<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40317
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] Added/updated automated tests
With the current router we have in place, we can't really test `<Link>`
elements, so our ability to make useful automated tests is pretty
limited here. I extracted the fleet name sorting code into an exported
function and added some tests for that.
- [X] QA'd all new/changed functionality manually
- [X] verified that when All Fleets is selected in dropdown, navigating
to Controls switches to Workstations
- [X] verified that when another fleet is selected in dropdown,
navigating to Controls maintains that selection
- [X] verified that when a fleet is selected in dropdown, navigating to
the dashboard changes to All Fleets
- [X] verified that when "Unassigned" is present in the fleets dropdown,
it is at the bottom
- [X] verified that when using a permalink to the dashboard with a fleet
selected (e.g. `?fleet_id=1`), the correct fleet shows as selected
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42184
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Added support for GitOps exceptions per entity type (labels, software,
secrets), allowing specific areas to bypass GitOps mode restrictions
when configured.
* **Bug Fixes**
* Improved GitOps mode behavior to properly respect per-entity-type
exception settings across software, labels, and secrets management.
* **Tests**
* Extended test coverage for GitOps exception handling scenarios.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42591
Docs updated here: https://github.com/fleetdm/fleet/pull/42653/changes
# Checklist for submitter
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Enhanced Windows MDM profile deletion and cleanup to properly handle
shared configuration settings across multiple profiles, preventing
unintended removal of settings required by other profiles.
* Improved reliability of profile management when multiple profiles use
overlapping configuration settings.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39190https://www.loom.com/share/3c1828f03c584756b7ed8f3ba75a1038
<img width="1840" height="1196" alt="Screenshot 2026-03-30 at 1 08
32 PM"
src="https://github.com/user-attachments/assets/592c9396-65b4-4723-99e7-63f9ee0264c1"
/>
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Resolved host filtering by software version when the version is not
available on the selected team; now returns software information instead
of an error.
* Fixed a related UI issue caused by the original filtering behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Replaces separate cadences for different event types (field/sales
events settled per sprint, conferences settled per quarter) with a
single quarterly event strategy meeting that covers all event types
(conferences, field/sales events, and GitOps workshops).
- Simplifies the meeting agenda from a two-step process to one decision
covering all events for the following quarter.
## Changes
In `handbook/marketing/event-execution.md`, the "Settle event strategy"
section was updated to:
- Remove the two separate settlement timelines (1 sprint for
field/sales, 1 quarter for conferences)
- Establish one quarterly meeting cadence for all event types
- Consolidate the meeting agenda into a single step instead of
"first...next..."
Built for
[mikermcneil](https://fleetdm.slack.com/archives/D0AFASLRHNU/p1774469541717269)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Sam Pfluger <108141731+Sampfluger88@users.noreply.github.com>
Co-authored-by: Ashish Kuthiala <53918208+akuthiala@users.noreply.github.com>
## Summary
Instead of removing the hotel check-in time block entirely, this PR
updates the CEO travel instructions to:
- Keep the 30-minute check-in time block, but never schedule it before
the hotel's official check-in time
- If the CEO arrives before the hotel's check-in time, call the hotel
ahead of time to request early check-in and note it in the calendar
event agenda
- If early check-in is not available, schedule the check-in at the
hotel's official check-in time
Built for [Savannah
Friend](https://fleetdm.slack.com/archives/D0AK3T404H3/p1774560399725619)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
We're keeping the tested version at 6 for now until we have a CI matrix
to test multiple versions. We run both 6.x and 7.x in production and if
we shipped 7+ code we'd break things.
This PR also fixes a spot I missed when mentioning MySQL version
compatibility.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#34433 Part 2
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information. Added by first PR
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Profiles now install during device enrollment setup
* **Bug Fixes**
* Enhanced Apple MDM profile synchronization to handle concurrent
processing scenarios
* Improved profile reconciliation to prevent conflicts when multiple
workers process the same device simultaneously
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42492
Includes changes from running ingestions on all FMAs
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41710
Updates (only) macOS software title names on FMA catalog sync.
