overrideAzureMgmtPackage super.azure-mgmt-applicationinsights "1.0.0" "zip" "sha256-woeix9703hn5LAwxugKGf6xvW433G129qxkoi7RV/Fs=";
+      azure-mgmt-batch = overrideAzureMgmtPackage super.azure-mgmt-batch "17.2.0" "tar.gz" "sha256-ihXjijfW5OzilXPegIxaiSdsmfJSDqHzUrhqcEyJhY0=";
+      azure-mgmt-batchai = overrideAzureMgmtPackage super.azure-mgmt-batchai "7.0.0b1" "zip" "sha256-mT6vvjWbq0RWQidugR229E8JeVEiobPD3XA/nDM3I6Y=";
       azure-mgmt-botservice = overrideAzureMgmtPackage super.azure-mgmt-botservice "2.0.0b3" "zip" "sha256-XZGQOeMw8usyQ1tl8j57fZ3uqLshomHY9jO/rbpQOvM=";
-      azure-mgmt-cognitiveservices = overrideAzureMgmtPackage super.azure-mgmt-cognitiveservices "13.5.0" "zip" "sha256-RK8LGbH4J+nN6gnGBUweZgkqUcMrwe9aVtvZtAvFeBU=";
+      azure-mgmt-cdn = overrideAzureMgmtPackage super.azure-mgmt-cdn "12.0.0" "zip" "sha256-t8PuIYkjS0r1Gs4pJJJ8X9cz8950imQtbVBABnyMnd0=";
       azure-mgmt-compute = overrideAzureMgmtPackage super.azure-mgmt-compute "30.4.0" "tar.gz" "sha256-C3Qo/YvRXHy9fGa5uwEOClyzeoBs7x9JSNkHGRV2kzQ=";
-      azure-mgmt-containerinstance = overrideAzureMgmtPackage super.azure-mgmt-containerinstance "10.1.0" "zip" "sha256-eNQ3rbKFdPRIyDjtXwH5ztN4GWCYBh3rWdn3AxcEwX4=";
-      azure-mgmt-containerregistry = overrideAzureMgmtPackage super.azure-mgmt-containerregistry "10.1.0" "zip" "sha256-VrX9YfYNvlA8+eNqHCp35BAeQZzQKakZs7ZZKwT8oYc=";
       azure-mgmt-core = overrideAzureMgmtPackage super.azure-mgmt-core "1.3.2" "zip" "sha256-B/Sv6COlXXBLBI1h7f3BMYwFHtWfJEAyEmNQvpXp1QE=";
-      azure-mgmt-cosmosdb = overrideAzureMgmtPackage super.azure-mgmt-cosmosdb "9.3.0" "tar.gz" "sha256-02DisUN2/auBDhPgE9aUvEvYwoQUQC4NYGD/PQZOl/Y=";
-      azure-mgmt-databoxedge = overrideAzureMgmtPackage super.azure-mgmt-databoxedge "1.0.0" "zip" "sha256-BAkAYrwejwDC9FMVo7zrD7OzR57BR01xuINC4TSZsIc=";
-      azure-mgmt-datalake-nspkg = overrideAzureMgmtPackage super.azure-mgmt-datalake-nspkg "3.0.1" "zip" "sha256-3rGSukIviz7Ccs5OiHNnlvIW8o6lsD8oMx14S3o/SIA=";
-      azure-mgmt-datamigration = overrideAzureMgmtPackage super.azure-mgmt-datamigration "10.0.0" "zip" "sha256-XO5w+X/joJPDy3DCoZDC35Nrdy6UoJ73496x7Rd8nzI=";
+      azure-mgmt-datalake-store = overrideAzureMgmtPackage super.azure-mgmt-datalake-store "0.5.0" "zip" "sha256-k3bTVJVmHRn4rMVgT2ewvFlJOxg1u8SA+aGVL5ABekw=";
+      azure-mgmt-devtestlabs = overrideAzureMgmtPackage super.azure-mgmt-devtestlabs "4.0.0" "zip" "sha256-WVScTEBo8mRmsQl7V0qOUJn7LNbIvgoAOVsG07KeJ40=";
       azure-mgmt-dns = overrideAzureMgmtPackage super.azure-mgmt-dns "8.0.0" "zip" "sha256-QHwtrLM1E/++nKS+Wt216dS64Mt++mE8P31THve/jeg=";
+      azure-mgmt-eventgrid = overrideAzureMgmtPackage super.azure-mgmt-eventgrid "10.2.0b2" "zip" "sha256-QcHY1wCwQyVOEdUi06/wEa4dqJH5Ccd33gJ1Sju0qZA=";
+      azure-mgmt-eventhub = overrideAzureMgmtPackage super.azure-mgmt-eventhub "10.1.0" "zip" "sha256-MZqhSBkwypvEefhoEWEPsBUFidWYD7qAX6edcBDDSSA=";
       azure-mgmt-extendedlocation = overrideAzureMgmtPackage super.azure-mgmt-extendedlocation "1.0.0b2" "zip" "sha256-mjfH35T81JQ97jVgElWmZ8P5MwXVxZQv/QJKNLS3T8A=";
-      azure-mgmt-hdinsight = overrideAzureMgmtPackage super.azure-mgmt-hdinsight "9.0.0" "zip" "sha256-QevcacDR+B0l3TBDjBT/9DMfZmOfVYBbkYuWSer/54o=";
-      azure-mgmt-imagebuilder = overrideAzureMgmtPackage super.azure-mgmt-imagebuilder "1.2.0" "zip" "sha256-XmGIzw+yGYgdaNGZJClFRl531BGsQUH+HESUXGVK6TI=";
-      azure-mgmt-iothubprovisioningservices = overrideAzureMgmtPackage super.azure-mgmt-iothubprovisioningservices "1.1.0" "zip" "sha256-04OoJuff93L62G6IozpmHpEaUbHHHD6nKlkMHVoJvJ4=";
-      azure-mgmt-managementgroups = overrideAzureMgmtPackage super.azure-mgmt-managementgroups "1.0.0" "zip" "sha256-urm9UyocNFV/Wwq5lQ5DHj8Au5boo85m3w9s4q4ZzXM=";
+      azure-mgmt-iotcentral = overrideAzureMgmtPackage super.azure-mgmt-iotcentral "10.0.0b1" "zip" "sha256-1CiZuTXYhIb74eGQZUJHHzovYNnnVd3Ydu1UCy2Bu00=";
+      azure-mgmt-kusto = (overrideAzureMgmtPackage super.azure-mgmt-kusto "0.3.0" "zip"
+        "sha256-nri3eB/UQQ7p4gfNDDmDuvnlhBS1tKGISdCYVuNrrN4=").overridePythonAttrs (attrs: {
+        propagatedBuildInputs = attrs.propagatedBuildInputs or [ ] ++ [ self.msrest self.msrestazure ];
+      });
       azure-mgmt-maps = overrideAzureMgmtPackage super.azure-mgmt-maps "2.0.0" "zip" "sha256-OE4X92potwCk+YhHiUXDqXIXEcBAByWv38tjz4ToXw4=";
-      azure-mgmt-marketplaceordering = overrideAzureMgmtPackage super.azure-mgmt-marketplaceordering "1.1.0" "zip" "sha256-aLOB9SpN9ENdrK1al+HFmsTJgfZn3MqPnQRFNBfWCtg=";
+      azure-mgmt-media = overrideAzureMgmtPackage super.azure-mgmt-media "9.0.0" "zip" "sha256-TI7l8sSQ2QUgPqiE3Cu/F67Wna+KHbQS3fuIjOb95ZM=";
       azure-mgmt-monitor = overrideAzureMgmtPackage super.azure-mgmt-monitor "5.0.0" "zip" "sha256-eL9KJowxTF7hZJQQQCNJZ7l+rKPFM8wP5vEigt3ZFGE=";
-      azure-mgmt-msi = overrideAzureMgmtPackage super.azure-mgmt-msi "7.0.0" "zip" "sha256-ctRsmmJ4PsTqthm+nRt4/+u9qhZNQG/TA/FjA/NyVrI=";
+      azure-mgmt-netapp = overrideAzureMgmtPackage super.azure-mgmt-netapp "10.1.0" "zip" "sha256-eJiWTOCk2C79Jotku9bKlu3vU6H8004hWrX+h76MjQM=";
+      azure-mgmt-policyinsights = overrideAzureMgmtPackage super.azure-mgmt-policyinsights "1.1.0b4" "zip" "sha256-aB16xyrhNYHJeitvdCeV+kik21B2LC+5/OSDQIGwTpI=";
       azure-mgmt-privatedns = overrideAzureMgmtPackage super.azure-mgmt-privatedns "1.0.0" "zip" "sha256-tg8W5D97KRWCxfV7rhsIMJbYMD6dmVjiwpInpVzCfEU=";
-      azure-mgmt-recoveryservices = overrideAzureMgmtPackage super.azure-mgmt-recoveryservices "2.5.0" "tar.gz" "sha256-XxowjEhYx5uD/4vY5hGSCSvcarmdbdc5Y2GLHciEurU=";
-      azure-mgmt-recoveryservicesbackup = overrideAzureMgmtPackage super.azure-mgmt-recoveryservicesbackup "7.0.0" "tar.gz" "sha256-GuW6x8JGdBedywum4fDAQ8rwbVU9UgQWgHrFqJ6Uz9A=";
-      azure-mgmt-redhatopenshift = overrideAzureMgmtPackage super.azure-mgmt-redhatopenshift "1.4.0" "tar.gz" "sha256-BL2a2L2AwJWvs0V+VpSGaS8//AWMy5m6rdAPDJPbrEo=";
-      azure-mgmt-redis = overrideAzureMgmtPackage super.azure-mgmt-redis "14.1.0" "zip" "sha256-LO92Wc2+VvsEKiOjVSHXw2o3D69NQlL58m+YqWl6+ig=";
+      azure-mgmt-rdbms = overrideAzureMgmtPackage super.azure-mgmt-rdbms "10.2.0b12" "tar.gz" "sha256-WdTm0YxMXNHGcSGD38YZ1YmJaMjfLJC8OImXedcxDeE=";
+      azure-mgmt-recoveryservicesbackup = overrideAzureMgmtPackage super.azure-mgmt-recoveryservicesbackup "8.0.0" "tar.gz" "sha256-Hakde59uvVcCkvFt9w69nVr7BjNrPU0Q/COcA0h7Cnw=";
+      azure-mgmt-redis = overrideAzureMgmtPackage super.azure-mgmt-redis "14.3.0" "tar.gz" "sha256-eoMbY4oNzYXkn3uFUhxecJQD+BxYkGTbWhAWSgAoLyA=";
+      azure-mgmt-resource = overrideAzureMgmtPackage super.azure-mgmt-resource "23.1.0b2" "zip" "sha256-kMmiKVwjPgmsTIxxxDRNXE41jSTJkemnKhO+P/OcPZI=";
       azure-mgmt-search = overrideAzureMgmtPackage super.azure-mgmt-search "9.0.0" "zip" "sha256-Gc+qoTa1EE4/YmJvUSqVG+zZ50wfohvWOe/fLJ/vgb0=";
