Some package is pulling in vulnerable qtwebengine, how can I find it?

I had some package pull in qtwebengine-5.15.19. The nixos-rebuild tool was very quick to recommend how to enable using vulnerable packages, while it was seemingly impossible to find the cause.

I tried some methods (sorry, this was some time ago) to find the package pulling in this one as a dependency and didn't find anything I had manually installed, just some random Plasma packages.

How can I check what package pulls in this vulnerable one?

Can I override that package to not include qtwebengine at all, or use a newer version? I am fine with breakages.

Thanks!

Help understanding how versions of dependencies are determined may be helpful to you.

There are a variety of ways to look into dependencies otherwise. nix-tree, nix why-depends and nix-store --query --referrers are all options.

4 Likes

The "how versions of dependencies are determined" page does not help, as far as I can figure.

And I came here after trying nix why-depends in a dozen ways. I think that one would actually help if it were documented anywhere how to run it, not against the current system, but against the one you are trying to go to. (nix --extra-experimental-features nix-command why-depends /run/current-system /nix/store/kp6bn041bad548gi1b24sw4v8bsznyjc-nixpkgs/nixpkgs/pkgs/development/libraries/qt-5/modules/qtwebengine.nix just replies '/nix/store/k01mrnhcj4f2mr5d9mif1axy7i2dcsh3-nixos-system-nixos-25.11pre838203.7b6929d8b900' does not depend on '/nix/store/kp6bn041bad548gi1b24sw4v8bsznyjc-nixpkgs')

As for nix-store, which seems promising (albeit, if it worked, it would still need to be cross-referenced with my configuration)…

nix-store --query --referrers /nix/store/kp6bn041bad548gi1b24sw4v8bsznyjc-nixpkgs/nixpkgs/pkgs/development/libraries/qt-5/modules/qtwebengine.nix

Only returns:

/nix/store/6rz1ph3jpjajkby8vw8q05br42s4ik82-env-manifest.nix
/nix/store/3140gng8587aw3qki295n5wgxpzsyfnv-user-environment

And it is some random package I installed requiring the insecure version; otherwise I am on Plasma 6, services.desktopManager.plasma6.enable = true;

Best thing to do is just start a new window or clear and run the failing command but add --show-trace, and search your terminal emulator for while evaluating derivation. There will be a handful of matches and probably only one of the packages named will be in your nix configuration file.

Credit to How to find which package dependency it is? - #3 by waffle8946 (but the stdout part was not even working because nothing is today)

Seriously ridiculous Nix does not have a straightforward command for seeing what in your configuration is requiring a specific package.

(It was openshot-qt to blame in this case.)

New things can be frustrating, and NixOS is definitely a different paradigm.

I think you might be confused. This command is asking what is causing /nix/store/kp6bn041bad548gi1b24sw4v8bsznyjc-nixpkgs/ (in other words, a copy of nixpkgs) to get pulled in, not qtwebengine. That’s also why the command only gave you env-manifest.nix and user-environment. You want some version of nix-store --query --referrers /nix/store/<hash>-qtwebengine-<version>.

It might be easier to just use nix-tree and search (keybound to /) for “qtwebengine”.

There are a couple open issues about this, but no true solution:

1 Like

Try

nixos-rebuild build --show-trace |& grep 'while evaluating derivation'

and you’ll see the chain of dependencies.
Also, Lix seems to be addressing this error:

I didn’t check if Nix is doing the same.

2 Likes
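
The `--show-trace` search suggested in the replies above can be scripted. The following is an added example, not code from any poster in this thread or from the Nix project. The trace and configuration are constructed samples, the `openshot-qt-0.0.0` version is a placeholder, and the function names are hypothetical. It assumes the trace prints `while evaluating derivation '<name>'` lines and that the package name matches the attribute name written in the configuration.

```shell
#!/usr/bin/env bash
# List the derivations named in a `--show-trace` evaluation trace and report
# which of them your own configuration mentions by name.

# stdin: trace text. stdout: each name from a
# "while evaluating derivation '<name>'" line, in order of first appearance.
derivation_chain() {
  sed -n "s/.*while evaluating derivation '\([^']*\)'.*/\1/p" | awk '!seen[$0]++'
}

# stdin: trace text, $1: configuration file. stdout: package names from the
# trace (version suffix stripped) that occur as whole words in the file.
# Assumption: the package name equals the attribute name written in the config.
configured_culprits() {
  derivation_chain | sed 's/-[0-9].*$//' | while IFS= read -r pname; do
    if grep -qwF -- "$pname" "$1"; then printf '%s\n' "$pname"; fi
  done
}

# Constructed sample trace; a real one comes from:
#   nixos-rebuild build --show-trace 2>&1 | configured_culprits /etc/nixos/configuration.nix
sample_trace() {
  cat <<'EOF'
error:
       … while evaluating derivation 'nixos-system-nixos-25.11pre838203.7b6929d8b900'
       … while evaluating derivation 'system-path'
       … while evaluating derivation 'openshot-qt-0.0.0'
       … while evaluating derivation 'system-path'
       error: Package ‘qtwebengine-5.15.19’ is marked as insecure, refusing to evaluate.
EOF
}

# Constructed sample configuration.
sample_config() {
  cat <<'EOF'
{ pkgs, ... }: {
  services.desktopManager.plasma6.enable = true;
  environment.systemPackages = with pkgs; [ git openshot-qt ];
}
EOF
}

cfg=$(mktemp)
sample_config > "$cfg"
echo "derivations in trace:";  sample_trace | derivation_chain
echo "named in configuration:"; sample_trace | configured_culprits "$cfg"
rm -f "$cfg"
```

A package pulled in by a NixOS module option rather than listed by name will not be matched by the second function; in that case read the full list from `derivation_chain`.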