Fix for Nix vulnerabilities
This release fixes GHSA-vh5x-56v6-4368 and GHSA-gr92-w2r5-qw5p. For Linux and macOS installations of Flox, GHSA-vh5x-56v6-4368 can allow arbitrary code execution as root. This affects Flox versions >=1.3.12.
Features
The manifest schema was bumped from 1.11.0 to 1.12.0 for the auto-start feature below.
- `flox activate` automatically starts services when `auto-start = true` is set in the manifest’s `[services]` section, and a new `--no-start-services` flag suppresses this on individual invocations.
- `flox publish` reports failure-specific error messages for common repository validation issues (missing upstream branch, detached HEAD, SSH/authentication failure, revision not on remote).
- `flox publish` collects narinfo for build outputs and their full closure from the local Nix store when publishing to a metadata-only catalog. This data is required to build a complete SBOM.
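As an added illustration of where the new key sits (this fragment is not from the release notes or the Flox project), a manifest with one service opted in to auto-start and one left to manual start. The `version` line, the `[install]` entry with `pkg-path`, and the `[services.<name>]` table with a `command` key are assumed from the general Flox manifest layout; placing `auto-start` inside each service table is an assumption, and the service names and commands are made up.

```toml
# Added example manifest (not Flox's own). Layout assumed from the general
# Flox manifest format; service names and commands are constructed.
version = 1

[install]
python3.pkg-path = "python3"

[services.web]
command = "python3 -m http.server 8080"
# New with manifest schema 1.12.0: started on every `flox activate`
# unless the activation passes --no-start-services.
auto-start = true

[services.worker]
command = "python3 worker.py"
# auto-start left unset: this service is not started by `flox activate`.
```

With this manifest, a plain `flox activate` starts `web` but not `worker`; `flox activate --no-start-services` starts neither, which is the per-invocation opt-out the release notes describe. Because auto-started services run with the activated environment's privileges, a reviewer would check that any service marked `auto-start = true` is one that is safe to bring up unattended on every activation.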
Fixes
- Propagated packages now respect the priority of their parent package in the manifest’s `[install]` block when activated in “develop” mode.
- Manifest builds no longer fail when source files contain special characters in their filenames.
- `FLOX_FLOXHUB_TOKEN` is redacted in log files and verbose output.
- `flox publish` reports a clear error when `.flox` files are untracked in the build repository, instead of failing with a confusing “could not find environment pointer file” message.
- `flox publish` honors the `keep_tempdir` setting when a build fails in an ephemeral directory.
- `flox publish` no longer hangs polling for publisher confirmation when running against a metadata-only or `NixCopy` catalog configuration.
- Metadata-only `flox publish` no longer fails with `NoToken` when no FloxHub token is configured and Kerberos authentication is in use.
- `flox include upgrade` no longer unnecessarily migrates manifests with older but still-supported schema versions, avoiding schema version drift in the lockfile.
Download links and release notes are available here.