       azure-mgmt-security = overrideAzureMgmtPackage super.azure-mgmt-security "5.0.0" "zip" "sha256-OLA+/oLCNEzqID/alebQC3rCJ4L6HAtYXNDqLI/z5wI=";
-      azure-mgmt-servicebus = overrideAzureMgmtPackage super.azure-mgmt-servicebus "8.2.0" "zip" "sha256-i+kgjxQdmnifaNuNIZdU/3gGn9j5OQ6fdkS7laO+nsI=";
-      azure-mgmt-servicefabricmanagedclusters = overrideAzureMgmtPackage super.azure-mgmt-servicefabricmanagedclusters "1.0.0" "zip" "sha256-EJyjolHrt92zWg+IKWFKTapwZaFrwTtSyEIu5/mZXOg=";
-      azure-mgmt-storage = overrideAzureMgmtPackage super.azure-mgmt-storage "21.1.0" "tar.gz" "sha256-1tPA6RfJiLye0Eckd9PvP5CIYAnrHZenEZRPg3VjAWI=";
-      azure-mgmt-trafficmanager = overrideAzureMgmtPackage super.azure-mgmt-trafficmanager "1.0.0" "zip" "sha256-R0F2HoA0bE7dTLPycTaOqYBj+ATQFeJFwv4EjtK1lqg=";
-      azure-synapse-managedprivateendpoints = overrideAzureMgmtPackage super.azure-synapse-managedprivateendpoints "0.4.0" "zip" "sha256-kA6urM/9zQEBKySKfQSQCMkoB7dJ7dHJB0ypJIVUwX4=";
-
-      azure-synapse-spark = overrideAzureMgmtPackage super.azure-synapse-spark "0.2.0" "zip" "sha256-OQ5brhweEIrtN2iP4I5NacdC9t3YUiGIVhhqSs3FMuI=";
-
-      azure-mgmt-appcontainers = overrideAzureMgmtPackage super.azure-mgmt-appcontainers "2.0.0" "zip"
-        "sha256-ccdIdvdgTYPWEZCWqkLc8lEuMuAEERvl5B1huJyBkvU=";
-
-      azure-mgmt-batch = (overrideAzureMgmtPackage super.azure-mgmt-batch "17.0.0" "zip"
-        "sha256-hkM4WVLuwxj4qgXsY8Ya7zu7/v37gKdP0Xbf2EqrsWo=").overridePythonAttrs (attrs: {
-        propagatedBuildInputs = attrs.propagatedBuildInputs or [ ] ++ [ self.msrest ];
-      });
-
-      azure-mgmt-batchai = overrideAzureMgmtPackage super.azure-mgmt-batchai "7.0.0b1" "zip"
-        "sha256-mT6vvjWbq0RWQidugR229E8JeVEiobPD3XA/nDM3I6Y=";
-
-      azure-mgmt-policyinsights = overrideAzureMgmtPackage super.azure-mgmt-policyinsights "1.1.0b4" "zip"
-        "sha512-NW2BNj45lKzBmPXWMuBnVEDG2C6xzo9J/QjcC5fczvyhKBIkhugJVOWdPUsSzyGeQYKdqpRWPOl0yBG/eblHQA==";
-
-      azure-mgmt-cdn = overrideAzureMgmtPackage super.azure-mgmt-cdn "12.0.0" "zip"
-        "sha256-t8PuIYkjS0r1Gs4pJJJ8X9cz8950imQtbVBABnyMnd0=";
-
-      azure-mgmt-rdbms = overrideAzureMgmtPackage super.azure-mgmt-rdbms "10.2.0b11" "tar.gz"
-        "sha256-A7SwklqAhz4Ey9ar1YWythtVZyQ2Y2RUsa27iMc2mxU=";
-
-      azure-mgmt-appconfiguration = overrideAzureMgmtPackage super.azure-mgmt-appconfiguration "3.0.0" "zip"
-        "sha256-FJhuVgqNjdRIegP4vUISrAtHvvVle5VQFVITPm4HLEw=";
-
-      azure-mgmt-eventgrid = overrideAzureMgmtPackage super.azure-mgmt-eventgrid "10.2.0b2" "zip"
-        "sha256-QcHY1wCwQyVOEdUi06/wEa4dqJH5Ccd33gJ1Sju0qZA=";
-
-      azure-mgmt-iothub = overrideAzureMgmtPackage super.azure-mgmt-iothub "3.0.0" "tar.gz"
-        "sha256-2vIfyYxoo1PsYWMYwOYr4EyNaJmWC+jCy/mRZzrItyI=";
-
-      azure-mgmt-iotcentral = overrideAzureMgmtPackage super.azure-mgmt-iotcentral "10.0.0b1" "zip"
-        "sha256-1CiZuTXYhIb74eGQZUJHHzovYNnnVd3Ydu1UCy2Bu00=";
-
-      azure-mgmt-kusto = (overrideAzureMgmtPackage super.azure-mgmt-kusto "0.3.0" "zip"
-        "sha256-nri3eB/UQQ7p4gfNDDmDuvnlhBS1tKGISdCYVuNrrN4=").overridePythonAttrs (attrs: {
-        propagatedBuildInputs = attrs.propagatedBuildInputs or [ ] ++ [ self.msrest self.msrestazure ];
-      });
-
-      azure-mgmt-devtestlabs = overrideAzureMgmtPackage super.azure-mgmt-devtestlabs "4.0.0" "zip"
-        "sha256-WVScTEBo8mRmsQl7V0qOUJn7LNbIvgoAOVsG07KeJ40=";
-
-      azure-mgmt-loganalytics = overrideAzureMgmtPackage super.azure-mgmt-loganalytics "13.0.0b4" "zip"
-        "sha256-Jm1t7v5vyFjNNM/evVaEI9sXJKNwJk6XAXuJSRSnKHk=";
-
-      azure-mgmt-media = overrideAzureMgmtPackage super.azure-mgmt-media "9.0.0" "zip"
-        "sha256-TI7l8sSQ2QUgPqiE3Cu/F67Wna+KHbQS3fuIjOb95ZM=";
-
-      azure-mgmt-web = overrideAzureMgmtPackage super.azure-mgmt-web "7.2.0" "tar.gz"
-        "sha256-78/m9/Ug7Qq8/oZRfhyM8CpxL3N6PbDbfLRsbWR5ge0=";
-
-      azure-mgmt-netapp = overrideAzureMgmtPackage super.azure-mgmt-netapp "10.1.0" "zip"
-        "sha256-eJiWTOCk2C79Jotku9bKlu3vU6H8004hWrX+h76MjQM=";
-
-      azure-mgmt-signalr = overrideAzureMgmtPackage super.azure-mgmt-signalr "2.0.0b2" "tar.gz"
-        "sha256-05PUV8ouAKq/xhGxVEWIzDop0a7WDTV5mGVSC4sv9P4=";
-
-      azure-mgmt-sql = overrideAzureMgmtPackage super.azure-mgmt-sql "4.0.0b12" "tar.gz"
-        "sha256-LJx9cdtqpoHl1pPGYodoA50y8NP4ftbXhY7zohsCPH8=";
-
-      azure-mgmt-sqlvirtualmachine = overrideAzureMgmtPackage super.azure-mgmt-sqlvirtualmachine "1.0.0b5" "zip"
-        "sha256-ZFgJflgynRSxo+B+Vso4eX1JheWlDQjfJ9QmupXypMc=";
-
-      azure-mgmt-synapse = overrideAzureMgmtPackage super.azure-mgmt-synapse "2.1.0b5" "zip"
-        "sha256-5E6Yf1GgNyNVjd+SeFDbhDxnOA6fOAG6oojxtCP4m+k=";
-
-      azure-mgmt-eventhub = overrideAzureMgmtPackage super.azure-mgmt-eventhub "10.1.0" "zip"
-        "sha256-MZqhSBkwypvEefhoEWEPsBUFidWYD7qAX6edcBDDSSA=";
-
-      azure-mgmt-keyvault = overrideAzureMgmtPackage super.azure-mgmt-keyvault "10.3.0" "tar.gz"
-        "sha256-GDtBZM8YaLjqfv6qmO2tfSpOFKm9l3woGLErdRUM0qI=";
-
-      azure-mgmt-applicationinsights = overrideAzureMgmtPackage super.azure-mgmt-applicationinsights "1.0.0" "zip"
-        "sha256-woeix9703hn5LAwxugKGf6xvW433G129qxkoi7RV/Fs=";
-
       azure-mgmt-servicefabric = (overrideAzureMgmtPackage super.azure-mgmt-servicefabric "1.0.0" "zip"
         "sha256-3jXhF5EoMsGp6TEJqNJMq5T1VwOpCHsuscWwZVs7GRM=").overridePythonAttrs (attrs: {
-        propagatedBuildInputs = attrs.propagatedBuildInputs or [ ] ++ [ self.msrest ];
+        propagatedBuildInputs = attrs.propagatedBuildInputs or [ ] ++ [ self.msrest self.msrestazure ];
       });
+      azure-mgmt-servicelinker = overrideAzureMgmtPackage super.azure-mgmt-servicelinker "1.2.0b1" "zip" "sha256-RK1Q51Q0wAG55oKrFmv65/2AUKl+gRdp27t/EcuMONk=";
+      azure-mgmt-signalr = overrideAzureMgmtPackage super.azure-mgmt-signalr "2.0.0b1" "tar.gz" "sha256-oK2ceBEoQ7gAeG6mye+x8HPzQU9bUNRPVJtRW2GL4xg=";
+      azure-mgmt-sql = overrideAzureMgmtPackage super.azure-mgmt-sql "4.0.0b15" "tar.gz" "sha256-zSrDo3+ftYayOK/gvhf/PQ926e3qExtSj/yDgXC9VqA=";
+      azure-mgmt-sqlvirtualmachine = overrideAzureMgmtPackage super.azure-mgmt-sqlvirtualmachine "1.0.0b5" "zip" "sha256-ZFgJflgynRSxo+B+Vso4eX1JheWlDQjfJ9QmupXypMc=";
+      azure-mgmt-storage = overrideAzureMgmtPackage super.azure-mgmt-storage "21.1.0" "tar.gz" "sha256-1tPA6RfJiLye0Eckd9PvP5CIYAnrHZenEZRPg3VjAWI=";
+      azure-mgmt-synapse = overrideAzureMgmtPackage super.azure-mgmt-synapse "2.1.0b5" "zip" "sha256-5E6Yf1GgNyNVjd+SeFDbhDxnOA6fOAG6oojxtCP4m+k=";
+      azure-mgmt-trafficmanager = overrideAzureMgmtPackage super.azure-mgmt-trafficmanager "1.0.0" "zip" "sha256-R0F2HoA0bE7dTLPycTaOqYBj+ATQFeJFwv4EjtK1lqg=";
 
