Security

• The CSRF cookie is now marked as secure when needs_tls is enabled in webfront.conf, matching the existing behavior of the session cookie. (#3829)
• Passwords are no longer leaked in cleartext in Django error emails when LDAP authentication crashes. (#3870)

Removed (developer-centric)

• Removed obsolete Docker-based test environment. Replaced by test suite changes that can run in 'normal' development environments. (#3849)

Added

• Rooms and locations can now have multiple names (aliases). Aliases are searchable throughout NAV -- in the navbar, global search, device history, maintenance, netmap, network explorer, status widgets, and the REST API. Aliases can be managed in SeedDB and via bulk import/export. They are displayed on room/location detail pages, in search results, and in SeedDB list views. (#3314, #3315, #3815, #3818, #3819, #3820, #3821, #3822, #3823, #3836, #3840, #3841, #3844, #3851, #3852, #3868, #3880, #3895)
• Added support for two-factor authentication (TOTP), OAuth2, OIDC, and SAML login via django-allauth. Authentication can be configured through the new TOML config file webfront/authentication.toml. (#3622, #3676, #3834, #3862, #3873, #3889, #3934, #3936)
• Added a report of devices without a known uplink in the topology.
• Debug log runtimes of individual NAVbar search providers.

Changed

• Auditlog entries can now be sorted by individual columns. Hyperlinks to more details are now provided for actors, objects and targets that still exist in the NAV database. (#3776)
• Updated markdown dependency to 3.8.1. (#3812)
• Downgraded spammy WARNING log about alerts referencing deleted objects to DEBUG level. (#3927)

Changed (developer-centric)

• Standardize vendored JavaScript library management.

  Vendored JS files now follow a consistent <name>-<version>.min.js naming
  convention and are tracked as npm dependencies for easier version management.
  A vendor.py tool is included to automate installing and copying vendored
  files. (#2470)

• Tox environments and GitHub workflows switched over to uv for dependency management. (#3859)

Fixed

• Fix network explorer search not working after the first search per page load. (#3853)
• Fixed l2trace crash when tracing through a netbox with no associated prefix. (#3866)
• LDAP login no longer crashes with a 500 error when a user cannot be found during group membership verification. (#3871)
• Fix report column tooltips ($explain_) not showing when the column also has a $name_ override. (#3876)
• Fixed a crash in SeedDB bulk import when IP addresses contain trailing whitespace. (#3884)

Fixed

• Fix collapsed multiselects in status tool filters (#3797)
• Event engine now yields to overdue scheduler callbacks between processing queued events, preventing long event batches from blocking time-critical tasks. (#3798) - Added missing index on netboxentity.deviceid to speed up lookups by device. (#3794)
• Fix crash when rendering navlet error responses due to missing navlet ID (#3802)
• Fixed a session crash (UpdateError) on the login page that could leak cleartext passwords in Django error emails. (#3803)
• Fix chart widget failing to load images from URLs without query parameters (#3805)
• Fixed sc.05.16.0001.sql migration failure on PostgreSQL 14 caused by ambiguous || operator when concatenating an integer without an explicit ::TEXT cast. (#3806)
• Fixed a crash in Netmap when the topology graph exceeds memcached's max item size. The graph is now returned successfully even when it cannot be cached. (#3795)
• Improved active IP collector query performance (~10x) by utilizing partial database indexes on the arp table more effectively. (#3793)
• PortAdmin's "commit configuration" endpoint now returns 503 instead of 500 when the device is unreachable or does not support configuration commits, and no longer triggers spurious admin error emails for these expected operational failures. (#3801)
• Turned support for REMOTE_USER back on. Regression caused by the new auth-system and its complicated route to the finish line.

Security

• Enable CSRF protection in entire NAV web UI (#3395)

Added

• DHCP usage statistics graphs are now shown on VLAN and prefix pages when found in Graphite (#2373)
• Added "more than" / "less than" option to the "Last Seen" filter on the Room view interface list (#3313)
• Added hyperlink to management profile options in SeedDB netbox form (#3643)
• Added browse tree and description search for easier maintenance task component selection (#3778)
• Added support for SNMP v3-based CAM data collection on Cisco switches (Adds support for SNMP v3 context switching for logical MIB instances) (#2811)
• Added script to generate GitHub, blog and e-mail release announcements from CHANGELOG.md

Changed

• Finally switched from NAV's homegrown authentication system to Django's own. This makes NAV compatible with a lot of 3rd party libraries, and is a necessary step to support MFA.

