From 9e0787ab43fa37fe19566e4f6a9652c06f762d90 Mon Sep 17 00:00:00 2001 From: Oliver Date: Tue, 26 May 2026 07:03:38 +1000 Subject: [PATCH 1/5] sqlite limitation docs (#12003) * sqlite limitation docs Ref: https://github.com/inventree/InvenTree/issues/12002 * Fix typo * More typo tweaks --- docs/docs/faq.md | 12 +++++++++++- docs/docs/security.md | 20 ++++++++++---------- 2 files changed, 21 insertions(+), 11 deletions(-) diff --git a/docs/docs/faq.md b/docs/docs/faq.md index 7f2b2c79a0..b0852be612 100644 --- a/docs/docs/faq.md +++ b/docs/docs/faq.md @@ -199,10 +199,20 @@ In either case, ensure that the directory is available *on your local machine* a ## Error Rendering Component -Sometimes, following a software update, you may find that certain components of the web interface are not rendering correctly, and presented with a message similar to the screenshow below: +Sometimes, following a software update, you may find that certain components of the web interface are not rendering correctly, and presented with a message similar to the screenshot below: {{ image("faq/boundary.png", "Error Rendering Component") }} This is often due to a caching issue with your web browser. Try performing a hard refresh of the page to clear the cache, this should resolve the issue in most cases. If the problem persists, refer to the [troubleshooting guide](./troubleshooting.md) for further assistance. + +## Expression tree is too large + +If you are running a large InvenTree deployment on an SQLite database, you may encounter an error similar to: + +``` +Expression tree is too large (maximum depth 1000) +``` + +This is a [known limitation of SQLite](https://www.sqlite.org/limits.html) which can occur when performing complex queries on a large database. Due to [structural limitations](./start/processes.md#sqlite-limitations) of SQLite, it is recommended to use a more robust database backend such as PostgreSQL for larger deployments. diff --git a/docs/docs/security.md b/docs/docs/security.md index d5a34403f5..6a3be12052 100644 --- a/docs/docs/security.md +++ b/docs/docs/security.md @@ -6,24 +6,24 @@ The InvenTree project is committed to providing a secure and safe environment fo To that end, we have implemented a number of security measures over the years, which we will outline in this document. -## Organisational measures +## Organizational Measures The InvenTree project is managed by a small team of developers, who are responsible for the ongoing development and maintenance of the software. Two geographically distributed users have administrative access to the InvenTree codebase. Merges are only done by one of these two users, the maintainer Oliver. Read the Project [Governance](./project/governance.md) document for more information. -InvenTree is open-source, and we welcome contributions from the community. However, all contributions are reviewed and scrutinised before being merged into the codebase. +InvenTree is open-source, and we welcome contributions from the community. However, all contributions are reviewed and scrutinized before being merged into the codebase. ### Security Policy The official [Security Policy]({{ sourcefile("SECURITY.md") }}) is available in the code repository. -We provide this document in our main repo to increase discoverabiltity to ensure that all security issues are handled in a timely manner. +We provide this document in our main repo to increase discoverability to ensure that all security issues are handled in a timely manner. ### Past Reports If we become aware of a security issue, we will take immediate action to address the issue, and will provide a public disclosure of the issue once it has been resolved. We support assigning CVEs to security issues where appropriate. Our [past security advisories can be found here](https://github.com/inventree/InvenTree/security/advisories). -## Technical measures +## Technical Measures -### Code hosting +### Code Hosting The InvenTree project is hosted on GitHub, and we rely on the security measures provided by GitHub to help protect the integrity of the codebase. @@ -35,24 +35,24 @@ Among those are: - (Optional but encouraged) Two-factor authentication for user accounts - (Optional but encouraged) Signed commits / actions -### Code style +### Code Style