-      azure-mgmt-servicelinker = overrideAzureMgmtPackage super.azure-mgmt-servicelinker "1.2.0b1" "zip"
-        "sha256-RK1Q51Q0wAG55oKrFmv65/2AUKl+gRdp27t/EcuMONk=";
-
-      azure-storage-common = overrideAzureMgmtPackage super.azure-storage-common "1.4.2" "tar.gz"
-        "sha256-Tsh8dTfUV+yVJS4ORkd+LBzPM3dP/v0F2FRGgssK5AE=";
-
-      azure-keyvault-keys = overrideAzureMgmtPackage super.azure-keyvault-keys "4.9.0b3" "tar.gz"
-        "sha256-qoseyf6WqBEG8vPc1hF17K46AWk8Ba8V9KRed4lOlGo=";
-
-      azure-mgmt-datalake-store = overrideAzureMgmtPackage super.azure-mgmt-datalake-store "0.5.0" "zip"
-        "sha256-k3bTVJVmHRn4rMVgT2ewvFlJOxg1u8SA+aGVL5ABekw=";
-
-      azure-mgmt-resource = overrideAzureMgmtPackage super.azure-mgmt-resource "23.1.0b2" "zip"
-        "sha256-kMmiKVwjPgmsTIxxxDRNXE41jSTJkemnKhO+P/OcPZI=";
+      azure-storage-common = overrideAzureMgmtPackage super.azure-storage-common "1.4.2" "tar.gz" "sha256-Tsh8dTfUV+yVJS4ORkd+LBzPM3dP/v0F2FRGgssK5AE=";
+      azure-synapse-accesscontrol = overrideAzureMgmtPackage super.azure-synapse-accesscontrol "0.5.0" "zip" "sha256-g14ySiByqPgkJGRH8EnIRJO9Q6H2usS5FOeMCQiUuwQ=";
+      azure-synapse-spark = overrideAzureMgmtPackage super.azure-synapse-spark "0.2.0" "zip" "sha256-OQ5brhweEIrtN2iP4I5NacdC9t3YUiGIVhhqSs3FMuI=";
     };
   };
 in
diff --git a/pkgs/tools/admin/drawterm/default.nix b/pkgs/tools/admin/drawterm/default.nix
index 3e4c15faf14b..c83b3dfd6597 100644
--- a/pkgs/tools/admin/drawterm/default.nix
+++ b/pkgs/tools/admin/drawterm/default.nix
@@ -19,13 +19,13 @@
 
