[CVE-2021-29427](https://nvd.nist.gov/vuln/detail/CVE-2021-29427), [CVE-2021-29428](https://nvd.nist.gov/vuln/detail/CVE-2021-29428), and [CVE-2021-32751](https://nvd.nist.gov/vuln/detail/CVE-2021-32751).

- `nvimpager` was updated to version 0.13.0, which changes the order of user and
  nvimpager settings: user commands in `-c` and `--cmd` now override the
  respective default settings because they are executed later.

- `javacard-devkit` was dropped due to having a dependency on the Oracle JDK,
  as well as being several years out-of-date.

- Kubernetes `featureGates` have changed from a `listOf str` to `attrsOf bool`.
  This refactor makes it possible to also disable feature gates, without having
  to use `extraOpts` flags.

  A previous configuration may have looked like this:

  ```nix
  {
    featureGates = [ "EphemeralContainers" ];
    extraOpts = pkgs.lib.concatStringsSep " " (
      [
        ''--feature-gates="CSIMigration=false"''
      ]
    );
  }
  ```

  Using an attribute set instead, the new configuration would be:

  ```nix
  {
    featureGates = {
      EphemeralContainers = true;
      CSIMigration=false;
    };
  }
  ```

- `pkgs.nextcloud27` has been removed as it has reached EOL.

- The `environment.noXlibs` option has been removed. It was a common source of unexpected rebuilds and breakage that was often hard to diagnose.
  If you need to disable certain libraries, you're encouraged to add your own overlay to your configuration that targets the packages you care about.

- `frigate` was updated past 0.14.0. This release includes various breaking changes, so please review the [release notes](https://github.com/blakeblackshear/frigate/releases/tag/v0.14.0).
   Most prominently, access to the web interface and API are now protected by authentication. Retrieve the auto-created
   admin account from the `frigate.service` journal after upgrading.

- `nodePackages.coc-python` was dropped, as [its upstream is unmaintained](https://github.com/neoclide/coc-python). The associated `vimPlugins.coc-python` was also dropped.
  The upstream project recommends using `coc-pyright` or `coc-jedi` as replacements.

- `forgejo` has been upgraded from version 7.0 to version 9.0, see the release notes for [8.0](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0) and [9.0](https://codeberg.org/forgejo/forgejo/milestone/7235).

- `services.forgejo.mailerPasswordFile` has been deprecated by the drop-in replacement `services.forgejo.secrets.mailer.PASSWD`,
  which is part of the new free-form `services.forgejo.secrets` option.
  `services.forgejo.secrets` is a small wrapper over systemd's `LoadCredential=`. It has the same structure (sections/keys) as
  `services.forgejo.settings` but takes file paths that will be read before service startup instead of some plaintext value.
  `services.forgejo.package` now defaults to `forgejo-lts`, the Long Term Support version of Forgejo.

- `forgejo` and `forgejo-lts` no longer support the opt-in feature [PAM (Pluggable Authentication Module)](https://forgejo.org/docs/latest/user/authentication/#pam-pluggable-authentication-module).

- `gitea` no longer supports the opt-in feature [PAM (Pluggable Authentication Module)](https://docs.gitea.com/usage/authentication#pam-pluggable-authentication-module).

- `vuze` was removed because it is unmaintained upstream and insecure (CVE-2018-13417).
  BiglyBT is a maintained fork.

- `services.ddclient.use` has been deprecated: `ddclient` now supports separate IPv4 and IPv6 configuration. Use `services.ddclient.usev4` and `services.ddclient.usev6` instead.

- `services.pgbouncer` systemd service is now configured with `Type=notify-reload` and allows reloading configuration without process restart. PgBouncer configuration options were moved to the freeform type option under [`services.pgbouncer.settings`](#opt-services.pgbouncer.settings).

- Docear was removed because it was unmaintained upstream.
  JabRef, Zotero, or Mendeley are potential replacements.