Download Latest Version
v1.12.0 source code.tar.gz (5.4 MB)
Get an email when there's a new version of Flox
| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| README.md | 2026-05-05 | 3.0 kB | |
| v1.12.0 source code.tar.gz | 2026-05-05 | 5.4 MB | |
| v1.12.0 source code.zip | 2026-05-05 | 5.9 MB | |
| Totals: 3 Items | 11.2 MB | 1 | |
Fix for Nix vulnerabilities
This release fixes GHSA-vh5x-56v6-4368 and GHSA-gr92-w2r5-qw5p. For Linux and macOS installations of Flox, GHSA-vh5x-56v6-4368 can allow arbitrary code execution as root. This affects Flox versions >=1.3.12.
Features
The manifest schema was bumped from 1.11.0 to 1.12.0 for the auto-start feature below.
flox activateautomatically starts services whenauto-start = trueis set in the manifest's[services]section, and a new--no-start-servicesflag suppresses this on individual invocations.flox publishreports failure-specific error messages for common repository validation issues (missing upstream branch, detached HEAD, SSH/authentication failure, revision not on remote).flox publishcollects narinfo for build outputs and their full closure from the local Nix store when publishing to a metadata-only catalog. This data is required to build a complete SBOM.
Fixes
- Propagated packages now respect the priority of their parent package in the manifest's
[install]block when activated in "develop" mode. - Manifest builds no longer fail when source files contain special characters in their filenames.
FLOX_FLOXHUB_TOKENis redacted in log files and verbose output.flox publishreports a clear error when.floxfiles are untracked in the build repository, instead of failing with a confusing "could not find environment pointer file" message.flox publishhonors thekeep_tempdirsetting when a build fails in an ephemeral directory.flox publishno longer hangs polling for publisher confirmation when running against a metadata-only orNixCopycatalog configuration.- Metadata-only
flox publishno longer fails withNoTokenwhen no FloxHub token is configured when using Kerberos Authn. flox include upgradeno longer unnecessarily migrates manifests with older but still-supported schema versions, avoiding schema version drift in the lockfile.
Download Links
- DEB (x86_64-linux)
- DEB (aarch64-linux)
- RPM (x86_64-linux)
- RPM (aarch64-linux)
- OSX (x86_64-darwin)
- OSX (aarch64-darwin)
[!NOTE] You can find the SHA256 checksums for Flox 1.12.0 and SHA512 checksums for Flox 1.12.0 online.
