mirror of
https://github.com/fleetdm/fleet
synced 2026-05-24 09:28:54 +00:00
324 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
de86536f42
|
Redis-backed cache for host-by-key lookups (#43936)
**Related issue:** Resolves #43928 This PR adds a Redis-backed cache in front of the two host-by-key lookups on the agent auth paths. Docs: https://github.com/fleetdm/fleet/pull/44504 ## What changes **Read path (osquery/orbit auth):** - `LoadHostByNodeKey` and `LoadHostByOrbitNodeKey` now check Redis before falling through to MySQL. - Successful lookups are cached for 60s ± 10% jitter (configurable via `FLEET_REDIS_HOST_CACHE_TTL`). - `NotFound` results are cached for 5s as a negative entry, dampening repeated probes for keys that do not exist (deleted hosts whose agents are still polling, attacker scans, retry storms). - Concurrent lookups for the same key collapse into one DB query via `singleflight`. The shared query runs under a context detached from any one caller's deadline so the leader giving up does not abort the work for joiners. The shared query is itself bounded by a 30s timeout so a wedged DB call cannot pin the singleflight slot indefinitely. **Write path (invalidations):** - These methods now invalidate the cache after a successful inner call: `UpdateHost`, `SerialUpdateHost`, `UpdateHostOsqueryIntervals`, `UpdateHostRefetchRequested`, `UpdateHostRefetchCriticalQueriesUntil`, `UpdateHostIdentityCertHostIDBySerial`, `EnrollOsquery`, `EnrollOrbit`, `NewHost`, `DeleteHost`, `DeleteHosts`, `CleanupExpiredHosts`, `CleanupIncomingHosts`, `AddHostsToTeam`. - `AddHostsToTeam`, `DeleteHosts`, `CleanupExpiredHosts`, and `CleanupIncomingHosts` use a pipelined batch invalidator so 10k-host operations stay in the millisecond range instead of taking minutes of sequential round-trips. - Inner-call errors are not invalidations: a failing write leaves cached state intact. **Configuration:** - New flags `FLEET_REDIS_HOST_CACHE_ENABLED` (default `true`) and `FLEET_REDIS_HOST_CACHE_TTL` (default `60s`). - Server refuses to start if the cache is enabled with `TTL <= 0`. 
**Observability:** - Three new OTEL counters under the `fleet` meter: - `fleet.host_cache.lookups{result=hit|negative_hit|miss}` - `fleet.host_cache.errors{op=get|set|del}` - `fleet.host_cache.invalidations{reason=update|enroll|team|delete|cert}` - A pre-built SigNoz dashboard ships in `tools/signoz/host_cache_dashboard.json`. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Timeouts are implemented and retries are limited to avoid infinite loops ## Testing - [x] Added/updated automated tests - [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another) - [x] QA'd all new/changed functionality manually ## Summary by CodeRabbit * **New Features** * Optional Redis-backed host lookup cache for osquery and orbit auth, with automatic invalidation and metrics/monitoring dashboard. * **Bug Fixes** * Fixed host-removal batching so cache-related removals use correct chunks. * **Tests** * Added comprehensive host-cache unit tests covering hits, negative cache, invalidation, concurrency, and JSON round-trips. * **Chores** * New config flags to enable the cache and set TTL (default 60s ±10% jitter). |
||
|
|
9628f49cb8
|
Improved the performance of Windows MDM profile reconciliation (#44075)
**Related issue:** Resolves #44052 Improve performance by reducing the time for the synchronous API call to update profiles or switch teams, and by spreading out the application of profiles by processing 2000 hosts every 30 seconds. 1. **Windows profile reconciliation is no longer synchronous to bulk-set.** Apple, Android, and Apple-declaration paths still write their pending state inside the bulk-set transaction. The Windows path commits the transactional inputs and lets the existing `mdm_windows_profile_manager` cron pick the work up on its next tick. The visible effect is that `host_mdm_windows_profiles` is no longer guaranteed to be populated by the time bulk-set returns; it converges within one cron interval. 2. **The Windows reconciler now processes hosts in bounded batches, with a persisted cursor.** Previous behavior was "scan the universe of pending Windows hosts on every tick." New behavior is a host-window query bounded by batch size and a `host_uuid` cursor, advanced after the batch commits successfully and persisted across ticks. A failed tick leaves the cursor untouched so the same window is retried. 3. **Two replication races are now explicitly handled.** - Admin-delete vs reconcile: the existence check the reconciler uses to avoid touching a just-deleted profile reads from the primary, not a replica. - Insert lag in the reconciler's own listings: hosts that appear in the cursor query but are not yet visible in the scoped listings advance the cursor instead of jamming the loop. 4. **`updates.WindowsConfigProfile` from `BulkSetPendingMDMHostProfiles` is now always false in production.** The only consumer ORs it with the transactional signal from `BatchSetMDMProfiles`, which is the accurate source. The bulk-set call no longer attempts to compute or return that activity signal itself. 5. 
**Tests opt in to the old synchronous behavior via a named hook.** Default test behavior matches production (deferred). Legacy tests whose assertions require Windows rows immediately after bulk-set call an explicit enable-hook and rely on `t.Cleanup` to restore. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually ## Summary by CodeRabbit * **New Features** * Windows MDM profile reconciliation batching improvements enable large team transfers and bulk profile change operations to complete faster, with profile updates rolling out in the background without blocking host check-ins or other MDM activity. |
||
|
|
d4c0834cba
|
Bump macadmins/osquery-extension to v1.4.1 and add network_quality ta… (#44214)
**Related issue:** Resolves #44202. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. ## Testing - [X] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [X] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) - [X] Verified that fleetd runs on macOS, Linux and Windows - [X] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) ## Summary by CodeRabbit * **New Features** * Added network quality table for macOS to monitor download and upload speeds with results formatted in both kilobits and megabits per second (requires macOS 12+) * **Chores** * Updated MacAdmins osquery extension dependency to v1.4.1 |
||
|
|
3af4baf691
|
Bump github.com/Azure/go-ntlmssp from 0.0.0-20221128193559-754e69321358 to 0.1.1 (#44089)
Bumps [github.com/Azure/go-ntlmssp](https://github.com/Azure/go-ntlmssp) from 0.0.0-20221128193559-754e69321358 to 0.1.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Azure/go-ntlmssp/releases">github.com/Azure/go-ntlmssp's releases</a>.</em></p> <blockquote> <h2>v0.1.1</h2> <p>Fix CVE-2026-32952: A malicious NTLM challenge message can cause a slice out of bounds panic, which can crash any Go process using ntlmssp.Negotiator as an HTTP transport.</p> <h2>v0.1.0</h2> <h2>What's Changed</h2> <ul> <li>Bump minimum required version to Go 1.24 by <a href="https://github.com/qmuntal"><code>@qmuntal</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/53">Azure/go-ntlmssp#53</a></li> <li>Fix OOM in NTLM negotiator by avoiding buffering of seekable request bodies by <a href="https://github.com/Copilot"><code>@Copilot</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/54">Azure/go-ntlmssp#54</a></li> <li>Don't modify the rountripped request by <a href="https://github.com/qmuntal"><code>@qmuntal</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/57">Azure/go-ntlmssp#57</a></li> <li>Fix a race occurring when the wrapped Rountripper closes the request body in another goroutine by <a href="https://github.com/qmuntal"><code>@qmuntal</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/58">Azure/go-ntlmssp#58</a></li> <li>Fix a race occurring when the wrapped Rountripper reads request fields in another goroutine by <a href="https://github.com/qmuntal"><code>@qmuntal</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/59">Azure/go-ntlmssp#59</a></li> <li>Only perform basic auth if requested by the server by <a href="https://github.com/qmuntal"><code>@qmuntal</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/60">Azure/go-ntlmssp#60</a></li> <li>Don't pass the original body in the client handshake request by 
<a href="https://github.com/qmuntal"><code>@qmuntal</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/61">Azure/go-ntlmssp#61</a></li> <li>Return latest server response in case there is an error processing the handshake by <a href="https://github.com/qmuntal"><code>@qmuntal</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/63">Azure/go-ntlmssp#63</a></li> <li>Send body on client NTLM handshake by <a href="https://github.com/qmuntal"><code>@qmuntal</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/64">Azure/go-ntlmssp#64</a></li> <li>Support user accounts not living in server's domain by <a href="https://github.com/qmuntal"><code>@qmuntal</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/65">Azure/go-ntlmssp#65</a></li> <li>Implement NewAuthenticateMessage and deprecate ProcessChallenge by <a href="https://github.com/qmuntal"><code>@qmuntal</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/67">Azure/go-ntlmssp#67</a></li> <li>Make basic authentication support opt-in by <a href="https://github.com/qmuntal"><code>@qmuntal</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/66">Azure/go-ntlmssp#66</a></li> <li>Allow passing custom client domain and workstation name by <a href="https://github.com/qmuntal"><code>@qmuntal</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/68">Azure/go-ntlmssp#68</a></li> <li>set NEGOTIATE_NTLM and NEGOTIATE_ALWAYS_SIGN capabilities by <a href="https://github.com/qmuntal"><code>@qmuntal</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/69">Azure/go-ntlmssp#69</a></li> <li>testing: add e2e tests by <a href="https://github.com/gdams"><code>@gdams</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/56">Azure/go-ntlmssp#56</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/qmuntal"><code>@qmuntal</code></a> made their 
first contribution in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/53">Azure/go-ntlmssp#53</a></li> <li><a href="https://github.com/Copilot"><code>@Copilot</code></a> made their first contribution in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/54">Azure/go-ntlmssp#54</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Azure/go-ntlmssp/compare/v0.0.1...v0.1.0">https://github.com/Azure/go-ntlmssp/compare/v0.0.1...v0.1.0</a></p> <h2>v0.0.1</h2> <h2>What's Changed</h2> <ul> <li>Commit to Go 1.6 by <a href="https://github.com/boumenot"><code>@boumenot</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/5">Azure/go-ntlmssp#5</a></li> <li>Handle http redirect by <a href="https://github.com/nqv"><code>@nqv</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/4">Azure/go-ntlmssp#4</a></li> <li>drain request body for connection reuse by <a href="https://github.com/paulmey"><code>@paulmey</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/6">Azure/go-ntlmssp#6</a></li> <li>Add CoC notice by <a href="https://github.com/paulmey"><code>@paulmey</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/7">Azure/go-ntlmssp#7</a></li> <li>Support for auth when server responds with Www-Authenticate: NTLM by <a href="https://github.com/lafriks"><code>@lafriks</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/8">Azure/go-ntlmssp#8</a></li> <li>update README with example by <a href="https://github.com/PaluMacil"><code>@PaluMacil</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/11">Azure/go-ntlmssp#11</a></li> <li>add version, domain and workstation fields by <a href="https://github.com/justdan96"><code>@justdan96</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/13">Azure/go-ntlmssp#13</a></li> <li>move to a current version of Go by <a 
