From a0e3407f21c9c26c547482aa3fc4e581465b7dae Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Mon, 25 Mar 2024 09:41:12 -0400
Subject: [PATCH 01/15] Update rest-api.md (#17801)

- Fix anchor link
---
 docs/REST API/rest-api.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/REST API/rest-api.md b/docs/REST API/rest-api.md
index 671831ccb5..a9f2ccdda4 100644
--- a/docs/REST API/rest-api.md	
+++ b/docs/REST API/rest-api.md	
@@ -7372,7 +7372,7 @@ This allows you to easily configure scheduled queries that will impact a whole t
 
 - [Run script](#run-script)
 - [Get script result](#get-script-result)
-- [Run live script](#run-script)
+- [Run live script](#run-live-script)
 - [Upload a script](#upload-a-script)
 - [Delete a script](#delete-a-script)
 - [List scripts](#list-scripts)

From ee14a26df4e236146aaad89d93512f29beef3f22 Mon Sep 17 00:00:00 2001
From: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com>
Date: Mon, 25 Mar 2024 10:06:36 -0400
Subject: [PATCH 02/15] Return correct OS details for Windows Server 2019
 (#17760)

---
 changes/17562-windows-server-2019-os-details |  1 +
 server/service/osquery_utils/queries.go      | 37 +++++++++++++++-----
 2 files changed, 29 insertions(+), 9 deletions(-)
 create mode 100644 changes/17562-windows-server-2019-os-details

diff --git a/changes/17562-windows-server-2019-os-details b/changes/17562-windows-server-2019-os-details
new file mode 100644
index 0000000000..e3aa773a03
--- /dev/null
+++ b/changes/17562-windows-server-2019-os-details
@@ -0,0 +1 @@
+- Fixed a bug where OS version information would not get detected on Windows Server 2019
diff --git a/server/service/osquery_utils/queries.go b/server/service/osquery_utils/queries.go
index 030294f5ed..e65124e4e8 100644
--- a/server/service/osquery_utils/queries.go
+++ b/server/service/osquery_utils/queries.go
@@ -172,14 +172,24 @@ var hostDetailQueries = map[string]DetailQuery{
 		},
 	},
 	"os_version_windows": {
+		// display_version is not available in some versions of
+		// Windows (Server 2019). By including it using a JOIN it can
+		// return no rows and the query will still succeed
 		Query: `
-		SELECT os.name, r.data as display_version, k.version
+		WITH display_version_table AS (
+			SELECT data as display_version
+			FROM registry
+			WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion'
+		)
+		SELECT
+			os.name,
+			COALESCE(d.display_version, '') AS display_version,
+			k.version
 		FROM
-			registry r,
 			os_version os,
 			kernel_info k
-		WHERE r.path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion'
-		`,
+		LEFT JOIN
+			display_version_table d`,
 		Platforms: []string{"windows"},
 		IngestFunc: func(ctx context.Context, logger log.Logger, host *fleet.Host, rows []map[string]string) error {
 			if len(rows) != 1 {
@@ -531,20 +541,29 @@ var extraDetailQueries = map[string]DetailQuery{
 		// This query is used to populate the `operating_systems` and `host_operating_system`
 		// tables. Separately, the `hosts` table is populated via the `os_version` and
 		// `os_version_windows` detail queries above.
+		//
+		// DisplayVersion doesn't exist on all versions of Windows (Server 2019).
+		// To prevent the query from failing in those cases, we join
+		// the values in when they exist, alternatively the column is
+		// just empty.
 		Query: `
+	WITH display_version_table AS (
+		SELECT data as display_version
+		FROM registry
+		WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion'
+	)
 	SELECT
 		os.name,
 		os.platform,
 		os.arch,
 		k.version as kernel_version,
 		os.version,
-		r.data as display_version
+		COALESCE(d.display_version, '') AS display_version
 	FROM
 		os_version os,
-		kernel_info k,
-		registry r
-	WHERE
-		r.path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion'`,
+		kernel_info k
+	LEFT JOIN
+		display_version_table d`,
 		Platforms:        []string{"windows"},
 		DirectIngestFunc: directIngestOSWindows,
 	},

From 632af6635dad4827f2a3bf410c35f949fbf81afd Mon Sep 17 00:00:00 2001
From: Eric <eashaw@sailsjs.com>
Date: Mon, 25 Mar 2024 13:37:31 -0500
Subject: [PATCH 03/15] Handbook: update `startedOn` date of auto-issue
 rituals. (#17835)

Changes:
- updated the `startedOn` date of 3 rituals with auto-issue enabled.
---
 handbook/business-operations/business-operations.rituals.yml | 4 ++--
 handbook/digital-experience/digital-experience.rituals.yml   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/handbook/business-operations/business-operations.rituals.yml b/handbook/business-operations/business-operations.rituals.yml
index 1726a429dd..3be2ee4b68 100644
--- a/handbook/business-operations/business-operations.rituals.yml
+++ b/handbook/business-operations/business-operations.rituals.yml
@@ -44,7 +44,7 @@
     repo: "confidential"
 -
   task: "AP invoice monitoring" # TODO tie this to a responsibility
-  startedOn: "2024-03-31" 
+  startedOn: "2024-04-01" 
   frequency: "Weekly"
   description: "Look for new accounts payable invoices and make sure that Fleet's suppliers are paid" 
   moreInfoUrl: 
@@ -64,7 +64,7 @@
     repo: "confidential"
 -
   task: "Vanta check" # TODO tie this to a responsibility
-  startedOn: "2024-03-01" 
+  startedOn: "2024-04-01" 
   frequency: "Monthly"
   description: "Look for any new actions in Vanta due in the upcoming months and create issues to ensure they're done on time" 
   moreInfoUrl: 
diff --git a/handbook/digital-experience/digital-experience.rituals.yml b/handbook/digital-experience/digital-experience.rituals.yml
index d0c1a23123..75e4244d02 100644
--- a/handbook/digital-experience/digital-experience.rituals.yml
+++ b/handbook/digital-experience/digital-experience.rituals.yml
@@ -3,7 +3,7 @@
 
 - 
   task: "Check browser compatibility for fleetdm.com"
-  startedOn: "2024-03-01" 
+  startedOn: "2024-03-06" 
   frequency: "Monthly"
   description: "Run `npm audit --only=prod` to check for vulnerabilities on the production dependencies of fleetdm.com."
   moreInfoUrl: "https://fleetdm.com/handbook/digital-experience#check-production-dependencies-of-fleetdm-com"

From b3d77c75e91e789911e6332569fd13c2c407cb67 Mon Sep 17 00:00:00 2001
From: Eric <eashaw@sailsjs.com>
Date: Mon, 25 Mar 2024 13:41:17 -0500
Subject: [PATCH 04/15] Website: update Vanta integration script (#17833)

Related to: #17699

Changes:
- Updated the `send-data-to-vanta` script to retry requests to Vanta's
`https://api.vanta.com/oauth/token` API endpoint that return a `504`
response.
---
 website/scripts/send-data-to-vanta.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/website/scripts/send-data-to-vanta.js b/website/scripts/send-data-to-vanta.js
index d1c45193e8..7c3565e962 100644
--- a/website/scripts/send-data-to-vanta.js
+++ b/website/scripts/send-data-to-vanta.js
@@ -35,7 +35,8 @@ module.exports = {
         },
         headers: { accept: 'application/json' }
       })
-      .retry({raw:{statusCode: 503}})
+      .retry({raw:{statusCode: 503}})// Retry requests that respond with "503: Service temporarily unavailable"
+      .retry({raw:{statusCode: 504}})// Retry requests that respond with "504: Endpoint request timed out"
       .tolerate((err)=>{
         // If an error occurs while sending a request to Vanta, we'll add the error to the errorReportById object, with this connections ID set as the key.
         errorReportById[connectionIdAsString] = new Error(`Could not refresh the token for Vanta connection (id: ${connectionIdAsString}). Full error: ${err}`);

From 3d46b0d22a478cf2acb941748be5f4e01bd745bd Mon Sep 17 00:00:00 2001
From: Jacob Shandling <61553566+jacobshandling@users.noreply.github.com>
Date: Mon, 25 Mar 2024 13:41:35 -0700
Subject: [PATCH 05/15] =?UTF-8?q?UI=20=E2=80=93=20Fix=20error=20state=20an?=
 =?UTF-8?q?d=20alignment=20on=20global=20host=20status=20webhook=20setting?=
 =?UTF-8?q?=20page=20(#17821)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Addresses #17534

<img width="1392" alt="Screenshot 2024-03-22 at 4 41 25 PM"
src="https://github.com/fleetdm/fleet/assets/61553566/a6bff506-4e1d-4342-be34-890a7742c760">

- also fix bug in alignment of error states vs tooltip-wrapped labels
throughout org settings

- [x] Changes file added
- [x] Manual QA for all new/changed functionality

---------

Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
---
 .../17534-improve-error-states-org-settings    |  2 ++
 .../pages/admin/OrgSettingsPage/_styles.scss   |  4 ----
 .../GlobalHostStatusWebhook.tsx                | 18 +++++++++---------
 3 files changed, 11 insertions(+), 13 deletions(-)
 create mode 100644 changes/17534-improve-error-states-org-settings

diff --git a/changes/17534-improve-error-states-org-settings b/changes/17534-improve-error-states-org-settings
new file mode 100644
index 0000000000..6fdff36d01
--- /dev/null
+++ b/changes/17534-improve-error-states-org-settings
@@ -0,0 +1,2 @@
+- Fix error state rendering on the global Host status expiry settings page, fix error state
+  alignment for tooltip-wrapper field labels across organization settings.
diff --git a/frontend/pages/admin/OrgSettingsPage/_styles.scss b/frontend/pages/admin/OrgSettingsPage/_styles.scss
index cfbfb51a9e..3ae29e2405 100644
--- a/frontend/pages/admin/OrgSettingsPage/_styles.scss
+++ b/frontend/pages/admin/OrgSettingsPage/_styles.scss
@@ -101,10 +101,6 @@
       &__disabled-usage-statistics-checkbox {
         @include disabled;
       }
-
-      .component__tooltip-wrapper {
-        margin-bottom: $pad-xsmall;
-      }
     }
   }
 }
diff --git a/frontend/pages/admin/OrgSettingsPage/cards/GlobalHostStatusWebhook/GlobalHostStatusWebhook.tsx b/frontend/pages/admin/OrgSettingsPage/cards/GlobalHostStatusWebhook/GlobalHostStatusWebhook.tsx
index 6783bcc2bb..78c7a0b105 100644
--- a/frontend/pages/admin/OrgSettingsPage/cards/GlobalHostStatusWebhook/GlobalHostStatusWebhook.tsx
+++ b/frontend/pages/admin/OrgSettingsPage/cards/GlobalHostStatusWebhook/GlobalHostStatusWebhook.tsx
@@ -28,7 +28,7 @@ const baseClass = "app-config-form";
 