 stdenv.mkDerivation {
   pname = "drawterm";
-  version = "unstable-2024-02-18";
+  version = "unstable-2024-03-20";
 
   src = fetchFrom9Front {
     owner = "plan9front";
     repo = "drawterm";
-    rev = "bcf1eb425dd4c90a3bfcd004f6aee3854259da78";
-    hash = "sha256-aUQ6ay2ky9NzVUZvWyHc/GqPlCdhGpXTY8GGytJSC6g=";
+    rev = "77b464a5d5648bb646467111b8faf719cd5c46b6";
+    hash = "sha256-3J/Fa3NXxUieEqRcCepGdd0ktxQFKhyY4z8Pvcq94Kw=";
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/tools/admin/pulumi-bin/data.nix b/pkgs/tools/admin/pulumi-bin/data.nix
index 5acba25c0850..fa059873593f 100644
--- a/pkgs/tools/admin/pulumi-bin/data.nix
+++ b/pkgs/tools/admin/pulumi-bin/data.nix
@@ -1,12 +1,12 @@
 # DO NOT EDIT! This file is generated automatically by update.sh
 { }:
 {
-  version = "3.111.0";
+  version = "3.111.1";
   pulumiPkgs = {
     x86_64-linux = [
       {
-        url = "https://get.pulumi.com/releases/sdk/pulumi-v3.111.0-linux-x64.tar.gz";
-        sha256 = "19nlzw60bsysqldzdg9zlxc9qvwzlfa9bn8wvffndg0xndy6ghwh";
+        url = "https://get.pulumi.com/releases/sdk/pulumi-v3.111.1-linux-x64.tar.gz";
+        sha256 = "1hkj2dkpxp2migg1xh3vk42k1yq7y1bhchvkjd3vxbsd86llkwjz";
       }
       {
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-aiven-v6.12.0-linux-amd64.tar.gz";
@@ -29,8 +29,8 @@
         sha256 = "0984gpc5ds1bycvl1jwd3ifl6933vkd32w2mbyn3ik13wzxqm3q0";
       }
       {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-aws-v6.25.1-linux-amd64.tar.gz";
-        sha256 = "1bwp6fxqaxgyhlakci2crk7qiwgymkmih5cnpcvmgxwvdw56ll4q";
+        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-aws-v6.27.0-linux-amd64.tar.gz";
+        sha256 = "0dcyg4d50x5fkzqmnhw7mm8bgcs2zxph6bdjfdq2cxi28nzzg1ac";
       }
       {
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-azuread-v5.47.2-linux-amd64.tar.gz";
@@ -69,8 +69,8 @@
         sha256 = "0hnardid0kbzy65dmn7vz8ddy5hq78nf2871zz6srf2hfyiv7qa4";
       }
       {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-fastly-v8.5.0-linux-amd64.tar.gz";
-        sha256 = "06lzppd2y2qm4gxf54f0s4gps13kk2zv6zmar8lrk31w4sfr06j3";
+        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-fastly-v8.5.1-linux-amd64.tar.gz";
+        sha256 = "0vjd2y8h4m4j7v61wqwzrdgchqpz1nlbrvvrah06k8l9ci2hpml1";
       }
       {
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-gcp-v7.14.0-linux-amd64.tar.gz";
@@ -125,8 +125,8 @@
         sha256 = "1fihr9kilipd3lycl5m0vrf8l8658b1pm8mywsnk5wlksk1bf665";
       }
       {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-spotinst-v3.68.0-linux-amd64.tar.gz";
-        sha256 = "018ynwc7l2xvqq1n64ny3rlv37nzbx1b0c2j1jla7r35a4vjym8f";
+        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-spotinst-v3.69.0-linux-amd64.tar.gz";
+        sha256 = "0qmh81kvqprmp1shml183qc6mdq76p6an7cm0b1qg7zyabg7qbrz";
       }
       {
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-sumologic-v0.20.3-linux-amd64.tar.gz";
@@ -148,23 +148,14 @@
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-venafi-v1.7.0-linux-amd64.tar.gz";
         sha256 = "0w7cgafkz1r55bz8n51v2rqhmmxzrf7ma60awzlfd2apyihghxyp";
       }
-      {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-vsphere-v4.10.0-linux-amd64.tar.gz";
-        sha256 = "0j3g5d94x5hawlrvr2iya4l0lsqjvszkgrgwppna6cn5mqjpx7v0";
-      }
-      {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-wavefront-v3.1.1-linux-amd64.tar.gz";
-        sha256 = "0ghxcipyz6j3fmawi5bpkz1mdpcdg046nib2w90r26dbidi4l3f3";
-      }
-      {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-yandex-v0.13.0-linux-amd64.tar.gz";
-        sha256 = "14qsnjafhd8ppachxr7j9541p5rbf1cakqlr7mra86fli1r49z9p";
-      }
+      # pulumi-resource-vsphere skipped (does not exist on remote)
+      # pulumi-resource-wavefront skipped (does not exist on remote)
+      # pulumi-resource-yandex skipped (does not exist on remote)
     ];
     x86_64-darwin = [
       {
-        url = "https://get.pulumi.com/releases/sdk/pulumi-v3.111.0-darwin-x64.tar.gz";
-        sha256 = "0z6bcdsm48cw0q6p3jrcbd920kwq56h81hd4qzf1akr5b0fqs8qk";
+        url = "https://get.pulumi.com/releases/sdk/pulumi-v3.111.1-darwin-x64.tar.gz";
+        sha256 = "0vqwgx29z4rpmlxjqjxaixhijha6si0y01ibnr4wiwmm4y6ls578";
       }
       {
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-aiven-v6.12.0-darwin-amd64.tar.gz";
@@ -187,8 +178,8 @@
         sha256 = "0369vlly2x6sl59b4qha55yhhyjjpx38vlkmsbbqzla3da7zabf0";
       }
       {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-aws-v6.25.1-darwin-amd64.tar.gz";
-        sha256 = "1dhykjnvn1qr65nmbdafxl1q3vqfqc152x540syf5v3avcf0kqdb";
+        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-aws-v6.27.0-darwin-amd64.tar.gz";
+        sha256 = "0xx4yw5zl4lnswnz4w4qrxgdiy400c8p7bsr1rqz1zmc9bqm43ng";
       }
       {
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-azuread-v5.47.2-darwin-amd64.tar.gz";
@@ -227,8 +218,8 @@
         sha256 = "1m5lh59h7nck1flzxs9m4n0ag0klk3jmnpf7hc509vffxs89xnjq";
       }
       {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-fastly-v8.5.0-darwin-amd64.tar.gz";
-        sha256 = "0ibabyyk92v4cx7h6bckbb6yqp25b68z3s34ri2ci3q595f1mr84";
+        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-fastly-v8.5.1-darwin-amd64.tar.gz";
+        sha256 = "1c5wf2ksp7f02x82swjd7gq1d072j4zsyiyllrrazyvv8310zyig";
       }
       {
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-gcp-v7.14.0-darwin-amd64.tar.gz";
@@ -283,8 +274,8 @@
         sha256 = "0n0yd8hg10qfxvb6y5hci60n3520w5pidjzw43ih35dj84f0y23s";
       }
       {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-spotinst-v3.68.0-darwin-amd64.tar.gz";
-        sha256 = "1jy9ybxsplz7zapw56l0g11sfdzjf6xg1q7cj4js95fvisd2y0a4";
+        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-spotinst-v3.69.0-darwin-amd64.tar.gz";
+        sha256 = "0mjcsgcwb8mqy5si5kj8l96ig6ccjwfplmr8kwrg22bj7g7vidlz";
       }
       {
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-sumologic-v0.20.3-darwin-amd64.tar.gz";
@@ -306,23 +297,14 @@
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-venafi-v1.7.0-darwin-amd64.tar.gz";
         sha256 = "1pvbcyw1l2b27hn48klc2fj3is2y3z1dj90ac4kkqi2ag4xj45vx";
       }
-      {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-vsphere-v4.10.0-darwin-amd64.tar.gz";
-        sha256 = "0yfk80y2dm0rk06q5m5sc159gryxbxp1gmbi4iwjcrpdra6vbm9v";
-      }
-      {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-wavefront-v3.1.1-darwin-amd64.tar.gz";
-        sha256 = "1lypf3yisnf19ygkjy6fmdbzf4i4mi5jzq7yc16hrg3aq2g75rr5";
-      }
-      {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-yandex-v0.13.0-darwin-amd64.tar.gz";
-        sha256 = "11wm9c125154brisncm9cgb41nbjl9q9h4bq6z0ym8v681qq0fc4";
-      }
+      # pulumi-resource-vsphere skipped (does not exist on remote)
+      # pulumi-resource-wavefront skipped (does not exist on remote)
+      # pulumi-resource-yandex skipped (does not exist on remote)
     ];
     aarch64-linux = [
       {
-        url = "https://get.pulumi.com/releases/sdk/pulumi-v3.111.0-linux-arm64.tar.gz";
-        sha256 = "0vgaqm6ap02640yf6a8ycbb2an3ymamgrzl6x1bj3ykk13x7ri2p";
+        url = "https://get.pulumi.com/releases/sdk/pulumi-v3.111.1-linux-arm64.tar.gz";
+        sha256 = "0nahz89vw9gkgszdcv9v9d658x43jzvk547kq6jpsgnzjligf41q";
       }
       {
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-aiven-v6.12.0-linux-arm64.tar.gz";
@@ -345,8 +327,8 @@
         sha256 = "10iaa1w7a0xbp15hyfl3slksg7rss04jcchws1z3lqddfn5xdcf2";
       }
       {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-aws-v6.25.1-linux-arm64.tar.gz";
-        sha256 = "14ayammjy00d73qgkcdyyryd60yrk6h71vjqakvmbnwndh44hm52";
+        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-aws-v6.27.0-linux-arm64.tar.gz";
+        sha256 = "1v3h9j9bxqnjg8fj4k75p96sglnnkw5jziyfvbzhcbd11fcvaffs";
       }
       {
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-azuread-v5.47.2-linux-arm64.tar.gz";
@@ -385,8 +367,8 @@
         sha256 = "111pia2f5xwkwaqs6p90ri29l5b3ivmahsa1bji4fwyyjyp22h4r";
       }
       {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-fastly-v8.5.0-linux-arm64.tar.gz";
-        sha256 = "14c25p6hfyyxq5cfq1z89gb67ywlr4zwj8lllknwqc7wsnvykllg";
+        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-fastly-v8.5.1-linux-arm64.tar.gz";
+        sha256 = "1cx7b7nxmjng8pff84yf0jhdmnmld5g09a80999ah90p54xy4zww";
       }
       {
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-gcp-v7.14.0-linux-arm64.tar.gz";
@@ -441,8 +423,8 @@
         sha256 = "1ssm84izdqzaymw1w3q9b2lkw35brysii73xhw7dgcazhgagfd1w";
       }
       {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-spotinst-v3.68.0-linux-arm64.tar.gz";
-        sha256 = "1nwm69fblmll2d3hgnl5d98x1xhjl49l5cdc8smldr25i5zp5zj2";
+        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-spotinst-v3.69.0-linux-arm64.tar.gz";
+        sha256 = "0ns90ky01kys22dwhkmb4dwax1gzyr8jclczx1fc5d9xvl5cssiy";
       }
       {
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-sumologic-v0.20.3-linux-arm64.tar.gz";
@@ -464,23 +446,14 @@
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-venafi-v1.7.0-linux-arm64.tar.gz";
         sha256 = "017ff9x7s4yvsrf4ypsyaz934r9jm954080gn5535w1694k96wbn";
       }
-      {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-vsphere-v4.10.0-linux-arm64.tar.gz";
-        sha256 = "0sgrb6h7d5myp1cy4i7fhhx718n4qx83hj561z98y5hvipg16bcx";
-      }
-      {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-wavefront-v3.1.1-linux-arm64.tar.gz";
-        sha256 = "08mxk5rccxsgvjcnfxwzcr8980gkg7mxfrzx3fyvcxmgvf3ykcn8";
-      }
-      {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-yandex-v0.13.0-linux-arm64.tar.gz";
-        sha256 = "0fd3hgvkr3ch2r5hpmi7h70w4hkbjdyc7z534h151pyc5ssxw8bd";
-      }
+      # pulumi-resource-vsphere skipped (does not exist on remote)
+      # pulumi-resource-wavefront skipped (does not exist on remote)
+      # pulumi-resource-yandex skipped (does not exist on remote)
     ];
     aarch64-darwin = [
       {
-        url = "https://get.pulumi.com/releases/sdk/pulumi-v3.111.0-darwin-arm64.tar.gz";
-        sha256 = "13qhv19xr21y6zs6if6gmyvayy0jrcg4kfn1z7zsqhf6j33ibwys";
+        url = "https://get.pulumi.com/releases/sdk/pulumi-v3.111.1-darwin-arm64.tar.gz";
+        sha256 = "0vs7mnp16bc9zj74v2ibn4nsjp43hjqpsdkgx3xhvb021b6lvnh0";
       }
       {
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-aiven-v6.12.0-darwin-arm64.tar.gz";
@@ -503,8 +476,8 @@
         sha256 = "0ja508z0r4gbg2zdyrjb7gq8kn1brrx5q6am5dvwaikqs6i6vxrm";
       }
       {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-aws-v6.25.1-darwin-arm64.tar.gz";
-        sha256 = "0wx39f18qc3yvnzixs7r1lq7lbff3as2xb60ldy3zim2dapy3y37";
+        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-aws-v6.27.0-darwin-arm64.tar.gz";
+        sha256 = "0y0qha8d0dsjnqjaipn6i3csda4cl13zq0mqd8jpda127c3jzzxv";
       }
       {
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-azuread-v5.47.2-darwin-arm64.tar.gz";
@@ -543,8 +516,8 @@
         sha256 = "12bzicm43l7yvh02v5fx3z8v46l9i7a9f677735xi5rjbmd2an4c";
       }
       {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-fastly-v8.5.0-darwin-arm64.tar.gz";
-        sha256 = "1ayyr8kywylv6zvwbzs71mvyldkh8qiki8ca90i34rpjxrv92n2d";
+        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-fastly-v8.5.1-darwin-arm64.tar.gz";
+        sha256 = "18985l0djz592235y2brxncpaky850qyr0xa23aflm07wdh7fc3n";
       }
       {
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-gcp-v7.14.0-darwin-arm64.tar.gz";
@@ -599,8 +572,8 @@
         sha256 = "1qr6qh4323d6n7f56lixdrph5cb5qby4q2f3l8l4l6n8s345v9kr";
       }
       {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-spotinst-v3.68.0-darwin-arm64.tar.gz";
-        sha256 = "120acxnm1lid5spszv8i4vgnk732fch8j3i2qhrdd3k2p86z0a1n";
+        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-spotinst-v3.69.0-darwin-arm64.tar.gz";
+        sha256 = "0rjb8pbxrp0djvjmxqvivd3jyy9r1iflp6i5a7mzad825g7gzczb";
       }
       {
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-sumologic-v0.20.3-darwin-arm64.tar.gz";
@@ -622,18 +595,9 @@
         url = "https://api.pulumi.com/releases/plugins/pulumi-resource-venafi-v1.7.0-darwin-arm64.tar.gz";
         sha256 = "00qq53wirdjm8zqqisad34fzx70m96dwg0dqysz6nqikq620h7dp";
       }
-      {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-vsphere-v4.10.0-darwin-arm64.tar.gz";
-        sha256 = "1562pylmy4i109wwpn0lqb11m3ajwlswn5f76ni0cq4sw0iips4l";
-      }
-      {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-wavefront-v3.1.1-darwin-arm64.tar.gz";
-        sha256 = "09k9px0pm55jf3kxq1xc37li34mdv96sgcg89wmmm7spwl8q48m1";
-      }
-      {
-        url = "https://api.pulumi.com/releases/plugins/pulumi-resource-yandex-v0.13.0-darwin-arm64.tar.gz";
-        sha256 = "1qaccfqw24g862ij2p49m78hnymg0j2nghshszqrg45v0d0qnknm";
-      }
+      # pulumi-resource-vsphere skipped (does not exist on remote)
+      # pulumi-resource-wavefront skipped (does not exist on remote)
+      # pulumi-resource-yandex skipped (does not exist on remote)
     ];
   };
 }
diff --git a/pkgs/tools/misc/SP800-90B_EntropyAssessment/default.nix b/pkgs/tools/misc/SP800-90B_EntropyAssessment/default.nix
index 7647d2b9f0b0..3c18621d712d 100644
--- a/pkgs/tools/misc/SP800-90B_EntropyAssessment/default.nix
+++ b/pkgs/tools/misc/SP800-90B_EntropyAssessment/default.nix
@@ -44,7 +44,7 @@ stdenv.mkDerivation rec {
     homepage = "https://github.com/usnistgov/SP800-90B_EntropyAssessment";
     description = "Implementation of min-entropy assessment methods included in Special Publication 800-90B";
     platforms = lib.platforms.linux;
-    license = lib.licenses.free; #this software uses the NIST software license
+    license = lib.licenses.nistSoftware;
     maintainers = with lib.maintainers; [ orichter thillux ];
   };
 }
diff --git a/pkgs/tools/misc/mise/default.nix b/pkgs/tools/misc/mise/default.nix
index f720edd67db6..b57d4a7797b6 100644
--- a/pkgs/tools/misc/mise/default.nix
+++ b/pkgs/tools/misc/mise/default.nix
@@ -17,16 +17,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "mise";
-  version = "2024.3.2";
+  version = "2024.3.6";
 
