Releases: opsmill/infrahub
Release list
Infrahub - v1.10.2
Fixed
- Node mutation events are no longer silently dropped when the node has a large number of relationship peers. Previously, creating or updating a node with roughly 250 or more peers (for example a trunk interface tagging a large VLAN range) produced an event whose related resources exceeded the maximum accepted by the task manager, which rejected the whole event: it never appeared in the node's activity log and automation triggers never fired for it. The related resources are now capped at that maximum, keeping the node-scoped entries and as many relationship updates as fit. (#9794)
- Display labels, human-friendly IDs, and computed attributes that read across a relationship no longer error when the related peer is missing, such as after the peer has been deleted. The missing value now resolves as empty. This previously caused branch merge, rebase, and diff calculation to fail.
Infrahub - v1.10.1
Added
- Add "shortest paths only" toggle to a path traversal request so that user can select the faster, shortest paths only query or the exhaustive version. Add "truncated at depth" to the path traversal response to indicate at which depth a request timed out. Update the frontend to support the new toggle and display a warning message if the response is truncated.
Fixed
- Periodic Git synchronization now imports new commits on a repository's configured default branch when that branch is not
main. Previously the sync loaded repositories without theirdefault_branchattribute, fell back to the schema default ofmain, and failed to locate the worktree, leaving such repositories pinned to a stale commit while still reportingin-sync. (#9600) - Fixed branches with a slash in their name (e.g. feature/my-branch) not being clickable on the Branches page. (#9716)
- Restored webhook delivery: configured webhooks now fire for every triggering event, including events not associated with a branch such as account activity, instead of silently sending no request. (#9742)
- Fixed webhook automation configuration running a database read on the shared worker database without opening its own session. This left a Neo4j session cached on the shared connection and could trigger
RuntimeError: read() called while another coroutine is already waiting for incoming datain concurrently running flows. Webhook configuration now opens a dedicated read-only session. - Merging a branch that changes a computed attribute, display label, or human-friendly ID template now refreshes those derived values on nodes that exist only on the target branch. Previously the merge applied the new schema without emitting a schema-update event, so the backfill never ran and the affected nodes kept stale values.
- Merging two branches that each introduced the same unique value could leave duplicate values on the destination branch. A proposed change validated its schema and data integrity earlier in its pipeline but the merge relied on those point-in-time results, so a violation introduced by another branch merged in the meantime was missed. Constraint validation now runs as part of the merge itself, so both proposed-change merges and direct branch merges are checked against the current state of the destination branch. The schema-integrity check also now validates relationship constraints, which were previously skipped. (#9704)
Housekeeping
- Action parameters for all event-driven automations — computed attributes, profiles, human-friendly IDs, display labels, action rules, and schema and branch triggers — are now rendered through a shared helper as explicit string templates, hardening them against the same parameter-serialization failure addressed for webhooks. (#9742)
Infrahub - v1.10.0
We're excited to announce the release of Infrahub, v1.10.0!
The headline addition is graph path traversal - a new way to ask the question Infrahub's graph was built to answer: how is this connected to that? A new GraphQL API and a visual topology explorer let you trace every path between two objects, or find everything reachable from a single node for impact analysis. Infrahub Enterprise also adds native LDAP authentication, completing external authentication for organizations without an OIDC/OAuth2 identity provider.
Alongside these, the release centers on three themes: authentication & identity - LDAP for Enterprise, auto-creation of account groups from identity-provider claims, and a reworked SSO account-identity model; performance & reliability - branch merges executed at the database level, precise artifact regeneration that only rebuilds what a commit actually changed, and a lighter computed-attribute and task pipeline; and API ergonomics - a structured, machine-readable GraphQL error catalogue and richer order_by controls for schema designers.
node_metadata name, restricted inheritance on internal Core generics, the BuiltinIPPrefix.resource_pool change and the restriction on using double underscores in schema attribute and relationship names.
sub) rather than the display name. A transitional setting, INFRAHUB_SECURITY_SSO_ACCOUNT_NAME_FALLBACK (enabled by default), still lets an SSO login reuse a pre-existing account by matching its display name, so upgrades remain smooth. Make sure every SSO user has logged in at least once, then disable the fallback as a hardening step - see Reworked SSO account identity below.