 export type IGlobalHostStatusWebhookFormData = {
   enableHostStatusWebhook: boolean;
-  hostStatusWebhookDestinationUrl: string;
+  destination_url: string;
   hostStatusWebhookHostPercentage: number;
   hostStatusWebhookWindow: number;
 };
@@ -46,7 +46,7 @@ const GlobalHostStatusWebhook = ({
     enableHostStatusWebhook:
       appConfig.webhook_settings.host_status_webhook
         ?.enable_host_status_webhook || false,
-    hostStatusWebhookDestinationUrl:
+    destination_url:
       appConfig.webhook_settings.host_status_webhook?.destination_url || "",
     hostStatusWebhookHostPercentage:
       appConfig.webhook_settings.host_status_webhook?.host_percentage || 1,
@@ -56,7 +56,7 @@ const GlobalHostStatusWebhook = ({
 
   const {
     enableHostStatusWebhook,
-    hostStatusWebhookDestinationUrl,
+    destination_url,
     hostStatusWebhookHostPercentage,
     hostStatusWebhookWindow,
   } = formData;
@@ -72,10 +72,10 @@ const GlobalHostStatusWebhook = ({
     const errors: IAppConfigFormErrors = {};
 
     if (enableHostStatusWebhook) {
-      if (!hostStatusWebhookDestinationUrl) {
+      if (!destination_url) {
         errors.destination_url = "Destination URL must be present";
-      } else if (!validUrl({ url: hostStatusWebhookDestinationUrl })) {
-        errors.server_url = `${hostStatusWebhookDestinationUrl} is not a valid URL`;
+      } else if (!validUrl({ url: destination_url })) {
+        errors.destination_url = `${destination_url} is not a valid URL`;
       }
     }
 
@@ -99,7 +99,7 @@ const GlobalHostStatusWebhook = ({
       webhook_settings: {
         host_status_webhook: {
           enable_host_status_webhook: enableHostStatusWebhook,
-          destination_url: hostStatusWebhookDestinationUrl,
+          destination_url,
           host_percentage: hostStatusWebhookHostPercentage,
           days_count: hostStatusWebhookWindow,
         },
@@ -166,8 +166,8 @@ const GlobalHostStatusWebhook = ({
                 placeholder="https://server.com/example"
                 label="Destination URL"
                 onChange={handleInputChange}
-                name="hostStatusWebhookDestinationUrl"
-                value={hostStatusWebhookDestinationUrl}
+                name="destination_url"
+                value={destination_url}
                 parseTarget
                 onBlur={validateForm}
                 error={formErrors.destination_url}

From da32121f00439cf5620365afb045e3ef0b5b6a28 Mon Sep 17 00:00:00 2001
From: Eric <eashaw@sailsjs.com>
Date: Mon, 25 Mar 2024 18:02:27 -0500
Subject: [PATCH 06/15] Vuln dashboard: Update moment dependency to resolve
 code scanning alerts (#17849)

Related to: #17764

Changes:
- Updated ee/vulnerability-dashboard/assets/dependencies/moment.js to
resolve two code scanning alerts.
---
 ee/vulnerability-dashboard/assets/dependencies/moment.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ee/vulnerability-dashboard/assets/dependencies/moment.js b/ee/vulnerability-dashboard/assets/dependencies/moment.js
index 9428c66bb9..98e2e91970 100644
--- a/ee/vulnerability-dashboard/assets/dependencies/moment.js
+++ b/ee/vulnerability-dashboard/assets/dependencies/moment.js
@@ -680,7 +680,7 @@ function getParseRegexForToken (token, config) {
 
 // Code from http://stackoverflow.com/questions/3561493/is-there-a-regexp-escape-function-in-javascript
 function unescapeFormat(s) {
-    return regexEscape(s.replace('\\', '').replace(/\\(\[)|\\(\])|\[([^\]\[]*)\]|\\(.)/g, function (matched, p1, p2, p3, p4) {
+    return regexEscape(s.replace(/\\/g, '').replace(/\\(\[)|\\(\])|\[([^\]\[]*)\]|\\(.)/g, function (matched, p1, p2, p3, p4) {
         return p1 || p2 || p3 || p4;
     }));
 }
@@ -1477,9 +1477,9 @@ function localeWeekdaysParse (weekdayName, format, strict) {
 
         mom = createUTC([2000, 1]).day(i);
         if (strict && !this._fullWeekdaysParse[i]) {
-            this._fullWeekdaysParse[i] = new RegExp('^' + this.weekdays(mom, '').replace('.', '\.?') + '$', 'i');
-            this._shortWeekdaysParse[i] = new RegExp('^' + this.weekdaysShort(mom, '').replace('.', '\.?') + '$', 'i');
-            this._minWeekdaysParse[i] = new RegExp('^' + this.weekdaysMin(mom, '').replace('.', '\.?') + '$', 'i');
+            this._fullWeekdaysParse[i] = new RegExp('^' + this.weekdays(mom, '').replace('.', '\\.?') + '$', 'i');
+            this._shortWeekdaysParse[i] = new RegExp('^' + this.weekdaysShort(mom, '').replace('.', '\\.?') + '$', 'i');
+            this._minWeekdaysParse[i] = new RegExp('^' + this.weekdaysMin(mom, '').replace('.', '\\.?') + '$', 'i');
         }
         if (!this._weekdaysParse[i]) {
             regex = '^' + this.weekdays(mom, '') + '|^' + this.weekdaysShort(mom, '') + '|^' + this.weekdaysMin(mom, '');

From 6d965426e0b7730ca06cc91c812be61f357ddfce Mon Sep 17 00:00:00 2001
From: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
Date: Tue, 26 Mar 2024 09:55:49 -0400
Subject: [PATCH 07/15] Fleet UI: Users can see a tooltip on a disabled
 checkbox (#17664)

---
 changes/16345-disabled-checkbox-tooltip       |  1 +
 .../forms/fields/Checkbox/Checkbox.tsx        | 17 +++++---
 .../forms/fields/Checkbox/_styles.scss        | 17 ++++++++
 .../TeamHostExpiryToggle.tsx                  | 40 ++++++++-----------
 .../TeamHostExpiryToggle/_styles.scss         |  4 --
 frontend/styles/var/mixins.scss               |  7 ++++
 6 files changed, 53 insertions(+), 33 deletions(-)
 create mode 100644 changes/16345-disabled-checkbox-tooltip

diff --git a/changes/16345-disabled-checkbox-tooltip b/changes/16345-disabled-checkbox-tooltip
new file mode 100644
index 0000000000..5e83ded1e1
--- /dev/null
+++ b/changes/16345-disabled-checkbox-tooltip
@@ -0,0 +1 @@
+- UI fix: users can see a tooltip on a disabled checkbox
diff --git a/frontend/components/forms/fields/Checkbox/Checkbox.tsx b/frontend/components/forms/fields/Checkbox/Checkbox.tsx
index 8380b4279c..83ddcb43be 100644
--- a/frontend/components/forms/fields/Checkbox/Checkbox.tsx
+++ b/frontend/components/forms/fields/Checkbox/Checkbox.tsx
@@ -55,21 +55,26 @@ const Checkbox = (props: ICheckboxProps) => {
     className,
     baseClass
   );
+
+  const checkBoxTickClass = classnames(`${baseClass}__tick`, {
+    [`${baseClass}__tick--disabled`]: disabled,
+    [`${baseClass}__tick--indeterminate`]: indeterminate,
+  });
+
+  const checkBoxLabelClass = classnames(checkBoxClass, {
+    [`${baseClass}__label--disabled`]: disabled,
+  });
+
   const formFieldProps = {
     ...pick(props, ["helpText", "label", "error", "name"]),
     className: wrapperClassName,
     type: "checkbox",
   } as IFormFieldProps;
 
-  const checkBoxTickClass = classnames(`${checkBoxClass}__tick`, {
-    [`${checkBoxClass}__tick--disabled`]: disabled,
-    [`${checkBoxClass}__tick--indeterminate`]: indeterminate,
-  });
-
   return (
     <FormField {...formFieldProps}>
       <>
-        <label htmlFor={name} className={checkBoxClass}>
+        <label htmlFor={name} className={checkBoxLabelClass}>
           <input
             checked={value}
             className={`${baseClass}__input`}
diff --git a/frontend/components/forms/fields/Checkbox/_styles.scss b/frontend/components/forms/fields/Checkbox/_styles.scss
index 3aa8725df1..5c7da05188 100644
--- a/frontend/components/forms/fields/Checkbox/_styles.scss
+++ b/frontend/components/forms/fields/Checkbox/_styles.scss
@@ -29,6 +29,18 @@
         }
       }
 
+      &--disabled {
+        &::after {
+          @include disabled-checkbox;
+        }
+
+        &:hover {
+          &::after {
+            @include disabled-checkbox;
+          }
+        }
+      }
+
       &::before {
         @include position(absolute, 50% null null 50%);
         transform: rotate(45deg);
@@ -41,6 +53,7 @@
         border-top: 0;
         border-left: 0;
         content: "";
+        z-index: 9;
       }
     }
   }
@@ -109,6 +122,10 @@
     padding-left: $pad-small;
     display: inline-block;
     vertical-align: top;
+
+    &--disabled {
+      color: $ui-fleet-black-50;
+    }
   }
 
