**Related issue:** Resolves#42296
This fixes an issue where users who login via sso were not having an
expiration date set on their host token cookie. This would cause them to
have to relogin after every browser session
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42544
Cherrypick of https://github.com/fleetdm/fleet/pull/42566 which is not
merged yet but wanted to figure out where the merge conflicts/issues
might be
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:**
I noticed the below build failure when building the rc on apple silicon.
It doesn't happen on `main` - opened this PR in case it's useful
EDIT: this PR now serves as a cherry-pick to the 4.83 rc for [this
commit](ba3746f9fa)
- see
https://github.com/fleetdm/fleet/pull/42345#pullrequestreview-4005238789
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41857
Fixed in main now by: #42322
The Windows query for patch policy uses the wrong field name
`bundle_short_version` instead of `version`
# Checklist for submitter
## Testing
- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
- Ran this query on a host in dogfood to check that it works
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42311
- Fixes ID collision on Users table (causing users to not be rendered
when an existing user's ID matches an invited user's ID).
- Fixes total users count.
- Fixes `isResettingCurrentUser` check.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
#### Before
- ID collision caused the admin user to not be rendered on the table
(see the user with Invite pending which has id=1 as the admin does).
- Notice that we have a total of 3 users counting the response from
`users` and `invites` endpoints.
<img width="2557" height="477" alt="Screenshot 2026-03-25 at 2 46 31 PM"
src="https://github.com/user-attachments/assets/833b07f5-a0ce-4f15-94bf-79040bd03dba"
/>
<img width="2555" height="722" alt="Screenshot 2026-03-25 at 2 46 26 PM"
src="https://github.com/user-attachments/assets/5707ab37-b060-40b4-913f-864b2254076d"
/>
#### After
- All users showing.
- Updated count to reflect the sum of users + invited users above the
table.
<img width="1358" height="432" alt="Screenshot 2026-03-25 at 2 53 24 PM"
src="https://github.com/user-attachments/assets/2a995e78-0ae8-4846-a8b1-b35edd61cb02"
/>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41345
Updates the README.md generated from `fleetctl new` to include
instructions on how to deploy to GitHub / Gitlab.
---------
(cherry picked from commit 249cb76be8)
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
**Related issue:** Resolves#38546
Cherrypick PR
This fixes a quick error message flash on the mdm settings page when
apple mdm is turned off. We have a finally fixed an issue of stale data
on the integration page getting passed down to the mdm card when turning
apple mdm off. We now invalidate the cache of the config when apple mdm
is turned off, that way we make a request to get the most recent config
which will have the up to date data for `mdm.enabled_and_configured`.
# Checklist for submitter
- [x] QA'd all new/changed functionality manually
Cherry pick of https://github.com/fleetdm/fleet/pull/41909 and
https://github.com/fleetdm/fleet/pull/42239 into 4.83.0
The latter cherry-pick just tweaks some of the template files (e.g.
adding `organization_name` under `apple_business_manager` in the default
.yml file), no new files added.
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Cherry pick of #42253 to 4.83 so that other cherry picks don't fail CI.
Pins the Localstack image to the last-known-good version (4.5) before
they 🔪 'd the community edition and started requiring an auth token. I
also added a "wait for localstack" as an initial debugging step, and
left it in to catch similar future issues. It's probably redundant since
there likely _is_ no future for Fleet and Localstack beyond this, but it
take milliseconds and would catch any other weird Localstack failures
so, why not.
(cherry picked from commit 8ea6f338de)
…e DB access patterns for vuln cron (#41729)
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41664
Switching `kernel_host_counts` to the established swap pattern. Reduce
load on the DB writer by moving the large read to the DB reader.
Do `CleanupSoftwareTitles` in batches. With a single large
select/delete, it took > 16 minutes. In batches, it took ~1.5 minutes in
loadtest with 100K hosts.
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [x] Alerted the release DRI if additional load testing is needed
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
* **Performance Improvements**
* Added indexing and a batched swap/insert flow to speed up
vulnerability-related queries and lower maintenance contention.
* Batched cleanup of orphaned records to reduce long-running delete
operations.
* **Reliability**
* Migration removes a legacy constraint to simplify data maintenance and
avoid migration failures.
* Scheduled vulnerability refresh now runs more atomically to reduce
disruption.
* **Tests**
* Updated assertion logic to improve test clarity for host-count
verification.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Changes:
1. Adding Fleet free checks for each product group
2. Adding UI/UX checks for each product group
3. Expanding the IdP coverage and moving it to orchestration (postmortem
action item: https://github.com/fleetdm/fleet/issues/39684)
4. Moving Certificates to S&C
5. Adjusting assignee list
