From 94cfc990e011d425af77cb1ada71461866e05828 Mon Sep 17 00:00:00 2001
From: Gautier DI FOLCO <gautier.difolco@gmail.com>
Date: Sat, 22 Feb 2025 16:00:21 +0100
Subject: [PATCH 1/4] hsec-tools: move from feed to atom-conduit

---
 code/hsec-tools/CHANGELOG.md                  |   4 +
 code/hsec-tools/hsec-tools.cabal              |   8 +-
 .../src/Security/Advisories/Generate/HTML.hs  | 103 +++++++++++++-----
 3 files changed, 86 insertions(+), 29 deletions(-)

diff --git a/code/hsec-tools/CHANGELOG.md b/code/hsec-tools/CHANGELOG.md
index cd56e671..82998c49 100644
--- a/code/hsec-tools/CHANGELOG.md
+++ b/code/hsec-tools/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.2.0.1
+
+- Rework HTML/Atom generation, use `atom-conduit` instead of `feed`
+
 ## 0.1.1.0
 
 - Redesign index
diff --git a/code/hsec-tools/hsec-tools.cabal b/code/hsec-tools/hsec-tools.cabal
index 7571448c..650be57a 100644
--- a/code/hsec-tools/hsec-tools.cabal
+++ b/code/hsec-tools/hsec-tools.cabal
@@ -51,11 +51,14 @@ library
 
   build-depends:
     , aeson                 >=2.0.1.0  && <3
+    , atom-conduit          >=0.9      && <0.10
     , base                  >=4.14     && <4.21
     , bytestring            >=0.10     && <0.14
     , Cabal-syntax          >=3.8.1.0  && <3.13
     , commonmark            ^>=0.2.2
     , commonmark-pandoc     >=0.2      && <0.3
+    , conduit               >=1.3      && <1.4
+    , conduit-extra         >=1.3      && <1.4
     , containers            >=0.6      && <0.7
     , cvss                  >= 0.2     && < 0.3
     , data-default          >=0.7      && <0.8
@@ -63,7 +66,6 @@ library
     , extra                 ^>=1.7.5
     , filepath              >=1.4      && <1.5
     , hsec-core             ^>= 0.2
-    , feed                  ==1.3.*
     , file-embed            >=0.0.13.0 && <0.0.17
     , lucid                 >=2.9.0    && < 3
     , mtl                   >=2.2      && <2.4
@@ -75,11 +77,15 @@ library
     , pretty                >=1.0      && <1.2
     , prettyprinter         >=1.7      && <1.8
     , process               >=1.6      && <1.7
+    , refined               >=0.7      && <0.9
+    , resourcet             >=1.2      && <1.4
     , safe                  >=0.3      && <0.4
     , text                  >=1.2      && <3
     , template-haskell      >=2.16.0.0 && <2.23
     , time                  >=1.9      && <1.14
     , toml-parser           >=2.0.0.0  && <2.1
+    , uri-bytestring        >=0.3      && <0.5
+    , xml-conduit           >=1.9      && <1.11
     , validation-selective  >=0.1      && <1
 
   hs-source-dirs:   src
diff --git a/code/hsec-tools/src/Security/Advisories/Generate/HTML.hs b/code/hsec-tools/src/Security/Advisories/Generate/HTML.hs
index 4c8c17ce..6fd492c8 100644
--- a/code/hsec-tools/src/Security/Advisories/Generate/HTML.hs
+++ b/code/hsec-tools/src/Security/Advisories/Generate/HTML.hs
@@ -17,25 +17,29 @@ import Data.Maybe (fromMaybe)
 import Data.Ord (Down (..))
 import Data.Text (Text)
 import qualified Data.Text as T
+import qualified Data.Text.Encoding as BSE
 import qualified Data.Text.IO as T
-import qualified Data.Text.Lazy as TL
 import Data.Time (UTCTime, formatTime, defaultTimeLocale)
-import Data.Time.Format.ISO8601
 import System.Directory (createDirectoryIfMissing)
 import System.Exit (exitFailure)
 import System.FilePath ((</>), takeDirectory)
 import System.IO (hPrint, hPutStrLn, stderr)
 import System.IO.Unsafe (unsafePerformIO)
 