   &__label-tooltip {
diff --git a/frontend/pages/admin/TeamManagementPage/TeamDetailsWrapper/TeamSettings/components/TeamHostExpiryToggle/TeamHostExpiryToggle.tsx b/frontend/pages/admin/TeamManagementPage/TeamDetailsWrapper/TeamSettings/components/TeamHostExpiryToggle/TeamHostExpiryToggle.tsx
index dd46c48cff..90d07f9f06 100644
--- a/frontend/pages/admin/TeamManagementPage/TeamDetailsWrapper/TeamSettings/components/TeamHostExpiryToggle/TeamHostExpiryToggle.tsx
+++ b/frontend/pages/admin/TeamManagementPage/TeamDetailsWrapper/TeamSettings/components/TeamHostExpiryToggle/TeamHostExpiryToggle.tsx
@@ -48,32 +48,26 @@ const TeamHostExpiryToggle = ({
       <Checkbox
         name="enableHostExpiry"
         onChange={setTeamExpiryEnabled}
-        value={teamExpiryEnabled || globalHostExpiryEnabled}
-        wrapperClassName={
-          globalHostExpiryEnabled
-            ? `${baseClass}__disabled-team-host-expiry-toggle`
-            : ""
-        }
+        value={teamExpiryEnabled || globalHostExpiryEnabled} // Still shows checkmark if global expiry is enabled though the checkbox will be disabled.
+        disabled={globalHostExpiryEnabled}
         helpText={renderHelpText()}
         tooltipContent={
-          !globalHostExpiryEnabled && (
-            <>
-              When enabled, allows automatic cleanup of
+          <>
+            When enabled, allows automatic cleanup of
+            <br />
+            hosts that have not communicated with Fleet in
+            <br />
+            the number of days specified in the{" "}
+            <strong>
+              Host expiry
               <br />
-              hosts that have not communicated with Fleet in
-              <br />
-              the number of days specified in the{" "}
-              <strong>
-                Host expiry
-                <br />
-                window
-              </strong>{" "}
-              setting.{" "}
-              <em>
-                (Default: <strong>Off</strong>)
-              </em>
-            </>
-          )
+              window
+            </strong>{" "}
+            setting.{" "}
+            <em>
+              (Default: <strong>Off</strong>)
+            </em>
+          </>
         }
       >
         Enable host expiry
diff --git a/frontend/pages/admin/TeamManagementPage/TeamDetailsWrapper/TeamSettings/components/TeamHostExpiryToggle/_styles.scss b/frontend/pages/admin/TeamManagementPage/TeamDetailsWrapper/TeamSettings/components/TeamHostExpiryToggle/_styles.scss
index 43791035fd..3f18097166 100644
--- a/frontend/pages/admin/TeamManagementPage/TeamDetailsWrapper/TeamSettings/components/TeamHostExpiryToggle/_styles.scss
+++ b/frontend/pages/admin/TeamManagementPage/TeamDetailsWrapper/TeamSettings/components/TeamHostExpiryToggle/_styles.scss
@@ -1,8 +1,4 @@
 .team-host-expiry-toggle {
-  &__disabled-team-host-expiry-toggle > .fleet-checkbox {
-    @include disabled;
-  }
-
   &__add-custom-window {
     display: inline-flex;
     align-items: center;
diff --git a/frontend/styles/var/mixins.scss b/frontend/styles/var/mixins.scss
index a600c5c848..e786ab7696 100644
--- a/frontend/styles/var/mixins.scss
+++ b/frontend/styles/var/mixins.scss
@@ -117,6 +117,13 @@ $max-width: 2560px;
   cursor: default;
 }
 
+@mixin disabled-checkbox {
+  background-color: $ui-fleet-black-25;
+  border-color: $ui-fleet-black-25;
+  pointer-events: none;
+  cursor: default;
+}
+
 @mixin grey-text {
   color: $ui-fleet-black-75;
 }

From b44848eeba2c81c4ec51f4697da6dd9356ae2430 Mon Sep 17 00:00:00 2001
From: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
Date: Tue, 26 Mar 2024 10:18:34 -0400
Subject: [PATCH 08/15] Updating changelog for 4.47.2 (#17804)

---
 CHANGELOG.md                                      | 8 ++++++++
 charts/fleet/Chart.yaml                           | 2 +-
 charts/fleet/values.yaml                          | 2 +-
 infrastructure/dogfood/terraform/aws/variables.tf | 2 +-
 infrastructure/dogfood/terraform/gcp/variables.tf | 2 +-
 terraform/byo-vpc/README.md                       | 2 +-
 terraform/byo-vpc/byo-db/byo-ecs/variables.tf     | 2 +-
 terraform/byo-vpc/byo-db/variables.tf             | 2 +-
 terraform/byo-vpc/example/main.tf                 | 2 +-
 terraform/byo-vpc/variables.tf                    | 2 +-
 terraform/example/main.tf                         | 4 ++--
 terraform/variables.tf                            | 2 +-
 tools/fleetctl-npm/package.json                   | 2 +-
 13 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ac4301c2e9..c7115220bd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,11 @@
+## Fleet 4.47.2 (Mar 22, 2024)
+
+### Bug fixes
+
+* Fixed false negative vulnerabilities on macOS Homebrew Python packages.
+* Fixed policies to check "disable guest user".
+* Resolved the issue where Microsoft Edge was not reporting vulnerabilities.
+
 ## Fleet 4.47.1 (Mar 18, 2024)
 
 ### Bug fixes
diff --git a/charts/fleet/Chart.yaml b/charts/fleet/Chart.yaml
index d17e312c04..92a097ab51 100644
--- a/charts/fleet/Chart.yaml
+++ b/charts/fleet/Chart.yaml
@@ -8,7 +8,7 @@ version: v6.0.2
 home: https://github.com/fleetdm/fleet
 sources:
   - https://github.com/fleetdm/fleet.git
-appVersion: v4.47.1
+appVersion: v4.47.2
 dependencies:
   - name: mysql
     condition: mysql.enabled
diff --git a/charts/fleet/values.yaml b/charts/fleet/values.yaml
index a4e2f3b816..5c9e45f593 100644
--- a/charts/fleet/values.yaml
+++ b/charts/fleet/values.yaml
@@ -2,7 +2,7 @@
 # All settings related to how Fleet is deployed in Kubernetes
 hostName: fleet.localhost
 replicas: 3 # The number of Fleet instances to deploy
-imageTag: v4.47.1 # Version of Fleet to deploy
+imageTag: v4.47.2 # Version of Fleet to deploy
 podAnnotations: {} # Additional annotations to add to the Fleet pod
 serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account
 resources:
diff --git a/infrastructure/dogfood/terraform/aws/variables.tf b/infrastructure/dogfood/terraform/aws/variables.tf
index 532a892465..2775e36c4e 100644
--- a/infrastructure/dogfood/terraform/aws/variables.tf
+++ b/infrastructure/dogfood/terraform/aws/variables.tf
@@ -56,7 +56,7 @@ variable "database_name" {
 
 variable "fleet_image" {
   description = "the name of the container image to run"
-  default     = "fleetdm/fleet:v4.47.1"
+  default     = "fleetdm/fleet:v4.47.2"
 }
 
 variable "software_inventory" {
diff --git a/infrastructure/dogfood/terraform/gcp/variables.tf b/infrastructure/dogfood/terraform/gcp/variables.tf
index 3fb278db31..98f012a0cd 100644
--- a/infrastructure/dogfood/terraform/gcp/variables.tf
+++ b/infrastructure/dogfood/terraform/gcp/variables.tf
@@ -68,5 +68,5 @@ variable "redis_mem" {
 }
 
