Releases: xoriin/NetMap
Releases · xoriin/NetMap
Release list
NetMap v1.4.0
[1.4.0] - 2026-07-05
Added
- Single sign-on via OpenID Connect (OIDC) — NetMap can now authenticate against any OIDC provider (Authentik, Authelia, Keycloak, Zitadel, Okta, Microsoft Entra ID, Google Workspace) using Authorization Code + PKCE. Configure via environment variables (
OIDC_ENABLED,OIDC_ISSUER,OIDC_CLIENT_ID, …) or in-app under Admin → Security → Single Sign-On (DB settings override env; the client secret is stored encrypted and is write-only in the API). The login screen gains a "Continue with SSO" button alongside the existing username/password form. Security baseline: signed ID-token verification via provider JWKS (asymmetric algorithms only), issuer/audience checks, state + nonce validation bound to the browser with a single-use server-side transaction, PKCE S256, verified-email enforcement, optional email-domain allowlist — and no provider tokens ever reach the browser; a successful callback issues the normal NetMap session cookies. Includes identity linking by provider subject with optional first-time linking by verified email, optional auto-provisioning with a conservative default role (never SuperAdmin), group/role claim mapping with local-role precedence by default and explicit opt-in for provider-managed roles or SuperAdmin grants, an Admin "Test provider" diagnostic action, per-user auth-source (SSO) badges in Admin → Users, audit events for every provision/link/login/settings change, and an optional "Require SSO" mode with guard rails (provider must verify and an active SuperAdmin must exist) that always preserves SuperAdmin local login as the emergency recovery path. Migrations0043_oidc_login_states,0044_external_identities. - Toast notifications — actions across the app (deletes, saves, imports) now confirm success or surface failures in a bottom-right toast stack instead of failing silently or relying on scattered inline text.
- Styled destructive-action confirmations — deleting devices, links, groups, locations, subnets, reservations, DHCP leases, schedules, roles, and saved searches now opens a consistent danger-styled dialog with consequence text; bulk device deletes of 5+ require typing
deleteto confirm. - Workspace crash containment — an unexpected error in one workspace now shows a retryable fault card while the rest of NetMap keeps working, instead of a white screen.
- Loading skeletons — workspaces show shimmer skeleton layouts while data loads (route changes, VLANs, IPAM) instead of blank panels or plain "Loading…" text.
- Response-time (RTT) threshold alert rules — Admin → Alerts now offers a "Response time above threshold" trigger with a configurable millisecond threshold (per device or fleet-wide). The background monitor fires the rule when a device's probe RTT exceeds the threshold, reusing the existing notification channels and cooldown; a persistent high-latency condition re-alerts once per cooldown period. Migration
0036_alert_rule_threshold_msaddsalert_rules.threshold_ms. - Pause monitoring per device — devices can be paused from the device form or the Pause/Resume button in device details. Paused devices are skipped by live/background probes (no false offline alerts), show a gray "paused" status in Monitoring (with a Paused filter and fleet paused count), and stay in inventory/topology. Migration
0037_device_monitoring_fields. - Device lifecycle states — devices carry a lifecycle of planned / active / retired / ignored. Only active devices are monitored; the rest render as paused in Monitoring and show a lifecycle badge in device details.
- Flapping detection — devices whose status changes 4+ times within an hour get a "flapping" badge in the Monitoring table, and a new "Device is flapping" alert rule trigger fires through the normal notification channels with per-rule cooldown.
- Notification delivery history — every alert notification attempt is recorded (rule, target, sent/failed, provider error summary) and shown in Admin → Alerts → Delivery history. Records are pruned after 30 days. Migration
0039_notification_deliveries. - Generic webhook notification method — Admin → Notifications now offers "Generic webhook": NetMap POSTs
{"title": "NetMap", "message": …}as JSON to any HTTP(S) endpoint, with an optional bearer token. Respects the private-target egress blocking setting. - IPAM next-available-IP — the Reserve IP dialog can fill in the next free address of the selected subnet with one click, skipping used IPs, the gateway, and the DHCP pool.