Main changes
Graph path traversal and topology explorer
Infrahub's data is stored in a graph, and 1.10 exposes the graph's most natural capability: traversal. Two new top-level GraphQL queries let you walk relationships across the entire model - not just physical cabling, but any relationship between objects.
InfrahubPathTraversalfinds the paths between two specific objects. Given asource_idand adestination_id, it returns the connecting paths (shortest first) as an ordered list of hops, each hop naming the node and the relationship traversed. Bound the search withmax_depthandmax_paths, and narrow it withkind_filter,relationship_filter,excluded_kinds, andexcluded_namespaces.InfrahubReachableNodesanswers "what depends on this?" Given asource_idand a list oftarget_kinds, it returns every reachable object of those kinds together with the shortest path to each - ideal for blast-radius and impact analysis ("if this device goes offline, what's affected?").
Traversal is branch- and time-aware, read-only, and permission-safe: any path that crosses an object the user cannot read is dropped entirely rather than leaked. A set of internal namespaces (Core, Internal, Builtin, Lineage, Profile, Template) is always excluded so results stay focused on your data; excluded_namespaces only adds to that set.
In the UI, a new Topology Explorer renders results as an interactive graph built on React Flow with automatic layout. You can switch between path mode and dependency mode, filter by kind and namespace, highlight an individual path, and step between paths from the keyboard. Object detail pages add a Trace from this object action to launch the explorer pre-seeded with that node. Because results are returned over GraphQL, the same traversal is available for AI assistants over the MCP server, allowing agents to get a full contextual understanding of data in the intended infrastructure graph.
LDAP authentication (Enterprise)
Infrahub Enterprise now supports native LDAP authentication against Active Directory, OpenLDAP, and other RFC 4510-compliant directories. This gives organizations that have no OIDC/OAuth2 identity provider a first-class external-authentication path that coexists with local accounts and SSO - all three can be active at once and converge on the same session, account, and group handling. On first successful login an Infrahub account is provisioned automatically, matching existing SSO behavior.
Configuration is via INFRAHUB_LDAP_* environment variables and is validated at startup. You can point Infrahub at one or more servers (the first is primary, the rest act as failover), choose bind-then-search with a service account, select the username_attribute appropriate to your directory (for example sAMAccountName on AD or uid on OpenLDAP), and secure the connection with LDAPS or STARTTLS. Optional group mapping (group_enabled) matches LDAP group membership - including nested groups - against existing Infrahub CoreAccountGroup names, granting permissions through the usual account-group → role → permission chain. Combined with auto-created groups (below), group membership can be provisioned on first login with no manual setup.
This feature is available on Infrahub Enterprise only.
Auto-create account groups from your identity provider
Infrahub can now create account groups automatically from identity-provider claims on login, so you no longer have to pre-create a CoreAccountGroup for every group your IdP (or LDAP directory) reports. The feature is opt-in and off by default.
Activate it by setting a claim filter:
security.auto_create_groups_filter(INFRAHUB_SECURITY_AUTO_CREATE_GROUPS_FILTER) - a regular expression, or an ordered list of them, matched against each incoming group claim. The first match wins. A named capture group(?P<name>...)becomes the local group name (e.g.^LDAP/group/(?P<name>.+)$mapsLDAP/group/network-engtonetwork-eng); with no capture the full claim is used. Non-matching claims are dropped, so unrelated IdP groups never appear in Infrahub. Setting this filter is what activates the feature; leaving it empty keeps auto-creation off.security.auto_create_groups_max_per_login- caps the number of new groups created in a single login (default50). Reuse of existing groups is never capped. If the cap is hit, surplus claims are dropped, a warning event is emitted, and the login still completes.
Auto-created groups start with no roles or permissions and run on every external login (OIDC, OAuth2, and native LDAP). If at least one claim matches, it takes precedence over the existing security.sso_user_default_group fallback; if none match, that fallback still applies.