href="https://github.com/boumenot"><code>@boumenot</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/19">Azure/go-ntlmssp#19</a></li> <li>(BUG) Negotiation fails for servers where 'NTLMv2 session security' i… by <a href="https://github.com/davejohnston"><code>@davejohnston</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/18">Azure/go-ntlmssp#18</a></li> <li>Update negotiator.go by <a href="https://github.com/mszuyev"><code>@mszuyev</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/24">Azure/go-ntlmssp#24</a></li> <li>Fix golint import path by <a href="https://github.com/paulmey"><code>@paulmey</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/25">Azure/go-ntlmssp#25</a></li> <li>add ProcessChallengeWithHash function by <a href="https://github.com/ropnop"><code>@ropnop</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/27">Azure/go-ntlmssp#27</a></li> <li>Set workstation to empty string in authenticate_message.go by <a href="https://github.com/Catbuttes"><code>@Catbuttes</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/30">Azure/go-ntlmssp#30</a></li> <li>Change of the negociator working, to handle several identical header by <a href="https://github.com/Resousse"><code>@Resousse</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/31">Azure/go-ntlmssp#31</a></li> <li>Support for UPN by <a href="https://github.com/tirupatibg"><code>@tirupatibg</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/32">Azure/go-ntlmssp#32</a></li> <li>Adding Microsoft SECURITY.MD by <a href="https://github.com/microsoft-github-policy-service"><code>@microsoft-github-policy-service</code></a>[bot] in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/39">Azure/go-ntlmssp#39</a></li> <li>Handle 3rd return value from GetDomain by <a href="https://github.com/opoplawski"><code>@opoplawski</code></a> in <a 
href="https://redirect.github.com/Azure/go-ntlmssp/pull/41">Azure/go-ntlmssp#41</a></li> <li>initial refactor by <a href="https://github.com/gdams"><code>@gdams</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/48">Azure/go-ntlmssp#48</a></li> <li>fix linter errors by <a href="https://github.com/gdams"><code>@gdams</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/49">Azure/go-ntlmssp#49</a></li> <li>add dependabot/codeowners + installation instructions by <a href="https://github.com/gdams"><code>@gdams</code></a> in <a href="https://redirect.github.com/Azure/go-ntlmssp/pull/50">Azure/go-ntlmssp#50</a></li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/Azure/go-ntlmssp/commits/v0.1.1">compare view</a></li> </ul> </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> |
||
|
|
faa2bb1bdc
|
Bump github.com/go-git/go-git/v5 from 5.17.1 to 5.18.0 (#43740)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.17.1 to 5.18.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/go-git/go-git/releases">github.com/go-git/go-git/v5's releases</a>.</em></p> <blockquote> <h2>v5.18.0</h2> <h2>What's Changed</h2> <ul> <li>plumbing: transport/http, Add support for followRedirects policy by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/2004">go-git/go-git#2004</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.17.2...v5.18.0">https://github.com/go-git/go-git/compare/v5.17.2...v5.18.0</a></p> <h2>v5.17.2</h2> <h2>What's Changed</h2> <ul> <li>build: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (releases/v5.x) by <a href="https://github.com/go-git-renovate"><code>@go-git-renovate</code></a>[bot] in <a href="https://redirect.github.com/go-git/go-git/pull/1941">go-git/go-git#1941</a></li> <li>dotgit: skip writing pack files that already exist on disk by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1944">go-git/go-git#1944</a></li> </ul> <p>⚠️ This release fixes a bug (<a href="https://redirect.github.com/go-git/go-git/issues/1942">go-git/go-git#1942</a>) that blocked some users from upgrading to <code>v5.17.1</code>. Thanks <a href="https://github.com/pskrbasu"><code>@pskrbasu</code></a> for reporting it. 🙇</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.17.1...v5.17.2">https://github.com/go-git/go-git/compare/v5.17.1...v5.17.2</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
682202444c
|
Update go to 1.26.2 and update tooling to update it (#43771)
Golang 1.26.2 has been released. It fixes some CVEs: https://github.com/golang/go/issues?q=milestone%3AGo1.26.2+label%3ACherryPickApproved ## Summary by CodeRabbit * **Chores** * Updated Go toolchain to 1.26.2 across the repository and build configs. * Updated Docker build images to use Go 1.26.2. * Expanded the set of tracked modules for the Go version update so additional module files are included in automated updates. |
||
|
|
3c1b8fc7a3
|
Bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 (#43298)
Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) from 1.40.0 to 1.43.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md">go.opentelemetry.io/otel/sdk's changelog</a>.</em></p> <blockquote> <h2>[1.43.0/0.65.0/0.19.0] 2026-04-02</h2> <h3>Added</h3> <ul> <li>Add <code>IsRandom</code> and <code>WithRandom</code> on <code>TraceFlags</code>, and <code>IsRandom</code> on <code>SpanContext</code> in <code>go.opentelemetry.io/otel/trace</code> for <a href="https://www.w3.org/TR/trace-context-2/#random-trace-id-flag">W3C Trace Context Level 2 Random Trace ID Flag</a> support. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8012">#8012</a>)</li> <li>Add service detection with <code>WithService</code> in <code>go.opentelemetry.io/otel/sdk/resource</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7642">#7642</a>)</li> <li>Add <code>DefaultWithContext</code> and <code>EnvironmentWithContext</code> in <code>go.opentelemetry.io/otel/sdk/resource</code> to support plumbing <code>context.Context</code> through default and environment detectors. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8051">#8051</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc</code>. 
(<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Add support for per-series start time tracking for cumulative metrics in <code>go.opentelemetry.io/otel/sdk/metric</code>. Set <code>OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true</code> to enable. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8060">#8060</a>)</li> <li>Add <code>WithCardinalityLimitSelector</code> for metric reader for configuring cardinality limits specific to the instrument kind. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7855">#7855</a>)</li> </ul> <h3>Changed</h3> <ul> <li>Introduce the <code>EMPTY</code> Type in <code>go.opentelemetry.io/otel/attribute</code> to reflect that an empty value is now a valid value, with <code>INVALID</code> remaining as a deprecated alias of <code>EMPTY</code>. 
(<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Improve slice handling in <code>go.opentelemetry.io/otel/attribute</code> to optimize short slice values with fixed-size fast paths. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8039">#8039</a>)</li> <li>Improve performance of span metric recording in <code>go.opentelemetry.io/otel/sdk/trace</code> by returning early if self-observability is not enabled. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8067">#8067</a>)</li> <li>Improve formatting of metric data diffs in <code>go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8073">#8073</a>)</li> </ul> <h3>Deprecated</h3> <ul> <li>Deprecate <code>INVALID</code> in <code>go.opentelemetry.io/otel/attribute</code>. Use <code>EMPTY</code> instead. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>Return spec-compliant <code>TraceIdRatioBased</code> description. This is a breaking behavioral change, but it is necessary to make the implementation <a href="https://opentelemetry.io/docs/specs/otel/trace/sdk/#traceidratiobased">spec-compliant</a>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8027">#8027</a>)</li> <li>Fix a race condition in <code>go.opentelemetry.io/otel/sdk/metric</code> where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8056">#8056</a>)</li> <li>Limit HTTP response body to 4 MiB in <code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp</code> to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. 
(<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108">#8108</a>)</li> <li>Limit HTTP response body to 4 MiB in <code>go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp</code> to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108">#8108</a>)</li> <li>Limit HTTP response body to 4 MiB in <code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp</code> to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108">#8108</a>)</li> <li><code>WithHostID</code> detector in <code>go.opentelemetry.io/otel/sdk/resource</code> to use full path for <code>kenv</code> command on BSD. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8113">#8113</a>)</li> <li>Fix missing <code>request.GetBody</code> in <code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp</code> to correctly handle HTTP2 GOAWAY frame. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8096">#8096</a>)</li> </ul> <h2>[1.42.0/0.64.0/0.18.0/0.0.16] 2026-03-06</h2> <h3>Added</h3> <ul> <li>Add <code>go.opentelemetry.io/otel/semconv/v1.40.0</code> package. The package contains semantic conventions from the <code>v1.40.0</code> version of the OpenTelemetry Semantic Conventions. See the <a href="https://github.com/open-telemetry/opentelemetry-go/blob/main/semconv/v1.40.0/MIGRATION.md">migration documentation</a> for information on how to upgrade from <code>go.opentelemetry.io/otel/semconv/v1.39.0</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7985">#7985</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
f8d2660c6c
|
Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.81.0 to 1.97.3 (#43204)
Bumps [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) from 1.81.0 to 1.97.3. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
8201ae63f1
|
Bump github.com/aws/aws-sdk-go-v2/service/kinesis from 1.35.3 to 1.43.5 (#43200)
Bumps [github.com/aws/aws-sdk-go-v2/service/kinesis](https://github.com/aws/aws-sdk-go-v2) from 1.35.3 to 1.43.5. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
98075b2734
|
Bump github.com/aws/aws-sdk-go-v2/service/lambda from 1.72.0 to 1.88.5 (#43199)
Bumps [github.com/aws/aws-sdk-go-v2/service/lambda](https://github.com/aws/aws-sdk-go-v2) from 1.72.0 to 1.88.5. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
abaad3d4ca
|
Bump github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5 (#42952)
Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.4 to 3.0.5. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
d4f48b6f9c
|
ACME MDM -> main (#42926)
**Related issue:** The entire ACME feature branch merge # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters. - [x] Timeouts are implemented and retries are limited to avoid infinite loops ## Testing - [x] Added/updated automated tests - [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another) - [x] QA'd all new/changed functionality manually --------- Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com> Co-authored-by: Martin Angers <martin.n.angers@gmail.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com> Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com> |
||
|
|
1aef37c75c
|
Bump github.com/go-git/go-git/v5 from 5.16.5 to 5.17.1 (#42670)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.16.5 to 5.17.1.