Updates software title names on installer upload for Windows FMAs with
an upgrade code.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
Resolves#42456.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [X] Confirmed that the fix is not expected to adversely impact load
test results
Related issue: Resolves https://github.com/fleetdm/fleet/issues/41571
It appears that there is some sort of error with shallow cloning.
```
Run echo "=== Generating OSV Artifacts for Ubuntu ==="
=== Generating OSV Artifacts for Ubuntu ===
=== OSV Repository Sync ===
Repository exists, updating with rolling window...
fatal: error processing shallow info: 4
Error: Process completed with exit code 128.
```
Since we are only keeping a limited history of the repository via cache
before re-clone, fall back to doing a regular `git pull`. This avoids
the complicated shallow cloning / Git having to reconcile the
overlapping but different shallow boundaries, which can cause "error
processing shallow info: 4".
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Modified repository synchronization to use full fetches instead of
rolling-window shallow fetches.
* Updated sync status messaging for clarity.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Bumps [golang.org/x/image](https://github.com/golang/image) from 0.18.0
to 0.38.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="23ae9ed61c"><code>23ae9ed</code></a>
tiff: cap buffer growth to prevent OOM from malicious IFD offset</li>
<li><a
href="e589e60f29"><code>e589e60</code></a>
webp: allow VP8L + VP8X(with alpha)</li>
<li><a
href="fe7d73de74"><code>fe7d73d</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="e3d762b1d3"><code>e3d762b</code></a>
all: upgrade go directive to at least 1.25.0 [generated]</li>
<li><a
href="833c6ed987"><code>833c6ed</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="bc7fe0b43a"><code>bc7fe0b</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="c53c97f4ed"><code>c53c97f</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="9032ff7c7b"><code>9032ff7</code></a>
all: eliminate vet diagnostics</li>
<li><a
href="9c9d08c65c"><code>9c9d08c</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="742b1b756d"><code>742b1b7</code></a>
all: fix some comments</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/image/compare/v0.18.0...v0.38.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/fleetdm/fleet/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36751
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- [X] Verified that `fleetctl generate-gitops` correctly outputs
policies with `install_software.fleet_maintained_app_slug` populated
when the policies have FMA automation
- [X] Verified that running `fleetctl gitops` using files with
`install_software.fleet_maintained_app_slug` creates/updates FMA policy
automation correctly
- [X] Verified no changes to the above for custom packages or VPP apps
- [X] Verified that when software is excepted from GitOps, FMA policy
automations still work (correctly validates FMAs exist before applying)
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [X] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
checking on this
- [X] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [X] Verified that any relevant UI is disabled when GitOps mode is
enabled
Bumps [jsrsasign](https://github.com/kjur/jsrsasign) from 11.1.0 to
11.1.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/kjur/jsrsasign/blob/master/ChangeLog.txt">jsrsasign's
changelog</a>.</em></p>
<blockquote>
<p>ChangeLog for jsrsasign</p>
<ul>
<li>Changes from 11.1.0 to 11.1.1 (2026-Feb-20)
<ul>
<li>security fix for DSA and BigInteger
<ul>
<li>PR <a
href="https://redirect.github.com/kjur/jsrsasign/issues/651">#651</a>,
<a
href="https://redirect.github.com/kjur/jsrsasign/issues/650">#650</a>,
<a
href="https://redirect.github.com/kjur/jsrsasign/issues/649">#649</a>,
<a
href="https://redirect.github.com/kjur/jsrsasign/issues/648">#648</a>,
<a
href="https://redirect.github.com/kjur/jsrsasign/issues/647">#647</a>,
<a
href="https://redirect.github.com/kjur/jsrsasign/issues/646">#646</a>,
<a
href="https://redirect.github.com/kjur/jsrsasign/issues/645">#645</a>.