The groundwork of this feature was contributed by @AlexanderGrooff in #8515
Reworked SSO account identity
Single Sign-On accounts are now keyed on the stable, provider-issued subject identifier (sub) together with the provider and protocol, stored on a dedicated CoreExternalIdentity node, rather than on the user's display name. This removes a class of problems where two users sharing a display name could collide, or where a changed display name produced a duplicate account on the next login. The human-readable name is now stored on the account's label attribute and is refreshed when it becomes stale.
To keep upgrades smooth, the transitional setting INFRAHUB_SECURITY_SSO_ACCOUNT_NAME_FALLBACK (security.sso_account_name_fallback, enabled by default) allows an SSO login that has no linked identity yet to reuse a pre-existing account that matches by display name. This setting is deprecated and will be removed in a future release. The recommended sequence is: upgrade, have every SSO user log in at least once so their CoreExternalIdentity is created, then disable the fallback. Once it is disabled, any SSO account that never re-logged in will be treated as new and a duplicate account will be created - so complete the re-login step first.
Structured GraphQL error catalogue
GraphQL errors are now structured and machine-readable. Every entry in a GraphQL errors[] array includes an extensions block with:
extensions.code- a stable string identifier such as"NODE_NOT_FOUND"or"AUTHENTICATION_REQUIRED".extensions.data- a typed payload specific to that code (may be empty).extensions.http_status- the integer HTTP status.
You can now branch on a stable code instead of parsing the human-readable message, which remains present but is explicitly not part of the stable contract. Multi-field validation failures emit one error per offending field, each with its own code, data, and a path pointing at the exact input - enabling single-pass form validation. The catalogue defines codes including NODE_NOT_FOUND, AUTHENTICATION_REQUIRED, TOKEN_EXPIRED, PERMISSION_DENIED, ATTRIBUTE_REQUIRED, ATTRIBUTE_INVALID_TYPE, ATTRIBUTE_CONSTRAINT_VIOLATION, BRANCH_NOT_FOUND, and SCHEMA_NOT_FOUND, with UNDEFINED_ERROR as a fallback for any uncatalogued exception.
This is a breaking change for consumers that previously read extensions.code as an integer - see Breaking changes for migration guidance. REST (/api/...) responses are unchanged.
Order by metadata and explicit sort direction
Schema order_by entries add two capabilities, letting designers set smarter defaults without passing an ordering argument on every query or view:
- Order by ...
Infrahub - v1.9.8
Changed
- Performance improvements for transform based computed attributes
Fixed
- Removing an attribute or relationship from a generic schema now also reconciles
uniqueness_constraints,human_friendly_id,order_by, anddefault_filteron inheriting node schemas. Previously a node that inherited a constraint referencing the removed field could end up with an orphaned path, causing aRequested unique constraint not found within nodeexception. (#5735) and (#8990) - Preserve
IPPrefix.utilizationon a newly created branch. The per-branch utilization resolver now considers the branch's full inheritance scope, so prefixes show the same value as their origin branch until data is modified. (#9220) - Fixed repository import so that an object referencing a transform defined in the same repository is resolved correctly instead of failing the import. (#9406)
- Scope artifact and Generator regeneration to the changed objects when a definition's GraphQL query filters by a composite, multiple, relationship-based, or human-friendly-id uniqueness constraint. Previously only a single single-attribute uniqueness constraint (or a filter by
ids) was recognized as targeting a unique object, so these common query shapes fell back to regenerating every target in the group during a proposed change. (#9486) - Fixed overriding a node relationship that was set by a Profile. Peers also provided by the Profile are no longer removed when overriding the relationship; they are kept and become node-defined values.
- Update RelationshipAdd and RelationshipRemove GraphQL mutations so that they properly remove the Profile sourcing of all peers on an updated relationship if that relationship is sourced from a Profile.
RelationshipAddnow correctly rejects requests that supply more than one peer for a cardinality-one relationship.