 variable "image" {
-  default = "fleet:v4.47.1"
+  default = "fleet:v4.47.2"
 }
diff --git a/terraform/byo-vpc/README.md b/terraform/byo-vpc/README.md
index 941a340aa0..902b942aa2 100644
--- a/terraform/byo-vpc/README.md
+++ b/terraform/byo-vpc/README.md
@@ -33,7 +33,7 @@ No requirements.
 |------|-------------|------|---------|:--------:|
 | <a name="input_alb_config"></a> [alb\_config](#input\_alb\_config) | n/a | <pre>object({<br>    name                 = optional(string, "fleet")<br>    subnets              = list(string)<br>    security_groups      = optional(list(string), [])<br>    access_logs          = optional(map(string), {})<br>    certificate_arn      = string<br>    allowed_cidrs        = optional(list(string), ["0.0.0.0/0"])<br>    allowed_ipv6_cidrs   = optional(list(string), ["::/0"])<br>    egress_cidrs         = optional(list(string), ["0.0.0.0/0"])<br>    egress_ipv6_cidrs    = optional(list(string), ["::/0"])<br>    extra_target_groups  = optional(any, [])<br>    https_listener_rules = optional(any, [])<br>    tls_policy           = optional(string, "ELBSecurityPolicy-TLS-1-2-2017-01")<br>    idle_timeout         = optional(number, 60)<br>  })</pre> | n/a | yes |
 | <a name="input_ecs_cluster"></a> [ecs\_cluster](#input\_ecs\_cluster) | The config for the terraform-aws-modules/ecs/aws module | <pre>object({<br>    autoscaling_capacity_providers = optional(any, {})<br>    cluster_configuration = optional(any, {<br>      execute_command_configuration = {<br>        logging = "OVERRIDE"<br>        log_configuration = {<br>          cloud_watch_log_group_name = "/aws/ecs/aws-ec2"<br>        }<br>      }<br>    })<br>    cluster_name = optional(string, "fleet")<br>    cluster_settings = optional(map(string), {<br>      "name" : "containerInsights",<br>      "value" : "enabled",<br>    })<br>    create                                = optional(bool, true)<br>    default_capacity_provider_use_fargate = optional(bool, true)<br>    fargate_capacity_providers = optional(any, {<br>      FARGATE = {<br>        default_capacity_provider_strategy = {<br>          weight = 100<br>        }<br>      }<br>      FARGATE_SPOT = {<br>        default_capacity_provider_strategy = {<br>          weight = 0<br>        }<br>      }<br>    })<br>    tags = optional(map(string))<br>  })</pre> | <pre>{<br>  "autoscaling_capacity_providers": {},<br>  "cluster_configuration": {<br>    "execute_command_configuration": {<br>      "log_configuration": {<br>        "cloud_watch_log_group_name": "/aws/ecs/aws-ec2"<br>      },<br>      "logging": "OVERRIDE"<br>    }<br>  },<br>  "cluster_name": "fleet",<br>  "cluster_settings": {<br>    "name": "containerInsights",<br>    "value": "enabled"<br>  },<br>  "create": true,<br>  "default_capacity_provider_use_fargate": true,<br>  "fargate_capacity_providers": {<br>    "FARGATE": {<br>      "default_capacity_provider_strategy": {<br>        "weight": 100<br>      }<br>    },<br>    "FARGATE_SPOT": {<br>      "default_capacity_provider_strategy": {<br>        "weight": 0<br>      }<br>    }<br>  },<br>  "tags": {}<br>}</pre> | no |
-| <a name="input_fleet_config"></a> [fleet\_config](#input\_fleet\_config) | The configuration object for Fleet itself. Fields that default to null will have their respective resources created if not specified. | <pre>object({<br>    mem                          = optional(number, 4096)<br>    cpu                          = optional(number, 512)<br>    image                        = optional(string, "fleetdm/fleet:v4.47.1")<br>    family                       = optional(string, "fleet")<br>    sidecars                     = optional(list(any), [])<br>    depends_on                   = optional(list(any), [])<br>    mount_points                 = optional(list(any), [])<br>    volumes                      = optional(list(any), [])<br>    extra_environment_variables  = optional(map(string), {})<br>    extra_iam_policies           = optional(list(string), [])<br>    extra_execution_iam_policies = optional(list(string), [])<br>    extra_secrets                = optional(map(string), {})<br>    security_groups              = optional(list(string), null)<br>    security_group_name          = optional(string, "fleet")<br>    iam_role_arn                 = optional(string, null)<br>    service = optional(object({<br>      name = optional(string, "fleet")<br>      }), {<br>      name = "fleet"<br>    })<br>    database = optional(object({<br>      password_secret_arn = string<br>      user                = string<br>      database            = string<br>      address             = string<br>      rr_address          = optional(string, null)<br>      }), {<br>      password_secret_arn = null<br>      user                = null<br>      database            = null<br>      address             = null<br>      rr_address          = null<br>    })<br>    redis = optional(object({<br>      address = string<br>      use_tls = optional(bool, true)<br>      }), {<br>      address = null<br>      use_tls = true<br>    })<br>    awslogs = optional(object({<br>      name      = optional(string, null)<br>      region    = optional(string, null)<br>      create    = optional(bool, true)<br>      prefix    = optional(string, "fleet")<br>      retention = optional(number, 5)<br>      }), {<br>      name      = null<br>      region    = null<br>      prefix    = "fleet"<br>      retention = 5<br>    })<br>    loadbalancer = optional(object({<br>      arn = string<br>      }), {<br>      arn = null<br>    })<br>    extra_load_balancers = optional(list(any), [])<br>    networking = optional(object({<br>      subnets         = list(string)<br>      security_groups = optional(list(string), null)<br>      }), {<br>      subnets         = null<br>      security_groups = null<br>    })<br>    autoscaling = optional(object({<br>      max_capacity                 = optional(number, 5)<br>      min_capacity                 = optional(number, 1)<br>      memory_tracking_target_value = optional(number, 80)<br>      cpu_tracking_target_value    = optional(number, 80)<br>      }), {<br>      max_capacity                 = 5<br>      min_capacity                 = 1<br>      memory_tracking_target_value = 80<br>      cpu_tracking_target_value    = 80<br>    })<br>    iam = optional(object({<br>      role = optional(object({<br>        name        = optional(string, "fleet-role")<br>        policy_name = optional(string, "fleet-iam-policy")<br>        }), {<br>        name        = "fleet-role"<br>        policy_name = "fleet-iam-policy"<br>      })<br>      execution = optional(object({<br>        name        = optional(string, "fleet-execution-role")<br>        policy_name = optional(string, "fleet-execution-role")<br>        }), {<br>        name        = "fleet-execution-role"<br>        policy_name = "fleet-iam-policy-execution"<br>      })<br>      }), {<br>      name = "fleetdm-execution-role"<br>    })<br>  })</pre> | <pre>{<br>  "autoscaling": {<br>    "cpu_tracking_target_value": 80,<br>    "max_capacity": 5,<br>    "memory_tracking_target_value": 80,<br>    "min_capacity": 1<br>  },<br>  "awslogs": {<br>    "create": true,<br>    "name": null,<br>    "prefix": "fleet",<br>    "region": null,<br>    "retention": 5<br>  },<br>  "cpu": 256,<br>  "database": {<br>    "address": null,<br>    "database": null,<br>    "password_secret_arn": null,<br>    "rr_address": null,<br>    "user": null<br>  },<br>  "depends_on": [],<br>  "extra_environment_variables": {},<br>  "extra_execution_iam_policies": [],<br>  "extra_iam_policies": [],<br>  "extra_load_balancers": [],<br>  "extra_secrets": {},<br>  "family": "fleet",<br>  "iam": {<br>    "execution": {<br>      "name": "fleet-execution-role",<br>      "policy_name": "fleet-iam-policy-execution"<br>    },<br>    "role": {<br>      "name": "fleet-role",<br>      "policy_name": "fleet-iam-policy"<br>    }<br>  },<br>  "iam_role_arn": null,<br>  "image": "fleetdm/fleet:v4.31.1",<br>  "loadbalancer": {<br>    "arn": null<br>  },<br>  "mem": 512,<br>  "mount_points": [],<br>  "networking": {<br>    "security_groups": null,<br>    "subnets": null<br>  },<br>  "redis": {<br>    "address": null,<br>    "use_tls": true<br>  },<br>  "security_group_name": "fleet",<br>  "security_groups": null,<br>  "service": {<br>    "name": "fleet"<br>  },<br>  "sidecars": [],<br>  "volumes": []<br>}</pre> | no |
+| <a name="input_fleet_config"></a> [fleet\_config](#input\_fleet\_config) | The configuration object for Fleet itself. Fields that default to null will have their respective resources created if not specified. | <pre>object({<br>    mem                          = optional(number, 4096)<br>    cpu                          = optional(number, 512)<br>    image                        = optional(string, "fleetdm/fleet:v4.47.2")<br>    family                       = optional(string, "fleet")<br>    sidecars                     = optional(list(any), [])<br>    depends_on                   = optional(list(any), [])<br>    mount_points                 = optional(list(any), [])<br>    volumes                      = optional(list(any), [])<br>    extra_environment_variables  = optional(map(string), {})<br>    extra_iam_policies           = optional(list(string), [])<br>    extra_execution_iam_policies = optional(list(string), [])<br>    extra_secrets                = optional(map(string), {})<br>    security_groups              = optional(list(string), null)<br>    security_group_name          = optional(string, "fleet")<br>    iam_role_arn                 = optional(string, null)<br>    service = optional(object({<br>      name = optional(string, "fleet")<br>      }), {<br>      name = "fleet"<br>    })<br>    database = optional(object({<br>      password_secret_arn = string<br>      user                = string<br>      database            = string<br>      address             = string<br>      rr_address          = optional(string, null)<br>      }), {<br>      password_secret_arn = null<br>      user                = null<br>      database            = null<br>      address             = null<br>      rr_address          = null<br>    })<br>    redis = optional(object({<br>      address = string<br>      use_tls = optional(bool, true)<br>      }), {<br>      address = null<br>      use_tls = true<br>    })<br>    awslogs = optional(object({<br>      name      = optional(string, null)<br>      region    = optional(string, null)<br>      create    = optional(bool, true)<br>      prefix    = optional(string, "fleet")<br>      retention = optional(number, 5)<br>      }), {<br>      name      = null<br>      region    = null<br>      prefix    = "fleet"<br>      retention = 5<br>    })<br>    loadbalancer = optional(object({<br>      arn = string<br>      }), {<br>      arn = null<br>    })<br>    extra_load_balancers = optional(list(any), [])<br>    networking = optional(object({<br>      subnets         = list(string)<br>      security_groups = optional(list(string), null)<br>      }), {<br>      subnets         = null<br>      security_groups = null<br>    })<br>    autoscaling = optional(object({<br>      max_capacity                 = optional(number, 5)<br>      min_capacity                 = optional(number, 1)<br>      memory_tracking_target_value = optional(number, 80)<br>      cpu_tracking_target_value    = optional(number, 80)<br>      }), {<br>      max_capacity                 = 5<br>      min_capacity                 = 1<br>      memory_tracking_target_value = 80<br>      cpu_tracking_target_value    = 80<br>    })<br>    iam = optional(object({<br>      role = optional(object({<br>        name        = optional(string, "fleet-role")<br>        policy_name = optional(string, "fleet-iam-policy")<br>        }), {<br>        name        = "fleet-role"<br>        policy_name = "fleet-iam-policy"<br>      })<br>      execution = optional(object({<br>        name        = optional(string, "fleet-execution-role")<br>        policy_name = optional(string, "fleet-execution-role")<br>        }), {<br>        name        = "fleet-execution-role"<br>        policy_name = "fleet-iam-policy-execution"<br>      })<br>      }), {<br>      name = "fleetdm-execution-role"<br>    })<br>  })</pre> | <pre>{<br>  "autoscaling": {<br>    "cpu_tracking_target_value": 80,<br>    "max_capacity": 5,<br>    "memory_tracking_target_value": 80,<br>    "min_capacity": 1<br>  },<br>  "awslogs": {<br>    "create": true,<br>    "name": null,<br>    "prefix": "fleet",<br>    "region": null,<br>    "retention": 5<br>  },<br>  "cpu": 256,<br>  "database": {<br>    "address": null,<br>    "database": null,<br>    "password_secret_arn": null,<br>    "rr_address": null,<br>    "user": null<br>  },<br>  "depends_on": [],<br>  "extra_environment_variables": {},<br>  "extra_execution_iam_policies": [],<br>  "extra_iam_policies": [],<br>  "extra_load_balancers": [],<br>  "extra_secrets": {},<br>  "family": "fleet",<br>  "iam": {<br>    "execution": {<br>      "name": "fleet-execution-role",<br>      "policy_name": "fleet-iam-policy-execution"<br>    },<br>    "role": {<br>      "name": "fleet-role",<br>      "policy_name": "fleet-iam-policy"<br>    }<br>  },<br>  "iam_role_arn": null,<br>  "image": "fleetdm/fleet:v4.31.1",<br>  "loadbalancer": {<br>    "arn": null<br>  },<br>  "mem": 512,<br>  "mount_points": [],<br>  "networking": {<br>    "security_groups": null,<br>    "subnets": null<br>  },<br>  "redis": {<br>    "address": null,<br>    "use_tls": true<br>  },<br>  "security_group_name": "fleet",<br>  "security_groups": null,<br>  "service": {<br>    "name": "fleet"<br>  },<br>  "sidecars": [],<br>  "volumes": []<br>}</pre> | no |
 | <a name="input_migration_config"></a> [migration\_config](#input\_migration\_config) | The configuration object for Fleet's migration task. | <pre>object({<br>    mem = number<br>    cpu = number<br>  })</pre> | <pre>{<br>  "cpu": 1024,<br>  "mem": 2048<br>}</pre> | no |
 | <a name="input_rds_config"></a> [rds\_config](#input\_rds\_config) | The config for the terraform-aws-modules/rds-aurora/aws module | <pre>object({<br>    name                            = optional(string, "fleet")<br>    engine_version                  = optional(string, "8.0.mysql_aurora.3.02.2")<br>    instance_class                  = optional(string, "db.t4g.large")<br>    subnets                         = optional(list(string), [])<br>    allowed_security_groups         = optional(list(string), [])<br>    allowed_cidr_blocks             = optional(list(string), [])<br>    apply_immediately               = optional(bool, true)<br>    monitoring_interval             = optional(number, 10)<br>    db_parameter_group_name         = optional(string)<br>    db_parameters                   = optional(map(string), {})<br>    db_cluster_parameter_group_name = optional(string)<br>    db_cluster_parameters           = optional(map(string), {})<br>    enabled_cloudwatch_logs_exports = optional(list(string), [])<br>    master_username                 = optional(string, "fleet")<br>    snapshot_identifier             = optional(string)<br>    cluster_tags                    = optional(map(string), {})<br>    preferred_maintenance_window    = optional(string, "thu:23:00-fri:00:00")<br>  })</pre> | <pre>{<br>  "allowed_cidr_blocks": [],<br>  "allowed_security_groups": [],<br>  "apply_immediately": true,<br>  "cluster_tags": {},<br>  "db_cluster_parameter_group_name": null,<br>  "db_cluster_parameters": {},<br>  "db_parameter_group_name": null,<br>  "db_parameters": {},<br>  "enabled_cloudwatch_logs_exports": [],<br>  "engine_version": "8.0.mysql_aurora.3.02.2",<br>  "instance_class": "db.t4g.large",<br>  "master_username": "fleet",<br>  "monitoring_interval": 10,<br>  "name": "fleet",<br>  "preferred_maintenance_window": "thu:23:00-fri:00:00",<br>  "snapshot_identifier": null,<br>  "subnets": []<br>}</pre> | no |
 | <a name="input_redis_config"></a> [redis\_config](#input\_redis\_config) | n/a | <pre>object({<br>    name                          = optional(string, "fleet")<br>    replication_group_id          = optional(string)<br>    elasticache_subnet_group_name = optional(string, "")<br>    allowed_security_group_ids    = optional(list(string), [])<br>    subnets                       = list(string)<br>    allowed_cidrs                 = list(string)<br>    availability_zones            = optional(list(string), [])<br>    cluster_size                  = optional(number, 3)<br>    instance_type                 = optional(string, "cache.m5.large")<br>    apply_immediately             = optional(bool, true)<br>    automatic_failover_enabled    = optional(bool, false)<br>    engine_version                = optional(string, "6.x")<br>    family                        = optional(string, "redis6.x")<br>    at_rest_encryption_enabled    = optional(bool, true)<br>    transit_encryption_enabled    = optional(bool, true)<br>    parameter = optional(list(object({<br>      name  = string<br>      value = string<br>    })), [])<br>    log_delivery_configuration = optional(list(map(any)), [])<br>    tags                       = optional(map(string), {})<br>  })</pre> | <pre>{<br>  "allowed_cidrs": null,<br>  "allowed_security_group_ids": [],<br>  "apply_immediately": true,<br>  "at_rest_encryption_enabled": true,<br>  "automatic_failover_enabled": false,<br>  "availability_zones": [],<br>  "cluster_size": 3,<br>  "elasticache_subnet_group_name": "",<br>  "engine_version": "6.x",<br>  "family": "redis6.x",<br>  "instance_type": "cache.m5.large",<br>  "log_delivery_configuration": [],<br>  "name": "fleet",<br>  "parameter": [],<br>  "replication_group_id": null,<br>  "subnets": null,<br>  "tags": {},<br>  "transit_encryption_enabled": true<br>}</pre> | no |
diff --git a/terraform/byo-vpc/byo-db/byo-ecs/variables.tf b/terraform/byo-vpc/byo-db/byo-ecs/variables.tf
index f91717e035..0fac721d46 100644
--- a/terraform/byo-vpc/byo-db/byo-ecs/variables.tf
+++ b/terraform/byo-vpc/byo-db/byo-ecs/variables.tf
@@ -13,7 +13,7 @@ variable "fleet_config" {
   type = object({
     mem                          = optional(number, 4096)
     cpu                          = optional(number, 512)
-    image                        = optional(string, "fleetdm/fleet:v4.47.1")
+    image                        = optional(string, "fleetdm/fleet:v4.47.2")
     family                       = optional(string, "fleet")
     sidecars                     = optional(list(any), [])
     depends_on                   = optional(list(any), [])
diff --git a/terraform/byo-vpc/byo-db/variables.tf b/terraform/byo-vpc/byo-db/variables.tf
index ccc1350a59..090ba32812 100644
--- a/terraform/byo-vpc/byo-db/variables.tf
+++ b/terraform/byo-vpc/byo-db/variables.tf
@@ -74,7 +74,7 @@ variable "fleet_config" {
   type = object({
     mem                          = optional(number, 4096)
     cpu                          = optional(number, 512)
-    image                        = optional(string, "fleetdm/fleet:v4.47.1")
+    image                        = optional(string, "fleetdm/fleet:v4.47.2")
     family                       = optional(string, "fleet")
     sidecars                     = optional(list(any), [])
     depends_on                   = optional(list(any), [])
diff --git a/terraform/byo-vpc/example/main.tf b/terraform/byo-vpc/example/main.tf
index 0a3234a11d..51c04fed72 100644
--- a/terraform/byo-vpc/example/main.tf
+++ b/terraform/byo-vpc/example/main.tf
@@ -17,7 +17,7 @@ provider "aws" {
 }
 