- IP reservation expiry dates — new reservations default to an expiry 90 days from today, expired reservations are flagged in the reservations table, and a "Clear expired" action removes them in bulk. Migration
0040_ip_reservation_expiry. - Saved security searches — the Security workspace can save the current filter set under a name and re-apply or delete it from a dropdown. Saved per user. Migration
0041_saved_security_searches. - What's new popup — after login, authenticated users see a once-per-installed-version popup summarising the changelog for the version they're running. It does not prompt when a newer tag is merely available; Admin → Version can reopen it manually. GitHub release notes for
v*tags are generated from the sameCHANGELOG.mdin CI. - Managed custom device types — Admin → Devices & Icons can add reusable custom device types, edit/rename them, assign a default Tabler icon, and remove unused custom types. Device forms, Inventory bulk actions, Topology, and Overview all consume the same managed type list. Migration
0042_device_types. - Interactive monitoring summary cards — the Monitored/Online/Offline cards in Monitoring now click to apply the matching status filter (click again to clear).
- GitHub Actions security scanning — a new report-only
security-scan.ymlworkflow runs Semgrep SAST pluspip-auditandnpm auditon pushes, pull requests, and a weekly schedule. All jobs are non-blocking until the baseline is triaged. - Instant Monitoring re-entry — the Monitoring workspace keeps an in-memory stale-while-revalidate snapshot of the fleet summary, device table, and service checks. Returning to Monitoring renders the last known data immediately, then refreshes with a lightweight delta request when fresh or a full refresh when stale.
Changed
- Sidebar collapse control — the collapse/expand button now stays in the bottom utility area above a subtle separator in both sidebar states, and the collapsed Inventory badge now sits at the icon's top-right corner instead of pushing it off-centre or overlapping it.
- HTTP/HTTPS monitoring scope clarified — the current service-check groundwork is no longer described as the finished uptime-monitoring workflow; the dedicated HTTP/HTTPS monitoring method with per-check targeting, response timing, and alert integration remains planned.
- CI and bundle analysis cleanup — GitHub workflows now use current major action versions for the Node 24 runner runtime, and normal production frontend builds skip the bundle visualizer unless explicitly run in analyze mode.
- Browser tab titles now show only the current screen — authenticated pages use their page name without the
NetMap —prefix, and login/setup/reset/loading states now show their own tab title instead of inheriting Overview. - What's New release notes now render inline Markdown — changelog bullets in the popup preserve formatting such as links, inline code, emphasis, strikethrough, and bold text while sanitising rendered HTML before display.
- What's New actions — the release-notes action now sits to the left of the close action in the popup footer, "Got it" is the primary action, and the Admin → Version "What's new" control now matches the primary admin action buttons.
- Overview favourites cache — favourite monitoring rows render from a per-user local snapshot while Overview refreshes live monitoring data in the background, avoiding the empty/loading lag on page entry.
- Overview card surfaces — the Overview summary cards and panels now use the same restrained linear-gradient surface treatment as the refreshed admin cards for a more consistent dashboard feel.
- Admin stat card vibrancy — the Admin → System cards now use per-card accent gradients, stronger icon tints, and matching hover glow so they feel closer to the Overview cards instead of washed out.
- OIDC admin form polish — the SSO checkboxes in Admin → Security now match the System settings layout, with option text beside the checkbox, compact helper text underneath, and clearer spacing before Login & Audit History.
- Confirmation toasts — Admin success messages such as "Settings saved", plus Profile and Export confirmations, now use the toast stack instead of full-width success bars. Toast notifications are larger and stay visible longer so saves are harder to miss.
- Full Tabler icon library for device types — the device-type icon picker now exposes the installed Tabler outline library in addition to the curated NetMap icon set. The large Tabler metadata files are emitted as lazy JSON assets so the initial app bundle stays small.