We enforce style and security checks in our CI/CD pipeline, and we have several automated tests to ensure that the codebase is secure and functional. Checks are run on every pull request, and we require that all checks pass before a pull request can be merged. -### Current versions +### Current Versions InvenTree is built using the Django framework, which has a strong focus on security. We follow best practices for Django development, and we are committed to keeping the codebase up-to-date with the latest security patches and within supported versions. -### Test coverage +### Test Coverage We run coverage tests on our codebase to ensure that we have a high level of test coverage above 90%. This is public and can be found [here](https://app.codecov.io/gh/inventree/InvenTree). -### Pinning dependencies +### Pinning Dependencies We are pinning dependencies to specific versions - aiming for complete reproducibility of builds - wherever possible. Combined with continuous OSV checks, we are able to react quickly to security issues in our dependencies. -## Best practices +## Best Practices We follow most of GitHubs community best practices, check our compliance [here](https://github.com/inventree/InvenTree/community). From d9fea903f149e145e2dac224e835a37165c18e54 Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Tue, 26 May 2026 02:40:17 +0200 Subject: [PATCH 2/5] fix performance test (#12006) follow up to https://github.com/inventree/InvenTree/pull/11963 --- src/performance/tests.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/performance/tests.py b/src/performance/tests.py index db2dd8896c..e05c32391a 100644 --- a/src/performance/tests.py +++ b/src/performance/tests.py @@ -50,7 +50,7 @@ def test_api_auth_performance(): '/api/order/so/shipment/', #'/api/order/po/', #'/api/order/po-line/', - '/api/user/roles/', + '/api/user/me/roles/', '/api/parameter/', '/api/parameter/template/', ], @@ -77,7 +77,7 @@ def test_api_list_performance(url): '/api/order/so/shipment/', '/api/order/po/', '/api/order/po-line/', - '/api/user/roles/', + '/api/user/me/roles/', '/api/parameter/', '/api/parameter/template/', ], From bfd720e762d0681ec618c5d26015e46327513651 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 May 2026 13:06:20 +1000 Subject: [PATCH 3/5] chore(deps): bump the dependencies group with 4 updates (#12008) Bumps the dependencies group with 4 updates: [j178/prek-action](https://github.com/j178/prek-action), [codecov/codecov-action](https://github.com/codecov/codecov-action), [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) and [github/codeql-action](https://github.com/github/codeql-action). Updates `j178/prek-action` from 2.0.3 to 2.0.4 - [Release notes](https://github.com/j178/prek-action/releases) - [Commits](https://github.com/j178/prek-action/compare/6ad80277337ad479fe43bd70701c3f7f8aa74db3...bdca6f102f98e2b4c7029491a53dfd366469e33d) Updates `codecov/codecov-action` from 6.0.0 to 6.0.1 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/57e3a136b779b570ffcdbf80b3bdc90e7fab3de2...e79a6962e0d4c0c17b229090214935d2e33f8354) Updates `zizmorcore/zizmor-action` from 0.5.3 to 0.5.6 - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](https://github.com/zizmorcore/zizmor-action/compare/b1d7e1fb5de872772f31590499237e7cce841e8e...5f14fd08f7cf1cb1609c1e344975f152c7ee938d) Updates `github/codeql-action` from 4.35.4 to 4.35.5 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/68bde559dea0fdcac2102bfdf6230c5f70eb485e...9e0d7b8d25671d64c341c19c0152d693099fb5ba) --- updated-dependencies: - dependency-name: j178/prek-action dependency-version: 2.0.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: codecov/codecov-action dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: github/codeql-action dependency-version: 4.35.