**Release notes**

*Sourced from [github.com/go-git/go-git/v5's releases](https://github.com/go-git/go-git/releases).*

> ## v5.17.1
>
> ## What's Changed
>
> - build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY] (releases/v5.x) by [`@go-git-renovate`](https://github.com/go-git-renovate)[bot] in [go-git/go-git#1930](https://redirect.github.com/go-git/go-git/pull/1930)
> - [v5] plumbing: format/index, Improve v4 entry name validation by [`@pjbgf`](https://github.com/pjbgf) in [go-git/go-git#1935](https://redirect.github.com/go-git/go-git/pull/1935)
> - [v5] plumbing: format/idxfile, Fix version and fanout checks by [`@pjbgf`](https://github.com/pjbgf) in [go-git/go-git#1937](https://redirect.github.com/go-git/go-git/pull/1937)
>
> **Full Changelog**: https://github.com/go-git/go-git/compare/v5.17.0...v5.17.1
>
> ## v5.17.0
>
> ## What's Changed
>
> - build: Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (releases/v5.x) by [`@go-git-renovate`](https://github.com/go-git-renovate)[bot] in [go-git/go-git#1839](https://redirect.github.com/go-git/go-git/pull/1839)
> - git: worktree, optimize infiles function for very large repos by [`@k-anshul`](https://github.com/k-anshul) in [go-git/go-git#1853](https://redirect.github.com/go-git/go-git/pull/1853)
> - git: Add strict checks for supported extensions by [`@pjbgf`](https://github.com/pjbgf) in [go-git/go-git#1861](https://redirect.github.com/go-git/go-git/pull/1861)
> - backport, git: Improve Status() speed with new index.ModTime check by [`@cedric-appdirect`](https://github.com/cedric-appdirect) in [go-git/go-git#1862](https://redirect.github.com/go-git/go-git/pull/1862)
> - storage: filesystem, Avoid overwriting loose obj files by [`@pjbgf`](https://github.com/pjbgf) in [go-git/go-git#1864](https://redirect.github.com/go-git/go-git/pull/1864)
>
> **Full Changelog**: https://github.com/go-git/go-git/compare/v5.16.5...v5.17.0 |
||
|
|
32f1c2026c
|
Bump golang.org/x/image from 0.18.0 to 0.38.0 (#42661)
Bumps [golang.org/x/image](https://github.com/golang/image) from 0.18.0 to 0.38.0. |
||
|
|
82c3983939
|
Bump github.com/antchfx/xpath from 1.2.2 to 1.3.6 (#42633)
Bumps [github.com/antchfx/xpath](https://github.com/antchfx/xpath) from 1.2.2 to 1.3.6.

**Release notes**

*Sourced from [github.com/antchfx/xpath's releases](https://github.com/antchfx/xpath/releases).*

> ## v1.3.6
>
> Merged PR:
>
> - [#120](https://redirect.github.com/antchfx/xpath/issues/120)([`@mislav`](https://github.com/mislav)) - Fix `last()` predicate on grouped expr.
>
> Fixed:
>
> - [#121](https://redirect.github.com/antchfx/xpath/issues/121)
>
> ## Release v1.3.5
>
> Merged PR:
>
> - [#117](https://redirect.github.com/antchfx/xpath/issues/117)([`@mislav`](https://github.com/mislav))- fix `ancestor::` axes with position predicate.
>
> Fixed:
>
> - [#113](https://redirect.github.com/antchfx/xpath/issues/113) - (fix `string()` function)
>
> ## v1.3.4
>
> Merged PR:
>
> - [#107](https://redirect.github.com/antchfx/xpath/issues/107)([`@Mrflatt`](https://github.com/Mrflatt)) - supports Regexp feature in `replace()` function
> - [#111](https://redirect.github.com/antchfx/xpath/issues/111)([`@wjc4`](https://github.com/wjc4)) - Improve `getHashCode` performance
>
> Fixed:
>
> - [#109](https://redirect.github.com/antchfx/xpath/issues/109)
>
> ## v1.3.3
>
> fix non-English predicate query [#106](https://redirect.github.com/antchfx/xpath/issues/106)
>
> ## v1.3.2
>
> New Features:
>
> - Supports Unicode chars for Non-English (PR [#100](https://redirect.github.com/antchfx/xpath/issues/100))
>
> Bug Fixed:
>
> - [#101](https://redirect.github.com/antchfx/xpath/issues/101)
> - [#102](https://redirect.github.com/antchfx/xpath/issues/102)
> - [#104](https://redirect.github.com/antchfx/xpath/issues/104)
>
> ## v1.3.1
>
> - Merged PR [#97](https://redirect.github.com/antchfx/xpath/issues/97).
> - Allows node-set numeric operator `+`, `-`, `mod()`. |
||
|
|
d8588ed790
|
Bump macadmins version and add macos_thermal_pressure and macos_soc_power tables (#42569)
**Related issue:** Resolves #42530

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## fleetd/orbit/Fleet Desktop

- [X] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [X] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes
- [X] Verified that fleetd runs on macOS, Linux and Windows
- [X] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) |
||
|
|
915feb9868
|
Bump github.com/russellhaering/goxmldsig from 1.4.0 to 1.6.0 (#42009)
Bumps [github.com/russellhaering/goxmldsig](https://github.com/russellhaering/goxmldsig) from 1.4.0 to 1.6.0.

