v8.1.0 - Security Release

Caution

This version of Snipe-IT REQUIRES PHP 8.2.0 or greater.

Happy Tuesday! Hopefully everyone's power is back up and running after Europe's big power outage yesterday.

As you may have noticed, we've got a new address! We moved the Snipe-IT repo from snipe/snipe-it to grokability/snipe-it. You can read a little more about that on our blog, but the short version is that everything went smoothly, existing PRs and issues were moved, and redirects from the old repo address to the new digs should be automatic.

We now have file uploads for locations, the ability scope locations to company, the ability to seed common manufacturers, locations as a QR code destination, and we added the ability to add custom fields to audit screens (and a bunch more stuff detailed below.)

This release also fixes a ton of bugs, adds more accessibility controls, and addresses some additional security controls around printable lists of items and a vulnerability in Laravel File Validation. As this is a security release, we strongly recommend upgrading as soon as possible.

Added:

• Added #13475 - Custom fields to audit screen by @snipe in #16653
• Added #13274 - Search more related fields in activity report by @snipe in #16655
• Added #9660 - Location QR code option to labels by @Godmartinz in #16651
• Added #16257 - Acceptance PDF logo upload by @snipe in #16617
• Added #15702 - added termination_date, reordered fields for clarity by @snipe in #16762
• Added: #16715 - LinuxMint support to snipeit.sh by @jerm in #16763
• Added #2353: Add ability to tie locations to companies - 2023 edition by @Toreg87 in #12577
• Added #9249 - added file uploads to locations by @snipe in #16780
• Added #16217: database config, added option to skip ssl on the database dump by @ntaylor-86 in #16543
• Added validation around user store endpoint by @marcusmoore in #16432
• Added Label 5520 with 1D barcode - remove 2D barcode by @azmcnutt in #16443
• Added highlight to items when the remaining is less than the min_amt by @snipe in #16495
• Added pagination to Hardware By Serial API Request by @spencerrlongg in #16561
• Added min_qty to asset model bulk edit by @snipe in #16493
• Added webp as inline-able images by @snipe in #16631
• Added command to fix bulk checkin action log entries by @marcusmoore in #16500
• Added missing gates to printing locations by @snipe in #16672 - reported by koyomihack00 (Sn1p3r-H4ck3r) - Thank you!
• Added a check for category email alert boolean by @Godmartinz in #16717
• Added Support for Uploading avif logo Images by @spencerrlongg in #16674
• Toggle for logging deprecation warnings by @snipe in #16716
• Added console command to disable SAML logins by @jerm in #16521
• Added nullsafe checks to Users by @spencerrlongg in #16793
• Added pa11y by @snipe in #16792
• Requestable/Request Item API Endpoints by @spencerrlongg in #15922
• Added option to redirect back to checkedInFrom user for assets/licenses/accessories by @Godmartinz in #16667
• Added/refined ability to scope locations by company by @snipe in #16660
• Improved settings page for location-company scoping by @snipe in #16791
• Added checkout date to license seats by @snipe in #16785
• Added ability to seed common manufacturers by @snipe in #16786
• Added signature to licenses in print view, misc other fixes by @snipe in #16666
• Support more Mint versions and verify newer Ubuntu versions in snipeit.sh by @jerm in #16798
• Added modal tests by @snipe in #16441
• Added tests around login attempt logging by @marcusmoore in #16577
• Added tests around deleting assets by @marcusmoore in #16636
• Added tests around emailing and printing assigned assets by @marcusmoore in #16553

