From 2ddbda94672df83e443315e14767b3f159a7f1e3 Mon Sep 17 00:00:00 2001
From: Kenichi Kamiya
Date: Thu, 6 Nov 2025 23:28:41 +0900
Subject: [PATCH] lima: add meta.knownVulnerabilities

The current version 1.0.7 (in release-25.05) is related to these CVEs.

refs:

* 1.0.7 -> 1.1.1: 97c0a198aa6e52b365281d59b6ae633d744e88cf
* 1.2.1 -> 1.2.2: d0beb16463f732236e1ba31e134e8c20e7aac25c

Not-cherry-picked-because: Updating to 1.2.2 is not suitable for stable channels. This is because version 1.1.1 is not compatible, especially on the package manager side.
---
 pkgs/applications/virtualization/lima/default.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pkgs/applications/virtualization/lima/default.nix b/pkgs/applications/virtualization/lima/default.nix
index 8df5bc671830..e779b3b7345a 100644
--- a/pkgs/applications/virtualization/lima/default.nix
+++ b/pkgs/applications/virtualization/lima/default.nix
@@ -91,5 +91,13 @@ buildGoModule rec {
 changelog = "https://github.com/lima-vm/lima/releases/tag/v${version}";
 license = licenses.asl20;
 maintainers = with maintainers; [ anhduy ];
+ knownVulnerabilities = [
+ "There are some CVEs in the nerdctl dependency. Has been fixed in Nixpkgs unstable."
+ "CVE-2024-25621"
+ "CVE-2025-64329"
+ "CVE-2025-31133"
+ "CVE-2025-52565"
+ "CVE-2025-52881"
+ ];
 };
 }
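Review bot: The first `knownVulnerabilities` entry, `"There are some CVEs in the nerdctl dependency. Has been fixed in Nixpkgs unstable."`, is the only prose a user sees next to the CVE IDs, yet it names neither the lima release that carries the fix nor what a stable-channel user is expected to do, and "fixed in unstable" goes stale as soon as unstable moves on. The commit message says the fixes landed in 1.1.1 and 1.2.2, so state that in the package itself: `"Bundled nerdctl dependency ships with unpatched CVEs (IDs below); fixed upstream in lima 1.2.2, which is not backported to this channel."`. Since this list makes the derivation refuse to evaluate until `lima-<version>` is added to `permittedInsecurePackages`, the commit message should also say that release-25.05 users must either opt in explicitly or move to unstable. The `version` attribute this applies to is outside the hunk, so confirm the description matches the 1.0.7 the commit refers to.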