Caution
This is a security release. All Snipe-IT users are encouraged to upgrade. This version of Snipe-IT REQUIRES PHP 8.2.0 or greater.
Happy Wednesday, everyone! This is a security release due to CVE-2025-54068 in Livewire announced last week. We were patched on the master branch hours after the CVE announcement came out, but this is the official tagged release for the patch.
Beyond that, we have some fixes for custom fields, lots of new tests to better support the team as we continue to work towards improving notifications to make them more flexible and nuanced.
Potentially Breaking Changes
User Permissions Change
It was already true that only superusers could assign new permission groups and promote other users to superadmin, but we've tighten a few more of these controls to disallow editing email address, username, password, and ability to login by users with lower privileges then the user they're trying to edit - meaning admins cannot edit superadmin usernames, email, etc - and regular users who have user editing permission cannot modify those settings for either admins or superadmins, though they can still edit those properties for other regular users. See #17423 for more info there.
User Welcome Emails
We've removed the ability to include credentials for newly created users via import or through the GUI, instead replacing it with the ability to send them a password reset "invitation". Sending passwords via email has been considered a bad idea for a while, so this method seems better. Note that if the newly created user doesn't have an email address in the import, we obviously cannot send them a password reset email, so those emails won't go out.
What's Changed
- Fixed #17310 - 500 on redirect when checking in a license seat by @Godmartinz in #17362
- Fixed #7957 - custom field
textareainput not retaining when switching Asset Models with shared custom fields by @Godmartinz in #17361 - Fixed [FD-49538] - use a
<video>tag for video files for non-Safari usage by @uberbrady in #17374 - Better indicate via submit button colors and messaging that something is about to be accepted or declined by @snipe in #17376
- Code formatting fixes:
app/Modelsby @snipe in #17378 - Fixed #17383 - re-add
/hardware/as an object type in the file upload API by @snipe in #17385 - Fixed redirect option being
NULLby @Godmartinz in #17390 - Fixed display of acceptance button if signature is not required by @snipe in #17407
- Remove password from welcome email, prompt for reset instead by @snipe in #17410
- [FD-47386, FD-49095] New Artisan command to clean checkout acceptances by @uberbrady in #17415
- Bumped livewire to v3.6.4 by @marcusmoore in #17424
- Bump codacy/codacy-analysis-cli-action from 4.4.5 to 4.4.7 by @dependabot[bot] in #17434
- Fixed #13844 - Adds Webhook and Mail Notifications for Components by @Godmartinz in #17391
- Use standard model transformer for asset model API response by @snipe in #17389
- Fixed #17194 - Return to bulk edit with errors and inputs by @Godmartinz in #17292
- Attempt to fix flaky file upload tests by @snipe in #17438
- Attempt to fix flaky file upload tests pt2 by @marcusmoore in #17439
- Fixed #17071 - Adding various tests of the contents of ActionLogs for lots of events by @uberbrady in #17300
- Fixed FD-49886 - Optimize user queries by @snipe in #17442
- Tighter permissions on non-admins and demo modes by @snipe in #17423
- Adds disabled cursor on uneditable fields in user create/edit by @snipe in #17443
- Fixed #17445 - move
jobtitleunderassigned_toin AssetTransformer by @marcusmoore in #17446 - Added #17133 - Copy ability to all Custom fields by @Godmartinz in #17447
- Fixed #17447 - decrypt before copying to clipboard by @snipe in #17450
- Fixed #17316 - handle checkboxes correctly in checkin/checkout by @snipe in #17453
Full Changelog: v8.1.18...v8.2.0