[thrownaway122]

Does this not lose the major advantage of a traditional package manager? Namely that I update openssh in one location and all my packages are now secure. Rather than having to update every package that depends upon openshh separately?

[ambrop7]

Generally, all packages depending on that library will need to be rebuilt. But that is automatic when you do an update, it just may take time (either for packages to be rebuild locally, or by the build farm if you're using channels). But you can manually do a hack to substitute a patched version when you want the fix right now: https://nixos.org/wiki/Security_Updates