Release 3.17.3 (2026-04-07)

• Based on upstream Nix 2.33.3.

What's Changed

Fix for GHSA-g3g9-5vj6-r3gj: root privilege escalation via the Nix daemon

This release contains a critical fix for a security vulnerability on Linux that allows any user that has access to the Nix daemon to obtain root privileges.
This vulnerability affects all versions of Determinate Nix prior to 3.17.3, and all versions of upstream Nix prior to 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.
All Linux users are advised to upgrade immediately.

For more details, see the upstream advisory GHSA-g3g9-5vj6-r3gj.
Many thanks to edef for reporting this issue and to Sergei Zimmerman for implementing the fix.

Avoiding duplicate source tree downloads

When multiple Nix processes (like nix-eval-jobs instances) fetch the same source tree at the same time, it was previously possible for each process to perform the download independently, resulting in wasteful multiple downloads of the same source tree. Nix now uses a per-source tree lock to ensure that only one process performs the download.

PR: DeterminateSystems/nix-src#410

WAT support in builtins.wasm

builtins.wasm now supports WebAssembly Text Format (WAT) in addition to binary Wasm modules.
This is primarily useful for testing.

PR: DeterminateSystems/nix-src#405

Git shallow fetching

Nix now removes Git's shallow.lock lock file before running git fetch.
This prevents fetches from hanging if Git was previously interrupted.

PR: DeterminateSystems/nix-src#414

Debugging improvements

Certain C++ exceptions that should never happen (like std::logic_error) are now treated as aborts, providing stack traces and core dumps that are easier to debug.

PR: DeterminateSystems/nix-src#407

Bug fixes

• nix develop respects legacyPackages again. DeterminateSystems/nix-src#413

• The lookupPathResolved data structure has been made thread-safe. DeterminateSystems/nix-src#415

Full Changelog: v3.17.2...v3.17.3

Release 3.17.2 (2026-03-27)

• Based on upstream Nix 2.33.3.

What's Changed

Bug fixes

• Cache getLegacyGitAccessor(). DeterminateSystems/nix-src#396
• Don't destroy windowSize mutex. DeterminateSystems/nix-src#397
• When doing concurrent substitutions of the same path, download only once. DeterminateSystems/nix-src#398
• builtins.getFlake: Handle path:<p> where p has a discarded string context. DeterminateSystems/nix-src#402
• Ensure _interruptCallbacks is alive while signalHandlerThread is running. DeterminateSystems/nix-src#403
• Fix assertion failure in nix::BuiltPath::toRealisedPaths(). DeterminateSystems/nix-src#401

Full Changelog: v3.17.1...v3.17.2

Release 3.17.1 (2026-03-18)

• Based on upstream Nix 2.33.3.

What's Changed

Provenance now supports "build-time" provenance tags

Users can now specify key/value tags to attach to a build's provenance.
For example, the nix-installer-action now attaches the following properties to each build:

• github_workflow_ref
• github_workflow_sha
• github_sha
• github_run_attempt
• github_run_id
• github_run_number
• github_job
• github_ref
• github_repository
• github_server_url

PR: DeterminateSystems/nix-src#374

Flake inputs are substituted when possible

Locked flake inputs will be fetched from a binary cache when possible, instead of preferring the authoritative flake source.
This is intended to reduce load on code forges, and also improves the user experience on large flake inputs.

PR: [#380](https://github.com/DeterminateSystems/nix-

nix profile upgrade and nix profile remove now support tab completion

PR: DeterminateSystems/nix-src#382

Flake schemas can now define an output as "legacy"

"Legacy" flakes are intended for legacyPackages on Nixpkgs.
The "legacy" mark is intended to reduce evaluation time due to the extreme size of legacyPackages.
Note: the name "legacy" is not intended as a value judgement, and at this point we're sort of stuck with the name.

Bug fixes

• Fix crash in nix repl loading an invalid WASM file twice. DeterminateSystems/nix-src#378
• nix profile upgrade/remove: Implement tab completion by @edolstra in * Don't crash if SIGINT happens while printing an exception. DeterminateSystems/nix-src#384
• nix-env -i: Wait for the async path writer. DeterminateSystems/nix-src#385

Full Changelog: v3.17.0...v3.17.1

Release 3.17.0 (2026-03-04)

• Based on upstream Nix 2.33.3.

What's Changed

Determinate Nix 3.17.0 brings exciting improvements like Flake Schemas, provenance, and Wasm / WASI.
We'll be posting more details over the next week or so on our blog: https://determinate.systems/blog/.

