diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix
index 4ebde6f9b107..b243e24591e6 100644
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@@ -337,11 +337,16 @@ in {
       defaultText = "pkgs.grafana";
       type = types.package;
     };
+
     declarativePlugins = mkOption {
       type = with types; nullOr (listOf path);
       default = null;
       description = "If non-null, then a list of packages containing Grafana plugins to install. If set, plugins cannot be manually installed.";
       example = literalExample "with pkgs.grafanaPlugins; [ grafana-piechart-panel ]";
+      # Make sure each plugin is added only once; otherwise building
+      # the link farm fails, since the same path is added multiple
+      # times.
+      apply = x: if isList x then lib.unique x else x;
     };
 
     dataDir = mkOption {
@@ -635,20 +640,28 @@ in {
         QT_QPA_PLATFORM = "offscreen";
       } // mapAttrs' (n: v: nameValuePair "GF_${n}" (toString v)) envOptions;
       script = ''
+        set -o errexit -o pipefail -o nounset -o errtrace
+        shopt -s inherit_errexit
+
         ${optionalString (cfg.auth.google.clientSecretFile != null) ''
-          export GF_AUTH_GOOGLE_CLIENT_SECRET="$(cat ${escapeShellArg cfg.auth.google.clientSecretFile})"
+          GF_AUTH_GOOGLE_CLIENT_SECRET="$(<${escapeShellArg cfg.auth.google.clientSecretFile})"
+          export GF_AUTH_GOOGLE_CLIENT_SECRET
         ''}
         ${optionalString (cfg.database.passwordFile != null) ''
-          export GF_DATABASE_PASSWORD="$(cat ${escapeShellArg cfg.database.passwordFile})"
+          GF_DATABASE_PASSWORD="$(<${escapeShellArg cfg.database.passwordFile})"
+          export GF_DATABASE_PASSWORD
         ''}
         ${optionalString (cfg.security.adminPasswordFile != null) ''
-          export GF_SECURITY_ADMIN_PASSWORD="$(cat ${escapeShellArg cfg.security.adminPasswordFile})"
+          GF_SECURITY_ADMIN_PASSWORD="$(<${escapeShellArg cfg.security.adminPasswordFile})"
+          export GF_SECURITY_ADMIN_PASSWORD
         ''}
         ${optionalString (cfg.security.secretKeyFile != null) ''
-          export GF_SECURITY_SECRET_KEY="$(cat ${escapeShellArg cfg.security.secretKeyFile})"
+          GF_SECURITY_SECRET_KEY="$(<${escapeShellArg cfg.security.secretKeyFile})"
+          export GF_SECURITY_SECRET_KEY
         ''}
         ${optionalString (cfg.smtp.passwordFile != null) ''
-          export GF_SMTP_PASSWORD="$(cat ${escapeShellArg cfg.smtp.passwordFile})"
+          GF_SMTP_PASSWORD="$(<${escapeShellArg cfg.smtp.passwordFile})"
+          export GF_SMTP_PASSWORD
         ''}
         ${optionalString cfg.provision.enable ''
           export GF_PATHS_PROVISIONING=${provisionConfDir};
diff --git a/pkgs/development/libraries/openimagedenoise/default.nix b/pkgs/development/libraries/openimagedenoise/default.nix
index 61ffdcbb5cac..6547c321db70 100644
--- a/pkgs/development/libraries/openimagedenoise/default.nix
+++ b/pkgs/development/libraries/openimagedenoise/default.nix
@@ -2,12 +2,12 @@
 
 stdenv.mkDerivation rec {
   pname = "openimagedenoise";
-  version = "1.3.0";
+  version = "1.4.0";
 
