diff --git a/_outputs.nix b/_outputs.nix index 448c04f6..677c98bf 100644 --- a/_outputs.nix +++ b/_outputs.nix @@ -11,7 +11,8 @@ nixpkgs = mkInput { owner = "NixOS"; repo = "nixpkgs"; - ref = "nixos-unstable"; + # FIXME: https://pr-tracker.nelim.org/?pr=374780 + ref = "nixos-unstable-small"; }; home-manager = mkDep { diff --git a/apps/config/package.json b/apps/config/package.json index 6f9dada6..a263e8c7 100644 --- a/apps/config/package.json +++ b/apps/config/package.json @@ -7,7 +7,7 @@ "@eslint/js": "9.18.0", "@stylistic/eslint-plugin": "2.13.0", "eslint": "9.18.0", - "eslint-plugin-jsdoc": "50.6.1", + "eslint-plugin-jsdoc": "50.6.2", "jiti": "2.4.2", "pkg-types": "1.3.1", "typescript": "5.7.3", diff --git a/apps/extract-subs/default.nix b/apps/extract-subs/default.nix index acf9f693..95e8b147 100644 --- a/apps/extract-subs/default.nix +++ b/apps/extract-subs/default.nix @@ -5,7 +5,7 @@ }: buildApp { src = ./.; - npmDepsHash = "sha256-7UhA8oj+AES+YUrbNJZHQ5SdkzSpcjh7YP8f2WiA3qc="; + npmDepsHash = "sha256-vShyulD7uKHE4Oxz8Xy8HdGJpMbF5kQYlHZlQtIcKIA="; runtimeInputs = [ ffmpeg-full diff --git a/apps/extract-subs/package-lock.json b/apps/extract-subs/package-lock.json index f2e7f387..82c17ab5 100644 Binary files a/apps/extract-subs/package-lock.json and b/apps/extract-subs/package-lock.json differ diff --git a/apps/update-sources/default.nix b/apps/update-sources/default.nix index 4bc553cb..c179d3c0 100644 --- a/apps/update-sources/default.nix +++ b/apps/update-sources/default.nix @@ -9,7 +9,7 @@ }: buildApp { src = ./.; - npmDepsHash = "sha256-G2NxC//C8254ZBNep/WWfFUXmFCWR0x8pLeqiUY1ddY="; + npmDepsHash = "sha256-k4m8fSF0zOznebbH87p8IPP2SzRR9siVFYBU5Cfs2T0="; runtimeInputs = [ go diff --git a/apps/update-sources/package-lock.json b/apps/update-sources/package-lock.json index 50502f80..34f5d7c7 100644 Binary files a/apps/update-sources/package-lock.json and b/apps/update-sources/package-lock.json differ 
diff --git a/configurations/nos/modules/docker/nextcloud/images/nextcloud.nix b/configurations/nos/modules/docker/nextcloud/images/nextcloud.nix index c3b0e346..68d470d9 100644 --- a/configurations/nos/modules/docker/nextcloud/images/nextcloud.nix +++ b/configurations/nos/modules/docker/nextcloud/images/nextcloud.nix @@ -1,8 +1,8 @@ pkgs: pkgs.dockerTools.pullImage rec { imageName = "nextcloud"; - imageDigest = "sha256:4f6026de2b9cf007bcd01298a86cae2fd5837cbef9d8aa3224454ff80ecac577"; - hash = "sha256-Urcuc1xkwDeJo9BjRT9vz3wMr/v/Lfn7o11HALowuKU="; + imageDigest = "sha256:4c898a6e3a17fcd3bcbe9d2450079a95581cfb9f0dbfca246c39bd60c77d123b"; + hash = "sha256-kK4F6UQVJm+r98/FH5uMG7VyVm5zzzmA7smc3IoDpFI="; finalImageName = imageName; finalImageTag = "fpm"; } diff --git a/flake.lock b/flake.lock index bc2fa8bc..3dbf03b7 100644 Binary files a/flake.lock and b/flake.lock differ diff --git a/flake.nix b/flake.nix index 657625e1..79d5e922 100644 Binary files a/flake.nix and b/flake.nix differ diff --git a/inputs/default.nix b/inputs/default.nix index c4b918e5..74dfc3d0 100644 --- a/inputs/default.nix +++ b/inputs/default.nix @@ -139,6 +139,9 @@ let hyprgrass = mkHyprDep { owner = "horriblename"; repo = "hyprgrass"; + + # FIXME: https://github.com/horriblename/hyprgrass/pull/203 + rev = "ea3a6079a7e34235ee3df4b600ee11e48b0e7f4d"; }; hyprpaper = mkDep { @@ -161,9 +164,6 @@ let nixcord = mkDep { owner = "kaylorben"; repo = "nixcord"; - - # FIXME: https://github.com/KaylorBen/nixcord/pull/69 - rev = "02247bedd6988a1169c4499406970b92bfd8aa02"; }; }; diff --git a/modules/ags/config/default.nix b/modules/ags/config/default.nix index b533ead3..37dfa33c 100644 --- a/modules/ags/config/default.nix +++ b/modules/ags/config/default.nix @@ -1,3 +1,3 @@ { - npmDepsHash = "sha256-ahAL1uY79aq39acXSr0eSYcDQH7z3eqBtzWq+6lc+MI="; + npmDepsHash = "sha256-mt2SERYy7u7EicYbROfSccb9krE8wtQ/fPioQOI4wYk="; } 
diff --git a/modules/ags/config/package-lock.json b/modules/ags/config/package-lock.json index b54a543f..c10bda18 100644 Binary files a/modules/ags/config/package-lock.json and b/modules/ags/config/package-lock.json differ diff --git a/modules/ags/config/package.json b/modules/ags/config/package.json index 5000e3e5..f0dad63d 100644 --- a/modules/ags/config/package.json +++ b/modules/ags/config/package.json @@ -7,7 +7,7 @@ "@eslint/js": "9.18.0", "@stylistic/eslint-plugin": "2.13.0", "eslint": "9.18.0", - "eslint-plugin-jsdoc": "50.6.1", + "eslint-plugin-jsdoc": "50.6.2", "fzf": "0.5.2", "jiti": "2.4.2", "typescript-eslint": "8.20.0" diff --git a/modules/wyoming-plus/default.nix b/modules/wyoming-plus/default.nix index 5f62dc01..6d47b806 100644 --- a/modules/wyoming-plus/default.nix +++ b/modules/wyoming-plus/default.nix @@ -6,7 +6,7 @@ }: let inherit (lib) getExe mkOption types; inherit (lib.modules) mkForce mkIf mkOverride; - inherit (lib.strings) concatMapStringsSep concatStringsSep; + inherit (lib.strings) concatMapStringsSep concatStringsSep escapeShellArgs; cfg = config.services.wyoming; @@ -20,11 +20,15 @@ in { config = { systemd.services = mkIf (cfg.openwakeword.enable) { - wyoming-openwakeword.serviceConfig = { - MemoryDenyWriteExecute = mkForce (cfg.openwakeword.package != forkedPkg); + # For some reason I can't just override `ExecStart` anymore. + wyoming-openwakeword.serviceConfig = mkForce { + DynamicUser = true; + User = "wyoming-openwakeword"; + + MemoryDenyWriteExecute = cfg.openwakeword.package != forkedPkg; # changes according to https://github.com/rhasspy/wyoming-openwakeword/pull/27 - ExecStart = mkForce (concatStringsSep " " [ + ExecStart = concatStringsSep " " [ (getExe cfg.openwakeword.package) "--uri ${cfg.openwakeword.uri}" 
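Review bot: The `"--uri ${cfg.openwakeword.uri}"` element in the rewritten `ExecStart` list is still interpolated raw, while the next hunk (`@@ -40,8 +44,37 @@`) starts quoting `extraArgs` with `escapeShellArgs`; a uri or model name containing whitespace or quotes would be split differently by systemd's ExecStart parser than the escaped arguments. For consistency, quote the other user-supplied values the same way, e.g. `"--uri ${escapeShellArg cfg.openwakeword.uri}"` and `(model: "--preload-model ${escapeShellArg model}")`, adding `escapeShellArg` to the `inherit (lib.strings)` line changed in the previous hunk. Separately, `mkForce` on the whole `serviceConfig` attrset discards every setting the upstream wyoming module places there, so any hardening it sets that is not re-declared in the next hunk is silently dropped; a comment such as `# mkForce replaces the upstream serviceConfig wholesale; every hardening option must be re-declared below` would make that dependency visible. The `ExecStart` list itself continues into the next hunk.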
@@ -40,8 +44,37 @@ in { (model: "--preload-model ${model}") cfg.openwakeword.preloadModels) - cfg.openwakeword.extraArgs - ]); + (escapeShellArgs cfg.openwakeword.extraArgs) + ]; + + CapabilityBoundingSet = ""; + DeviceAllow = ""; + DevicePolicy = "closed"; + LockPersonality = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + ProtectProc = "invisible"; + ProcSubset = "all"; # reads /proc/cpuinfo + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RuntimeDirectory = "wyoming-openwakeword"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; }; }; diff --git a/overlays/build-failures/default.nix b/overlays/build-failures/default.nix index 732eb07d..b70fd710 100644 --- a/overlays/build-failures/default.nix +++ b/overlays/build-failures/default.nix @@ -1,4 +1,8 @@ final: prev: { # FIXME: https://pr-tracker.nelim.org/?pr=357699 nodejs_latest = prev.nodejs_22; + + wyoming-faster-whisper = prev.wyoming-faster-whisper.overridePythonAttrs (o: { + meta = {mainProgram = o.pname;} // o.meta; + }); } diff --git a/scopedPackages/firefox-addons/generated-firefox-addons.nix b/scopedPackages/firefox-addons/generated-firefox-addons.nix index 7c6d8cde..726e2ba4 100644 --- a/scopedPackages/firefox-addons/generated-firefox-addons.nix +++ b/scopedPackages/firefox-addons/generated-firefox-addons.nix 
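Review bot: The new hardening list depends on `DynamicUser = true` (set in the previous hunk) for NoNewPrivileges, ProtectSystem=strict, PrivateTmp and RestrictSUIDSGID, which systemd implies but which are not spelled out here; because this `mkForce` replaces the upstream serviceConfig wholesale, declaring `ProtectSystem = "strict";`, `NoNewPrivileges = true;` and `ProtectClock = true;` explicitly keeps the sandbox intact if DynamicUser is ever turned off, and ProtectClock is the one of these that DynamicUser does not imply at all. `escapeShellArgs cfg.openwakeword.extraArgs` also requires `extraArgs` to be a list of strings; the option declaration is outside this hunk, so if it is still typed as a plain string this fails at evaluation time. The enclosing `ExecStart` list starts in the previous hunk.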
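Review bot: The new `wyoming-faster-whisper` override carries no comment saying what it works around, unlike the `nodejs_latest` line above it with its FIXME link; a one-liner such as `# FIXME: upstream package lacks meta.mainProgram (needed by lib.getExe); drop once fixed upstream` tells a reader when it can go. The `{mainProgram = o.pname;} // o.meta` order means an upstream `mainProgram`, once added, wins over `o.pname`, so the override then becomes a harmless no-op rather than a conflict, which is presumably the intent and worth stating in that comment. Since only `meta` is touched, plain `overrideAttrs` would suffice here, but that is a style preference.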
@@ -326,10 +326,10 @@ }; "ublock-origin" = buildFirefoxXpiAddon { pname = "ublock-origin"; - version = "1.61.2"; + version = "1.62.0"; addonId = "uBlock0@raymondhill.net"; - url = "https://addons.mozilla.org/firefox/downloads/file/4391011/ublock_origin-1.61.2.xpi"; - sha256 = "ee3a724a46ff32c17d1723077fecc6ede7fdab742154020b51fb6253ddcbba14"; + url = "https://addons.mozilla.org/firefox/downloads/file/4412673/ublock_origin-1.62.0.xpi"; + sha256 = "8a9e02aa838c302fb14e2b5bc88a6036d36358aadd6f95168a145af2018ef1a3"; meta = with lib; { homepage = "https://github.com/gorhill/uBlock#ublock-origin"; description = "Finally, an efficient wide-spectrum content blocker. Easy on CPU and memory."; diff --git a/scopedPackages/lovelace-components/custom-sidebar/default.nix b/scopedPackages/lovelace-components/custom-sidebar/default.nix index 829daca2..8f2b4710 100644 --- a/scopedPackages/lovelace-components/custom-sidebar/default.nix +++ b/scopedPackages/lovelace-components/custom-sidebar/default.nix @@ -30,7 +30,7 @@ in pnpmDeps = pnpm.fetchDeps { inherit (finalAttrs) pname version src; - hash = "sha256-7cVWjyRZXd7xUZsgRNRYPfAap3LGH5VbLzvi2ocbkwc="; + hash = "sha256-NOqEnqdJ/FrgyFNdU5hG/Im8HMltWxv6DrabxAsHl6I="; }; passthru.update = concatTextFile { diff --git a/scopedPackages/lovelace-components/material-rounded-theme/default.nix b/scopedPackages/lovelace-components/material-rounded-theme/default.nix index bad683e8..3dc922ac 100644 --- a/scopedPackages/lovelace-components/material-rounded-theme/default.nix +++ b/scopedPackages/lovelace-components/material-rounded-theme/default.nix @@ -15,7 +15,7 @@ in substituteInPlace ./webpack.config.js --replace-fail "git branch --show-current" "echo main" ''; - npmDepsHash = "sha256-BlG/IuyJpigw6twUoaxJ5a970JfwBb75FuwgtH4xrCw="; + npmDepsHash = "sha256-Vn4OBTM9MoS0LuU4nDYebncvD6wKmfcLP3gHh0CyfaM="; installPhase = '' mkdir $out