ctrliq/ascender 25.4.0

on GitHub

What's Changed

Notable Items

• Add new inventory type "Federated" in #361
• Create production images for ARM64 in #366
• Add option for custom header logo / browser title in #365
• Add option for DR deployments for disabling all Schedules in #326
• New design theme in #351
• Fix missing columns on User List table in #304
• Dockerfile cleanup in #323
• chore(ci): bump GitHub Actions off Node 20 runtimes by @clo-ciq in #327
• Add revert buttons to Notification secret fields in #331
• Codecs.open() is being deprecated, and native open is faster in most situations in #333
• Add per-user preferred language setting by @blaipr in #335
• Add dark mode support to the UI (PatternFly 4) by @blaipr in #338
• Add a few more UI tweaks for Darkmode in #342
• Bump npm patch/minor dependencies by @blaipr in #341
• Fix: canceled jobs that never started should not set finished time by @flechoide in #343
• Upgrade to Node 22 as 20 is EOL in #355
• Update API theme in #356
• Fix race condition in project directory creation in #358
• Fix linting issues in codebase in #360
• Update Federated Inventory docs in #362
• Pin GitHub Actions to SHAs [SRE-1802] by @tylergohl in #353
• Update short-sha to v4 in #363

Upstream Patches

• Upstream 15970 - Revise start_fact_cache and finish_fact_cache to use JSON file in #332
• Upstream 16417 - Balance controller node selection during capacity ties in #318
• Upstream 16332 - perf: derive last_job_host_summary from query instead of denormalized FK in #319
• Upstream 16433 - fix: constructed inventories no longer increase the host count in #322

Security Fixes

These CVEs were against the underlying packages we depend on, not directly on Ascender. For several of these, we did not use the affected code at all. They were resolved nevertheless as they will still be reported on any vulnerability scan on the container in your environment.

• Upgrade brace-extension to resolve CVE-2026-45149 in #348
• Upgrade css-minimizer-webpack-plugin to resolve CVE-2026-34043 GHSA-5c6j-r48x-rmvq in #310
• Upgrade Django to resolve CVE-2026-5766 CVE-2026-35192 CVE-2026-6907 in #329
• Upgrade dompurify to resolve GHSA-39q2-94rc-95cp in #309
• Upgrade fast-uri to resolve CVE-2026-6321 in #328
• Upgrade follow-redirects to resolve GHSA-r4q5-vmmm-2653 in #308
• Upgrade GitPython to resolve CVE-2026-44244 CVE-2026-44243 in #325
• Upgrade GitPython to resolve GHSA-rpm5-65cw-6hj4 GHSA-x2qx-6953-8485 in #316
• Upgrade idna to resolve CVE-2026-45409 in #352
• Upgrade jwcrypto to resolve CVE-2024-28102 in #311
• Upgrade lxml to resolve CVE-2026-41066 in #330
• Upgrade pip to resolve CVE-2026-3219 in #321
• Upgrade pyjwt to resolve CVE-2026-48526 CVE-2026-48525 CVE-2026-48524 CVE-2026-48523 CVE-2026-48522 in #364
• Upgrade qs to resolve CVE-2026-8723 in #359
• Upgrade requests to resolve CVE-2026-44431 CVE-2026-44432 in #336
• Upgrade Twisted to resolve CVE-2026-42304 in #324
• Upgrade uuid to resolve CVE-2026-41907 in #357
• Replace workbox-webpack-plugin to resolve CVE-2026-34043 GHSA-5c6j-r48x-rmvq in #312
• Upgrade ws to resolve CVE-2026-45736 in #349

New Contributors

• @clo-ciq made their first contribution in #327
• @blaipr made their first contribution in #335
• @flechoide made their first contribution in #343
• @tylergohl made their first contribution in #353

Full Changelog: 25.3.6...25.4.0