   src = fetchFromGitHub {
     owner = "jdx";
     repo = "mise";
     rev = "v${version}";
-    hash = "sha256-o8oYfah5Vveup9qdxl+Uzl+j4Sqoj+C6BA3c5kpofXo=";
+    hash = "sha256-jTfr4lJ/N3jFmeR0sqNr+V8IxOx7t7YyrDVkFDJSQnI=";
   };
 
-  cargoHash = "sha256-c6hN9JuMuUp1jl5wXf4N5S3hzyQeeLKAb56H9cLBAIY=";
+  cargoHash = "sha256-kfoTmXvGpXGTU7G7xEZmSgS721g0KM8hRZZnLg3XErM=";
 
   nativeBuildInputs = [ installShellFiles pkg-config ];
   buildInputs = [ openssl ] ++ lib.optionals stdenv.isDarwin [ Security SystemConfiguration ];
diff --git a/pkgs/tools/misc/opentelemetry-collector/contrib.nix b/pkgs/tools/misc/opentelemetry-collector/contrib.nix
index e928544d240a..bad1051fcc64 100644
--- a/pkgs/tools/misc/opentelemetry-collector/contrib.nix
+++ b/pkgs/tools/misc/opentelemetry-collector/contrib.nix
@@ -8,18 +8,18 @@
 
 buildGoModule rec {
   pname = "opentelemetry-collector-contrib";
-  version = "0.87.0";
+  version = "0.96.0";
 
   src = fetchFromGitHub {
     owner = "open-telemetry";
     repo = "opentelemetry-collector-contrib";
     rev = "v${version}";
-    sha256 = "sha256-b1TCj3aKupqUMQ74O58O5WJfQM9tj1G0ny5YeeilFAM=";
+    sha256 = "sha256-eQau6PcslY/Bzghmndv1lq5fb+Q+x9guouKzLw5sJTg=";
   };
 
   # proxy vendor to avoid hash missmatches between linux and macOS
   proxyVendor = true;
-  vendorHash = "sha256-o/51Z2Zmdza3pNZa0u3j4uG46orE9S7pUsZOXjHKrnI=";
+  vendorHash = "sha256-aMxOu6eCskTlphMjM/CBs0lN6UkLDgSidS9qwlSUUiU=";
 
   # there is a nested go.mod
   sourceRoot = "${src.name}/cmd/otelcontribcol";
@@ -39,11 +39,7 @@ buildGoModule rec {
   # it instead of trusting the global $PATH.
   propagatedBuildInputs = lib.optionals withSystemd [ systemdMinimal ];
 
-  preCheck = "export CGO_ENABLED=1";
-
-  # This test fails on darwin for mysterious reasons.
-  checkFlags = lib.optionals stdenv.isDarwin
-    [ "-skip" "TestDefaultExtensions/memory_ballast" ];
+  doCheck = false;
 
   ldflags = [
     "-s"
diff --git a/pkgs/tools/misc/pspg/default.nix b/pkgs/tools/misc/pspg/default.nix
index 2449fd30171d..47fb6fbbd8dd 100644
--- a/pkgs/tools/misc/pspg/default.nix
+++ b/pkgs/tools/misc/pspg/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "pspg";
-  version = "5.8.1";
+  version = "5.8.2";
 
   src = fetchFromGitHub {
     owner = "okbob";
     repo = pname;
     rev = version;
-    sha256 = "sha256-nsGBBGw66LCwOuNdBjlz6u9RT+BX6iZmZeDY9yJoc+c=";
+    sha256 = "sha256-1mL/UlN7wD0GBYwg0C2eYCB3MtFO2ILd4+A7br+/ovs=";
   };
 
   nativeBuildInputs = [ pkg-config installShellFiles ];
diff --git a/pkgs/tools/networking/nzbget/default.nix b/pkgs/tools/networking/nzbget/default.nix
index 2c698ae6c831..9a57a2e8a3b5 100644
--- a/pkgs/tools/networking/nzbget/default.nix
+++ b/pkgs/tools/networking/nzbget/default.nix
@@ -2,6 +2,7 @@
 , stdenv
 , fetchFromGitHub
 , autoreconfHook
+, boost
 , pkg-config
 , gnutls
 , libgcrypt
@@ -17,18 +18,19 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "nzbget-ng";
-  version = "21.4-rc2";
+  version = "23.0";
 
   src = fetchFromGitHub {
-    owner = "nzbget-ng";
+    owner = "nzbgetcom";
     repo = "nzbget";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-JJML5mtAog5xC7DkthCtoyn5QeC2Z+fdzSuEa/Te0Ew=";
+    hash = "sha256-JqC82zpsIqRYB7128gTSOQMWJFR/t63NJXlPgGqP0jE=";
   };
 
   nativeBuildInputs = [ autoreconfHook pkg-config ];
 
   buildInputs = [
+    boost
     gnutls
     libgcrypt
     libpar2
@@ -49,11 +51,11 @@ stdenv.mkDerivation (finalAttrs: {
   passthru.tests = { inherit (nixosTests) nzbget; };
 
   meta = with lib; {
-    homepage = "https://nzbget-ng.github.io/";
-    changelog = "https://github.com/nzbget-ng/nzbget/releases/tag/v${finalAttrs.version}";
+    homepage = "https://nzbget.com/";
+    changelog = "https://github.com/nzbgetcom/nzbget/releases/tag/v${finalAttrs.version}";
     license = licenses.gpl2Plus;
     description = "A command line tool for downloading files from news servers";
-    maintainers = with maintainers; [ pSub ];
+    maintainers = with maintainers; [ pSub devusb ];
     platforms = with platforms; unix;
     mainProgram = "nzbget";
   };
diff --git a/pkgs/tools/networking/sockdump/default.nix b/pkgs/tools/networking/sockdump/default.nix
index daedb3a7cbcc..98e88d0d6f83 100644
--- a/pkgs/tools/networking/sockdump/default.nix
+++ b/pkgs/tools/networking/sockdump/default.nix
@@ -2,13 +2,13 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "sockdump";
-  version = "unstable-2023-09-16";
+  version = "unstable-2023-12-11";
 
   src = fetchFromGitHub {
     owner = "mechpen";
     repo = pname;
-    rev = "713759e383366feae76863881e851a6411c73b68";
-    hash = "sha256-q6jdwFhl2G9o2C0BVU6Xz7xizO00yaSQ2KSR/z4fixY=";
+    rev = "d40ec77e960d021861220bc14a273c5dcad13160";
+    hash = "sha256-FLK1rgWvIoFGv/6+DtDhZGeOZrn7V1jYNS3S8qwL/dc=";
   };
 
   propagatedBuildInputs = [ bcc ];
@@ -21,6 +21,6 @@ python3.pkgs.buildPythonApplication rec {
     description = "Dump unix domain socket traffic with bpf";
     mainProgram = "sockdump";
     license = lib.licenses.unlicense;
-    maintainers = with lib.maintainers; [ ehmry ];
+    maintainers = with lib.maintainers; [ ehmry picnoir ];
   };
 }
diff --git a/pkgs/tools/security/cdxgen/default.nix b/pkgs/tools/security/cdxgen/default.nix
index f624b10952fc..351fee2ff2af 100644
--- a/pkgs/tools/security/cdxgen/default.nix
+++ b/pkgs/tools/security/cdxgen/default.nix
@@ -5,16 +5,16 @@
 
 buildNpmPackage rec {
   pname = "cdxgen";
-  version = "10.2.3";
+  version = "10.2.4";
 
   src = fetchFromGitHub {
     owner = "AppThreat";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-C/XTMOFLW2FPPi1Pgx7g5H8jtJlya5LnKmo3oF21yMI=";
+    sha256 = "sha256-fou0BfQfL66Iv+STY0JcRqu22XTgA9nSOse1LJYl3vs=";
   };
 
