From 38f6c71a1855da7b8e4fd000e3b90d43e7034edb Mon Sep 17 00:00:00 2001
From: Leona Maroni
Date: Thu, 15 Jan 2026 20:26:47 +0100
Subject: [PATCH 1/3] paperless-ngx: add patch for GHSA-24x5-wp64-9fcc
https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-24x5-wp64-9fcc
Not-cherry-picked-because: version on stable too old for bump
---
 pkgs/by-name/pa/paperless-ngx/package.nix | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/pkgs/by-name/pa/paperless-ngx/package.nix b/pkgs/by-name/pa/paperless-ngx/package.nix
index 64c3d3c3615cb..1aace6eff7521 100644
--- a/pkgs/by-name/pa/paperless-ngx/package.nix
+++ b/pkgs/by-name/pa/paperless-ngx/package.nix
@@ -3,6 +3,7 @@
 stdenv,
 fetchFromGitHub,
 fetchPypi,
+ fetchpatch,
 node-gyp,
 nodejs_20,
 nixosTests,
@@ -157,6 +158,14 @@ python.pkgs.buildPythonApplication rec {
 inherit version src;
+ patches = [
+ (fetchpatch {
+ name = "GHSA-24x5-wp64-9fcc.patch";
+ url = "https://github.com/paperless-ngx/paperless-ngx/commit/9bdbfd362f4a15f8de109ca959f04e3a7d8a39d0.patch";
+ hash = "sha256-1iiOeWKvBoHFLa1QySkXYTbX5CVF3VQDWno6A/SinCs=";
+ })
+ ];
+
 postPatch = ''
 # pytest-xdist with to many threads makes the tests flaky
 if (( $NIX_BUILD_CORES > 3)); then
From 8a5327cc7a927cd3d19fd7018acf9e20235ffacf Mon Sep 17 00:00:00 2001
From: Leona Maroni
Date: Thu, 15 Jan 2026 20:26:47 +0100
Subject: [PATCH 2/3] paperless-ngx: add patch for GHSA-7cq3-mhxq-w946
https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-7cq3-mhxq-w946
Not-cherry-picked-because: version on stable too old for bump
---
 pkgs/by-name/pa/paperless-ngx/package.nix | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pkgs/by-name/pa/paperless-ngx/package.nix b/pkgs/by-name/pa/paperless-ngx/package.nix
index 1aace6eff7521..3f604949f9834 100644
--- a/pkgs/by-name/pa/paperless-ngx/package.nix
+++ b/pkgs/by-name/pa/paperless-ngx/package.nix
@@ -164,6 +164,11 @@ python.pkgs.buildPythonApplication rec {
 url = "https://github.com/paperless-ngx/paperless-ngx/commit/9bdbfd362f4a15f8de109ca959f04e3a7d8a39d0.patch";
 hash = "sha256-1iiOeWKvBoHFLa1QySkXYTbX5CVF3VQDWno6A/SinCs=";
 })
+ (fetchpatch {
+ name = "GHSA-7cq3-mhxq-w946.patch";
+ url = "https://github.com/paperless-ngx/paperless-ngx/commit/bf38ae98f1ac3bae2c6006888a8705e42fbb804f.patch";
+ hash = "sha256-ATjtB7dmrXk/R+zjc0y2jJkmvVN7Gmqf0aWMRG9EN7I=";
+ })
 ];
 postPatch = ''
@@ -252,6 +257,7 @@ python.pkgs.buildPythonApplication rec {
 pyzbar
 rapidfuzz
 redis
+ regex
 scikit-learn
 setproctitle
 tika-client
From a34a84efc4f18b7b90f4a5e9d8d2d7117102dc9b Mon Sep 17 00:00:00 2001
From: Leona Maroni
Date: Thu, 15 Jan 2026 11:04:03 +0100
Subject: [PATCH 3/3] paperless-ngx: add patch for GHSA-28cf-xvcf-hw6m
https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-28cf-xvcf-hw6m
Not-cherry-picked-because: version on stable too old for bump
---
 pkgs/by-name/pa/paperless-ngx/package.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkgs/by-name/pa/paperless-ngx/package.nix b/pkgs/by-name/pa/paperless-ngx/package.nix
index 3f604949f9834..52413d025d7fb 100644
--- a/pkgs/by-name/pa/paperless-ngx/package.nix
+++ b/pkgs/by-name/pa/paperless-ngx/package.nix
@@ -169,6 +169,11 @@ python.pkgs.buildPythonApplication rec {
 url = "https://github.com/paperless-ngx/paperless-ngx/commit/bf38ae98f1ac3bae2c6006888a8705e42fbb804f.patch";
 hash = "sha256-ATjtB7dmrXk/R+zjc0y2jJkmvVN7Gmqf0aWMRG9EN7I=";
 })
+ (fetchpatch {
+ name = "GHSA-28cf-xvcf-hw6m.patch";
+ url = "https://github.com/paperless-ngx/paperless-ngx/commit/7c457466b76d7a4abeca521043de69d3c1f4eb11.patch";
+ hash = "sha256-t2/3lnhj1eywGiX1zmo7aJ+aOEdTWr0xe7yaFj8NeMs=";
+ })
 ];
 postPatch = ''
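Review bot: The `fetchpatch` entry added in the `@@ -164,6 +164,11 @@` hunk of PATCH 2/3 carries no comment saying when it can be dropped, and the same holds for the entries added in PATCH 1/3 and PATCH 3/3. The advisory ID in `name` identifies the fix, but the removal condition is recorded only in the commit message. I would put a line above each entry such as `# Backport of the upstream fix for GHSA-7cq3-mhxq-w946; drop once version is bumped to a release that contains it.` so that a later version bump does not leave a stale or conflicting patch in the list. The enclosing `buildPythonApplication` call starts and ends outside the hunk.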
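Review bot: The `regex` dependency added in the `@@ -252,6 +257,7 @@` hunk of PATCH 2/3 has nothing tying it to the security patch introduced by the same commit. Presumably the GHSA-7cq3-mhxq-w946 backport imports it; if so, the two changes are coupled and the patched code would break whenever one is dropped without the other. A trailing comment would record that: `regex # needed by GHSA-7cq3-mhxq-w946.patch`. It is also worth confirming that the package's import check or test phase loads the patched module, so a missing dependency is caught at build time rather than at runtime. The dependency list starts and ends outside the hunk.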
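Review bot: `patches` is set on the `buildPythonApplication` derivation, so the three backports reach only what that derivation builds; this applies to the `@@ -169,6 +169,11 @@` hunk of PATCH 3/3 and equally to the entries from PATCH 1/3 and 2/3. `node-gyp` and `nodejs_20` in the argument list suggest the web UI is built from the same `src` elsewhere in the file, which these hunks do not show. If that is the case and any of the upstream commits touches frontend files, that part of the fix would be left out of the built UI without any build failure. Please confirm that each commit changes backend code only and record it next to the list, e.g. `# backend-only fixes; the frontend build needs no patch`.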