
Outdated nixpkgs input pulling vulnerable packages, contrary to README #350

@zacharyweiss

Description


Howdy!

Hitting some issues with the flake inputs, in the process of culling vulnerable packages from my company's closures. The README claims to build against DetSys' SPS, but the flake points to 25.05, and it appears the PR that would introduce the SPS is still in draft and experiencing build failures.

Unfortunately as well, despite upstream using 25.11, anecdotally, setting such a follows for dnix results in test failures on aarch64-linux currently.

The driving cause of this concern is that 25.05, being outside the support window, appears to contain a number of vulnerable packages (most notably, openssl and busybox) as reported by grype, scanning against bombon-generated SBOMs. Is there a timeline for updating the inputs to a supported nixpkgs release and/or the SPS? Am I misunderstanding the README's claim / are patches being vendored in some opaque way as part of FH's nixpkgs mirroring that bombon & grype wouldn't properly recognize?
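An added check, not part of the issue or the dnix project, for the situation described above: it walks a flake.lock and lists every distinct nixpkgs instance the closure pulls in (a dependency that does not `follows` the root nixpkgs shows up as its own node), then flags any whose ref is outside a supported set. The lock excerpt, node names, revisions and the supported-ref set are constructed assumptions.

```python
import json

# Constructed flake.lock excerpt (assumption, not the project's real lock):
# the root pins nixpkgs to 25.11, but the "dnix" input carries its own
# nixpkgs node at 25.05 instead of following the root's.
SAMPLE_LOCK = json.dumps({
    "version": 7,
    "root": "root",
    "nodes": {
        "root": {"inputs": {"nixpkgs": "nixpkgs", "dnix": "dnix"}},
        "nixpkgs": {
            "locked": {"type": "github", "owner": "NixOS", "repo": "nixpkgs",
                       "rev": "0000000000000000000000000000000000000001"},
            "original": {"type": "github", "owner": "NixOS", "repo": "nixpkgs",
                         "ref": "nixos-25.11"},
        },
        "dnix": {
            "inputs": {"nixpkgs": "nixpkgs_2"},
            "locked": {"type": "github", "owner": "example", "repo": "dnix",
                       "rev": "0000000000000000000000000000000000000002"},
            "original": {"type": "github", "owner": "example", "repo": "dnix"},
        },
        "nixpkgs_2": {
            "locked": {"type": "github", "owner": "NixOS", "repo": "nixpkgs",
                       "rev": "0000000000000000000000000000000000000003"},
            "original": {"type": "github", "owner": "NixOS", "repo": "nixpkgs",
                         "ref": "nixos-25.05"},
        },
    },
})


def nixpkgs_instances(lock_json):
    """Map input path -> ref (or locked rev) for each nixpkgs node reachable
    from the root. A `follows` edge is stored as a list path pointing at a
    node that is already reachable, so it never adds a second instance."""
    lock = json.loads(lock_json)
    nodes, found, seen = lock["nodes"], {}, set()
    stack = [(lock["root"], ())]
    while stack:
        name, path = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        node = nodes[name]
        orig = node.get("original", {})
        if orig.get("repo") == "nixpkgs":
            found["/".join(path)] = orig.get("ref", node["locked"]["rev"])
        for edge, target in node.get("inputs", {}).items():
            if isinstance(target, str):  # a list here would be a follows path
                stack.append((target, path + (edge,)))
    return found


def stale_nixpkgs(lock_json, supported_refs):
    """Input paths whose nixpkgs ref is not in the supported set."""
    return {p: r for p, r in nixpkgs_instances(lock_json).items()
            if r not in supported_refs}
```

Run against a real `flake.lock`, a non-empty result from `stale_nixpkgs` names the inputs that need a `follows` override or an upstream bump before an SBOM scan will come back clean.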

Labels: documentation (Improvements or additions to documentation)