+import Control.Monad.Trans.Resource (ResourceT)
+import qualified Data.Conduit as Conduit
+import qualified Data.Conduit.Binary as ConduitBinary
 import Data.Default (def)
 import Distribution.Pretty (prettyShow)
 import Distribution.Types.VersionRange (earlierVersion, intersectVersionRanges, orLaterVersion)
 import Lucid
-import Safe (maximumMay)
-import qualified Text.Atom.Feed as Feed
-import qualified Text.Atom.Feed.Export as FeedExport
+import Refined (refineTH)
+import qualified Text.Atom.Types as Feed
+import qualified Text.Atom.Conduit.Render as FeedExport
 import Text.Pandoc (runIOorExplode)
 import Text.Pandoc.Writers (writeHtml5String)
+import qualified Text.XML.Stream.Render as ConduitXML
+import qualified URI.ByteString as URI
 import Validation (Validation (..))
 
 import qualified Security.Advisories as Advisories
@@ -77,7 +81,7 @@ renderAdvisoriesIndex src dst = do
         renderAdvisory advisory
 
   hPutStrLn stderr $ "Rendering " <> (dst </> "atom.xml")
-  writeFile (dst </> "atom.xml") $ T.unpack $ renderFeed advisories
+  Conduit.runConduitRes $ renderFeed advisories Conduit..| ConduitBinary.sinkFile (dst </> "atom.xml")
 
   putStrLn "Copying assets"
   let assetsDir = dst </> "assets"
@@ -322,39 +326,82 @@ toAdvisoryR x =
 
 -- * Atom/RSS feed
 
-feed :: [Advisories.Advisory] -> Feed.Feed
+feed :: [Advisories.Advisory] -> Feed.AtomFeed
 feed advisories =
-  ( Feed.nullFeed
-      atomFeedUrl
-      (Feed.TextString "Haskell Security Advisory DB") -- Title
-      (maybe "" (T.pack . iso8601Show) . maximumMay . fmap Advisories.advisoryModified $ advisories)
-  )
-    { Feed.feedEntries = fmap toEntry advisories
-    , Feed.feedLinks = [(Feed.nullLink atomFeedUrl) { Feed.linkRel = Just (Left "self") }]
-    , Feed.feedAuthors = [Feed.nullPerson { Feed.personName = "Haskell Security Response Team" }]
+  Feed.AtomFeed
+    { Feed.feedAuthors      = [ hsrt ]
+    , Feed.feedCategories   = []
+    , Feed.feedContributors = []
+    , Feed.feedEntries      = toEntry <$> advisories
+    , Feed.feedGenerator    = Nothing
+    , Feed.feedIcon         = Nothing
+    , Feed.feedId           = "73b10e73-16bc-4bf2-a56c-ad7d09213e45"
+    , Feed.feedLinks        = [
+          Feed.AtomLink
+            { Feed.linkHref   = toAtomURI atomFeedUrl
+            , Feed.linkRel    = "self"
+            , Feed.linkType   = ""
+            , Feed.linkLang   = ""
+            , Feed.linkTitle  = ""
+            , Feed.linkLength = ""
+            }
+    ]
+    , Feed.feedLogo         = Nothing
+    , Feed.feedRights       = Nothing
+    , Feed.feedSubtitle     = Nothing
+    , Feed.feedTitle        = Feed.AtomPlainText Feed.TypeText "Haskell Security Advisory DB"
+    , Feed.feedUpdated      = maximum $ Advisories.advisoryModified <$> advisories
     }
   where
     toEntry advisory =
-      ( Feed.nullEntry
-        (toUrl advisory)
-        (mkSummary advisory)
-        (T.pack . iso8601Show $ Advisories.advisoryModified advisory)
-      )
-        { Feed.entryLinks = [(Feed.nullLink (toUrl advisory)) { Feed.linkRel = Just (Left "alternate") }]
-        , Feed.entryContent = Just (Feed.HTMLContent (Advisories.advisoryHtml advisory))
+      Feed.AtomEntry
+        { Feed.entryAuthors      = [hsrt]
+        , Feed.entryCategories   = []
+        , Feed.entryContent      = Just $ Feed.AtomContentInlineText Feed.TypeHTML $ Advisories.advisoryHtml advisory
+        , Feed.entryContributors = []
+        , Feed.entryId           = T.pack $ Advisories.printHsecId $ Advisories.advisoryId advisory
+        , Feed.entryLinks        = [
+            Feed.AtomLink
+              { Feed.linkHref   = toAtomURI $ toUrl advisory
+              , Feed.linkRel    = "alternate"
+              , Feed.linkType   = ""
+              , Feed.linkLang   = ""
+              , Feed.linkTitle  = ""
+              , Feed.linkLength = ""
+              }
+          ]
+        , Feed.entryPublished    = Just $ Advisories.advisoryPublished advisory
+        , Feed.entryRights       = Nothing
+        , Feed.entrySource       = Nothing
+        , Feed.entrySummary      = Nothing
+        , Feed.entryTitle        = Feed.AtomPlainText Feed.TypeText $ mkTitle advisory
+        , Feed.entryUpdated      = Advisories.advisoryModified advisory
         }
 
