Releases: uc-cdis/fence

improvements and dep updates

27 Jan 22:06
e2a757b

Release Notes

For: uc-cdis/fence
Notes since tag: 13.0.0
Notes to tag/commit: e2a757b
Generated: 2026-01-27

Improvements

  • Update S3_BUCKETS documentation to mention regex support for bucket names
    and skipping signing for public buckets (#1331)

Dependency Updates

  • azure-core to 1.38.0 for security (#1329)
  • Update urllib3 dependency version (#1327)

13.0.0

05 Jan 19:36
4d27de6

Release Notes

For: uc-cdis/fence

Notes since tag: 12.4.0

Notes to tag/commit: 4d27de6

Generated: 2026-01-05

Breaking Changes

  • This change will set the default url to Arborist for all fence deployments.
    If you want to continue to use fence without arborist, you must explicitly
    set ARBORIST: null in your fence configuration. (#1235)
  • Support for local_settings.py is removed completely. (#1302)

Bug Fixes

  • Lower audit schema cache to 30 minutes, fixing issues where fence would use
    the wrong schema for 24 hours in cases where audit-service took longer than
    fence to start. (#1310)

Improvements

  • Replace raw strings in session.execute() with sqlalchemy.text (#1312)
  • Update deprecated datetime.utcnow() and datetime.utcfromtimestamp()
    with 3.13 compatible equivalents (#1312)
  • Replace deprecated request attributes with request.payload (#1312)
  • Replace deprecated SqlAlchemy's query.get() with Session.get() (#1312)
  • Eliminate all boto usage in favor of boto3 (#1312)
  • Add a local implementation of strtobool since distutils is no longer
    available since Python 3.12 (#1312)
  • Add NoAsyncMagicMock since MagicMock returns AsyncMocks even if the
    source object is partially async (#1312)
  • Replace assert <mocked_method>.not_called with
    <mocked_method>.assert_not_called (#1312)
  • Set default arborist url in default configuration. (#1235)

Dependency Updates

  • Update gen3config, cdiserrors, authutils, cdislogging and userdatamodel to
    the latest version (Python 3.13 support) (#1317)
  • Update Fence to Python 3.13 (#1312)
  • Cleanup unused dependencies using deptry, add transitive dependencies in
    pyproject.toml (#1302)

Deployment Changes

  • Change Docker image to run with gen3 user instead of root (#1312)
  • This change will set the default url to Arborist for all fence deployments.
    If you want to continue to use fence without arborist, you must explicitly
    set ARBORIST: null in your fence configuration. (#1235)
  • Deployment changes are being done as a part of this gen3-helm PR (#426)
    (#1302)

12.4.0

11 Nov 21:45
4173550

Release Notes

For: uc-cdis/fence

Notes since tag: 12.3.0

Notes to tag/commit: 12.4.0

Generated: 2025-11-11

New Features

  • Allow a HIDE_IDPS configuration option when shib_idps=* (#1304)

Bug Fixes

  • Fix arborist timeouts on usersync (#1307)

Dependency Updates

  • gen3authz >= 2.3.2 (#1307)

12.3.0

30 Oct 16:54
bc96f29

Release Notes

For: uc-cdis/fence

Notes since tag: 12.2.0

Notes to tag/commit: 12.3.0

Generated: 2025-10-30

Dependency Updates

  • authutils >= 7.10 (#1301)
  • authlib >= 1.6.4 (#1301)

Deployment Changes

  • alembic migration must be run to account for amr and acr columns in the
    authorization_code table. (#1301)

12.2.0

21 Oct 15:48
4a3d07c

Release Notes

For: uc-cdis/fence

Notes since tag: 12.1.0

Notes to tag/commit: 4a3d07c

Generated: 2025-10-21

Improvements

  • add global username denial regex to configuration (#1299)

12.1.0

03 Oct 13:56
2a0ede3

Release Notes

For: uc-cdis/fence

Notes since tag: 12.0.1

Notes to tag/commit: 12.1.0

Generated: 2025-10-03

New Features

  • Track X-forwarded headers for CADR reporting enhancements (#1291)

Update base image

12 Sep 16:46
0fe8bf8

Improvements

12.0.0

05 Sep 20:18
0fe8bf8

Release Notes

For: uc-cdis/fence

Notes since tag: 11.4.1

Notes to tag/commit: 12.0.0

Generated: 2025-09-05

Breaking Changes

  • Usersync SFTP now rejects unknown host keys. We switched from
    paramiko.AutoAddPolicy() to paramiko.RejectPolicy() and load keys from
    ~/.ssh/known_hosts. If that file does not contain the dbGaP/SFTP host key,
    the usersync dbGaP sync will fail (previously it auto-trusted and added the
    key) (#1238)

Deployment Changes

  • Provide and mount a known_hosts file in the usersync pod/container at
    /root/.ssh/known_hosts (the process runs as root). (#1238)
  • Helm: update to the gen3-helm change that adds the fence-ssh-known-hosts
    ConfigMap and mounts it into the usersync job. After upgrading the chart,
    populate that ConfigMap with the correct host keys. (#1238)
  • Use ssh-keyscan -p 22 <sftp host> to retrieve the necessary keys to add to the known hosts.
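
A preflight for the known_hosts requirement above, as an added example that is not part of fence or these release notes: it checks whether a mounted known_hosts file pins a key for the SFTP host before usersync runs. The host names, key blobs and function names are hypothetical; it handles plain and hashed entries only, not wildcard patterns.

```python
import base64
import hashlib
import hmac


def _hashed_match(entry, name):
    # Hashed entries: |1|<b64 salt>|<b64 HMAC-SHA1 of the name, keyed by salt>
    parts = entry.split("|")
    if len(parts) != 4:
        return False
    salt, expected = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def known_key_types(known_hosts_text, host, port=22):
    """Return the key types pinned for host:port in known_hosts content."""
    # Non-default ports are stored as "[host]:port".
    name = host if port == 22 else f"[{host}]:{port}"
    found = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@":
            continue  # blanks, comments, @cert-authority / @revoked lines
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed entry
        for entry in fields[0].split(","):
            if entry == name or (entry.startswith("|1|") and _hashed_match(entry, name)):
                found.append(fields[1])
                break
    return found


# Constructed sample: placeholder host names and key blobs, not real host keys.
_SALT = b"constructed-salt"
_MAC = hmac.new(_SALT, b"[sftp.example.org]:2222", hashlib.sha1).digest()
_HASHED = "|1|{}|{}".format(base64.b64encode(_SALT).decode(), base64.b64encode(_MAC).decode())
SAMPLE = f"""# constructed known_hosts
sftp.example.org ssh-ed25519 AAAAPLACEHOLDERKEY1
sftp.example.org,192.0.2.10 ssh-rsa AAAAPLACEHOLDERKEY2
{_HASHED} ecdsa-sha2-nistp256 AAAAPLACEHOLDERKEY3
@revoked old.example.org ssh-rsa AAAAPLACEHOLDERKEY4
"""

if __name__ == "__main__":
    for host, port in [("sftp.example.org", 22), ("sftp.example.org", 2222), ("other.example.org", 22)]:
        types = known_key_types(SAMPLE, host, port)
        print(f"{host}:{port} ->", types or "NOT PINNED: usersync would be rejected")
```

Keys collected with ssh-keyscan are unauthenticated, so compare their fingerprints against a value obtained out of band before adding them to the ConfigMap.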

11.4.1

04 Sep 17:09
cc2d0c9

Release Notes

For: uc-cdis/fence

Notes since tag: 11.4.0

Notes to tag/commit: 11.4.1

Generated: 2025-09-04

Bug Fixes

  • Arborist timeouts no longer stop usersync (#1293)
  • Replace grant bulk policy with smart policy diff (#1293)

11.4.0

02 Sep 21:11
521bcc2

Release Notes

For: uc-cdis/fence

Notes since tag: 11.3.2

Notes to tag/commit: 11.4.0

Generated: 2025-09-02

New Features

  • The user registration flow has been modified in order to enforce
    registration before a user is officially logged in and can access website
    pages and data (when user registration is enabled) (#1286)
  • The login audit log now conditionally includes the user's IP information if
    the audit schema version for login is 2.0 or greater. (#1274)
  • Introduced AUDIT_SCHEMA_CACHE to cache audit service schema version/models,
    cache is checked and updated before creating presigned URL and login audit
    logs. (#1274)
  • Added _get_audit_schema and _set_schema_models_cache methods to
    AuditServiceClient to fetch and cache the audit schema from the
    audit-service’s /_schema endpoint. (#1274)
  • Falls back to a default v1 schema if the endpoint returns a 404 (older
    audit-service versions) (#1274)

Improvements

  • Get user's projects from arborist to compare existing permissions to
    incoming permissions to decide which permissions to retain, revoke or add.
    (#1268)
  • Added and adjusted tests for new features (#1274)

Dependency Updates

  • updated dependency for python_dateutil (#1268)
  • update dependency for python-jose (#1268)