
chore(deps): update dependency nautobot to v3.0.10 [security]#1901

Open

renovate[bot] wants to merge 1 commit into main from renovate/pypi-nautobot-vulnerability


@renovate renovate bot commented Apr 1, 2026

This PR contains the following updates:

Package: nautobot
Change: ==3.0.9 -> ==3.0.10

GitHub Vulnerability Alerts

CVE-2026-34203

Impact

In Nautobot versions prior to 2.4.30 or prior to 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's nautobot_config.py to apply various rules if desired). This can potentially allow for the creation or modification of users to have passwords that are weak or otherwise do not comply with configured standards.

Management of users via the Nautobot admin UI does correctly enforce configured password validation at this time.

Patches

The issue is resolved in Nautobot versions 2.4.30 and 3.0.10 and later.

Workarounds

Review which users have been granted object permissions to create and modify user accounts as well as having access tokens for the REST API, and restrict access as appropriate.

It may be appropriate furthermore to rotate passwords for any user accounts suspected to have been given weak passwords.

Release Notes

nautobot/nautobot (nautobot)

v3.0.10 - 2026-03-30

What's Changed

Security in v3.0.10
  • #8710 - Updated dependency pyasn1 to 0.6.3 to mitigate CVE-2026-30922. As this is not a direct dependency, it will not auto-update when upgrading; please be sure to upgrade your local environment.
  • #8722 - Updated dependency cryptography to ~46.0.6 to mitigate CVE-2026-34073.
  • #8722 - Updated dependency requests to ~2.33.0 to mitigate CVE-2026-25645. As this is not a direct dependency, it will not auto-update when upgrading; please be sure to upgrade your local environment.
  • #8722 - Updated development npm dependency flatted to ~3.4.2 to mitigate CVE-2026-33228.
  • #8778 - Added missing enforcement of any configured Django password validators when managing users via the REST API (CVE-2026-34203).
Added in v3.0.10
  • #5789 - Added graphql and webhooks extras features to all ComponentTemplateModel subclasses.
  • #8736 - Added clear_cache step to nautobot-server post_upgrade command.
Changed in v3.0.10
  • #8747 - Job profiling results are now available for download as a file attached to the Job Result, rather than only being written to the worker's local filesystem.
Fixed in v3.0.10
  • #6111 - Fixed an issue where Contact and Team objects could not be looked up by name alone when creating a ContactAssociation via the REST API.
  • #8465 - Fixed an issue where cable terminations for module interfaces incorrectly displayed as "Circuit" instead of showing the device, type, and component fields.
  • #8547 - Resolved issues with the job logs DB connection. It now correctly respects CONN_MAX_AGE and can recover from errored connections.
  • #8614 - Fixed a race condition when running jobs concurrently that could cause multiple threads to modify the jobs registry at the same time.
  • #8629 - Fixed a scenario where rendering a GitRepository related Jobs "Scheduled Job View" would sometimes show the Job as not installed.
  • #8706 - Fixed a bug where GraphQL queries that included related objects were not being optimized correctly since upgrading to graphene-django v3.x in Nautobot 3.0.0.
  • #8724 - Fixed permission name in JobRunScheduleButton in JobView.
  • #8725 - Fixed an issue where nested job kwargs were not being serialized correctly, which caused problems when using Kubernetes jobs.
  • #8748 - Fixed a performance issue where the validated_save() method was being called unnecessarily on all VRFDeviceAssignment objects when adding a new assignment to a VRF.
  • #8759 - Fixed an exception related to version control branches and recursive Job execution.
  • #8763 - Fixed get_config_context and ConfigContextModel annotation for subclasses of Device model.
Dependencies in v3.0.10
  • #8722 - Updated dependency celery to ~5.6.3.
  • #8722 - Updated dependency nh3 to ~0.3.4.
Documentation in v3.0.10
  • #4234 - Documented suggested method for periodic metrics files removal.
Housekeeping in v3.0.10
  • #8607 - Refreshed indirect npm dependencies to their latest relevant versions.
  • #8608 - Refreshed indirect dependencies to their latest valid versions.
  • #8722 - Updated documentation dependency mkdocs-gen-files to ~0.6.1.
  • #8722 - Updated documentation dependency mkdocs-material to ~9.7.6.
  • #8722 - Updated documentation dependency mkdocs-section-index to ~0.3.11.
  • #8722 - Updated development dependency coverage to ~7.13.5.
  • #8734 - Changed ObjectChangeFactory to use set start and end dates for deterministic timestamps for the time field for tests.

Full Changelog: nautobot/nautobot@v3.0.9...v3.0.10


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
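The defect described in the advisory above, as an added example that is neither Nautobot's nor Django's code: a constructed stand-in for Django's AUTH_PASSWORD_VALIDATORS chain (validators named by dotted path with optional OPTIONS, instantiated the way Django loads the setting), beside one user-creation path that skips the chain, the shape of the bug, and one that runs it before anything is saved. The two validator classes, the config values and the api_create_user_* functions are all assumptions made for the example.

```python
from importlib import import_module

class MinimumLengthValidator:
    def __init__(self, min_length=8):
        self.min_length = min_length

    def validate(self, password, user=None):
        if len(password) < self.min_length:
            raise ValueError(f"shorter than {self.min_length} characters")

class NumericPasswordValidator:
    def validate(self, password, user=None):
        if password.isdigit():
            raise ValueError("entirely numeric")

# Same shape as the AUTH_PASSWORD_VALIDATORS list in nautobot_config.py (constructed values).
AUTH_PASSWORD_VALIDATORS = [
    {"NAME": f"{__name__}.MinimumLengthValidator", "OPTIONS": {"min_length": 12}},
    {"NAME": f"{__name__}.NumericPasswordValidator"},
]

def get_password_validators(config=AUTH_PASSWORD_VALIDATORS):
    """Instantiate each validator from its dotted path, the way Django does."""
    validators = []
    for entry in config:
        module_name, class_name = entry["NAME"].rsplit(".", 1)
        cls = getattr(import_module(module_name), class_name)
        validators.append(cls(**entry.get("OPTIONS", {})))
    return validators

def validate_password(password, user=None):
    """Run the whole chain and collect every failure before raising."""
    errors = []
    for validator in get_password_validators():
        try:
            validator.validate(password, user)
        except ValueError as exc:
            errors.append(str(exc))
    if errors:
        raise ValueError("; ".join(errors))

def api_create_user_before_fix(username, password):
    """Bug shape: the REST path stores the password without consulting the chain."""
    return {"username": username, "password_set": bool(password)}

def api_create_user_fixed(username, password):
    """Fix shape: every user-management path validates before any save."""
    validate_password(password, user={"username": username})
    return {"username": username, "password_set": True}
```

The same chain must guard every path that sets a password (admin UI, REST API, CLI), which is why a missing call in one serializer silently re-opens weak-password creation.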