-    mkSummary advisory =
-      Feed.TextString $
-        T.pack (Advisories.printHsecId (Advisories.advisoryId advisory))
+    mkTitle advisory =
+      T.pack (Advisories.printHsecId (Advisories.advisoryId advisory))
         <> " - "
         <> Advisories.advisorySummary advisory
+
     toUrl advisory = advisoriesRootUrl <> "/" <> advisoryLink (Advisories.advisoryId advisory)
 
-renderFeed :: [Advisories.Advisory] -> Text
+    toAtomURI =
+      Feed.AtomURI
+        . either (error . show) id
+        . URI.parseURI URI.strictURIParserOptions
+        . BSE.encodeUtf8
+
+    hsrt =
+        Feed.AtomPerson
+          { Feed.personName = $$(refineTH "Haskell Security Response Team")
+          , Feed.personEmail = "security-advisories@haskell.org"
+          , Feed.personUri = Nothing
+          }
+
+renderFeed :: [Advisories.Advisory] -> Conduit.ConduitT () BS8.ByteString (ResourceT IO) ()
 renderFeed =
-  maybe (error "Cannot render atom feed") TL.toStrict
-    . FeedExport.textFeed
+  (Conduit..| ConduitXML.renderBytes def)
+    . FeedExport.renderAtomFeed
     . feed
 
 advisoriesRootUrl :: T.Text

From 48be792e4665498e898cbf2894fddd43193956fc Mon Sep 17 00:00:00 2001
From: Gautier DI FOLCO <gautier.difolco@gmail.com>
Date: Sat, 22 Feb 2025 16:56:06 +0100
Subject: [PATCH 2/4] all-packages: add GHC 9.12 support

---
 code/cvss/cvss.cabal             |  2 +-
 code/hsec-core/hsec-core.cabal   | 11 +++--------
 code/hsec-sync/hsec-sync.cabal   | 12 +++++-------
 code/hsec-tools/hsec-tools.cabal | 22 +++++++++++-----------
 4 files changed, 20 insertions(+), 27 deletions(-)

diff --git a/code/cvss/cvss.cabal b/code/cvss/cvss.cabal
index 54ae786b..dd576643 100644
--- a/code/cvss/cvss.cabal
+++ b/code/cvss/cvss.cabal
@@ -31,7 +31,7 @@ test-suite spec
   build-depends:
     , base         <5
     , cvss
-    , tasty        <1.5
+    , tasty        <1.6
     , tasty-hunit  <1.0
     , text
 
diff --git a/code/hsec-core/hsec-core.cabal b/code/hsec-core/hsec-core.cabal
index f783d9a0..78ee1b82 100644
--- a/code/hsec-core/hsec-core.cabal
+++ b/code/hsec-core/hsec-core.cabal
@@ -30,19 +30,14 @@ library
     Security.Advisories.Core.HsecId
 
   build-depends:
-    , base          >=4.14    && <4.20
-    , Cabal-syntax  >=3.8.1.0 && <3.13
+    , base          >=4.14    && <5
+    , Cabal-syntax  >=3.8.1.0 && <3.15
     , cvss >= 0.2 && < 0.3
     , osv >= 0.1 && < 0.2
     , pandoc-types  >=1.22    && <2
     , safe          >=0.3     && <0.4
     , text          >=1.2     && <3
-    , time          >=1.9     && <1.14
-
-  -- , commonmark            ^>=0.2.2
-  -- , commonmark-pandoc     >=0.2     && <0.3
-  -- , containers            >=0.6     && <0.7
-  -- , mtl                   >=2.2     && <2.4
+    , time          >=1.9     && <1.15
   hs-source-dirs:   src
   default-language: Haskell2010
   ghc-options:
diff --git a/code/hsec-sync/hsec-sync.cabal b/code/hsec-sync/hsec-sync.cabal
index 081e600a..ba766f24 100644
--- a/code/hsec-sync/hsec-sync.cabal
+++ b/code/hsec-sync/hsec-sync.cabal
@@ -30,19 +30,17 @@ library
     Security.Advisories.Sync.Url
 
