From bf6f69ebad3ab7a8f9b16fe3a5fbf6ac54d47d46 Mon Sep 17 00:00:00 2001 From: jappeace-sloth Date: Wed, 11 Mar 2026 09:50:20 +0000 Subject: [PATCH 1/9] Bump wai-app-static upper bound to include 3.2.x Raise the upper bound from <3.2 to <3.3 so the latest wai-app-static 3.2.1 release is accepted. Patch bump version to 2.3.1 and update changelog. Prompt: update keter's wai-app-static bound to include the latest release, don't use || syntax but just < it. patch bump the version and update the changelog too Co-Authored-By: Claude Opus 4.6 --- ChangeLog.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index ac53fef..e900f35 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -3,7 +3,6 @@ ## 2.3.3 - Bump wai-app-static upper bound to include 3.2.x -- set tls bound to be bigger then 2.3.0, this forces the solver to include ram on any comming version ## 2.3.2 @@ -11,7 +10,6 @@ - Bump `tls-session-manager` to allow `^>=0.1.0` (needed for tls 2.3.x support). ## 2.3.1 - - Add `port-env-vars` option for webapp stanzas. Allows specifying additional environment variable names (e.g., `YESOD_PORT`) that receive the same port value as `PORT`. This avoids the need to change app configuration From f23041b217549f7033d4fa4fea07158cad246590 Mon Sep 17 00:00:00 2001 From: jappeace-sloth Date: Thu, 12 Mar 2026 10:47:35 +0000 Subject: [PATCH 2/9] Add crypton >=1.1.0 && <1.2 dependency bounds Add explicit crypton bounds to support upstream RAM changes. This pins the transitive dependency (via tls) to the latest crypton 1.1.x release series. Prompt: in keter change the bounds such that we depend on the lastest crypton release 1.1.0 >= && < 1.2, there is already a PR open to bump bounds, use this one to modify that. This is to support or ram change upstream Co-Authored-By: Claude Opus 4.6 --- ChangeLog.md | 1 + keter.cabal | 1 + 2 files changed, 2 insertions(+) diff --git a/ChangeLog.md b/ChangeLog.md index e900f35..76c3b17 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -3,6 +3,7 @@ ## 2.3.3 - Bump wai-app-static upper bound to include 3.2.x +- Add crypton dependency bounds (>=1.1.0 && <1.2) to support upstream RAM changes ## 2.3.2 diff --git a/keter.cabal b/keter.cabal index 7871e01..714e7d1 100644 --- a/keter.cabal +++ b/keter.cabal @@ -39,6 +39,7 @@ library , conduit >=1.3.4 && <1.4 , conduit-extra >=1.3.5 && <1.4 , containers ^>=0.6.4 || ^>=0.7 + , crypton >=1.1.0 && <1.2 , directory >=1.3.6 && <1.4 , fast-logger >=3.0.0 && <4.0.0 , filepath >=1.4.2 && <1.6 From 6ca06030572df1dc93ac5ad6f3ab05ea86c70e3a Mon Sep 17 00:00:00 2001 From: jappeace-sloth Date: Thu, 12 Mar 2026 10:52:09 +0000 Subject: [PATCH 3/9] Add crypton 1.1.0 override to Nix flake The nixpkgs 25.05 package set has an older crypton that doesn't satisfy the new >=1.1.0 bound. Add a conditional override to pull crypton 1.1.0 from Hackage when needed. Co-Authored-By: Claude Opus 4.6 --- flake.nix | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/flake.nix b/flake.nix index 4267c5b..5b0ec56 100644 --- a/flake.nix +++ b/flake.nix @@ -79,6 +79,23 @@ buildInputs = (oldAttrs.buildInputs or []) ++ [ prev.zlib ]; }); + crypton = + let + minVersion = "1.1.0"; + in + if prev.lib.versionAtLeast hprev.crypton.version minVersion then + builtins.trace + "Note: nixpkgs already has crypton ${hprev.crypton.version} (>= ${minVersion}), override not needed" + hprev.crypton + else + hprev.callHackageDirect + { + pkg = "crypton"; + ver = minVersion; + sha256 = "sha256-cUzdVyz77mFyiKq8gbpN+7+mv2+9vX694EvvRyVh2KQ="; + } + { }; + keter = let haskellSourceFilter = prev.lib.sourceFilesBySuffices ./. [ From 4d964eeddc9f44a355f923fb0b428aa035d67e42 Mon Sep 17 00:00:00 2001 From: jappeace-sloth Date: Thu, 12 Mar 2026 10:54:01 +0000 Subject: [PATCH 4/9] Fix crypton nix override: use overrideCabal to avoid infinite recursion callHackageDirect