Flox 1.12.0 is now available!
Fix for Nix vulnerabilities
This release fixes GHSA-vh5x-56v6-4368 and GHSA-gr92-w2r5-qw5p. For Linux and macOS installations of Flox, GHSA-vh5x-56v6-4368 can allow arbitrary code execution as root. This affects Flox versions >=1.3.12.
Features
The manifest schema was bumped from 1.11.0 to 1.12.0 for the auto-start feature below.
- flox activate automatically starts services when auto-start = true is set in the manifest’s [services] section, and a new --no-start-services flag suppresses this on individual invocations.
- flox publish reports failure-specific error messages for common repository validation issues (missing upstream branch, detached HEAD, SSH/authentication failure, revision not on remote).
- flox publish collects narinfo for build outputs and their full closure from the local Nix store when publishing to a metadata-only catalog. This data is required to build a complete SBOM.
Fixes
- Propagated packages now respect the priority of their parent package in the manifest’s [install] block when activated in “develop” mode.
- Manifest builds no longer fail when source files contain special characters in their filenames.
- FLOX_FLOXHUB_TOKEN is redacted in log files and verbose output.
- flox publish reports a clear error when .flox files are untracked in the build repository, instead of failing with a confusing “could not find environment pointer file” message.
- flox publish honors the keep_tempdir setting when a build fails in an ephemeral directory.
- flox publish no longer hangs polling for publisher confirmation when running against a metadata-only or NixCopy catalog configuration.
- Metadata-only flox publish no longer fails with NoToken when no FloxHub token is configured when using Kerberos Authn.
- flox include upgrade no longer unnecessarily migrates manifests with older but still-supported schema versions, avoiding schema version drift in the lockfile.
Download links and release notes are available here.