   build-depends:
-    , aeson         >=2.0   && <2.3
-    , base          >=4.14  && <4.21
+    , aeson         >=2.0   && <3
+    , base          >=4.14  && <5
     , bytestring    >=0.10  && <0.13
     , directory     >=1.3   && <1.4
     , either        >=5.0   && <5.1
-    , extra         >=1.7   && <1.8
-    , feed          >=1.3   && <1.4
+    , extra         >=1.7   && <1.9
     , filepath      >=1.4   && <1.6
     , hsec-core     ^>=0.2
     , http-client   >=0.7.0 && <0.8
     , lens          >=5.1   && <5.4
     , tar           >=0.5   && <0.7
-    , tar-conduit   >=0.3   && <0.5
     , temporary     >=1     && <2
     , text          >=1.2   && <3
     , time          >=1.9   && <1.15
@@ -66,9 +64,9 @@ executable hsec-sync
   -- other-extensions:
   build-depends:
     , aeson                 >=2.0.1.0 && <3
-    , base                  >=4.14    && <4.20
+    , base                  >=4.14    && <5
     , bytestring            >=0.10    && <0.13
-    , filepath              >=1.4     && <1.5
+    , filepath              >=1.4     && <1.6
     , hsec-sync
     , optparse-applicative  >=0.17    && <0.19
     , text                  >=1.2     && <3
diff --git a/code/hsec-tools/hsec-tools.cabal b/code/hsec-tools/hsec-tools.cabal
index 650be57a..13136a28 100644
--- a/code/hsec-tools/hsec-tools.cabal
+++ b/code/hsec-tools/hsec-tools.cabal
@@ -52,25 +52,25 @@ library
   build-depends:
     , aeson                 >=2.0.1.0  && <3
     , atom-conduit          >=0.9      && <0.10
-    , base                  >=4.14     && <4.21
+    , base                  >=4.14     && <5
     , bytestring            >=0.10     && <0.14
-    , Cabal-syntax          >=3.8.1.0  && <3.13
+    , Cabal-syntax          >=3.8.1.0  && <3.15
     , commonmark            ^>=0.2.2
     , commonmark-pandoc     >=0.2      && <0.3
     , conduit               >=1.3      && <1.4
     , conduit-extra         >=1.3      && <1.4
-    , containers            >=0.6      && <0.7
+    , containers            >=0.6      && <0.8
     , cvss                  >= 0.2     && < 0.3
     , data-default          >=0.7      && <0.8
     , directory             <2
-    , extra                 ^>=1.7.5
-    , filepath              >=1.4      && <1.5
+    , extra                 >=1.7      && <1.9
+    , filepath              >=1.4      && <1.6
     , hsec-core             ^>= 0.2
     , file-embed            >=0.0.13.0 && <0.0.17
     , lucid                 >=2.9.0    && < 3
     , mtl                   >=2.2      && <2.4
     , osv                   >= 0.1     && < 0.2
-    , pandoc                >=2.0      && <3.6
+    , pandoc                >=2.0      && <3.8
     , pandoc-types          >=1.22     && <2
     , parsec                >=3        && <4
     , pathwalk              >=0.3      && <0.4
@@ -81,8 +81,8 @@ library
     , resourcet             >=1.2      && <1.4
     , safe                  >=0.3      && <0.4
     , text                  >=1.2      && <3
-    , template-haskell      >=2.16.0.0 && <2.23
-    , time                  >=1.9      && <1.14
+    , template-haskell      >=2.16.0.0 && <2.24
+    , time                  >=1.9      && <1.15
     , toml-parser           >=2.0.0.0  && <2.1
     , uri-bytestring        >=0.3      && <0.5
     , xml-conduit           >=1.9      && <1.11
@@ -107,10 +107,10 @@ executable hsec-tools
   -- other-extensions:
   build-depends:
     , aeson                 >=2.0.1.0 && <3
-    , base                  >=4.14    && <4.20
+    , base                  >=4.14    && <5
     , bytestring            >=0.10    && <0.13
-    , Cabal-syntax          >=3.8.1.0 && <3.11
-    , filepath              >=1.4     && <1.5
+    , Cabal-syntax          >=3.8.1.0 && <3.15
+    , filepath              >=1.4     && <1.6
     , hsec-core             ^>= 0.2
     , hsec-tools
     , optparse-applicative  >=0.17    && <0.19

From e775e668a49679f02e5461b10e3e8960261e20ab Mon Sep 17 00:00:00 2001
From: Gautier DI FOLCO <gautier.difolco@gmail.com>
Date: Sat, 22 Feb 2025 16:56:50 +0100
Subject: [PATCH 3/4] nix: upgrade snapshot (GHC 9.6.6)