 locals {
-  fleet_image = "fleetdm/fleet:v4.47.1"
+  fleet_image = "fleetdm/fleet:v4.47.2"
   domain_name = "example.com"
 }
 
diff --git a/terraform/byo-vpc/variables.tf b/terraform/byo-vpc/variables.tf
index e9ae55c2d6..e886db4212 100644
--- a/terraform/byo-vpc/variables.tf
+++ b/terraform/byo-vpc/variables.tf
@@ -167,7 +167,7 @@ variable "fleet_config" {
   type = object({
     mem                          = optional(number, 4096)
     cpu                          = optional(number, 512)
-    image                        = optional(string, "fleetdm/fleet:v4.47.1")
+    image                        = optional(string, "fleetdm/fleet:v4.47.2")
     family                       = optional(string, "fleet")
     sidecars                     = optional(list(any), [])
     depends_on                   = optional(list(any), [])
diff --git a/terraform/example/main.tf b/terraform/example/main.tf
index b13e7319d0..9339221dcb 100644
--- a/terraform/example/main.tf
+++ b/terraform/example/main.tf
@@ -59,8 +59,8 @@ module "fleet" {
 
   fleet_config = {
     # To avoid pull-rate limiting from dockerhub, consider using our quay.io mirror
-    # for the Fleet image. e.g. "quay.io/fleetdm/fleet:v4.47.1"
-    image = "fleetdm/fleet:v4.47.1" # override default to deploy the image you desire
+    # for the Fleet image. e.g. "quay.io/fleetdm/fleet:v4.47.2"
+    image = "fleetdm/fleet:v4.47.2" # override default to deploy the image you desire
     # See https://fleetdm.com/docs/deploy/reference-architectures#aws for appropriate scaling
     # memory and cpu.
     autoscaling = {
diff --git a/terraform/variables.tf b/terraform/variables.tf
index ec0e865dce..b77887ddb2 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -215,7 +215,7 @@ variable "fleet_config" {
   type = object({
     mem                          = optional(number, 4096)
     cpu                          = optional(number, 512)
-    image                        = optional(string, "fleetdm/fleet:v4.47.1")
+    image                        = optional(string, "fleetdm/fleet:v4.47.2")
     family                       = optional(string, "fleet")
     sidecars                     = optional(list(any), [])
     depends_on                   = optional(list(any), [])
diff --git a/tools/fleetctl-npm/package.json b/tools/fleetctl-npm/package.json
index 6cbd601152..af247c6058 100644
--- a/tools/fleetctl-npm/package.json
+++ b/tools/fleetctl-npm/package.json
@@ -1,6 +1,6 @@
 {
   "name": "fleetctl",
-  "version": "v4.47.1",
+  "version": "v4.47.2",
   "description": "Installer for the fleetctl CLI tool",
   "bin": {
     "fleetctl": "./run.js"

From acb79596493b9bfabf3a4412b431f9fb433f9ef0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 26 Mar 2024 10:07:50 -0500
Subject: [PATCH 09/15] Bump express from 4.17.3 to 4.19.2 (#17857)

---
 package.json |   2 +-
 yarn.lock    | 200 ++++++++-------------------------------------------
 2 files changed, 29 insertions(+), 173 deletions(-)

diff --git a/package.json b/package.json
index f73d7ba44e..1d44659eaf 100644
--- a/package.json
+++ b/package.json
@@ -24,7 +24,7 @@
     "dompurify": "3.0.3",
     "es6-object-assign": "1.1.0",
     "es6-promise": "4.2.8",
-    "express": "4.17.3",
+    "express": "4.19.2",
     "file-saver": "1.3.8",
     "history": "2.1.0",
     "isomorphic-fetch": "3.0.0",
diff --git a/yarn.lock b/yarn.lock
index eca3a26a55..d7753d0ebe 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -6639,29 +6639,13 @@ bn.js@^5.0.0, bn.js@^5.2.1:
   resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-5.2.1.tgz#0bc527a6a0d18d0aa8d5b0538ce4a77dccfa7b70"
   integrity sha512-eXRvHzWyYPBuB4NBy0cmYQjGitUrtqwbvlzP3G6VFnNRbsZQIxQ10PbKKHt8gZ/HW/D/747aDl+QkDqg3KQLMQ==
 
-body-parser@1.19.2:
-  version "1.19.2"
-  resolved "https://registry.npmjs.org/body-parser/-/body-parser-1.19.2.tgz"
-  integrity sha512-SAAwOxgoCKMGs9uUAUFHygfLAyaniaoun6I8mFY9pRAJL9+Kec34aU+oIjDhTycub1jozEfEwx1W1IuOYxVSFw==
+body-parser@1.20.2:
+  version "1.20.2"
+  resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.2.tgz#6feb0e21c4724d06de7ff38da36dad4f57a747fd"
+  integrity sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA==
   dependencies:
     bytes "3.1.2"
-    content-type "~1.0.4"
-    debug "2.6.9"
-    depd "~1.1.2"
-    http-errors "1.8.1"
-    iconv-lite "0.4.24"
-    on-finished "~2.3.0"
-    qs "6.9.7"
-    raw-body "2.4.3"
-    type-is "~1.6.18"
-
-body-parser@1.20.1:
-  version "1.20.1"
-  resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.1.tgz#b1812a8912c195cd371a3ee5e66faa2338a5c668"
-  integrity sha512-jWi7abTbYwajOytWCQc37VulmWiRae5RyTpaCyDcS5/lMdtwSz5lOpDE67srw/HYe35f1z3fDQw+3txg7gNtWw==
-  dependencies:
-    bytes "3.1.2"
-    content-type "~1.0.4"
+    content-type "~1.0.5"
     debug "2.6.9"
     depd "2.0.0"
     destroy "1.2.0"
@@ -6669,7 +6653,7 @@ body-parser@1.20.1:
     iconv-lite "0.4.24"
     on-finished "2.4.1"
     qs "6.11.0"
-    raw-body "2.5.1"
+    raw-body "2.5.2"
     type-is "~1.6.18"
     unpipe "1.0.0"
 
@@ -7551,10 +7535,10 @@ content-disposition@0.5.4:
   dependencies:
     safe-buffer "5.2.1"
 
-content-type@~1.0.4:
-  version "1.0.4"
-  resolved "https://registry.npmjs.org/content-type/-/content-type-1.0.4.tgz"
-  integrity sha512-hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA==
+content-type@~1.0.4, content-type@~1.0.5:
+  version "1.0.5"
+  resolved "https://registry.yarnpkg.com/content-type/-/content-type-1.0.5.tgz#8b773162656d1d1086784c8f23a54ce6d73d7918"
+  integrity sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==
 
 convert-source-map@^1.1.0, convert-source-map@^1.4.0, convert-source-map@^1.5.0, convert-source-map@^1.6.0, convert-source-map@^1.7.0:
   version "1.9.0"
@@ -7571,16 +7555,16 @@ cookie-signature@1.0.6:
   resolved "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz"
   integrity sha1-4wOogrNCzD7oylE6eZmXNNqzriw=
 
-cookie@0.4.2, cookie@^0.4.2:
+cookie@0.6.0:
+  version "0.6.0"
+  resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.6.0.tgz#2798b04b071b0ecbff0dbb62a505a8efa4e19051"
+  integrity sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==
+
+cookie@^0.4.2:
   version "0.4.2"
   resolved "https://registry.npmjs.org/cookie/-/cookie-0.4.2.tgz"
   integrity sha512-aSWTXFzaKWkvHO1Ny/s+ePFpvKsPnjc551iI41v3ny/ow6tBG5Vd+FuqGNhh1LxOmVzOlGUriIlOaokOvhaStA==
 
