# Release 2.21.0 (2024-03-11)

- Fix a fixed-output derivation sandbox escape (CVE-2024-27297)

  Cooperating Nix derivations could send file descriptors to files in the Nix
  store to each other via Unix domain sockets in the abstract namespace. This
  allowed one derivation to modify the output of the other derivation, after Nix
  has registered the path as "valid" and immutable in the Nix database.
  In particular, this allowed the output of fixed-output derivations to be
  modified from their expected content.

  This isn't the case any more.

- CLI options `--arg-from-file` and `--arg-from-stdin` [#10122](https://github.com/NixOS/nix/pull/10122)

  The new CLI option `--arg-from-file` *name* *path* passes the contents
  of file *path* as a string value via the function argument *name* to a
  Nix expression. Similarly, the new option `--arg-from-stdin` *name*
  reads the contents of the string from standard input.

- Concise error printing in `nix repl` [#9928](https://github.com/NixOS/nix/pull/9928)

  Previously, if an element of a list or attribute set threw an error while
  evaluating, `nix repl` would print the entire error (including source location
  information) inline. This output was clumsy and difficult to parse:

  ```
  nix-repl> { err = builtins.throw "uh oh!"; }
  { err = «error:
         … while calling the 'throw' builtin
           at «string»:1:9:
              1| { err = builtins.throw "uh oh!"; }
               |         ^

         error: uh oh!»; }
  ```

  Now, only the error message is displayed, making the output much more readable.
  ```
  nix-repl> { err = builtins.throw "uh oh!"; }
  { err = «error: uh oh!»; }
  ```

  However, if the whole expression being evaluated throws an error, source
  locations and (if applicable) a stack trace are printed, just like you'd expect:

  ```
  nix-repl> builtins.throw "uh oh!"
  error:
         … while calling the 'throw' builtin
           at «string»:1:1:
              1| builtins.throw "uh oh!"
               | ^

         error: uh oh!
  ```

- `--debugger` can now access bindings from `let` expressions [#8827](https://github.com/NixOS/nix/issues/8827) [#9918](https://github.com/NixOS/nix/pull/9918)

  Breakpoints and errors in the bindings of a `let` expression can now access
  those bindings in the debugger. Previously, only the body of `let` expressions
  could access those bindings.

- Enter the `--debugger` when `builtins.trace` is called if `debugger-on-trace` is set [#9914](https://github.com/NixOS/nix/pull/9914)

  If the `debugger-on-trace` option is set and `--debugger` is given,
  `builtins.trace` calls will behave similarly to `builtins.break` and will enter
  the debug REPL. This is useful for determining where warnings are being emitted
  from.

- Debugger prints source position information [#9913](https://github.com/NixOS/nix/pull/9913)

  The `--debugger` now prints source location information, instead of the
  pointers of source location information. Before:

  ```
  nix-repl> :bt
  0: while evaluating the attribute 'python311.pythonForBuild.pkgs'
  0x600001522598
  ```

  After:

  ```
  0: while evaluating the attribute 'python311.pythonForBuild.pkgs'
  /nix/store/hg65h51xnp74ikahns9hyf3py5mlbbqq-source/overrides/default.nix:132:27

     131|
     132|       bootstrappingBase = pkgs.${self.python.pythonAttr}.pythonForBuild.pkgs;
        |                           ^
     133|     in
  ```

- The `--debugger` will start more reliably in `let` expressions and function calls [#6649](https://github.com/NixOS/nix/issues/6649) [#9917](https://github.com/NixOS/nix/pull/9917)

  Previously, if you attempted to evaluate this file with the debugger:

  ```nix
  let
    a = builtins.trace "before inner break" (
      builtins.break "hello"
    );
    b = builtins.trace "before outer break" (
      builtins.break a
    );
  in
    b
  ```

  Nix would correctly enter the debugger at `builtins.break a`, but if you asked
  it to `:continue`, it would skip over the `builtins.break "hello"` expression