  This is a big change. Test thoroughly before putting this version into
  production. This is especially important if you have configured REMOTE_USER
  authentication. NAV's classic REMOTE_USER support has a lot of bells and
  whistles that Django's support lacks. We have added support for NAV's config
  options but it is a little used feature. There should be no need to update
  the confg file. (#3626)

• Allow users to set a subscribed dashboard as their default (#3572)

• Refactored dhcpstats backend. Users beware: option user_context_poolname_key in dhcpstats.conf renamed to user_context_groupname_key and its default value changed from name to group. (#3766)

• Upgraded jQuery library to version 4 (#3730)

• Upgraded Marionette to V4 in the IPAM tool (#1873)

• Refactored dashboard navlets to use HTMX for rendering and updates (#3635)

• Stopped CI testing on Python 3.12 by default (#3741)

Fixed

• Re-enabled sorting by actor in auditlog table, now actually working robustly! (#3581)
• Fixed breadcrumbs missing from JWT Create and Edit frontend pages (#3682)
• Fixed bug where Netmap views could not be created or updated (#3737)
• Ensure that the auditlog entries for deleting accounts behave like other entries. (#3738)
• Fixed IP Device select in Add New Service form (#3749)
• Filtering on SeedDB Patch and Cable pages now searches all visible columns instead of only the jack field (#3760)
• Popover arrow is now correctly positioned when aligned to the end (#3770)
• Fix bug where Getting Started tour does not highlight the correct element (#3771)
• PortAdmin's save feedback modal now appears instantly instead of being delayed by a network round-trip (#3772)
• Add global CSRF token handlers for all HTMX and jQuery AJAX POST requests, to ensure things do not break unintentionally when CSRF validation is enabled
• Fixed a crash in nav config where when no config file directory could be found

Fixed

• Fixed location search for locations with slashes in names (#3717)
• Fixed pping and snmptrapd crashes when attempting to look for config files in inaccessible directories (#3720)
• Support RFC3339/ISO8601-formatted timestamps when parsing syslog messages in logengine (#3722)
• Fixed GeoMap display of rooms/locations with slashes in their IDs (#3724)

Security

• Upgrade jQuery library and dependencies (#3582)
• Stop revealing actual API tokens in any type of log (#3686)
• Escape column text in audit log table to mitigate potential XSS vulnerabilities (#2803)

Added

• Added support for searching for inactive devices by serial number in Device History tool (#1996)
• Added OS version and NAV version to exception debug view (#2082)
• Add proper audit log entries for API token manipulations (legacy and JWT) (#3405)
• Added a Django authentication backend to do NAV legacy style LDAP authentication, in preparation for authentication system rewrite (#3498)
• Added confirmation modal when deleting dashboards (#3648)
• Added test/research program nav_cisco_auth_sessions to retrieve information about authentication framework sessions from Cisco switches (#3711)
• Added support for searching by description in main info search (#3149)
• Allow NAV_CONFIG_DIR environment variable to override where NAV looks for configuration files (#3697)

Changed

• Added new dependency distro for identifying Linux distributions (#2082)
• Load info page search results with HTMX (#3618)
• Load filtered device history with HTMX (#3663)
• Disabled broken audit log actor sorting (#3581)

Fixed

• Fixed room urls for rooms with slashes in name (#3661)
• Upgrade select2 dependency to latest version (#1873)
• Strip null bytes from LLDP local chassis IDs to avoid topo job abort errors (ValueErrors) (#2479)
• Fixed ipdevpoll inventory job crash when including Comet T3611 MIB for collecting information for other Comet sensors (#3566)
• Properly redirect entire browser to login page when a background HTMX request is received on an unauthenticated session (e.g. after session times out) (#3656)
• Fixed accessing seeddb/room URLs for rooms with '/' in names (#3659)
• Fixed broken event search URL (#3677)
• Fixed accessing SeedDB urls for locations, usages, organizations and device groups with '/' in names (#3687)
• Fixed bug where subnets were not selectable in the IPAM subnet allocator (#3692)
• Fixed bug in SeedDB IP Device form where enter in a text field triggered an unwanted connectivity check (#3694)
• Added success messages for JWT Token Create and Edit views