New Contributors
- @lancamat1 made their first contribution in #9460
Full Changelog: infrahub-v1.9.7...infrahub-v1.9.8
Infrahub - v1.10.0b0
node_metadata name, restricted inheritance on internal Core generics, and the BuiltinIPPrefix.resource_pool change.
sub) rather than the display name. A transitional setting, INFRAHUB_SECURITY_SSO_ACCOUNT_NAME_FALLBACK (enabled by default), still lets an SSO login reuse a pre-existing account by matching its display name, so upgrades remain smooth. Make sure every SSO user has logged in at least once, then disable the fallback as a hardening step - see Reworked SSO account identity below.
v1.10.0b0 is the first beta of Infrahub 1.10.0.
The headline addition is graph path traversal - a new way to ask the question Infrahub's graph was built to answer: how is this connected to that? A new GraphQL API and a visual topology explorer let you trace every path between two objects, or find everything reachable from a single node for impact analysis. Infrahub Enterprise also adds native LDAP authentication, completing external authentication for organizations without an OIDC/OAuth2 identity provider.
Alongside these, the release centers on three themes: authentication & identity - LDAP for Enterprise, auto-creation of account groups from identity-provider claims, and a reworked SSO account-identity model; performance & reliability - branch merges executed at the database level, precise artifact regeneration that only rebuilds what a commit actually changed, and a lighter computed-attribute and task pipeline; and API ergonomics - a structured, machine-readable GraphQL error catalogue and richer order_by controls for schema designers.
Main changes
Graph path traversal and topology explorer
Infrahub's data is stored in a graph, and 1.10 exposes the graph's most natural capability: traversal. Two new top-level GraphQL queries let you walk relationships across the entire model - not just physical cabling, but any relationship between objects.
InfrahubPathTraversalfinds the paths between two specific objects. Given asource_idand adestination_id, it returns the connecting paths (shortest first) as an ordered list of hops, each hop naming the node and the relationship traversed. Bound the search withmax_depthandmax_paths, and narrow it withkind_filter,relationship_filter,excluded_kinds, andexcluded_namespaces.InfrahubReachableNodesanswers "what depends on this?" Given asource_idand a list oftarget_kinds, it returns every reachable object of those kinds together with the shortest path to each - ideal for blast-radius and impact analysis ("if this device goes offline, what's affected?").
Traversal is branch- and time-aware, read-only, and permission-safe: any path that crosses an object the user cannot read is dropped entirely rather than leaked. A set of internal namespaces (Core, Internal, Builtin, Lineage, Profile, Template) is always excluded so results stay focused on your data; excluded_namespaces only adds to that set.
In the UI, a new Topology Explorer renders results as an interactive graph built on React Flow with automatic layout. You can switch between path mode and dependency mode, filter by kind and namespace, highlight an individual path, and step between paths from the keyboard. Object detail pages add a Trace from this object action to launch the explorer pre-seeded with that node. Because results are returned over GraphQL, the same traversal is available for AI assistants over the MCP server, allowing agents to get a full contextual understanding of data in the intended infrastructure graph.
LDAP authentication (Enterprise)
Infrahub Enterprise now supports native LDAP authentication against Active Directory, OpenLDAP, and other RFC 4510-compliant directories. This gives organizations that have no OIDC/OAuth2 identity provider a first-class external-authentication path that coexists with local accounts and SSO - all three can be active at once and converge on the same session, account, and group handling. On first successful login an Infrahub account is provisioned automatically, matching existing SSO behavior.
Configuration is via INFRAHUB_LDAP_* environment variables and is validated at startup. You can point Infrahub at one or more servers (the first is primary, the rest act as failover), choose bind-then-search with a service account, select the username_attribute appropriate to your directory (for example sAMAccountName on AD or uid on OpenLDAP), and secure the connection with LDAPS or STARTTLS. Optional group mapping (group_enabled) matches LDAP group membership - including nested groups - against existing Infrahub CoreAccountGroup names, granting permissions through the usual account-group → role → permission chain. Combined with auto-created groups (below), group membership can be provisioned on first login with no manual setup.
