To get started, follow the Getting Started section from the main README.
As an example, to run `nix_outdated` from the `tiiuae/sbomnix` repository:

```bash
# '--' signifies the end of argument list for `nix`.
# '--help' is the first argument to `nix_outdated`
$ nix run github:tiiuae/sbomnix#nix_outdated -- --help
```
We use the Nix package `git` as an example target.
To print the `git` out-path on your local system, try something like:

```bash
$ nix eval -f '<nixpkgs>' 'git.outPath'
"/nix/store/2853v0cidl7jww2hs1mlkg0i372mk368-git-2.39.2"
```
`nix_outdated` is a command line tool to list outdated nix dependencies for a given target nix out path or flakeref. By default, the script outputs runtime dependencies for the given target that appear outdated in the nixpkgs 'nix_unstable' channel: the listed packages would potentially need a PR to update the package in nixpkgs to the package's latest upstream release version, which is given in the output table column 'version_upstream'. The list of output packages is in priority order based on how many other packages depend on the potentially outdated package.
The command below finds `git` runtime dependencies that have an update in the package's upstream repository based on repology, where the latest release version is not available in nix unstable:
```bash
# Target can be specified with flakeref too, e.g.:
# nix_outdated .
# nix_outdated github:tiiuae/sbomnix
# nix_outdated nixpkgs#git
# Ref: https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-flake.html#flake-references
$ nix_outdated /nix/store/2853v0cidl7jww2hs1mlkg0i372mk368-git-2.39.2
INFO Generating SBOM for target '/nix/store/2853v0cidl7jww2hs1mlkg0i372mk368-git-2.39.2'
INFO Loading runtime dependencies referenced by '/nix/store/2853v0cidl7jww2hs1mlkg0i372mk368-git-2.39.2'
INFO Using SBOM '/tmp/nixdeps_uejjwppb.cdx.json'
INFO Running repology_cli
INFO Using repology out: '/tmp/repology_i1ycaa7g.csv'
INFO Running nix-visualize
INFO Using nix-visualize out: '/tmp/nix-visualize_tl6zogfj.csv'
INFO Writing console report
INFO Dependencies that need update in nixpkgs (in priority order based on how many other packages depend on the potentially outdated package):
| priority | nix_package | version_local | version_nixpkgs | version_upstream |
|------------ -------------------- ----------------- ------------------- -----------------------|
| 9 | libidn2 | 2.3.2 | 2.3.2 | 2.3.4 |
| 8 | glibc | 2.35-224 | 2.35-224 | 2.37 |
| 5 | perl:uri | 5.05 | 5.05 | 5.17 |
| 4 | perl:http-message | 6.26 | 6.26 | 6.44 |
| 4 | openssl | 3.0.8 | 3.0.8 | 3.1.0 |
| 3 | perl:html-parser | 3.75 | 3.75 | 3.81 |
| 3 | perl:try-tiny | 0.30 | 0.30 | 0.31 |
| 3 | perl:mozilla-ca | 20200520 | 20200520 | 20221114;20221114.0.0 |
| 2 | perl:digest-hmac | 1.03 | 1.03 | 1.04 |
| 2 | sqlite | 3.40.1 | 3.41.0 | 3.41.1 |
| 2 | perl:fcgi | 0.79 | 0.79 | 0.82 |
| 2 | perl:net-http | 6.19 | 6.19 | 6.22 |
| 2 | perl:io-socket-ssl | 2.068 | 2.068 | 2.081;2.81.0 |
| 2 | perl:file-listing | 6.14 | 6.14 | 6.15 |
| 2 | perl:http-daemon | 6.14 | 6.14 | 6.16 |
| 2 | perl:http-cookies | 6.09 | 6.09 | 6.10;6.10.0 |
| 2 | perl:cgi | 4.51 | 4.51 | 4.56 |
| 2 | nghttp2 | 1.51.0 | 1.51.0 | 1.52.0 |
| 2 | perl:test-fatal | 0.016 | 0.016 | 0.017;0.17.0 |
| 2 | perl:test-needs | 0.002006 | 0.002006 | 0.002010 |
| 1 | perl:libnet | 3.12 | 3.12 | 3.14 |
| 1 | git | 2.39.2 | 2.39.2 | 2.40.0 |
| 1 | gettext | 0.21 | 0.21 | 0.21.1 |
| 1 | perl:libwww-perl | 6.67 | 6.67 | 6.68 |
INFO Wrote: nix_outdated.csv
```
As an example, the first row in the above output table means that:

- `libidn2` in nix unstable is not up-to-date with what repology.org knows is the package's newest upstream version.
- `libidn2` is on the top of the table, as it has the highest priority among the listed outdated packages. The priority is based on how many other packages depend on the given outdated package. This datapoint is based on nix-visualize. The value of the `priority` column is directly the `level` value determined by nix-visualize. For full description of the `level` values, see nix-visualize documentation: https://github.com/craigmbooth/nix-visualize#vertical-positioning.
- `libidn2` local version is 2.3.2.
- `libidn2` newest version in nix unstable is 2.3.2 (based on repology.org).
- `libidn2` newest release version in the package's upstream repository is 2.3.4 (based on repology.org).
- `libidn2` is considered outdated, because the version string in `version_upstream` is later than the version string in `version_nixpkgs`.
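The row reading described above can be automated to triage a report. The following is an added example, not part of sbomnix: it parses console-table rows and separates packages where the local version trails nixpkgs from those where nixpkgs trails upstream. The action labels, the function names and the digits-only version ordering are assumptions made for this sketch.

```python
import re

# Constructed sample: four rows copied from the report table on this page.
REPORT = """\
| priority | nix_package | version_local | version_nixpkgs | version_upstream |
| 9 | libidn2 | 2.3.2 | 2.3.2 | 2.3.4 |
| 4 | openssl | 3.0.8 | 3.0.8 | 3.1.0 |
| 2 | sqlite | 3.40.1 | 3.41.0 | 3.41.1 |
| 2 | perl:io-socket-ssl | 2.068 | 2.068 | 2.081;2.81.0 |
"""

COLS = ("priority", "nix_package", "version_local",
        "version_nixpkgs", "version_upstream")

def vkey(version):
    """Numeric sort key; non-digit parts are ignored (a simplification)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def newest(cell):
    """A cell may hold several ';'-separated spellings; use the highest."""
    return max(cell.split(";"), key=vkey)

def parse_rows(text):
    """Yield dicts for data rows, skipping header, separator and INFO lines."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == len(COLS) and cells[0].isdigit():
            yield dict(zip(COLS, cells))

def triage(text):
    """Return (package, priority, action) tuples, highest priority first."""
    out = []
    for row in parse_rows(text):
        local, pkgs, upstream = (vkey(newest(row[c])) for c in COLS[2:])
        actions = []
        if local < pkgs:       # nixpkgs unstable already has something newer
            actions.append("update-local-pin")
        if pkgs < upstream:    # nixpkgs itself is behind the upstream release
            actions.append("needs-nixpkgs-update")
        if actions:
            out.append((row["nix_package"], int(row["priority"]),
                        "+".join(actions)))
    return sorted(out, key=lambda t: -t[1])

if __name__ == "__main__":
    for pkg, prio, action in triage(REPORT):
        print(f"{prio:>3}  {pkg:<20} {action}")
```

In the sample, `sqlite` is the only row with both actions: its local version 3.40.1 is older than the 3.41.0 in nixpkgs, which in turn is older than upstream 3.41.1.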