**Release notes**

*Sourced from [github.com/russellhaering/goxmldsig's releases](https://github.com/russellhaering/goxmldsig/releases).*

> ## v1.6.0
>
> ## What's Changed
>
> - **Security:** Fix possible signature validation bypass caused by loop variable capture in `validateSignature` (GHSA-479m-364c-43vc)
> - Bump minimum Go version to 1.23
> - Bump `github.com/beevik/etree` to v1.6.0
> - Add fuzz tests for XML signature validation and canonicalization
>
> **Full Changelog**: https://github.com/russellhaering/goxmldsig/compare/v1.5.0...v1.6.0
>
> ## v1.5.0
>
> ## What's Changed
>
> - Bump dependencies
> - Update GitHub workflows
> - Security hardening by [`@ahacker1-securesaml`](https://github.com/ahacker1-securesaml)
>
> **Full Changelog**: https://github.com/russellhaering/goxmldsig/compare/v1.4.0...v1.5.0 |
||
|
|
7d1865399e
|
Bump github.com/nats-io/nats-server/v2 from 2.12.3 to 2.12.6 (#42338)
Bumps [github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server) from 2.12.3 to 2.12.6.

**Release notes**

*Sourced from [github.com/nats-io/nats-server/v2's releases](https://github.com/nats-io/nats-server/releases).*

> ## Release v2.12.6
>
> ## Changelog
>
> Refer to the [2.12 Upgrade Guide](https://docs.nats.io/release-notes/whats_new/whats_new_212) for backwards compatibility notes with 2.11.x.
>
> ### Go Version
>
> - 1.25.8
>
> ### Dependencies
>
> - golang.org/x/crypto v0.49.0 ([#7953](https://redirect.github.com/nats-io/nats-server/issues/7953))
> - github.com/nats-io/jwt/v2 v2.8.1 ([#7960](https://redirect.github.com/nats-io/nats-server/issues/7960))
> - golang.org/x/sys v0.42.0 ([#7923](https://redirect.github.com/nats-io/nats-server/issues/7923))
> - golang.org/x/time v0.15.0 ([#7923](https://redirect.github.com/nats-io/nats-server/issues/7923))
>
> ### CVEs
>
> - Fixes CVE-2026-33216, CVE-2026-33217, CVE-2026-33215 (affecting systems using MQTT)
> - Fixes CVE-2026-33246 (affects systems using leafnodes and service imports)
> - Fixes CVE-2026-33218 (affects systems using leafnodes)
> - Fixes CVE-2026-33219 (affects systems using WebSockets)
> - Fixes CVE-2026-33223, CVE-2026-33222 (affects systems using JetStream)
> - Fixes CVE-2026-33248 (affects systems using mutual TLS)
> - Fixes CVE-2026-33247 (affects systems providing credentials on the command line)
> - Fixes CVE-2026-33249 (affects systems where client publish permissions should be restricted)
>
> ### Improved
>
> General
>
> - Non-WebSocket leafnode connections can now be proxied using HTTP CONNECT ([#7781](https://redirect.github.com/nats-io/nats-server/issues/7781))
> - The `$SYS.REQ.USER.INFO` response now includes the friendly nametag of the account and/or user if known ([#7973](https://redirect.github.com/nats-io/nats-server/issues/7973))
>
> JetStream
>
> - The stream peer-remove command now accepts a peer ID as well as a server name ([#7952](https://redirect.github.com/nats-io/nats-server/issues/7952))
>
> MQTT
>
> - Protocol compliance has been improved, including more error handling on invalid or malformed MQTT packets ([#7933](https://redirect.github.com/nats-io/nats-server/issues/7933))
>
> ### Fixed
>
> General
>
> - Client connections are no longer registered after an auth callout timeout ([#7932](https://redirect.github.com/nats-io/nats-server/issues/7932))
> - Improved handling of duplicate headers
> - A correctness bug when validating relative distinguished names has been fixed
> - Secrets are now redacted correctly in trace logging ([#7942](https://redirect.github.com/nats-io/nats-server/issues/7942))

... (truncated) |
||
|
|
91362ba2ca
|
Add fleetctl new command (#41909)
**Related issue:** Resolves #41345

# Details

This PR:

* Adds a new `fleetctl new` command which creates a starter GitOps repo file structure
* Adds support for file globs for the `configuration_profiles:` key in GitOps, to support its use in the `fleetctl new` templates. This involved moving the `BaseItem` type and `SupportsFileInclude` interface into the `fleet` package so that the `MDMProfileSpec` type could implement the interface and do glob expansion.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [X] Added/updated automated tests
- [X] added unit and intg tests for globbing profiles
- [ ] added tests for `fleetctl new`
- [X] QA'd all new/changed functionality manually
- [X] `fleetctl new` with no args prompted for org name and created a new `it-and-security` folder under current folder w/ correct files
- [X] `fleetctl new --dir /tmp/testnew` created correct files under `/tmp/testnew`
- [X] `fleetctl new --dir /tmp/testexisting --force` with an existing `/tmp/testexisting` folder created correct files under `/tmp/testexisting`
- [X] `fleetctl new --org-name=foo` created correct files under `it-and-security` without prompting for org name
- [X] `paths:` in `configuration_profiles` picks up multiple matching profiles
- [X] `paths:` + `path:` in `configuration_profiles` will error if the same profile is picked up twice

## Summary by CodeRabbit

* **New Features**
  * Added `fleetctl new` command to initialize GitOps repository structure via CLI.
  * Added glob pattern support for `configuration_profiles` field, enabling flexible profile selection.
* **Chores**
  * Updated CLI dependencies to support enhanced user interactions.
  * Removed legacy website generator configuration files. |
||
|
|
73c386f207
|
Bump google.golang.org/grpc from 1.78.0 to 1.79.3 (#42011)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.78.0 to 1.79.3.

**Release notes**

*Sourced from [google.golang.org/grpc's releases](https://github.com/grpc/grpc-go/releases).*