-cookie@0.5.0:
-  version "0.5.0"
-  resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.5.0.tgz#d1f5d71adec6558c58f389987c366aa47e994f8b"
-  integrity sha512-YZ3GUyn/o8gfKJlnlX7g7xq4gyO6OSuhGPKaaGssGB2qgDUS0gPgtTvoyZLTt9Ab6dC4hfc9dV5arkvc/OCmrw==
-
 copy-descriptor@^0.1.0:
   version "0.1.1"
   resolved "https://registry.yarnpkg.com/copy-descriptor/-/copy-descriptor-0.1.1.tgz#676f6eb3c39997c2ee1ac3a924fd6124748f578d"
@@ -8034,7 +8018,7 @@ depd@2.0.0:
   resolved "https://registry.yarnpkg.com/depd/-/depd-2.0.0.tgz#b696163cc757560d09cf22cc8fad1571b79e76df"
   integrity sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==
 
-depd@^1.1.2, depd@~1.1.2:
+depd@^1.1.2:
   version "1.1.2"
   resolved "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz"
   integrity sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak=
@@ -8057,11 +8041,6 @@ destroy@1.2.0:
   resolved "https://registry.yarnpkg.com/destroy/-/destroy-1.2.0.tgz#4803735509ad8be552934c67df614f94e66fa015"
   integrity sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==
 
-destroy@~1.0.4:
-  version "1.0.4"
-  resolved "https://registry.npmjs.org/destroy/-/destroy-1.0.4.tgz"
-  integrity sha1-l4hXRCxEdJ5CBmE+N5RiBYJqvYA=
-
 detect-file@^1.0.0:
   version "1.0.0"
   resolved "https://registry.npmjs.org/detect-file/-/detect-file-1.0.0.tgz"
@@ -9215,53 +9194,17 @@ expect@^29.2.0:
     jest-message-util "^29.2.0"
     jest-util "^29.2.0"
 
-express@4.17.3:
-  version "4.17.3"
-  resolved "https://registry.yarnpkg.com/express/-/express-4.17.3.tgz#f6c7302194a4fb54271b73a1fe7a06478c8f85a1"
-  integrity sha512-yuSQpz5I+Ch7gFrPCk4/c+dIBKlQUxtgwqzph132bsT6qhuzss6I8cLJQz7B3rFblzd6wtcI0ZbGltH/C4LjUg==
+express@4.19.2, express@^4.17.3:
+  version "4.19.2"
+  resolved "https://registry.yarnpkg.com/express/-/express-4.19.2.tgz#e25437827a3aa7f2a827bc8171bbbb664a356465"
+  integrity sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q==
   dependencies:
     accepts "~1.3.8"
     array-flatten "1.1.1"
-    body-parser "1.19.2"
+    body-parser "1.20.2"
     content-disposition "0.5.4"
     content-type "~1.0.4"
-    cookie "0.4.2"
-    cookie-signature "1.0.6"
-    debug "2.6.9"
-    depd "~1.1.2"
-    encodeurl "~1.0.2"
-    escape-html "~1.0.3"
-    etag "~1.8.1"
-    finalhandler "~1.1.2"
-    fresh "0.5.2"
-    merge-descriptors "1.0.1"
-    methods "~1.1.2"
-    on-finished "~2.3.0"
-    parseurl "~1.3.3"
-    path-to-regexp "0.1.7"
-    proxy-addr "~2.0.7"
-    qs "6.9.7"
-    range-parser "~1.2.1"
-    safe-buffer "5.2.1"
-    send "0.17.2"
-    serve-static "1.14.2"
-    setprototypeof "1.2.0"
-    statuses "~1.5.0"
-    type-is "~1.6.18"
-    utils-merge "1.0.1"
-    vary "~1.1.2"
-
-express@^4.17.3:
-  version "4.18.2"
-  resolved "https://registry.yarnpkg.com/express/-/express-4.18.2.tgz#3fabe08296e930c796c19e3c516979386ba9fd59"
-  integrity sha512-5/PsL6iGPdfQ/lKM1UuielYgv3BUoJfz1aUwU9vHZ+J7gyvwdQXFEBIEIaxeGf0GIcreATNyBExtalisDbuMqQ==
-  dependencies:
-    accepts "~1.3.8"
-    array-flatten "1.1.1"
-    body-parser "1.20.1"
-    content-disposition "0.5.4"
-    content-type "~1.0.4"
-    cookie "0.5.0"
+    cookie "0.6.0"
     cookie-signature "1.0.6"
     debug "2.6.9"
     depd "2.0.0"
@@ -9479,19 +9422,6 @@ finalhandler@1.2.0:
     statuses "2.0.1"
     unpipe "~1.0.0"
 
-finalhandler@~1.1.2:
-  version "1.1.2"
-  resolved "https://registry.npmjs.org/finalhandler/-/finalhandler-1.1.2.tgz"
-  integrity sha512-aAWcW57uxVNrQZqFXjITpW3sIUQmHGG3qSb9mUah9MgMC4NeWhNOlNjXEYq3HjRAvL6arUviZGGJsBg6z0zsWA==
-  dependencies:
-    debug "2.6.9"
-    encodeurl "~1.0.2"
-    escape-html "~1.0.3"
-    on-finished "~2.3.0"
-    parseurl "~1.3.3"
-    statuses "~1.5.0"
-    unpipe "~1.0.0"
-
 find-cache-dir@^2.0.0:
   version "2.1.0"
   resolved "https://registry.yarnpkg.com/find-cache-dir/-/find-cache-dir-2.1.0.tgz#8d0f94cd13fe43c6c7c261a0d86115ca918c05f7"
@@ -10413,17 +10343,6 @@ http-cache-semantics@^4.1.0:
   resolved "https://registry.yarnpkg.com/http-cache-semantics/-/http-cache-semantics-4.1.1.tgz#abe02fcb2985460bf0323be664436ec3476a6d5a"
   integrity sha512-er295DKPVsV82j5kw1Gjt+ADA/XYHsajl82cGNQG2eyoPkvgUhX+nDIyelzhIWbbsXP39EHcI6l5tYs2FYqYXQ==
 
-http-errors@1.8.1:
-  version "1.8.1"
-  resolved "https://registry.npmjs.org/http-errors/-/http-errors-1.8.1.tgz"
-  integrity sha512-Kpk9Sm7NmI+RHhnj6OIWDI1d6fIoFAtFt9RLaTMRlg/8w49juAStsrBgp0Dp4OdxdVbRIeKhtCUvoi/RuAhO4g==
-  dependencies:
-    depd "~1.1.2"
-    inherits "2.0.4"
-    setprototypeof "1.2.0"
-    statuses ">= 1.5.0 < 2"
-    toidentifier "1.0.1"
-
 http-errors@2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/http-errors/-/http-errors-2.0.0.tgz#b7774a1486ef73cf7667ac9ae0858c012c57b9d3"
@@ -14102,13 +14021,6 @@ on-finished@2.4.1:
   dependencies:
     ee-first "1.1.1"
 
-on-finished@~2.3.0:
-  version "2.3.0"
-  resolved "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz"
-  integrity sha1-IPEzZIGwg811M3mSoWlxqi2QaUc=
-  dependencies:
-    ee-first "1.1.1"
-
 on-headers@~1.0.2:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/on-headers/-/on-headers-1.0.2.tgz#772b0ae6aaa525c399e489adfad90c403eb3c28f"
@@ -14907,25 +14819,13 @@ puppeteer-core@^2.1.1:
     rimraf "^2.6.1"
     ws "^6.1.0"
 
-qs@6.11.0:
+qs@6.11.0, qs@^6.10.0:
   version "6.11.0"
   resolved "https://registry.yarnpkg.com/qs/-/qs-6.11.0.tgz#fd0d963446f7a65e1367e01abd85429453f0c37a"
   integrity sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==
   dependencies:
     side-channel "^1.0.4"
 
-qs@6.9.7:
-  version "6.9.7"
-  resolved "https://registry.npmjs.org/qs/-/qs-6.9.7.tgz"
-  integrity sha512-IhMFgUmuNpyRfxA90umL7ByLlgRXu6tIfKPpF5TmcfRLlLCckfP/g3IQmju6jjpu+Hh8rA+2p6A27ZSPOOHdKw==
-
-qs@^6.10.0:
-  version "6.10.3"
-  resolved "https://registry.npmjs.org/qs/-/qs-6.10.3.tgz"
-  integrity sha512-wr7M2E0OFRfIfJZjKGieI8lBKb7fRCH4Fv5KNPEs7gJ8jadvotdsS08PzOKR7opXhZ/Xkjtt3WF9g38drmyRqQ==
-  dependencies:
-    side-channel "^1.0.4"
-
 query-string@^3.0.0:
   version "3.0.3"
   resolved "https://registry.npmjs.org/query-string/-/query-string-3.0.3.tgz"
@@ -14998,20 +14898,10 @@ range-parser@^1.2.1, range-parser@~1.2.1:
   resolved "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz"
   integrity sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==
 
-raw-body@2.4.3:
-  version "2.4.3"
-  resolved "https://registry.npmjs.org/raw-body/-/raw-body-2.4.3.tgz"
-  integrity sha512-UlTNLIcu0uzb4D2f4WltY6cVjLi+/jEN4lgEUj3E04tpMDpUlkBo/eSn6zou9hum2VMNpCCUone0O0WeJim07g==
-  dependencies:
-    bytes "3.1.2"
-    http-errors "1.8.1"
-    iconv-lite "0.4.24"
-    unpipe "1.0.0"
-
-raw-body@2.5.1:
-  version "2.5.1"
-  resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.5.1.tgz#fe1b1628b181b700215e5fd42389f98b71392857"
-  integrity sha512-qqJBtEyVgS0ZmPGdCFPWJ3FreoqvG4MVQln/kCgF7Olq95IbOp0/BWyMwbdtn4VTvkM8Y7khCQ2Xgk/tcrCXig==
+raw-body@2.5.2:
+  version "2.5.2"
+  resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.5.2.tgz#99febd83b90e08975087e8f1f9419a149366b68a"
+  integrity sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA==
   dependencies:
     bytes "3.1.2"
     http-errors "2.0.0"
@@ -15977,25 +15867,6 @@ semver@^7.2.1, semver@^7.3.2, semver@^7.3.4, semver@^7.3.5, semver@^7.3.7, semve
   dependencies:
     lru-cache "^6.0.0"
 