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/qc_checks.yaml | 10 +++++----- .github/workflows/scorecard.yaml | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/qc_checks.yaml b/.github/workflows/qc_checks.yaml index b877b5aff4..0893ef1f5b 100644 --- a/.github/workflows/qc_checks.yaml +++ b/.github/workflows/qc_checks.yaml @@ -117,7 +117,7 @@ jobs: python-version: ${{ env.python_version }} cache: "pip" - name: Run pre commit hook Checks - uses: j178/prek-action@6ad80277337ad479fe43bd70701c3f7f8aa74db3 # pin@v2 + uses: j178/prek-action@bdca6f102f98e2b4c7029491a53dfd366469e33d # pin@v2 - name: Check Version run: | pip install --require-hashes -r contrib/dev_reqs/requirements.txt @@ -415,7 +415,7 @@ jobs: path: .coverage retention-days: 14 - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # pin@v6.0.0 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # pin@v6.0.1 if: always() with: token: ${{ secrets.CODECOV_TOKEN }} @@ -597,7 +597,7 @@ jobs: - name: Run Tests run: invoke dev.test --check --migrations --report --coverage --translations - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # pin@v6.0.0 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # pin@v6.0.1 if: always() with: token: ${{ secrets.CODECOV_TOKEN }} @@ -734,7 +734,7 @@ jobs: - name: Report coverage run: cd src/frontend && npx nyc report --report-dir ./coverage --temp-dir .nyc_output --reporter=lcov --exclude-after-remap false - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # pin@v6.0.0 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # pin@v6.0.1 with: token: ${{ secrets.CODECOV_TOKEN }} slug: inventree/InvenTree @@ -790,4 +790,4 @@ jobs: with: persist-credentials: false - name: Run zizmor 🌈 - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 4d2d571f31..a972164c14 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -67,6 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4 + uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 with: sarif_file: results.sarif From 6476d164a06befee384d77c7e9809d26fbba021a Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Tue, 26 May 2026 05:07:04 +0200 Subject: [PATCH 4/5] docs: rename ressouce details (#12005) --- docs/docs/project/{resources.md => sponsored_resources.md} | 3 ++- docs/mkdocs.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) rename docs/docs/project/{resources.md => sponsored_resources.md} (97%) diff --git a/docs/docs/project/resources.md b/docs/docs/project/sponsored_resources.md similarity index 97% rename from docs/docs/project/resources.md rename to docs/docs/project/sponsored_resources.md index 9074d17818..0a733b0686 100644 --- a/docs/docs/project/resources.md +++ b/docs/docs/project/sponsored_resources.md @@ -1,5 +1,5 @@ --- -title: Resources InvenTree receives +title: Sponsored Resources --- The InvenTree project is grateful to receive resources from various vendors free of charge. @@ -18,5 +18,6 @@ Individuals and companies can also support via [GitHub sponsors](https://github. ## Past Supporters Non comprehensive list of past supporters. The project stops consuming resources for various reasons, this does not mean they are not good resources. + - [Coveralls](https://coveralls.io/) - Code coverage as a service - [Deepsource](https://deepsource.io/) - Code quality and security analysis diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index ca0bb711ff..a2827bb068 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml @@ -87,7 +87,7 @@ nav: - Project Details: - Governance: project/governance.md - Project Security: security.md - - Resources: project/resources.md + - Sponsored Resources: project/sponsored_resources.md - Privacy: privacy.md - Concepts: - Terminology: concepts/terminology.md From 06680758c3219c54f9e286bf454fe3ce4d042698 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 May 2026 17:27:24 +1000 Subject: [PATCH 5/5] chore(deps): bump python in /contrib/container (#12007) Bumps python from 3.14-slim-trixie to 3.14.5-slim-trixie. --- updated-dependencies: - dependency-name: python dependency-version: 3.14.5-slim-trixie dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- contrib/container/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/container/Dockerfile b/contrib/container/Dockerfile index 2a8693f11d..588cbaa17e 100644 --- a/contrib/container/Dockerfile +++ b/contrib/container/Dockerfile @@ -10,7 +10,7 @@ # - Monitors source files for any changes, and live-reloads server # Base image last bumped 2026-03-20 -FROM python:3.14-slim-trixie@sha256:fb83750094b46fd6b8adaa80f66e2302ecbe45d513f6cece637a841e1025b4ca AS inventree_base +FROM python:3.14.5-slim-trixie@sha256:c845af9399020c7e562969a13689e929074a10fd057acd1b1fad06a2fb068e97 AS inventree_base # Build arguments for this image ARG commit_tag=""