> ## Release 1.79.3
>
> # Security
>
> - server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like `grpc/authz`. Any request with a non-canonical path is now immediately rejected with an `Unimplemented` error. ([#8981](https://redirect.github.com/grpc/grpc-go/issues/8981))
>
> ## Release 1.79.2
>
> # Bug Fixes
>
> - stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. ([grpc/grpc-go#8874](https://redirect.github.com/grpc/grpc-go/pull/8874))
>
> ## Release 1.79.1
>
> # Bug Fixes
>
> - grpc: Remove the `-dev` suffix from the User-Agent header. ([grpc/grpc-go#8902](https://redirect.github.com/grpc/grpc-go/pull/8902))
>
> ## Release 1.79.0
>
> # API Changes
>
> - mem: Add experimental API `SetDefaultBufferPool` to change the default buffer pool. ([#8806](https://redirect.github.com/grpc/grpc-go/issues/8806))
>   - Special Thanks: [`@vanja-p`](https://github.com/vanja-p)
> - experimental/stats: Update `MetricsRecorder` to require embedding the new `UnimplementedMetricsRecorder` (a no-op struct) in all implementations for forward compatibility. ([#8780](https://redirect.github.com/grpc/grpc-go/issues/8780))
>
> # Behavior Changes
>
> - balancer/weightedtarget: Remove handling of `Addresses` and only handle `Endpoints` in resolver updates. ([#8841](https://redirect.github.com/grpc/grpc-go/issues/8841))
>
> # New Features
>
> - experimental/stats: Add support for asynchronous gauge metrics through the new `AsyncMetricReporter` and `RegisterAsyncReporter` APIs. ([#8780](https://redirect.github.com/grpc/grpc-go/issues/8780))
> - pickfirst: Add support for weighted random shuffling of endpoints, as described in [gRFC A113](https://redirect.github.com/grpc/proposal/pull/535).
>   - This is enabled by default, and can be turned off using the environment variable `GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING`. ([#8864](https://redirect.github.com/grpc/grpc-go/issues/8864))
> - xds: Implement `:authority` rewriting, as specified in [gRFC A81](https://github.com/grpc/proposal/blob/master/A81-xds-authority-rewriting.md). ([#8779](https://redirect.github.com/grpc/grpc-go/issues/8779))
> - balancer/randomsubsetting: Implement the `random_subsetting` LB policy, as specified in [gRFC A68](https://github.com/grpc/proposal/blob/master/A68-random-subsetting.md). ([#8650](https://redirect.github.com/grpc/grpc-go/issues/8650))
>   - Special Thanks: [`@marek-szews`](https://github.com/marek-szews)
>
> # Bug Fixes
>
> - credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. ([#8726](https://redirect.github.com/grpc/grpc-go/issues/8726))
>   - Special Thanks: [`@Atul1710`](https://github.com/Atul1710)
> - xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in `CONNECTING` state. ([#8813](https://redirect.github.com/grpc/grpc-go/issues/8813))
> - health: Fix a bug where health checks failed for clients using legacy compression options (`WithDecompressor` or `RPCDecompressor`). ([#8765](https://redirect.github.com/grpc/grpc-go/issues/8765))
>   - Special Thanks: [`@sanki92`](https://github.com/sanki92)
> - transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. ([#8769](https://redirect.github.com/grpc/grpc-go/issues/8769))
>   - Special Thanks: [`@joybestourous`](https://github.com/joybestourous)
> - server: Propagate status detail headers, if available, when terminating a stream during request header processing. ([#8754](https://redirect.github.com/grpc/grpc-go/issues/8754))
>   - Special Thanks: [`@joybestourous`](https://github.com/joybestourous)
>
> # Performance Improvements
>
> - credentials/alts: Optimize read buffer alignment to reduce copies. ([#8791](https://redirect.github.com/grpc/grpc-go/issues/8791))
> - mem: Optimize pooling and creation of `buffer` objects. ([#8784](https://redirect.github.com/grpc/grpc-go/issues/8784))
> - transport: Reduce slice re-allocations by reserving slice capacity. ([#8797](https://redirect.github.com/grpc/grpc-go/issues/8797)) |
||
|
|
fbc5b9d8b6
|
Updated go to 1.26.1 (#42027)
**Related issue:** Resolves #41749

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. |
||
|
|
ba3746f9fa
|
Fix fleetd crash in Apple M5 hardware by upgrading gopsutil (#41940)
Resolves #41863

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] QA'd all new/changed functionality manually

Tests performed on the following OSs:

- Windows (arm64)
- macOS (Apple silicon)
- Linux (arm64)
- Linux (amd64)

Features tested on the OSs above:

- "My device".
- Restart fleetd.
- Kill fleet desktop, should re-start.
- Killing stale osqueryd processes on orbit startup.
- Checking if osquery is up and running, exit and start.
- Checking if Fleet Desktop is already running before launching it.
- orbit auto update
- Gracefully shutting down Fleet Desktop before restarting it

---

## fleetd/orbit/Fleet Desktop

- [X] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) |
||
|
|
d5eee802eb
|
Detect unknown keys in GitOps (phase 1) (#40963)
**Related issue:** Resolves #40496

# Details

This is the first phase of an effort to detect unknown keys in GitOps .yml files. In the regular `fleetctl gitops` case, it will fail when unknown keys are detected. This behavior can be changed with a new `--allow-unknown-keys` flag which will log the issues and continue.

In this first phase we are detecting unknown keys in _most_ GitOps sections, other than the top-level `org_settings:` and `settings:` sections which have more complicated typing. I will tackle those separately as they require a bit more thought. Also ultimately I'd like us to be doing this validation in a more top-down fashion in one place, rather than spreading it across the code by doing it in each individual section, but this is a good first step.

As a bonus, I invited my pal Mr. Levenshtein to the party so that we can make suggestions when unknown keys are detected, like:

```
* unknown key "queyr" in "./lib/some-report.yml"; did you mean "query"?
```

> Note: the goal is to return as many validation errors as possible to the user, so they don't have to keep running `fleetctl gitops` to get the next error. I did _not_ update any other errors to stop returning early, in an effort to keep this as low-touch as possible.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- [X] Tested this against existing it-and-security folder and one with updated keys from https://github.com/fleetdm/fleet/pull/40959; no unknown keys detected
- [X] Added unknown keys at various levels, GitOps errored with helpful messages
- [X] Same as above but with `--allow-unknown-keys`; GitOps outputted helpful messages but continued.

## Summary by CodeRabbit

* **New Features**
  * GitOps runs now fail when unknown or misspelled keys are present in configuration files.
  * New CLI flag --allow-unknown-keys lets unknown keys be treated as warnings instead of errors.
  * Unknown-key messages include suggested valid key names to help correct mistakes.
* **Tests**
  * Expanded test coverage to validate unknown-key detection and the allow-as-warning option.

---------

Co-authored-by: Ian Littman <iansltx@gmail.com> |
||
|
|
2c56b89072
|
Support globs in script paths in GitOps (#40799)
**Related issue:** Resolves #40302

# Details

This PR adds support for a `paths:` key for scripts declared under `controls:` in a GitOps fleet file. If supplied, `paths:` must contain a "glob" expression (as [supported by the doublestar package](https://github.com/bmatcuk/doublestar?tab=readme-ov-file#patterns)). The existing `path:` key still works but may not contain glob expressions. When a `paths:` key is encountered, we expand it and add all matching valid (as in, `.sh` or `.ps1`) files to the set of script files to process.

Subsequent PRs will add this functionality to other entities that use `path:` (such as reports and policies).

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually

Tried with various combinations of `*` and `**` in gitops runs, and mixing of `path:` and `paths:` |
||
|
|
62186cb6bd
|
Final slog migration PR: test infrastructure + tools + remaining standalone files (#40727)
**Related issue:** Resolves #40540

go-kit/log is no longer a direct dependency; moved kitlog adapter required for some 3rd party libraries into its own package

# Checklist for submitter

- [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.
- Present in previous PR

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **Chores**
  * Modernized logging across the codebase: switched from legacy logging wrappers to Go's standard slog, updated adapters, tests, tools, and server components.
  * Threaded the new slog logger through test utilities and tooling; adjusted a small number of logging-related function/constructor signatures to accept the new logger type (minor compatibility updates). |
||
|
|
3cda538f37
|
Bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 (#40531)
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.6.1 to 1.6.3.

**Release notes**

*Sourced from [github.com/cloudflare/circl's releases](https://github.com/cloudflare/circl/releases).*