Improved

• Replaced call to Form::close() by @marcusmoore in #16473
• Convert Form::select to blade component by @marcusmoore in #16065
• Remove unneeded eager loading for user show page by @marcusmoore in #16520
• Updated login attempts and throttle duration by @snipe in #16609
• #16628 - added formatting for license keys by @snipe in #16630
• Text tweaks and nicer buttons for requestable items by @snipe in #16643
• Moved warranty/depreciation to be with the other cost/eol values by @akemidx in #16536
• Update rollbar-laravel to 8.1 by @marcusmoore in #16613
• Set empty array if group permission is a string or null by @snipe in #16658
• Avoid logging consumable checkins and purge action log of bad entries by @marcusmoore in #16494
• Scope selectlist by company by @snipe in #16306
• [Docker] Don't cache composer deps, remove any .git repos that creep in by @jerm in #16700
• Handle potentially unsafe file output better during restore by @spencerrlongg in #16668
• Use x-icon blade component, nicer small-screen form size for datepicker on assets checkout by @snipe in #16719
• Disallow deleting accessories that have active checkouts by @marcusmoore in #16435
• Upgraded Debugbar to make deprecation warnings easier to find by @uberbrady in #16783
• Better handle model_id arrays passed to the API by @snipe in #16788
• Removed deprecation resulting in Creation of dynamic property error by @snipe in #16712
• Replaced calls to Form::radio helper on user create and edit pages by @marcusmoore in #16819
• Store accepted_at and declined_at in action log when accepting/declining assets by @marcusmoore in #16676
• Improved wording in asset checkout emails by @marcusmoore in #16446
• Nicer disclosure UI for optional data by @snipe in #16822
• Update references to the repo to reflect move to @grokability org by @jerm in #16701
• Use fieldsets for branding page by @snipe in #16810
• Separate docker builds into Intel/ARM builds by @jerm in #16702
• Use default BS tables “no results” view, small UI formatting improvements by @snipe in #16821
• Removed username and password requirement for LDAP by @fvollmer in #16592
• Updated SECURITY.md to indicate v8 is supported by @CloCkWeRX in #16738
• Fixed #8188 - Added Last Name as an email format by @akemidx in #16637