-send@0.17.2:
-  version "0.17.2"
-  resolved "https://registry.npmjs.org/send/-/send-0.17.2.tgz"
-  integrity sha512-UJYB6wFSJE3G00nEivR5rgWp8c2xXvJ3OPWPhmuteU0IKj8nKbG3DrjiOmLwpnHGYWAVwA69zmTm++YG0Hmwww==
-  dependencies:
-    debug "2.6.9"
-    depd "~1.1.2"
-    destroy "~1.0.4"
-    encodeurl "~1.0.2"
-    escape-html "~1.0.3"
-    etag "~1.8.1"
-    fresh "0.5.2"
-    http-errors "1.8.1"
-    mime "1.6.0"
-    ms "2.1.3"
-    on-finished "~2.3.0"
-    range-parser "~1.2.1"
-    statuses "~1.5.0"
-
 send@0.18.0:
   version "0.18.0"
   resolved "https://registry.yarnpkg.com/send/-/send-0.18.0.tgz#670167cc654b05f5aa4a767f9113bb371bc706be"
@@ -16037,16 +15908,6 @@ serialize-javascript@^6.0.1:
   dependencies:
     randombytes "^2.1.0"
 
-serve-static@1.14.2:
-  version "1.14.2"
-  resolved "https://registry.npmjs.org/serve-static/-/serve-static-1.14.2.tgz"
-  integrity sha512-+TMNA9AFxUEGuC0z2mevogSnn9MXKb4fa7ngeRMJaaGv8vTwnIEkKi+QGvPt33HSnf8pRS+WGM0EbMtCJLKMBQ==
-  dependencies:
-    encodeurl "~1.0.2"
-    escape-html "~1.0.3"
-    parseurl "~1.3.3"
-    send "0.17.2"
-
 serve-static@1.15.0:
   version "1.15.0"
   resolved "https://registry.yarnpkg.com/serve-static/-/serve-static-1.15.0.tgz#faaef08cffe0a1a62f60cad0c4e513cff0ac9540"
@@ -16439,11 +16300,6 @@ statuses@2.0.1, statuses@^2.0.0:
   resolved "https://registry.yarnpkg.com/statuses/-/statuses-2.0.1.tgz#55cb000ccf1d48728bd23c685a063998cf1a1b63"
   integrity sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ==
 
-"statuses@>= 1.5.0 < 2", statuses@~1.5.0:
-  version "1.5.0"
-  resolved "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz"
-  integrity sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow=
-
 stdout-stream@^1.4.0:
   version "1.4.1"
   resolved "https://registry.npmjs.org/stdout-stream/-/stdout-stream-1.4.1.tgz"

From 4271ca7fd63317d865383ed8b57305d5dd5a2a24 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Tue, 26 Mar 2024 12:16:28 -0400
Subject: [PATCH 10/15] Update rest-api.md (#17794)

- Clarify that hostnames are fully qualified domain names (FQDNs). FQDN
= hostname + domain.

For the following issue: #16895
---
 docs/REST API/rest-api.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/REST API/rest-api.md b/docs/REST API/rest-api.md
index a9f2ccdda4..2358f62050 100644
--- a/docs/REST API/rest-api.md	
+++ b/docs/REST API/rest-api.md	
@@ -2518,7 +2518,7 @@ Returns the information of the specified host.
 Returns the information of the host specified using the `uuid`, `hardware_serial`, `osquery_host_id`, `hostname`, or
 `node_key` as an identifier.
 
-If `hostname` is specified when there is more than one host with the same hostname, the endpoint returns the first matching host.
+If `hostname` is specified when there is more than one host with the same hostname, the endpoint returns the first matching host. In Fleet, hostnames are fully qualified domain names (FQDNs).
 
 `GET /api/v1/fleet/hosts/identifier/:identifier`
 

From 8f24649a0886ece1e31f33680600f985004c4ea7 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Tue, 26 Mar 2024 12:18:13 -0400
Subject: [PATCH 11/15] In dogfood, collect expiration for MDM SCEP
 certificates (#17848)

- Add query that runs every 5 minutes to the workstations team
- Plan is to remove the query after the issue tracking renewing all SCEP
certs is closed: https://github.com/fleetdm/confidential/issues/4518
---
 it-and-security/teams/workstations.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/it-and-security/teams/workstations.yml b/it-and-security/teams/workstations.yml
index 49a6a476a0..95ca009dc3 100644
--- a/it-and-security/teams/workstations.yml
+++ b/it-and-security/teams/workstations.yml
@@ -61,3 +61,11 @@ queries:
   - path: ../lib/collect-failed-login-attempts.queries.yml
   - path: ../lib/collect-usb-devices.queries.yml
   - path: ../lib/collect-vs-code-extensions.queries.yml
+  - name: Collect expiration date for MDM SCEP certificates
+    description: "For the following issue: https://github.com/fleetdm/confidential/issues/4518. Returns expiration date for macOS hosts's MDM SCEP certs."
+    query: "SELECT common_name, datetime(not_valid_after,'unixepoch') AS expires FROM certificates WHERE 'common_name' LIKE '%FleetDM Identity%';"
+    platform: darwin
+    interval: 300
+    automations_enabled: false
+    observer_can_run: true
+

From 5872156f225a792911f2abcce134d7ac725c269a Mon Sep 17 00:00:00 2001
From: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
Date: Tue, 26 Mar 2024 12:37:08 -0400
Subject: [PATCH 12/15] [released bug/s] Fleet UI: Live query sort updates
 (#17836)

---
 frontend/interfaces/osquery_table.ts          |  4 +++-
 .../PolicyQueriesTableConfig.tsx              |  1 +
 .../components/QueryResults/QueryResults.tsx  | 24 ++++++++++++++++++-
 .../QueryResults/QueryResultsTableConfig.tsx  | 24 +++++++++++++++++--
 4 files changed, 49 insertions(+), 4 deletions(-)

diff --git a/frontend/interfaces/osquery_table.ts b/frontend/interfaces/osquery_table.ts
index 36f5295e9d..3befc8f403 100644
--- a/frontend/interfaces/osquery_table.ts
+++ b/frontend/interfaces/osquery_table.ts
@@ -19,7 +19,9 @@ export type ColumnType =
   | "bigint"
   | "double"
   | "text"
-  | "unsigned_bigint";
+  | "unsigned_bigint"
+  | "STRING"
+  | "string"; // TODO: Why do we have type string, STRING, and text in schema.json?
 
 export interface IQueryTableColumn {
   name: string;
diff --git a/frontend/pages/policies/PolicyPage/components/PolicyQueriesTable/PolicyQueriesTableConfig.tsx b/frontend/pages/policies/PolicyPage/components/PolicyQueriesTable/PolicyQueriesTableConfig.tsx
index 4af0539954..2ae2ad5bde 100644
--- a/frontend/pages/policies/PolicyPage/components/PolicyQueriesTable/PolicyQueriesTableConfig.tsx
+++ b/frontend/pages/policies/PolicyPage/components/PolicyQueriesTable/PolicyQueriesTableConfig.tsx
@@ -53,6 +53,7 @@ const generateTableHeaders = (): IDataColumn[] => {
       Cell: (cellProps: ICellProps): JSX.Element => (
         <TextCell value={cellProps.cell.value} />
       ),
+      sortType: "caseInsensitive",
     },
     {
       title: "Status",
diff --git a/frontend/pages/queries/edit/components/QueryResults/QueryResults.tsx b/frontend/pages/queries/edit/components/QueryResults/QueryResults.tsx
index 1006fcad20..786563c05b 100644
--- a/frontend/pages/queries/edit/components/QueryResults/QueryResults.tsx
+++ b/frontend/pages/queries/edit/components/QueryResults/QueryResults.tsx
@@ -5,13 +5,16 @@ import classnames from "classnames";
 import FileSaver from "file-saver";
 import { QueryContext } from "context/query";
 import { useDebouncedCallback } from "use-debounce";
+import { find } from "lodash";
 
 import {
   generateCSVFilename,
   generateCSVQueryResults,
 } from "utilities/generate_csv";
+import { osqueryTables } from "utilities/osquery_tables";
 import { ICampaign, ICampaignError } from "interfaces/campaign";
 import { ITarget } from "interfaces/target";
+import { IQueryTableColumn } from "interfaces/osquery_table";
 
 import Button from "components/buttons/Button";
 import Icon from "components/Icon/Icon";
@@ -22,6 +25,7 @@ import QueryResultsHeading from "components/queries/queryResults/QueryResultsHea
 import AwaitingResults from "components/queries/queryResults/AwaitingResults";
 import InfoBanner from "components/InfoBanner";
 import CustomLink from "components/CustomLink";
+import { checkTable } from "utilities/sql_tools";
 
 import generateColumnConfigsFromRows from "./QueryResultsTableConfig";
 
@@ -73,6 +77,9 @@ const QueryResults = ({
   const [queryResultsForTableRender, setQueryResultsForTableRender] = useState(
     queryResults
   );
+  const [osqueryTableColumns, setOsqueryTableColumns] = useState<
+    IQueryTableColumn[] | []
+  >([]);
 
   // immediately reset results
   const onRunAgain = useCallback(() => {
@@ -91,10 +98,25 @@ const QueryResults = ({
     debounceQueryResults(queryResults);
   }, [queryResults, debounceQueryResults]);
 
+  // Set table/s columns from SQL
+  useEffect(() => {
+    const tableNames =
+      (lastEditedQueryBody && checkTable(lastEditedQueryBody).tables) || [];
+
+    let columns: IQueryTableColumn[] | [] = [];
+    tableNames.forEach((tableName: string) => {
+      const tableColumns =
+        find(osqueryTables, { name: tableName })?.columns || [];
+      columns = [...columns, ...tableColumns];
+    });
+    setOsqueryTableColumns(columns);
+  }, [lastEditedQueryBody]);
+
   useEffect(() => {
     if (queryResults && queryResults.length > 0) {
       const newResultsColumnConfigs = generateColumnConfigsFromRows(
-        queryResults
+        queryResults,
+        osqueryTableColumns
       );
       // Update tableHeaders if new headers are found
       if (newResultsColumnConfigs !== resultsColumnConfigs) {
diff --git a/frontend/pages/queries/edit/components/QueryResults/QueryResultsTableConfig.tsx b/frontend/pages/queries/edit/components/QueryResults/QueryResultsTableConfig.tsx
index 4a24b110dd..75327cea21 100644
--- a/frontend/pages/queries/edit/components/QueryResults/QueryResultsTableConfig.tsx
+++ b/frontend/pages/queries/edit/components/QueryResults/QueryResultsTableConfig.tsx
@@ -4,6 +4,7 @@
 import React from "react";
 
 import { CellProps, Column, HeaderProps } from "react-table";
+import { find } from "lodash";
 
 import DefaultColumnFilter from "components/TableContainer/DataTable/DefaultColumnFilter";
 import HeaderCell from "components/TableContainer/DataTable/HeaderCell/HeaderCell";
@@ -11,6 +12,7 @@ import {
   getUniqueColumnNamesFromRows,
   internallyTruncateText,
 } from "utilities/helpers";
+import { IQueryTableColumn } from "interfaces/osquery_table";
 
 const _unshiftHostname = <T extends object>(columns: Column<T>[]) => {
   const newHeaders = [...columns];
@@ -32,10 +34,28 @@ const _unshiftHostname = <T extends object>(columns: Column<T>[]) => {
   return newHeaders;
 };
 
