Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
  * Updated version metadata for maintained macOS applications: Mattermost
    (6.1.2), OneDrive (26.055.0323.0004), and Windsurf (2.0.63). Each update
    includes refreshed installer URLs and corresponding checksums to ensure
    proper installation and security verification.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
This PR automatically updates both 1Password macOS version policy and
Safari version policy for dogfood.
The changes were generated automatically by the
[dogfood-automated-policy-updates
workflow](https://github.com/fleetdm/fleet/actions/workflows/dogfood-automated-policy-updates.yml).
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
  * Updated Box Drive macOS to version 2.51.233
  * Updated Charles macOS to version 5.1
  * Updated Docker Desktop Windows to version 4.70.0
  * Updated iTerm2 macOS to version 3.6.10
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
Fixes#42885
Added new middleware (APIOnlyEndpointCheck) that enforces 403 for
API-only users whose request either isn't in the API endpoint catalog or
falls outside their configured per-user endpoint restrictions.
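A minimal default-deny version of the check this commit describes, written here as an added illustration and not Fleet's own middleware; the `APIUser` type, the context key, and the two catalog entries are assumptions:

```go
package main

import (
	"context"
	"net/http"
	"net/http/httptest"
	"path"
)

// APIUser is a hypothetical caller record (not Fleet's type). AllowedEndpoints
// is the per-user restriction as "METHOD /path" keys; nil means unrestricted.
type APIUser struct {
	Name             string
	APIOnly          bool
	AllowedEndpoints map[string]bool
}

// userCtxKey is where an assumed earlier authentication layer stores the caller.
type userCtxKey struct{}

// APIEndpointCatalog is a constructed allowlist of the endpoints any API-only
// user may ever reach; anything not listed is denied regardless of user config.
var APIEndpointCatalog = map[string]bool{"GET /api/v1/hosts": true, "POST /api/v1/queries": true}

// endpointKey normalizes the path so "/api/v1/hosts/" matches the same catalog
// entry as "/api/v1/hosts" instead of slipping past it.
func endpointKey(method, p string) string {
	return method + " " + path.Clean(p)
}

// Decide is the policy as a pure function: two allowlists that must both
// match, with deny as the default outcome.
func Decide(u *APIUser, method, p string) (bool, string) {
	if u == nil {
		return false, "no authenticated user"
	}
	if !u.APIOnly {
		return true, "not API-only; regular authorization applies"
	}
	key := endpointKey(method, p)
	if !APIEndpointCatalog[key] {
		return false, "not in API endpoint catalog"
	}
	if u.AllowedEndpoints != nil && !u.AllowedEndpoints[key] {
		return false, "outside per-user endpoint restrictions"
	}
	return true, "allowed"
}

// APIOnlyEndpointCheck answers 403 for API-only users who fail either allowlist
// and 401 when no user was authenticated at all.
func APIOnlyEndpointCheck(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, _ := r.Context().Value(userCtxKey{}).(*APIUser)
		if u == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if ok, _ := Decide(u, r.Method, r.URL.Path); !ok {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one request through the middleware and returns the status code.
func Probe(u *APIUser, method, p string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, p, nil)
	req = req.WithContext(context.WithValue(req.Context(), userCtxKey{}, u))
	rr := httptest.NewRecorder()
	APIOnlyEndpointCheck(ok).ServeHTTP(rr, req)
	return rr.Code
}
```

Note that the method is part of the key, so a user allowed `GET /api/v1/hosts` is still refused a `DELETE` on the same path.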
## Summary
- Reorders the Press Coverage table columns from `Date | Publication |
Headline | Journalist` to `Publication | Headline | Journalist | Date`,
moving Date to the last column.
- Updates dates from short `m/d` format (e.g., `4/16`) to the
`YYYY‑MM‑DD` format with `<nobr>` wrapping (e.g.,
`<nobr>2026‑04‑16</nobr>`), consistent with other tables on the
marketing-assets handbook page.
Built for [Ashish
Kuthiala](https://fleetdm.slack.com/archives/D0AG9JQ53GA/p1776747058493619?thread_ts=1776745763.838459&cid=D0AG9JQ53GA)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Adds a new "Press Coverage" section with a 6-entry table (Date,
Publication, Headline, Journalist) to the marketing assets handbook
page, placed immediately before the "Release notes" section.
- Covers recent press from CRN, Cyber Defense Wire, Channele2e,
Channelvision, and Apple Must regarding Fleet's partner program launch
and board appointment.
Built for [Ashish
Kuthiala](https://fleetdm.slack.com/archives/D0AG9JQ53GA/p1776745828661249?thread_ts=1776745763.838459&cid=D0AG9JQ53GA)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Adds a LinkedIn profile link for Alyssa Pallotti in the marketing team
responsibilities table
(`handbook/marketing/marketing-responsibilities.md`).
- Follows the existing `[Name](LinkedIn URL)` pattern used for all other
team members in the table.
## Changes
- `handbook/marketing/marketing-responsibilities.md`: Updated `Alyssa
Pallotti` to `[Alyssa
Pallotti](https://www.linkedin.com/in/alyssapallotti/)` in the Public
Relations (Consultant) row.
---
Built for [Ashish
Kuthiala](https://fleetdm.slack.com/archives/D0AG9JQ53GA/p1776743550333609)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Adds a new testimonial from Thomas Lübker to the Fleet
customers/testimonials page
- Quote: "I think it is key that people understand the leverage they
have with AI if everything is 'code'. In the AI age, clickops will not
prevail!"
- Anonymous-style testimonial (no company logo) with LinkedIn profile
link
### Changes
- `handbook/company/testimonials.yml` — added new testimonial entry
- `website/assets/images/testimonial-author-thomas-luebker-48x48@2x.png`
— added profile image placeholder
---
Built for [Ashish
Kuthiala](https://fleetdm.slack.com/archives/D0AG9JQ53GA/p1776743212657769)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
  * Updated application metadata to support newer versions of ChatGPT,
    Claude, Cursor, Discord, Docker Desktop, Loom, OrbStack, and Zed across
    macOS and Windows platforms.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
Correct misspellings in ee/maintained-apps/outputs/apps.json for two
entries: update "Elgate" to "Elgato" in the Elgato Control Center
description and "Elgateo" to "Elgato" in the Elgato Stream Deck
description.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
  * Corrected spelling errors in application descriptions for Elgato
    Control Center and Elgato Stream Deck to ensure accurate product
    information display.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Add support for Druva inSync: new winget input
(ee/maintained-apps/inputs/winget/druva-insync.json), app metadata
(added entry in ee/maintained-apps/outputs/apps.json) and
platform-specific output with version, installer URL,
installer/uninstaller script refs, sha256 and upgrade_code
(ee/maintained-apps/outputs/druva-insync/windows.json). Also add
frontend icon component and mapping
(frontend/pages/SoftwarePage/components/icons/DruvaInSync.tsx and
index.ts) plus the PNG asset
(website/assets/images/app-icon-druva-insync-60x60@2x.png) so the app is
manageable and visually represented in the UI.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43702
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43142
Since script-only packages have to be specified as a path, add some
logic to allow icon to be set as a path in that situation.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] Timeouts are implemented and retries are limited to avoid infinite
loops
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- `TestSoftwarePackagesPathWithInline` checks custom package yml path so
there is no regression, added `TestScriptOnlyPackagesPathWithInline` to
test script-only package path.
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually
- Tested .sh and .ps1 script-only packages with icon path specified in
the team level yaml.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
  * Fixed custom icon handling for script-only packages (e.g., .sh and
    .ps1), allowing icons to be set and resolved correctly for packages
    referenced by path.
* **Tests**
  * Added test coverage validating custom icon functionality and path
    resolution for script-only packages; included a sample script used by
    the test.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Changes:
- Created spacing.less, a file that contains the common
padding/margin/gap values used on the website
- Updated containers.less to contain mixins for page containers
- Added feature-blocks.less, a file that contains three mixins:
`.feature-with-image()`, `.three-column-features()`, and
`.responsive-feature-row()`
- Added mixins for common text styles to typography.less
- Updated pages to use the new mixins
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
  * Centralized spacing and typography system for consistent, responsive
    layouts
  * Reusable feature-block patterns for image/text rows and multi-column
    feature grids
* **Style**
  * Standardized page containers and content areas with responsive padding
    and max-widths
  * Unified heading/body styles via new typography utilities
  * Simplified markup and improved feature image/text alignment and
    responsiveness
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Extra colon in the "Products:" section auto-generated file:
<img width="228" height="59" alt="Screenshot 2026-04-20 at 3 07 26 PM"
src="https://github.com/user-attachments/assets/687be6ea-71ae-45c7-a1e9-641994ee86ba"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
  * Corrected formatting in product list display by removing redundant
    punctuation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43047
Follow-up to https://github.com/fleetdm/fleet/pull/43222
# Checklist for submitter
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
See
https://github.com/fleetdm/fleet/issues/42960#issuecomment-4246769629
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
  * Improved Apple MDM declaration handling: declarations with unresolved
    per-device variables are now attempted per host, marked failed when
    resolution fails, and omitted from device configuration/activation
    manifests.
  * Declarations that fail resolution still factor into declaration token
    computation to keep token behavior consistent.
* **Tests**
  * Updated tests to reflect per-device resolution failures and adjusted
    validation flow.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Run: https://github.com/fleetdm/fleet/actions/runs/24681592163.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
  * Added vulnerability disclosures for three CVEs.
    * CVE-2026-27806: marked as not affecting fleetctl.
    * CVE-2026-32280: denial-of-service affecting many fleetctl versions;
      recommend upgrading to a fleetctl build using Go ≥1.26.2 when available.
    * CVE-2026-33810: affects fleetctl v4.84.0; recommend upgrading to a
      fleetctl build using Go ≥1.26.2 when available.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves
#https://github.com/fleetdm/confidential/issues/14837
**Related issue:** Resolves
#https://github.com/fleetdm/confidential/issues/14839
Commit 1 - fixes the basic-whitepaper.ejs page so that the LP form
headline is not hard coded to GitOps anymore.
Commit 2 - posts the whitepaper and sets up the LP page
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Updates**
  * Form headline on whitepaper download page is now customizable.
  * Enhanced email submission feedback handling during download process.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Run: https://github.com/fleetdm/fleet/actions/runs/24676558778.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
  * Added security vulnerability assessments for CVE-2026-28390,
    CVE-2026-4775, and CVE-2026-5201, confirming these issues do not affect
    the product. Statements note that vulnerable code is not in the
    product’s execution path and relevant processing (TLS/TIFF/graphics) is
    not performed by the shipped components. Includes timestamps and
    metadata for traceability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Golang 1.26.2 has been released. It fixes some CVEs:
https://github.com/golang/go/issues?q=milestone%3AGo1.26.2+label%3ACherryPickApproved
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
  * Updated Go toolchain to 1.26.2 across the repository and build
    configs.
  * Updated Docker build images to use Go 1.26.2.
  * Expanded the set of tracked modules for the Go version update so
    additional module files are included in automated updates.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
- Updates wording in `.github/workflows/loadtest-osquery-perf.yml`
- `4098` -> `4096`
- Removes: `(should be a multiple of 8, if setting
loadtest_containers_starting_index)`
- Updates `infrastructure/loadtesting/terraform/osquery_perf/enroll.sh`
to handle values that are not multiples of 8. If the value is not a
multiple of 8, logic has been added to apply the remainder.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Documentation**
  * Updated load testing workflow configuration input descriptions for
    improved clarity of parameters and their usage examples.
* **Bug Fixes**
  * Fixed container count allocation logic in the load testing process to
    ensure the final target count is always properly applied, even when
    using increment values that don't divide evenly into the specified total
    range.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Run: https://github.com/fleetdm/fleet/actions/runs/24673271270
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Security**
  * Added vulnerability assessment documentation for CVE-2026-28390,
    confirming that bomutils is not affected by this vulnerability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This is a way to test osquery PRs as part of local fleetd TUF builds.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Chores**
  * Enhanced macOS build process to support creating application bundles
    from pull request workflow artifacts in addition to released versions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
The nightly OSV artifact generation in `fleetdm/vulnerabilities` failed
over the weekend with:
```
fatal: error processing shallow info: 4
```
at `cmd/osv-processor/sync-and-detect-changes.sh` during:
```bash
git fetch --shallow-since="3 days ago" origin main
```
Root cause: `git fetch --shallow-since` errors out when the upstream
(`canonical/ubuntu-security-notices`) has zero commits newer than the
cutoff. Canonical didn't push anything over the weekend, so the 3-day
window returned empty and upload-pack produced an unusable shallow
response.
Fix:
- Fall back to `git fetch --depth=3` if `--shallow-since` still returns
empty, so the initial clone always succeeds.
Subsequent runs reuse the existing clone and take the other branch of
the script (plain `git fetch origin main`), which doesn't have this
failure mode.
Failing run:
https://github.com/fleetdm/vulnerabilities/actions/runs/24330589309/job/71035337352
## Test plan
- [x] Re-run the Ubuntu OSV artifact generation workflow; initial clone
succeeds regardless of upstream push frequency.
- [x] Manually exercise the cold-cache path locally: `rm -rf
ubuntu-security-notices &&
./cmd/osv-processor/sync-and-detect-changes.sh` — completes without
error.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
  * Improved initial repository sync: if the primary shallow fetch returns
    no commits, the process now falls back to a limited-depth fetch, warns
    the user, and shows recent commit history before continuing. Downstream
    change detection and existing behavior for already-cloned repos remain
    unchanged.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Konstantin Sykulev <konst@sykulev.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42765
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Style
* Enhanced the responsive design of the Identity Provider section by
updating the "learn more" link to dynamically size based on its content
rather than maintaining a fixed width constraint, improving flexibility
and visual consistency across different contexts.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
  * Enhanced macOS uninstall cleanup process for better system maintenance
* **Chores**
  * Updated WhatsApp for macOS to version 26.16.15
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
Add a new dynamic label 'Macs with Fleet Desktop installed' (platform:
darwin) that selects hosts where apps.name = 'Fleet Desktop'. Update the
macOS policy update-fleet-desktop.yml to include this label via
labels_include_any so the policy targets only hosts with Fleet Desktop
installed. Files changed:
it-and-security/lib/all/labels/macs-with-fleet-desktop-installed.yml
(new) and it-and-security/lib/macos/policies/update-fleet-desktop.yml
(modified).
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42427
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
  * Pending MDM profile records are cleared when Apple or Windows MDM is
    turned off, preventing stale profiles from reappearing if MDM is
    re-enabled.
  * Pending Windows profile records are removed when a device is
    unenrolled, avoiding leftover pending installations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Extend the battery-health-check SQL to flag batteries whose max_capacity
/ designed_capacity is below 80%. The new clause guards against zero
capacities and casts max_capacity to REAL for proper floating-point
division, improving detection of degraded batteries in the macOS policy.
Replace two icon assets used by the it-and-security module:
it-and-security/lib/all/icons/fleet-desktop-icon.png and
it-and-security/lib/all/icons/keynote-theme-swan.png. These binary PNG
updates refresh the visuals for the corresponding icons.
Replace the generic "Apple Silicon macOS hosts" label with app-specific
labels_include_any entries for macOS packages and add a Windows label
for VS Code. This change adds or updates labels for many self_service
macOS apps (Brave, Docker Desktop, VS Code, Microsoft Teams, GitHub
Desktop, UTM, Postman, Grammarly Desktop, iTerm2, Sublime Text,
Parallels, Loom, Spotify, Rectangle, Logi Options+, Figma, WhatsApp,
Android Studio, Zed, Obsidian, Google Drive, Cursor, etc.) to target
hosts that have each app installed rather than relying on the Apple
Silicon host label. Improves targeting for software availability in the
fleet configuration.
Add a macOS policy to check Fleet Desktop is at least v1.1.0 and
reference it from the workstations fleet. Update the Fleet Desktop
installer metadata to v1.1.0 (new SHA256). Also wrap long resolution
strings in quotes for consistency in Firefox and 1Password policies.
**Related issue:** Resolves#42879
* Full UI for API-only user management: create/edit flows, fleet/role
assignment, selectable API endpoint permissions, and one-time API key
display.
* New reusable components: API user form, endpoint selector, API access
section, and API key presentation.
* Admin workflow switched from in-page modals to dedicated pages and
streamlined action dropdown navigation.
* Layout and styling refinements for user management, team lists, and
dropdown behaviors.
---------
Co-authored-by: Juan Fernandez <juan@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43047
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually
See
https://github.com/fleetdm/fleet/issues/42960#issuecomment-4244206563
and subsequent comments.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
  * Apple DDM declarations support a vetted subset of Fleet variables with
    per-host substitution; premium license required. Declaration tokens and
    resend behavior now reflect variable changes; unresolved host
    substitutions mark that host’s declaration as failed.
* **Bug Fixes**
  * Clearer errors for unsupported or license-restricted Fleet variables
    and more consistent DDM resend/update semantics when variables change.
* **Tests**
  * Added extensive unit and integration tests covering Fleet variable
    validation, substitution, token changes, resends, and failure states.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
  * Updated DBeaver Community macOS version metadata to 26.0.3, including
    installer URL and validation checksums
  * Updated Stats macOS version metadata to 2.12.11, including installer
    URL and validation checksums
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
  * Updated Draw.io Desktop to version 29.7.8 with new installer and
    checksum.
  * Updated GitKraken to version 12.0.1 with new installer and checksum.
  * Updated Spotify ARM64 to version 1.2.87.415 with new installer and
    checksum.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>