---
 flake.lock | 12 ++++++------
 flake.nix  | 15 ++++++++++++---
 2 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/flake.lock b/flake.lock
index fc0942e3..4b402869 100644
--- a/flake.lock
+++ b/flake.lock
@@ -5,11 +5,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1689068808,
-        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1689679375,
-        "narHash": "sha256-LHUC52WvyVDi9PwyL1QCpaxYWBqp4ir4iL6zgOkmcb8=",
+        "lastModified": 1739866667,
+        "narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "684c17c429c42515bafb3ad775d2a710947f3d67",
+        "rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index d163def9..06a41c0a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -19,7 +19,6 @@
         osv = pkgs.haskellPackages.callCabal2nix "osv" ./code/osv { inherit cvss; };
         hsec-core = pkgs.haskellPackages.callCabal2nix "hsec-core" ./code/hsec-core {
           inherit cvss osv;
-          Cabal-syntax = pkgs.haskellPackages.Cabal-syntax_3_8_1_0;
         };
         hsec-tools = returnShellEnv:
           pkgs.haskellPackages.developPackage {
@@ -29,8 +28,18 @@
             withHoogle = false;
             overrides = self: super: {
               inherit cvss hsec-core osv;
-              Cabal-syntax = super.Cabal-syntax_3_8_1_0;
-              toml-parser = jailbreakUnbreak (super.callHackageDirect {pkg = "toml-parser"; ver = "2.0.1.0"; sha256 = "sha256-+2d8tflkqT3g7QJVjw/FTdluBASiHP3lDr7w5eNr4bY=";} {});
+              toml-parser = super.toml-parser_2_0_1_0;
+              typst = super.typst_0_6_1;
+              typst-symbols = super.typst-symbols_0_1_7;
+              texmath = super.texmath_0_12_8_12;
+              pandoc = super.pandoc_3_6;
+              commonmark-pandoc = super.commonmark-pandoc_0_2_2_3;
+              commonmark-extensions = super.commonmark-extensions_0_2_5_6;
+              doclayout = super.doclayout_0_5;
+              skylighting = super.skylighting_0_14_5;
+              skylighting-core = super.skylighting-core_0_14_5;
+              tls = super.tls_2_1_5;
+              crypton-connection = super.crypton-connection_0_4_3;
             };
 
             modifier = drv:

From 01edb5d0cd045495bb1ecf60095f64cce3f8539b Mon Sep 17 00:00:00 2001
From: Gautier DI FOLCO <gautier.difolco@gmail.com>
Date: Sat, 22 Feb 2025 18:56:16 +0100
Subject: [PATCH 4/4] ci: add support for GHC 9.10

---
 .github/workflows/haskell-ci.yml | 100 +++++++++++++++++++------------
 code/cvss/cvss.cabal             |   3 +-
 code/hsec-core/hsec-core.cabal   |   2 +-
 code/hsec-sync/hsec-sync.cabal   |   2 +-
 code/hsec-tools/hsec-tools.cabal |   2 +-
 code/osv/osv.cabal               |   2 +-
 6 files changed, 68 insertions(+), 43 deletions(-)