Thank you <a
href="https://github.com/Kr0remer"><code>@Kr0remer</code></a></li>
<li>After assigned CVE number reports will be added.</li>
</ul>
</li>
<li>SECURITY.md added. Thank you <a
href="https://github.com/njg7194"><code>@njg7194</code></a></li>
</ul>
</li>
</ul>
<p>restore KJUR.crypto.Cipher class without RSA/RSAOAEP support</p>
<ul>
<li>Changes from 11.0.0 to 11.1.0 (2024-Feb-01)
<ul>
<li>src/crypto.js
<ul>
<li>restore KJUR.crypto.Cipher class without RSA and RSAOAEP
encryption/decryption support</li>
</ul>
</li>
</ul>
</li>
</ul>
<p>remove RSA and RSAOAEP encryption for Marvin attack</p>
<ul>
<li>Changes from 10.9.0 to 11.0.0 (2024-Jan-16)
<ul>
<li>remove RSA PKCS#1.5 end OAEP encryption/decryption for Marvin attack
(<a
href="https://redirect.github.com/kjur/jsrsasign/issues/598">#598</a>)</li>
<li>src/crypto.js
<ul>
<li>remove KJUR.crypto.Cipher class for RSA and RSAOAEP
encryption/decryption</li>
</ul>
</li>
<li>ext/{rsa,rsa2}.js
remove encrypt/decrypt/encryptOAEP/decryptOAEP for RSAKey class</li>
</ul>
</li>
</ul>
<p>enhanced support for encrypted PKCS8</p>
<ul>
<li>Changes from 10.8.6 to 10.9.0 (2023-Nov-27)
<ul>
<li>KEYUTIL.getPEM is updated not to use weak ciphers (<a
href="https://redirect.github.com/kjur/jsrsasign/issues/599">#599</a>)
<ul>
<li>default encryptionScheme is changed from des-EDE3-CBC to
aes256-CBC</li>
<li>default prf is changed from hmacWithSHA1 to hmacWithSHA256</li>
</ul>
</li>
<li>src/keyutil.js
<ul>
<li>more encrypted PKCS#8 private key support
<ul>
<li>KEYUTIL.getKey now supports encrypted PKCS#8 private key with
aes128-CBC, aes256-CBC encrypted and using hmacWithSHA224/256/384/512 as
psudorandom function.</li>
<li>KEYUTIL.getPEM now supports such as above encrypted PKCS#8 PEM
priavte key.</li>
</ul>
</li>
</ul>
</li>
<li>src/crypto.js
<ul>
<li>Cipher.decrypt/encrypt now supports symmetric ciphers
(des-EDE3-CBC,aes128-CBC,aes256-CBC)</li>
</ul>
</li>
<li>src/base64x.js
<ul>
<li>function inttohex and twoscompl are added</li>
</ul>
</li>
<li>src/asn1.js
<ul>
<li>ASN1Util.bigIntToMinTwosComplementsHex is now DEPRECATED. use
twoscompl.</li>
</ul>
</li>
<li>src/asn1x509.js
<ul>
<li>aes*-CBC and hmacWithSHA* OIDs are added</li>
</ul>
</li>
<li>test/qunit-do-{base64x,crypto-cipher,keyutil-eprv,keyutil,keyutil-p8egen}.html
<ul>
<li>update and add some test cases for above</li>
</ul>
</li>
<li>stop bower support (bower.json removed)</li>
</ul>
</li>
</ul>
<p>X509.getExtSubjectDirectoryAttributes another bugfix</p>
<ul>
<li>Changes from 10.8.5 to 10.8.6 (2023-Apr-26)
<ul>
<li>src/x509.js
<ul>
<li>another bugfix X509.getExtSubjectDirectoryAttributes method</li>
</ul>
</li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e2b136e9ea"><code>e2b136e</code></a>
11.1.1 release</li>
<li><a
href="e2e417efac"><code>e2e417e</code></a>
Merge pull request <a
href="https://redirect.github.com/kjur/jsrsasign/issues/641">#641</a>
from njg7194/add-security-policy</li>
<li><a
href="77f177673e"><code>77f1776</code></a>
Merge pull request <a
href="https://redirect.github.com/kjur/jsrsasign/issues/651">#651</a>
from Kr0emer/fix/bug-007-isprobableprime-negative</li>
<li><a
href="5ea1c32bb2"><code>5ea1c32</code></a>
Merge pull request <a
href="https://redirect.github.com/kjur/jsrsasign/issues/650">#650</a>
from Kr0emer/fix/bug-006-modpow-negative-exponent</li>
<li><a
href="ee4b013478"><code>ee4b013</code></a>
Merge pull request <a
href="https://redirect.github.com/kjur/jsrsasign/issues/647">#647</a>
from Kr0emer/fix/bug-003-dsa-nonce-compareto</li>
<li><a
href="37b4c06b14"><code>37b4c06</code></a>
Merge pull request <a
href="https://redirect.github.com/kjur/jsrsasign/issues/646">#646</a>
from Kr0emer/fix/bug-002-dsa-domain-params-validation</li>
<li><a
href="d89f0ec6d5"><code>d89f0ec</code></a>
fix(crypto): correct compareTo checks in BigInteger RNG helpers</li>
<li><a
href="02fa75d1db"><code>02fa75d</code></a>
fix(jsbn2): reject non-positive values in primality checks</li>