Full Changelog: v3.16.3...v3.17.0

Release 3.16.3 (2026-02-24)

• Based on upstream Nix 2.33.3.

What's Changed

This release only includes changes in determinate-nixd.

Release 3.16.2 (2026-02-23)

• Based on upstream Nix 2.33.3.

What's Changed

This release is exclusively improvements to determinate-nixd.

Release 3.16.1 (2026-02-22)

• Based on upstream Nix 2.33.3.

What's Changed

nix store info now correctly support --refresh and --offline

Previously, Nix had a hard-coded TTL of seven days.
Determinate Nix moved that TTL to a new setting narinfo-cache-meta-ttl and now nix store info respects the --refresh and --offline flags.

This change makes it possible to freshly validate authenticating to a remote store.

PR: DeterminateSystems/nix-src#355

Corrected builtins.hashString behavior under lazy trees

builtins.hashString now devirtualizes lazy paths, making the hash result stable.

PR: DeterminateSystems/nix-src#360

Full Changelog: v3.16.0...v3.16.1

Release 3.16.0 (2026-02-12)

• Based on upstream Nix 2.33.3.

Support .gitattributes in subdirectories

For performance, the Git backwards compatibility hack was only applied to repositories that had a .gitattributes in the root directory.
However, it is possible to have a .gitattributes file in a subdirectory, and there are real-world repos that do this, so we have dropped that restriction.

PR: DeterminateSystems/nix-src#335

Fix hung downloads when http-connections = 0

When we started limiting the number of active cURL handles in DeterminateSystems/nix-src#315, we did not take into account that http-connections = 0 is a special value that means, roughly "as many connections as possible" (the exact behavior is up to cURL).

This should now be fixed.

PR: DeterminateSystems/nix-src#327

builtins.getFlake now supports relative paths

builtins.getFlake now supports using relative paths, like:

builtins.getFlake ./..

instead of the hacky

builtins.getFlake (builtins.flakeRefToString { type = "path"; path = self.sourceInfo.outPath; narHash = self.narHash; });

Note that allowing builtins.getFlake to fetch from store paths is probably a bad idea, since it's ambiguous when using chroot stores, so a warning will be printed when this is encountered.

PRs:

• DeterminateSystems/nix-src#337
• DeterminateSystems/nix-src#338

Fixed a bug with too many open files

Recently, some users have reported seeing errors like:

error: creating git packfile indexer: failed to create temporary file '/Users/anon/.cache/nix/tarball-cache-v2/objects/pack/pack_git2_56d617039ac17c2b': Too many open files

This should now be fixed.

PR: DeterminateSystems/nix-src#347

Full Changelog: v3.15.2...v3.16.0

Release 3.15.2 (2026-01-20)

• Based on upstream Nix 2.33.1.

What's Changed

Improved performance for users with a lot of dependencies

If you even had the occasion to query your binary cache for over 110,000 store path simultaneously you might have found it rather slow.
Previously, Nix would enqueue all the downloads at once.
This appears to trigger quadratic behavior in curl.

Determinate Nix now enqueues a reasonable number of subtitutions once.
At the same time, we fixed a performance issue in the progress bar with so many dependencies.

PR: DeterminateSystems/nix-src#315

Lazy trees update: path inputs are now lazy

Previously inputs like path:///path/to/a/dependency were eagerly fetched when lazy-trees is enabled.
In Determinate Nix 3.15.2, path input types are also fetched lazily.
This change saves time and improves performance for users with path inputs.

PRs:

• DeterminateSystems/nix-src#312
• DeterminateSystems/nix-src#317

nix repl now reports the Determinate version

A small change, but now nix repl correctly reports the Determinate Nix version:

$ nix repl
Nix (Determinate Nix 3.15.1) 2.33.0
Type :? for help.
nix-repl>

PR: DeterminateSystems/nix-src#316

New Contributors

• @dliberalesso made their first contribution in DeterminateSystems/nix-src#313

Full Changelog: v3.15.1...v3.15.2

Release 3.15.1 (2025-12-24)

• Based on upstream Nix 2.33.0.

What's Changed

Users reported the v3.15.0 tarball could not be fetched in a fixed-output derivation due to current stdenv paths present in the documentation. This release eliminated those paths.

PR: DeterminateSystems/nix-src#306

Additionally, this change re-enables CodeRabbit's code review on our changes. CodeRabit was disabled by the upstream project, and we inadvertently included that change.

PR: DeterminateSystems/nix-src#305

Full Changelog: v3.15.0...v3.15.1