diff --git a/.github/workflows/haskell-ci.yml b/.github/workflows/haskell-ci.yml
index 57df1b76..4d2bb7c4 100644
--- a/.github/workflows/haskell-ci.yml
+++ b/.github/workflows/haskell-ci.yml
@@ -8,9 +8,9 @@
 #
 # For more information, see https://github.com/haskell-CI/haskell-ci
 #
-# version: 0.19.20240708
+# version: 0.19.20250216
 #
-# REGENDATA ("0.19.20240708",["github","--haddock","--github-patches",".github/haskell-ci.patch","cabal.project"])
+# REGENDATA ("0.19.20250216",["github","--haddock","--github-patches",".github/haskell-ci.patch","cabal.project"])
 #
 name: Haskell-CI
 on:
@@ -34,7 +34,7 @@ jobs:
     name: Haskell-CI - Linux - ${{ matrix.compiler }}
     needs: tools_changed
     if: ${{ needs.tools_changed.outputs.should_skip != 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes:
       60
     container:
@@ -43,14 +43,19 @@ jobs:
     strategy:
       matrix:
         include:
-          - compiler: ghc-9.8.1
+          - compiler: ghc-9.10.1
             compilerKind: ghc
-            compilerVersion: 9.8.1
+            compilerVersion: 9.10.1
             setup-method: ghcup
             allow-failure: false
-          - compiler: ghc-9.6.3
+          - compiler: ghc-9.8.3
+            compilerKind: ghc
+            compilerVersion: 9.8.3
+            setup-method: ghcup-vanilla
+            allow-failure: false
+          - compiler: ghc-9.6.6
             compilerKind: ghc
-            compilerVersion: 9.6.3
+            compilerVersion: 9.6.6
             setup-method: ghcup
             allow-failure: false
           - compiler: ghc-9.4.8
@@ -75,40 +80,59 @@ jobs:
             allow-failure: false
       fail-fast: false
     steps:
-      - name: apt
+      - name: apt-get install
         run: |
           apt-get update
           apt-get install -y --no-install-recommends gnupg ca-certificates dirmngr curl git software-properties-common libtinfo5
+      - name: Install GHCup
+        run: |
           mkdir -p "$HOME/.ghcup/bin"
           curl -sL https://downloads.haskell.org/ghcup/0.1.30.0/x86_64-linux-ghcup-0.1.30.0 > "$HOME/.ghcup/bin/ghcup"
           chmod a+x "$HOME/.ghcup/bin/ghcup"
-          "$HOME/.ghcup/bin/ghcup" install ghc "$HCVER" || (cat "$HOME"/.ghcup/logs/*.* && false)
+      - name: Install cabal-install
+        run: |
           "$HOME/.ghcup/bin/ghcup" install cabal 3.12.1.0 || (cat "$HOME"/.ghcup/logs/*.* && false)
+          echo "CABAL=$HOME/.ghcup/bin/cabal-3.12.1.0 -vnormal+nowrap" >> "$GITHUB_ENV"
+      - name: Install GHC (GHCup)
+        if: matrix.setup-method == 'ghcup'
+        run: |
+          "$HOME/.ghcup/bin/ghcup" install ghc "$HCVER" || (cat "$HOME"/.ghcup/logs/*.* && false)
+          HC=$("$HOME/.ghcup/bin/ghcup" whereis ghc "$HCVER")
+          HCPKG=$(echo "$HC" | sed 's#ghc$#ghc-pkg#')
+          HADDOCK=$(echo "$HC" | sed 's#ghc$#haddock#')
+          echo "HC=$HC" >> "$GITHUB_ENV"
+          echo "HCPKG=$HCPKG" >> "$GITHUB_ENV"
+          echo "HADDOCK=$HADDOCK" >> "$GITHUB_ENV"
         env:
           HCKIND: ${{ matrix.compilerKind }}
           HCNAME: ${{ matrix.compiler }}
           HCVER: ${{ matrix.compilerVersion }}
-      - name: Set PATH and environment variables
+      - name: Install GHC (GHCup vanilla)
+        if: matrix.setup-method == 'ghcup-vanilla'
         run: |
-          echo "$HOME/.cabal/bin" >> $GITHUB_PATH
-          echo "LANG=C.UTF-8" >> "$GITHUB_ENV"
-          echo "CABAL_DIR=$HOME/.cabal" >> "$GITHUB_ENV"
-          echo "CABAL_CONFIG=$HOME/.cabal/config" >> "$GITHUB_ENV"
-          HCDIR=/opt/$HCKIND/$HCVER
+          "$HOME/.ghcup/bin/ghcup" -s https://raw.githubusercontent.com/haskell/ghcup-metadata/master/ghcup-vanilla-0.0.8.yaml install ghc "$HCVER" || (cat "$HOME"/.ghcup/logs/*.* && false)
           HC=$("$HOME/.ghcup/bin/ghcup" whereis ghc "$HCVER")
           HCPKG=$(echo "$HC" | sed 's#ghc$#ghc-pkg#')
           HADDOCK=$(echo "$HC" | sed 's#ghc$#haddock#')
           echo "HC=$HC" >> "$GITHUB_ENV"
           echo "HCPKG=$HCPKG" >> "$GITHUB_ENV"
           echo "HADDOCK=$HADDOCK" >> "$GITHUB_ENV"
-          echo "CABAL=$HOME/.ghcup/bin/cabal-3.12.1.0 -vnormal+nowrap" >> "$GITHUB_ENV"
+        env:
+          HCKIND: ${{ matrix.compilerKind }}
+          HCNAME: ${{ matrix.compiler }}
+          HCVER: ${{ matrix.compilerVersion }}
+      - name: Set PATH and environment variables
+        run: |
+          echo "$HOME/.cabal/bin" >> $GITHUB_PATH
+          echo "LANG=C.UTF-8" >> "$GITHUB_ENV"
+          echo "CABAL_DIR=$HOME/.cabal" >> "$GITHUB_ENV"
+          echo "CABAL_CONFIG=$HOME/.cabal/config" >> "$GITHUB_ENV"
           HCNUMVER=$(${HC} --numeric-version|perl -ne '/^(\d+)\.(\d+)\.(\d+)(\.(\d+))?$/; print(10000 * $1 + 100 * $2 + ($3 == 0 ? $5 != 1 : $3))')
           echo "HCNUMVER=$HCNUMVER" >> "$GITHUB_ENV"
           echo "ARG_TESTS=--enable-tests" >> "$GITHUB_ENV"
           echo "ARG_BENCH=--enable-benchmarks" >> "$GITHUB_ENV"
           echo "HEADHACKAGE=false" >> "$GITHUB_ENV"
           echo "ARG_COMPILER=--$HCKIND --with-compiler=$HC" >> "$GITHUB_ENV"
-          echo "GHCJSARITH=0" >> "$GITHUB_ENV"
         env:
           HCKIND: ${{ matrix.compilerKind }}
           HCNAME: ${{ matrix.compiler }}
@@ -164,11 +188,11 @@ jobs:
       - name: initial cabal.project for sdist
         run: |
           touch cabal.project