This feature is available on Infrahub Enterprise only.
Auto-create account groups from your identity provider
Infrahub can now create account groups automatically from identity-provider claims on login, so you no longer have to pre-create a CoreAccountGroup for every group your IdP (or LDAP directory) reports. The feature is opt-in and off by default.
Activate it by setting a claim filter:
security.auto_create_groups_filter(INFRAHUB_SECURITY_AUTO_CREATE_GROUPS_FILTER) - a regular expression, or an ordered list of them, matched against each incoming group claim. The first match wins. A named capture group(?P<name>...)becomes the local group name (e.g.^LDAP/group/(?P<name>.+)$mapsLDAP/group/network-engtonetwork-eng); with no capture the full claim is used. Non-matching claims are dropped, so unrelated IdP groups never appear in Infrahub. Setting this filter is what activates the feature; leaving it empty keeps auto-creation off.security.auto_create_groups_max_per_login- caps the number of new groups created in a single login (default50). Reuse of existing groups is never capped. If the cap is hit, surplus claims are dropped, a warning event is emitted, and the login still completes.
Auto-created groups start with no roles or permissions and run on every external login (OIDC, OAuth2, and native LDAP). If at least one claim matches, it takes precedence over the existing security.sso_user_default_group fallback; if none match, that fallback still applies.
Reworked SSO account identity
Single Sign-On accounts are now keyed on the stable, provider-issued subject identifier (sub) together with the provider and protocol, stored on a dedicated CoreExternalIdentity node, rather than on the user's display name. This removes a class of problems where two users sharing a display name could collide, or where a changed display name produced a duplicate account on the next login. The human-readable name is now stored on the account's label attribute and is refreshed when it becomes stale.
To keep upgrades smooth, the transitional setting INFRAHUB_SECURITY_SSO_ACCOUNT_NAME_FALLBACK (security.sso_account_name_fallback, enabled by default) allows an SSO login that has no linked identity yet to reuse a pre-existing account that matches by display name. This setting is deprecated and will be removed in a future release. The recommended sequence is: upgrade, have every SSO user log in at least once so their CoreExternalIdentity is created, then disable the fallback. Once it is disabled, any SSO account that never re-logged in will be treated as new and a duplicate account will be created - so complete the re-login step first.
Structured GraphQL error catalogue
GraphQL errors are now structured and machine-readable. Every entry in a GraphQL errors[] array includes an extensions block with:
extensions.code- a stable string identifier such as"NODE_NOT_FOUND"or"AUTHENTICATION_REQUIRED".extensions.data- a typed payload specific to that code (may be empty).extensions.http_status- the integer HTTP status.
You can now branch on a stable code instead of parsing the human-readable message, which remains present but is explicitly not part of the stable contract. Multi-field validation failures emit one error per offending field, each with its own code, data, and a path pointing at the exact input - enabling single-pass form validation. The catalogue defines codes including NODE_NOT_FOUND, AUTHENTICATION_REQUIRED, TOKEN_EXPIRED, PERMISSION_DENIED, ATTRIBUTE_REQUIRED, ATTRIBUTE_INVALID_TYPE, ATTRIBUTE_CONSTRAINT_VIOLATION, BRANCH_NOT_FOUND, and SCHEMA_NOT_FOUND, with UNDEFINED_ERROR as a fallback for any uncatalogued exception.
This is a breaking change for consumers that previously read extensions.code as an integer - see Breaking changes for migration guidance. REST (/api/...) responses are unchanged.
Order by metadata and explicit sort direction
Schema order_by entries add two capabilities, letting designers set smarter defaults without passing an ordering argument on every query or view:
- Order by object-level metadata:
node_metadata__created_atandnode_metadata__updated_atsort by the timestamps Infrahub tracks on every nod...