-  npmDepsHash = "sha256-64dKqV17WvuHjF+n1vCEfpLx6UBNpGkVE+XYi7YswgI=";
+  npmDepsHash = "sha256-ISmNasK44T21HagHKrX1LyCFVm0GF0CsTwIIi3n8h2o=";
 
   dontNpmBuild = true;
 
diff --git a/pkgs/tools/security/cnspec/default.nix b/pkgs/tools/security/cnspec/default.nix
index 9114c52a052a..e01d1155a980 100644
--- a/pkgs/tools/security/cnspec/default.nix
+++ b/pkgs/tools/security/cnspec/default.nix
@@ -5,18 +5,18 @@
 
 buildGoModule rec {
   pname = "cnspec";
-  version = "10.8.0";
+  version = "10.8.2";
 
   src = fetchFromGitHub {
     owner = "mondoohq";
     repo = "cnspec";
     rev = "refs/tags/v${version}";
-    hash = "sha256-EfVbYIGkjH0tHaMgnoyAGw7ZlAPVBlhbKTjryFRBF1A=";
+    hash = "sha256-F38qymDYAV2hc1jKrnyot6rk/vDPAvH+DP/JhucmZkE=";
   };
 
   proxyVendor = true;
 
-  vendorHash = "sha256-xrWGILBxZEoNi4PHG1vixLpOVaW0LRKkTkJsx5mWBns=";
+  vendorHash = "sha256-w8iGRPnYbyNeHZ+cOA6K4GJdsIyES5zC3A70r9BEFuY=";
 
   subPackages = [
     "apps/cnspec"
diff --git a/pkgs/tools/security/dontgo403/default.nix b/pkgs/tools/security/dontgo403/default.nix
index 19bc78f2206c..7fab0dac0425 100644
--- a/pkgs/tools/security/dontgo403/default.nix
+++ b/pkgs/tools/security/dontgo403/default.nix
@@ -5,13 +5,13 @@
 
 buildGoModule rec {
   pname = "dontgo403";
-  version = "1.0.0";
+  version = "1.0.2";
 
   src = fetchFromGitHub {
     owner = "devploit";
     repo = "dontgo403";
     rev = "refs/tags/${version}";
-    hash = "sha256-znmPXue+pzv7vAKnIYsjJQQGMeBETH+ekyVKGz9wRik=";
+    hash = "sha256-qA1i8l2oBQQ5IF8ho3K2k+TAndUTFGwb2NfhyFqfKzU=";
   };
 
   vendorHash = "sha256-IGnTbuaQH8A6aKyahHMd2RyFRh4WxZ3Vx/A9V3uelRg=";
diff --git a/pkgs/tools/security/gotestwaf/default.nix b/pkgs/tools/security/gotestwaf/default.nix
index 5a807b0a08c7..b710d209244c 100644
--- a/pkgs/tools/security/gotestwaf/default.nix
+++ b/pkgs/tools/security/gotestwaf/default.nix
@@ -7,13 +7,13 @@
 
 buildGoModule rec {
   pname = "gotestwaf";
-  version = "0.4.15";
+  version = "0.4.16";
 
   src = fetchFromGitHub {
     owner = "wallarm";
     repo = "gotestwaf";
     rev = "refs/tags/v${version}";
-    hash = "sha256-C5lDiHDSSweUZh83AOv5WIQ4JuC9OiCvpHshgius51k=";
+    hash = "sha256-fMSXnA8ZuyfOQINkWiYwX7NSffsHbdlfDcpfo/hahMY=";
   };
 
   vendorHash = null;
diff --git a/pkgs/tools/system/nvtop/build-nvtop.nix b/pkgs/tools/system/nvtop/build-nvtop.nix
new file mode 100644
index 000000000000..a72ab1ce0dfd
--- /dev/null
+++ b/pkgs/tools/system/nvtop/build-nvtop.nix
@@ -0,0 +1,90 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, gtest
+, cudatoolkit
+, libdrm
+, ncurses
+, testers
+, udev
+, addOpenGLRunpath
+, amd ? false
+, intel ? false
+, msm ? false
+, nvidia ? false
+, apple ? false
+, panfrost ? false
+, panthor ? false
+, ascend ? false
+}:
+
+let
+  drm-postFixup = ''
+    patchelf \
+      --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
+      --set-rpath "${lib.makeLibraryPath [ libdrm ncurses udev ]}" \
+      $out/bin/nvtop
+  '';
+  needDrm = (amd || msm || panfrost || panthor);
+in
+stdenv.mkDerivation (finalAttrs: {
+  pname = "nvtop";
+  version = "3.1.0";
+
+  src = fetchFromGitHub {
+    owner = "Syllo";
+    repo = "nvtop";
+    rev = finalAttrs.version;
+    hash = "sha256-MkkBY2PR6FZnmRMqv9MWqwPWRgixfkUQW5TWJtHEzwA=";
+  };
+
+  cmakeFlags = with lib.strings; [
+    (cmakeBool "BUILD_TESTING" true)
+    (cmakeBool "USE_LIBUDEV_OVER_LIBSYSTEMD" true)
+    (cmakeBool "AMDGPU_SUPPORT" amd)
+    (cmakeBool "NVIDIA_SUPPORT" nvidia)
+    (cmakeBool "INTEL_SUPPORT" intel)
+    (cmakeBool "APPLE_SUPPORT" apple)
+    (cmakeBool "MSM_SUPPORT" msm)
+    (cmakeBool "PANFROST_SUPPORT" panfrost)
+    (cmakeBool "PANTHOR_SUPPORT" panthor)
+    (cmakeBool "ASCEND_SUPPORT" ascend)
+  ];
+  nativeBuildInputs = [ cmake gtest ] ++ lib.optional nvidia addOpenGLRunpath;
+
+  buildInputs = with lib; [ ncurses udev ]
+    ++ optional nvidia cudatoolkit
+    ++ optional needDrm libdrm
+  ;
+
+  # this helps cmake to find <drm.h>
+  env.NIX_CFLAGS_COMPILE = lib.optionalString needDrm "-isystem ${lib.getDev libdrm}/include/libdrm";
+
+  # ordering of fixups is important
+  postFixup = (lib.optionalString needDrm drm-postFixup) + (lib.optionalString nvidia "addOpenGLRunpath $out/bin/nvtop");
+
+  doCheck = true;
+
+  passthru = {
+    tests.version = testers.testVersion {
+      inherit (finalAttrs) version;
+      package = finalAttrs.finalPackage;
+      command = "nvtop --version";
+    };
+  };
+
+  meta = with lib; {
+    description = "A (h)top like task monitor for AMD, Adreno, Intel and NVIDIA GPUs";
+    longDescription = ''
+      Nvtop stands for Neat Videocard TOP, a (h)top like task monitor for AMD, Adreno, Intel and NVIDIA GPUs.
+      It can handle multiple GPUs and print information about them in a htop familiar way.
+    '';
+    homepage = "https://github.com/Syllo/nvtop";
+    changelog = "https://github.com/Syllo/nvtop/releases/tag/${finalAttrs.version}";
+    license = licenses.gpl3Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ willibutz gbtb anthonyroussel ];
+    mainProgram = "nvtop";
+  };
+})
diff --git a/pkgs/tools/system/nvtop/default.nix b/pkgs/tools/system/nvtop/default.nix
index e47291207f08..f6e679b6ffef 100644
--- a/pkgs/tools/system/nvtop/default.nix
+++ b/pkgs/tools/system/nvtop/default.nix
@@ -1,83 +1,18 @@
-{ lib
-, stdenv
-, fetchFromGitHub
-, cmake
-, gtest
-, cudatoolkit
-, libdrm
-, ncurses
-, nvtop
-, testers
-, udev
-, addOpenGLRunpath
-, amd ? true
-, intel ? true
-, msm ? true
-, nvidia ? true
-}:
-
+{ callPackage }:
 let
-  nvidia-postFixup = "addOpenGLRunpath $out/bin/nvtop";
-  libPath = lib.makeLibraryPath [ libdrm ncurses udev ];
-  drm-postFixup = ''
-    patchelf \
-      --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
-      --set-rpath "${libPath}" \
-      $out/bin/nvtop
-  '';
+  # this GPU families are supported "by-default" upstream (see https://github.com/Syllo/nvtop/blob/3a69c2d060298cd6f92cb09db944eded98be1c23/CMakeLists.txt#L81)
+  # coincidentally, these families are also easy to build in nixpkgs at the moment
+  defaultGPUFamilies = [ "amd" "intel" "msm" "nvidia" "panfrost" "panthor" ];
+  # these GPU families are partially supported upstream, they are also tricky to build in nixpkgs
+  # volunteers with specific hardware needed to build and test these package variants
+  additionalGPUFamilies = [ "apple" "ascend" ];
+  defaultSupport = builtins.listToAttrs (builtins.map (gpu: { name = gpu; value = true; }) defaultGPUFamilies);
 in
-stdenv.mkDerivation rec {
-  pname = "nvtop";
-  version = "3.0.2";
-
-  src = fetchFromGitHub {
-    owner = "Syllo";
-    repo = "nvtop";
-    rev = version;
-    hash = "sha256-SHKdjzbc3ZZfOW2p8RLFRKKBfLnO+Z8/bKVxcdLLqxw=";
-  };
-
-  cmakeFlags = with lib; [
-    "-DBUILD_TESTING=ON"
-    "-DUSE_LIBUDEV_OVER_LIBSYSTEMD=ON"
-  ] ++ optional nvidia "-DNVML_INCLUDE_DIRS=${cudatoolkit}/include"
-  ++ optional nvidia "-DNVML_LIBRARIES=${cudatoolkit}/targets/x86_64-linux/lib/stubs/libnvidia-ml.so"
-  ++ optional (!amd) "-DAMDGPU_SUPPORT=OFF"
-  ++ optional (!intel) "-DINTEL_SUPPORT=OFF"
-  ++ optional (!msm) "-DMSM_SUPPORT=OFF"
-  ++ optional (!nvidia) "-DNVIDIA_SUPPORT=OFF"
-  ++ optional (amd || msm) "-DLibdrm_INCLUDE_DIRS=${libdrm}/lib/stubs/libdrm.so.2"
-  ;
-  nativeBuildInputs = [ cmake gtest ] ++ lib.optional nvidia addOpenGLRunpath;
-  buildInputs = with lib; [ ncurses udev ]
-    ++ optional nvidia cudatoolkit
-    ++ optional (amd || msm) libdrm
-  ;
-
-  # ordering of fixups is important
-  postFixup = (lib.optionalString (amd || msm) drm-postFixup) + (lib.optionalString nvidia nvidia-postFixup);
+{
+  full = callPackage ./build-nvtop.nix defaultSupport; #this package supports all default GPU families
+}
+# additional packages with only one specific GPU family support
+// builtins.listToAttrs (builtins.map (gpu: { name = gpu; value = (callPackage ./build-nvtop.nix { "${gpu}" = true; }); }) defaultGPUFamilies)
 