Fixed

• Fixed crash reports being sent by unauthenticated clients accessing the API (#3650)
• Fixed non-working port overviews for devices that contain modules with slashes in their name. A broken interfaces API endpoint caused both ipdevinfo and interface browser port lists to malfunction. (#3652)

Security

• In preparation for properly protecting against CSRF attacks throughout NAV:
  • Added CSRF tokens to AJAX POST requests (#3465)
  • Removed CSRF tokens from GET requests (#3472)

Removed

• Removed unused vendored Foundation CSS stylesheets (#3479)
• Removed vendored Foundation JavaScript library from codebase (#3542)

Added

• Show VLAN netident in ipdevinfo port list (#2160)
• Dashboards are now shareable between users (#2344)
• Show device MAC address in the Device Info tab of ipdevinfo (#3222)
• Added Django 5.2 and Python 3.13 to default test matrix (#3467)
• Improved user feedback in PortAdmin by loading live port details in background, after initial page load (#3544)
• Added search results preview in navbar (#3577)
• Documented how to enable IPv6 connectivity inside devcontainer (Docker)

Changed

• Updated NAPALM dependency to 5.1.0 (#3495)
• Replaced SeedDB IP Device "check connectivity" JavaScript with HTMX, including improved user feedback (#3560)

Non-visible and developer-centric changes

• The dated Foundation JavaScript libraries and CSS stylesheets are being replaced by a combination of HTMX-based features, new internal libraries and newer alternative libraries. The goal is to keep the outward user interface more or less unchanged:

  • Use HTMX modals in SeedDB Patch tool (#3461)
  • Replaced tooltip in status actions with accessible help text toggle (#3463)
  • Replaced Foundation Joyride with Driver.js implementation (#3468)
  • Replaced Foundation Topbar JS with JQuery (#3476)
  • Replaced Foundation Equalizer with JQuery (#3477)
  • Replaced foundation alert plugin with custom JavaScript (#3481)
  • Replaced native tooltips with NAV tooltips (#3482)
  • Replaced navlet modals with HTMX implementation (#3487)
  • Replaced search hint modals in Radius tool with HTMX (#3494)
  • Replaced radius detail modals with HTMX (#3514)
  • Added fit-content size to modals to support large content
  • Replace IPAM subnet diagram help modal with HTMX
  • Replaced "about logging" modal with HTMX
  • Replaced Foundation dropdowns with custom implementation
  • Replaced "import dashboard" modal with HTMX
  • Replaced Machine Tracker modals with HTMX
  • Replaced modals in ipdevinfo tool with HTMX
  • Replaced threshold form help modal with HTMX
  • Added custom NAV tooltip as replacement for Foundation JS (#3449)
  • Added reusable HTMX modal utilities and styles (#3461)
  • Added modal closing behaviour controls for close button visibility and outside click handling (#3537)
  • Added support for positioning popover on multiple sides (#3550)
  • Replaced feedback modal in Portadmin with HTMX (#3540)
  • Replaced Foundation dropdowns with popovers (#3531)
  • Upgraded tinysort dependency (#3580)
  • Replaced Foundation Clearing Lightbox with custom Lightbox plugin for room/location picture gallery (#3530)
  • Use fixed position tooltips in status widgets and SeedDB list tree (#3576)
  • Added support for controlling popovers with client side events (#3578)
  • Replaced outdated timepicker library with flatpickr (#3587)

• Modernized Django URL config, mostly by replacing usage of re_path() with path() (#3515, (#3548, (#3631)

