Update nautobot to v3.1.2 #2023

Open
renovate[bot] wants to merge 1 commit into main from renovate/nautobot

@renovate renovate Bot commented May 8, 2026

This PR contains the following updates:

Package | Type | Update | Change | Age | Confidence
ghcr.io/nautobot/nautobot | final | patch | 3.1.0-py3.12 -> 3.1.2-py3.12 | age | confidence
nautobot | | patch | ==3.1.0 -> ==3.1.2 | age | confidence
networktocode/nautobot | | patch | 3.1.0 -> 3.1.2 | age | confidence

Release Notes

nautobot/nautobot (ghcr.io/nautobot/nautobot)

v3.1.2: - 2026-05-08

Compare Source

Security in v3.1.2
  • GHSA-c35q-vxrp-ph26 - Added support for WEBHOOK_ALLOWED_SCHEMES settings variable. By default new or updated Webhook records will be restricted to HTTP or HTTPS only, disallowing other schemes that may have been previously allowed. Administrators should audit existing Webhook records to identify any that are invalid, and either update/delete said records or customize WEBHOOK_ALLOWED_SCHEMES as appropriate.
  • GHSA-c35q-vxrp-ph26 - Added support for WEBHOOK_ADDITIONAL_BLOCKED_NETWORKS settings variable. This can be used to specify additional IP networks that should be denied to Webhook sending, for example some deployments may wish to disallow RFC1918 addresses.
  • GHSA-c35q-vxrp-ph26 - Added support for WEBHOOK_ALLOWED_HOSTS settings variable. This can be used to provide an allow-list of specific hosts that would otherwise be blocked by any WEBHOOK_ADDITIONAL_BLOCKED_NETWORKS configuration.
  • GHSA-c35q-vxrp-ph26 - Added logic to deny loopback, link-local, multicast, unspecified, or reserved IP addresses when defining or executing a Webhook. Administrators should audit existing Webhook records to identify any that are invalid and delete said records (CVE-2026-44797).
  • GHSA-c35q-vxrp-ph26 - Added various logic to protect Webhook definitions against being used as a vector for server-side request forgery (SSRF) (CVE-2026-44797).
  • GHSA-p3hx-pwf3-j8wr - Fixed GitRepository.current_head being incorrectly user-editable through the REST API (CVE-2026-44798).
  • GHSA-p3hx-pwf3-j8wr - Added additional data validation to GitRepository.clean() and to various methods of the GitRepo helper class.
  • GHSA-qrpw-gjvh-x5gm - Added a timeout to bulk-rename views (both legacy BulkRenameView and viewset ObjectBulkRenameViewMixin) when doing regular-expression-based bulk renames to protect against denial-of-service (REDoS) due to an overly-complex or maliciously crafted regular expression provided by the user (CVE-2026-44796).
  • GHSA-wpxj-44w3-2j6x - Added logic in the REST API to enforce user "view" permissions when assigning related objects via a GenericForeignKey (CVE-2026-44794).
  • #​8931 - Updated dependency django to >=5.2.14,<5.3 to mitigate CVE-2026-5766, CVE-2026-35192, and CVE-2026-6907.
  • #​8940 - Updated dependency gitpython to >=3.1.50,<3.2 to mitigate CVE-2026-44243, CVE-2026-44244, and GHSA-mv93-w799-cj2w.
Added in v3.1.2
  • #​8413 - Added an "Assume Ownership" action button on the Scheduled Job detail view that allows users with the required permissions to take over ownership of a scheduled job.
Removed in v3.1.2
Fixed in v3.1.2
  • GHSA-wpxj-44w3-2j6x - Fixed ImageAttachment REST API incorrectly marking the image_height and image_width as required fields.
  • GHSA-wpxj-44w3-2j6x - Fixed ImageAttachment REST API incorrectly allowing creation of attachments to an unsupported content_type.
  • GHSA-wpxj-44w3-2j6x - Fixed ContactAssociation REST API incorrectly allowing creation of associations to an invalid associated_object_type.
  • #​8413 - Fixed silent failure of scheduled jobs whose originating user has been removed. The scheduler now records a failed JobResult as well as disables the schedule with state ERRORED.
  • #​8861 - Add an iterator to the queryset in migration 0130_jobresult_generate_log_entry_counts to prevent resource exhaustion.
  • #​8884 - Fixed _JobModalButton refresh_on_close_if_done flag being dropped during modal polling, causing the page to not reload when the Close button (footer, header, or Escape key) is used after a Job completes.
  • #​8890 - Fixed N+1 query patterns on the VRF detail view for templated fields (devices, vms, virtual device contexts).
  • #​8937 - Fixed Job History home page panel sorting.
Dependencies in v3.1.2
  • GHSA-qrpw-gjvh-x5gm - Added regex>=2026.4.4 as a dependency. (Previously it was a development-only dependency.)
  • #​8931 - Updated dependency nh3 to >=0.3.5,<0.4.
Documentation in v3.1.2
  • #​8943 - Updated the security notices documentation.
Housekeeping in v3.1.2
  • GHSA-qrpw-gjvh-x5gm - Replaced bespoke bulk_rename actions on ModuleBayUIViewSet and ModuleBayTemplateUIViewSet with the generic ObjectBulkRenameViewMixin.
  • #​8925 - Added support for --no-input option to invoke tests task.
  • #​8925 - Added support for --command option to invoke nbshell task.
  • #​8931 - Updated development dependency faker to ^40.15.0.
  • #​8931 - Updated development dependency pymarkdownlnt to ~0.9.37.
  • #​8932 - Addressed a number of CodeQL-reported issues in the code base.
  • #​8940 - Loosened timeout requirement in test_bulk_rename_regex_redos_protection to reduce spurious failures in CI.

Full Changelog: nautobot/nautobot@v3.1.1...v3.1.2

v3.1.1: - 2026-04-27

Compare Source

v3.1.1 (2026-04-27)
Security in v3.1.1
  • #​8840 - Updated dependency GitPython to >=3.1.47,<3.2 to mitigate CVE-2026-42215 and CVE-2026-42284.
  • #​8895 - Updated dependency lxml to 6.1.0 to mitigate CVE-2026-41066. As this is not a direct dependency, it will not auto-update when upgrading; please be sure to upgrade your local environment.
Added in v3.1.1
  • #​8876 - Added render_default_panels_for_object template tag.
  • #​8883 - Added copyright notice to the About page.
Changed in v3.1.1
  • #​8894 - Changed the CSV export algorithm to speed up the export of a large number of objects.
Fixed in v3.1.1
  • #​6199 - Fixed job class template override not working when template_name is set as a Meta attribute.
  • #​8876 - Re-added placeholders for files nautobot/extras/templates/extras/inc/jobresult_js.html, nautobot/project-static/js/job_result.js, and nautobot/project-static/js/log_level_filtering.js that were removed in 3.1.0, in order to avoid breaking Apps still referencing these files.
  • #​8877 - Fixed incorrect refreshing of GitRepository "Synchronization Status" tab.
  • #​8885 - Fixed Kubernetes job kwarg serialization.
  • #​8887 - Fixed NoReverseMatch crash when adding Data Validation Rules.
Dependencies in v3.1.1
  • #​8840 - Updated dependency djangorestframework to >=3.17.1,<3.18.
  • #​8840 - Updated dependency psycopg2-binary to >=2.9.12,<2.10.
  • #​8840 - Updated dependency social-auth-core to >=4.8.6,<4.9.
  • #​8880 - Updated npm dependency htmx.org to ^2.0.10.
  • #​8909 - Updated dependency social-auth-core to >=4.8.7,<4.9.
Documentation in v3.1.1
  • #​8820 - Added documentation on how to set logging levels for Nautobot Jobs.
  • #​8873 - Improved documentation for VPN Terminations, VPN service types, and related VPN models added in v3.1.0.
Housekeeping in v3.1.1
  • #​8840 - Updated development dependency rich to ~14.3.4.
  • #​8840 - Updated documentation dependency mkdocs-section-index to ~0.3.12.
  • #​8840 - Updated documentation dependency mkdocstrings to ~1.0.4.
  • #​8840 - Updated development dependency ruff to ~0.15.11.
  • #​8880 - Updated npm development dependency postcss to ^8.5.10.
  • #​8880 - Updated npm development dependency prettier to ^3.8.3.
  • #​8906 - Fixed a unit test issue that was causing a number of view test cases to be incorrectly skipped.
  • #​8906 - Adjusted the RouteTargetFactory implementation to ensure data is suitable for use with the bulk_rename test cases.
  • #​8909 - Updated development dependency ruff to ~0.15.12.
  • #​8909 - Updated development dependency openapi-spec-validator to ~0.8.5.

Full Changelog: nautobot/nautobot@v3.1.0...v3.1.1


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/nautobot branch from d6c2e2b to e06d715 Compare May 8, 2026 21:52
@renovate renovate Bot changed the title Update nautobot to v3.1.1 Update nautobot May 8, 2026
@renovate renovate Bot force-pushed the renovate/nautobot branch from e06d715 to d5362af Compare May 9, 2026 00:38
@renovate renovate Bot changed the title Update nautobot Update nautobot to v3.1.2 May 9, 2026
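
The v3.1.2 security notes ask administrators to audit existing Webhook records against the new destination rules. The sketch below is an added example, not Nautobot's own code. The three module-level variables are local stand-ins named after the settings, and the hostnames, DNS answers and network values are constructed. It assumes, as the notes state, that the allowed-hosts list only overrides the additional blocked networks and never the always-denied address classes.

```python
import ipaddress
from urllib.parse import urlsplit

# Local stand-ins named after the settings in the notes (values constructed).
ALLOWED_SCHEMES = {"http", "https"}
ADDITIONAL_BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in
                               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_HOSTS = {"ipam.corp.example"}

# Constructed DNS answers so the audit runs offline.
SAMPLE_DNS = {
    "hooks.example.com": ["203.0.113.10"],
    "metadata.corp.example": ["169.254.169.254"],
    "build.corp.example": ["10.1.2.3"],
    "ipam.corp.example": ["10.20.30.40"],
}

def _addresses(host, resolve):
    """IP literal -> itself; hostname -> whatever the resolver returns."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolve(host)]

def audit_webhook_url(url, resolve=lambda h: SAMPLE_DNS.get(h, [])):
    """Return the reasons a webhook URL fails the policy; [] means it passes."""
    parts = urlsplit(url)
    reasons = []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        reasons.append(f"scheme:{parts.scheme.lower()}")
    host = parts.hostname
    if not host:
        return reasons + ["no-host"]
    addrs = _addresses(host, resolve)
    if not addrs:
        reasons.append("unresolvable")
    for ip in addrs:
        # Unwrap IPv4-mapped IPv6 so ::ffff:127.0.0.1 is judged as 127.0.0.1.
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if (ip.is_loopback or ip.is_link_local or ip.is_multicast
                or ip.is_unspecified or ip.is_reserved):
            reasons.append(f"always-denied:{ip}")  # not overridable by ALLOWED_HOSTS
        elif host not in ALLOWED_HOSTS and any(ip in n for n in ADDITIONAL_BLOCKED_NETWORKS):
            reasons.append(f"blocked-network:{ip}")
    return reasons
```

For a real audit, pass a `resolve` callable backed by the resolver the Nautobot workers use, and rerun it periodically, since a hostname that passes today can later resolve to a denied address.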