Add newer nixpkgs pin for vulnix patch

sd234678 · sd234678 · commit febca0819748 · 2025-10-27T11:48:15.000Z
diff --git a/.last-exported-commit b/.last-exported-commit
@@ -1 +1 @@
-Last exported commit from parent repo: 3aa35de923d0330fdea828dbf7b636f09a8e8832
+Last exported commit from parent repo: e9a0e98cdd842807458a0447c1cfb64e52f1f270
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -15,6 +15,7 @@
   description = "Development infrastructure for nix-bootstrap";
   inputs = {
     nixpkgs-src.url = "nixpkgs/25.05";
+    nixpkgs-src-vulnix.url = "nixpkgs/33d83ff29f05f9b2e30cd05b2f60b02a1fbe8a46";
     pre-commit-hooks-lib = {
       inputs.nixpkgs.follows = "nixpkgs-src";
       url = "github:cachix/pre-commit-hooks.nix";
@@ -24,6 +25,7 @@
   outputs = {
     self,
     nixpkgs-src,
+    nixpkgs-src-vulnix,
     pre-commit-hooks-lib,
     ...
   }: let
@@ -34,6 +36,7 @@
     systemsHelpers.forEachSystem supportedSystems (
       system: let
         nixpkgs = nixpkgs-src.legacyPackages.${system};
+        nixpkgs-vulnix = nixpkgs-src-vulnix.legacyPackages.${system};
         inherit
           (import nix/haskell-env.nix {inherit nixpkgs;})
           baseHaskellPackages
@@ -47,7 +50,8 @@
         '';
         pre-commit-hooks = import nix/pre-commit-hooks.nix {
           inherit nixpkgs pre-commit-hooks-lib system;
-          inherit (nixpkgs) alejandra vulnix;
+          inherit (nixpkgs) alejandra;
+          inherit (nixpkgs-vulnix) vulnix;
           src = ./.;
         };
         extraDevShellArgs = {
@@ -79,7 +83,7 @@
           inherit nix-bootstrap;
           # To be used as tools in CI
           ciPackages_buildBinaryCache = buildBinaryCache;
-          ciPackages_vulnix = nixpkgs.vulnix;
+          ciPackages_vulnix = nixpkgs-vulnix.vulnix;
         };
       }
     );
diff --git a/vulnerability-whitelist.toml b/vulnerability-whitelist.toml
@@ -20,6 +20,10 @@ comment = "One vuln is a DOS; n-b is inherently not vulnerable. The others would
 cve = ["CVE-2023-4039"]
 comment = "Reasonable worst-case is loss of availability; risk acceptable."
 
+["glibc"]
+cve = ["CVE-2025-5702", "CVE-2025-5745"]
+comment = "Reasonable worst-case is loss of availability; risk acceptable."
+
 ["zlib-1.3.1"]
 cve = ["CVE-2023-6992"]
 comment = "We do not call the affected code with untrusted data."

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-Last exported commit from parent repo: 3aa35de923d0330fdea828dbf7b636f09a8e8832`
	`1`	`+Last exported commit from parent repo: e9a0e98cdd842807458a0447c1cfb64e52f1f270`