diff --git a/.bazelignore b/.bazelignore index c8f80dd18..a3c929544 100644 --- a/.bazelignore +++ b/.bazelignore @@ -8,3 +8,5 @@ site .cache .direnv .eclipse + +VENDOR diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 64d1d12e4..ccd0d0902 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -69,7 +69,7 @@ jobs: - uses: actions/checkout@v5 - uses: cachix/install-nix-action@v31 # TODO Remove --no-sandbox after https://github.com/enola-dev/enola/issues/1713 - - run: nix run --no-sandbox . -- help + - run: nix run . -- help build: # https://github.com/orgs/community/discussions/25722 diff --git a/.gitignore b/.gitignore index 24d877151..7c2bf8e87 100644 --- a/.gitignore +++ b/.gitignore @@ -79,3 +79,6 @@ generated/protoc/java/dev/ generated/classpath generated/javac-processors/ generated/java-class + +# bazel vendor --vendor_dir= +VENDOR diff --git a/Dockerfile-DevEnv b/Dockerfile-DevEnv index 0deb6a1c2..5dd0e9081 100644 --- a/Dockerfile-DevEnv +++ b/Dockerfile-DevEnv @@ -33,7 +33,7 @@ FROM docker.io/library/fedora:43 RUN dnf update -y -RUN dnf install -y fish gcc-c++ golang \ +RUN dnf install -y fish gcc-c++ \ java-21-openjdk-devel java-21-openjdk-src java-21-openjdk-javadoc \ java-21-openjdk-javadoc-zip java-21-openjdk-jmods diff --git a/docs/use/index.md b/docs/use/index.md index 9902ec042..b59e428a4 100644 --- a/docs/use/index.md +++ b/docs/use/index.md 
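Review bot: The context comment `# TODO Remove --no-sandbox after https://github.com/enola-dev/enola/issues/1713`, directly above the changed step in `.github/workflows/ci.yaml`, is stale now that the new line is `- run: nix run . -- help`. Delete it in this commit so nobody reads it as a sign that CI still runs with the Nix sandbox disabled. If a comment is wanted there, something like `# Runs with the Nix sandbox enabled (see issue #1713 for history)` describes the new state.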
@@ -89,8 +89,4 @@ or clearing `~/.jbang/cache`, do not currently work for this application due to ## Nix - nix run --no-sandbox github:enola-dev/enola - -If this fails after printing _"warning: ignoring the client-specified setting 'sandbox', because it is a restricted setting and you are not a trusted user",_ then you need to add your username to the `trusted-users` list in `/etc/nix/nix.conf` (e.g., `trusted-users = root your-username-here`), and then restart the Nix daemon with `sudo systemctl restart nix-daemon.service`. - -PS: See [issue #1713](https://github.com/enola-dev/enola/issues/1713) re. why `--no-sandbox` is still needed. + nix run github:enola-dev/enola diff --git a/flake.lock b/flake.lock index 7356bcd14..1b476326b 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1760193480, - "narHash": "sha256-cVwJZjoS3YDkIIapwcgFS7yxBZRnI1lilW3Reu15DQs=", + "lastModified": 1761313217, + "narHash": "sha256-HnRb5DYd4N2A51UtzNeLiGFcMw092/NGN+cnRmz1D70=", "owner": "vorburger", "repo": "bazel-nix", - "rev": "fb4635096ac939ff4fb6169bda93dca7a31d0369", + "rev": "f4e0ec84c0ac6ca6ce441e0fcf57f5d778bd8021", "type": "github" }, "original": { @@ -61,11 +61,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1758690382, - "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", + "lastModified": 1761114652, + "narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e643668fd71b949c53f8626614b21ff71a07379d", + "rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 784ceeb14..7d57a3ceb 100644 --- a/flake.nix +++ b/flake.nix 
@@ -92,6 +92,52 @@ # $ nix build .#enola # $ result/bin/enola --help default = enola; + + bazel-vendor-dir = pkgs.stdenv.mkDerivation { + #pname = "bazel-vendor-dir"; + #version = gitRev; + name = "bazel-vendor-dir"; + + nativeBuildInputs = [ + pkgs.protobuf + pkgs.protoc-gen-grpc-java + pkgs.which + jdk' + ]; + src = ./.; + buildPhase = '' + runHook preBuild + + bash tools/protoc/protoc.bash + mkdir VENDOR + pwd + ls + # export HOME=$TMPDIR + # export HOME=$(pwd)/home + export HOME=/build/home + mkdir -p $HOME + pwd + ls + bazel vendor --vendor_dir=VENDOR //... + + runHook postBuild + ''; + installPhase = '' + runHook preInstall + + tar czvf $out \ + --sort=name \ + --mtime='UTC 2080-02-01' \ + --owner=0 \ + --group=0 \ + --numeric-owner VENDOR + + runHook postInstall + ''; + # outputHash = pkgs.lib.fakeHash; + outputHash = "sha256-kpDyYdYTlC179qHOusvTncRXAGV7549GGoR1y4b8okA="; + }; + enola = pkgs.stdenv.mkDerivation { pname = "enola"; version = gitRev; @@ -101,6 +147,7 @@ pkgs.cacert pkgs.makeWrapper pkgs.which + jdk' ]; src = ./.; @@ -110,14 +157,13 @@ # class dev.enola.common.Version reads VERSION echo -n "${gitRev}" >tools/version/VERSION - # See https://github.com/NixOS/nix/issues/14024 - bash tools/protoc/protoc.bash - # https://github.com/enola-dev/enola/issues/1876 export HOME="$PWD/.built/HOME" mkdir -p "$HOME" - bazel build //java/dev/enola/cli:enola_deploy.jar + tar xfz ${bazel-vendor-dir} + bash tools/protoc/protoc.bash + bazel build --vendor_dir=VENDOR //java/dev/enola/cli:enola_deploy.jar runHook postBuild ''; diff --git a/tools/evilurl/test.bash b/tools/evilurl/test.bash index 97d52347f..f1a7f59c4 100755 --- a/tools/evilurl/test.bash +++ b/tools/evilurl/test.bash 
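Review bot: `bazel-vendor-dir` is a fixed-output derivation, so its store path depends on `name` and `outputHash` and not on `src = ./.;`. Once a tarball with this hash is in a store or binary cache, later changes to the repository's Bazel dependencies will not trigger a re-fetch until someone edits the hash. A comment above `outputHash` should say that it must be refreshed (via the commented `pkgs.lib.fakeHash` line) whenever dependencies change, and that this hash is the only integrity check on what `bazel vendor` downloads with network access. The buildPhase also still carries debugging leftovers (`pwd`, `ls`, two commented-out `export HOME=` lines), and `export HOME=/build/home` hard-codes a build directory where the `enola` derivation derives it from `$PWD`. Whether the `tar czvf` output is byte-stable across machines cannot be seen from the hunk and is worth verifying, because any drift breaks the pinned hash.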
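Review bot: In the third `flake.nix` hunk, the reason for running `bash tools/protoc/protoc.bash` before `bazel build` is lost, because the `# See https://github.com/NixOS/nix/issues/14024` line is removed when the call moves. If that issue is still the reason, keep the reference above the moved call. A one-line comment above `tar xfz ${bazel-vendor-dir}`, such as `# VENDOR is unpacked from the bazel-vendor-dir fixed-output derivation, so this build should need no network access`, would explain the new step. The buildPhase starts outside the hunk.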
@@ -29,7 +29,7 @@ allow_list=("java/dev/enola/common/io/resource/UrlResource.java" # TODO Also grep for .toURL() invocations, and fail for any (new) ones. -found_files=$(find . -name "*.java" -print0 | xargs -0 grep -lE "(^|[^a-zA-Z0-9_.])java\.net\.URL($|[^a-zA-Z0-9_#}])" | while IFS= read -r file; do +found_files=$(find . -name "*.java" -print0 | grep -Zzv VENDOR/ | xargs -0 grep -lE "(^|[^a-zA-Z0-9_.])java\.net\.URL($|[^a-zA-Z0-9_#}])" | while IFS= read -r file; do file_name=$(basename "$file") allow_path="${file//.\//}" diff --git a/tools/java_toolchain/BUILD b/tools/java_toolchain/BUILD index f95d82764..f4fd8b4a5 100644 --- a/tools/java_toolchain/BUILD +++ b/tools/java_toolchain/BUILD @@ -2,7 +2,8 @@ load( "@bazel_tools//tools/jdk:default_java_toolchain.bzl", - "DEFAULT_TOOLCHAIN_CONFIGURATION", + # See https://github.com/bazelbuild/rules_java/issues/325: + "NONPREBUILT_TOOLCHAIN_CONFIGURATION", "default_java_toolchain", ) #load("@rules_java//java/toolchains:java_runtime.bzl", "java_runtime") @@ -16,7 +17,8 @@ load( default_java_toolchain( name = "repository_default_java_toolchain", - configuration = DEFAULT_TOOLCHAIN_CONFIGURATION, + # See https://github.com/bazelbuild/rules_java/issues/325: + configuration = NONPREBUILT_TOOLCHAIN_CONFIGURATION, # INSTEAD of: java_runtime = "@rules_java//toolchains:remotejdk_21", # OR above's: java_runtime = ":jdk_runtime",
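Review bot: The new filter `grep -Zzv VENDOR/` in `tools/evilurl/test.bash` is unanchored, so it drops every path containing `VENDOR/` anywhere, not only the top-level vendor directory. A first-party file under a directory whose name merely ends in `VENDOR` would silently escape the `java.net.URL` check. Pruning in `find` is exact and avoids walking the vendored tree at all: `find . -path ./VENDOR -prune -o -name "*.java" -print0 | xargs -0 grep -lE …`. If the grep stage is kept, anchor it as `grep -zv '^\./VENDOR/'`; `-Z` has no effect here, since it only applies when grep prints file names. The `while` loop that consumes this list continues outside the hunk.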