<li><a
href="f508dddf7e"><code>f508ddd</code></a>
Merge branch 'master' into fix/bug-002-dsa-domain-params-validation</li>
<li><a
href="ca5b027240"><code>ca5b027</code></a>
Merge pull request <a
href="https://redirect.github.com/kjur/jsrsasign/issues/648">#648</a>
from Kr0emer/fix/bug-004-modinverse-dos</li>
<li>Additional commits viewable in <a
href="https://github.com/kjur/jsrsasign/compare/11.1.0...11.1.1">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/fleetdm/fleet/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Summary
- Update the macOS "Claude up to date" policy minimum version from
`1.1.5749` to `1.1.9493` (latest Homebrew cask version)
- Update the Windows "Claude up to date" policy minimum version from
`1.1.5368` to `1.1.9310` (latest winget version)
These policies ensure all Workstations team hosts are running the latest
version of the Claude desktop app (Anthropic). The policies,
Fleet-maintained app entries (`claude/darwin`, `claude/windows`), and
workstations team references were already in place — this PR only bumps
the version numbers checked by the osquery queries.
## Changes
| File | Change |
|------|--------|
| `it-and-security/lib/macos/policies/update-claude.yml` |
`version_compare` threshold `1.1.5749` → `1.1.9493` |
| `it-and-security/lib/windows/policies/update-claude.yml` |
`version_compare` threshold `1.1.5368` → `1.1.9310` |
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774884397872049)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Adds a relevant LinkedIn video link to the "Why do we use a
wireframe-first approach?" section of the "Why this way?" handbook page
- The video illustrates why, much like Pixar's storyboarding process,
Fleet uses wireframes to inexpensively storyboard user journeys before
locking in decisions that are prohibitively expensive to change
post-production
- Minimal change: one new bullet point matching existing formatting and
link style
Built for
[mikermcneil](https://fleetdm.slack.com/archives/D0AFASLRHNU/p1774883979731019?thread_ts=1774883159.649239&cid=D0AFASLRHNU)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Ensure downloaded installer files are removed after validation. Add
cleanupInstaller to remove the installer file (ignoring missing files
and logging failures). Propagate a downloaded installer path from
DownloadMaintainedApp (signature now returns the TempFileReader, the
saved file path, and error), write the installer into cfg.tmpDir and set
INSTALLER_PATH in cfg.env. Call cleanupInstaller on error paths and
after successful validation to avoid leftover temp files.
Resolves#42383. Re-roll of #42384 using the relevant helper function.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Enhanced Android software configuration success notifications to
dynamically display the actual software display name, replacing
previously static messaging. This improvement provides users with more
specific and personalized feedback when confirming successful software
configurations, improving clarity and reducing potential confusion when
managing multiple software installations or updates on their Android
devices.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42452
- Editing a Windows profile to remove LocURIs now deletes those LocURIs
- Removing a shared LocURI from one profile would NOT delete it even
though another profile still uses it.
- Loadtest fixes (batching, etc.)
- Ordering commands by created to make sure a new profile AFTER a delete
doesn't get deleted.
# Checklist for submitter
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added profile change detection to identify and remove LocURIs when
Windows profiles are edited.
* **Bug Fixes**
* Improved error logging when profile payload operations fail.
* Enhanced pending command ordering for consistent processing.
* Optimized profile deletion to prevent orphaned configurations across
multiple profiles.