- Unified table row hover across the app — VLANs, Inventory, Monitoring, IPAM, Security, Overview device lists, audit logs, admin tables, the icon manager, and the topology entity list now share one subtle hover treatment (new
--nm-row-hoverdesign token) with the VLAN table's teal left-edge accent in both themes, replacing a patchwork of per-table hover colours. - Tools action buttons calmed down — Lookup, Ping, Traceroute and the other tool submit buttons use the soft accent treatment (tinted background, teal text) instead of a solid bright block, which was overpowering in dark mode.
- Unified near-duplicate UI colours onto the design-token palette — 485 hard-coded colour values that were visually near-identical to an existing the...
NetMap v1.3.1
This release promotes the tested test branch into main and includes security hardening, dependency
updates, monitoring improvements, topology layout polish, and workflow fixes.
Security
- Replaced
python-josewithPyJWT, removing the unmaintainedecdsadependency. - Updated/pinned vulnerable dependencies including
cryptography,starlette, DOMPurify, Vite, and React
plugin tooling. - Password changes and password resets now revoke active sessions.
- Password-reset flows now invalidate sibling reset tokens and require
APP_URLfor reset links. - RBAC checks tightened for alert management, IPAM mutations, syslog WebSockets, and configurable security-
view access. - Network tools now defend against DNS rebinding by resolving and validating targets before execution.
X-Forwarded-Forparsing now uses the rightmost forwarded address.- Scheduled discovery manual runs now enforce single-flight behavior.
- SNMP walk now has a wall-clock deadline.
- Syslog TCP connection handling no longer tracks unbounded per-connection thread references.
Added
- Overview favourites now open a monitoring detail popup directly on the Overview page.
- Monitoring now has a favourites-only filter.
- Tools Port Check supports TCP and UDP.
- Monitoring service checks support TCP and UDP targets.
- Topology adds a radial group layout option.
Changed
- Inventory now defaults to 25 rows per page.
- Existing saved 10-row Inventory page-size preferences migrate to 25 once, while still allowing users to
manually choose 10 later. - Port-check wording is now generic instead of TCP-only.
- Upgrade docs now start from
/opt/netmapbefore pull/recreate/backup commands.
Fixed
- Primary button styling no longer gets overridden in modal headers.
- Overview favourite detail behavior no longer navigates away to Monitoring.
- Alert monitor service checks now honour each target’s TCP/UDP type.
- Test-branch fixes and polish changes are now preserved in
mainhistory via the test-to-main merge.
NetMap v1.3.0
UI polish release: shared components across workspaces, clearer discovery and IPAM flows, monitoring fixes including working ICMP probes, and several topology stability improvements.
New
- Overview recently updated actions: Users with write access can add a device or run a network scan from the Recently updated panel header and from the empty state.
- Monitoring VLAN filter: Dropdown next to the site filter to narrow the device list by VLAN ID.
Changed
- Consistent UI: Shared modal shell, buttons, search inputs, and status pills across IPAM, Inventory, Monitoring, Topology, Locations, Admin, and related panels.
- Bundled Inter font: Typography is consistent across browsers and containers with weights 400–600; body text uses weight 400 with antialiasing.
- Primary buttons: Deeper teal accent so primary CTAs, such as + Device, are less visually loud.
- Discovery SNMP: Dedicated toggle with a labelled configuration panel; post-scan actions split into Import selected as primary and Update existing as secondary.
- Sidebar: Overview uses a home icon; Monitoring keeps the activity chart icon. NetMap brand links to Overview.
- Announcement banner (MOTD): Purple alert style to distinguish it from offline and network-update notices.
- IP placeholders: Generic 192.168.1.x examples across discovery, device forms, VLAN/IPAM fields, and network tools.
Fixed
IPAM
- Subnet drilldown tabs use an equal-width grid with no horizontal scrollbar.
- Address table columns are equal thirds with sensible alignment.
- Label shows inventory display names with hostname fallback.
- DHCP entries match inventory by MAC when possible.
