Extra colon in the "Products:" section auto-generated file:
<img width="228" height="59" alt="Screenshot 2026-04-20 at 3 07 26 PM"
src="https://github.com/user-attachments/assets/687be6ea-71ae-45c7-a1e9-641994ee86ba"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Corrected formatting in product list display by removing redundant
punctuation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43047
Follow-up to https://github.com/fleetdm/fleet/pull/43222
# Checklist for submitter
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
See
https://github.com/fleetdm/fleet/issues/42960#issuecomment-4246769629
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved Apple MDM declaration handling: declarations with unresolved
per-device variables are now attempted per host, marked failed when
resolution fails, and omitted from device configuration/activation
manifests.
* Declarations that fail resolution still factor into declaration token
computation to keep token behavior consistent.
* **Tests**
* Updated tests to reflect per-device resolution failures and adjusted
validation flow.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Run: https://github.com/fleetdm/fleet/actions/runs/24681592163.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added vulnerability disclosures for three CVEs.
* CVE-2026-27806: marked as not affecting fleetctl.
* CVE-2026-32280: denial-of-service affecting many fleetctl versions;
recommend upgrading to a fleetctl build using Go ≥1.26.2 when available.
* CVE-2026-33810: affects fleetctl v4.84.0; recommend upgrading to a
fleetctl build using Go ≥1.26.2 when available.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves
#https://github.com/fleetdm/confidential/issues/14837
**Related issue:** Resolves
#https://github.com/fleetdm/confidential/issues/14839
Commit 1 - fixes the basic-whitepaper.ejs page so that the LP form
headline is not hard coded to GitOps anymore.
Commit 2 - posts the whitepaper and sets up the LP page
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Updates**
* Form headline on whitepaper download page is now customizable.
* Enhanced email submission feedback handling during download process.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Run: https://github.com/fleetdm/fleet/actions/runs/24676558778.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added security vulnerability assessments for CVE-2026-28390,
CVE-2026-4775, and CVE-2026-5201, confirming these issues do not affect
the product. Statements note that vulnerable code is not in the
product’s execution path and relevant processing (TLS/TIFF/graphics) is
not performed by the shipped components. Includes timestamps and
metadata for traceability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Golang 1.26.2 has been released. It fixes some CVEs:
https://github.com/golang/go/issues?q=milestone%3AGo1.26.2+label%3ACherryPickApproved
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated Go toolchain to 1.26.2 across the repository and build
configs.
* Updated Docker build images to use Go 1.26.2.
* Expanded the set of tracked modules for the Go version update so
additional module files are included in automated updates.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
- Updates wording in `.github/workflows/loadtest-osquery-perf.yml`
- `4098` -> `4096`
- Removes: `(should be a multiple of 8, if setting
loadtest_containers_starting_index)`
- Updates `infrastructure/loadtesting/terraform/osquery_perf/enroll.sh`
to handle values that are not multiples of 8. If the value is not a
multiple of 8, logic has been added to apply the remainder.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Documentation**
* Updated load testing workflow configuration input descriptions for
improved clarity of parameters and their usage examples.
* **Bug Fixes**
* Fixed container count allocation logic in the load testing process to
ensure the final target count is always properly applied, even when
using increment values that don't divide evenly into the specified total
range.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Run: https://github.com/fleetdm/fleet/actions/runs/24673271270
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Security**
* Added vulnerability assessment documentation for CVE-2026-28390,
confirming that bomutils is not affected by this vulnerability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This is a way to test osquery PRs as part of local fleetd TUF builds.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Chores**
* Enhanced macOS build process to support creating application bundles
from pull request workflow artifacts in addition to released versions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
The nightly OSV artifact generation in `fleetdm/vulnerabilities` failed
over the weekend with:
```
fatal: error processing shallow info: 4
```
at `cmd/osv-processor/sync-and-detect-changes.sh` during:
```bash
git fetch --shallow-since="3 days ago" origin main
```
Root cause: `git fetch --shallow-since` errors out when the upstream
(`canonical/ubuntu-security-notices`) has zero commits newer than the
cutoff. Canonical didn't push anything over the weekend, so the 3-day
window returned empty and upload-pack produced an unusable shallow
response.
