Determinate Nix v3.6.7 includes important security patches, and users should upgrade as soon as possible.
Security contents
This release fixes GHSA-g948-229j-48j3, a vulnerability reported by Snyk’s Security Labs team. The vulnerability allowed a user who could build software with the Nix daemon and coordinate running a program on the host to elevate to root. The upstream Nix project has not yet fully published the security advisory, but we will update this post when they do.
Lazy trees now saves NAR hashes to the flake.lock
Lazy trees now produces flake.lock files with NAR hashes.
Here’s an example command that exhibits this behavior:
nix flake update --commit-lock-file
The previous behavior omitted NAR hashes from the flake.lock, which meant that adopting lazy trees required full buy-in from all users.
Now, you can more confidently enable lazy trees in CI and other workflows without first enabling lazy trees for all users.
You can restore the previous behavior by setting lazy-locks to true.
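As an added example (not part of this post and not Determinate's own tooling), the script below reads a flake.lock and reports inputs whose locked section has no narHash or a malformed one. That is the check to run before handing a lock file produced with lazy trees to users or CI jobs that do not have lazy trees enabled, since those consumers need the NAR hash to verify each input. The embedded lock file, its hash values and the function names are constructed for this example.

```python
import json
import re

# Constructed sample flake.lock (not a real lock file). The "nixpkgs" node
# carries a narHash as this release now writes; "flake-utils" lacks one, as
# older lazy-trees lock files did. Hashes and revs are placeholder values.
SAMPLE_FLAKE_LOCK = json.dumps({
    "nodes": {
        "nixpkgs": {
            "locked": {
                "lastModified": 1700000000,
                "narHash": "sha256-" + "A" * 43 + "=",
                "owner": "NixOS",
                "repo": "nixpkgs",
                "rev": "0" * 40,
                "type": "github",
            },
            "original": {"owner": "NixOS", "ref": "nixos-unstable",
                         "repo": "nixpkgs", "type": "github"},
        },
        "flake-utils": {
            "locked": {
                "lastModified": 1700000001,
                "owner": "numtide",
                "repo": "flake-utils",
                "rev": "1" * 40,
                "type": "github",
            },
            "original": {"owner": "numtide", "repo": "flake-utils", "type": "github"},
        },
        "root": {"inputs": {"nixpkgs": "nixpkgs", "flake-utils": "flake-utils"}},
    },
    "root": "root",
    "version": 7,
})

# Nix writes NAR hashes in SRI form: "sha256-" followed by the base64 encoding
# of 32 bytes, which is 43 characters plus one "=" of padding.
NAR_HASH_RE = re.compile(r"^sha256-[A-Za-z0-9+/]{43}=$")


def audit_flake_lock(lock_text: str) -> dict:
    """Return which input nodes lack a narHash or carry a malformed one."""
    lock = json.loads(lock_text)
    nodes = lock["nodes"]
    root = lock.get("root", "root")
    missing, malformed = [], []
    for name, node in nodes.items():
        if name == root:
            continue  # the root node only lists inputs; nothing is locked there
        nar_hash = node.get("locked", {}).get("narHash")
        if nar_hash is None:
            missing.append(name)
        elif not NAR_HASH_RE.match(nar_hash):
            malformed.append(name)
    return {"missing": sorted(missing), "malformed": sorted(malformed),
            "total": len(nodes) - 1}


def lock_is_portable(lock_text: str) -> bool:
    """True when every locked input has a well-formed narHash, i.e. the lock is
    usable by Nix installations that do not have lazy trees enabled."""
    report = audit_flake_lock(lock_text)
    return not report["missing"] and not report["malformed"]


if __name__ == "__main__":
    import sys
    # Audit the file named on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FLAKE_LOCK
    report = audit_flake_lock(text)
    for name in report["missing"]:
        print(f"input {name!r}: no narHash in its locked section")
    for name in report["malformed"]:
        print(f"input {name!r}: narHash is not an SRI sha256 value")
    print(f"{report['total']} locked input(s) checked")
    sys.exit(0 if lock_is_portable(text) else 1)
```

Run it against a repository's flake.lock in CI and fail the job on a non-zero exit; a lock that passes can be consumed by users regardless of whether they have enabled lazy trees.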
Relevant pull request
Improved caching with impure evaluation and lazy trees
Users have reported less effective caching when combining lazy trees with impure evaluation. This release improves caching in that configuration and should help substantially.
Relevant pull request
Lazy trees on its way to general availability
We have laid the groundwork to move lazy trees from feature preview into general availability. For the next phase in this process, we will start progressively enabling lazy trees for users.
If you’d like to opt out, please contact support@determinate.systems.
You can see whether you’re enrolled in lazy trees using the determinate-nixd version command:
determinate-nixd version
If Determinate Nix is up to date, you should see this:
Determinate Nixd daemon version: 3.6.7
Determinate Nixd client version: 3.6.7
You are running the latest version of Determinate Nix.
The feature lazy-trees is enabled.
How to get Determinate Nix
If you already have Determinate Nix installed, you can upgrade to 3.6.7 with one Determinate Nixd command:
sudo determinate-nixd upgrade
If you don’t yet have Determinate Nix installed, you can install it on macOS using our graphical installer (Apple Silicon and Intel).
On Linux:
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | \
  sh -s -- install --determinate
On NixOS, we recommend using our dedicated NixOS module or our NixOS ISO with Determinate Nix pre-installed.
On GitHub Actions:
on:
  pull_request:
  workflow_dispatch:
  push:
    branches:
      - main

jobs:
  nix-ci:
    runs-on: ubuntu-latest
    # Include this block to log in to FlakeHub and access private flakes
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/determinate-nix-action@v3
      - uses: DeterminateSystems/flakehub-cache-action@main
      - uses: DeterminateSystems/nix-flake-checker-action@main
      - run: nix flake check
In Amazon Web Services:
data "aws_ami" "detsys_nixos" {
  most_recent = true
  owners      = ["535002876703"]

  filter {
    name   = "name"
    values = ["determinate/nixos/epoch-1/*"]
  }

  filter {
    name   = "architecture"
    values = ["x86_64"]
  }
}