Fixed

• Fixed linking in saved report template dropdown by @marcusmoore in #16436
• Properly handle route model bound LicenseSeat not being found by @marcusmoore in #16488
• Fixed CVE-2025-27515: Laravel File Validation Bypass by @joelpittet in #16445
• Fixed timestamp in action log for bulk accessory check in by @marcusmoore in #16489
• Fixed new user modal pre-populating with first name and last name of acting user by @snipe in #16491
• Fixed various carbon displays by @marcusmoore in #16497
• Fixed location being automatically populated on asset checkin screen by @marcusmoore in #16486
• Fixed issue with bad email addresses in expiration alerts and upcoming audits by @marcusmoore in #16519
• Fixed notes not being saved and update for companies via api by @marcusmoore in #16576
• Fixed potential bad method call and premature email sending in bulk asset checkout by @marcusmoore in #16546
• Early return null from location transformer for missing accessory by @marcusmoore in #16540
• Fix Form save error when using old label engine by @Godmartinz in #16559
• Fix whitespace encrypted custom fields display [FD-46570] by @uberbrady in #16595
• Fixes [FD-47675 ] Fix consumable model number copy-to-clipboard button by @uberbrady in #16594
• Fixed #16610, regression in #16543 by @snipe in #16612
• Fixed #16619 - cloning accessory was not populating fields by @snipe in #16620
• Fixed #16618 - added notes to location sidebar by @snipe in #16621
• Fixed [SC-28682] - Consumable import not importing supplier and item number by @snipe in #16624
• Fixes Accessories history table color contrast by @Godmartinz in #16623
• Removed old Doctrine code to list tables from paveit command by @uberbrady in #16632
• Fixed #16640 - FIFO for requestable assets by @snipe in #16642
• Meta Status Fix for Multi Company by @spencerrlongg in #16560
• Fixed #16524 - added notes as fillable to license seat model by @Godmartinz in #16527
• Fixed active table tab and double scroll bar under locations by @Godmartinz in #16529
• Fixes #16661: Empty signatures in print page by @36864 in #16664
• Fixed #16130 - Added translations for skins, other settings by @snipe in #16669
• Partial fix for #16135 - normalized asset file listing at API endpoint by @snipe in #16671
• Fixed Location being overwritten by default location by @akemidx in #16682
• Create default label when importing assets if none exists by @marcusmoore in #16683
• Fixed #16699 - Better handle user locales in mailables by @snipe in #16709
• Fixed name of ARM docker container workflow by @jerm in #16713
• Fixed ambiguous clause using company_id by @snipe in #16754
• Fixed #16723: Mark category name as required in modals by @CloCkWeRX in #16725
• Fixed: Manage API Keys > New name field not marked required by @CloCkWeRX in #16744
• Fixed: Admin > LDAP Use HTML5 inputs by @CloCkWeRX in #16749
• Fixed: Admin > OAuth - mark fields required by @CloCkWeRX in #16747
• Fixed: Depreciations > Create/Edit - change controls to various number inputs by @CloCkWeRX in #16730
• Fixed: Admin > Security - Mark url fields as URL type by @CloCkWeRX in #16742
• Fixed: Change Password - Mark password fields required for change password by @CloCkWeRX in #16741
• Fixed: Manufacturers > Edit - Mark URL inputs as HTML5 url inputs by @CloCkWeRX in #16732
• Fixed flaky user creation tests by @snipe in #16764
• Fixed #16727: Bulk Audit mark Asset Tag input as required by @CloCkWeRX in #16729
• Fixed: Admin > Webhooks - swap to url input by @CloCkWeRX in #16753
• Fixed: Admin > Custom Fields - Ensure name field is marked required by @CloCkWeRX in #16757
• Fixed: Users > Edit Mark website as a URL field by @CloCkWeRX in #16734
• Fixed: Suppliers > Edit Mark URL inputs as HTML5 URL inputs by @CloCkWeRX in #16733
• Fixed: Editing > Email input Utilize HTML5 controls by @CloCkWeRX in #16731
• Fixed #15035 - adds company to slack message by @snipe in #16765
• Fixed #16689: re-add note field in API files listing for AssetModel by @r-xyz in #16694
• Fixed: Admin > General Settings - Some placeholders not translatable by @CloCkWeRX in #16766
• Fixed #14734: Only show signatures for the printed user by @36864 in #16688
• Return null from accessory transformer for missing assignment by @marcusmoore in #16538
• Fixed #15315 - decode as permissions as boolean by @snipe in #15420
• Fixed min_amt not correctly being set to required or not by @uberbrady in #16781
• Fixed flaky test by @marcusmoore in #16784
• Fixed: [RB-19645] Suppress error message about action_date not existing by @uberbrady in #16787
• Fixed #16475 - Allow deleting oauth client by @snipe in #16789
• Fixed label fields multiple option alignment bug by @Godmartinz in #16818
• Fixed Username dropdown to show Usernames and not Emails as Examples by @akemidx in #16652
• Fixed #15007 - Maintain checkbox and radio custom field values on asset edit page by @marcusmoore in #16817
• Fixed text overflow on settings tiles by for languages with longer words by @akemidx in #16602

If you're having problem using the upgrade.php script with an error like Method Illuminate\Routing\Route:: breadcrumbs does not exist, please run git pull; composer install --no-dev; php upgrade.php, which will pull the latest code, install dependencies, and then run the upgrade script (which handles migrations, clearing caches, etc.)

Note

Please make sure you have changed your BS_TABLE_STORAGE value to localStorage in your .env and clear your cookies after upgrading. See the pinned issue #16136 for additional information. If you do not have a value for BS_TABLE_STORAGE in your .env, it will default to localStorage, but you should still clear your cookies.

New Contributors

• @ntaylor-86 made their first contribution in #16543
• @36864 made their first contribution in #16664
• @fvollmer made their first contribution in #16592
• @CloCkWeRX made their first contribution in #16725
• @koyomihack00 responsibly disclosed a vulnerability

Full Changelog: v8.0.4...v8.1.0

Join the Community!

• Join our Discord! It’s full of great people. We even wrote about it here!
• Follow us on Bluesky at @snipeitapp.com
• Follow us on Mastodon at hachyderm.io/@grokability
• Follow our blog at Grokstar.Dev
• Subscribe here on Github for notifications about new releases. (We recommend selecting "Releases" only for most users - this repo can get noisy.)