Inventory & Overview
- Table uses full panel width on wide 1440p screens.
- MOTD spacing tightened below stat cards.
- Favourites row alignment fixed.
- RTT column hides cleanly on narrow viewports.
Monitoring
- ICMP probes work correctly in Docker with cap_net_raw set on ping at image build time.
- Group dropdown includes devices grouped via topology relationships, not only the denormalised string field.
- Search box shows a single outer focus ring with no double border.
- Reset columns removed; column widths are fixed by default.
- Probe failures logged at WARNING for easier offline diagnosis.
Topology
- Sidebar open/close no longer recentres or pans the map.
- Zone backgrounds no longer flicker during 30-second status polling.
- Ribbon toolbar normalises control heights.
Other
- Icon Manager help text no longer shows an internal dev/ path prefix.
- Discovery scan modal footer no longer uses a shaded action bar.
- Locations View larger map link no longer has a pill background.
NetMap v1.2.9
Added
- LLDP Neighbours tool: discover adjacent devices on switch ports via SNMP LLDP-MIB. Results are matched
to inventory by MAC, IP, or hostname — unmatched neighbours are flagged, and matched pairs get a one-click
topology link button. - OS field on devices: store and edit the operating system string (e.g. "Ubuntu 24.04", "Cisco IOS").
SNMP enrichment now suggestssysDescras OS andsysNameas hostname when those fields are blank.
(suggested by @WindowsStar in #7) - IPAM range reservations: the Reserve IP dialog now accepts a range (e.g.
192.168.1.10-35), shows a
live count preview, and creates all IPs in one submit. MAC field is hidden in range mode. - Port ranges and comma-separated ports in service checks: enter
443,67,68,8080-8090, or any - Service check device picker: searchable dropdown in the "Specific device" form — no need to pre-click
a device in the table first. (suggested by @WindowsStar in #6) - Last poll relative time: the topbar "Last poll" indicator now shows a live "(X min ago)" counter
updated every 30 seconds. - Created timestamp in device details (read-only). (suggested by @WindowsStar in #7)
Changed
- Port Monitoring modal (formerly "Service Checks"): renamed, widened, and redesigned to a two-column
layout with the form on the left and active checks on the right. Device picker supports multi-selection with
live search. - Admin Credentials tab renamed to "SNMP Profiles" to better reflect what it manages.
- Automation tab change observations now use the card-row layout matching the discovery modal style.
- Login screen now shows the app favicon in place of the generic network icon, on both the branding
panel and form header. - Dark mode is now the default for new installations and users who haven't set a preference.
- IPAM reserved colour changed from purple to deep teal; DHCP range pill is muted in dark mode; free-cell
hover colour updated to device green.
Fixed
- Public IP devices were always shown as offline, the monitor now probes all registered devices regardless
of the public-targets gate. (reported by @WindowsStar in #6) - Port checks now run in parallel (up to 12 concurrent connections) instead of sequentially, preventing long
monitor cycles when many devices have port targets. - Monitoring "X minutes ago" timestamps were offset for non-UTC users due to naive datetime handling, fixed
by normalizing allchecked_atfields to UTC. (reported by @WindowsStar in #6) - Monitoring panel height no longer has a fixed 520 px cap.
- Monitoring table column layout and spacing cleaned up.
NetMap v1.2.7
v1.2.7
Highlights
- Added notification profiles with encrypted per-profile configuration, test sends, and expanded Apprise-
backed provider support. - Added SuperAdmin database backup/restore controls.
- Improved Security/syslog search so raw-log searches match individual prefix terms instead of requiring
exact phrases. - Added OpenWrt banIP parsing for action, chain/context, and feed/list metadata.
- Hardened firewall database recovery when corruption is detected during startup retention cleanup.
- Improved discovery MAC matching, SNMP profile enrichment, monitoring UI polish, and network tool
validation.
Full Changelog: https://github.com/xoriin/NetMap/blob/main/CHANGELOG.md