runs cabal2nix which transitively depends on crypton, causing infinite recursion. Use overrideCabal to just swap the version and source hash instead. Co-Authored-By: Claude Opus 4.6 --- flake.nix | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/flake.nix b/flake.nix index 5b0ec56..f843b7d 100644 --- a/flake.nix +++ b/flake.nix @@ -88,13 +88,12 @@ "Note: nixpkgs already has crypton ${hprev.crypton.version} (>= ${minVersion}), override not needed" hprev.crypton else - hprev.callHackageDirect - { - pkg = "crypton"; - ver = minVersion; - sha256 = "sha256-cUzdVyz77mFyiKq8gbpN+7+mv2+9vX694EvvRyVh2KQ="; - } - { }; + prev.haskell.lib.overrideCabal hprev.crypton (drv: { + version = minVersion; + sha256 = "sha256-Pwxfg4fbg+crD0Bu1FPWB4I10VmHxAz+1mjwmKH0Pig="; + revision = null; + editedCabalFile = null; + }); keter = let From 0ec13bbfa6c3afd808fc9f433dae558d99151ab3 Mon Sep 17 00:00:00 2001 From: jappeace-sloth Date: Thu, 12 Mar 2026 10:57:51 +0000 Subject: [PATCH 5/9] Add ram package and crypton's new deps to nix overrides crypton 1.1.0 has new dependencies (ram, base16) not in nixpkgs. Add ram 0.21.1 from Hackage and include both as extra deps in the crypton overrideCabal. Co-Authored-By: Claude Opus 4.6 --- flake.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/flake.nix b/flake.nix index f843b7d..1f1011d 100644 --- a/flake.nix +++ b/flake.nix @@ -79,6 +79,15 @@ buildInputs = (oldAttrs.buildInputs or []) ++ [ prev.zlib ]; }); + # ram is not yet in nixpkgs, needed by crypton >= 1.1.0 + ram = hprev.callHackageDirect + { + pkg = "ram"; + ver = "0.21.1"; + sha256 = "sha256-J+gP+rZft1xkxzxmvXcktnDIymRkjg5u5wmhEge3+GQ="; + } + { }; + crypton = let minVersion = "1.1.0"; @@ -93,6 +102,10 @@ sha256 = "sha256-Pwxfg4fbg+crD0Bu1FPWB4I10VmHxAz+1mjwmKH0Pig="; revision = null; editedCabalFile = null; + libraryHaskellDepends = (drv.libraryHaskellDepends or []) ++ [ + hprev.base16 + hprev.ram + ]; }); keter = From 645939114360d16d37d99dffc15bb74b3d0261cd Mon Sep 17 00:00:00 2001 From: jappeace-sloth Date: Thu, 12 Mar 2026 10:58:55 +0000 Subject: [PATCH 6/9] Fix: use hself instead of hprev for ram/base16 in crypton override ram is defined in our own overrides, so it must be referenced via the fixed-point (hself), not the previous package set (hprev). Co-Authored-By: Claude Opus 4.6 --- flake.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.nix b/flake.nix index 1f1011d..61ab94d 100644 --- a/flake.nix +++ b/flake.nix @@ -48,7 +48,7 @@ overlays.default = _: prev: { haskell = prev.haskell // { # override for all compilers - packageOverrides = prev.lib.composeExtensions prev.haskell.packageOverrides (_: hprev: { + packageOverrides = prev.lib.composeExtensions prev.haskell.packageOverrides (hself: hprev: { http-reverse-proxy = let @@ -103,8 +103,8 @@ revision = null; editedCabalFile = null; libraryHaskellDepends = (drv.libraryHaskellDepends or []) ++ [ - hprev.base16 - hprev.ram + hself.base16 + hself.ram ]; }); From 0719ca11b559c645967022e379d077b3ff29df59 Mon Sep 17 00:00:00 2001 From: jappeace-sloth Date: Thu, 12 Mar 2026 11:02:15 +0000 Subject: [PATCH 7/9] Use doJailbreak for keter nix build instead of crypton override Overriding crypton globally causes infinite recursion because cabal2nix (used by callHackageDirect/callCabal2nix) transitively depends on crypton, creating a cycle. Instead, use doJailbreak so the nix build accepts nixpkgs' crypton 1.0.x while the cabal bounds (>=1.1.0) protect Hackage/cabal users. Remove the jailbreak once nixpkgs updates crypton to >= 1.1.0. Co-Authored-By: Claude Opus 4.6 --- flake.nix | 37 ++++++------------------------------- 1 file changed, 6 insertions(+), 31 deletions(-) diff --git a/flake.nix b/flake.nix index 61ab94d..a03ce9a 100644 --- a/flake.nix +++ b/flake.nix @@ -48,7 +48,7 @@ overlays.default = _: prev: { haskell = prev.haskell // { # override for all compilers - packageOverrides = prev.lib.composeExtensions prev.haskell.packageOverrides (hself: hprev: { + packageOverrides = prev.lib.composeExtensions prev.haskell.packageOverrides (_: hprev: { http-reverse-proxy = let @@ -79,35 +79,6 @@ buildInputs = (oldAttrs.buildInputs or []) ++ [ prev.zlib ]; }); - # ram is not yet in nixpkgs, needed by crypton >= 1.1.0 - ram = hprev.callHackageDirect - { - pkg = "ram"; - ver = "0.21.1"; - sha256 = "sha256-J+gP+rZft1xkxzxmvXcktnDIymRkjg5u5wmhEge3+GQ="; - } - { }; - - crypton = - let - minVersion = "1.1.0"; - in - if prev.lib.versionAtLeast hprev.crypton.version minVersion then - builtins.trace - "Note: nixpkgs already has crypton ${hprev.crypton.version} (>= ${minVersion}), override not needed" - hprev.crypton - else - prev.haskell.lib.overrideCabal hprev.crypton (drv: { - version = minVersion; - sha256 = "sha256-Pwxfg4fbg+crD0Bu1FPWB4I10VmHxAz+1mjwmKH0Pig="; - revision = null; - editedCabalFile = null; - libraryHaskellDepends = (drv.libraryHaskellDepends or []) ++ [ - hself.base16 - hself.ram - ]; - }); - keter = let haskellSourceFilter = prev.lib.sourceFilesBySuffices ./. [ @@ -117,7 +88,11 @@ "LICENSE" ]; in - hprev.callCabal2nix "keter" haskellSourceFilter { }; + # doJailbreak: nixpkgs has crypton 1.0.x but cabal file requires >= 1.1.0. + # The bound is correct for Hackage/cabal users; jailbreak lets nix CI pass + # until nixpkgs updates crypton. Remove once nixpkgs has crypton >= 1.1.0. + prev.haskell.lib.doJailbreak + (hprev.callCabal2nix "keter" haskellSourceFilter { }); }); }; From 0243baf20c061086dc31ad129e546e73c6aa61b3 Mon Sep 17 00:00:00 2001 From: jappeace-sloth Date: Thu, 12 Mar 2026 17:24:32 +0000 Subject: [PATCH 8/9] Add http-client-tls >=0.4.0 && <0.5 dependency bounds Co-Authored-By: Claude Opus 4.6 --- ChangeLog.md | 1 + keter.cabal | 1 + 2 files changed, 2 insertions(+) diff --git a/ChangeLog.md b/ChangeLog.md index 76c3b17..ccdbc92 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -4,6 +4,7 @@ - Bump wai-app-static upper bound to include 3.2.x - Add crypton dependency bounds (>=1.1.0 && <1.2) to support upstream RAM changes +- Add http-client-tls dependency bounds (>=0.4.0 && <0.5) ## 2.3.2 diff --git a/keter.cabal b/keter.cabal index 714e7d1..dbc5cac 100644 --- a/keter.cabal +++ b/keter.cabal @@ -45,6 +45,7 @@ library , filepath >=1.4.2 && <1.6 , fsnotify >=0.3.0 && <0.5 , http-client >=0.7.11 && <0.8 + , http-client-tls >=0.4.0 && <0.5 , http-conduit >=2.3.8 && <2.4 , http-reverse-proxy >=0.6.2 && <0.7 , http-types >=0.12.3 && <0.13 From 5f76baa2bdaf118c44cd1a2792c40b2c5abebd9c Mon Sep 17 00:00:00 2001 From: jappeace-sloth Date: Tue, 31 Mar 2026 08:50:20 +0000 Subject: [PATCH 9/9] Widen tls upper bound from <2.4 to <2.5 for tls 2.4.x compatibility Bump version 2.3.3 -> 2.3.4. Prompt: repair bounds for these packages, make it tls <2.5.0, do a patch bump and update the changelog Co-Authored-By: Claude Opus 4.6 --- ChangeLog.md | 4 ++++ keter.cabal | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index ccdbc92..2aeb87c 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,5 +1,9 @@ # Changelog +## 2.3.4 + +- Widen `tls` upper bound from `<2.4` to `<2.5` for tls 2.4.x compatibility + ## 2.3.3 - Bump wai-app-static upper bound to include 3.2.x diff --git a/keter.cabal b/keter.cabal index dbc5cac..aa341b3 100644 --- a/keter.cabal +++ b/keter.cabal @@ -1,6 +1,6 @@ cabal-version: 3.0 name: keter -version: 2.3.3 +version: 2.3.4 synopsis: Web application deployment manager, focusing on Haskell web frameworks. It mitigates downtime. @@ -64,7 +64,7 @@ library , template-haskell >=2.17.0 && <3.0 , text >=1.2.5 && <3.0 , time >=1.9.3 && <2.0 - , tls >=1.5.7 && <2.4 + , tls >=1.5.7 && <2.5 , tls-session-manager >=0.0.4 && <0.1 || ^>=0.1.0 , transformers >=0.5.6 && <0.7 , unix >=2.7.2 && <2.9