Fix:
- Fall back to `git fetch --depth=3` if `--shallow-since` still returns
empty, so the initial clone always succeeds.
Subsequent runs reuse the existing clone and take the other branch of
the script (plain `git fetch origin main`), which doesn't have this
failure mode.
Failing run:
https://github.com/fleetdm/vulnerabilities/actions/runs/24330589309/job/71035337352
## Test plan
- [x] Re-run the Ubuntu OSV artifact generation workflow; initial clone
succeeds regardless of upstream push frequency.
- [x] Manually exercise the cold-cache path locally: `rm -rf
ubuntu-security-notices &&
./cmd/osv-processor/sync-and-detect-changes.sh` — completes without
error.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved initial repository sync: if the primary shallow fetch returns
no commits, the process now falls back to a limited-depth fetch, warns
the user, and shows recent commit history before continuing. Downstream
change detection and existing behavior for already-cloned repos remain
unchanged.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Konstantin Sykulev <konst@sykulev.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42765
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Style
* Enhanced the responsive design of the Identity Provider section by
updating the "learn more" link to dynamically size based on its content
rather than maintaining a fixed width constraint, improving flexibility
and visual consistency across different contexts.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Enhanced macOS uninstall cleanup process for better system maintenance
* **Chores**
* Updated WhatsApp for macOS to version 26.16.15
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
Add a new dynamic label 'Macs with Fleet Desktop installed' (platform:
darwin) that selects hosts where apps.name = 'Fleet Desktop'. Update the
macOS policy update-fleet-desktop.yml to include this label via
labels_include_any so the policy targets only hosts with Fleet Desktop
installed. Files changed:
it-and-security/lib/all/labels/macs-with-fleet-desktop-installed.yml
(new) and it-and-security/lib/macos/policies/update-fleet-desktop.yml
(modified).
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42427
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Pending MDM profile records are cleared when Apple or Windows MDM is
turned off, preventing stale profiles from reappearing if MDM is
re-enabled.
* Pending Windows profile records are removed when a device is
unenrolled, avoiding leftover pending installations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Extend the battery-health-check SQL to flag batteries whose max_capacity
/ designed_capacity is below 80%. The new clause guards against zero
capacities and casts max_capacity to REAL for proper floating-point
division, improving detection of degraded batteries in the macOS policy.
Replace two icon assets used by the it-and-security module:
it-and-security/lib/all/icons/fleet-desktop-icon.png and
it-and-security/lib/all/icons/keynote-theme-swan.png. These binary PNG
updates refresh the visuals for the corresponding icons.
Replace the generic "Apple Silicon macOS hosts" label with app-specific
labels_include_any entries for macOS packages and add a Windows label
for VS Code. This change adds or updates labels for many self_service
macOS apps (Brave, Docker Desktop, VS Code, Microsoft Teams, GitHub
Desktop, UTM, Postman, Grammarly Desktop, iTerm2, Sublime Text,
Parallels, Loom, Spotify, Rectangle, Logi Options+, Figma, WhatsApp,
Android Studio, Zed, Obsidian, Google Drive, Cursor, etc.) to target
hosts that have each app installed rather than relying on the Apple
Silicon host label. Improves targeting for software availability in the
fleet configuration.
Add a macOS policy to check Fleet Desktop is at least v1.1.0 and
reference it from the workstations fleet. Update the Fleet Desktop
installer metadata to v1.1.0 (new SHA256). Also wrap long resolution
strings in quotes for consistency in Firefox and 1Password policies.
**Related issue:** Resolves#42879
* Full UI for API-only user management: create/edit flows, fleet/role
assignment, selectable API endpoint permissions, and one-time API key
display.
* New reusable components: API user form, endpoint selector, API access
section, and API key presentation.
* Admin workflow switched from in-page modals to dedicated pages and
streamlined action dropdown navigation.
* Layout and styling refinements for user management, team lists, and
dropdown behaviors.
---------
Co-authored-by: Juan Fernandez <juan@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43047
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
See
https://github.com/fleetdm/fleet/issues/42960#issuecomment-4244206563
and subsequent comments.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Apple DDM declarations support a vetted subset of Fleet variables with
per-host substitution; premium license required. Declaration tokens and
resend behavior now reflect variable changes; unresolved host
substitutions mark that host’s declaration as failed.