+          echo "packages: $GITHUB_WORKSPACE/source/code/osv" >> cabal.project
           echo "packages: $GITHUB_WORKSPACE/source/code/hsec-tools" >> cabal.project
-          echo "packages: $GITHUB_WORKSPACE/source/code/cvss" >> cabal.project
-          echo "packages: $GITHUB_WORKSPACE/source/code/hsec-core" >> cabal.project
           echo "packages: $GITHUB_WORKSPACE/source/code/hsec-sync" >> cabal.project
-          echo "packages: $GITHUB_WORKSPACE/source/code/osv" >> cabal.project
+          echo "packages: $GITHUB_WORKSPACE/source/code/hsec-core" >> cabal.project
+          echo "packages: $GITHUB_WORKSPACE/source/code/cvss" >> cabal.project
           cat cabal.project
       - name: sdist
         run: |
@@ -180,33 +204,33 @@ jobs:
           find sdist -maxdepth 1 -type f -name '*.tar.gz' -exec tar -C $GITHUB_WORKSPACE/unpacked -xzvf {} \;
       - name: generate cabal.project
         run: |
+          PKGDIR_osv="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/osv-[0-9.]*')"
+          echo "PKGDIR_osv=${PKGDIR_osv}" >> "$GITHUB_ENV"
           PKGDIR_hsec_tools="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/hsec-tools-[0-9.]*')"
           echo "PKGDIR_hsec_tools=${PKGDIR_hsec_tools}" >> "$GITHUB_ENV"
-          PKGDIR_cvss="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/cvss-[0-9.]*')"
-          echo "PKGDIR_cvss=${PKGDIR_cvss}" >> "$GITHUB_ENV"
-          PKGDIR_hsec_core="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/hsec-core-[0-9.]*')"
-          echo "PKGDIR_hsec_core=${PKGDIR_hsec_core}" >> "$GITHUB_ENV"
           PKGDIR_hsec_sync="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/hsec-sync-[0-9.]*')"
           echo "PKGDIR_hsec_sync=${PKGDIR_hsec_sync}" >> "$GITHUB_ENV"
-          PKGDIR_osv="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/osv-[0-9.]*')"
-          echo "PKGDIR_osv=${PKGDIR_osv}" >> "$GITHUB_ENV"
+          PKGDIR_hsec_core="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/hsec-core-[0-9.]*')"
+          echo "PKGDIR_hsec_core=${PKGDIR_hsec_core}" >> "$GITHUB_ENV"
+          PKGDIR_cvss="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/cvss-[0-9.]*')"
+          echo "PKGDIR_cvss=${PKGDIR_cvss}" >> "$GITHUB_ENV"
           rm -f cabal.project cabal.project.local
           touch cabal.project
           touch cabal.project.local
+          echo "packages: ${PKGDIR_osv}" >> cabal.project
           echo "packages: ${PKGDIR_hsec_tools}" >> cabal.project
-          echo "packages: ${PKGDIR_cvss}" >> cabal.project
-          echo "packages: ${PKGDIR_hsec_core}" >> cabal.project
           echo "packages: ${PKGDIR_hsec_sync}" >> cabal.project
-          echo "packages: ${PKGDIR_osv}" >> cabal.project
+          echo "packages: ${PKGDIR_hsec_core}" >> cabal.project
+          echo "packages: ${PKGDIR_cvss}" >> cabal.project
+          echo "package osv" >> cabal.project
+          echo "    ghc-options: -Werror=missing-methods" >> cabal.project
           echo "package hsec-tools" >> cabal.project
           echo "    ghc-options: -Werror=missing-methods" >> cabal.project
-          echo "package cvss" >> cabal.project
+          echo "package hsec-sync" >> cabal.project
           echo "    ghc-options: -Werror=missing-methods" >> cabal.project
           echo "package hsec-core" >> cabal.project
           echo "    ghc-options: -Werror=missing-methods" >> cabal.project
-          echo "package hsec-sync" >> cabal.project
-          echo "    ghc-options: -Werror=missing-methods" >> cabal.project
-          echo "package osv" >> cabal.project
+          echo "package cvss" >> cabal.project
           echo "    ghc-options: -Werror=missing-methods" >> cabal.project
           cat >> cabal.project <<EOF
           EOF
@@ -238,15 +262,15 @@ jobs:
           $CABAL v2-test $ARG_COMPILER $ARG_TESTS $ARG_BENCH all --test-show-details=direct
       - name: cabal check
         run: |
+          cd ${PKGDIR_osv} || false
+          ${CABAL} -vnormal check
           cd ${PKGDIR_hsec_tools} || false
           ${CABAL} -vnormal check
-          cd ${PKGDIR_cvss} || false
+          cd ${PKGDIR_hsec_sync} || false
           ${CABAL} -vnormal check
           cd ${PKGDIR_hsec_core} || false
           ${CABAL} -vnormal check
-          cd ${PKGDIR_hsec_sync} || false
-          ${CABAL} -vnormal check
-          cd ${PKGDIR_osv} || false
+          cd ${PKGDIR_cvss} || false
           ${CABAL} -vnormal check
       - name: haddock
         run: |
@@ -256,8 +280,8 @@ jobs:
           rm -f cabal.project.local
           $CABAL v2-build $ARG_COMPILER --disable-tests --disable-benchmarks all
       - name: save cache
-        uses: actions/cache/save@v4
         if: always()
+        uses: actions/cache/save@v4
         with:
           key: ${{ runner.os }}-${{ matrix.compiler }}-${{ github.sha }}
           path: ~/.cabal/store
diff --git a/code/cvss/cvss.cabal b/code/cvss/cvss.cabal
index dd576643..4294302b 100644
--- a/code/cvss/cvss.cabal
+++ b/code/cvss/cvss.cabal
@@ -10,7 +10,8 @@ author:          Tristan de Cacqueray
 maintainer:      tdecacqu@redhat.com
 category:        Data
 extra-doc-files: CHANGELOG.md
-tested-with:     GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.3 || ==9.8.1
+tested-with:
+  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.6 || ==9.8.3 || ==9.10.1 || ==9.12.1
 