   # The release tarballs include pretrained weights, which would otherwise need to be fetched with git-lfs
   src = fetchzip {
     url = "https://github.com/OpenImageDenoise/oidn/releases/download/v${version}/oidn-${version}.src.tar.gz";
-    sha256 = "sha256-ls0F2D5pC+wqhQn1Zh8m8Q/KoK7rAkhKatTY9k+letQ=";
+    sha256 = "sha256-UsiZT3ufRVo1BQ/md/A3CXpUfMPrJR1DhZg9hrjOG2A=";
   };
 
   nativeBuildInputs = [ cmake python3 ispc ];
@@ -19,5 +19,6 @@ stdenv.mkDerivation rec {
     license = licenses.asl20;
     maintainers = [ maintainers.leshainc ];
     platforms = platforms.unix;
+    changelog = "https://github.com/OpenImageDenoise/oidn/blob/v${version}/CHANGELOG.md";
   };
 }
diff --git a/pkgs/development/ocaml-modules/csexp/default.nix b/pkgs/development/ocaml-modules/csexp/default.nix
index 4bb83019dc5c..664d9a773ab0 100644
--- a/pkgs/development/ocaml-modules/csexp/default.nix
+++ b/pkgs/development/ocaml-modules/csexp/default.nix
@@ -2,23 +2,24 @@
 
 buildDunePackage rec {
   pname = "csexp";
-  version = "1.4.0";
-
-  useDune2 = true;
-
-  minimumOCamlVersion = "4.02.3";
+  version = "1.5.1";
 
   src = fetchurl {
     url = "https://github.com/ocaml-dune/csexp/releases/download/${version}/csexp-${version}.tbz";
-    sha256 = "sha256-jj1vyofxAqEm3ui3KioNFG8QQ5xHIY38FJ1Rvz7fNk4=";
+    sha256 = "sha256-1gXkBl+pCliABEDvLzOi2TE5i/LCIGGorLffhFwKrAI=";
   };
 
-  propagatedBuildInputs = [ result ];
+  minimumOCamlVersion = "4.03";
+  useDune2 = true;
+
+  propagatedBuildInputs = [
+    result
+  ];
 
   meta = with lib; {
-    homepage = "https://github.com/ocaml-dune/csexp";
+    homepage = "https://github.com/ocaml-dune/csexp/";
     description = "Minimal support for Canonical S-expressions";
     license = licenses.mit;
-    maintainers = [ maintainers.marsam ];
+    maintainers = with maintainers; [ marsam ];
   };
 }
diff --git a/pkgs/development/ocaml-modules/repr/default.nix b/pkgs/development/ocaml-modules/repr/default.nix
index de6877ddd68e..cd7e1e014e4d 100644
--- a/pkgs/development/ocaml-modules/repr/default.nix
+++ b/pkgs/development/ocaml-modules/repr/default.nix
@@ -1,30 +1,29 @@
-{ lib, buildDunePackage, fetchurl, fmt, uutf, jsonm, base64, either }:
+{ lib, buildDunePackage, fetchurl, base64, either, fmt, jsonm, uutf }:
 
 buildDunePackage rec {
   pname = "repr";
-  version = "0.2.1";
-
-  minimumOCamlVersion = "4.08";
+  version = "0.3.0";
 
   src = fetchurl {
     url = "https://github.com/mirage/${pname}/releases/download/${version}/${pname}-fuzz-${version}.tbz";
-    sha256 = "1cbzbawbn71mmpw8y84s1p2pbhc055w1znz64jvr00c7fdr9p8hc";
+    sha256 = "sha256-2b0v5RwutvyidzEDTEb5p33IvJ+3t2IW+KVxYD1ufXQ=";
   };
 
+  minimumOCamlVersion = "4.08";
   useDune2 = true;
 
   propagatedBuildInputs = [
-    fmt
-    uutf
-    jsonm
     base64
     either
+    fmt
+    jsonm
+    uutf
   ];
 
   meta = with lib; {
     description = "Dynamic type representations. Provides no stability guarantee";
     homepage = "https://github.com/mirage/repr";
     license = licenses.isc;
-    maintainers = [ maintainers.sternenseemann ];
+    maintainers = with maintainers; [ sternenseemann ];
   };
 }
diff --git a/pkgs/development/ocaml-modules/repr/ppx.nix b/pkgs/development/ocaml-modules/repr/ppx.nix
index a1112ef9ac74..7ef2c55c2c26 100644
--- a/pkgs/development/ocaml-modules/repr/ppx.nix
+++ b/pkgs/development/ocaml-modules/repr/ppx.nix
@@ -1,4 +1,4 @@
-{ buildDunePackage, repr, ppxlib, ppx_deriving, alcotest, hex }:
+{ buildDunePackage, ppx_deriving, ppxlib, repr, alcotest, hex }:
 