* **Tests**
* Added integration tests validating Windows profile edits with
multi-part removals and shared LocURI protection.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#42182
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See <a
href="https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files">Changes
files</a> for more information.
will add to last PR
## Testing
- [X] Added/updated automated tests
- [X] Added `ChangeManagement.tests.tsx` with unit/integration tests
covering:
- Exceptions checkboxes render correctly from config for new install
(only Enroll secrets checked) and migrated instances (Labels and Enroll
secrets checked)
- Form save sends the correct `gitops.exceptions` payload via
`configAPI.update`
- Form validation shows error when GitOps mode is enabled but no repo
URL is provided
- Non-premium tier renders the premium feature message
- [X] QA'd all new/changed functionality manually
- [X] verified that Labels and Secrets are checked for pre-existing
(migrated) instance
- [X] verified that only Secrets is checked for new instance
- [X] verified that changing the settings in the UI and saving persists
the `gitops.exceptions` config as expected
<img
src="https://github.com/user-attachments/assets/095c538c-68aa-4179-b4b1-fd5878c0a2b0">
## Summary by CodeRabbit
* **New Features**
* Added GitOps exceptions configuration in Change Management settings
with toggles for Labels, Software, and Enroll Secrets, enabling granular
control over exception flags.
<!-- START COPILOT CODING AGENT TIPS -->
---
✨ Let Copilot coding agent [set things up for
you](https://github.com/fleetdm/fleet/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: sgress454 <553428+sgress454@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41601
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Details
This PR updates the front end to use the following renamed API keys:
* bootstrap_package -> macos_bootstrap_package
* manual_agent_install -> macos_manual_agent_install
* enable_release_device_manually -> apple_
enable_release_device_manually
* script -> macos_script
* macos_setup -> setup_experience
* macos_settings -> apple_settings
* custom_settings -> configuration_profiles
* macos_setup_assistant -> apple_setup_assistant
It also ensures that consumers of the "get fleet config" API pull from
the `.fleet` property rather than `.team`, so that they can use all of
the newly renamed response fields.
## Summary by CodeRabbit
* **Refactor**
* Restructured Mobile Device Management configuration for Apple devices,
reorganizing setup experience, bootstrap package, and device
configuration field organization.
* Updated filter terminology and query parameters throughout device
management interfaces, improving how users filter and navigate Apple
device settings.
* Enhanced configuration field naming conventions for better clarity and
maintainability across device management features.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
---
Manual Test Plan
Prerequisites
- Fleet server with MDM enabled (macOS at minimum)
- At least one macOS host enrolled in Fleet MDM
- A team configured with setup experience settings
---
1. Manage Hosts — Filters
- [X] macOS settings filter:
- Go to Hosts > Manage Hosts
- Filter by macOS settings status (e.g. Pending, Verified, Failed)
- Verify the filter applies and hosts list updates
- Check that the URL contains apple_settings=<status>
- Copy the URL, paste it in a new tab — verify the filter is still
applied
- Manually edit the URL to use macos_settings=<status> instead — verify
it still works (backward compat)
- Clear the filter pill — verify both apple_settings and macos_settings
are removed from the URL
- [X] Bootstrap package filter:
- Filter by bootstrap package status
- Verify the URL contains macos_bootstrap_package=<status>
- Manually edit the URL to use bootstrap_package=<status> — verify it
still works
- Clear the filter pill — verify both params are removed
---
2. Setup Experience (Controls Page)
- [X] Bootstrap package:
- Go to Controls > Setup experience for a team
- Upload a bootstrap package — verify it appears in the table
- Toggle the "manual agent install" advanced option on/off — verify it
saves
- Delete the bootstrap package — verify it's removed
- In the bootstrap package table, click "View all hosts" link for a
status row — verify it navigates to Manage Hosts with
macos_bootstrap_package in the URL
- [X] End user authentication:
- Toggle end user authentication on/off for a team and for "No team"
- Verify the toggle reflects the saved state after page reload
- [X] Setup assistant:
- Upload a setup assistant profile
- Verify the "release device manually" toggle works for both a team and
"No team"
- [X] Install software:
- Verify the "require all software" checkbox reflects the correct saved
state for both team and "No team"
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Related to
https://github.com/fleetdm/fleet/issues/42512
---------
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