Fixed

• Protect against unexpected NUL bytes in SNMP strings by stripping them (#2479)
• Fixed bug where status widget tooltip gets stuck (#3301)
• Show friendly error message in Arnold when attempting to block ports on switches that do not feature a writeable management profile (#3383)
• Fixed bug where ipdevinfo job refresh does not display error messages properly (#3385)
• Made it possible to un-revoke JWT refresh token by recreating the token (#3457)
• Fixed broken all-time searches in Radius tool (#3500)
• Removed "no racks" alert after adding a new rack to a room (#3506)
• Show distinct filter groups in Groups and Permissions modal in Alert Profiles (#3523)
• Show errors on invalid IP in Network Explorer search (#3534)
• Fixed saving rooms/locations with active alerts widgets after editing (#3561)
• Fixed sudo-ing to the default (anonymous) account (#3571)
• Fixed PortAdmin bug where restarting interfaces fails (#3589)
• Fixed tooltips in Device History and Subnet Matrix tools (#3591)
• Enabled GetBulk / bulkwalk operations under synchronous SNMP v3 communication (enormously speeding up PortAdmin SNMPv3 queries) (#3594)
• Adjusted size and position of "close modal" icon to avoid overlap with text
• Fixed bug where QR Code button is not clickable

Fixed

• Correctly display current chosen filter in Status tool (#3442)
• Fixed showing activity graphs in port details in ipdevinfo (#3484)

Added

User-visible additions

• New SQL reports in the Report tool:
  • Added an operational entities SQL report. (#1947)
  • Added an Events detected last 24 hours SQL report. (#3305)
• Collection job refreshing from web UI:
  • Added button to refresh ipdevpoll background jobs directly from IP Device Info tool. (#3350)
  • ipdevpoll can now immediately reschedule jobs on incoming refresh events on the NAV event queue. Refreshes can be ordered from the command line using the navrefresh program. (#2626)
• Added QR code link features:
  • Added link to "My Stuff" menu to generate QR code link to current page. (#2897)
  • Added button to SeedDB that downloads a ZIP file with QR Codes linking to the selected netboxes/rooms. (#2899)
  • Added config option to switch between generating SVG or PNG QR codes. (#2916)
• API additions:
  • Added API endpoint for looking up vendor of MAC address. (#3337)
  • Added API endpoint for the NetboxEntity model. (#3378)
  • JWT token signing features:
    • Added API endpoint for JWT refresh tokens. (#3270)
    • Added new tab to User and API administration tool for managing JWT refresh tokens. (#3273)
    • Expiration times for issued JWT refresh tokens can be configured via jwt.conf. (#3016)
    • Added support for including API endpoint read/write permission claims to JWT tokens.
• Added password security warnings:
  • Show a banner if the logged in user's password is insecure or old and it should be changed. (#3345)
  • Show a banner to admins if other users' passwords are insecure or old. (#3346)
• Added support for the T3611 sensor from Comet. (#3307)
• Added support for fetching DHCP pool statistics from Kea DHCP API. (#2931)

Developer-centric additions

• Added HTMX as new front-end library. (#3386)
• Document practical usage of devcontainer for developers. (#3398)
• Added developer utilities for easily dumping/loading production data into devcontainer.

Changed

User-visible changes

• Replaced QuickSelect component picker with dynamic HTMX-based search in Maintenance tool. (#3425)
• Replaced QuickSelect component picker with dynamic HTMX-based search in Device history tool. (#3434)
• Dependency changes:
  • Updated NAPALM dependency to 5.0 (#2358)
  • Updated django-rest-framework to version 3.14+, for proper compatibility Django 4.2 (#3403)

Developer-centric changes

• Replaced usage of twisted.internet.defer.returnValue with regular Python return, due to deprecation in newest Twisted version. (#2955)
• Redefined NAV account model to be usable as a Django user model. (#3332)
• Remove unused ColumnsForm (#3243)

Fixed

• Fixed missing ARP API endpoint documentation for IP address filtering. (#3215)
• Fixed broken location history searches from location view page. (#3360)
• Restored ISO timestamps in the web UI (as they were before NAV 5.13) (#3369)
• Fixed broken Add to dashboard functionality for boolean value sensors (#3394)
• Fixed sorting by timestamp columns in threshold rule table and Useradmin API-token table. (#3410)
• Take advantage of auxiliary end_time indexes on ARP table to improve prefix usage lookups in API. (#3413)
• Made Docker test environment usable for devs on Apple silicon Macs.

Fixed

• Relax API permissions for endpoints used by NAV web GUI tools intended for non-admin users. Several tools stopped working for non-admin users as a result of the permissions lockdown in the 5.13.1 security fix.
  • Relax permissions for API interface view endpoint (#3373)
  • Relax permissions for API prefix usage view endpoint (#3374)
  • Relax permissions for API list room endpoint (#3375)