-  doCheck = true;
 
-  passthru = {
-    tests.version = testers.testVersion {
-      inherit version;
-      package = nvtop;
-      command = "nvtop --version";
-    };
-  };
 
-  meta = with lib; {
-    description = "A (h)top like task monitor for AMD, Adreno, Intel and NVIDIA GPUs";
-    longDescription = ''
-      Nvtop stands for Neat Videocard TOP, a (h)top like task monitor for AMD, Adreno, Intel and NVIDIA GPUs.
-      It can handle multiple GPUs and print information about them in a htop familiar way.
-    '';
-    homepage = "https://github.com/Syllo/nvtop";
-    changelog = "https://github.com/Syllo/nvtop/releases/tag/${version}";
-    license = licenses.gpl3Only;
-    platforms = platforms.linux;
-    maintainers = with maintainers; [ willibutz gbtb anthonyroussel ];
-    mainProgram = "nvtop";
-  };
-}
diff --git a/pkgs/tools/text/riffdiff/default.nix b/pkgs/tools/text/riffdiff/default.nix
index a15644d59111..1db7967d0f57 100644
--- a/pkgs/tools/text/riffdiff/default.nix
+++ b/pkgs/tools/text/riffdiff/default.nix
@@ -2,16 +2,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "riffdiff";
-  version = "3.0.1";
+  version = "3.1.0";
 
   src = fetchFromGitHub {
     owner = "walles";
     repo = "riff";
     rev = version;
-    hash = "sha256-MHsbwtoiaMBWZi/UHbuhG3VuSSvuQtvxPB9EMMti80A=";
+    hash = "sha256-ASIB7+ZyvMsaRdvJcWT/sR0JLyt4v/gytAIi8Yajlzg=";
   };
 
-  cargoHash = "sha256-pEXGUIrWZGJoYdNoufXEJ+eeIEhm5JhIUlHRisD4qWc=";
+  cargoHash = "sha256-NGTWBlg5xvodK02RtFuCe7KsFm4z2aEpbcx3UqH9G/o=";
 
   meta = with lib; {
     description = "A diff filter highlighting which line parts have changed";
diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix
index 523e94e30c44..560f8fb137c6 100644
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -828,14 +828,21 @@ mapAliases ({
   noto-fonts-extra = noto-fonts; # Added 2023-04-08
   NSPlist = nsplist; # Added 2024-01-05
   nvidia-thrust = throw "nvidia-thrust has been removed because the project was deprecated; use cudaPackages.cuda_cccl";
+  nvtop = lib.warn "nvtop has been renamed to nvtopPackages.full" nvtopPackages.full; # Added 2024-02-25
+  nvtop-amd = lib.warn "nvtop-amd has been renamed to nvtopPackages.amd" nvtopPackages.amd; # Added 2024-02-25
+  nvtop-nvidia = lib.warn "nvtop-nvidia has been renamed to nvtopPackages.nvidia" nvtopPackages.nvidia; # Added 2024-02-25
+  nvtop-intel = lib.warn "nvtop-intel has been renamed to nvtopPackages.intel" nvtopPackages.intel; # Added 2024-02-25
+  nvtop-msm = lib.warn "nvtop-msm has been renamed to nvtopPackages.msm" nvtopPackages.msm; # Added 2024-02-25
 
   ### O ###
 
   o = orbiton; # Added 2023-04-09
   oathToolkit = oath-toolkit; # Added 2022-04-04
   oauth2_proxy = oauth2-proxy; # Added 2021-04-18
+  obinskit = throw "'obinskit' has been removed from nixpkgs, because the package was unmaintained and depended on an insecure version of electron"; # Added 2024-03-20
   octant = throw "octant has been dropped due to being archived and vulnerable"; # Added 2023-09-29
   octant-desktop = throw "octant-desktop has been dropped due to being archived and vulnerable"; # Added 2023-09-29
+  octorpki = throw "octorpki has been removed, upstream says to use rpki-client instead"; # Added 2024-03-19
   ogre1_9 = throw "ogre1_9 has been removed, use ogre instead"; # Added 2023-03-22
   ogre1_10 = throw "ogre1_10 has been removed, use ogre instead"; # Added 2023-07-20
   opa = throw "opa has been removed from nixpkgs as upstream has abandoned the project"; # Added 2023-03-21
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index eeec06253147..969a20b30347 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1861,8 +1861,6 @@ with pkgs;
 
   gofu = callPackage ../applications/misc/gofu { };
 
-  godns = callPackage ../tools/networking/godns { };
-
   godspeed = callPackage ../tools/networking/godspeed { };
 
   goodhosts = callPackage ../tools/networking/goodhosts { };
@@ -6119,8 +6117,6 @@ with pkgs;
   optar = callPackage ../tools/graphics/optar { };
 
 
-  obinskit = callPackage ../applications/misc/obinskit { };
-
   ockam = callPackage ../tools/networking/ockam {
     inherit (darwin.apple_sdk.frameworks) Security;
   };
@@ -7724,8 +7720,6 @@ with pkgs;
 
   sonobuoy = callPackage ../applications/networking/cluster/sonobuoy { };
 
-  soupault = callPackage ../tools/typesetting/soupault { };
-
   stratisd = callPackage ../tools/filesystems/stratisd { };
 
   stratis-cli = callPackage ../tools/filesystems/stratis-cli { };
@@ -10690,6 +10684,8 @@ with pkgs;
     inherit (python3Packages) mako;
   };
 
+  marimo = with python3Packages; toPythonApplication marimo;
+
   marktext = callPackage ../applications/misc/marktext { };
 
   mars-mips = callPackage ../development/tools/mars-mips { };
@@ -23899,31 +23895,7 @@ with pkgs;
 
   nvitop = callPackage ../tools/system/nvitop { };
 
-  nvtop = callPackage ../tools/system/nvtop { };
-  nvtop-amd = (callPackage ../tools/system/nvtop {
-    amd = true;
-    intel = false;
-    msm = false;
-    nvidia = false;
-  }).overrideAttrs { pname = "nvtop-amd"; };
-  nvtop-intel = (callPackage ../tools/system/nvtop {
-    amd = false;
-    intel = true;
-    msm = false;
-    nvidia = false;
-  }).overrideAttrs { pname = "nvtop-intel"; };
-  nvtop-msm = (callPackage ../tools/system/nvtop {
-    amd = false;
-    intel = false;
-    msm = true;
-    nvidia = false;
-  }).overrideAttrs { pname = "nvtop-msm"; };
-  nvtop-nvidia = (callPackage ../tools/system/nvtop {
-    amd = false;
-    intel = false;
-    msm = false;
-    nvidia = true;
-  }).overrideAttrs { pname = "nvtop-nvidia"; };
+  nvtopPackages = recurseIntoAttrs (import ../tools/system/nvtop { inherit callPackage; });
 
   ocl-icd = callPackage ../development/libraries/ocl-icd { };
 
@@ -26977,8 +26949,6 @@ with pkgs;
 
   sipwitch = callPackage ../servers/sip/sipwitch { };
 
-  slimserver = callPackage ../servers/slimserver { };
-
   smcroute = callPackage ../servers/smcroute { };
 
   snipe-it = callPackage ../by-name/sn/snipe-it/package.nix {
@@ -27382,8 +27352,6 @@ with pkgs;
 
   disk_indicator = callPackage ../os-specific/linux/disk-indicator { };
 
-  displaycal = callPackage ../applications/graphics/displaycal { };
-
   displaylink = callPackage ../os-specific/linux/displaylink {
     inherit (linuxPackages) evdi;
   };
@@ -28657,6 +28625,8 @@ with pkgs;
 
   android-udev-rules = callPackage ../os-specific/linux/android-udev-rules { };
 
+  andromeda-gtk-theme = libsForQt5.callPackage ../data/themes/andromeda-gtk-theme { };
+
   ankacoder = callPackage ../data/fonts/ankacoder { };
   ankacoder-condensed = callPackage ../data/fonts/ankacoder/condensed.nix { };
 
@@ -28845,8 +28815,6 @@ with pkgs;
 
   commit-mono = callPackage ../data/fonts/commit-mono { };
 