+// Sorts numerical columns correctly while perserving case insensitive sort for text columns
+const sortType = (
+  colName: string | number | symbol,
+  osqueryTableColumns?: IQueryTableColumn[] | []
+) => {
+  if (typeof colName === "string" && !!osqueryTableColumns) {
+    const numberTypes = ["integer", "bigint", "unsigned_bigint", "double"];
+
+    const type = find(osqueryTableColumns, { name: colName })?.type;
+
+    if (type && numberTypes.includes(type)) {
+      return "alphanumeric";
+    }
+  }
+  return "caseInsensitive";
+};
+
 const generateColumnConfigsFromRows = <T extends Record<keyof T, unknown>>(
   // TODO - narrow typing down this entire chain of logic
   // typed as any[] to accomodate loose typing of websocket API
-  results: T[] // {col:val, ...} for each row of query results
+  results: T[], // {col:val, ...} for each row of query results
+  osqueryTableColumns?: IQueryTableColumn[] | []
 ): Column<T>[] => {
   const uniqueColumnNames = getUniqueColumnNamesFromRows(results);
   const columnsConfigs = uniqueColumnNames.map<Column<T>>((colName) => {
@@ -56,7 +76,7 @@ const generateColumnConfigsFromRows = <T extends Record<keyof T, unknown>>(
       },
       Filter: DefaultColumnFilter,
       disableSortBy: false,
-      sortType: "caseInsensitive",
+      sortType: sortType(colName, osqueryTableColumns),
     };
   });
   return _unshiftHostname(columnsConfigs);

From 746a254362d375ef7cc734fa3b63bade5177dc59 Mon Sep 17 00:00:00 2001
From: Gabriel Hernandez <ghernandez345@gmail.com>
Date: Tue, 26 Mar 2024 16:38:53 +0000
Subject: [PATCH 13/15] fix ui bug for showing os updates table with no team
 (#17862)

quick fix to correctly show the os versions for "no teams" on os updates
page

**before:**

<img width="1688" alt="image"
src="https://github.com/fleetdm/fleet/assets/1153709/6867e62f-48a0-4020-9760-86c6f62af207">

**after:**

<img width="1687" alt="image"
src="https://github.com/fleetdm/fleet/assets/1153709/6d5245e4-bb46-466a-ba9f-7752ea1b0997">

- [x] Manual QA for all new/changed functionality
---
 .../CurrentVersionSection.tsx                   |  9 +++++----
 .../CurrentVersionSection/_styles.scss          |  4 ++++
 frontend/services/entities/operating_systems.ts | 17 ++++++++++++++---
 3 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/frontend/pages/ManageControlsPage/OSUpdates/components/CurrentVersionSection/CurrentVersionSection.tsx b/frontend/pages/ManageControlsPage/OSUpdates/components/CurrentVersionSection/CurrentVersionSection.tsx
index 6253acf923..a77aec7b04 100644
--- a/frontend/pages/ManageControlsPage/OSUpdates/components/CurrentVersionSection/CurrentVersionSection.tsx
+++ b/frontend/pages/ManageControlsPage/OSUpdates/components/CurrentVersionSection/CurrentVersionSection.tsx
@@ -55,20 +55,21 @@ const CurrentVersionSection = ({
     );
   };
 
-  if (!data) {
-    return null;
-  }
-
   const renderTable = () => {
     if (isError) {
       return (
         <DataError
+          className={`${baseClass}__error`}
           description="Refresh the page to try again."
           excludeIssueLink
         />
       );
     }
 
+    if (!data) {
+      return null;
+    }
+
     if (!data.os_versions) {
       return <OSVersionsEmptyState />;
     }
diff --git a/frontend/pages/ManageControlsPage/OSUpdates/components/CurrentVersionSection/_styles.scss b/frontend/pages/ManageControlsPage/OSUpdates/components/CurrentVersionSection/_styles.scss
index 41163be448..4fd04a2e4f 100644
--- a/frontend/pages/ManageControlsPage/OSUpdates/components/CurrentVersionSection/_styles.scss
+++ b/frontend/pages/ManageControlsPage/OSUpdates/components/CurrentVersionSection/_styles.scss
@@ -15,4 +15,8 @@
       font-size: 18px;
     }
   }
+
+  &__error {
+    padding: $pad-xxlarge;
+  }
 }
diff --git a/frontend/services/entities/operating_systems.ts b/frontend/services/entities/operating_systems.ts
index f58d666048..29ba06b141 100644
--- a/frontend/services/entities/operating_systems.ts
+++ b/frontend/services/entities/operating_systems.ts
@@ -4,6 +4,7 @@ import endpoints from "utilities/endpoints";
 import { IOperatingSystemVersion } from "interfaces/operating_system";
 import { OsqueryPlatform } from "interfaces/platform";
 import { buildQueryStringFromParams } from "utilities/url";
+import { API_NO_TEAM_ID } from "interfaces/team";
 
 // TODO: add platforms to this constant as new ones are supported
 export const OS_VERSIONS_API_SUPPORTED_PLATFORMS = [
@@ -49,6 +50,11 @@ export interface IOSVersionResponse {
   os_version: IOperatingSystemVersion;
 }
 
+type IGetOSVersionsRequestQueryParams = Record<
+  string,
+  string | number | undefined
+>;
+
 export const getOSVersions = ({
   platform,
   teamId,
@@ -62,16 +68,21 @@ export const getOSVersions = ({
   const { OS_VERSIONS } = endpoints;
   let path = OS_VERSIONS;
 
-  const queryString = buildQueryStringFromParams({
+  const params: IGetOSVersionsRequestQueryParams = {
     platform,
-    team_id: teamId,
     os_name,
     os_version,
     order_key,
     order_direction,
     page,
     per_page,
-  });
+  };
+
+  if (teamId !== API_NO_TEAM_ID) {
+    params.team_id = teamId;
+  }
+
+  const queryString = buildQueryStringFromParams(params);
 
   if (queryString) path += `?${queryString}`;
 

From c739ed2472df88312b6580107eb26603aba73c66 Mon Sep 17 00:00:00 2001
From: George Karr <georgekarrv@users.noreply.github.com>
Date: Tue, 26 Mar 2024 12:02:09 -0500
Subject: [PATCH 14/15] Update Releasing-Fleet.md (#16725)

Updating broken link

---------

Co-authored-by: Sam Pfluger <108141731+Sampfluger88@users.noreply.github.com>
---
 docs/Contributing/Releasing-Fleet.md | 2 +-
 handbook/engineering/README.md       | 1 +
 website/config/custom.js             | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/docs/Contributing/Releasing-Fleet.md b/docs/Contributing/Releasing-Fleet.md
index c75d9c25d9..f3f928fc86 100644
--- a/docs/Contributing/Releasing-Fleet.md
+++ b/docs/Contributing/Releasing-Fleet.md
@@ -113,7 +113,7 @@ When the Actions Workflow has been completed, [publish the new version of Fleet]
 
 2. Check the [Docker Publish GitHub action](https://github.com/fleetdm/fleet/actions/workflows/goreleaser-snapshot-fleet.yaml) to confirm it completes successfully for this branch.
 
-3. Create a [Release QA](https://github.com/fleetdm/fleet/blob/main/.github/ISSUE_TEMPLATE/smoke-tests.md) issue. Populate the version and browsers, and assign to the QA person leading the release. Add the appropriate [product group label](https://fleetdm.com/handbook/company/product-groups), and `:release` label, so that it appears on the product group's release board.
+3. Create a [Release QA](https://github.com/fleetdm/fleet/blob/main/.github/ISSUE_TEMPLATE/release-qa.md) issue. Populate the version and browsers, and assign to the QA person leading the release. Add the appropriate [product group label](https://fleetdm.com/handbook/company/product-groups), and `:release` label, so that it appears on the product group's release board.
 
 4. Notify QA that the release candidate is ready for (release QA)[#complete-release-qa].
 
diff --git a/handbook/engineering/README.md b/handbook/engineering/README.md
index 833e9af805..b8d649a056 100644
--- a/handbook/engineering/README.md
+++ b/handbook/engineering/README.md
@@ -124,6 +124,7 @@ Next, create a new GitHub issue using the [Release QA template](https://github.c
 
 The issue's template will contain validation steps for Fleet and individual `fleetd` components. Remove any instructions that do not apply to this release.
 
+
 ### Indicate your product group is release-ready
 Once a product group completes its QA process during the freeze period, its QA lead moves the smoke testing ticket to the "Ready for release" column on their ZenHub board. They then notify the release ritual DRI by tagging them in a comment, indicating that their group is prepared for release. The release ritual DRI starts the [release process](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Releasing-Fleet.md) after all QA leads have made these updates and confirmed their readiness for release.
 
diff --git a/website/config/custom.js b/website/config/custom.js
index 099b220802..c76c7568d1 100644
--- a/website/config/custom.js
+++ b/website/config/custom.js
@@ -258,7 +258,7 @@ module.exports.custom = {
     '.github/ISSUE_TEMPLATE': ['mikermcneil', 'lukeheath', 'sampfluger88'],
     '.github/ISSUE_TEMPLATE/bug-report.md': ['xpkoala','noahtalerman', 'lukeheath'],
     '.github/ISSUE_TEMPLATE/feature-request.md': ['xpkoala','noahtalerman', 'lukeheath'],
-    '.github/ISSUE_TEMPLATE/smoke-tests.md': ['xpkoala','lukeheath','noahtalerman', 'lukeheath'],
+    '.github/ISSUE_TEMPLATE/release-qa.md': ['xpkoala','lukeheath','noahtalerman', 'lukeheath'],
   },
 
   confidentialGithubRepoMaintainersByPath: {// fleetdm/confidential

From 0752993c93dd994e961b81159c8232092d73a81f Mon Sep 17 00:00:00 2001
From: George Karr <georgekarrv@users.noreply.github.com>
Date: Tue, 26 Mar 2024 12:36:38 -0500
Subject: [PATCH 15/15] Update MDM-macOS-setup.md (#17807)

---
 docs/Using Fleet/MDM-macOS-setup.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/Using Fleet/MDM-macOS-setup.md b/docs/Using Fleet/MDM-macOS-setup.md
index 976eda7c57..d19c5fc9c6 100644
--- a/docs/Using Fleet/MDM-macOS-setup.md	
+++ b/docs/Using Fleet/MDM-macOS-setup.md	
@@ -30,6 +30,8 @@ For the MDM protocol to function, we need to generate the four following files:
 
 The APNs certificates serve as authentication between Fleet and Apple, while the SCEP certificates serve as authentication between Fleet and hosts.
 
+> To prevent abuse, please use your work email. If your email isn't accepted, please make sure it's not on this [list of blocked emails].(https://github.com/fleetdm/fleet/blob/d5df23964b0b52f1d442b66ffe4451dc2a9ef969/website/api/controllers/deliver-apple-csr.js#L60)
+
 Use either of the following methods to generate the necessary files:
 
 #### Fleet UI