PyPi: Nemo

CVE-2023-4863

Transitive

Safety vulnerability ID: 61781

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 12, 2023 Updated at Dec 23, 2024

Advisory

Nemo 4.7.0 updates its dependency 'pillow' from 10.0.0 to 10.0.1 to pick up the fix for CVE-2023-4863, a heap buffer overflow in libwebp's VP8L (lossless WebP) decoder that a crafted image can trigger. Pillow 10.0.1 ships libwebp 1.3.2, the first release containing the fix. The vulnerability is transitive: Nemo is affected only through Pillow, on any code path that decodes user-supplied images (for example, resizing pictures attached to a tool problem report). A Pillow build that links a system libwebp instead of the bundled one is fixed only once that library is 1.3.2 or later, whatever the Pillow version says.
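
The check below is an added example for this advisory, not code from the NEMO or Pillow projects. It decides exposure from the linked libwebp version (authoritative, since that is the library that parses the VP8L bitstream) and falls back to the Pillow version only for reporting; it assumes Pillow 10.0.1 wheels bundle libwebp 1.3.2 and 10.0.0 wheels bundle 1.3.1. The `assess_installed` helper uses `PIL.features.version("webp")`, which returns the libwebp decoder version or None when Pillow was built without WebP support. Version strings passed to `assess` in the usage section are constructed sample input.

```python
"""Audit a Pillow install for CVE-2023-4863 (libwebp VP8L heap overflow).

Added example for this advisory; not NEMO or Pillow project code.
Assumption: the fix first shipped in libwebp 1.3.2, which Pillow 10.0.1
bundles in its wheels (10.0.0 bundles 1.3.1). A source build links the
system libwebp, so the Pillow version alone is not conclusive.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FIXED_LIBWEBP = (1, 3, 2)  # first libwebp release with the CVE-2023-4863 fix
FIXED_PILLOW = (10, 0, 1)  # first Pillow release whose wheels bundle it


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.3.2', '10.0.1' or '1.3.2rc1' into a comparable int tuple.

    A trailing pre-release tag is dropped; it does not change which side of
    the 1.3.2 boundary a version falls on.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


@dataclass(frozen=True)
class WebpExposure:
    pillow_version: str
    libwebp_version: str | None  # None when Pillow has no WebP support
    vulnerable: bool
    reason: str


def assess(pillow_version: str, libwebp_version: str | None) -> WebpExposure:
    """Decide exposure from the two version strings.

    The libwebp version is what matters: the overflow lives in libwebp's
    lossless decoder, not in Pillow's own code. Pillow's version is only
    carried along so the report says which package to upgrade.
    """
    if libwebp_version is None:
        return WebpExposure(
            pillow_version, None, False,
            "Pillow has no WebP support; the vulnerable decoder is not reachable",
        )
    if parse_version(libwebp_version) >= FIXED_LIBWEBP:
        return WebpExposure(
            pillow_version, libwebp_version, False,
            f"libwebp {libwebp_version} >= 1.3.2 (fixed)",
        )
    hint = "upgrade Pillow to 10.0.1 or later" \
        if parse_version(pillow_version) < FIXED_PILLOW \
        else "Pillow is recent but links an old system libwebp; update libwebp"
    return WebpExposure(
        pillow_version, libwebp_version, True,
        f"libwebp {libwebp_version} < 1.3.2 (Pillow {pillow_version}): {hint}",
    )


def assess_installed() -> WebpExposure:
    """Inspect the Pillow that is importable in this interpreter."""
    import PIL
    from PIL import features

    # features.version("webp") reports the linked libwebp decoder version,
    # or None if Pillow was built without libwebp.
    return assess(PIL.__version__, features.version("webp"))


if __name__ == "__main__":
    # Constructed sample inputs first, then the real install.
    for pv, wv in [("10.0.0", "1.3.1"), ("10.0.1", "1.3.2"), ("10.0.1", "1.3.1")]:
        print(assess(pv, wv).reason)
    r = assess_installed()
    print(("VULNERABLE: " if r.vulnerable else "ok: ") + r.reason)
```

Run it inside the virtualenv that serves NEMO, not the system interpreter, since the wheel (and therefore the bundled libwebp) is per-environment. A result of "Pillow is recent but links an old system libwebp" is the case the advisory's version bump alone does not cover.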

Affected package

nemo

Latest version: 6.0.3

NEMO is a laboratory logistics web application. Use it to schedule reservations, control tool access, track maintenance issues, and more.

Affected versions

Fixed versions

Vulnerability changelog

Upgrade notes
- For the area auto logout feature, a timed service action/systemd service needs to be enabled on the server. See the `nemo_auto_logout.service` and `nemo_auto_logout.timer` files in [the systemd resource folder](https://github.com/usnistgov/NEMO/tree/master/resources/systemd)
- If you are using Django Rest Framework's pagination, change the `DEFAULT_PAGINATION_CLASS` to `NEMO.rest_pagination.NEMOPageNumberPagination` to be able to override the page size on the fly using the `page_size` request parameter

New features
- Added the ability to set an auto-logout time for each area. A timed service task needs to be enabled for this feature to work (thanks `Cornell NanoScale Facility` for the contribution!).
- Added checkboxes in calendar view to allow viewing more than one tool/area at a time (thanks `Stanford SNF` for the contribution!)
- Configuration agenda's `near future` days can now be configured in `Customization -> Tools` (thanks `Polytech Group of Characterization of Materials` for the contribution!)
- Added an option in Customization -> Tools to allow tool superusers to be exempt from reservation policy rules (thanks `UPenn Singh Center` for the contribution!)
- A `topic` has been added to the email subject in the broadcast email feature. This topic will be the tool, project or account selected to send an email about. The topic is not added when more than one tool/project/account is selected (thanks `UPenn Singh Center` for the contribution!)
- Consumables can be set to be checked out by regular users (True by default). This only affects instances where consumable self checkout is enabled (thanks `Stanford SNF` for the contribution!)
- Added support for banks for NCD/ProXR interlocks and support for relay 0 to turn on/off all relays (thanks `Stanford SNF` for the contribution!)
- Reviewers for adjustment requests and access requests can now be set on the relevant tool/area and defaults to all facility managers if left blank. This replaces the manager's preference fields to limit adjustment requests (thanks `Stanford SNF` for the contribution!)

Improvements
- In status dashboard, jumbotron and tool status, now displaying the date using Django's MONTH_DAY_FORMAT setting (default to "October 9th"). See 159
- Added the ability to attach pictures when using the broadcast email feature (thanks `UPenn Singh Center` for the contribution!)
- Added a resizing limit for attached images when reporting a tool problem (thanks `UPenn Singh Center` for the contribution!)
- Added a setting to send new tool problems to all qualified users (thanks `USC Nanofab` for the contribution!)
- For PIs in usage page, now showing user's own usage by default, instead of all managed projects (thanks `Cornell NanoScale Facility` for the contribution!)
- Showing project PIs in edit user page when available
- For temporary access requests, the user office will not be cc'd anymore
- Freed time notifications will now be sent when a reservation is missed or shortened
- Added `service personnel` checkbox on edit user page to give users the service personnel role
- Added notes for consumables, updated user interface to show both notes and quantity left (thanks `Stanford SNF` for the contribution!)
- Added label support for dynamic form (post usage questions, reservation questions) for radio button, checkbox and dropdown types. This allows showing different values than the ones being submitted
- Added actions to enable/disable multiple interlock and sensor cards at the same time

API
- Added exact filters wherever iexact was used
- Added filters for validated and validated_by for all charge types
- Added readonly PIs field in Projects endpoint
- When using pagination and the new `NEMOPageNumberPagination` class, the page size can be changed on the fly by using the `page_size` request parameter
- Pagination is now automatically bypassed for any requests not rendered using the Browsable API (except if the page_size parameter is used explicitly in the request). Consequently, exporting in json, excel, etc. will return all results and be less confusing.

Bug fixes
- Fixed a bug in staff status not showing closures when the closure is on the last day of the period the user is looking at
- Fixed conditional expression in tool status wrongly showing usage data history tab to staff even when no post usage questions are set (164)
- Fixed API issue when data would not be rolled back when bulk saving users with integrity errors (non unique username for example)
- Fixed tab issue in requests not showing the correct default tab in some cases

Libraries
- cryptography 41.0.2 -> 41.0.4
- Pillow 10.0.0 -> 10.0.1 (vulnerability)
- Django 3.2.21 -> 3.2.22 (vulnerability)
- django-filter 23.2 -> 23.3

Resources


Severity Details

CVSS Base Score: HIGH 8.8

CVSS v3 Details (vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): HIGH 8.8
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Impact (A): HIGH