> ## CIRCL v1.6.3
>
> Fix a bug on ecc/p384 scalar multiplication.
>
> ### What's Changed
>
> - sign/mldsa: Check opts for nil value by [`@armfazh`](https://github.com/armfazh) in [cloudflare/circl#582](https://redirect.github.com/cloudflare/circl/pull/582)
> - ecc/p384: Point addition must handle point doubling case. by [`@armfazh`](https://github.com/armfazh) in [cloudflare/circl#583](https://redirect.github.com/cloudflare/circl/pull/583)
> - Release CIRCL v1.6.3 by [`@armfazh`](https://github.com/armfazh) in [cloudflare/circl#584](https://redirect.github.com/cloudflare/circl/pull/584)
>
> **Full Changelog**: https://github.com/cloudflare/circl/compare/v1.6.2...v1.6.3
>
> ## CIRCL v1.6.2
>
> - New SLH-DSA, improvements in ML-DSA for arm64.
> - Tested compilation on WASM.
>
> ## What's Changed
>
> - Optimize pairing product computation by moving exponentiations to G1. by [`@dfaranha`](https://github.com/dfaranha) in [cloudflare/circl#547](https://redirect.github.com/cloudflare/circl/pull/547)
> - sign: Adding SLH-DSA signature by [`@armfazh`](https://github.com/armfazh) in [cloudflare/circl#512](https://redirect.github.com/cloudflare/circl/pull/512)
> - Update code generators to CIRCL v1.6.1. by [`@armfazh`](https://github.com/armfazh) in [cloudflare/circl#548](https://redirect.github.com/cloudflare/circl/pull/548)
> - ML-DSA: Add preliminary Wycheproof test vectors by [`@bwesterb`](https://github.com/bwesterb) in [cloudflare/circl#552](https://redirect.github.com/cloudflare/circl/pull/552)
> - go fmt by [`@bwesterb`](https://github.com/bwesterb) in [cloudflare/circl#554](https://redirect.github.com/cloudflare/circl/pull/554)
> - gz-compressing test vectors, use of HexBytes and ReadGzip functions. by [`@armfazh`](https://github.com/armfazh) in [cloudflare/circl#555](https://redirect.github.com/cloudflare/circl/pull/555)
> - group: Removes use of elliptic Marshal and Unmarshal functions. by [`@armfazh`](https://github.com/armfazh) in [cloudflare/circl#556](https://redirect.github.com/cloudflare/circl/pull/556)
> - Support encoding/decoding ML-DSA private keys (as long as they contain seeds) by [`@bwesterb`](https://github.com/bwesterb) in [cloudflare/circl#559](https://redirect.github.com/cloudflare/circl/pull/559)
> - Update to golangci-lint v2 by [`@bwesterb`](https://github.com/bwesterb) in [cloudflare/circl#560](https://redirect.github.com/cloudflare/circl/pull/560)
> - Preparation for ARM64 Implementation of poly operations for dilithium package. by [`@elementrics`](https://github.com/elementrics) in [cloudflare/circl#562](https://redirect.github.com/cloudflare/circl/pull/562)
> - prepare power2Round for custom implementations in assembly by [`@elementrics`](https://github.com/elementrics) in [cloudflare/circl#564](https://redirect.github.com/cloudflare/circl/pull/564)
> - ARM64 implementation for poly.PackLe16 by [`@elementrics`](https://github.com/elementrics) in [cloudflare/circl#563](https://redirect.github.com/cloudflare/circl/pull/563)
> - add arm64 version of polyMulBy2toD by [`@elementrics`](https://github.com/elementrics) in [cloudflare/circl#565](https://redirect.github.com/cloudflare/circl/pull/565)
> - add arm64 version of polySub by [`@elementrics`](https://github.com/elementrics) in [cloudflare/circl#566](https://redirect.github.com/cloudflare/circl/pull/566)
> - group: add byteLen method for short groups and RandomScalar uses rand.Int by [`@armfazh`](https://github.com/armfazh) in [cloudflare/circl#568](https://redirect.github.com/cloudflare/circl/pull/568)
> - add arm64 version of poly.Add/Sub by [`@elementrics`](https://github.com/elementrics) in [cloudflare/circl#572](https://redirect.github.com/cloudflare/circl/pull/572)
> - group: Adding cryptobyte marshaling to scalars by [`@armfazh`](https://github.com/armfazh) in [cloudflare/circl#569](https://redirect.github.com/cloudflare/circl/pull/569)
> - Bumping up to Go1.25 by [`@armfazh`](https://github.com/armfazh) in [cloudflare/circl#574](https://redirect.github.com/cloudflare/circl/pull/574)
> - ci: Including WASM compilation. by [`@armfazh`](https://github.com/armfazh) in [cloudflare/circl#577](https://redirect.github.com/cloudflare/circl/pull/577)
> - Revert to using package-declared HPKE errors for shortkem instead of standard library errors by [`@harshiniwho`](https://github.com/harshiniwho) in [cloudflare/circl#578](https://redirect.github.com/cloudflare/circl/pull/578)
> - Release v1.6.2 by [`@armfazh`](https://github.com/armfazh) in [cloudflare/circl#579](https://redirect.github.com/cloudflare/circl/pull/579)
>
> ## New Contributors
>
> - [`@dfaranha`](https://github.com/dfaranha) made their first contribution in [cloudflare/circl#547](https://redirect.github.com/cloudflare/circl/pull/547)
> - [`@elementrics`](https://github.com/elementrics) made their first contribution in [cloudflare/circl#562](https://redirect.github.com/cloudflare/circl/pull/562)
> - [`@harshiniwho`](https://github.com/harshiniwho) made their first contribution in [cloudflare/circl#578](https://redirect.github.com/cloudflare/circl/pull/578)
>
> **Full Changelog**: https://github.com/cloudflare/circl/compare/v1.6.1...v1.6.2 |
||
|
|
6c584e889a
|
Bump github.com/nats-io/nats-server/v2 from 2.12.1 to 2.12.3 (#40406)
Bumps [github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server) from 2.12.1 to 2.12.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nats-io/nats-server/releases">github.com/nats-io/nats-server/v2's releases</a>.</em></p> <blockquote> <h2>Release v2.12.3</h2> <h2>Changelog</h2> <p>Refer to the <a href="https://docs.nats.io/release-notes/whats_new/whats_new_212">2.12 Upgrade Guide</a> for backwards compatibility notes with 2.11.x.</p> <h3>Go Version</h3> <ul> <li>1.25.5 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7604">#7604</a>)</li> </ul> <h3>Dependencies</h3> <ul> <li>github.com/google/go-tpm v0.9.7 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7578">#7578</a>)</li> <li>github.com/nats-io/nkeys v0.4.12 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7578">#7578</a>)</li> <li>golang.org/x/crypto v0.45.0 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7578">#7578</a>)</li> <li>github.com/klauspost/compress v1.18.2 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7604">#7604</a>)</li> <li>github.com/antithesishq/antithesis-sdk-go v0.5.0-default-no-op (<a href="https://redirect.github.com/nats-io/nats-server/issues/7604">#7604</a>)</li> <li>golang.org/x/crypto v0.46.0 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7648">#7648</a>)</li> <li>golang.org/x/sys v0.39.0 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7648">#7648</a>)</li> </ul> <h3>Added</h3> <p>General</p> <ul> <li>Added WebSocket-specific ping interval configuration with <code>ping_internal</code> in the <code>websocket</code> block (<a href="https://redirect.github.com/nats-io/nats-server/issues/7614">#7614</a>)</li> </ul> <h3>Improved</h3> <p>JetStream</p> <ul> <li>The scan for the last sourced message sequence when setting up a subject-filtered source is now considerably faster (<a 
href="https://redirect.github.com/nats-io/nats-server/issues/7553">#7553</a>)</li> <li>The metalayer will now stage and deduplicate recovery operations at startup, instead of rapidly applying and then undoing conflicting assignments (<a href="https://redirect.github.com/nats-io/nats-server/issues/7540">#7540</a>)</li> <li>Consumer interest checks on interest-based streams are now significantly faster when there are large gaps in interest (<a href="https://redirect.github.com/nats-io/nats-server/issues/7656">#7656</a>)</li> </ul> <p>MQTT</p> <ul> <li>Retained messages will now work correctly even when sourced from a different account and has a subject transform (<a href="https://redirect.github.com/nats-io/nats-server/issues/7636">#7636</a>)</li> </ul> <h3>Fixed</h3> <p>General</p> <ul> <li>WebSocket connections will now correctly limit the buffer size during decompression (<a href="https://redirect.github.com/nats-io/nats-server/issues/7625">#7625</a>, thanks to Pavel Kokout at Aisle Research)</li> </ul> <p>JetStream</p> <ul> <li>A protocol error caused by an invalid transform of acknowledgement reply subjects when originating from a gateway connection has been fixed (<a href="https://redirect.github.com/nats-io/nats-server/issues/7579">#7579</a>)</li> <li>The meta layer will now only respond to peer remove requests after quorum has been reached (<a href="https://redirect.github.com/nats-io/nats-server/issues/7581">#7581</a>)</li> <li>Invalid subject filters containing non-terminating full wildcard no longer produce unexpected matches (<a href="https://redirect.github.com/nats-io/nats-server/issues/7585">#7585</a>)</li> <li>A data race when creating a stream in clustered mode has been fixed (<a href="https://redirect.github.com/nats-io/nats-server/issues/7586">#7586</a>)</li> <li>Raft will no longer allow multiple membership changes to take place concurrently (<a href="https://redirect.github.com/nats-io/nats-server/issues/7565">#7565</a>, <a 
href="https://redirect.github.com/nats-io/nats-server/issues/7609">#7609</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
6769d8dd3a
|
Bump shogo82148/rdsmysql/v2 v2.4.0 to v2.5.0 (#40103)
https://github.com/shogo82148/rdsmysql/pull/222

Adds AWS GovCloud RDS CA certificates (us-gov-east-1, us-gov-west-1) to the rdsmysql TLS bundle, improving compatibility for Fleet deployments in AWS GovCloud regions.

