- OpenSSH has been updated from 9.9p2 to 10.0p2, dropping support for DSA keys and adding a new `ssh-auth` binary to handle user authentication in a different address space from unauthenticated sessions. See the [full changelog](https://www.openwall.com/lists/oss-security/2025/04/09/1) for more details.

- Emacs has been updated to 30.1.
  This introduces some backwards‐incompatible changes; see the NEWS for details.
  NEWS can been viewed from Emacs by typing `C-h n`, or by clicking `Help->Emacs News` from the menu bar.
  It can also be browsed [online](https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30).

- The `intel` video driver for X.org (from the xf86-video-intel package, which was previously removed because it was non-functional) has been fixed and the driver has been re-introduced.

- The default openexr version has been updated to 3.2.4.

- The default PHP version has been updated to 8.4.

- The default Erlang OTP version has been updated to 27.

- The default Elixir version has been updated to 1.18.

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

## Backward Incompatibilities {#sec-nixpkgs-release-25.05-incompatibilities}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- `apptainer` and `singularity` deprecate the workaround of overriding `vendorHash` and related attributes via `<pkg>.override`,
  in favour of the unified overriding of the same group of attributes via `<pkg>.overrideAttrs`.
  The compatibility layer will be removed in future releases.

- `squid` has been updated to version 7, this release includes multiple breaking changes, like ESI removal.
  For more information, [check the release notes](https://github.com/squid-cache/squid/releases/tag/SQUID_7_0_1).

- `postgresql` and `libpq` don't provide `pg_config` by default anymore. Instead, `pg_config` is available via `postgresql.pg_config` or `libpq.pg_config`. This allowed implementing it as a shell script, which can be built for both the build and host systems when cross-compiling. If your build fails to find `pg_config`, add `postgresql.pg_config` or `libpq.pg_config` to `nativeBuildInputs`.

- The [`no-broken-symlinks` hook](https://nixos.org/manual/nixpkgs/unstable/#no-broken-symlinks.sh) was added to catch builds containing dangling or reflexive symlinks, as these are indicative of problems with packaging.
  The hook can be disabled by providing `dontCheckForBrokenSymlinks = true;` as an argument to `mkDerivation`.
  For more information, [check the docs](https://nixos.org/manual/nixpkgs/unstable/#no-broken-symlinks.sh) or [see this PR](https://github.com/NixOS/nixpkgs/pull/370750).

- `gkraken` has been removed. The recommended alternative is `coolercontrol`.

- `opensmtpd-extras` has been deprecated by upstream and is not compatible with
  OpenSMTPD 7.6.0 or later. The package has been removed in favor of a set of new
  `opensmtpd-table-*` packages.

- `postsrsd` upgraded to `>= 2.0.0`, with some different behaviors and
  configuration settings. Notably, it now defaults to listening on a socket
  rather than a port. See [Migrating from version 1.x](https://github.com/roehling/postsrsd/blob/2.0.10/README.rst#migrating-from-version-1x) and [Postfix Setup](https://github.com/roehling/postsrsd?tab=readme-ov-file#postfix-setup) for details.

- `renovate` was updated to v39. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/39.0.0) for breaking changes.
  Like upstream's docker images, renovate now runs on NodeJS 22.

- The hand written `perlPackages.SearchXapian` bindings have been dropped in favor of the (mostly compatible)
  `perlPackages.Xapian`.

- `varnish` was updated from 7.5.0 to 7.7.0, see [Varnish 7.6.0 upgrade guide](https://varnish-cache.org/docs/7.6/whats-new/upgrading-7.6.html) and
[Varnish 7.7.0 upgrade guide](https://varnish-cache.org/docs/7.7/whats-new/upgrading-7.7.html#whatsnew-upgrading-7-7).