Infrahub - v1.8.7
Security
- Added the
INFRAHUB_SECURITY_SSO_ACCOUNT_NAME_FALLBACKsetting (enabled by default) to control whether an SSO login without a linked identity may adopt a pre-existing account that matches by display name. This transitional behavior supports upgrades; disabling it once all SSO users have completed their first login is recommended as a hardening step. The fallback is deprecated and will be removed in a future release. - Enable cryptographic verification of the OIDC
id_token(signature, audience and issuer) by default when reading group claims. This can be disabled throughINFRAHUB_OIDC_<PROVIDER>_ID_TOKEN_VERIFY_SIGNATURE. - Local password changes are now refused for accounts that authenticate through an external directory (LDAP, OIDC, OAuth2). The GraphQL mutation rejects the request, preventing a user from bypassing directory-side revocation by setting a local password.
Fixed
- A failed OIDC
id_tokenverification — invalid signature, audience, issuer, or an unresolvable signing key — now returns an authorization error (HTTP 401) instead of an unhandled server error. - Improve SVG artifact handling: allow scrolling in the preview so oversized content is no longer clipped, and fix the download action so the saved file contains the raw SVG content.
Full Changelog: infrahub-v1.8.6...infrahub-v1.8.7
Infrahub - v1.9.7
Breaking Changes
- Schema attribute and relationship names containing
__are now rejected at load time, since__is reserved as the schema path separator. Any existing schema using such names will fail to load after upgrading — rename the affected attributes or relationships in your schema files (and remove or rename the corresponding data) before upgrading. (#9209)
Security
- Added the
INFRAHUB_SECURITY_SSO_ACCOUNT_NAME_FALLBACKsetting (enabled by default) to control whether an SSO login without a linked identity may adopt a pre-existing account that matches by display name. This transitional behavior supports upgrades; disabling it once all SSO users have completed their first login is recommended as a hardening step. The fallback is deprecated and will be removed in a future release. - Enable cryptographic verification of the OIDC
id_token(signature, audience and issuer) by default when reading group claims. This can be disabled throughINFRAHUB_OIDC_<PROVIDER>_ID_TOKEN_VERIFY_SIGNATURE. - Local password changes are now refused for accounts that authenticate through an external directory (LDAP, OIDC, OAuth2). The self-service form is hidden in the UI and the GraphQL mutation rejects the request, preventing a user from bypassing directory-side revocation by setting a local password.
Fixed
- Prefix pools no longer allocate the same prefix multiple times when the pool resource has the same prefix length as the requested allocation size. Prefix pools can now correctly allocate a prefix that uses an entire linked resource.
- Fix schema processing crashing with
'NodeSchema' object has no attribute 'get'when a node defines a single-element relationship-onlyuniqueness_constraintsentry (e.g.[["parent"]]). (#4483) - The 'Manage Groups' dropdown and the bulk 'Add to groups' toolbar now hide groups whose
group_typeisinternal, so only user-assignable groups appear in the selector. (#4872) - RelationshipAdd now allows setting a cardinality-one relationship (previously, any attempt was rejected). A second add is rejected when a peer is already present. RelationshipRemove now enforces mandatory constraints on cardinality-many relationships and rejects removals that would leave a mandatory relationship with no peers. (#5794)
- GraphQL variables used inside the
datasub-object ofIPPrefixPoolGetResourceandIPAddressPoolGetResourcemutations now resolve correctly instead of being silently ignored (set to null). (#6850) - Artifact diffs no longer show spurious changes for artifacts whose schema kind was renamed or moved to a different namespace on a branch. (#7490)
- Fixed unique constraints not being enforced on computed attributes, and the violation message now names the input attributes to change. (#7924)
- Fix user-check failure logs being emitted one character per line in the proposed change task output — each log entry from
self.log_error(...)is now rendered as a single warning line. (#8224) - Honor
INFRAHUB_CACHE_TLS_ENABLED,INFRAHUB_CACHE_TLS_INSECURE, andINFRAHUB_CACHE_TLS_CA_FILEfor the Prefect result storage block. Background flows previously hung inRUNNINGagainst TLS-only Redis becausesetup_blocks()constructed the block via a code path that ignored every TLS setting. The block now uses aredis://orrediss://connection string that propagates all three TLS knobs throughredis.Redis.from_url, bringing the block into parity with the cache adapter and distributed lock. (#9217) - Fixed git repository sync where multiple task workers could diverge on different commits if upstream advanced during fan-out. (#9349)
- Fixed S3 object storage failing with
AuthorizationHeaderMalformedwhen no static AWS credentials are configured. When bothAWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYare unset, Infrahub now falls back to the default AWS credential provider chain, so S3 storage works with IRSA, EC2 instance profiles, and ECS task roles in addition to static access keys. Configuring only one of the two now raises a clear configuration error. (#9429) - A failed OIDC
id_tokenverification — invalid signature, audience, issuer, or an unresolvable signing key — now returns an authorization error (HTTP 401) instead of an unhandled server error. - Fixed a crash when pulling a git repository that had to create a missing local branch and record its commit value.