Transitive dependency updates pulled in by rdsmysql v2.5.0:
- github.com/aws/aws-sdk-go-v2 and related submodules (minor bumps)
- github.com/go-sql-driver/mysql v1.9.1 -> v1.9.3
- filippo.io/edwards25519 v1.1.0 -> v1.1.1

**Related issue:** Resolves https://github.com/fleetdm/fleet/issues/40148

## Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] QA'd all new/changed functionality manually — dependency bump only; ran full local test suite across all affected packages (`server/platform/mysql`, `server/logging`, `server/config`, `server/mail`) with no regressions. `go mod verify` passed. |
||
|
|
2c5733a374
|
Bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#40113)
Bumps
[filippo.io/edwards25519](https://github.com/FiloSottile/edwards25519)
from 1.1.0 to 1.1.1.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="
|
||
|
|
e9f9d5a7d5
|
Remove github.com/apex/log dependency only used in a tool (#39822)
Realized this when developing in VSCode and typing `log.` then it auto-imported that apex/log thing, which seems we only use in a tool. |
||
|
|
1085d66f6f
|
Update macadmins/osquery-extensions to v1.3.2 (#39691)
Resolves #39642.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [X] QA'd all new/changed functionality manually

```sh
fleetd 1.51.1:
osquery> .schema munki_installs
CREATE TABLE munki_installs(`installed_version` TEXT, `installed` TEXT, `name` TEXT, `end_time` TEXT, `display_name` TEXT);

Using this branch:
osquery> .schema munki_installs
CREATE TABLE munki_installs(`installed_version` TEXT, `version_to_install` TEXT, `installed` TEXT, `name` TEXT, `end_time` TEXT, `display_name` TEXT);
```

## fleetd/orbit/Fleet Desktop

- [X] Verified that fleetd runs on macOS
- [X] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) |
||
|
|
c1e3e89b5f
|
Bump github.com/go-git/go-git/v5 from 5.13.0 to 5.16.5 (#39590)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.13.0 to 5.16.5. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/go-git/go-git/releases">github.com/go-git/go-git/v5's releases</a>.</em></p> <blockquote> <h2>v5.16.5</h2> <h2>What's Changed</h2> <ul> <li>build: Update module golang.org/x/crypto to v0.45.0 [SECURITY] (releases/v5.x) by <a href="https://github.com/go-git-renovate"><code>@go-git-renovate</code></a>[bot] in <a href="https://redirect.github.com/go-git/go-git/pull/1744">go-git/go-git#1744</a></li> <li>build: Bump Go test versions to 1.23-1.25 (v5) by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1746">go-git/go-git#1746</a></li> <li>[v5] git: worktree, Don't delete local untracked files when resetting worktree by <a href="https://github.com/Ch00k"><code>@Ch00k</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1800">go-git/go-git#1800</a></li> <li>Expand packfile checks by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1836">go-git/go-git#1836</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.16.4...v5.16.5">https://github.com/go-git/go-git/compare/v5.16.4...v5.16.5</a></p> <h2>v5.16.4</h2> <h2>What's Changed</h2> <ul> <li>backport plumbing: format/idxfile, prevent panic by <a href="https://github.com/swills"><code>@swills</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1732">go-git/go-git#1732</a></li> <li>[backport] build: test, Fix build on Windows. 
by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1734">go-git/go-git#1734</a></li> <li>build: Update module golang.org/x/net to v0.38.0 [SECURITY] (releases/v5.x) by <a href="https://github.com/go-git-renovate"><code>@go-git-renovate</code></a>[bot] in <a href="https://redirect.github.com/go-git/go-git/pull/1742">go-git/go-git#1742</a></li> <li>build: Update module github.com/cloudflare/circl to v1.6.1 [SECURITY] (releases/v5.x) by <a href="https://github.com/go-git-renovate"><code>@go-git-renovate</code></a>[bot] in <a href="https://redirect.github.com/go-git/go-git/pull/1741">go-git/go-git#1741</a></li> <li>build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] (releases/v5.x) by <a href="https://github.com/go-git-renovate"><code>@go-git-renovate</code></a>[bot] in <a href="https://redirect.github.com/go-git/go-git/pull/1743">go-git/go-git#1743</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.16.3...v5.16.4">https://github.com/go-git/go-git/compare/v5.16.3...v5.16.4</a></p> <h2>v5.16.3</h2> <h2>What's Changed</h2> <ul> <li>internal: Expand regex to fix build [5.x] by <a href="https://github.com/baloo"><code>@baloo</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1644">go-git/go-git#1644</a></li> <li>build: raise timeouts for windows CI tests and disable CIFuzz [5.x] by <a href="https://github.com/baloo"><code>@baloo</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1646">go-git/go-git#1646</a></li> <li>plumbing: support commits extra headers, support jujutsu signed commit [5.x] by <a href="https://github.com/baloo"><code>@baloo</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1633">go-git/go-git#1633</a></li> </ul> <p><strong>Full Changelog</strong>: <a 
href="https://github.com/go-git/go-git/compare/v5.16.2...v5.16.3">https://github.com/go-git/go-git/compare/v5.16.2...v5.16.3</a></p> <h2>v5.16.2</h2> <h2>What's Changed</h2> <ul> <li>utils: fix diff so subpaths work for sparse checkouts, fixes 1455 to releases/v5.x by <a href="https://github.com/kane8n"><code>@kane8n</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1567">go-git/go-git#1567</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.16.1...v5.16.2">https://github.com/go-git/go-git/compare/v5.16.1...v5.16.2</a></p> <h2>v5.16.1</h2> <h2>What's Changed</h2> <ul> <li>utils: merkletrie, Fix diff on sparse-checkout index. Fixes <a href="https://redirect.github.com/go-git/go-git/issues/1406">#1406</a> to releases/v5.x by <a href="https://github.com/kane8n"><code>@kane8n</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1561">go-git/go-git#1561</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/kane8n"><code>@kane8n</code></a> made their first contribution in <a href="https://redirect.github.com/go-git/go-git/pull/1561">go-git/go-git#1561</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.16.0...v5.16.1">https://github.com/go-git/go-git/compare/v5.16.0...v5.16.1</a></p> <h2>v5.16.0</h2> <h2>What's Changed</h2> <ul> <li>[v5] plumbing: support mTLS for HTTPS protocol by <a href="https://github.com/hiddeco"><code>@hiddeco</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1510">go-git/go-git#1510</a></li> <li>v5: plumbing: transport, Reintroduce SetHostKeyCallback. Fix <a href="https://redirect.github.com/go-git/go-git/issues/1514">#1514</a> by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1515">go-git/go-git#1515</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
d4906dd3d6
|
Update to Go 1.25.7 (#39584)
- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. |
||
|
|
a10f05486f
|
Added OTEL log export support (#39279)
**Related issue:** Resolves #38607

Contributor docs update: https://github.com/fleetdm/fleet/pull/39285/changes
Another contributor docs update: https://github.com/fleetdm/fleet/pull/39402/changes

Also:
- renamed OtelHandler to OtelTracingHandler
- made "opentelemetry" be the default when tracing is enabled
- updated OTEL dependencies

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## New Fleet configuration settings

- [x] Setting(s) is/are explicitly excluded from GitOps

## Summary by CodeRabbit

* **New Features**
  * Added OpenTelemetry log export capability, enabling logs to be sent to OpenTelemetry collectors.
  * New configuration option `logging.otel_logs_enabled` (requires tracing to be enabled).
* **Chores**
  * Updated OpenTelemetry dependencies to v1.40.0 with latest OTLP exporters and logging support.
  * Updated dependencies including gRPC (v1.78.0), Google libraries, and cryptography packages. |
||
|
|
7c9713d08f
|
Fix panic in gRPC launcher API handler (#39409)
- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [X] QA'd all new/changed functionality manually |
||
|
|
3a0b72a329
|
Add gzip support to API handlers (#38675)
**Related issue:** Resolves #37944

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [x] QA'd all new/changed functionality manually