 buildDunePackage {
   pname = "ppx_repr";
@@ -6,9 +6,9 @@ buildDunePackage {
   inherit (repr) src version useDune2;
 
   propagatedBuildInputs = [
-    repr
-    ppxlib
     ppx_deriving
+    ppxlib
+    repr
   ];
 
   doCheck = true;
diff --git a/pkgs/development/tools/zls/default.nix b/pkgs/development/tools/zls/default.nix
index 0c9a715e9bd5..0fbe7bc31140 100644
--- a/pkgs/development/tools/zls/default.nix
+++ b/pkgs/development/tools/zls/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "zls";
-  version = "0.1.0";
+  version = "unstable-2021-06-06";
 
   src = fetchFromGitHub {
     owner = "zigtools";
     repo = pname;
-    rev = version;
-    sha256 = "sha256-A4aOdmlIxBUeKyczzLxH4y1Rl9TgE1EeiKGbWY4p/00=";
+    rev = "39d87188647bd8c8eed304ee18f2dd1df6942f60";
+    sha256 = "sha256-22N508sVkP1OLySAijhtTPzk2fGf+FVnX9LTYRbRpB4=";
     fetchSubmodules = true;
   };
 
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
   '';
 
   installPhase = ''
-    zig build -Drelease-safe -Dtarget=${stdenv.hostPlatform.parsed.cpu.name}-native --prefix $out install
+    zig build -Drelease-safe -Dcpu=baseline --prefix $out install
   '';
 
   meta = with lib; {
diff --git a/pkgs/stdenv/native/default.nix b/pkgs/stdenv/native/default.nix
index 010b4141e876..87862b84bc1b 100644
--- a/pkgs/stdenv/native/default.nix
+++ b/pkgs/stdenv/native/default.nix
@@ -132,7 +132,7 @@ in
       inherit lib nativePrefix;
       bintools = import ../../build-support/bintools-wrapper {
         name = "bintools";
-        inherit stdenvNoCC nativePrefix;
+        inherit lib stdenvNoCC nativePrefix;
         nativeTools = true;
         nativeLibc = true;
       };
diff --git a/pkgs/tools/misc/dua/default.nix b/pkgs/tools/misc/dua/default.nix
index a7de0183b673..4090a0f5051c 100644
--- a/pkgs/tools/misc/dua/default.nix
+++ b/pkgs/tools/misc/dua/default.nix
@@ -2,7 +2,7 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "dua";
-  version = "2.12.1";
+  version = "2.12.2";
 
   buildInputs = lib.optionals stdenv.isDarwin [ libiconv ];
 
@@ -10,7 +10,7 @@ rustPlatform.buildRustPackage rec {
     owner = "Byron";
     repo = "dua-cli";
     rev = "v${version}";
-    sha256 = "sha256-ZJCixDh2+H+G+lVgxw9H61Xy4hMg+3MbhI+e7sU4GQU=";
+    sha256 = "sha256-0w9RKkoKWwPrVLkQieL69HIsSWbqS0vQesi7yijwXRw=";
     # Remove unicode file names which leads to different checksums on HFS+
     # vs. other filesystems because of unicode normalisation.
     extraPostFetch = ''
@@ -18,7 +18,7 @@ rustPlatform.buildRustPackage rec {
     '';
   };
 
-  cargoSha256 = "sha256-rwgvyfjCBPe20xN6gNXBexjN/BwNhZjT1RtabKhCkJs=";
+  cargoSha256 = "sha256-JqOblCWJSKuTzE4XQzk5nCQL7NIwC5ZDhue1HA7JdzA=";
 
   doCheck = false;