- Fixed the read-only git repository add flow broadcasting the wrong repository kind, which caused peer workers to materialize the new repository as read-write instead of read-only.
New Contributors
- @Dhanus3133 made their first contribution in #9297
Full Changelog: infrahub-v1.9.6...infrahub-v1.9.7
Infrahub - v1.9.6
Fixed
- Fixed "Copy ID", "Copy HFID", and "Copy Token" actions not working when accessing Infrahub over HTTP (non-secure context). (#8857)
- Fix a bug in the merge logic that prevented the merge operation from deleting an object that had its kind or inheritance updated on the default branch after the branch being merged forked. (#9283)
- Bump SDK version to 1.20.1 to include fix for retrieving branches in the MERGING status (sdk#1036)
Full Changelog: infrahub-v1.9.5...infrahub-v1.9.6
Infrahub - v1.9.5
Fixed
- Upserting a
CoreNumberPoolwithallow_upsert=Trueno longer raises an error whennodeandnode_attributeare unchanged. (#5636) - Fixed the standard resolver for schema-based objects returning an unhelpful database error when negative values were provided for limit or offset query arguments. (#7474)
- Changing
uniquetoFalseon a schema attribute now correctly triggers a migration that adds the attribute to existing Profile and Template objects. (#8894) - Cardinality constraints (
cardinality: one,min_count,max_count) were silently skipped when the relationship being updated declared its peer as a generic and the constraint was defined on a concrete subtype of that generic, letting data violate the schema. The constraint check and lock path now resolve each peer's concrete kind and enforce the constraint declared there. (#8953)
Full Changelog: infrahub-v1.9.4...infrahub-v1.9.5
Infrahub - v1.9.4
Added
- Add a
rebase_branchglobal permission so administrators can grant non-admin users the ability to rebase branches without requiringsuper_admin. (#8050)
Fixed
- Fixed inconsistent IPHost and IPNetwork attribute representations across HFID, display labels, and API responses by normalizing values at input time. Added a migration that recomputes HFID/display labels for nodes whose schema references an IPHost, IPNetwork, or MacAddress attribute. (#8896)
- Standardized stored MacAddress attribute values to colon-separated EUI-48 form (
AA:BB:CC:DD:EE:FF) and rebuilt HFIDs / display labels for nodes referencing MAC attributes. (#9015) - Prevent users from deleting their own account through the
CoreAccountDeletemutation. (#9138) - Remove the unresolvable
is_inheritedfield fromAttributeInterfaceand all concrete attribute types in the GraphQL schema. The field had no resolver, so any query selecting it failed with'<AttributeKind>' object has no attribute 'is_inherited'. (#9146) - Skip artifacts whose
objectpeer can no longer be resolved when validating artifact generation in a Proposed Change. A single orphan row no longer preventsCheckArtifactCreatefrom being dispatched for the rest of the group. (#9188) - Fix diff calculation logic to correctly include updates to branch-aware attributes of branch-agnostic schemas. (#9221)
- Diff calculation between branches no longer scales with the total size of the database. Diffs now complete in a time proportional to the number of changes on the branch. (#9224)
- Reset a Proposed Change's status to "open" following a merge failure that raises an unexpected error.
Full Changelog: infrahub-v1.9.3...infrahub-v1.9.4