## New Fleet configuration settings

- [x] Setting(s) is/are explicitly excluded from GitOps (it's a server configuration) |
||
|
|
ec06952245
|
Bump Alpine (to 3.23.3), Go (to 1.25.6) to resolve vulns (#38973) | ||
|
|
07949df530
|
Improved OpenTelemetry error handling (#38757)
**Related issue:** Resolves #38756

- Changed to NOT mark many client errors as exceptions
- Instead, added client_error and server_error metrics that can be used to alert on unusual error rates

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **New Features**
  * Added separate metrics for distinguishing between client and server errors, enhancing observability and monitoring capabilities.
* **Bug Fixes**
  * Client request errors no longer incorrectly appear in error tracking as exceptions; improved accuracy of error reporting to external services.
  * Adjusted logging levels for authentication and enrollment operations to provide clearer diagnostics. |
||
|
|
393531b624
|
Implement trusted proxies config (#38471)
**Related issue:** Resolves #

# Details

Adds a new `FLEET_SERVER_TRUSTED_PROXIES` config, allowing more fine-grained control over how the client IP is determined for requests. Uses the [realclientip-go](https://github.com/realclientip/realclientip-go) library as the engine for parsing headers and using rules to determine the IP.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **New Features**
  * Introduced FLEET_SERVER_TRUSTED_PROXIES configuration option to specify trusted proxy IPs and hosts. The server now supports flexible client IP detection strategies that respect your proxy configuration, with support for multiple formats including single IP header names, hop counts, and IP address ranges, adapting to various infrastructure setups and deployment scenarios. |
||
|
|
e225ef5791
|
Improve Microsoft endpoint validation (#38180)
**Related issue:** Resolves #13698

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually |
||
|
|
116c8ddb4f
|
Remove valyala/fastjson and valyala/fasttemplate dependencies (#37914)
Context: https://fleetdm.slack.com/archives/C019WG4GH0A/p1767713469571139

Replaced `valyala` dependencies and now relying on `json.Unmarshal` and manual traversal of `Template` subjects, such as [this one](https://github.com/fleetdm/fleet/blob/main/server/logging/nats_test.go#L113)

# Checklist for submitter

## Testing

- [x] ~~Added/updated automated tests~~ I'm relying on existing tests on `nats_test.go` which already cover using a `Template` subject, namely:
  https://github.com/fleetdm/fleet/blob/main/server/logging/nats_test.go#L112-L132
  https://github.com/fleetdm/fleet/blob/main/server/logging/nats_test.go#L194-L245
  https://github.com/fleetdm/fleet/blob/main/server/logging/nats_test.go#L301-L356
- [ ] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually

Ran `nats-server`, subscribed to all subjects by running `nats --server=nats://localhost:4222 subscribe ">"` and got logs from this query:

<img width="675" height="411" alt="Screenshot 2026-01-06 at 4 12 52 PM" src="https://github.com/user-attachments/assets/e4e6e5d0-53ac-4b09-9810-b6032794d5f3" />
<img width="773" height="165" alt="Screenshot 2026-01-06 at 4 11 16 PM" src="https://github.com/user-attachments/assets/6f58d1f1-272b-40b3-96f5-1659c0bbb918" />
<img width="2541" height="119" alt="Screenshot 2026-01-06 at 4 11 06 PM" src="https://github.com/user-attachments/assets/2e61acac-063c-4cdd-aeee-871031600125" /> |
||
|
|
b6d19de0d9
|
Add support for publishing logs to NATS. (#36527)
**Related issue:** Resolves [34890](https://github.com/fleetdm/fleet/issues/34890)

# Checklist for submitter

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually

## New Fleet configuration settings

Looking at other log destinations, I couldn't find anything relevant in GitOps. Please let me know if I missed something, however.

## fleetd/orbit/Fleet Desktop

I've tested this on both Linux and MacOS.

---------

Co-authored-by: Rachael Shaw <r@rachael.wtf>
Co-authored-by: nulmete <nicoulmete1@gmail.com> |
||
|
|
e68a129eb9
|
Fix build warning (#37257)
Fixing the following warning:
```
$ make fleet
[...]
# github.com/shoenig/go-m1cpu
../../gopath/pkg/mod/github.com/shoenig/go-m1cpu@v0.1.6/cpu.go:75:17: warning: variable length array folded to constant array as an extension [-Wgnu-folding-constant]
../../gopath/pkg/mod/github.com/shoenig/go-m1cpu@v0.1.6/cpu.go:77:16: warning: variable length array folded to constant array as an extension [-Wgnu-folding-constant]
```

PS: This warning happens when building fleet because we need to decouple the client code from `server/service`... (hopefully to be done as part of https://github.com/fleetdm/fleet/issues/36087) |
||
|
|
62755cbd82
|
Bump Go to 1.25.5, Alpine to 3.23.0 where relevant, bump Trivy to current version (#36848)
Fixes vulns reported in https://github.com/fleetdm/fleet/actions/runs/19999992703. We'll definitely want to at least cherry-pick this. |
||
|
|
61c51672e4
|
Bootstrapping Android app (#36233)
**Related issue:** Resolves #36202

Updated how Android agent starts. See README updates.

# Checklist for submitter

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **New Features**
  * Periodic configuration check scheduled every 15 minutes in the Android agent
  * Improved Android management notification handling and app-role support
* **Documentation**
  * Updated Android MDM deployment guide with SHA256 fingerprint instructions and build configuration snippets
* **Chores**
  * Added WorkManager and AMAPI SDK for Android; updated Android/Go tooling and library versions
* **Tests**
  * Added unit test coverage for the periodic config worker |
||
|
|
0cbf0d532a
|
Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#36040)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.41.0 to 0.45.0. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
27e6c21a88
|
Bump github.com/opencontainers/selinux from 1.11.0 to 1.13.0 (#35381) | ||
|
|
e2f527adaf
|
Bump github.com/containerd/containerd from 1.7.27 to 1.7.29 (#35274)
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.27 to 1.7.29. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/containerd/containerd/releases">github.com/containerd/containerd's releases</a>.</em></p> <blockquote> <h2>containerd 1.7.29</h2> <p>Welcome to the v1.7.29 release of containerd!</p> <p>The twenty-ninth patch release for containerd 1.7 contains various fixes and updates including security patches.</p> <h3>Security Updates</h3> <ul> <li> <p><strong>containerd</strong></p> <ul> <li><a href="https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w"><strong>GHSA-pwhc-rpq9-4c8w</strong></a></li> <li><a href="https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2"><strong>GHSA-m6hq-p25p-ffr2</strong></a></li> </ul> </li> <li> <p><strong>runc</strong></p> <ul> <li><a href="https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"><strong>GHSA-qw9x-cqr3-wc7r</strong></a></li> <li><a href="https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"><strong>GHSA-cgrx-mc8f-2prm</strong></a></li> <li><a href="https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2"><strong>GHSA-9493-h29p-rfm2</strong></a></li> </ul> </li> </ul> <h3>Highlights</h3> <h4>Image Distribution</h4> <ul> <li><strong>Update differ to handle zstd media types</strong> (<a href="https://redirect.github.com/containerd/containerd/pull/12018">#12018</a>)</li> </ul> <h4>Runtime</h4> <ul> <li><strong>Update runc binary to v1.3.3</strong> (<a href="https://redirect.github.com/containerd/containerd/pull/12480">#12480</a>)</li> <li><strong>Fix lost container logs from quickly closing io</strong> (<a href="https://redirect.github.com/containerd/containerd/pull/12375">#12375</a>)</li> </ul> <p>Please try out the release binaries and report any issues at <a 
href="https://github.com/containerd/containerd/issues">https://github.com/containerd/containerd/issues</a>.</p> <h3>Contributors</h3> <ul> <li>Derek McGowan</li> <li>Akihiro Suda</li> <li>Phil Estes</li> <li>Austin Vazquez</li> <li>Sebastiaan van Stijn</li> <li>ningmingxiao</li> <li>Maksym Pavlenko</li> <li>StepSecurity Bot</li> <li>wheat2018</li> </ul> <h3>Changes</h3> <!-- raw HTML omitted --> <ul> <li><a href=" |
||
|
|
a910347683
|
Bump macadmins extension to v1.2.7, map crowdstrike_falcon table (#34553)
Fixes #33967, #33193, #35149.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [ ] QA'd all new/changed functionality manually

## fleetd/orbit/Fleet Desktop

- [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux (skipped Windows due to runtime.GOOS gating)
- [ ] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) |
||
|
|
072ee68eda
|
Updating to Go 1.25.3 (#35082) |