-  conway_polynomials = callPackage ../data/misc/conway_polynomials { };
-
   cooper-hewitt = callPackage ../data/fonts/cooper-hewitt { };
 
   d2coding = callPackage ../data/fonts/d2coding { };
@@ -30775,7 +30743,9 @@ with pkgs;
 
   drawing = callPackage ../applications/graphics/drawing { };
 
-  drawio = callPackage ../applications/graphics/drawio { };
+  drawio = callPackage ../applications/graphics/drawio {
+    inherit (darwin) autoSignDarwinBinariesHook;
+  };
   drawio-headless = callPackage ../applications/graphics/drawio/headless.nix { };
 
   drawpile = libsForQt5.callPackage ../applications/graphics/drawpile { };
@@ -32795,9 +32765,7 @@ with pkgs;
 
   kupfer = callPackage ../applications/misc/kupfer { };
 
-  kuro = callPackage ../applications/misc/kuro {
-    electron = electron_22;
-  };
+  kuro = callPackage ../applications/misc/kuro { };
 
   timoni = callPackage ../applications/networking/cluster/timoni { };
 
@@ -39173,8 +39141,6 @@ with pkgs;
 
   jflap = callPackage ../applications/science/engineering/jflap { };
 
-  strictdoc = python3.pkgs.callPackage ../applications/science/engineering/strictdoc { };
-
   ### SCIENCE / ELECTRONICS
 
   adms = callPackage ../applications/science/electronics/adms { };
@@ -40298,10 +40264,6 @@ with pkgs;
     jre = openjdk19; # TODO: remove override https://github.com/NixOS/nixpkgs/pull/89731
   });
 
-  owmods-cli = callPackage ../applications/misc/owmods-cli {
-    inherit (darwin.apple_sdk.frameworks) Security;
-  };
-
   r128gain = callPackage ../applications/audio/r128gain { };
 
   resp-app = libsForQt5.callPackage ../applications/misc/resp-app { };
diff --git a/pkgs/top-level/darwin-packages.nix b/pkgs/top-level/darwin-packages.nix
index 8fb08c90f70f..a6c98831eee6 100644
--- a/pkgs/top-level/darwin-packages.nix
+++ b/pkgs/top-level/darwin-packages.nix
@@ -153,9 +153,6 @@ impure-cmds // appleSourcePackages // chooseLibs // {
     propagatedBuildInputs = [ self.signingUtils ];
   } ../os-specific/darwin/signing-utils/auto-sign-hook.sh;
 
-  maloader = callPackage ../os-specific/darwin/maloader {
-  };
-
   insert_dylib = callPackage ../os-specific/darwin/insert_dylib { };
 
   iosSdkPkgs = callPackage ../os-specific/darwin/xcode/sdk-pkgs.nix {
@@ -175,8 +172,6 @@ impure-cmds // appleSourcePackages // chooseLibs // {
     inherit (apple_sdk_11_0.libs) simd;
   };
 
-  opencflite = callPackage ../os-specific/darwin/opencflite { };
-
   openwith = pkgs.darwin.apple_sdk_11_0.callPackage ../os-specific/darwin/openwith {
     inherit (apple_sdk_11_0.frameworks) AppKit Foundation UniformTypeIdentifiers;
   };
diff --git a/pkgs/top-level/kodi-packages.nix b/pkgs/top-level/kodi-packages.nix
index 09ec68b592f8..634b02917b55 100644
--- a/pkgs/top-level/kodi-packages.nix
+++ b/pkgs/top-level/kodi-packages.nix
@@ -79,6 +79,8 @@ let
 
     libretro-snes9x = callPackage ../applications/video/kodi/addons/libretro-snes9x { inherit snes9x; };
 
+    jellycon = callPackage ../applications/video/kodi/addons/jellycon { };
+
     jellyfin = callPackage ../applications/video/kodi/addons/jellyfin { };
 
     joystick = callPackage ../applications/video/kodi/addons/joystick { };
diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix
index 718153801014..2594ee3f2b83 100644
--- a/pkgs/top-level/perl-packages.nix
+++ b/pkgs/top-level/perl-packages.nix
@@ -9463,10 +9463,10 @@ with self; {
 
   FFICStat = buildPerlPackage {
     pname = "FFI-C-Stat";
-    version = "0.02";
+    version = "0.03";
     src = fetchurl {
-      url = "mirror://cpan/authors/id/P/PL/PLICEASE/FFI-C-Stat-0.02.tar.gz";
-      hash = "sha256-ThXY9vn5hAfGUtnTE7URUHcTkgGOBx18GShDrILBvlk=";
+      url = "mirror://cpan/authors/id/P/PL/PLICEASE/FFI-C-Stat-0.03.tar.gz";
+      hash = "sha256-YOjveCyLs0cFXJ49ov1BTzX2EP5P77eNBzncyiQoQx4=";
     };
     buildInputs = [ Filechdir PathTiny Test2Suite TestScript ];
     propagatedBuildInputs = [ FFIPlatypus RefUtil ];
@@ -13205,40 +13205,7 @@ with self; {
     };
   };
 
-  ImageExifTool = buildPerlPackage rec {
-    pname = "Image-ExifTool";
-    version = "12.70";
-
-    src = fetchurl {
-      url = "https://exiftool.org/Image-ExifTool-${version}.tar.gz";
-      hash = "sha256-TLJSJEXMPj870TkExq6uraX8Wl4kmNerrSlX3LQsr/4=";
-    };
-
-    nativeBuildInputs = lib.optional stdenv.isDarwin shortenPerlShebang;
-    postInstall = lib.optionalString stdenv.isDarwin ''
-      shortenPerlShebang $out/bin/exiftool
-    '';
-
-    meta = {
-      description = "A tool to read, write and edit EXIF meta information";
-      longDescription = ''
-        ExifTool is a platform-independent Perl library plus a command-line
-        application for reading, writing and editing meta information in a wide
-        variety of files. ExifTool supports many different metadata formats
-        including EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop
-        IRB, FlashPix, AFCP and ID3, as well as the maker notes of many digital
-        cameras by Canon, Casio, DJI, FLIR, FujiFilm, GE, GoPro, HP,
-        JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Motorola, Nikon,
-        Nintendo, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Phase One,
-        Reconyx, Ricoh, Samsung, Sanyo, Sigma/Foveon and Sony.
-      '';
-      homepage = "https://exiftool.org/";
-      changelog = "https://exiftool.org/history.html";
-      license = with lib.licenses; [ gpl1Plus /* or */ artistic2 ];
-      maintainers = with maintainers; [ kiloreux anthonyroussel ];
-      mainProgram = "exiftool";
-    };
-  };
+  ImageExifTool = callPackage ../development/perl-modules/ImageExifTool { };
 
   Inline = buildPerlPackage {
     pname = "Inline";
@@ -19814,10 +19781,10 @@ with self; {
 
   ParallelLoops = buildPerlPackage {
     pname = "Parallel-Loops";
-    version = "0.10";
+    version = "0.12";
     src = fetchurl {
-      url = "mirror://cpan/authors/id/P/PM/PMORCH/Parallel-Loops-0.10.tar.gz";
-      hash = "sha256-b5Z7RuejY7FocbmZHDWeFC3Dsigc/psa85kEcEyL0qo=";
+      url = "mirror://cpan/authors/id/P/PM/PMORCH/Parallel-Loops-0.12.tar.gz";
+      hash = "sha256-tmyP4v1RmHPIp7atHRoE3yAmkSJZteKKQeUdnJsVQVA=";
     };
     propagatedBuildInputs = [ ParallelForkManager ];
     meta = {
diff --git a/pkgs/top-level/python-aliases.nix b/pkgs/top-level/python-aliases.nix
index 96fccb3f3ecc..fed4bac69f27 100644
--- a/pkgs/top-level/python-aliases.nix
+++ b/pkgs/top-level/python-aliases.nix
@@ -501,6 +501,7 @@ mapAliases ({
   thumborPexif = throw "thumborPexif has been removed, because it was unused."; # added 2024-01-07
   torrent_parser = torrent-parser; # added 2023-11-04
   transip = throw "transip has been removed because it is no longer maintained. TransIP SOAP V5 API was marked as deprecated"; # added 2023-02-27
+  py-tree-sitter = throw "Was merged with tree-sitter."; # added 2024-03-20
   trezor_agent = trezor-agent; # Added 2024-01-07
   tumpa = throw "tumpa was promoted to a top-level attribute"; # added 2022-11-19
   tvdb_api = tvdb-api; # added 2023-10-20
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 6e54f1468353..f1e6cb7aec89 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -1955,6 +1955,8 @@ self: super: with self; {
 
   connio = callPackage ../development/python-modules/connio { };
 
+  conway-polynomials = callPackage ../development/python-modules/conway-polynomials {};
+
   correctionlib = callPackage ../development/python-modules/correctionlib { };
 
   coqpit = callPackage ../development/python-modules/coqpit { };
@@ -6999,6 +7001,8 @@ self: super: with self; {
 
   mariadb = callPackage ../development/python-modules/mariadb { };
 
+  marimo = callPackage ../development/python-modules/marimo { };
+
   marisa = callPackage ../development/python-modules/marisa {
     inherit (pkgs) marisa;
   };
@@ -8847,6 +8851,8 @@ self: super: with self; {
 
   oletools = callPackage ../development/python-modules/oletools { };
 
+  ollama = callPackage ../development/python-modules/ollama { };
+
   omegaconf = callPackage ../development/python-modules/omegaconf { };
 
   omemo-dr = callPackage ../development/python-modules/omemo-dr { };
@@ -10301,8 +10307,6 @@ self: super: with self; {
 
   py-tes = callPackage ../development/python-modules/py-tes { };
 
-  py-tree-sitter = callPackage ../development/python-modules/py-tree-sitter { };
-
   py-ubjson = callPackage ../development/python-modules/py-ubjson { };
 
   py-zabbix = callPackage ../development/python-modules/py-zabbix { };