 library
   exposed-modules:  Security.CVSS
diff --git a/code/hsec-core/hsec-core.cabal b/code/hsec-core/hsec-core.cabal
index 78ee1b82..2e6b850d 100644
--- a/code/hsec-core/hsec-core.cabal
+++ b/code/hsec-core/hsec-core.cabal
@@ -22,7 +22,7 @@ category:           Data
 extra-doc-files:    CHANGELOG.md
 
 tested-with:
-  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.3 || ==9.8.1
+  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.6 || ==9.8.3 || ==9.10.1 || ==9.12.1
 
 library
   exposed-modules:
diff --git a/code/hsec-sync/hsec-sync.cabal b/code/hsec-sync/hsec-sync.cabal
index ba766f24..61ad8d58 100644
--- a/code/hsec-sync/hsec-sync.cabal
+++ b/code/hsec-sync/hsec-sync.cabal
@@ -21,7 +21,7 @@ maintainer:      gautier.difolco@gmail.com
 category:        Data
 extra-doc-files: CHANGELOG.md, overview.png, recommended-workflow.png
 tested-with:
-  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.3 || ==9.8.1
+  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.6 || ==9.8.3 || ==9.10.1 || ==9.12.1
 
 library
   exposed-modules:  Security.Advisories.Sync
diff --git a/code/hsec-tools/hsec-tools.cabal b/code/hsec-tools/hsec-tools.cabal
index 13136a28..25cb3c10 100644
--- a/code/hsec-tools/hsec-tools.cabal
+++ b/code/hsec-tools/hsec-tools.cabal
@@ -29,7 +29,7 @@ extra-source-files:
   test/golden/*.md
 
 tested-with:
-  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.3 || ==9.8.1
+  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.6 || ==9.8.3 || ==9.10.1 || ==9.12.1
 
 library
   exposed-modules:
diff --git a/code/osv/osv.cabal b/code/osv/osv.cabal
index 2f0edf56..377874c7 100644
--- a/code/osv/osv.cabal
+++ b/code/osv/osv.cabal
@@ -24,7 +24,7 @@ category:           Data
 extra-doc-files:    CHANGELOG.md
 
 tested-with:
-  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.3 || ==9.8.1
+  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.6 || ==9.8.3 || ==9.10.1 || ==9.12.1
 
 library
   exposed-modules: