Bump nix from 2.34.1 to 2.34.5

[JamieMagee]

What are you trying to accomplish?

Bump the nix Docker image from 2.34.1 to 2.34.5, which patches CVE-2026-39860 — a critical (9.0) sandbox escape where a symlink in a fixed-output derivation could let a builder overwrite arbitrary files as root.

We run nix in single-user mode, so I don't believe we're actually affected (the exploit targets the multi-user daemon). Bumping anyway to prevent spurious vulnerability reports.

GHSA-g3g9-5vj6-r3gj

Anything you want to highlight for special attention from reviewers?

One-line change in Dockerfile: the base image tag goes from 2.34.1 to 2.34.5. No functional changes.

How will you know you've accomplished your goal?

The nix ecosystem's existing tests pass, and the built image uses nix 2.34.5.

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[Copilot]

Pull request overview

Updates the nix Docker build stage to use a patched nix base image version, aligning the nix ecosystem container with the desired security baseline.

Changes:

• Bump docker.io/nixos/nix image tag from 2.34.1 to 2.34.5 in the nix Dockerfile.

Show a summary per file

File	Description
nix/Dockerfile	Updates the nix base image tag used to source /nix for the final updater image.

Copilot's findings

• Files reviewed: 1/1 changed files
• Comments generated: 0