* **Bug Fixes**
* Clearer errors for unsupported or license-restricted Fleet variables
and more consistent DDM resend/update semantics when variables change.
* **Tests**
* Added extensive unit and integration tests covering Fleet variable
validation, substitution, token changes, resends, and failure states.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated DBeaver Community macOS version metadata to 26.0.3, including
installer URL and validation checksums
* Updated Stats macOS version metadata to 2.12.11, including installer
URL and validation checksums
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated Draw.io Desktop to version 29.7.8 with new installer and
checksum.
* Updated GitKraken to version 12.0.1 with new installer and checksum.
* Updated Spotify ARM64 to version 1.2.87.415 with new installer and
checksum.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
The glob/ `paths:` feature was added across PRs #40799 (scripts,
configuration_profiles) and #41141 (labels, policies, reports) but the
customer-facing YAML reference at `docs/Configuration/yaml-files.md` was
never updated to document it.
This adds documentation for:
- New `path:` vs `paths:` reference section explaining the difference
between singular (literal file) and plural (glob pattern)
- Characters to avoid in filenames when using `path:` (`*`, `?`, `[`,
`{`)
- `scripts` section: `paths:` support with `.sh`/`.ps1` filter note
- `apple_settings`/`windows_settings` section: `path:` vs `paths:` wit
examples
- `android_settings` section: `paths:` support note
- `labels`, `policies`, `reports` sections: `paths:` support notes
- `paths:` glob examples added to the controls YAML example for both
scripts, apple_settings, and windows_settings
Discovered via customer-sonet whose Windows profile filenames use
brackets as a CSP naming convention (e.g.
`[AllowSpotlightCollection].xml`), which are rejected by `path:`
validation as glob metacharacters.
See related bug report for the false positive on literal filenames.
https://github.com/fleetdm/fleet/issues/43598
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43598
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Adds google consent mode code to the ejs and re-orders the flow of tags
to support GCM
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Moved analytics and consent scripts so they load only in production.
* Added a client-side consent mode initializer with explicit default
consent states.
* Explicitly included Google Analytics and Ads loader/configuration for
the site properties.
* Reordered a pair of landing-page scripts to change their load
sequence.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43311
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Made environment-variable expansion conditional by package type:
script-only packages no longer expand host env vars during parsing,
while YAML packages still have env vars expanded (expansion errors are
recorded and parsing continues).
* **Tests**
* Added a test to confirm script packages do not expand standard shell
variables during parsing.
* **Chores**
* Updated changelog entry describing the script-only package fix.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixed uneven padding and made the code blocks a little more compact
inside callout blocks to blend better with the smaller text size.
#### Before:
<img width="644" height="115" alt="Screenshot 2026-04-17 at 12 12 06 PM"
src="https://github.com/user-attachments/assets/c9b65b35-8025-454a-b707-374790259f66"
/>
#### After:
<img width="653" height="129" alt="Screenshot 2026-04-17 at 12 23 38 PM"
src="https://github.com/user-attachments/assets/59909631-9107-4347-a8d9-1e7ad0809f2b"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Style**
* Enhanced spacing for inline code elements within tip blocks
* Improved first-child element padding handling to better accommodate
code formatting
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Released patch version v4.83.2 with updated Helm chart and application
metadata.
* Updated deployment configurations to use the latest container image
version across cloud providers.
* Updated published package version to v4.83.2.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Luke Heath <luke@fleetdm.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Changes:
- Added hover styles to the cta-button mixin.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Style**
* Call-to-action buttons now display white text without underline on
hover.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Added instructions for accessing the enterprise Claude account and
clarified its usage guidelines.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] Timeouts are implemented and retries are limited to avoid infinite
loops
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
Post Linux series article on the business case for Linux device
management. This is another chapter written for the eBook that I'm
extracting to a blog post.
Post Linux DM article: "How to define your Linux device management
needs".
Added as early chapter in IT Leader's Guide to Linux Device Management
eBook.
Resolves broken OTEL on main, which was introduced with dependabot
update #43298
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated OpenTelemetry semantic conventions dependency to the latest
version.
* **Tests**
* Added test coverage for OpenTelemetry resource creation validation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
